ldap

ActiveDirectory/LDAP result limits – MaxPageSize

ns a website from a systems administrator for systems administrators Home IT-Admins CMDB IT-Admins tool IT Search EOL Solutions Blog Contact Links ActiveDirectory/LDAP result limits – MaxPageSize

ActiveDirectory, respective LDAP, has a result limit setting, MaxPageSize. Those are set by default to 1000 rows per query.

This is primarily important if you use some kind of programming language to get results from LDAP, this code must compensate those limits and engage paging.

Your LDAP query does not need to provide the limit, only the code needs to do the paging as you always just get the max. amount of results set in the current settings.

In order to check your settings do the following commands in a command prompt / cmd window:

ntdsutil
ldap policies 
connections
connect to domain YOURDOMAIN.LOCAL
quit
show values

ntdsutil

ldap policies

connections

connect to domain YOURDOMAIN.LOCAL

quit

show values

In theory you could set different values now as well, assuming you have the permission level to do so. But this is not recommended and you should engage paging instead, as you otherwise risk to overload your DCs – even if your commands won’t cause it, a possibly DoS attack could happen – malicious or not, so leave the limits, but be aware of them.

Monitor group memberships in Active Directory with PRTG

There is at least one group you want to monitor for any membership changes in Active Directory / LDAP – the Domain Admins group. This is so important, as any changes to this group could cause great harm to your whole system. Of course there are other ways in but you for sure want to monitor at least the basic information of the amount of users in this group.

In order to do so, I wrote a PowerShell script that provides you the amount of members of any given group in Active Directory, as well as a text response (under the probe name and in some alerts if activated) of the sAMAccountName of each member in the group. This way you can hopefully right away determine the changed object, assuming you know what should be in there and what not.

If you have nested groups, you might wanna monitor them as well till you reach a user only level.

Create the script as always on your PRTG probing server in C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML and add a new EXE/Advanced XML sensor in PRTG. Select the script and provide at a bare minimum the parameter MonitoredGroup.

Parameter samples:

-MonitoredGroup “Domain Admins”
-MonitoredGroup “Domain Admins” -Server “MyDC.domain.local”

If you do not provide a server name, the system will try determine it on it’s own – default Domain-Membership etc..

Once the first run was successful you should review the results and set the upper and lower error limit on the PRTG sensor to the current amount of members. Any change then will cause the sensor to go in to error status and inform you therefor about the change.

param(
	[string]$Server = "",
	[string]$MonitoredGroup = ""
)
Import-Module ActiveDirectory

If ($Server.Length -gt 0) {
    $LDAPGroup = Get-ADGroupMember $MonitoredGroup -Server $Server
} Else {
    $LDAPGroup = Get-ADGroupMember $MonitoredGroup 
}

[string]$LDAPGroupMembers = ""
Foreach ($Member in $LDAPGroup){
    If ($LDAPGroupMembers.Length -gt 0) {$LDAPGroupMembers += ", "}
    $LDAPGroupMembers += $Member.SamAccountName
}

$XML = "<prtg>
            <result>
                <channel>Amound of Users in Group</channel>
                <value>"+ $LDAPGroup.count +"</value>
            </result>			
            <text>"+ $MonitoredGroup +" Members: " + $LDAPGroupMembers + "</text>
        </prtg>"
 
Function WriteXmlToScreen ([xml]$XML) #just to make it clean XML code...
{
	$StringWriter = New-Object System.IO.StringWriter;
	$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
	$XmlWriter.Formatting = "indented";
	$xml.WriteTo($XmlWriter);
	$XmlWriter.Flush();
	$StringWriter.Flush();
	Write-Output $StringWriter.ToString();
}
 
WriteXmlToScreen $XML;

param(

[string]$Server = "",

[string]$MonitoredGroup = ""

)

Import-Module ActiveDirectory

If ($Server.Length -gt 0) {

$LDAPGroup = Get-ADGroupMember $MonitoredGroup -Server $Server

} Else {

$LDAPGroup = Get-ADGroupMember $MonitoredGroup

}

[string]$LDAPGroupMembers = ""

Foreach ($Member in $LDAPGroup){

If ($LDAPGroupMembers.Length -gt 0) {$LDAPGroupMembers += ", "}

$LDAPGroupMembers += $Member.SamAccountName

}

$XML = "<prtg>

<channel>Amound of Users in Group</channel>

<value>"+ $LDAPGroup.count +"</value>

</result>

<text>"+ $MonitoredGroup +" Members: " + $LDAPGroupMembers + "</text>

</prtg>"

Function WriteXmlToScreen ([xml]$XML) #just to make it clean XML code...

{

$StringWriter = New-Object System.IO.StringWriter;

$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;

$XmlWriter.Formatting = "indented";

$xml.WriteTo($XmlWriter);

$XmlWriter.Flush();

$StringWriter.Flush();

Write-Output $StringWriter.ToString();

}

WriteXmlToScreen $XML;

October 13, 2020 by Florian Rossmark monitoring prtg scripts security server

Amount of locked out accounts

It is a good to know how many of your user accounts are locked out right now… I would go as far as saying you should monitor this and have alert levels on it, cause this could indicate and reveal a brute-force like attack against your system.

Doing it manually in a PowerShell (assuming you have RSAT / Active-Directory PowerShell modules installed) can be done with the following command that will show you who is locked out and the calculated amount as well..

$s=Search-ADAccount -LockedOut |ft
$s
'CurrentCount: ' + $s.count

$s=Search-ADAccount -LockedOut |ft

'CurrentCount: ' + $s.count

Using PRTG you can add the following advanced script

Import-module activedirectory
$Count=-1

$Accounts = Search-ADAccount -LockedOut
$Count=$Accounts.Count

$Users = ""
foreach ($user in $Accounts) {
	if ($Users.Length -gt 0) {
		$Users += " / "
	}
	$Users += $user.SamAccountName
}

$XML =  "<prtg>"
$XML += "<result><channel>LDAP accounts locked out</channel><value>$Count</value><unit>Count</unit></result>"
$XML += "<text>$Users</text>"
$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)
{
    $StringWriter = New-Object System.IO.StringWriter;
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
    $XmlWriter.Formatting = "indented";
    $xml.WriteTo($XmlWriter);
    $XmlWriter.Flush();
    $StringWriter.Flush();
    Write-Output $StringWriter.ToString();
}

WriteXmlToScreen $XML

Import-module activedirectory

$Count=-1

$Accounts = Search-ADAccount -LockedOut

$Count=$Accounts.Count

$Users = ""

foreach ($user in $Accounts) {

if ($Users.Length -gt 0) {

$Users += " / "

}

$Users += $user.SamAccountName

}

$XML = "<prtg>"

$XML += "<result><channel>LDAP accounts locked out</channel><value>$Count</value><unit>Count</unit></result>"

$XML += "<text>$Users</text>"

$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)

{

$StringWriter = New-Object System.IO.StringWriter;

$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;

$XmlWriter.Formatting = "indented";

$xml.WriteTo($XmlWriter);

$XmlWriter.Flush();

$StringWriter.Flush();

Write-Output $StringWriter.ToString();

}

WriteXmlToScreen $XML

After adding it as a sensor, it will create a single channel with the amount of locked out users. You should set error limits:

minimum error limit: 0
- the script returns -1 if an error occurred
maximum error limit: this depends on your user base – I would say about 5% of your users – no more.. depends as well on the lockout-duration in your security policy…

The advantage of the script in PRTG is – it always reports back additional text – the currently locked out SamAccount names.. respective user-names.. so in case it generates an error – you will see some more information…

Assuming there is a brute-force, you might see this sparking and going down – meaning someone tries to find an entry account… since the lockout attribute causes an emergency-replication of your domain-controllers (this attribute bypasses the regular replication interval) you can fire it relatively simply against your domain, the script just uses the current logon domain of the executing user.

October 25, 2019 by Florian Rossmark monitoring prtg security server

Active Directory password reset events and group change events

The script below uses the security event log on defined DCs within your Active Directory to export events related to certain activities. Eventually the script will export this even to an email and send it to you as a report – if needed.

As is – the script will specifically look for those events

4724 – a user password was reset by an administrator respective via Active Directory Users and Groups MMC (or similar)
4728 – a user was added to a security group
4729 – a user was removed from a security group

There are more events – specifically events related to adding/removing users from distribution groups etc. – for the purpose of for what I wrote the script, I did not need this. Still, I thought it is worth publishing this, as others might find it helpful.

To add more events – just adjust line 19 – eventually just add more “or EventID=1234” statements – should be rather easy… in theory you could build that out as a parameter as well and inject it via the script.

param(
    [string] $DomainControllers = "",
    [bool]   $FullDetails = $false,
    [int]    $HoursInThePast = 24,
    [bool]   $SendMail = $false,
    [string] $SMTPfrom = "",
    [string] $SMTPto = "",
    [string] $SMTPsubject = "",
    [string] $SMTPserver = ""
)

#4724 - user PW reset by admin
#4728 - user added to security group
#4729 - user removed from security group

$Query = @"
<QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4724 or EventID=4728 or EventID=4729)]]</Select>
  </Query>
</QueryList>
"@

If ($DomainControllers.Length -eq 0) {
    Import-Module ActiveDirectory
    $DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
    ForEach($DC In $DomainControllers) {
        Write-Host "checking DC: $DC"
        $OutPut += "Export from DC: $DC" 
        $OutPut += ""
        If ($FullDetails) {
            $OutPut += Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | fl | Out-String
        } Else {
            $OutPut += Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | ft | Out-String
        }
    }
} Else {
    $DCs = $DomainControllers.Split(',')
    foreach ($DomainController in $DCs) {
        Write-Host "checking DC: $DomainController"
        $OutPut += "Export from DC: $DomainController" 
        $OutPut += ""
        If ($FullDetails) {
            $OutPut += Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | fl | Out-String
        } Else {
            $OutPut += Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | ft | Out-String
        }
    }
}

$OutPut

if ($SendMail) {
    Send-MailMessage -From $SMTPfrom -to $SMTPto -Subject $SMTPsubject -Body $OutPut -SmtpServer $SMTPserver
}

param(

[string] $DomainControllers = "",

[bool] $FullDetails = $false,

[int] $HoursInThePast = 24,

[bool] $SendMail = $false,

[string] $SMTPfrom = "",

[string] $SMTPto = "",

[string] $SMTPsubject = "",

[string] $SMTPserver = ""

)

#4724 - user PW reset by admin

#4728 - user added to security group

#4729 - user removed from security group

$Query = @"

<Select Path="Security">*[System[(EventID=4724 or EventID=4728 or EventID=4729)]]</Select>

</Query>

</QueryList>

If ($DomainControllers.Length -eq 0) {

Import-Module ActiveDirectory

$DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

ForEach($DC In $DomainControllers) {

Write-Host "checking DC: $DC"

$OutPut += "Export from DC: $DC"

$OutPut += ""

If ($FullDetails) {

$OutPut += Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | fl | Out-String

} Else {

$OutPut += Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | ft | Out-String

}

} Else {

$DCs = $DomainControllers.Split(',')

foreach ($DomainController in $DCs) {

Write-Host "checking DC: $DomainController"

$OutPut += "Export from DC: $DomainController"

$OutPut += ""

If ($FullDetails) {

$OutPut += Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | fl | Out-String

} Else {

$OutPut += Get-WinEvent -ComputerName $DomainController -FilterXml $Query -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$HoursInThePast) } | ft | Out-String

}

$OutPut

if ($SendMail) {

Send-MailMessage -From $SMTPfrom -to $SMTPto -Subject $SMTPsubject -Body $OutPut -SmtpServer $SMTPserver

}

August 1, 2019 by Florian Rossmark scripts security server

Monitor user accounts in Active Directory with PRTG

The following script will read through your current Active Directory and filter for user accounts with the following specific conditions:

Lockedout users – please read below for further information about this
- all users that are lockedout
- must be an enabled user
- that is not expired
disabled users
- all users that have been disabled
expired users
- must be an enabled user
- the expiration date is set and past the current date
users with password never expires set
- must be an enabled user

This will give you a pure counter output per channel in an for PRTG Extended script sensor XML result.

But there is a theoretical flaw in one of the methods – the locked out users. Now, user accounts get locked out in Active Directory due to too many logon attempts with an invalid password. This causes Active Directory to set the lockedout bit in the object properties. The issue here is that this bit will not be set back to 0 after the defined lockout duration (GPO) is past, the property will only be set back to 0 once the lockout duration is passed and he successfully logged on.

This means, the counter might give you more results then currently true, it might count users that have been locked out but the lockout-duration passed – but they did not yet logon successfully. This is somehow a false positive, while not totally false. In any case, you need to be aware of this.

The script could be more efficient as well in the way it filters a few things, so far I optimized it as far as I could – the LockedOut value can not be set as a -Filter, in theory it might be possible to speed it up with a -Filter to the UserAccountControl (if that is even possible – not tested) – but I am not certain this would work. If you really want to speed it up you would need to work with -LDAPFilter – but this actually needs to completely replace the internal filter capabilities of Get-ADUser – you can’t use both – it is one or the other.

Import-Module ActiveDirectory

#you could add - filters, a OU limitation or a server against whom this would be executed.. see Get-ADUser options for more details
#$Server = ""
#$OU = ""
#Get-ADUser -Server $Server -Filter
#Get-ADUser -SearchBase $OU -Filter

#all locked users that aren't disabled or expired
$LockedOutUsers=Get-ADUser -Filter {Enabled -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate | where {$_.lockedout -eq $True -and (($_.AccountExpirationDate -gt (Get-Date) -or ($_.AccountExpirationDate -eq $null)))} 

#all users that are disabled - this is a manual action in Active Directory
$DisabledUsers=Get-ADUser -Filter {Enabled -eq $False -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate

#all users that are not disabled but expired already
$ExpiredUsers=Get-ADUser -Filter {Enabled -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate | where {(($_.AccountExpirationDate -lt (Get-Date) -and ($_.AccountExpirationDate -ne $null)))} 

#users with not expiring passwords and are enabled and not expired
$NotExpiringPWD=Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate 


If ($LockedOutUsers.count -eq $null -and $LockedOutUsers -eq $null){
    $cntLockedOutUsers=0
}Elseif ($LockedOutUsers.count -eq $null -and $LockedOutUsers -ne $null){
    $cntLockedOutUsers=1
}Else{
    $cntLockedOutUsers=@($LockedOutUsers.count)
}

If ($DisabledUsers.count -eq $null -and $DisabledUsers -eq $null){
    $cntDisabledUsers=0
}Elseif ($DisabledUsers.count -eq $null -and $DisabledUsers -ne $null){
    $cntDisabledUsers=1
}Else{
    $cntDisabledUsers=@($DisabledUsers.count)
}

If ($ExpiredUsers.count -eq $null -and $ExpiredUsers -eq $null){
    $cntExpiredUsers=0
}Elseif ($ExpiredUsers.count -eq $null -and $ExpiredUsers -ne $null){
    $cntExpiredUsers=1
}Else{
    $cntExpiredUsers=@($ExpiredUsers.count)
}

If ($NotExpiringPWD.count -eq $null -and $NotExpiringPWD -eq $null){
    $cntNotExpiringPWD=0
}Elseif ($NotExpiringPWD.count -eq $null -and $NotExpiringPWD -ne $null){
    $cntNotExpiringPWD=1
}Else{
    $cntNotExpiringPWD=@($NotExpiringPWD.count)
}

$XML += "<prtg>"
$XML += "<result>" 
$XML += "<channel>Locked Out Users</channel>" 
$XML += "<value>$cntLockedOutUsers</value>" 
$XML += "</result>"
$XML += "<result>" 
$XML += "<channel>Disabled Users</channel>" 
$XML += "<value>$cntDisabledUsers</value>" 
$XML += "</result>"
$XML += "<result>" 
$XML += "<channel>Expired Users - not disabled</channel>" 
$XML += "<value>$cntExpiredUsers</value>" 
$XML += "</result>"
$XML += "<result>" 
$XML += "<channel>Users with password never expires</channel>" 
$XML += "<value>$cntNotExpiringPWD</value>" 
$XML += "</result>"
$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)
{
    $StringWriter = New-Object System.IO.StringWriter;
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
    $XmlWriter.Formatting = "indented";
    $xml.WriteTo($XmlWriter);
    $XmlWriter.Flush();
    $StringWriter.Flush();
    Write-Output $StringWriter.ToString();
}

WriteXmlToScreen $XML

Import-Module ActiveDirectory

#you could add - filters, a OU limitation or a server against whom this would be executed.. see Get-ADUser options for more details

#$Server = ""

#$OU = ""

#Get-ADUser -Server $Server -Filter

#Get-ADUser -SearchBase $OU -Filter

#all locked users that aren't disabled or expired

$LockedOutUsers=Get-ADUser -Filter {Enabled -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate | where {$_.lockedout -eq $True -and (($_.AccountExpirationDate -gt (Get-Date) -or ($_.AccountExpirationDate -eq $null)))}

#all users that are disabled - this is a manual action in Active Directory

$DisabledUsers=Get-ADUser -Filter {Enabled -eq $False -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate

#all users that are not disabled but expired already

$ExpiredUsers=Get-ADUser -Filter {Enabled -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate | where {(($_.AccountExpirationDate -lt (Get-Date) -and ($_.AccountExpirationDate -ne $null)))}

#users with not expiring passwords and are enabled and not expired

$NotExpiringPWD=Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $True -and objectCategory -eq "person" -and objectClass -eq "user"} -Properties sAMAccountName,DisplayName,LockedOut,LockoutTime,Enabled,AccountExpirationDate

If ($LockedOutUsers.count -eq $null -and $LockedOutUsers -eq $null){

$cntLockedOutUsers=0

}Elseif ($LockedOutUsers.count -eq $null -and $LockedOutUsers -ne $null){

$cntLockedOutUsers=1

}Else{

$cntLockedOutUsers=@($LockedOutUsers.count)

}

If ($DisabledUsers.count -eq $null -and $DisabledUsers -eq $null){

$cntDisabledUsers=0

}Elseif ($DisabledUsers.count -eq $null -and $DisabledUsers -ne $null){

$cntDisabledUsers=1

}Else{

$cntDisabledUsers=@($DisabledUsers.count)

}

If ($ExpiredUsers.count -eq $null -and $ExpiredUsers -eq $null){

$cntExpiredUsers=0

}Elseif ($ExpiredUsers.count -eq $null -and $ExpiredUsers -ne $null){

$cntExpiredUsers=1

}Else{

$cntExpiredUsers=@($ExpiredUsers.count)

}

If ($NotExpiringPWD.count -eq $null -and $NotExpiringPWD -eq $null){

$cntNotExpiringPWD=0

}Elseif ($NotExpiringPWD.count -eq $null -and $NotExpiringPWD -ne $null){

$cntNotExpiringPWD=1

}Else{

$cntNotExpiringPWD=@($NotExpiringPWD.count)

}

$XML += "<prtg>"

$XML += "<result>"

$XML += "<channel>Locked Out Users</channel>"

$XML += "<value>$cntLockedOutUsers</value>"

$XML += "</result>"

$XML += "<result>"

$XML += "<channel>Disabled Users</channel>"

$XML += "<value>$cntDisabledUsers</value>"

$XML += "</result>"

$XML += "<result>"

$XML += "<channel>Expired Users - not disabled</channel>"

$XML += "<value>$cntExpiredUsers</value>"

$XML += "</result>"

$XML += "<result>"

$XML += "<channel>Users with password never expires</channel>"

$XML += "<value>$cntNotExpiringPWD</value>"

$XML += "</result>"

$XML += "</prtg>"

Function WriteXmlToScreen ([xml]$xml)

{

$StringWriter = New-Object System.IO.StringWriter;

$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;

$XmlWriter.Formatting = "indented";

$xml.WriteTo($XmlWriter);

$XmlWriter.Flush();

$StringWriter.Flush();

Write-Output $StringWriter.ToString();

}

WriteXmlToScreen $XML

This script updated with a corrected version as of February 2019 and was also posted in the PRTG knowledge base here.

July 19, 2018 by Florian Rossmark monitoring prtg scripts security server

ldap

ActiveDirectory/LDAP result limits – MaxPageSize

Monitor group memberships in Active Directory with PRTG

Amount of locked out accounts

Active Directory password reset events and group change events

Monitor user accounts in Active Directory with PRTG

Recent blog posts

Blog Archives

ldap

Recent blog posts

Blog Archives

Tags