Tiny Deathstars of Foulness

You can use PowerShell to get pretty much anything you want out of Active Directory. Let’s say you want to see when a user last changed their password. The Get-ADUser cmdlet can return any user attribute in the Active Directory schema. To use Get-ADUser you need to define a scope; in this example we do so with the -Filter parameter, using * to match everyone. That could be a lot of data, so we also ask only for the property (attribute) we care about, PasswordLastSet, using the -Properties parameter:

Get-ADUser -Filter * -Properties PasswordLastSet

We can then add a little more logic and pipe the output to a conditional that keeps only the users who have never set a password (the module returns $null for PasswordLastSet when the underlying pwdLastSet attribute is 0):

Get-ADUser -Filter * -Properties PasswordLastSet | Where-Object { $null -eq $_.PasswordLastSet }

A more common task is finding users who have not changed their password in the last 90 days. Put the cutoff date in a variable with (Get-Date).AddDays(-90) and compare against it in the filter. We don’t want disabled users in the results, so we compound the two conditions with -and (the curly braces make the filter a script block, which is what lets us reference the variable):

$90days = (Get-Date).AddDays(-90)
Get-ADUser -Filter {(PasswordLastSet -le $90days) -and (Enabled -eq $True)} -Properties PasswordLastSet
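Taking the stale-password query a step further, here is an added example (not code from the original post) that turns it into a report: enabled users whose password is older than a threshold or was never set, with accounts marked PasswordNeverExpires called out separately, since those will never be forced to rotate. It assumes the ActiveDirectory module (RSAT) is installed and the caller can read the domain; the OU is a hypothetical one under the post’s krypted.com domain.

```powershell
# Added example, not from the original post. Reports enabled users whose password
# is older than $Days or has never been set, and flags PasswordNeverExpires.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$Days       = 90
$Cutoff     = (Get-Date).AddDays(-$Days)
$SearchBase = 'OU=Users,DC=krypted,DC=com'   # assumed OU; drop -SearchBase to search the whole domain
$Report     = Join-Path $env:TEMP 'stale-passwords.csv'

# Do the enabled/disabled check server-side so the DC does not return accounts we
# would only discard. PasswordLastSet is the friendly form of pwdLastSet and comes
# back as $null when pwdLastSet is 0 (never set, or "must change at next logon").
$Users = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
    -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate

$Stale = @(foreach ($u in $Users) {
    $never = $null -eq $u.PasswordLastSet
    if (-not $never -and $u.PasswordLastSet -ge $Cutoff) { continue }   # rotated recently: fine

    $finding = if ($never) { 'NeverSet' }
               elseif ($u.PasswordNeverExpires) { 'StaleAndNeverExpires' }
               else { 'Stale' }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        PasswordLastSet      = $u.PasswordLastSet
        PasswordAgeDays      = if ($never) { $null } else { [int]((Get-Date) - $u.PasswordLastSet).TotalDays }
        PasswordNeverExpires = $u.PasswordNeverExpires
        LastLogonDate        = $u.LastLogonDate
        Finding              = $finding
    }
})

$Stale | Sort-Object PasswordAgeDays -Descending | Export-Csv -Path $Report -NoTypeInformation
$Stale | Group-Object Finding | Select-Object Name, Count | Format-Table -AutoSize
Write-Host "Wrote $($Stale.Count) findings to $Report"
```

Search-ADAccount -PasswordNeverExpires gives the never-expires list on its own; this version keeps both findings in one report so that an account with an old password and no expiry stands out, and LastLogonDate helps separate abandoned accounts from active ones that simply skipped rotation.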

April 1st, 2014

Posted In: Active Directory, Windows Server


A UserPrincipalName (UPN) is an attribute that holds an Internet-style login name for a user, in the user@domain form of the Internet standard RFC 822. The UPN is used for a lot of different tasks, notably Kerberos and single sign-on, so there are a lot of scripts that key off of it.

You can use the Get-ADUser cmdlet to query accounts for the UserPrincipalName attribute. Here we -Filter for everyone (we could instead pass a username to -Identity to get a single user) and set -SearchBase to the distinguished name of the organizational unit (OU) where the search should begin. The -Properties parameter names the attribute to return, userPrincipalName here (or whatever attribute you want to query). Putting that together, with the * filter and the OU as the search base:

Get-ADUser -Filter * -SearchBase 'ou=Users,dc=krypted,dc=com' -Properties userPrincipalName

Here we are specifically after userPrincipalName, but we could just as well ask for other attributes, such as primaryGroupID, proxyAddresses, pwdLastSet, sn, streetAddress, sAMAccountName, and so on (and if you already know the user’s sn, you would more likely feed it to -Filter in place of the *).
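Because Kerberos and single sign-on key off the UPN, the query above is most useful when it is turned into a check. The following is an added example, not code from the original post: it audits userPrincipalName for accounts with no UPN, UPN suffixes the forest does not issue, and UPNs shared by more than one account. It assumes the ActiveDirectory module and the post’s OU; the expected-suffix list is built from the forest, and the extra suffix appended to it is a hypothetical placeholder.

```powershell
# Added example, not from the original post. Audits userPrincipalName for the
# problems that break Kerberos/SSO: missing UPN, unexpected suffix, duplicates.
# Assumes the ActiveDirectory module and read access to the forest.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=krypted,DC=com'   # the post's OU
$Forest     = Get-ADForest
# Suffixes the forest legitimately issues: registered alternative UPN suffixes plus
# the DNS names of its domains. 'example.org' is a hypothetical hand-added entry.
$Expected   = @($Forest.UPNSuffixes) + @($Forest.Domains) + @('example.org')

$Users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties userPrincipalName

$Findings = @(foreach ($u in $Users) {
    $upn = $u.UserPrincipalName
    if ([string]::IsNullOrEmpty($upn)) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; UPN = $null; Issue = 'NoUPN' }
        continue
    }
    $suffix = ($upn -split '@', 2)[1]
    if ($suffix -notin $Expected) {    # -notin is case-insensitive, as DNS names are
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; UPN = $upn; Issue = 'UnexpectedSuffix' }
    }
})

# UPNs are supposed to be unique in the forest; a duplicate makes logon by UPN ambiguous.
$Findings += $Users | Where-Object UserPrincipalName | Group-Object UserPrincipalName |
    Where-Object Count -gt 1 | ForEach-Object {
        foreach ($dup in $_.Group) {
            [pscustomobject]@{ SamAccountName = $dup.SamAccountName; UPN = $dup.UserPrincipalName; Issue = 'DuplicateUPN' }
        }
    }

$Findings | Sort-Object Issue, SamAccountName | Format-Table -AutoSize
```

An unexpected suffix is usually a typo or a leftover from a migration, but it also shows up when someone has set a UPN that collides with a federated or cloud tenant domain, which is why the suffix list is built from what the forest actually issues rather than hard-coded.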

October 13th, 2013

Posted In: Active Directory, Windows Server


One of the more common administrative tasks on any mail server is helping users set up rules, and one such rule is the Out of Office message: an automatic reply sent to anyone who mails an account while its owner is not checking mail. These can be somewhat frustrating for people on mailing lists, but they are a great way to step away from your email when you are, I don’t know, out of the office. I should learn to rely on them more when I’m on vacation, but that’s another story…

Enabling an Out of Office message on Lion Server’s mail server is a fairly straightforward process. Log into the webmail portal as the user whose mail you are configuring. Once logged in, click Settings at the top of the screen, then click the Filters tab. On the Filters screen, click the plus sign icon (“+”) above the Filter Name sidebar to create a new filter.

Provide a name for the filter in the Filter name field (e.g. Out of Office). Select all messages in the For incoming mail: field, and Reply with message in the …execute the following actions: field. Then, for Reply with message, use the Message body to set the contents of the reply that senders will receive, and the Message subject field to give it a subject. If you’d like other accounts cc’d (e.g. an assistant, or someone else handling your support inbox), provide their addresses separated by commas. Finally, use the How often send messages field (not taking into account whether the name of the field is grammatically correct) to set how often a given sender is answered: 1 means at most once per day, 2 at most once every other day, and so on.

Once you’re satisfied with your entry, click on the Save button.

I’ve seen a few instances where the filters weren’t running properly. These have usually been because the RoundCube configuration file was missing the information it needs to send on behalf of the mail server. To provide it, look at the RoundCube configuration in /usr/share/webmail/config. Also, if webmail is using the wrong reply-to domain (which can happen if I forget to set the hostname before enabling the service), correct the following line there, filling in your mail domain between the quotes:

$rcmail_config['mail_domain'] = '';

March 27th, 2012

Posted In: Mac OS X, Mac OS X Server


I’ve seen a couple of posts on groups recently from people asking why they’re unable to NetBoot clients. Personally, I always verify first that clients can obtain a DHCP lease and that the NetBoot server shows up in the Startup Disk System Preference pane. Provided those two things work, you will usually be able to NetBoot. Both can be verified when booted from an installer or an installed system (checking both never hurt anyone).

Next, break out your crossover cable (well, many a Mac doesn’t need one any more). If you can NetBoot when connected directly to the server, then you’re usually looking at an infrastructure issue, be it routing and subnets or switching. Make sure the server can serve up DHCP, though, since clients must get a DHCP lease to NetBoot.

If you can’t NetBoot even when connected directly to the server, I look at the image next. If you manually restore the image to the client system, will it boot? That often points toward the client’s build train being newer than the image, a MAC address or machine type filter, and so on. The same question can often be answered by using an older machine that you know is allowed by the MAC or machine type filters. If the client boots with the image restored to it but no clients can NetBoot, even when connected directly to the server (or on a flat switching and routing topology), then make sure DHCP is on.

Those are the most basic steps. But what if you’ve got multiple subnets? Then the bless command may very well be your friend. Not very scalable? Then look at configuring BOOTP relays. bootpd is built into every Mac: open /etc/bootpd.plist and look for the keys that enable a relay (relay_enabled, and then relay_ip_list, which is an array). Configure those as needed and use launchctl to start bootpd. Still having problems? Use launchctl to stop and unload bootpd, then start it again by hand with /usr/libexec/bootpd -dv so it runs in the foreground with lots and lots of logging. Find the client in the DHCP table and watch the conversation from the client. No conversation means the client still isn’t finding the NetBoot server; if there is a conversation, the problem will show itself in bootpd’s verbose output.

There are bound to be tons of other things, but I’d wager the steps above cover 99% of the cases I’ve seen, so I hope they help you too. Happy NetBooting!

August 26th, 2009

Posted In: Mac OS X, Mac OS X Server, Mass Deployment


Tor is a tool that proxies your online communications through a chain of randomly selected relays around the world, effectively anonymizing your Internet traffic. Tor is free, but it is an anonymity service rather than an end-to-end encryption service: traffic is encrypted between you and the Tor exit relay, but the exit relay hands it to the destination in whatever form you sent it, so anything that isn’t already wrapped in TLS (https and the like) is readable by the exit.

Privoxy is a non-caching proxy with a certain amount of filtering built in. Many use privoxy for ad removal, but it can also be used to filter and forward traffic for Tor. Installers are available from the Privoxy project; once it is installed you can reach its built-in configuration page from a browser that is pointed at the proxy. Privoxy is also a command line program, so you can print its usage with the following command:

privoxy --help

By default privoxy will install the following files on your system:

  • /usr/sbin/privoxy
  • /etc/privoxy/config
  • /etc/privoxy/match-all.action
  • /etc/privoxy/default.action
  • /etc/privoxy/user.action
  • /etc/privoxy/default.filter
  • /etc/privoxy/user.filter
  • /etc/privoxy/trust
  • /etc/privoxy/templates/*
  • /var/log/privoxy/logfile

But you don’t have to install any of that, or use it by hand: you can, but you don’t have to. The Vidalia Tor installer bundle installs privoxy, Vidalia, Tor and the Torbutton extension for Firefox. Run the installer package with all of the defaults and reboot when it asks. Once complete, open Firefox (the first time, it will install the extension; quit Firefox and reopen it to activate it) and you’ll see Tor Disabled in the lower right hand corner of the window. Click it to switch Firefox over to Tor; click it again to disable Tor.

Overall, this is a nice and sleek design for anonymous web browsing. Obviously, if you use it to log into your Twitter account, that session isn’t anonymous. But browsing and posting to sites does not link back to your IP address, which is the key thing Tor provides. You’re still connecting over standard protocols, though, and it bears repeating that Tor is a service dedicated to anonymity, not to end-to-end encryption: use https (or another encrypted protocol) for anything you don’t want the exit relay, or whoever is watching it, to read.
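For readers who install privoxy by hand rather than through the bundle, the part that actually ties it to Tor is two lines in the privoxy config file. This is an added example, not a fragment from the original post or from the bundle’s own files; it assumes Tor is listening on its default SOCKS port, 127.0.0.1:9050, and that you want privoxy reachable only from the local machine on its conventional port 8118.

```conf
# Added example, not from the original post. Chains Privoxy to a local Tor client.
# Assumes Tor's SOCKS listener is on its default 127.0.0.1:9050.
#
# socks4a (rather than socks4) passes the hostname through to Tor, so DNS lookups
# happen inside the Tor network instead of going to your local resolver, which
# would otherwise leak the names of the sites you visit. The trailing "." means
# there is no further parent HTTP proxy beyond Tor.
forward-socks4a / 127.0.0.1:9050 .

# Listen on loopback only so the proxy is not offered to the rest of the LAN.
listen-address 127.0.0.1:8118
```

Newer privoxy releases also offer forward-socks5t for the same purpose; the important property in either case is that name resolution is delegated to Tor. Point the browser at 127.0.0.1:8118 as its HTTP proxy, and check for a Tor exit address in whatever “what is my IP” page you trust before relying on it.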

July 31st, 2009

Posted In: Mac OS X, Mac Security


Save time: don’t touch a lot of photos one at a time. You can resize images en masse using a variety of tools on the Mac or Windows, most notably Photoshop, but there are also less expensive and even free ones out there. For example, RightThumb lets you resize images, filter images, change formats, add prefixes, etc. Nice little tool, and free to boot.

October 22nd, 2007

Posted In: Windows Server, Windows XP


Firefox users who wish to filter browsing (block pages containing filtered words, etc.) can use ProCon Latte, a Firefox add-on. ProCon installs as a regular add-on and can easily be deployed alongside Firefox.

January 16th, 2007

Posted In: Mac OS X, Mac OS X Server, Mac Security, Windows XP
