Finding the source for locked AD account from Event Viewer log on Domain controller

It’s actually really simple, but you’ll need administrator access on the domain controller in order to read the security event log so you might have to consult upper sys admins.

Event Viewer won’t let you filter or sort these events by username, so if you’re managing a huge enterprise with thousands of users this can be a bit tedious. On the other hand, if that’s the case you probably already have better tools for the job.

Anyway, all invalid login attempts are logged as event id 4776 (Credential Validation).

  1. Open Event Viewer and connect to domain controller
  2. Go to Windows Logs -> Security
  3. Click on Filter Current Log... in the right navigation menu
  4. Enter 4776 into the input field which says <All Event IDs>
  5. Browse through the invalid login attempts until you find the one that belongs to your user and look in the description text field for the line “Source Workstation:    hostname”
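Since Event Viewer won’t filter these events by account, here is an added example (not from the original post) that does it in a POSIX shell over a text export of the 4776 events. It assumes the export was produced with wevtutil on the domain controller; the sample log embedded in it is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Reads a text export of
# Event ID 4776 (Credential Validation) events on stdin and prints, for one
# account, the Source Workstation and Error Code of every event naming it.
# Assumes the export was made on the domain controller with something like
#   wevtutil qe Security /q:"*[System[EventID=4776]]" /f:text > 4776.txt
# so each description keeps its "Field name: value" lines.
lockout_sources() {
  awk -v target="$1" '
    # strip "Field name:" and surrounding whitespace from a description line
    function val(line) {
      sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t\r]+$/, "", line); return line
    }
    /^[ \t]*Logon Account:/      { acct = val($0) }
    /^[ \t]*Source Workstation:/ { ws = val($0) }
    # Error Code is the last field of a 4776 description, so report here.
    # 0xC000006A = wrong password, 0xC0000234 = account already locked out.
    /^[ \t]*Error Code:/ {
      if (acct == target) printf "%s %s\n", ws, val($0)
      acct = ""; ws = ""
    }'
}

# Constructed sample export (not a real log): two bad attempts for jdoe from
# one workstation, and one successful validation for asmith.
sample_export() {
  cat <<'EOF'
Event[0]:
  Log Name: Security
  Event ID: 4776
  Description:
The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: jdoe
Source Workstation: WS-FINANCE-07
Error Code: 0xC000006A

Event[1]:
Logon Account: asmith
Source Workstation: WS-HR-02
Error Code: 0x0

Event[2]:
Logon Account: jdoe
Source Workstation: WS-FINANCE-07
Error Code: 0xC0000234
EOF
}
```

Run it as `lockout_sources jdoe < 4776.txt` (or `sample_export | lockout_sources jdoe` to try the constructed data); each output line is the workstation that sent the attempt followed by the error code.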

Create a su command for Windows Command Prompt

As an IT tech I often have to open my command prompt as my domain administrator user which has administrator access on remote computers. I always forget to right-click cmd and choose “Run as …” so I figured out a little shortcut for those times to mimic the su function in Linux.

Please note this won’t turn your currently open command prompt into an elevated one, it will just run a new cmd.exe process as the user you need.

Open an elevated command prompt and change directory to %windir%\system32 and run this command:

echo runas /user:domain\username "cmd" > sudo.bat

Now you can type “sudo” wherever (in your Run window or an existing cmd prompt) and it will prompt you for the password and open a new cmd window with the pre-defined user.

mstsc.exe blocks Alt Gr

From time to time my Alt Gr button seems to stop working, which I use for several special characters like @.

Turns out the problem is related to the process mstsc.exe (Microsoft Windows Remote Desktop).

Solution: Close any RDP windows you have open (no need to logout, just close them). Voila, Alt Gr works as intended again. Now you can reopen them and hope it doesn’t happen again.

You should also be aware of the temporary solution: Pressing CTRL + ALT is the same as Alt Gr – in case you can’t close the current RDP windows for any reason.

This minor, yet very infuriating issue, has been present on my computer(s) for several years, both Windows 7 and Windows 10.

Add remote access to MySQL server

Follow the commands below to set up a new user and open up remote access to a specific database on your MySQL server.

$ mysql -u root -p
    Enter your MySQL root password.
mysql> CREATE USER 'itdb_admin';
mysql> CREATE DATABASE itdb_db;
mysql> GRANT ALL PRIVILEGES ON itdb_db.* to 'itdb_admin'@'%' IDENTIFIED BY 'my-password' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;
mysql> EXIT;
$ sudo nano /etc/mysql/my.cnf
    Comment the following line (to disable it):
    bind-address        = 127.0.0.1
$ sudo service mysql restart

Quick summary:

1) Open the MySQL CLI
2) Create a new database
3) Create a new user
4) Give the user full access to the database. Notice the '%' after the @: it is a host wildcard, so this grant applies to connections from any remote host. The same user can have different access levels depending on where the connection comes from (remote or local)
5) Flush/refresh the privileges so they become active
6) Comment out bind-address so the MySQL server listens on all interfaces instead of only localhost (127.0.0.1)
7) Restart the MySQL service to reload the config file
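The same setup with the scope tightened, added here as an example (not from the original post): the account may only connect from one admin host instead of '%', gets no WITH GRANT OPTION, and bind-address is set to the server’s own LAN address instead of being commented out. The host addresses and the GNU `sed -i` flag are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Same steps as above, but the
# remote account is limited to one admin host instead of '%' (any host), gets
# no WITH GRANT OPTION, and bind-address is pointed at the server's LAN address
# rather than commented out (which makes MySQL listen on every interface).
# Hypothetical values: itdb_admin, itdb_db, admin host 10.0.0.5, server 10.0.0.2.

# Print the SQL for a remote user that may only connect from $3.
grant_sql() {           # $1 user  $2 database  $3 allowed host  $4 password
  cat <<EOF
CREATE USER '$1'@'$3' IDENTIFIED BY '$4';
GRANT ALL PRIVILEGES ON $2.* TO '$1'@'$3';
FLUSH PRIVILEGES;
EOF
}

# Print the bind-address currently configured in a my.cnf-style file; prints
# nothing when the line is absent or commented out (i.e. listening everywhere).
bind_address() {
  sed -n 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Rewrite bind-address in place (uncommenting it if needed) to the given address.
# Uses GNU sed -i; on BSD/macOS sed use -i '' instead.
set_bind_address() {    # $1 config file  $2 address
  sed -i "s/^[[:space:]]*#\{0,1\}[[:space:]]*bind-address[[:space:]]*=.*/bind-address = $2/" "$1"
}

# By hand on the server (not executed when this file is sourced):
#   grant_sql itdb_admin itdb_db 10.0.0.5 'my-password' | mysql -u root -p
#   sudo sh -c '. ./mysql-remote.sh; set_bind_address /etc/mysql/my.cnf 10.0.0.2'
#   sudo service mysql restart
```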

Setup reverse SSH tunnel

Here’s a quick example for setting up reverse SSH tunnels on clients which can then be reached via the server from anywhere. This example presumes all the client computers have some sort of unique ID/hostname, like 9001, 9002, 9003, 9004 etc. Let’s say we have 10 clients stuck behind a firewall we’d like to access.

Start the SSH server on all clients like this:

ssh -R 1xxxx:localhost:22 user@server.com   # replace xxxx with this client's unique id

Now we have all our clients set up with a reverse ssh tunnel.
If we’d like to ssh into id 9003 we run the following command from the server:

ssh user@localhost -p 19003

Let’s ssh into 9005 instead:

ssh user@localhost -p 19005

Replace user with a local user on the client machine.

Example

I want to ssh into my Raspberry Pi. Local username is pi.

  • Step 1 – set up the reverse ssh tunnel on the Raspberry Pi:
    ssh -R 19999:localhost:22 kek@it-db.com
  • Step 2 – from my “it-db.com” server I run the following command:
    ssh pi@localhost -p 19999

Combining with sshpass and autossh

sshpass -p "mypassword" autossh -R 19999:localhost:22 user@server.com
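The same tunnel as a client-side wrapper script, added here as an example rather than taken from the original post: it derives the port from the client ID, validates it, and runs autossh with keepalives. It assumes a dedicated key at ~/.ssh/tunnel_key is already authorized on the server, which is what lets it drop sshpass and keep the password off the command line.

```shell
#!/bin/sh
# Added example, not from the original post: one wrapper script for the
# clients so each derives its tunnel port from its ID and reconnects on its
# own. Assumes an SSH key at ~/.ssh/tunnel_key whose public half is already in
# the server user's authorized_keys, so no password is put on the command line
# (where sshpass -p leaves it visible to every local user via ps).

# Map a client ID to its port the way the post does: 9003 -> 19003.
tunnel_port() {
  case "$1" in
    [0-9][0-9][0-9][0-9]) echo "1$1" ;;
    *) echo "tunnel_port: client id must be exactly 4 digits, got '$1'" >&2; return 1 ;;
  esac
}

# Build the autossh command for a client. -M 0 turns off autossh's own
# monitor port and relies on ssh keepalives instead; ExitOnForwardFailure makes
# ssh exit (and autossh retry) if the remote port is still held by a stale
# session, instead of silently running without the tunnel. -N: no remote shell.
tunnel_cmd() {          # $1 client id  $2 user@server
  port=$(tunnel_port "$1") || return 1
  printf 'autossh -M 0 -N -i ~/.ssh/tunnel_key %s %s -R %s:localhost:22 %s' \
    '-o ServerAliveInterval=30 -o ServerAliveCountMax=3' \
    '-o ExitOnForwardFailure=yes' "$port" "$2"
}

# Run as:  ./tunnel.sh 9003 user@server.com
if [ "$#" -eq 2 ]; then
  eval "$(tunnel_cmd "$1" "$2")"
fi
```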

Create a daemon for Linux

#!/bin/sh
# /etc/init.d/daemond

### BEGIN INIT INFO
# Provides:             daemond
# Required-Start:       $remote_fs $syslog
# Required-Stop:        $remote_fs $syslog
# Default-Start:        2 3 4 5
# Default-Stop:         0 1 6
# Short-Description:    Skeleton daemon
# Description:          Skeleton daemon
### END INIT INFO

case "$1" in
    start)
        # replace with the command that launches your daemon
        echo 'hello world'
        ;;
    stop)
        # -q: stay quiet if no process named daemond is running
        killall -q daemond
        ;;
    *)
        echo "Usage: /etc/init.d/daemond {start|stop}"
        exit 1
        ;;
esac

exit 0

Add custom scripts to Powershell user scope

Today I had to google how to find out my Powershell version. How fucked up is that. Luckily 1680 other people wondered the same and appreciated this answer: http://stackoverflow.com/questions/1825585/determine-installed-powershell-version

Turns out the command is: (ignore PS C:\>, that’s just to indicate a Powershell)

PS C:\> $PSVersionTable.PSVersion

No way I’m going to remember that. Luckily, StackOverflow user @ADTC mentioned he made a function to output the version.
Open notepad and write the function to the file at the path stored in $profile.

PS C:\> notepad $profile

Insert the function:

function psver { 
    $PSVersionTable; 
    $PSVersionTable.PSVersion 
}

Reload your profile in the current Powershell session by running

PS C:\> . $profile

Now you can enter psver to output the version. Beautiful!

If you got an error when running notepad $profile that the file can’t be found, then simply enter $profile in your Powershell window to output the path and create the file manually in Windows Explorer.

Still delivering Out-Of-Office warning even though it’s turned off

Vacation’s over, back to work. However, Outlook still tells people I’m out of office. I wish…
For no apparent reason this seems to randomly happen with our users sometimes.

In an attempt to fix it we’ve tried the usual:

  • Start Outlook in safe mode and check that it’s indeed turned off
  • Check that it’s also turned off in our Exchange server for the user

Luckily we found a work-around using MFCMAPI which seems to fix the issue.
Be careful though, MFCMAPI talks directly to Exchange and it can mess up your Exchange account if pressing random buttons recklessly.

Step 1
Download MFCMAPI from http://mfcmapi.codeplex.com
Note that you must download the same architecture as your Outlook is running. 64-bit MFCMAPI won’t work with 32-bit Outlook.

Step 2
Close Outlook and open mfcmapi.exe
Click on Session -> Logon in the top menu and pick your Outlook profile.

Step 3
You should see a list of accounts connected to the Outlook profile you chose in the last step.
Click on your account, scroll down in the properties list until you see PR_OOF_STATE, PidTagOutOfOffice.... This will be set to True if OOF is activated. Double-click on this property and uncheck the Boolean checkbox in the dialog window. Click OK followed by Session -> Log off in the top menu. OOF should finally be disabled.

Simple Robocopy backup script

Robocopy syntax to copy all NEW or EDITED files from source to destination dir:

robocopy "%src%" "%dest%" /E /W:1 /R:1 /XC /log+:"robocopy_log.txt"

Description of the parameters:

  • /E = Copies subdirectories. Note that this option includes empty directories. If you wish to exclude empty directories, use /S.
  • /W:1 = Specifies the wait time between retries, in seconds. The default value of N is 30 (wait time 30 seconds).
  • /R:1 = Specifies the number of retries on failed copies. The default value of N is 1,000,000 (one million retries).
  • /XC = Excludes changed files (files with the same timestamp as the destination copy but a different size).
  • /log+: = Writes the status output to the log file (appends the output to the existing log file).

Windows batch script to set up a scheduled task to run the robocopy command:

@echo off
title Robocopy Backup
echo.
echo Initial configuration for automatic backup with Robocopy + Task Scheduler
echo.

echo Step 1 - setup Robocopy:
echo.
set /p src=Backup FROM dir: 
set /p dest=Backup TO dir: 
(
echo cd %userprofile%\Desktop
echo robocopy "%src%" "%dest%" /E /W:1 /R:1 /XC /log+:"robocopy_log.txt"
)> %userprofile%\robocopy.bat

echo.
echo Step 2 - setup Task Scheduler:
echo.
schtasks /create /tn "Robocopy Backup" /tr "%userprofile%\robocopy.bat" /SC HOURLY
echo.
echo Done
echo.

pause

Copy & paste the text into a text editor and save it as a .bat file to make it executable.

When running this script you will set up a scheduled task which runs the robocopy.bat file every hour. Really great and time-saving if you work in a local folder on your C drive and wish to periodically take incremental backups to a network storage for instance.

Map network share without being on domain

Windows

Please note you must have access to a user account with NTFS permissions to access the file share (unless it’s open to everyone).

  • Open command prompt
  • Type the following command:
    net use x: \\server\share /user:domain\username password

Example:
net use y: \\itdb1\home /user:itdb\kek 123456

If the share is open for everyone, you can omit the user arguments:
net use y: \\itdb1\home

Keep in mind that if you already are on the domain and try to map a network share with another user than you’re currently logged in with, you will see the error message:

System error 1219 has occurred.

Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.

Linux

Linux can also mount these Windows (SMB/CIFS) shares. Run the following commands in your terminal:

  • Create a folder which will be used for connecting to the share:
    $ sudo mkdir /mnt/ShareName
  • Mount the network share to your folder:
    • Without user authentication:
      $ sudo mount -t cifs //server/share /mnt/ShareName
    • With user authentication (quote the options so the shell does not swallow the backslash in domain\user):
      $ sudo mount -t cifs -o 'username=itdb\kek,password=123456' //itdb1/home /mnt/ShareName
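The same mount with a credentials file, added here as an example (not from the original post), so the password does not end up in shell history and in the process list for anyone running ps. The file path, domain and user values are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: mount the share with a
# credentials file instead of putting the password on the command line, where
# it lands in shell history and is visible to other users via ps. Hypothetical
# values: domain itdb, user kek, share //itdb1/home, mount point /mnt/ShareName.

# Write a mount.cifs credentials file readable only by its owner.
write_smb_credentials() {   # $1 file  $2 domain  $3 username  $4 password
  old_umask=$(umask)
  umask 077                 # file is created 0600, never group/world-readable
  printf 'domain=%s\nusername=%s\npassword=%s\n' "$2" "$3" "$4" > "$1"
  umask "$old_umask"
}

# Build the mount command; the domain\user split is done inside the file, so
# no backslash has to survive the shell. uid/gid make the mounted files owned
# by the invoking desktop user instead of root.
mount_cmd() {               # $1 credentials file  $2 //server/share  $3 mount point
  printf 'sudo mount -t cifs -o credentials=%s,uid=%s,gid=%s %s %s' \
    "$1" "$(id -u)" "$(id -g)" "$2" "$3"
}

# By hand (not executed when this file is sourced):
#   write_smb_credentials "$HOME/.smbcredentials" itdb kek 123456
#   eval "$(mount_cmd "$HOME/.smbcredentials" //itdb1/home /mnt/ShareName)"
```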