Products | Versions |
---|---|
Spotfire Server | All versions |
Sometimes you may want to compare different Active Directory (AD) service accounts or examine their attributes, for example to verify the delegation settings of the Spotfire Server and Node Manager service accounts when using Kerberos authentication.

```powershell
$FormatEnumerationLimit=-1
Get-AdUser ServiceAccount -Properties *,msDS-KeyVersionNumber,msDS-PrincipalName | out-string -width 4096
```
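
If the Active Directory PowerShell module is not yet available on the machine, install and import it first:

```powershell
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
import-module activedirectory
```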

Example session:

```
PS C:\Windows\system32> Import-Module ServerManager
PS C:\Windows\system32> Add-WindowsFeature RSAT-AD-PowerShell

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Remote Server Administration Tools, Activ...

PS C:\Windows\system32> import-module activedirectory
PS C:\Windows\system32> $FormatEnumerationLimit=-1
PS C:\Windows\system32> Get-AdUser ServiceAccount -Properties *,msDS-KeyVersionNumber,msDS-PrincipalName | out-string -width 4096

AccountExpirationDate :
accountExpires : 9223372036854775807
AccountLockoutTime :
AccountNotDelegated : False
AllowReversiblePasswordEncryption : False
AuthenticationPolicy : {}
AuthenticationPolicySilo : {}
BadLogonCount : 0
badPasswordTime : 0
badPwdCount : 0
CannotChangePassword : False
CanonicalName : sampledomain.local/foo/ServiceAccount
Certificates : {}
City :
CN : ServiceAccount
codePage : 0
Company :
CompoundIdentitySupported : {}
Country :
countryCode : 0
Created : 7/4/2018 3:46:07 PM
createTimeStamp : 7/4/2018 3:46:07 PM
Deleted :
Department :
Description :
DisplayName : ServiceAccount
DistinguishedName : CN=ServiceAccount,OU=foo,DC=sampledomain,DC=local
Division :
DoesNotRequirePreAuth : False
dSCorePropagationData : {9/5/2019 11:30:21 PM, 9/5/2019 9:56:29 PM, 8/30/2019 8:02:58 AM, 1/1/1601 1:04:17 AM}
EmailAddress :
EmployeeID :
EmployeeNumber :
Enabled : True
Fax :
GivenName :
HomeDirectory :
HomedirRequired : False
HomeDrive :
HomePage :
HomePhone :
Initials :
instanceType : 4
isDeleted :
KerberosEncryptionType : {}
LastBadPasswordAttempt :
LastKnownParent :
lastLogoff : 0
lastLogon : 132133551308070193
LastLogonDate : 9/15/2019 1:52:09 AM
lastLogonTimestamp : 132129787298475824
LockedOut : False
logonCount : 39798
LogonWorkstations :
Manager :
MemberOf : {}
MNSLogonAccount : False
MobilePhone :
Modified : 9/15/2019 1:52:09 AM
modifyTimeStamp : 9/15/2019 1:52:09 AM
msDS-AllowedToDelegateTo : {http/othermachine.sampledomain.local, http/OTHERMACHINE}
msDS-KeyVersionNumber : 7
msDS-PrincipalName : SAMPLEDOMAIN\ServiceAccount
msDS-User-Account-Control-Computed : 0
Name : ServiceAccount
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=sampledomain,DC=local
ObjectClass : user
ObjectGUID : ead579ac-5e5a-45f7-bf94-d0c5d0596c8b
objectSid : S-1-5-21-4008232206-4678059366-3390115727-3625
Office :
OfficePhone :
Organization :
OtherName :
PasswordExpired : False
PasswordLastSet : 9/13/2018 2:15:17 PM
PasswordNeverExpires : True
PasswordNotRequired : False
POBox :
PostalCode :
PrimaryGroup : CN=Domain Users,CN=Users,DC=sampledomain,DC=local
primaryGroupID : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath :
ProtectedFromAccidentalDeletion : False
pwdLastSet : 131813145175461227
SamAccountName : ServiceAccount
sAMAccountType : 805306368
ScriptPath :
sDRightsEffective : 15
servicePrincipalName : {HTTP/mymachine.sampledomain.local, HTTP/mymachine}
ServicePrincipalNames : {HTTP/mymachine.sampledomain.local, HTTP/mymachine}
SID : S-1-5-21-4008232206-4678059366-3390115727-3625
SIDHistory : {}
SmartcardLogonRequired : False
State :
StreetAddress :
Surname :
Title :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UseDESKeyOnly : False
userAccountControl : 66048
userCertificate : {}
UserPrincipalName : HTTP/mymachine.sampledomain.local@sampledomain.local
uSNChanged : 9462562
uSNCreated : 6017631
whenChanged : 9/15/2019 1:52:09 AM
whenCreated : 7/4/2018 3:46:07 PM
```

Attributes that can be useful when troubleshooting Kerberos authentication include the delegation settings (msDS-AllowedToDelegateTo), when the account was last modified (modifyTimeStamp), when the password was last changed (PasswordLastSet), and the SPNs for the account (servicePrincipalName).
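
To compare two service accounts rather than reading two full dumps side by side, the following added example (not part of the original article or of Spotfire) reports only the Kerberos-relevant attributes that differ. The helper name `Compare-KerberosAccount`, the `NodeManagerAccount` name and the second account's values are assumptions made for illustration; the attribute names are the ones shown in the output above.

```powershell
# Added example, not vendor code. Attribute names are taken from the Get-ADUser output above.
$KerberosAttributes = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
    'TrustedForDelegation', 'TrustedToAuthForDelegation', 'AccountNotDelegated',
    'KerberosEncryptionType', 'msDS-KeyVersionNumber', 'PasswordLastSet', 'modifyTimeStamp'

function Compare-KerberosAccount {
    # Hypothetical helper: emits one row per attribute whose value differs.
    param(
        [Parameter(Mandatory)] $Reference,
        [Parameter(Mandatory)] $Difference
    )
    foreach ($name in $KerberosAttributes) {
        # Multi-valued attributes (SPNs, delegation targets) are sorted so that
        # ordering alone is never reported as a difference; empty values become ''.
        $ref  = @($Reference.$name  | Where-Object { $null -ne $_ } | Sort-Object) -join '; '
        $diff = @($Difference.$name | Where-Object { $null -ne $_ } | Sort-Object) -join '; '
        if ($ref -ne $diff) {
            [pscustomobject]@{ Attribute = $name; Reference = $ref; Difference = $diff }
        }
    }
}

# Constructed sample objects standing in for Get-ADUser results, so the example
# runs without a domain. The first mirrors the output shown above.
$server = [pscustomobject]@{
    SamAccountName             = 'ServiceAccount'
    servicePrincipalName       = 'HTTP/mymachine.sampledomain.local', 'HTTP/mymachine'
    'msDS-AllowedToDelegateTo' = 'http/othermachine.sampledomain.local', 'http/OTHERMACHINE'
    TrustedForDelegation       = $false
    TrustedToAuthForDelegation = $false
    AccountNotDelegated        = $false
    KerberosEncryptionType     = @()
    'msDS-KeyVersionNumber'    = 7
    PasswordLastSet            = [datetime]'2018-09-13T14:15:17'
    modifyTimeStamp            = [datetime]'2019-09-15T01:52:09'
}
# Made-up second account: no constrained delegation targets, unconstrained
# delegation enabled, different key version.
$nodeManager = $server.PSObject.Copy()
$nodeManager.SamAccountName             = 'NodeManagerAccount'
$nodeManager.'msDS-AllowedToDelegateTo' = @()
$nodeManager.TrustedForDelegation       = $true
$nodeManager.'msDS-KeyVersionNumber'    = 3

Compare-KerberosAccount -Reference $server -Difference $nodeManager | Format-Table -AutoSize -Wrap

# Against a live domain (requires the ActiveDirectory module), pass Get-ADUser results:
#   $p = '*', 'msDS-KeyVersionNumber'
#   Compare-KerberosAccount (Get-ADUser AccountA -Properties $p) (Get-ADUser AccountB -Properties $p)
```

A row for `TrustedForDelegation` or `msDS-AllowedToDelegateTo` means the two accounts are not configured for the same kind of delegation, which is the first thing to reconcile when Kerberos works for one service and not the other.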