How to get detailed information about service accounts from Active Directory


Article ID: KB0077151


Product: Spotfire Server
Versions: All versions

Description

Sometimes you may want to compare different Active Directory (AD) service accounts or examine their attributes. For example, to verify delegation settings for Spotfire Server, Node Manager service accounts when using Kerberos authentication.

Issue/Introduction

This article contains PowerShell commands to retrieve the value of any attribute of an existing user account in Active Directory.

Resolution

To retrieve the value of any attribute of an existing user account in AD, follow these steps:
  • On a Windows Server machine, run Windows PowerShell.
  • Change the $FormatEnumerationLimit Windows PowerShell preference variable so that the console shows every item of multi-valued attributes instead of truncating them. Set it to unlimited (-1):
$FormatEnumerationLimit=-1
  • Get all properties of the service account, formatted so that long strings are not cut off (replace ServiceAccount with the desired account name):
Get-AdUser ServiceAccount -Properties *,msDS-KeyVersionNumber,msDS-PrincipalName | out-string -width 4096
  • If the Active Directory module is not available, run the following commands in a PowerShell session started as Administrator before changing the enumeration limit and listing the properties (the two commands above):
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
import-module activedirectory
  • An example of the commands and sample output:
PS C:\Windows\system32> Import-Module ServerManager
PS C:\Windows\system32> Add-WindowsFeature RSAT-AD-PowerShell

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Remote Server Administration Tools, Activ...


PS C:\Windows\system32> import-module activedirectory
PS C:\Windows\system32> $FormatEnumerationLimit=-1
PS C:\Windows\system32> Get-AdUser ServiceAccount -Properties *,msDS-KeyVersionNumber,msDS-PrincipalName | out-string -width 4096


AccountExpirationDate                :
accountExpires                       : 9223372036854775807
AccountLockoutTime                   :
AccountNotDelegated                  : False
AllowReversiblePasswordEncryption    : False
AuthenticationPolicy                 : {}
AuthenticationPolicySilo             : {}
BadLogonCount                        : 0
badPasswordTime                      : 0
badPwdCount                          : 0
CannotChangePassword                 : False
CanonicalName                        : sampledomain.local/foo/ServiceAccount
Certificates                         : {}
City                                 :
CN                                   : ServiceAccount
codePage                             : 0
Company                              :
CompoundIdentitySupported            : {}
Country                              :
countryCode                          : 0
Created                              : 7/4/2018 3:46:07 PM
createTimeStamp                      : 7/4/2018 3:46:07 PM
Deleted                              :
Department                           :
Description                          :
DisplayName                          : ServiceAccount
DistinguishedName                    : CN=ServiceAccount,OU=foo,DC=sampledomain,DC=local
Division                             :
DoesNotRequirePreAuth                : False
dSCorePropagationData                : {9/5/2019 11:30:21 PM, 9/5/2019 9:56:29 PM, 8/30/2019 8:02:58 AM, 1/1/1601 1:04:17 AM}
EmailAddress                         :
EmployeeID                           :
EmployeeNumber                       :
Enabled                              : True
Fax                                  :
GivenName                            :
HomeDirectory                        :
HomedirRequired                      : False
HomeDrive                            :
HomePage                             :
HomePhone                            :
Initials                             :
instanceType                         : 4
isDeleted                            :
KerberosEncryptionType               : {}
LastBadPasswordAttempt               :
LastKnownParent                      :
lastLogoff                           : 0
lastLogon                            : 132133551308070193
LastLogonDate                        : 9/15/2019 1:52:09 AM
lastLogonTimestamp                   : 132129787298475824
LockedOut                            : False
logonCount                           : 39798
LogonWorkstations                    :
Manager                              :
MemberOf                             : {}
MNSLogonAccount                      : False
MobilePhone                          :
Modified                             : 9/15/2019 1:52:09 AM
modifyTimeStamp                      : 9/15/2019 1:52:09 AM
msDS-AllowedToDelegateTo             : {http/othermachine.sampledomain.local, http/OTHERMACHINE}
msDS-KeyVersionNumber                : 7
msDS-PrincipalName                   : SAMPLEDOMAIN\ServiceAccount
msDS-User-Account-Control-Computed   : 0
Name                                 : ServiceAccount
nTSecurityDescriptor                 : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                       : CN=Person,CN=Schema,CN=Configuration,DC=sampledomain,DC=local
ObjectClass                          : user
ObjectGUID                           : ead579ac-5e5a-45f7-bf94-d0c5d0596c8b
objectSid                            : S-1-5-21-4008232206-4678059366-3390115727-3625
Office                               :
OfficePhone                          :
Organization                         :
OtherName                            :
PasswordExpired                      : False
PasswordLastSet                      : 9/13/2018 2:15:17 PM
PasswordNeverExpires                 : True
PasswordNotRequired                  : False
POBox                                :
PostalCode                           :
PrimaryGroup                         : CN=Domain Users,CN=Users,DC=sampledomain,DC=local
primaryGroupID                       : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath                          :
ProtectedFromAccidentalDeletion      : False
pwdLastSet                           : 131813145175461227
SamAccountName                       : ServiceAccount
sAMAccountType                       : 805306368
ScriptPath                           :
sDRightsEffective                    : 15
servicePrincipalName                 : {HTTP/mymachine.sampledomain.local, HTTP/mymachine}
ServicePrincipalNames                : {HTTP/mymachine.sampledomain.local, HTTP/mymachine}
SID                                  : S-1-5-21-4008232206-4678059366-3390115727-3625
SIDHistory                           : {}
SmartcardLogonRequired               : False
State                                :
StreetAddress                        :
Surname                              :
Title                                :
TrustedForDelegation                 : False
TrustedToAuthForDelegation           : False
UseDESKeyOnly                        : False
userAccountControl                   : 66048
userCertificate                      : {}
UserPrincipalName                    : HTTP/mymachine.sampledomain.local@sampledomain.local
uSNChanged                           : 9462562
uSNCreated                           : 6017631
whenChanged                          : 9/15/2019 1:52:09 AM
whenCreated                          : 7/4/2018 3:46:07 PM
Attributes that are often of interest when troubleshooting Kerberos authentication include the delegation settings (msDS-AllowedToDelegateTo), when the account was last modified (modifyTimeStamp), when the password was last changed (PasswordLastSet), and the SPNs registered for the account (servicePrincipalName).
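As an added example that is not part of the original article, the following PowerShell function collects only the Kerberos-relevant attributes discussed above for one or more accounts and decodes the userAccountControl bit flags (for instance, the value 66048 in the sample output is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD), so the Spotfire Server and Node Manager service accounts can be compared side by side. The function name and the account names in the usage line are placeholders; the flag values are the Microsoft-documented userAccountControl bits.

```powershell
# Added example (not from the KB article): summarise the Kerberos-relevant
# attributes of one or more service accounts for side-by-side comparison.
# Assumes the ActiveDirectory module is installed (see the steps above).
Import-Module ActiveDirectory

# Subset of the documented userAccountControl bit flags.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0000002
    PASSWD_NOTREQD                 = 0x0000020
    NORMAL_ACCOUNT                 = 0x0000200
    DONT_EXPIRE_PASSWORD           = 0x0010000
    TRUSTED_FOR_DELEGATION         = 0x0080000
    NOT_DELEGATED                  = 0x0100000
    USE_DES_KEY_ONLY               = 0x0200000
    DONT_REQ_PREAUTH               = 0x0400000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function Get-ServiceAccountKerberosSummary {
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    # Attribute names containing hyphens must be quoted when used as property names.
    $props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
             'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'PasswordLastSet', 'modifyTimeStamp', 'userAccountControl',
             'msDS-KeyVersionNumber', 'KerberosEncryptionType'

    foreach ($name in $SamAccountName) {
        $u   = Get-ADUser -Identity $name -Properties $props
        $uac = [int]$u.userAccountControl
        # Keep only the flag names whose bit is set in userAccountControl.
        $setFlags = $UacFlags.Keys | Where-Object { ($uac -band $UacFlags[$_]) -ne 0 }

        [pscustomobject]@{
            Account            = $u.SamAccountName
            SPNs               = ($u.servicePrincipalName -join '; ')
            ConstrainedTo      = ($u.'msDS-AllowedToDelegateTo' -join '; ')
            Unconstrained      = $u.TrustedForDelegation
            ProtocolTransition = $u.TrustedToAuthForDelegation
            KeyVersion         = $u.'msDS-KeyVersionNumber'
            EncryptionTypes    = "$($u.KerberosEncryptionType)"
            PasswordLastSet    = $u.PasswordLastSet
            Modified           = $u.modifyTimeStamp
            UacFlags           = ($setFlags -join ', ')
        }
    }
}

# Usage: compare two service accounts (placeholder account names).
Get-ServiceAccountKerberosSummary -SamAccountName 'SpotfireServerSvc', 'NodeManagerSvc' |
    Format-List
```

An empty ConstrainedTo column together with Unconstrained = False means no delegation is configured for that account, which is the first thing to check when a Kerberos delegation scenario fails.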

Additional Information

External: Get-ADUser (from Microsoft documentation - "Windows 10 and Windows Server 2016 PowerShell")