Powershell. Notify Users by email if their accounts is close to expiration date.

Here is a script which will help you to notify users if their account will be expired soon.
In my case I will use this script to notify 3rd users that they need to write request if prolongation required.

You can download script from here.

Have a nice Day.

Catch Memory Leak in Non Paged Pool

Here is a quick example about how to find out why our “favorite” task manager don’t show who allocate all RAM.
Here is my screen from physical server which is running out of memory.
And everything ok from details tab because kernel memory doesn’t included in the view.

There is poolmon.exe utility from MS which will list kernel memory.
Of course you need to download 100500 GB image file and install almost all applications in the Universe from Microsoft to get 28 Kilobytes poolmon.

I`ve archived poolmon for x86 and x64 and you can directly download from here.

You just need to execute it from cmd.

ALPC driver which ate all memory.
Now from :\Windows\System32\Drivers run findstr to find which file contain this string.
pcmcie.sys in my case the reason why my server is stuck.

Have a Good Day.

Change TimeZone and DST setting via Group Policy. Step-by-Step Guide.

Dear Colleagues from Azerbaijan, Now Time will not be adjusted to summertime and probably no one OS vendor will publish a new timezone file in this month.
To change time for all computers we need to create a GPP and apply to all computer (We can create a script which will use tzutil.exe but legacy systems lack of this app).
First please apply my register file, it will set AZT time with Daylight Saving Off.
Let’s create our policy with register wizard, start gpmc.msc
Open key that you imported:

Select Key and all value.

Copy DisableAutoDaylightTimeSet (Right click—>;Copy—>>;Pate) from this GPP and edit and change action from update to create for one of key.

Policy ready and you can deploy it for your computers.
But here is a one thing that we need to know, time setting will be applied when Windows Time service (W32Time) will reload configuration. To force reload time config you can use PSExec (From Systinternals suite, you can direct download from here or from Microsoft Site) to run ‘net stop w32time && net start w32time’.
I can’t run following command from my DC because of exception:

Therefore, following script will be executed from Powershell with AD Modules installed:

You might know that Kerberos protocol use timestamp when generate ticket and maximum time skew between DC and Computer by default is 5 minutes. To avoid problems with machine who is offline now you can temporary change this setting to 65 minutes and remove them when all your computers will pool your latest GPO.
You can change default settings from “Default Domain Policy” or can create your own policy (but make Policy Precedence order lower if you will create new policy file).


P.S. You can adjust all settings via Powershell and the only reason I use PSExec is to execute command across all device include legacy computers without PS.

Have a nice Holidays!

Mount Windows CIFS share to *nix servers using KERBEROS auth. Step-by-Step.

In my example I will use kerberos to authenticate my linux server on Active Directory and use this credentials to get CIFS share.
My lab

dc02.digitalbears.net -Domain controller
lpi2.digitalbears.net -Linux (CentOS 7)

First we need create an object in AD which we will use for authentication. We can create machine account in AD, but you should regenerate key
when your machine changes its password (you can’t set “password never expires” for computer object). To avoid this case, we will create a user
object in AD.

We will use created in AD user lpi@digitalbears.net.
You should add SPN for this account to allow linux server with FQDN lpi2.digitalbears.net (It’s some kind of delegation which will allow your lpi2.digitalbears.net
host to get Kerberos Ticket Granting Service on behalf of lpi@digitalbears.net user account).

To do it run from windows with ad permission:

Now you need to generate keytab file which you will use on centos server. Do it on same cmd.exe\powershell.exe:

Pass: Password for lpi@digitalbears.net
princ: “host”- include many services and CIFS one of them, “lpi2.digitalbears.net”- my linux server fqdn, @digitalbears.net my domain name (must be specified in uppercase)
mapuser: user name which will be used to generate keytab

Now you need to transfer C:\krb.keytab to lpi2.digitalbears.net, then from ssh console:

Past following information, but change digitalbears.net with your domain name in uppercase and digitalbears.net with you domainname in lowercase

Save this changes.
Check that no one kerberos tickets added to system:

Then you need to generate kerberos ticket using your keytab file. (You can remove your ticket by running kdestroy command)

You can see that kerberos ticket is imported and now we are ready to mount:

You are done, you can access this shared folder with permission which admin setup for username lpi@digitalbears.net on this folder.

Capture network traffic from Windows without Netmon or Wireshark.

Here is a way for traffic capture from Windows Computers without netmon or wireshark.
Of course you can install any traffic sniffer in minute but assume that you have a production server and policy does not allow to install additional soft on it.

Like tcpdump in Linux, You can run following program from cmd.exe


Then in Network Monitor open generated ETL file.
You should set “Windows” parser to make your data readable.


P.S. MS does not recommend to install Wireshark because it create filter on NDIS.