njordur

  1. Custom Password Validation Error

    No rush, it's just an improvement for you guys :). I'll just wait for the release.
  2. Custom Password Validation Error

    No, that's not it, I'm overwriting it each time with the variable. I hadn't even started handling that part. What comes in the variable database is just [GenericField1]. So if I switch the catch output to this...

```powershell
switch -wildcard ($error[0].Exception.ToString().ToLower())
{
    #"*A network-related or instance-specific*" { Write-Output "Failed to execute script correctly against Host '$HostName' for the account '$UserName'. Please check SQL details are correct, and that a firewall is not blocking access - default Port is 1433."; break }
    #"*The password of the account must be changed*" { Write-Output "Failed to validate the password for the SQL account '$UserName' on Host '$HostName'. Password has expired."; break }
    #"*The account is disabled*" { Write-Output "Failed to validate the password for the SQL account '$UserName' on Host '$HostName'. Account is disabled."; break }
    #"*Login failed for user*" { Write-Output "Failed to validate the password for the SQL account '$UserName' on Host '$HostName'. UserName or Password is incorrect."; break }
    #Add other wildcard matches here as required
    #Parentheses make Write-Output emit one concatenated string instead of three separate arguments
    default { Write-Output ("Failed to validate the password for the SQL account '$UserName' on Host '$HostName' with Database:'$Database' Error = " + $error[0].Exception) }
}
```

    Then this is what I get in the attached picture
  3. I ran into a problem when I was trying to use a generic field in password validation. It doesn't seem to get through even though it's available from the variable list. I even tried to pass on the URL variable, which was standard, and had the same results. I made a script for password reset with successful results. This is the script I tried without luck. What I'm trying to do is to validate a password for a contained database user.

```powershell
<#
.SYNOPSIS
Connect to a Microsoft SQL server and validates the password for a local SQL account.
.NOTES
Requires database connections on in-use Port to be allowed through Firewall
#>
function Validate-SQLPassword
{
    [CmdletBinding()]
    param (
        [String]$HostName,
        [String]$InstanceName,
        [String]$SQLPort,
        [String]$UserName,
        [String]$CurrentPassword,
        [String]$Database = 'master'
    )

    try
    {
        #Declare some connection string variables
        [String]$InstanceNameString = ''
        [String]$SQLPortString = ''

        #Construct the Instance Name section of the connection string if required
        if ($InstanceName -ne '') { $InstanceNameString = '\' + $InstanceName }

        #Construct the Port Number section of the connection string if required
        if ($SQLPort -ne '') { $SQLPortString = ',' + $SQLPort }

        $SQLConnection = New-Object System.Data.SqlClient.SqlConnection
        $SQLConnection.ConnectionString = "Server=" + $HostName + $InstanceNameString + $SQLPortString + ";User ID=" + $UserName + ";Password=" + $CurrentPassword + ";Initial Catalog=" + $Database + ";"
        $SQLConnection.Open()
        $SQLConnection.Close()

        Write-Output "Success"
    }
    catch
    {
        switch -wildcard ($error[0].Exception.ToString().ToLower())
        {
            "*A network-related or instance-specific*" { Write-Output "Failed to execute script correctly against Host '$HostName' for the account '$UserName'. Please check SQL details are correct, and that a firewall is not blocking access - default Port is 1433."; break }
            "*The password of the account must be changed*" { Write-Output "Failed to validate the password for the SQL account '$UserName' on Host '$HostName'. Password has expired."; break }
            "*The account is disabled*" { Write-Output "Failed to validate the password for the SQL account '$UserName' on Host '$HostName'. Account is disabled."; break }
            #"*Login failed for user*" { Write-Output "Failed to validate the password for the SQL account '$UserName' on Host '$HostName'. UserName or Password is incorrect."; break }
            #Add other wildcard matches here as required
            #Parentheses make Write-Output emit one concatenated string instead of three separate arguments
            default { Write-Output ("Failed to validate the password for the SQL account '$UserName' on Host '$HostName' with Database:'$Database' Error = " + $error[0].Exception) }
        }
    }
}

#Make a call to the Validate-SQLPassword function
Validate-SQLPassword -HostName '[HostName]' -InstanceName '[SQLInstanceName]' -SQLPort '[DatabasePort]' -Username '[UserName]' -CurrentPassword '[CurrentPassword]' -Database '[GenericField1]'
```
  4. Hi, I added more functionality to the Reset SQL Password Script. The feature I added is the ability to change users in contained databases. However, since those users are not part of the logins in the database server, the connection strings must contain the database name. For that I changed the Password List and renamed the Generic Field 1 to Database and put the database name there. If it's not used or missing it doesn't matter and the script will still run on the SQL accounts with logins or with privileged user. The only drawback here, it seems, is that the custom password validation script doesn't seem to be accepting fields from variables to validate the contained database users, like [GenericField1] (I even tried , I'm assuming it's a bug. The password reset with the script however updates the heartbeat field correctly.

```powershell
<#
.SYNOPSIS
Connect to a Microsoft SQL server and change the password for a local SQL account.
.NOTES
Requires database connections on in-use Port to be allowed through Firewall
Database variable is only used for contained databases
#>
function Set-SQLPassword
{
    [CmdletBinding()]
    param (
        [String]$HostName,
        [String]$InstanceName,
        [String]$SQLPort,
        [String]$UserName,
        [String]$NewPassword,
        [String]$OldPassword,
        [String]$PrivilegedAccountUserName,
        [String]$PrivilegedAccountPassword,
        [String]$Database
    )

    #$SQLScript to be called once a database connection has been established. Add one command per line.
    #Script1: reset by a privileged account, Script2: login changes its own password, Script3: contained database user
    $SQLScript1 = @"
ALTER LOGIN $UserName WITH PASSWORD = '$NewPassword'
"@
    $SQLScript2 = @"
ALTER LOGIN $UserName WITH PASSWORD = '$NewPassword' OLD_PASSWORD = '$OldPassword'
"@
    $SQLScript3 = @"
ALTER User $UserName WITH PASSWORD = '$NewPassword' OLD_PASSWORD = '$OldPassword'
"@

    try
    {
        #Declare some connection string variables
        [String]$InstanceNameString = ''
        [String]$SQLPortString = ''

        #Construct the Instance Name section of the connection string if required
        if ($InstanceName -ne '') { $InstanceNameString = '\' + $InstanceName }

        #Construct the Port Number section of the connection string if required
        if ($SQLPort -ne '') { $SQLPortString = ',' + $SQLPort }

        $SQLConnection = New-Object System.Data.SqlClient.SqlConnection

        #Establish connection with Privileged Account if required, otherwise use own account to reset password
        if ($PrivilegedAccountUserName -ne '' -and $Database -eq '')
        {
            $SQLConnection.ConnectionString = "Server=" + $HostName + $InstanceNameString + $SQLPortString + ";User ID=" + $PrivilegedAccountUserName + ";Password=" + $PrivilegedAccountPassword + ";"
        }
        #Used for Contained Databases
        elseif ($PrivilegedAccountUserName -eq '' -and $Database -ne '')
        {
            $SQLConnection.ConnectionString = "Server=" + $HostName + $InstanceNameString + $SQLPortString + ";User ID=" + $UserName + ";Password=" + $OldPassword + ";Initial Catalog=" + $Database + ";"
        }
        else
        {
            $SQLConnection.ConnectionString = "Server=" + $HostName + $InstanceNameString + $SQLPortString + ";User ID=" + $UserName + ";Password=" + $OldPassword + ";"
        }
        $SQLConnection.Open()

        if ($PrivilegedAccountUserName -ne '' -and $Database -eq '')
        {
            $SQLCommand = New-Object System.Data.SqlClient.SqlCommand($SQLScript1, $SQLConnection)
        }
        elseif ($PrivilegedAccountUserName -eq '' -and $Database -ne '')
        {
            $SQLCommand = New-Object System.Data.SqlClient.SqlCommand($SQLScript3, $SQLConnection)
        }
        else
        {
            $SQLCommand = New-Object System.Data.SqlClient.SqlCommand($SQLScript2, $SQLConnection)
        }
        $SQLCommand.ExecuteScalar()
        $SQLConnection.Close()

        Write-Output "Success"
    }
    catch
    {
        switch -wildcard ($error[0].Exception.ToString().ToLower())
        {
            "*A network-related or instance-specific*" { Write-Output "Failed to execute script correctly against Host '$HostName' for the account '$UserName'. Please check SQL details are correct, and that a firewall is not blocking access - default Port is 1433."; break }
            "*The password of the account must be changed*" { Write-Output "Failed to validate the password for the SQL account '$UserName' on Host '$HostName'. Password has expired."; break }
            "*The account is disabled*" { Write-Output "Failed to validate the password for the SQL account '$UserName' on Host '$HostName'. Account is disabled."; break }
            "*Login failed for user*" { Write-Output "Failed to validate the password for the SQL account '$UserName' on Host '$HostName'. UserName or Password is incorrect."; break }
            #Add other wildcard matches here as required
            #Parentheses make Write-Output emit one concatenated string instead of three separate arguments
            default { Write-Output ("Failed to validate the password for the SQL account '$UserName' on Host '$HostName'. Error = " + $error[0].Exception) }
        }
    }
}

#Make a call to the Set-SQLPassword function
Set-SQLPassword -HostName '[HostName]' -InstanceName '[SQLInstanceName]' -SQLPort '[DatabasePort]' -Username '[UserName]' -OldPassword '[OldPassword]' -NewPassword '[NewPassword]' -PrivilegedAccountUserName '[PrivilegedAccountUserName]' -PrivilegedAccountPassword '[PrivilegedAccountPassword]' -Database '[GenericField1]'
```
  5. Changed the default script so I could have the option of allowing the SQL user to change his password by providing the old password. This way I don't have to define a Privileged Account with the password reset script.

```powershell
<#
.SYNOPSIS
Connect to a Microsoft SQL server using the current SQL user, and change the password for a local SQL account.
.NOTES
Requires database connections on in-use Port to be allowed through Firewall
SQL user needs to be allowed to change own password
#>
function Set-SQLPassword2
{
    [CmdletBinding()]
    param (
        [String]$HostName,
        [String]$InstanceName,
        [String]$SQLPort,
        [String]$UserName,
        [String]$NewPassword,
        [String]$OldPassword
    )

    #$SQLScript to be called once a database connection has been established. Add one command per line.
    $SQLScript = @"
ALTER LOGIN $UserName WITH PASSWORD = '$NewPassword' OLD_PASSWORD = '$OldPassword'
"@

    try
    {
        #Declare some connection string variables
        [String]$InstanceNameString = ''
        [String]$SQLPortString = ''

        #Construct the Instance Name section of the connection string if required
        if ($InstanceName -ne '') { $InstanceNameString = '\' + $InstanceName }

        #Construct the Port Number section of the connection string if required
        if ($SQLPort -ne '') { $SQLPortString = ',' + $SQLPort }

        $SQLConnection = New-Object System.Data.SqlClient.SqlConnection
        $SQLConnection.ConnectionString = "Server=" + $HostName + $InstanceNameString + $SQLPortString + ";User ID=" + $UserName + ";Password=" + $OldPassword + ";"
        $SQLConnection.Open()
        $SQLCommand = New-Object System.Data.SqlClient.SqlCommand($SQLScript, $SQLConnection)
        $SQLCommand.ExecuteScalar()
        $SQLConnection.Close()

        Write-Output "Success"
    }
    catch
    {
        switch -wildcard ($error[0].Exception.ToString().ToLower())
        {
            "*A network-related or instance-specific*" { Write-Output "Failed to execute script correctly against Host '$HostName' for the account '$UserName'. Please check SQL details are correct, and that a firewall is not blocking access - default Port is 1433."; break }
            "*because it does not exist or you do not have permission*" { Write-Output "Failed to execute script correctly against Host '$HostName' for the account '$UserName'. Error = Account does not exist or you do not have permission."; break }
            "*Login failed for user*" { Write-Output "Failed to connect to the Host '$HostName' to reset the password for the account '$UserName'. Please check the Privileged Account Credentials provided associated with the Password Reset script are correct"; break }
            #Add other wildcard matches here as required
            #Parentheses make Write-Output emit one concatenated string instead of three separate arguments
            default { Write-Output ("Failed to reset the password for the SQL account '$UserName' on Host '$HostName'. Error = " + $error[0].Exception) }
        }
    }
}

#Make a call to the Set-SQLPassword2 function
Set-SQLPassword2 -HostName '[HostName]' -InstanceName '[SQLInstanceName]' -SQLPort '[DatabasePort]' -Username '[UserName]' -NewPassword '[NewPassword]' -OldPassword '[OldPassword]'
```
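
A hardened way to build the connection string and the ALTER statement used by the three scripts above, as an added example that is not part of the original posts or the vendor's scripts. `New-SafeSqlConnectionString` and `New-AlterPasswordStatement` are hypothetical helper names and the host, account and password values are constructed samples; the point is that a password or database name containing `;`, `=` or `'` can no longer change the meaning of the connection string or of the SQL text.

```powershell
# Added example: hypothetical helpers, not part of the posted scripts.
function New-SafeSqlConnectionString {
    param (
        [String]$HostName, [String]$InstanceName, [String]$SQLPort,
        [String]$UserName, [String]$Password, [String]$Database
    )
    $dataSource = $HostName
    if ($InstanceName -ne '') { $dataSource += '\' + $InstanceName }
    if ($SQLPort -ne '')      { $dataSource += ',' + $SQLPort }

    # The builder quotes each value, so a ';' or '=' inside a password or
    # database name cannot end the value early or add another keyword.
    # Keys are set through the indexer using the connection-string keywords.
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder['Data Source'] = $dataSource
    $builder['User ID']     = $UserName
    $builder['Password']    = $Password
    # Initial Catalog is only needed for contained database users.
    if ($Database -ne '') { $builder['Initial Catalog'] = $Database }
    return $builder.ToString()
}

function New-AlterPasswordStatement {
    param (
        [String]$UserName, [String]$NewPassword, [String]$OldPassword,
        [Switch]$ContainedUser
    )
    # Bracket-quote the identifier and double any ']' inside it.
    $name = '[' + $UserName.Replace(']', ']]') + ']'
    # The passwords are string literals in the statement text:
    # double every single quote so the literal cannot be closed early.
    $new  = "'" + $NewPassword.Replace("'", "''") + "'"
    $old  = "'" + $OldPassword.Replace("'", "''") + "'"
    $kind = 'LOGIN'
    if ($ContainedUser) { $kind = 'USER' }
    return "ALTER $kind $name WITH PASSWORD = $new OLD_PASSWORD = $old"
}

# Constructed sample values containing the characters that break plain
# string concatenation.
$cs  = New-SafeSqlConnectionString -HostName 'sqlhost01' -InstanceName 'INST1' -SQLPort '1433' -UserName 'appuser' -Password "old;Pa'ss=1" -Database 'AppDb'
$sql = New-AlterPasswordStatement -UserName 'app]user' -NewPassword "new'Pa;ss" -OldPassword "old;Pa'ss=1" -ContainedUser
Write-Output $cs
Write-Output $sql
```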
  6. I would like to see an option for password reset dependencies so that I can identify the status and startup type of services on servers. This would really help doing some cleanup when we have a lot of dependencies on a service account. Also would be great if I could choose exclusions in the discovery, i.e. exclude manual and disabled startup types. /Njörður
  7. I'm using the latest version 7.7 (Build 7737). When I'm adding a new password to a password list that does not have the password & password strength field shown on it, nothing happens. This happens both to old password lists and new. The cause seems to be that the password strength field has the required field grayed out and enabled, so it seems to be still in effect even if the field is not shown. This started when I upgraded directly from Version 7.6 (Build 7676) to Build 7737.
  8. Password discovery - bug of feature?

    Yes, this was it, thanks a lot for clarifying. About the changelog on the webpage, can you update it?
  9. Password discovery - bug of feature?

    Ah ok, that must be the case then. I'll try to add the value and see if it pops in.
  10. Password discovery - bug of feature?

    This does not work for me, I have build 7537. Still creates a new password for an existing password in another password list. Also update the changelog plz.
  11. Passwordstate 7.5 (Build 7539) Update

    Seems the changelog web page hasn't been updated since November 18, version 7483. You might want to look at that. I would like to be aware of the changes made.
  12. Maybe I spoke too soon. I just added the same computer again manually with a different instance name and added a password reset task on it. Hopefully this will solve the issue.
  13. I have several SQL servers with multiple instances on them. What would be the best way to change the password on the instances, as the hosts in Passwordstate only provide an option for one instance? Is a DNS alias my only option, perhaps?
  14. Hi, I'm using v.7.3 (Build 7316) and have restored the latest discovery scripts to the database. I had a problem with one 2012R2 server when discovering the resources on it. The problem had to do with the service account on the server having an SPN record for http. So the get-resources script needed to use the option

```powershell
If ($resultsarray.ErrorDetails.Message -like "*Connecting to remote server $HostName failed with the following error message*0x80090322*" -or
    $resultsarray.ErrorDetails.Message -like "*Connecting to remote server $HostName failed with the following error message*The WS-Management service cannot complete the operation within the time specified in OperationTimeout*")
```

    But the if statement:

```powershell
If ($resultsarray.ErrorDetails.Message -like "*Connecting to remote server $HostName failed with the following error message*0x80090322*" -or
    $resultsarray.ErrorDetails.Message -like "*Connecting to remote server $HostName failed with the following error message*The WS-Management service cannot complete the operation within the time specified in OperationTimeout*")
```

    didn't work since the error message I got was different. When I added:

```powershell
If ($resultsarray.ErrorDetails.Message -like "*Connecting to remote server $HostName failed with the following error message*0x80090322*" -or
    $resultsarray.ErrorDetails.Message -like "*Connecting to remote server $HostName failed with the following error message*The WS-Management service cannot complete the operation within the time specified in OperationTimeout*")
```

    ... the results from the server came through and were written in Passwordstate. Just wanted to let the community know if anyone else had this problem.
  15. Cleanup old resources

    I know I can delete a password reset task manually from the web page. Would it be possible to implement within the discovery scans or outside it, so that if a Service, Schedule or Application pool is no longer located on the server, the password reset task would get deleted from the database?