blog/source/_posts/splunk-ldapsearch-useraccou...

3.3 KiB

title excerpt date tags
Query LOCKOUT and PASSWORD_EXPIRED flags on Splunk SA-ldapsearch userAccountControl vs. msDS-User-Account-Control-Computed 2023-10-01
splunk

SA-ldapsearch (Splunk Supporting Add-on for Active Directory) has a useful feature that parses "userAccountControl" flags into a multivalue. For example, instead of showing "514", it shows [ACCOUNTDISABLE, NORMAL_ACCOUNT] instead. However, I noticed LOCKOUT and PASSWORD_EXPIRED flags are not shown even though I was sure the accounts I queried have either of those flags set. Those flags are indeed listed under documentations for "userAccountControl": Windows Server and Active Directory Schema.

Despite being mentioned in the documentations, in that Windows Server doc, there is a note that says those flags have been moved to "msDS-User-Account-Control-Computed" attribute since Windows Server 2003. But when I queried that attribute, I got a decimal value which meant the parsing function was not applied.

To apply flag-parsing function on "msDS-User-Account-Control-Computed":

    '1.2.840.113556.1.4.8':             format_user_flag_enum,         # User-Account-Control
    '1.2.840.113556.1.4.1460':          format_user_flag_enum,         # ms-DS-User-Account-Control-Computed

First line is an existing one, the second line is the new one.

For the sake of completeness, that function can also be patched to parse other flags of "msDS-User-Account-Control-Computed". I created a script to apply the following patch directly on "splunk-supporting-add-on-for-active-directory_*.tgz" and save it to a new app package "SA-ldapsearch_*.tgz".

--- SA-ldapsearch/bin/packages/app/formatting_extensions.py	2023-09-06 00:00:00.000000000 +0000
+++ SA-ldapsearch/bin/packages/app/formatting_extensions.py	2023-09-06 00:00:00.000000001 +0000
@@ -721,6 +721,12 @@
         names.append('PASSWORD_EXPIRED')
     if flags & 0x1000000:
         names.append('TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION')
+    if flags & 0x2000000:
+        names.append('NO_AUTH_DATA_REQUIRED')
+    if flags & 0x4000000:
+        names.append('PARTIAL_SECRETS_ACCOUNT')
+    if flags & 0x8000000:
+        names.append('USE_AES_KEYS')

     # Zero or one of these flags may be set

@@ -822,6 +828,7 @@
     '1.2.840.113556.1.4.1303':          format_sid,                    # Token-Groups-No-GC-Acceptable

     '1.2.840.113556.1.4.8':             format_user_flag_enum,         # User-Account-Control
+    '1.2.840.113556.1.4.1460':          format_user_flag_enum,         # ms-DS-User-Account-Control-Computed

     # formatter specially for msExchMailboxSecurityDescriptor
     '1.2.840.113556.1.4.7000.102.80' : format_security_descriptor,     # msExchMailboxSecurityDescriptor