Active Directory – Page 2

Active Directory – Standalone Managed Service Accounts and Group Managed Service Accounts

May 19, 2022January 21, 2020 by Kumaran

Managed Service Accounts (MSA) introduced in Server 2008 R2 helps reduce risk of system accounts running services being compromised.

Managed Service Accounts and its benefits

Standalone managed service accounts (sMSAs) are managed domain accounts that we use to help secure one or more services that run on a server. They can’t be reused across multiple servers. sMSAs provide automatic password management, simplified service principal name (SPN) management, and the ability to delegate management to other administrators.

Windows Server 2012 introduced Group Managed Service Accounts (gMSAs) to over the limitation in sMSA as it can only be used on one server and not in cluster and NLB services.

Group managed service accounts (gMSAs) can run on a single server or on a server farm, such as systems behind a network load balancing or Internet Information Services (IIS) server. The Group in Group Managed Service Account stands for the ability to assign one gMSA to a group of computers.

Both sMSAs and gMSAs,

Set strong passwords – Use 240-byte, randomly generated complex passwords
- Minimizing the likelihood of a service getting compromised by brute force or dictionary attacks
Cycle password regularly – Windows automatically changes the password every 30 days
- Eliminating the need of scheduling password changes and minimizing downtime
Support simplified service principal name (SPN) management

Setup and Configure MSAs

Below I’ll go through steps on how to setup sMSAs and gMSAs in an AD environment.

Create the Key Distribution Services Root Key

Domain Controllers (DC) require a root key before we can start creating sMSA or gMSA accounts. A one-time operation has to be performed to create a KDS root key.

The DCs will wait up to 10 hours from time of creation to allow all DCs to converge their AD replication before allowing the creation of a sMSA or gMSA. The 10 hours is a safety measure to prevent password generation from occurring before all DCs in the environment are capable of answering sMSA/gMSA requests.

Run the following PowerShell command on the domain controller:

Add-KdsRootKey –EffectiveImmediately

For test environments with only one DC, to use the key immediately in the test environment, you can run this command:

Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))

To make sure the KDS root key was successfully created and to successfully test it, use the following cmdlets,

Get-KdsRootKey
Test-KdsRootKey -KeyId (Get-KdsRootKey).KeyId

Can also be validated with a 4004 event has been logged in the KdsSvc (Applications and Services Logs –> Microsoft-Windows-KdsSvc/Operational) event log,

objectClass difference between a sMSA and gMSA in AD,

Create and Install a standalone Managed Service Account (sMSA)

To create a new enabled sMSA account in AD, use the below cmdlet,

$msaName = Read-Host "Enter name of desired MSA name"
New-ADServiceAccount -Name "$msaName" -Enabled $True -RestrictToSingleComputer

To link the newly created sMSA to a computer/server.

Note: In my case I’m using the same PS session and I have cleared variables. Hence I’m reusing the ‘$msaName’ variable. The server/computer name in my scenario is SERVER-01. You’ll have to modify it accordingly.

$Server = Get-ADComputer -identity SERVER-01
Add-ADComputerServiceAccount -Identity $Server -ServiceAccount $msaName

sMSA and gMSA are created in the container CN=Managed Service Accounts by default

Use below cmdlet to get properties to the sMSA

Get-ADServiceAccount msaServer-01

To use MSA / gMSA on target servers or workstations, you first need to install the AD PS module. Run the below cmdlet in PS run as administrator:

Add-WindowsFeature RSAT-AD-PowerShell

On the target server where the service account needs to be installed and use the below cmdlets to install the account and test it,

$Account = Get-ADServiceAccount -Filter "Name -eq 'msaServer-01'"
Install-ADServiceAccount $Account

Test-AdServiceAccount msaServer-01

Create and Install a group Managed Service Account (gMSA)

As mentioned earlier in this post, gMSAs are only available to Windows Server 2012 or later versions.
Before getting started:

Ensure your forest schema is updated to Windows Server 2012
Make sure you have deployed a master root key for AD

Before creating the gMSA account, create a domain security group and add servers that will be allowed to use the password for this gMSA. I used the console to create a group but PS is another way to go.

To create a gMSA, use the command:

Note: The service account samAccountName attribute must not be longer than 15 characters.

New-ADServiceAccount -name gmsaSQLService1 -Enabled:$true -DNSHostName gmsaSQLService1.acloudguy.com -PrincipalsAllowedToRetrieveManagedPassword SQLServers –verbose

On the target server where the gMSA needs to be installed and use the below cmdlets to install the account and test it,

$Account = Get-ADServiceAccount -Filter "Name -eq 'gmsaSQLService1'"
Install-ADServiceAccount $Account

Test-AdServiceAccount gmsaSQLService1

To change a gMSA’s allowed servers, use the below cmdlet:

Set-ADServiceAccount -Identity gmsaSQLService1 -PrincipalsAllowedToRetrieveManagedPassword 'New-SQLServers' –verbose

Associate gMSA in application/service

In my scenario, I’m using the newly created gMSA in an SQL server configuration. Add a $ at end of the account which specifies the account is a ‘Service Account’. Don’t specify any password. Make sure to select the ‘Service Account’ object type.

Open SQL Server Configuration Manager
Select SQL Server Services, right-click the service and select Properties
Select the Log On tab
Click Yes when prompted to restart the service

When to use

Use sMSAs when there are one or more services deployed to a single server and gMSA can’t be used. Check with the application vendor to determine if sMSA is supported. If they can’t, you must test the application in a test environment. Although one sMSAs can be used for more than one service, it is recommended that each service have its own identity when it comes to auditing.

gMSAs should be the preferred type for on-premises services, as you can add servers to the AD group and makes it easier.

To run applications and services with gMSA, check vendor’s documentation to see if it is supported. Currently gMSA is supported in IIS, SQL Server, AD LDS, Exchange Server.

Issues you may encounter

sMSA can only be used on one computer/server. When you try to install it on a second server, you’ll get a warning prompt like in screenshot below,

‘Cannot install service account. Error Message: ‘{Access Denied}’ error when you install a gMSA to a server.

In my scenario, the server was not setup as ‘PrincipalsAllowedToRetrieveManagedPassword’. To determine which group is allowed to use the gMSA, use the below cmdlet:

Get-ADServiceAccount gmsaSQLService1 -properties * | Select Name, PrincipalsAllowedToRetrieveManagedPassword | fl

I added the SQL server to the ‘New-SQLServers’ AD group and run the cmdlets again to install the gMSA. I had to reboot the server for the membership to be updated.

Another similar issue you may face is the ‘The Service did not start due to a logon failure’. This is pretty much a follow-up of the previous error. Make sure the server object is in the group which can use the gMSA. And be sure to reboot the server.

Hope this post helped you get up and running with sMSA and gMSA in your environment.

Thank you for stopping by.✌

Active Directory – Decoding UserAccountControl Attribute Values

June 28, 2022November 27, 2019 by Kumaran

In Active Directory, When we open properties of an user account, click the Account tab, and then either check or uncheck boxes in the Account options dialog box, numerical values are assigned to the UserAccountControl attribute. This UserAccountControl attribute determines the state of an account in the AD domain: active or locked, Password change at the next logon is enabled or not, if users can change their passwords and other options.

UserAccountControl Attribute in AD

To view user accounts,

Click Start –> Programs
Open Administrative Tools
Click Active Directory Users and Computers
- Or run dsa.msc from run window
Search for a user and right-click and select Properties
Click on Account tab

The Account Options section has the following options,

User must change password at next logon
User cannot change password
Password never expires
Store password using reversible encryption
Account is disabled
Smart card is required for interactive logon
Account is sensitive and cannot be delegated
User Kerberos DES encryption types for this account
This account supports Kerberos AES 128 bit encryption
This account supports Kerberos AES 256 bit encryption
Do not require Kerberos preauthentication

Each of these user account options is 1 (True) or 0 (False) and are not stored as separate AD attributes, instead the UserAccountControl attribute is used. The flags are cumulative. The total value of all options are stored in the value of UserAccountControl attribute.

To determine the current value of the attribute,

Using PowerShell,

$user = Read-Host "Enter user's logon"
Get-ADuser $user -properties * | Select name, UserAccountControl | ft

Using dsa.msc,

dsa.msc from Run window
Search for a user and right-click and select Properties
Click on Attribute Editor tab
- If you are missing this tab, Click View in the Active Directory Users and Computers window and select Advanced Features

In this example, the value of the attribute is 0x200 (decimal value is 512).

The following table lists possible flags that can be assigned to an account. Each flag corresponds to a certain UserAccountControl bit, and UserAccountControl value equals the sum of all flags.

UserAccountControl Flag	Hexadecimal Value	Decimal Value
SCRIPT	0x0001	1
ACCOUNTDISABLE	0x0002	2
HOMEDIR_REQUIRED	0x0008	8
LOCKOUT	0x0010	16
PASSWD_NOTREQD	0x0020	32
PASSWD_CANT_CHANGE	0x0040	64
ENCRYPTED_TEXT_PWD_ALLOWED	0x0080	128
TEMP_DUPLICATE_ACCOUNT	0x0100	256
NORMAL_ACCOUNT	0x0200	512
INTERDOMAIN_TRUST_ACCOUNT	0x0800	2048
WORKSTATION_TRUST_ACCOUNT	0x1000	4096
SERVER_TRUST_ACCOUNT	0x2000	8192
DONT_EXPIRE_PASSWORD	0x10000	65536
MNS_LOGON_ACCOUNT	0x20000	131072
SMARTCARD_REQUIRED	0x40000	262144
TRUSTED_FOR_DELEGATION	0x80000	524288
NOT_DELEGATED	0x100000	1048576
USE_DES_KEY_ONLY	0x200000	2097152
DONT_REQ_PREAUTH	0x400000	4194304
PASSWORD_EXPIRED	0x800000	8388608
TRUSTED_TO_AUTH_FOR_DELEGATION	0x1000000	16777216
PARTIAL_SECRETS_ACCOUNT	0x04000000	67108864

The userAccountControl value is calculated as,

NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2) = 514

NORMAL_ACCOUNT (512) + DONT_EXPIRE_PASSWORD (65536) + ACCOUNTDISABLE (2) = 66050

To list all active users,

Get-ADUser -Properties * -ldapFilter "(useraccountcontrol=512)" | Select UserPrincipalName,userAccountControl | ft

To list all disabled user accounts,

Get-ADUser -Properties * -ldapFilter "(useraccountcontrol=514)" | Select UserPrincipalName,userAccountControl | ft

To list accounts with a non-expiring password,

Get-ADUser -Properties * -ldapFilter "(useraccountcontrol=66048)" | Select UserPrincipalName,userAccountControl | ft

Here are the default UserAccountControl values for the certain objects:

Typical user: 0x200 (512)
Domain controller: 0x82000 (532480)
Workstation/server: 0x1000 (4096)

Decode UserAccountControl Values

To fully decode UserAccountControl bit field we can use this PowerShell script,

Add-Type -TypeDefinition @'
[System.Flags]
public enum UserAccountControl{
	SCRIPT = 1,
	ACCOUNTDISABLE = 2,
	BIT_02 =  4,
	HOMEDIR_REQUIRED = 8,
	LOCKEDOUT = 16,
	PASSWD_NOTREQD = 32,
	PASSWD_CANT_CHANGE = 64,
	ENCRYPTED_TEXT_PWD_ALLOWED = 128,
	TEMP_DUPLICATE_ACCOUNT = 256,
	NORMAL_ACCOUNT = 512,
	BIT_10 = 1024,
	INTERDOMAIN_TRUST_ACCOUNT = 2048,
	WORKSTATION_TRUST_ACCOUNT = 4096,
	SERVER_TRUST_ACCOUNT = 8192,
	BIT_14 = 16384,
	BIT_15 = 32768,
	DONT_EXPIRE_PASSWORD = 65536,
	MNS_LOGON_ACCOUNT = 131072,
	SMARTCARD_REQUIRED = 262144,
	TRUSTED_FOR_DELEGATION = 524288,
	NOT_DELEGATED = 1048576,
	USE_DES_KEY_ONLY = 2097152,
	DONT_REQ_PREAUTH = 4194304,
	PASSWORD_EXPIRED = 8388608,
	TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216,
	PARTIAL_SECRETS_ACCOUNT = 67108864
}
'@

Which can be used like this to decode the bits,

If you want to display all flags that are set in UAC,

Get-AdUser -Filter * -Properties UserAccountControl | select name, @{n='UAC';e={[UserAccountControl]$_.UserAccountControl}}

This script can also be used to determine UserAccountControl value for specific AD accounts,

$user = Read-Host "Enter user's logon"
Get-ADuser $user -properties * | select name,UserPrincipalName, @{n='UAC';e={[UserAccountControl]$_.UserAccountControl}}

Update UserAccoutControl Attribute in AD using PowerShell

To change UserAccountControl attribute in AD using PowerShell, we can use Set-ADUser, Set-ADComputer and Set-ADAccountControl cmdlets,

$user = Read-Host "Enter user's logon"
Set-ADAccountControl -Identity $user –CannotChangePassword:$true -PasswordNeverExpires:$true

$user = Read-Host "Enter user's logon"
Set-ADUser -Identity $user –CannotChangePassword:$true -PasswordNeverExpires:$true

Set a specified computer to be trusted for delegation,

$Computer = Read-Host "Enter computer or server name"
Set-ADAccountControl -Identity $Computer -TrustedForDelegation $True

$Computer = Read-Host "Enter computer or server name"
Set-ADComputer -Identity $Computer -TrustedForDelegation $True

The user account attribute can also be updated using the Set-ADUser cmdlet. In this below example, I’m enabling user account,

$user = Read-Host "Enter user's logon"
Set-ADUser $user -Replace @{UserAccountControl = 512}

Hope this post helped you get a better understanding of the UserAccountControl attribute.

Thank you for stopping by ✌

PowerShell – Generate and email list of new users created in AD – Updated

September 19, 2022November 19, 2019 by Kumaran

If you don’t have an AD user provisioning tool implemented in your environment, I’m sure most of your user provisioning and de-provisioning is done using PowerShell scripts which helps in reducing the amount of time consumed in this process.

You probably are bombarded with requests from various departments in your organization to provide them with a list of new users who were created for various reasons.

This script can be automated by securely storing the credentials and running a scheduled task that runs on a specific day. Don’t store your admin or any credentials in any of your scripts.

You can use ConvertFrom-SecureString command to get an encrypted standard string and ConvertTo-SecureString to simply reverse the process by importing the data from your file and then create a PSCredential object.

(Get-Credential).Password | ConvertFrom-SecureString | Out-File "C:\Temp\Password.txt"

$User = "AdminUser@acme.com"
$File = "C:\Temp\Password.txt"
$MyCredential=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, (Get-Content $File | ConvertTo-SecureString)

In this above method, the point of converting password to a SecureString and storing it in a file is to keep it out of plain text in PS scripts so that it’s not as easily discovered. This can be easily decrypted and not recommended.

You can use the Microsoft.PowerShell.SecretManagement and Microsoft.PowerShell.SecretStore PS modules which I’ve covered in a later post.

$Days = -7
$Maxdate = (Get-Date).addDays($Days) 
$CurrentWeekNumber = Get-Date -UFormat %V

$dateformat = "dddd MM/dd/yyyy"
$subjDate = Get-Date $Maxdate -Format $dateformat

$NewUsers = Get-ADUser -filter { whencreated -ge $Maxdate} -Properties EmailAddress, co, Description | Select-Object -Property GivenName, SurName, DisplayName, Description, co, EmailAddress # Gathering recent New AD Users

if ($NewUsers) # If there are more than one new user created in last $Days, prepare to send a mail
    {
    $MailBody = $NewUsers | ConvertTo-Html -Fragment
    
            $MailParams = @{Body       = $mailBody | Out-String
                            BodyAsHtml = $true
                            From       = "AD-Admin@acme.com"
                            To         = "jsmith@acme.com" # separate with comma for multiple users. "jdoe@acme.com", "jroe@acme.com"
                            SmtpServer = "smtp.acme.com"
                            Subject    = "New users for the week : $CurrentWeekNumber | Week Starting - $subjDate"
                            Encoding   = "UTF8"
                            Priority   = "Normal" # Accepted values: Normal, High, Low
                            #Port      = xxxx #If not 25
                            Credential = $(Get-Credential)
                            }
    Send-MailMessage @MailParams
    }

Hope this script was useful is generating weekly reports of newly created AD users.

Thank you for stopping by. ✌

Active Directory – Update user’s co and countryCode attributes using PowerShell

July 1, 2022July 20, 2019 by Kumaran

I recently faced an issue where users are provisioned to AD using an user system/tool that applies the Country value to the user while creating the account but it doesn’t have the ability to update the countryCode and co attributes. And I had few thousand users with no value set in the co and countryCode attributes.

In this post, I’ll cover the details on how came up with a workaround for this issue.

The AD attributes we are dealing with here are,

c (Country-Name): ISO-3166 2-digit string value
countryCode (Country-Code): ISO-3166 Integer value
co (Text-Country): Open string value

When we pick a country name from the drop-down in the Active Directory users and computers GUI, the c, co and countryCode attributes are automatically assigned.

With PowerShell, we can use the Set-ADUser to assign the c attribute to the user,

$user = Read-Host "Enter user's logon"
Set-ADUser -Identity $user -Country US

In this method, no values are assigned to the co and countryCode attributes automatically like how it happened while updating in the GUI. Below are the screenshots of the user properties after running the above cmdlet.

We can use this method to assign all three values for the user,

$user = Read-Host "Enter user's logon"
Set-ADUser -identity $user -Replace @{c="CN";co="United States";countryCode="840"}

In my scenario, the users provisioned by the tool already had the c attribute value set. I exported all users from the AD domain, determined the countries and then used the below script to update the co and countryCode attributes.

$users = Get-ADUser -LDAPFilter '(!userAccountControl:1.2.840.113556.1.4.803:=2)' -Properties * | Select cn, sAMAccountName, userPrincipalName, c

foreach ($User in $Users){
        if($user.c -eq 'AU') {
            Set-ADuser $user.sAMAccountName -Replace @{co="Australia";countrycode="36"}
        }
        elseif ($user.c -eq 'US') {
	        Set-ADuser $user.sAMAccountName -Replace @{co="United States";countrycode="840"}
        }
        elseif ($user.c -eq 'GB') {
	        Set-ADuser $user.sAMAccountName -Replace @{co="United Kingdom";countrycode="826"}
        }
        elseif ($user.c -eq 'CA') {
	    Set-ADuser $user.sAMAccountName -Replace @{co="Canada";countrycode="124"}
        }
        else {
            Write-Host $user.cn does not contain Country value
    }
}

This table at the end of this post provides all countries in the AD address tab Country/region drop-down list. You can use this to update the above script according to your needs. I also made this script to be run as a scheduled task to run once a week to update the new users created throughout the week. Not a perfect solution but replacing the user provisioning tool wasn’t an option in my case, hence I stuck with this method.

Hope this post helped you in better understanding the c, co and countryCode attributes in AD and an easier method to update it.

Thank you for stopping by ✌

Country (co)	Code (c)	Code
Afghanistan	AF	4
Åland Islands	AX	248
Albania	AL	8
Algeria	DZ	12
American Samoa	AS	16
Andorra	AD	20
Angola	AO	24
Anguilla	AI	660
Antarctica	AQ	10
Antigua and Barbuda	AG	28
Argentina	AR	32
Armenia	AM	51
Aruba	AW	533
Australia	AU	36
Austria	AT	40
Azerbaijan	AZ	31
Bahamas, The	BS	44
Bahrain	BH	48
Bangladesh	BD	50
Barbados	BB	52
Belarus	BY	112
Belgium	BE	56
Belize	BZ	84
Benin	BJ	204
Bermuda	BM	60
Bhutan	BT	64
Bolivia	BO	68
Bonaire, Sint Eustatius and Saba	BQ	535
Bosnia and Herzegovina	BA	70
Botswana	BW	72
Bouvet Island	BV	74
Brazil	BR	76
British Indian Ocean Territory	IO	86
British Virgin Islands	VG	92
Brunei	BN	96
Bulgaria	BG	100
Burkina Faso	BF	854
Burundi	BI	108
Cabo Verde	CV	132
Cambodia	KH	116
Cameroon	CM	120
Canada	CA	124
Cayman Islands	KY	136
Central African Republic	CF	140
Chad	TD	148
Chile	CL	152
China	CN	156
Christmas Island	CX	162
Cocos (Keeling) Islands	CC	166
Colombia	CO	170
Comoros	KM	174
Congo	CG	178
Congo (DRC)	CD	180
Cook Islands	CK	184
Costa Rica	CR	188
Côte d’Ivoire	CI	384
Croatia	HR	191
Cuba	CU	192
Curaçao	CW	531
Cyprus	CY	196
Czech Republic	CZ	203
Denmark	DK	208
Djibouti	DJ	262
Dominica	DM	212
Dominican Republic	DO	214
Ecuador	EC	218
Egypt	EG	818
El Salvador	SV	222
Equatorial Guinea	GQ	226
Eritrea	ER	232
Estonia	EE	233
Ethiopia	ET	231
Falkland Islands	FK	238
Faroe Islands	FO	234
Fiji	FJ	242
Finland	FI	246
France	FR	250
French Guiana	GF	254
French Polynesia	PF	258
French Southern Territories	TF	260
Gabon	GA	266
Gambia	GM	270
Georgia	GE	268
Germany	DE	276
Ghana	GH	288
Gibraltar	GI	292
Greece	GR	300
Greenland	GL	304
Grenada	GD	308
Guadeloupe	GP	312
Guam	GU	316
Guatemala	GT	320
Guernsey	GG	831
Guinea	GN	324
Guinea-Bissau	GW	624
Guyana	GY	328
Haiti	HT	332
Heard and McDonald Islands	HM	334
Honduras	HN	340
Hong Kong SAR	HK	344
Hungary	HU	348
Iceland	IS	352
India	IN	356
Indonesia	ID	360
Iran	IR	364
Iraq	IQ	368
Ireland	IE	372
Isle of Man	IM	833
Israel	IL	376
Italy	IT	380
Jamaica	JM	388
Jan Mayen	SJ	744
Japan	JP	392
Jersey	JE	832
Jordan	JO	400
Kazakhstan	KZ	398
Kenya	KE	404
Kiribati	KI	296
Korea	KR	410
Kosovo	XK	906
Kuwait	KW	414
Kyrgyzstan	KG	417
Laos	LA	418
Latvia	LV	428
Lebanon	LB	422
Lesotho	LS	426
Liberia	LR	430
Libya	LY	434
Liechtenstein	LI	438
Lithuania	LT	440
Luxembourg	LU	442
Macao SAR	MO	446
Macedonia, FYRO	MK	807
Madagascar	MG	450
Malawi	MW	454
Malaysia	MY	458
Maldives	MV	462
Mali	ML	466
Malta	MT	470
Marshall Islands	MH	584
Martinique	MQ	474
Mauritania	MR	478
Mauritius	MU	480
Mayotte	YT	175
Mexico	MX	484
Micronesia	FM	583
Moldova	MD	498
Monaco	MC	492
Mongolia	MN	496
Montenegro	ME	499
Montserrat	MS	500
Morocco	MA	504
Mozambique	MZ	508
Myanmar	MM	104
Namibia	NA	516
Nauru	NR	520
Nepal	NP	524
Netherlands	NL	528
New Caledonia	NC	540
New Zealand	NZ	554
Nicaragua	NI	558
Niger	NE	562
Nigeria	NG	566
Niue	NU	570
Norfolk Island	NF	574
North Korea	KP	408
Northern Mariana Islands	MP	580
Norway	NO	578
Oman	OM	512
Pakistan	PK	586
Palau	PW	585
Palestinian Authority	PS	275
Panama	PA	591
Papua New Guinea	PG	598
Paraguay	PY	600
Peru	PE	604
Philippines	PH	608
Pitcairn Islands	PN	612
Poland	PL	616
Portugal	PT	620
Puerto Rico	PR	630
Qatar	QA	634
Reunion	RE	638
Romania	RO	642
Russia	RU	643
Rwanda	RW	646
Saint Barthélemy	BL	652
Saint Kitts and Nevis	KN	659
Saint Lucia	LC	662
Saint Martin	MF	663
Saint Pierre and Miquelon	PM	666
Saint Vincent and the Grenadines	VC	670
Samoa	WS	882
San Marino	SM	674
São Tomé and Príncipe	ST	678
Saudi Arabia	SA	682
Senegal	SN	686
Serbia	RS	688
Serbia and Montenegro (Former)	CS	891
Seychelles	SC	690
Sierra Leone	SL	694
Singapore	SG	702
Sint Maarten	SX	534
Slovakia	SK	703
Slovenia	SI	705
Solomon Islands	SB	90
Somalia	SO	706
South Africa	ZA	710
South Georgia and the South Sandwich Islands	GS	239
Spain	ES	724
Sri Lanka	LK	144
St Helena, Ascension and Tristan da Cunha	SH	654
Sudan	SD	736
Suriname	SR	740
Svalbard	SJ	744
Swaziland	SZ	748
Sweden	SE	752
Switzerland	CH	756
Syria	SY	760
Taiwan	TW	158
Tajikistan	TJ	762
Tanzania	TZ	834
Thailand	TH	764
Timor-Leste	TL	626
Togo	TG	768
Tokelau	TK	772
Tonga	TO	776
Trinidad and Tobago	TT	780
Tunisia	TN	788
Turkey	TR	792
Turkmenistan	TM	795
Turks and Caicos Islands	TC	796
Tuvalu	TV	798
U.S. Minor Outlying Islands	UM	581
U.S. Virgin Islands	VI	850
Uganda	UG	800
Ukraine	UA	804
United Arab Emirates	AE	784
United Kingdom	GB	826
United States	US	840
Uruguay	UY	858
Uzbekistan	UZ	860
Vanuatu	VU	548
Vatican City	VA	336
Venezuela	VE	862
Vietnam	VN	704
Wallis and Futuna	WF	876
Yemen	YE	887
Zambia	ZM	894
Zimbabwe	ZW	716