Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mastering Active Directory with PowerShell

Published byMelanie Dawson Modified over 7 years ago

Similar presentations

Presentation on theme: "Mastering Active Directory with PowerShell"— Presentation transcript:

1 Mastering Active Directory with PowerShell
Sean Metcalf CTO DAn Solutions sean dansolutions . Com DAnSolutions.com ADSecurity.org NoVA PowerShell User Group January 2015

2 Expectations This is not Active Directory PowerShell Training (that would take hours/days). Meant to spark ideas on how to work with AD better. Lots of PowerShell example code – how it’s used is up to you!  This session is interactive - Please ask questions!

3 Agenda Interfacing with Active Directory through PowerShell.
PowerShell Active Directory Module Cmdlets Forest & Domain Discovery Useful AD Cmdlets Computers, Users, & Groups, Oh My! Interesting AD Config Data Service Accounts DCs & GCs AD Replication Power Tips & Tricks References

4 PowerShell & Active Directory
PowerShell v1: NET & ADSI PowerShell v2 & newer: PowerShell Active Directory Module Import-module servermanager; add-windowsfeature rsat-ad-tools Import-module servermanager; add-windowsfeature rsat-ad-PowerShell

5 .Net “.NET Framework is a software framework developed by Microsoft that runs primarily on Microsoft Windows. It includes a large class library known as Framework Class Library (FCL) and provides language interoperability (each language can use code written in other languages) across several programming languages. Programs written for .NET Framework execute in a software environment (as contrasted to hardware environment), known as Common Language Runtime (CLR), an application virtual machine that provides services such as security, memory management, and exception handling. FCL and CLR together constitute .NET Framework.” -Wikipedia

6 Active Directory .NET Get the Current Domain: Get the Computer’s Site:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name Get the Computer’s Site: [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite() List All Domain Controllers in a Domain: [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers Get Active Directory Domain Mode: [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainMode List Active Directory FSMOs: ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).SchemaRoleOwner ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).NamingRoleOwner ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).InfrastructureRoleOwner ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).RidRoleOwner Part 1: Part 2:

7 Active Directory .NET Get Active Directory Forest Name:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name Get a List of Sites in the Active Directory Forest: [array] $ADSites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites Get Active Directory Forest Domains: [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains Get Active Directory Forest Global Catalogs: [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs Get Active Directory Forest Mode: [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().ForestMode Get Active Directory Forest Root Domain: [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain Part 1: Part 2:

8 Old School - ADSI Active Directory Service Interface (ADSI)
“Active Directory Service Interfaces (ADSI) is a set of COM interfaces used to access the features of directory services from different network providers. ADSI is used in a distributed computing environment to present a single set of directory service interfaces for managing network resources. Administrators and developers can use ADSI services to enumerate and manage the resources in a directory service, no matter which network environment contains the resource.” ADSI Example: $UserID = “JoeUser” $root = [ADSI]'' $searcher = new-object System.DirectoryServices.DirectorySearcher($root) $searcher.filter = "(&(objectClass=user)(sAMAccountName= $UserID))" $user = $searcher.findall() $user

9 PowerShell Active Directory Module
Requires AD Web Services (ADWS) running on targeted DC (TCP 9389) Get-ADDomainController –Discover –Service “ADWS” SOAP XML message(s) over HTTP translated on DC PowerShell AD Cmdlet Example: Import-module ActiveDirectory $UserID = “JoeUser” Get-ADUser $UserID –property *

10 Active Directory Drive
Dir ad: Set-location ad: Set-location “dc=mlab,dc=adsecurity,dc=org”

11 Finding Useful AD Commands
Get-Module -ListAvailable Get-Command -module ActiveDirectory PowerShell AD Module Cmdlets: Windows Server 2008 R2: 76 cmdlets Windows Server 2012: cmdlets Windows Server 2012 R2: 147 cmdlets

12 Popular Cmdlets: Windows Server 2008 R2
Get/Set-ADForest Get/Set-ADDomain Get/Set-ADDomainController Get/Set-ADUser Get/Set-ADComputer Get/Set-ADGroup Get/Set-ADGroupMember Get/Set-ADObject Get/Set-ADOrganizationalUnit Enable-ADOptionalFeature Disable/Enable-ADAccount Move-ADDirectoryServerOperationMasterRole New-ADUser New-ADComputer New-ADGroup New-ADObject New-ADOrganizationalUnit Add-ADComputerServiceAccount Add-ADDomainControllerPasswordReplicationPolicy Add-ADFineGrainedPasswordPolicySubject Add-ADGroupMember Add-ADPrincipalGroupMembership Clear-ADAccountExpiration Disable-ADAccount Disable-ADOptionalFeature Enable-ADAccount Enable-ADOptionalFeature Get-ADAccountAuthorizationGroup Get-ADAccountResultantPasswordReplicationPolicy Get-ADComputer Get-ADComputerServiceAccount Get-ADDefaultDomainPasswordPolicy Get-ADDomain Get-ADDomainController Get-ADDomainControllerPasswordReplicationPolicy Get-ADDomainControllerPasswordReplicationPolicyUsage Get-ADFineGrainedPasswordPolicy Get-ADFineGrainedPasswordPolicySubject Get-ADForest Get-ADGroup Get-ADGroupMember Get-ADObject Get-ADOptionalFeature Get-ADOrganizationalUnit Get-ADPrincipalGroupMembership Get-ADRootDSE Get-ADServiceAccount Get-ADUser Get-ADUserResultantPasswordPolicy Install-ADServiceAccount Move-ADDirectoryServer Move-ADDirectoryServerOperationMasterRole Move-ADObject New-ADComputer New-ADFineGrainedPasswordPolicy New-ADGroup New-ADObject New-ADOrganizationalUnit New-ADServiceAccount New-ADUser Remove-ADComputer Remove-ADComputerServiceAccount Remove-ADDomainControllerPasswordReplicationPolicy Remove-ADFineGrainedPasswordPolicy Remove-ADFineGrainedPasswordPolicySubject Remove-ADGroup Remove-ADGroupMember Remove-ADObject Remove-ADOrganizationalUnit Remove-ADPrincipalGroupMembership Remove-ADServiceAccount Remove-ADUser Rename-ADObject Reset-ADServiceAccountPassword Restore-ADObject Search-ADAccount Set-ADAccountControl Set-ADAccountExpiration Set-ADAccountPassword Set-ADComputer Set-ADDefaultDomainPasswordPolicy Set-ADDomain Set-ADDomainMode Set-ADFineGrainedPasswordPolicy Set-ADForest Set-ADForestMode Set-ADGroup Set-ADObject Set-ADOrganizationalUnit Set-ADServiceAccount Set-ADUser Uninstall-ADServiceAccount Unlock-ADAccount

13 (some) New Cmdlets: Windows Server 2012+
*-ADResourcePropertyListMember *-ADAuthenticationPolicy *-ADAuthenticationPolicySilo *-ADCentralAccessPolicy *-ADCentralAccessRule *-ADResourceProperty *-ADResourcePropertyList *-ADResourcePropertyValueType *-ADDCCloneConfigFile *-ADReplicationAttributeMetadata *-ADReplicationConnection *-ADReplicationFailure *-ADReplicationPartnerMetadata *-ADReplicationQueueOperation *-ADReplicationSite *-ADReplicationSiteLink *-ADReplicationSiteLinkBridge *-ADReplicationSubnet *-ADReplicationUpToDatenessVectorTable Sync-ADObject Add-ADCentralAccessPolicyMember Add-ADComputerServiceAccount Add-ADDomainControllerPasswordReplicationPolicy Add-ADFineGrainedPasswordPolicySubject Add-ADGroupMember Add-ADPrincipalGroupMembership Add-ADResourcePropertyListMember Clear-ADAccountExpiration Clear-ADClaimTransformLink Disable-ADAccount Disable-ADOptionalFeature Enable-ADAccount Enable-ADOptionalFeature Get-ADAccountAuthorizationGroup Get-ADAccountResultantPasswordReplicationPolicy Get-ADAuthenticationPolicy Get-ADAuthenticationPolicySilo Get-ADCentralAccessPolicy Get-ADCentralAccessRule Get-ADClaimTransformPolicy Get-ADClaimType Get-ADComputer Get-ADComputerServiceAccount Get-ADDCCloningExcludedApplicationList Get-ADDefaultDomainPasswordPolicy Get-ADDomain Get-ADDomainController Get-ADDomainControllerPasswordReplicationPolicy Get-ADDomainControllerPasswordReplicationPolicyUsage Get-ADFineGrainedPasswordPolicy Get-ADFineGrainedPasswordPolicySubject Get-ADForest Get-ADGroup Get-ADGroupMember Get-ADObject Get-ADOptionalFeature Get-ADOrganizationalUnit Get-ADPrincipalGroupMembership Get-ADReplicationAttributeMetadata Get-ADReplicationConnection Get-ADReplicationFailure Get-ADReplicationPartnerMetadata Get-ADReplicationQueueOperation Get-ADReplicationSite Get-ADReplicationSiteLink Get-ADReplicationSiteLinkBridge Get-ADReplicationSubnet Get-ADReplicationUpToDatenessVectorTable Get-ADResourceProperty Get-ADResourcePropertyList Get-ADResourcePropertyValueType Get-ADRootDSE Get-ADServiceAccount Get-ADTrust Get-ADUser Get-ADUserResultantPasswordPolicy Grant-ADAuthenticationPolicySiloAccess Install-ADServiceAccount Move-ADDirectoryServer Move-ADDirectoryServerOperationMasterRole Move-ADObject New-ADAuthenticationPolicy New-ADAuthenticationPolicySilo New-ADCentralAccessPolicy New-ADCentralAccessRule New-ADClaimTransformPolicy New-ADClaimType New-ADComputer New-ADDCCloneConfigFile New-ADFineGrainedPasswordPolicy New-ADGroup New-ADObject New-ADOrganizationalUnit New-ADReplicationSite New-ADReplicationSiteLink New-ADReplicationSiteLinkBridge New-ADReplicationSubnet New-ADResourceProperty New-ADResourcePropertyList New-ADServiceAccount New-ADUser Remove-ADAuthenticationPolicy Remove-ADAuthenticationPolicySilo Remove-ADCentralAccessPolicy Remove-ADCentralAccessPolicyMember Remove-ADCentralAccessRule Remove-ADClaimTransformPolicy Remove-ADClaimType Remove-ADComputer Remove-ADComputerServiceAccount Remove-ADDomainControllerPasswordReplicationPolicy Remove-ADFineGrainedPasswordPolicy Remove-ADFineGrainedPasswordPolicySubject Remove-ADGroup Remove-ADGroupMember Remove-ADObject Remove-ADOrganizationalUnit Remove-ADPrincipalGroupMembership Remove-ADReplicationSite Remove-ADReplicationSiteLink Remove-ADReplicationSiteLinkBridge Remove-ADReplicationSubnet Remove-ADResourceProperty Remove-ADResourcePropertyList Remove-ADResourcePropertyListMember Remove-ADServiceAccount Remove-ADUser Rename-ADObject Reset-ADServiceAccountPassword Restore-ADObject Revoke-ADAuthenticationPolicySiloAccess Search-ADAccount Set-ADAccountAuthenticationPolicySilo Set-ADAccountControl Set-ADAccountExpiration Set-ADAccountPassword Set-ADAuthenticationPolicy Set-ADAuthenticationPolicySilo Set-ADCentralAccessPolicy Set-ADCentralAccessRule Set-ADClaimTransformLink Set-ADClaimTransformPolicy Set-ADClaimType Set-ADComputer Set-ADDefaultDomainPasswordPolicy Set-ADDomain Set-ADDomainMode Set-ADFineGrainedPasswordPolicy Set-ADForest Set-ADForestMode Set-ADGroup Set-ADObject Set-ADOrganizationalUnit Set-ADReplicationConnection Set-ADReplicationSite Set-ADReplicationSiteLink Set-ADReplicationSiteLinkBridge Set-ADReplicationSubnet Set-ADResourceProperty Set-ADResourcePropertyList Set-ADServiceAccount Set-ADUser Show-ADAuthenticationPolicyExpression Sync-ADObject Test-ADServiceAccount Uninstall-ADServiceAccount Unlock-ADAccount

14 Active Directory Discovery: Get-ADRootDSE

15 Active Directory Discovery: Get-ADForest

16 Active Directory Discovery: Get-ADDomain

17 Get-ADDomainController

18 Get-ADComputer Get-ADComputer $ComputerName

19 Quick AD Computer Count
$Time = (Measure-Command `     {[array] $AllComputers = Get-ADComputer -filter * -properties Name,CanonicalName,Enabled,passwordLastSet,SAMAccountName,LastLogonTimeSt amp,DistinguishedName,OperatingSystem }).TotalMinutes   $AllComputersCount = $AllComputers.Count Write-Output “There were $AllComputersCount Computers discovered in $DomainDNS in $Time minutes…  `r “

20 Finding Inactive Computer Accounts
$InactiveDate = (get-date).AddDays(-10) Get-ADComputer -filter {(LastLogonDate -le $InactiveDate) -AND (PasswordLastSet -le $InactiveDate)} -property Name,IPv4Address,` LastLogonDate,PasswordLastSet,Description,Created,DNSHostName

21 Get-ADUser Get-ADUser $UserID

22 AD Domain User Statistics
Import-Module ActiveDirectory $DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name [array]$AllUsers = Get-ADUser -filter * -properties Name,DistinguishedName,Enabled,LastLogonDate,LastLogonTimeStamp,LockedOut,msExchHom eServerName,SAMAccountName $AllUsersCount = $AllUsers.Count Write-Output “There were $AllUsersCount user objects discovered in $ADDomainDNSRoot … “ [array] $DisabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $False } $DisabledUsersCount = $DisabledUsers.Count [array] $EnabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $True } $EnabledUsersCount = $EnabledUsers.Count Write-Output “There are $EnabledUsersCount Enabled users and there are $DisabledUsersCount Disabled users in $DomainDNS “ Import-Module ActiveDirectory Write-Output “Generating AD User Statistics `r “ $DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name Write-Output “Discovering all users in $ADDomainDNSRoot … `r “ # Gather a list of all users in AD including necessary attributes [array]$AllUsers = Get-ADUser -filter * -properties Name,DistinguishedName,Enabled,LastLogonDate,LastLogonTimeStamp,LockedOut,msExchHomeServerName,SAMAccountName $AllUsersCount = $AllUsers.Count Write-Output “There were $AllUsersCount user objects discovered in $ADDomainDNSRoot … `r “ Write-Output ” `r “ Write-Output “Count Disabled Users `r “ [array] $DisabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $False } $DisabledUsersCount = $DisabledUsers.Count Write-Output “Count Enabled Users `r “ [array] $EnabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $True } $EnabledUsersCount = $EnabledUsers.Count Write-Output “There are $EnabledUsersCount Enabled users and there are $DisabledUsersCount Disabled users in $DomainDNS `r “

23 Finding Inactive User Accounts
$InactiveDate = (get-date).AddDays(-10) Get-ADUser -filter {(LastLogonDate -le $InactiveDate) -AND (PasswordLastSet -le $InactiveDate)} -property SAMAccountName,DisplayName,` LastLogonDate,PasswordLastSet,Description,Created,UserPrincipalName

24 Finding Users using ANR
Ambiguos Name Resolution (ANR) used by Outlook to find users Import-Module ActiveDirectory Get-ADObject -LDAPFilter { (&(ObjectClass=User)(ANR=Thor) ) } ANR queries are compared to indexed attributes such as: sAMAccountName displayName Name (cn) givenName (first name) sn (surname aka last name) legacyExchangeDN proxyAddresses (Exchange attribute) ANR enables you to find a user when you have some information about a user, but don’t know exactly to which attribute that data corresponds. For example, if you know the user has “Thor” somewhere, but don’t know exactly what the SAMAccountName is (or DN, SID, name, etc).  Submitting an ANR search will query the AD attributes flagged for ANR (attributes must be indexed) and replies with the results (may be more than one user found). The DC checks the following attributes for ANR queries (Windows Server 2008): displayName givenName legacyExchangeDN msDS-AdditionalSamAccountName msDS-PhoneticCompanyName msDS-PhoneticDepartment msDS-PhoneticDisplayName msDS-PhoneticFirstName msDS-PhoneticLastName physicalDeliveryOfficeName proxyAddresses Name sAMAccountName sn

25 Get & Set AD Attributes Find all users and display $AttributeName
Get-ADUser -filter * -SearchBase $SourceOU -properties *,$AttributeName Find all users with $AttributeName = $AttributeValue Get-ADUser -filter { $_.”$AttributeName” -eq $AttributeValue } -properties $AttributeName Find all users where $AttributeName has a value Get-ADUser -filter { $AttributeName –like “*” } –prop $AttributeName Update $User $AttributeName to "$AttributeValue Set-ADUser $User "$AttributeName" = "$AttributeValue" }

26 Get-ADGroup Get-ADGroup $GroupName

27 Get AD Domain Group Statistics
[array]$AllADGroups = Get-ADGroup -Filter * -Properties * $AllADGroupsCount = $AllADGroups.Count Write-Output “There are $AllADGroupsCount Total groups in AD `r “ [array]$ADUniversalGroups = $AllADGroups | Where {$_.GroupScope -eq “Universal” } [int]$ADUniversalGroupsCount = $ADUniversalGroups.Count Write-Output “There are $ADUniversalGroupsCount Universal groups in AD “ [array]$ADSecurityGroups = $AllADGroups | Where {$_.GroupCategory -eq “Security” } $ADSecurityGroupsCount = $ADSecurityGroups.Count Write-Output “There are $ADSecurityGroupsCount Security groups in AD “ Import-Module ActiveDirectory Write-Output “Getting list of AD Groups `r “ [array]$AllADGroups = Get-ADGroup -Filter * -Properties * $AllADGroupsCount = $AllADGroups.Count Write-Output “There are $AllADGroupsCount Total groups in AD `r “ [array]$ADUniversalGroups = $AllADGroups | Where {$_.GroupScope -eq “Universal” } $ADUniversalGroupsCount = $ADUniversalGroups.Count $PCTofTotal = $ADUniversalGroupsCount / $AllADGroupsCount $PCTofTotal = “{0:p2}”                      -f $PCTofTotal Write-Output “There are $ADUniversalGroupsCount Universal groups in AD ($PCTofTotal of all groups) `r “ [array]$ADGlobalGroups = $AllADGroups | Where {$_.GroupScope -eq “Global” } $ADGlobalGroupsCount = $ADGlobalGroups.Count $PCTofTotal = $ADGlobalGroupsCount / $AllADGroupsCount $PCTofTotal = “{0:p2}”                      -f $PCTofTotal Write-Output “There are $ADGlobalGroupsCount Global groups in AD ($PCTofTotal of all groups)  `r “ [array]$ADDomainLocalGroups = $AllADGroups | Where {$_.GroupScope -eq “DomainLocal” } $ADDomainLocalGroupsCount = $ADDomainLocalGroups.Count $PCTofTotal = $ADDomainLocalGroupsCount / $AllADGroupsCount $PCTofTotal = “{0:p2}”                      -f $PCTofTotal Write-Output “There are $ADDomainLocalGroupsCount Domain Local groups in AD ($PCTofTotal of all groups)  `r “ [array]$ADSecurityGroups = $AllADGroups | Where {$_.GroupCategory -eq “Security” } $ADSecurityGroupsCount = $ADSecurityGroups.Count $PCTofTotal = $ADSecurityGroupsCount / $AllADGroupsCount $PCTofTotal = “{0:p2}”                      -f $PCTofTotal Write-Output “There are $ADSecurityGroupsCount Security groups in AD ($PCTofTotal of all groups)  `r “ [array]$ADMESecurityGroups = $ADSecurityGroups | Where {$_.Mail -ne $Null } $ADMESecurityGroupsCount = $ADMESecurityGroups.Count $PCTofTotal = $ADMESecurityGroupsCount / $AllADGroupsCount $PCTofTotal = “{0:p2}”                      -f $PCTofTotal Write-Output “There are $ADSecurityGroupsCount Mail-Enabled Security groups in AD ($PCTofTotal of all groups)  `r “ [array]$ADDistributionGroups = $AllADGroups | Where {$_.GroupCategory -eq “Distribution” } $ADDistributionGroupsCount = $ADDistributionGroups.Count $PCTofTotal = $ADDistributionGroupsCount / $AllADGroupsCount $PCTofTotal = “{0:p2}”                      -f $PCTofTotal Write-Output “There are $ADDistributionGroupsCount Distribution groups in AD ($PCTofTotal of all groups)  `r “ [array]$ADMEnotUniGroups = $AllADGroups | Where { ($_.GroupCategory -eq “Distribution”) -AND ($_.GroupScope -ne “Universal” ) } $ADMEnotUniGroupsCount = $ADMEnotUniGroups.Count $PCTofTotal = $ADMEnotUniGroupsCount / $AllADGroupsCount $PCTofTotal = “{0:p2}”                      -f $PCTofTotal Write-Output “There are $ADMEnotUniGroupsCount Distribution groups that are not Universal groups in AD ($PCTofTotal of all groups)  `r “

28 Get-ADGroupMember

29 Get LogonTimeSyncInterval Value
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name $DomainDistinguishedName = (Get-ADDomain).DistinguishedName $DirectoryServicesNamingContext = Get-ADObject -Identity "$DomainDistinguishedName" -Properties * $LLTReplicationValue = $DirectoryServicesNamingContext."msDS-LogonTimeSyncInterval" IF ($LLTReplicationValue -ge 1) { Write-Output "The msDS-LogonTimeSyncInterval attribute value on $DomainDNS was changed from the default value of 14 to $LLTReplicationValue which means the LastLogonTimeStamp attribute will replication about every $LLTReplicationValue days `r " } ELSE { $LLTReplicationValue = 14 ; Write-Output "The msDS-LogonTimeSyncInterval attribute value on $DomainDNS is configured with the default value of 14 (value is blank) `r " }

30 Get Active Directory Instantiation Date
Get-ADObject -SearchBase (Get-ADForest).PartitionsContainer ` -LDAPFilter "(&(objectClass=crossRef)(systemFlags=3))" ` -Property dnsRoot, nETBIOSName, whenCreated | Sort-Object whenCreated | Format-Table dnsRoot, nETBIOSName, whenCreated -AutoSize

31 Get AD Password Policy Get-ADDefaultDomainPasswordPolicy

32 Get AD Tombstone Lifetime
$ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext $DirectoryServicesConfigPartition = Get-ADObject -Identity ` "CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext" ` -Partition $ADForestconfigurationNamingContext -Properties * $TombstoneLifetime = $DirectoryServicesConfigPartition.tombstoneLifetime Write-Output "Active Directory's Tombstone Lifetime is set to $TombstoneLifetime days `r "

33 The AD Recycle Bin Requires Forest Functional Mode = Windows Server 2008 R2 Enable the Recycle Bin (as Enterprise Admin) Enable-ADOptionalFeature –Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=COM’ –Scope ForestOrConfigurationSet –Target ‘DOMAIN.COM’ Find all Deleted Users $DeletedUsers = Get-ADObject -SearchBase “CN=Deleted Objects,DC=DOMAIN,DC=COM” -Filter {ObjectClass -eq “user”} -IncludeDeletedObjects -Properties lastKnownParent Restore all Deleted Users $DeletedUsers | Restore-ADObject Restore users deleted on a specific date $ChangeDate = Get-Date (“1/1/2015″) Get-ADObject -Filter { (whenChanged -eq $changeDate) -and (isDeleted -eq $true) -and (name -ne “Deleted Objects”) -and (ObjectClass -eq “user”) } -IncludeDeletedObjects -Properties * | Restore- ADObject

34 Get Domain RID Stats $DomainDistinguishedName = (Get-ADDomain).DistinguishedName $RIDManagerProperty = Get-ADObject "cn=rid manager$,cn=system,$DomainDistinguishedName" -property RIDAvailablePool ` -server ((Get-ADDomain).RIDMaster) $RIDInfo = $RIDManagerProperty.RIDAvailablePool [int32]$TotalSIDS = $RIDInfo / ([math]::Pow(2,32)) [int64]$Temp64val = $TotalSIDS * ([math]::Pow(2,32)) [int32]$CurrentRIDPoolCount = $RIDInfo - $Temp64val $RIDsRemaining = $TotalSIDS - $CurrentRIDPoolCount $RIDsIssuedPcntOfTotal = ( $CurrentRIDPoolCount / $TotalSIDS ) $RIDsIssuedPercentofTotal = "{0:P2}" -f $RIDsIssuedPcntOfTotal $RIDsRemainingPcntOfTotal = ( $RIDsRemaining / $TotalSIDS ) $RIDsRemainingPercentofTotal = "{0:P2}" -f $RIDsRemainingPcntOfTotal Write-Output "RIDs Issued: $CurrentRIDPoolCount ($RIDsIssuedPercentofTotal of total) `r " Write-Output "RIDs Remaining: $RIDsRemaining ($RIDsRemainingPercentofTotal of total) `r "

35 Enumerate Domain Trusts
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name [array]$ADDomainTrusts = Get-ADObject -Filter {ObjectClass -eq "trustedDomain"} -Properties * [int]$ADDomainTrustsCount = $ADDomainTrusts.Count Write-Output "Discovered $ADDomainTrustsCount Trust(s) in $DomainDNS `r" $ADDomainTrusts | select Name,Created,flatName,instanceType,trustAttributes,trustDirection,securityIdentifier | format-table -auto

36 Get AD Sites $ADSites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites [int]$ADSitesCount = $ADSites.Count Write-Output "There are $ADSitesCount AD Sites `r" $ADSites | select-object Name,Domains,Subnets,AdjacentSites,SiteLinks | format-table -AutoSize

37 Backup Domain GPOs… For FREE!
Import-module GroupPolicy Backup-GPO –All –Domain “mlab.adsecurity.org” –Path “c:\GPOBackup”

38 Finding Service Accounts
Get-ADUser -filter {ServicePrincipalName -like "*"} -property Name,LastLogonDate,ServicePrincipalName,Created,DistinguishedName

39 Service Accounts Inventory Script

40 Discovering Services in AD With SPNs: SQL
get-adobject -filter { ServicePrincipalName -like "*SQL*" } -Properties Name,userPrincipalName,servicePrincipalName Active Directory SPN Directory: Active Directory SPN Directory:

41 Inventory SQL Servers

42 Finding Domain Controllers
Get-ADDomain import-module ActiveDirectory $ADInfo = Get-ADDomain $ADDomainReadOnlyReplicaDirectoryServers = $ADInfo.ReadOnlyReplicaDirectoryServers $ADDomainReplicaDirectoryServers = $ADInfo.ReplicaDirectoryServers $DomainControllers = $ADDomainReadOnlyReplicaDirectoryServers + ` ADDomainReplicaDirectoryServers Get-ADDomainController import-module ActiveDirectory $DomainControllers = Get-ADDomainController -filter * -DomainName $DOMAIN

43 Domain Controller Inventory
Import-Module ActiveDirectory Get-ADDomainController –filter * | ` select hostname,IPv4Address,IsGlobalCatalog,IsReadOnly,OperatingSystem | ` format-table -auto

44 Domain Controllers Discovery
Discover PDCe in domain: Get-ADDomainController –Discover –ForceDiscover –Service “PrimaryDC” – DomainName “lab.adsecurity.org” Discover DCs in a Site: Get-ADDomainController –Discover –Site “HQ” Find all Read-Only Domain Controllers that are GCs Get-ADDomainController –filter ` { (isGlobalCatalog –eq $True) –AND (isReadOnly –eq $True) }

45 Discovering Global Catalogs (GCs)
Forest GCs  import-module ActiveDirectory $ADForest = Get-ADForest $ADForestGlobalCatalogs = $ADForest.GlobalCatalogs Domain DCs that are GCs import-module ActiveDirectory $DCsNotGCs = Get-ADDomainController -filter { IsGlobalCatalog -eq $True} Domain DCs that are not GCs  import-module ActiveDirectory $DCsNotGCs = Get-ADDomainController -filter { IsGlobalCatalog -eq $False } Import-Module ActiveDirectory IF ($TargetGC)     { ## OPEN IF TargetGC has a value       $GCInfo = Get-ADDomainController $TargetGC       IF ($GCInfo.OperatingSystemVersion -lt 6.0)          { ## OPEN IF TargetGC is not running Windows 2008 or higher             $LocalSite = (Get-ADDomainController -Discover).Site             $NewTargetGC = Get-ADDomainController -Discover -Service 6 -SiteName $LocalSite                 IF (!$NewTargetGC)                 { $NewTargetGC = Get-ADDomainController -Discover -Service 6 -NextClosestSite }             $LocalGC = $NewTargetGC.HostName + ":3268"          } ## CLOSE IF TargetGC is not running Windows 2008 or higher                 ELSE  { $LocalGC = $GCInfo.HostName + ":3268" }       } ## CLOSE IF TargetGC has a value     ELSE     { ## OPEN ELSE TargetGC is not set         Write-Output "Discover Local GC running ADWS `r "         $LocalSite = (Get-ADDomainController -Discover).Site         $NewTargetGC = Get-ADDomainController -Discover -Service 6 -SiteName $LocalSite         IF (!$NewTargetGC)             { $NewTargetGC = Get-ADDomainController -Discover -Service 6 -NextClosestSite }         $LocalGC = $NewTargetGC.HostName + ":3268"      } ## CLOSE ELSE TargetGC is not set

46 Active Directory Database Integrity Check
Write-Output "Checking the NTDS database for errors (semantic database analysis) `r " Stop-Service ntds -force $NTDSdbChecker = ntdsutil "activate instance ntds" "semantic database analysis" "verbose on" "Go" q q Start-Service ntds Write-Output "Results of Active Directory database integrity check: `r " $NTDSdbChecker Write-Output "Checking the NTDS database for errors (semantic database analysis) `r " Stop-Service ntds -force $NTDSdbChecker = ntdsutil "activate instance ntds" "semantic database analysis" "verbose on" "Go" q q Start-Service ntds Write-Output "Results of Active Directory database integrity check: `r " $NTDSdbChecker Check & Fix: $NTDSdbChecker = ntdsutil "activate instance ntds" "semantic database analysis" "verbose on" "Go Fixup" q q Note that replacing “Go” with “Go Fixup” runs the semantic check and will attempt to fix any errors. Also, you can remove the “verbose on” part – I like to see what is happening. “Unlike the file management commands …, which test the integrity of the database with respect to the ESENT database semantics, the semantic analysis analyzes the data with respect to Active Directory semantics. It generates reports on the number of records present, including deleted and phantom records.”

47 Finding FSMOs AD Cmdlets Import-Module ActiveDirectory (Get-ADForest).SchemaMaster (Get-ADForest).DomainNamingMaster (Get-ADDomain).InfrastructureMaster (Get-ADDomain).PDCEmulator (Get-ADDomain).RIDMaster .Net ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).SchemaRoleOwner ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).NamingRoleOwner ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).InfrastructureRoleOwner ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).RidRoleOwner

48 Moving FSMOs Can PowerShell move the FSMO role from one DC to another? get-command -module activedirectory -noun *Master* Moving FSMO Roles Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole RIDMaster Move-ADDirectoryServerOperationMasterRole -Identity $DCName - OperationMasterRole DomainNamingMaster Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole PDCEmulator Seizing FSMO Roles Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole PDCEmulator – FORCE

49 RepAdmin vs. PowerShell
2012 Cmdlets /FailCache Get-ADReplicationFailure /Queue Get-ADReplicationQueueOperation /ReplSingleObj Sync-ADObject /ShowConn Get-ADReplicationConnection /ShowObjMeta Get-ADReplicationAttributeMetadata /ShowRepl /ReplSum Get-ADReplicationPartnerMetadata /ShowUTDVec Get-ADReplicationUpToDatenessVectorTable /SiteOptions Set-ADReplicationSite 2008 R2 Cmdlets /ShowAttr Get-ADObject /SetAttr Set-ADObject /PRP Get-ADDomainControllerPasswordReplicationPolicy Add-ADDomainControllerPasswordReplicationPolicy Remove-ADDomainControllerPasswordReplicationPolicy Get-ADAccountResultantPasswordReplicationPolicy Get-ADDomainControllerPasswordReplicationPolicyUsage

50 Replication Cmdlets (2012) Get-ADReplicationPartnerMetadata

51 Replication Cmdlets (2012) Get-ADReplicationPartnerFailure

52 Replication Cmdlets (2012) Get-ADReplicationUpToDatenessVectorTable

53 Tips & Tricks Schedule a Backup-GPO PowerShell script to run weekly (at least!) ADSI properties are often Case senSitive Properties with a space or special character require quotes: $Object.”Property with spaces” PowerShell Remoting uses TCP 5985 (HTTP) or TCP 5986 (HTTPS) Don’t use credentials in Group Policy Preferences (MS14-025) GPP Vulnerability:

54 References ADSecurity.org – Filled with AD/Microsoft Security & PowerShell Goodness CMD to PowerShell Reference: PowerShell AD Cmdlet SOAP XML Messages and-powershell.aspx The AD: Drive Repadmin to PowerShell Quest AD cmdlets are useful, though not as necessary.

55 Bonus Slides Follow…

56 Validate Input as IP Address
$IPAddress = ’ ’ $IPAddressCheck = [System.Net.IPAddress]::parse($IPAddress) If there's data in $IPAddressCheck it's a valid IP. Example Result: Address : AddressFamily : InterNetwork ScopeId : IsIPv6Multicast : False IsIPv6LinkLocal : False IsIPv6SiteLocal : False IPAddressToString :

57 Enumerate Domain DFS Shares
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name $ADDomainDistinguishedName = (Get-ADDomain).DistinguishedName $DFSConfigObjectDN = "CN=Dfs-Configuration,CN=System,$ADDomainDistinguishedName“ $DFSConfigurationObject = Get-ADObject $DFSConfigObjectDN $DFSShareData = Get-ChildItem "AD:$DFSConfigObjectDN" ForEach ($DFSShareDataItem in $DFSShareData) { ## OPEN ForEach ($DFSShareDataItem in $DFSShareData) $DFSShareDataItemDN = $DFSShareDataItem.DistinguishedName $DFSShareDataItemNameArray = $DFSShareDataItemDN -split '=‘ $DFSShareDataItemNameArray2 = $DFSShareDataItemNameArray -split ',‘ $DFSShareDataItemName = $DFSShareDataItemNameArray2[1] $DFSShareDataItemServerPath = Get-ADObject $DFSShareDataItemDN -property *,RemoteServerName Write-Output "DFS Share Name: $DFSShareDataItemName `r “ Write-Output "$DFSShareDataItemDN `r “ $DFSShareDataItemServerPathName = ($DFSShareDataItemServerPath.RemoteServerName) -replace ('\*',"") $DFSShareDataItemServerPathName write-output " `r “ } ## CLOSE ForEach ($DFSShareDataItem in $DFSShareData) $DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name $ADDomainDistinguishedName = (Get-ADDomain).DistinguishedName $DFSConfigObjectDN = "CN=Dfs-Configuration,CN=System,$ADDomainDistinguishedName“ $DFSConfigurationObject = Get-ADObject $DFSConfigObjectDN $DFSShareData = Get-ChildItem "AD:$DFSConfigObjectDN" ForEach ($DFSShareDataItem in $DFSShareData) { ## OPEN ForEach ($DFSShareDataItem in $DFSShareData) $DFSShareDataItemDN = $DFSShareDataItem.DistinguishedName $DFSShareDataItemNameArray = $DFSShareDataItemDN -split '=‘ $DFSShareDataItemNameArray2 = $DFSShareDataItemNameArray -split ',‘ $DFSShareDataItemName = $DFSShareDataItemNameArray2[1] $DFSShareDataItemServerPath = Get-ADObject $DFSShareDataItemDN -property *,RemoteServerName Write-Output "DFS Share Name: $DFSShareDataItemName `r “ Write-Output "$DFSShareDataItemDN `r “ $DFSShareDataItemServerPathName = ($DFSShareDataItemServerPath.RemoteServerName) -replace ('\*',"") $DFSShareDataItemServerPathName write-output " `r “ } ## CLOSE ForEach ($DFSShareDataItem in $DFSShareData)

58 CONVERT DOMAIN DN TO FQDN
$ADObjectDN = "CN=Object1,OU=OrgUnit1,DC=child,DC=domain,DC=com" [array]$ADObjectDNArray = $ADObjectDN -Split(",DC=") [int]$DomainNameFECount = 0 ForEach ($ADObjectDNArrayItem in $ADObjectDNArray) { IF ($DomainNameFECount -gt 0) { [string]$ADObjectDNArrayItemDN += $ADObjectDNArrayItem + "." } $DomainNameFECount++ } $ADObjectDNDomainName = $ADObjectDNArrayItemDN.Substring(0,$ADObjectDNArrayItemDN.Length-1)

59 CONVERT DOMAIN FQDN TO DN
$DomainFullyQualifiedDomainName = "child.domain.com" $DomainFullyQualifiedDomainNameArray = $DomainFullyQualifiedDomainName -Split("\.") [int]$DomainNameFECount = 0 ForEach ($DomainFullyQualifiedDomainNameArrayItem in $DomainFullyQualifiedDomainNameArray) { IF ($DomainNameFECount -eq 0) { [string]$ADObjectDNArrayItemDomainName += "DC=" +$DomainFullyQualifiedDomainNameArrayItem } ELSE { [string]$ADObjectDNArrayItemDomainName += ",DC=" +$DomainFullyQualifiedDomainNameArrayItem } $DomainNameFECount++ } $ADObjectDNArrayItemDomainName

Download ppt "Mastering Active Directory with PowerShell"

Similar presentations

Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
The ActiveDirectory Module 2008R2 and 2012 Written and Delivered by: Gary Siepser.

The ActiveDirectory Module 2008R2 and 2012 Written and Delivered by: Gary Siepser.
IP ADDRESS MANAGEMENT [IPAM]

IP ADDRESS MANAGEMENT [IPAM]
What’s New in Active Directory: Windows Server 2008 R2 Brian Desmond Thursday, March 4 th, 2009.

What’s New in Active Directory: Windows Server 2008 R2 Brian Desmond Thursday, March 4 th, 2009.
Active Directory Disaster Recovery Paul Simmons Support Engineer Directory Services Microsoft Corporation.

Active Directory Disaster Recovery Paul Simmons Support Engineer Directory Services Microsoft Corporation.
Chapter 6 Introducing Active Directory

Chapter 6 Introducing Active Directory
Installing Exchange 2010 IT:Network:Applications.

Installing Exchange 2010 IT:Network:Applications.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Managing Active Directory with PowerShell JOSEPH MOODY.

Managing Active Directory with PowerShell JOSEPH MOODY.
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
Adding a Module The Import-Module cmdlet  Can be used to load any external module into PowerShell.  Uses the following syntax to add the ActiveDirectory.

Adding a Module The Import-Module cmdlet  Can be used to load any external module into PowerShell.  Uses the following syntax to add the ActiveDirectory.
Microsoft ® Official Course Module 4 Automating Active Directory Domain Services Administration.

Microsoft ® Official Course Module 4 Automating Active Directory Domain Services Administration.
Microsoft ® Official Course Module 12 Monitoring, Managing, and Recovering AD DS.

Microsoft ® Official Course Module 12 Monitoring, Managing, and Recovering AD DS.
Overview Print and Document Services Print Management console Printer properties Troubleshooting PowerShell.

Overview Print and Document Services Print Management console Printer properties Troubleshooting PowerShell.
Module 2 Creating Active Directory ® Domain Services User and Computer Objects.

Module 2 Creating Active Directory ® Domain Services User and Computer Objects.
Deploying and Managing Windows Server 2012

Deploying and Managing Windows Server 2012
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
CN1276 Server (V3) Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+

CN1276 Server (V3) Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+
IT Pro Connections 2009 The cutting edge event for IT pros Active Directory in Depth Χρήστος Σπανουγάκης MCT, MVP.

IT Pro Connections 2009 The cutting edge event for IT pros Active Directory in Depth Χρήστος Σπανουγάκης MCT, MVP.
Chapter 7: WORKING WITH GROUPS

Chapter 7: WORKING WITH GROUPS

Similar presentations

Ads by Google