One-Liner: Use PowerShell to Get GPOs Containing User Settings

Last week we used Get-ADObject to find GPOs based on their flags attribute. We targeted GPOs that were configured with user settings enabled and computer settings disabled. This week we’ll find GPOs containing user settings. I’ll show you two ways, the second of which is preferred… Way, the first – Get-GPOReport Get-GPO -All | ForEach-Object {…

Use PowerShell to Get GPO Status Flag

Here’s an interesting little exercise in using Get-ADObject to see which parts of a Group Policy are enabled or disabled. By parts, I mean the User or Computer settings. Over to Get-ADObject… #Constants New-Variable -Name UE_CE -Value 0 -Option Constant #User Enabled / Computer Enabled New-Variable -Name UD_CE -Value 1 -Option Constant #User Disabled /…

Security Focus One Liner: AD Privileged User and Password Doesn’t Expire

I get to perform security assessments against Active Directory. It’s always fascinating. There’s a check that lists privileged users that are configured to not expire their password. Now, a proportion of flagged accounts are Service Accounts, but there are sometimes human-associated administrative accounts listed. This poor administrative practice still happens… after all these years of Active Directory, and after all these…

Parameter ValueFromPipelineByPropertyName Argument

A customer pointed out that ValueFromPipelineByPropertyName wasn’t working as expected in one of their scripts. I wrote a very simple code sample to demonstrate what the syntax should look like and to show the functionality in action. Hang on, I’m getting ahead of myself… Param ([parameter(ValueFromPipelineByPropertyName=$true)] [String[]]$MachineName) The Param() statement lets us define parameters for…

Security Focus: Orphaned AdminCount -eq 1 AD Users

AdminSDHolder and AdminCount have appeared in a few recent posts. In fact, in addition to this post, I’ve got another one on this topic lined up. It’ll be the last (for now), I promise! Anyway, to business… It’s long been known that objects that have been marked as AdminCount = 1 can become orphaned. Consider…

Back to Basics: Change an Attribute on a File

Today’s post is short and sweet… just like the PoSh Progeny! Here’s a short and sweet way to manipulate file attributes. Stuff like ‘Read-only’ and ‘File is ready for archiving’ in the below image. First up, add an attribute. We have a file that is marked as Archive and Offline. Time to add ReadOnly. #Attribute…

Security Focus: AD Objects Configured as AdminCount -eq 1

Let’s go! In Active Directory, AdminSDHolder is an object in each domain partition’s system container. It has a security descriptor that is stamped hourly on any AD object marked as AdminCount -eq 1. This ‘fix up’ is performed by a process called SDProp on the PDCe. The security descriptor / ACL can be thought of as a template and is a…

Parameter HelpMessage Argument

I taught a PowerShell course the other day. I hadn’t delivered that content for a while. I came to a section and I couldn’t remember exactly how to access the configured functionality. One of those moments! After, I thought the experience would make for an interesting little post and here we are… Look at this: [CmdletBinding()] Param ([parameter(mandatory, HelpMessage=”Enter…

Use PowerShell to Decipher GPO Version Information

A Group Policy is made up of a GPC (Group Policy Container) and a GPT (Group Policy Template). The GPC resides in Active Directory. The GPT lives on the file system of a Domain Controller in SYSVOL. We have to ensure that these two components are synchronised: AD replication looks after the GPC; DFSR looks…

Security Focus: Check the AdminSDHolder ACL – Part 2

Two weeks ago we used PowerShell to report on the AdminSDHolder ACL. We ended up with a CSV file of security principals from the ACL and a more detailed XML report. This week, I’ll show you how to quickly compare the CSV files, to see if the AdminSDHolder ACL has changed. And, here you go: $ref is the content…
