Security Focus: Orphaned AdminCount -eq 1 AD Users

AdminSDHolder and AdminCount have appeared in a few recent posts. In fact, in addition to this post, I’ve got another one on this topic lined up. It’ll be the last (for now), I promise! Anyway, to business… It’s long been known that objects that have been marked as AdminCount = 1 can become orphaned.   Consider…

Back to Basics: Change an Attribute on a File

Today’s post is short and sweet… just like the PoSh Progeny! Here’s a short and sweet way to manipulate file attributes. Stuff like ‘Read-only’ and ‘File is ready for archiving’ in the below image.   First up, add an attribute. We have a file that is marked as Archive and Offline. Time to add ReadOnly. #Attribute…

Security Focus: AD Objects Configured as AdminCount -eq 1

Let’s go! In Active Directory, AdminSDHolder is an object in each domain partition’s system container. It has a security descriptor that is stamped hourly on any AD object marked as AdminCount -eq 1. This ‘fix up’ is performed by a process called SDProp on the PDCe. The security descriptor / ACL can be thought of as a template and is a…

Parameter HelpMessage Argument

I taught a PowerShell course the other day. I hadn’t delivered that content for a while. I came to a section and I couldn’t remember exactly how to access the configured functionality. One of those moments! After, I thought the experience would make for an interesting little post and here we are… Look at this: [CmdletBinding()] Param ([parameter(mandatory, HelpMessage="Enter…

Use PowerShell to Decipher GPO Version Information

A Group Policy is made up of a GPC (Group Policy Container) and a GPT (Group Policy Template). The GPC resides in Active Directory. The GPT lives on the file system of a Domain Controller in SYSVOL. We have to ensure that these two components are synchronised: AD replication looks after the GPC; DFSR looks…

Security Focus: Check the AdminSDHolder ACL – Part 2

Two weeks ago we used PowerShell to report on the AdminSDHolder ACL. We ended up with a CSV file of security principals from the ACL and a more detailed XML report. This week, I’ll show you how to quickly compare the CSV files, to see if the AdminSDHolder ACL has changed. And, here you go: $ref is the content…

MS16-072 – Known Issue – Use PowerShell to Check GPOs

UPDATE – 30/06/2016: Official detect and fix script released. See here: Powershell script to adjust permissions for Authenticated Users on Group Policy. Further information: Deploying Group Policy Security Update MS16-072 \ KB3163622. Hello, There is a known issue with the application of particular GPOs once MS16-072 is applied. Click the following link and…

Security Focus: Check the AdminSDHolder ACL – Part 1

In Active Directory, AdminSDHolder is an object in each domain partition’s system container. It has a security descriptor that is stamped hourly on any AD object marked as AdminCount -eq 1. This ‘fix up’ is performed by a process called SDProp on the PDCe. The security descriptor / ACL can be thought of as a template and is a means of protecting high…

Back to Basics: Is my Parameter Value from the Pipeline?

I was asked how to check if a supplied parameter value has come from the pipeline. I came up with two different methods, the first only works with v2. Here are the two test conditions: Test-ParamSource -MyParam $vals and $vals | Test-ParamSource, where $vals is an array of integers: $vals = 3,4,5,6,40,50. Right, we…

Security Focus: Reporting on Interesting UserAccountControl Values

I’ve talked about various UserAccountControl values in previous AD security focused posts. Recently, there have been UserAccountControl values concerning ‘Unconstrained Delegation’ and Protocol Transition. Prior to that, we’ve had ‘Account is sensitive and cannot be delegated’, ‘SCRIL’ and also accounts configured for ‘DES encryption’. This time out, I’ll show you how to generate some basic reports, using the…