Security Focus One Liner: AD Privileged User and Password Doesn't Expire

I get to perform security assessments against Active Directory. It’s always fascinating. There’s a check that lists privileged users that are configured to not expire their password. Now, a proportion of flagged accounts are Service Accounts, but, there’s sometimes human-associated administrative accounts listed. This poor administrative practice still happens… after all these years of Active Directory, and after all these…

Security Focus: AD Objects Configured as AdminCount -eq 1

Let’s go! In Active Directory, AdminSDHolder is an object in each domain partition’s system container. It has a security descriptor that is stamped hourly on any AD object marked as AdminCount -eq 1. This ‘fix up’ is performed by a process called SDProp on the PDCe. The security descriptor / ACL can be thought of as a template and is a…

Security Focus: Check the AdminSDHolder ACL - Part 1

In Active Directory, AdminSDHolder is an object in each domain partition’s system container. It has a security descriptor that is stamped hourly on any AD object marked as AdminCount -eq 1. This ‘fix up’ is performed by a process called SDProp on the PDCe. The security descriptor / ACL can be thought of as a template and is a means of protecting high…

PowerShell, FSMOs and Netdom

I like any excuse to try and match the functionality of an executable with PowerShell. This week I decided to take a pop at: netdom query fsmo. This lists the FSMO role holders for the current domain and forest. Now, for some reason, there's not a cmdlet for listing out the FSMOs. In fact, getting…

PowerShell and _MSDCS Recovery

Oh, no! Someone's blatted the _MSDCS zone from DNS! The _MSDCS zone hosts the domain controller locator DNS resource records for all the domain controllers in an Active Directory forest – it's a key part of how clients find domain controller services. This unfortunate deletion has been replicated to all domain controllers. What to do?   Call your friendly, neighbourhood PowerShell!…

Use PowerShell to Find Active Directory Forest Conflict Objects

Quite often there’s conflict amongst the PoSh progeny. Usually, the most belligerent sibling gets sent to their bedroom. In Active Directory, when there’s a sibling name conflict the Relative Distinguished Name of the losing sibling is ‘mangled’, i.e. you’ll see ‘CNF:<guid>’ inserted into the name. Now, the last time there was a rumpus in the PoSh household, I tried inserting ‘*CNF:bf8149dd-3e1f-41f5-ad6b-bc11403bc579*’ into the name of the chief…

One-Liner: Specific GPO and DC Information from a Forest

Man, I love PowerShell one-liners. The efficiency, the elegance, the challenge! Here's one to give me a list of the domain names in a forest, the number of group policies per domain and the number of domain controllers per domain.   (Get-ADForest).Domains | ForEach-Object {"Domain Name`: $_"; "Number of GPOs`: $((Get-GPO -All -Domain $_ ).count)";…
