Use PowerShell to List Active Directory Extended Rights

PowerShell providers allow us to traverse the various data stores we encounter as IT professionals as if they were file systems. There is a PSProvider that allows us to navigate the smooth seas of the Active Directory PSDrive. Thinking about a file system, we can talk about Access Control Entries (ACEs) that make up Access Control Lists (ACLs) to govern…
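An added example to go with this post (it is not the post's own code): every extended right is a controlAccessRight object under CN=Extended-Rights in the Configuration partition, keyed by its rightsGuid. An ExtendedRight ACE read from the AD: drive carries only that GUID in ObjectType, so resolving it is what makes the ACL readable. It assumes the RSAT ActiveDirectory module in a domain-joined session; the function name Get-ExtendedRightAce is my own.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module and a
# domain-joined session; the AD: drive is created when the module loads.
Import-Module ActiveDirectory

$rootDse          = Get-ADRootDSE
$extendedRightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# validAccesses tells you what kind of controlAccessRight an entry is:
#   256 (0x100) = extended right, 48 (0x30) = property set, 8 = validated write
$rightsByGuid = @{}
Get-ADObject -SearchBase $extendedRightsDn -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties rightsGuid, displayName, validAccesses, appliesTo |
    ForEach-Object { $rightsByGuid[[guid]$_.rightsGuid] = $_ }

# Resolve the ObjectType GUID of each ExtendedRight ACE on an object to its display name.
function Get-ExtendedRightAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight } |
        ForEach-Object {
            $known = $rightsByGuid[$_.ObjectType]
            # An empty ObjectType with ExtendedRight grants *every* extended right on the object
            $name = if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' }
                    elseif ($known) { $known.displayName }
                    else { "$($_.ObjectType)" }   # GUID not in Extended-Rights: schema-specific or third-party
            [pscustomobject]@{
                Object    = $DistinguishedName
                Identity  = $_.IdentityReference
                Right     = $name
                Type      = $_.AccessControlType
                Inherited = $_.IsInherited
            }
        }
}

# Worked check: who holds extended rights on the domain head. This is where
# DS-Replication-Get-Changes / DS-Replication-Get-Changes-All (the DCSync pair) are granted.
Get-ExtendedRightAce -DistinguishedName (Get-ADDomain).DistinguishedName |
    Sort-Object Right, Identity | Format-Table -AutoSize
```

Run it against the domain head first: any identity other than the domain controllers, Administrators, Domain Controllers and Enterprise Domain Controllers holding both replication rights can pull every account's secrets, so that line of output is the one to read before anything else.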


List Forest SPN Mappings

I was helping a customer set up Kerberos delegation the other day. After all these years, the specifics of this topic still seem to create uncertainty. Eventually, the conversation turned to the SPN-Mappings attribute. This little beauty can be found on the Directory Service object (class nTDSService) in the configuration partition. It allows the “host/…” SPN of a computer to represent any…
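An added example (not the post's own code) that reads the forest's sPNMappings attribute and expands each "host=class1,class2,…" value into one row per service class, so the list of classes a bare host/ SPN silently stands in for is reviewable. It assumes the RSAT ActiveDirectory module; the function name ConvertFrom-SpnMapping and the sample mapping string are mine.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Each sPNMappings value has the form "<mapped-class>=<class>,<class>,...";
# a ticket request for <class>/server is satisfied by <mapped-class>/server (normally host/server).
function ConvertFrom-SpnMapping {
    param([Parameter(Mandatory)][string[]]$Mapping)
    foreach ($entry in $Mapping) {
        $mappedClass, $aliases = $entry -split '=', 2
        foreach ($serviceClass in ($aliases -split ',')) {
            if ($serviceClass.Trim()) {
                [pscustomobject]@{ Mapped = $mappedClass.Trim(); ServiceClass = $serviceClass.Trim() }
            }
        }
    }
}

# Constructed sample, to show the output shape without touching AD
ConvertFrom-SpnMapping -Mapping 'host=cifs,http' | Format-Table -AutoSize

# The real thing: one object per forest, so this is a forest-wide setting
$configNc  = (Get-ADRootDSE).configurationNamingContext
$dsObject  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" -Properties sPNMappings
ConvertFrom-SpnMapping -Mapping $dsObject.sPNMappings | Sort-Object ServiceClass | Format-Table -AutoSize
```

The security-relevant point is the other direction of the mapping: a service class listed here never needs its own SPN, so a service running under the computer account (cifs, http and the rest of the default list) is reachable with a host/ ticket encrypted to the machine's key. Anything added to this forest-wide list extends that to every computer, so a change to it belongs in change control and in your object-modification auditing.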


One-Liner: Use PowerShell to Get GPOs Containing User Settings

Last week we used Get-ADObject to find GPOs based on their flags attribute. We targeted GPOs that were configured with user settings enabled and computer settings disabled. This week we’ll find GPOs containing user settings. I’ll show you two ways, the second of which is preferred… Way, the first – Get-GPOReport Get-GPO -All | ForEach-Object {…


Use PowerShell to Get GPO Status Flag

Here’s an interesting little exercise in using Get-ADObject to see which parts of a Group Policy are enabled or disabled. By parts, I mean the User or Computer settings. Over to Get-ADObject… #Constants New-Variable -Name UE_CE -Value 0 -Option Constant #User Enabled / Computer Enabled New-Variable -Name UD_CE -Value 1 -Option Constant #User Disabled /…
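An added example covering both this post and the "GPOs Containing User Settings" one above (it is not either post's own code). It reads the groupPolicyContainer objects directly with Get-ADObject and decodes two attributes: flags (the status this post is about: bit 0 = user settings disabled, bit 1 = computer settings disabled) and versionNumber, whose high 16 bits are the user-configuration version and low 16 bits the computer-configuration version, which gives the "contains user settings" answer without rendering a Get-GPOReport. It assumes the RSAT ActiveDirectory module; the function name Get-GpoState is mine.

```powershell
# Added example, not from the original posts. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# groupPolicyContainer flags: bit 0 = user settings disabled, bit 1 = computer settings disabled
$FlagNames = @{
    0 = 'User Enabled / Computer Enabled'
    1 = 'User Disabled / Computer Enabled'
    2 = 'User Enabled / Computer Disabled'
    3 = 'User Disabled / Computer Disabled'
}

function Get-GpoState {
    param([Parameter(Mandatory, ValueFromPipeline)]$Gpo)
    process {
        # versionNumber is a 32-bit value: high word = user version, low word = computer version.
        # Mask through int64 so a value with the top bit set does not come back negative.
        $version = [int64]$Gpo.versionNumber -band 0xFFFFFFFF
        $userVersion     = $version -shr 16
        $computerVersion = $version -band 0xFFFF
        [pscustomobject]@{
            Name            = $Gpo.displayName
            Guid            = $Gpo.Name
            Status          = $FlagNames[[int]$Gpo.flags]
            UserVersion     = $userVersion
            ComputerVersion = $computerVersion
            HasUserSettings = $userVersion -gt 0       # the user half has been edited at least once
            UserApplied     = ($userVersion -gt 0) -and (([int]$Gpo.flags -band 1) -eq 0)
        }
    }
}

$policiesDn = "CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$gpos = Get-ADObject -SearchBase $policiesDn -LDAPFilter '(objectClass=groupPolicyContainer)' `
                     -Properties displayName, flags, versionNumber | Get-GpoState

# This post's question: status flag of every GPO
$gpos | Sort-Object Status, Name | Format-Table Name, Status -AutoSize

# The earlier post's question: GPOs that contain user settings, and whether they are actually applied
$gpos | Where-Object HasUserSettings | Format-Table Name, Status, UserVersion, UserApplied -AutoSize
```

Two caveats a reviewer wants: a version counter only goes up, so a GPO whose user settings were configured and then removed still reports HasUserSettings (the Get-GPOReport route shows what is really in there), and a non-zero user version on a GPO whose user half is disabled is exactly the combination to look at, because re-enabling it applies settings nobody has reviewed recently.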


Security Focus: AD Objects Configured as AdminCount -eq 1

Let’s go! In Active Directory, AdminSDHolder is an object in each domain partition’s System container. It has a security descriptor that is stamped hourly on any AD object marked as AdminCount -eq 1. This ‘fix up’ is performed by a process called SDProp, which runs on the PDC emulator. The security descriptor / ACL can be thought of as a template and is a…
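An added example (not the post's own code): it enumerates every object with adminCount=1 and compares each one's explicit DACL entries against the AdminSDHolder template, reporting inheritance state and any ACEs that are extra or missing. It assumes the RSAT ActiveDirectory module in a domain-joined session; the function name Get-AceSignature is mine.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module;
# the AD: drive is created when the module loads.
Import-Module ActiveDirectory

$domainDn      = (Get-ADDomain).DistinguishedName
$adminSdHolder = "CN=AdminSDHolder,CN=System,$domainDn"

# Reduce an ACE to a comparable string. IsInherited is deliberately left out:
# SDProp writes the template's ACEs onto protected objects as explicit entries.
function Get-AceSignature {
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    '{0}|{1}|{2}|{3}|{4}' -f $Ace.IdentityReference, $Ace.ActiveDirectoryRights,
                             $Ace.AccessControlType, $Ace.ObjectType, $Ace.InheritedObjectType
}

$templateAcl = Get-Acl -Path "AD:\$adminSdHolder"
$template    = @($templateAcl.Access | ForEach-Object { Get-AceSignature $_ } | Sort-Object -Unique)

# First thing to review: the template itself. An ACE added here reaches every protected
# object within the hour, which is why AdminSDHolder is a classic persistence point.
$templateAcl.Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType |
    Format-Table -AutoSize

# Then every object SDProp has stamped, with drift from the template
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount | ForEach-Object {
    $acl    = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    $actual = @($acl.Access | ForEach-Object { Get-AceSignature $_ } | Sort-Object -Unique)
    $diff   = Compare-Object -ReferenceObject $template -DifferenceObject $actual
    [pscustomobject]@{
        Name               = $_.Name
        Class              = $_.ObjectClass
        InheritanceBlocked = $acl.AreAccessRulesProtected     # SDProp sets this; $false means it has not run yet
        ExtraAces          = @($diff | Where-Object SideIndicator -eq '=>').Count
        MissingAces        = @($diff | Where-Object SideIndicator -eq '<=').Count
    }
} | Sort-Object ExtraAces, MissingAces -Descending | Format-Table -AutoSize
```

Anything with a non-zero ExtraAces or MissingAces either has not been visited by SDProp yet (it is an hourly job, and only the PDC emulator runs it) or was edited after the last pass; re-run after an hour before treating it as tampering. Note also that adminCount is never cleared when an account leaves a protected group, so the list will include orphans that keep the locked-down, non-inheriting ACL long after they stopped being privileged.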


Security Focus: Report on Protocol Transition

A couple of weeks ago I showed how to report on Constrained Delegation. This week, I’m going to talk about a related concept – Protocol Transition. Protocol Transition The lesser known relative of Constrained Delegation! Where you find Protocol Transition, you’ll normally find Constrained Delegation: the Delegation tab in Active Directory Users and Computers only offers it alongside a constrained target list. Introduced in Windows Server 2003, Protocol Transition allows you to…


Security Focus: Report on Unconstrained Delegation

Last week I showed how to report on Constrained Delegation. This week, I'll show you how to report on Unconstrained Delegation. What's the difference? "…The feature that allows an application to act on behalf of a user is known as Kerberos Delegation. It has to be explicitly enabled for trusted services on a trusted computer. It can be switched…


Security Focus: Report on Constrained Delegation

It's a subject that's been written about on numerous occasions. However, there's not much out there on how to understand the extent of constrained delegation in a domain. What is constrained delegation then? Here's something from a previous occasion: "…The feature that allows an application to act on behalf of a user is known as Kerberos Delegation….
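An added example serving the three delegation posts above, Constrained Delegation, Unconstrained Delegation and Protocol Transition (it is not the posts' own code). One query pulls every account with either userAccountControl flag set or a populated msDS-AllowedToDelegateTo, and a classifier labels each one, including the combination the GUI never produces: the protocol-transition flag with no target list. It assumes the RSAT ActiveDirectory module; the function name Get-DelegationState is mine.

```powershell
# Added example, not from the original posts. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000     # UAC bit: unconstrained delegation (524288)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # UAC bit: protocol transition, "use any authentication protocol" (16777216)
$SERVER_TRUST_ACCOUNT           = 0x2000      # UAC bit: domain controller; unconstrained by design, so report rather than "fix"

function Get-DelegationState {
    param([Parameter(Mandatory, ValueFromPipeline)]$Account)
    process {
        $uac     = [int]$Account.userAccountControl
        # @($null).Count is 1 in PowerShell, so drop empty values before counting
        $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $kind = if ($uac -band $TRUSTED_FOR_DELEGATION) { 'Unconstrained' }
                elseif ($targets.Count -gt 0 -and ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) { 'Constrained + Protocol Transition' }
                elseif ($targets.Count -gt 0) { 'Constrained (Kerberos only)' }
                elseif ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'Protocol Transition flag, no targets' }
                else { 'None' }
        [pscustomobject]@{
            Name                = $Account.Name
            Class               = $Account.ObjectClass
            Delegation          = $kind
            AllowedToDelegateTo = $targets -join '; '
            IsDomainController  = ($uac -band $SERVER_TRUST_ACCOUNT) -ne 0
        }
    }
}

# Bitwise-AND matching rule on userAccountControl, OR'd with a populated target list.
# Querying both flags and the attribute catches combinations set with LDAP tools rather than the GUI.
$filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" +
          "(msDS-AllowedToDelegateTo=*))"

Get-ADObject -LDAPFilter $filter -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
    Get-DelegationState | Sort-Object Delegation, Name | Format-Table -AutoSize
```

Read the output in order of risk: unconstrained accounts that are not domain controllers first (they cache the TGT of everyone who authenticates to them), then anything marked Protocol Transition (the service can obtain a forwardable ticket for any user with no proof that the user ever authenticated), then the plain constrained entries, checking that each target SPN still belongs to a host that should be impersonated to. This covers the classic, account-side delegation the three posts describe; resource-based constrained delegation, which lives on the target in msDS-AllowedToActOnBehalfOfOtherIdentity, needs a separate query.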


Active Directory – Parsing a 'Multi-Line' Description Property

Interesting one this… A customer had some information they needed to obtain from the description property on an object. The information was 'multi-valued' and saved as a Unicode string. What am I talking about? Here's the string in the attribute editor of Active Directory Users and Computers (note the ';' delimiter): Here it is in the Multi-valued…


One-liner: Use Get-ADObject to Find Authorised DHCP Servers

The DHCP PowerShell module has the Get-DhcpServerInDC cmdlet to show you the DHCP servers that have been authorised in Active Directory. This cmdlet was introduced with Windows Server 2012 and v3 of PowerShell. What if you don't have access to the above? What if you want to impress your PoSh Chickens and get a list of…
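An added example (not the post's own code) for the situation the post describes: no DHCP module, so the authorised servers are read from the Configuration partition directly, where each one is a dHCPClass object under CN=NetServices,CN=Services named after the server, alongside a DhcpRoot object that carries the consolidated list. It assumes the RSAT ActiveDirectory module; the cross-check against Get-DhcpServerInDC at the end only runs where that cmdlet exists.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$configNc    = (Get-ADRootDSE).configurationNamingContext
$netServices = "CN=NetServices,CN=Services,$configNc"

# One dHCPClass object per authorised server (its name is the server FQDN); DhcpRoot is the
# container-level summary object and is excluded so it does not show up as a "server".
$authorised = Get-ADObject -SearchBase $netServices -SearchScope OneLevel `
                           -LDAPFilter '(&(objectClass=dHCPClass)(!(name=DhcpRoot)))' `
                           -Properties dhcpServers, whenCreated, whenChanged |
    Select-Object Name, whenCreated, whenChanged,
                  @{ n = 'dhcpServers'; e = { @($_.dhcpServers) -join ' ' } }

$authorised | Sort-Object whenCreated | Format-Table -AutoSize

# Cross-check against the supported cmdlet where the DHCP module is available;
# a server in one list but not the other is worth a look.
if (Get-Command Get-DhcpServerInDC -ErrorAction SilentlyContinue) {
    $fromCmdlet = (Get-DhcpServerInDC).DnsName
    Compare-Object -ReferenceObject @($fromCmdlet) -DifferenceObject @($authorised.Name)
}
```

whenCreated is the useful column for a security review: authorising a DHCP server needs Enterprise Admins (or a delegated write to this container), so a recently created entry you do not recognise is either an undocumented change or a rogue server that someone with high privilege has legitimised.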