More on Get-Acl with Active Directory

In June I posted about searching Active Directory for principals that have the “Write Members” permission on a Distribution List. I had a follow-up question, from an internal source, about deciphering each Access Control Entry (ACE) returned by Get-Acl against the Active Directory PS drive. I thought I’d convey the same information to the outside…


One-Liner: Query the AD Schema for User Object Attributes

I’ve lost count of just how many blog posts have their origin in a customer question. Here’s another: “How do you use PowerShell to get a list of what attributes *could* be populated on an AD user object?” A magnificent question! The customer was unsure as to why some properties would appear…


Use PowerShell to List Active Directory Extended Rights

PowerShell providers allow us to traverse various data stores we encounter, as IT professionals, as if they were file systems. There is a PSProvider that allows us to navigate the smooth seas of the Active Directory PSDrive. Thinking about a file system, we can talk about Access Control Entries (ACEs) that make up Access Control Lists (ACLs) to govern…


List Forest SPN Mappings

I was helping a customer set up Kerberos delegation the other day. After all these years, the specifics of this topic still seem to create uncertainty. Eventually, the conversation turned to the SPN-Mappings attribute. This little beauty can be found on the Directory Services NTDSService object in the configuration partition. It allows the “host/…” SPN of a computer to represent any…


One-Liner: Use PowerShell to Get GPOs Containing User Settings

Last week we used Get-ADObject to find GPOs based on their flags attribute. We targeted GPOs that were configured with user settings enabled and computer settings disabled. This week we’ll find GPOs containing user settings. I’ll show you two ways, the second of which is preferred…

Way, the first – Get-GPOReport

Get-GPO -All | ForEach-Object {…


Use PowerShell to Get GPO Status Flag

Here’s an interesting little exercise in using Get-ADObject to see which parts of a Group Policy are enabled or disabled. By parts, I mean the User or Computer settings. Over to Get-ADObject…

#Constants
New-Variable -Name UE_CE -Value 0 -Option Constant #User Enabled / Computer Enabled
New-Variable -Name UD_CE -Value 1 -Option Constant #User Disabled /…


Security Focus: AD Objects Configured as AdminCount -eq 1

Let’s go! In Active Directory, AdminSDHolder is an object in each domain partition’s system container. It has a security descriptor that is stamped hourly on any AD object marked as AdminCount -eq 1. This ‘fix up’ is performed by a process called SDProp on the PDCe. The security descriptor / ACL can be thought of as a template and is a…


Security Focus: Report on Protocol Transition

A couple of weeks ago I showed how to report on Constrained Delegation. This week, I’m going to talk about a related concept – Protocol Transition.

Protocol Transition

The lesser known relative of Constrained Delegation! Where you find Protocol Transition, you’ll always find Constrained Delegation. Introduced in Windows Server 2003, Protocol Transition allows you to…


Security Focus: Report on Unconstrained Delegation

Last week I showed how to report on Constrained Delegation. This week, I'll show you how to report on Unconstrained Delegation. What's the difference? "…The feature that allows an application to act on behalf of a user is known as Kerberos Delegation. It has to be explicitly enabled for trusted services on a trusted computer. It can be switched…


Security Focus: Report on Constrained Delegation

It's a subject that's been written about on numerous occasions. However, there's not much out there on how to understand the extent of constrained delegation in a domain. What is constrained delegation then? Here's something from a previous occasion: "…The feature that allows an application to act on behalf of a user is known as Kerberos Delegation….