AD Cmdlet -Filter Faffing

I’m aware that I write for an international audience and I try to use international English in my posts. When I use traditional or colloquial English I usually have a good reason for doing so. Today’s reason is because I like the alliteration that ‘Filter Faffing’ provides. faffing – the act of making…


Security Focus: Get Mail Enabled Admin Users

Browsing the internet with an admin account is a very, very bad thing to do. Using an admin account to send / receive email is also a very, very bad thing. Why? Well, you expose the credentials to a high risk of being stolen and used to compromise your enterprise. Want to do some checks against Active…


One-Liner: Find a Renamed and Relocated AD Guest Account WITHOUT using the Well-Known SID

So… someone decided to rename and move the domain’s Guest account. You could find it by searching via the well-known SID… SID: S-1-5-21domain-501 Name: Guest Description: A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. Or… you could try this little trick… …


Days of Service and Service Anniversaries

Not an exact science*, but PowerShell and Active Directory can be used to arrive at the length of service for people in your team. *This post assumes that the WhenCreated date on user accounts corresponds to an employee’s actual start date. Take a look at this… $Team | ForEach-Object { Get-ADUser -Filter {Name -like $_} -Properties…


Security Focus: Orphaned AdminCount -eq 1 AD Users

AdminSDHolder and AdminCount have appeared in a few recent posts. In fact, in addition to this post, I’ve got another one on this topic lined up. It’ll be the last (for now), I promise! Anyway, to business… It’s long been known that objects that have been marked as AdminCount = 1 can become orphaned. Consider…


Security Focus: Reporting on Interesting UserAccountControl Values

I’ve talked about various UserAccountControl values in previous AD security focused posts. Recently, there’s been UserAccountControl values concerning ‘Unconstrained Delegation’ and Protocol Transition. Prior to that, we’ve had ‘Account is sensitive and cannot be delegated’, ‘SCRIL’ and also accounts configured for ‘DES encryption’. This time out, I’ll show you how to generate some basic reports, using the…


Security Focus: sIDHistory / sID Filtering Sanity Check – Part 1 – aka Post #100!

100 posts! Who’d have thought it? I started out wanting to evangelise PowerShell. 100 posts later, that desire is as strong as ever! Along the way, it seems that I have helped some folks out, made others laugh, confused some, talked about PoSh chickens… and had a jolly good time of it, too! Anyway, enough…


Remove a String from a Multi-Valued Attribute

Happy to Help: This week a friend asked for a little extra-vocational assistance. A multi-valued attribute in Active Directory, populated for a large number of user objects, contained an entry in a non-standard format. To make things interesting, whilst the non-standard format was the same for each user, the information contained within each entry was different. To make things even more interesting,…


Security Focus: Resetting 'Smart card is required for interactive logon'

Last week I mentioned that there are a number of configuration options we recommend for high privileged users and we discussed 'Account is sensitive and cannot be delegated'. This week let's look at 'Smart card is required for interactive logon' (SCRIL). Smart Card Good, Post-It Note Bad: 'Smart card is required for interactive logon' forces…


Security Focus: Analysing 'Account is sensitive and cannot be delegated' for Privileged Accounts

There are a number of configuration options we recommend for securing high privileged accounts. One of them, enabling 'Account is sensitive and cannot be delegated', ensures that an account’s credentials cannot be forwarded to other computers or services on the network by a trusted application. The feature that allows an application to act on behalf of a user…
