One-Liner: Find a Renamed and Relocated AD Guest Account WITHOUT using the Well-Known SID

So… someone decided to rename and move the domain’s Guest account. You could find it by searching via the well-known SID… SID: S-1-5-21domain-501 Name: Guest Description: A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. Or… you could try this little trick… …

Security Focus: Set ConstrainedLanguage Mode on My Machine

Whilst doing some research, for a presentation on Security and PowerShell, I came across this cheeky one-liner: [Environment]::SetEnvironmentVariable(‘__PSLockdownPolicy’, ‘4’, ‘Machine’)   After running it, look what happens when I try and start PowerShell. Damn, my profile script won’t run… but, what’s this? I can’t do other stuff, too? Damn!   If you’ve never come across…

One-Liner: Use PowerShell to Verify Domain Controller Location

It’s generally a bad thing if a domain controller isn’t in the Domain Controllers OU. For example, the Default Domain Controllers Policy may not be applied. Here’s a cheeky one-liner to check you’re good: Get-ADDomainController -Filter * | ForEach-Object { if ($_.ComputerObjectDN -notmatch “CN=$($_.Name),OU=Domain Controllers,$($_.DefaultPartition)”) { Write-Output “$($_.Name) computer object DN set to $($_.ComputerObjectDN)” }…

One-Liner: Use PowerShell to Get GPOs Containing User Settings

Last week we used Get-ADObject to find GPOs based on their flags attribute. We targeted GPOs that were configured with user settings enabled and computer settings disabled. This week we’ll find GPOs containing user settings. I’ll show you two ways, the second of which is preferred…   Way, the first – Get-GPOReport  Get-GPO -All | ForEach-Object {…

One-liner: Use Get-ADObject to Find Authorised DHCP Servers

The DHCP PowerShell module has the Get-DhcpServerInDC cmdlet to show you the DHCP servers that have been authorised in Active Directory. This cmdlet was introduced with Windows Server 2012 and v3 of PowerShell. What if you don't have access to the above? What if you want to impress your PoSh Chickens and get a list of…

One-Liner: Domain Controller Patch Levels

Before performing work against your Active Directory, it's prudent to complete a few checks, e.g. is replication healthy, are my FSMOs up, do I have up-to-date, verified backups etc? Here's a one-liner to give you a view of whether your patch levels are consistent: Get-ADDomainController -Filter * | ForEach-Object { $HotFixes = (Get-HotFix -ComputerName $_.Name).Count Write-Host "$($_.Name): $($_.OperatingSystem)…

One-Liner: Change Account Lockout Threshold

What's the optimal Account Lockout Threshold value? A question that continues to generate a lot of debate! If an account lockout threshold is set, the latest guidance, issued with Windows Server 2012 R2, suggests a value of 10. Visit this post for more information: Configuring Account Lockout   After the new guidance was released, I wanted to quickly and efficiently…

One-Liner: Active Directory Protected Objects

This week I was asked how to get a list of Active Directory protected objects with PowerShell. Protected objects can’t be deleted as they are critical to the health of Active Directory. The easiest way I could think of is to use Get-ADObject with a specific LDAP filter. Get-ADObject -LDAPFilter “(&(objectcategory=*)(systemflags:1.2.840.113556.1.4.803:=2147483648))” Here’s some output. Notice…

One-Liner: My Take On Finding Stale User and Computer Accounts

Using PowerShell and information in Active Directory to identify 'stale' user or computer accounts is prone to inaccuracies. This is because there are many circumstances or technical nuances that can make the data unreliable. For example, think of a globe-trotting salesperson: they (and their laptop) might not see the office for months; however, they both still remain company…

One-Liner: Delegate Group Policy Management

Here's a quick and easy way to delegate the management of existing Group Policy Objects in your domain. Set-GPPermission -All -Domain "halo.net" -TargetType Group -TargetName "Domain Local – Halo GPO Edit 1" -PermissionLevel GpoEdit   What's going on here then? -All… well, that tells Set-GPPermission to apply the new Access Control Entry (ACE) to all the…