This one is awesome (and short). (Get-TlsCipherSuite).Name
Tag: one-liner
One-Liner: Find a Renamed and Relocated AD Guest Account WITHOUT using the Well-Known SID
So… someone decided to rename and move the domain’s Guest account. You could find searching via the well-know SID… SID: S-1-5-21domain-501 Name: Guest Description: A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. Or… you could try this little trick… …
Security Focus: Set ConstrainedLanguage Mode on My Test Computer
Whilst doing some research, for a presentation on Security and PowerShell, I came across what I assume is an UNSUPPORTED setting, due to a lack of documentation: [Environment]::SetEnvironmentVariable(‘__PSLockdownPolicy’, ‘4’, ‘Machine’) After running it, look what happens when I try and start PowerShell. Damn, my profile script won’t run… but, what’s this? I can’t do other…
One-Liner: Use PowerShell to Verify Domain Controller Location
It’s generally a bad thing if a domain controller isn’t in the domain controllers OU. For example, the default domain controllers policy may not be applied. Here’s a cheeky one-liner to check you’re good: Get-ADDomainController -Filter * | ForEach-Object { if ($_.ComputerObjectDN -notmatch “CN=$($_.Name),OU=Domain COntrollers,$($_.DefaultPartition)”) { Write-Output “$($_.Name) computer object DN set to $($_.ComputerObjectDN)” }…
One-Liner: Use PowerShell to Get GPOs Containing User Settings
Last week we used Get-ADObject to find GPOs based on their flags attribute. We targeted GPOs that were configured with user settings enabled and computer settings disabled. This week we’ll find GPOs containing user settings. I’ll show you two ways, the second of which is preferred… Way, the first – Get-GPOReport Get-GPO -All | ForEach-Object {…
One-liner: Use Get-ADObject to Find Authorised DHCP Servers
The DHCP PowerShell module has the Get-DhcpServerInDC cmdlet to show you the DHCP servers that have been authorised in Active Directory. This cmdlet was introduced with Windows Server 2012 and v3 of PowerShell. What if you don't have access to the above? What if you want to impress your PoSh Chickens and get a list of…
One-Liner: Domain Controller Patch Levels
Before performing work against your Active Directoy, it's prudent to complete a few checks, e.g. is replication healthy, are my FSMOs up, do I have up-to-date, verified backups etc? Here's a one-liner to give you a view of whether your patch levels are consistent: Get-ADDomainController -Filter * | ForEach-Object { $HotFixes = (Get-HotFix -ComputerName $_.Name).Count Write-Host "$($_.Name): $($_.OperatingSystem)…
One-Liner: Change Account Lockout Threshold
What's the optimal Account Lockout Threshold value? A question that continues to generate a lot of debate! If an account lockout threshold is set, the latest guidance, issued with Windows Server 2012 R2, suggests a value of 10. Visit this post for more information: Configuring Account Lockout After the new guidance was released, I wanted to quickly and efficiently…
One-Liner: Active Directory Protected Objects
This week I was asked how to get a list of Active Directory protected objects with PowerShell. Protected objects can’t be deleted as they are critical to the health of Active Directory. The easiest way I could think of is to use Get-ADObject with a specific LDAP filter. Get-ADObject -LDAPFilter “(&(objectcategory=*)(systemflags:1.2.840.113556.1.4.803:=2147483648))” Here’s some output. Notice…
One-Liner: My Take On Finding Stale User and Computer Accounts
Using PowerShell and information in Active Directory to identify 'stale' user or computer accounts is prone to inaccuracies. This is because there are many circumstances or technical nuances that can make the data unreliable. For example, think of a globe-trotting sales person, they (and their laptop) might not see the office for months, however, they both still remain company…