Gathering AD Data with the Active Directory PowerShell Module

Microsoft provided several Active Directory PowerShell cmdlets with Windows Server 2008 R2 (and newer) which greatly simplify tasks which previously required putting together lengthy lines of code involving ADSI.

On a Windows client, install the Remote Server Administration Tools (RSAT) and ensure the Active Directory PowerShell module is installed.

On a Windows server (2008 R2 or newer), run the following commands in a PowerShell console (as an Administrator):

Import-Module ServerManager ; Add-WindowsFeature RSAT-AD-PowerShell

Here's my (poor) ADSI example:

$UserID = "JoeUser"
$root = [ADSI]""
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$UserID))"
$user = $searcher.FindAll()
$user

Here's the same thing with the AD PowerShell cmdlet:

Note that with PowerShell version 3 and newer, you don't need to run the first line (the module import), since PowerShell will identify the necessary module and auto-load it.

Once you have the Active Directory PowerShell module loaded, you can do cool stuff like browse AD like a file system.

Discover available PowerShell modules: Get-Module -ListAvailable

Discover cmdlets in a PowerShell module: Get-Command -Module ActiveDirectory

Finding Active Directory Flexible Single Master Operation (FSMO) Roles:

([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).SchemaRoleOwner

([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).NamingRoleOwner

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).InfrastructureRoleOwner

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).RidRoleOwner

Active Directory PowerShell Module Cmdlet Examples:

Get-RootDSE gets information about the LDAP server (the Domain Controller) and displays it. There's some interesting information in the results, like what OS the DC is running.

Get-ADForest provides information about the Active Directory forest that the computer you run the command on belongs to.

Get-ADDomain provides information about the current domain you are in.

Get-ADDomainController provides computer information specific to Domain Controllers.

This cmdlet makes it easy to find all DCs in a specific site or running a specific OS version.

Get-ADComputer provides most of what you would want to know about a computer object in AD.

Run with -Prop * to show all standard properties.

Get-ADUser provides most of what you want to know about an AD user.

Run with -Prop * to show all standard properties.

Get-ADGroup provides information about an AD group. Find all security groups by running:

Get-ADGroup -Filter { GroupCategory -eq "Security" }

Get-ADGroupMember enumerates and returns the group members. Use the -Recursive parameter to include all members of nested groups.

Get-ADGroupMember Administrators -Recursive

These cmdlets are useful to identify situations that previously required purchasing a product or custom scripting.

The following examples find inactive (stale) computer and user accounts that haven't changed their passwords in the last 10 days. Note that this is a lab example. For real-world checks, change this to 60 to 90 days for computers and 180 to 365 days for users.

Note that the Windows 2012 module includes cmdlets for sites (Get-ADReplicationSite*).

Note that this requires that the Group Policy PowerShell module is installed, which is separate from the Active Directory module.
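As an added example (not code from the original post), the stale-account check described above written as a reusable function, using the post's real-world thresholds as defaults. It assumes the ActiveDirectory module is available and the caller has read access to the domain; the function name and parameters are my own.

```powershell
# Added example: report enabled computer and user accounts whose password has
# not changed within the given thresholds (assumes RSAT-AD-PowerShell is present).
Import-Module ActiveDirectory

function Get-StaleAccounts {
    param(
        [int]$ComputerDays = 90,    # post recommends 60-90 days for computers
        [int]$UserDays     = 180    # post recommends 180-365 days for users
    )

    $computerCutoff = (Get-Date).AddDays(-$ComputerDays)
    $userCutoff     = (Get-Date).AddDays(-$UserDays)

    # Computers: enabled accounts whose machine password is older than the cutoff.
    # Disabled accounts are skipped so already-decommissioned objects don't add noise.
    $staleComputers = Get-ADComputer `
        -Filter { Enabled -eq $true -and PasswordLastSet -lt $computerCutoff } `
        -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
        Select-Object @{ Name = 'Type'; Expression = { 'Computer' } },
            Name, OperatingSystem, PasswordLastSet, LastLogonDate,
            @{ Name = 'PasswordNeverExpires'; Expression = { $false } }

    # Users: enabled accounts whose password is older than the cutoff.
    # PasswordNeverExpires is included because such accounts never rotate on their own
    # and deserve separate review (service accounts are a common case).
    $staleUsers = Get-ADUser `
        -Filter { Enabled -eq $true -and PasswordLastSet -lt $userCutoff } `
        -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires |
        Select-Object @{ Name = 'Type'; Expression = { 'User' } },
            Name,
            @{ Name = 'OperatingSystem'; Expression = { '' } },
            PasswordLastSet, LastLogonDate, PasswordNeverExpires

    # Wrap in @() so a single result (or none) still concatenates cleanly.
    @($staleComputers) + @($staleUsers)
}

# Lab run: 10-day thresholds as in the post; defaults give the real-world values.
$report = Get-StaleAccounts -ComputerDays 10 -UserDays 10
$report | Sort-Object Type, PasswordLastSet | Format-Table -AutoSize

# Keep a copy for the review that should follow before any account is disabled.
$report | Export-Csv -Path .\StaleAccounts.csv -NoTypeInformation
```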

Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address, IsGlobalCatalog, IsReadOnly, OperatingSystem | Format-Table -AutoSize

Get-ADReplicationPartnerMetadata (Windows Server 2012 and newer) returns replication partner metadata for a Domain Controller, including when each partner last replicated successfully.

Get-ADReplicationPartnerFailure provides information on DC replication failure status.

Get-ADReplicationUptodatenessVectorTable tracks replication status between Domain Controllers.
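As an added example (not from the original post), the replication cmdlets above combined into a health summary for every DC in the domain. It assumes the Windows Server 2012 or newer module; the function name, the lag threshold and the Flag column are my own.

```powershell
# Added example: summarize inbound replication state per DC and flag partners
# that have failed or not replicated within the threshold.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param([int]$MaxLagMinutes = 60)   # assumed threshold; tune to the site topology

    $dcs = Get-ADDomainController -Filter *
    foreach ($dc in $dcs) {
        # Inbound partners of this DC and the time of the last successful replication.
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName `
            -PartnerType Inbound -ErrorAction SilentlyContinue
        if (-not $partners) {
            # An unreachable DC is itself worth flagging.
            [pscustomobject]@{
                DC = $dc.HostName; Partner = '(no metadata returned)'; Partition = ''
                LastSuccess = $null; LagMinutes = $null; ConsecutiveFailures = $null; Flag = $true
            }
            continue
        }
        foreach ($p in $partners) {
            $lag = (Get-Date) - $p.LastReplicationSuccess
            [pscustomobject]@{
                DC                  = $dc.HostName
                Partner             = $p.Partner          # partner DSA distinguished name
                Partition           = $p.Partition
                LastSuccess         = $p.LastReplicationSuccess
                LagMinutes          = [int]$lag.TotalMinutes
                ConsecutiveFailures = $p.ConsecutiveReplicationFailures
                Flag                = ($lag.TotalMinutes -gt $MaxLagMinutes -or
                                       $p.ConsecutiveReplicationFailures -gt 0)
            }
        }
    }
}

# Flagged rows first; cross-check them against Get-ADReplicationFailure output.
Get-ReplicationHealth | Sort-Object Flag -Descending, LagMinutes -Descending |
    Format-Table -AutoSize
```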

These examples and more are in these presentation slides:


Hi Sean, I have benefited from your expertise for many years. Thanks very much!

Is there a way to prevent authenticated folks who are not authorized from running these commands?

Not built-in, and working to get these blocked would be non-trivial. Note that this is the same type of data that authenticated users can gather via LDAP.

Check out the PowerShell module PowerView:

There is a way to prevent cmdlets or functions in a PS remote session. Look at the Securing Privileged Access document from Microsoft. From there, look at Just Enough Administration and you'll find how to restrict PS usage.


Content Disclaimer: This blog and its contents are provided AS IS with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 – 2017.
