DOWST.DEV

by a scope, writing them back to onpremises Active Directory, including group memberships.

can show Who has what on which object.

Securing Active Directory is a massive part of the overall organization security, configuration, and permission and Access Control List (ACL).

maintaining a secure environment and heading off bad actors early. Thankfully, AD offers the information necessary to track these changes, despite being difficult to parse and understand at times. LAPS is a great example of this.

how well does it scale? Not very well.

Ensuring its health is pivotal for the seamless operation of various services. Today, I decided to look at Microsoft Entra Connect Health (Azure AD Connect Health) service, which allows monitoring Azure AD Connect, ADFS, and Active Directory. This means that under a single umbrella, you can have an overview of three services health. But is it worth it?

about computers in our Active Directory domain. Then, we will update our dashboard and take advantage of the charting capabilities of Universal Dashboard to show the information in an easy to digest manner.

overview of their environment I always check a lot of things before writing a report and a recommendation about which steps we need to take. In this blog post, I will show you a script that gathers information about the Active Directory Domain which saves a lot of command-line checking and starting up Management Consoles 😉

of directory information across all domain controllers in a domain. Monitoring this process is important as it helps identify any issues that may arise and resolve them quickly. One way to monitor Active Directory replication is by using the Repadmin command-line tool. Repadmin provides a wealth of information about the replication status and health of a domain. However, manually checking the Repadmin output can be time-consuming and tedious, and running it manually every 30 minutes just to check if everything is great doesn't seem like a great idea. While PowerShell has its own commands around replication I've not found something as fast and reliable as repadmin /replsummary.

Active Directory scripts using VBScript and PowerShell for over a decade. Here's a big sample of Active Directory PowerShell scripts to do all kinds of stuff!

units don't refer to the site where the users work.

against a Windows Active-Directory domain.

Active Directory. The code used PowerShell and CIM events to notify you, for example, when a new user account is created. This can be helpful when you need alerting. But perhaps you only need reporting. What has changed in Active Directory since a given date and time, such as in the last 24 hours? And wouldn't it be nice to have a pretty report? Let me help. Here's how I approached the prob lem using PowerShell and the ActiveDirectory module.

criteria. However, these filters do not assess the content of the log entry messages. To evaluate the log messages, you can extend filters using an XPath query. The examples below demonstrate how to audit Group Policy changes with XML queries, which you can further process with PowerShell.

user?

different. By downloading a freely available PowerShell module, an IT admin can manage every facet of AD and build powerful scripts to save time on all kinds of tasks. The best part is that knowledge of LDAP, ADSI and other typically developer-focused terms is not necessary. The PowerShell cmdlets take care of that stuff for you.

to build a solid reporting tool around Active Directory. I had a library of scripts and functions I have written over the years, including a few that I've written about here recently. Thus was born ADReportingTools.

with the Backup-GPO cmdlet of the Group Policy module. With my function, it will be much easier to identify the correct Group Policy Object (GPO) in case you have to restore Group Policy settings.

users can't login, they probably can't browse the web, machines can't communicate and finance won't be able to generate their latest report. Be sure you keep AD in tip top shape with an Active Directory health check script!

objects. Also it logs in EventLog and as a file on disk in csv format.

so you may need also cleanup disabled users from groups. Sometimes you don't want to delete users but only removing them from AD groups is required (often for licensing issues etc.)

policies to users and computers. A policy is some computer setting you wish to enforce, such as which screen saver to use, what desktop background to use, or what the default execution policy should be.

code if the OSD process didn't join the domain properly. Basically, I'm using PowerShell to do a couple of lookups and writing the information to variables, which I then use to trigger an exit command.

when you by accident fat finger it, and you have to redo it? Or even, you have multiple people in ...

virtual machines, which are ideal as I can simply dispose of them after. But you also need to cleanup the device records that were created in Azure Active Directory, Intune, the Autopilot registration service, Microsoft Endpoint Manager (if you're using it) and Active Directory in the case of Hybrid-joined devices.

Administration Tools. That sucks! We want it as simple as executing a script.

off-hand remark about parsing out organizational unit names from a distinguished name. On one hand, this is a pretty simple task, assuming a proper distinguished name from the Active Directory cmdlets. All you really need to do is split the string.

important to document them. In this blog post I am going to show you two PowerShell commands [...]

either completely public cloud using AAD or they have hosted servers in our private cloud. For these clients I've made the following script to document their Active Directory server settings. I always I want to be in complete control of my clients environment. That means having up to date documentation at the ready.

including password resets, SID history injection, group membership changes, and enabling/disabling accounts.

basic user attributes in Active Directory. Like anyone else, I presented the idea of using RSAT to let them modify users in ADUC or ADAC. This was not an ideal solution because ADUC can become overwhelming to someone that isn't technical. They wanted something that was extremely basic, easy to follow and work in without any guidance or instructions, and did not show the user anything else that they could not modify or needed to see.

group writeback v2 to on-premises using MS Graph PowerShell

This was written on Friday, July 19, 2024, due to the CrowdStrike Outage. If you choose to test this PowerShell, ensure that you update the argument for the SearchBase parameter to reflect your Active Directory domain.

maintain a proper lifecycle around Active Directory groups. Many organizations love creating groups however, some (most?), don't really like to do cleanup

Group Policy. With rsop.msc, a graphical tool is available for this purpose. However, it is generally more efficient to generate a report using gpresult.exe and evaluate it with PowerShell.

may no longer be in use. Let's go.

main problem admins tend to face is identifying the source computer or service that is causing the account to lock out in the first place.

that tracks and prevent duplicate SPN's

includes the cmdlet Get-ADGroupMember for finding group members, but it cannot be used to query groups with over 5000 members. The cmdlet also suffers from performance bottlenecks. I'd like to share with you a tool I built that solves both those problems.

disable insecure LDAP Bindings, which is going to break a lot of your systems (hopefully not). But this was already communicated, and you know all about it, right? If not, you should read those two articles that can help you with understanding what is happening and when.

and other directory services. Knowing these ports is crucial for configuring firewalls, ensuring secure communication, and troubleshooting network issues related to Active Directory services. This post will teach you how to get the Active Directory ports with PowerShell.

Directory. A good use case is if a director or VP wants to send an email to all of their direct reports, and the direct reports of those direct reports. Another use case would be if you were doing an audit comparing your HR system to what is in Active Directory. What ever the reason might be, you can use this script to get direct reports in active directory using Powershell. Pretty neat!!

come to the right place! In this article, you will learn how to create custom reports of user accounts in your AD environment using the Get-ADObject cmdlet.

migrations, backup & restore.

Enter, will I be prompted for MyAdmin password? I saw a few examples but they don't seem to be quite what I'm looking for. I would be performing this on an individual station, therefore I don't think I would need to specify a computer name.

Directory. Well wonder no longer with this tutorial from Windows OS Hub showing you every step of the process, from enabling logging, to how to search the logs with PowerShell.

environment.

PowerShell is the optimal choice when you need to make large-scale changes. But there are caveats to consider before you can reap the automation benefits.

If so, you may have run across a frustrating problem - an on-prem AD user has expired but that user can still access resources protected with Azure AD.

production servers and not feel guilty! There are many possibilities for using PowerShell on non-Windows platforms now and today my mind was pondering how to use it to join Linux servers to Active Directory. So, I created a small little function that automates some of this called Join-LinuxToAD. Keep in mind I tested this only on CentOS 7.

Directory to avoid serious problems. PowerShell can make quick edits to keep order.

how it fits in with Identity Management. This is a new podcast presented by Semperis and hosted by 15 time MVP Sean Deuby. The podcast is off to a fantastic start with wide range of experts in the field of Identity Management. It's a great listen because of the topics but also because the episodes are only 15-20 minutes in length.

that haven't been turned on since World Cup 2016?" Yeah, we've all been there. Keeping AD clean and up-to-date is like trying to organize your garage-it's easy to put off until it becomes a total mess.

on your Active Directory, whether to view key indicators or to perform advanced searches in a simple way.

so you don't have to. It is not a replacement for tools already in place such as DCDiag. Instead, this toolkit comprises tools that my co-writers and I have found nowhere else. The goal of this module is to enable you to know when the core pieces of Active Directory aren't working as expected so you can take action.

are logged in the Event Viewer. In this article I will cover how to monitor all logon events with PowerShell. Let's dive in.

Access Management tool that will be living in your Azure environment, mostly designed for MSPs. If you want to see how AzPam looks or contribute, check out the Github page about it here. I should be pretty close to releasing an alpha version soon!

supported, due to COVID we had some extra time to prepare our clients for this change as its been postponed to July of 2021. We've helped all of our clients move to modern authentication last year but I understood there is still a bit of a struggle for other MSPs to achieve this.

and generates nicely viewable reports in HTML format by highlighting the spots that require attention. The script manipulates user data using facts collected with benchmark values.

person. Most who have tried granting permissions outside of adding users to groups in Active Directory would probably agree that, access delegation can be a daunting task.

to get started building your own PowerShell toolkit.

changes in a safe manner, Advanced Group Policy Management or AGPM, is an amazing tool.

supported. You can totally run the ActiveDirectory module, natively, without using the WindowsCompatibility module! This is one of the most under-reported facts of PowerShell 7, even going as far back as 6.1

security concerns. Delegation & Revocation of privileges. Configuring monitoring of active directory object changes. Analysis of security relevant AD configuration settings/state.

the functions are designed to work with eachother. Functions that gather information on users or computers can be piped into functions that take an action. For instance, you can pipe a function that returns computers that have not logged onto the network for 30 days into a function that disables computer accounts. In a single line of code, you can disable all the inactive computers in active directory. There are a wide variety of functions that perform other tasks like sending magic packets for wake on lan, measuring directory and sub-directory sizes, gathering large files, and other tasks. Every function is fully documented and works with the Get-Help function.

permissions. One of the replies I got about that was: How about the Container permissions, those are important too 🙂 And that's correct, they are! In this blog post, I will show you how to create a report on those (Script is based on the OU report)

Role Based Access and delegating permissions on Organizational Units (OU's). But one of the first questions was. What are the current permissions and what should we remove and where? In this blogpost I will show you a way to report on the current permissions so that you can remove them where they shouldn't be granted

companion tool to the Group Policy backup tool he shared earlier this year.

objects in AD.

helpdesk requests due to expired passwords, especially for VPN users, and may actually undermine security. However, timely notifications can help mitigate issues when password changes are necessary. Learn how to notify users with Group Policy or a PowerShell script.

combines that data into a prettified report. If you have ever used DSInternals, you know that while very powerful, it comes with raw data that is hard to process and requires some skills to get it into a state that can be shown to management or security.

redundant and scalable file shares. And yet anyone who has used it, knows that monitoring it can be difficult at the best of times.

it's best to deliver on the promise. What you're about to witness here is something I've worked on for a while now, and it meets my basic needs. If you don't have SIEM product or products that monitor who does what in Active Directory this command makes it very easy, even for people who don't have much experience in reading Event Logs. If you'd like to learn about working with Windows Event Logs here's a great article I wrote recently - PowerShell - Everything you wanted to know about Event Logs and then some.

Directory? Check out Anthony Howell’s walkthrough of a PowerShell function to easily do just that.

you need to extract specific information from events.

copied from Support Tool for WS2003) console tools to monitor and control Active Directory replication. In Windows Server 2012, Microsoft added a number of PowerShell cmdlets to manage and check replication status in the Active Directory forest. In this article we'll look at the main useful PoSh cmdlets that an AD administrator can use to control replication between domain controllers.

of an AD object - the time and date when the password for that object was last changed. This attribute is used to enforce password policies and track when a password was last changed. This quick post helps you understand these...

Directory. This applies, for example, to the expiration date of passwords or to Kerberos delegation. An AD audit should check this attribute regularly. This can be done using PowerShell, and there is a cmdlet for changing flags.

Create a local user or administrator account in Windows using PowerShell. It's a bit overcomplicated, but the goal was it should work for Windows 7 and up, and that means supporting PowerShell 2.0. As part of that exercise, I've been using Win32_UserAccount WMI based query to find local users and manage them to an extent. While Get-LocalUser exists, it's not suitable for the PowerShell 2.0 scenario. I also use the same query in GPO for WMI filtering. You can say it's been a good friend of mine - until today! Let's take a look at this basic WMI query:

group membership. Those are Get-ADGroup and Get-ADGroupMember. The first command contains property Members, which gives you DistinguishedName of all members, and Get-ADGroupMember can provide you either direct members or with Recursive switch all members recursively (skipping groups). Till a few weeks ago, I was a happy user of those commands until I noticed two things. Member property for Get-ADGroup sometimes misses elements for whatever reason.

check out the following command.

ldap signing. See LINK. This affects every supported version of Windows Server (from 2008R2 till 2019). There is another LINK ADV190023 with detailed explanation.

of Windows in your domain. It will also break down the versions of Windows 10.

make it easier to modify (Or more succinctly a Settings Page). This was a bit of work to think through. I am hoping someone might know of a more robust way to do what I am doing. This way I felt I could do with a bit of work. So I came up with two ways of implementing the same settings script.