mastering-active-directory-management-with-powershell

This document provides guidance on managing Active Directory security using PowerShell scripts, emphasizing the importance of automating administrative tasks for better security. It covers topics such as managing inactive users, disabling reversible encryption for passwords, checking user permissions, modifying password policies, and implementing backup strategies. The document aims to equip security professionals with essential scripts to enhance their security management practices.

Uploaded by

Rafik Aidoudi

Managing Active Directory Security with PowerShell Scripts
Introduction
Windows PowerShell is a command-line shell and scripting language built on the .NET
Framework that supports, among other things, task automation and configuration
management. Installing Microsoft's Remote Server Administration Tools (RSAT) enables the
Windows PowerShell Active Directory module on everyday Windows workstations. This gives
security professionals the ability to monitor the many properties of domain users and
computers without logging on to a domain controller, which helps maintain the principle
of least privilege.

When it was first released, PowerShell was used mainly by administrators to manage objects
on users' computers. With regular updates, its versatile environment is now widely used to
automate administrative jobs. In this e-book we share a few commands and scripts that help
administrators automate Windows administration tasks, including laborious security chores.
We have identified the scripts that should be part of your security team's toolbox.

Managing Inactive Users


When employees leave an organization, their user accounts often remain in
Active Directory (AD) without attracting much attention. Because nobody is
using these accounts, their passwords are never changed, and a stale,
unmonitored account with a valid password is an attractive target for
compromise. For optimum security, enterprises should ensure that inactive or
obsolete user accounts are disabled or, better yet, deleted.

Use the following PowerShell script to generate a report of enabled users who
have not logged on within the last $DaysInactive days, and run it against the
domain for which the report is needed. The script reads lastLogonTimestamp,
which is replicated between domain controllers but only updated when it is
more than 14 days stale (the default msDS-LogonTimeSyncInterval), so treat the
result as accurate to about two weeks.

Import-Module ActiveDirectory

# Enabled users whose replicated last-logon timestamp is older than the cutoff.
$DaysInactive = 30
$time = (Get-Date).AddDays(-$DaysInactive)
Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and Enabled -eq $true} -Properties LastLogonTimeStamp |
    Select-Object Name, SamAccountName,
        @{Name="LastLogon"; Expression={[DateTime]::FromFileTime($_.LastLogonTimeStamp).ToString('yyyy-MM-dd HH:mm:ss')}} |
    Export-Csv -Path C:\Scripts\inactiveusers.csv -NoTypeInformation
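The report above only lists accounts. The following script, added here as an example and not part of the original e-book, turns the same query into a reviewable cleanup: it also catches accounts that have never logged on (which have no lastLogonTimestamp and are missed by a plain "-lt" comparison), skips an exemption list, and then disables, annotates and quarantines each stale account. The quarantine OU, the exemption list and the report path are assumptions; every change runs with -WhatIf so nothing is modified until you remove it.

```powershell
# Added example, not from the original e-book. Dry-run cleanup of inactive users.
Import-Module ActiveDirectory

$DaysInactive = 90
$Cutoff       = (Get-Date).AddDays(-$DaysInactive)
$QuarantineOU = 'OU=Disabled-Review,DC=corp,DC=example'   # assumed OU; replace with yours
$Exempt       = @('krbtgt', 'svc-backup')                  # assumed exemptions (service / break-glass accounts)
$ReportPath   = 'C:\Scripts\inactive-cleanup.csv'          # assumed output path

# lastLogonTimestamp is replicated only when more than 14 days stale, so it is
# accurate to roughly two weeks. Accounts that never logged on carry no value at
# all and are not matched by "-lt $Cutoff", so they are matched with -notlike "*".
$Candidates = Get-ADUser -Filter { Enabled -eq $true -and (LastLogonTimeStamp -lt $Cutoff -or LastLogonTimeStamp -notlike "*") } -Properties LastLogonTimeStamp, whenCreated, PasswordLastSet

$Stale = $Candidates | Where-Object {
    # A never-logged-on account is only stale if it was created before the cutoff.
    ($_.LastLogonTimeStamp -or $_.whenCreated -lt $Cutoff) -and
    $_.SamAccountName -notin $Exempt -and
    $_.DistinguishedName -notlike "*,$QuarantineOU"        # already quarantined
}

function Get-LastLogonText($User) {
    if ($User.LastLogonTimeStamp) { [DateTime]::FromFileTime($User.LastLogonTimeStamp).ToString('yyyy-MM-dd') } else { 'never' }
}

foreach ($User in $Stale) {
    $Note = "Disabled $(Get-Date -Format yyyy-MM-dd) by inactive-account cleanup; last logon $(Get-LastLogonText $User)"
    # -WhatIf makes each step a dry run; remove it once the list has been reviewed.
    Set-ADUser        -Identity $User -Description $Note -WhatIf
    Disable-ADAccount -Identity $User -WhatIf
    Move-ADObject     -Identity $User.DistinguishedName -TargetPath $QuarantineOU -WhatIf
}

# Keep a record of what was (or would be) changed.
$Stale | Select-Object Name, SamAccountName, DistinguishedName, PasswordLastSet,
    @{Name = 'LastLogon'; Expression = { Get-LastLogonText $_ }} |
    Export-Csv -Path $ReportPath -NoTypeInformation
```

Disabling before deleting preserves the SID and group memberships for the review period, so a mistaken hit can be reversed. The built-in Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90 query is a shorter way to get the candidate list, but it uses the same lastLogonTimestamp attribute and has the same two-week granularity; the per-DC lastLogon attribute is exact but is not replicated, so querying it means asking every domain controller.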

Spotting Accounts Configured with
Reversible Encryption
There are several dozen settings in Active Directory that, if used, weaken
security and open your environment to compromise. The Store password using
reversible encryption option is one of them.

Normally, when a password is set on an Active Directory user account, only a
one-way hash of it is stored; the hash cannot be turned back into the
password. When Store password using reversible encryption is set, the password
is additionally stored in a form the domain controller can decrypt, so anyone
who obtains the directory database (from a domain controller or a backup)
recovers the cleartext password rather than a hash to crack. The option exists
only for a few legacy protocols that need the cleartext, such as CHAP and
Digest authentication. Unfortunately, all it takes is a novice accidentally
ticking this option on the user property page, or a PowerShell script setting
it, and the security of the account is essentially broken.

Use the following PowerShell cmdlets to disable reversible password storage on
an account and to list every user whose password is stored with reversible
encryption enabled. The flag is bit 0x80 (decimal 128, ENCRYPTED_TEXT_PWD_ALLOWED)
of the userAccountControl attribute. Note that clearing the flag does not remove
the reversibly encrypted value already stored; that only happens when the
password is next changed, so force a change after clearing it.

# Disable "Store passwords using reversible encryption" on one account.
Set-ADAccountControl -Identity user01 -AllowReversiblePasswordEncryption $false

# List users with "Store passwords using reversible encryption" enabled.
# 128 (0x80) is the ENCRYPTED_TEXT_PWD_ALLOWED bit of userAccountControl.
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl |
    Select-Object Name, SamAccountName, Enabled, userAccountControl
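The two cmdlets above handle one account at a time. The script below, added here as an example and not part of the original e-book, combines them into an audit-and-remediate pass: it reports every flagged account with its group memberships (a flagged privileged account is the urgent case), clears the flag, and forces a password change so the reversibly encrypted copy is actually discarded. The report path is an assumption and the changes run with -WhatIf.

```powershell
# Added example, not from the original e-book. Audit and clear reversible encryption.
Import-Module ActiveDirectory

$ReportPath = 'C:\Scripts\reversible-encryption.csv'   # assumed output path
$UF_ENCRYPTED_TEXT_PWD_ALLOWED = 128                    # 0x80 in userAccountControl

$Flagged = Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl, PasswordLastSet, MemberOf, whenChanged

$Flagged |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet, whenChanged,
        @{Name = 'userAccountControl'; Expression = { '0x{0:X8}' -f $_.userAccountControl }},
        # Group names only (first RDN of each DN), so privileged members stand out in the CSV.
        @{Name = 'Groups'; Expression = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' }} |
    Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($User in $Flagged) {
    # Re-check the bit on the object itself before touching the account.
    if (-not ($User.userAccountControl -band $UF_ENCRYPTED_TEXT_PWD_ALLOWED)) { continue }

    # -WhatIf makes each step a dry run; remove it after reviewing the report.
    Set-ADAccountControl -Identity $User -AllowReversiblePasswordEncryption $false -WhatIf

    # Clearing the flag leaves the reversibly encrypted value on disk; only the next
    # password set stores the one-way hash alone, so force that change for live accounts.
    if ($User.Enabled) { Set-ADUser -Identity $User -ChangePasswordAtLogon $true -WhatIf }
}

"{0} account(s) with reversible encryption enabled; report written to {1}" -f @($Flagged).Count, $ReportPath
```

The per-account flag is not the only place this setting lives: the default domain password policy and any fine-grained password policy (PSO) carry a ReversibleEncryptionEnabled setting that applies to every account in scope regardless of the account flag, so check Get-ADDefaultDomainPasswordPolicy and Get-ADFineGrainedPasswordPolicy -Filter * as part of the same audit.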

Check Active Directory User Permissions Using Reports
For proper Active Directory management and better security, best practice is
for permissions to be granted through Active Directory group membership rather
than assigned explicitly to individual users. Ensuring that access rights
follow this principle can be a challenge. IT administrators need to review
Active Directory permissions reports regularly, detailing how each permission
was granted, so they can remove any that were assigned explicitly and work
with data owners to remove users from groups that grant permissions they do
not need for their everyday work. Regular permissions review and cleanup
minimizes the risk of privilege abuse and data breaches. The following script
walks every object in the domain, reads its ACL and produces one report row
per access control entry, with attribute and extended-right GUIDs translated
to names:

Import-Module ActiveDirectory

# Array for the report.
$report = @()

# Build a lookup table from schema GUIDs (attributes, classes and extended rights)
# to readable names, so each ACE can be reported by name instead of by GUID.
$schemaIDGUID = @{}
# Ignore duplicate-key errors, if any.
$ErrorActionPreference = 'SilentlyContinue'
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object { $schemaIDGUID.add([System.GUID]$_.schemaIDGUID, $_.name) }
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
    ForEach-Object { $schemaIDGUID.add([System.GUID]$_.rightsGUID, $_.name) }
$ErrorActionPreference = 'Continue'

# Get a list of AD objects: the domain head, every OU and every other object in the domain.
# The subtree search already returns the first two, so duplicates are removed afterwards.
$AOs  = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName)
$AOs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
$AOs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Subtree -LDAPFilter '(objectClass=*)' | Select-Object -ExpandProperty DistinguishedName
$AOs  = $AOs | Select-Object -Unique

# Loop through each object, retrieve its ACL and add one report row per ACE,
# with a column for the object's path and readable names for the GUID columns.
ForEach ($AO in $AOs) {
    $report += Get-Acl -Path "AD:\$AO" |
        Select-Object -ExpandProperty Access |
        Select-Object @{name='organizationalunit';expression={$AO}}, `
            @{name='objectTypeName';expression={if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') {'All'} Else {$schemaIDGUID.Item($_.objectType)}}}, `
            @{name='inheritedObjectTypeName';expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, `
            *
}

# Write the report; the output path is an assumption, the original does not give one.
$report | Export-Csv -Path C:\Scripts\AD_Permissions.csv -NoTypeInformation
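The full report is large, and most of its rows are inherited ACEs and the defaults Active Directory itself creates. The following script, added here as an example and not part of the original e-book, applies the review the text calls for: on the domain head and every OU it keeps only explicit (non-inherited) Allow entries held by principals outside a baseline of built-in identities, and only those carrying rights that amount to control of the object or its subtree (GenericAll, GenericWrite, WriteDacl, WriteOwner, or WriteProperty / ExtendedRight over all attributes and rights). Those are the delegations that must be justified or removed. The baseline list is an assumption for a default domain; extend it with your own sanctioned delegation groups.

```powershell
# Added example, not from the original e-book. Explicit control-type ACEs on containers.
Import-Module ActiveDirectory

$Domain  = Get-ADDomain
$NetBIOS = $Domain.NetBIOSName

# Principals that legitimately hold explicit rights on containers in a default
# domain (assumed baseline; add your own approved delegation groups here).
$Baseline = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\SELF', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access',
    "$NetBIOS\Domain Admins", "$NetBIOS\Enterprise Admins",
    "$NetBIOS\Key Admins", "$NetBIOS\Enterprise Key Admins"
)

# Rights that let the holder take over the object, or anything beneath it.
$TakeoverRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
$AllGuid        = [Guid]::Empty   # ObjectType of all zeros = applies to every attribute / right

$Containers = @($Domain.DistinguishedName) +
    (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$Findings = foreach ($DN in $Containers) {
    (Get-Acl -Path "AD:\$DN").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notin $Baseline -and
            (
                ($_.ActiveDirectoryRights -match $TakeoverRights) -or
                # WriteProperty / ExtendedRight are dangerous when unscoped (all attributes / all rights).
                ($_.ActiveDirectoryRights -match 'WriteProperty|ExtendedRight' -and $_.ObjectType -eq $AllGuid)
            )
        } |
        Select-Object @{Name = 'Container'; Expression = { $DN }},
            IdentityReference, ActiveDirectoryRights,
            @{Name = 'AppliesTo'; Expression = { if ($_.ObjectType -eq $AllGuid) { 'All' } else { $_.ObjectType } }},
            InheritanceType
}

$Findings | Sort-Object Container, IdentityReference | Format-Table -AutoSize
```

An unresolved SID in the IdentityReference column (an ACE whose trustee was deleted) should be removed outright; a resolved user rather than a group is exactly the explicit assignment the text says to replace with group membership. Re-run the same check against CN=AdminSDHolder,CN=System and the Domain Controllers OU, whose ACLs are inherited by every protected account and every DC respectively.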

Managing Domain Password Policy
The domain password policy determines how passwords are created, how often
they must be changed, and so on. The AD default minimum password length is 7
characters. Most AD environments we see have it set to between 8 and 10; some
are set to 0, 3 or 5.
Password spray attacks (a few common passwords tried against many accounts,
paced to stay under the lockout threshold) are effective against Active
Directory because of weak passwords, which short minimum lengths permit.
Increasing the minimum password length limits password spray effectiveness.

Use the Set-ADDefaultDomainPasswordPolicy cmdlet to modify the default password
policy for an Active Directory domain. Its syntax is:

Set-ADDefaultDomainPasswordPolicy
[-WhatIf]
[-Confirm]
[-AuthType <ADAuthType>]
[-ComplexityEnabled <Boolean>]
[-Credential <PSCredential>]
[-Identity] <ADDefaultDomainPasswordPolicy>
[-LockoutDuration <TimeSpan>]
[-LockoutObservationWindow <TimeSpan>]
[-LockoutThreshold <Int32>]
[-MaxPasswordAge <TimeSpan>]
[-MinPasswordAge <TimeSpan>]
[-MinPasswordLength <Int32>]
[-PassThru]
[-PasswordHistoryCount <Int32>]
[-ReversibleEncryptionEnabled <Boolean>]
[-Server <String>]
[<CommonParameters>]
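The syntax above lists the knobs; the script below, added here as an example and not part of the original e-book, shows how to audit them. It compares the default domain policy and every fine-grained password policy (PSO) against a baseline, prints the settings that fall short, and then shows the Set-ADDefaultDomainPasswordPolicy call that would bring the default into line. PSOs are included because a PSO overrides the default for the users and groups it applies to, so a weak PSO silently undoes a hardened default. The baseline values are assumptions; the change runs with -WhatIf.

```powershell
# Added example, not from the original e-book. Password policy audit against a baseline.
Import-Module ActiveDirectory

$Baseline = @{   # assumed baseline; tune to your own standard
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10   # 0 means never lock out, which makes password spray free
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(15)
    LockoutDuration             = [TimeSpan]::FromMinutes(15)
}

function Compare-PasswordPolicy {
    param($Policy, [string]$Name)
    foreach ($Setting in $Baseline.Keys) {
        $Actual = $Policy.$Setting
        $Wanted = $Baseline[$Setting]
        $Ok = switch ($Setting) {
            # Lockout must be on (non-zero) but no looser than the baseline.
            'LockoutThreshold'            { $Actual -gt 0 -and $Actual -le $Wanted }
            'ReversibleEncryptionEnabled' { $Actual -eq $Wanted }
            'ComplexityEnabled'           { $Actual -eq $Wanted }
            # Lengths, history and durations must be at least the baseline.
            default                       { $Actual -ge $Wanted }
        }
        [pscustomobject]@{ Policy = $Name; Setting = $Setting; Actual = $Actual; Baseline = $Wanted; Compliant = $Ok }
    }
}

$Default = Get-ADDefaultDomainPasswordPolicy
$Results = @(Compare-PasswordPolicy -Policy $Default -Name 'Default Domain Policy')

# PSOs win over the default for their members; lower Precedence wins between PSOs.
foreach ($Pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $Results += Compare-PasswordPolicy -Policy $Pso -Name "PSO: $($Pso.Name) (precedence $($Pso.Precedence))"
}

$Results | Where-Object { -not $_.Compliant } | Format-Table Policy, Setting, Actual, Baseline -AutoSize

# Bring the default policy up to the baseline; -WhatIf shows the change without applying it.
Set-ADDefaultDomainPasswordPolicy -Identity $Default `
    -MinPasswordLength $Baseline.MinPasswordLength -PasswordHistoryCount $Baseline.PasswordHistoryCount `
    -ComplexityEnabled $Baseline.ComplexityEnabled -ReversibleEncryptionEnabled $Baseline.ReversibleEncryptionEnabled `
    -LockoutThreshold $Baseline.LockoutThreshold -LockoutObservationWindow $Baseline.LockoutObservationWindow `
    -LockoutDuration $Baseline.LockoutDuration -WhatIf
```

Two caveats when applying this. First, the default domain settings are authored in the Default Domain Policy GPO and re-applied to the domain object when policy refreshes, so a value set only with this cmdlet will revert unless the GPO is changed to match. Second, a lockout threshold is a trade-off: it stops an attacker from guessing many passwords per account, but a low threshold lets a spray campaign lock out the whole user population, so pair it with a short LockoutDuration and treat a burst of event ID 4740 (account locked out) across many accounts as a spray detection signal.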

Active Directory Backup


Although Active Directory is designed for high redundancy (if you have
deployed several DCs), an AD administrator still needs to develop and
implement a clear Active Directory backup policy. At a minimum, back up the
DCs that hold FSMO roles and one DC per site. Specific recommendations for the
backup strategy depend heavily on your domain architecture and network
structure. Remember that a system state backup of a domain controller contains
the directory database (NTDS.dit) and therefore every password hash in the
domain, so the backup media must be protected as carefully as the domain
controller itself.

You can also use the Windows Server Backup PowerShell module (the
Windows-Server-Backup feature must be installed on the DC) to back up Active
Directory on a domain controller. The following PowerShell script backs up the
server's system state to the specified volume:

Import-Module WindowsServerBackup

# Build a one-off policy: system state only, written to volume E:.
$WBpolicy = New-WBPolicy
Add-WBSystemState -Policy $WBpolicy
$WBtarget = New-WBBackupTarget -VolumePath "E:"
Add-WBBackupTarget -Policy $WBpolicy -Target $WBtarget

# Run the backup now with the policy built above.
Start-WBBackup -Policy $WBpolicy
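Taking the backup is only half the job; the script below, added here as an example and not part of the original e-book, checks that it is still useful and still protected. It reads the last backup result and age from Windows Server Backup, compares the age with the forest's tombstone lifetime (a system state backup older than that cannot be restored without reintroducing deleted objects as lingering objects), and inspects the ACL of the backup volume for broad read access, since the volume holds the directory database. The target volume and the maximum acceptable age are assumptions; the tombstone lifetime defaults to 60 days when the attribute is unset, as on forests created before Windows Server 2003 SP1.

```powershell
# Added example, not from the original e-book. Verify DC system state backup health and exposure.
Import-Module WindowsServerBackup
Import-Module ActiveDirectory

$MaxAgeDays   = 1       # assumed: DCs should be backed up at least daily
$TargetVolume = 'E:\'   # assumed backup target, matching the script above

$Summary = Get-WBSummary

# Tombstone lifetime is stored on the Directory Service object of the configuration partition.
$DsConfig  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties tombstoneLifetime
$Tombstone = if ($DsConfig.tombstoneLifetime) { $DsConfig.tombstoneLifetime } else { 60 }   # unset = 60 days

$Age      = (Get-Date) - $Summary.LastSuccessfulBackupTime
$Findings = @()

if ($Summary.LastBackupResultHR -ne 0) {
    $Findings += 'Last backup failed with HRESULT 0x{0:X8}' -f $Summary.LastBackupResultHR
}
if ($Age.TotalDays -gt $MaxAgeDays) {
    $Findings += 'Last successful backup is {0} day(s) old (limit {1})' -f [int]$Age.TotalDays, $MaxAgeDays
}
if ($Age.TotalDays -gt $Tombstone) {
    $Findings += "Last successful backup is older than the tombstone lifetime ($Tombstone days) and is no longer safe to restore"
}

# The backup volume holds NTDS.dit: no broad groups should be able to read it.
$BroadGroups = '^(BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|Everyone)$'
$Weak = (Get-Acl -Path $TargetVolume).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -match $BroadGroups }
if ($Weak) {
    $Findings += 'Backup volume grants access to: ' + (($Weak.IdentityReference.Value | Sort-Object -Unique) -join ', ')
}

if ($Findings) {
    $Findings | ForEach-Object { Write-Warning $_ }
} else {
    "Backup OK: last successful system state backup at $($Summary.LastSuccessfulBackupTime), target $($Summary.LastBackupTarget)"
}
```

Run it from a scheduled task on each backed-up DC and forward the warnings to your monitoring; a backup that silently stopped succeeding months ago is discovered at exactly the wrong moment otherwise.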

Final Thoughts
Administrators have a tough, often tedious role to fill. Even relatively simple security
tasks, like deleting inactive users or ensuring that all devices on the network are
patched and operating optimally, can be very time-consuming when you factor in the sheer
number of devices being managed. With PowerShell scripts such as these, however, IT admins
can simplify common IT tasks and automate them whenever necessary.
