Active Directory Archives - Page 2 of 2

How to Find Local Group Members from Remote Servers

February 12, 2022September 22, 2022 Yusuf Ustundag 2 Comments

If you need to list local group members belonging to remote servers , you can use two different powershell commands below.

By the way If the Windows Remote Management (WinRM) service is turned off on your remote servers, “Invoke-Command” doesn’t work.

$Servers = Get-Content C:\Temp\BulkServers.txt Foreach ($Server in $Servers) { Invoke-Command -ComputerName $Server -ScriptBlock {Get-LocalGroupMember -Group "Remote Desktop Users"} | Select PSComputerName,Name }

$Servers = Get-Content C:\Temp\BulkServers.txt Foreach ($Server in $Servers) { $Groups = Get-WmiObject Win32_GroupUser –Computer $Server $RDPUsers = $Groups | Where GroupComponent –like '*"Remote Desktop Users"'

Write-Host "Server: $Server" Write-Host " " $RDPUsers |% {
$_.partcomponent –match ".+Domain=(.+)\,Name=(.+)$" > $null $matches[1].trim('"') + "\" + $matches[2].trim('"') } Write-Host " " }

To list other group members, simply change the “Remote Desktop Users” group information.

Have a nice day !

How to Bulk Add DNS A Records

February 11, 2022September 22, 2022 Yusuf Ustundag Leave a comment

If you want to add A records in bulk, you must first edit the A records you want to add as a “.csv” file.

Then it will be enough to run the following powershell line.

Import-Csv .\dns.csv | ForEach-Object { Add-DnsServerResourceRecordA -Name $_.Name -IPv4Address $_.IPv4Address -ZoneName yusufustundag.com -ComputerName PDC -CreatePtr}

If you want to check the A records run the following powershell line.

Get-DnsServerResourceRecord -ZoneName yusufustundag.com -RRType A

Have a nice day!

How to your organization mitigate the risk of a Pass-the-Hash (PtH) attack?

February 4, 2022February 1, 2022 Yusuf Ustundag 1 Comment

This mitigation strategies that you can use in your organization to help prevent both lateral movement and privilege escalation by decreasing the impact of credential theft.

Lateral Movement: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization.

Privilege Escalation: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of a higher value to the organization.

These mitigations are effective, practical, and broadly applicable to different domain configurations.

These mitigations are defense-in-depth measures designed to ensure that your environment is protected even if these measures fail.

Mitigation	Effectiveness	Effort Required	Privilege Escalation	Lateral Movement
Restrict and protect local accounts with Administrative Privileges	Excellent	Medium	√	–
Restrict and protect local accounts with Administrative Privileges	Excellent	Low	–	√
Restrict inbound traffic using the Windows Firewall	Excellent	Medium	–	√
More Recommendations	Effectiveness	Effort Required	Privilege Escalation	Lateral Movement
Remove standard users from the local Administrators Group	Excellent	High	√	–
Limit the number and use of privileged Domain Accounts	Good	Medium	√	–
Configure outbound proxies to deny internet to Privileged Accounts	Good	Low	√	–
Ensure Administrative Accounts don’t have email accounts	Good	Low	√	–
Use remote management tools that don’t place reusable credentials on a remote computers memory	Good	Medium	√	–
Avoid logons to less secure computers that are potentially compromised	Good	Low	√	√
Update applications and operating systems	Partial	Medium	–	–
Secure and manage Domain Controllers	Partial	Medium	–	–
Remove LM hashes	Partial	Low	–	–
Other Mitigation	Effectiveness	Effort Required	Privilege Escalation	Lateral Movement
Disable the NTLM Protocol	Minimal	High	–	–
Smart cards and multifactor authentication (MFA)	Minimal	High	–	–
Jump servers	Minimal	High	√	–
Rebooting workstations and servers	Minimal	Low	–	–

Have a nice day!

How to Force Active Directory Replication

January 30, 2022February 23, 2025 Yusuf Ustundag 1 Comment

If you make a changes on DC01 and you want to replicate those to other DCs instantly, run command repadmin /syncall /APeD on DC01.

^{A = All Partitions
P = Push
e = Enterprise (Cross Site)
D = Identify servers by distinguished names}

If DC01 is out of sync, you should run command repadmin /syncall /AeD on DC01.
This will do a pull replication, which means it will pull updates from DC02 to DC01.

Supported flags case sensitive.

Have a nice day!

How to Check Active Directory Replication

January 30, 2022February 23, 2025 Yusuf Ustundag 2 Comments

Repadmin.exe helps system administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems.

For more about repadmin.exe

If you want view replication status and general health status, using command “/replsummary”.
This command will show you the percentage of replication attempts (Largest Delta/ Fails/Total/Error).
repadmin /replsummary

If you want view replication partner and status, using command “/showrepl”.
This command displays the GUID of each object that was replicated and it’s result.
repadmin /showrepl

Only to see the fail;
repadmin /showrepl /errorsonly

For other commands

If you don’t want to use commands, try this “Active Directory Replication Status Tool” 🙂

Have a nice day!

How to Get Domain Controller Information with Powershell

May 16, 2021February 23, 2025 Yusuf Ustundag 3 Comments

You can use the script below to discover your Domain Controller servers in your system.

(Get-ADForest).Domains | % { Get-ADDomainController -Discover -DomainName $_ } | % { Get-ADDomainController -server $_.Name -filter * }

ComputerObjectDN : Domain Controller Object Distinguished Name
DefaultPartition : Domain Partition
Domain : Domain Name
Enabled : Domain Status
Forest : Active Directory Forest Name
HostName : Domain Controller Host Name
InvocationId : The invocation ID identifies the version or the instantiation of the Active Directory database that is running on a given domain controller.
IPv4Address : Domain Controller IPv4 Address
IPv6Address : Domain Controller IPv6 Address
IsGlobalCatalog : Active Directory Global Catalog Status
IsReadOnly : Read-Only Domain Controllers Status
LdapPort : Domain Controller Ldap Port Number
Name : Domain Controller Computer Name
NTDSSettingsObjectDN : NTDS Settings Object Distinguished Name
OperatingSystem : Domain Controller Operation System
OperatingSystemHotfix : Domain Controller Operation Hotfix
OperatingSystemServicePack : Domain Controller Operation System Service Pack
OperatingSystemVersion : Domain Controller Operation System Version Build Number
OperationMasterRoles : Active Directory Flexible Single Master Operation (FSMO) Roles
Partitions : Domain Controller Partitions
ServerObjectDN : Server Object Distinguished Name
ServerObjectGuid : Server Object GUID Vaule
Site : Active Directory Site Name
SslPort : Domain Controller Ssl Port Number

You can customize the above criteria according to your needs and list them using the select command.

Example shell :

(Get-ADForest).Domains | % { Get-ADDomainController -Discover -DomainName $_ } | % { Get-ADDomainController -server $_.Name -filter * } | Select Name, Domain, Forest, IPv4Address, Site ,OperatingSystem, Operating SystemVersion, OperationMasterRoles,IsGlobalCatalog | ft ( or Out-GridView)

Have a nice day!