Active Directory DSRM Password Change Tool

What is Active Directory Directory Services Restore Mode (DSRM)?

Active Directory Directory Services Restore Mode (DSRM) is a special boot mode in Windows Server operating systems used for recovery and maintenance of the Active Directory database.

What Does It Do?

  • Recover Active Directory Database: When the Active Directory (AD) database becomes corrupted or inaccessible, Directory Services Restore Mode (DSRM) enables the system to boot securely and repair the database efficiently.
  • Restore Active Directory from Backup: Use Directory Services Restore Mode (DSRM) to restore the Active Directory database, ensuring data integrity and a successful system recovery.
  • Troubleshooting Database Issues: DSRM enables maintenance and troubleshooting tasks on the AD database.
  • Isolated Recovery from Attacks: It allows a secure recovery by isolating Active Directory from the network.

DSRM Password Storage: The system stores the DSRM password locally, keeping it independent of the Active Directory domain. This password remains unused during normal operations and is only required for recovery tasks.

Security Recommendations: To enhance Active Directory security, update the DSRM password every 6 to 12 months on each Active Directory server.

Case Example: Your company’s infrastructure may contain several domains, each with multiple Active Directory servers.
You can use the following script to update the DSRM password on all of these servers centrally.

Features of the Script:

  • Centralized or Individual Updates: The script can update the DSRM password for all AD servers in a domain or for individual servers.
  • Use Unique, Complex Passwords: Generate passwords with 16, 18, or 20 characters to ensure uniqueness and complexity for every AD server.
  • Export Results: After the password update, the script exports a CSV file containing the domain name, hostname, IP address, and the generated password for each AD server.

Requirements:

  • Domain Admin privileges
  • Administrator privileges: run the script from an elevated PowerShell session so that the commands which change the DSRM password can be applied.
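The following PowerShell is an added example of the procedure the script automates: one unique random password per domain controller, reset on each DC, results exported to CSV. It is not the author’s DSRM Password Manager and is not taken from the page. It assumes the ActiveDirectory module and a Domain Admin session, and it relies on an assumption not stated on the page: a dedicated, unprivileged domain user (named svc-dsrm-sync here as a placeholder) exists in each domain; its password is set to the generated value and then copied into the DC’s local DSRM account with ntdsutil’s documented "sync from domain account" command, which avoids ntdsutil’s interactive password prompt. Function and parameter names are mine.

```powershell
# Added example (not the page's GUI script). Requires the ActiveDirectory module
# and a Domain Admin session. 'svc-dsrm-sync' is a placeholder account name.
Import-Module ActiveDirectory

function New-DsrmPassword {
    # Returns a random 16-, 18- or 20-character password from a CSPRNG with at least
    # one upper-case letter, lower-case letter, digit and symbol.
    param([ValidateSet(16, 18, 20)][int]$Length = 20)
    # Ambiguous glyphs (O/0, I/l/1) are left out so the value can be typed at a console.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Count)   # rejection bound: avoids modulo bias
    do {
        $chars = for ($i = 0; $i -lt $Length; $i++) {
            $b = New-Object byte[] 1
            do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
            $alphabet[$b[0] % $alphabet.Count]
        }
        $candidate = -join $chars
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and
             $candidate -match '[0-9]' -and $candidate -match '[^A-Za-z0-9]')
    return $candidate
}

function Set-DsrmPasswordOnDC {
    # Generates a password, writes it to the sync account on this DC, then lets
    # ntdsutil copy it into the DC's DSRM administrator account.
    param(
        [Parameter(Mandatory)]$DomainController,      # object from Get-ADDomainController
        [ValidateSet(16, 18, 20)][int]$Length = 20,
        [string]$SyncAccount = 'svc-dsrm-sync'       # assumption: one such user per domain
    )
    $plain  = New-DsrmPassword -Length $Length
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    # Target this very DC so the sync does not wait on replication.
    Set-ADAccountPassword -Identity $SyncAccount -NewPassword $secure -Reset `
        -Server $DomainController.HostName

    $output = Invoke-Command -ComputerName $DomainController.HostName -ScriptBlock {
        param($account)
        ntdsutil.exe "set dsrm password" "sync from domain account $account" q q 2>&1 | Out-String
    } -ArgumentList $SyncAccount

    [pscustomobject]@{
        Domain    = $DomainController.Domain
        HostName  = $DomainController.HostName
        IPAddress = $DomainController.IPv4Address
        Password  = $plain
        # ntdsutil prints a success line on completion; adjust the pattern to the
        # wording your build shows (assumption).
        Success   = ($output -match 'successfully')
        Output    = $output.Trim()
    }
}

function Update-AllDsrmPasswords {
    # Runs the reset across every DC in the forest, or only the DCs named in
    # -ComputerName (FQDNs), and exports domain, hostname, IP and password to CSV.
    param(
        [ValidateSet(16, 18, 20)][int]$Length = 20,
        [string]$CsvPath = ".\DSRM-Passwords-$(Get-Date -Format yyyyMMdd-HHmm).csv",
        [string[]]$ComputerName
    )
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }
    if ($ComputerName) { $dcs = $dcs | Where-Object { $ComputerName -contains $_.HostName } }
    $results = foreach ($dc in $dcs) { Set-DsrmPasswordOnDC -DomainController $dc -Length $Length }
    $results | Export-Csv -Path $CsvPath -NoTypeInformation
    # Passwords are kept in the CSV only; the console shows the per-DC outcome.
    $results | Select-Object Domain, HostName, IPAddress, Success
}

# Example run, restricted to one DC first:
# Update-AllDsrmPasswords -Length 20 -ComputerName 'dc01.corp.example' -CsvPath 'C:\Secure\dsrm.csv'
```

Run it against a single DC first and confirm the Success column before covering the forest. The CSV holds clear-text recovery passwords, so write it to a location readable only by the AD recovery team.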

DSRM Password Manager GUI interface. If you want to try the script I wrote, you can get it on GitHub.

If you found this PowerShell script helpful, feel free to share it with your team and check out my blog for more quick tips and insights!

How to Change Active Directory OU Ownership

AD OU Owner Manager is a user-friendly tool that allows you to view and securely change Organizational Unit (OU) ownerships in your Active Directory environment. This tool provides a solution especially for those who want to standardize OU ownerships with Domain Admins or other administrator groups.

Core Features

OU Owner Report Section:

  • Automatically scan all current OU ownership information with the Generate OU Owner Report button
  • All information is automatically exported to a CSV file for later review and documentation purposes

Change OU Owner Section:

  • Select Domain Admins or another administrator group (any group whose name contains “admin”) from the dropdown menu
  • Assign the selected group as the owner of all OUs using the Change Owner with Selected Group button
  • View change results in the right panel after the operation
  • All changes are automatically recorded in a CSV file for change management and audit purposes

Why You Should Use This Tool

  • Easy to Use: Manage OU ownerships through a simple GUI interface
  • Bulk Operations: Change ownership of all OUs with a single click
  • Audit Compliance: Provide evidence for security audits with automatically generated CSV reports
  • Time Saving: Reduce hours of manual work to minutes
  • Error Prevention: Eliminate human errors that can occur during manual ownership changes

Usage Steps

  • Document Current State:

Launch the AD OU Owner Manager PowerShell script in ISE, click “Generate OU Owner Report”, and save the generated CSV report as evidence of the pre-change state.

  • Change Ownerships:

Select the “Domain Admins” group (or your preferred administrator group) from the dropdown menu and click “Change Owner with Selected Group”. When the process completes, review the results on screen and save the automatically generated post-change CSV report.

  • Verify Results:

Review the post-change report to ensure all OUs were correctly updated. If there are any errors, manual corrections can be made using the previous CSV report.
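The three steps above (report, change, verify) as an added PowerShell example. This is not the author’s AD OU Owner Manager and is not taken from the page; it assumes the ActiveDirectory module (for the AD: drive and the cmdlets) and an account allowed to take ownership of OUs, which Domain Admins hold by default. Function and parameter names are mine.

```powershell
# Added example (not the page's GUI script). Requires the ActiveDirectory module
# and Domain Admin rights.
Import-Module ActiveDirectory

function Get-OUOwnerReport {
    # Step 1: list the current owner of every OU and optionally export it to CSV.
    param([string]$CsvPath)
    # nTSecurityDescriptor holds the owner; it is not returned unless requested.
    $report = Get-ADOrganizationalUnit -Filter * -Properties nTSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                Name              = $_.Name
                DistinguishedName = $_.DistinguishedName
                Owner             = $_.nTSecurityDescriptor.Owner
            }
        }
    if ($CsvPath) { $report | Export-Csv -Path $CsvPath -NoTypeInformation }
    $report
}

function Get-AdminGroupChoices {
    # Mirrors the dropdown: every group whose name contains "admin".
    Get-ADGroup -Filter 'Name -like "*admin*"' | Select-Object -ExpandProperty Name | Sort-Object
}

function Set-OUOwner {
    # Step 2: make the chosen group the owner of every OU and record each change.
    # Supports -WhatIf so the run can be previewed before anything is written.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$CsvPath
    )
    $group    = Get-ADGroup -Identity $GroupName
    $netbios  = (Get-ADDomain).NetBIOSName
    $newOwner = [System.Security.Principal.NTAccount]"$netbios\$($group.SamAccountName)"

    $changes = foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties nTSecurityDescriptor) {
        $before = $ou.nTSecurityDescriptor.Owner
        if ($before -eq $newOwner.Value) {
            $status = 'Unchanged'
        } elseif ($PSCmdlet.ShouldProcess($ou.DistinguishedName, "Set owner to $newOwner")) {
            try {
                $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
                $acl.SetOwner($newOwner)
                Set-Acl -Path "AD:\$($ou.DistinguishedName)" -AclObject $acl
                $status = 'Changed'
            } catch {
                $status = "Error: $($_.Exception.Message)"
            }
        } else {
            $status = 'Skipped'
        }
        [pscustomobject]@{
            DistinguishedName = $ou.DistinguishedName
            PreviousOwner     = $before
            NewOwner          = $newOwner.Value
            Status            = $status
            Timestamp         = (Get-Date).ToString('s')
        }
    }
    if ($CsvPath) { $changes | Export-Csv -Path $CsvPath -NoTypeInformation }
    $changes
}

function Test-OUOwner {
    # Step 3: verify that every OU is now owned by the expected group; returns the
    # OUs that still differ (empty output means the change is complete).
    param([Parameter(Mandatory)][string]$ExpectedOwner)   # e.g. 'CORP\Domain Admins'
    Get-OUOwnerReport | Where-Object { $_.Owner -ne $ExpectedOwner }
}

# Example run: pre-change report, preview, apply, then verify.
# Get-OUOwnerReport -CsvPath .\ou-owners-before.csv
# Set-OUOwner -GroupName 'Domain Admins' -WhatIf
# Set-OUOwner -GroupName 'Domain Admins' -CsvPath .\ou-owners-after.csv
# Test-OUOwner -ExpectedOwner "$((Get-ADDomain).NetBIOSName)\Domain Admins"
```

The pre-change CSV is what you fall back on if a row in the post-change report shows an error: its PreviousOwner column gives the value to restore by hand. Running Set-OUOwner with -WhatIf first prints each OU that would change without touching the directory.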

Security Benefits

Using this tool to transfer OU ownerships to the Domain Admins group provides these advantages:

  • Standardized Permissions: Consistent ownership and permission structure for all OUs
  • Reduced Attack Surface: Elimination of security risks from scattered permission structures
  • Simplified Management: Easier tracking of changes through centralized management
  • Audit Readiness: Easy demonstration that OU ownerships are correctly configured during security audits

Use the tool periodically (e.g., quarterly) to check OU ownerships.

GUI interfaces. If you want to try the script I wrote, you can get it on GitHub.

If you found this PowerShell script helpful, feel free to share it with your team and check out my blog for more quick tips and insights!