Active Directory Forensics

Here is a selection of scripts I find useful when interrogating all aspects of Active Directory.

You must have the ActiveDirectory PowerShell module loaded to run these commands. The simplest way is to run them on a domain controller; the module is also available on an administrative workstation through the RSAT tools, which avoids opening interactive sessions on the DC itself.

Information Gathering

Querying Users

Command:       $week = (Get-Date).AddDays(-7)
               Get-ADUser -Filter * -Properties whenCreated | Where-Object { $_.whenCreated -ge $week } | Select-Object Name, whenCreated | Sort-Object Name
What it does:  Get users created in the last week, sorted by name. $week must be set first; it is the start of the window.
Category:      USERS

Command:       Get-ADUser -Filter * -Properties PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object Name | Sort-Object Name
What it does:  Get users whose password is set to "Never Expire", sorted by name. Search-ADAccount -PasswordNeverExpires -UsersOnly returns the same accounts.
Category:      USERS

Command:       Get-ADUser -Filter 'Enabled -eq $false' | Select-Object Name, UserPrincipalName | Sort-Object Name
What it does:  Get disabled accounts with their display name and UPN, sorted by name.
Category:      USERS

Command:       Search-ADAccount -AccountDisabled -UsersOnly | Format-Table Name, ObjectClass -AutoSize
What it does:  Get disabled user accounts via Search-ADAccount (same result as above, unsorted).
Category:      USERS

Command:       Search-ADAccount -LockedOut | Format-Table Name, LastLogonDate, LockedOut, ObjectClass, PasswordExpired, PasswordNeverExpires
What it does:  Find locked-out accounts.
Category:      USERS

Command:       Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly | Sort-Object Name | Format-Table Name, ObjectClass -AutoSize
What it does:  Find user accounts not used for the last 90 days. This is based on the replicated lastLogonTimestamp attribute, which can lag real activity by up to 14 days.
Category:      USERS

Command:       Get-ADUser -Filter * -Properties mail | Select-Object @{N='Account';E={$_.Name}}, @{N='Name';E={$_.GivenName}}, @{N='LastName';E={$_.Surname}}, @{N='Mail';E={$_.mail}}, @{N='AccountEnabled';E={$_.Enabled}}, @{N='MemberOf';E={(Get-ADPrincipalGroupMembership $_).Name -join ', '}} | Sort-Object Account | Format-Table -AutoSize
What it does:  Get every user's direct group membership, sorted and formatted as a table. Replace Format-Table with Export-Csv to write a CSV file. One Get-ADPrincipalGroupMembership call is made per user, so this is slow on large domains, and nested membership is not expanded.
Category:      USERS

Command:       Get-ADUser -Filter * -Properties LastLogonDate | Where-Object { $null -eq $_.LastLogonDate } | Select-Object Name, SamAccountName
What it does:  Find users who have never logged on. LastLogonDate is the module's conversion of lastLogonTimestamp, so a first logon within the last 14 days may not be reflected yet.
Category:      USERS
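The checks in the table above are one query each. For triage it is usually quicker to pull the relevant attributes once and evaluate every check in a single pass, so that the never-logged-on, stale, password-never-expires and recently-created findings line up per account. The following is an added example, not code from the original page; it assumes the ActiveDirectory module is loaded, queries the current domain, and $OutFile, $NewSince and $StaleDays are illustrative values to change as required.

```powershell
# Added example: one pass over all user objects applying the checks from the
# table above, exported to CSV for triage. Assumes the ActiveDirectory module
# is loaded; $OutFile is a hypothetical path.
$OutFile   = 'C:\Temp\AD-UserTriage.csv'
$Now       = Get-Date
$NewSince  = $Now.AddDays(-7)    # "created recently" window (assumed)
$StaleDays = 90                  # "not used" threshold in days (assumed)

# Ask only for the attributes needed; -Properties * is slow on large domains.
$props = 'whenCreated','Enabled','PasswordNeverExpires','PasswordLastSet',
         'LastLogonTimestamp','LockedOut','PasswordExpired','AccountExpirationDate'

$report = Get-ADUser -Filter * -Properties $props | ForEach-Object {
    # LastLogonTimestamp is replicated (unlike LastLogon) but may lag by up to
    # 14 days; a null value means the account has never logged on anywhere.
    $lastLogon = if ($_.LastLogonTimestamp) {
        [DateTime]::FromFileTime($_.LastLogonTimestamp)
    } else { $null }

    [PSCustomObject]@{
        SamAccountName       = $_.SamAccountName
        Enabled              = $_.Enabled
        Created              = $_.whenCreated
        CreatedLastWeek      = ($_.whenCreated -ge $NewSince)
        NeverLoggedOn        = ($null -eq $lastLogon)
        LastLogonTimestamp   = $lastLogon
        StaleOver90Days      = (($null -ne $lastLogon) -and ($lastLogon -lt $Now.AddDays(-$StaleDays)))
        PasswordNeverExpires = $_.PasswordNeverExpires
        PasswordLastSet      = $_.PasswordLastSet
        PasswordExpired      = $_.PasswordExpired
        LockedOut            = $_.LockedOut
        AccountExpires       = $_.AccountExpirationDate
    }
}

$report | Sort-Object SamAccountName | Export-Csv -Path $OutFile -NoTypeInformation

# On-screen summary of the findings that usually matter first: enabled
# accounts whose password never expires, and enabled accounts that are
# stale or have never been used at all.
$report | Where-Object { $_.Enabled -and $_.PasswordNeverExpires } |
    Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize
$report | Where-Object { $_.Enabled -and ($_.NeverLoggedOn -or $_.StaleOver90Days) } |
    Select-Object SamAccountName, Created, LastLogonTimestamp | Format-Table -AutoSize
```

Keeping the raw timestamps in the CSV alongside the boolean flags matters for forensic work: the flags are derived from the 14-day-stale lastLogonTimestamp, so a reviewer can see exactly what the verdict was based on.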

Querying Groups

Command:       Get-ADGroup -Filter * | Select-Object Name, GroupCategory | Format-Table -AutoSize
What it does:  List all the groups in Active Directory with their category (Security or Distribution).
Category:      GROUPS

Command:       Get-ADGroupMember -Identity 'Administrators' -Recursive | Select-Object Name
What it does:  List all members of the Administrators group, with nested groups expanded (edit the group name accordingly). -Recursive stops with an error if the group contains members from a trusted domain (foreign security principals).
Category:      GROUPS

Command:       Get-ADPrincipalGroupMembership -Identity Turbogeek | Sort-Object Name | Format-Table Name, SamAccountName -AutoSize
What it does:  Find which groups a user is a direct member of (edit the username accordingly). Membership inherited through nested groups is not shown.
Category:      GROUPS

Command:       Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object { Get-ADUser -Identity $_.DistinguishedName } | Where-Object { -not $_.Enabled } | Select-Object DistinguishedName, Enabled
What it does:  Find disabled users in the Domain Admins group (edit the group name accordingly). The objectClass filter stops Get-ADUser failing on computer or managed service account members.
Category:      GROUPS
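Get-ADGroupMember -Recursive flattens nesting, so the output does not show which nested group put an account into Domain Admins, and it fails outright on groups that contain foreign security principals. The following is an added example, not code from the original page, that walks the Member attribute directly instead: it records the nesting chain, reports non-user members (computers, gMSAs, foreign principals) rather than skipping them, and flags disabled or never-used users. It assumes the ActiveDirectory module is loaded; $Groups is an illustrative list to edit for your estate.

```powershell
# Added example: audit privileged group membership by expanding nested groups
# from the Member attribute. $Groups is an assumed list; edit as required.
$Groups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators'

function Expand-GroupMembers {
    param(
        [string]$GroupDN,
        [string]$Path,              # nesting chain for the report, e.g. "Domain Admins > Ops"
        [hashtable]$Seen = @{}      # guards against circular nesting
    )
    if ($Seen.ContainsKey($GroupDN)) { return }
    $Seen[$GroupDN] = $true

    $group = Get-ADGroup -Identity $GroupDN -Properties Member
    foreach ($dn in $group.Member) {
        try {
            # Get-ADObject works for any class, so foreignSecurityPrincipal and
            # msDS-GroupManagedServiceAccount members are reported, not skipped.
            $obj = Get-ADObject -Identity $dn -Properties objectClass
        } catch {
            # DNs from other domains in the forest cannot be resolved against
            # the local DC without -Server; record them instead of crashing.
            [PSCustomObject]@{ Group=$Path; Member=$dn; Class='unresolved'; Enabled=$null; LastLogon=$null; PwdLastSet=$null }
            continue
        }
        switch ($obj.ObjectClass) {
            'group' {
                Expand-GroupMembers -GroupDN $dn -Path "$Path > $($obj.Name)" -Seen $Seen
            }
            'user' {
                $u = Get-ADUser -Identity $dn -Properties Enabled, LastLogonTimestamp, PasswordLastSet
                [PSCustomObject]@{
                    Group      = $Path
                    Member     = $u.SamAccountName
                    Class      = 'user'
                    Enabled    = $u.Enabled
                    LastLogon  = if ($u.LastLogonTimestamp) { [DateTime]::FromFileTime($u.LastLogonTimestamp) } else { $null }
                    PwdLastSet = $u.PasswordLastSet
                }
            }
            default {
                [PSCustomObject]@{ Group=$Path; Member=$obj.Name; Class=$obj.ObjectClass; Enabled=$null; LastLogon=$null; PwdLastSet=$null }
            }
        }
    }
}

$audit = foreach ($g in $Groups) {
    $dn = (Get-ADGroup -Identity $g).DistinguishedName
    Expand-GroupMembers -GroupDN $dn -Path $g
}

# Full listing, then the usual first finding: disabled or never-used accounts
# that still hold privileged membership. The Group column shows how they got there.
$audit | Sort-Object Group, Member | Format-Table -AutoSize
$audit | Where-Object { $_.Class -eq 'user' -and ((-not $_.Enabled) -or ($null -eq $_.LastLogon)) } |
    Format-Table Group, Member, Enabled, LastLogon -AutoSize
```

The $Seen hashtable is shared across the recursive calls (hashtables are reference types), which is what prevents a loop when two groups are members of each other.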

Querying Active Directory Infrastructure

Command:       Get-ADDomainController -Filter * | Format-Table Name, Domain, Forest, Site, IPv4Address, OperatingSystem
What it does:  Find the domain controllers on your estate.
Category:      DC

Command:       Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } | Select-Object Name, IPv4Address, IsGlobalCatalog, OperatingSystem | Format-Table -AutoSize
What it does:  Find the global catalog servers in the domain.
Category:      DC

Command:       Get-ADDomainController -Filter { IsReadOnly -eq $true }
What it does:  Find read-only domain controllers, if any exist in your infrastructure.
Category:      DC

Command:       Get-ADComputer -Filter 'Name -like "SERVER1*"' -Properties CanonicalName, CN, Created, IPv4Address, ObjectClass, OperatingSystem, OperatingSystemServicePack | Format-Table -AutoSize
What it does:  Find domain computers whose name starts with "SERVER1" and display useful details in a table.
Category:      DC

Command:       Get-ADForest | Select-Object -ExpandProperty ForestMode
What it does:  Get the AD forest functional level.
Category:      DC

Command:       Get-ADDomain | Select-Object -ExpandProperty DomainMode
What it does:  Get the AD domain functional level.
Category:      DC

Command:       Get-ADReplicationConnection -Filter { AutoGenerated -eq $true }
What it does:  Get the replication connection objects the KCC generated automatically. Use -Filter * to include manually created connections as well.
Category:      DC

Command:       $datecutoff = (Get-Date).AddDays(-90)
               Get-ADComputer -Filter { LastLogonTimestamp -lt $datecutoff } -Properties LastLogonTimestamp | Select-Object Name, @{N='LastLogonTimestamp'; E={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}
What it does:  Set $datecutoff to the age you care about and this lists computers whose last logon is older than that. Setting $datecutoff to Get-Date alone matches every computer that has the attribute. lastLogonTimestamp is replicated but only refreshed when it is more than about 14 days old, so treat it as approximate.
Category:      DC

Editing Active Directory

**USE WITH CAUTION**

Command:       Disable-ADAccount -Identity Turbogeek
What it does:  Disable the account Turbogeek.
Category:      USERS

Command:       Enable-ADAccount -Identity Turbogeek
What it does:  Enable the account Turbogeek.
Category:      USERS

Command:       Set-ADAccountExpiration -Identity Turbogeek -DateTime (Get-Date '2018-01-07')
What it does:  Set the account Turbogeek to expire on 7 January 2018. An ISO date avoids the day/month ambiguity of "07/01/2018", which is read as 1 July on a US locale.
Category:      USERS

Command:       Clear-ADAccountExpiration -Identity Turbogeek
What it does:  Clear the account expiry date.
Category:      USERS

Command:       Set-ADAccountPassword -Identity Turbogeek -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Passw0rd123!' -Force)
What it does:  Reset the user's password (requires the Reset Password right on the account). -NewPassword must be a SecureString; wrapping a literal as above still leaves the password in your command history, so when working interactively prefer -NewPassword (Read-Host -AsSecureString 'New password').
Category:      USERS

Command:       Unlock-ADAccount -Identity Turbogeek
What it does:  Unlock the Turbogeek account.
Category:      USERS

Command:       New-ADGroup -Name 'Test Users' -SamAccountName TestUser -GroupCategory Security -GroupScope Global -DisplayName 'Test Users' -Path 'OU=Groups,OU=Resources,DC=TEST,DC=UK' -Description 'All Test Users'
What it does:  Create a global security group called Test Users in the OU Groups > Resources (edit as appropriate).
Category:      GROUPS

Command:       Set-ADGroup -Identity 'Test Users' -GroupCategory Distribution -GroupScope Universal -ManagedBy 'TurboGeek'
What it does:  Change the group Test Users into a universal distribution group managed by me (edit as appropriate). A distribution group is not security-enabled, so converting a security group removes any access it granted; a global group also cannot become universal while it is a member of another global group.
Category:      GROUPS

Command:       Search-ADAccount -LockedOut | Unlock-ADAccount -PassThru -Confirm
What it does:  Unlock all locked user accounts in AD, prompting for each one (crude but effective). A wave of lockouts is often the only visible trace of a password spray, so record the lockout events (ID 4740 on the PDC emulator) before clearing them.
Category:      USERS
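Unlocking everything that Search-ADAccount -LockedOut returns throws away the evidence of why the accounts locked. Every lockout in the domain is recorded on the PDC emulator as event ID 4740, which names the account and the computer the bad logons came from. The following is an added example, not code from the original page, that collects those events first, summarises them by source host and by account, and only then unlocks the accounts that were examined, in -WhatIf mode until you remove the switch. It assumes the Security log on the PDC emulator is readable by the caller and that 4740 stores the source host in its TargetDomainName field; $Hours is an illustrative value.

```powershell
# Added example: lockout triage before bulk unlock. Assumes read access to the
# PDC emulator's Security log; $Hours is an assumed look-back window.
$Hours = 24
$pdc   = (Get-ADDomain).PDCEmulator

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Read the named EventData fields rather than relying on positional indexes.
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [PSCustomObject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']   # host the failed logons came from (assumed field)
        Sid            = $data['TargetSid']
    }
}

# Where are the lockouts coming from, and which accounts are hit repeatedly?
# Many accounts from one caller computer looks like a spray; one account
# locked repeatedly from one host is usually a stale stored credential.
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$lockouts | Group-Object Account | Where-Object Count -gt 1 |
    Select-Object Count, Name | Format-Table -AutoSize

# Keep the raw records; $lockouts | Export-Csv is the minimum before unlocking.
# Unlock only the accounts that have been looked at. Drop -WhatIf to act.
Search-ADAccount -LockedOut -UsersOnly |
    Where-Object { $_.SamAccountName -in $lockouts.Account } |
    Unlock-ADAccount -WhatIf
```

Querying the PDC emulator rather than the DC you are logged on to is the point: other DCs only see the lockouts they processed, while the PDC emulator is notified of all of them.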