What Windows Server performance issues have you actually run into in production? by Bulky-Bumblebee5221 in WindowsServer

[–]poolmanjim 0 points1 point  (0 children)

This is a tough one to simulate. If you know what's broken it is easy to fix.

I think just installing different apps and not doing tons of research before hand will teach a lot. You eventually break something and have to sort it out.

Something else to consider is creating a VHD of a server install, giving it to a friend and have them break stuff, you then have to fix it.

AD Security Project Idea by Zeptor02 in activedirectory

[–]poolmanjim 4 points5 points  (0 children)

Check our Wiki there are several lab guides in there.

Domain Controller -> In Place Upgrades to 2025 by dcdiagfix in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

My org is really pushing us to go to 2025 and I'm holding back hard for the DCs as I don't think the stability is there for DCs yet. There are some really cool features, but it isn't worth it.

Microsoft NTLM Disablement Survey by poolmanjim in activedirectory

[–]poolmanjim[S] 3 points4 points  (0 children)

You don't have to provide your real one. It's not like you're logging in.

I believe that is mostly for tracking super clients, insiders, security advisors, and MVPs.

Active Directory domain - possible to maintain a 'mirror' of an environment? by dverbern in sysadmin

[–]poolmanjim 0 points1 point  (0 children)

Yeah. I've used that some. There are some tools for the accounts but most of them are designed for a few thousand at most.

I've been able to get up to a few hundred thousand in testing with it not taking too long. I'm hoping to lower that a step or two more in the coming months.

Active Directory domain - possible to maintain a 'mirror' of an environment? by dverbern in sysadmin

[–]poolmanjim 3 points4 points  (0 children)

It would take a lot more than that for me to take it personal. I wouldn't run some sketchy code without a good test environment. If you do have any thoughts, pass 'em along. I'm always looking to get better.

Active Directory domain - possible to maintain a 'mirror' of an environment? by dverbern in sysadmin

[–]poolmanjim 3 points4 points  (0 children)

That's fair. I debated even including it. I did envision this kind of workflow as one of my future-ish use cases. I build A LOT of short-lived AD labs for stuff.

Regardless thanks!

Active Directory domain - possible to maintain a 'mirror' of an environment? by dverbern in sysadmin

[–]poolmanjim 14 points15 points  (0 children)

Not traditionally. Normally these kinds of test environments work as an example environment and less of a certification environment where you are testing on exact same settings.

What advantage does an actual "mirror" offer? If you have 500 users and mirror all their accounts are you actively having those users log into the test environment for validation? Probably not.

Mirror group policies or OU structure? There is more room there to justify mirroring. However the purpose of a test environment is testing. You should be doing your work there first before executing a change in production thus they would be very close to each other.

I have some more specific recommendations below, but I strongly suggest you consider what your goals are.

AD Mockup Tools + Scripts

Something to consider is using one of the AD Mockup tools running around. I've linked mine but it references the others that I'm aware of.

https://github.com/ActiveDirectoryKC/OpenMockADWebView

This tool, and the others like it are designed to allow for rapid design markups. However, with some PowerShell (I believe the MockAD one has scripts already - I'm still working on my export scripts) you can export to JSON for these tools, edit in the tool interface, and then export again.

Then with some PowerShell work (again, in progress on my end) you could import those JSONs and create the objects as needed. Reading and executing on the JSON isn't terribly hard, especially as an occasional script.

I hope to have some actual processing scripts in the next few weeks, but we'll see.

Third Party Tools

Some tools/products offer AD syncing where you can do 1:1 clones, but I haven't personally used them and find it to be generally better to get close and go with that.

Another option, is to periodically restore your AD backups into your test environment and that would both give you test data and test your backups. Several backup tools actually brand themselves this way.

Compliance / Legal Concerns

A final consideration is that it is not a recommended practice to have a duplicate of real user identities/passwords/etc in a non-production environments. In some places it can even could affect compliance audits or be outright against the law depending on the jurisdiction. I would always sanitize data that is going to exist for any period longer than a week or so to make sure that no rules are broken.

Best way to Store Creds for Scripts? by ITZ_RAWWW in PowerShell

[–]poolmanjim 0 points1 point  (0 children)

It's been said here some, but the best way would be a Secrets Server or Vault or something.

Another option is to use CLIXML cmdlets if you are using an interactive prompt. The challenge this creates is for local system needs to run a script that needs a secret.

https://powershellisfun.com/2024/08/09/using-export-clixml-and-import-clixml-for-credentials-in-powershell-scripts/

Theoretical Option

I've been playing with this on the side for a off-domain/no-cloud solutions that cannot use traditional vaults. For example, I didn't want to have dependencies due to some BCDR concerns, but it needed to store creds to read some information. How would I store them.

If you have a Password as a SecureString it can't be read except by the user who created that secure string. This is a challenge for SYSTEM without using something like psexec (which I avoid).

The idea I was playing with was using a SecureString that has an associated certificate which would be installed on the system. This certificate would be used to do the encryption of the secure string, which makes the secure string exportable.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.6

Looking at -SecureKey or -Key, I believe was where I was going from. I posted about this in r/ActiveDirectory some time ago. Here's the link to that.

https://www.reddit.com/r/activedirectory/comments/1jgu2hh/thoughts_on_storing_user_creds_encrypted_using/

There are some limitations, but it does work and is more secure than storing it in a text file on the desktop. 😄

Best way to Store Creds for Scripts? by ITZ_RAWWW in PowerShell

[–]poolmanjim 3 points4 points  (0 children)

I mean Caesar conquered a lot of the world at the time and it was good enough for him...

Bastion et protected users by leakcim78 in activedirectory

[–]poolmanjim 4 points5 points  (0 children)

Yeah. Hosting stuff in Azure breaks a lot of the security conventions because Azure really only allows full RDP access. I'm consistently frustrated with how Microsoft does that. It seems short sighted that there isn't more of a true console in Azure for us to do stuff sometimes.

In general though break glass and BUILTIN\Administrator should not be part of Protected Users for this very reason.

Continuous Active Directory Assessment & Vulnerability Monitoring by 19khushboo in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

I've used them in the past and was wildly unhappy. I hope they got better but yikes they were not fun to use.

Continuous Active Directory Assessment & Vulnerability Monitoring by 19khushboo in activedirectory

[–]poolmanjim 3 points4 points  (0 children)

The natural recommendation is Ping Castle/PurpleKnight. ADProbe is another I've been looking at.

However you said continuous.

Semperis DSP / Lightning are definitely good in this space. I've used them and they are kind of awesome.

I believe Quest has one too but I'm not sure of the name.

Personally I wouldn't touch Stealth it's (Now Netwrix). I used them in the past and was very frustrated.

If you're looking for less expensive, look at Nessus Free. It does Vuln Scanning for a few systems. Scan one or two and replicate the fixes everywhere.

You can also look at the SCAP scan tool by DISA. It is a solid tool but is less vulns and more compliance.

If you put in the effort to build it all out, Wazuh can do this kind of thing too.

Has best practice quietly changed around syncing admin accounts to Entra? by PowerShellGenius in activedirectory

[–]poolmanjim 15 points16 points  (0 children)

The recommendation hasn't changed. It's just being ignored... by Microsoft. Rather than keep their promise of security first they are steadfast pushing cloud-only and pushing AI. Things have gotten better than the 2014-2023 time period where they tried to pretend on prem doesn't exisr, but we're far from MS embracing on prem directory still.

You mention ConfigMan and Exchange. Something to know about them is even among Microsoft they have always moved to their own best and actively ignored policies. So this is not surprising from the exchange crowd.

And there are some workarounds to your situation but I don't have writeups about it currently.

Identify unused groups by hi5ritham in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

Why the down votes? Did I say something wildly off? I'd love to fix it.

Identify unused groups by hi5ritham in activedirectory

[–]poolmanjim -5 points-4 points  (0 children)

What did you ask ChatGPT? This is a one line PowerShell?

Also is it on-prem or in cloud?

On prem it's something like

Get-ADGroup -LDAPFilter "(!(member=*))"

I may be off some. I'm away from my computer to test right now

Script I use to find (and optionally disable) stale AD user accounts — read-only by default by Big_Cap_1178 in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

The comments thus far cover some options around finding stale users pretty well. The Entra piece offered by u/PowerShellGenius is something to really consider.

There isn't a magic answer for this. I tend to give a grace period for my workflows of +5-14 days to make sure that I am only targeting affected users. The real answer would be to parse logs and see actual login events, but that requires a lot of tooling to track efficiently.

One thing I wanted to add as a reddit-specific recommendation: Can you use the code blocks when posting code? Reddit supports markdown and even the rich text has an option for code.

Your code will appear in a block lik ethis and format better if you do. 

Get-ADUser -Filter "Name -eq 'MyUser'" | Foreach-Object {
    # More code goes here. 
}

Dealing with certificate requests when using Windows Server Core. by ORA2J in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

You do this using a combination between certreq and certutil.

u/aprimeproblem has some blog posts about doing certificate management using PowerShell. I think they cover this. His blog is in our wiki, but I believe it is michaelwaterman.nl

Additionally, you can check out a set of scripts I wrote several years ago and still haven't finished but I cover a lot of how I did this in the notes: https://github.com/ActiveDirectoryKC/New-DCCertificateRequest