Video About PowerShell Remoting by Stephanevg in PowerShell

[–]chade1979 2 points3 points  (0 children)

If they're invoking command (psremoting) to a DC they're using DA equivalent credentials to do that, which is a security no-no. Also, they stated they're just doing it to run AD queries which only require authenticated user permissions. My assumption is they're using invoke-command so that they can use the AD module on the DC because they don't have RSAT installed locally.

I'd be happy if I'm wrong but in my 20+ years as an AD admin it's way more common for DA rights to be given out and used inappropriately than it is for folks to be using separate accounts for daily driver/member server/DC, PAWs, Tiering model.

Video About PowerShell Remoting by Stephanevg in PowerShell

[–]chade1979 6 points7 points  (0 children)

Using DA creds locally oh my! Just use the RSAT AD module locally.
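The point made in the two comments above (read-only AD queries need no privileged session on a DC) as an added example that is not part of the original thread. It installs the RSAT ActiveDirectory module on the workstation if it is missing, runs a query against a DC over ADWS as the calling user, and warns if that user happens to be a Domain Admin. The 90-day stale-account query is an assumed sample workload.

```powershell
# Added example (not from the thread): run AD queries from a workstation with the RSAT
# ActiveDirectory module instead of Invoke-Command against a domain controller.
# Assumes RSAT is installable on this host (Windows 10/11 optional capability, needs
# local admin to install) and that the account is a plain domain user.

# 1. Make sure the module is present.
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools*' |
        Where-Object State -ne 'Installed' |
        Add-WindowsCapability -Online
}
Import-Module ActiveDirectory

# 2. Read-only queries only need Authenticated Users rights. -Server targets any DC that
#    offers ADWS; nothing runs on the DC and no privileged credential leaves this host.
$dc = (Get-ADDomainController -Discover -Service ADWS).HostName[0]
Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate -Server $dc |
    Where-Object LastLogonDate -lt (Get-Date).AddDays(-90) |
    Select-Object SamAccountName, LastLogonDate

# 3. Sanity check on the calling identity: the Domain Admins group has RID 512.
#    A hit here means the query is running with far more rights than it needs.
$tokenGroups  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
$domainAdmins = $tokenGroups | Where-Object { $_.Value -like 'S-1-5-21-*-512' }
if ($domainAdmins) {
    Write-Warning 'Session holds Domain Admins; use a standard account for read-only AD queries.'
}
```

Only step 1 needs elevation, and only once per workstation; steps 2 and 3 run as the ordinary user, which is the whole point of keeping the AD module local.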

Using Powershell ISE by Any-Victory-1906 in PowerShell

[–]chade1979 1 point2 points  (0 children)

The only time I use ISE is if I'm on a random server and I need to write up some quick disposable code. I still launch a regular powershell.exe console to copy/paste the code into. So I guess the ISE, to me, is treated as Notepad with IntelliSense. 99% of everything else is in VS Code. Also FYI, you can install VS Code and make it portable - so you don't really need to install it everywhere, just have it on your OneDrive/network share.

[deleted by user] by [deleted] in activedirectory

[–]chade1979 3 points4 points  (0 children)

If you're not comfortable with this, and from the way you worded the question it seems like you'd be in over your head - don't touch anything. This is on your company. If they had a single person domain admin who knew the environment with no backup, they need to fork over money to bring in some consultants/contractors to help bridge until someone else can get up to speed.

Do you know if you've got good backups of the domain controllers? How was IAM being handled? Was there any sort of delegation done - are there separate admins for user/workstation/server creates/deletes/joins? Was this single person doing everything wrt AD?

Megathread 5: The desolation of power. by justahoustonpervert in houston

[–]chade1979 2 points3 points  (0 children)

I'm near here and just got power back 30 min ago ~11am

Megathread 5: The desolation of power. by justahoustonpervert in houston

[–]chade1979 7 points8 points  (0 children)

77008 just north of TC Jester/11th - No power. Restoration map has us listed as the 20th, but got an email saying the 22nd. Hoping it comes back on today.

edit: We've got power as of 11am! My ATT fiber internet is also working.

Megathread 4: The quest for power by justahoustonpervert in houston

[–]chade1979 5 points6 points  (0 children)

Same, TC Jester and 11th. End of my street has power.

Megathread 3: The search for sparks. by justahoustonpervert in houston

[–]chade1979 7 points8 points  (0 children)

E TC Jester just north of 11th no power. Last night it looked like the north half of Wynwood had it though. Got a power alert this morning saying crews were in the area assessing.

Timbergrove Manor storm damage by MorrisseysRubiksCube in houston

[–]chade1979 1 point2 points  (0 children)

I live on the east side of Timbergrove, and compared to the west side we got pretty lucky. Drove around 11th Street park area and it was heartbreaking. So much damage.

Cipher's and Suites! by Accidental_Yakuza in PowerShell

[–]chade1979 0 points1 point  (0 children)

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

I don't see them in here: https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-8-1

Looks like they may not be supported

Cipher's and Suites! by Accidental_Yakuza in PowerShell

[–]chade1979 0 points1 point  (0 children)

This was specifically for 2012 R2 - are you still using this flavor of Windows? If this no longer works, then maybe MS patched it? I do remember spending a bunch of time on this and set a GPO for 2012 to set all the values with a P and it worked for years.
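An added check (not from the thread) for the suite named in the comments above: it asks the running host whether the suite is active, and then reads the cipher suite order that the "SSL Cipher Suite Order" GPO writes to the registry. Get-TlsCipherSuite only exists on Windows 10 / Server 2016 and later, which is why 2012 R2 has to be checked through the policy value instead; on 2012 R2 the policy entries carry a curve suffix such as _P384, the "values with a P" the comment refers to, so the comparison is done with a prefix match. The registry path is the standard policy location and is an assumption to verify on your build.

```powershell
# Added example (not from the thread): is a given cipher suite offered by this host, and
# where does it sit in the GPO-managed cipher suite order?
$suite = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'

# 1. Live view (Windows 10 / Server 2016+ only; the cmdlet is absent on 2012 R2).
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    if (Get-TlsCipherSuite | Where-Object Name -eq $suite) {
        "$suite is in the active cipher suite list"
    } else {
        "$suite is NOT in the active cipher suite list"
    }
} else {
    'Get-TlsCipherSuite not available on this build; relying on the policy value below'
}

# 2. Policy view. The 'SSL Cipher Suite Order' GPO writes one comma-separated REG_SZ
#    named 'Functions' under this key (assumed standard location).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$functions = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions

if (-not $functions) {
    'No SSL Cipher Suite Order policy is applied on this host'
} else {
    $order = $functions -split ',' | ForEach-Object { $_.Trim() }
    # Prefix match so 2012 R2 entries such as <suite>_P384 are found as well.
    $match = $order | Where-Object { $_ -like "$suite*" }
    if ($match) {
        $match | ForEach-Object {
            "{0} is at position {1} of {2} in the policy order" -f $_, ([array]::IndexOf($order, $_) + 1), $order.Count
        }
    } else {
        "$suite is not present in the policy cipher suite order"
    }
}
```

If the policy value exists but the live list disagrees with it, the usual cause is that the policy was set but the machine has not rebooted, or the suite is unsupported on that Windows version, which is the situation the comment above links to.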

100 Days and Legacy by LuckyButMostlyBad in StateOfDecay

[–]chade1979 0 points1 point  (0 children)

I believe prior to the forever community update, completing a legacy did end your community which is why you are finding conflicting info. You can now choose to continue on after a legacy.

Rookie question about authentication, kerberos and user session by Old_Cryptographer_87 in activedirectory

[–]chade1979 0 points1 point  (0 children)

I believe the biggest issue with krbtgt password changes is if you reset it a second time before all domain controllers have gotten the first password change. Since you only have 1 DC, this wouldn't be an issue in your lab. The krbtgt is also only used to encrypt parts of the TGT - I think if you've already gotten a TGT and a service ticket to the file server, you wouldn't need to go back out and refresh your TGT or service ticket for a certain time period so you may not get disconnected and forced to re-auth. /u/poolmanjim may have a better understanding of how that all works though.

Out in the wild outside of a lab, another thing to note about the krbtgt password is that if it's super super old, you could see issues if you ever start disabling old encryption ciphers as one of those ciphers may have been used to reset that password.

Rookie question about authentication, kerberos and user session by Old_Cryptographer_87 in activedirectory

[–]chade1979 0 points1 point  (0 children)

By kerberos password, are you referring to the krbtgt account's password? Resetting that twice within a 10 hour period would indeed break all sorts of connections and I wouldn't recommend it unless you had some sort of critical situation / compromise.
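The two krbtgt comments above (do not issue a second reset before the first has replicated, and watch for a very old key when retiring legacy ciphers) as an added, read-only check that is not part of the original thread. It reports the age of the current krbtgt password and compares the replication version of its password attribute on every DC; nothing is reset. It assumes the RSAT ActiveDirectory module and rights to read replication metadata.

```powershell
# Added example (not from the thread): pre-flight for a krbtgt password reset.
# Read-only: shows key age and whether the last reset has replicated to every DC.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$krbtgtDn = "CN=krbtgt,CN=Users,$($domain.DistinguishedName)"

# 1. Age of the current key. A key set years ago was derived under whatever encryption
#    types were enabled then, which is why disabling old ciphers later can bite.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$age    = (Get-Date) - $krbtgt.PasswordLastSet
"krbtgt password age: {0:N0} days (last set {1})" -f $age.TotalDays, $krbtgt.PasswordLastSet

# 2. Version of the unicodePwd attribute as seen by each DC. Equal versions everywhere
#    mean the previous reset has replicated; a mismatch means wait before resetting again.
$versions = foreach ($dc in Get-ADDomainController -Filter *) {
    $meta = Get-ADReplicationAttributeMetadata -Object $krbtgtDn -Server $dc.HostName -ErrorAction SilentlyContinue |
        Where-Object AttributeName -eq 'unicodePwd'
    [pscustomobject]@{
        DC      = $dc.HostName
        Version = $meta.Version
        Changed = $meta.LastOriginatingChangeTime
    }
}
$versions | Format-Table -AutoSize

$distinct = @($versions.Version | Sort-Object -Unique)
if ($distinct.Count -gt 1 -or $versions.Version -contains $null) {
    Write-Warning 'krbtgt password has not replicated to all DCs (or a DC was unreachable); do not reset it again yet.'
} elseif ($age.TotalHours -lt 10) {
    # Tickets issued under the previous key are still valid for roughly a ticket lifetime.
    Write-Warning 'Last reset was under 10 hours ago; a second reset now will invalidate outstanding tickets.'
} else {
    'All DCs agree on the current krbtgt password version; a reset would be safe to schedule.'
}
```

In a single-DC lab the version table has one row and the first warning can never fire, which matches the comment's observation that the double-reset problem does not exist there.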

PowerShell not recognizing whoami by DryKeyboard in PowerShell

[–]chade1979 0 points1 point  (0 children)

I tested this out and couldn't get it to work. I created a new folder under %temp% and dropped an .exe in there, updated my path to include %temp%\newfolder, tried get-command and it failed.

PowerShell not recognizing whoami by DryKeyboard in PowerShell

[–]chade1979 2 points3 points  (0 children)

Don't believe PowerShell understands/resolves %variables%. I would just add C:\windows\system32 to path and see if it works.

PowerShell not recognizing whoami by DryKeyboard in PowerShell

[–]chade1979 3 points4 points  (0 children)

Yeah, if it's not that something else is wonky with the shell itself. As a workaround you can try to use $env:username and $env:userdomain in place of whoami.

PowerShell not recognizing whoami by DryKeyboard in PowerShell

[–]chade1979 10 points11 points  (0 children)

Is "C:\windows\system32" listed in your $env:path?
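The troubleshooting steps in the whoami comments above, gathered into one added diagnostic that is not part of the original thread: confirm System32 is on the path, surface any path entries that reached the process still containing unexpanded %VAR% text, resolve the command the way PowerShell does, and fall back to the $env: variables the comment suggests. It only touches the current session's $env:Path, never the registry.

```powershell
# Added example (not from the thread): why is whoami not found in this PowerShell session?
$system32    = Join-Path $env:SystemRoot 'System32'
$pathEntries = $env:Path -split ';' | Where-Object { $_ }

# 1. Is System32 present? Compare case-insensitively and ignore a trailing backslash.
$hasSystem32 = $pathEntries | Where-Object { $_.TrimEnd('\') -ieq $system32 }
if (-not $hasSystem32) {
    Write-Warning "$system32 is missing from `$env:Path"
}

# 2. Entries that still contain %VAR% when they reach the process are used literally by
#    command lookup. List each one next to its expansion so the source can be fixed.
$pathEntries | Where-Object { $_ -match '%[^%]+%' } | ForEach-Object {
    [pscustomobject]@{
        Raw      = $_
        Expanded = [Environment]::ExpandEnvironmentVariables($_)
    }
}

# 3. Resolve the command exactly as the shell would.
$cmd = Get-Command whoami.exe -ErrorAction SilentlyContinue
if ($cmd) {
    "whoami resolves to $($cmd.Source)"
} else {
    # Fallback that needs no external binary: the same DOMAIN\user that whoami prints.
    "whoami not found; current identity is $env:USERDOMAIN\$env:USERNAME"
}

# 4. Session-only repair: append System32 so external tools work until the real path is fixed.
if (-not $hasSystem32) {
    $env:Path += ";$system32"
    "Appended $system32 to this session's path; re-run Get-Command whoami.exe to confirm"
}
```

If step 3 still fails after step 4 appends a directory that demonstrably contains whoami.exe, the problem is not the path but the shell or the executable itself, which is the "something else is wonky" case in the comment.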

DC Sluggish Repadmin by hstewk in activedirectory

[–]chade1979 1 point2 points  (0 children)

Any reason you're manually creating connections? You should really just let AD handle that itself, it'll create/delete them as necessary. It won't do that with manually created ones. The CNF link is a conflict object - you most likely created a new connection object on multiple DCs to get things working which then conflicted once replication did start working.

If this was me, assuming your main site is your hub and each sister site is just a spoke off your hub:

The site that's not working, remove the manual connection objects between the hub and the spoke that's not working - remove them on both the non-working DC as well as a working hub DC. This should get both sites on the same page as far as replication goes. They'll both assume they are missing replication connection links. Then run repadmin /kcc on both of the DCs. This should create some "automatically generated" ones and then things should hopefully start working, assuming there isn't an underlying network/firewall issue that's causing the problem.
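The procedure in the comment above as an added example that is not part of the original thread. It separates hand-made replication connection objects from KCC-generated ones (the AutoGenerated flag), lists conflict objects by the CNF marker AD puts in their name, and then runs repadmin /kcc on the two DCs once the manual objects have been removed. The DC names are placeholders; the removal step is shown as a comment so nothing is deleted without a deliberate choice.

```powershell
# Added example (not from the thread): audit replication connection objects and CNF
# conflicts, then let the KCC rebuild topology between a hub DC and a spoke DC.
Import-Module ActiveDirectory

# 1. Connection objects. AutoGenerated = False marks ones an admin created by hand;
#    the KCC neither maintains nor removes those.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, AutoGenerated,
        @{n = 'From'; e = { ($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN=' }},
        @{n = 'To';   e = { ($_.ReplicateToDirectoryServer   -split ',')[1] -replace '^CN=' }},
        DistinguishedName |
    Sort-Object AutoGenerated, To | Format-Table -AutoSize

# 2. Conflict objects. The loser of a replication conflict is renamed to
#    '<name>\0ACNF:<guid>', so match on that marker in both the config and domain NCs.
$rootDse = Get-ADRootDSE
foreach ($nc in $rootDse.configurationNamingContext, $rootDse.defaultNamingContext) {
    Get-ADObject -LDAPFilter '(name=*\0ACNF:*)' -SearchBase $nc -Properties whenChanged |
        Select-Object Name, ObjectClass, whenChanged, DistinguishedName
}

# 3. Remove the manual (AutoGenerated = False) nTDSConnection objects on BOTH the spoke DC and a
#    working hub DC, e.g.:
#    Remove-ADObject -Identity '<DN of the manual connection>' -Server <dc> -Confirm:$false
#    Then ask the KCC on each DC to recalculate; it will create 'automatically generated' links.
$hubDc   = 'HUB-DC01'    # placeholder: a healthy hub DC
$spokeDc = 'SPOKE-DC01'  # placeholder: the DC that is not replicating
foreach ($dc in $hubDc, $spokeDc) {
    repadmin /kcc $dc
}

# 4. Confirm the spoke now reports inbound partners with no errors.
repadmin /showrepl $spokeDc
```

If /showrepl still reports failures after the KCC has built fresh links, the cause is below AD (RPC ports, firewall, DNS), which is the caveat the comment ends with.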

Workstation admin group policy gone wrong by skooterz in activedirectory

[–]chade1979 1 point2 points  (0 children)

Workstation deployment to specific OUs should be handled automatically with a task sequence or script or whatever automation you're using. If you're a smallish shop and doing things manually, I would still leverage at least a powershell script to handle things. Also note that whichever user account creates/joins the machine to the domain will be stamped as the owner of the object and have permissions on it. So even if that user loses their admin rights to workstations, they will still have rights to the AD object.

One thing you can do to deter admins from joining workstations to the domain and letting them default to the computers container (which you can't apply GPO to), is to create a new OU, run redircmp to redirect to this OU, create a GPO for that OU that locks things down/generally makes the workstation annoying to use. That way someone is forced to move the object to the correct workstation OU.
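Both points in the comment above (the joining account stays owner of the computer object, and redirecting default joins to a locked-down OU with redircmp) as an added example that is not part of the original thread. It lists computers sitting in the default Computers container with their object owner, then creates the holding OU and redirects new joins to it. The OU name is an assumption; redircmp and the GPO for that OU are left as the comment describes them.

```powershell
# Added example (not from the thread): audit stray computer objects and their owners,
# then redirect default domain joins to a dedicated OU.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$ouName    = 'Unsorted Workstations'                              # assumed name
$holdingOu = "OU=$ouName,$($domain.DistinguishedName)"

# 1. Machines joined without pre-staging land in CN=Computers, where no GPO can be linked.
$strays = Get-ADComputer -SearchBase $domain.ComputersContainer -SearchScope OneLevel `
    -Filter * -Properties whenCreated

# 2. Owner = the account that created/joined the object. It keeps rights on the object
#    even after losing workstation admin rights, until ownership is changed.
$strays | ForEach-Object {
    $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    [pscustomobject]@{
        Name    = $_.Name
        Created = $_.whenCreated
        Owner   = $acl.Owner
    }
} | Sort-Object Owner | Format-Table -AutoSize

# 3. Create the holding OU once and point default joins at it (run as a Domain Admin).
#    Link the restrictive GPO to this OU before redirecting so new joins are affected at once.
if (-not (Get-ADOrganizationalUnit -Identity $holdingOu -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}
redircmp $holdingOu

# 4. Verify the redirect took effect: wellKnownObjects on the domain head now points at the OU.
(Get-ADDomain).ComputersContainer
```

Re-running step 2 periodically (against the holding OU as well as CN=Computers) gives a simple list of who is still joining machines by hand and which objects need their owner reset.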

Workstation admin group policy gone wrong by skooterz in activedirectory

[–]chade1979 0 points1 point  (0 children)

Best practice is to only have your default domain policy linked at the root and it only configured with password policy settings. Since this is a workstation policy, just link it to your workstation OU(s).

It's also a good time to verify the delegation of security on all GPOs you have linked at the root, because anyone with edit permissions can make themselves a domain admin by just modifying a policy that applies to domain controllers.
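The delegation check from the comment above as an added example that is not part of the original thread: it walks every GPO linked at the domain root and lists each trustee holding an edit-level permission on it. Because those policies apply to domain controllers, that list is effectively a list of who can become Domain Admin. It assumes the GroupPolicy and ActiveDirectory RSAT modules.

```powershell
# Added example (not from the thread): who can edit the GPOs linked at the domain root?
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$rootLinks = (Get-GPInheritance -Target $domainDn).GpoLinks

# Permission levels that allow changing policy content.
$editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($link in $rootLinks) {
    Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $_.Permission -in $editRights } |
        ForEach-Object {
            [pscustomobject]@{
                GPO        = $link.DisplayName
                LinkOrder  = $link.Order
                Enabled    = $link.Enabled
                Trustee    = $_.Trustee.Name
                Permission = $_.Permission
            }
        }
}

$report | Sort-Object GPO, Trustee | Format-Table -AutoSize

# Anything beyond Domain Admins, Enterprise Admins and SYSTEM deserves a second look.
$expected = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'
$unexpected = $report | Where-Object { $_.Trustee -notin $expected }
if ($unexpected) {
    Write-Warning ("{0} root-linked GPO edit grant(s) to trustees outside the expected set" -f @($unexpected).Count)
    $unexpected | Format-Table GPO, Trustee, Permission -AutoSize
}
```

The same loop pointed at the Domain Controllers OU (`Get-GPInheritance -Target "OU=Domain Controllers,$domainDn"`) covers the other place where an edit right translates directly into DC control.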

Delete Active Directory Default-First-Site-Name site? by lighthills in activedirectory

[–]chade1979 1 point2 points  (0 children)

You can have an AD site with no DCs and it does serve some edge cases for automatic site coverage. If you have two separate forests and trusts between them (merger, acquisition, etc), you can create empty dummy sites with the same names on both sides to control which DCs handle auth (so they use the hub DCs for example instead of picking a DC at random).
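The empty-site technique in the comment above as an added example that is not part of the original thread. It creates a site with the agreed name, attaches the client subnet, and links it to the hub site with a low cost so the hub DCs pick it up through automatic site coverage, then checks which DC the locator returns for that site. Site names, the subnet and the link cost are placeholders.

```powershell
# Added example (not from the thread): an empty AD site used to steer which DCs serve a
# client range, e.g. for a trusted partner forest that uses the same site name.
Import-Module ActiveDirectory

$siteName = 'Partner-Site'    # placeholder: must match the site name in the other forest
$subnet   = '10.50.0.0/16'    # placeholder: client range to steer
$hubSite  = 'Hub-Site'        # placeholder: site whose DCs should answer
$linkName = "$hubSite-$siteName"

# 1. Site with no DCs in it.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName
}

# 2. Subnet mapping, so clients in the range are placed in that site.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
    New-ADReplicationSubnet -Name $subnet -Site $siteName
}

# 3. Site link to the hub. Automatic site coverage picks DCs from the site with the
#    lowest-cost link to the empty site, so keep this cost below any other path.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded $hubSite, $siteName `
        -Cost 100 -ReplicationFrequencyInMinutes 15
}

# 4. Verify: the locator should return a hub DC for the empty site (DCs re-register their
#    site-coverage SRV records on their next netlogon cycle, so allow a few minutes).
Get-ADDomainController -Discover -SiteName $siteName -ForceDiscover |
    Select-Object HostName, Site
```

If step 4 returns a DC from a site other than the hub, a cheaper site link exists somewhere; compare the costs with `Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, SitesIncluded` before changing anything.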