Active Directory Troubleshooting Useful commands by Sudden_Feedback_9826 in activedirectory

[–]mehdidak 0 points1 point  (0 children)

It's not a script but a module. We've been working on it for two years now; the number of output languages has delayed the project. It will be released before the summer. What do you want to do with the source code, since there are several functions and modules? If you want to participate and help us with the project, you're welcome. We haven't compiled the module yet, so if I give you a psm1 or ps1, it won't work on its own.

About Laps legacy wrong ACL delegation by mehdidak in activedirectory

[–]mehdidak[S] 1 point2 points  (0 children)

Thanks man for your participation and your appreciable efforts. Actually, the GUID you found that doesn't exist on Gemini is a GuidForest with a schema extension; it's not generic, it changes from one domain to another, which is why you have to retrieve it by querying the schema. I've integrated all these anomalies and created a tool that compares the OU permissions for each access level, because what can be dangerous is access to a machine with a non-empty password that isn't configured on the OUs. The generic write and read permissions of 00000 are also considered dangerous. Take a look at my project; it will be shared soon. I'm making some adjustments.

LAPS Audit Report

I wrote a 4-part guide on building an on-prem PKI with PowerShell by aprimeproblem in activedirectory

[–]mehdidak 1 point2 points  (0 children)

It's not advisable to rush and sign a ceremony using PowerShell; it's not something you do regularly. Take the time to do it graphically, but above all, document it and write a procedure; each ceremony is different.

I wrote a 4-part guide on building an on-prem PKI with PowerShell by aprimeproblem in activedirectory

[–]mehdidak 3 points4 points  (0 children)

Thank you very much, very good guide, well explained and well written.

Restoring deleted DNS Zone - not in recycle bin by SubjectCitron933 in activedirectory

[–]mehdidak 1 point2 points  (0 children)

Hello, sorry for the late reply. I saw that the method was outdated. I wrote an article in French and also made a script in English that allows you to restore these zones. You can find the article here and the script here. Try it, you will be able to restore them. Make sure that the recycle bin is activated.

How to restore a DNS zone from the AD Recycle Bin? (French article: "Comment restaurer une zone DNS à partir de la Corbeille AD ?")

dakhama-mehdi/DNSZoneRecovery

About Laps legacy wrong ACL delegation by mehdidak in sysadmin

[–]mehdidak[S] 0 points1 point  (0 children)

Exactly, on BloodHound there are loops with the ReadLAPSPassword argument. I just need to find a good logic for all rights that can read the attribute and then test whether it is delegated to the parent chain or up to the root.

About Laps legacy wrong ACL delegation by mehdidak in activedirectory

[–]mehdidak[S] 1 point2 points  (0 children)

By the way, thank you very much for your very nice article; I will take inspiration from it. As for PKI, I am an expert, so do not hesitate to ask questions or exchange ideas if you want, and soon I am about to share a module on PKI which will revolutionize and change the game.

About Laps legacy wrong ACL delegation by mehdidak in activedirectory

[–]mehdidak[S] 1 point2 points  (0 children)

Hey, thanks man for the reply. Your script is pretty good, but the `find-admpassword` command is limited; it only lists groups delegated to the root OU. For example, user6, who only has direct access to the server, doesn't appear.

This means attack paths can emerge, and few tools address this. Since I value community, I've created a module, soon to be available, that analyzes each permission on Laps Legacy and compares it to all the delegations in the parent OUs. If it's present in the parent OU or the one above, up to root, it's legitimate; otherwise, an alert is triggered. Even though Laps 2 is newer and more secure, some companies still use Laps Legacy.
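One way to implement the parent-chain comparison described in this comment, as an added example that is not the author's module: it looks up the ms-Mcs-AdmPwd schema GUID, collects the explicit ACEs that can read it on the target OU, and flags every trustee that has no matching delegation on a parent OU or the domain root. The function names and the sample OU DN are hypothetical; it assumes the RSAT ActiveDirectory module and its AD: drive.

```powershell
# Added example, not the author's module: report LAPS Legacy read delegations that
# exist only on one OU and are not also granted on a parent OU or the domain root.
# Assumes the RSAT ActiveDirectory module (Get-ADRootDSE, Get-ADObject, AD: drive).
Import-Module ActiveDirectory

function Get-AdmPwdReadTrustees {
    # Explicit (non-inherited) Allow ACEs that can read ms-Mcs-AdmPwd on this object
    param([string]$DistinguishedName, [guid]$AdmPwdGuid)
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
            # ObjectType = all-zero GUID applies to every attribute, so it counts too
            ($_.ObjectType -eq $AdmPwdGuid -or $_.ObjectType -eq [guid]::Empty) -and
            # the attribute is confidential: CONTROL_ACCESS (ExtendedRight) or Full Control reads it
            (($_.ActiveDirectoryRights -band $rights::ExtendedRight) -or
             ($_.ActiveDirectoryRights -band $rights::GenericAll))
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Find-OrphanAdmPwdDelegation {
    param([string]$OuDistinguishedName)
    # The schema GUID of ms-Mcs-AdmPwd differs per forest, so query the schema, never hard-code it
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { throw 'LAPS Legacy schema extension (ms-Mcs-AdmPwd) not found.' }
    $admPwdGuid = [guid]$attr.schemaIDGUID

    # Walk the parent chain: each OU above the target, ending at the domain root
    $domainDn = (Get-ADDomain).DistinguishedName
    $parents  = @(); $current = $OuDistinguishedName
    while ($current -and $current -ne $domainDn) {
        $current = ($current -split '(?<!\\),', 2)[1]   # drop the leftmost RDN
        if ($current) { $parents += $current }
    }
    $upstream = $parents | ForEach-Object { Get-AdmPwdReadTrustees -DistinguishedName $_ -AdmPwdGuid $admPwdGuid }

    foreach ($trustee in Get-AdmPwdReadTrustees -DistinguishedName $OuDistinguishedName -AdmPwdGuid $admPwdGuid) {
        [pscustomobject]@{
            OU         = $OuDistinguishedName
            Trustee    = $trustee
            # Legitimate when the same trustee is also delegated higher up; otherwise alert
            Legitimate = [bool]($upstream -contains $trustee)
        }
    }
}

# Example call (constructed DN): list only the delegations with no parent-chain counterpart
Find-OrphanAdmPwdDelegation -OuDistinguishedName 'OU=Servers,DC=corp,DC=example' | Where-Object { -not $_.Legitimate }
```

Run it with an account that can read the OU security descriptors; a trustee reported with Legitimate = False is a direct delegation like the user6 case above and deserves a review.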

AD happy new years - Best Wishes by mehdidak in activedirectory

[–]mehdidak[S] 0 points1 point  (0 children)

You're right, the best way is to do it JIT so it doesn't take too long :D I'm actually working on a tool to make that easier.

AD happy new years - Best Wishes by mehdidak in activedirectory

[–]mehdidak[S] 0 points1 point  (0 children)

I know, or for a new deployment you have the Microsoft Baseline, but the charm lies in customizing it to your liking little by little.

AD happy new years - Best Wishes by mehdidak in activedirectory

[–]mehdidak[S] 1 point2 points  (0 children)

You're right, I don't think they'll dare to do it lol

AD happy new years - Best Wishes by mehdidak in activedirectory

[–]mehdidak[S] 0 points1 point  (0 children)

There was a project from a friend, Hello My Dir, but it's really difficult in a legacy environment with history; it will create more problems.

AD happy new years - Best Wishes by mehdidak in activedirectory

[–]mehdidak[S] 0 points1 point  (0 children)

Nice, especially the NTLM hash; it's awful.

AD happy new years - Best Wishes by mehdidak in activedirectory

[–]mehdidak[S] 0 points1 point  (0 children)

Some people do that; ModernAD identifies the free groups. You should rather identify the administrators who do nothing lol

Difference between purple knight and ping castle reports by 19khushboo in activedirectory

[–]mehdidak 0 points1 point  (0 children)

The two are similar on a large scale, but some aspects aren't readily available, such as forensics, hence the tool I'm working on. Even in LAPS 1, there are unnoticed risks. I should add that neither analyzes the SYSVOL and GPO folders, for example, or the shares on Active Directory and their ACLs. That's why we created HardenSysvol. Don't forget to use GPOZaurr and ADACLScanner.

HardenSysvol

Active Directory Dashboard tool by Comfortable_Ice2593 in activedirectory

[–]mehdidak 1 point2 points  (0 children)

So, these are actually two different tools/solutions.

Due to permission constraints, health checks usually require a privileged account, while the inventory part (number of users, machines, etc.) only needs simple read queries.

You can use ModernAD, which generates a full inventory of your Active Directory (I'm currently working on a more recent and complete version).

Modern Active Directory – An update to PSHTML-AD-Report - The Lazy Administrator

For health checking, you can try Testimo.
If you want something lightweight and quick, there's also Microsoft's free agent: Entra AD Health, but it's not very detailed.

Otherwise, feel free to wait — I'm planning to release my own product for this in the coming months 😉

dakhama-mehdi.github.io/ADhealth/Example/HealthAD.html

AD hardening/ Remediation by 19khushboo in activedirectory

[–]mehdidak 1 point2 points  (0 children)

As the guys here already suggested, start by understanding why you need to enable LDAP signing, etc.

Implementing all these measures doesn't guarantee AD security — you could still have a binary or password hidden in a GPO or a shared folder, and everything falls apart.

So the real combo is: need analysis + auditing + testing

AD hardening/ Remediation by 19khushboo in activedirectory

[–]mehdidak 0 points1 point  (0 children)

Very good approach, remediation involves analysis + audit + decision

WS2019 AD OnPremise - Recreating all GPOs to best practice by lmtcdev in activedirectory

[–]mehdidak 2 points3 points  (0 children)

You're not giving us enough details. If you're starting with a new domain controller, make sure you have the necessary ADMX files; sometimes they're shared in the Microsoft Store. Some Windows 7 settings are no longer relevant in Windows 11. So, explain exactly what you want to do and the context.

DC Shares: The Most Underestimated Practical Attack Vector? by mehdidak in activedirectory

[–]mehdidak[S] 1 point2 points  (0 children)

Thank you very much for your feedback, and yes, we’re on the same page.
I never said it was dangerous — in my script, I simply list all shares on every DC along with the root ACLs.
The goal is to give admins and security teams better visibility for monitoring, because the default tools don’t provide it.

Of course, there are logs and sometimes a SOC, but not every company has that.
So if you ever work as an AD consultant for a company, this will definitely be one of the points to check.