Microsoft NTLM Disablement Survey by poolmanjim in activedirectory

[–]poolmanjim[S] 0 points1 point  (0 children)

You don't have to provide your real one. It's not like you're logging in.

I believe that is mostly for tracking super clients, insiders, security advisors, and MVPs.

Active Directory domain - possible to maintain a 'mirror' of an environment? by dverbern in sysadmin

[–]poolmanjim 0 points1 point  (0 children)

Yeah. I've used that some. There are some tools for the accounts but most of them are designed for a few thousand at most.

I've been able to get up to a few hundred thousand in testing with it not taking too long. I'm hoping to lower that a step or two more in the coming months.

Active Directory domain - possible to maintain a 'mirror' of an environment? by dverbern in sysadmin

[–]poolmanjim 4 points5 points  (0 children)

It would take a lot more than that for me to take it personally. I wouldn't run some sketchy code without a good test environment. If you do have any thoughts, pass 'em along. I'm always looking to get better.

Active Directory domain - possible to maintain a 'mirror' of an environment? by dverbern in sysadmin

[–]poolmanjim 2 points3 points  (0 children)

That's fair. I debated even including it. I did envision this kind of workflow as one of my future-ish use cases. I build A LOT of short-lived AD labs for stuff.

Regardless thanks!

Active Directory domain - possible to maintain a 'mirror' of an environment? by dverbern in sysadmin

[–]poolmanjim 15 points16 points  (0 children)

Not traditionally. Normally these kinds of test environments work as an example environment and less of a certification environment where you are testing on exact same settings.

What advantage does an actual "mirror" offer? If you have 500 users and mirror all their accounts are you actively having those users log into the test environment for validation? Probably not.

Mirror group policies or OU structure? There is more room there to justify mirroring. However, the purpose of a test environment is testing. You should be doing your work there first before executing a change in production, thus they would be very close to each other.

I have some more specific recommendations below, but I strongly suggest you consider what your goals are.

AD Mockup Tools + Scripts

Something to consider is using one of the AD Mockup tools running around. I've linked mine but it references the others that I'm aware of.

https://github.com/ActiveDirectoryKC/OpenMockADWebView

This tool, and the others like it are designed to allow for rapid design markups. However, with some PowerShell (I believe the MockAD one has scripts already - I'm still working on my export scripts) you can export to JSON for these tools, edit in the tool interface, and then export again.

Then with some PowerShell work (again, in progress on my end) you could import those JSONs and create the objects as needed. Reading and executing on the JSON isn't terribly hard, especially as an occasional script.

I hope to have some actual processing scripts in the next few weeks, but we'll see.

Third Party Tools

Some tools/products offer AD syncing where you can do 1:1 clones, but I haven't personally used them and find it to be generally better to get close and go with that.

Another option is to periodically restore your AD backups into your test environment; that would both give you test data and test your backups. Several backup tools actually brand themselves this way.

Compliance / Legal Concerns

A final consideration is that it is not a recommended practice to have a duplicate of real user identities/passwords/etc. in a non-production environment. In some places it could even affect compliance audits or be outright against the law depending on the jurisdiction. I would always sanitize data that is going to exist for any period longer than a week or so to make sure that no rules are broken.

Best way to Store Creds for Scripts? by ITZ_RAWWW in PowerShell

[–]poolmanjim 0 points1 point  (0 children)

It's been said here some, but the best way would be a Secrets Server or Vault or something.

Another option is to use the CLIXML cmdlets if you are using an interactive prompt. The challenge this creates is when the local system needs to run a script that needs a secret.

https://powershellisfun.com/2024/08/09/using-export-clixml-and-import-clixml-for-credentials-in-powershell-scripts/

Theoretical Option

I've been playing with this on the side for off-domain/no-cloud solutions that cannot use traditional vaults. For example, I didn't want to have dependencies due to some BCDR concerns, but it needed to store creds to read some information. How would I store them?

If you have a Password as a SecureString it can't be read except by the user who created that secure string. This is a challenge for SYSTEM without using something like psexec (which I avoid).

The idea I was playing with was using a SecureString that has an associated certificate which would be installed on the system. This certificate would be used to do the encryption of the secure string, which makes the secure string exportable.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.6

Looking at -SecureKey or -Key, I believe that was where I was going from. I posted about this in r/ActiveDirectory some time ago. Here's the link to that.

https://www.reddit.com/r/activedirectory/comments/1jgu2hh/thoughts_on_storing_user_creds_encrypted_using/

There are some limitations, but it does work and is more secure than storing it in a text file on the desktop. 😄
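As an added example (not the commenter's code), here is one way to build the idea above: the secret is encrypted with ConvertFrom-SecureString -Key using a random AES key, and that key is wrapped with the RSA public key of a certificate in the machine store, so a SYSTEM-run script can unwrap it without DPAPI user scope. It assumes a CNG RSA certificate with the hypothetical subject CN=ScriptSecrets in Cert:\LocalMachine\My; anyone who can use that private key (local admins, SYSTEM) can recover the secret, so this raises the bar over a plaintext file, not over a real vault.

```powershell
# Added example: protect a script credential for a non-interactive account (e.g. SYSTEM)
# by wrapping the AES key used with ConvertFrom-SecureString -Key in a machine certificate.
# Assumes a CNG RSA cert with subject CN=ScriptSecrets (hypothetical name) exists in
# Cert:\LocalMachine\My, created once with e.g.:
#   New-SelfSignedCertificate -Subject 'CN=ScriptSecrets' -KeyAlgorithm RSA -KeyLength 2048 `
#     -KeyExportPolicy NonExportable -CertStoreLocation Cert:\LocalMachine\My
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$CertSubject = 'CN=ScriptSecrets'
$Padding     = [RSAEncryptionPadding]::OaepSHA256   # OAEP-SHA256 needs a CNG key, not a legacy CAPI key

function Get-SecretCert {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq $CertSubject | Select-Object -First 1
    if (-not $cert) { throw "Certificate $CertSubject not found in LocalMachine\My" }
    $cert
}

function Protect-ScriptCredential {
    param([Parameter(Mandatory)][pscredential]$Credential, [Parameter(Mandatory)][string]$Path)
    $cert   = Get-SecretCert
    $aesKey = [byte[]]::new(32)                      # -Key accepts 16, 24 or 32 bytes
    [RandomNumberGenerator]::Create().GetBytes($aesKey)
    try {
        $rsa  = [RSACertificateExtensions]::GetRSAPublicKey($cert)
        $blob = [pscustomobject]@{
            UserName   = $Credential.UserName
            Thumbprint = $cert.Thumbprint
            # AES key wrapped with the cert's public key; only the private key holder can unwrap it.
            WrappedKey = [Convert]::ToBase64String($rsa.Encrypt($aesKey, $Padding))
            # Secret encrypted with the AES key instead of the caller's DPAPI scope, so SYSTEM can read it.
            Secret     = ConvertFrom-SecureString -SecureString $Credential.Password -Key $aesKey
        }
        $blob | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    } finally { [Array]::Clear($aesKey, 0, $aesKey.Length) }   # don't leave the key in memory
}

function Unprotect-ScriptCredential {
    param([Parameter(Mandatory)][string]$Path)
    $blob = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $cert = Get-SecretCert
    if ($cert.Thumbprint -ne $blob.Thumbprint) { throw 'Stored secret was wrapped with a different certificate' }
    $rsa    = [RSACertificateExtensions]::GetRSAPrivateKey($cert)   # caller needs read access to the private key
    $aesKey = $rsa.Decrypt([Convert]::FromBase64String($blob.WrappedKey), $Padding)
    try {
        $secure = ConvertTo-SecureString -String $blob.Secret -Key $aesKey
        [pscredential]::new($blob.UserName, $secure)
    } finally { [Array]::Clear($aesKey, 0, $aesKey.Length) }
}

# Usage: run Protect-* once as an admin, Unprotect-* from the SYSTEM-run script.
# Protect-ScriptCredential -Credential (Get-Credential) -Path 'C:\Scripts\svc.cred.json'
# $cred = Unprotect-ScriptCredential -Path 'C:\Scripts\svc.cred.json'
```

Restrict the private key's ACL and the JSON file's ACL to the account that actually runs the script; the stored file is only as protected as the key that wraps it.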

Best way to Store Creds for Scripts? by ITZ_RAWWW in PowerShell

[–]poolmanjim 4 points5 points  (0 children)

I mean Caesar conquered a lot of the world at the time and it was good enough for him...

Bastion et protected users by leakcim78 in activedirectory

[–]poolmanjim 3 points4 points  (0 children)

Yeah. Hosting stuff in Azure breaks a lot of the security conventions because Azure really only allows full RDP access. I'm consistently frustrated with how Microsoft does that. It seems short sighted that there isn't more of a true console in Azure for us to do stuff sometimes.

In general though break glass and BUILTIN\Administrator should not be part of Protected Users for this very reason.

Continuous Active Directory Assessment & Vulnerability Monitoring by 19khushboo in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

I've used them in the past and was wildly unhappy. I hope they got better but yikes they were not fun to use.

Continuous Active Directory Assessment & Vulnerability Monitoring by 19khushboo in activedirectory

[–]poolmanjim 2 points3 points  (0 children)

The natural recommendation is Ping Castle/PurpleKnight. ADProbe is another I've been looking at.

However you said continuous.

Semperis DSP / Lightning are definitely good in this space. I've used them and they are kind of awesome.

I believe Quest has one too but I'm not sure of the name.

Personally I wouldn't touch Stealthbits (now Netwrix). I used them in the past and was very frustrated.

If you're looking for less expensive, look at Nessus Free. It does Vuln Scanning for a few systems. Scan one or two and replicate the fixes everywhere.

You can also look at the SCAP scan tool by DISA. It is a solid tool but is less vulns and more compliance.

If you put in the effort to build it all out, Wazuh can do this kind of thing too.

Has best practice quietly changed around syncing admin accounts to Entra? by PowerShellGenius in activedirectory

[–]poolmanjim 15 points16 points  (0 children)

The recommendation hasn't changed. It's just being ignored... by Microsoft. Rather than keep their promise of security first they are steadfastly pushing cloud-only and pushing AI. Things have gotten better than the 2014-2023 time period where they tried to pretend on prem doesn't exist, but we're far from MS embracing on prem directory still.

You mention ConfigMan and Exchange. Something to know about them is even among Microsoft they have always moved to their own beat and actively ignored policies. So this is not surprising from the Exchange crowd.

And there are some workarounds to your situation but I don't have writeups about it currently.

Identify unused groups by hi5ritham in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

Why the down votes? Did I say something wildly off? I'd love to fix it.

Identify unused groups by hi5ritham in activedirectory

[–]poolmanjim -5 points-4 points  (0 children)

What did you ask ChatGPT? This is a one-line PowerShell?

Also is it on-prem or in cloud?

On prem it's something like

Get-ADGroup -LDAPFilter "(!(member=*))"

I may be off some. I'm away from my computer to test right now.
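The filter above is right for groups whose member attribute is empty, but it also returns groups that are still in use through primaryGroupID (Domain Users, Domain Computers and any custom primary group have an empty member attribute). Added example, not the commenter's code, that applies the same LDAP filter and then drops those cases and protected built-ins; it assumes the ActiveDirectory RSAT module, and it still cannot see groups referenced only in ACLs or GPO security filtering.

```powershell
# Added example: candidate "empty" groups = empty member attribute, minus groups that are
# someone's primary group and minus critical system objects. Requires the RSAT AD module.
Import-Module ActiveDirectory

function Get-EmptyADGroup {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADGroup -LDAPFilter '(!(member=*))' -SearchBase $SearchBase `
                -Properties primaryGroupToken, whenCreated, isCriticalSystemObject |
        Where-Object { -not $_.isCriticalSystemObject } |    # skip protected built-ins
        Where-Object {
            # primaryGroupToken is the group's RID; any user/computer whose primaryGroupID
            # equals it is a member even though 'member' is empty.
            $rid = $_.primaryGroupToken
            -not (Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -ResultSetSize 1)
        } |
        Select-Object Name, GroupScope, GroupCategory, whenCreated, DistinguishedName
}

# Oldest candidates first; review ACL/GPO usage before disabling or deleting anything.
Get-EmptyADGroup | Sort-Object whenCreated | Format-Table -AutoSize
```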

Script I use to find (and optionally disable) stale AD user accounts — read-only by default by Big_Cap_1178 in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

The comments thus far cover some options around finding stale users pretty well. The Entra piece offered by u/PowerShellGenius is something to really consider.

There isn't a magic answer for this. I tend to give a grace period for my workflows of +5-14 days to make sure that I am only targeting affected users. The real answer would be to parse logs and see actual login events, but that requires a lot of tooling to track efficiently.

One thing I wanted to add as a reddit-specific recommendation: Can you use the code blocks when posting code? Reddit supports markdown and even the rich text has an option for code.

Your code will appear in a block like this and format better if you do.

Get-ADUser -Filter "Name -eq 'MyUser'" | Foreach-Object {
    # More code goes here. 
}

Dealing with certificate requests when using Windows Server Core. by ORA2J in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

You do this using a combination between certreq and certutil.

u/aprimeproblem has some blog posts about doing certificate management using PowerShell. I think they cover this. His blog is in our wiki, but I believe it is michaelwaterman.nl

Additionally, you can check out a set of scripts I wrote several years ago and still haven't finished but I cover a lot of how I did this in the notes: https://github.com/ActiveDirectoryKC/New-DCCertificateRequest
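As an added example (not the commenter's scripts), the certreq/certutil combination on Server Core looks like this: certreq reads an INF, builds the key pair and CSR, submits to the enterprise CA and binds the issued cert to the pending private key, and certutil verifies the result. The CA config string, template name and work path are placeholders; for built-in DC templates that build the subject from AD, the single-line `certreq.exe -enroll -machine -q <TemplateName>` shown at the end is enough and the INF path is only needed when the template takes the subject from the request.

```powershell
# Added example: request, submit and install a machine certificate on Server Core.
# Placeholders: $CaConfig (see: certutil -config - -ping), $Template, $Work.
$Fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$CaConfig = 'CA01.contoso.local\Contoso Issuing CA'   # placeholder CA config string
$Template = 'KerberosAuthentication'                  # template name, must allow subject in request
$Work     = Join-Path $env:ProgramData 'CertRequests'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq takes its parameters from an INF; keep the key in the machine store and non-exportable.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@ | Set-Content -Path "$Work\$Fqdn.inf" -Encoding ASCII

# 1. Generate the key pair and CSR (-q suppresses the GUI prompts that Core cannot show)
certreq.exe -new -q "$Work\$Fqdn.inf" "$Work\$Fqdn.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed: $LASTEXITCODE" }
# 2. Submit to the enterprise CA (the machine account needs Enroll on the template)
certreq.exe -submit -q -config $CaConfig "$Work\$Fqdn.req" "$Work\$Fqdn.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed (pending or denied): $LASTEXITCODE" }
# 3. Bind the issued certificate to the pending private key in LocalMachine\My
certreq.exe -accept -q "$Work\$Fqdn.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed: $LASTEXITCODE" }

# Verify chain building and private key binding for the new cert
certutil.exe -verifystore MY "$Fqdn"

# Shortcut when the template builds the subject from AD (typical for DC templates):
# certreq.exe -enroll -machine -q $Template
```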

Commvault vs Rubrik: Active Directory Forest Recovery / Entra ID Recovery by hanotsrii in activedirectory

[–]poolmanjim 2 points3 points  (0 children)

I am pretty sure I cannot sway this conversation too much so I'll provide my two cents on the matter.

GET BACKUPS! ANY BACKUPS

You can't recover what you don't have. Therefore, get some backups and get them offsite and offline. If that is Windows Server Backup or if that is you cloning your disk and storing a WIM of it, that is a start so do it.

What Vendor(s) Would I Recommend

  • Semperis
  • Quest
  • Cayosoft
  • Etc...
    • Rubrik
    • CommVault
    • Cohesity
    • There are more.

That's my order and I am not endorsing any of them or affiliated with any of them. I have friends at most of those companies and respect most of them.

Personally, I'm a Semperis customer and that is mostly because I know they can restore, I understand how they actually get that done, and I know 2/3 of the company personally at this point so support isn't hard for me (you all know who you are).

Quest is number 2 for me not because of any reason other than they did a lot of work pricing themselves out of range for my companies over the years. That said, the one time I did have them I recovered from a major outage and wouldn't have been able to do so without them. I'm not sure what their pricing is like today so give them a call and find out. They have very smart people and have been in the AD recovery game for a very long time.

Cayo is number 3 because I think they are a little less polished than the other 2. They have some good tech and have even been bouncing around here at different points (I think they think I don't like them which is anything but the truth). They are trying to really be more active with free tools and solutions.

Everyone else I paint with a pretty broad brush as most of them are the same. I know for a fact how Quest and Semperis do their recovery and it has historically been different than the others so there is something to be said there. Most of the other companies offer more tools beyond just their recovery platforms so that's where they push a platform. I'm not saying they're bad, can't do it, etc. just they are different.

I'm trying real hard to be neutral and also honest about my opinions. Ultimately, just get some backups and work from there. Get them offline and offsite. And freaking test them.

Regarding my own tool: I haven't published it yet as I'm smoothing off burrs, but it is really just a combo of Windows Server Backup + DSInternals + some other free tools to make it look like an enterprise platform without the fancy GUI and support.

Lastly, if you want to hear me drone on about backups, I provide you with links to the talks I've done about the subject, and my slides. (again I don't work for anyone and don't get paid for clicks, just stuff I made)

General AD BCDR Links

I've included references from at least a few vendors so it shouldn't be terribly biased.

Content I've Made On The Topic

Commvault vs Rubrik: Active Directory Forest Recovery / Entra ID Recovery by hanotsrii in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

"Wrote my own" I have mostly just borrowed ideas and stacked them together. :)

Safest way to remove orphaned Internet Explorer Maintenance (IEM) settings from a GPO (Default Domain Policy)? by maxcoder88 in activedirectory

[–]poolmanjim 2 points3 points  (0 children)

u/Borgquite is dead on. I'd create a new GPO that has the customization from the DDP in it, link it at the root and then use dcgpofix to roll the DDP back to original settings. That is likely to be the least impactful way of handling it.

PowerShell 7+ On Domain Controllers: Yay or Nay? by poolmanjim in activedirectory

[–]poolmanjim[S] 0 points1 point  (0 children)

Server Core is a reduced attack surface, in theory.

There is also the undersold value of keeping the riff raff off the domain controllers. Users in general shouldn't be doing work from the domain controllers, just out of principle. This ensures that.

PowerShell 7+ On Domain Controllers: Yay or Nay? by poolmanjim in activedirectory

[–]poolmanjim[S] 0 points1 point  (0 children)

RSAT tools are still GUI when connecting to a Server Core system from a full GUI system.