So I've been in a tech role for a few years now. Went from help desk to infrastructure architect/product owner. I was doing something in AD and saw the "save search" option. Went and played with that a bit and realized you don't have to navigate to the actual OU to see attribute editor. You can just create a saved search and always search a users name or ID to get to what you want.
Anyone have any other tips?
You don't. You fucking don't decentralise control over user access especially if you're a Microsoft shop and don't want to deal with the immense hassle that will be your life if you were to do away with Active Directory all together.
Fuck I hate ads
Hi, former dude who is now a dude. This is just a friendly PSA to let y'all know to NEVER put sensitive information in your Active Directory description fields.
An attacker who has even the lowest level of access in Active Directory can dump all of that information with little effort, it's not safe or secure.
I know most of you will say, "What kind of idiot would ever put a password or social security number in an AD field?!" Well, I'll just say I've seen it more than once during pentests.
Also, don't circumvent your own corporate password policies!
This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.
Hi guys, I hope you are all doing well. I have recently created a active directory hacking lab which includes attacks such as Certificates (ESC1,ESC4,ESC8), IPV6 DNS takeover, SMB relay, LLMNR poisoning, Webclient workstation takeover, DCsync, RBCD, Unconstrained Delegation, AS-REP Roasting, Kerberoasting, Shadow Credentials etc. I have created the lab in nat network and I would like to host the OVAs so anyone can download them and practice in the lab. I also have created the playlist explaining all the attacks (). Does anyone know of any platform where I can simply host the OVAs for free and anyone can download from there ?
The Lab Link:
Happy Hacking!!
So I am tasked with building out a network that follows various compliance regulations, and many of the requirements need some way to manage aspects of the devices that would require some centralized device management system, such as Active Directory. The current network uses AD and has an on-prem domain controller, but we are completely re-doing everything. The caveat here is that my manager is adamant against using Active Directory or Azure. The alternatives he has suggested would help manage user sign on to devices, but do not help with the more technical aspects (like group policy to disable USB ports, etc.).
My manager also wants to move a lot of stuff to AWS, so if there is an AWS service that is like a cloud-based Domain Controller (aside from setting up a Windows Server EC2 instance) that can manage on-prem devices that might be "acceptable" for him.
Any input would be much appreciated!
Summary:
Small company, we wear many hats, looking for an AD Analyzer that doesn’t cost us 16k.
Looking to remediate misconfigurations and maintain drift without hiring additional resources.
Hi there,
Just been asked to create AD solution for 28+ million users. For some reason we have to have all valid users credentials in AD. Only going to be used external for authentication at the moment. I can see on that it should be possible but has anyone worked with this scale of users before? The most I've had on an AD before is about 2,000...
And yes, management says it has to be done this way.
Edit: Licensing on this thing looks like it'll be US$300K for just the External Connectors
Edit 2: Looks like will let me do this for free and still meet the security requirement. HA/Clustering looks interesting tho.
Edit 3: AD-LDS is not free for this use case :0(
Edit 4: Will report back when design and costing is done. Think it will be fine if just used for app authentication but more than 4GB RAM will be needed.
As stated in the title if anyone has any good resources they can link to I would appreciate it.
Disclaimer: I made this. It's free and open source. No ads, just clean, useful data provided in blog.
Here's a small PowerShell command/module I've written. It contains the following reports.
Usage:
Find-Events -Report ADGroupMembershipChanges -DatesRange Last3days -Servers AD1, AD2 | Format-Table -AutoSize
ReportTypes:
Computer changes – Created / Changed – ADComputerCreatedChanged
Computer changes – Detailed – ADComputerChangesDetailed
Computer deleted – ADComputerDeleted
Group changes – ADGroupChanges
Group changes – Detailed – ADGroupChangesDetailed
Group changes – Created / Deleted – ADGroupCreateDelete
Group enumeration – ADGroupEnumeration
Group membership changes – ADGroupMembershipChanges
Group policy changes – ADGroupPolicyChanges
Logs Cleared Other – ADLogsClearedOther
Logs Cleared Security – ADLogsClearedSecurity
User changes – ADUserChanges
User changes detailed – ADUserChangesDetailed
User lockouts – ADUserLockouts
User logon – ADUserLogon
User logon Kerberos – ADUserLogonKerberos
User status changes – ADUserStatus
User unlocks – ADUserUnlocked
DatesRanges are also provided. Basically what that command does it scans DC's for event types you want it to scan. It does that in parallel, it overcomes limitations of Get-WinEvent and generally prettifies output.
The output of that command (wrapped in Dashimo to show the data):
GitHub Sources:
Full article (usage/know-how):
The article describes the functionality of just one command but actually, PSWinReportingV2 is much more than that. There are also things I've not touched in the article but that should be a start. It's able to support any kind of Events from Event logs such as ADConnect, Hyper-V and other types of data. I just didn't have time to explain how to build configs for it and I don't work with Hyper-V or other systems to build them myself. If you know a lot about event logs and what to help to build prettified reports for more than Active Directory reach out.
Hey there, former sysadmin turned pentester here. Recently, in almost every environment, I've been able to privesc from a regular user to Domain Admin using AD CS vulnerabilities.
I definitely recommend running or () to see if you can identify any vulnerabilities in your environment. As far as I know, this stuff won't come up on a Nessus scan. I know when I was a sysadmin I set this up insecurely (has now been fixed). However, AD CS is easy to set up without knowing some of the security implications of the configurations.
The guys over at Spectorops who came out with their paper on attacking AD CS () also have a good talk on "".
Edit: I linked both Certify and Certipy earlier. Certify is a windows application. Certipy is based on python. I prefer certipy. If you want to run certipy it’s pretty easy. One way is to setup a Kali VM. .
Then next through the Kali install. If it pulls dns and up from DHCP you should be good to go. After you’re in, open up a command prompt and type
pip3 install certipy-ad
Then run
certipy find -vulnerable -stdout -u lowprivuser@domain.local -p password
What are you using for monitoring Active Directory?
Was talking to a recruiter, and he said one of his other clients wondered if it was worth listing AD experience because "nobody uses it anymore".
What is this attitude supposed to reflect? The impact of the cloud? The notion that MDM obsolesces group policy?
I wanted to introduce you today to my new PowerShell module. Actually a couple of them, and to remind you a bit about my other PowerShell modules. Hope you like this one. This PowerShell module is able to extract Active Directory data as can be seen below. If you want to find out more:
It covers usage, code explanation, examples, and a few other things. Generally all the know/how (no ads/no pay software). It's free and open source. All of it.
Links to sources:
PSWinDocumentation.AD - - the module that provides all the Active Directory data as one command.
Dashimo - - a module that is able to wrap that data into HTML
Emailimo - - a module that is able to wrap that data into Email and send it over
Documentimo - - a module that is able to wrap that data into WORD document (no word required)
Excelimo - - a module that is able to wrap that data into EXCEL document
Example output
HTML Version:
DocX Version:
Xlsx Version: (minimal)
Small code sample 1:
$Forest = Get-WinADForestInformation -Verbose -PasswordQuality $Forest
Small code sample 2:
$Forest = Get-WinADForestInformation -Verbose -PasswordQuality $Forest.FoundDomains $Forest.FoundDomains.'ad.evotec.xyz'
Small code sample 3:
$Forest = Get-WinADForestInformation -Verbose -PasswordQuality -DontRemoveSupportData -TypesRequired DomainGroups -Splitter "`r`n" $Forest
You can install it using:
Install-Module PSWinDocumentation.AD -Force
ForestInformation
ForestFSMO
ForestGlobalCatalogs
ForestOptionalFeatures
ForestUPNSuffixes
ForestSPNSuffixes
ForestSites
ForestSites1
ForestSites2
ForestSubnets
ForestSubnets1
ForestSubnets2
ForestSiteLinks
ForestDomainControllers
ForestRootDSE
ForestSchemaPropertiesUsers
ForestSchemaPropertiesComputers
DomainRootDSE
DomainRIDs
DomainAuthenticationPolicies
DomainAuthenticationPolicySilos
DomainCentralAccessPolicies
DomainCentralAccessRules
DomainClaimTransformPolicies
DomainClaimTypes
DomainFineGrainedPolicies
DomainFineGrainedPoliciesUsers
DomainFineGrainedPoliciesUsersExtended
DomainGUIDS
DomainDNSSRV
DomainDNSA
DomainInformation
DomainControllers
DomainFSMO
DomainDefaultPasswordPolicy
DomainGroupPolicies
DomainGroupPoliciesDetails
DomainGroupPoliciesACL
DomainOrganizationalUnits
DomainOrganizationalUnitsBasicACL
DomainOrganizationalUnitsExtendedACL
DomainContainers
DomainTrustsClean
DomainTrusts
DomainBitlocker
DomainLAPS
DomainGroupsFullList
DomainGroups
DomainGroupsMembers
DomainGroupsMembersRecursive
DomainGroupsSpecial
DomainGroupsSpecialMembers
DomainGroupsSpecialMembersRecursive
DomainGroupsPriviliged
DomainGroupsPriviligedMembers
DomainGroupsPriviligedMembersRecursive
DomainUsersFullList
DomainUsers
DomainUsersCount
DomainUsersAll
DomainUsersSystemAccounts
DomainUsersNeverExpiring
DomainUsersNeverExpiringInclDisabled
DomainUsersExpiredInclDisabled
DomainUsersExpiredExclDisabled
DomainAdministrators
DomainAdministratorsRecursive
DomainEnterpriseAdministrators
DomainEnterpriseAdministratorsRecursive
DomainComputersFullList
DomainComputersAll
DomainComputersAllCount
DomainComputers
DomainComputersCount
DomainServers
DomainServersCount
DomainComputersUnknown
DomainComputersUnknownCount
DomainPasswordDataUsers
DomainPasswordDataPasswords
DomainPasswordDataPasswordsHashes
DomainPasswordClearTextPassword
DomainPasswordClearTextPasswordEnabled
DomainPasswordClearTextPasswordDisabled
DomainPasswordLMHash
DomainPasswordEmptyPassword
DomainPasswordWeakPassword
DomainPasswordWeakPasswordEnabled
DomainPasswordWeakPasswordDisabled
DomainPasswordWeakPasswordList
DomainPasswordDefaultComputerPassword
DomainPasswordPasswordNotRequired
DomainPasswordPasswordNeverExpires
DomainPasswordAESKeysMissing
DomainPasswordPreAuthNotRequired
DomainPasswordDESEncryptionOnly
DomainPasswordDelegatableAdmins
DomainPasswordDuplicatePasswordGroups
DomainPasswordHashesWeakPassword
DomainPasswordHashesWeakPasswordEnabled
DomainPasswordHashesWeakPasswordDisabled
DomainPasswordStats
And just a small update on my Find-Events command... I've added one more report Organizational Unit Changes (move/add/remove). So the default list now covers:
ADComputerChangesDetailed
ADComputerCreatedChanged
ADComputerDeleted
ADGroupChanges
ADGroupChangesDetailed
ADGroupCreateDelete
ADGroupEnumeration
ADGroupMembershipChanges
ADGroupPolicyChanges
ADLogsClearedOther
ADLogsClearedSecurity
ADUserChanges
ADUserChangesDetailed
ADUserLockouts
ADUserLogon
ADUserLogonKerberos
ADUserStatus
ADUserUnlocked
ADOrganizationalUnitChangesDetailed (added in 2.0.10)
I've also added Credentials parameter which should provide a way for you to use a command from normal user PowerShell prompt. If you have no clue about that command yet - have a read here: otherwise:
Update-Module PSWinReportingV2
Enjoy :-)
The Juicy part: Ubuntu machines can join an Active Directory (AD) domain at installation for central configuration. AD administrators can now manage Ubuntu workstations, which simplifies compliance with company policies.
Ubuntu 21.04 adds the ability to configure system settings from an AD domain controller. Using a Group Policy Client, system administrators can specify security policies on all connected clients, such as password policies and user access control, and Desktop environment settings, such as login screen, background and favourite apps.
Welcome to Tales From Tech Support, the subreddit where we post stories about helping someone with a tech issue.
Was working on an issue for a user; they called in using this program called ResWare. We're going to call this user "Rani".
In ResWare, they export documents and such to MS office. This is pretty standard with pretty much any LOB programs that do reports/finances en masse. Okay, cool, traditional problem. Here we go, boys.
So she calls in telling me that she's having issues with opening documents in office. It was hard enough to understand with a combination of accent and the phone being muffled, but I like a challenge so let's see. I remote in to the machine and see the issue, office is asking for creds when logging in. Okay, so the product is unlicensed. Simple enough.
At this point, I had Rani log in. No good. Wouldn't take creds. Well, there could be a number of reasons for this but I don't feel like digging into them so I just had her try a few more times, same result. Okay, fine. I see how it is. Site uses O365 though, so let's see if they can even log into that.
So I had Rani log into this and it didn't work. Pass or username is no good. Ha. So it's a password problem. But it's never that simple. Here it comes. You can feel it. I felt it as soon as I saw those dreaded red letters.
Me: "All right! So it appears your password is wrong."
Rani: "It couldn't be. It was just working the other day."
Inner Me: "no. Stop. Don't do this to me, Rani. Don't. You're gonna make me get greasy with you."
Me: "I understand it may have been working the other day but sometimes this happens with O365 systems. Passwords expire or, for some random trick of the ether, they just stop working.
Okay, we all know passwords don't just "stop working", but most users don't inquire after that. I wish it would've been that simple.
Me: "Let me check something real quick for you..." *logs into O365 admin* "We may need to reset your password." *sees that account is synced with Active Directory. Victory, so they're using SSO.* "All right! So it seems your password is synced with AD, meaning they should all be the same. Try your computer login please."
Rani: i shouldn't have to do that. The passwords have always been different.
Inner Me: "I'm gonna have to do it to her. I'm REALLY gonna have to do it to her."
Me: "I understand that, but as of right now your account is synced with the server. This means that every password that is like that will be the same. Almost like one, big, easy to use system. Makes life much more streamlined for you."
Rani: "but I never had to do this before."
Me: "Let's try something..." *locks computer* "Login for me, please."
Rani logs in, after saying something about it. I noticed she typed in a stupid long password.
Me: "What password was that? The one you said your email pass was wasn't anywhere nearly as long as that."
Rani: "Yes, because the passwords are different."
The inner me at this point is furious like that character from Inside Out.
Me: "They're linked together, so let's try that." After she logged in, this verified her AD account wasn't locked
Pass didn't work in O365, I'm guaranteeing she half-assed it but whatever. I'm going to beat this issue to death if it kills me. Tried it several more times, no good.
Rani: "I don't know why this is taking so long. A previous tech from last week was able to do it in 2 seconds and it worked. I don't know why this is so difficult."
Inner Me: "Okay, so you're flipping telling me a tech did this LAST WEEK and did it completely wrong, which is why we're in this boat. I wonder who that was."
At this point she was getting that "you don't know what you're doing attitude" and I wasn't about to put up with that because it wouldn't have been good for either of us.
Me: "Okay, you know what..." *goes into O365 admin* "I'm going to reset your password in O365 here... and it'll work. Watch." *reset pass to what she wanted, had her log in and it worked fine* "Now look, here's what's going to happen. This account is going to work for an hour or two, maybe even a couple of days, BUT this system WILL sync back up to AD and your password WILL NOT WORK. All right?"
I suspected at this point she didn't want to talk to me anymore because she wouldn't hang around to test her original issue; not being able to send files from Resware to office because her products were unlicensed.
Rani: "I'll call you back if there are any other issues."
Me: "Mkay, here's your ticket number for if the issue reoccurs."
Then I proceeded to put in the internal notes about this foolish interaction because I'm not falling on that sword and having my own competency called into question. Nice enough lady to talk to, but as stubborn as a brick.
A subreddit for all things related to the administration of Apple devices.
Hi all,
Appreciate this has been done to death but just wanted some further thoughts and advice.
We have 10-15 mac devices on site, some are laptops the majority are iMacs. We need users to be able to sign into them using their AD credentials.
Currently, we would bind them to AD and use the 'Server' app from a mac-mini acting as a server, what with the Server app becoming more and more useless we're wanting to remove it entirely and more than likely just use Intune for policy and restrictions.
We've found historically after the devices being on the domain they get slow, whether this is just the device getting old or not I really don't know but free space is not the issue.
What do we think is best? It looks like using JAMF (NoMAD) is out of the question as they want 25 licenses minimum, so should we just bind them to AD and use Intune? OR is there another way we can get users to sign-in using their AD credentials?
Thanks in advance all.
This will either be one for the record books or something so dumb that I'll have to retire.
Premise: Trying to load a website and run a query. Works fine...until I add a computer to the domain.
All computers on the domain have a problem with this website. I KNOW WHAT YOURE THINKING, but I disabled ALL GPOs and fresh loaded windows/joined domain after, even then, website breaks.
No 3rd party Antivirus of any kind.
One of the more odd things is that the website works for about 5 minutes after being added to domain. After that Kaput.
I am truly baffled. 12+ years IT and 30+ hours on this issue alone. Please, help T.T
Edit. About to crash, I'll try all the new suggestions tomorrow and let everyone know how it goes.
==UPDATE==
I apologize for being ambiguous. I was being careful not to break any compliance. But I was authorized to give out the actual website this morning. The site we are using is
Simple recall lookup tool but we are bound to use THIS one due to customer restrictions. When the "issue" happens you get an error of.
"You have been redirected to this page because NHTSA's VIN search tool may be experiencing intermittent disruption due to routine maintenance, slow manufacturer response or heavy traffic to this page. To ensure you get the important information you are seeking, you can click on the appropriate vehicle maker below to go to its VIN search tool."
At first glance, I would assume that the issue was with the website. But after extensive testing, we determined that this only happens after adding the computer to our AD Domain. I do manage a couple other domains and none of them have this issue.
A place for De La Salle University - Manila students, faculty, alumni, and fans! Animo La Salle! 🏹
Since enlistment is tomorrow I tried logging-in to my animo.sys account to see if it was working, upon clicking login the page kept refreshing.
This wasnt the first time it happened to me so i was able to recover this issue before, i tried doing the change password in ActiveDirectory method again, but when i tried logging in naman on ActiveDirectory the security question page kept saying my answers were invalid. During the process i got my account blocked from trying to change the password. I’ve emailed ITS about this issue na but im hoping if anyone has an alternative solution to offer so i can finally login na sa animo.sys. Teewai! 🤕
Hello guys,
I have a question one of my clients want to return back from AAD(it have synchronized devices users etc) to his local active directory do you know any pros and cons of doing it and a time required for doing this?
A networking vendor is telling us that our AD usernames violate best practices because they start with a capital letter and that is why it is allowing MFA to be bypassed for their product.
Is there a published guideline for AD that says that usernames should not have capital letters that I have completely missed?
Edit: Thanks all for the confirmation. I've since found that a quick config change on their side in the documentation can address the issue, I am not sure what we are paying them for at this point...
### SOLVED ###
Hi everyone .
i'm facing a strange issue that is cracking my head. i have exchange server which was working fine untill this morning. this issue make me crazy the exchange not able to ping either active or passive active directory server, however the ping from AD servers can reached the exchange server. moreover the exchange server can ping all servers on the same subnet.
P.S exchange server and AD servers are in the same subnet no kind of firewall between them.
i will appreciate your support and ideas to resolve this issue.
Regards
From the "looking to get certified," to conversations/questions from current students, to certified and working professionals - this subreddit is dedicated to CompTIA certifications.
Over the past few weeks I have been planning and documenting an Active Directory home lab setup. If you are interested in doing the lab yourself, I created a full guide for you guys to follow along with. I know that hands on stuff definitely helps me learn, so feel free to check it out and get your feet wet with some VMs and AD. You can also include this on your resume if you choose, create your own documentation to go along with it! Hope you guys find this useful in some capacity.
![r/itsaunixsystem - [The Simpsons S31E12] It rubs Unix but with ActiveDirectory Users](http://web.archive.org./web/20240425210740im_/https://i.redd.it/oicu5ew8yey91.jpg)