Active Directory Administration

burmat / nathan burchfield

Search…

security and systems administration

security / hacking

One-Liners and Dirty Scripts

Domain Enumeration + Exploitation

MSFvenom Cheetsheet

OSCP / PWK - Random Tips and Tricks

systems administration

Active Directory Administration

Exchange Administration

System Fixes

Helper Commands

Log Parsing

Team Foundation Server Administration

SQL Server Administration

Active Directory Administration

This page is dedicated to any and all Active Directory administration

USER / HOST ENUMERATION
Get All Users
Get-ADUser -Filter * -Properties DisplayName, sAMAccountName, EmailAddress | Select DisplayName, sAMAccountName, EmailAddress | Export-CSV "C:\users.csv" 
Get Active Win10 Machine Patch Level (Last Logon in 60 Days)
$LastLogon = (Get-Date).Adddays( -(60) ); $Workstations = Get-ADComputer -Filter { LastLogonTimeStamp -gt $LastLogon -and OperatingSystem -like 'Windows 10'} -Properties *; $Workstations = $Workstations | Select-Object -Property DNSHostname,OperatingSystem,OperatingSystemVersion,IPv4Address,LastLogonDate,DistinguishedName,SID; Export-Results -Output $Workstations -Path "C:\Users\burmat\Desktop\Workstations.csv"
Get Hosts Last Logon
Iterate all computer objects in a given domain and get the date/time for the last time they were logged into:
1
Import-Module ActiveDirectory
2
​
3
function Get-ADHostsLastLogon() {
4
​
5
    $hnames = Get-ADComputer -Filter 'ObjectClass -eq "Computer"' | Select -Expand Name
6
​
7
    foreach ($hname in $hnames) {
8
        $dcs = Get-ADDomainController -Filter {Name -like "*"}
9
        $time = 0
10
        foreach($dc in $dcs) { 
11
            $computer = Get-ADComputer $hname | Get-ADObject -Properties lastLogon 
12
            if($computer.LastLogon -gt $time) {
13
                $time = $computer.LastLogon
14
            }
15
        }
16
        
17
        $dt = [DateTime]::FromFileTime($time).ToString('g')
18
        # 12/31/1600 will result if $time = 0 (never logged on before)
19
        Write-Host $dt", " $hname
20
    }
21
    Write-Host "Done."
22
}
23
​
24
Get-ADHostsLastLogon
Copied!
(Find my most recent copy on my GitHub)
Get Users Last Logon
To iterate all user objects in AD and get their last logon time, use:
1
Import-Module ActiveDirectory
2
​
3
function Get-ADUserLastLogon([string]$userName) {
4
​
5
    $dcs = Get-ADDomainController -Filter {Name -like "*"}
6
    $time = 0
7
    foreach($dc in $dcs) { 
8
        $hostname = $dc.HostName
9
        $user = Get-ADUser $userName | Get-ADObject -Properties lastLogon 
10
        if($user.LastLogon -gt $time) {
11
            $time = $user.LastLogon
12
        }
13
    }
14
    
15
    $dt = [DateTime]::FromFileTime($time)
16
    Write-Host $username "last logged on at:" $dt 
17
}
18
​
19
$unames = Get-ADUser -Filter 'ObjectClass -eq "User"' | Select -Expand SamAccountName
20
foreach ($uname in $unames) { Get-ADUserLastLogon($uname); } 
Copied!
(Find my most recent copy on my GitHub)
Get Stale Hosts
Use the following to generate a list of hosts that have not been logged into for the past 30 days:
1
Import-Module ActiveDirectory
2
​
3
function Get-StaleComputers() {
4
    $time = (Get-Date).Adddays(-30)
5
    Get-ADComputer -Filter { LastLogonTimeStamp -lt $time } -Properties LastLogonTimeStamp | Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} # | Export-CSV C:\temp\unused_machines.csv -notypeinformation
6
    Write-Host done.
7
}
8
​
9
Get-StaleComputers
Copied!
(Find my most recent copy on my GitHub)
DOMAIN MAINTENANCE
Move Object to Retire OU
I like to use the scripts above (Get Hosts Last Logon and Get Users Last Logon) to automatically move objects into the "Retire" OU using the following command(s):
1
# to move a user:
2
 Get-ADUser $uname | Move-ADObject -TargetPath 'OU=Retire,DC=burmat,DC=co' 
3
 
4
# to move a computer:
5
 Get-ADComputer $hname | Move-ADObject -TargetPath 'OU=Retire,DC=burmat,DC=co' 
Copied!
It's now trivial to disable all objects in the given OU.
Disable Everything in OU
Every few weeks, I run the following (as Domain Admin) to ensure the OU I use for my "Recycle Bin" is filled with only disabled accounts:
Get-ADUser -Filter * -SearchBase 'OU=Retire,DC=burmat,DC=co' | Disable-ADAccount 
Set Domain User Password
$uname = 'burmat'; $pass = "Password123!'; $securepass = ConvertTo-SecureString $pass -AsPlainText -Force; Set-DomainUserPassword -Identity $uname -AccountPassword $securepass;
FILE SYSTEM ADMINISTRATION
Getting Directory Sizes
I use the following command to generate a list of user profile's on a file server. It is useful to keep track of users that are exceeding our expectations when it comes to consuming space on a global server:
Get-ChildItem | Where-Object { $.PSIsContainer } | ForEach-Object { $.Name + ": " + "{0:N2}" -f ((Get-ChildItem $_ -Recurse | Measure-Object Length -Sum -ErrorAction SilentlyContinue).Sum / 1MB) + " MB" }
Tail a File
Similar to tail -f filename, you can use Get-Content to watch a file for changes:
 Get-Content -Path "\\server\logs\prod.server.log" -Wait 
MISC CLEANUP / MANAGEMENT
Clear Cached (mscachev2) Credentials
A domain-joined endpoint that is taken from the domain might still have cached (mscachev2) domain logins residing on it. This is why I always wipe the system or use the following to remove any cached credentials:
Run regedit and give your current local account Write access to the "SECURITY" node. After restarting regedit, navigate to:  HKEY_LOCAL_MACHINE\Security\Cache
Cached credentials are stored in the binary values of NL$1 through NL$10.  Zeroing out these values will clear the cached entries. Delete them if you want to remove them and disable this feature completely. 