Showing posts with label directory. Show all posts

Sunday, March 30, 2025

KQL - Group Object Audits ADDS

This is a KQL query written for Azure Sentinel (now Microsoft Sentinel).
Its purpose is to search the SecurityEvent table for the Active Directory Domain Services Event IDs that record group object changes: members added to or removed from security-enabled global, local and universal groups, and security-enabled global and local groups being created or deleted. Note that these events are written only on the domain controller that processed the change, so every DC has to be forwarding its Security log for the results to be complete.

SecurityEvent
| where EventID in (4728, 4729, 4732, 4733, 4756, 4757, 4727, 4730, 4731, 4734) // Add or remove from group, create or delete group
| extend 
    Action = case(
        EventID == 4728, "Added to Global Group",
        EventID == 4729, "Removed from Global Group",
        EventID == 4732, "Added to Local Group",
        EventID == 4733, "Removed from Local Group",
        EventID == 4756, "Added to Universal Group",
        EventID == 4757, "Removed from Universal Group",
        EventID == 4727, "Created a Security-Enabled Global Group",
        EventID == 4730, "Deleted a Security-Enabled Global Group",
        EventID == 4731, "Created a Security-Enabled Local Group",
        EventID == 4734, "Deleted a Security-Enabled Local Group",
        "Unknown Action"
    ),
    Initiator = coalesce(tostring(SubjectUserName), tostring(AccountName), "Unknown Initiator")
| summarize 
    FirstOccurrence = min(TimeGenerated)    
    by Action, TargetGroup = TargetAccount, Initiator, Domain = TargetDomainName, MemberName, EventID
| project FirstOccurrence, Action, Initiator, Domain, TargetGroup, MemberName, EventID
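Added example, not part of the original post: the same audit run directly against a domain controller's Security log with Get-WinEvent, for DCs that are not yet forwarding to Sentinel, with the raw event fields mapped to the same column names the query above uses and changes to privileged groups flagged. The $PrivilegedGroups list and the seven-day window are assumptions; adjust them to your environment.

```powershell
# Added example (not the original post's code): read AD group-object audit events from a DC's
# Security log and shape them like the Sentinel query's output. Group names in $PrivilegedGroups
# and the 7-day lookback are assumptions.
$EventMap = @{
    4727 = 'Created a Security-Enabled Global Group'
    4728 = 'Added to Global Group'
    4729 = 'Removed from Global Group'
    4730 = 'Deleted a Security-Enabled Global Group'
    4731 = 'Created a Security-Enabled Local Group'
    4732 = 'Added to Local Group'
    4733 = 'Removed from Local Group'
    4734 = 'Deleted a Security-Enabled Local Group'
    4756 = 'Added to Universal Group'
    4757 = 'Removed from Universal Group'
}
# Assumed list of groups whose membership changes deserve an alert, not just a report line
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Account Operators', 'Backup Operators', 'Server Operators', 'DnsAdmins')

function ConvertFrom-GroupAuditEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        # The event XML carries the useful fields in EventData/Data elements keyed by Name
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # TargetUserName is the group (shown as TargetAccount in the SecurityEvent table);
        # MemberName is the DN of the principal added/removed and is empty for create/delete events
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            EventID     = $Event.Id
            Action      = $EventMap[[int]$Event.Id]
            Initiator   = $d['SubjectUserName']
            Domain      = $d['TargetDomainName']
            TargetGroup = $d['TargetUserName']
            MemberName  = $d['MemberName']
            Privileged  = $PrivilegedGroups -contains $d['TargetUserName']
        }
    }
}

# Query the local DC for the last 7 days (add -ComputerName to Get-WinEvent to query another DC)
$filter = @{ LogName = 'Security'; Id = [int[]]$EventMap.Keys; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ConvertFrom-GroupAuditEvent |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, EventID, Action, Initiator, TargetGroup, MemberName, Privileged -AutoSize
```

Because member-add and member-remove events live only on the DC that performed the write, this has to be run against each DC (or the results merged from all of them); that is also why the Sentinel connector must collect from every DC rather than a single one.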

Monday, June 29, 2020

Powershell : get-ADReplicationReport - Function to get replication status from specified domain controller


<#
.SYNOPSIS
   Get Active Directory replication report
.DESCRIPTION
   Reports replication partner metadata (last successful replication, consecutive failures, partner address) for the specified domain controller, one row per partner and naming context.
.EXAMPLE
   get-QrgADReplicationReport -Server "DC01"
.EXAMPLE
   Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName | ForEach-Object { get-QrgADReplicationReport -Server $_ }
#>

function get-QrgADReplicationReport
{
    [CmdletBinding()]
    [OutputType([PSObject])]
    Param
    (
        # Domain controller to query (hostname or FQDN)
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]$Server
    )

    Begin
    {
        Import-Module ActiveDirectory -ErrorAction Stop
    }
    Process
    {
        # -Partition * returns one row per replication partner per naming context.
        # Partner is the DN of the partner's NTDS Settings object (CN=NTDS Settings,CN=<DC>,CN=Servers,...),
        # so the second RDN is the partner DC's name.
        Get-ADReplicationPartnerMetadata -Target $Server -Partition * | Select-Object `
        Server,`
        @{Name = 'Partner';Expression = {$_.Partner.Split(",")[1].Split("=")[1]}},`
        Partition,`
        LastReplicationSuccess,`
        ConsecutiveReplicationFailures,`
        PartnerType,`
        PartnerAddress,`
        PartnerGuid
    }
    End
    {
    }
}
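Added example, not part of the original post: the same partner metadata collected from every DC in the domain and turned into a pass/fail view, flagging partners with consecutive failures or with no successful replication inside a window, and attaching the last error code Get-ADReplicationFailure recorded. The 24-hour threshold is an assumption.

```powershell
# Added example (not the original post's code): replication health check across all DCs.
# $MaxAgeHours is an assumed threshold; tune it to your site-link schedule.
Import-Module ActiveDirectory

function Test-ADReplicationHealth {
    [CmdletBinding()]
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$MaxAgeHours = 24
    )
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)

    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain)) {
        try {
            $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction Stop
        } catch {
            # A DC that cannot be queried at all is itself a finding, not something to skip silently
            [pscustomobject]@{ Server = $dc.HostName; Partner = '-'; Partition = '-'; LastSuccess = $null
                               Failures = $null; LastError = $null; Status = "UNREACHABLE: $($_.Exception.Message)" }
            continue
        }
        # Per-partner failure records (FailureCount, FirstFailureTime, LastError) if the DC logged any
        $failures = Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue

        foreach ($m in $meta) {
            $status = 'OK'
            if ($m.ConsecutiveReplicationFailures -gt 0) {
                $status = "FAILING ($($m.ConsecutiveReplicationFailures) consecutive failures)"
            } elseif ($m.LastReplicationSuccess -lt $cutoff) {
                $status = "STALE (no success since $($m.LastReplicationSuccess))"
            }
            $lastErr = $failures | Where-Object { $_.Partner -eq $m.Partner } | Select-Object -First 1
            [pscustomobject]@{
                Server      = $m.Server
                Partner     = $m.Partner.Split(',')[1].Split('=')[1]   # CN=NTDS Settings,CN=<DC>,... -> <DC>
                Partition   = $m.Partition
                LastSuccess = $m.LastReplicationSuccess
                Failures    = $m.ConsecutiveReplicationFailures
                LastError   = $lastErr.LastError                      # Win32 error code, $null if none recorded
                Status      = $status
            }
        }
    }
}

# Only show what needs attention
Test-ADReplicationHealth | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Running this from a scheduled task and alerting on any non-OK row catches the usual silent failures (a DC that has been unreachable for days, or a partition that stopped replicating after a lingering-object or schema problem) before they reach the tombstone lifetime.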

Wednesday, September 20, 2017

Powershell : Certutil Find Expired Certs on CA server

Wrote this to get certificate expiration information for certificates that expired up to 5 days ago through ones that expire within the next 90 days. It runs on the CA itself; wrap it in Invoke-Command for a remote query, or add -config "CAHost\CA Name" to the certutil call to point it at a remote CA directly.
$Before = (Get-Date).AddDays(90).ToString("MM/dd/yyyy")
$After  = (Get-Date).AddDays(-5).ToString("MM/dd/yyyy")
<#

https://blogs.technet.microsoft.com/poshchap/2016/01/01/powershell-and-certutil-exe/
We create a date range with
$Before, i.e. certificates expiring before this date, and
$After, i.e. certificates expiring after this date. These values are converted into something that certutil can understand - $Restrict. This is then used with the certutil -restrict parameter.
#>
$Restrict = "NotAfter<=$Before,NotAfter>=$After"
$Report = @()
# The column list is one comma-separated argument. certutil prints each hit as
#   Row N:
#     Requester Name: "DOMAIN\user"
#     Issued Common Name: "host.example.com"
#     Certificate Expiration Date: 5/1/2025 10:00 AM
#     Certificate Template: "WebServer"   (v2+ templates print as "<OID> WebServer")
$SplitLines = & certutil.exe -view -restrict $Restrict -out "RequesterName,CommonName,Certificate Expiration Date,Certificate Template"

$Index = 0
foreach ($line in $SplitLines) {

    if ($line -like "Row*") {
        # The four requested columns follow the "Row N:" line in the order given to -out
        $RequesterName = $SplitLines[$Index+1].Split(":")[1].Replace("`"","").Trim()
        $CommonName    = $SplitLines[$Index+2].Split(":")[1].Replace("`"","").Trim()
        # Keep only the date; the time of day contains further colons
        $Expiration    = $SplitLines[$Index+3].Split(":")[1].Trim().Split(" ")[0]
        $TemplateField = $SplitLines[$Index+4].Split(":")[1].Replace("`"","").Trim()

        # Version 2+ templates are shown as "<OID> <DisplayName>"; keep the display name
        if ($TemplateField -like "1.*") {
            $TemplateName = $TemplateField.Split(" ")[1]
        }
        else {
            $TemplateName = $TemplateField
        }

        $Report += [pscustomobject]@{
            RequesterName                 = $RequesterName
            CommonName                    = $CommonName
            'Certificate Expiration Date' = $Expiration
            'Certificate Template'        = $TemplateName
        }
    }

    $Index++
}
$Report
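Added example, not the original script: a parser for certutil -view output that matches on the field labels instead of fixed line offsets, so a missing or reordered column cannot shift every value into the wrong property, handles the "OID DisplayName" form of version 2+ templates, and computes days until expiry. The sample text is constructed to look like certutil's output so the function can be tried offline; in use, pipe the real certutil command into it.

```powershell
# Added example (not the original post's code). The $sample block below is constructed
# test input in certutil's row format; replace it with the real command's output.
function ConvertFrom-CertutilView {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Lines)
    begin {
        $row = $null
        # Emit a finished row, adding a DaysLeft column (negative = already expired)
        $emit = {
            param($h)
            if ($h.ExpirationDate) { $h.DaysLeft = ($h.ExpirationDate - (Get-Date)).Days }
            [pscustomobject]$h
        }
    }
    process {
        foreach ($line in $Lines) {
            if ($line -match '^Row \d+:') {
                if ($row) { & $emit $row }
                $row = [ordered]@{ RequesterName = $null; CommonName = $null; ExpirationDate = $null; Template = $null; DaysLeft = $null }
            }
            elseif ($row -and $line -match '^\s*(?<label>[^:]+):\s*(?<value>.*)$') {
                $label = $matches.label.Trim()
                $value = $matches.value.Trim().Trim('"')
                switch ($label) {
                    'Requester Name'              { $row.RequesterName = $value }
                    'Issued Common Name'          { $row.CommonName    = $value }
                    'Certificate Expiration Date' {
                        # certutil prints dates in the system locale, so parse with the current culture
                        $row.ExpirationDate = [datetime]::Parse($value, [cultureinfo]::CurrentCulture)
                    }
                    'Certificate Template'        {
                        # v2+ templates print as "1.3.6.1.4.1.311.21.8.<...> WebServer"; keep the display name
                        $row.Template = if ($value -match '^\d+(\.\d+)+\s+(?<name>\S+)') { $matches.name } else { $value }
                    }
                }
            }
        }
    }
    end { if ($row) { & $emit $row } }
}

# Constructed sample in certutil -view -out format (not real CA output)
$sample = @'
Schema:
  Column Name                   Localized Name                Type    MaxLength
  ----------------------------  ----------------------------  ------  ---------
  RequesterName                 Requester Name                String  2048 -- Indexed
Row 1:
  Requester Name: "CONTOSO\websvc"
  Issued Common Name: "web01.contoso.com"
  Certificate Expiration Date: 5/1/2025 10:15 AM
  Certificate Template: "1.3.6.1.4.1.311.21.8.1234567.7654321.1.2.3.4.5 WebServerV2"

Row 2:
  Requester Name: "CONTOSO\DC01$"
  Issued Common Name: "dc01.contoso.com"
  Certificate Expiration Date: 4/2/2025 8:00 AM
  Certificate Template: "DomainController"
'@ -split "`r?`n"

$sample | ConvertFrom-CertutilView | Sort-Object ExpirationDate | Format-Table -AutoSize

# Against a real CA, with the same $Restrict as above:
# certutil.exe -view -restrict $Restrict -out "RequesterName,CommonName,Certificate Expiration Date,Certificate Template" | ConvertFrom-CertutilView
```

Because the parser keys on labels, you can add columns such as RequestID or SerialNumber to -out without disturbing the existing fields; only the switch needs a new case.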

Tuesday, October 18, 2016

Powershell: Change UPN on list of users

I needed a script to bulk change a list of users to a new UPN, and I came up with this.

# users.txt holds one identity per line (SamAccountName, DN, GUID or SID), which Get-ADUser accepts from the pipeline
$Users = Get-Content c:\temp\users.txt | Get-ADUser

foreach ($User in $Users) {
    # Keep the part before '@'; fall back to the SamAccountName if the account has no UPN yet
    if ($User.UserPrincipalName) { $UserUPNwithOutDomain = $User.UserPrincipalName.Split("@")[0] }
    else { $UserUPNwithOutDomain = $User.SamAccountName }
    Set-ADUser $User -UserPrincipalName "$($UserUPNwithOutDomain)@microsoft.com"
}
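Added example, not the original script: the same bulk change with the two checks that usually bite in practice, that the new suffix is actually a domain or registered UPN suffix in the forest (otherwise Set-ADUser succeeds but the user can no longer sign in with the UPN), and that the target UPN is not already held by another account anywhere in the forest, which is checked through the global catalog. It supports -WhatIf for a dry run. The file path and suffix in the usage line are assumptions.

```powershell
# Added example (not the original post's code): bulk UPN suffix change with validation.
Import-Module ActiveDirectory

function Set-BulkUpnSuffix {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserListPath,   # one identity per line
        [Parameter(Mandatory)][string]$NewSuffix       # e.g. microsoft.com (assumed)
    )
    $forest = Get-ADForest
    # Valid suffixes are the forest's domain names plus whatever was added as an alternative UPN suffix
    $validSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)
    if ($validSuffixes -notcontains $NewSuffix) {
        throw "'$NewSuffix' is not a domain or registered UPN suffix in forest $($forest.Name). Add it first: Set-ADForest -UPNSuffixes @{Add='$NewSuffix'}"
    }
    $gc = "$($forest.Name):3268"   # global catalog port, so uniqueness is checked forest-wide

    foreach ($identity in (Get-Content $UserListPath | Where-Object { $_.Trim() })) {
        $user = Get-ADUser -Identity $identity.Trim() -ErrorAction SilentlyContinue
        if (-not $user) { Write-Warning "$identity not found, skipping"; continue }

        $prefix = if ($user.UserPrincipalName) { $user.UserPrincipalName.Split('@')[0] } else { $user.SamAccountName }
        $newUpn = "$prefix@$NewSuffix"
        if ($user.UserPrincipalName -eq $newUpn) { continue }   # already done

        # UPNs must be unique across the forest; a clash would later break Kerberos name resolution and Entra sync
        $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" -Server $gc
        if ($clash -and $clash.DistinguishedName -ne $user.DistinguishedName) {
            Write-Warning "$newUpn is already used by $($clash.DistinguishedName); skipping $identity"
            continue
        }

        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set UPN to $newUpn")) {
            Set-ADUser -Identity $user -UserPrincipalName $newUpn
        }
    }
}

# Dry run first, then drop -WhatIf
Set-BulkUpnSuffix -UserListPath c:\temp\users.txt -NewSuffix microsoft.com -WhatIf
```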

Wednesday, February 3, 2016

Powershell: RDP log user account off of all servers using jobs.

#Log User account off all servers
# Tony Unger
#

$Domain = "Microsoft.com"
$Servers = Get-ADComputer -Filter {(OperatingSystem -Like "Windows Server*") -and (Enabled -eq $true)} -Server $Domain | Select-Object -ExpandProperty Name
$username = Read-Host "Enter Users Name:"
$i = 0

$scriptblock = {
    param(
        [string]$server,
        [string]$Username
    )
    # qwinsta columns: SESSIONNAME USERNAME ID STATE TYPE DEVICE. Disconnected sessions have an empty
    # SESSIONNAME, which shifts whitespace-split columns, so take the numeric ID that follows the user name instead.
    qwinsta /server:$server $Username 2>$null | ForEach-Object {
        if ($_ -match "\s$([regex]::Escape($Username))\s+(\d+)\s") {
            logoff /server:$server $matches[1]
        }
    }
}
$TotalServersCount = $Servers.Count
foreach ($server in $Servers) {
    $i++
    Write-Progress -Activity "logging off user" -Status "Currently on $server -- $i of $TotalServersCount" -PercentComplete ($i / $TotalServersCount * 100)
    # Keep at most 50 jobs running; wait for one to finish before starting the next
    while (@(Get-Job -State Running).Count -ge 50) {
        Get-Job -State Running | Wait-Job -Any | Out-Null
    }
    Start-Job -ScriptBlock $scriptblock -Name $server -ArgumentList $server, $username | Out-Null
}

# Wait for the remaining jobs, show their output, then clean up
Get-Job | Wait-Job | Out-Null
Get-Job | Receive-Job
Remove-Job -State Completed

Thursday, July 9, 2015

Powershell: Jobs - Search for shares in ad windows servers

Job script to search for shares in an Active Directory environment. Update $Domain to your domain and run.
#Tony Unger 
#Tonyunger.com
#Scans all AD servers for Shares 
#50 servers at a time
#Will Prompt for creds
$i = 0
Import-Module ActiveDirectory
Clear-Host
$creds = Get-Credential
$myCol = @()
$Domain = "microsoft.com"

$Servers = Get-ADComputer -Server $Domain -Filter {(OperatingSystem -Like "Windows Server*") -and (Enabled -eq $true)} | Select-Object -ExpandProperty Name

$scriptblock = {
    param(
        [string]$server,
        [pscredential]$creds
    )
    # Returns every share, including the hidden admin shares (C$, ADMIN$, IPC$)
    Get-WmiObject Win32_Share -ComputerName $server -Credential $creds | Select-Object *
}
$TotalServersCount = $Servers.Count
foreach ($server in $Servers) {
    $i++
    Write-Progress -Activity "Gathering computer info" -Status "Currently on $server -- $i of $TotalServersCount" -PercentComplete ($i / $TotalServersCount * 100)
    # Keep at most 50 jobs running; wait for one to finish before starting the next
    while (@(Get-Job -State Running).Count -ge 50) {
        Get-Job -State Running | Wait-Job -Any | Out-Null
    }
    Start-Job -ScriptBlock $scriptblock -Name $server -ArgumentList $server, $creds | Out-Null
}

# Wait for the remaining jobs before collecting their output
Get-Job | Wait-Job | Out-Null

foreach ($job in Get-Job) {
    $recjobs = Receive-Job -Keep -Job $job
    foreach ($recjob in $recjobs) {
        $Detail = New-Object PSObject
        $Detail | Add-Member NoteProperty Name $recjob.Name
        $Detail | Add-Member NoteProperty Path $recjob.Path
        $Detail | Add-Member NoteProperty Server $recjob.__SERVER
        $myCol += $Detail
    }
}
$myCol
# The output folder must already exist
$myCol | Export-Csv -Path c:\TEMp\shares\output.csv -NoTypeInformation
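Added example, not from either of the two job-based posts above (the share inventory and the RDP logoff): Invoke-Command already fans out over WinRM with a built-in throttle and stamps each result with PSComputerName, so the hand-rolled Start-Job loop and the job bookkeeping are not needed. Both tasks are shown against the same server list; the share inventory separates hidden/admin shares from user shares and records unreachable hosts. The domain, output path and the use of WinRM rather than DCOM are assumptions.

```powershell
# Added example (not the original posts' code): the same two tasks with Invoke-Command's throttle.
Import-Module ActiveDirectory
$Domain  = "microsoft.com"        # assumed
$Creds   = Get-Credential
$Servers = Get-ADComputer -Server $Domain -Filter { (OperatingSystem -like "Windows Server*") -and (Enabled -eq $true) } |
           Select-Object -ExpandProperty DNSHostName

# 1) Share inventory. Get-CimInstance replaces Get-WmiObject; the 0x80000000 bit in Type marks
#    hidden/admin shares (C$, ADMIN$, IPC$), which are usually noise in a share review.
$shares = Invoke-Command -ComputerName $Servers -Credential $Creds -ThrottleLimit 50 `
                         -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
    Get-CimInstance Win32_Share | ForEach-Object {
        [pscustomobject]@{
            Name  = $_.Name
            Path  = $_.Path
            Admin = ($_.Type -band 0x80000000) -ne 0
        }
    }
}
# PSComputerName is added by Invoke-Command; hosts that could not be reached end up in $failed
$shares | Select-Object PSComputerName, Name, Path, Admin |
    Export-Csv -Path c:\temp\shares\output.csv -NoTypeInformation
$failed | ForEach-Object { Write-Warning "Unreachable: $($_.TargetObject)" }

# 2) Log one user off everywhere. quser prints USERNAME SESSIONNAME ID STATE ...; SESSIONNAME is
#    blank for disconnected sessions, so the session name group is optional in the pattern.
$UserName = Read-Host "Enter Users Name:"
Invoke-Command -ComputerName $Servers -Credential $Creds -ThrottleLimit 50 `
               -ErrorAction SilentlyContinue -ArgumentList $UserName -ScriptBlock {
    param($UserName)
    quser 2>$null | ForEach-Object {
        if ($_ -match "^\s*>?$([regex]::Escape($UserName))\s+(\S+\s+)?(\d+)\s") {
            logoff $matches[2]
            "$env:COMPUTERNAME: logged off session $($matches[2])"
        }
    }
}
```

Running the logoff inside the remote session (logoff with a bare session ID) avoids the RPC-based /server: path entirely, so only WinRM (TCP 5985/5986) has to be open to the servers.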


Thursday, February 13, 2014

Powershell: Get All AD Group Members


Purpose: This script requires the RSAT tools to work. It connects to AD, gets all groups and the users within each group, and outputs them to a CSV file. It can also take a single group and display or export the results.


###################################
#Tony Unger - Get Group members
#12/12/2013
#1.0
###################################

Import-Module ActiveDirectory

do {
    Clear-Host
    $response = "N"
    $ExportPath = "c:\temp\AD_GroupMemberofQuery.csv"
    $myCol = @()

    [int]$xMenuChoiceA = 0
    while ( $xMenuChoiceA -lt 1 -or $xMenuChoiceA -gt 3 ){
        Write-Host "Active Directory Group Member Reporting" -ForegroundColor "magenta"
        Write-Host "1. Specify a Group"
        Write-Host "2. All Groups"
        Write-Host "3. Quit and exit"
        [int]$xMenuChoiceA = Read-Host "Please enter an option 1 to 3..."
    }

    Switch ( $xMenuChoiceA ){
        1 { $ADGroups = @(Read-Host "Please enter the AD group name") }
        2 { $ADGroups = Get-ADGroup -Filter {GroupCategory -eq "Security" -and GroupScope -eq "Global"} | Select-Object -ExpandProperty SamAccountName }
        3 { exit }
        default { exit }
    }

    $i = 0
    foreach ($ADGroup in $ADGroups){
        $i++
        Write-Progress -Activity "Gathering members" -Status "Currently on group $ADGroup" -PercentComplete ($i / $ADGroups.Count * 100)
        # -Recursive flattens nested groups; very large groups can hit the AD web service's default result size limit
        $Members = Get-ADGroupMember $ADGroup -Recursive

        foreach ($MemberofGroup in $Members){
            $Detail = New-Object PSObject
            $Detail | Add-Member NoteProperty GroupName $ADGroup
            $Detail | Add-Member NoteProperty User $MemberofGroup.Name
            $Detail | Add-Member NoteProperty Account_Name $MemberofGroup.SamAccountName
            $myCol += $Detail
        }
    }

    $myCol | Export-Csv -Path $ExportPath -NoTypeInformation
    Write-Host "File exported to: $ExportPath"

    [int]$xMenuChoiceB = 0
    while ( $xMenuChoiceB -lt 1 -or $xMenuChoiceB -gt 3 ){
        Clear-Host
        Write-Host "Active Directory Group Member Reporting" -ForegroundColor "magenta"
        Write-Host "1. Display current results"
        Write-Host "2. Query another group"
        Write-Host "3. Quit and exit"
        [int]$xMenuChoiceB = Read-Host "Please enter an option 1 to 3..."
    }

    Switch ( $xMenuChoiceB ){
        1 { $myCol }
        2 { $response = "Y" }
        3 { exit }
        default { exit }
    }

} while ($response -eq "Y")


Tuesday, May 21, 2013

Powershell: Gather all user objects and report lastlogon and lastlogontimestamp to CSV file


Purpose:
Connects to active directory and pulls a list of all user objects and create a report of lastlogon and lastlogontimestamp values

Note: This is something I did around midnight, so I need to do further testing on this script to ensure the data is correct, and the lastlogon value will only be from the DC the script is running against.

  
#Tony Unger
#Scans all user accounts and reports lastlogon and lastlogontimestamp attr.

Import-Module ActiveDirectory

# lastLogon is not replicated, so the value comes from whichever DC answers the query;
# lastLogonTimestamp is replicated but is only refreshed when older than 9-14 days.
# Accounts that never logged on have no value, which FromFileTime would show as 1601-01-01, so report 'Never' instead.
$AllUsers = Get-ADUser -Filter * -SearchBase "DC=microsoft,DC=Com" -Properties SamAccountName,LastLogon,LastLogonTimestamp |
    Select-Object Name, UserPrincipalName, SamAccountName,
        @{Name='Last Logon Timestamp'; Expression={ if ($_.LastLogonTimestamp) { [System.DateTime]::FromFileTime($_.LastLogonTimestamp).ToString('g') } else { 'Never' } }},
        @{Name='Last Logon';           Expression={ if ($_.LastLogon)          { [System.DateTime]::FromFileTime($_.LastLogon).ToString('g') }          else { 'Never' } }}

$AllUsers | Export-Csv -Path "c:\Audit_UsersLastLogon.csv" -NoTypeInformation
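Added example, not part of the original post: the accurate version of this report. Because lastLogon is never replicated, each DC holds only the logons it authenticated itself, so the script is run against every DC in the domain and the newest value per account is kept, along with which DC supplied it. The search base and domain name are carried over from the post and are assumptions.

```powershell
# Added example (not the original post's code): true last logon across all DCs.
Import-Module ActiveDirectory

function ConvertFrom-FileTimeOrNever {
    param([long]$FileTime)
    if ($FileTime -gt 0) { [DateTime]::FromFileTime($FileTime).ToString('g') } else { 'Never' }
}

function Get-TrueLastLogon {
    [CmdletBinding()]
    param(
        [string]$SearchBase = "DC=microsoft,DC=com",   # assumed, as in the original
        [string]$Domain     = "microsoft.com"           # assumed
    )
    $best = @{}   # SamAccountName -> record holding the newest lastLogon seen on any DC

    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain).HostName) {
        try {
            $users = Get-ADUser -Filter * -SearchBase $SearchBase -Server $dc -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        } catch {
            # An offline DC means a possible gap in the data, so say so rather than fail the whole run
            Write-Warning "Skipping $dc : $($_.Exception.Message)"
            continue
        }
        foreach ($u in $users) {
            $ll = [long]$u.lastLogon        # $null becomes 0
            if (-not $best.ContainsKey($u.SamAccountName)) {
                $best[$u.SamAccountName] = [pscustomobject]@{
                    Name               = $u.Name
                    UserPrincipalName  = $u.UserPrincipalName
                    SamAccountName     = $u.SamAccountName
                    LastLogonTimestamp = [long]$u.lastLogonTimestamp   # replicated, so any DC will do
                    LastLogon          = 0L
                    LastLogonDC        = $null
                }
            }
            $rec = $best[$u.SamAccountName]
            if ($ll -gt $rec.LastLogon) { $rec.LastLogon = $ll; $rec.LastLogonDC = $dc }
        }
    }

    $best.Values | Sort-Object SamAccountName | ForEach-Object {
        [pscustomobject]@{
            Name                   = $_.Name
            UserPrincipalName      = $_.UserPrincipalName
            SamAccountName         = $_.SamAccountName
            'Last Logon Timestamp' = ConvertFrom-FileTimeOrNever $_.LastLogonTimestamp
            'Last Logon'           = ConvertFrom-FileTimeOrNever $_.LastLogon
            'Last Logon DC'        = $_.LastLogonDC
        }
    }
}

Get-TrueLastLogon | Export-Csv -Path "c:\Audit_UsersLastLogon.csv" -NoTypeInformation
```

For a stale-account sweep, 'Last Logon Timestamp' alone is normally good enough (it is at most about two weeks behind); the per-DC pass matters when you need the exact last logon, for example before disabling a service account or during an incident timeline.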




Tuesday, November 20, 2012

VBS script - List out all domain groups with users

This is a little VBS script I pieced together back in 2007. Its purpose is to connect to Active Directory and list out all domain groups and their users into a CSV file. If you have proper permissions on the domain, just double-click it and it will save a CSV file to c:\groupswithusers.csv. Purpose: list out all domain groups with users. Note: There could be an issue listing out the Domain Users group that I never fixed. The cause is that a user's primary group (Domain Users by default) is recorded in the user's primaryGroupID attribute, not in the group's member attribute, so enumerating the group's Members returns almost nothing for it.

'Tony Unger Nov 2007
'if you have questions, i may or may not be able to answer them
'This script returns all the groups with their members in this format
'"Group,Display name,Account Name,Group Scope,Group Type"
'I did it that way for easy import into excel
'Tested to work on
'2000 Mixed mode
'2000 Native Mode
'2003 Mode
'It should auto find the domain it is ran from.. if not look for strDNSDomain and fill in your information
'This was pieced together from many sources but mainly
'http://www.computerperformance.co.uk/vbscript/index.htm
'And a few others
'Use at your own risk, but i have never had an issue running this.

On Error Resume Next
Dim PathtoCSV
Dim Dil
PathtoCSV = "c:\GroupsWithUsers.csv" ' change the path here
dil = ","    'how do you want the values to be separated ?  by , ; etc
Dim objConnection, objCommand, objRootDSE, strDNSDomain
Dim strBase, strFilter, strAttributes, strQuery, objRecordSet, strgt
Dim strDN, strSA, Scope, SecDst, objGroup, objUser
Dim fso, GuyFile ' write to text file


Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")


objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
Set objRootDSE = GetObject("LDAP://RootDSE") 'bind to RootDSE to discover the current domain
Set fso = CreateObject("Scripting.FileSystemObject")
Set GuyFile = fso.CreateTextFile(PathtoCSV, True)

'Writes 1st line(Header) to text file
GuyFile.WriteLine("Group Name" & dil & "Display Name" & dil & "Account Name" & dil & "Group Scope" & dil &  "Group Type" & dil & "Last Password Set")

'Get domain if this doesn't work in auto finding the domain can try the commented out
strDNSDomain = objRootDSE.Get("defaultNamingContext")
'strDNSDomain = "DC=microsoft,DC=com"

'The search base must be an LDAP path in angle brackets; with an empty base the query
'fails, and On Error Resume Next hides the error
strBase = "<LDAP://" & strDNSDomain & ">"

'Define the filter elements
strFilter = "(&(objectCategory=group))"

'List all attributes you will require
strAttributes = "distinguishedName,sAMAccountName,groupType"

'compose query
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 99999
objCommand.Properties("Timeout") = 300
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName") ' returns ldap path
    strSA = objRecordSet.Fields("sAMAccountName") ' returns Group name
    strgt = objRecordSet.Fields("groupType")
    'groupType is a bit field: the scope is in the low bits, the security-enabled flag in the high bit
    Scope = "Unknown"
    If (strgt And &h01) <> 0 Then
        Scope = "BuiltIn Local"
    ElseIf (strgt And &h02) <> 0 Then
        Scope = "Global"
    ElseIf (strgt And &h04) <> 0 Then
        Scope = "Domain Local"
    ElseIf (strgt And &h08) <> 0 Then
        Scope = "Universal"
    End If
    If (strgt And &h80000000) <> 0 Then
        SecDst = "Security Type"
    Else
        SecDst = "Distribution Type"
    End If

    'strDN Prints ex CN=IIS_WPG,OU=IT Dept,OU=Groups,DC=XXXX,DC=com   Sweet!!!
    'Wscript.Echo  strDN

    Set objGroup = GetObject("LDAP://" & strDN)

    'Members only reflects the group's member attribute; accounts whose primary group this is
    '(most users for Domain Users) are not listed here
    For Each objUser in objGroup.Members
    'The mid function is set to start at char 4 on the returned string of objUser.Name to not write CN= to the csv file
    'If you wanted to only write certain groups and their members to the CSV file then uncomment the line below and the end if and follow the example
    'If strSA = "Domain Admins" or strSA = "Administrators" or strSA = "Enterprise Admins" Then
          GuyFile.WriteLine(strSA & dil & objUser.displayName & dil & mid(objUser.Name,4) & dil & Scope & dil &  SecDst & dil & objUser.PasswordLastChanged)
    'End If
     Next
    Set objGroup = Nothing
    objRecordSet.MoveNext ' moves to the next group
Loop


GuyFile.Close
objConnection.Close
WScript.Echo "Done! CSV file saved to: " & PathtoCSV
Set objConnection = Nothing
Set objCommand = Nothing
Set objRootDSE = Nothing
Set objRecordSet = Nothing
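Added example, not from either group-membership post above (the 2014 PowerShell script or the 2007 VBS script): a PowerShell function that returns a group's effective membership with one server-side LDAP query. The LDAP_MATCHING_RULE_IN_CHAIN matching rule makes the DC walk nested groups, so there is no client-side recursion and no dependence on Get-ADGroupMember's result-size limit, and a second filter term on primaryGroupID picks up accounts whose primary group this is, which is exactly why Domain Users comes back empty when only the member attribute is read. The output path is an assumption carried over from the PowerShell post.

```powershell
# Added example (not the original posts' code): effective group membership via
# LDAP_MATCHING_RULE_IN_CHAIN plus primaryGroupID. Output path is assumed.
Import-Module ActiveDirectory

function Get-EffectiveGroupMembers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$GroupName,
        [string]$Server    # optional DC or domain to query
    )
    process {
        $adArgs = @{}
        if ($Server) { $adArgs['Server'] = $Server }

        $group = Get-ADGroup -Identity $GroupName @adArgs -ErrorAction Stop
        # The RID (last SID component) is what users store in primaryGroupID
        $rid = $group.SID.Value.Split('-')[-1]

        # Escape RFC 4515 special characters so a DN containing \ ( ) or * does not break the filter
        $dn = $group.DistinguishedName -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' -replace '\*','\2a'

        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: the server expands nested membership
        $filter = "(|(memberOf:1.2.840.113556.1.4.1941:=$dn)(primaryGroupID=$rid))"

        Get-ADObject -LDAPFilter $filter -Properties sAMAccountName @adArgs |
            Where-Object { $_.ObjectClass -ne 'group' } |      # drop the intermediate groups; keep users, computers, etc.
            ForEach-Object {
                [pscustomobject]@{
                    GroupName    = $group.SamAccountName
                    User         = $_.Name
                    Account_Name = $_.sAMAccountName
                    ObjectClass  = $_.ObjectClass
                }
            }
    }
}

# Same CSV layout as the PowerShell post, now including Domain Users' primary-group members
'Domain Admins', 'Domain Users' | Get-EffectiveGroupMembers |
    Export-Csv -Path c:\temp\AD_GroupMemberofQuery.csv -NoTypeInformation
```

Two limits to keep in mind: the chain walk only follows memberships held in the partition of the DC you query, so members that are foreign security principals from a trusted forest appear as the FSP object rather than the real account, and a domain local group in another domain of the forest needs the query sent to a DC of that domain (use -Server).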

Powershell: Microsoft Graph to add new roles to application registration

PowerShell Script Bulk add new roles to application registration in azure. Update $roles with ,Us...