Active Directory Security Report PowerShell

Source: It For Dummies (original link)



Active Directory is one of the most critical systems in your infrastructure. We saw previously how to get some basic information about how you're using it, and how to get statistics about users, computers and groups.

Today, we’ll add some security indicators to this report:

  • Users that don’t require a password
  • Users that don’t require Kerberos pre-authentication
  • Presence of dynamic objects
  • Presence of the DsrmAdminLogonBehavior registry key
  • Attributes not audited
  • Trusts without SID filtering enabled
  • AdminSDHolder metadata
  • Domain metadata

This is not an exhaustive list, just a few points you can easily keep an eye on.

Users that don’t require a password

This userAccountControl flag (PASSWD_NOTREQD, 0x0020) allows an account to bypass the domain password policy. This can lead to weak passwords, or no password at all.

Users that don’t require Kerberos pre-authentication

This flag (DONT_REQ_PREAUTH, 0x400000) is a security risk as well: without pre-authentication, anyone on the network can request an AS-REP for the account and crack the encrypted part offline to recover its password (AS-REP roasting).
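The two userAccountControl checks above can be done with a single LDAP bitwise filter. The following is an added example and not the code of the original report; it assumes the RSAT ActiveDirectory module is installed and that the caller can read the domain.

```powershell
# Added example, not the code of the original report.
# Finds accounts whose userAccountControl bypasses the password policy
# (PASSWD_NOTREQD) or disables Kerberos pre-authentication (DONT_REQ_PREAUTH).
Import-Module ActiveDirectory

# Bit values are the documented userAccountControl flags.
$uacFlags = [ordered]@{
    PasswordNotRequired = 0x0020    # PASSWD_NOTREQD
    PreAuthNotRequired  = 0x400000  # DONT_REQ_PREAUTH
}

function Get-WeakUacAccount {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    foreach ($flag in $uacFlags.GetEnumerator()) {
        # 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule,
        # so the filter matches only objects that have this bit set.
        $filter = '(&(objectCategory=person)(objectClass=user)' +
                  "(userAccountControl:1.2.840.113556.1.4.803:=$($flag.Value)))"

        Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase `
                   -Properties userAccountControl, LastLogonDate, adminCount |
        ForEach-Object {
            [PSCustomObject]@{
                Check              = $flag.Key
                SamAccountName     = $_.SamAccountName
                Enabled            = $_.Enabled
                AdminCount         = $_.adminCount
                LastLogonDate      = $_.LastLogonDate
                UserAccountControl = '0x{0:X}' -f $_.userAccountControl
                DistinguishedName  = $_.DistinguishedName
            }
        }
    }
}

# Enabled, privileged (adminCount=1) accounts are the ones to fix first.
Get-WeakUacAccount | Sort-Object Check, Enabled, SamAccountName | Format-Table -AutoSize
```

Querying the raw bit rather than the cmdlet's friendly properties (PasswordNotRequired, DoesNotRequirePreAuth) keeps the filter usable with Get-ADObject and with plain LDAP tools, which matters when the report has to run against a domain where the RSAT extended properties are not available.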

Presence of dynamic objects

The presence of dynamic objects can be a sign of malicious activity if you don’t use them as part of a privileged access management process. Indeed, those objects are very discreet in the logs and are used by attackers to grant themselves temporary administrative permissions very quietly.
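Dynamic objects carry the auxiliary class dynamicObject and an expiry timestamp, so they can be enumerated with one LDAP filter. The following is an added example and not the code of the original report; it assumes the RSAT ActiveDirectory module and searches the domain naming context by default.

```powershell
# Added example, not the code of the original report.
# Lists every dynamic object in the domain with its remaining lifetime and
# group memberships, so short-lived principals can be reviewed.
Import-Module ActiveDirectory

function Get-DynamicObjectReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # dynamicObject is the auxiliary class that marks a dynamic object;
    # msDS-Entry-Time-To-Die holds the expiry time and entryTTL is the
    # constructed attribute giving the remaining seconds.
    Get-ADObject -LDAPFilter '(objectClass=dynamicObject)' -SearchBase $SearchBase `
                 -Properties entryTTL, 'msDS-Entry-Time-To-Die', whenCreated, memberOf |
    ForEach-Object {
        [PSCustomObject]@{
            DistinguishedName = $_.DistinguishedName
            ObjectClass       = $_.ObjectClass
            WhenCreated       = $_.whenCreated
            TimeToDie         = $_.'msDS-Entry-Time-To-Die'
            RemainingTtlSec   = $_.entryTTL
            MemberOf          = ($_.memberOf -join '; ')
        }
    }
}

# In a domain that does not use dynamic objects on purpose, every row is a finding;
# a dynamic object that is a member of a privileged group is the urgent one.
$dynamic = Get-DynamicObjectReport
if ($dynamic) { $dynamic | Format-List } else { 'No dynamic object found.' }
```

Run it with a short interval (the object may expire between two daily runs) and keep the output, because once the TTL elapses the object is gone and the report is the only record that it existed.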

Presence of the DsrmAdminLogonBehavior registry key

This registry key controls the logon behavior of the Directory Services Restore Mode (DSRM) administrator account. Depending on its value, it can allow the DSRM account to log on to a running domain controller. Once logged on, the DSRM account is as powerful as a domain admin.
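The value lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and has to be checked on every domain controller, not only on the one you are connected to. The following is an added example and not the code of the original report; it assumes the RSAT ActiveDirectory module and PowerShell remoting to the domain controllers.

```powershell
# Added example, not the code of the original report.
# Reads DsrmAdminLogonBehavior on every domain controller of the current domain.
Import-Module ActiveDirectory

function Get-DsrmLogonBehaviorReport {
    $dcs = (Get-ADDomainController -Filter *).HostName

    Invoke-Command -ComputerName $dcs -ScriptBlock {
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $item  = Get-ItemProperty -Path $key -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.DsrmAdminLogonBehavior } else { $null }

        # Documented meaning of the value (an absent value behaves like 0).
        if ($null -eq $value -or $value -eq 0) {
            $meaning = 'DSRM account usable only when the DC is booted into DSRM (default)'
        } elseif ($value -eq 1) {
            $meaning = 'DSRM account usable when the AD DS service is stopped'
        } elseif ($value -eq 2) {
            $meaning = 'DSRM account usable at any time, including on a running DC'
        } else {
            $meaning = "Unexpected value $value"
        }

        [PSCustomObject]@{
            DomainController       = $env:COMPUTERNAME
            DsrmAdminLogonBehavior = $value
            Meaning                = $meaning
            Finding                = ($null -ne $value -and $value -ne 0)
        }
    } | Select-Object DomainController, DsrmAdminLogonBehavior, Meaning, Finding
}

Get-DsrmLogonBehaviorReport | Format-Table -AutoSize
```

The key is absent on a default installation, so its mere presence is worth a ticket even when the value is 0: somebody created it.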

Attributes not audited

If some attributes aren’t audited, you won’t be able to track any modification made to them from the security logs: the changes will be completely unnoticeable.
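In the schema, auditing of value changes is switched off per attribute by the NEVER_AUDIT_VALUE bit (0x100) of searchFlags. The following is an added example and not the code of the original report; it assumes that this bit is what the check targets, and that the RSAT ActiveDirectory module is available.

```powershell
# Added example, not the code of the original report. It assumes the check
# targets the schema searchFlags bit NEVER_AUDIT_VALUE (0x100): when it is set
# on an attribute, domain controllers do not record value changes of that
# attribute in the Directory Service Changes audit events.
Import-Module ActiveDirectory

function Get-UnauditedAttribute {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # 1.2.840.113556.1.4.803 is the bitwise AND matching rule; 256 = 0x100.
    $filter   = '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=256))'

    Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter `
                 -Properties lDAPDisplayName, searchFlags, whenChanged |
    ForEach-Object {
        [PSCustomObject]@{
            Attribute   = $_.lDAPDisplayName
            SearchFlags = '0x{0:X}' -f $_.searchFlags
            WhenChanged = $_.whenChanged   # a recent change to a schema object deserves a look
        }
    }
}

# Compare the result with the list captured on a known-good forest: an
# attribute that appears only now had its auditing switched off since the baseline.
Get-UnauditedAttribute | Sort-Object Attribute | Format-Table -AutoSize
```

Some attributes carry this bit by default, so the useful signal is the difference from your own baseline rather than the absolute list; a schema change also requires Schema Admins, which is itself an event you want to see in the logs.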

Trusts without SID filtering enabled

If you have trusts without SID history filtering, a user from the trusted domain (with the appropriate permissions in their own domain) can inject a domain admin SID from your domain into their sIDHistory attribute and take over your domain.
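Whether SID filtering is in force is recorded in the trustAttributes bits of each trust object, and the bit to look at differs between external and forest trusts. The following is an added example and not the code of the original report; it assumes the RSAT ActiveDirectory module and reads the trusts of the current domain.

```powershell
# Added example, not the code of the original report.
# Checks the trustAttributes bits that govern SID filtering on each trust.
Import-Module ActiveDirectory

# Documented trustAttributes flag values.
$QUARANTINED_DOMAIN = 0x04   # SID filtering enforced on an external trust
$FOREST_TRANSITIVE  = 0x08   # forest trust
$WITHIN_FOREST      = 0x20   # intra-forest trust, SID filtering does not apply
$TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID history allowed (filtering relaxed)

function Get-TrustSidFilteringReport {
    Get-ADTrust -Filter * | ForEach-Object {
        $attr        = [int]$_.TrustAttributes
        $isForest    = ($attr -band $FOREST_TRANSITIVE) -ne 0
        $intraForest = ($attr -band $WITHIN_FOREST) -ne 0

        # External trusts need QUARANTINED_DOMAIN; forest trusts are filtered
        # unless TREAT_AS_EXTERNAL was set (netdom trust /enablesidhistory:yes).
        if ($intraForest)  { $type = 'IntraForest'; $filtered = $null }
        elseif ($isForest) { $type = 'Forest';      $filtered = ($attr -band $TREAT_AS_EXTERNAL) -eq 0 }
        else               { $type = 'External';    $filtered = ($attr -band $QUARANTINED_DOMAIN) -ne 0 }

        [PSCustomObject]@{
            Trust           = $_.Name
            Direction       = $_.Direction
            Type            = $type
            TrustAttributes = '0x{0:X}' -f $attr
            SidFiltering    = $filtered
            # Your domain is exposed on trusts where it trusts the remote domain,
            # shown as Outbound or BiDirectional from this side.
            Finding         = ($null -ne $filtered) -and (-not $filtered) -and ($_.Direction -ne 'Inbound')
        }
    }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize
```

Intra-forest trusts are reported with SidFiltering set to null on purpose: filtering cannot be enabled there, which is also why a compromised child domain compromises the whole forest.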

AdminSDHolder metadata

The replication metadata of the AdminSDHolder container is a nice thing to monitor: with it you can spot any modification of this very sensitive object.

Domain metadata

Like AdminSDHolder, the replication metadata on the domain naming context is quite a source of information. With it, you can track modifications of the group policy links at the domain level, the ACL, the password policy, etc.
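Both the AdminSDHolder and the domain checks above read the same thing, the per-attribute replication metadata (last originating change time, originating DC and version), so one function covers both. The following is an added example and not the code of the original report; it assumes the RSAT ActiveDirectory module and queries the PDC emulator, and the list of watched attributes is my choice.

```powershell
# Added example, not the code of the original report.
# Pulls replication metadata for AdminSDHolder and the domain naming context
# and keeps the attributes worth watching plus anything changed recently.
Import-Module ActiveDirectory

function Get-SensitiveObjectMetadata {
    param(
        [int]$Days = 30,
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    $domainDN = (Get-ADDomain -Server $Server).DistinguishedName
    $since    = (Get-Date).AddDays(-$Days)

    # Attributes whose change on these objects should always be explained
    # (ACL, GPO links, password and lockout policy, machine account quota).
    $targets = @(
        @{ Name = 'AdminSDHolder'; DN = "CN=AdminSDHolder,CN=System,$domainDN"
           Watch = @('nTSecurityDescriptor') }
        @{ Name = 'Domain'; DN = $domainDN
           Watch = @('nTSecurityDescriptor', 'gPLink', 'gPOptions', 'minPwdLength',
                     'pwdHistoryLength', 'maxPwdAge', 'minPwdAge', 'pwdProperties',
                     'lockoutThreshold', 'lockoutDuration', 'ms-DS-MachineAccountQuota') }
    )

    foreach ($t in $targets) {
        Get-ADReplicationAttributeMetadata -Object $t.DN -Server $Server -ShowAllLinkedValues |
        Where-Object { ($_.AttributeName -in $t.Watch) -or ($_.LastOriginatingChangeTime -ge $since) } |
        ForEach-Object {
            [PSCustomObject]@{
                Object        = $t.Name
                Attribute     = $_.AttributeName
                LastChange    = $_.LastOriginatingChangeTime
                Version       = $_.Version     # number of originating writes so far
                OriginatingDC = $_.LastOriginatingChangeDirectoryServerIdentity
                Recent        = $_.LastOriginatingChangeTime -ge $since
            }
        }
    }
}

Get-SensitiveObjectMetadata -Days 30 | Sort-Object Object, LastChange -Descending | Format-Table -AutoSize
```

The Version column is the part a plain "last modified" check misses: if the version of nTSecurityDescriptor on AdminSDHolder grew between two runs of the report, the ACL was rewritten, even when it was put back afterwards and the current descriptor looks normal.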


These are only a few of the Active Directory security risks that are easily identifiable. If you are aware of some more, let me know in the comments, I’ll be happy to add them to the report; if you know how to check them, you can send a pull request on the GitHub repo.

