Install RSAT First

Installing Microsoft’s Remote Server Administration Tools (RSAT) makes the Windows PowerShell Active Directory module available on everyday Windows workstations. This gives security professionals the capability to monitor the many properties of domain users and computers while maintaining the principle of least privilege: by default, Active Directory permissions grant authenticated users the read access required to list the contents of the directory without administrative privileges.

Introduction to Active Directory

Microsoft’s directory service, Active Directory (AD), enables centralized user and computer management techniques across domain networks. While Active Directory permits an efficient and organized administrative approach, it also provides security professionals with a means to continuously monitor their environment for associated security risks.

Introduction to Windows PowerShell

Windows PowerShell is a command-line shell that leverages .NET Framework to promote, among other things, task automation and configuration management. Built-in commands, known as cmdlets (pronounced Command-Lets), take the form of verb-noun (example: Get-Process) and offer an easily understood and user-friendly experience.

Getting Started: PowerShell Active Directory Module

The following steps will need to be performed in order to gain access to the Active Directory module’s PowerShell cmdlets:

  1. Install the Remote Server Administration Tools: The Remote Server Administration Tools (RSAT) are available for download on Microsoft’s website at: https://www.microsoft.com/en-us/download/details.aspx?id=45520.
    Note: Starting with Windows 10 October 2018 Update, RSAT is included as a set of “Features on Demand”. The tools can be installed by navigating to Manage Optional Features > Add a Feature. There is also an option to install the entire RSAT suite by running the following command as an Administrator in PowerShell:
    Get-WindowsCapability -Name "RSAT*" -Online | Add-WindowsCapability -Online
  2. Enable Active Directory Module for Windows PowerShell: After the Remote Server Administration Tools (RSAT) are successfully installed, navigate to Turn Windows features on or off > Remote Administration Tools > AD DS and AD LDS Tools > Active Directory Module for Windows PowerShell.
  3. Reboot the PC.
  4. Open Windows PowerShell and run the following command:
    Import-Module ActiveDirectory

Active Directory Module Cmdlets

In order to view the PowerShell cmdlets that are contained within the Active Directory module, run Get-Command -Module ActiveDirectory. Currently, the Active Directory module contains 147 distinct cmdlets. More information on each cmdlet can be found here.

The help output (Get-Help) for each of the cmdlets being demonstrated is reproduced in the following sections.

Get-ADUser

NAME: Get-ADUser
SYNOPSIS: Gets one or more Active Directory users.

SYNTAX:
Get-ADUser [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope {Base | OneLevel | Subtree}] [-Server <String>] -Filter <String> [<CommonParameters>]

Get-ADUser [-Identity] <ADUser> [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Partition <String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>]

Get-ADUser [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope {Base | OneLevel | Subtree}] [-Server <String>] -LDAPFilter <String> [<CommonParameters>]

DESCRIPTION:

The Get-ADUser cmdlet gets a user object or performs a search to retrieve multiple user objects.

The Identity parameter specifies the Active Directory user to get. You can identify a user by its distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name or name. You can also set the parameter to a user object variable, such as $<localUserObject> or pass a user object through the pipeline to the Identity parameter.

To search for and retrieve more than one user, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter.

Get-ADComputer

NAME: Get-ADComputer
SYNOPSIS: Gets one or more Active Directory computers.

SYNTAX:

Get-ADComputer [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope {Base | OneLevel | Subtree}] [-Server <String>] -Filter <String> [<CommonParameters>]

Get-ADComputer [-Identity] <ADComputer> [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Partition <String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>]

Get-ADComputer [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope {Base | OneLevel | Subtree}] [-Server <String>] -LDAPFilter <String> [<CommonParameters>]

DESCRIPTION:

The Get-ADComputer cmdlet gets a computer or performs a search to retrieve multiple computers.

The Identity parameter specifies the Active Directory computer to retrieve. You can identify a computer by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the parameter to a computer object variable, such as $<localComputerObject> or pass a computer object through the pipeline to the Identity parameter.

To search for and retrieve more than one computer, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter.

Active Directory Cmdlet Examples

Each cmdlet returns objects with their own set of attributes, called properties. Filters can be applied to an object’s properties to reduce command output (example: only producing enabled users). A few simple examples can be found below:

Formulate a list of enabled Active Directory Users:

Get-ADUser -filter {Enabled -eq $TRUE}

Formulate a list of enabled Active Directory Users that do not require a password to be set:

Get-ADUser -filter {Enabled -eq $TRUE -and PasswordNotRequired -eq $TRUE}

Formulate a list of enabled Active Directory Users whose password is set to never expire:

Get-ADUser -filter {Enabled -eq $TRUE -and PasswordNeverExpires -eq $TRUE}

Formulate a list of enabled Active Directory Users that DO NOT require Smartcard Authentication (PKI environment):

Get-ADUser -filter {Enabled -eq $TRUE -and SmartcardLogonRequired -eq $FALSE}

Formulate a list of a specific Active Directory User’s group membership associations:

Note: Replace ‘username’ with the User Name being assessed.

Get-ADUser -Identity username -properties MemberOf | Select-Object -ExpandProperty MemberOf

Formulate a list of enabled Active Directory Computers:

Get-ADComputer -filter {Enabled -eq $TRUE}

Formulate a list of enabled Active Directory Windows 7 Computers:

Get-ADComputer -filter {Enabled -eq $TRUE -and OperatingSystem -like "*Windows 7*"}

In order to export a cmdlet’s output into an organized .csv file, pipe it to Export-Csv:

Note: Replace ‘ExportPath’ with the path where the .csv file will be stored, and replace ‘FileName’ with the desired file name. Be sure to include the ‘.csv’ extension in ‘FileName’.

Get-ADComputer -filter {Enabled -eq $TRUE} | Export-Csv ExportPath\FileName.csv -NoTypeInformation
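The one-liners above can be combined into a single recurring ConMon sweep. The following script is an added example and is not part of the original article or the PowerStrux tool: it runs the three user-account filters shown above in one pass, requests the non-default properties explicitly, and writes one timestamped .csv per check. The function name, the check names, and the export folder are assumptions; the filters themselves are the ones already shown on this page.

```powershell
# Added example (not from the original article): run the user-account audit
# filters shown above in one pass and export one CSV per check for ConMon review.
# Assumes the ActiveDirectory module is installed (see the RSAT steps) and that the
# caller has the default authenticated-user read access to the directory.
Import-Module ActiveDirectory

# Check name (assumed label) -> the -Filter string used in the examples above.
$UserChecks = [ordered]@{
    'Enabled-PasswordNotRequired'  = 'Enabled -eq $true -and PasswordNotRequired -eq $true'
    'Enabled-PasswordNeverExpires' = 'Enabled -eq $true -and PasswordNeverExpires -eq $true'
    'Enabled-NoSmartcardRequired'  = 'Enabled -eq $true -and SmartcardLogonRequired -eq $false'
}

function Invoke-ADUserAudit {
    param(
        [Parameter(Mandatory)] [string] $ExportPath,  # folder that receives the CSV files
        [string] $SearchBase,                         # optional OU distinguished name to scope the search
        [string] $Server                              # optional domain controller or domain name
    )
    # Get-ADUser returns only a default property set; anything else must be requested.
    $Props = 'PasswordNotRequired', 'PasswordNeverExpires', 'SmartcardLogonRequired',
             'PasswordLastSet', 'LastLogonDate', 'MemberOf'
    $Stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null

    foreach ($Check in $UserChecks.Keys) {
        # Splat the parameters so the optional scope/server are only passed when supplied.
        $Query = @{ Filter = $UserChecks[$Check]; Properties = $Props }
        if ($SearchBase) { $Query.SearchBase = $SearchBase }
        if ($Server)     { $Query.Server     = $Server }

        $Results = Get-ADUser @Query | Select-Object `
            @{ Name = 'Check'; Expression = { $Check } },
            SamAccountName, DistinguishedName, PasswordLastSet, LastLogonDate,
            @{ Name = 'GroupCount'; Expression = { @($_.MemberOf).Count } }

        $File = Join-Path $ExportPath ('{0}-{1}.csv' -f $Check, $Stamp)
        $Results | Export-Csv -Path $File -NoTypeInformation
        Write-Host ('{0}: {1} account(s) -> {2}' -f $Check, @($Results).Count, $File)
    }
}

# Usage (the export path is a placeholder; -SearchBase/-Server are optional):
Invoke-ADUserAudit -ExportPath 'C:\ConMon\Reports'
```

Comparing the CSV from one run against the previous run shows which accounts newly match a check, which is the change a ConMon reviewer is usually looking for.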

For more support with PowerShell scripting, or to download the PowerStrux tool to support your ConMon requirements, visit PowerStrux.com

SecureStrux

As a cybersecurity firm with deep roots in the Department of Defense (DoD) cybersecurity community, we provide specialized services in the areas of compliance, vulnerability management, cybersecurity strategies, and engineering solutions. Since 2013, we’ve partnered with hundreds of organizations within and outside the DoD to understand and proactively manage their risk. Our strength within the DoD has allowed us to easily translate best practices to our clients in other industries including Energy, Manufacturing, Architecture, Education, and Aerospace.