When I was first being introduced to AD and ADUC in very early 2000s, my mentors pronounced it as 'A Duke' so that's how I've always pronounced it. Honestly, it sounds so much better to me. When I hear 'A Duck', I'm reminded of a vulgar expression I used to hear a lot in the 80s and 90s..."well, f**k a duck!" Also, I'm tempted to make quacking noises.
It has come to my attention that most people probably say 'A Duck' but I'm wondering...Am I the only one that says 'A Duke'?
You don't. You fucking don't decentralise control over user access especially if you're a Microsoft shop and don't want to deal with the immense hassle that will be your life if you were to do away with Active Directory all together.
Fuck I hate ads
So I've been in a tech role for a few years now. Went from help desk to infrastructure architect/product owner. I was doing something in AD and saw the "save search" option. Went and played with that a bit and realized you don't have to navigate to the actual OU to see attribute editor. You can just create a saved search and always search a users name or ID to get to what you want.
Anyone have any other tips?
Hi, former dude who is now a dude. This is just a friendly PSA to let y'all know to NEVER put sensitive information in your Active Directory description fields.
An attacker who has even the lowest level of access in Active Directory can dump all of that information with little effort, it's not safe or secure.
I know most of you will say, "What kind of idiot would ever put a password or social security number in an AD field?!" Well, I'll just say I've seen it more than once during pentests.
Also, don't circumvent your own corporate password policies!
Summary:
Small company, we wear many hats, looking for an AD Analyzer that doesn’t cost us 16k.
Looking to remediate misconfigurations and maintain drift without hiring additional resources.
So I am tasked with building out a network that follows various compliance regulations, and many of the requirements need some way to manage aspects of the devices that would require some centralized device management system, such as Active Directory. The current network uses AD and has an on-prem domain controller, but we are completely re-doing everything. The caveat here is that my manager is adamant against using Active Directory or Azure. The alternatives he has suggested would help manage user sign on to devices, but do not help with the more technical aspects (like group policy to disable USB ports, etc.).
My manager also wants to move a lot of stuff to AWS, so if there is an AWS service that is like a cloud-based Domain Controller (aside from setting up a Windows Server EC2 instance) that can manage on-prem devices that might be "acceptable" for him.
Any input would be much appreciated!
This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.
Hi guys, I hope you are all doing well. I have recently created a active directory hacking lab which includes attacks such as Certificates (ESC1,ESC4,ESC8), IPV6 DNS takeover, SMB relay, LLMNR poisoning, Webclient workstation takeover, DCsync, RBCD, Unconstrained Delegation, AS-REP Roasting, Kerberoasting, Shadow Credentials etc. I have created the lab in nat network and I would like to host the OVAs so anyone can download them and practice in the lab. I also have created the playlist explaining all the attacks (). Does anyone know of any platform where I can simply host the OVAs for free and anyone can download from there ?
The Lab Link:
Happy Hacking!!
Hi there,
Just been asked to create AD solution for 28+ million users. For some reason we have to have all valid users credentials in AD. Only going to be used external for authentication at the moment. I can see on that it should be possible but has anyone worked with this scale of users before? The most I've had on an AD before is about 2,000...
And yes, management says it has to be done this way.
Edit: Licensing on this thing looks like it'll be US$300K for just the External Connectors
Edit 2: Looks like will let me do this for free and still meet the security requirement. HA/Clustering looks interesting tho.
Edit 3: AD-LDS is not free for this use case :0(
Edit 4: Will report back when design and costing is done. Think it will be fine if just used for app authentication but more than 4GB RAM will be needed.
As stated in the title if anyone has any good resources they can link to I would appreciate it.
Disclaimer: I made this. It's free and open source. No ads, just clean, useful data provided in blog.
Here's a small PowerShell command/module I've written. It contains the following reports.
Usage:
Find-Events -Report ADGroupMembershipChanges -DatesRange Last3days -Servers AD1, AD2 | Format-Table -AutoSize
ReportTypes:
Computer changes – Created / Changed – ADComputerCreatedChanged
Computer changes – Detailed – ADComputerChangesDetailed
Computer deleted – ADComputerDeleted
Group changes – ADGroupChanges
Group changes – Detailed – ADGroupChangesDetailed
Group changes – Created / Deleted – ADGroupCreateDelete
Group enumeration – ADGroupEnumeration
Group membership changes – ADGroupMembershipChanges
Group policy changes – ADGroupPolicyChanges
Logs Cleared Other – ADLogsClearedOther
Logs Cleared Security – ADLogsClearedSecurity
User changes – ADUserChanges
User changes detailed – ADUserChangesDetailed
User lockouts – ADUserLockouts
User logon – ADUserLogon
User logon Kerberos – ADUserLogonKerberos
User status changes – ADUserStatus
User unlocks – ADUserUnlocked
DatesRanges are also provided. Basically what that command does it scans DC's for event types you want it to scan. It does that in parallel, it overcomes limitations of Get-WinEvent and generally prettifies output.
The output of that command (wrapped in Dashimo to show the data):
GitHub Sources:
Full article (usage/know-how):
The article describes the functionality of just one command but actually, PSWinReportingV2 is much more than that. There are also things I've not touched in the article but that should be a start. It's able to support any kind of Events from Event logs such as ADConnect, Hyper-V and other types of data. I just didn't have time to explain how to build configs for it and I don't work with Hyper-V or other systems to build them myself. If you know a lot about event logs and what to help to build prettified reports for more than Active Directory reach out.
Was talking to a recruiter, and he said one of his other clients wondered if it was worth listing AD experience because "nobody uses it anymore".
What is this attitude supposed to reflect? The impact of the cloud? The notion that MDM obsolesces group policy?
What are you using for monitoring Active Directory?
Hey there, former sysadmin turned pentester here. Recently, in almost every environment, I've been able to privesc from a regular user to Domain Admin using AD CS vulnerabilities.
I definitely recommend running or () to see if you can identify any vulnerabilities in your environment. As far as I know, this stuff won't come up on a Nessus scan. I know when I was a sysadmin I set this up insecurely (has now been fixed). However, AD CS is easy to set up without knowing some of the security implications of the configurations.
The guys over at Spectorops who came out with their paper on attacking AD CS () also have a good talk on "".
Edit: I linked both Certify and Certipy earlier. Certify is a windows application. Certipy is based on python. I prefer certipy. If you want to run certipy it’s pretty easy. One way is to setup a Kali VM. .
Then next through the Kali install. If it pulls dns and up from DHCP you should be good to go. After you’re in, open up a command prompt and type
pip3 install certipy-ad
Then run
certipy find -vulnerable -stdout -u lowprivuser@domain.local -p password
I wanted to introduce you today to my new PowerShell module. Actually a couple of them, and to remind you a bit about my other PowerShell modules. Hope you like this one. This PowerShell module is able to extract Active Directory data as can be seen below. If you want to find out more:
It covers usage, code explanation, examples, and a few other things. Generally all the know/how (no ads/no pay software). It's free and open source. All of it.
Links to sources:
PSWinDocumentation.AD - - the module that provides all the Active Directory data as one command.
Dashimo - - a module that is able to wrap that data into HTML
Emailimo - - a module that is able to wrap that data into Email and send it over
Documentimo - - a module that is able to wrap that data into WORD document (no word required)
Excelimo - - a module that is able to wrap that data into EXCEL document
Example output
HTML Version:
DocX Version:
Xlsx Version: (minimal)
Small code sample 1:
$Forest = Get-WinADForestInformation -Verbose -PasswordQuality $Forest
Small code sample 2:
$Forest = Get-WinADForestInformation -Verbose -PasswordQuality $Forest.FoundDomains $Forest.FoundDomains.'ad.evotec.xyz'
Small code sample 3:
$Forest = Get-WinADForestInformation -Verbose -PasswordQuality -DontRemoveSupportData -TypesRequired DomainGroups -Splitter "`r`n" $Forest
You can install it using:
Install-Module PSWinDocumentation.AD -Force
ForestInformation
ForestFSMO
ForestGlobalCatalogs
ForestOptionalFeatures
ForestUPNSuffixes
ForestSPNSuffixes
ForestSites
ForestSites1
ForestSites2
ForestSubnets
ForestSubnets1
ForestSubnets2
ForestSiteLinks
ForestDomainControllers
ForestRootDSE
ForestSchemaPropertiesUsers
ForestSchemaPropertiesComputers
DomainRootDSE
DomainRIDs
DomainAuthenticationPolicies
DomainAuthenticationPolicySilos
DomainCentralAccessPolicies
DomainCentralAccessRules
DomainClaimTransformPolicies
DomainClaimTypes
DomainFineGrainedPolicies
DomainFineGrainedPoliciesUsers
DomainFineGrainedPoliciesUsersExtended
DomainGUIDS
DomainDNSSRV
DomainDNSA
DomainInformation
DomainControllers
DomainFSMO
DomainDefaultPasswordPolicy
DomainGroupPolicies
DomainGroupPoliciesDetails
DomainGroupPoliciesACL
DomainOrganizationalUnits
DomainOrganizationalUnitsBasicACL
DomainOrganizationalUnitsExtendedACL
DomainContainers
DomainTrustsClean
DomainTrusts
DomainBitlocker
DomainLAPS
DomainGroupsFullList
DomainGroups
DomainGroupsMembers
DomainGroupsMembersRecursive
DomainGroupsSpecial
DomainGroupsSpecialMembers
DomainGroupsSpecialMembersRecursive
DomainGroupsPriviliged
DomainGroupsPriviligedMembers
DomainGroupsPriviligedMembersRecursive
DomainUsersFullList
DomainUsers
DomainUsersCount
DomainUsersAll
DomainUsersSystemAccounts
DomainUsersNeverExpiring
DomainUsersNeverExpiringInclDisabled
DomainUsersExpiredInclDisabled
DomainUsersExpiredExclDisabled
DomainAdministrators
DomainAdministratorsRecursive
DomainEnterpriseAdministrators
DomainEnterpriseAdministratorsRecursive
DomainComputersFullList
DomainComputersAll
DomainComputersAllCount
DomainComputers
DomainComputersCount
DomainServers
DomainServersCount
DomainComputersUnknown
DomainComputersUnknownCount
DomainPasswordDataUsers
DomainPasswordDataPasswords
DomainPasswordDataPasswordsHashes
DomainPasswordClearTextPassword
DomainPasswordClearTextPasswordEnabled
DomainPasswordClearTextPasswordDisabled
DomainPasswordLMHash
DomainPasswordEmptyPassword
DomainPasswordWeakPassword
DomainPasswordWeakPasswordEnabled
DomainPasswordWeakPasswordDisabled
DomainPasswordWeakPasswordList
DomainPasswordDefaultComputerPassword
DomainPasswordPasswordNotRequired
DomainPasswordPasswordNeverExpires
DomainPasswordAESKeysMissing
DomainPasswordPreAuthNotRequired
DomainPasswordDESEncryptionOnly
DomainPasswordDelegatableAdmins
DomainPasswordDuplicatePasswordGroups
DomainPasswordHashesWeakPassword
DomainPasswordHashesWeakPasswordEnabled
DomainPasswordHashesWeakPasswordDisabled
DomainPasswordStats
And just a small update on my Find-Events command... I've added one more report Organizational Unit Changes (move/add/remove). So the default list now covers:
ADComputerChangesDetailed
ADComputerCreatedChanged
ADComputerDeleted
ADGroupChanges
ADGroupChangesDetailed
ADGroupCreateDelete
ADGroupEnumeration
ADGroupMembershipChanges
ADGroupPolicyChanges
ADLogsClearedOther
ADLogsClearedSecurity
ADUserChanges
ADUserChangesDetailed
ADUserLockouts
ADUserLogon
ADUserLogonKerberos
ADUserStatus
ADUserUnlocked
ADOrganizationalUnitChangesDetailed (added in 2.0.10)
I've also added Credentials parameter which should provide a way for you to use a command from normal user PowerShell prompt. If you have no clue about that command yet - have a read here: otherwise:
Update-Module PSWinReportingV2
Enjoy :-)
The Juicy part: Ubuntu machines can join an Active Directory (AD) domain at installation for central configuration. AD administrators can now manage Ubuntu workstations, which simplifies compliance with company policies.
Ubuntu 21.04 adds the ability to configure system settings from an AD domain controller. Using a Group Policy Client, system administrators can specify security policies on all connected clients, such as password policies and user access control, and Desktop environment settings, such as login screen, background and favourite apps.
We have an Active Directory domain that is about to reach 50,000 users. When we built this domain over a decade ago, we built it with two on-prem DC's. We later added a DR site off-site at a server hosting facility, and that DR site has two additional DC's that replicate with the on-prem domain. I haven't thought about checking for any performance-related issues that might be caused by this volume of users so am curious about the following:
What kinds of issues might appear as a result of AD growth?
Is 50,000 users considered "too many" for two on-prem DC's (4 CPU, 16GB RAM each)?
What are the best ways to respond to those issues? Additional resources for existing DC's? or additional DC"s?
This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.
Short background: I work as a senior pentester (consulting, not internal) doing primarily network and assumed breach pentests for my clients.
The last few weeks I've been working an assumed breach test for a client and was able to privesc fairly quickly into the test. Nothing strange there, typical client AD weak/misconfigs.
While doing post-ex recon on the domain, I noticed something very strange when running BloodHound. Typically, the first thing I do after importing my collection zip into BH is I take a screenshot of the Domain Admins group as my simple "hey heres what bloodhound looks like" for my report walkthrough. Easy enough, right? Go into bloodhound, type "Domain Admins" into the search bar, select the DA group, expand the group members. Only issue is there wasn't a "Domain Admins" group in BH... like, at all. Okay, odd but I can work around that. Lets look at "Enterprise Admins".Odd again, it wasn't present. I thought maybe I pulled in a bad zip or my data was somehow corrupted in a way i've literally never seen before. So I type in "ADMINISTRATORS@<clientDomain>" to see if thats there and, lo and behold, it was there.
Returning to my assumed breach host, I run a simple powershell script to enumerate domain users that gets output to a csv and also run ldapdomaindump. Checking out ldapdomaindump, I see that "Domain Admins" is referenced in recursive group memberships, but is not an actual entry in my domain_groups* files. However, "Domain Admins" is listed in the group membership of several users in my domain_users* files.
Checking my powershell output, which includes the full DN for users' group membership, i DO see "Domain Admins" and "Enterprise Admins" DNs for several users. This is when i noticed something else strange about these privileged groups.
Typically, and by default, the "Domain Admins" and "Enterprise Admins" groups are within the "CN=Users, DC=<dom>, DC=<dom>" container. so DA for a domain of "shell.smoke" would have a DN of "CN=Domains,DC=shell,DC=smoke". But in my harvested data for my client's domain, the "Domain Admins" and "Enterprise Admins" groups were moved to a different container underneath Active Directory Administrative Center (CN=Domain Admins, OU=ADAC,...). This was absolutely wild to me, because never in my career had I seen an organization move the DA and EA groups to a completely new OU structure within AD.
I did some further testing to see what was going on. I hopped onto a DC with winrm and tried to lookup the groups by name, but got an error saying object not found, which i kind of expected by this point. But also kind of weird and kind of to be expected, using powershell to "resolve"/"translate" the full SID of these groups was successful, translating <DomainSid>-512 gave me "<CLIENTDOM>\Domain Admins". But then trying to get the AD object by directly referencing the SIDs ended up with the same result as referencing by name, object not found. Getting onto RDP on a DC and navigating through ADAC I was hopping I could find SOMETHING, literally anything, pointing to what had happened here. ADAC has a "Recycle Bin" of sorts, and there were entries in there but nothing related to what i was looking for.
Later on in testing I tried making a golden ticket with impacket, using the defaults that'll add the DA and EA SIDs into the ticket, and that did work to effectively give me DA access to hosts. Likewise, requesting a TGT for an account that was supposed to be in the privileged groups and using the describeTicket script from impacket to decrypt the "enc-part" of the ticket showed me it did have the appropriate group SIDs for the privileged groups.
Basically, I'm at a loss at what the hell is going on here. Attempting to do some googling on the topic pretty much just led to dead ends revolving around removing DA from hosts' local administrators group... so completely useless. Referencing Microsoft's documentation on security groups () did show me that you can in fact move some of the privileged groups out of the default container, like DA and EA, but not some others, like Administrators. That's interesting and all, but why would anyone do this and then seemingly remove the groups? I dont have a Windows Server image laying around to play with to see what this looks like from an admin's perspective, but would there be any kind of security or warning prompt if you tried to move these groups, and then again if you attempted to remove them? What kind of implications would these group NOT being present in AD have for their AD security? Clearly, based on my golden ticket, you can still inject the appropriate SIDs into a forged ticket and they'll be recognized, but if the objects don't exist in AD, considering i couldnt even reference them directly by SID, how could a Service properly determine whether an account with those SIDs in a ticket should be given access? Most EDR and AD monitoring services that are configured to monitor and alert on changes to privileged AD groups keep an active watch on the actual containers themselves, with limited ability (pretty much just Windows Event Logging) to identify rogue use of the groups.
Any insights, answers, thoughts on this would be greatly appreciated. I definitely intend to make some mention of this in my report, but since this is my first time encountering this I'm kind of at a loss for what the overall implication of this is and how this can even happen to begin with.
Welcome to Tales From Tech Support, the subreddit where we post stories about helping someone with a tech issue.
Was working on an issue for a user; they called in using this program called ResWare. We're going to call this user "Rani".
In ResWare, they export documents and such to MS office. This is pretty standard with pretty much any LOB programs that do reports/finances en masse. Okay, cool, traditional problem. Here we go, boys.
So she calls in telling me that she's having issues with opening documents in office. It was hard enough to understand with a combination of accent and the phone being muffled, but I like a challenge so let's see. I remote in to the machine and see the issue, office is asking for creds when logging in. Okay, so the product is unlicensed. Simple enough.
At this point, I had Rani log in. No good. Wouldn't take creds. Well, there could be a number of reasons for this but I don't feel like digging into them so I just had her try a few more times, same result. Okay, fine. I see how it is. Site uses O365 though, so let's see if they can even log into that.
So I had Rani log into this and it didn't work. Pass or username is no good. Ha. So it's a password problem. But it's never that simple. Here it comes. You can feel it. I felt it as soon as I saw those dreaded red letters.
Me: "All right! So it appears your password is wrong."
Rani: "It couldn't be. It was just working the other day."
Inner Me: "no. Stop. Don't do this to me, Rani. Don't. You're gonna make me get greasy with you."
Me: "I understand it may have been working the other day but sometimes this happens with O365 systems. Passwords expire or, for some random trick of the ether, they just stop working.
Okay, we all know passwords don't just "stop working", but most users don't inquire after that. I wish it would've been that simple.
Me: "Let me check something real quick for you..." *logs into O365 admin* "We may need to reset your password." *sees that account is synced with Active Directory. Victory, so they're using SSO.* "All right! So it seems your password is synced with AD, meaning they should all be the same. Try your computer login please."
Rani: i shouldn't have to do that. The passwords have always been different.
Inner Me: "I'm gonna have to do it to her. I'm REALLY gonna have to do it to her."
Me: "I understand that, but as of right now your account is synced with the server. This means that every password that is like that will be the same. Almost like one, big, easy to use system. Makes life much more streamlined for you."
Rani: "but I never had to do this before."
Me: "Let's try something..." *locks computer* "Login for me, please."
Rani logs in, after saying something about it. I noticed she typed in a stupid long password.
Me: "What password was that? The one you said your email pass was wasn't anywhere nearly as long as that."
Rani: "Yes, because the passwords are different."
The inner me at this point is furious like that character from Inside Out.
Me: "They're linked together, so let's try that." After she logged in, this verified her AD account wasn't locked
Pass didn't work in O365, I'm guaranteeing she half-assed it but whatever. I'm going to beat this issue to death if it kills me. Tried it several more times, no good.
Rani: "I don't know why this is taking so long. A previous tech from last week was able to do it in 2 seconds and it worked. I don't know why this is so difficult."
Inner Me: "Okay, so you're flipping telling me a tech did this LAST WEEK and did it completely wrong, which is why we're in this boat. I wonder who that was."
At this point she was getting that "you don't know what you're doing attitude" and I wasn't about to put up with that because it wouldn't have been good for either of us.
Me: "Okay, you know what..." *goes into O365 admin* "I'm going to reset your password in O365 here... and it'll work. Watch." *reset pass to what she wanted, had her log in and it worked fine* "Now look, here's what's going to happen. This account is going to work for an hour or two, maybe even a couple of days, BUT this system WILL sync back up to AD and your password WILL NOT WORK. All right?"
I suspected at this point she didn't want to talk to me anymore because she wouldn't hang around to test her original issue; not being able to send files from Resware to office because her products were unlicensed.
Rani: "I'll call you back if there are any other issues."
Me: "Mkay, here's your ticket number for if the issue reoccurs."
Then I proceeded to put in the internal notes about this foolish interaction because I'm not falling on that sword and having my own competency called into question. Nice enough lady to talk to, but as stubborn as a brick.
A subreddit for all things related to the administration of Apple devices.
Hi all,
Appreciate this has been done to death but just wanted some further thoughts and advice.
We have 10-15 mac devices on site, some are laptops the majority are iMacs. We need users to be able to sign into them using their AD credentials.
Currently, we would bind them to AD and use the 'Server' app from a mac-mini acting as a server, what with the Server app becoming more and more useless we're wanting to remove it entirely and more than likely just use Intune for policy and restrictions.
We've found historically after the devices being on the domain they get slow, whether this is just the device getting old or not I really don't know but free space is not the issue.
What do we think is best? It looks like using JAMF (NoMAD) is out of the question as they want 25 licenses minimum, so should we just bind them to AD and use Intune? OR is there another way we can get users to sign-in using their AD credentials?
Thanks in advance all.
This will either be one for the record books or something so dumb that I'll have to retire.
Premise: Trying to load a website and run a query. Works fine...until I add a computer to the domain.
All computers on the domain have a problem with this website. I KNOW WHAT YOURE THINKING, but I disabled ALL GPOs and fresh loaded windows/joined domain after, even then, website breaks.
No 3rd party Antivirus of any kind.
One of the more odd things is that the website works for about 5 minutes after being added to domain. After that Kaput.
I am truly baffled. 12+ years IT and 30+ hours on this issue alone. Please, help T.T
Edit. About to crash, I'll try all the new suggestions tomorrow and let everyone know how it goes.
==UPDATE==
I apologize for being ambiguous. I was being careful not to break any compliance. But I was authorized to give out the actual website this morning. The site we are using is
Simple recall lookup tool but we are bound to use THIS one due to customer restrictions. When the "issue" happens you get an error of.
"You have been redirected to this page because NHTSA's VIN search tool may be experiencing intermittent disruption due to routine maintenance, slow manufacturer response or heavy traffic to this page. To ensure you get the important information you are seeking, you can click on the appropriate vehicle maker below to go to its VIN search tool."
At first glance, I would assume that the issue was with the website. But after extensive testing, we determined that this only happens after adding the computer to our AD Domain. I do manage a couple other domains and none of them have this issue.
If you use Azure Active Directory, do you still need a domain controller? How would you handle permissions on a domain controller? I’m trying to get my head around moving from a Domain Controller to Azure Active Directory. We don't have BYOD. All laptops are company issued and I do have 10 Servers that run on a VM (VM Ware).
I have an older DC and am wondering if I really need to upgrade it or pivot to Microsoft Entra ID.
This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.
I had a buddy tell me the other day that his company doesn’t have much of a priority around Active Directory security or recovery (on prem and cloud) meanwhile the company I work at has been spending more and more time on securing pieces to this and improving recovery plans.
Is AD a concern for you guys as well or is it just my company having bad prioritization?
![r/itsaunixsystem - [The Simpsons S31E12] It rubs Unix but with ActiveDirectory Users](https://i.redd.it/oicu5ew8yey91.jpg)
