@eddiejennings said in Logging Domain user authentication failures: @travisdh1 said in Logging Domain user authentication failures: @eddiejennings No OSSEC, Wazuh, or some other security monitoring available? All of them monitor logins by default that I've looked at. Should be easy to customize a report for whatever you need. I haven't had to set this up in a Windows environment yet, so I'm also curious as to what you end up doing. We do have ExtraHop; however, it's not capturing all the traffic it should (and another team is in charge of its configuration), so using auditing on the domain controllers is a bit of a stop-gap measure. Ah. What an ..... effective use of resources. Good luck, ExtraHop is very nice, but like every other tool, it's useless untill deployed properly.

One that I love Get-ADPrincipalGroupMembership -Identity SOMEUSERNAME | Select name List all of the groups in which the user is a member.

I got you # This script will export all users of the specified domain, and their group memberships to a CSV file. The usefulness of this tool is expressed when # setting up new hire employees or reviewing domain membership permissions. # It's not advisable to store the user credentials required to run this script as they can be decrypted. This script is not designed to save these credentials but could be modified to do so. # Use of this script implies that you understand what it does, and will do to with regards to your Active Directory installation members and group memberships. # As designed there are no changes made to your installation, the script simply generates a report of members, and their group memberships. # Any changes to this script are the responsibility of the person/organization which made said changes. # We cannot be held responsible for your misuse or misunderstanding of this script as it was designed. # # # # # Imports Active Directory information Import-Module Activedirectory $credentials = Get-Credential # Prompts for user credentials default user is “ ”, enter an administrator account in the form of “domain-name\administrator-account” Get-ADUser -Credential $credentials -Filter * -Properties DisplayName,EmailAddress,memberof,DistinguishedName,Enabled | % { New-Object PSObject -Property @{ UserName = $_.DisplayName EmailAddress = $_.EmailAddress DistinguishedName = $_.DistinguishedName Enabled = $_.Enabled # Deliminates the document for easy copy and paste using ";" as the delimiter. Incredibly useful for Copy & Paste of group memberships to new hire employees. Groups = ($_.memberof | Get-ADGroup | Select -ExpandProperty Name) -join ";" } # The export path is variable change to desired location on domain controller or end user computer. } | Select UserName,EmailAddress,@{l='OU';e={$_.DistinguishedName.split(',')[1].split('=')[1]}},Groups,Enabled | Sort-Object Username | Export-Csv $ENV:UserProfile\Documents\User-Permissions.csv –NTI #Function Get-SaveFile($initialDirectory) #{ #[System.Reflection.Assembly]::LoadWithPartialName("System.windows.forms") | #Out-Null # #$SaveFileDialog = New-Object System.Windows.Forms.SaveFileDialog #$SaveFileDialog.initialDirectory = $initialDirectory #$SaveFileDialog.filter = "All files (*.*)| *.*" #$SaveFileDialog.ShowDialog() | Out-Null #$SaveFileDialog.filename #} # # # open dialog box to select the .nessuss file. #$InputFile = Get-OpenFile #$OutputFile = Get-SaveFile # # #$Contents = [io.file]::ReadAllText($inputfile) #$Contents = [io.file]::ReadAllText('C:\tools\wd\nessus\data\data.xml') #$Global:OutFile = [System.IO.StreamWriter] "c:\tools\wd\nessus\outfile.csv" # ##$InputFile #$OutputFile #

See the following for ideas as to how you can accomplish what you're seeking to do: https://macmule.com/2011/09/08/how-to-map-drives-printers-based-on-ad-group-membership-on-osx/

I've have used that ProfileWiz before by ForensiT, works really well.

@lakshmana The above helps me and its working but i need the output of that file to be append at the same .csv file which is not working.How to do that ?

@jaredbusch said in Small Restaurant Network Redesign: @scottalanmiller said in Small Restaurant Network Redesign: Also worth noting, there are some problematic switches at each site. Again, because the VAR was clearly trying to add complexity to up the support bill, and I'm having them put in simple, low cost, unmanaged Netgears to make this really simple and reliable. I detest NetGear switches. They generally work, but everytime I try to use one for something even half specific, they puke. Sites this small can use the EdgeSwitch 8 https://www.ubnt.com/edgemax/edgeswitch-8-150w/ And it will report into UNMS along with the routers. Plus it's actually a switch, hardware- and software-wise. Not a breadbox which jumps over the table because you "accidentally" attached a cable to it. (yeah, I know, some NetGears also feature a metal case but it's not the same).

@black3dynamite said in Least Privilege Accounts Setup: @zachary715 said in Least Privilege Accounts Setup: @jaredbusch said in Least Privilege Accounts Setup: @jaredbusch said in Least Privilege Accounts Setup: @zachary715 said in Least Privilege Accounts Setup: @jaredbusch said in Least Privilege Accounts Setup: I create an AD account specifically for local admin rights. This account information is ususally given to department managers. So if software or something needs installed, and they choose not to contact me, they can. They are also warned that fixing something will be billed... So you have one AD account setup that multiple department managers use when they need something that requires admin privileges? And then what you give that account local admin rights on each machine, or give it some sort of admin authority within the domain itself? That account gets local admin rights only. No other access. If I was an on site IT department, I woudl probably do it a bit different. I would have time to experiment and setup better methods. Yeah this is what I'm going through now and why I'm coming to the community to get input. Trying to think through this carefully and make sure I do it right and the way I want it done the first time. With the help of GPO Preferences, you could take advantage of using Item-level targeting for Local Users and Groups to fine tune who should have local admin privileges depending on the user, groups and/or computers. This is what I do. Works like a champ.

@scottalanmiller said in AD Emulation on *Nix: @jrc said in AD Emulation on *Nix: However the company that makes the software could care less about Windows client licensing, and as a franchisee they have zero options on using this software. Of course they don't care, the responsibility for that falls 100% onto the end client to ensure that they have properly licensed their environment. The vendor has zero responsibility here. Reminds me of a PBX appliance vendor that shipped their "server" with Windows XP Pro as the OS.

@dbeato said in Raising Domain/Forest from 2008 to 2016: What do I need to know?: @dashrender said in Raising Domain/Forest from 2008 to 2016: What do I need to know?: @scottalanmiller said in Raising Domain/Forest from 2008 to 2016: What do I need to know?: @tim_g said in Raising Domain/Forest from 2008 to 2016: What do I need to know?: Does Samba / Azure AD Sync allow you to Sync back passwords (and/or accounts) from O365 (to Samba)? I've never looked into that. Never tried, but should, as it is just AD. It shouldn't be able to tell that it isn't Windows. Well - that depends, does the sync client have to run on a Windows AD server? If not, then you probably can sync a Samba solution to Azure AD. You can run it on any Windows server, but the problem with Samba is the password hash doesn't get sync to Azure. https://lists.samba.org/archive/samba/2016-November/204564.html That thread is kinda old - I wonder if 4.5 fixed that?

@fateknollogee said in Server 2008 w Hyper-V infrastructure: needs upgrades!!: @tim_g said in Server 2008 w Hyper-V infrastructure: needs upgrades!!: This was on a MD1000, very old. MD1000...old school! I know those units. I've got 2 of them in storage gathering dust! I have 2x LSI 620J. I might just connect it with LSI 9207E HBA If you don't mind the 3 gbps bus, the MD1000s are amazing.

@kelly said in Setting up Linux to use Active Directory Certificate Services: @momurda said in Setting up Linux to use Active Directory Certificate Services: Have you gone to http://yourCA.domain.com/certsrv/mscep_admin If so is it showing a page like in the walkthrough? Have you tried without enrollment challenge password requirement? Yes to the first. I used the information there to run the mkrequest. I haven't tried without a password. Same error when no password is used in the mkrequest command.

@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video: @dave247 said in Do You Need Two AD Domain Controllers? SAMIT Video: .... haven't had the chance to dig in as I am a freaking "IT generalist" where I work. Youtube Video I have a video for everything these days. yep I just watched that one.. guess I can't call myself a Systems Administrator anymore (jk I totally am)

Another example taken from another script: import-module activedirectory $domain = "domain.mydom.com" $DaysInactive = 90 $time = (Get-Date).Adddays(-($DaysInactive)) # Get all AD computers with lastLogonTimestamp less than our time Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp | # Output hostname and lastLogonTimestamp into CSV select-object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | export-csv OLD_Computer.csv -notypeinformation

@dashrender From what I've seen, yeah.

Import-Module activedirectory $target = Get-ADOrganizationalUnit -Identity "OU=Disabled Computer Accounts,OU=Space,DC=Domain,DC=com" $computers = Get-ADComputer -filter {(enabled -eq "false")} foreach ($name in $computers) { Move-ADObject $name -TargetPath $target -verbose } Followup to above... this section would move the disabled computers to a 'disabled' OU.

My Favorite Ultra-VNC setup: Not all issues can fixed from command line alas, thus this recipe: uvnc: file.recurse: - source: salt://uvnc - name: 'c:\salt\uvnc' - makedirs: True cmd.run: - name: 'c:\salt\uvnc\state.cmd' module.run: - name: firewall.disable remeber to re-enable the firewall of the client when finished. (salt "client" firewall.enable) you will need to create uvnc folder (get it from UltraVNC portable builds) folder in your Salt master, in /srv/salt in it : winvnc.exe UltraVNC.ini state.cmd SecureVNCPlugin32.dsm (Optional Encryption plugin) Server_ClientAuth.pubkey (Optional Encryption server SSL handshake check) And in the state.cmd put the following: taskkill /f /im winvnc.exe sc stop uvnc_service sc delete uvnc_service "c:\salt\uvnc\winvnc.exe" -install "c:\salt\uvnc\winvnc.exe" -startservice sc config uvnc_service start= demand ipconfig | findstr /i "ipv4" And whenever you want to connect to client, run this in salt master: salt '172' state.apply uvnc And you will see the IP of the client, you will need to match the IP and if you made any custom setting like port number/encryption plugin with vnc viewer and connect to client.

@dbeato said in AD User Tool: Bulk AD User: @Dashrender Then, he needs to force it with Powershell no just a GUI.... Agreed.

@scottalanmiller said in Always Virtualize Domain Controllers: @black3dynamite said in Always Virtualize Domain Controllers: It would help if Microsoft would also recommend to always virtualize domain controllers. They do. They've been really clear on that from everything that I have seen. Last recommendation seen on microsoft official docs - maybe the italian ones: virtualize the AD first instance, keep a phisical one as second instance... don't understand the logic of this. but hey: their offical business support said I was not allowed to virtualise more than 2 VMs on hyper-v, even if there were linux

I'll add a note for clarity given the title... SaltStack does not do authentication like AD does. AD does not do patching of any sort like Salt does. Salt is an alternative to common myths about AD functionality, but not to actual AD functionality. But you can use Salt to do distributed local authentication management, which does replace the need for AD, but is very different than what is being discussed here. In this case Salt is replacing GPO, not AD.

@msff-amman-Itofficer said in Beginner SaltStack Question: Can minions be placed in folders or groups ? (Coming from AD perspective): @scottalanmiller ohh shit, how did that get passed me... Great, thanks again.

@Mike-Davis said in Authenticate Laptops to Wifi against ActiveDirectory: and on the Meraki side, you chose WPA2 Enterprise, correct? Definitely WPA2 on the Meraki. I'll check my conditions though. Thanks for the tip.

@scottalanmiller said in Nethserver for FTPS/SFTP: @alefattorini said in Nethserver for FTPS/SFTP: It should work flawlessly, do you have any issue? I guess a big question is, with Nethserver is.. does it "just work" or is there a setting that needs to be selected? Not sure if this is the default behaviour or not. Mostly this. I haven't done anything with it yet and before I invest the time, I'd like to know if it possible and/or how difficult it is, especially since a co-worker claims that it did not and he went with IIS to get the same task done (and then he sat there cursing the whole day because he doesn't like Microsoft products).

@Mike-Davis said in AD CS hosed - anyone have any experience?: @scottalanmiller said in AD CS hosed - anyone have any experience?: So the SBS is the one and only AD in this case? Sorry, I think we're interpreting the word cluster differently here. When I read that I though you were talking about Microsoft Cluster Server - which is a different technology than multiple domain controllers. He had three domain controllers. In that case, how do you recover from something like this? Since the FSMO roles are on a 2003 server, do you start running through the various esentutl.exe commands? Right, I'm talking about an AD application cluster (the set of domain controllers for one domain.) SBS has to be the root controller in order to work. And if you have a cluster (this isn't AD specific but is a general thing about clustering) you can't do restores. If you restore a cluster node like this, you corrupt the entire cluster in many cases, if you are lucky just one node. AD DCs form a database cluster under the hood, which is how they handle failovers, but that means that you have to protect them like a normal database cluster and let them resync from a rebuild, never do a restore. https://community.spiceworks.com/topic/1988106-ad-logins-dont-work-after-baremetal-restored-windows-2008-dc Yes, you'll likely need to seize roles on one of the 2012 R2 machines and just retire the SBS 2003 machine.