https://evotec.xyz/fr/tags/ad/index.atom.xml2024-08-25T13:14:39.0000000ZEvotec Main Websitehttps://evotec.xyz/fr/blog/mastering-active-directory-hygiene-automating-stale-computer-cleanup-with-cleanupmonster2024-08-25T13:14:39.0000000Z

Have you ever looked at your Active Directory and wondered, “Why do I still have computers listed that haven’t been turned on since World Cup 2016?” Yeah, we’ve all been there. Keeping AD clean and up-to-date is like trying to organize your garage—it’s easy to put off until it becomes a total mess.

https://evotec.xyz/fr/blog/report-active-directory-accounts-that-are-synchronized-with-azure-ad2023-08-07T13:21:18.0000000Z

I was scrolling X (aka Twitter) today and saw this blog post, “PowerShell: Report On-Premises Active Directory Accounts that are Synchronized with Azure AD Connect” by Kevin Trent. I like reading blog posts as I tend to learn some new things and see how people tend to solve their problems.

https://evotec.xyz/fr/blog/strengthening-password-security-in-active-directory-a-powershell-powered-approach2023-05-28T14:40:25.0000000Z

PasswordSolution uses the DSInternals PowerShell module to gather Active Directory hashes and then combines that data into a prettified report. If you have ever used DSInternals, you know that while very powerful, it comes with raw data that is hard to process and requires some skills to get it into a state that can be shown to management or security.

https://evotec.xyz/fr/blog/reporting-group-membership-for-critical-active-directory-groups2022-08-07T11:57:28.0000000Z

I work a lot with Active Directory-related tasks. One of the tasks is to know the group membership of critical Active Directory Groups such as Domain Admins, Enterprise Admins, Schema Admins, Event Log Readers, and a few others that are a bit less known. As I did it, I got bored of typing the group names repeatedly and decided that enough was enough and there must be an easier way for me to do that.

https://evotec.xyz/fr/blog/finding-duplicate-dns-entries-using-powershell2022-07-24T16:48:21.0000000Z

Today’s blog post is about Active Directory-integrated DNS and how to find duplicate entries. By duplicate, I mean those where one DNS name matches multiple IP addresses. While some duplicate DNS entries are expected, in other cases, it may lead to problems. For example, having a static IP assigned to a hostname that later on is also updated with dynamic entries.

https://evotec.xyz/fr/blog/finding-duplicate-spn-with-powershell2021-12-07T15:32:01.0000000Z

Duplicate SPNs aren’t very common but can happen in any Active Directory as there’s no built-in way that tracks and prevent duplicate SPN’s. One has to either know all SPN’s in the environment, track them or check each time whether it already exists or not. Things get more complicated with larger Active Directory environments as people change, new apps are added, old apps are forgotten, but SPNs prevail.

https://evotec.xyz/fr/blog/monitoring-ldaps-connectivity-certificate-with-powershell2021-03-02T17:53:05.0000000Z

Some time ago, I wrote a blog post on checking for LDAP, LDAPS, LDAP GC, and LDAPS GC ports with PowerShell. It mostly works, but it requires a tad bit of effort, and it doesn’t cover the full scope that I wanted. Recently (well over 3 years ago), Chris Dent shared some code that verifies the LDAP certificate, and I thought this would be good to update my cmdlets to support just that with a bit of my own magic on top.

https://evotec.xyz/fr/blog/using-win32_useraccount-wmi-filter-in-powershell-group-policies-and-what-to-avoid2020-06-02T15:45:54.0000000Z

Some months ago, I created PowerShell Script to create local administrative users on workstations – Create a local user or administrator account in Windows using PowerShell. It’s a bit overcomplicated, but the goal was it should work for Windows 7 and up, and that means supporting PowerShell 2.0. As part of that exercise, I’ve been using Win32_UserAccount WMI based query to find local users and manage them to an extent. While Get-LocalUser exists, it’s not suitable for the PowerShell 2.0 scenario. I also use the same query in GPO for WMI filtering. You can say it’s been a good friend of mine.

https://evotec.xyz/fr/blog/what-do-we-say-to-health-checking-active-directory2019-09-08T15:48:39.0000000Z

Setting up a new Active Directory is an easy task. You download and install Windows Server, install required roles and in 4 hours or less have a basic Active Directory setup. In an ideal world that would be all and your only task would be to manage users, computers, and groups occasionally creating some Group Policies. Unfortunately, things with Active Directory aren’t as easy as I’ve pictured it. Active Directory is a whole ecosystem and works well ranging from small companies with ten users to 500k users or more (haven’t seen one myself – but so they say!). When you scale Active Directory adding more servers, more domains things tend to get complicated, and while things on top may look like they work correctly, in practice, they may not. That’s why, as an Administrator, you need to manage Active Directory in terms of its Health and Security. Seems easy right? Not quite. While you may think you have done everything, checked everything, there’s always something missing. Unless you have instructions for everything and can guarantee that things stay the same way as you left them forever, it’s a bit more complicated. That’s why Microsoft delivers you tools to the troubleshoot your Active Directory, such as dcdiag, repadmin and some others. They also sell monitoring solutions such as Microsoft SCOM which can help and detect when some things happen in your AD while you were gone. Surely there are some 3rd party companies give you some tools that can help with a lot of that as well. Finally, there is lo of folks within the community creating PowerShell scripts or functions that help with some Health Checks of your Active Directory.

https://evotec.xyz/fr/blog/active-directory-instant-replication-between-sites-with-powershell2019-07-21T13:31:06.0000000Z

In Active Directory when you change something, it’s replicated to other Domain Controllers regularly. It’s a standard procedure that happens automatically in the background for you. It’s a handy feature because you can have multiple DC’s all over the world and have your users data in sync. You can change almost anything on DC nearest to you and be sure it will be the same value all over the place. But is it always the same? Well, it should be unless it isn’t. Today I was given a new migration from Exchange to Office 365. I started with ADConnect installation and wanted to make sure that UserPrincipalNames have all UPNSuffixes in place.

https://evotec.xyz/fr/blog/getting-bitlocker-and-laps-summary-report-with-powershell2019-07-11T17:07:22.0000000Z

Having Bitlocker and LAPS in modern Active Directory is a must. But just because you enable GPO and have a process that should say Bitlocker and LAPS are enabled doesn’t mean much. Now and then you should verify things yourself. One of the Facebook users on PowerShell group just had this idea of exporting Bitlocker keys and then giving that list to his colleagues for manual verification. He wanted to do it half PowerShell and half manually. While the idea was great, why not take full advantage of PowerShell and have a helpful report with all the necessary information?

https://evotec.xyz/fr/blog/fixing-active-directory-passwordnotrequired-with-powershell2019-06-25T10:29:44.0000000Z

There was I, deploying PSPasswordExpiryNotifications for one of my Clients when I started getting complaints that some users are not getting their Password Expiry Notifications. Well, that’s a new one. I’ve tested this script multiple times, and it worked just fine. So I dive into the details of my script to see what I did in there (I don’t even remember anymore – it just works) to find out this little line:

https://evotec.xyz/fr/blog/the-only-powershell-command-you-will-ever-need-to-find-out-who-did-what-in-active-directory2019-04-28T15:52:32.0000000Z

While the title of this blog may be a bit exaggeration, the command I’m trying to show here does it’s best to deliver on the promise. What you’re about to witness here is something I’ve worked on for a while now, and it meets my basic needs. If you don’t have SIEM product or products that monitor who does what in Active Directory this command makes it very easy, even for people who don’t have much experience in reading Event Logs. If you’d like to learn about working with Windows Event Logs here’s a great article I wrote recently – PowerShell – Everything you wanted to know about Event Logs and then some.

https://evotec.xyz/fr/blog/active-directory-the-directory-service-was-unable-to-allocate-a-relative-identifier2019-03-27T20:39:25.0000000Z

I’ve been testing Disaster Recovery scenario restoring Active Directory. One of the servers was restored, and it worked for a moment after restore. If you can regain your Primary DC, it’s best to do so. If you can’t, a standard thing to do during DR is to move all FSMO roles to the restored server so that it can become a master server. You can find out your FSMO holders by using those commands below:

https://evotec.xyz/fr/blog/how-to-find-different-server-types-in-active-directory-with-powershell2019-02-06T18:25:30.0000000Z

Working as a freelancer is a great thing if you can handle it. Each day, each week something new happens and a new problem shows up on my doorstep. It also means it’s almost never boring at your job and you get to play with new stuff. But there’s one drawback to this. You’re often thrown at the problem, told to fix it but often that’s about as much information as you get. It wasn’t very different today. I was told to switch Office 365 from ADFS to Password Synchronization. While reasons for this are not really important, the important question here is what is the name of AD Connect server that’s responsible for this configuration?

https://evotec.xyz/fr/blog/pswindocumentation-audit-active-directory-passwords2018-10-07T17:57:42.0000000Z

If you’re paying attention to what’s happening around the world now you probably know Have I Been Pwned service by now. You probably know that it has huge lists of hashes of passwords that leaked out over the years from different services (LinkedIn, Adobe, and so on). This means those passwords are now in possession of good guys, but also bad guys. With Active Directory being often a central place to store your password that allows you to access your Office 365 account, ADFS, Microsoft Exchange it’s important that your AD passwords is both secure and safe. Bad guys may want to try and access your email accounts or other data that’s available online. And having a list of passwords you or other people may have used before doesn’t help you in protecting your own data.

https://evotec.xyz/fr/blog/pswindocumentation-version-0-1-with-word-excel-export2018-08-23T20:07:04.0000000Z

A few weeks ago I’ve released my first version of PSWinDocumentation. It was simple, one command module where you start it and get some basic AD stuff into Microsoft Word document. Today… I’m releasing a new version that has a bit bigger feature set. Are you ready for it? Let’s go!

https://evotec.xyz/fr/blog/pswinreporting-1-0-is-out2018-06-10T09:26:45.0000000Z

Few months after initial release a new public version of PSWinReporting 1.0 is released. While the name might not be…

https://evotec.xyz/fr/blog/just-different-approach-to-active-directory-password-notifications2018-05-23T15:12:36.0000000Z

A long time ago I’ve maintained a C# version of Password Expiry reminders. It was working based on HTML templates…

https://evotec.xyz/fr/blog/get-eventslibrary-ps1-monitoring-events-powershell2018-04-19T09:48:35.0000000Z

This event library (Get-EventsLibrary.ps1) is PowerShell script that parses Security (mostly) logs on Domain Controllers. It has few reports capabilities…

https://evotec.xyz/fr/blog/whats-new-event-monitoring-v0-72018-03-27T19:36:29.0000000Z

I’ve further optimized code and added some more health checks so that the process is a bit smoother. You can…

https://evotec.xyz/fr/blog/synchronizing-active-directory-external-time-source2018-01-24T16:33:18.0000000Z

One of the crucial parts in modern IT world is proper time and date. While it may seem that 30…