ADFind

ADFind is a helpful Active Directory search utility that you can use to query Active Directory. It is developed by Joe Richards, an IT admin who is also a Microsoft MVP and who runs ActiveDir.org.

It can be used to query Active Directory for user accounts, groups, OUs, containers, Schema elements and other resources based on a variety of advanced search criteria. It is a command-line tool, and once you have learnt its command-line options, it is rather easy to use.


ADFind is a helpful AD search tool and it runs on numerous operating systems ranging from Windows XP to Windows Server 2008. Although LDP.exe can do everything ADFind can, the advantage of AdFind is that it can be run from the command-line. The only noticeable downside is that it is not supported.

Although ADFind is free, and that's good, it's not supported, so one can get stuck on one's own when encountering issues, and the downside of that is that it eats up time.

+ Pros: Free, Command-line, Can be used for most advanced LDAP querying and reporting as long as you know LDAP, Portable

- Cons: Unsupported, No advanced reports such as True-Last-Logon etc., Not sure how secure it is, or if it is signed.
 
Summary: AdFind is a very good and useful command-line AD reporting tool and can be used to generate numerous basic reports. It falls short in terms of being able to fulfill advanced needs though, such as in helping admins audit Active Directory access correctly.

Windows Powershell

Windows PowerShell is a free, extensible automation engine from Microsoft, consisting of a command-line shell and an associated scripting language.

It is NOT (repeat it is not) a TOOL.

It is an automation engine that relies on the Microsoft .NET Framework and involves the execution of cmdlets, which are essentially specialized .NET classes that implement specific operations.

It can however be used to perform a variety of functions on the Windows Platform. It can also be used to query data from Active Directory and to perform common day-to-day aspects of AD management.



One advantage of using Powershell is that it makes it easy for IT admins to derive greater value out of their efforts in scripting so they can automate (at least parts of) common day-to-day IT management and reporting tasks. It also lets IT admins leverage the work of other admins as these scripts can be shared with the community.

The disadvantage of PowerShell is that it relies largely on the development of scripts, and even though it makes it easier to derive greater value from scripts, it certainly leaves room for human error. It also takes additional effort to produce reports that are presentable enough to submit as audit or regulatory-compliance evidence.

In my research, I have found that the disadvantages of PowerShell can be made up with a good Active Directory Audit/Reporting Tool. However, there are many Active Directory reporting tools out there and it is difficult to select one that's right for you. In case it helps, I've found the best collection of Active Directory security tools here.

+ Pros: Free, Can be used to simplify day-to-day IT management tasks and perform basic AD reporting

- Cons: Limited in its ability to generate custom IT management and security reports (e.g. True Last Logon), Relies on scripts which can be prone to human error, Relies on executing code written by someone else in a trusted environment

Download Point: To install PowerShell, you need to download and install the Windows PowerShell Installation Package

Summary: PowerShell for Windows is very powerful and can certainly help automate basic Active Directory reporting needs. However, there are still some things that are very difficult to do with PowerShell, such as correctly auditing Active Directory permissions.
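The "True Last Logon" report listed under Cons is a good test of what a script can do for audit reporting. The following is an added example (not code from the original post) that queries the non-replicated lastLogon attribute on every domain controller and keeps the newest value per user; it assumes a domain-joined host with read access and uses only .NET DirectoryServices, so no AD module is needed.

```powershell
# Added example, not from the original post or any of the tools it reviews.
# "True last logon": lastLogon is NOT replicated, so each DC holds only the logons
# it serviced, while the replicated lastLogonTimestamp lags by up to 14 days.
# Querying every DC and keeping the newest value gives the real answer.
# Assumes a domain-joined host with read access to the domain.

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$baseDn = 'DC=' + ($domain.Name -split '\.' -join ',DC=')   # corp.example.com -> DC=corp,DC=example,DC=com

# LDAP filter: user objects whose ACCOUNTDISABLE bit (0x2) is clear
$filter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

function Convert-FileTimeUtc([long]$Value) {
    # AD large integers are FILETIME: 100 ns ticks since 1601-01-01 UTC; 0 means "never"
    if ($Value -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($Value)
}

$trueLastLogon = @{}   # sAMAccountName -> newest logon seen on any DC (or $null)
foreach ($dc in $domain.DomainControllers) {
    try {
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$baseDn")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, @('sAMAccountName', 'lastLogon'))
        $searcher.PageSize = 1000   # paged results, or large domains are truncated at 1000 entries
        foreach ($r in $searcher.FindAll()) {
            $sam = [string]$r.Properties['samaccountname'][0]
            if (-not $trueLastLogon.ContainsKey($sam)) { $trueLastLogon[$sam] = $null }
            if ($r.Properties['lastlogon'].Count -eq 0) { continue }
            $seen = Convert-FileTimeUtc ([long]$r.Properties['lastlogon'][0])
            if ($seen -and ($null -eq $trueLastLogon[$sam] -or $seen -gt $trueLastLogon[$sam])) {
                $trueLastLogon[$sam] = $seen
            }
        }
    } catch {
        # An unreachable DC means results for its users may be stale; report it rather than hide it
        Write-Warning "Could not query $($dc.Name): $($_.Exception.Message)"
    }
}

# Presentable output for an audit: one row per user, oldest (or never) logons first
$trueLastLogon.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ User = $_.Key; TrueLastLogonUtc = $_.Value } } |
    Sort-Object TrueLastLogonUtc |
    Export-Csv -Path .\TrueLastLogon.csv -NoTypeInformation
```

A user whose TrueLastLogonUtc is empty has never logged on interactively at any reachable DC, which is exactly the stale-account case an audit wants surfaced.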

dsacls

DsAcls is a free command-line utility provided by Microsoft that can be used to view and change security permissions on Active Directory objects.


For all practical purposes, it is the command-line equivalent of the Security tab in the Properties dialog box for an Active Directory object in Active Directory tools, such as Active Directory Users and Computers.

It can be used to view the DACL of any Active Directory object. It can also be used to add a new permission to, or remove an existing permission from, an Active Directory object. dsacls is a very useful tool because it lets you manage Active Directory security permissions from the command line.

One of the capabilities of dsacls is the ability to view effective permissions in Active Directory. AD effective permissions are very important for Active Directory security, because they help determine who actually has what delegated access rights on important Active Directory objects.

However, I have found that it is unable to accurately determine AD effective permissions, which unfortunately makes it difficult to rely upon. Upon some research I found that Active Directory Effective Permissions display incorrect information and thus cannot be relied upon.


+ Pros: Free, Can be used to view and modify the security permissions on a single Active Directory object

- Cons: Cannot be used to identify where all a user/group might have permissions in Active Directory, plus its effective permissions capability yields incorrect results.

Download Point: dsacls can be downloaded from here.

Summary: dsacls is a powerful command-line tool that can help view and dump/export Active Directory permissions/ACLs. It is also free and supported by Microsoft. Once you know how to use it well, it can also be used to analyze Active Directory permissions, although not as well as one could with a professional-grade Active Directory Permissions Analyzer.

dsrevoke

Dsrevoke is a command-line tool that can be used to identify the location of all permissions that may be specified for a specific user or group in a domain. It can also be used to remove all permissions specified for a particular user or group on OU objects as long as they are explicit in nature.

It was primarily provided by Microsoft to complement the functionality provided by Microsoft's Delegation of Control Wizard, which can be accessed from the Microsoft Active Directory Users and Computers (ADU&C) Snap-in and which is used to delegate administrative authority.

dsrevoke complements ADU&C by providing the ability to revoke delegated administrative authority.
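The gap between the two tools (dsacls works on one object; dsrevoke finds where a principal has explicit permissions) can also be covered from PowerShell. This is an added example, not code from the original post or from dsacls/dsrevoke; it assumes the RSAT ActiveDirectory module (whose AD: drive backs Get-Acl) and a placeholder principal name, and lists every OU and the domain root carrying an explicit, non-inherited ACE for that principal so delegated rights can be reviewed before anything is revoked.

```powershell
# Added example, not part of the original post or of dsacls/dsrevoke.
# Inventories explicit (non-inherited) ACEs for one user or group across the
# domain root and every OU, which is the "where does this principal have
# permissions" question dsacls cannot answer. Assumes the RSAT ActiveDirectory
# module; $principal is a placeholder to replace with the real delegated group.

Import-Module ActiveDirectory
$principal = 'CORP\HelpDesk-L1'   # placeholder: delegated user or group to look for

# A few well-known control-access-right GUIDs so the report reads as names, not GUIDs
$rightsGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '00000000-0000-0000-0000-000000000000' = 'All'
}

# Domain root first, then every OU (explicit ACEs on containers like CN=Users are out of scope here)
$targets = @((Get-ADDomain).DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        # Explicit ACEs only: an inherited ACE is reported on the object where it was set
        if ($ace.IsInherited) { continue }
        if ($ace.IdentityReference.Value -ne $principal) { continue }   # -ne is case-insensitive
        $guid = $ace.ObjectType.ToString()
        [pscustomobject]@{
            Object      = $dn
            Type        = $ace.AccessControlType          # Allow or Deny
            Rights      = $ace.ActiveDirectoryRights      # e.g. ExtendedRight, WriteProperty
            AppliesTo   = if ($rightsGuids.ContainsKey($guid)) { $rightsGuids[$guid] } else { $guid }
            Inheritance = $ace.InheritanceType            # None, All, Descendents, ...
        }
    }
}
$report | Sort-Object Object | Format-Table -AutoSize
```

Run it before and after a dsrevoke (or Delegation of Control Wizard) change and diff the two outputs; that is the evidence an auditor will actually ask for.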

+ Pros: Free, Can be used to find out where all a user or group has permissions specified in AD OUs

- Cons: Severely limited in its ability to find out where else a user/group has permissions, and/or identify where all a user/group has what type of permissions

Download Point: dsrevoke can be downloaded from here.

Tip: Although dsrevoke can be used to view Active Directory inherited/delegated permissions, if you're looking to do any kind of serious permissions analysis, check out Microsoft's acldiag tool.

LDP.exe for Active Directory

Microsoft also provides a free Windows 2000 Support Tools utility called LDP.exe which can be used to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory for specific information given specific search criteria.

LDP can be used to perform advanced LDAP queries against Active Directory, use a variety of LDAP controls, specify advanced connection, binding and search result options and view objects, object meta-data and raw Security Descriptors as well.

One advantage of LDP is that it is a standards-compliant Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory.

LDP can be used to specify and execute any valid LDAP query and thus generate reports that are more advanced than those generated via the standard administrative MMC tools provided by Microsoft Windows Server. It can be used to generate advanced time-based reports as well, but it requires you to specify all the technical details in LDAP parlance, which can make it a little cumbersome unless you're adept at writing LDAP queries and performing 64-bit time value conversions, etc.

Tip: I first looked for ldp in the hope of being able to find which users have restricted logon hours specified in our AD. Unfortunately, I could not do so with LDP, since analyzing logon-hours takes a bit more work.

All in all, it's a good tool to have and use if you want to look under the hood of your Active Directory. Another helpful tool to consider if you need to perform advanced AD security analysis is this one.
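The logon-hours question raised in the tip above is a case where LDP can fetch the attribute but not interpret it: logonHours is a 21-byte bitmask (168 bits, one per hour of the week starting Sunday 00:00 UTC, least-significant bit first within each byte, a set bit meaning logon is permitted). The following is an added example, not code from the original post, that decodes it for every user whose hours are actually restricted; it assumes a domain-joined host and uses .NET DirectoryServices directly.

```powershell
# Added example, not part of the original post. Finds users whose logonHours
# attribute restricts when they may log on and decodes the bitmask per weekday.
# Bit (day*24 + hour) of the 168-bit mask, LSB first in each byte, = allowed hour (UTC).
# An absent attribute, or all 21 bytes 0xFF, means no restriction.

function ConvertFrom-LogonHours([byte[]]$Bits) {
    # Returns an ordered table: weekday -> permitted UTC hours ('all', 'none', or a list)
    $days   = [Enum]::GetNames([System.DayOfWeek])   # Sunday..Saturday
    $ranges = [ordered]@{}
    for ($d = 0; $d -lt 7; $d++) {
        $allowed = @(0..23 | Where-Object {
            $h = $d * 24 + $_
            ($Bits[[int][math]::Floor($h / 8)] -band (1 -shl ($h % 8))) -ne 0
        })
        $ranges[$days[$d]] = if ($allowed.Count -eq 24) { 'all' }
                             elseif ($allowed.Count -eq 0) { 'none' }
                             else { ($allowed | ForEach-Object { '{0:00}' -f $_ }) -join ',' }
    }
    return $ranges
}

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root     = $domain.GetDirectoryEntry()
# Presence filter: only users that have logonHours set at all
$filter   = '(&(objectCategory=person)(objectClass=user)(logonHours=*))'
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, @('sAMAccountName', 'logonHours'))
$searcher.PageSize = 1000

$restricted = foreach ($r in $searcher.FindAll()) {
    [byte[]]$hours = $r.Properties['logonhours'][0]
    # All-0xFF is the "no restriction" value ADUC writes back; skip those
    if (@($hours | Where-Object { $_ -ne 0xFF }).Count -eq 0) { continue }
    [pscustomobject]@{
        User              = [string]$r.Properties['samaccountname'][0]
        PermittedUtcHours = ConvertFrom-LogonHours $hours
    }
}
$restricted | Format-List
```

Hours are reported in UTC as stored; the Users and Computers dialog shows the same mask shifted to the admin workstation's local time zone, so compare accordingly.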

+ Pros: Free, Can be used for advanced LDAP querying and basic AD reporting

- Cons: Limited in its ability to generate custom IT management and security reports (e.g. True Last Logon)

Download: ldp.exe is a part of the Windows Server 2003 Service Pack 2 32-bit Support Tools set and can be downloaded from here.

Standard Microsoft Active Directory Management Tools (Active Directory Users and Computers)

Microsoft Windows Server ships with a standard set of Microsoft Management Console (MMC) Snap-Ins that can be used to manage various aspects of Active Directory, including managing your OU hierarchy, implementing your delegation model, and creating, modifying and managing the life cycle of user accounts and security groups.


There are four MMC Snap-Ins that can help you manage various aspects of AD:

  1. Active Directory Users and Computers Snap-In - This MMC snap-in, also known as ADU&C, is the main tool used to create and manage your Active Directory hierarchy, create and delete OUs and Containers, and create and manage user accounts, security groups and other IT resources.
  2. Active Directory Domains and Trusts Snap-In - This snap-in is used to establish, configure and manage trust relationships between various domains and forests. You can use it to create shortcut trust relationships, external trust relationships, and cross-forest trust relationships as well.
  3. Active Directory Sites and Services Snap-In - This snap-in is used to define, configure and maintain Active Directory sites, subnets, site-to-subnet mappings and perform other tasks related to site and subnet management.
  4. ADSIEdit.msc - This is a special and very handy snap-in that can be used to access and edit all attributes of all objects in Active Directory. It is particularly helpful if you wish to make modifications to uncommon attributes, and/or create a new object of any of the classes defined in the Schema.

If you're an IT administrator responsible for AD management, then you probably already know about the common set of administrative tools that ship with Windows Server, but nonetheless I thought I'd mention them here for anyone starting out in AD administration.

+ Pros: Free, Come with Windows, Can be used for AD management, Good for Basic Search and Reporting

- Cons: Very limited in their ability to generate advanced and/or custom management and security reports

Download Point: To install these tools, you need to download and install the Windows Server 2003 Administration Tools Pack, which I believe can be found here.