ADCMDStuff: Difference between revisions

No edit summary   (change visibility)
No edit summary   (change visibility)
Line 1: Line 1:
CMD stuff related to Active Directory
CMD stuff related to Active Directory


repadmin.exe /showObjMeta
repadmin.exe /showObjMeta domaincontroller cn


gpresult
gpresult

Revision as of 15:47, 4 December 2013

CMD stuff related to Active Directory

# Replication metadata for one object: for each attribute, the version, the
# originating DC and the time of the last originating change. Useful for seeing
# when and on which DC an attribute (group membership, adminCount, ...) changed.
# "domaincontroller" and "cn" are placeholders; the second argument is
# presumably the object's distinguished name - confirm with repadmin /?.
repadmin.exe /showObjMeta domaincontroller cn

# Resultant Set of Policy for the current user and computer.
# NOTE(review): on current Windows versions a bare gpresult only prints usage;
# a switch such as /r is needed for the summary report - confirm on the target OS.
gpresult


# Start cmd with alternate credentials that are used for network access only;
# the local session keeps the logged-on identity. The password is not checked
# when the process starts, so a wrong one only shows up on the first remote call.
runas /netonly /u:domain\user cmd 
# Locate a domain controller for the named domain and print its name, address and flags.
nltest /dsgetdc:domain.lcl

# dsacls with only a distinguished name prints the object's ACL; no change
# switch is passed here, so nothing is modified.
# The DNs and host names below are sample values.
dsacls "cn=users,dc=corp,dc=contoso,dc=com"
# \\server\DN form: read the ACL from one specific domain controller.
dsacls "\\domaincontroller.domain.lcl\DC=domain,DC=lcl"

# The same ACL check in PowerShell.
# The ActiveDirectory module provides the AD: drive, which lets Get-Acl take a
# distinguished name as its path.
Import-Module activedirectory
set-location ad:
# One row per ACE, as a table in the console.
# Only the trustee and Allow/Deny are shown; to judge what an ACE actually
# grants, also select ActiveDirectoryRights (and IsInherited to tell explicit
# entries from inherited ones).
(Get-Acl 'cn=users,dc=corp,dc=contoso,dc=com').access | ft identityreference, accesscontroltype -AutoSize
# Same data in a sortable, filterable grid window.
(Get-Acl 'cn=users,dc=corp,dc=contoso,dc=com').access | select identityreference, accesscontroltype | out-gridview

# Find everything that ever was admin - http://www.ehloworld.com/1621
# adminCount=1 is stamped on members of protected groups by the
# AdminSDHolder/SDProp process and is not cleared when the membership is
# removed, so these queries return current AND former privileged objects.
# Compare the result with actual group membership before acting on it.
([adsisearcher]"(AdminCount=1)").findall()
# dsquery stops at 100 results unless -limit is given.
dsquery * -filter "(admincount=1)"
# -Server pins the query to one domain controller (placeholder host name).
Get-ADuser -LDAPFilter "(admincount=1)" -Server domaincontroller.domain.lcl | select name
Get-ADgroup -LDAPFilter "(admincount=1)" -Server domaincontroller.domain.lcl | select name
# Clear adminCount on an account that is no longer privileged.
# "[user name]" is a placeholder for the account identity.
# If the account is still in a protected group, SDProp sets the attribute again
# on its next run. Clearing the attribute does not restore ACL inheritance;
# that is the separate step below.
Get-AdUser [user name] | Set-AdObject -clear adminCount
# Re-enable permission inheritance on the object.
# NOTE(review): $_ is only defined inside a pipeline, so these two lines are
# presumably the body of a ForEach-Object over the adsisearcher results above
# (each result has a .Path) - confirm against the linked article.
$User = [ADSI] $_.Path
# /p:n marks the object as not protected, i.e. it inherits from its parent again.
dsacls $User.distinguishedName /p:n

# CheckDSAcls - http://activedirectoryutils.codeplex.com/releases/view/13664
# Third-party tool. CodePlex has since been shut down, so the link may no
# longer resolve; check the origin and integrity of any copy before running it
# with domain credentials.
# NOTE(review): the switch meanings are only inferred from their names -
# confirm against the tool's own help. The quoted values and <FILENAME> are
# placeholders; 389 is the standard LDAP port.
# The output files map who holds which rights across the directory; store them
# as sensitive data.
#
# Run the following commands once for each domain (root and child)
#
# Check OU permissions
#
CheckDSAcls /Target:"distinguishedName of domain" /ShowChildren /SearchFilter:"objectClass=organizationalUnit" /SplitDN /OutputToFile:"<FILENAME>.txt" /ServerName:"Any Domain Controller" /Port:389

# Check domain-level permissions

CheckDSAcls /Target:"distinguishedName of domain" /SplitDN /OutputToFile:"<FILENAME>.txt" /ServerName:"Any Domain Controller" /Port:389


# Run the following command for each OU (or container) where in-scope objects reside.
# Several locations/OUs may contain "interesting" objects such as servers, service accounts, etc.
#
# List these locations and, for each location or OU containing objects of interest, run the following command:
	
CheckDSAcls /Target:"distinguishedName of location" /ShowChildren /SplitDN /OutputToFile:"<FILENAME>.txt" /ServerName:"Any Domain Controller" /Port:389