TechShizz | Tech Guides

Shadow Groups

DS-Tools

The Quick and Dirty version:
dsquery user "<Organizational Unit distinguishedName>" -scope onelevel | dsmod group "<Shadow Group distinguishedName>" -chmbr

This queries for all user objects directly in the specified OU (-scope onelevel excludes child OUs), then dsmod group -chmbr clears the shadow group's current membership and replaces it with exactly the users found in the OU.

The Clean and Clever batch file version:
Set OU=Organizational Unit distinguishedName (without quotes)
Set Group=Shadow Group distinguishedName (without quotes)

dsget group "%Group%" -members | find /v /i "%OU%" | dsmod group "%Group%" -rmmbr
dsquery * "%OU%" -filter "(&(sAMAccountType=805306368)(!memberOf=%Group%))" -scope onelevel | dsmod group "%Group%" -addmbr


The first line lists the group's members and pipes them to find, which keeps only the members whose distinguishedName does NOT contain the OU's distinguishedName, and then pipes those to dsmod group to remove them from the group. The second line looks for all users in the specified OU (sAMAccountType 805306368 matches normal user accounts) that are NOT members of the shadow group already, and adds any it finds. Note that find only does a substring match, so a user in a child OU of %OU% also contains that string in its DN and would not be removed by the first line.

PowerShell

Windows Server 2008 R2 with Active Directory cmdlets:
$OU="Organizational Unit distinguishedName"
$Group="Shadow Group distinguishedName"

Get-ADGroupMember -Identity $Group | Where-Object {$_.distinguishedName -NotMatch $OU} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false}
Get-ADUser -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!memberOf=$Group)" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group}

This does the same thing as the ds-tools clean and clever version, but in PowerShell with the AD cmdlets. Be aware that -NotMatch treats $OU as a regular expression, so a DN containing characters such as parentheses should be passed through [regex]::Escape() first, or compared with -NotLike instead.

Once you have decided which approach to take, you can create a scheduled task for it and have the batch or PowerShell script run at whatever interval suits your organization. Just make sure the account the scheduled task runs under has the privileges it needs, namely the "Log on as a batch job" right and permission to update the shadow groups in Active Directory (Write Members on those groups), and nothing more.
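As an added example (not code from the original guide), the following PowerShell function does the same synchronisation as the one-liners above, but computes the add and remove sets explicitly with an exact DN comparison and supports -WhatIf so the change can be reviewed before it is scheduled. The function and parameter names, and the DNs in the usage line, are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original guide. Function and parameter names are assumptions.

function Sync-ShadowGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$OU,      # distinguishedName of the source OU
        [Parameter(Mandatory)][string]$Group,   # distinguishedName of the shadow group
        [switch]$Recurse                        # include child OUs (default: one level, as in the guide)
    )

    $scope = if ($Recurse) { 'Subtree' } else { 'OneLevel' }

    # Desired membership: user objects in the OU (sAMAccountType 805306368 = normal user
    # accounts, the same filter the batch version uses).
    $wanted = @(Get-ADUser -SearchBase $OU -SearchScope $scope -LDAPFilter '(sAMAccountType=805306368)' |
                ForEach-Object DistinguishedName)

    # Current membership read from the group's member attribute. This yields plain DNs and
    # is not subject to the Get-ADGroupMember result-size limit on large groups.
    $current = @((Get-ADGroup -Identity $Group -Properties member).member)

    # Exact DN comparison instead of -NotMatch, so DNs containing regex metacharacters
    # such as parentheses cannot cause false matches or misses.
    $toAdd    = @($wanted  | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $wanted })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $Group -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false
    }

    # Summary object for the scheduled task's log; on a -WhatIf run it shows what would change.
    [pscustomobject]@{ Group = $Group; Added = $toAdd; Removed = $toRemove }
}

# Dry run first, then drop -WhatIf once the reported changes look right (placeholder DNs):
Sync-ShadowGroup -OU 'OU=Sales,DC=adatum,DC=com' -Group 'CN=SG-Sales,OU=Groups,DC=adatum,DC=com' -WhatIf
```

Because nothing is written until a difference is found, the task account only needs Write Members on the shadow group itself, and the returned object can be piped to a log so membership changes are recorded.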

Create a Password Settings Object (PSO)

Creating a PSO

Create a group to apply the PSO to.

ADSI Edit

Connect to Adatum.com

Go to System

Right-click 'Password Settings Container' > New > Object

Enter the PSO name as the cn, for example 'PSO1'

In the msDS-PasswordSettingsPrecedence box, type 10. Click Next.

In the msDS-PasswordReversibleEncryptionEnabled box, type FALSE. Click Next.

In the msDS-PasswordHistoryLength box, type 6. Click Next.

In the msDS-PasswordComplexityEnabled box, type FALSE. Click Next.

In the msDS-MinimumPasswordLength box, type 6. Click Next.

In the msDS-MinimumPasswordAge box, type 1:00:00:00. Click Next.

In the msDS-MaximumPasswordAge box, type 20:00:00:00. Click Next.

In the msDS-LockoutThreshold box, type 2. Click Next.

In the msDS-LockoutObservationWindow box, type 0:00:15:00. Click Next.

In the msDS-LockoutDuration box, type 0:00:15:00. Click Next.

(The duration values use the d:hh:mm:ss format that ADSI Edit accepts for these attributes.)

Done. Now apply the policy.

Ensure Advanced Features is enabled (View menu) in Active Directory Users and Computers.

Go to Adatum.com > System > Password Settings Container > right-click PSO1 > Properties

Attribute Editor tab

Find: msDS-PSOAppliesTo

Use the pop-up to search AD for the group or OU you want to apply the PSO to. Note that a PSO is linked to user and global security group objects; to cover the users of an OU, apply it to a group that mirrors the OU's membership, which is exactly what the shadow groups described above provide.

Auditpol

List users that have a per-user audit policy

AuditPol /List /User

To see how a user is being audited

AuditPol /Get /User:UserName /Category:*

To see the users' SIDs

AuditPol /List /User /V

List all audit categories

AuditPol /List /Category

Test SMTP Email with Telnet

In this example I'll email from test@outlook.com to rich@techshizz.com

First identify the SMTP server via its MX record:

nslookup -q=mx techshizz.com

From a Telnet client run:

telnet mail.techshizz.com 25

At this point you should get a 220 banner, which means the connection and SMTP greeting are OK up to this point.

Helo techshizz.com    (just type your domain after HELO; the server does not verify it)

Mail from: test@outlook.com

250 OK

Rcpt to: rich@techshizz.com

A 250 here is expected for a recipient in the server's own domain. A server that also answers 250 to a recipient in an unrelated domain from an unauthenticated session is acting as an open relay and needs fixing.

Data

This is a test - Ignore

.

(The server answers 354 after Data; type the message, then press Enter, a single period on its own line, and Enter again to submit.)

250 OK

Quit