TechShizz | Tech Guides

Auditpol

List the users that have a per-user audit policy

AuditPol /List /User


To see how a user is being audited

AuditPol /Get /User:UserName /Category:*


To see the users' SIDs as well

AuditPol /List /User /V


List all audit categories

AuditPol /List /Category
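A quick way to check the result of these settings is to read the machine's effective audit policy and compare it against the subcategories you expect to be enabled. The script below is an added example, not part of the original guide: it parses the CSV report that auditpol produces with the /r switch and lists the expected subcategories that are set to "No Auditing". The list of expected subcategories is a constructed baseline (adjust it to your own), and the column names are those auditpol writes in an English-locale report.

```powershell
# Added example (not from the original guide): report expected audit subcategories that are
# currently set to "No Auditing", by parsing "auditpol /get /category:* /r" (CSV report output).
# Assumptions: elevated PowerShell on the machine being checked; English subcategory names.

function Get-AuditPolicyReport {
    # Run auditpol once and convert its CSV report into objects; the report has a
    # "Subcategory" and an "Inclusion Setting" column among others.
    $csv = auditpol /get /category:* /r | Where-Object { $_ -ne '' }
    $csv | ConvertFrom-Csv
}

function Get-UnauditedSubcategories {
    param(
        # Constructed baseline of subcategories a defender normally wants enabled.
        [string[]]$Expected = @(
            'Logon', 'Logoff', 'Account Lockout', 'Special Logon',
            'Process Creation', 'Security Group Management',
            'User Account Management', 'Audit Policy Change',
            'Sensitive Privilege Use'
        )
    )
    $report = Get-AuditPolicyReport
    foreach ($name in $Expected) {
        $row = $report | Where-Object { $_.Subcategory -eq $name }
        if (-not $row) {
            # Name not present in the report (typo in the baseline or a different locale).
            [pscustomobject]@{ Subcategory = $name; Setting = 'NOT FOUND' }
            continue
        }
        if ($row.'Inclusion Setting' -eq 'No Auditing') {
            [pscustomobject]@{ Subcategory = $name; Setting = $row.'Inclusion Setting' }
        }
    }
}

# Usage: an empty result means every expected subcategory is being audited.
Get-UnauditedSubcategories | Format-Table -AutoSize
```

Run it after changing policy with AuditPol (or via GPO) to confirm the effective settings rather than the ones you think you applied.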

Shadow Groups

DS-Tools

The Quick and Dirty version:
dsquery user "<Organizational Unit distinguishedName>" -scope onelevel | dsmod group "<Shadow Group distinguishedName>" -chmbr

This looks for all users in the specified OU; -scope onelevel limits the search to that OU only (not its child OUs). The result is piped to dsmod group with -chmbr, which clears the current membership of the Shadow Group and adds all users currently found in the OU.

The Clean and Clever batch file version:
Set OU=Organizational Unit distinguishedName (without quotes)
Set Group=Shadow Group distinguishedName (without quotes)

dsget group "%Group%" -members | find /v /i "%OU%" | dsmod group "%Group%" -rmmbr
dsquery * "%OU%" -filter "(&(sAMAccountType=805306368)(!memberOf=%Group%))" -scope onelevel | dsmod group "%Group%" -addmbr


The first line lists the group membership and pipes it to find, which (with /v) keeps only the members whose distinguishedName does NOT contain the OU's distinguishedName; those are piped to dsmod group -rmmbr to remove them from the group. The second line looks for all user objects (sAMAccountType=805306368) directly in the specified OU that are NOT already members of the Shadow Group, and adds any users found to the group.

PowerShell

Windows Server 2008 R2 with Active Directory cmdlets:
$OU="Organizational Unit distinguishedName"
$Group="Shadow Group distinguishedName"

Get-ADGroupMember -Identity $Group | Where-Object {$_.distinguishedName -NotMatch $OU} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false}
Get-ADUser -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!memberOf=$Group)" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group}

This does the same thing as the DS-Tools clean and clever version, except it is done in PowerShell with the AD cmdlets.
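The following is an added example, not code from the original guide. It does the same shadow-group sync as the PowerShell version above but compares membership on each user's exact distinguishedName rather than with -NotMatch (which treats the OU DN as a regular expression, so special characters in the DN and users in child OUs can produce unexpected matches), computes the additions and removals as a diff before touching the directory, and supports -WhatIf so the changes can be previewed. It assumes the ActiveDirectory module and the rights described in this section; the OU and group DNs in the usage lines are placeholders.

```powershell
# Added example (not part of the original guide): shadow-group sync with exact DN comparison,
# a computed diff and -WhatIf support. Assumes the ActiveDirectory module is installed.

function Sync-ShadowGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$OU,     # OU distinguishedName (placeholder values in usage below)
        [Parameter(Mandatory)] [string]$Group   # Shadow Group distinguishedName
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Desired members: user objects located directly in the OU (OneLevel), keyed by DN.
    $desired = @{}
    Get-ADUser -SearchBase $OU -SearchScope OneLevel -Filter * |
        ForEach-Object { $desired[$_.DistinguishedName] = $_ }

    # Current members: users only (Get-ADGroupMember also returns groups and computers), keyed by DN.
    $current = @{}
    Get-ADGroupMember -Identity $Group |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $current[$_.DistinguishedName] = $_ }

    # Diff on exact DN, so a user in a child OU is never kept in the group by accident.
    $toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })
    $toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })

    foreach ($dn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($dn, "Remove from $Group")) {
            Remove-ADGroupMember -Identity $Group -Members $dn -Confirm:$false
        }
    }
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess("$($toAdd.Count) user(s)", "Add to $Group")) {
        # One call for all additions instead of one directory write per user.
        Add-ADGroupMember -Identity $Group -Members $toAdd
    }

    # Summary for the scheduled-task log.
    [pscustomobject]@{ Group = $Group; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Preview first (placeholder DNs), then apply:
# Sync-ShadowGroup -OU 'OU=Sales,DC=contoso,DC=com' -Group 'CN=SG-Sales,OU=Groups,DC=contoso,DC=com' -WhatIf
# Sync-ShadowGroup -OU 'OU=Sales,DC=contoso,DC=com' -Group 'CN=SG-Sales,OU=Groups,DC=contoso,DC=com'
```

Because the function returns a count of what it changed, a scheduled task can write that object to a log and an unexpectedly large Removed value can be spotted before it repeats.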

Once you have decided which approach you want to take, you can easily create a scheduled task for it and ensure that the batch or PowerShell script runs at intervals that suit your organization. Just make sure that the user account the scheduled task runs under has the proper privileges (such as "Log on as a batch job" and permission to update the Shadow Groups (write members) in Active Directory).

PKI Setup (Offline Root CA)

Place CAPolicy.inf in the C:\Windows folder on the Root CA

Install the Root CA

Configure the Root CA:

Remove ALL CRL Locations BEFORE issuing any certificates

On the root CA run  

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg ca\ValidityPeriodUnits "20"

Copy the files (root CA certificate and CRL) from the Root CA's C:\Windows\System32\CertSrv\CertEnroll\ folder to C:\CertEnroll on the Sub-CA or web server

Give Cert Publishers Modify permissions on CertEnroll, and Read for Everyone.

Install the Sub-CA - Place the CAPolicy.inf file in the C:\Windows folder on the Sub-CA

Import the request into the Root CA and issue the certificate. Then save it to a file and install it on the Sub-CA.

Start the CA service on the Sub-CA. Errors will be shown for the Sub-CA in the PKI hierarchy at this point.

Go to the Webserver

Run Cmd:

C:\Windows\System32\inetsrv\appcmd set config "Default Web Site" /section:system.webServer/security/requestFiltering /allowDoubleEscaping:True

Iisreset


Cd \CertEnroll

certutil -f -DSPublish CA-Root.contoso.com_CAROOT.crt RootCA

Finally, configure DNS.

If the domain name ends in .local, an A record will need to be created pointing to the web server.
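For the web server step "Give Cert Publishers Modify permissions on CertEnroll, and Read for Everyone", the script below is an added example (not from the original guide) that creates C:\CertEnroll, sets exactly those two NTFS rules, and then verifies they are present. Existing inherited permissions on the folder are left as they are. It assumes a domain-joined server so that Cert Publishers resolves; CONTOSO is a placeholder for the NetBIOS domain name.

```powershell
# Added example (not from the original guide): set and verify the CertEnroll folder permissions
# the PKI steps call for. 'CONTOSO' is a placeholder NetBIOS domain name.

function Set-CertEnrollAcl {
    param(
        [string]$Path   = 'C:\CertEnroll',
        [string]$Domain = 'CONTOSO'
    )
    if (-not (Test-Path -Path $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    # Rules apply to the folder and everything created in it (CRL and certificate files).
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -Path $Path
    # Cert Publishers (the CAs) may write and replace the published files; everyone else only reads.
    $rules = @(
        @{ Identity = "$Domain\Cert Publishers"; Rights = [System.Security.AccessControl.FileSystemRights]::Modify },
        @{ Identity = 'Everyone';                Rights = [System.Security.AccessControl.FileSystemRights]::Read }
    )
    foreach ($r in $rules) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $r.Identity, $r.Rights, $inherit, $prop, $allow
        # SetAccessRule replaces any existing explicit Allow rule for the same identity instead of stacking duplicates.
        $acl.SetAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-CertEnrollAcl {
    param(
        [string]$Path   = 'C:\CertEnroll',
        [string]$Domain = 'CONTOSO'
    )
    $access = (Get-Acl -Path $Path).Access
    # True when an Allow rule for the identity grants at least the requested rights.
    $has = {
        param([string]$identity, [System.Security.AccessControl.FileSystemRights]$rights)
        [bool]($access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $identity -and
            (($_.FileSystemRights -band $rights) -eq $rights)
        })
    }
    [pscustomobject]@{
        Path                 = $Path
        CertPublishersModify = & $has "$Domain\Cert Publishers" 'Modify'
        EveryoneRead         = & $has 'Everyone' 'Read'
    }
}

Set-CertEnrollAcl
Test-CertEnrollAcl   # both flags should report True
```

Keeping Cert Publishers as the only identity with write access means a CA can refresh its CRL while nothing else on the server can replace the published root certificate.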

Active Directory Compaction Script

Compaction Script

@ECHO OFF
REM Offline compaction of the Active Directory database (NTDS.dit) on this domain controller.
REM Expects C:\Temp (compaction target) and C:\OriginalNTDS (copy of the original file) to exist.
ECHO To compact the NTDS.dit file for this domain
ECHO controller ensure you have the following
ECHO folders set up on the c:\
ECHO.
ECHO C:\Temp
ECHO C:\OriginalNTDS
ECHO.
pause
REM Clear leftovers from a previous run.
del C:\temp\*.dit
del C:\originalntds\*.dit
REM Stop AD DS (and its dependent services) so the database file is closed.
net stop ntds /y
REM Write a compacted copy of the database to C:\temp.
ntdsutil "activate instance NTDS" files "compact to C:\temp" quit quit
REM Swap in the compacted copy: keep the original in C:\OriginalNTDS and remove the old transaction logs.
REM The script assumes the default database location C:\Windows\NTDS.
cd \windows\ntds
del *.log
copy ntds.dit \originalntds
del ntds.dit
REM Copies the compacted file into the current folder (\windows\ntds).
copy c:\temp\ntds.dit
REM Check the new file before bringing the directory service back online.
ntdsutil "activate instance NTDS" files integrity quit "semantic database analysis" "go fixup" quit quit
ECHO To restart the AD DS press enter.
pause
net start ntds
ECHO Compacting Finished.
pause
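Before running the compaction script it is worth checking its assumptions, since it deletes the transaction logs and replaces the database file. The following pre-flight check is an added example, not part of the original guide: it confirms the two work folders exist, reads the NTDS.dit location from the NTDS service's registry parameters instead of assuming C:\Windows\NTDS (the script does a "cd \windows\ntds", so it warns if they differ), and confirms the drive holding C:\Temp has at least as much free space as the database, because ntdsutil writes a complete compacted copy there. Folder names are the ones the script uses.

```powershell
# Added pre-flight check (not part of the original guide) for the NTDS.dit compaction script.

function Test-CompactionPrereqs {
    param(
        [string]$TempPath      = 'C:\Temp',
        [string]$BackupPath    = 'C:\OriginalNTDS',
        [string]$ScriptNtdsDir = "$env:windir\NTDS"   # folder the batch script changes into
    )
    $problems = @()
    foreach ($p in $TempPath, $BackupPath) {
        if (-not (Test-Path -Path $p -PathType Container)) { $problems += "Missing folder: $p" }
    }

    # The NTDS service records the database path under its Parameters key; the key is absent on non-DCs.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dit = $null
    if (Test-Path -Path $params) { $dit = (Get-ItemProperty -Path $params).'DSA Database file' }
    $ditFound = $dit -and (Test-Path -Path $dit -PathType Leaf)
    if (-not $ditFound) { $problems += 'NTDS.dit not found via the registry; is this a domain controller?' }

    $ditBytes = 0; $freeBytes = 0
    if ($ditFound) {
        $ditDir = [IO.Path]::GetDirectoryName($dit)
        if ($ditDir -ne $ScriptNtdsDir) {
            $problems += "Database is in $ditDir but the script changes to $ScriptNtdsDir"
        }
        $ditBytes = (Get-Item -Path $dit).Length
    }
    if (Test-Path -Path $TempPath -PathType Container) {
        # ntdsutil writes a full compacted copy into $TempPath, so require at least the database size free.
        $drive     = (Get-Item -Path $TempPath).PSDrive.Name
        $freeBytes = (Get-PSDrive -Name $drive).Free
        if ($freeBytes -lt $ditBytes) {
            $problems += "Only $([math]::Round($freeBytes / 1GB, 2)) GB free on drive $drive for a $([math]::Round($ditBytes / 1GB, 2)) GB database"
        }
    }

    [pscustomobject]@{
        Database = $dit
        SizeGB   = [math]::Round($ditBytes / 1GB, 2)
        FreeGB   = [math]::Round($freeBytes / 1GB, 2)
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage: run elevated on the domain controller; only proceed with the script when Ready is True.
Test-CompactionPrereqs
```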

Application Directory Partitions

To create a DNS application directory partition

  1. Open a command prompt.
  2. Type the following command, and then press ENTER:

dnscmd <ServerName> /CreateDirectoryPartition <FQDN>

This only needs to be done once. It creates the partition in the NTDS.dit file, and the partition is then replicated to the other domain controllers.

https://technet.microsoft.com/en-us/library/cc772361.aspx


To enlist a DNS server in a DNS application directory partition

  1. Open a command prompt.
  2. Type the following command, and then press ENTER:

dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>

This needs to be repeated on each DNS server that requires access to the partition.

https://technet.microsoft.com/en-us/library/cc772361.aspx


To remove a DNS server from a DNS application directory partition

  1. Open a command prompt.
  2. Type the following command, and then press ENTER:

dnscmd <ServerName> /UnenlistDirectoryPartition <FQDN>

https://technet.microsoft.com/en-us/library/cc772361.aspx
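The three dnscmd procedures above (create, enlist, unenlist) can be combined into one routine that is safe to re-run. The script below is an added example, not from the original guide or the linked article: it uses the DnsServer PowerShell module (Windows Server 2012 and later) to create the partition once on the first server, enlist every listed server, and unenlist any servers that should no longer hold a replica, reporting what it did. The partition and server names in the usage line are placeholders, and the DirectoryPartitionName property used to detect an existing partition is assumed from the module's output.

```powershell
# Added example (not from the original guide): idempotent create / enlist / unenlist of a
# DNS application directory partition with the DnsServer module. Names below are placeholders.

function Sync-DnsDirectoryPartition {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$Fqdn,          # partition name, e.g. 'EMEADnsZones.contoso.com'
        [Parameter(Mandatory)] [string[]]$DnsServer,   # DNS servers that need access to the partition
        [string[]]$Unenlist = @()                      # DNS servers to remove from the partition
    )
    Import-Module DnsServer -ErrorAction Stop
    $results = @()

    # Step 1: create the partition once, on the first server; AD replicates it to the others.
    $first  = $DnsServer[0]
    $exists = $null -ne (Get-DnsServerDirectoryPartition -ComputerName $first |
                         Where-Object { $_.DirectoryPartitionName -eq $Fqdn })
    if (-not $exists -and $PSCmdlet.ShouldProcess($first, "Create partition $Fqdn")) {
        Add-DnsServerDirectoryPartition -Name $Fqdn -ComputerName $first
        $results += [pscustomobject]@{ Server = $first; Action = 'Created' }
    }

    # Step 2: enlist each server. A server that is already enlisted (or has not received the
    # partition through replication yet) raises an error, which is recorded rather than fatal.
    foreach ($s in $DnsServer) {
        if ($PSCmdlet.ShouldProcess($s, "Enlist in $Fqdn")) {
            try {
                Register-DnsServerDirectoryPartition -Name $Fqdn -ComputerName $s -ErrorAction Stop
                $results += [pscustomobject]@{ Server = $s; Action = 'Enlisted' }
            } catch {
                $results += [pscustomobject]@{ Server = $s; Action = "Skipped: $($_.Exception.Message)" }
            }
        }
    }

    # Step 3: unenlist servers that should no longer hold a replica of the partition.
    foreach ($s in $Unenlist) {
        if ($PSCmdlet.ShouldProcess($s, "Unenlist from $Fqdn")) {
            Unregister-DnsServerDirectoryPartition -Name $Fqdn -ComputerName $s -Force
            $results += [pscustomobject]@{ Server = $s; Action = 'Unenlisted' }
        }
    }
    $results
}

# Usage (placeholder names); -WhatIf previews the actions without changing anything:
# Sync-DnsDirectoryPartition -Fqdn 'EMEADnsZones.contoso.com' -DnsServer 'dns1','dns2' -WhatIf
# Sync-DnsDirectoryPartition -Fqdn 'EMEADnsZones.contoso.com' -DnsServer 'dns1','dns2'
```

Because a newly created partition reaches other servers only after replication, an enlist attempt on a second server may be reported as skipped on the first run; running the routine again once replication has completed enlists it.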