Blog Posts by smith181

Ask a question

Managing Inactive Active Directory Accounts Using PowerShell

Active Directory allows authorized AD accounts (users and computers) to access the organizations data, applications and other resources like printers. Additional security is also ensured through permissions attached to the AD resources or objects. AD user accounts feature in the access control list of one or more objects which enable them to access those AD resources seamlessly. Account authorization / authentication along with the system access control list of network resources ensure that the AD is completely protected from unauthorized accesses.

Inactive AD accounts and security threats
Inactive accounts pose a serious threat to the security of the Active Directory. Inactive accounts and their access permissions can be used to access network resources. Often these kind of activities go unnoticed because of the lack of an all-inclusive auditing solution in the organization.

Using Windows PowerShell to manage inactive AD accounts
In order to use PowerShell with Active Directory, you will require the Active Directory PowerShell module. It (along with Active Directory Administrative Centre) gets installed automatically with the addition of AD DS (Active Directory Domain Services) or AD LDS (Active Directory Lightweight Directory Services) role in Windows Server 2008 R2. Here are some cmdlets that let you perform some basic actions related to inactive accounts:

To find inactive AD accounts
To find all the inactive accounts use the Search-ADAccount cmdlet. It is recommended that you search for computer accounts and user accounts separately.

  • To find inactive computer accounts:

Search-ADAccount –AccountInactive -ComputersOnly


  • To find inactive user accounts:

Search-ADAccount -AccountInactive -UsersOnly


To find AD accounts that are inactive for the past 60 days
To find the AD accounts that are inactive for the past 60 days, you will also need to specify the time period.

  • To find computer accounts that are inactive for the past 60 days:

Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 60.00:00:00


  • To find user accounts that are inactive for the past 60 days

Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 60.00:00:00


To find the inactive AD accounts of a specific OU

PowerShell also allows you to search for inactive accounts within an OU.

  • To find the inactive computer accounts in an OU:

Search-ADAccount -AccountInactive -ComputersOnly -Searchbase "OU=TestOU,DC=www,DC=vdoc,DC=com"


  • To find the inactive user accounts in an OU:

Search-ADAccount -AccountInactive -UsersOnly -Searchbase "OU=TestOU,DC=www, DC=vdoc,DC=Com"


Inactive Account Management
It is possible to use PowerShell cmdlets and scripts for more complex tasks relating to inactive account management but it requires an almost expert knowledge of the platform. Automated Active Directory clean-up solutions like Lepide Active Directory Cleaner can simplify the process, making it easy to perform even the most complex tasks.

Blog Summary
Inactive accounts can be serious security threats if they are used by an unauthorized person wanting access to the network resources. Windows PowerShell cmdlets can help manage the inactive accounts but can only be used for more complex tasks if the AD administrators are adept at scripting. If this isn’t the case then using a third-party solution is often the most effective way of managing inactive users.
Be the first to comment

How to scrutinize privileged AD accounts?

Keeping your Active Directory under close scrutiny is not difficult thanks to the auditing features of Windows Server and the arrival of professional AD auditing solutions. However, auditors sometimes do not pay much attention to privileged user accounts as they are presumed be trustworthy. But such accounts, because of their higher privileges, are attractive targets to hackers. If some security lapses are there with them, they can be dangerous to the entire AD environment. So organizations cannot be negligent about them.

Administrative privileges given to some accounts helps in managing the Active Directory more effectively and in providing easy access to various AD resources. Misuses of such privileges can be limited by following a two-fold approach. First of all, organizations should follow a Least-Privileged Administrative Model for Active Directory to limit the number of privileged accounts, to limit the duration of privileges, and to limit the level privileges Secondly, there should be regular auditing in the AD environment. It is suggested that you use a professional auditing solution to audit Active Directory and Group Policy.

What is the Least-Privileged Administrative Model?
The Least-Privileged Administrative Model focuses on providing the users and computers with the least permissions that are required to perform a particular task. It is aimed at enhancing security and minimizing security risks in the network. Here are some suggestions for implementing this:

  • Limit the number of privileged accounts

Limit the number of accounts in Enterprise Admins (EA) group, Domain Admins (DA) group, and built-in domain local Administrators (BA) group.

  • Limit the level of privileges

Follow the Microsoft’s recommendations and best practices to limit the level of privileges provided to various administrative accounts; implement role-based access control (RBAC) according the business rules of the company.

  • Limit the duration of elevated privileges

When elevated privileges are required for an account, temporarily place it in a group having those rights (instead of giving individual rights) and remove it from the group immediately after the task is done.

  • Follow some special measures

Implement certificate based authentication mechanism, and configure smart card based interactive logon plus auditing for administrative accounts.

Privileged use auditing in Windows Server 2008 R2
Privilege use auditing allows to track the usage of privileges given to users and computers. Windows 2008 R2 provides two options for auditing privilege uses.

While ‘Audit privilege use’ policy setting is configured, the following events are generated :

‘Audit privilege use’ policy setting in Windows Server 2008 R2 tracks:

The table below gives the list of events. Users are recommended to refer Microsoft sites for detailed information on them.

Many experts suggest that auditing privilege uses may lead to enormous number of audit events, especially when Success and Failure events are audited. So it is suggested to use this option with utmost caution.

Professional Active Directory Auditing Solutions
Professional auditing solutions are recommended even if you follow a Least-Privileged Administrative Model and keep the VIP accounts under auditing radar. A complete AD auditing help in securing the entire AD environment and also in meeting regulatory compliances. LepideAuditor Suite helps in auditing Active Directory and Group Policy.

Blog Summary
Privileged accounts have very crucial role in the Active Directory. However, for the security of the entire AD environment, it is essential to follow a Least-Privileged Administrative Model in the organization. Also, it is necessary to audit privilege use events of the AD. And for auditing the entire Active Directory, one can use professional AD auditing solutions like Lepide Auditor Suite.
Be the first to comment

LepideAuditor for File Server - 10 things you should know

File Servers contain crucial business data and any unauthorized access to these files can be harmful. Moreover, irregular auditing leaves them at higher risk of unwanted changes, data loss and theft.

File Server auditing is a time consuming task and, in case of, large organizations with huge number of employees, it’s almost impossible to keep track of every file opened by users. Native file server auditing is not recommended as it lacks many important features and it doesn’t even have reporting capabilities.

LepideAuditor for File Server (LAFS) is an automated auditing solution for Windows File Servers and NetApp Filers. Using this software, you can control and monitor every change made by any user. It provides powerful reporting features which native auditing tools lack completely.

10 things you should know about LepideAuditor for File Server are:

  1. The Four W’s of Audit: It gives detail regarding every change along with reports, showing all information like who did what to which content and when this was done.
  2. Meet Compliance: It helps in meeting compliance requirements like PCI, GLBA, HIPAA, etc. Compliance specific reports allow organizations to practice safe file sharing methods and keep unwanted activities at bay.
  3. Long-Term Log Storage: It allows long-term storage of logs in SQL databases for permanent storage (as long as you wish).  A single captured audit data can be reviewed after a long time and that too without any modification in it.
  4. Real-Time Auditing: It offers customized real-time auditing of File servers based on time, directory, file, file type and process.
  5. Persistent Reporting and Scheduling: Get reports over all activities like file open, create, read, delete, etc. You can filter these reports on the basis of different conditions like user, directory, time span, process, events, etc. Administrators can even schedule reports and get automatic delivery of reports in various formats like PDF, DOC, CSV, HTML and TXT.
  6. Get Instantly Notified: Administrators instantly get notified about any unwanted access to files, folders and permission changes. This allows taking required steps quickly before substantial damage occurs.
  7. Multiplatform Auditing: It supports multiplatform auditing for Windows and NetApp File Servers. It guarantees complete security by ensuring risk free data sharing.
  8. Before and After Values: It offers precise "before and after" change details. It provides reports of both old and new values for every change done across the IT department.
  9. Instant Alert Generation: It generates instant alerts about serious changes. The alerts can be generated through various mediums like SMS, emails and on-screen messages.
  10. Customize Audit Policy: You can also customize the audit policy on the basis of various elements like File Server name, drive, directory, file name, type, events, process, etc. 

LepideAuditor for File Server is available in two versions, Freeware Edition and Enterprise Edition. You can audit File Servers and monitor file integrity by downloading a free trial of LepideAuditor for File Server. It’s fully functional for 15 days. You can download it from here: http://www.lepide.com/file-server-audit/

Be the first to comment

Audit Group Policy Changes to Ensure Secure Active Directory Environment

Group Policy comes handy when applying specific configurations for Users and Computers. These settings are stored in Group Policy Objects which can be linked to Sites, Domains, and Organizational Units. Sometimes, while working on their system, Users find their desktop to have undergone some unexpected change. Such changes might have been done by a central administrator. In many organizations, there are more than one administrator who manage Computer and User objects centrally through Group Policy Management Console (GPMC). Changes done by one administrator might be unknown to others creating a scenario where accountability becomes an issue. In these situations, it becomes mandatory to audit Group Policy changes to know who did what change, when and from which work station.

Understanding the importance of issue, Microsoft provides a Software Assurance (SA) contract program to its clients. Software license and Software Assurance license are available separately. If you have purchased the Software Assurance license, you get the “Advanced Group Policy Management” (AGPM) which comes with “Desktop Optimization Pack”. The AGPM goes a long way in securing your Group Policy environment as it creates an intermediate stage – “Review Stage” - between editing Group Policy Objects and implementing those changes to the live project environment. Thus all changes made to GPO by all Users can be reviewed and their impacts analyzed before they are rolled out to the live project environment. Even in the absence of AGPM which comes with Software Assurance, a lot can be done using GPO auditing feature. 

Windows auditing option for GPO has existed since Windows 2000. However, that auditing was a bit noisy as you could not determine which objects to audit and which not to audit. Enabling auditing on Windows 2000 means a lot of log through flip-through as you cannot enable auditing granularly. With Windows Server 2008, Microsoft introduced advanced auditing option where users can granularly determine what to audit and what not to, in the process creating a manageable amount of logs. In this article we will see how to enable audit for Windows Server 2008.

Whenever you create a domain, a default domain policy is automatically created. To create a new advanced security audit policy, you need to edit the default domain policy and add advanced security audit policy settings. The approach to apply and validate an advanced audit policy should be:

  • Create an advanced audit policy.

  • Make sure basic audit policy doesn’t override advanced audit policy settings.

  • Update Group Policy Settings.

  • Ensure you have got everything right.

To create an advanced audit policy:

  1. Go to Start -> Administrative Tools -> Group Policy Management. 
  2. In the Console tree, double-click on the domain.
  3. Right-click Default Domain Policy, and then click Edit.
  4. Double-click Computer Configuration, double-click Policies, and double-click Windows Settings.
  5. Double-click Security Settings, double-click Advanced Audit Policy Configurations, and then Double-click System Audit policies.
  6. Double-click the policy which you want to configure.
  7. Select the Configure the following audit events check-box.
  8. Select Success and Failure check-box.
  9. Click OK.

This is the first step of implementing a successful audit policy. As mentioned above, after this you have to update Group Policy settings, ensure basic audit policy doesn’t override this advanced policy and verify if everything has been configured the correct way. Following the above mentioned steps you can configure a number of audit settings to ensure every important change made to GPO is logged. You can then go on and view the logs to determine who did, what, when, where and from which computer. You can also take help of third party tools to audit GPO. Group Policy Auditor ( http://www.lepide.com/lepideauditor/group-policy.html ) which comes as part of LepideAuditor Suite can also be used to audit GPO. 

Be the first to comment

Restore Deleted Objects of Active Directory through LDP.exe

Active Directory well acts as a hierarchical database storing information about the network’s resources such as computers, users, groups, servers and more. It facilitates you as to easily perform tasks like creating, moving, modifying and deleting multiple objects such as users, computers, groups, OUs etc. However, incidents do take place when objects of Active Directory do get deleted incidentally or intentionally, but a right usage of LDP.exe allows in easy restoration of deleted objects back to the Active Directory.

Performing the Deleted Object Restoration

Generally, an object deleted from Active Directory never gets erased immediately, but just gets marked for future deletion. Important point that you must understand is that the deleted objects are just "tombstoned" for a period of time. The time period for which the tombstoned objects remain in the AD before being deleted is 60 days for Windows Server 2000/2003, and 180 days for Windows Server 2003 SP1/ 2008 (by default).

Deleted Objects container is hidden and Active Directory user cannot view it easily, but with the right usage of LDP.exe, it is actually possible to restore deleted objects. Ldp.exe is a part of the Windows Server Support Tools set and can be used to carry out Lightweight Directory Access Protocol (LDAP) searches against the Active Directory for specific information.

This tool is effective in restoring deleted objects of Active Directory if you are working on Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, or higher version.

Note: However, if you are working on restoration of deleted Active Directory objects on Windows Server 2008 R2 then it is recommended to use Active Directory Recycle Bin feature.

Steps to Restore Deleted Objects with LDP.EXE

Open Ldp.exe from an elevated command prompt. First of all, you got to open a command prompt (Cmd.exe) as an administrator in elevated mode. 

1) Type ldp.exe and after that press enter

2)  It gets essential to create a proper connection between bind to the server that hosts the forest root domain of your AD DS environment. To do so, under Connections, click Connect option.

3) Fill up the required essential like the server name with which you want to connect and after that click on Bind and click OK.

4) On the Options menu, click Controls.

5) In the Controls dialog box, expand the Load Predefined drop-down list, after that click Return Deleted Objects, and then click OK.

6) Now from the console tree, select the CN=Deleted Objects container.
7) After identifying the deleted Active Directory object that you want to restore, right-click on it and then click on Modify.

Now, as the Modify dialog box appears on the screen, follow the instructions as mentioned below:

  • In Edit Entry Attribute, type isDeleted. However, you got to ensure that you leave the Values box empty.
  • Then under Operation select Delete and press Enter.
  • In Edit Entry Attribute, enter the distinguishedName.
  • Now in Values section, type the original distinguished name, also known as DN of this Active Directory object.

Under Operation select Replace and after that press Enter and click Run. Although, you got to ensure that you enable the Extended check box. 

It is always important to make a note of the object from where it was deleted as this simple exercise can prove very beneficial in fetching the DN of the object.

It is no wonder that Microsoft's LDP.exe tool provides administrator with in-built AD object recovery method, but some experts do consider it as a bit delicate program. While you use LDP.exe, complications can arise in restoring the attributes of the objects as it does not display all the attribute data. In addition, the tool can be used only if the Deleted object is under tombstoned life.

Nevertheless, today various highly automated tools are available that can help in tracing unwanted changes or restoring deleted objects in almost every situation. In fact, LepideAuditor for Active Directory (http://www.lepide.com/lepideauditor/active-directory.html) is one among those smartly programmed applications that could very well provide you with a reliable option to retrieve AD objects from its “Restore from tombstone” feature as well as it facilitate to do in-depth auditing of changes made in Active Directory.

View comments (1)
Showing 1 - 5 of 6 results

Top Contributors

Talk About K1000 Agent