


Audit Active Directory Extended Rights

This is a PowerShell script that scans and audits your Active Directory structure for any users with permissions on extended rights, and the organizational unit paths those permissions are granted on. It requires the Active Directory module. No changes need to be made to the script; however, if you wish to alter the output log path or add users to be filtered out of the output, such as your known administrators, these can be set in the variables via ISE or Notepad prior to execution.

The script is beneficial for users who have deployed LAPS (Local Administrator Password Solution) in their environment. It lets you quickly audit exactly who has access to what LAPS information (computer object extended rights) in AD.

 

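###################################################################################
################### Variables #####################################################
###################################################################################
$LoggedAccessLocation = "C:\Temp\" ## Location to store output ####################
$NotMe = "*DasAdmins*" ## Account Filter ##########################################
###################################################################################
## Note: BuiltIn, NT Authority and Orphaned SIDs are automatically filtered out ###
###################################################################################
# NOTE(review): the CSV lists every identity holding an ExtendedRight on an OU, which
# is exactly the information a LAPS-reader audit is sensitive about. C:\Temp is
# normally readable (and writable) by every local user, so point $LoggedAccessLocation
# at a folder that only administrators can read.

# Create the output folder if it is missing; -Force makes this idempotent.
if (-not (Test-Path -Path $LoggedAccessLocation)) {
    New-Item -ItemType Directory -Force -Path $LoggedAccessLocation | Out-Null
}

# yyyy-MM-dd stamp for the file name (same result as the old "%Y / %m / %d"
# followed by replacing '/' with '-' and stripping the spaces).
$Date = Get-Date -Format 'yyyy-MM-dd'

# A generic list: "+=" on a plain array re-allocates the whole array per ACE.
$ACLList = New-Object System.Collections.Generic.List[object]

Import-Module ActiveDirectory
Set-Location AD:

# Wrapped in @() so a domain with a single OU still exposes .Count.
$OUs = @((Get-ADOrganizationalUnit -Filter *).DistinguishedName)
$i = 0

foreach ($OU in $OUs) {
    # Inside the loop $OUs.Count is at least 1, so the percentage cannot divide by zero.
    Write-Progress -Activity "Checking: $OU... " `
        -Status "Scanned: $i of $($OUs.Count) folders..." `
        -PercentComplete (($i / $OUs.Count) * 100)
    $i++

    # Explicit (non-inherited) ExtendedRight ACEs only. Well-known principals,
    # orphaned SIDs (S-1-5*) and anything matching $NotMe are dropped.
    # "NT AUTHORITY\*" was compared with -ne before, which never matches a wildcard,
    # so those entries were never actually filtered.
    $ACLs = (Get-Acl -Path $OU).Access | Where-Object {
        $_.ActiveDirectoryRights -like '*ExtendedRight*' -and
        -not $_.IsInherited -and
        $_.IdentityReference -notlike 'BUILTIN\*' -and
        $_.IdentityReference -notlike 'NT AUTHORITY\*' -and
        $_.IdentityReference -notlike 'S-1-5*' -and
        $_.IdentityReference -notlike $NotMe
    }

    foreach ($ACL in $ACLs) {
        $OutInfo = New-Object -TypeName psobject -Property @{
            IDRef  = $ACL.IdentityReference.ToString()
            Path   = $OU
            Access = $ACL.AccessControlType.ToString()
        }
        $ACLList.Add($OutInfo)
    }
}

# Join-Path copes with $LoggedAccessLocation given with or without a trailing backslash.
$FP = Join-Path -Path $LoggedAccessLocation -ChildPath "${Date}_ExtRights_Audit.CSV"

if ($ACLList.Count -eq 0) {
    # Export-Csv writes nothing for an empty pipeline, so say so instead of leaving
    # the operator guessing whether the script ran.
    Write-Host "No explicit ExtendedRight entries matched the filter; nothing exported."
}
else {
    $ACLList | Select-Object Path, IDRef, Access | Export-Csv -Path $FP -NoTypeInformation
}

Clear-Host
$ACLList | Format-Table -AutoSize
Write-Host "Output logged to: $FP"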


Clean User Permissions from Additional Mailboxes in 365

This is a simple script to remove a user's permissions on additional mailboxes within the organization's 365 domain. It can also be configured to block 365 login for those specific users. It is set up to use an OU of users but can be edited quickly for a single user, or an OU containing a single user can be used. Requires the Office 365 PowerShell modules and prerequisites to be loaded ahead of time. The script should be downloaded and the variables set in ISE or Notepad before execution.


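#######################################################################
################### Variables #########################################
#######################################################################
$OU = "OU=YOUROU,DC=DOMAIN,DC=DOMAIN" ################ Who to revoke ##
$Cred = Get-Credential ########### Credentials for connecting to 365 ##
$FromAddress = "From@who.com" ########################## for logging ##
$ToAddress = "To@who.com" ############################## for logging ##
$LogPath = "\\FOLDER.TO.STORE\LOG\" #################### for logging ##
$SMTP = "SMTP.RELAY.FORLOG" ############################ for logging ##
$BlockLogin = $False ######## Change to true to also block 365 login ##
#######################################################################
### Requires Modules and pre-requisites for Office 365 Powershell #####
#######################################################################

# ISO-8601 timestamp with the characters that are illegal in file names swapped out.
$date = Get-Date -Format o
$date = $date -replace '/', '--'
$date = $date -replace ':', '-'

Import-Module ActiveDirectory

$filename = "${date}___RevokeFolderPermsLog.csv"
# Join-Path copes with $LogPath given with or without a trailing backslash.
$termlog  = Join-Path -Path $LogPath -ChildPath $filename

# Lines that end up in the e-mail body. ArrayList.Add() returns the new index,
# so every call is cast to void to keep it off the console.
$br = "<br>"
[System.Collections.ArrayList]$emaillog = @(".", ".", ".", ".")
[void]$emaillog.Add($br)
[void]$emaillog.Add($br)
$found = $false

Import-Module MSOnline
Connect-MsolService -Credential $Cred

# NOTE(review): Basic authentication to the ps.outlook.com endpoint has been retired by
# Microsoft for most tenants; confirm this session type is still permitted in yours
# before relying on the script.
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell `
    -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session -AllowClobber

try {
    Write-Progress -Activity "Getting Users: $OU"
    Write-Host "Getting Users: $OU"
    # UserPrincipalName and SamAccountName are default properties; "-Properties *" only
    # made the query slower.
    $users = Get-ADUser -SearchBase $OU -Filter *

    foreach ($user in $users) {
        $upn      = $user.UserPrincipalName
        $username = $user.SamAccountName

        # "-eq", not "=": the original assignment was always true, so every user in
        # the OU had sign-in blocked regardless of the $BlockLogin setting.
        if ($BlockLogin -eq $true) {
            Set-MsolUser -UserPrincipalName $upn -BlockCredential $true
            Write-Host "Blocked 365 login: $upn"
        }

        $permissions = Get-MailboxPermission -Identity * -User $upn
        foreach ($mbx in $permissions) {
            $mbxname = $mbx.Identity
            # Leave the user's own mailbox alone.
            if ($mbxname -eq $username) { continue }

            # Remove / re-add with AutoMapping off / remove again: the re-add clears the
            # auto-mapping attribute so Outlook stops opening the mailbox for the user.
            # "-AccessRights FullAccess" needs the space; "-AccessRightsFullAccess" is not a
            # parameter and made both Remove calls fail.
            Remove-MailboxPermission -Identity $mbxname -User $upn -AccessRights FullAccess -InheritanceType All -Confirm:$false
            Add-MailboxPermission -Identity $mbxname -User $upn -AccessRights FullAccess -InheritanceType All -AutoMapping $false
            Remove-MailboxPermission -Identity $mbxname -User $upn -AccessRights FullAccess -InheritanceType All -Confirm:$false

            $MS = "Removed: $upn permissions from:$mbxname"
            $MS | Out-File -FilePath $termlog -Append
            [void]$emaillog.Add($MS)
            [void]$emaillog.Add($br)
            Write-Progress -Activity "Removed: $upn permissions from: $mbxname"
            Write-Host "Removed: $upn permissions from: $mbxname"
            $found = $true
        }
    }
}
finally {
    # Tear the remote session down even when a cmdlet above throws.
    Remove-PSSession $O365Session
}

# Exactly one report mail. With "=" instead of "-eq" the first branch always fired
# and the "no permissions found" mail could never be sent.
if ($found -eq $true) {
    $body = "The following actions have been taken and logged.<br> Log: '$termlog'  <font color='blue'><b><br> $emaillog </b></font>"
}
else {
    $body = "No permissions found for users. <br> Log: '$termlog'  <font color='blue'><b><br> $emaillog </b></font>"
}
Send-MailMessage -From $FromAddress -To $ToAddress -Subject "365 Mailbox Permissions Revocation Log" -Body $body -BodyAsHtml -SmtpServer $SMTP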


clear NTFS permissions for specific users on set of folders

Here's a simple PowerShell script to remove NTFS permissions on a set of folders under a given root. It uses a list of users from a specific OU, but can quickly be edited for a single username. If in doubt about the actual changes, run it without the Set verbs first. Always know what you're running and use it carefully! Simple logged output is written in case it is needed. See the highlighted portions for what to change.


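#######################################################################
################### Variables #########################################
#######################################################################
$RootPath = "\\WHAT.FOLDER.TO\CLEANUP"   ## closing quote was missing
$OU = "OU=YOUROU,DC=DOMAIN,DC=DOMAIN" ## who to revoke 
$DryRun = $false ## $true: log what would be removed, change no ACL ##
#######################################################################
### Note: Its assumed Group Membership secure access will be removed ## 
### by separate term process ##########################################
#######################################################################

# ISO-8601 timestamp with the characters that are illegal in file names swapped out.
$date = Get-Date -Format o
$date = $date -replace '/', '--'
$date = $date -replace ':', '-'
Import-Module ActiveDirectory
$filename = "${date}___RevokeFolderPermsLog.csv"
$termlog = "\\YOUR.FILE.SHARE\Terms\FolderPermissionRevocation\$filename"
# Lines that end up in the e-mail body; Add() returns the index, hence [void].
$br = "<br>"
[System.Collections.ArrayList]$emaillog = @(".", ".", ".", ".")
[void]$emaillog.Add($br)
[void]$emaillog.Add($br)
$found = $false

#######################################
# Strip every explicit (non-inherited) ACE for one identity from one folder.
# Inherited ACEs are skipped: RemoveAccessRuleAll cannot remove them, and the
# original script logged "Wiped" for them without changing anything.
# Arguments: $Folder - DirectoryInfo of the folder
#            $IdRef  - "NETBIOS\user" identity reference to strip
# Globals:   $DryRun (read) - when $true the ACL is inspected but not written
# Outputs:   number of matching ACEs found (0 when nothing to do)
#######################################
function Remove-ExplicitAce {
    param($Folder, $IdRef)
    # -LiteralPath: folder names containing [ ] would otherwise be treated as wildcards.
    $acl  = Get-Acl -LiteralPath $Folder.FullName
    $aces = @($acl.Access | Where-Object { $_.IdentityReference -eq $IdRef -and -not $_.IsInherited })
    if ($aces.Count -gt 0 -and -not $DryRun) {
        # Looping handles an identity that holds several ACEs on the same folder; the
        # original single-object code broke when more than one matched.
        foreach ($ace in $aces) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                ($ace.IdentityReference, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
            [void]$acl.RemoveAccessRuleAll($rule)
        }
        Set-Acl -LiteralPath $Folder.FullName -AclObject $acl
    }
    return $aces.Count
}

#######################################
# Record one action in the CSV log, the e-mail buffer and on the console.
# Arguments: $Message - the line to record
# Globals:   $termlog, $emaillog, $br (read / appended)
#######################################
function Write-RevokeLog {
    param($Message)
    $Message | Out-File -FilePath $termlog -Append
    [void]$emaillog.Add($Message)
    [void]$emaillog.Add($br)
    Write-Progress -Activity $Message
    Write-Host $Message
}

# Log verb chosen once so dry runs are clearly distinguishable in the report.
$verb = if ($DryRun) { "Would wipe:" } else { "Wiped:" }

Write-Progress -Activity "Getting users in: $OU"
Write-Host "Getting users in: $OU"
# SamAccountName is a default property; "-Properties *" only made the query slower.
$users = Get-ADUser -SearchBase $OU -Filter *

Write-Progress -Activity "Pre-load subfolders..."
Write-Host "Pre-Load subfolders..."
# Hoisted out of the user loop: the tree does not change between users.
$RootFolder = Get-Item -LiteralPath $RootPath
# Unreadable folders (typically access denied) are collected in $err rather than
# aborting the walk; they are reported so the operator knows the sweep was partial.
$SubFolders = @(Get-ChildItem -LiteralPath $RootPath -Recurse -ErrorVariable err -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer })
if ($err.Count -gt 0) {
    Write-Host "Warning: $($err.Count) folder(s) could not be read and were skipped."
}

foreach ($client in $users) {
    $username = $client.SamAccountName
    $idref = "YOURNETBIOSNAME\$username"
    Write-Progress -Activity "Starting trawl of: $RootFolder"
    Write-Host "Starting trawl of: $RootFolder"

    if ((Remove-ExplicitAce -Folder $RootFolder -IdRef $idref) -gt 0) {
        Write-RevokeLog "$verb $username from RootFolder:$RootFolder"
        $found = $true
    }

    # An empty $SubFolders simply skips this loop; the original "break" here also
    # abandoned every remaining user.
    $i = 0
    $j = 0
    foreach ($SubFolder in $SubFolders) {
        $i++
        Write-Progress -Activity "Checking for: $username in: $SubFolder... " `
            -Status "Cleared: $i of $($SubFolders.Count) folders... Located: $j instances." `
            -PercentComplete (($i / $SubFolders.Count) * 100)
        if ((Remove-ExplicitAce -Folder $SubFolder -IdRef $idref) -gt 0) {
            $j++
            Write-RevokeLog "$verb $username from SubFolder:$($SubFolder.FullName)"
            $found = $true
        }
    }
}

# "-eq", not "=": the assignment made the mail go out even when nothing was found.
if ($found -eq $true) {
    Send-MailMessage -From "FolderRevocationReport@DOMAIN.DOMAIN" -To "SERVER@ADMINS.DOMAIN" -Subject "Folder Permission Revocation Log" -Body "The following actions have been taken and logged.<br> Log: '$termlog'  <font color='blue'><b><br> $emaillog </b></font>" -BodyAsHtml -SmtpServer YOUR.SMTP.RELAY
}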

Bypass 365 clutter for domain email

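# NOTE(review): FromAddressContainsWords tests the claimed From address, so an external
# sender spoofing DOMAIN.DOMAIN would also skip Clutter and receive SCL 0. Add
# -FromScope InOrganization if only internal senders are meant to match.
# Smart quotes and the en dash in the original were replaced with ASCII so the line
# pastes cleanly; the domain is passed as a string rather than a {script block}.
New-TransportRule -Name "AllowDomainClutter" -Priority 0 -FromAddressContainsWords "DOMAIN.DOMAIN" -SetHeaderName "X-MS-Exchange-Organization-BypassClutter" -SetHeaderValue "true" -SetSCL 0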

gpresult verbose one-liner

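REM Verbose GPO dump on the desktop. %USERPROFILE% follows redirected profiles where
REM c:\users\%username% does not; %TIME::=% strips the colons from the time, and the
REM quotes keep the path intact when the hour is single-digit and %TIME% has a leading space.
gpresult /z > "%USERPROFILE%\Desktop\GPResult%TIME::=%.txt"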

A one-liner that can be used repeatedly to generate a verbose text dump of the applied Group Policy information, with a time-stamped file name so earlier dumps are not overwritten.
