zoukankan      html  css  js  c++  java
  • Active Directory PowerShell模块收集AD信息

    0x00 前言简介

    Microsoft为Windows Server 2008 R2(以及更高版本)提供了多个Active Directory PowerShell cmdlet,这大大简化了以前需要将涉及到的ADSI冗长代码行放在一起的任务。

    在Windows客户端上,需要安装远程服务器管理工具(RSAT并确保已安装Active Directory PowerShell模块。而在Windows服务器(2008 R2或更高版本)上的 PowerShell控制台(作为管理员)中运行如下命令:Import-Module  ServerManager ; Add-WindowsFeature RSAT-AD-PowerShell

    0x01  AD的目录预览

    AD PowerShell cmdlet和以下方式执行效果一样:

    Import-module  activeDirectory

    $UserID = “JoeUser”

    Get-ADUser $UserID –property *

    需要值得注意的是使用PowerShell v3版本以及高版本,你无需运行第一行命令,因为PowerShell的将识别必要的模块和自动加载它。一旦加载了Active Directory PowerShell模块,就可以像浏览文件系统那样浏览AD。命令如下:

    Ps> Import-module  activeDirectory

    Ps>dir ad:

    Ps>set-location  ad:

    Ps >set-location  “dc=lab,dc=adsecurity,dc=org”

    Ps>dir

    0x02 查找有用的命令(Cmdlet)

    1.基本的模块和统计

    发现可用的PowerShell模块:Get-Module -ListAvailable

    PowerShell模块中发现cmdlet:Get-Command -module ActiveDirectory

    PowerShell AD模块的Cmdlet个数:

    (Get-Command -module ActiveDirectory).count

    • Windows Server 2008 R2: 76 cmdlets
    • Windows Server 2012: 135 cmdlets
    • Windows Server 2012 R2: 147 cmdlets
    • Windows Server 2016: 147 cmdlets

    WINDOWS SERVER 2008 R2主要的cmdlets:

    Get/Set-ADForest

    Get/Set-ADDomain

    Get/Set-ADDomainController

    Get/Set-ADUser

    Get/Set-ADComputer

    Get/Set-ADGroup

    Get/Set-ADGroupMember

    Get/Set-ADObject

    Get/Set-ADOrganizationalUnit

    Enable-ADOptionalFeature

    Disable/Enable-ADAccount

    Move-ADDirectoryServerOperationMasterRole

    New-ADUser

    New-ADComputer

    New-ADGroup

    New-ADObject

    New-ADOrganizationalUnit

    WINDOWS SERVER 2012含以版本一些新的cmdlets:

    *-ADResourcePropertyListMember

    *-ADAuthenticationPolicy

    *-ADAuthenticationPolicySilo

    *-ADCentralAccessPolicy

    *-ADCentralAccessRule

    *-ADResourceProperty

    *-ADResourcePropertyList

    *-ADResourcePropertyValueType

    *-ADDCCloneConfigFile

    *-ADReplicationAttributeMetadata

    *-ADReplicationConnection

    *-ADReplicationFailure

    *-ADReplicationPartnerMetadata

    *-ADReplicationQueueOperation

    *-ADReplicationSite

    *-ADReplicationSiteLink

    *-ADReplicationSiteLinkBridge

    *-ADReplicationSubnet

    *-ADReplicationUpToDatenessVectorTable

    Sync-ADObject

    2.发现全局目录 GLOBAL CATALOGS (GCS)

    Forest GCs(森林全局目录):

    import-module ActiveDirectory

    $ADForest = Get-ADForest

    $ADForestGlobalCatalogs = $ADForest.GlobalCatalogs

    Domain DCs that are GCs(以域DCS的全局目录):

    import-module ActiveDirectory

    $DCsNotGCs = Get-ADDomainController -filter { IsGlobalCatalog -eq $True}

    Domain DCs that are not GCs(以非域DCS的全局目录):

    import-module ActiveDirectory

    $DCsNotGCs = Get-ADDomainController -filter { IsGlobalCatalog -eq $False }

    3.查找Active Directory灵活单主机操作(FSMO)角色

    活动目录模块:

    GET-ADForest).SchemaMaster

    GET-ADForest).DomainNamingMaster

    GET-ADDomain).InfrastructureMaster

    GET-ADDomain).PDCEmulator

    GET-ADDomain).RIDMaster

    .NET调用:

    •Get the Current Domain:
    [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name


     [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    • Get the Computer’s Site:
    [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
    • List All Domain Controllers in a Domain:
    [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
    • Get Active Directory Domain Mode:
    [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainMode
    • List Active Directory FSMOs:
    ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).SchemaRoleOwner


    ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).NamingRoleOwner


    ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).InfrastructureRoleOwner


    ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner


    ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).RidRoleOwner

    •Get Active Directory Forest Name:

     [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name

    • Get a List of Sites in the Active Directory Forest:

     [array] $ADSites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites

    • Get Active Directory Forest Domains:

    [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains

    • Get Active Directory Forest Global Catalogs:

    [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs

    • Get Active Directory Forest Mode:

    [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().ForestMode

    • Get Active Directory Forest Root Domain:

    [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain

    4.FSMO角色从一个DC移动到另一个DC

    get-command -module activedirectory -noun *Master*

    •Moving FSMO Roles:

     Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole RIDMaster

    Move-ADDirectoryServerOperationMasterRole -Identity $DCName -

    OperationMasterRole DomainNamingMaster

    Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole PDCEmulato

    •Seizing FSMO Roles:

    Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole PDCEmulator –FORCE

    0x03 Active Directory PowerShell模块Cmdlet示例

    1.Get-RootDSE

    获取有关LDAP服务器(域控制器)的信息并显示其内容,结果中有一些有趣的信息,比如DC运行的操作系统信息。

    2.Get-ADForest

    提供有关运行该命令计算机所在的Active Directory森林信息。

    3.Get-ADDomain

    提供有关当前所在域的信息

    4.Get-ADDomainController

    提供特定于域控制器的计算机信息,通过cmdlet命令,可轻松查找到特定站点中的所有DC或运行OS版本信息。

    5.Get-ADComputer

    提供了关于AD中大多数计算机对象的信息,使用“-Prop *”参数运行的命令可以显示所有标准属性信息。

    6. AD计算机的统计

    $Time = (Measure-Command `

    {[array] $AllComputers = Get-ADComputer -filter * -properties

    Name,CanonicalName,Enabled,passwordLastSet,SAMAccountName,LastLogonTimeSt

    amp,DistinguishedName,OperatingSystem }).TotalMinutes

    $AllComputersCount = $AllComputers.Count

    Write-Output “There were $AllComputersCount Computers discovered in

    $DomainDNS in $Time minutes… `r “

    7.Get-ADUser

    提供了想要了解有关AD用户的大部分内容信息,使用“-Prop *”参数运行的命令可以显示所有标准属性信息。

     8. AD用户的统计

    import-Module ActiveDirectory

    $DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

    [array]$AllUsers = Get-ADUser -filter * -properties

    Name,DistinguishedName,Enabled,LastLogonDate,LastLogonTimeStamp,LockedOut,msExchHom

    eServerName,SAMAccountName

    $AllUsersCount = $AllUsers.Count

    Write-Output “There were $AllUsersCount user objects discovered in $ADDomainDNSRoot … “

    [array] $DisabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $False }

    $DisabledUsersCount = $DisabledUsers.Count

    [array] $EnabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $True }

    $EnabledUsersCount = $EnabledUsers.Count

    Write-Output “There are $EnabledUsersCount Enabled users and there are $DisabledUsersCount

    Disabled users in $DomainDNS “

    9.Get-ADGroup

    提供有关AD组的信息,运行如下命令可查找所有安全组:
    Get-ADGroup -Filter {GroupCategory -eq ‘Security}

    10.Get-ADGroupMember

    枚举并返回组成员信息,使用”-Recursive”参数可包括嵌套组的所有成员。
    Get-ADGroupMember ‘Administrators’ -Recursive

    11.查找非活动计算机

    以下示例查找非活动(旧版本)计算机和用户:在过去10天内未更改其密码的帐户。请注意,这是一个测试示例。对于实际的生产环境,将此建议更改为计算机的60到90天,用户的180到365天的策略。

    12.查找非活动用户

    13.枚举域信任

    14.获取活动目录的实施日期

    15.获取AD密码策略

    16.获取AD站点信息
    请注意Windows 2012模块中包含站点的cmdlet(Get-ADReplicationSite *)。

    17. 获得tombstonelifetime信息

    18.AD的回收信息

    Requires Forest Functional Mode = Windows Server 2008 R2

    • Enable the Recycle Bin (as Enterprise Admin)

    Enable-ADOptionalFeature –Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory

    Service,CN=Windows NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=COM’ –Scope

    ForestOrConfigurationSet –Target ‘DOMAIN.COM’

    • Find all Deleted Users

    $DeletedUsers = Get-ADObject -SearchBase “CN=Deleted Objects,DC=DOMAIN,DC=COM” -Filter

    {ObjectClass -eq “user”} -IncludeDeletedObjects -Properties lastKnownParent

    • Restore all Deleted Users

    $DeletedUsers | Restore-ADObject

    • Restore users deleted on a specific date

    $ChangeDate = Get-Date (“1/1/2015″)

    Get-ADObject -Filter { (whenChanged -eq $changeDate) -and (isDeleted -eq $true) -and (name -ne

    “Deleted Objects”) -and (ObjectClass -eq “user”) } -IncludeDeletedObjects -Properties * | RestoreADObject

    19.DOMAIN RID STATS(域 rid 统计)

    20.备份域GPO
    请注意,这需要安装组策略PowerShell模块,该模块与Active Directory模块分开。

    21.查找AD Kerberos服务帐户

    22. 服务账号脚本

    https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Find-PSServiceAccounts

    使用SPNS在AD中发现服务:SQl

    列出SQL服务:

    https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSMSSQLServers

    23.列出域控制器
    Get-ADDomainController-filter * | `select hostname,IPv4Address,IsGlobalCatalog,IsReadOnly,OperatingSystem | `format-table -auto

    24.DOMAIN CONTROLLERS DISCOVERY(域控制器的发现)

    • Discover PDCe in domain(发现域的PDCe
    Get-ADDomainController –Discover –ForceDiscover –Service “PrimaryDC” –
    DomainName “lab.adsecurity.org”
    • Discover DCs in a Site(发现站点的DCs
    Get-ADDomainController –Discover –Site “HQ”
    • Find all Read-Only Domain Controllers that are GCs(查找所有作为GCs的只读域控制器)
    Get-ADDomainController –filter `
    { (isGlobalCatalog –eq $True) –AND (isReadOnly –eq $True) }

    25.AD数据库完整性检查

    Write-Output "Checking the NTDS database for errors (semantic database

    analysis) `r "

    Stop-Service ntds -force

    $NTDSdbChecker = ntdsutil "activate instance ntds" "semantic database

    analysis" "verbose on" "Go" q q

    Start-Service ntds

    Write-Output "Results of Active Directory database integrity check: `r "

    $NTDSdbChecker

    26.Get-ADReplicationPartnerMetadata

    Windows Server 2012及更高版本,此命令用于显示目标DC复制伙伴的复制元数据

     

    27.Get-ADReplicationPartnerFailure

    提供有关DC复制失败状态的信息,此命令显示AD复制错误的描述,CMDLETS (2012)

    28.Get-ADReplicationUptodatenessVectorTable

    跟踪域控制器之间的复制状态,CMDLETS (2012)

    29.AD Web服务(ADWS)

    需要在目标DC上运行AD Web服务(ADWS)(TCP 9389

    Get-ADDomainController –Discover –Service “ADWS”

    30.REPADMIN(目录复制工具) VS. POWERSHELL

    REPADMIN

    PowerShell

     

    2012 Cmdlets

    /FailCache

    Get-ADReplicationFailure

    /Queue

    Get-ADReplicationQueueOperation

    /ReplSingleObj

    Sync-ADObject

    /ShowConn

    Get-ADReplicationConnection

    /ShowObjMeta

    Get-ADReplicationAttributeMetadata

    /ShowRepl
    /ReplSum

    Get-ADReplicationPartnerMetadata

    /ShowUTDVec

    Get-ADReplicationUpToDatenessVectorTable

    /SiteOptions

    Set-ADReplicationSite

     

    2008 R2 Cmdlets

    /ShowAttr

    Get-ADObject

    /SetAttr

    Set-ADObject

    /PRP

    Get-ADDomainControllerPasswordReplicationPolicy

    Add-ADDomainControllerPasswordReplicationPolicy

     

    Remove-ADDomainControllerPasswordReplicationPolicy

     

    Get-ADAccountResultantPasswordReplicationPolicy

     

    Get-ADDomainControllerPasswordReplicationPolicyUsage

     



     
     
     
  • 相关阅读:
    java-抽象类
    java-接口
    java-面向对象总结
    java-单例设计模式
    java数组
    .Net框架整理
    PHP结合memcacheq消息队列解决并发问题
    浅谈DDos攻击
    PHP+ffmpeg+nginx的配置实现视频转码(转)
    使用Nginx的X-Accel-Redirect实现大文件下载
  • 原文地址:https://www.cnblogs.com/backlion/p/9267100.html
Copyright © 2011-2022 走看看