Active Directory

Domain controller

dcdiag

Analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731968(v=ws.11)

Powershell

https://docs.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2019-ps

Get-ADUser – Gets one or more Active Directory users

Get-ADUser -Identity leo -Properties *
Get-ADUser -Filter 'Name -like "*lo*"' | Format-Table Name,SamAccountName,DistinguishedName -A
Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase "OU=Users,DC=company,DC=com" | Select-Object DistinguishedName,Enabled,GivenName,Name,ObjectClass,ObjectGUID,SamAccountName,SID,Surname,UserPrincipalName | export-csv -path C:\Users\myuser\Documents\userexport.csv

Get-ADComputer – Gets one or more Active Directory computers

Get-ADComputer -Identity "User01-SRV1" -Properties *

Get-ADOrganizationalUnit – Gets one or more Active Directory organizational units

Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Format-Table Name, DistinguishedName -A

Working with SIDs

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-powershell-1.0/ff730940(v=technet.10)

DSQuery

Queries the directory by using search criteria that you specify.

Finding the User Base DN

dsquery user -name <known username>
dsquery user -name Leo*
dsquery ou -name *myou*

The result will be returned in double quotes; remove the quotes before using the DN in LDAP fields.

To find all computers that have been inactive for the last four weeks and remove them from the directory:

dsquery computer -inactive 4 | dsrm -noprompt

To find all users in the organizational unit "ou=Marketing,dc=microsoft,dc=com" and add them to the Marketing Staff group:

dsquery user ou=Marketing,dc=microsoft,dc=com | dsmod group "cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr

To find all users with names starting with “John” and display their office numbers:

dsquery user -name John* | dsget user -office

To display an arbitrary set of attributes of any given object in the directory use the dsquery * command. For example, to display the sAMAccountName, userPrincipalName and department attributes of the object whose DN is ou=Test,dc=microsoft,dc=com:

dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr sAMAccountName userPrincipalName department

To read all attributes of the object whose DN is ou=Test,dc=microsoft,dc=com:

dsquery * ou=Test,dc=microsoft,dc=com -scope base -attr *

To find all computers in the current domain whose names start with “ms” and whose descriptions start with “desktop”, and then display their distinguished names, type:

dsquery computer domainroot -name ms* -desc desktop*

To find all OUs in the domain that you specify in DC=Contoso,DC=Com, and then display their distinguished names, type:

dsquery ou DC=Contoso,DC=Com

SID

SID defined as S-1-5-21-<domain>-513

S-1: Indicates a revision or version 1 SID.

5: SECURITY_NT_AUTHORITY, indicates it’s a Windows-specific SID.

21: SECURITY_NT_NON_UNIQUE, indicates a domain id will follow.

1-2-3: The next three SubAuthority values are 32-bit random numbers that together uniquely identify the domain.

RID: Indicates a unique object ID within the domain.

The actual constructed SID would be S-1-5-21-1-2-3-513.

S-1-5-21-<domain>-513     DOMAIN_USERS
S-1-5-21-<machine>-500    ADMINISTRATOR
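Added example, not part of these notes: a small PowerShell function (hypothetical name ConvertFrom-SidString) that splits a SID string into the revision, identifier authority, SubAuthority values, domain SID and RID described above, and labels the two well-known RIDs from the table. The .NET AccountDomainSid property is used only as a cross-check of the string parsing.

```powershell
# Added example (not from the original notes): parse a SID string into its fields.
function ConvertFrom-SidString {
    param([Parameter(Mandatory)][string]$Sid)

    # Layout: S-<revision>-<identifier authority>-<subauthority>-...-<subauthority>
    $parts = $Sid -split '-'
    if ($parts[0] -ne 'S' -or $parts.Count -lt 4) {
        throw "Not a SID string: $Sid"
    }

    $revision  = [int]$parts[1]          # 1 = revision 1 SID
    $authority = [int]$parts[2]          # 5 = SECURITY_NT_AUTHORITY
    $subAuths  = @($parts[3..($parts.Count - 1)] | ForEach-Object { [uint32]$_ })

    # Well-known RIDs listed in the notes above.
    $knownRids = @{ 500 = 'ADMINISTRATOR'; 513 = 'DOMAIN_USERS' }

    $result = [ordered]@{
        Revision      = $revision
        Authority     = $authority
        SubAuthority  = $subAuths
        IsNtAuthority = ($authority -eq 5)
        IsDomainSid   = $false
        DomainSid     = $null
        Rid           = $null
        KnownRid      = $null
    }

    # 21 = SECURITY_NT_NON_UNIQUE: three 32-bit domain identifiers follow,
    # and a fifth SubAuthority (if present) is the RID of an object in that domain.
    if ($authority -eq 5 -and $subAuths.Count -ge 4 -and $subAuths[0] -eq 21) {
        $result.IsDomainSid = $true
        $result.DomainSid   = 'S-1-5-21-' + ($subAuths[1..3] -join '-')
        if ($subAuths.Count -eq 5) {
            $result.Rid      = $subAuths[4]
            $result.KnownRid = $knownRids[[int]$subAuths[4]]
        }
    }
    [pscustomobject]$result
}

# The SID constructed in the notes above; DomainSid should be S-1-5-21-1-2-3 and KnownRid DOMAIN_USERS.
$parsed = ConvertFrom-SidString 'S-1-5-21-1-2-3-513'
$parsed | Format-List

# Cross-check the domain portion against what .NET extracts from the same string.
$dotnet = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-1-2-3-513').AccountDomainSid.Value
"Parsed domain SID matches .NET: $($parsed.DomainSid -eq $dotnet)"
```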

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows

Get a list of users and their SIDs

Get-WmiObject win32_useraccount | Select-Object Caption,SID

Find user/group from SID

# Build a SecurityIdentifier object from the SID string
$objSID = New-Object System.Security.Principal.SecurityIdentifier `
    ("S-1-5-21-3274805877-1740924817-4269325941-2644648192")
# Translate the SID to a DOMAIN\name account (requires the SID to be resolvable from this host)
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value