chadmcox / active_directory_scripts
Making my local storage of useful AD Scripts available to everyone.
License: MIT License
As it says in the title, wouldn't it be good for the findandfix script to also re-enable inheritance?
Every group in $default_admin_groups is queried via Get-ADGroup for every flagged object in the domain. As a result, with large numbers of admin groups and/or flagged objects, this can take a very long time to run.
It would be more efficient to pull all members of those admin groups into a collection of some sort and query that collection for the presence of the flagged object instead of making a new call to Get-ADGroup each time.
It seems FindandFixADObjectswithStaleAdminSDHolder.ps1 only identifies the default set of admin groups and ignores recursive groups that are nested within. As a result, the resulting output file for valid privileged members is missing users that are members of said nested groups. I noticed this when users I know to be members of nested groups within the admin groups were missing from the default report.
With that said, when determining orphaned users, it appears you are querying recursively (get-adgroup -recursivematch), so the orphaned results seem fine.
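One way to implement the collection-based check proposed in the issue above, which also covers the nested-group membership raised in the following issue (an added example, not the repository's own script; it assumes the ActiveDirectory module, a domain-joined session with read access, English group names, and only reports orphaned objects rather than clearing adminCount):

```powershell
# Added example: expand protected-group membership once, then test every
# adminCount=1 object against that set instead of re-querying per object.
Import-Module ActiveDirectory

# Groups whose members SDProp protects via AdminSDHolder (assumption: English
# names; the repository's $default_admin_groups list may differ).
$protectedGroups = @('Administrators','Domain Admins','Enterprise Admins','Schema Admins',
    'Account Operators','Server Operators','Backup Operators','Print Operators',
    'Replicator','Domain Controllers','Read-only Domain Controllers')
# Accounts protected directly rather than through a group.
$protectedUsers = @('Administrator','krbtgt')

$protected = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # e.g. forest-root-only groups in a child domain
    [void]$protected.Add($group.DistinguishedName)   # the group itself carries adminCount=1
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC walk nested
    # membership server-side and return users, computers and nested groups alike.
    # Assumes the group DN contains no characters that need LDAP filter escaping.
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
        ForEach-Object { [void]$protected.Add($_.DistinguishedName) }
}
foreach ($name in $protectedUsers) {
    Get-ADUser -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$protected.Add($_.DistinguishedName) }
}

# Every object currently flagged, fetched with one query.
$flagged = @(Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount)

# Orphaned = flagged, but no longer in any protected group (directly or nested).
$orphaned = @($flagged | Where-Object { -not $protected.Contains($_.DistinguishedName) })

"{0} flagged, {1} still protected, {2} orphaned" -f $flagged.Count,
    ($flagged.Count - $orphaned.Count), $orphaned.Count
# Report only; clearing adminCount and re-enabling inheritance is a separate, deliberate step.
$orphaned | Select-Object Name, ObjectClass, DistinguishedName
```

Membership is resolved once per protected group, so the cost no longer scales with the number of flagged objects times the number of groups.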
There is a problem with FindandFixADObjectswithStaleAdminSDHolder.ps1 that results in ALL users...even those with current membership in protected groups...having adminCount=1 cleared.
When I run FindandFixADObjectswithStaleAdminSDHolder.ps1 on Windows Server 2019 standard in an AD environment that has fewer than 10 users, the script finds and "fixes" 52 users.
Additionally, in AD there were a half dozen or so users that were a member of Administrators (a protected group) and the script detects these as "stale" and "fixes" them by clearing adminCount even though they should remain protected.
Within the hour, when SDPROP runs, the adminCount of these users is automatically set back to 1 (as it should be, as far as I can tell), so no harm done.
But the behavior I saw is that the script essentially clears adminCount for ALL users...and then the next run of SDPROP sets adminCount=1 for the users that should have it. This is still useful...but is not what I expected the script to do.
What is the ADROOT account living in RootDSE? This PowerShell script was able to find it, but when I browse RootDSE using ADSI Edit I can't see it, yet I can find it and manipulate it when running PowerShell through ISE when debugging. I can't find any documentation on the existence of this account, but it was privileged at one time because the script finds it and resets its AdminCount flag. Why does this script find it, and since it reset the flag on it, should I be concerned?