

Collecting AD information with the Active Directory PowerShell module

Published: 2023/12/10, Programming Q&A, 30, 豆豆

0x00 Introduction

Microsoft provides a number of Active Directory PowerShell cmdlets with Windows Server 2008 R2 (and later), which greatly simplify tasks that previously required stringing together long lines of ADSI code.

On a Windows client, install the Remote Server Administration Tools (RSAT) and make sure the Active Directory PowerShell module is installed. On a Windows server (2008 R2 or later), run the following in a PowerShell console (as administrator):

Import-Module ServerManager; Add-WindowsFeature RSAT-AD-PowerShell

0x01 Browsing the AD directory

The AD PowerShell cmdlets are used like this:

Import-Module ActiveDirectory

$UserID = "JoeUser"

Get-ADUser $UserID -Properties *

Note that with PowerShell v3 and later you do not need to run the first line, because PowerShell recognises the required module and loads it automatically. Once the Active Directory PowerShell module is loaded, you can browse AD the same way you browse a file system:

PS> Import-Module ActiveDirectory

PS> dir ad:

PS> Set-Location ad:

PS> Set-Location "dc=lab,dc=adsecurity,dc=org"

PS> dir

0x02 Finding useful cmdlets

1. Basic module information and statistics

Discover the available PowerShell modules: Get-Module -ListAvailable

Discover the cmdlets in a PowerShell module: Get-Command -Module ActiveDirectory

Count the cmdlets in the PowerShell AD module:

(Get-Command -Module ActiveDirectory).Count

  • Windows Server 2008 R2: 76 cmdlets
  • Windows Server 2012: 135 cmdlets
  • Windows Server 2012 R2: 147 cmdlets
  • Windows Server 2016: 147 cmdlets

Main cmdlets in Windows Server 2008 R2:

  • Get/Set-ADForest
  • Get/Set-ADDomain
  • Get/Set-ADDomainController
  • Get/Set-ADUser
  • Get/Set-ADComputer
  • Get/Set-ADGroup
  • Get/Set-ADGroupMember
  • Get/Set-ADObject
  • Get/Set-ADOrganizationalUnit
  • Enable-ADOptionalFeature
  • Disable/Enable-ADAccount
  • Move-ADDirectoryServerOperationMasterRole
  • New-ADUser
  • New-ADComputer
  • New-ADGroup
  • New-ADObject
  • New-ADOrganizationalUnit

Some of the new cmdlets in Windows Server 2012 and later:

  • *-ADResourcePropertyListMember
  • *-ADAuthenticationPolicy
  • *-ADAuthenticationPolicySilo
  • *-ADCentralAccessPolicy
  • *-ADCentralAccessRule
  • *-ADResourceProperty
  • *-ADResourcePropertyList
  • *-ADResourcePropertyValueType
  • *-ADDCCloneConfigFile
  • *-ADReplicationAttributeMetadata
  • *-ADReplicationConnection
  • *-ADReplicationFailure
  • *-ADReplicationPartnerMetadata
  • *-ADReplicationQueueOperation
  • *-ADReplicationSite
  • *-ADReplicationSiteLink
  • *-ADReplicationSiteLinkBridge
  • *-ADReplicationSubnet
  • *-ADReplicationUpToDatenessVectorTable
  • Sync-ADObject

2. Finding Global Catalogs (GCs)

  • Forest GCs:

Import-Module ActiveDirectory
$ADForest = Get-ADForest
$ADForestGlobalCatalogs = $ADForest.GlobalCatalogs

  • Domain DCs that are GCs:

Import-Module ActiveDirectory
$DCsGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $True }

  • Domain DCs that are not GCs:

Import-Module ActiveDirectory
$DCsNotGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $False }

3. Finding the Active Directory Flexible Single Master Operation (FSMO) roles

Active Directory module:

(Get-ADForest).SchemaMaster
(Get-ADForest).DomainNamingMaster
(Get-ADDomain).InfrastructureMaster
(Get-ADDomain).PDCEmulator
(Get-ADDomain).RIDMaster

.NET calls:

  • Get the current domain:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

  • Get the computer's domain:
[System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name

  • Get the computer's site:
[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

  • List all domain controllers in a domain:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

  • Get the Active Directory domain mode:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainMode

  • List the Active Directory FSMOs:
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).SchemaRoleOwner
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).NamingRoleOwner
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).InfrastructureRoleOwner
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).RidRoleOwner

  • Get the Active Directory forest name:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name

  • Get a list of sites in the Active Directory forest:
[array] $ADSites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites

  • Get the Active Directory forest domains:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains

  • Get the Active Directory forest global catalogs:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs

  • Get the Active Directory forest mode:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().ForestMode

  • Get the Active Directory forest root domain:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain

4. Moving FSMO roles from one DC to another

Get-Command -Module ActiveDirectory -Noun *Master*

  • Moving FSMO roles:

Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole RIDMaster
Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole DomainNamingMaster
Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole PDCEmulator

  • Seizing FSMO roles (only when the current role holder is permanently gone; -Force skips the transfer from the old holder):

Move-ADDirectoryServerOperationMasterRole -Identity $DCName -OperationMasterRole PDCEmulator -Force

0x03 Active Directory PowerShell module cmdlet examples

1. Get-ADRootDSE

Gets information about the LDAP server (domain controller) and displays its contents. The results include some interesting details, such as the operating system the DC is running.


2. Get-ADForest

Provides information about the Active Directory forest that the computer running the command belongs to.


3. Get-ADDomain

Provides information about the current domain.

4. Get-ADDomainController

Provides computer information specific to domain controllers. With this cmdlet you can easily find all DCs in a particular site, or the OS version they run.


5. Get-ADComputer

Provides information about most computer objects in AD; running it with "-Prop *" shows all standard attributes.

6. AD computer statistics

Import-Module ActiveDirectory
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$Time = (Measure-Command `
    { [array] $AllComputers = Get-ADComputer -Filter * -Properties Name,CanonicalName,Enabled,PasswordLastSet,SAMAccountName,LastLogonTimeStamp,DistinguishedName,OperatingSystem }).TotalMinutes
$AllComputersCount = $AllComputers.Count
Write-Output "There were $AllComputersCount computers discovered in $DomainDNS in $Time minutes... `r"

7. Get-ADUser

Provides most of what you want to know about AD users; running it with "-Prop *" shows all standard attributes.

8. AD user statistics

Import-Module ActiveDirectory
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
[array] $AllUsers = Get-ADUser -Filter * -Properties Name,DistinguishedName,Enabled,LastLogonDate,LastLogonTimeStamp,LockedOut,msExchHomeServerName,SAMAccountName
$AllUsersCount = $AllUsers.Count
Write-Output "There were $AllUsersCount user objects discovered in $DomainDNS ... "
[array] $DisabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $False }
$DisabledUsersCount = $DisabledUsers.Count
[array] $EnabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $True }
$EnabledUsersCount = $EnabledUsers.Count
Write-Output "There are $EnabledUsersCount enabled users and $DisabledUsersCount disabled users in $DomainDNS "

9. Get-ADGroup

Provides information about AD groups. The following command finds all security groups:
Get-ADGroup -Filter {GroupCategory -eq 'Security'}

10. Get-ADGroupMember

Enumerates and returns group members; the "-Recursive" parameter includes all members of nested groups.
Get-ADGroupMember 'Administrators' -Recursive

11. Finding inactive computers

The following example finds inactive (stale) computers and users: accounts whose password has not changed in the last 10 days. Note that this is a test example. For a real production environment, change this to a policy of 60 to 90 days for computers and 180 to 365 days for users.


12. Finding inactive users
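The stale-account search that sections 11 and 12 describe, written out as an added example (not code from the original post or from the adsecurity.org scripts). The function name Get-StaleADAccounts and its parameters are this example's own; the 10-day values are the post's test values, and the production ranges it recommends are passed the same way.

```powershell
# Added example: find enabled computer and user accounts whose password is older than a cutoff.
# PasswordLastSet is the criterion the post uses; accounts that never set a password (null) do
# not match "-lt" and must be reviewed separately.
Import-Module ActiveDirectory

function Get-StaleADAccounts {
    param(
        [int]$ComputerDays = 10,   # post's test value; 60-90 days suggested for production
        [int]$UserDays     = 10    # post's test value; 180-365 days suggested for production
    )
    $computerCutoff = (Get-Date).AddDays(-$ComputerDays)
    $userCutoff     = (Get-Date).AddDays(-$UserDays)

    # Only enabled accounts matter for cleanup; disabled ones are already out of use.
    # The AD module substitutes the $cutoff variables inside the -Filter script block.
    $staleComputers = Get-ADComputer -Filter { (PasswordLastSet -lt $computerCutoff) -and (Enabled -eq $true) } `
        -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
        Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate, DistinguishedName

    $staleUsers = Get-ADUser -Filter { (PasswordLastSet -lt $userCutoff) -and (Enabled -eq $true) } `
        -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires |
        Select-Object SamAccountName, PasswordLastSet, LastLogonDate, PasswordNeverExpires, DistinguishedName

    [PSCustomObject]@{
        ComputerCutoff = $computerCutoff
        UserCutoff     = $userCutoff
        StaleComputers = @($staleComputers)
        StaleUsers     = @($staleUsers)
    }
}

# Test run with the post's 10-day window; use -ComputerDays 90 -UserDays 180 (or similar) in production.
$report = Get-StaleADAccounts -ComputerDays 10 -UserDays 10
Write-Output ("{0} stale computers (password older than {1:d}), {2} stale users (older than {3:d})" -f `
    $report.StaleComputers.Count, $report.ComputerCutoff, $report.StaleUsers.Count, $report.UserCutoff)
$report.StaleComputers | Sort-Object PasswordLastSet | Format-Table -AutoSize
$report.StaleUsers     | Sort-Object PasswordLastSet | Format-Table -AutoSize
# Review the lists before acting: Disable-ADAccount is the usual first step; deletion comes later.
```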

13. Enumerating domain trusts

14. Getting the date Active Directory was implemented

15. Getting the AD password policy
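An added example (not from the original post) that reads the default domain password policy together with any fine-grained password policies and flags settings a security review usually objects to. The function Test-ADPasswordPolicy and the thresholds (14 characters, 24 remembered passwords) are this example's assumptions, not values from the post.

```powershell
# Added example: review the default domain password policy and every fine-grained policy (PSO).
Import-Module ActiveDirectory

function Test-ADPasswordPolicy {
    param([Parameter(Mandatory)]$Policy, [string]$Name)
    $findings = @()
    # Thresholds below are assumptions for this example; adjust to your own baseline.
    if ($Policy.MinPasswordLength -lt 14)   { $findings += "MinPasswordLength is $($Policy.MinPasswordLength) (assumed floor: 14)" }
    if (-not $Policy.ComplexityEnabled)      { $findings += "Complexity is disabled" }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += "Reversible encryption is enabled (passwords recoverable in clear text)" }
    if ($Policy.LockoutThreshold -eq 0)      { $findings += "Lockout is disabled (LockoutThreshold = 0)" }
    if ($Policy.PasswordHistoryCount -lt 24) { $findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount) (assumed floor: 24)" }
    [PSCustomObject]@{ Policy = $Name; Findings = $findings }
}

# The default domain policy applies to every account not covered by a fine-grained policy.
$default = Get-ADDefaultDomainPasswordPolicy
$results = @(Test-ADPasswordPolicy -Policy $default -Name 'Default Domain Policy')

# A PSO overrides the default policy for the users and groups it applies to, so a weak PSO
# silently undercuts a strong default policy; check each one (lower precedence wins on overlap).
foreach ($pso in (Get-ADFineGrainedPasswordPolicy -Filter *)) {
    $results += Test-ADPasswordPolicy -Policy $pso -Name "PSO: $($pso.Name) (precedence $($pso.Precedence))"
}

foreach ($r in $results) {
    if ($r.Findings.Count -eq 0) { Write-Output "$($r.Policy): no findings" }
    else {
        Write-Output "$($r.Policy):"
        $r.Findings | ForEach-Object { Write-Output "  - $_" }
    }
}
```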

16. Getting AD site information
Note that the Windows 2012 module includes site cmdlets (Get-ADReplicationSite*).

17. Getting the tombstoneLifetime
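An added example (not from the original post) that reads tombstoneLifetime from the Directory Service object in the configuration partition. The function name Get-ADTombstoneLifetime is this example's own; the 60-day fallback is the value AD applies when the attribute is not set.

```powershell
# Added example: read the forest's tombstoneLifetime and report the effective value.
Import-Module ActiveDirectory

function Get-ADTombstoneLifetime {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties tombstoneLifetime
    $days = $dsObject.tombstoneLifetime
    # When the attribute is absent the forest uses the built-in 60-day default; forests created
    # on Windows Server 2003 SP1 or later get 180 days written explicitly at creation time.
    $effective = 60
    if ($null -ne $days) { $effective = [int]$days }
    [PSCustomObject]@{
        TombstoneLifetimeDays = $effective
        ExplicitlySet         = ($null -ne $days)
    }
}

$tsl = Get-ADTombstoneLifetime
Write-Output ("tombstoneLifetime: {0} days (explicitly set: {1})" -f $tsl.TombstoneLifetimeDays, $tsl.ExplicitlySet)
# Why it matters: a backup older than this cannot be restored, and a DC disconnected longer than
# this must be rebuilt rather than reconnected; 60 days is the value to flag in a review.
```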

18. AD Recycle Bin

Requires forest functional level = Windows Server 2008 R2

  • Enable the Recycle Bin (as Enterprise Admin):

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=COM' -Scope ForestOrConfigurationSet -Target 'DOMAIN.COM'

  • Find all deleted users:

$DeletedUsers = Get-ADObject -SearchBase "CN=Deleted Objects,DC=DOMAIN,DC=COM" -Filter {ObjectClass -eq "user"} -IncludeDeletedObjects -Properties lastKnownParent

  • Restore all deleted users:

$DeletedUsers | Restore-ADObject

  • Restore users deleted on a specific date:

$ChangeDate = Get-Date "1/1/2015"
Get-ADObject -Filter { (whenChanged -eq $ChangeDate) -and (isDeleted -eq $true) -and (name -ne "Deleted Objects") -and (ObjectClass -eq "user") } -IncludeDeletedObjects -Properties * | Restore-ADObject

19. Domain RID statistics
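An added example (not from the original post) that decodes the domain's rIDAvailablePool attribute. The function name Get-ADRidPoolStatus is this example's own; the attribute layout (high 32 bits = pool ceiling, low 32 bits = next RID to allocate) is how AD stores it.

```powershell
# Added example: report how much of the domain RID pool has been consumed.
Import-Module ActiveDirectory

function Get-ADRidPoolStatus {
    $domainDN   = (Get-ADRootDSE).defaultNamingContext
    # rIDAvailablePool lives on the RID Manager$ object in the System container.
    $ridManager = Get-ADObject -Identity "CN=RID Manager$,CN=System,$domainDN" -Properties rIDAvailablePool
    $pool = [int64]$ridManager.rIDAvailablePool
    $totalRids  = [int64]($pool -shr 32)            # upper 32 bits: highest RID the pool can issue
    $issuedRids = [int64]($pool -band 0xFFFFFFFF)   # lower 32 bits: next RID the RID Master hands out
    [PSCustomObject]@{
        RidMaster     = (Get-ADDomain).RIDMaster
        TotalRids     = $totalRids
        IssuedRids    = $issuedRids
        RemainingRids = $totalRids - $issuedRids
        PercentUsed   = [math]::Round(100 * $issuedRids / $totalRids, 2)
    }
}

$status = Get-ADRidPoolStatus
$status | Format-List
# RIDs are never reused, so a jump in IssuedRids (bulk provisioning, or a script creating and
# deleting objects in a loop) is the number to trend; the pool cannot be reset once exhausted.
```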


20. Backing up domain GPOs
Note that this requires the Group Policy PowerShell module, which is separate from the Active Directory module.

21. Finding AD Kerberos service accounts

22. Service account script

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Find-PSServiceAccounts

Discovering services in AD by SPN: SQL

Listing SQL services:

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSMSSQLServers


23. Listing domain controllers
Get-ADDomainController -Filter * | Select-Object HostName,IPv4Address,IsGlobalCatalog,IsReadOnly,OperatingSystem | Format-Table -AutoSize

24. Domain controller discovery

  • Discover the PDCe in a domain:
Get-ADDomainController -Discover -ForceDiscover -Service "PrimaryDC" -DomainName "lab.adsecurity.org"
  • Discover DCs in a site:
Get-ADDomainController -Discover -Site "HQ"
  • Find all read-only domain controllers that are GCs:
Get-ADDomainController -Filter { (IsGlobalCatalog -eq $True) -and (IsReadOnly -eq $True) }

25. AD database integrity check

Stopping the NTDS service takes the DC out of service for the duration of the check, so run this on one DC at a time during a maintenance window.

Write-Output "Checking the NTDS database for errors (semantic database analysis) `r"
Stop-Service ntds -Force
$NTDSdbChecker = ntdsutil "activate instance ntds" "semantic database analysis" "verbose on" "Go" q q
Start-Service ntds
Write-Output "Results of Active Directory database integrity check: `r"
$NTDSdbChecker

26. Get-ADReplicationPartnerMetadata

Windows Server 2012 and later. Shows the replication metadata for the replication partners of the target DC.

27. Get-ADReplicationFailure

Provides information about the replication failure state of a DC; it shows a description of the AD replication errors. (2012 cmdlets)

28. Get-ADReplicationUpToDatenessVectorTable

Tracks the replication state between domain controllers. (2012 cmdlets)

29. AD Web Services (ADWS)

Requires AD Web Services (ADWS) to be running on the target DC (TCP 9389).

Get-ADDomainController -Discover -Service "ADWS"

30. REPADMIN (directory replication tool) vs. PowerShell

REPADMIN switch         PowerShell cmdlet

2012 cmdlets
/FailCache              Get-ADReplicationFailure
/Queue                  Get-ADReplicationQueueOperation
/ReplSingleObj          Sync-ADObject
/ShowConn               Get-ADReplicationConnection
/ShowObjMeta            Get-ADReplicationAttributeMetadata
/ShowRepl, /ReplSum     Get-ADReplicationPartnerMetadata
/ShowUTDVec             Get-ADReplicationUpToDatenessVectorTable
/SiteOptions            Set-ADReplicationSite

2008 R2 cmdlets
/ShowAttr               Get-ADObject
/SetAttr                Set-ADObject
/PRP                    Get-ADDomainControllerPasswordReplicationPolicy
                        Add-ADDomainControllerPasswordReplicationPolicy
                        Remove-ADDomainControllerPasswordReplicationPolicy
                        Get-ADAccountResultantPasswordReplicationPolicy
                        Get-ADDomainControllerPasswordReplicationPolicyUsage

Reprinted from: https://www.cnblogs.com/backlion/p/9267100.html
