Denetimler farklı bir etki alanında (SIRKET / sirket.local) ve bu etki alanının denetleyicisi (DC01.sirket.local) üzerinde yapılacaksa, kontrollerin o etki alanına ait kimlik bilgileri (Denetci & Dd123456) ile çalıştırılması gerekir. Kullanılabilecek örnek komut aşağıdaki gibidir.
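# Build a credential object for the audit account of the target domain.
# The password is read interactively as a SecureString instead of being
# written into the command itself, which keeps the clear-text value out of
# the script text and the command history.
$KullaniciAdi = 'Sirket\Denetci'
$Parola = Read-Host -AsSecureString -Prompt "$KullaniciAdi hesabinin parolasi"
$KimlikBilgisi = New-Object System.Management.Automation.PSCredential -ArgumentList $KullaniciAdi, $Parola

# List every user of the remote domain, sorted by name. Only the two displayed
# attributes that are not returned by default are requested; -Properties *
# would pull every attribute of every account from the domain controller.
Get-ADUser -Credential $KimlikBilgisi -Server DC01.sirket.local -Filter * -Properties PasswordLastSet, Description |
    Sort-Object -Property Name |
    Format-Table -Property Name, SamAccountName, Enabled, PasswordLastSet, Description -AutoSize -Wrap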
Nesneleri Filtreleme
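# Find directory objects whose operatingSystem attribute starts with
# "Windows Server 20" and print the property collection of each match.
$Arayici = [adsisearcher]'(OperatingSystem=Windows Server 20*)'
# Without paging the searcher stops at the server-side result limit
# (1000 entries by default), which would silently truncate the audit.
$Arayici.PageSize = 1000
$Sonuclar = $Arayici.FindAll()
try {
    $Sonuclar | ForEach-Object { $_.Properties }
}
finally {
    # The result collection holds unmanaged resources until it is disposed.
    $Sonuclar.Dispose()
}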
Hesap Denetimleri
- Get-ADUser -Filter * -Properties “LastLogonDate” | sort-object -property lastlogondate -descending | Format-Table -property name, lastlogondate -AutoSize
- Get-ADUser -Filter ‘PasswordNeverExpires -eq $true’ -Server DCMakinesi | select name
- Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name,ObjectClass -A
- Get-ADUser -filter {(Description -notlike “Service*”) -and (Enabled -eq “True”) -and (PasswordNeverExpires -eq “True”)} -properties * | select samaccountname,description
- dsquery user -samid SIRKETGalip.Tekinli | dsget user -office -desc -display > Galip.TekinliBilgileri.txt
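- dsquery * domainroot -limit 800 -filter “(&(objectClass=user) (userAccountControl>=65536))” -attr sAMAccountName userPrincipalName userAccountControl -d sirket.local
  (Not: “>=65536” karşılaştırması bit düzeyinde değildir; 65536 (DONT_EXPIRE_PASSWD) bayrağını taşımayan ama userAccountControl değeri daha büyük olan hesaplar da listelenir. Yalnızca bu bayrağı taşıyan hesaplar için “(userAccountControl:1.2.840.113556.1.4.803:=65536)” filtresi kullanılabilir.)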
- dsquery * domainroot -filter “(&(objectcategory=person)(objectclass=user)(lockoutTime=*))” -limit 0
- Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90 | ?{$_.enabled -eq $True} | where {$_.ObjectClass -eq ‘user’}
- dsquery user “OU=Kullanicilar,DC=sirket,DC=local” -disabled -limit 0 | dsget user -samid > DevreDisiKalmisHesaplar.txt
- Search-ADaccount –AccountDisabled –UsersOnly > DevreDisiKalmisHesaplar.txt
- Search-ADaccount –AccountInactive –Timespan (New-TimeSpan –Days 180) –UsersOnly > AktifOlmayanHesaplar.txt
- Get-ADUser -Properties EmailAddress, DisplayName, Name, sn, lastlogondate, passwordlastset -Filter * | Select EmailAddress, Name, lastlogondate, passwordlastset
- $AyAdedi = (Get-Date).AddMonths(-6)
  Search-ADAccount -accountinactive -usersonly -datetime “$AyAdedi”
- dsquery user “OU=Kullanicilar,dc=sirket,dc=local” -stalepwd 60 > 60GundurParolasiniDegistirmeyenHesaplar.txt
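- dsquery user “OU=Kullanicilar,dc=sirket,dc=local” -inactive 4 | dsmod user -disabled yes > 4HaftadirAktifOlmayanHesaplar.txt
  (Dikkat: bu komut yalnızca listeleme yapmaz; dsmod, 4 haftadır aktif olmayan hesapları devre dışı bırakır. Yalnızca raporlama için “| dsmod user -disabled yes” yerine “| dsget user -samid” kullanılabilir.)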
- wmic useraccount where PasswordExpires=’False’ get Name, FullName, Domain, Lockout, Disabled, PasswordChangeable, PasswordExpires, PasswordRequired, SID, Status
Grup Denetimleri
- Get-ADGroup -Filter {GroupCategory -eq ‘Security’} | ?{@(Get-ADGroupMember $_).Length -eq 0} | select DistinguishedName > BosGruplar
- Get-ADGroupMember -Identity “Domain Admins” -Recursive | select samaccountname,name
Bilgisayar Denetimleri
- Get-ADComputer -Filter {OperatingSystem -Like “Windows Server*2008*”} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto
- Get-ADComputer -filter * -Properties * | where{$_.lastlogondate -lt (get-date).adddays(-30)} > 30GundurOturumAcilmamisBilgisayarlar
- Get-ADComputer -Filter * -Property * | Select-Object Name,IPv4Address,Enabled,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion,Created,LastLogonDate,SID,GUID
- Get-ADComputer –Filter {OperatingSystem -Like “*2003*“ -or OperatingSystem -Like “*XP*“} –Property *
OU Denetimi
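# Inventory of all organizational units. Only the attributes that are shown
# are requested. OUs are not security principals and carry no SID, and the
# AD cmdlets expose the object GUID as ObjectGUID, so the SID and GUID
# columns (which stay empty) are replaced by ObjectGUID.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion, CanonicalName |
    Select-Object DistinguishedName, Name, ProtectedFromAccidentalDeletion, CanonicalName, ObjectGUID

# OUs with no direct child object: for each OU a one-level search limited to
# a single result is run, and the OU is kept when that search returns nothing.
Get-ADOrganizationalUnit -Filter * |
    Where-Object { -not (Get-ADObject -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel -ResultSetSize 1) } > BosOUListesi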
Güven İlişkileri
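# Trust relationships of the current domain.
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetAllTrustRelationships()

# Trust relationships of the current forest.
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GetAllTrustRelationships()

# The same information read from the trustedDomain objects in the directory.
# This is a separate command; on the original line it was fused onto the end
# of the previous call, which does not parse.
Get-ADObject -Filter { objectClass -eq "trustedDomain" } -Properties TrustPartner, TrustDirection, trustType, trustAttributes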
LAPS Mevcudiyeti
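# Check whether the LAPS schema attribute ms-Mcs-AdmPwd exists.
# The schema partition belongs to the forest, so its DN is read from RootDSE;
# building it from the current domain's DN only works in the forest root domain.
# -ErrorAction Stop turns a missing attribute into a terminating error, and
# Out-Null discards the object, so no output means the attribute is present.
# NOTE(review): this only tests for the ms-Mcs-AdmPwd attribute; a deployment
# that stores passwords in other schema attributes is not detected here.
Get-ADObject "CN=ms-Mcs-AdmPwd,$((Get-ADRootDSE).schemaNamingContext)" -ErrorAction Stop | Out-Null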
Parola Politikası
# Default password policy of the current domain.
Get-ADDefaultDomainPasswordPolicy

# All fine-grained password policies defined in the domain.
Get-ADFineGrainedPasswordPolicy -Filter '*'
Grup İlkeleri
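# HTML report covering every GPO in the domain.
Get-GPOReport -All -ReportType HTML -Path TumGrupIlkeleriListesi.html

# GPO links set on the domain object itself (Depth is fixed to 0).
Get-ADObject -Identity (Get-ADDomain).distinguishedName -Properties name, distinguishedName, gPLink, gPOptions |
    Select-Object name, distinguishedName, gPLink, gPOptions, @{ Name = 'Depth'; Expression = { 0 } } > EtkiAlani-GPO-EslesmeListesi

# GPO links set on each OU. Depth is the number of 'OU=' components in the
# distinguished name.
Get-ADOrganizationalUnit -Filter * -Properties name, distinguishedName, gPLink, gPOptions |
    Select-Object name, distinguishedName, gPLink, gPOptions, @{ Name = 'Depth'; Expression = { ($_.distinguishedName -split 'OU=').Count - 1 } } > OU-GPO-EslesmeListesi

# Status and WMI filter of every GPO. Written to its own file: redirecting it
# to OU-GPO-EslesmeListesi with '>' would overwrite the OU list produced above.
Get-GPO -All |
    Select-Object Path, DisplayName, GPOStatus, WMIFilter |
    Format-Table -AutoSize > GPO-DurumListesi

# GPO links set on the Active Directory sites (Depth is fixed to 0).
Get-ADObject -LDAPFilter '(objectClass=site)' -SearchBase "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)" -SearchScope OneLevel -Properties name, distinguishedName, gPLink, gPOptions |
    Select-Object name, distinguishedName, gPLink, gPOptions, @{ Name = 'Depth'; Expression = { 0 } } > Site-GPO-EslesmeListesi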
Önemli Özellikler
- adminCount
- badPwdCount
- comment
- description
- lastLogon
- msDS-AllowedToDelegateTo
- objectSid
- pwdLastSet
- sIDHistory
- title
- userAccountControl