Active Directory

Auditing Active Directory Password Quality

Posted by robd on April 24, 2018
Active Directory, powershell / No Comments

Hi All,

A chap called Michael Grafnetter has created a brilliant PowerShell script to check password hashes in Active Directory against a list of simple or common passwords.

This is a great way to encourage users not to use obvious passwords. For example, if a company is called Contoso, you’d want to encourage users not to use Contoso1 etc.

Here’s how:

Download the software:

https://github.com/MichaelGrafnetter/DSInternals/releases/tag/v2.22

Copy the DSInternals directory to your PowerShell modules directory, e.g. one of:

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals
C:\Users\John\Documents\WindowsPowerShell\Modules\DSInternals

Launch Windows PowerShell.

(Optional) If you copied the module to a different directory than the ones advised above, you have to import it manually using the Import-Module .\DSInternals\DSInternals.psd1 command.

Next, create a text file called passwords.txt and fill it with the passwords you’d like to scan for, for example:

Password
Password1
Contoso1

Then here’s an example script:

First, set the password text file.

Then set the Domain Controller, in this case DC1.

Then set the distinguished name of the OU and sub-OUs you want to scan:


$dictionary = Get-Content passwords.txt | ConvertTo-NTHashDictionary
Get-ADReplAccount -All -Server DC1 -NamingContext 'dc=adatum,dc=com' |
Test-PasswordQuality -WeakPasswordHashes $dictionary -ShowPlainTextPasswords -IncludeDisabledAccounts

Here’s some example output:

Active Directory Password Quality Report
----------------------------------------
 
Passwords of these accounts are stored using reversible encryption:
  April
  Brad
  Don
 
LM hashes of passwords of these accounts are present:
 
These accounts have no password set:
  Guest
  nolan
  test
 
Passwords of these accounts have been found in the dictionary:
  adam                Pa$$w0rd
  peter               July2016
 
Historical passwords of these accounts have been found in the dictionary:
  april               Pa$$w0rd
  brad                Pa$$w0rd
 
These groups of accounts have the same passwords:
  Group 1:
    Aidan
    John
  Group 2:
    Joe
    JoeAdmin
    JoeVPN
 
These computer accounts have default passwords:
  LON-CL2$
 
Kerberos AES keys are missing from these accounts:
  Julian
 
Kerberos pre-authentication is not required for these accounts:
  Holly
  Chad
 
Only DES encryption is allowed to be used with these accounts:
  Holly
  Jorgen
 
These administrative accounts are allowed to be delegated to a service:
  Administrator
  April
  krbtgt
 
Passwords of these accounts will never expire:
  Administrator
  Guest
 
These accounts are not required to have a password:
  Guest
  Magnus
  Maria
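
An added example, not part of the original post or of the DSInternals project: one way to build passwords.txt from organisation-specific terms (the Contoso1 and July2016 patterns seen above) and run the same audit with the report written to a file only the current user can read. The base words, suffixes, year range and report path are assumptions; the DSInternals cmdlets and parameters are the ones used in the script above, minus -ShowPlainTextPasswords so that matched passwords are not written to disk.

```powershell
# Added example. Base words, suffixes, years and file paths are assumptions.
Import-Module DSInternals -ErrorAction Stop

$listPath = Join-Path $PWD 'passwords.txt'
$report   = Join-Path $PWD 'password-quality-report.txt'   # hypothetical name

# Constructed sample terms: replace with your organisation's names and products.
$baseWords = 'Contoso', 'Password', 'Welcome'
$suffixes  = '', '1', '123', '!'
$years     = 2016..2018
# English month names; the 13th array element is empty and is filtered out.
$months    = [cultureinfo]::InvariantCulture.DateTimeFormat.MonthNames |
             Where-Object { $_ -ne '' }

$candidates = @(
    foreach ($w in $baseWords) { foreach ($s in $suffixes) { "$w$s" } }
    foreach ($w in ($baseWords + $months)) { foreach ($y in $years) { "$w$y" } }
)

# Keep anything already listed in passwords.txt.
if (Test-Path $listPath) { $candidates += Get-Content $listPath }

# Select-Object -Unique compares case-sensitively, which matters here:
# 'password1' and 'Password1' produce different NT hashes.
$candidates | Where-Object { $_ -ne '' } | Select-Object -Unique |
    Set-Content -Path $listPath -Encoding UTF8

# Create the report file first and restrict it to the current user, so the
# results never sit on disk with inherited permissions.
$me = '{0}\{1}' -f $env:USERDOMAIN, $env:USERNAME
New-Item -ItemType File -Path $report -Force | Out-Null
icacls $report /inheritance:r /grant:r "${me}:(F)" | Out-Null

# Same pipeline as the script above, without -ShowPlainTextPasswords.
$dictionary = Get-Content $listPath | ConvertTo-NTHashDictionary
Get-ADReplAccount -All -Server DC1 -NamingContext 'dc=adatum,dc=com' |
    Test-PasswordQuality -WeakPasswordHashes $dictionary -IncludeDisabledAccounts |
    Out-File -FilePath $report -Encoding UTF8
```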


Enabling Active Directory Users and Computers in Windows 7

Posted by robd on February 28, 2017
Domain Controller / No Comments


I had to download the update mentioned: http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en

Then I had to run these command lines as an administrator:

dism /online /enable-feature /featurename:RemoteServerAdministrationTools
dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles
dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD
dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-DS
dism /online /enable-feature /featurename:RemoteServerAdministrationTools-Roles-AD-DS-SnapIns

 


Windows 7 Login Wallpaper with Group Policies

Posted by robd on October 09, 2012
Group Policies, Windows 7 / 1 Comment

I’m sure you all know what group policies are as I’m guessing you wouldn’t be here otherwise!

Well, here’s a quick how-to on the settings you need to set up a login wallpaper for Win 7:

Firstly, you’ll need a Domain Controller running Server 2008 (I used R2) or a Windows 7 workstation with the AD tools installed, and you need to be logged on as an admin of some sort (preferably a Domain Admin):

1. Open Group Policy Management.

2. Go to: Computer Configuration\Preferences\Windows Settings\Files

3. Right-click the “Files” icon and click: New > File

4. Select Replace

5. Type in the UNC path for your source file, i.e. \\Server\Share\LogonWallpaper.jpg
     • Remember this file needs to be small, less than 256K
     • Also, the permissions on this share need to allow the computer account READ access. If in doubt, use “Authenticated Users”.

6. For the Destination File, type this (without the quotes): “%windir%\system32\oobe\info\backgrounds\backgrounddefault.jpg”

7. Click the “Common” tab

8. Select “Remove this item when it is no longer applied”. This will ensure your file is removed if:
     • The GPO is deleted or disabled
     • The workstation is moved to another OU
     • The policy is filtered out
     • You update your policy to send a new wallpaper file

9. Select Item-level targeting to specify only Windows 7 computers. This will ensure your file isn’t sent to versions of Windows that wouldn’t make use of it anyway, i.e. XP.

10. Go to: Computer Configuration\Policies\Administrative Templates\System\Logon

11. Click “Always use custom logon background” and set it to “Enabled”

Done.
