Active Directory Inventory
An inventory of Active Directory is a fundamental
component of effective IT management and security practices. It provides
valuable insights into the network environment, facilitates compliance with
industry regulations, and helps organizations maintain a secure and
well-organized IT infrastructure.
1. List all OUs:
dsquery ou DC=<DOMAIN>,DC=<DOMAIN EXTENSION>
2. List the organizational units under which the specified user can create a machine object:
netdom query ou
Note: This API was patched to reduce attack surface.
Source: https://www.itprotoday.com/windows-78/jsi-tip-10226-netdom-query-domain-ou-command-errors-requested-api-not-supported-remote
3. List machines on the domain:
netdom query workstation
4. List servers on the domain:
netdom query server
Note: In this lab the output is blank because there are no member servers. The Domain Controller TCDC is not a member server, so it does not appear in this listing.
5. List Domain Controllers:
netdom query dc
6. List the Primary DC:
netdom query pdc
7. List domain trusts:
netdom query trust
Note: As we're dealing with a single domain, this is empty. There is no trust relationship configured with another domain.
8. List FSMO role owners:
netdom query fsmo
9. List all computer objects in a given OU (the DN contains a space, so it must be quoted):
dsquery computer "ou=Domain Controllers,DC=tc,DC=local"
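The same inventory that items 1 to 9 collect with netdom and dsquery can be gathered in one pass with the ActiveDirectory PowerShell module, which is useful when the results need to be kept as a baseline and diffed later. The following is an added example, not part of the original notes; it assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain, and the output folder is an example value. It also makes explicit why a domain controller does not show up under "servers": DCs are reported separately and excluded from the member-server list.

```powershell
# Added example (not from the original notes): netdom/dsquery-style inventory
# (OUs, workstations, member servers, DCs, PDC, trusts, FSMO owners, OU contents)
# collected with the ActiveDirectory module and exported to CSV.
# Assumes the RSAT ActiveDirectory module is installed; $OutputCsvFolder is an example path.
Import-Module ActiveDirectory

function Get-DomainInventory {
    param([string]$OutputCsvFolder = "$env:TEMP\ad-inventory")   # example path

    $domain = Get-ADDomain
    $forest = Get-ADForest

    # 5. Domain controllers (netdom query dc); their names are also used below to
    #    keep DCs out of the member-server list, mirroring netdom query server
    $dcs     = Get-ADDomainController -Filter *
    $dcNames = $dcs | ForEach-Object { $_.Name }

    # 3./4. All computer objects, split by operating system and DC membership
    $computers = Get-ADComputer -Filter * -Properties OperatingSystem

    $inventory = [ordered]@{
        # 1. All OUs (dsquery ou)
        OUs = Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName
        # 3. Workstations (netdom query workstation)
        Workstations = $computers | Where-Object { $_.OperatingSystem -notlike '*Server*' } |
            Select-Object Name, OperatingSystem, DistinguishedName
        # 4. Member servers: server OS, but not a domain controller
        MemberServers = $computers | Where-Object {
                $_.OperatingSystem -like '*Server*' -and $dcNames -notcontains $_.Name } |
            Select-Object Name, OperatingSystem, DistinguishedName
        # 5. Domain controllers
        DomainControllers = $dcs | Select-Object Name, IPv4Address, Site
        # 7. Trusts (netdom query trust); empty in a single-domain lab
        Trusts = Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType
        # 6./8. FSMO role owners (netdom query pdc / fsmo): three domain-level, two forest-level
        FSMO = [pscustomobject]@{
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
            SchemaMaster         = $forest.SchemaMaster
            DomainNamingMaster   = $forest.DomainNamingMaster
        }
        # 9. Contents of a given OU (dsquery computer "ou=Domain Controllers,...")
        DomainControllersOU = Get-ADComputer -Filter * -SearchBase $domain.DomainControllersContainer |
            Select-Object Name, DistinguishedName
    }

    # One CSV per category so the snapshot can be diffed against a later run
    New-Item -ItemType Directory -Path $OutputCsvFolder -Force | Out-Null
    foreach ($key in $inventory.Keys) {
        $inventory[$key] | Export-Csv -Path (Join-Path $OutputCsvFolder "$key.csv") -NoTypeInformation
    }
    return $inventory
}

# Example run
$result = Get-DomainInventory
$result.FSMO | Format-List
$result.DomainControllers | Format-Table -AutoSize
$result.MemberServers | Format-Table -AutoSize
```

Comparing two snapshots of the exported CSVs (for example with Compare-Object on the DomainControllers and FSMO files) is a simple way to notice an unexpected new DC, trust or FSMO move between runs.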
10. List user accounts inactive for 3 weeks or longer:
dsquery user domainroot -inactive 3
Note: In this lab all users have been active, so the results are empty.
11. Find anything created in AD at or after the date and time specified (format: YYYYMMDDHHMMSS.sZ, in UTC). The filter is quoted because cmd.exe would otherwise treat the ">" as output redirection:
dsquery * -filter "(whenCreated>=20230717125405.0Z)"
12. Filter for user objects created at or after the specified date and time (quoted, since "&" and ">" are special to cmd.exe):
dsquery * -filter "(&(whenCreated>=20230717125405.0Z)(objectClass=user))"
13. Another way to get creation and change information for the objects in a specified OU:
ldifde -d "ou=DomainUsers,DC=tc,DC=local" -l whenCreated,whenChanged -p onelevel -r "(objectCategory=user)" -f alternative.txt
14. Another option:
dsquery * dc=tc,dc=local -filter "(&(objectCategory=person)(objectClass=user)(whenCreated>=20230717125405.0Z))"
15. The other option, adfind, is a 3rd-party tool. It was not included because malware was detected in the packages I found for installation.
adfind -csv -b dc=tc,dc=local -f "(&(objectCategory=person)(objectClass=user)(whenCreated>=20230717125405.0Z))"
16. Using PowerShell
Get all Active Directory user objects that were created in the last 90 days:
Import-Module ActiveDirectory
$90DaysAgo = (Get-Date).AddDays(-90)
Get-ADUser -Filter {Created -ge $90DaysAgo}
Another way:
Get-ADUser -Filter * -Properties whenCreated | Where-Object {$_.whenCreated -ge ((Get-Date).AddDays(-90)).Date}
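Items 10 to 16 all ask the same two questions in different tools: what was created after a given moment, and which accounts have gone quiet. The generalized-time string in the dsquery, ldifde and adfind filters (20230717125405.0Z) is easy to get wrong by hand, in particular the UTC requirement, so the following added example (not part of the original notes) builds it from a PowerShell DateTime, runs the same LDAP filter through Get-ADObject, and reproduces the "inactive for N weeks" query with Search-ADAccount. It assumes the RSAT ActiveDirectory module is installed; the search base defaults to the current domain and the 30-day and 3-week thresholds are example values.

```powershell
# Added example (not from the original notes): time-based AD queries from items 10-16
# done with the ActiveDirectory module. Assumes RSAT ActiveDirectory is installed;
# thresholds and search base are example values.
Import-Module ActiveDirectory

function ConvertTo-GeneralizedTime {
    # LDAP generalized time as used in the dsquery/ldifde/adfind filters:
    # YYYYMMDDHHMMSS.0Z, always expressed in UTC (the trailing Z)
    param([Parameter(Mandatory)][datetime]$Date)
    return $Date.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'
}

function Get-RecentlyCreatedAccounts {
    # Users and computers created on or after $Since, using the same LDAP
    # filter shape as "dsquery * -filter (&(...)(whenCreated>=...))"
    param(
        [Parameter(Mandatory)][datetime]$Since,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName   # e.g. DC=tc,DC=local
    )
    $stamp  = ConvertTo-GeneralizedTime -Date $Since
    $filter = "(&(|(objectClass=user)(objectClass=computer))(whenCreated>=$stamp))"
    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -Properties whenCreated, objectClass |
        Select-Object Name, objectClass, whenCreated, DistinguishedName
}

function Get-InactiveUsers {
    # Equivalent of "dsquery user domainroot -inactive 3" (N weeks without a logon),
    # based on the replicated lastLogonTimestamp, which can lag real logons by up to 14 days
    param([int]$Weeks = 3)
    Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days ($Weeks * 7)) |
        Select-Object Name, SamAccountName, LastLogonDate, Enabled
}

# Example run: everything created in the last 30 days, and users idle for 3+ weeks
$since = (Get-Date).AddDays(-30)
"LDAP timestamp for $since is $(ConvertTo-GeneralizedTime -Date $since)"
Get-RecentlyCreatedAccounts -Since $since | Format-Table -AutoSize
Get-InactiveUsers -Weeks 3 | Format-Table -AutoSize
```

Because whenCreated is stored in UTC, converting the local DateTime with ToUniversalTime() before formatting keeps the PowerShell results consistent with the hand-written dsquery filters above; a local-time stamp would shift the cutoff by the machine's UTC offset.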