Active Directory Inventory


An inventory of Active Directory is a fundamental component of effective IT management and security practices. It provides valuable insights into the network environment, facilitates compliance with industry regulations, and helps organizations maintain a secure and well-organized IT infrastructure.


1.     List all OUs:

dsquery ou DC=<DOMAIN>,DC=<DOMAIN EXTENSION>


2.     List of organizational units under which the specified user can create a machine object:

netdom query ou



Note: This API was patched to reduce attack surface. Source: https://www.itprotoday.com/windows-78/jsi-tip-10226-netdom-query-domain-ou-command-errors-requested-api-not-supported-remote

3.     List Machines on the domain:

netdom query workstation



4.     List Servers on the domain:

netdom query server


Note: This is blank because there are no member servers in this lab; the Domain Controller "TCDC" is not included in this listing.

5.     List Domain Controllers:

netdom query dc


6.     List Primary DC:

netdom query PDC


7.     List Domain Trusts:

netdom query trust


Note: As we're dealing with a single domain, this is empty; no trust relationship is configured with another domain.

8.     List FSMO role owners:

netdom query FSMO


9.     List all contents of a given OU:

dsquery computer "OU=Domain Controllers,DC=tc,DC=local"



10.  List user accounts inactive for 3 weeks or longer:

dsquery user domainroot -inactive 3


Note: In this lab all users have been active, so the results are empty.

11.  Find anything created in AD on or after the date and time specified (Format: YYYYMMDDHHMMSS.sZ):

dsquery * -filter "(whenCreated>=20230717125405.0Z)"


12.  Filter for user objects created on or after the specified time and date:

dsquery * -filter "(&(whenCreated>=20230717125405.0Z)(objectClass=user))"


13.  Another way to get creation and change timestamps for the user objects in a specified OU, exported to a file:

ldifde -d "OU=DomainUsers,DC=tc,DC=local" -l whenCreated,whenChanged -p onelevel -r "(objectCategory=user)" -f alternative.txt


14.  Another option, restricting the search to user objects only:

dsquery * dc=tc,dc=local -filter "(&(objectCategory=person)(objectClass=user)(whenCreated>=20230717125405.0Z))"



15.  The other option, "adfind", is a 3rd-party tool. It was not included here because malware was detected in the installation packages I found.

adfind -csv -b dc=tc,dc=local -f "(&(objectCategory=person)(objectClass=user)(whenCreated>=20230717125405.0Z))"

16.  Using PowerShell

Get all Active Directory user objects that were created in the last 90 days:

Import-Module ActiveDirectory                  # RSAT AD module (available on DCs and RSAT-equipped hosts)
$90DaysAgo = (Get-Date).AddDays(-90)           # cut-off date for "recently created"
Get-ADUser -Filter {Created -ge $90DaysAgo}    # server-side filter on the Created attribute


Another way:

Get-ADUser -Filter * -Properties whenCreated | Where-Object {$_.whenCreated -ge ((Get-Date).AddDays(-90)).Date}

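The steps above can be collected in a single PowerShell run that writes each result set to CSV, so successive inventories can be diffed for unexpected new machines, accounts or trusts. This is an added example, not from the original page; it assumes the RSAT ActiveDirectory module, read access to the domain, and the placeholder output path `C:\ADInventory`.

```powershell
# Added example: one inventory pass covering the dsquery/netdom steps above.
# Assumptions: RSAT ActiveDirectory module installed, domain read access,
# and $OutDir is a placeholder path to adjust.
Import-Module ActiveDirectory

$OutDir   = 'C:\ADInventory'                 # placeholder output folder
$Since    = (Get-Date).AddDays(-90)          # "created recently" window
$Inactive = New-TimeSpan -Days 21            # same as "dsquery user -inactive 3"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$domain = Get-ADDomain
$forest = Get-ADForest
# 5. Domain controllers (netdom query dc)
$dcs     = Get-ADDomainController -Filter *
$dcNames = @($dcs | ForEach-Object Name)

$inventory = [ordered]@{
    # 1. All OUs (dsquery ou)
    OUs        = Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName
    # 3/4. Member workstations and servers; DCs are listed separately below
    Computers  = Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate |
                 Where-Object { $dcNames -notcontains $_.Name } |
                 Select-Object Name, OperatingSystem, LastLogonDate, DistinguishedName
    DCs        = $dcs | Select-Object Name, IPv4Address, Site, IsGlobalCatalog
    # 7. Trusts (netdom query trust); empty in a single-domain lab
    Trusts     = Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive
    # 10. Users inactive for 3 weeks or longer (dsquery user -inactive 3)
    Inactive   = Search-ADAccount -AccountInactive -TimeSpan $Inactive -UsersOnly |
                 Select-Object SamAccountName, LastLogonDate, Enabled
    # 11/12. Any object created on or after the cut-off (whenCreated filter)
    NewObjects = Get-ADObject -Filter { whenCreated -ge $Since } -Properties whenCreated |
                 Select-Object Name, ObjectClass, whenCreated, DistinguishedName
    # 6/8. PDC and the other FSMO role owners (netdom query PDC / FSMO)
    FSMO       = [pscustomobject]@{
                     PDCEmulator          = $domain.PDCEmulator
                     RIDMaster            = $domain.RIDMaster
                     InfrastructureMaster = $domain.InfrastructureMaster
                     SchemaMaster         = $forest.SchemaMaster
                     DomainNamingMaster   = $forest.DomainNamingMaster
                 }
}

foreach ($name in $inventory.Keys) {
    $rows = @($inventory[$name])                 # empty sets give 0 rows and no file
    $path = Join-Path $OutDir "$name.csv"
    if ($rows.Count -gt 0) { $rows | Export-Csv -Path $path -NoTypeInformation }
    '{0,-10} {1,5} rows -> {2}' -f $name, $rows.Count, $path
}
```

Keep the CSVs from each run and compare them; a new domain controller, trust or computer object that nobody provisioned is worth an immediate look.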