I had a free day yesterday, and I always love to spend my free time on the Xbox or PlayStation, depends on the mood. So, while I’m rushing and jumping all over Australia with my Lamborghini, I got a phone call, my first instinct was to mute it and continue with my race, but it was a good friend… so I muted it anyway 😶. When I finished the race, I called him back (yes, I’m a good friend😜). after a quick chit chat, he told me that he needs help to assess a new domain environment he needs to work on.

can you blame me for not answering the phone?

Image of Forza Horizon game

He told me that he needs to get some basic information about those topics:

  • Forest information
  • Domain information
  • GPO information
  • DHCP authorized server information
  • Users information
  • Group information

I asked him to prepare a computer in the domain with Remote Server Administration Tools (RSAT) and get a user credentials in the domain (no special privilege) while I’m writing him a guide.

Forest Information

When we install the RSAT, we get lot of new Powershell cmdlet. One of them is Get-ADForest cmdlet. Using this command, we can get information about the active directory forest (surprised?)

$ForestInformation = Get-ADForest

Each cmdlet can give us lot of information, and we don’t want to get lost, so in each cmdlet, we will focus on the information I think most relevant, I encourage you to investigate every cmdlet you see here if you don’t familiar with.

We would like to get information about the forest functional level, the domains in the forest, the root domain and schema master dc:

$ForestInformation | Select-Object ForestMode,Domains,RootDomain,SchemaMaster | Format-List
ForestMode   : Windows2008R2Forest
Domains      : {saggiehaim.net}
RootDomain   : saggiehaim.net
SchemaMaster : SHDC01.saggiehaim.net

The reason we put it into a variable first is because we will use it later.

Domain Information

In this part we will use two cmdlets, Get-ADDomain and Get-ADDomainController. We will use those cmdlets to find the functional level of the domains, the PDC and RID master, and information about the domain controllers.

First, we will use the Get-ADDomain, we will use it to get the following information: Name,Child Domains,Domain functional level,Infrastructure Master, PDC Emulator, RID Master.

# Single Domain Forest
Get-ADDomain | Select-Object Name,DomainMode,InfrastructureMaster,PDCEmulator,RIDMaster | Format-List
 
# Multi Domain Forest
($ForestInformation).Domains | Get-ADDomain | Select-Object Name,ChildDomains,DomainMode,InfrastructureMaster,PDCEmulator,RIDMaster | Format-List

Now we will use the Get-ADDomainController to get information about the Domain Controllers in each domain, it will be useful to get information about: Hostname, IPv4Address, Operating System, the LDAP and SSL Ports, and which site it belongs to:

# Single Domain Forest
Get-ADDomainController -Filter * -Server saggiehaim.net  | Select-Object Hostname,IPv4Address,OperatingSystem,LDAPport,sslport,site | Format-List
 
# Multi Domain Forest
($ForestInformation).Domains | Get-ADDomainController -Filter * -Server $_  | Select-Object Domain,Hostname,IPv4Address,OperatingSystem,LDAPport,SSLport,site | Format-List

This will give us a nice list:

Hostname    : SHDC01.saggiehaim.net
IPv4Address : 10.10.0.1
OperatingSystem : Windows Server 2012 R2 Standard
LDAPport    : 389
sslport     : 636
site        : Lab

GPO Information

Now GPO is super important, and every Domain Services guy will tell you, it can make or break your environment. When we start working on a new environment, we would like to know how many GPO we got and how many of them are not in use.

To get the GPO’s quantity, we can just run:

$GPOs = Get-GPO -All
$GPOs.Count

To get the unlinked GPO’s we can use the following script:

import-module GroupPolicy
 
$unlinkedGPOs = @()
$GPOs = Get-GPO -All  
ForEach($gpo  in $GPOs){ 
    [xml]$GPOXMLReport = $gpo | Get-GPOReport -ReportType xml 
    if ($GPOXMLReport.GPO.LinksTo -eq $null){ 
        $unlinkedGPOs += $gpo 
    }  
 }

When it’s done, we can get the information from the $unlinkedGPOs variable.

DisplayName      : Test GPO
DomainName       : saggiehaim.net
Owner            : saggiehaim\Domain Admins
Id               : eb9bf117-81c1-40f9-813a-ce211796189d
GpoStatus        : AllSettingsEnabled
Description      : 
CreationTime     : 9/23/2018 12:38:02 PM
ModificationTime : 9/23/2018 12:40:56 PM
UserVersion      : AD Version: 3, SysVol Version: 3
ComputerVersion  : AD Version: 0, SysVol Version: 0
WmiFilter        : 

DHCP Authorized Server Information

DHCP can be a vulnerability, and it’s something we want to control, we don’t want rogue DHCP servers that will serve wrong IP’s or worst, won’t be sync with the rest and will serve duplicated IP’s.

To get the list of the authorized DHCP Servers we can use the cmdlet:

Get-DhcpServerInDC

Users’ Information

It’s all about the users, the most critical resource we have in our environment. There are so many things we want to know about them, but we will limit it to the most important in my opinion:

  • Number of users
$users = Get-ADUser -Filter *
$users.Count
  • Count Number of active users
($users | where {$_.Enabled -eq $true}).count
  • Get Number of locked out users
(Search-ADAccount -LockedOut).count

Group Information

Groups can often be a pain, and it easy to lose control over them, those cmdlets will help us get some control over them:

  • Number of groups
(Get-ADGroup -Filter *).count
  • Getting all empty groups
Get-ADGroup -Properties Members -Filter * | Where-Object {$_.Members.Count -eq 0 } | Select-Object Name,DistinguishedName | Format-List

Today security is everywhere, and we all share the responsibility to keep our environment secure, we also like to get all the members of the Domain Admins and Enterprise Admins groups, we will ask questions about every member.

# Get Domain Admins members
(Get-ADGroup -Properties Members -Identity 'Domain Admins').Members
 
# Get Enterprise Admins members
(Get-ADGroup -Properties Members -Identity 'Enterprise Admins').Members

Don’t take it lightly. I once saw a company with Domain Users in the Domain Admins group…

Conclusion

One of the most challenging tasks in my job is taking over a domain environment. It can be very complicated, and it can take so much time just to understand what’s going on. There is a lot more information to look for, and lot more topics to investigate, but I think I gave you something to start with.

How will you counter this task? I would love to hear about it!