Active Directory PowerShell模块收集AD信息

0x00 前言简介

Microsoft为Windows Server 2008 R2（以及更高版本）提供了多个Active Directory PowerShell cmdlet，这大大简化了以前需要将涉及到的ADSI冗长代码行放在一起的任务。

在Windows客户端上，需要安装远程服务器管理工具（RSAT）并确保已安装Active Directory PowerShell模块。而在Windows服务器（2008 R2或更高版本）上的 PowerShell控制台（作为管理员）中运行如下命令：Import-Module  ServerManager ; Add-WindowsFeature RSAT-AD-PowerShell。

0x01  AD的目录预览

AD PowerShell cmdlet和以下方式执行效果一样：

Import-module  activeDirectory

$UserID = “JoeUser”

Get-ADUser $UserID –property *

需要值得注意的是使用PowerShell v3版本以及高版本，你无需运行第一行命令，因为PowerShell的将识别必要的模块和自动加载它。一旦加载了Active Directory PowerShell模块，就可以像浏览文件系统那样浏览AD。命令如下：

Ps> Import-module  activeDirectory

Ps>dir ad:

Ps>set-location  ad:

Ps >set-location  “dc=lab,dc=adsecurity,dc=org”

Ps>dir

0x02 查找有用的命令（Cmdlet）

1.基本的模块和统计

发现可用的PowerShell模块：Get-Module -ListAvailable

在PowerShell模块中发现cmdlet：Get-Command -module ActiveDirectory

PowerShell AD模块的Cmdlet个数：

(Get-Command -module ActiveDirectory).count

• Windows Server 2008 R2: 76 cmdlets
• Windows Server 2012: 135 cmdlets
• Windows Server 2012 R2: 147 cmdlets
• Windows Server 2016: 147 cmdlets

WINDOWS SERVER 2008 R2主要的cmdlets：

• Get/Set-ADForest

• Get/Set-ADDomain

• Get/Set-ADDomainController

• Get/Set-ADUser

• Get/Set-ADComputer

• Get/Set-ADGroup

• Get/Set-ADGroupMember

• Get/Set-ADObject

• Get/Set-ADOrganizationalUnit

• Enable-ADOptionalFeature

• Disable/Enable-ADAccount

• Move-ADDirectoryServerOperationMasterRole

• New-ADUser

• New-ADComputer

• New-ADGroup

• New-ADObject

• New-ADOrganizationalUnit

WINDOWS SERVER 2012含以版本一些新的cmdlets:

• *-ADResourcePropertyListMember

• *-ADAuthenticationPolicy

• *-ADAuthenticationPolicySilo

• *-ADCentralAccessPolicy

• *-ADCentralAccessRule

• *-ADResourceProperty

• *-ADResourcePropertyList

• *-ADResourcePropertyValueType

• *-ADDCCloneConfigFile

• *-ADReplicationAttributeMetadata

• *-ADReplicationConnection

• *-ADReplicationFailure

• *-ADReplicationPartnerMetadata

• *-ADReplicationQueueOperation

• *-ADReplicationSite

• *-ADReplicationSiteLink

• *-ADReplicationSiteLinkBridge

• *-ADReplicationSubnet

• *-ADReplicationUpToDatenessVectorTable

• Sync-ADObject

2.发现全局目录 GLOBAL CATALOGS (GCS)

• Forest GCs（森林全局目录）：

import-module ActiveDirectory

$ADForest = Get-ADForest

$ADForestGlobalCatalogs = $ADForest.GlobalCatalogs

• Domain DCs that are GCs（以域DCS的全局目录）：

import-module ActiveDirectory

$DCsNotGCs = Get-ADDomainController -filter { IsGlobalCatalog -eq $True}

• Domain DCs that are not GCs（以非域DCS的全局目录）：

import-module ActiveDirectory

$DCsNotGCs = Get-ADDomainController -filter { IsGlobalCatalog -eq $False }

3.查找Active Directory灵活单主机操作（FSMO）角色

活动目录模块：

（GET-ADForest）.SchemaMaster

（GET-ADForest）.DomainNamingMaster

（GET-ADDomain）.InfrastructureMaster

（GET-ADDomain）.PDCEmulator

（GET-ADDomain）.RIDMaster

.NET调用：

•Get the Current Domain:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

[System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
• Get the Computer’s Site:
[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
• List All Domain Controllers in a Domain:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
• Get Active Directory Domain Mode:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainMode
• List Active Directory FSMOs:
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).SchemaRoleOwner

([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).NamingRoleOwner

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).InfrastructureRoleOwner

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).RidRoleOwner

•Get Active Directory Forest Name:

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name

• Get a List of Sites in the Active
Directory Forest:

[array] $ADSites =
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites

• Get Active Directory Forest Domains:

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains

• Get Active Directory Forest Global
Catalogs:

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs

• Get Active Directory Forest Mode:

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().ForestMode

• Get Active Directory Forest Root
Domain:

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain

4.FSMO角色从一个DC移动到另一个DC

get-command
-module activedirectory -noun *Master*

•Moving FSMO Roles:

Move-ADDirectoryServerOperationMasterRole
-Identity $DCName -OperationMasterRole RIDMaster

Move-ADDirectoryServerOperationMasterRole
-Identity $DCName -

OperationMasterRole
DomainNamingMaster

Move-ADDirectoryServerOperationMasterRole
-Identity $DCName -OperationMasterRole PDCEmulato

•Seizing FSMO Roles:

Move-ADDirectoryServerOperationMasterRole
-Identity $DCName -OperationMasterRole PDCEmulator –FORCE

0x03 Active Directory PowerShell模块Cmdlet示例

1.Get-RootDSE

获取有关LDAP服务器（域控制器）的信息并显示其内容，结果中有一些有趣的信息，比如DC运行的操作系统信息。

2.Get-ADForest

提供有关运行该命令计算机所在的Active
Directory森林信息。

3.Get-ADDomain

提供有关当前所在域的信息

4.Get-ADDomainController

提供特定于域控制器的计算机信息，通过cmdlet命令，可轻松查找到特定站点中的所有DC或运行OS版本信息。

5.Get-ADComputer

提供了关于AD中大多数计算机对象的信息，使用“-Prop *”参数运行的命令可以显示所有标准属性信息。

6. AD计算机的统计

$Time = (Measure-Command `

{[array] $AllComputers =
Get-ADComputer -filter * -properties

Name,CanonicalName,Enabled,passwordLastSet,SAMAccountName,LastLogonTimeSt

amp,DistinguishedName,OperatingSystem
}).TotalMinutes

$AllComputersCount =
$AllComputers.Count

Write-Output “There were
$AllComputersCount Computers discovered in

$DomainDNS in $Time minutes… `r “

7.Get-ADUser

提供了想要了解有关AD用户的大部分内容信息，使用“-Prop *”参数运行的命令可以显示所有标准属性信息。

 8. AD用户的统计

import-Module ActiveDirectory

$DomainDNS =
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

[array]$AllUsers = Get-ADUser
-filter * -properties

Name,DistinguishedName,Enabled,LastLogonDate,LastLogonTimeStamp,LockedOut,msExchHom

eServerName,SAMAccountName

$AllUsersCount = $AllUsers.Count

Write-Output “There were
$AllUsersCount user objects discovered in $ADDomainDNSRoot … “

[array] $DisabledUsers =
$AllUsers | Where-Object { $_.Enabled -eq $False }

$DisabledUsersCount =
$DisabledUsers.Count

[array] $EnabledUsers = $AllUsers
| Where-Object { $_.Enabled -eq $True }

$EnabledUsersCount =
$EnabledUsers.Count

Write-Output “There are
$EnabledUsersCount Enabled users and there are $DisabledUsersCount

Disabled users in $DomainDNS “

9.Get-ADGroup

提供有关AD组的信息，运行如下命令可查找所有安全组：
Get-ADGroup -Filter {GroupCategory -eq ‘Security}

10.Get-ADGroupMember

枚举并返回组成员信息，使用”-Recursive”参数可包括嵌套组的所有成员。
Get-ADGroupMember ‘Administrators’ -Recursive

11.查找非活动计算机

以下示例查找非活动（旧版本）计算机和用户：在过去10天内未更改其密码的帐户。请注意，这是一个测试示例。对于实际的生产环境，将此建议更改为计算机的60到90天，用户的180到365天的策略。

12.查找非活动用户

13.枚举域信任

14.获取活动目录的实施日期

15.获取AD密码策略

16.获取AD站点信息
请注意Windows 2012模块中包含站点的cmdlet（Get-ADReplicationSite *）。

17. 获得tombstonelifetime信息

18.AD的回收信息

Requires Forest Functional Mode =
Windows Server 2008 R2

• Enable the Recycle Bin
(as Enterprise Admin)

Enable-ADOptionalFeature
–Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory

Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=COM’ –Scope

ForestOrConfigurationSet –Target
‘DOMAIN.COM’

• Find all Deleted Users

$DeletedUsers = Get-ADObject
-SearchBase “CN=Deleted Objects,DC=DOMAIN,DC=COM” -Filter

{ObjectClass -eq “user”}
-IncludeDeletedObjects -Properties lastKnownParent

• Restore all Deleted
Users

$DeletedUsers | Restore-ADObject

• Restore users deleted on
a specific date

$ChangeDate = Get-Date (“1/1/2015″)

Get-ADObject -Filter {
(whenChanged -eq $changeDate) -and (isDeleted -eq $true) -and (name -ne

“Deleted Objects”) -and
(ObjectClass -eq “user”) } -IncludeDeletedObjects -Properties * |
RestoreADObject

19.DOMAIN RID STATS（域 rid 统计）

20.备份域GPO
请注意，这需要安装组策略PowerShell模块，该模块与Active Directory模块分开。

21.查找AD Kerberos服务帐户

22. 服务账号脚本

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Find-PSServiceAccounts

使用SPNS在AD中发现服务：SQl

列出SQL服务：

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSMSSQLServers

23.列出域控制器
Get-ADDomainController-filter
* | `select hostname，IPv4Address，IsGlobalCatalog，IsReadOnly，OperatingSystem
| `format-table -auto

24.DOMAIN CONTROLLERS DISCOVERY（域控制器的发现）

• Discover
PDCe in domain（发现域的PDCe）
Get-ADDomainController –Discover –ForceDiscover –Service “PrimaryDC” –
DomainName “lab.adsecurity.org”
• Discover
DCs in a Site（发现站点的DCs）
Get-ADDomainController –Discover –Site “HQ”
• Find all
Read-Only Domain Controllers that are GCs(查找所有作为GCs的只读域控制器)
Get-ADDomainController –filter `
{ (isGlobalCatalog –eq $True) –AND (isReadOnly –eq $True) }

25.AD数据库完整性检查

Write-Output
"Checking the NTDS database for errors (semantic database

analysis)
`r "

Stop-Service
ntds -force

$NTDSdbChecker
= ntdsutil "activate instance ntds" "semantic database

analysis"
"verbose on" "Go" q q

Start-Service
ntds

Write-Output
"Results of Active Directory database integrity check: `r "

$NTDSdbChecker

26.Get-ADReplicationPartnerMetadata

Windows
Server 2012及更高版本，此命令用于显示目标DC复制伙伴的复制元数据

27.Get-ADReplicationPartnerFailure

提供有关DC复制失败状态的信息，此命令显示AD复制错误的描述，CMDLETS (2012)

28.Get-ADReplicationUptodatenessVectorTable

跟踪域控制器之间的复制状态，CMDLETS (2012)

29.AD Web服务（ADWS）

需要在目标DC上运行AD Web服务（ADWS）（TCP 9389）

Get-ADDomainController
–Discover –Service “ADWS”

30.REPADMIN（目录复制工具） VS.
POWERSHELL

REPADMIN	PowerShell
	2012 Cmdlets
/FailCache	Get-ADReplicationFailure
/Queue	Get-ADReplicationQueueOperation
/ReplSingleObj	Sync-ADObject
/ShowConn	Get-ADReplicationConnection
/ShowObjMeta	Get-ADReplicationAttributeMetadata
/ShowRepl /ReplSum	Get-ADReplicationPartnerMetadata
/ShowUTDVec	Get-ADReplicationUpToDatenessVectorTable
/SiteOptions	Set-ADReplicationSite
	2008 R2 Cmdlets
/ShowAttr	Get-ADObject
/SetAttr	Set-ADObject
/PRP	Get-ADDomainControllerPasswordReplicationPolicy
Add-ADDomainControllerPasswordReplicationPolicy
Remove-ADDomainControllerPasswordReplicationPolicy
Get-ADAccountResultantPasswordReplicationPolicy
Get-ADDomainControllerPasswordReplicationPolicyUsage