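This article is about intranet domain penetration: gathering important information without administrator privileges.

A fact that is often forgotten (or misunderstood) is that most objects and their attributes can be viewed (read) by authenticated users, which usually means any domain user. Administrators may assume that because this data is easy to reach through administrative tools such as "Active Directory Users and Computers" (dsa.msc) or "Active Directory Administrative Center" (dsac.msc), other people cannot see user data (beyond what is exposed in Outlook's GAL). This often leads to password data being placed in user object attributes or in SYSVOL.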
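An added example (not from the original article) that lets a defender audit the exposure described above: it scans free-text attributes that any authenticated user can read for credential-like strings and reports the location with the value masked. The function name, the attribute list, the pattern and the sample objects are all assumptions constructed for illustration; against a live domain the input would come from `Get-ADUser -Filter * -Properties Description,Info,Comment`.

```powershell
# Added example: audit free-text directory attributes for credential-like content.
# Accepts any objects that expose the listed properties (for example Get-ADUser output).

function Find-CredentialLikeAttribute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject,

        # Assumed set of free-text attributes to review; extend as needed.
        [string[]]$Attribute = @('Description', 'Info', 'Comment'),

        # A keyword, then a separator ("is", ":" or "="), then a non-space token.
        [string]$Pattern = '(?i)\b(pass(word|wd)?|pwd|cred(ential)?s?)\b\s*(is\b|[:=])\s*(?<secret>\S+)'
    )
    process {
        foreach ($name in $Attribute) {
            $prop = $InputObject.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }

            $text = [string]$prop.Value
            if ([string]::IsNullOrWhiteSpace($text)) { continue }

            $m = [regex]::Match($text, $Pattern)
            if (-not $m.Success) { continue }

            # Keep the keyword and separator, mask the token itself so the
            # report does not become a second copy of the secret.
            $prefixLength = $m.Groups['secret'].Index - $m.Index
            $masked = $m.Value.Substring(0, $prefixLength) + ('*' * 8)

            [pscustomobject]@{
                DistinguishedName = $InputObject.DistinguishedName
                Attribute         = $name
                Finding           = $masked
            }
        }
    }
}

# Constructed sample objects standing in for directory query results.
$sample = @(
    [pscustomobject]@{
        DistinguishedName = 'CN=svc-example1,OU=Test,DC=example,DC=test'
        Description       = 'SQL service account. Password: Example-Not-Real-1'
        Info              = $null
    }
    [pscustomobject]@{
        DistinguishedName = 'CN=user-example2,OU=Test,DC=example,DC=test'
        Description       = 'Help desk, building 4'
        Info              = 'temp pwd = Example-Not-Real-2'
    }
    [pscustomobject]@{
        # No separator after the keyword, so this one is not reported.
        DistinguishedName = 'CN=user-example3,OU=Test,DC=example,DC=test'
        Description       = 'Password issues are handled by the help desk'
    }
)

$sample | Find-CredentialLikeAttribute | Format-Table -AutoSize
```

Each finding identifies an attribute to clean up and an account whose password should be rotated, since the value was readable by every authenticated user while it sat in the directory.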
PS C:\> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

Name: lab.adsecurity.org
Sites: {Default-First-Site-Name}
Domains: {lab.adsecurity.org, child.lab.adsecurity.org}
GlobalCatalogs: {ADSDC01.lab.adsecurity.org, ADSDC02.lab.adsecurity.org, ADSDC03.lab.adsecurity.org, ADSDC11.child.lab.adsecurity.org}
ApplicationPartitions: {DC=DomainDnsZones,DC=child,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org, DC=ForestDnsZones,DC=lab,DC=adsecurity,DC=org}
ForestMode: Windows2008R2Forest
RootDomain: lab.adsecurity.org
Schema: CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org
SchemaRoleOwner: ADSDC03.lab.adsecurity.org
NamingRoleOwner: ADSDC03.lab.adsecurity.org

PS C:\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Forest: lab.adsecurity.org
DomainControllers: {ADSDC01.lab.adsecurity.org, ADSDC02.lab.adsecurity.org, ADSDC03.lab.adsecurity.org}
Children: {child.lab.adsecurity.org}
DomainMode: Windows2008R2Domain
Parent:
PdcRoleOwner: ADSDC03.lab.adsecurity.org
RidRoleOwner: ADSDC03.lab.adsecurity.org
InfrastructureRoleOwner: ADSDC03.lab.adsecurity.org
Name: lab.adsecurity.org

$ForestRootDomain = 'lab.adsecurity.org'
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $ForestRootDomain)))).GetAllTrustRelationships()

PS C:\> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

SourceName: lab.adsecurity.org
TargetName: child.lab.adsecurity.org
TrustType: ParentChild
TrustDirection: Bidirectional

PS C:\> [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs

Forest : lab.adsecurity.org
CurrentTime : 1/27/2016 5:31:36 PM
HighestCommittedUsn : 305210
OSVersion : Windows Server 2008 R2 Datacenter
Roles : {}
Domain : lab.adsecurity.org
IPAddress : 172.16.11.11
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {36bfdadf-777d-4bad-9427-bc148cea256f, 48594a5d-c2a3-4cd1-a80d-bedf367cc2a9, 549871d2-e238-4423-a6b8-1bb
OutboundConnections : {9da361fd-0eed-414a-b4ee-0a9caa1b153e, 86690811-f995-4c3e-89fe-73c61fa4a3a0, 8797cbb4-fe09-49dc-8891-952
Name : ADSDC01.lab.adsecurity.org
Partitions : {DC=lab,DC=adsecurity,DC=org, CN=Configuration,DC=lab,DC=adsecurity,DC=org, CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org…

Forest : lab.adsecurity.org
CurrentTime : 1/27/2016 5:31:37 PM
HighestCommittedUsn : 274976
OSVersion : Windows Server 2012 R2 Datacenter
Roles : {SchemaRole, NamingRole, PdcRole, RidRole…}
Domain : lab.adsecurity.org
IPAddress : fe80::1881:40d5:fc2e:e744%12
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {86690811-f995-4c3e-89fe-73c61fa4a3a0, dd7b36a8-a52e-446d-95a8-318b69bd9765}
OutboundConnections : {f901f0b5-8754-44e9-92e8-f56b3d67197b, 549871d2-e238-4423-a6b8-1bb258e2a62f}
Name : ADSDC03.lab.adsecurity.org
Partitions : {DC=lab,DC=adsecurity,DC=org, CN=Configuration,DC=lab,DC=adsecurity,DC=org, CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org, DC=DomainDnsZones,DC=lab,DC=adsecurity,DC=org…

Forest : lab.adsecurity.org
CurrentTime : 1/27/2016 5:31:38 PM
HighestCommittedUsn : 161898
OSVersion : Windows Server 2012 R2 Datacenter
Roles : {PdcRole, RidRole, InfrastructureRole}
Domain : child.lab.adsecurity.org
IPAddress : 172.16.11.21
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {612c2d75-1c35-4073-a8a9-d41169665000, 8797cbb4-fe09-49dc-8891-952f38822eda}
OutboundConnections : {71ea129f-8d56-4bd0-9b68-d80e89ae7385, 36bfdadf-777d-4bad-9427-bc148cea256f}
Name : ADSDC11.child.lab.adsecurity.org
Partitions : {CN=Configuration,DC=lab,DC=adsecurity,DC=org, CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org, DC=ForestDnsZones,DC=lab,DC=adsecurity,DC=org, DC=child,DC=lab,DC=adsecurity,DC=org…}

PS C:\> get-adcomputer -filter {ServicePrincipalName -like "*TERMSRV*"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

DistinguishedName : CN=ADSDC02,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSDC02.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 6:46:18 AM
Name : ADSDC02
ObjectClass : computer
ObjectGUID : 1efe44af-d8d9-420b-a66a-8d771d295085
OperatingSystem : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 12/31/2015 6:34:15 AM
SamAccountName : ADSDC02$
ServicePrincipalName : {DNS/ADSDC02.lab.adsecurity.org, HOST/ADSDC02/ADSECLAB, HOST/ADSDC02.lab.adsecurity.org/ADSECLAB, GC/ADSDC02.lab.adsecurity.org/lab.adsecurity.org…}
SID : S-1-5-21-1581655573-3923512380-696647894-1103
TrustedForDelegation : True
TrustedToAuthForDelegation : False
UserPrincipalName :

DistinguishedName : CN=ADSDC01,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSDC01.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 6:47:21 AM
Name : ADSDC01
ObjectClass : computer
ObjectGUID : 31b2038d-e63d-4cfe-b7b6-77206c325af9
OperatingSystem : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 12/31/2015 6:34:14 AM
SamAccountName : ADSDC01$
ServicePrincipalName : {ldap/ADSDC01.lab.adsecurity.org/ForestDnsZones.lab.adsecurity.org, ldap/ADSDC01.lab.adsecurity.org/DomainDnsZones.lab.adsecurity.org, TERMSRV/ADSDC01, TERMSRV/ADSDC01.lab.adsecurity.org…}
SID : S-1-5-21-1581655573-3923512380-696647894-1000
TrustedForDelegation : True
TrustedToAuthForDelegation : False
UserPrincipalName :

DistinguishedName : CN=ADSDC03,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSDC03.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 6:35:16 AM
Name : ADSDC03
ObjectClass : computer
ObjectGUID : 0a2d849c-cc59-4785-8ba2-997fd6ca4dc8
OperatingSystem : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack :
OperatingSystemVersion : 6.3 (9600)
PasswordLastSet : 12/31/2015 6:34:16 AM
SamAccountName : ADSDC03$
ServicePrincipalName : {DNS/ADSDC03.lab.adsecurity.org, HOST/ADSDC03.lab.adsecurity.org/ADSECLAB, RPC/c8e1e99e-2aaa-4888-a5d8-23a4355fac48._msdcs.lab.adsecurity.org, GC/ADSDC03.lab.adsecurity.org/lab.adsecurity.org…}
SID : S-1-5-21-1581655573-3923512380-696647894-1601
TrustedForDelegation : True
TrustedToAuthForDelegation : False
UserPrincipalName :

DistinguishedName : CN=ADSWRKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSWRKWIN7.lab.adsecurity.org
Enabled : True
LastLogonDate : 8/29/2015 6:40:16 PM
Name : ADSWRKWIN7
ObjectClass : computer
ObjectGUID : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70
OperatingSystem : Windows 7 Enterprise
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 8/29/2015 6:40:12 PM
SamAccountName : ADSWRKWIN7$
ServicePrincipalName : {TERMSRV/ADSWRKWin7.lab.adsecurity.org, TERMSRV/ADSWRKWIN7, RestrictedKrbHost/ADSWRKWIN7, HOST/ADSWRKWIN7…}
SID : S-1-5-21-1581655573-3923512380-696647894-1104
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :

DistinguishedName : CN=ADSAP01,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP01.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/24/2016 11:03:41 AM
Name : ADSAP01
ObjectClass : computer
ObjectGUID : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681
OperatingSystem : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 1/4/2016 6:38:16 AM
SamAccountName : ADSAP01$
ServicePrincipalName : {WSMAN/ADSAP01.lab.adsecurity.org, WSMAN/ADSAP01, TERMSRV/ADSAP01.lab.adsecurity.org, TERMSRV/ADSAP01…}
SID : S-1-5-21-1581655573-3923512380-696647894-1105
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :

DistinguishedName : CN=ADSWKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSWKWIN7.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 7:07:11 AM
Name : ADSWKWIN7
ObjectClass : computer
ObjectGUID : 2f164d63-d721-4b0e-a553-3ca0e272aa96
OperatingSystem : Windows 7 Enterprise
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 12/31/2015 8:03:05 AM
SamAccountName : ADSWKWIN7$
ServicePrincipalName : {TERMSRV/ADSWKWin7.lab.adsecurity.org, TERMSRV/ADSWKWIN7, RestrictedKrbHost/ADSWKWIN7, HOST/ADSWKWIN7…}
SID : S-1-5-21-1581655573-3923512380-696647894-1602
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :

DistinguishedName : CN=ADSAP02,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP02.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/24/2016 7:39:48 AM
Name : ADSAP02
ObjectClass : computer
ObjectGUID : 1006978e-8627-4d01-98b6-3215c4ee4541
OperatingSystem : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack :
OperatingSystemVersion : 6.3 (9600)
PasswordLastSet : 1/4/2016 6:39:25 AM
SamAccountName : ADSAP02$
ServicePrincipalName : {WSMAN/ADSAP02.lab.adsecurity.org, WSMAN/ADSAP02, TERMSRV/ADSAP02.lab.adsecurity.org, TERMSRV/ADSAP02…}
SID : S-1-5-21-1581655573-3923512380-696647894-1603
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :

PS C:\> get-aduser -filter {ServicePrincipalName -like "*"} -Properties PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

DistinguishedName : CN=svc-adsMSSQL11,OU=Test,DC=lab,DC=adsecurity,DC=org
Enabled : False
GivenName :
LastLogonDate :
Name : svc-adsMSSQL11
ObjectClass : user
ObjectGUID : 275d3bf4-80d3-42ba-9d77-405c5cc63c07
PasswordLastSet : 1/4/2016 7:13:03 AM
SamAccountName : svc-adsMSSQL11
ServicePrincipalName : {MSSQL/adsMSSQL11.lab.adsecurity.org:7434}
SID : S-1-5-21-1581655573-3923512380-696647894-3601
Surname :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :

DistinguishedName : CN=svc-adsSQLSA,OU=Test,DC=lab,DC=adsecurity,DC=org
Enabled : False
GivenName :
LastLogonDate :
Name : svc-adsSQLSA
ObjectClass : user
ObjectGUID : 56faaab2-5b05-4bb2-aaea-0bdc1409eab3
PasswordLastSet : 1/4/2016 7:13:13 AM
SamAccountName : svc-adsSQLSA
ServicePrincipalName : {MSSQL/adsMSSQL23.lab.adsecurity.org:7434, MSSQL/adsMSSQL22.lab.adsecurity.org:5534, MSSQL/adsMSSQL21.lab.adsecurity.org:9834, MSSQL/adsMSSQL10.lab.adsecurity.org:14434…}
SID : S-1-5-21-1581655573-3923512380-696647894-3602
Surname :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :

DistinguishedName : CN=svc-adsMSSQL10,OU=Test,DC=lab,DC=adsecurity,DC=org
Enabled : False
GivenName :
LastLogonDate :
Name : svc-adsMSSQL10
ObjectClass : user
ObjectGUID : 6c2f15a2-ba4a-485a-a367-39395ad82c86
PasswordLastSet : 1/4/2016 7:13:24 AM
SamAccountName : svc-adsMSSQL10
ServicePrincipalName : {MSSQL/adsMSSQL10.lab.adsecurity.org:7434}
SID : S-1-5-21-1581655573-3923512380-696647894-3603
Surname :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :

Created
Modified
Enabled
Description
LastLogonDate (Reboot)
PrimaryGroupID (516 = DC)
PasswordLastSet (Active/Inactive)

OperatingSystem
OperatingSystemVersion
OperatingSystemServicePack
PasswordLastSet
LastLogonDate (PowerShell cmdlet attribute)
ServicePrincipalName
TrustedForDelegation
TrustedToAuthForDelegation

PS C:\> get-adcomputer -filter {PrimaryGroupID -eq "515"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

DistinguishedName : CN=ADSWRKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSWRKWIN7.lab.adsecurity.org
Enabled : True
LastLogonDate : 8/29/2015 6:40:16 PM
Name : ADSWRKWIN7
ObjectClass : computer
ObjectGUID : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70
OperatingSystem : Windows 7 Enterprise
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 8/29/2015 6:40:12 PM
SamAccountName : ADSWRKWIN7$
ServicePrincipalName : {TERMSRV/ADSWRKWin7.lab.adsecurity.org, TERMSRV/ADSWRKWIN7, RestrictedKrbHost/ADSWRKWIN7, HOST/ADSWRKWIN7…}
SID : S-1-5-21-1581655573-3923512380-696647894-1104
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :

DistinguishedName : CN=ADSAP01,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP01.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/24/2016 11:03:41 AM
Name : ADSAP01
ObjectClass : computer
ObjectGUID : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681
OperatingSystem : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 1/4/2016 6:38:16 AM
SamAccountName : ADSAP01$
ServicePrincipalName : {WSMAN/ADSAP01.lab.adsecurity.org, WSMAN/ADSAP01, TERMSRV/ADSAP01.lab.adsecurity.org, TERMSRV/ADSAP01…}
SID : S-1-5-21-1581655573-3923512380-696647894-1105
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :

DistinguishedName : CN=ADSWKWIN7,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSWKWIN7.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 7:07:11 AM
Name : ADSWKWIN7
ObjectClass : computer
ObjectGUID : 2f164d63-d721-4b0e-a553-3ca0e272aa96
OperatingSystem : Windows 7 Enterprise
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 12/31/2015 8:03:05 AM
SamAccountName : ADSWKWIN7$
ServicePrincipalName : {TERMSRV/ADSWKWin7.lab.adsecurity.org, TERMSRV/ADSWKWIN7, RestrictedKrbHost/ADSWKWIN7, HOST/ADSWKWIN7…}
SID : S-1-5-21-1581655573-3923512380-696647894-1602
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :

DistinguishedName : CN=ADSAP02,CN=Computers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP02.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/24/2016 7:39:48 AM
Name : ADSAP02
ObjectClass : computer
ObjectGUID : 1006978e-8627-4d01-98b6-3215c4ee4541
OperatingSystem : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack :
OperatingSystemVersion : 6.3 (9600)
PasswordLastSet : 1/4/2016 6:39:25 AM
SamAccountName : ADSAP02$
ServicePrincipalName : {WSMAN/ADSAP02.lab.adsecurity.org, WSMAN/ADSAP02, TERMSRV/ADSAP02.lab.adsecurity.org, TERMSRV/ADSAP02…}
SID : S-1-5-21-1581655573-3923512380-696647894-1603
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UserPrincipalName :

PS C:\> get-adcomputer -filter {PrimaryGroupID -eq "516"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

DistinguishedName : CN=ADSDC02,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSDC02.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 6:46:18 AM
Name : ADSDC02
ObjectClass : computer
ObjectGUID : 1efe44af-d8d9-420b-a66a-8d771d295085
OperatingSystem : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 12/31/2015 6:34:15 AM
SamAccountName : ADSDC02$
ServicePrincipalName : {DNS/ADSDC02.lab.adsecurity.org, HOST/ADSDC02/ADSECLAB, HOST/ADSDC02.lab.adsecurity.org/ADSECLAB, GC/ADSDC02.lab.adsecurity.org/lab.adsecurity.org…}
SID : S-1-5-21-1581655573-3923512380-696647894-1103
TrustedForDelegation : True
TrustedToAuthForDelegation : False
UserPrincipalName :

DistinguishedName : CN=ADSDC01,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSDC01.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 6:47:21 AM
Name : ADSDC01
ObjectClass : computer
ObjectGUID : 31b2038d-e63d-4cfe-b7b6-77206c325af9
OperatingSystem : Windows Server 2008 R2 Datacenter
OperatingSystemServicePack : Service Pack 1
OperatingSystemVersion : 6.1 (7601)
PasswordLastSet : 12/31/2015 6:34:14 AM
SamAccountName : ADSDC01$
ServicePrincipalName : {ldap/ADSDC01.lab.adsecurity.org/ForestDnsZones.lab.adsecurity.org, ldap/ADSDC01.lab.adsecurity.org/DomainDnsZones.lab.adsecurity.org, TERMSRV/ADSDC01, TERMSRV/ADSDC01.lab.adsecurity.org…}
SID : S-1-5-21-1581655573-3923512380-696647894-1000
TrustedForDelegation : True
TrustedToAuthForDelegation : False
UserPrincipalName :

DistinguishedName : CN=ADSDC03,OU=Domain Controllers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSDC03.lab.adsecurity.org
Enabled : True
LastLogonDate : 1/20/2016 6:35:16 AM
Name : ADSDC03
ObjectClass : computer
ObjectGUID : 0a2d849c-cc59-4785-8ba2-997fd6ca4dc8
OperatingSystem : Windows Server 2012 R2 Datacenter
OperatingSystemServicePack :
OperatingSystemVersion : 6.3 (9600)
PasswordLastSet : 12/31/2015 6:34:16 AM
SamAccountName : ADSDC03$
ServicePrincipalName : {DNS/ADSDC03.lab.adsecurity.org, HOST/ADSDC03.lab.adsecurity.org/ADSECLAB, RPC/c8e1e99e-2aaa-4888-a5d8-23a4355fac48._msdcs.lab.adsecurity.org, GC/ADSDC03.lab.adsecurity.org/lab.adsecurity.org…}
SID : S-1-5-21-1581655573-3923512380-696647894-1601
TrustedForDelegation : True
TrustedToAuthForDelegation : False
UserPrincipalName :

OperatingSystem -Like "*Samba*"
OperatingSystem -Like "*OnTap*"
OperatingSystem -Like "*Data Domain*"
OperatingSystem -Like "*EMC*"
OperatingSystem -Like "*Windows NT*"

PS C:\> get-aduser -filter {AdminCount -eq 1} -Properties Name,AdminCount,ServicePrincipalName,PasswordLastSet,LastLogonDate,MemberOf

AdminCount : 1
DistinguishedName : CN=ADSAdministrator,CN=Users,DC=lab,DC=adsecurity,DC=org
Enabled : True
GivenName :
LastLogonDate : 1/27/2016 8:55:48 AM
MemberOf : {CN=Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=org, CN=Schema Admins,CN=Users,DC=lab,DC=adsecurity,DC=org, CN=Group Policy Creator Owners,CN=Users,DC=lab,DC=adsecurity,DC=org, CN=Enterprise Admins,CN=Users,DC=lab,DC=adsecurity,DC=org…}
Name : ADSAdministrator
ObjectClass : user
ObjectGUID : 72ac7731-0a76-4e5a-8e5d-b4ded9a304b5
PasswordLastSet : 12/31/2015 8:45:27 AM
SamAccountName : ADSAdministrator
SID : S-1-5-21-1581655573-3923512380-696647894-500
Surname :
UserPrincipalName :

AdminCount : 1
DistinguishedName : CN=krbtgt,CN=Users,DC=lab,DC=adsecurity,DC=org
Enabled : False
GivenName :
LastLogonDate :
MemberOf : {CN=Denied RODC Password Replication Group,CN=Users,DC=lab,DC=adsecurity,DC=org}
Name : krbtgt
ObjectClass : user
ObjectGUID : 3d5be8dd-df7f-4f84-b2cf-4556310a7292
PasswordLastSet : 8/27/2015 7:10:22 PM
SamAccountName : krbtgt
ServicePrincipalName : {kadmin/changepw}
SID : S-1-5-21-1581655573-3923512380-696647894-502
Surname :
UserPrincipalName :

AdminCount : 1
DistinguishedName : CN=LukeSkywalker,OU=AD Management,DC=lab,DC=adsecurity,DC=org
Enabled : True
GivenName :
LastLogonDate : 8/29/2015 7:29:52 PM
MemberOf : {CN=Domain Admins,CN=Users,DC=lab,DC=adsecurity,DC=org}
Name : LukeSkywalker
ObjectClass : user
ObjectGUID : 32b5226b-aa6d-4b35-a031-ddbcbde07137
PasswordLastSet : 8/29/2015 7:26:02 PM
SamAccountName : LukeSkywalker
SID : S-1-5-21-1581655573-3923512380-696647894-2629
Surname :
UserPrincipalName :

PS C:\> get-adgroup -filter {GroupCategory -eq 'Security' -AND Name -like "*admin*"}

DistinguishedName : CN=Domain Admins,CN=Users,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : Global
Name : Domain Admins
ObjectClass : group
ObjectGUID : 5621cc71-d318-4e2c-b1b1-c181f630e10e
SamAccountName : Domain Admins
SID : S-1-5-21-1581655573-3923512380-696647894-512

DistinguishedName : CN=Workstation Admins,OU=AD Management,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : Global
Name : Workstation Admins
ObjectClass : group
ObjectGUID : 88cd4d52-aedb-4f90-9ebd-02d4c0e322e4
SamAccountName : WorkstationAdmins
SID : S-1-5-21-1581655573-3923512380-696647894-2627

DistinguishedName : CN=Server Admins,OU=AD Management,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : Global
Name : Server Admins
ObjectClass : group
ObjectGUID : 3877c311-9321-41c0-a6b5-c0d88684b335
SamAccountName : ServerAdmins
SID : S-1-5-21-1581655573-3923512380-696647894-2628

DistinguishedName : CN=DnsAdmins,CN=Users,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : DomainLocal
Name : DnsAdmins
ObjectClass : group
ObjectGUID : 46caa0dd-6a22-42a3-a2d9-bd467934aab5
SamAccountName : DnsAdmins
SID : S-1-5-21-1581655573-3923512380-696647894-1101

DistinguishedName : CN=Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : DomainLocal
Name : Administrators
ObjectClass : group
ObjectGUID : d03a4afc-b14e-48c6-893c-bbc1ac872ca2
SamAccountName : Administrators
SID : S-1-5-32-544

DistinguishedName : CN=Hyper-V Administrators,CN=Builtin,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : DomainLocal
Name : Hyper-V Administrators
ObjectClass : group
ObjectGUID : 3137943e-f1c3-46d0-acf2-4711bf6f8417
SamAccountName : Hyper-V Administrators
SID : S-1-5-32-578

DistinguishedName : CN=Enterprise Admins,CN=Users,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : Universal
Name : Enterprise Admins
ObjectClass : group
ObjectGUID : 7674d6ad-777b-4db1-9fe3-e31fd664eb6e
SamAccountName : Enterprise Admins
SID : S-1-5-21-1581655573-3923512380-696647894-519

DistinguishedName : CN=Schema Admins,CN=Users,DC=lab,DC=adsecurity,DC=org
GroupCategory : Security
GroupScope : Universal
Name : Schema Admins
ObjectClass : group
ObjectGUID : 420e8ee5-77f5-43b8-9f51-cde3feea0662
SamAccountName : Schema Admins
SID : S-1-5-21-1581655573-3923512380-696647894-518

PS C:\> get-adobject -filter {ObjectClass -eq "Contact"} -Prop *

CanonicalName : lab.adsecurity.org/Contaxts/Admiral Ackbar
CN : Admiral Ackbar
Created : 1/27/2016 10:00:06 AM
createTimeStamp : 1/27/2016 10:00:06 AM
Deleted :
Description :
DisplayName :
DistinguishedName : CN=Admiral Ackbar,OU=Contaxts,DC=lab,DC=adsecurity,DC=org
dSCorePropagationData : {12/31/1600 4:00:00 PM}
givenName : Admiral
instanceType : 4
isDeleted :
LastKnownParent :
mail : admackbar@RebelFleet.org
Modified : 1/27/2016 10:00:24 AM
modifyTimeStamp : 1/27/2016 10:00:24 AM
Name : Admiral Ackbar
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org
ObjectClass : contact
ObjectGUID : 52c80a1d-a614-4889-92d4-1f588387d9f3
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 15
sn : Ackbar
uSNChanged : 275113
uSNCreated : 275112
whenChanged : 1/27/2016 10:00:24 AM
whenCreated : 1/27/2016 10:00:06 AM

CanonicalName : lab.adsecurity.org/Contaxts/Leia Organa
CN : Leia Organa
Created : 1/27/2016 10:01:25 AM
createTimeStamp : 1/27/2016 10:01:25 AM
Deleted :
Description :
DisplayName :
DistinguishedName : CN=Leia Organa,OU=Contaxts,DC=lab,DC=adsecurity,DC=org
dSCorePropagationData : {12/31/1600 4:00:00 PM}
givenName : Leia
instanceType : 4
isDeleted :
LastKnownParent :
mail : LeiaOrgana@TheAlliance.org
Modified : 1/27/2016 10:09:15 AM
modifyTimeStamp : 1/27/2016 10:09:15 AM
Name : Leia Organa
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org
ObjectClass : contact
ObjectGUID : ba8ec318-a0a2-41d5-923e-a3f646d1c7f9
ProtectedFromAccidentalDeletion : False
sDRightsEffective : 15
sn : Organa
uSNChanged : 275157
uSNCreated : 275132
whenChanged : 1/27/2016 10:09:15 AM
whenCreated : 1/27/2016 10:01:25 AM

PS C:\> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled : True
DistinguishedName : DC=lab,DC=adsecurity,DC=org
LockoutDuration : 00:30:00
LockoutObservationWindow : 00:30:00
LockoutThreshold : 0
MaxPasswordAge : 42.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : bbf0907c-3171-4448-b33a-76a48d859039
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

PS C:\> Get-ADFineGrainedPasswordPolicy -Filter *

AppliesTo : {CN=Special FGPP Users,OU=Test,DC=lab,DC=adsecurity,DC=org}
ComplexityEnabled : True
DistinguishedName : CN=Special Password Policy Group,CN=Password Settings Container,CN=System,DC=lab,DC=adsecurity,DC=org
LockoutDuration : 12:00:00
LockoutObservationWindow : 00:15:00
LockoutThreshold : 10
MaxPasswordAge : 00:00:00.0000365
MinPasswordAge : 00:00:00
MinPasswordLength : 7
Name : Special Password Policy Group
ObjectClass : msDS-PasswordSettings
ObjectGUID : c1301d8f-ba52-4bb3-b160-c449d9c7b8f8
PasswordHistoryCount : 24
Precedence : 100
ReversibleEncryptionEnabled : True

PS C:\> Get-ADServiceAccount -Filter * -Properties *

AccountExpirationDate : 12/27/2017 11:14:38 AM
accountExpires : 131588756787719890
AccountLockoutTime :
AccountNotDelegated : False
AllowReversiblePasswordEncryption : False
AuthenticationPolicy : {}
AuthenticationPolicySilo : {}
BadLogonCount : 0
badPasswordTime : 0
badPwdCount : 0
CannotChangePassword : False
CanonicalName : lab.adsecurity.org/Managed Service Accounts/ADSMSA12
Certificates : {}
CN : ADSMSA12
codePage : 0
CompoundIdentitySupported : {False}
countryCode : 0
Created : 1/27/2016 11:14:38 AM
createTimeStamp : 1/27/2016 11:14:38 AM
Deleted :
Description : gMSA for XYZ App
DisplayName : ADSMSA12
DistinguishedName : CN=ADSMSA12,CN=Managed Service Accounts,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP02.lab.adsecurity.org
DoesNotRequirePreAuth : False
dSCorePropagationData : {12/31/1600 4:00:00 PM}
Enabled : True
HomedirRequired : False
HomePage :
HostComputers : {}
instanceType : 4
isCriticalSystemObject : False
isDeleted :
KerberosEncryptionType : {RC4, AES128, AES256}
LastBadPasswordAttempt :
LastKnownParent :
lastLogoff : 0
lastLogon : 0
LastLogonDate :
localPolicyFlags : 0
LockedOut : False
logonCount : 0
ManagedPasswordIntervalInDays : {21}
MemberOf : {}
MNSLogonAccount : False
Modified : 1/27/2016 11:14:39 AM
modifyTimeStamp : 1/27/2016 11:14:39 AM
msDS-ManagedPasswordId : {1, 0, 0, 0…}
msDS-ManagedPasswordInterval : 21
msDS-SupportedEncryptionTypes : 28
msDS-User-Account-Control-Computed : 0
Name : ADSMSA12
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=lab,DC=adsecurity,DC=org
ObjectClass : msDS-GroupManagedServiceAccount
ObjectGUID : fe4c287b-f9d2-45ce-abe3-4acd6d09c3ff
objectSid : S-1-5-21-1581655573-3923512380-696647894-3605
PasswordExpired : False
PasswordLastSet : 1/27/2016 11:14:38 AM
PasswordNeverExpires : False
PasswordNotRequired : False
PrimaryGroup : CN=Domain Computers,CN=Users,DC=lab,DC=adsecurity,DC=org
primaryGroupID : 515
PrincipalsAllowedToDelegateToAccount : {}
PrincipalsAllowedToRetrieveManagedPassword : {}
ProtectedFromAccidentalDeletion : False
pwdLastSet : 130983956789440119
SamAccountName : ADSMSA12$
sAMAccountType : 805306369
sDRightsEffective : 15
ServicePrincipalNames :
SID : S-1-5-21-1581655573-3923512380-696647894-3605
SIDHistory : {}
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UseDESKeyOnly : False
userAccountControl : 4096
userCertificate : {}
UserPrincipalName :
uSNChanged : 275383
uSNCreated : 275380
whenChanged : 1/27/2016 11:14:39 AM
whenCreated : 1/27/2016 11:14:38 AM

PS C:\> Get-NetGPOGroup

GPOName : {E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212}
GPOPath : \\lab.adsecurity.org\SysVol\lab.adsecurity.org\Policies\{E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212}
Members : {Server Admins}
MemberOf : {Administrators}
GPODisplayName : Add Server Admins to Local Administrator Group
Filters :

GPOName : {45556105-EFE6-43D8-A92C-AACB1D3D4DE5}
GPOPath : \\lab.adsecurity.org\SysVol\lab.adsecurity.org\Policies\{45556105-EFE6-43D8-A92C-AACB1D3D4DE5}
Members : {Workstation Admins}
MemberOf : {Administrators}
GPODisplayName : Add Workstation Admins to Local Administrators Group

PS C:\> get-netOU -guid "E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212"
LDAP://OU=Servers,DC=lab,DC=adsecurity,DC=org

PS C:\> get-netOU -guid "45556105-EFE6-43D8-A92C-AACB1D3D4DE5"
LDAP://OU=Workstations,DC=lab,DC=adsecurity,DC=org

PS C:\> get-adcomputer -filter * -SearchBase "OU=Servers,DC=lab,DC=adsecurity,DC=org"

DistinguishedName : CN=ADSAP01,OU=Servers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP01.lab.adsecurity.org
Enabled : True
Name : ADSAP01
ObjectClass : computer
ObjectGUID : b79bb5e3-8f9e-4ee0-a30c-5f66b61da681
SamAccountName : ADSAP01$
SID : S-1-5-21-1581655573-3923512380-696647894-1105
UserPrincipalName :

DistinguishedName : CN=ADSAP02,OU=Servers,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSAP02.lab.adsecurity.org
Enabled : True
Name : ADSAP02
ObjectClass : computer
ObjectGUID : 1006978e-8627-4d01-98b6-3215c4ee4541
SamAccountName : ADSAP02$
SID : S-1-5-21-1581655573-3923512380-696647894-1603
UserPrincipalName :

PS C:\> get-adcomputer -filter * -SearchBase "OU=Workstations,DC=lab,DC=adsecurity,DC=org"

DistinguishedName : CN=ADSWRKWIN7,OU=Workstations,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSWRKWIN7.lab.adsecurity.org
Enabled : True
Name : ADSWRKWIN7
ObjectClass : computer
ObjectGUID : e8b3bed2-75b4-4512-a4f0-6d9c2d975c70
SamAccountName : ADSWRKWIN7$
SID : S-1-5-21-1581655573-3923512380-696647894-1104
UserPrincipalName :

DistinguishedName : CN=ADSWKWIN7,OU=Workstations,DC=lab,DC=adsecurity,DC=org
DNSHostName : ADSWKWIN7.lab.adsecurity.org
Enabled : True
Name : ADSWKWIN7
ObjectClass : computer
ObjectGUID : 2f164d63-d721-4b0e-a553-3ca0e272aa96
SamAccountName : ADSWKWIN7$
SID : S-1-5-21-1581655573-3923512380-696647894-1602
UserPrincipalName :

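Original publication date: May 31, 2017
Author: 丝绸之路
This article comes from 嘶吼, a partner of the Yunqi Community (云栖社区); for related information, follow the 嘶吼 website.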