Active Directory and PowerShell Part 1, Query Users, Computers, Groups and Calculated Properties

Captions
Hello everyone, this is Mike, and welcome back to the channel. In today's video we're going to be looking at how to use the Active Directory module within PowerShell. This will be part one of probably a couple of videos that I'm going to put out, and this one's going to go over querying the common objects you're going to find in Active Directory: looking at users, looking at computers and looking at groups. Now, the output for them is sometimes not in the form that we like, so we can dress that output up a bit by using calculated properties. This is something that you may have used in other things, but it comes in handy for these kinds of components.

All right, so with that, let's head over to my lab environment. In here I've got just a simple domain controller with a very simple Active Directory, where I've got a domain that I named chassetac.com, off of my channel obviously, and I've got a few OUs built into here: I've got the default Users container, the Computers container, I've got a Sales OU, I've got a child OU underneath that, Interns, I've got a Test OU, and I've got a Groups OU over here. So some basic structure to play around with.

So the first thing: if we're going to want to use Active Directory and PowerShell together, you're obviously going to need the Active Directory module, and this can be had from a few different spots. If you're on a domain controller you can just install the RSAT tools onto here and that would give you the Active Directory module. The RSAT tools are also available for separate download if you want to install them on, like, a Windows 10 client, and the RSAT tools are actually automatically built into the Windows 11 client if you go look at the optional features that you want to add. So either way you get the base code in there. From within PowerShell, if you type Get-Module -ListAvailable, that would let you know what you have to play with in here, and specifically I'm looking within the Windows directory for modules here, looking for ActiveDirectory. So that is here, and it will be by default on a domain controller; that's one of the feature components that does get installed. So you just have to do a little more work if you want to install that PowerShell module on your client or on a member server or something like that.

All right, so now the first thing we're probably going to want to query is users. So the command list that you have to play with users: if you use PowerShell's help system (and this is not typing here, let's see, capture the keyboard, there we go), let's use the help command and maybe look at cmdlets that have "user" in their name. So I can see from the results that come back there's a few from the Active Directory module right here, and you can see Get-ADUser, New-ADUser, Remove-ADUser and Set-ADUser. So the one that we're going to work with here, if we're talking querying, is going to be Get-ADUser, and you could open up the help individually on that cmdlet like so, and you could see what it could take for, let's say, the basic amount of information, the basic parameters here. So I can see that it takes a Filter, I can look at the Identity here, an LDAPFilter, and so on. So those are the main different ways you can interact with this. So for instance, if I wanted to see one particular user, I could run Get-ADUser -Identity and then whatever the username would be for the user you're looking for. So in this case I think I made an account after myself; yes I did. All right, so I can get information from that one particular account. Now notice it will also take a filter, and the filter takes a string, and if you want to see some syntax for that you can go look at the help for Get-ADUser and specifically the online version of the help, so that should crack open in the browser here. And yep, got it.

If I scroll down (and again, the online help is the only one that really has this), if you go look at the details about the Filter, this is probably the most amount of information you're going to get for that individual parameter. It lists a whole bunch of syntax components that could go along with that filter. So usually, again, I'm a big proponent of help, opening it locally using the -ShowWindow version of help, but the online one is the only one that has all of this detail about using Filter. So that can definitely come in handy.

So if I'm looking at the user here, Get-ADUser, let's just do the easiest filter in the world, -Filter *, or asterisk. I go ahead and run that and I get everybody coming back who is in my AD environment here. Now my little sample AD environment's not that big; in fact, let's go back down to the bottom here and let me pipe this over to Measure-Object: I've got a whopping 11 users in my sample environment. That's not that much. All right, so what if I wanted to cut down a bit on the results coming back? Well, that's where potentially the filter could come into play. So let's say I just do -Filter * and maybe select Name, I can see everybody, and let's maybe use the filter here where we'll filter off of some attribute, maybe the Department attribute, so Department equals Sales, something like that, and notice I only get one result coming back because that's the only user I have with that LDAP property. So if I actually go look in here, go find that user (ah, there he is), go look at Organization and you see the department is Sales, so that's what it's after. So you could use just a simple PowerShell comparison operator to do something like that.

All right, so that could yield the results there. Now what if, though, I didn't want to see everybody with -Filter *, and I don't know what potential attribute I want to filter on? So what if I just want to see everybody in an OU, something like that? So I can come back in here, still utilize -Filter *, but utilize the SearchBase parameter as well, where you could put in the distinguished name of the OU that you want to search. So if I want to look at OU=Sales,DC=chassetac,DC=com, I give it a search base, and notice I get a few results coming back: I see there's my Jeff user, there's intern one, there's intern two. So I get three results coming back, and that matches what Sales looks like: if I look at the Sales OU there's one user in there, and if I look at the Interns child OU there's two users in there. So can I tell it to just give me the OU I'm asking for and not any children underneath it? You could, utilizing a SearchScope parameter. So SearchScope Base is probably not what you're going to want here; OneLevel, right, so you could do OneLevel and notice that brings back just Jeff. So it's just searching the path you told it to search; it's not going any deeper than that. And then for SearchScope, instead of OneLevel, we do Subtree and then that will search all the children as well, so there's Jeff in the main OU and then my interns in the child OU. All right, so with SearchBase combined with SearchScope you have a little more detailed way of querying exactly what you're looking for. So that could be a way to get the information that we want in the form of the objects.

Now what is kind of interesting, though, is if we look at the results coming back like this one here, Department Sales only brought one user object back because that's the only one I have the Sales department filled in on, but you look at it and you only see one, two, three, four, five, six, seven, eight, nine, ten; you only see 10 properties coming back. Now on a user there's going to be a lot more than that. So what's going on here? Is this just default output and there's more stuff to be had? Well, yes, but again we need to figure out the way to do it. So for instance, if I did something like Get-Service -Name bits, this only brings back three properties, but we know there's more there; the pipeline object has more. If I went to Get-Member I could see what those more properties were. So it brought back Name, Status and DisplayName; those are all properties here: there's DisplayName, there's Status, and Name is actually just the alias for ServiceName, which is down here. So the default output on the screen just shows three properties, but the actual object in the pipeline has a lot more. Get-Member fleshes that out.

Now let's go back to our Active Directory user here. We see the 10 properties, but are there more? The first way to tell would be maybe to pipe it to Get-Member, and we could see, oh wait a minute, there's actually not. So for each object the cmdlet only brings back 10 properties; it's made to give kind of a nod to performance rather than detail. Why bring back every property if we're not going to use it is kind of the thought of the cmdlet. So in the cmdlet you could further use a Properties parameter to specify what extra stuff you want to bring back. So again, without it, here's the ten that come back, but let's say I tell it -Properties and bring back the Department property, and notice that's now added onto the result that's coming back. So I can see here was the original 10 coming back and then here's this extra one that we saw that we wanted to see. I can bring back more than one through that; maybe we'll do pwdLastSet, that's when your password was last set, and notice that one is right there. So it does allow me to bring extra properties into the output that would normally not show by default. Now you might be thinking, well, what if I want to see all of them? That's actually not that complex to do: you just do -Properties and throw a wildcard in there and that brings back everything, every property that could be queried from the user. So starting at AccountExpirationDate and scrolling all the way down to whenCreated. What I like about the output for the Active Directory cmdlets is the properties come back in alphabetical order. That's kind of a pet peeve of mine because other things do not do that, so sometimes you're looking to hunt around to find the property you're looking for when it's buried in a list of a whole bunch. These at least come back in alphabetical order, which I kind of like. So that's how we could see all of the properties.

Now some of the properties, though, are not in a state that we might want to use them in. So for instance, if you look at the pwdLastSet one that I brought back a moment ago, that is in a weirdo number that should look like a date but it really is not. If you examine it, if I take this output here and pipe it to Get-Member, we could see pwdLastSet is coming back as an integer. So that's not... I thought that should be like a DateTime thing, because normally, if you look at the output, a lot of things are... you could see here PasswordLastSet, so that one kind of looks like a normal DateTime. And so that sometimes presents a bit of an issue, like when you have to work with one of these that's in one of these weird formats. So things like, if I come up here, you can see lastLogon, lastLogonTimestamp, LastLogonDate; so that's also in this kind of weirdo integer. And what that basically is, if you look at the details of that, it's formatted as what's called a FileTime object, which is a count of 100-nanosecond intervals since the year like 1601 or 1604 or something like that. So it actually is a .NET thing; if you look up in .NET "FileTime object" you'll find information about it.

So let's say, though, I want... we could see things like the PasswordLastSet, for instance, and let's say we wanted to maybe do some work with that. So first of all, what might be the way that we could convert that into something else? So I know you're probably thinking there's pwdLastSet and there's PasswordLastSet; are they actually the same? So with this number here, this is a FileTime object and I need to convert it into something that's a little easier to work with, which would be a DateTime object. So if I do something like Get-Date and pipe that to Get-Member, I could see that this is a DateTime object. So can I convert one to the other? Potentially, right; usually anything can be converted to anything else provided we have the means to be able to do it. So let's take that number there that we had with the user, pwdLastSet, this number right here, and let's say we want to convert that to just a regular DateTime object. That is something we could do utilizing a method from the DateTime object called FromFileTime. So I can load the DateTime class, call a method (so again, this is just using some .NET stuff here), FromFileTime, and then there's what we want to convert, right into the end of that, and it converts it into the DateTime. So if we pipe this over to Get-Member we can see that we have turned this into a DateTime, and it shows Sunday, November 20th, 2022. So Sunday, November 20th, 2022; it looks like it's the same; 10:04, was that it as well? Yep. All right, so it looks like that's the same value.

So you're not always guaranteed that; sometimes Active Directory plays some tricks on you, where you might have a value that's local on the domain controller that's stored in the raw format like FileTime, and then you have a different one that looks like the same but it might be different that's then replicated to the rest of the domain controllers. That's the scenario here with the last logon trifecta over here. So this one is locally specific to a particular domain controller; this one is the replicated value. So the lastLogonTimestamp changes by default every 14 days; when a value is put in there it's held in place for 14 days, and then after the 14 days are up, if a new logon occurs the new date would be put in there. And that's the value that replicates everywhere else. Now you might be thinking, why the heck did they do something like that? It's to stop Active Directory from replicating every time someone logs on. So the lastLogon is specific to an individual domain controller, so if someone logged in and five different domain controllers processed the login over the course of five days, this would differ on each of those domain controllers. With this one, once replication has been achieved, once everything has been converged, that would be the same. And LastLogonDate is just this value converted to DateTime.

All right, so let's say though you wanted to get the most current logon for, let's say, all of the users in Active Directory; let's say I wanted to do something like that. So let's say we have our list of users here, so let's do Get-ADUser -Filter *; that's going to be everybody. And how about we bring this over to Select-Object and grab maybe Name and lastLogon. Uh oh, now why didn't that show? Well, lastLogon is normally not one of the properties brought back, so I would need to tell Get-ADUser that, hey, we want that property. So let's do -Properties lastLogon, and now there we go. Now some of these users I've never logged in with: I guess the Kerberos ticket-granting ticket account, user two, intern one and intern two; I don't think I've ever logged in with those, ever. I've just never used them in the different demos for the videos that I've put together. But let's say I want the output to not be in FileTime; I would like it to be in DateTime format. So this is where a calculated property might be nice here, so that way I could change what was happening in there. So let's say I have a Name and I would like to do lastLogon, but I'd like to do it in a different format; I'd like to change it from FileTime over to a DateTime object. So how can I do that? Let's say we want to use a calculated property to do it. So let's start off with an @ and then we have a hash table, which is going to represent the calculated property. Then inside of it we're going to give it a name, so we'll just do N= and then, in quotes, what do we want to call our property, maybe LastLogonDT, for DateTime. So we'll close the string on that, and then a semicolon, and then we're going to do Expression= or E=, and that's going to take a script block as its output type. So for the script block, we're going to grab the current object; we're going to need to work with the object that's in the pipeline and specifically its lastLogon. So what we're going to do is we're going to want to do a DateTime, a double colon, not ToFileTime, FromFileTime, and then what value do we want to change over? We want the object in the pipeline, so that would be the AD user itself, and we want the last logon date, right. So let's see if this all matches, and there we go, so we've converted that over. So let me take this, though, because I apologize, the carriage returns are probably messing some people up, or the line break; let me just take that, just so it's easier for you all to read it, so let's carriage return to that, and then there's your calculated property fully done out. So again, what we're calling it, and then the Expression where you have the script block, and then what's happening inside of the script block: we're using the DateTime class, we're grabbing the FromFileTime method on it, and we're using the value from the object in the pipeline and the lastLogon property there. So that allows me to work with that.

OK, so now, that was lastLogon; let's say though I want to go back and I want to mess with, how about the PasswordLastSet. So we'll just use pwdLastSet right there. I know I could use this one, but either way this one might be more fun to play with; it'll demonstrate an example. So let's say I wanted to find users whose passwords have changed in, I don't know, the last seven days, let's say. So what I could do, first of all, is figure out the last seven days; that's from today going back seven days. So how do I get that? If we look at just the cmdlet Get-Date, that spits out the current date and time, which is exactly when I am recording this. So you could take the output from that and use the ToFileTime method on it to get the date in the FileTime format. So again, with Get-Date, pipe it to Get-Member and you can see right here, here's ToFileTime. So you can also utilize AddDays, AddHours, AddMinutes, AddMonths; so you have the ability to alter it that way as well, which again is another thing that we'll do. So like for instance here, let's say I want to take whatever the date is right now, so we'll do the Get-Date; I'm putting it in parentheses so I can work with the output of it outside of the parentheses, so that's where we'll do the ToFileTime. So that gives me the date in FileTime format right now. And I want the date seven days ago, so let's say that's going to be $then, and we'll do the same thing: we'll start off with Get-Date and this time we're going to do the AddDays method where we're going to push it back seven days in the past, and we're also going to convert this to FileTime. So if we look at $then we have a FileTime, and if we look at $now we also have a FileTime.

All right, so what do we want to do with this next? Now I want the users who have changed their password in the past week. So let's do a Get-ADUser and this is going to be a filter. So inside of the filter what we're going to do is look at that password last set and get a comparison from that. So if we take pwdLastSet, which was again the name of the property in Active Directory (if we can go back in here, pwdLastSet, that's the one we're working on), so pwdLastSet, if someone's changed their password in the past week, it has to be greater than the date a week ago. And so we'll use an -and, and we'll say pwdLastSet has to be less than now, if you stack them up. And so let's bring that over and let's maybe just select the Name property just to keep the output simple, and those are the users who have changed their password in the week. Now these two I just made fairly recently, so I haven't even logged in, so it's reflecting when their accounts were made, but these were the accounts that have had their password changed in the last week. So, yeah, use that for whatever you like, but that's how we could find that out. So the point here is the filter, you can get pretty detailed with it, so if you wanted to do some queries with it that's potentially one way to do it. You're only as good as, let's say, your filtering there.

All right, so let's move on to talk about computers. So if we look at the help on *computer*, we could see within the Active Directory module there's some computer stuff happening here as well, specifically Get-ADComputer. So if I want to run this, it behaves kind of similar. So if I do Get-ADComputer and I could give it an identity, like, hey, tell me about DC1, and notice if I pipe this to Get-Member it is still just returning the 10 objects. So let's say I want more; can I do -Properties *? That will work, so that will bring back the property information from the computer account, and it's more than just the 10. So it's bringing back everything it has that we might want to have a look at. So we'll play with the lastLogon in a moment here, but also notice in here things like IPv4Address, IPv6Address; that might also be nice here. Oh, here's a good one: OperatingSystem, so that can give you the OS; you can see the OS version, so that could be nice. You could see when the account was created, so I could let you know when it was added to the environment here. So, yeah, there could be some interesting info in here, so you could bring that back again just like with the other information. So if I wanted, let's say, all of the computers, let's maybe do -Filter * and -Properties IPv4Address; yeah, let's run that, and then we could see for all of the computers (and I've got like four of them in this environment) it brought back the regular 10 things and that IPv4Address property. So if you want to see some of that extra information, that's there to be able to use.

All right, so now what might also be fun with Filter is you could still put together a filter for whatever query you want to do. So like for instance here, let's say I wanted to do, how about OperatingSystem -like and then, in a string, do wildcard 2022 wildcard, and so that would bring back all of the computer objects whose OperatingSystem property (which again, when you're looking at OperatingSystem you could see what's there)... so it brought back all of the ones that had 2022 in their name; that's why I used the wildcards here, so wildcard 2022 wildcard. So there's my 2022 servers. If I wanted to do just 10, that would bring back my Windows 10 computers, and if I wanted to do 11, there's my Windows 11 computer that I currently have. Now you could also combine this with SearchBase if you wanted to lessen the results coming back. So if I wanted all of the Windows 11 computers that were in the search base of maybe CN=Computers (so the Computers container; OU equals... not OU, CN), comma DC=chassetac, comma DC=com, something like that. And again it's going to be the same result for this, but the point is I'm using a filter here and then using the search base to again bring results back from one specific area of the Active Directory domain. So again you could combine SearchScope as well if you just wanted that rather than any child OUs or containers that lived underneath it, and so on. So it allows me to again be specific in what I'm looking for.

All right, so another thing, if we wanted to again take advantage of some of the properties that were there: let's say for instance I'm looking for a particular age, so maybe I want 30 days in the past. So let's maybe do a Get-Date, AddDays, and let's do a minus 30, and then let's throw this to FileTime. So that was the date 30 days ago, and let's say I wanted to do my Get-ADComputer and let's do a filter where maybe we'll say the lastLogon is less than that age, and then this would give me the computers. Again, out of my four, the only two I've used in the last 30 days have been client one and DC1, so client two and client three, they haven't logged in, I don't know when, but it hasn't been in the last 30 days. So if I want just a scan of Active Directory finding computers that haven't logged in in the last 30 days or more, again it's less than what the date was 30 days ago; that's how you could do it.

All right, so last thing, groups. Groups are not really too complex here. So if we do a help for the name, let's see, asterisk group asterisk, we can see that there is a Get-ADGroup and a Get-ADGroupMember as the two main things we want to query. So if I type in Get-ADGroup, I could grab all of my groups by doing the -Filter *; in fact let me just cancel that and just do that straight off here: Get-ADGroup -Filter *, so we could see all of the groups. And maybe I want to just look at, instead of Filter, maybe we'll look at Identity, and we'll do how about my global IT group, which is actually named GL IT (GL, space, IT). So I could see I have one particular group there; again, same info as in it's bringing back a limited amount of properties, so if I do -Properties *, that could bring back the rest of the properties for it. So for instance here, we could see with that it brought back the Members, the MemberOf, so this is showing me that this group is a member of another group, and the actual individual members that are in there. So again, if I go look at this group in the graphical tools you could see there's one user that is a member, and then the member of, so those things are actually populated. If we look at Sales, there's two users in there, so maybe I want to pick on that one. So let's do GL Sales, and then if we look at the Member we could see we just have those things in there. So if I wanted to maybe grab those out, I could, maybe a couple ways I could do this: I could isolate this in parentheses, and then outside the parentheses you're now working with the object produced by what was in the parentheses, and then say I want to look at the Member property, and then that could grab those things out. And what is that looking like? It's looking like strings, so these come out as just simple strings. Maybe that's what you want for the members, but maybe you don't. So that's why they give you a cmdlet. So if I take something like this and pipe it to Get-ADGroupMember, that would spit out the members as an ADPrincipal object where you could see that there are properties there if you wanted to work with that. Because if I look at this output up here, this is kind of a pain; what if you just want the names of the users? Well, I could dust off my regex queries to maybe clean that up, but instead, to make life easy for myself, I could take the output of that, pipe it to Get-ADGroupMember and then maybe pipe that over to Select-Object -Property Name, grab the Name property, there you go, so a lot easier. So typically that's Get-ADGroup combined with Get-ADGroupMember that does a good job of enumerating the groups in an object format that then has some properties that you could work with. So that's just a little tour there of working with groups, Get-ADGroup and Get-ADGroupMember.

All right, so that's where I'm going to leave this video for now, and I will be posting another one at some point on how to modify objects using the cmdlets in Active Directory, so stay tuned for that one; that'll be coming up in the future. So once again, thanks everybody for watching. If you haven't already, I would greatly appreciate a like and a subscribe just to help the growth of the channel; it costs you nothing and helps the growth of my channel a lot, so if you could it'd be most appreciated. Thank you and we'll see you in the next video.
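The queries walked through in the video, assembled into one script as an added example (not the presenter's own code): the SearchBase/SearchScope query, the FromFileTime calculated property, the pwdLastSet date-range filter, the stale-computer check and group-member enumeration. It assumes the ActiveDirectory module is installed; the distinguished name 'OU=Sales,DC=example,DC=com' is a placeholder for your own domain, and the stale-computer check queries the replicated lastLogonTimestamp instead of the per-DC lastLogon the video uses, for the reason the video itself gives about replication.

```powershell
# Added example (not from the video): the video's queries assembled into one script.
# Requires the ActiveDirectory module from RSAT. The distinguished name below is a
# placeholder; substitute your own domain.
Import-Module ActiveDirectory

$SalesOU = 'OU=Sales,DC=example,DC=com'   # placeholder DN

# SearchBase + SearchScope: OneLevel stays in the OU, Subtree descends into child OUs.
Get-ADUser -Filter * -SearchBase $SalesOU -SearchScope OneLevel | Select-Object Name
Get-ADUser -Filter * -SearchBase $SalesOU -SearchScope Subtree  | Select-Object Name

# lastLogon and pwdLastSet are FileTime integers (100 ns ticks), not DateTime.
# Calculated properties convert them; a 0/empty lastLogon means "never", so return
# $null instead of the 1601 epoch that FromFileTime(0) would give.
$LastLogonDT = @{
    Name       = 'LastLogonDT'
    Expression = { if ($_.lastLogon) { [DateTime]::FromFileTime($_.lastLogon) } }
}
$PwdLastSetDT = @{
    Name       = 'PwdLastSetDT'
    Expression = { if ($_.pwdLastSet) { [DateTime]::FromFileTime($_.pwdLastSet) } }
}

# Both attributes are outside the default 10 properties, so request them explicitly.
Get-ADUser -Filter * -Properties lastLogon, pwdLastSet |
    Select-Object Name, $LastLogonDT, $PwdLastSetDT

# Users whose password was set in the past 7 days: compare FileTime to FileTime
# inside the AD filter, so the filtering happens on the domain controller.
$now  = (Get-Date).ToFileTime()
$then = (Get-Date).AddDays(-7).ToFileTime()
Get-ADUser -Filter "pwdLastSet -gt $then -and pwdLastSet -lt $now" -Properties pwdLastSet |
    Select-Object Name, $PwdLastSetDT

# Computers with no logon in 30 days. lastLogon is held per domain controller and is
# not replicated; lastLogonTimestamp is the replicated value (refreshed at most every
# 14 days by default). Querying the replicated attribute avoids flagging a machine
# that simply authenticated against a different DC than the one being queried.
$age = (Get-Date).AddDays(-30).ToFileTime()
Get-ADComputer -Filter "lastLogonTimestamp -lt $age" -Properties lastLogonTimestamp, OperatingSystem |
    Select-Object Name, OperatingSystem,
        @{ Name = 'LastLogonTimestampDT'; Expression = { [DateTime]::FromFileTime($_.lastLogonTimestamp) } }

# Group members as ADPrincipal objects rather than distinguished-name strings.
Get-ADGroup -Identity 'GL Sales' | Get-ADGroupMember | Select-Object Name, objectClass
```

Computers that have never logged on have no lastLogonTimestamp at all and so do not match the `-lt` filter; list them separately with `-Filter '-not lastLogonTimestamp -like "*"'` if they matter to you.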
Info
Channel: Chasse TAC
Views: 595
Id: cjW6HoU6owM
Length: 44min 17sec (2657 seconds)
Published: Sun Apr 30 2023