Why it is important to check users on Active Directory?

Posted on by hecsan9634

It is important to check users on Active Directory because it helps to ensure the security and integrity of the network. Active Directory (AD) is a central repository for storing information about users, computers, and other resources on a Windows-based network. Checking users on AD involves verifying that the users who have been granted access to the network are legitimate and have the appropriate permissions. This can help to prevent unauthorized access to sensitive information and resources, and can also help to detect and respond to security breaches. Additionally, checking users on AD can also help to ensure compliance with regulatory requirements and company policies.

What should you check?

When checking users on Active Directory, there are several key things that you should look for to ensure the security and integrity of the network:

  1. Accurate user information: Verify that the user’s name, contact information, and other details are correct and up-to-date.

You can use PowerShell to check the accurate user information on Active Directory (AD) by using the Get-ADUser cmdlet. This cmdlet allows you to retrieve information about one or more AD users, and you can use it to check specific attributes of a user account, such as name, email address, and phone number.

Here’s an example of how you can use the Get-ADUser cmdlet to check the name and email address of a user account:

#Retrieve the user account $user = Get-ADUser -Identity "jdoe" # Display the user's name and email address Write-Host "Name: $($user.Name)" Write-Host "Email: $($user.EmailAddress)"

This will output the name and email address of the user whose AD account is “jdoe”.

You can also use the -Filter parameter to retrieve all the user’s information, you can use -Properties * to get all the properties of the user and filter based on the attributes you want.

# Retrieve all the user's information
$users = Get-ADUser -Filter * -Properties *

# Display the user's name, email address, and phone number for all users
$users | ForEach-Object {Write-Host "Name: $($_.Name)"
Write-Host "Email: $($_.EmailAddress)"
Write-Host "Phone: $($_.TelephoneNumber)"
}

This will output the name, email address, and telephone number of all the users in the active directory.

You can use different properties of Get-ADUser cmdlet to check various information of the user like City, Office, JobTitle, etc.

2. Appropriate permissions: Ensure that each user has been assigned the appropriate permissions and access rights to network resources based on their job function and role within the organization.

You can use PowerShell to check the appropriate permissions on Active Directory (AD) by using the Get-ADPrincipalGroupMembership cmdlet. This cmdlet allows you to retrieve the group memberships of a user or a group, and you can use it to check what permissions and access rights a user has been assigned to network resources.

Here’s an example of how you can use the Get-ADPrincipalGroupMembership cmdlet to check the group memberships of a user account:

# Retrieve the group memberships of a user account
$groups = Get-ADPrincipalGroupMembership -Identity "jdoe"

# Display the names of the groups the user is a member of
$groups | ForEach-Object {Write-Host $_.Name}

This will output the names of all the groups the user “jdoe” is a member of.

You can also use the -Filter parameter to retrieve the group memberships for all users, and filter based on the groups you are interested in.

# Retrieve group memberships for all users
$all_users = Get-ADUser -Filter *

# Loop through each user and display the group memberships
foreach ($user in $all_users) {
    $groups = Get-ADPrincipalGroupMembership -Identity $user.DistinguishedName
    Write-Host "User: $($user.Name)"
    $groups | ForEach-Object {Write-Host "  Group: $($_.Name)"}
}

This will output the name of all the users and the group they are members of, you can use this information to verify that each user has been assigned the appropriate permissions and access rights to network resources based on their job function and role within the organization.

You can also use other cmdlets like Get-ACL to check the permissions on specific folder, file, or even registry keys. You can use Get-ACL and specify the path or the object you want to check the permissions on.

3. Compliance with company policies: Verify that each user’s account settings and permissions are in compliance with company policies and regulatory requirements.

You can use PowerShell to check for compliance with company policies and regulatory requirements on Active Directory (AD) by using a combination of different cmdlets. Depending on the specific policies and requirements you need to check for, different cmdlets and techniques may be more appropriate.

For example, you can use the Get-ADUser and Set-ADUser cmdlets to check and enforce password policies, such as minimum length, complexity, and expiration. Here’s an example of how you can use these cmdlets to check that all user accounts have a password length of at least 8 characters:

# Retrieve all the user accounts
$users = Get-ADUser -Filter *

# Loop through each user account and check the password length
foreach ($user in $users) {
    $password = (Get-ADUser -Identity $user.DistinguishedName -Properties PasswordLastSet).PasswordLastSet
    if ($password.Length -lt 8) {
        Write-Host "User $($user.Name) has a password that is less than 8 characters long"
    }
}

4. Security settings: Ensure that each user’s account has appropriate security settings, such as strong passwords and multi-factor authentication, to protect against unauthorized access.

Another example, to check if the users are using Multi-factor Authentication, you can use the Get-ADUser cmdlet to retrieve the user’s account options and check if the value of the “smartcardLogonRequired” property is set to true: 

# Retrieve all the user accounts
$users = Get-ADUser -Filter * -Properties "msDS-User-Account-Control-Computed"

# Loop through each user account and check if the user has smartcardLogonRequired enabled
foreach ($user in $users) {
    if (($user."msDS-User-Account-Control-Computed" -band 2147483648) -eq 2147483648) {
        Write-Host "User $($user.Name) is using Multi-factor authentication."
    } else {
        Write-Host "User $($user.Name) is not using Multi-factor authentication."
    }
}

5. Account status: Check that the account is enabled or disabled based on the user’s employment status or if they are an intern.

# Retrieve the user account
$user = Get-ADUser -Identity "jdoe"

# Check the value of the "Enabled" property
if ($user.Enabled -eq $true) {
    Write-Host "User account is enabled"
} else {
    Write-Host "User account is disabled"
}

6. Auditing: Regularly review the logs of AD to track the activity of users, check for any suspicious behavior, compliance and identify any potential security threats.

You can use PowerShell to regularly review the logs of Active Directory (AD) to track the activity of users, check for any suspicious behavior, compliance and identify any potential security threats.

There are a few different ways to accomplish this, but one way is by using the Get-EventLog cmdlet to retrieve events from the AD event log. This cmdlet can be used to filter and view events related to user activity, such as account logon and logoff events, password changes, and object access events.

Here’s an example of how you can use the Get-EventLog cmdlet to retrieve account logon and logoff events:

# Retrieve account logon and logoff events
$logonEvents = Get-EventLog -LogName Security -InstanceId 4624 -After (Get-Date).AddDays(-30)
$logoffEvents = Get-EventLog -LogName Security -InstanceId 4634 -After (Get-Date).AddDays(-30)

You can also use the Get-WinEvent cmdlet to retrieve events from the security event logs, it is useful for retrieving events from older version of windows or from a remote computer.

# Retrieve account logon and logoff events
$logonEvents = Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 100
$logoffEvents = Get-WinEvent -FilterHashtable @{LogName='Security';ID=4634} -MaxEvents 100

Once you have retrieved the events, you can use the properties of the events, such as the UserName, TimeGenerated, and Message properties, to track the activity of specific users, check for suspicious behavior, and identify potential security threats.

You can also use the same approach to retrieve other types of events, such as object access events, password change events, and events related to other types of activity, such as GPO changes, Group Policy changes or even events in DNS, DHCP, and other services provided by AD.

It is also worth noting that there are third-party solutions and audit tools which can be used to monitor AD, but by using PowerShell you can retrieve the audit logs and process the logs in the way that suits your organization the best.

Another way to audit AD activity with PowerShell is by using the AD PowerShell module (ActiveDirectory) and the cmdlets that it provides, such as Search-ADAccount and Get-ADAudit* cmdlets. These cmdlets allow you to easily search for specific user accounts and retrieve audit information about AD activity, such as who made a change and when, and on which object the change was made.

Here’s an example of how you can use the Search-ADAccount cmdlet to retrieve all the user accounts that have been locked out in the past 24 hours:

#Retrieve locked out users in the past 24 hours
Search-ADAccount -LockedOut -TimeSpan (New-TimeSpan -Hours 24)

You can use the filter parameter to specify different criteria and narrow down the search, this cmdlet is useful to retrieve information about the users that had suspicious activity.

You can also use the Get-ADAudit* cmdlets to retrieve information about specific types of activity, such as changes to user accounts or groups, and other AD objects. Here’s an example of how you can use the Get-ADAuditUser cmdlet to retrieve information about changes to user accounts in the past 24 hours:

# Retrieve information about changes to user accounts in the past 24 hours
$start = (Get-Date).AddDays(-1)
Get-ADAuditUser -StartDate $start

You can also specify other parameters such as -Identity, -EventId, -EndDate to narrow down the search.

By regularly reviewing the logs of AD, you can identify potential security threats, suspicious behavior, and compliance issues, and take appropriate action to mitigate them. Additionally, you can use scripts to automate this process so that you can have an ongoing monitoring and early detection of issues, and also have an automatic report generation to share with your team.

7. Group membership: Review the group membership of the user and make sure they are added to the right group, and there is no unnecessary inclusion in sensitive group.

You can use PowerShell to review the group membership of users on Active Directory (AD) and make sure they are added to the right groups and that there is no unnecessary inclusion in sensitive groups.

One way to accomplish this is by using the Get-ADPrincipalGroupMembership cmdlet to retrieve the group memberships of a specific user. This cmdlet allows you to see what groups a user is a member of and check if they are added to the right groups based on their job function and role within the organization.

Here’s an example of how you can use the Get-ADPrincipalGroupMembership cmdlet to retrieve the group memberships of a specific user:

# Retrieve the group memberships of a user account
$user = "jdoe"
$groups = Get-ADPrincipalGroupMembership -Identity $user

# Display the names of the groups the user is a member of
$groups | ForEach-Object {Write-Host $_.Name}

You can also use the -Filter parameter to retrieve the group memberships for all users, and filter based on the groups you are interested in.

# Retrieve group memberships for all users
$users = Get-ADUser -Filter *

# Loop through each user and display the group memberships
foreach ($user in $users) {
    $groups = Get-ADPrincipalGroupMembership -Identity $user.DistinguishedName
    Write-Host "User: $($user.Name)"
    $groups | ForEach-Object {Write-Host "  Group: $($_.Name)"}
}

Another way to check the group membership is by using the Get-ADGroup cmdlet to retrieve the members of specific group, and filter based on the attribute you are interested in like name or userPrincipalName, you can use -Members parameter to retrieve the members of the group.

# Retrieve members of specific group
$group = "Group-Name"
$members = Get-ADGroupMember -Identity $group

Once you have retrieved the group memberships of the users or the members of a specific group, you can use the information to make sure that the users are added to the right groups, and that there is no unnecessary inclusion in sensitive groups.

For example, you can check if any users who have left the company are still members of sensitive groups and remove them from those groups to prevent unauthorized access to sensitive resources. You can also check if any temporary or intern users have been added to sensitive groups that they should not have access to, and remove them from those groups.

In addition to the above examples, you can also use the compare-object cmdlet to compare the group membership of users to the expected group membership based on their role and responsibilities, this way you can detect any deviation in group membership.

Here is an example of how you can use the Compare-Object cmdlet to compare the group memberships of users to the expected group membership:

# Define the expected group memberships
$expectedGroups = @("group1", "group2", "group3")

# Retrieve the group memberships of the user
$user = "jdoe"
$groups = (Get-ADPrincipalGroupMembership -Identity $user).Name

# Compare the group memberships of the user to the expected group memberships
$comparison = Compare-Object -ReferenceObject $expectedGroups -DifferenceObject $groups -IncludeEqual

# Display any deviations from the expected group memberships
$comparison | Where-Object {$_.SideIndicator -eq "<="} | ForEach-Object {Write-Host "User is not a member of group: $($_.InputObject)"}

Additionally, You can also use the script to regularly check the group membership and you can schedule it to run on regular interval, this way you can maintain the group membership in an automated and consistent way, and you can also use the scripts to automate the process of removing or adding users to groups based on their role or even based on their status (i.e. terminated, Intern, etc).

You can also use the Active Directory Role Management tools to check the group membership, these tools are typically provided by third-party vendors, but they can be helpful in managing group memberships in a more automated and efficient way, by using these tools you can check for compliance with organization policies and detect any suspicious activity or potential security threats.

In summary, by regularly reviewing the group membership of users on Active Directory, you can help to ensure that each user has been assigned the appropriate permissions and access rights to network resources based on their job function and role within the organization, and that there is no unnecessary inclusion in sensitive groups. PowerShell is a powerful tool that can help you to automate this process and make it more efficient.

This is all for now!

PEACE!

Published by hecsan9634