Check out my new post on TechNet:
https://gallery.technet.microsoft.com/Scan-for-Ransomware-and-cb075ccb
Friday, March 18, 2016
Tuesday, March 15, 2016
Protect your systems against Ransomware / CrypVault using GPO
Hi guys,
In this post I will show you how to block gpg.exe, which the ransomware CrypVault uses for file encryption.
Create a GPO (I will attach my GPO so you can import the settings!)
User Configuration/Policies/Windows Settings/Software Restriction Policies/Additional Rules
Create Path and Hash Rules for the known gpg.exe versions.

The virus will not be able to execute the tool anymore.

I recommend adding all gpg.exe hashes to the policy, because the path rules for gpg.exe and gpg2.exe will not apply if the EXE is renamed!
The attached GPO includes the paths and all hashes of gpg.exe up to version 2.3.0.

You can import this GPO by creating a new GPO, right-clicking it and selecting Import Settings. Follow the wizard to import the settings.
Please test before you implement this setting and also verify that this tool is not used by your users.
If your users are using gpg.exe, you can restrict execution only in %temp%, because the virus copies gpg.exe to this location most of the time...
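
The point about renamed executables, shown as an added example (not part of the original post or the attached GPO): a name-based check misses a renamed copy, while a hash-based check still catches it. The function name `Find-BlockedBinary`, the use of SHA-256 and all files in the demo folder are assumptions made for this illustration; the files are constructed stand-ins, not real gpg.exe binaries.

```powershell
# Added example. A path rule is simplified here to a file-name match,
# and a hash rule to a SHA-256 comparison (both are assumptions of this sketch).
function Find-BlockedBinary {
    param(
        [string]   $Path,           # folder to scan, e.g. $env:TEMP
        [string[]] $BlockedNames,   # file names a path rule would match
        [string[]] $BlockedHashes   # hash values a hash rule would match
    )
    Get-ChildItem -Path $Path -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                File            = $_.Name
                MatchesPathRule = $BlockedNames  -contains $_.Name
                MatchesHashRule = $BlockedHashes -contains $hash
            }
        }
}

# Constructed demo folder: one "tool", one renamed copy of it, one unrelated file.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("srp-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
try {
    $tool = Join-Path $demo 'gpg.exe'
    [System.IO.File]::WriteAllBytes($tool, [byte[]](1..64))
    Copy-Item -LiteralPath $tool -Destination (Join-Path $demo 'invoice_viewer.exe')
    [System.IO.File]::WriteAllBytes((Join-Path $demo 'other.exe'), [byte[]](65..128))

    # The blocklist is built from the stand-in file; in practice it would hold
    # the hashes of the gpg.exe versions you want to block.
    $blockedHashes = @((Get-FileHash -LiteralPath $tool -Algorithm SHA256).Hash)

    Find-BlockedBinary -Path $demo -BlockedNames 'gpg.exe', 'gpg2.exe' -BlockedHashes $blockedHashes |
        Sort-Object File | Format-Table -AutoSize
}
finally {
    Remove-Item -LiteralPath $demo -Recurse -Force
}
```

The renamed copy is reported with MatchesPathRule False and MatchesHashRule True, which is why the hash rules are needed in addition to the path rules.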

Monday, February 29, 2016
Powershell Active Directory Excel Report
This script reports information about your Active Directory infrastructure and saves it in an Excel file.
It uses PowerShell in combination with the Active Directory module. If you want to run this script, RSAT must be installed.
The following information will be saved into the Excel file.
- users that were created in the last 24 hrs
- users with the flag "password never expires" set
- disabled users
- users that never changed their passwords
- computers that have not logged on for more than 90 days
- disabled computers
- all DCs in your domain
- all DHCP servers in your Forest
- all Subnets with the associated Site and Location name in your Forest
- FSMO role holders in your Forest
- FSMO role holders in your Domain
- DOMAINNAME PW Policy
- DOMAINNAME GPOs
- DOMAINNAME OUs
DOWNLOAD the script
Wednesday, November 4, 2015
LDAP Queries for Users, Computers, Groups and Service Connection Points v2
Here are a lot of LDAP queries. For an example of how to use these queries with ADUC, see this post.
Computer accounts
Computer accounts starting with WS
(&(objectcategory=computer)(samaccountname=WS*))
Computer accounts with "COP" in the attribute "description"
(&(objectCategory=computer)(description=*COP*))
or
(&(objectCategory=computer)(description=*COP)) --> for only COP in the description
Computer accounts with MS-SQL installed
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*))
Computer accounts with a Server OS
(&(objectCategory=computer)(operatingsystem=*server*))
Find all computers that do not have a description
(&(objectCategory=computer)(!(description=*)))
Find all computer accounts for whom a manager is specified
(&(&(objectCategory=computer)(objectClass=computer))(managedBy=*))
Find all workstations
(sAMAccountType=805306369)
or
(&(objectCategory=computer)(objectClass=computer))
Find all 2003 Servers Non-DCs
(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2003*)))
Find all 2003 Servers – DCs
(&(&(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))))
Find all Server 2008
(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2008*))))
Find all 2008 Servers – DCs
(&(&(&(&(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server* 2008*)))))
Disabled computer accounts
(&(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2)))
Enabled computer accounts
(&(&(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))))
SQL Servers, any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*)(operatingSystem=Windows Server*))
Exchange Servers, any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*))
Find all Windows XP SP3 computers
(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))))))))
Find all Windows Vista SP1 computers
(&(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))
Find all Windows Server 2008 Enterprise computers
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008 Enterprise)(operatingSystemServicePack=Service Pack 1))
Find all Windows Server 2008 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008*))
Find all Windows 8.0 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows 8*)(operatingSystemVersion=6.2 \289200\29))
Find all Windows 8.1 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows 8.1*))
Find all Windows Server 2012 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*))
Find all Windows Server 2012 no R2 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*)(operatingSystemVersion=6.2 \289200\29))
Find all Windows Server 2012 R2 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012 R2*))
Find all Windows 10 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows 10*))
User accounts
Find all user accounts
(&(objectCategory=person)(objectClass=user))
Find all user accounts for whom a password is not required
(&(&(objectCategory=person)(objectClass=user))(UserAccountControl:1.2.840.113556.1.4.803:=32))
Find all user accounts that do not require a SmartCard for logon
(&(&(objectCategory=person)(objectClass=user))(!(UserAccountControl:1.2.840.113556.1.4.803:=262144)))
Find users that have non-expiring passwords
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
To find all user accounts that have the name “Mueller” in them
(&(objectcategory=person)(samaccountname=*Mueller*))
Locked out user accounts
(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))
User accounts starting with "A" in the attribute "Common Name"
(&(objectCategory=user)(cn=A*))
Disabled user accounts
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
User accounts without a value in the attribute "Mail"
(&(objectCategory=person)(objectClass=user)(!(mail=*)))
User accounts with mail enabled
(&(objectClass=user)(mail=*))
User accounts that have never logged on
(&(objectCategory=person)(objectClass=user)(|(lastLogon=0)(!(lastLogon=*))))
Users that have been given dial-in permissions
(&(objectCategory=user)(msNPAllowDialin=TRUE))
Find users who have admin in the description field
(&(objectcategory=person)(description=*admin*))
Find user accounts with no logon script
(&(objectcategory=person)(!(scriptPath=*)))
Find user accounts with no profile path
(&(objectcategory=person)(!(profilepath=*)))
Find non-disabled accounts that must change their password at next logon
(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
Find all users that need to change password on next login
(&(objectCategory=user)(pwdLastSet=0))
Finds all locked out accounts
(&(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16))
Finds all users with email address set
(&(objectcategory=person)(mail=*))
Finds all users with no email address
(&(objectcategory=person)(!(mail=*)))
Find all users with dial-in permissions
(&(objectCategory=user)(msNPAllowDialin=TRUE))
Finds all disabled accounts in Active Directory
(&(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))
Find all users that are almost locked out
Notice the “>=”, which means “greater than or equal to”.
(&(objectCategory=user)(badPwdCount>=2))
Find all mail-enabled groups hidden from the Global Address List (GAL)
(&(&(objectCategory=group)(objectClass=group))(&(mailnickname=*)(msExchHideFromAddressLists=TRUE)))
Find all mail-enabled security groups
(&(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=2147483648))(mailnickname=*))
Find all mailbox-enabled accounts
(&(&(objectCategory=person)(objectClass=user))(&(mailnickname=*)(|(msExchhomeServerName=*)(homeMDB=*))))
Find all mailbox-enabled accounts with Outlook Web Access (OWA) disabled
(&(&(objectCategory=person)(objectClass=user))(&(mailnickname=*)(|(msExchhomeServerName=*)(homeMDB=*))(|(protocolSettings=*HTTP§0*)(protocolSettings=*OWA§0*))))
Find all users with hidden mailboxes
(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))
(&(&(objectCategory=person)(objectClass=user))(lastLogon>=129772445240000000))
Groups
To find all groups that have no members
(&(objectCategory=group)(!(member=*)))
Find groups that contain the word admin
(&(objectcategory=group)(samaccountname=*admin*))
Find all universal groups
(groupType:1.2.840.113556.1.4.803:=8)
Find all global security groups
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))
Finds domain local groups
(groupType:1.2.840.113556.1.4.803:=4)
Find all distribution groups
(&(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2)))(objectCategory=ms-Exch-Dynamic-Distribution-List)(objectClass=msExchDynamicDistributionList)))
List all groups with sec- prefix convention
(&(objectCategory=group)(name=*sec-*))
Find all security groups with members
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=2147483648)(member=*))
Service connection points
Find all service connection points
(objectCategory=serviceConnectionPoint)
Find all service connection points that do not have service bindings specified
(&(objectCategory=serviceConnectionPoint)(!(serviceBindingInformation=*)))
Find all service connection points that do not have a service DNS name specified
(&(objectCategory=serviceConnectionPoint)(!(serviceDNSName=*)))
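
How the two matching-rule OIDs used in the userAccountControl and groupType filters above evaluate, as an added example that is not part of the original post: `1.2.840.113556.1.4.803` is a bitwise AND (every bit of the filter value must be set) and `1.2.840.113556.1.4.804` is a bitwise OR (at least one bit must be set). The function name `Test-LdapBitRule` and all sample accounts and groups are constructed for illustration; nothing here queries a directory.

```powershell
# Added example: local evaluation of the bitwise matching rules, no AD connection needed.
$BitAnd = '1.2.840.113556.1.4.803'   # all bits of the filter value must be set
$BitOr  = '1.2.840.113556.1.4.804'   # any bit of the filter value may be set

function Test-LdapBitRule {
    param([long] $AttributeValue, [string] $RuleOid, [long] $FilterValue)
    $common = $AttributeValue -band $FilterValue
    switch ($RuleOid) {
        '1.2.840.113556.1.4.803' { $common -eq $FilterValue }
        '1.2.840.113556.1.4.804' { $common -ne 0 }
        default { throw "Unsupported matching rule OID: $RuleOid" }
    }
}

# userAccountControl bits that appear in the filters on this page.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 2
    LOCKOUT              = 16
    PASSWD_NOTREQD       = 32
    DONT_EXPIRE_PASSWORD = 65536
    SMARTCARD_REQUIRED   = 262144
}

# Constructed sample accounts (512 = normal account).
$users = @(
    [pscustomobject]@{ Name = 'alice';   userAccountControl = 512   }   # normal
    [pscustomobject]@{ Name = 'bob';     userAccountControl = 514   }   # normal + disabled
    [pscustomobject]@{ Name = 'svc-sql'; userAccountControl = 66048 }   # normal + password never expires
    [pscustomobject]@{ Name = 'kiosk';   userAccountControl = 544   }   # normal + password not required
)

$users | ForEach-Object {
    $uac = $_.userAccountControl
    [pscustomobject]@{
        Name  = $_.Name
        UAC   = $uac
        Flags = ($UacFlags.GetEnumerator() |
                    Where-Object { Test-LdapBitRule $uac $BitAnd $_.Value } |
                    ForEach-Object { $_.Key }) -join ','
    }
} | Format-Table -AutoSize

# Constructed sample groups. AD stores groupType as a signed 32-bit integer,
# so security groups (high bit 2147483648 set) show up as negative numbers.
$groups = @(
    [pscustomobject]@{ Name = 'Global security';           groupType = -2147483646 }
    [pscustomobject]@{ Name = 'Universal security';        groupType = -2147483640 }
    [pscustomobject]@{ Name = 'Universal distribution';    groupType = 8 }
    [pscustomobject]@{ Name = 'Domain local distribution'; groupType = 4 }
)

$groups | ForEach-Object {
    [pscustomobject]@{
        Name                = $_.Name
        groupType           = $_.groupType
        'AND 8'             = Test-LdapBitRule $_.groupType $BitAnd 8            # universal groups filter
        'AND 2147483650'    = Test-LdapBitRule $_.groupType $BitAnd 2147483650   # global security groups filter
        'OR 2147483648'     = Test-LdapBitRule $_.groupType $BitOr  2147483648   # security groups filter
        'groupType=8'       = $_.groupType -eq 8                                 # plain equality, as in the distribution groups filter
    }
} | Format-Table -AutoSize
```

The group table shows the difference between the bitwise rule and plain equality: the `:803:=8` filter matches both universal security and universal distribution groups, while `(groupType=8)` matches only the distribution group.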
Wednesday, March 25, 2015
Change AD Group membership for multiple Users using Powershell
You can download my script from TechNet.

Also edit the marked groups in the script to match your environment. You can extend this as needed.
# Add the specified users to the groups "Petun" and "Petun2" in AD
Add-ADGroupMember -Identity Petun -Member $User.username
Add-ADGroupMember -Identity Petun2 -Member $User.username
- Requirements:
You have to create c:\ADUser.csv looking like this:
Wednesday, December 17, 2014
LDAP Queries for Users, Computers, Groups and Service Connection Points
Here are a lot of LDAP queries. For an example of how to use these queries with ADUC, see this post.
Computer accounts
Computer accounts starting with WS
(&(objectcategory=computer)(samaccountname=WS*))
Computer accounts with "COP" in the attribute "description"
(&(objectCategory=computer)(description=*COP*))
or
(&(objectCategory=computer)(description=*COP)) --> for only COP in the description
Computer accounts with MS-SQL installed
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*))
Computer accounts with a Server OS
(&(objectCategory=computer)(operatingsystem=*server*))
Find all computers that do not have a description
(&(objectCategory=computer)(!(description=*)))
Find all workstations
(sAMAccountType=805306369)
or
(&(objectCategory=computer)(objectClass=computer))
Find all 2003 Servers Non-DCs
(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2003*)))
Find all 2003 Servers – DCs
(&(&(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))))
Find all Server 2008
(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2008*))))
Find all 2008 Servers – DCs
(&(&(&(&(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server* 2008*)))))
Disabled computer accounts
(&(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2)))
Enabled computer accounts
(&(&(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))))
SQL Servers, any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*)(operatingSystem=Windows Server*))
Exchange Servers, any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*))
Find all Windows XP SP3 computers
(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))))))))
Find all Windows Vista SP1 computers
(&(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))
Find all Windows Server 2008 Enterprise computers
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008 Enterprise)(operatingSystemServicePack=Service Pack 1))
Find all Windows Server 2008 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008*))
Find all Windows 8.0 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows 8*)(operatingSystemVersion=6.2 \289200\29))
Find all Windows 8.1 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows 8.1*))
Find all computer accounts for whom a manager is specified
(&(&(objectCategory=computer)(objectClass=computer))(managedBy=*))
Find all Windows Server 2012 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*))
Find all Windows Server 2012 no R2 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*)(operatingSystemVersion=6.2 \289200\29))
Find all Windows Server 2012 R2 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012 R2*))
User accounts
Find all user accounts
(&(objectCategory=person)(objectClass=user))
Find all user accounts for whom a password is not required
(&(&(objectCategory=person)(objectClass=user))(UserAccountControl:1.2.840.113556.1.4.803:=32))
Find all user accounts that do not require a SmartCard for logon
(&(&(objectCategory=person)(objectClass=user))(!(UserAccountControl:1.2.840.113556.1.4.803:=262144)))
Find users that have non-expiring passwords
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
To find all user accounts that have the name “Mueller” in them
(&(objectcategory=person)(samaccountname=*Mueller*))
Locked out user accounts
(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))
User accounts starting with "A" in the attribute "Common Name"
(&(objectCategory=user)(cn=A*))
Disabled user accounts
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
User accounts without a value in the attribute "Mail"
(&(objectCategory=person)(objectClass=user)(!(mail=*)))
User accounts with mail enabled
(&(objectClass=user)(mail=*))
User accounts that have never logged on
(&(objectCategory=person)(objectClass=user)(|(lastLogon=0)(!(lastLogon=*))))
Users that have been given dial-in permissions
(&(objectCategory=user)(msNPAllowDialin=TRUE))
Find users who have admin in the description field
(&(objectcategory=person)(description=*admin*))
Find user accounts with no logon script
(&(objectcategory=person)(!(scriptPath=*)))
Find user accounts with no profile path
(&(objectcategory=person)(!(profilepath=*)))
Find non-disabled accounts that must change their password at next logon
(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
Find all users that need to change password on next login
(&(objectCategory=user)(pwdLastSet=0))
Finds all locked out accounts
(&(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16))
Finds all users with email address set
(&(objectcategory=person)(mail=*))
Finds all users with no email address
(&(objectcategory=person)(!(mail=*)))
Find all users with dial-in permissions
(&(objectCategory=user)(msNPAllowDialin=TRUE))
Finds all disabled accounts in Active Directory
(&(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))
Find all users that are almost locked out
Notice the “>=”, which means “greater than or equal to”.
(&(objectCategory=user)(badPwdCount>=2))
Find all mail-enabled groups hidden from the Global Address List (GAL)
(&(&(objectCategory=group)(objectClass=group))(&(mailnickname=*)(msExchHideFromAddressLists=TRUE)))
Find all mail-enabled security groups
(&(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=2147483648))(mailnickname=*))
Find all mailbox-enabled accounts
(&(&(objectCategory=person)(objectClass=user))(&(mailnickname=*)(|(msExchhomeServerName=*)(homeMDB=*))))
Find all mailbox-enabled accounts with Outlook Web Access (OWA) disabled
(&(&(objectCategory=person)(objectClass=user))(&(mailnickname=*)(|(msExchhomeServerName=*)(homeMDB=*))(|(protocolSettings=*HTTP§0*)(protocolSettings=*OWA§0*))))
Find all users with hidden mailboxes
(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))
(&(&(objectCategory=person)(objectClass=user))(lastLogon>=129772445240000000))
Groups
To find all groups that have no members
(&(objectCategory=group)(!(member=*)))
Find groups that contain the word admin
(&(objectcategory=group)(samaccountname=*admin*))
Find all universal groups
(groupType:1.2.840.113556.1.4.803:=8)
Find all global security groups
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))
Finds domain local groups
(groupType:1.2.840.113556.1.4.803:=4)
Find all distribution groups
(&(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2)))(objectCategory=ms-Exch-Dynamic-Distribution-List)(objectClass=msExchDynamicDistributionList)))
List all groups with sec- prefix convention
(&(objectCategory=group)(name=*sec-*))
Find all security groups with members
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=2147483648)(member=*))
Service connection points
Find all service connection points
(objectCategory=serviceConnectionPoint)
Find all service connection points that do not have service bindings specified
(&(objectCategory=serviceConnectionPoint)(!(serviceBindingInformation=*)))
Find all service connection points that do not have a service DNS name specified
(&(objectCategory=serviceConnectionPoint)(!(serviceDNSName=*)))