Channel: Active Directory – Jacques Dalbera's IT world
Browsing all 302 articles
Browse latest View live


How to check the status of the SYSVOL and Netlogon shares

To check the status of the SYSVOL and Netlogon shares: On the Start menu, point to Administrative Tools, and then click Services. Verify that the DFS Replication service and the Netlogon service have a...


You have been hacked? First things to check…

Obviously, you need to find a hack before you can take measures to stop the attack and recover from it. Where do you begin? Every hack is unique, but you should always check certain places first. Here...


ADFS 3.0: How to renew SSL certificate?

RDP to your ADFS internal primary server. Import the new certificate to the Machine’s Personal Store. Make sure you have a private key that corresponds to this certificate. If not, go to the PC you...


Which permissions/rights does a user need to have WMI access on remote...

Which permissions/rights does a user need to have WMI access on remote machines: http://serverfault.com/questions/28520/which-permissions-rights-does-a-user-need-to-have-wmi-access-on-remote-machines...


EventID 4625 – An account failed to log on

Subject: Identifies the account that requested the logon – NOT the user who just attempted to log on. Subject is usually Null or one of the Service principals and not usually useful information. See...


PKI – how to delete certificate issued by a specific CA in PowerShell?

To display certificates on local computer store: C:\Windows\system32>powershell -command "get-item cert:\\LocalMachine\\My\\* | foreach { echo $_.issuer }" CN=ISSUINGCASERVER, O=company IT Group SA...


PKI – How to audit a CA ?

Reference article: https://technet.microsoft.com/en-us/library/dn786432.aspx?f=255&MSPPError=-2147217396 Enable CA auditing: a) Start PKIview, select the CA and right-click Manage, on Properties, go...


ADFS – How to rename an ADFS server?

How to rename an internal ADFS server or ADFS proxy server? Please check that you don’t have any reference for certificate, federation name (ex: sts.domain.com) or alias on DNS record, then for the...


AD – Do You Allow Blank Passwords In Your Domain?

Reference article: http://blogs.technet.com/b/pfesweplat/archive/2012/12/11/do-you-allow-blank-passwords-in-your-environment.aspx Explanation in the article above. So basically you will have to make...


AD – how to detect usage of NTLM v1 ?

Here is a piece of code to extract NTLM v1 authentication events from the security event logs of AD domain controllers: Get-WinEvent -FilterHashtable @{ Logname="Security"; ID=4624; Data="NTLM V1" }...


PowerShell – How to add all users in an OU to a Security Group

Import-Module ActiveDirectory; $rootOU = "OU=Special Users,OU=Users,DC=MyDomain,DC=com"; $group = "mydomain\group1"; Get-ADUser -SearchBase $rootOU -Filter * | ForEach-Object {Add-ADGroupMember -Identity...


AD – MS Advanced Threat Analytics (ATA)

ATA on Technet: https://technet.microsoft.com/en-us/library/dn707706.aspx ATA deployment demo: https://www.youtube.com/watch?v=xvWJssUpU6w Blog:...


What if PSRemoting and Unrestricted Execution are disabled?

Remotely enable PSRemoting and Unrestricted PowerShell Execution using PsExec and PSSession, then run PSRecon. Option 1 — WMI: PS C:\> wmic /node:"10.10.10.10" process call create "powershell...


How to force a synchronization with AAD Connect 1.1.x?

With AAD Connect 1.1, Microsoft no longer has a Windows scheduled task running every 3 hours. The tool now has a built-in scheduler, performing a delta sync every 30 minutes....


AAD Connect filtering options

With AAD Connect 1.1, https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-configure-filtering/ The following filtering configuration types can be applied to the...


IIS and Kerberos authentication

How to configure IIS with Kerberos is explained in the TechNet blog: https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/ In short, you must...


Monitoring ADFS and AAD Connect using Azure AD connect health

Monitoring ADFS and the AAD Connect Sync Engine using AAD connect health:...


Portqry failed with UDP/389

Understanding UDP 389 portqry error and how to solve this issue: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a6d07279-6852-4dfb-afc7-f06f5b1034c2/port-389udp?forum=winserverDS...


Detecting hackers (or intrusions) using Windows event log monitoring

The NSA released a PDF entitled “Spotting the Adversary with Windows Event Log Monitoring” earlier this year. The good news is it’s probably one of the most detailed documents I’ve seen in a long time....


PowerShell – Adding/Removing group members ?

Adding/removing members from another forest or domain to groups in Active Directory:...
