Audit Windows Active Directory Security With Powershell

Auditing is a fairly old concept and has been utilized for quite some time in the computer world. Auditing in security is relatively recent and has increased dramatically over the last ten years. There are plenty of manual techniques and tools available to assist in auditing the security of different hardware and software components inside a network.

Auditing Windows systems is a big task, and having helpful tools would surely make a difference to the speed and accuracy of the necessary audits. Once such a tool is available to auditors, the active directory security is called PowerShell. The concept of continuous auditing comes into play here, and it can be defined as asking for the security settings of a system in real-time.

There is also another way of defining continuous auditing. It is defined as the gathering of information about systems without the need of the administrator or administrative privileges, along with the capability of obtaining reports on the various security aspects of a component. Windows PowerShell is one such tool that can audit Windows active directory security without the need for domain-level administrative rights.

Windows PowerShell is available and supports Windows XP SP3, Windows Vista SP1, Windows Server 2003, Windows Server 2008, and Windows 7. The latest version available is version 2, and it can be downloaded from here. Once the PowerShell is installed onto the system, some additional tasks need to be performed to run the cmdlets (short for Commandlets).

Windows PowerShell comes with its security, and we need to loosen it a bit to be able to execute the necessary cmdlets. To do that, run Windows PowerShell on the system as the local administrator. In the prompt, type set-execution policy

Once that is done, you shall be prompted for the next entry. Type in remote signed

As a result of these commands, now you can run the cmdlets without any errors.

The next step is to get the cmdlet for AD.

This cmdlet will allow us to issue commands and provide us with output that will be helpful in the security auditing of AD. The cmdlet for AD can be obtained from here.

– Considering the code in the first URL, copy the content in the highlighted area and paste it into a notepad.

– Save the notepad file as .ps1. The extension has to be .ps1, and make sure that you get rid of the standard .txt extension while saving the notepad file.

Once that is done, open the cmd prompt and navigate to the folder containing the cmdlet.

cd z:\cmdlets

The above command assumes that the cmdlet is in the z drive under the cmdlets directory. Make sure you change the directory and the drive according to the location of your .ps1 file.

Once you have navigated to the correct directory, execute the following command.

.\.ps1

Do not forget the .\ as it is required to execute the cmdlets.

This will produce the necessary information and print it out on the screen. Some other commands that can be run are:

.\.ps1 -Domain -User administrator
.\ .ps1 -Domain -ToCsv C:\MyFolder\MyFile.csv
.\ .ps1 -Domain -Group "Domain Admins"