• Hi Leos,

    I had that issue in a government setting, a loooooooong time ago (2003 AD controller).
    As far as I know it is based on (a combination of) best practices: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits
    I didn't configure those machines, just used Delphi to replace the user manager (as it was crap then). During my development I did numerous requests to read (and find certain account names, status etc.). As I remember, I could relate the (harmless read) actions to the logging that filled up that machine.

    Now for the practical part:
    I have tried to do requests that fill up a log (on a freshly installed DC with 3 new user accounts), but wasn't able to (at least I could not find a log with numbers growing because of my requests). Maybe just because I am doing it on a local DC (not accessing it from a remote machine), maybe I need to configure something more... or it is not logged at all (as your response might suggest). If so, then the only reason not to do the same requests over and over is just load based.

    I have kept it as much "safe" in my environments by not testing all queries against all possible records. I prefer no tests on production; running tested code on a small environment only shows me that the functionality does what it says... in larger environments you might run into weird problems, especially when using PowerShell and variables (requesting all records from a database (or AD) into a local variable... it takes some time and then the machine you use suddenly has no memory left).

    I need to research a little more what is logged and what is not.
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4662
    ...Active Directory logs this event when a user accesses an AD object. ...
    ...this is the only event that reports accesses defined for auditing that do not qualify as property changes. ...

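Added example for the "what is logged" question above; this is not code from the original post. It assumes it is run in an elevated PowerShell on the domain controller with read access to the Security log. It checks whether "Directory Service Access" success auditing is switched on, how full the Security log is and whether it overwrites (the linked CrashOnAuditFail policy only bites when the log is full and not overwriting), and which accounts produced 4662 events recently. Note that 4662 is only written for accesses the object's SACL marks for auditing; plain reads are not audited by default, which is one reason a test run can show no growth at all.

```powershell
# Added example (not from the original post). Run elevated on the DC.

function Get-DsAccessAuditSetting {
    # auditpol prints a table; keep only the row for the subcategory we care about
    $row = auditpol /get /subcategory:"Directory Service Access" |
        Where-Object { $_ -match 'Directory Service Access' }
    if ($row -match 'Success') { 'on' } else { 'off' }
}

function Get-SecurityLogState {
    # LogMode 'Circular' overwrites the oldest events; 'Retain' stops logging when full,
    # which is the condition the CrashOnAuditFail policy reacts to
    Get-WinEvent -ListLog Security |
        Select-Object LogMode, IsLogFull, RecordCount, FileSize, MaximumSizeInBytes,
            @{ n = 'PercentFull'; e = { [math]::Round(100 * $_.FileSize / $_.MaximumSizeInBytes, 1) } }
}

function Get-ObjectAccessEventsByAccount {
    param([int]$Minutes = 15)
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    # Get-WinEvent raises an error (not an empty result) when nothing matches
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        # the account and object type live in the event's EventData, not in the message text
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Account    = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
            ObjectType = ($data | Where-Object { $_.Name -eq 'ObjectType' }).'#text'
        }
    } | Group-Object Account, ObjectType |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Account';    e = { $_.Group[0].Account } },
            @{ n = 'ObjectType'; e = { $_.Group[0].ObjectType } }
}

"Directory Service Access success auditing: $(Get-DsAccessAuditSetting)"
Get-SecurityLogState | Format-List
Get-ObjectAccessEventsByAccount -Minutes 15 | Format-Table -AutoSize
```

Run it once before and once after a batch of test queries; if the per-account counts do not move while auditing is on, the objects you read simply have no audit entries in their SACL.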
  • Hi,

    I have no AD to test against, but I would suggest breaking it up a little. If you are testing your script against large environments... don't test by running the script 50 times with small changes (1. it takes too long, 2. it fills some specific AD controller security logs really fast).
    That's why testing should be done against a test domain.

    How I would do it is something like:

    # GetOnceKeepInMemory
    # Get-ADUser needs -Filter (or -Identity); -Filter * returns every user below the search base
    $MyUsers = Get-ADUser -Filter * -SearchBase "OU=WAT,DC=wt,DC=ad,DC=city,DC=aa"
    $MyUsers.Count # quick indication of the number of users found
    # the objects contain almost (not all) information about the AD users you are allowed to view.

    With the memory filled you can easily do the following (be aware that filling the memory can be a lot of data... but that also makes my point 😉):

    $myusers  <enter>

    and watch the list (over and over, without asking the AD over and over). You can use
    $myusers | Get-Member   <enter>  (alias GM) to find out more about the object.

    A sample I used gets two specific OUs of users and adds them together in a report:

    $Date = Get-Date -Format yyyy-MM-dd
    $OutputPath = '<report folder>'   # placeholder: set to the directory the CSV and log should go to
    
    $report = @() # create a new report
    
    # the two OUs to scan; both get exactly the same filter
    $SearchBases = @(
        "OU=Internal User Accounts,OU=User Objects,OU=dodoclub,DC=dodoclub,DC=local",
        "OU=External User Accounts,OU=User Objects,OU=dodoclub,DC=dodoclub,DC=local"
    )
    
    foreach ($ou in $SearchBases) {
        # Search-ADAccount only returns a small set of properties (Enabled is there, WhenCreated is not),
        # so the account-age check has to run after Get-ADUser has fetched WhenCreated
        $report += Search-ADAccount -AccountInactive -TimeSpan 45.00:00:00 -UsersOnly -SearchBase $ou |
            Where-Object { $_.Enabled -eq $true } |
            Get-ADUser -Properties Department, LastLogonTimestamp, WhenCreated |
            Where-Object { $_.WhenCreated -lt (Get-Date).AddDays(-45) -and $_.LastLogonTimestamp -gt 0 } | # skip accounts that never logged on
            Select-Object Name, SamAccountName, LastLogonTimestamp, Department
    }
    
    $report #| Export-Csv -NoTypeInformation -Path "$OutputPath\InactiveUsers_$Date.csv"
    
    <#
    # use the report data as input to actually do something with the accounts. Be careful with this.
    $report | ForEach-Object {
        $DisableDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
        Write-Output "User $($_.SamAccountName) is disabled on $DisableDate." #| Out-File "$OutputPath\InactiveUsers_Disabled.log" -Append
        # actually disable the account
        #Set-ADUser -Identity $_.SamAccountName -Enabled $false
    }
    #>
    

    This script gets a list my support team wanted in order to call people, bla bla bla...
    I've no access to an AD at the moment... so testing is a little awkward for me. But I hope that the way I used it helps a little in getting what you want. If not... let me know 🙂

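Added example of the "query once, keep it in memory, filter locally" approach from the post above; it is not the poster's script. It assumes the ActiveDirectory module, read access to the two OUs (the OU paths and the 45-day threshold are taken from the post as placeholders), and a reachable DC. It makes one LDAP query per OU with all needed attributes and does every other step, including converting LastLogonTimestamp from FILETIME, on the cached objects; the disable step is a dry run via -WhatIf.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
$InactiveDays = 45
$SearchBases  = @(
    'OU=Internal User Accounts,OU=User Objects,OU=dodoclub,DC=dodoclub,DC=local',
    'OU=External User Accounts,OU=User Objects,OU=dodoclub,DC=dodoclub,DC=local'
)

function Get-CachedUsers {
    param([string[]]$SearchBase)
    # ask for every attribute the report needs in the same query: no per-user round trips later
    foreach ($ou in $SearchBase) {
        Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou -Properties Department, LastLogonTimestamp, WhenCreated
    }
}

function ConvertFrom-LastLogonTimestamp {
    param([Nullable[long]]$Value)
    # LastLogonTimestamp is a Windows FILETIME; missing or 0 means the account never logged on.
    # It replicates lazily and can lag the real last logon by up to 14 days.
    if (-not $Value -or $Value -le 0) { return $null }
    [DateTime]::FromFileTime($Value)
}

function Get-InactiveReport {
    param([object[]]$Users, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($u in $Users) {
        $lastLogon = ConvertFrom-LastLogonTimestamp $u.LastLogonTimestamp
        # skip accounts younger than the threshold and accounts that never logged on
        if ($u.WhenCreated -ge $cutoff -or -not $lastLogon) { continue }
        if ($lastLogon -lt $cutoff) {
            [pscustomobject]@{
                Name           = $u.Name
                SamAccountName = $u.SamAccountName
                LastLogon      = $lastLogon
                Department     = $u.Department
            }
        }
    }
}

$users  = Get-CachedUsers -SearchBase $SearchBases        # the only AD round trips in the script
$report = Get-InactiveReport -Users $users -Days $InactiveDays
$report | Format-Table -AutoSize

# Dry run: -WhatIf prints what would be disabled without touching AD. Drop it only after reviewing the list.
$report | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Re-running Get-InactiveReport with a different -Days value reuses $users, so tweaking the report no longer costs another full query against the DC.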
  • Other options are to use Hyper-V on a workstation to build some machines (as suggested in previous post #post-1556496).

    The needed ISOs are free to download and install (mostly for 180 days).
    I use that a lot to experiment with PowerShell scripts that run on servers. I have written posh scripts to fully build a (set of) server(s) that work together in a domain with web and SQL.
    (Not a part of this discussion: a domain has cons and pros, is mostly useful, but not always necessary - my current company has no domain for the 8 or 9 machines we have.)

    Learning to write the scripts and steps to do remote stuff on those VMs gave me a good head start on using PowerShell, learning server stuff, Hyper-V (VMware as well) and deployment tools on servers. Skills that I now use to deploy servers and will use to enhance the current platform (agile as in faster deployment cycles, CI/CD and DevSecOps). The development team and me as sole support for system engineering are working together to implement / utilize microservices and Docker (containers), Kubernetes etc. to deliver the application to a growing population of users (20k+).

    If you have questions just let me know.

  • Try it like this?

    $volumes = Get-Volume
    foreach ($volume in $volumes) {
        $volume.ObjectId          # the identifier the volume is keyed on
        $volume                   # the volume object itself
        $volume | Get-Partition   # the partition(s) that back this volume
    }
    

    With

    Get-Volume | Select-Object *

    you can see all the items. I dunno where it internally sorts on; I guess that's the reason it switches things around in the output.
