AD attributes question

For user and computer-centric alerts, how are you pulling AD data (attributes) on users or computers besides using MMC?

Thanks!

@Java I often use the below PowerShell resources:
Get-ADUser:
https://ss64.com/ps/get-aduser.html
Get-ADComputer:
https://ss64.com/ps/get-adcomputer.html

2 Likes

My guess is @SwedishMike’s PowerShell tools might be easier to use, but historically I’ve used dsquery… and for what it’s worth, it’s also a good thing to monitor for in your environment, as it can be a common lateral movement reconnaissance tool.

Some examples of using dsquery:

Search users in a specific OU, in this case “HR”, whose name starts with the string “Johnson”

dsquery user OU=hr,DC=us,DC=acme,DC=com -name "Johnson*"

Search all objects in the domain context, but only show results for when SAM Account Name matches “Ajohnson”, and only return the specific attributes lastlogon, samaccountname, and displayname

dsquery * DC=us,DC=acme,DC=com -filter sAMAccountName=ajohnson -attr lastlogon sAMaccountName displayname

Search all objects in the domain context, but only show results when the common name (CN) is “webus001”, and only return attributes of common name (CN), operating system, operating system service pack, and OS version.

dsquery * DC=us,DC=acme,DC=com -filter cn=webus001 -attr cn operatingsystem operatingsystemservicepack operatingsystemversion

Good resources for dsquery:

1 Like
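
For alert enrichment, the two approaches in this thread can be combined into one lookup that returns the same attributes as the dsquery examples. This is an added example, not code from any poster: the function names `Get-AlertAdContext` and `ConvertTo-LdapFilterValue` are hypothetical, the default search base is the thread's example domain, and it assumes the RSAT ActiveDirectory module is installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example: helper names are hypothetical, search base is the thread's example DN.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping so a name copied from an alert cannot change the filter logic
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Get-AlertAdContext {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$SearchBase = 'DC=us,DC=acme,DC=com'
    )
    # Accept "HOST$" or "HOST" as they appear in different log sources
    $safe = ConvertTo-LdapFilterValue -Value ($Name.TrimEnd('$'))

    # User lookup: same filter and attributes as the sAMAccountName dsquery example
    $user = Get-ADUser -LDAPFilter "(sAMAccountName=$safe)" -SearchBase $SearchBase `
        -Properties DisplayName, lastLogon, LastLogonDate | Select-Object -First 1
    if ($user) {
        # lastLogon is a FILETIME kept per domain controller (not replicated);
        # LastLogonDate comes from the replicated lastLogonTimestamp and can lag.
        $last = if ($user.lastLogon -gt 0) { [DateTime]::FromFileTimeUtc($user.lastLogon) } else { $null }
        return [pscustomobject]@{
            Type               = 'user'
            SamAccountName     = $user.SamAccountName
            DisplayName        = $user.DisplayName
            Enabled            = $user.Enabled
            LastLogonThisDcUtc = $last
            LastLogonDate      = $user.LastLogonDate
            DistinguishedName  = $user.DistinguishedName
        }
    }

    # Computer lookup: same filter and attributes as the cn=webus001 dsquery example
    $computer = Get-ADComputer -LDAPFilter "(cn=$safe)" -SearchBase $SearchBase `
        -Properties OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion |
        Select-Object -First 1
    if ($computer) {
        return $computer | Select-Object @{ n = 'Type'; e = { 'computer' } }, Name, Enabled,
            OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion, DistinguishedName
    }
    Write-Warning "No user or computer named '$Name' under $SearchBase"
}
# Constructed usage: Get-AlertAdContext -Name ajohnson ; Get-AlertAdContext -Name 'webus001$'
```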