Imagine being named XYZ in a crowd of other XYZs – a purposeless name that creates confusion and does not communicate a purpose, adding to the cognitive pile of everyone’s day-to-day tasks. Similarly, Active Directory groups created by users need to have logical names so that current and future users do not find themselves stuck in a pickle.
Administrators have several options for managing the properties of Active Directory users. The Active Directory Users and Computers (ADUC) console is convenient for making a few basic changes, such as modifying a user’s description or office location. For more functionality, however, consider using PowerShell. This article illustrates how you can address many common use cases with the PowerShell cmdlet Set-ADUser.
The PowerShell cmdlet Get-ChildItem obtains objects from one or more specified locations, such as a file system directory, registry hive or certificate store. These locations are exposed by PowerShell providers. If the location is a container, the cmdlet gets the child items in that container. The -Recurse parameter can be used to get items from all child containers, while the -Depth parameter can be used to limit how many levels to recurse to.
Once an adversary has compromised privileged credentials, for example, by exploiting an attack path, they want to make sure they don’t lose their foothold in the domain. That is, even if the accounts they have compromised are disabled or have their passwords reset, they want to be able to easily regain Domain Admin rights. One way to achieve this persistence is to exploit features of Active Directory that are intended to keep privileged accounts protected: AdminSDHolder and SDProp.
The Exchange Administration Center (EAC) is an easy-to-use interface for managing Exchange. However, it enable you to change only a handful of mailbox settings, and you can modify only one mailbox at a time. For more comprehensive management, you turn to Microsoft PowerShell (or, to be exact, Exchange Management Shell).
A distribution group is a mail-enabled Active Directory group used to send a message to a group of recipients who are members of that group. Administrators can manage some of the properties and permissions of distribution groups using the Exchange Administration Center (formerly Exchange Management Console). However, this article explains how to perform many common distribution group management tasks using the Exchange Management Shell cmdlets Set-DistributionGroup and Add-DistributionGroupMember.