<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ActiveDirectory Archives - InfoTech Ninja</title>
	<atom:link href="https://infotechninja.com/tag/activedirectory/feed/" rel="self" type="application/rss+xml" />
	<link>https://infotechninja.com/tag/activedirectory/</link>
	<description></description>
	<lastBuildDate>Tue, 14 Apr 2026 00:00:00 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
	<item>
		<title>Active Directory Hardening: 10 Security Controls You Should Implement Today</title>
		<link>https://infotechninja.com/active-directory-hardening/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=active-directory-hardening</link>
					<comments>https://infotechninja.com/active-directory-hardening/#respond</comments>
		
		<dc:creator><![CDATA[Morris James]]></dc:creator>
		<pubDate>Tue, 14 Apr 2026 00:00:00 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[ActiveDirectory]]></category>
		<category><![CDATA[NTLM]]></category>
		<category><![CDATA[PrivilegedAccess]]></category>
		<category><![CDATA[WindowsSecurity]]></category>
		<category><![CDATA[ZeroTrust]]></category>
		<guid isPermaLink="false">https://infotechninja.com/?p=3</guid>

					<description><![CDATA[<p>Active Directory is the backbone of almost every enterprise Windows environment — and it's one of the most attacked surfaces in modern networks. These 10 controls will significantly shrink your attack surface.</p>
<p>The post <a href="https://infotechninja.com/active-directory-hardening/">Active Directory Hardening: 10 Security Controls You Should Implement Today</a> appeared first on <a href="https://infotechninja.com">InfoTech Ninja</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p class="entry-lead">Active Directory is the backbone of almost every enterprise Windows environment — and it&#8217;s one of the most attacked surfaces in modern networks. Default configurations, legacy protocols, and years of accumulated technical debt make AD a goldmine for attackers who have gained an initial foothold. These 10 controls will significantly shrink your attack surface.</p>
<h2>Why AD Defaults Are an Attacker&#8217;s Dream</h2>
<p>Out of the box, Active Directory ships with configurations that made sense in the early 2000s but are dangerous today. The Pre-Windows 2000 Compatible Access group, default permissive ACLs on objects like AdminSDHolder, unrestricted Kerberos delegation, and the universal availability of NTLM authentication all create conditions that attackers exploit with freely available tools like BloodHound, Mimikatz, and Impacket.</p>
<p>BloodHound analysis on a typical enterprise AD environment consistently reveals hundreds of unintended privilege escalation paths — most of them created not by attackers, but by years of accumulated admin shortcuts. A user gets added to Domain Admins &#8220;temporarily&#8221; and never removed. A service account gets unnecessary replication rights. These misconfigurations compound over time, and without deliberate hardening, your AD becomes a house of cards.</p>
<h2>Implement a Tiered Administration Model</h2>
<p>Microsoft&#8217;s tiered administration model (also called the Enterprise Access Model) separates administrative access into three distinct tiers. Tier 0 covers your most critical assets: domain controllers, ADFS servers, PKI infrastructure, and identity management systems. Tier 1 covers server workloads and applications. Tier 2 covers end-user workstations and devices. Credentials from a lower tier must never be able to access a higher tier.</p>
<p>Privileged Access Workstations (PAWs) are a critical implementation detail. Tier 0 administrators should only perform privileged actions from dedicated, hardened workstations that are not used for email, web browsing, or general productivity work. These PAWs should be enrolled in their own OU with restrictive GPOs, application whitelisting via AppLocker or WDAC, and Credential Guard enabled. Yes, it adds friction — that friction is the point.</p>
<h2>Lock Down NTLM and Legacy Protocols</h2>
<p>NTLM is responsible for more lateral movement and credential relay attacks than almost any other protocol in Windows environments. Pass-the-Hash, NTLM relay (via tools like Responder + ntlmrelayx), and credential capture attacks all depend on NTLM being available. The good news: you can audit and progressively restrict it without breaking things, if you&#8217;re systematic about it.</p>
<p>Start by auditing who is using NTLM and why. Enable NTLM auditing via Group Policy, collect the logs in your SIEM, and identify which applications still require it. Modern applications should use Kerberos. Once you&#8217;ve cleaned up the dependencies, move to restricting outbound NTLM from workstations and eventually enabling the &#8220;Deny all&#8221; policy on DCs. Don&#8217;t rush this — a phased approach prevents outages.</p>
<pre><code># Audit NTLM authentication events via PowerShell
# Enable NTLM auditing first via GPO (applied to the domain controllers):
# Security Settings > Local Policies > Security Options
# "Network security: Restrict NTLM: Audit NTLM authentication in this domain" = Enable all

# Then query the NTLM Operational log on a DC for the audit events (Event ID 8004).
# Note: these events are written to Microsoft-Windows-NTLM/Operational, not the Security log.
$exportPath = "C:\Logs\ntlm-audit.csv"
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null

# The Properties[] positions below follow the event's EventData order; confirm them
# against an actual event on your DC ($event.ToXml()) before relying on the column names.
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-NTLM/Operational"; Id = 8004 } |
    Select-Object TimeCreated,
        @{N='User';E={$_.Properties[0].Value}},
        @{N='Workstation';E={$_.Properties[1].Value}},
        @{N='TargetServer';E={$_.Properties[2].Value}} |
    Sort-Object TimeCreated -Descending |
    Export-Csv -Path $exportPath -NoTypeInformation

Write-Host "NTLM audit exported to $exportPath"</code></pre>
<h2>Privileged Access Controls That Actually Work</h2>
<p>Local Administrator Password Solution (LAPS) should be non-negotiable in any environment with more than a handful of machines. Without LAPS, local administrator accounts typically have the same password across all machines — one credential compromise means every workstation is owned. LAPS rotates unique passwords per machine and stores them in AD with ACL-controlled access. Microsoft LAPS (the updated version shipping with Windows 2022/11) adds even more capability including managed service account support.</p>
<p>Just-in-Time (JIT) administration takes privilege reduction further by eliminating standing privileged access entirely. Instead of accounts permanently in Domain Admins, admins request elevated access for a specific time window and purpose. Microsoft Privileged Identity Management (PIM) in Entra ID handles this for cloud/hybrid scenarios. For pure on-prem, Microsoft Identity Manager or third-party PAM solutions like CyberArk or BeyondTrust can provide JIT. The Protected Users security group is a quick, free win — adding privileged accounts to it disables NTLM, DES, and RC4 Kerberos, and prevents credential caching.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://infotechninja.com/active-directory-hardening/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">21</post-id>	</item>
		<item>
		<title>PowerShell 7: 10 Scripts Every SysAdmin Should Have in Their Toolkit</title>
		<link>https://infotechninja.com/powershell-7-sysadmin-scripts/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=powershell-7-sysadmin-scripts</link>
					<comments>https://infotechninja.com/powershell-7-sysadmin-scripts/#respond</comments>
		
		<dc:creator><![CDATA[Morris James]]></dc:creator>
		<pubDate>Tue, 07 Apr 2026 00:00:00 +0000</pubDate>
				<category><![CDATA[Automation]]></category>
		<category><![CDATA[ActiveDirectory]]></category>
		<category><![CDATA[PowerShell]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<category><![CDATA[Windows]]></category>
		<guid isPermaLink="false">https://infotechninja.com/?p=4</guid>

					<description><![CDATA[<p>PowerShell 7 (built on .NET 6+) is a genuine upgrade from Windows PowerShell 5.1. It's cross-platform, significantly faster for parallel workloads, and brings modern language features that make complex automation dramatically cleaner.</p>
<p>The post <a href="https://infotechninja.com/powershell-7-sysadmin-scripts/">PowerShell 7: 10 Scripts Every SysAdmin Should Have in Their Toolkit</a> appeared first on <a href="https://infotechninja.com">InfoTech Ninja</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p class="entry-lead">PowerShell 7 (built on .NET 6+) is a genuine upgrade from Windows PowerShell 5.1. It&#8217;s cross-platform, significantly faster for parallel workloads, and brings modern language features that make complex automation dramatically cleaner. If you&#8217;re still defaulting to PS 5.1 out of habit, this article will convince you to make the switch and give you scripts worth keeping.</p>
<h2>Why PS7 Changes Everything for SysAdmins</h2>
<p>The headline feature for infrastructure work is <code>ForEach-Object -Parallel</code>. In PowerShell 5.1, looping over hundreds of servers to run a command was sequential — painfully slow when each operation involves a network call. In PS7, adding <code>-Parallel</code> to your ForEach-Object pipeline runs iterations concurrently (up to a configurable throttle limit), collapsing a 10-minute sequential run to under a minute. Combined with the <code>-ThrottleLimit</code> parameter, you get controlled parallelism without overwhelming your network or target systems.</p>
<p>PowerShell 7 also ships with null-coalescing operators (<code>??</code> and <code>??=</code>), pipeline chain operators (<code>&amp;&amp;</code> and <code>||</code>), ternary expressions, and significantly improved error handling. The <code>Get-Error</code> cmdlet provides structured, detailed error information that makes debugging complex scripts far easier. Module compatibility has improved too — most PS 5.1 modules work in PS7 via a compatibility shim, though a handful of modules that rely on Windows-only COM components remain PS5.1-only.</p>
<h2>Bulk AD User Management</h2>
<p>Managing Active Directory users at scale through the GUI is tedious and error-prone. PowerShell with the ActiveDirectory module makes bulk operations straightforward and auditable. Common tasks like disabling accounts for departed employees, resetting passwords, updating department attributes for an org restructure, or moving users between OUs all lend themselves to one-liners or short scripts that you can test in a non-production OU first.</p>
<p>The script below processes a CSV file of user updates — useful when HR sends over a spreadsheet of 200 employees who need their department and manager attributes updated after a reorg. Run it with <code>-WhatIf</code> first to preview changes without applying them, then remove the switch for the actual run.</p>
<pre><code># BulkUpdateADUsers.ps1 — Update AD attributes from CSV
# CSV columns: SamAccountName, Department, Manager, Title
#Requires -Modules ActiveDirectory

param(
    [Parameter(Mandatory)][string]$CsvPath,
    [switch]$WhatIf
)

$users = Import-Csv -Path $CsvPath
$results = [System.Collections.Concurrent.ConcurrentBag[object]]::new()

$users | ForEach-Object -Parallel {
    # Capture the pipeline object first: inside the catch block $_ is the
    # ErrorRecord, not the CSV row, so $_.SamAccountName would be empty there.
    $user   = $_
    $bag    = $using:results
    $whatIf = $using:WhatIf
    try {
        $params = @{
            Identity   = $user.SamAccountName
            Department = $user.Department
            Title      = $user.Title
            WhatIf     = $whatIf.IsPresent
        }
        # Only resolve and set Manager when the column is populated; a blank value
        # would make Get-ADUser fail and mark the whole row as a failure.
        if (-not [string]::IsNullOrWhiteSpace($user.Manager)) {
            $params.Manager = (Get-ADUser -Identity $user.Manager -ErrorAction Stop).DistinguishedName
        }
        Set-ADUser @params -ErrorAction Stop
        $bag.Add([pscustomobject]@{ User = $user.SamAccountName; Status = "OK" })
    } catch {
        $bag.Add([pscustomobject]@{ User = $user.SamAccountName; Status = "FAIL: $_" })
    }
} -ThrottleLimit 20

$results | Export-Csv -Path ".\update-results.csv" -NoTypeInformation
Write-Host "Done. Results at .\update-results.csv"</code></pre>
<h2>Automated Patch Reporting</h2>
<p>Keeping track of patch status across a fleet of Windows servers is a common pain point. WSUS gives you a dashboard, but exporting useful reports for management or auditors is clunky. A PowerShell script that queries hotfix history across multiple servers and generates a clean report is something every Windows admin should have. The script below uses PS7&#8217;s parallel foreach to query multiple servers simultaneously, dramatically reducing the time it takes to gather data.</p>
<p>Combine this with a scheduled task or Azure Automation runbook to generate weekly patch compliance reports automatically. Export to CSV for easy import into Excel or your ITSM tool, or format as HTML for email distribution. Adding logic to flag servers that haven&#8217;t received updates in more than 30 days gives you an actionable compliance metric for your next audit.</p>
<pre><code># Get-PatchReport.ps1 — Query hotfix status across multiple servers
param([string[]]$Servers = @("SRV01","SRV02","SRV03"))

$report = $Servers | ForEach-Object -Parallel {
    $server = $_
    try {
        # Get-HotFix queries the target over WMI/DCOM, so the caller needs admin rights on each server.
        # Some hotfix entries carry no InstalledOn date; drop them so the newest dated patch wins.
        $latest = Get-HotFix -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1
        [pscustomobject]@{
            Server       = $server
            LastPatch    = $latest.HotFixID
            InstalledOn  = $latest.InstalledOn
            DaysSince    = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
            Status       = "Online"
        }
    } catch {
        # Unreachable, access denied, or no dated hotfix: use a sentinel so the row sorts to the top
        [pscustomobject]@{ Server=$server; LastPatch="N/A"; InstalledOn="N/A"; DaysSince=999; Status="Error: $_" }
    }
} -ThrottleLimit 10

$report | Sort-Object DaysSince -Descending | Format-Table -AutoSize
$report | Export-Csv ".\patch-report-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation</code></pre>
<h2>Calling REST APIs from PowerShell</h2>
<p><code>Invoke-RestMethod</code> is PowerShell&#8217;s built-in REST client, and it&#8217;s surprisingly capable. It automatically deserializes JSON responses into PowerShell objects, handles common authentication schemes, and supports all HTTP methods. Combined with PS7&#8217;s improved performance and parallelism, you can build lightweight integration scripts between your on-prem tooling and cloud APIs without pulling in external dependencies or standing up middleware.</p>
<p>A common use case: querying your monitoring tool&#8217;s API to get a list of alerts, then correlating them with your CMDB API to enrich the data before posting to a Teams channel via the incoming webhook API. Three API calls, all handled with <code>Invoke-RestMethod</code>, tied together in a script that runs every 15 minutes as a scheduled task. It&#8217;s not glamorous, but it&#8217;s the kind of practical automation that saves your team hours every week.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://infotechninja.com/powershell-7-sysadmin-scripts/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">22</post-id>	</item>
	</channel>
</rss>
