Knowing Your Active Directory Environment.

A topic I return to frequently is what I call “IT Epistemology” – what do we know about our IT environment, and how do we know it? It’s one thing to have a general working knowledge of this system or that process, but another thing entirely to know for sure that it works and achieves its goal.

Endpoint management is a common element of the managed IT services landscape, usually accomplished by a lightweight management agent deployed onto enterprise computers. The ability to exercise control over workstations and servers is key to keeping the network stable, secure, and functioning as expected. But what if there are machines which avoid discovery, only to resurface later?

Unmanaged rogue workstations can present a serious security risk – especially when the MSP has become complacent, assuming that all machines on the network have been identified and incorporated into the management system. An endpoint not being managed is an endpoint which is probably not being patched or protected by enterprise-grade antivirus either.

This is where IT epistemology comes in. If we believe that all workstations within a company domain are being managed, how can we know that for sure? We need to verify what we think is true against some hard evidence.

Thankfully, this isn’t difficult in an Active Directory environment. By running a simple PowerShell command, you can pull a complete list of all enabled computer accounts in AD – alongside Last Logon dates, to get a sense of any machines which could potentially be disabled in AD as well.

In an elevated PowerShell instance on a domain controller, run the following command:

Get-ADComputer -Filter 'Enabled -eq $true' -ResultPageSize 2000 -ResultSetSize $null -Properties Name,OperatingSystem,LastLogonDate | Export-Csv 'C:\EnabledPCs.csv' -NoTypeInformation

This will generate a CSV file at the specified path with a listing of all enabled computer accounts in Active Directory across all OUs. Take this list and compare it to the workstations shown in your endpoint management console; anything showing up in the PowerShell report but not in the management system is a computer to investigate. Look at the logon date: has it not logged into the domain for a while? It might be a decommissioned workstation and can be considered for disabling. Otherwise, computers showing up in AD which don’t show up in the management console may be rogue machines and should be tracked down.
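The comparison between the AD export and the management console’s device list can itself be scripted. The following is an added example, not part of the original post: it assumes the console export has a Hostname column and uses an assumed 90-day staleness threshold, and the sample rows are constructed so it runs offline.

```powershell
# Added example (not from the original post): reconcile the AD computer export
# against the endpoint-management console's device export. Sample rows are
# constructed inline so the script runs offline; for real use swap in
# Import-Csv 'C:\EnabledPCs.csv' and Import-Csv of the console's export.
# The 'Hostname' column name in the console export is an assumption.

# Constructed stand-in for the Get-ADComputer export (ISO dates for portability;
# a real Export-Csv writes LastLogonDate in the DC's regional date format).
$adComputers = @'
Name,OperatingSystem,LastLogonDate
WS-ACCT-01,Windows 10 Enterprise,2024-05-20 08:12:00
WS-ACCT-02,Windows 10 Enterprise,2023-11-02 17:45:00
WS-HR-03,Windows 11 Pro,2024-05-30 12:00:00
SRV-FILE-01,Windows Server 2019 Standard,2024-05-21 03:00:00
WS-LAB-07,Windows 10 Pro,
'@ | ConvertFrom-Csv

# Constructed stand-in for the management console's device list.
$consoleDevices = @'
Hostname
ws-acct-01
srv-file-01
'@ | ConvertFrom-Csv

function Get-EndpointReconciliation {
    param(
        [object[]]$AdComputers,
        [string[]]$ManagedHostnames,
        [datetime]$AsOf,
        [int]$StaleDays = 90   # assumed threshold for "not logged on in a while"
    )
    # Normalise case and whitespace so 'ws-acct-01' matches 'WS-ACCT-01'.
    $managed = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]($ManagedHostnames | ForEach-Object { $_.Trim().ToUpperInvariant() }))
    foreach ($c in $AdComputers) {
        $lastLogon = if ($c.LastLogonDate) { [datetime]$c.LastLogonDate } else { $null }
        $days      = if ($lastLogon) { [int]($AsOf - $lastLogon).TotalDays } else { $null }
        # Never-logged-on accounts (empty LastLogonDate) are treated as stale.
        $status = if ($managed.Contains($c.Name.Trim().ToUpperInvariant())) { 'Managed' }
                  elseif ($null -eq $lastLogon -or $days -gt $StaleDays) { 'Stale: consider disabling' }
                  else { 'Unmanaged: investigate' }   # recently active but not in the console
        [pscustomobject]@{
            Name = $c.Name; OperatingSystem = $c.OperatingSystem
            LastLogonDate = $lastLogon; DaysSinceLogon = $days; Status = $status
        }
    }
}

# Fixed reference date so the constructed sample classifies the same way every
# run; use (Get-Date) against a live export.
$report = Get-EndpointReconciliation -AdComputers $adComputers `
    -ManagedHostnames $consoleDevices.Hostname -AsOf ([datetime]'2024-06-01')
$report | Where-Object Status -ne 'Managed' | Format-Table -AutoSize
```

With the constructed rows, WS-ACCT-02 and WS-LAB-07 come out as stale candidates for disabling, while WS-HR-03 is recently active yet absent from the console and is the one to track down.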

Even still, this technique may not give us the complete picture. What if there are machines not on the domain? This report won’t tell us anything about rogue machines which might be outside the domain. There are a few different ways these could be tackled; checking DNS and running an IP scanner can help you figure out what else may be accessing the network, and are good places to start.

While the report might not be able to capture every last machine which may be on the premises, it can at least give you a good audit of domain-level access. Don’t just presume your endpoints are managed; verify it. Go the extra mile and show your clients some value!
