SysAdminMAGAZINE

Mastering AD
Management Secrets
 Contents SysAdmin Magazine July 2023

SysAdmin
Magazine Contents

75
3 How to Back Up and Restore Group Policy Objects (GPOs)
№ July ‘23

11 Stealing Credentials with a Security Support Provider (SSP)

SysAdmin Magazine is a free 13 How to Clean Up Your Active Directory

source of knowledge for IT Pros
who are eager to keep a tight
grip on network security and do
15 Top Strategies to Harden Your Active Directory Infrastructure
the job faster.
18 How to: Detect Password Changes in Active Directory

19 Tool of the Month: Netwrix Recovery for AD

The Sysadmin Magazine team

sysadmin.magazine@netwrix.com

2
 Contents SysAdmin Magazine July 2023

How to Back Group Policy Refresher

Up and Restore
Before we dive into Group Policy object backup and recovery, let’s review some important details about how GPOs are created
and used.

Group Policy GPO Components

Objects (GPOs) When a new Group Policy object is created, it is assigned a unique identifier called a GUID. Each GPO has two parts:

▪ Group Policy template (GPT) — The GPT comprises a set of folders in the SYSVOL file share (“C:\\WindowsSYSVOL\domain\
Policies\{GUID}”). These folders are used to store the majority of the content of a Group Policy object, including the templates,
Joe Dibley settings, scripts and details about MSI packages. The GPT is replicated to every DC in the domain by File Replication Services
Security Researcher at Netwrix (FRS) or Distributed File System Replication (DFSR), depending on the version of Windows. In fact, GPOs are effectively domain-
specific because SYSVOL is replicated only within a domain.

Group Policy objects are critical for managing Windows

Server infrastructure. To avoid severe service issues, ad-
ministrators must configure GPOs carefully and be pre-
pared to revert any changes quickly by backing them up
before modifying them.

3
 Contents SysAdmin Magazine July 2023

▪ Group Policy container (GPC) — The GPC is a groupPolicyContainer object located in the domain naming context under GPO Associations
CN=System,CN=Policies. This AD object’s attributes are used to store referential information related to the GPO. Significantly,
Once a GPO has been created, it can be associated with
this includes the gPCFileSysPath attribute, which contains the path to the GPO’s GPT in SYSVOL. Unlike the GPT, the GPC is
one or more Active Directory objects: organizational units
replicated by Active Directory Domain Services according to the configured replication cost, schedule and interval.
(OUs), domains and the sites. This association is not main-
tained by the GPO but by each of the associated AD ob-
jects, in its gPLink attribute. The value of an object’s gPLink
attribute is a list of the GPC paths of each GPO that the
object has been associated with. When a GPO’s associa-
tion to an object is created or deleted, only the value of the
affected object’s gPLink attribute is modified.

An important remark is that while the replication of SYS-

VOL effectively makes GPOs domain-specific, the fact that
GPOs can be linked to a site object means that GPO-re-
lated information is not necessarily confined to a domain.
Site objects are stored in the Active Directory Configura-
tion partition, which is replicated to all domain controllers
in the forest. This results in the path to a Group Policy ob-
ject’s GPC contained in the gPLink attribute sneaking out
of the domain during Active Directory replication.

4
 Contents SysAdmin Magazine July 2023

User and computer configurations ▪ Backup-GPO — This cmdlet makes it very easy to take
Group policy processing One last thing to note is that GPOs contain both a Computer
a snapshot of all of a domain’s Group Policy objects or a

order Configuration and a User Configuration. These subgroups

single specified GPO.

contain nearly identical sets of Policy settings, but they

Active Directory applies GPOs in the following order: ▪ Restore-GPO — This cmdlet can restore a Group Policy
differ in when the GPO settings are applied.
object to its state as captured in a backup made by the
1. Local GPOs Backup-GPO cmdlet.
Computer Configuration settings are applied to computers
2. Site-linked GPOs
during boot, and User Configuration settings are applied
3. Domain-linked GPOs
during logon. This means that options in the Computer
4. OU-linked GPOs (processed beginning from the root, so
a GPO linked to a nested OU will take precedence over a
Configuration are always enforced against associated Creating a backup of all GPOs
computers, while options in the User Configuration are
GPO linked to its parent OU) The following PowerShell script uses the Backup-GPO
enforced only when an associated user account is logged
cmdlet’s -All parameter to create backups of all of the GPOs
on to a computer.
The policy that is applied last “wins” (unless the “Enforce” in the specified domain using a specified DC:
option is used, which prevents a policy from being
If a user logs on to a computer and there is a conflict between
overridden by a subsequently applied policy).
a Computer Configuration setting and a User Configuration
$BackupPath = '\\HOSTNAME\GPOBackup'
setting, the Computer Configuration setting will always take
$Domain = 'domain.local'
precedence.
$DomainController = 'DC.domain.local'

$BackupFolder = New-Item -Path $Backup-

Path -Name (Get-Date -format yyyyMMd-
GPO backup and restore dTHHmmss) -ItemType Directory

process using PowerShell Backup-GPO -All -Domain $Domain -Server

$DomainController -Path $BackupFolder
We’ll begin with the two relevant Group Policy PowerShell
cmdlets available as part of Microsoft’s Windows Remote
Server Administration Tools:

5
 Contents SysAdmin Magazine July 2023

The output of the Backup-GPO cmdlet consists of a separate subfolder for each GPO’s backup information and a manifest.xml Backup version control
file that contains the information necessary to associate each of the subfolders to their respective GPO:
Repeatedly backing up Group Policy objects to a single
location is supported, but each execution of this script
creates a unique subfolder for its output. The subfolders
are named using backup-specific GUIDs generated during
cmdlet execution, which all but eliminates the chance
of naming collisions with repeated backups to a single
location.

Segregating the output of each execution into unique

Looking inside one of the subfolders, we find that each backup consists of a folder and three XML files: folders is not strictly necessary, but the behavior of the
Restore-GPO cmdlet creates a benefit for doing so. The
Restore-GPO cmdlet will allow you to restore all GPOs
at once, but it will use the most recent backup of each
Group Policy object as identified within the manifest.xml.
By separating each set of backups into its own folder, you
ensure that each set of backups gets its own manifest.
xml. This allows the restoration of all of the GPOs in any of
these backup sets in a single operation.

A downside to using the Backup-GPO cmdlet’s -All

The folder contains a copy of the Group Policy object’s GPT, and the XML files contain the data from the Group parameter is that it backs up all of the Group Policy objects
Policy’s GPC, information specific to the backup’s execution and a report that describes the contents of the GPO. in the domain every time it is executed, rather than only
the ones that have changed. One way to get around that
issue is by using a script like the one below. It forces the
Backup-GPO cmdlet to use a file the script creates in the
update folder to maintain the timestamp of the script’s

6
 Contents
last runtime. If the file exists, the script backs up any of
the domain’s GPOs that have been modified since the
timestamp in the file. If the file doesn’t exist, the script
creates the file, sets the timestamp and backs up all of the
domain’s GPOs.
$BackupPath = '\\DC\GPOBackup'
$Domain = 'domain.local'
$DomainController = 'DC.domain.local'
$BackupPathTracker = "$BackupPath\Last-
Backup.txt"
if((Test-Path "$BackupPathTracker")) {
$LastBackup = Get-Date (Get-Content
-Path "$BackupPathTracker")
Set-Content -Path "$BackupPath-
Tracker" -Value (Get-Date)
$GPOs = Get-GPO -All -Domain $Domain
-Server $DomainController
$GPOs | Where-Object { $_.Modifica-
tionTime -gt $LastBackup } | ForEach-Ob-
ject {
Backup-GPO -Guid $_.Id -Domain
$Domain -Server $DomainController -Path
$BackupPath
7
SysAdmin Magazine July 2023
} BackupPath = '\\HOSTNAME\GPOBackup'
} else { $Domain = 'domain.local'
Set-Content -Path "$BackupPathTrack- $DomainController = 'DC.domain.local'
er" -Value (Get-Date)
Backup-GPO -All -Domain $Domain -Serv- $BackupPathTracker = "$BackupPath\Last-
er $DomainController -Path $BackupPath Backup.txt"
} $BackupFolder = New-Item -Path $Backup-
Path -Name (Get-Date -format yyyyMMd-
dTHHmmss) -ItemType Directory
While this approach will save space by limiting unnecessary if((Test-Path "$BackupPathTracker")) {
backups, the backups it does make all end up in the same $LastBackup = Get-Content -Path
folder, which makes it difficult to restore Group Policy "$BackupPathTracker"
objects to a specific point in time. Set-Content -Path "$BackupPath-
Tracker" -Value (Get-Date)
Combining the approaches taken in each of the two scripts $GPOs = Get-GPO -All -Domain $Domain
would solve all of our problems, right? -Server $DomainController
$GPOs | Where-Object { $_.Modifica-
tionTime -gt $LastBackup } | ForEach-Ob-
ject {
Backup-GPO -Guid $_.Id -Domain
$Domain -Server $DomainController -Path
$BackupFolder
}
}
 Contents SysAdmin Magazine July 2023

else { # Restore a single GPO from its most

Set-Content -Path "$BackupPath- recent backup
Tracker" -Value (Get-Date)
How version numbers can get out of
Restore-GPO -Name 'GpoName' -Path '\\
Backup-GPO -All -Domain $Domain HOSTNAME\GPOBackup' -Domain 'domain.
-Server $DomainController -Path $Back- local' -Server 'DC.domain.local'
upFolder
} # Restore a single GPO from a specific
backup
Restore-GPO -BackupId 12345678-09ab-
As it turns out, isolating each of the differential backup cdef-1234-567890abcdef -Path '\\HOST-
results in their own folders actually makes everything far NAME\GPOBackup' -Domain 'domain.local'
worse. This approach also isolates each of the manifest. -Server 'DC.domain.local' How version numbers can get out of
xml files in their own folders, both effectively eliminating sync
the ability to restore all GPOs at once while also making it # Restore all of a domain’s GPOs from
The output from the Restore-GPO cmdlet includes two sets
incredibly difficult to find the backups associated with any their most recent backup
of version numbers, one for the Computer Configuration
specific Group Policy object. Restore-GPO -All -Path '\\HOSTNAME\GPO-
and one for the User Configuration.
Backup' -Domain 'domain.local' -Server
'DC.domain.local'
The GPT and the GPC are each responsible for maintaining
their own version number, with the separate UserVersion
Restoring GPOs from backup
and ComputerVersion values being calculated from the User
When a Group Policy object is restored from backup, the
In practice, these approaches are running into a limitation of Configuration version and Computer Configuration version
version of the GPO is incremented as part of the restoration
the Restore-GPO cmdlet: Restore-GPO can restore a specific numbers, respectively. This is possible as a result of the way
process in order to force replication to favor the restored
Group Policy object from either the most recent backup the version number is incremented. It is increased by 1 when
copy of the GPO.
referenced in a manifest.xml file or a specified backup — but a GPO’s Computer Configuration is modified and by 65536
restoring all of a domain’s GPOs at once is limited to using each time the User Configuration is modified.
the most recent backups in a specified manifest.xml file.

8
 Contents SysAdmin Magazine July 2023

All of this is necessary because, as discussed above, a Group Policy object’s GPT and GPC are replicated separately by different While this process can recover a deleted GPO, it cannot
services, which can result in the version numbers of a GPO’s GPT and GPC on any specific domain controller being out of sync restore the gPLink values that existed prior to the GPO’s
— which will prevent it from being processed. deletion. This is because those values existed only on the
linked objects. The only safe way around this limitation is to
leverage external backups of Active Directory that contain
the gPLink values.
Restoring a deleted GPO
A documented limitation of the Restore-GPO cmdlet is that it cannot be used to recover a Group Policy object that has been
deleted, because it will be unable to find the GPC piece of the GPO in Active Directory. Attempting to recover a deleted GPO will
result in an error that looks like this:
Using GPMC and AGPM for
GPO backup and restore
Group Policy PowerShell cmdlets are not your only option
for GPO backup and restore. Microsoft also provides the
Group Policy Management Console (GPMC), an MMC snap-
in that can be used to back up and restore Group Policy
Objects. Like the Backup-GPO cmdlet, it can back up either
However, if you are able to recover the GPC first, Restore-GPO can be used to recover the deleted GPO. To do so, we can use the a single specified GPO or all of a domain’s GPOs. Unlike
Restore-ADObject cmdlet to fully recover the Active Directory piece of the GPO from the Active Directory Recycle Bin, and then the the Restore-GPO cmdlet, it is limited to restoring a single
Restore-GPO cmdlet is able to restore the GPO: GPO at a time.

GPMC does provide a method to restore deleted GPOs

from backup, but it doesn’t actually recover the deleted
GPO; it actually just creates a new GPO and populates it
using the information in the backup.

Another benefit of the GPMC is improved visibility into the

9
 Contents SysAdmin Magazine July 2023

Group Policy PowerShell cmdlets are not your only option
for GPO backup and restore. Microsoft also provides the
Group Policy Management Console (GPMC), an MMC snap-
in that can be used to back up and restore Group Policy
Objects. Like the Backup-GPO cmdlet, it can back up either
a single specified GPO or all of a domain’s GPOs. Unlike the
Restore-GPO cmdlet, it is limited to restoring a single GPO
at a time.
managed GPO outside of AGPM can result in corruption of
the AGPM database). That said, it’s not necessarily a bad
tool; I just suggest you mess around with it quite a bit it
in a lab environment before attempting to deploy it into
production.

GPMC does provide a method to restore deleted GPOs

How can Netwrix help? FREE GUIDE

from backup, but it doesn’t actually recover the deleted
GPO; it actually just creates a new GPO and populates it
using the information in the backup.
Another benefit of the GPMC is improved visibility into the
contents of the GPO backups, though it remains difficult to
compare the settings in a backup to the current settings of
the live GPO.
Netwrix Recovery for Active Directory provides a unified
web interface that enables you to back up both Active
Directory objects and Group Policy objects in a single
Active Directory
snapshot, search and manage backups, roll back attribute
changes to live objects, and even recover deleted GPOs
Group Management
and their associated gPLinks.
Best Practices

Free Download
Microsoft’s Advanced Group Policy Management (AGPM)
tool, which is available as part of the Microsoft Desktop
Optimization Pack, extends the GPMC with version control
functionality that helps you view and understand the
contents of your backups. However, the benefits of AGPM
tend to be outweighed by two factors: It doesn’t seem to
be very well maintained, and it has a reputation for not
playing well with others (for example, modifying an AGPM-

10
 Contents
Stealing
Credentials with a
Security Support
Provider (SSP)
Jeff Warren
Security Expert, SVP of Products at Netwrix
Mimikatz provides attackers with several different ways
to steal credentials from memory or extract them from
Active Directory. One of the most interesting options is the
MemSSP command. An adversary can use this command
to register a malicious Security Support Provider (SSP) on a
Windows member server or domain controller (DC) — and
that SSP will log all passwords in clear text for any users
who log on locally to that system.
In this article, we will explore this attack and how attackers
can use it to elevate their privileges.
11
SysAdmin Magazine July 2023
SSP Attack Scenarios
and want to inject a malicious SSP into memory. All we need
to do is issue the misc::memssp command in Mimikatz:
A Security Support Provider is a dynamic-link library
(DLL) involved in security-related operations, including
authentication. Microsoft provides a number of SSPs,
including packages for Kerberos and NTLM. Let’s look at
some of the reasons an attacker might want to register a
malicious SSP on a computer:
▪ An attacker has compromised a member server as
a local Administrator but has limited rights to move
Now the SSP is injected into memory. However, if the DC is
rebooted, the SSP will be lost and must be injected again.
laterally throughout the domain. This can be solved by registering a DLL as an SSP that is
▪ An attacker has compromised a DC as a Domain Admin provided with Mimikatz.
or Administrator but wants to elevate their privileges to
Enterprise Admin to move laterally across domains.
▪ An attacker has compromised a DC as a Domain Admin
using a Pass-the-Hash attack but wants to leverage
the clear text password of the admin to log into other
applications, such as Outlook Web Access or a remote
desktop connection.
Once the SSP is registered, all users who log on to the DC,
In any of these scenarios, an SSP attack can be very effective. as well as all local services, will log their passwords to the
c:WindowsSystem32mimilsa.log file. That file will contain
the clear text passwords for all users who have logged on
and service accounts running on the system:
Performing an SSP Attack
Performing an SSP attack is very simple. For this post, let’s
focus on the attacks that target a domain controller. Let’s
assume we have compromised a Domain Admin account
 Contents SysAdmin Magazine July 2023

Prevention
Since SSP attacks on DCs require an attacker to have compromised the DC as a Domain Admin or Administrator, the best
prevention is to keep those accounts from being compromised by strictly limiting membership in those groups, enforcing strong
account governance and monitoring the activity of privileged accounts.

Protecting Against SSP How Netwrix Can Help

Attacks Identify security issues in your AD environment and fix the gaps before bad actors exploit them using tools like Mimikatz with
the Netwrix Active Directory security solution. It will enable you to:

Detection ▪ Uncover security risks in Active Directory and prioritize your mitigation efforts.
▪ Harden security configurations across your IT infrastructure.
SSP attacks can be difficult to detect. To see whether any
▪ Promptly detect and contain even advanced threats, such as DCSync and Golden Ticket attacks.
of your DCs have already been compromised, you can run
▪ Respond to known threats instantly with automated response options.
the following PowerShell command to check each DC in the
▪ Minimize business disruptions with fast Active Directory recovery.
domain for the existence of the mimilsa.log file. Hopefully,
the results come back empty.

12
 Contents
How to Clean
Up Your Active
Directory
Joe Dibley
Security Researcher at Netwrix
Despite the popularity of the cloud, Microsoft Active Direc-
tory (AD) remains a crucial component of the IT infrastruc-
ture for many organizations. Indeed, Active Directory often
serves as the central identity repository and provides vital
authentication and authorization services — so keeping it
clean and well organized is vital.
Discover exactly why regular AD cleanup is critical — and
the key signs of a poorly maintained AD environment. Then
get valuable tips for cleaning up your Active Directory and
learn about a solution that can help.
13
SysAdmin Magazine July 2023
tion achieve and prove compliance with these provisions.
Benefits of a Clean Active ▪ IT operations — A cluttered AD makes management
Directory
much harder for administrators. By cleaning it, you can
reduce the time they have to spend supporting it, giv-
Active Directory is the central repository for user accounts, ing them more time for strategic initiatives.
computer accounts, server objects, Group Policy objects
and other important information. But the AD database
can become cluttered and fragmented over time as users
▪ Business agility — Mergers and acquisitions often
involve consolidating Active Directory environments,
often on a tight schedule. Meeting those deadlines is
join and leave the organization, computer hardware is re-
much easier when AD is clean and organized. More
freshed, Windows Server is updated on domain control-
broadly, AD cleanup simplifies the job of adding new
lers, and other changes are made. By cleaning up your AD,
applications, updating workflows and making other
you can improve all of the following:
changes to drive the business forward.
▪ Performance — Changes to the Active Directory da-
tabase are constantly being replicated among your
multiple domain controllers, and a bloated AD creates
unnecessary replication traffic. It can take longer to au-
Signs of a Poorly
thenticate users, search for AD objects and download Maintained Active
Group Policy objects. Cleaning up your AD regularly
helps these processes perform optimally.
Directory
▪ Security — Threat actors often seek to gain access to Signs of a poorly maintained AD environment include the
networks by taking over Active Directory user accounts following:
of former employees that were never deleted. Regular-
▪ Stale, duplicate or orphaned user accounts
ly removing unused accounts shuts off this attack path.
▪ Empty or duplicate security and distribution groups
▪ Compliance — Many regulatory mandates require organi- ▪ Little insight into security group access permissions
zations to implement strong controls over user identities. ▪ Lack of an established process for provisioning and
Regular Active Directory cleanup can help your organiza- de-provisioning accounts
 Contents
▪ Inability to determine ownership of objects and groups
▪ Inaccurate or incomplete object attribute details
How to Clean Up Active
Directory
The following best practices can help you clean up you
Active Directory:
▪ Regularly identify stale, disabled, inactive and or-
phaned user accounts — Adversaries look for unused
Active Directory user accounts they can compromise in
order to gain access to sensitive data. Some AD man-
agement products not only identify risky AD user ac-
counts but provide customizable workflows that can
automatically move them to a staging OU so you can re-
view the impact of deleting them individually or in bulk.
▪ Identify duplicate user accounts — Users can end
up with multiple accounts after changing roles with-
in the organization, especially if you have multiple AD
domains. Cleaning up these duplicate accounts can re-
duce complexity and confusion that can lead to security
risks associated with overprovisioning.
▪ Ensure user account attributes are complete and
accurate — Active Directory cleanup is about more
14
SysAdmin Magazine July 2023
than just deleting objects. It’s also about ensuring that up to date. Make sure your solution can identify these
your AD objects are properly populated with all the in- groups and help you clean them up.
formation required for proper account management.
▪ Ensure each group has an owner and require reg-
Be sure to perform metadata cleanup as well.
ular attestation — Each group should have an own-
▪ Leverage historical SIDS — Eliminate token bloat and
broken access control by identifying and cleaning up
er who is required to regularly attest that the group is
still needed and that it has the correct permissions and
historical SIDS to improve performance. membership.
▪ Identify expired passwords — Identify Active Directo-
ry accounts with expired passwords, since they can in-
dicate that the account is infrequently used or inactive.
Settings. How Netwrix Can Help
▪ Find empty, duplicate and circularly nested groups Using native tools like PowerShell to clean up your AD is
— Identify and remove empty or duplicate AD groups time-consuming, and writing and maintaining scripts re-
that serve no purpose. Solutions like Netwrix Active Di- quires expertise. But the Netwrix Active Directory Security
rectory Security Solution can also identify and help you Solution enables you to easily query, analyze, report on
remediate circularly nested groups that hinder AD per- and remediate unwanted objects in your Active Directory
formance. and file systems so you can finally bring Active Directory
under control. As a result, you can strengthen security,
▪ Review security groups with large membership —
achieve and prove compliance, make your IT teams more
While some security groups, such as Everyone, are
efficient, and improve business agility.
meant to be large, most security groups should be much
smaller. Make sure each group includes only the users
who need the resource access that the group provides.
▪ Clean up mail-enabled groups — Distribution lists
and mail-enabled security groups often become bloat-
ed over time because their owners fail to keep them
 Contents
Top Strategies
to Harden Your
Active Directory
Infrastructure
Joe Dibley
Security Researcher at Netwrix
Microsoft Active Directory (AD) is the central credential
store for 90% of organizations worldwide. As the gate-
keeper to business applications and data, it’s not just ev-
erywhere, it’s everything! Managing AD is a never-ending
task, and securing it is even harder. At Netwrix, we talk to
a lot of customers who are using our tools to manage and
secure AD, and over the years, key strategies for tightening
security and hardening AD to resist attacks have emerged.
Here are 10 Active Directory security hardening tips that
you can use in your environment:
15
SysAdmin Magazine July 2023
However, with an enterprise password management solu-
Tip #1: Clean up stale objects
tion, you can make it easy for users to create unique and
highly secure passwords and manage them effectively,
Active Directory includes thousands of items and many
so you do not have to compromise on strong password
moving elements to safeguard. A core method for in-
requirements. A user needs to memorize just one strong
creasing security is to decrease clutter by removing un-
password, and the tool manages all the others for them.
used users, groups and machines. Stale AD objects may
be abused by attackers, so deleting them reduces your
attack surface.
You may also find seldom-used items. Use HR data and Tip #3: Don’t let employees
work with business stakeholders to determine their sta- have admin privileges on their
tus; for example, for user accounts, determine the user’s workstations
manager. While this takes time, you’ll appreciate having it
done during your next audit or compliance review. If an attacker gains control of a user account (which we all
know happens quite a bit), their next step is often to install
hacking software on the user’s workstation to help them
move laterally and take over other accounts. If the com-
Tip #2: Make it easy for users to promised account has local admin rights, that task is easy.
choose secure passwords
But most business users do not actually need to install
To prevent adversaries from compromising user creden-
software or change settings very often, so you can reduce
tials to enter your network and move laterally, passwords
your risk by not giving them admin permissions. If they do
need to be hard to crack. But users simply cannot remem-
need an additional application, they can ask the helpdesk
ber and manage multiple complex passwords on their
to install it. Don’t forget to use Microsoft LAPS ensure all
own, so they resort to practices that weaken security, such
remaining local admin accounts have strong passwords
as writing their passwords on sticky notes or simply incre-
and change them on a regular schedule.
menting a number at the end when they need to change
them. That led security experts to weaken their recom-
mendations concerning password complexity and resets.
 Contents
Tip #4: Lock down service accounts
Service accounts are used by applications to authenticate
to AD. They are frequently targeted by attackers because
they are rarely monitored, have elevated privileges and
typically have passwords with no expirations. According-
ly, take a good look at your service accounts and restrict
their permissions as much as possible. Sometimes service
accounts are members of the Domain Admin’s group, but
typically don’t need all of that access to function — you
may need to check with the application vendor to find out
the exact privileges needed.
It’s also important to change service account passwords
periodically to make it even more difficult for attackers to
exploit them. Doing this manually is difficult, so consider
using the group managed service account (gMSA) feature,
introduced in Windows Server 2016. When you use gM-
SAs, the operating system will automatically handle the
password management of service accounts for you.
Tip #5: Eliminate permanent
membership in security groups
The Enterprise Admin, Schema Admin and Domain Admin
security groups are the crown jewels of Active Directory,
and attackers will do everything they can to get member-
ship in them. If your admins have permanent member-
16
ship in these groups, an attacker who compromises one
of their accounts will have permanent elevated access in
your domain.
To reduce this risk, strictly limit membership in all of
these highly privileged group and, furthermore, make
membership temporary. The Enterprise Admin and Sche-
ma Admin groups are not frequently used, so for these,
this won’t be an issue. Domain Admin is needed much
more, so a system for granting temporary membership
will have to be set up.
Tip #6: Eliminate elevated
permissions wherever possible
There are three fairly common permissions that attack-
ers need to execute attacks against AD: Reset Password,
Change Group Membership and Replication. These per-
missions are harder to secure since they are so frequent-
ly used in daily operations.
Accordingly, you should monitor all changes to securi-
ty group permissions or membership that would grant
these rights to additional users. Even better, implement a
privileged access management (PAM) solution that enables
just-in-time temporary provisioning of these privileges.
SysAdmin Magazine July 2023
Tip #7: Implement multifactor
authentication (MFA)
MFA adds an extra layer of security by requiring users to
verify their identity by providing at least two of the follow-
ing types of authentication factors:
▪ Something they know, such as a password, PIN or an-
swer to a security question
▪ Something they have, such as a code from a physical
token or a smart card
▪ Something they are, which means biometrics like a fin-
gerprint, iris or face scan
Tip #8: Closely audit your Active
Directory
It is important to audit Active Directory for both non-se-
cure settings and suspicious activity. In particular, you
should perform regular risk assessment to mitigate se-
curity gaps, monitor for anomalous user activity, and
promptly identify configuration drift in critical system
files. It’s ideal to invest in tools that will automatically alert
you to suspicious events and even respond automatically
to block threats.
 Contents SysAdmin Magazine July 2023

Tip #9: Secure DNS

Securing DNS can help you to block a variety of attacks,
including as domain hijacking and DNS spoofing. Steps to
take include implementing DNSSEC, using a secure DNS
server and regularly reviewing DNS settings.
FREE GUIDE

Tip #10: Regularly back up Active Active Directory

Directory
Having a recent backup of your Active Directory is crucial
Delegation Best
for recovery from cyber incidents, including ransomware
attacks and natural disasters. Backups should be stored
Practices
securely, tested regularly and be readily accessible to
ensure your critical AD settings are recoverable in the event
Free Download
of a disaster.

Conclusion
Active Directory is an amazing system for controlling access.
However, it’s only secure when it’s clean, understood,
properly configured, closely monitored and tightly
controlled. These tips are practical ways that you can tighten
security and harden your Active Directory.

17
 Contents
How-to for IT Pro
HOW TO: RESTORE DELETED AD OBJECTS
The Active Directory Recycle Bin is disabled by default. In
order to use it to restore deleted objects, you must enable
it. You cannot restore any objects deleted before Recycle
Bin was enabled. Note that Recycle Bin can be enabled only
once without a possibility to disable it afterwards.
Prerequisite: Enable the Recycle Bin
in Active Directory
1. Open the Server Manager management console ->
Click Tools -> Active Directory Administrative Center
(Alternatively: Open the “run” box (click Start -> Run or
use the Win-R keyboard shortcut) -> Type dsac.exe ->
Click OK.)
2. Click on your domain name. In the Tasks pane, click En-
able Recycle Bin.
3. In the confirmation window, click OK.
18
SysAdmin Magazine July 2023
3. Select the deleted object. Then do one of the following:
Restore an Object with the Active
Directory Administrative Center
▪ To restore the object to its original container, click
Restore:
(ADUC)
1. Open the Server Manager management console ->
Click Tools -> Active Directory Administrative Center
(Alternatively: Open the “run” box (click Start -> Run or
use the Win-R keyboard shortcut) -> Type dsac.exe ->
Click OK.)
2. In the left pane of the ADUC,select the domain in which
the deleted object resided. In the center pane, select the
Deleted Objects container:
Restore an Object using PowerShell
Alternatively, you can restore an AD object using the
Restore-ADObject PowerShell cmdlet:
Get-ADObject -Filter {displayName -eq "userdel tobegone"}
-IncludeDeletedObjects | Restore-ADObject
 Contents SysAdmin Magazine July 2023

ц Swiftly restore Active Directory (AD) objects or specific Restore accounts and permissions quickly — without
attributes to a trusted, pristine state — right from your having to reboot a single domain controller.
browser and without any downtime. Netwrix Recovery
TOOL OF THE MONTH
for Active Directory empowers you to easily back up
and restore your critical AD users, computers, security
groups, DNS entries, Group Policy objects (GPOs), organi-
zational units (OUs), domain controllers (DCs) and more,
overcoming the myriad limitations of the AD Recycle Bin.
With its unparalleled flexibility and control, you can help

Netwrix
ensure your organization remains resilient against secu-
rity breaches and business disruptions.

Recovery for Revert an entire AD object — or just a single attribute —

Active Directory to a known good state, in a few clicks.

Back up and quickly restore DCs to facilitate AD forest
recovery.

Request Free Trial

19
 Contents SysAdmin Magazine July 2023

[On-Demand Webinar]

The Jedi Path: Your

Some of the highest-profile attacks in the last few years spread using Active Directory. That’s
no surprise — Active Directory is the prime path for getting to critical systems and data, and it

Strategy for Active

is notoriously complex and therefore undermanaged. How can you reduce risks you can't see?

Netwrix solutions are the Force that will give you the power to secure AD from end to end and

Directory Security gain peace of mind.

Join our own AD Jedi Master, Anthony Moillic, as he explains how you can:

▪ Gain Deep Insight: identify and mitigate security risks in your AD environment before
Anthony Moillic
attackers exploit them
Field CISO EMEA & APAC
▪ Fight the Dark Side: thwart clever foes by promptly detecting and containing even advanced
threats
▪ Be the Hero: recover from improper Active Directory changes quickly to ensure business
continuity

Watch Now

20
 About Netwrix
What did you think
Netwrix is a software company that enables information security and governance professionals to reclaim control over
of this issue? sensitive, regulated and business-critical data, regardless of where it resides.

Over 11500 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of
enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and
knowledge workers.

For more information visit www.netwrix.com

CORPORATE HEADQUARTER: PHONES: OTHER LOCATIONS:

300 Spectrum Center Drive 1-949-407-5125 Spain: +34 911 982608 Switzerland: +41 43 508 3472 Hong Kong: +852 5808 1306
Suite 200 Irvine, CA 92618 Toll-free (USA): 888-638-9749 Italy: +39 02 947 53539
Netherlands: +31 858 887 804 France: +33 9 75 18 11 19

Sweden: +46 8 525 03487 Germany: +49 711 899 89 187

565 Metro Place S, Suite 400 1-201-490-8840
Dublin, OH 43017

5 New Street Square +44 (0) 203 588 3023 SOCIAL: netwrix.com/social
London EC4A 3TW