How to clean up Active Directory: Step 2 – delete Distributed Link Tracking objects

Continued from How to clean up Active Directory: Step 1 – old computer objects

I found tens of thousands of unused records in AD left over from the Windows 2000/2003 days. In fact, almost 80% of my AD Database consisted of records that served no purpose.

If your AD domain has been around since the Windows 2000 days, you need to check this.

Windows 2000 used to store records in AD about file locations on NTFS volumes. In my domain that meant tens of thousands of records. In a child domain we found hundreds of thousands of records. This feature has been disabled since Windows 2008 so if your domain is Windows 2008 or higher, these records are trash.

Finding FileLink objects

Path to FileLink (screenshot)

Open AD Users and Computers –> Expand your domain –> System –> FileLinks

This is a good time to make a backup of your AD Database and verify you know how to restore it.

Look in the ObjectMoveTable and VolumeTable folders. If you see any records there, you can delete them.

Deleting FileLink records

You can delete any object under the ObjectMoveTable and VolumeTable folders. I did not delete the folders.

Microsoft has a script which is supposed to delete them but I was never able to get it to work. I ended up deleting the items one page at a time using AD Users & Computers. This took a little time but ended up being faster than fixing the script.

If you are a script guru it might be worth your time to write something but since this is a “Do One Time” task, I didn’t see the value. I just drank some coffee, clicked select all, delete, sip, repeat.
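For anyone who does want to script it, here is an added example (my own, not the page's procedure and not Microsoft's script) that counts and removes the leaf entries under the two tables named above. It assumes the ActiveDirectory PowerShell module (RSAT), rights to delete under CN=System, and that everything directly under ObjectMoveTable and VolumeTable other than a container is a link-tracking entry to be removed; run it once as a dry run, compare the counts with what AD Users and Computers shows, and only then run it with -Commit.

```powershell
# Added example, not the page's or Microsoft's script.
# Assumes: ActiveDirectory module loaded, a backup of the AD database taken first.
Import-Module ActiveDirectory

function Remove-FileLinkEntries {
    param([switch]$Commit)   # without -Commit this is a dry run

    $domainDN = (Get-ADDomain).DistinguishedName
    $tables   = 'ObjectMoveTable', 'VolumeTable'   # container names from the page

    foreach ($table in $tables) {
        $base = "CN=$table,CN=FileLinks,CN=System,$domainDN"

        # OneLevel keeps the table container itself out of the results; the LDAP
        # filter skips any sub-container (assumption: only leaf entries are deleted).
        # -ResultSetSize $null lifts the default cap; these tables can hold
        # hundreds of thousands of entries.
        $entries = @(Get-ADObject -SearchBase $base -SearchScope OneLevel `
            -LDAPFilter '(!(objectClass=container))' -ResultSetSize $null)

        Write-Host ("{0}: {1} entries" -f $table, $entries.Count)

        if ($Commit) {
            # -Confirm:$false suppresses the per-object prompt Remove-ADObject shows by default
            $entries | Remove-ADObject -Confirm:$false
        } else {
            # -WhatIf prints what would be removed without changing AD
            $entries | Remove-ADObject -WhatIf
        }
    }
}

Remove-FileLinkEntries            # dry run: counts and "What if:" lines only
# Remove-FileLinkEntries -Commit  # real deletion, after the dry run looks right
```

The folders (ObjectMoveTable and VolumeTable) are left in place, matching what the post does by hand; only the entries inside them go.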

How to clean up Active Directory: Step 1 – Old Computer Objects

Keeping Active Directory clean and organized is important. It doesn’t take long for hundreds of unused objects or accounts to accumulate which leads to security problems and management nightmares. Auditors seem to have a special hatred for stale objects in Active Directory so keeping everything neat and tidy is a necessity.

Computer Accounts

When you join a computer to the domain, a computer account is created in AD. When you retire the computer it is best to remove it from AD. Many times IT departments forget to do this. Over time AD can easily contain hundreds of unused computer objects.

Getting rid of unused computer objects

Computer objects are easy to clean up. Every Windows computer has a domain account and password. Nobody ever sees the password but the computer knows it. Windows computers change their password every 30 days.

Unused computer accounts are those whose passwords have not changed in more than 30 days.

If you want to know more about computer accounts and passwords read Microsoft’s Machine Account Password Process blog post.

Using a PowerShell script we can easily find unused computer accounts.

# The date 200 days ago ([TimeSpan]::Parse("200") is read as 200 days)
$lastSetdate = [DateTime]::Now - [TimeSpan]::Parse("200")

# Every computer whose password has not been set since that date
Get-ADComputer -Filter {PasswordLastSet -le $lastSetdate} -Properties passwordLastSet -ResultSetSize $null | FL

This script finds any computer that has not changed its password in the last 200 days. That means the password should have been reset 170 days ago. Change the 200 to whatever value you think is appropriate, but I can’t think of a reason to use a value less than 60.

Computer Object (screenshot)

Notice the PasswordLastSet field. This computer has not been used in over six months.

Remember that some computers don’t get used very often. Perhaps there is a computer in the conference room, a test server that is off most of the time, or some other rarely used computer. Those devices could easily go a long time without being used and thus have very old passwords. You probably don’t want to delete those.

What happens if you delete a computer account and need it?

If you delete a computer account and then find the computer in a store room, you will have to rejoin it to the domain. That is a simple process as long as you know the local administrator’s password.

Deleting computer accounts … the slow way.

Before you delete computer accounts you should verify that everything the script finds is unused. It might be best to simply open Active Directory Users and Computers, find the offending accounts, and delete them one at a time as you validate they are no longer in use. This is the cautious approach.

Deleting computer accounts … the fast way.

Once you are positive the script is returning computer accounts that you no longer need, you can modify the script to automatically delete them.

Be careful! Being careless could bring your network down. Verify the script is only returning items you want to delete. If in doubt STOP HERE.

# Same cutoff as before: the date 200 days ago
$lastSetdate = [DateTime]::Now - [TimeSpan]::Parse("200")

# Same query, now piped to Remove-ADComputer (which asks for confirmation by default)
Get-ADComputer -Filter {PasswordLastSet -le $lastSetdate} -Properties passwordLastSet -ResultSetSize $null | Remove-ADComputer

If you still have the same PowerShell window open you do not need to execute the first line again.

Notice the second line now ends with “Remove-ADComputer.” Hit enter and a few seconds later, all your old unused computer accounts are gone.
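As an added example (mine, not the post's script), here is the same 200-day query with the checks the "slow way" section asks for built in: an exclusion list for the rarely used machines mentioned earlier, a CSV record of what is about to change, and a disable-first pass so a machine that turns up in a store room can be re-enabled rather than rejoined. It assumes the ActiveDirectory module; the computer names in $keep are constructed placeholders for your own list.

```powershell
# Added example, not the page's script. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$cutoff = [DateTime]::Now - [TimeSpan]::Parse("200")   # 200 days, as in the post

# Constructed exclusion list for machines that are legitimately idle for long
# stretches (the conference-room PC, the test server that is off most of the time).
$keep = @('CONF-ROOM-PC', 'TEST-SRV-01')

# Only enabled accounts: anything already disabled was handled on an earlier pass.
$stale = Get-ADComputer -Filter { PasswordLastSet -le $cutoff -and Enabled -eq $true } `
    -Properties PasswordLastSet, OperatingSystem -ResultSetSize $null |
    Where-Object { $keep -notcontains $_.Name }

# 1. Record what is about to change; this file is your rollback list.
$stale | Select-Object Name, DNSHostName, OperatingSystem, PasswordLastSet, DistinguishedName |
    Export-Csv -Path "stale-computers-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# 2. First pass: disable, don't delete. Re-enabling is one command; rejoining
#    needs the local administrator password and a trip to the machine.
$stale | Disable-ADAccount -WhatIf        # drop -WhatIf once the CSV looks right

# 3. Later pass, once nobody has complained about a disabled machine: delete.
#    Remove-ADComputer prompts per object; -Confirm:$false suppresses that.
# $stale | Remove-ADComputer -Confirm:$false
```

Keeping step 3 commented out until the disabled accounts have sat untouched for a while is deliberate: the CSV plus a disabled account is a full undo, a deleted account is not.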

Cleaning up AD Computer Objects is simple and should be done regularly. Hopefully this makes the process simple for you.

Next: Clean up AD: Step 2!

Why you should check your firewall configuration … now.

When was the last time you checked your firewall configuration? Well … that’s too long.

If you are a firewall administrator, you probably live in your configuration files. Everyone else looks at them when they need to make a change. This leads to the ever common problem of “Why is that there?”

Every time I start a new job, I eventually have to look into the firewall and see what lives there and why. Many of the rules make sense. Here is one for an email server. Here is another for remote access to some application. Here is one for some system … to do something … for some reason. Firewall rules without a documented purpose are a problem waiting to happen.

Imagine finding rules in firewalls that allow access for vendors that were fired years ago or administrators long departed. Firewall configurations never seem to shrink. We add new rules when we need them but deleting a rule … well … that’s terrifying.

Do I delete the rule? What will break? How long will it take to break? Do I risk it?

Manage your firewall

Managing the firewall is a process that never ends. It is also very easy to forget to do. Here’s a program that works well for most companies without a dedicated firewall administrator:

  1. Backup your config file. Seriously, back it up to a secure location where you can store it for at least a year.
  2. Change your password. It should be changed once a year.
  3. Go through your rules. Most firewalls have a hit counter that shows how many times a rule is used. Reset the counter and wait a day or so. You will quickly see which rules are important.
  4. Delete any disabled rules unless you just disabled them. No reason to keep old disabled rules in the config file for a decade or more.
  5. Label everything. Don’t use rules like “Allow 25 to 10.0.0.1 from 0.0.0.0.” Try to use names when you can. Rules should be human readable if possible. “Allow SMTP (email) to CorpSpamFilter from TheInternet” is much easier to read.
  6. If you don’t know what it is and nobody else does either, disable the rule. You can always enable it within seconds but it would be better to know why a rule is there than to let unknown traffic through. In all fairness, be very careful. Do lots of research. Just turning a rule off can be a disaster so cross your Ts and dot your Is before disabling a rule. Do NOT delete the rules yet.
  7. Schedule your next firewall audit. If you rarely make rule changes, you may only need to check the firewall every year. If you are on the firewall every week, you may need monthly audits. Put this on your calendar even if it is a year away.
  8. Smile, you just made your network a safer place. Repeat this process every month, quarter, or year.

Know what you know and when to say NO!

I know my way around a firewall. I have been configuring them for 15 years. Access control lists are something I can do in my sleep. But on a Cisco firewall, I don’t touch the VPN settings. I call in an expert to keep me from breaking my own network.

I audit my VPN configuration at the same time as my firewall configuration. My Cisco consultant works across from me looking through VPN config files for things we no longer use or could use better. I look through the firewall rules. In the event I need help with something, I have help.

Since I am a generalist in my job, I cannot know everything there is to know about every system I manage. When I know I am over my head, I get an expert. Firewalls are too important to tinker with.

Save your work

Don’t forget that some firewalls have a running configuration that is lost every time you reboot. That’s great when you fry the config and need it back the way it was before you started. That’s terrible when all the changes you made last month got lost when you updated the firmware. Remember to save the running config to the startup config once you know everything works as it should. (Put an event on your calendar to remind you if you need to.)

Take your time but it does get easier

The first time you do this it will be a slow process. There will be lots of research and issues. The second time will be easier. You will remember why most of the rules are there. You will be able to read them. After a few years, firewall maintenance will be a simple task.