Install
- PowerShell v5 or higher.
- Domain Admin rights.
- Install the script on a Domain Controller.
- Download the breached password list from Have I Been Pwned: https://haveibeenpwned.com/Passwords
- Build a list of weak passwords.
To get started, download the latest release ZIP file or clone this repository.
PS C:\Scripts> git clone https://github.com/Brets0150/AD-PowerAdmin.git
PS C:\Scripts> cd AD-PowerAdmin
You need to edit the settings file, "AD-PowerAdmin_settings.ps1", that resides within the "AD-PowerAdmin" folder. The settings that you need to change are indicated with a "[Mandatory]" flag.
After updating the settings file you can run the AD-PowerAdmin script.
PS C:\Scripts> ./AD-PowerAdmin.ps1
AD-PowerAdmin can be run manually, on demand, or installed for full automation. To install the fully automated version, run the script manually and, in the main menu, type "i" and press Enter to start the installer. The install process makes a few changes that are required to manage Windows Scheduled Tasks automatically. To manage scheduled tasks, the following configurations are made to Active Directory.
- A standalone Managed Service Account (sMSA) named "ADPowerAdmMSA" is created. The sMSA account "ADPowerAdmMSA" is restricted to the one computer on which it is installed.
- The sMSA account "ADPowerAdmMSA" is given Domain Admins rights. This is required; there is no more limited permission set that can perform the needed tasks.
- A new Group Policy is created named "AD-PowerAdminGPO". This GPO grants the "ADPowerAdmMSA" account the "Log on as a service" right.
- A Scheduled Task is created that runs as the sMSA account "ADPowerAdmMSA" and launches the AD-PowerAdmin script daily at 9 AM.
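Because the installer leaves a Domain Admin service account and a scheduled task behind, it is worth confirming after installation that the objects look exactly as described above. The following check script is an added example, not part of AD-PowerAdmin; it assumes the names given in this README (sMSA "ADPowerAdmMSA", GPO "AD-PowerAdminGPO") and an assumed scheduled task name "AD-PowerAdmin", which the README does not state.

```powershell
# Added post-install verification example (not part of AD-PowerAdmin).
# Run on the Domain Controller where the installer was executed.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module ScheduledTasks

$SamAccount = 'ADPowerAdmMSA$'     # from the README (sMSA names end with $)
$GpoName    = 'AD-PowerAdminGPO'   # from the README
$TaskName   = 'AD-PowerAdmin'      # assumed; the README does not give the task name

$results = [ordered]@{}

# 1. The standalone MSA exists and is a standalone (not group) MSA.
$msa = Get-ADServiceAccount -Filter "SamAccountName -eq '$SamAccount'" `
           -Properties 'msDS-HostServiceAccountBL' -ErrorAction SilentlyContinue
$results['sMSA exists']                 = [bool]$msa
$results['sMSA is standalone MSA']      = [bool]($msa -and $msa.ObjectClass -eq 'msDS-ManagedServiceAccount')

# 2. The sMSA is bound to exactly one computer (the "restricted to one computer" claim).
$hosts = if ($msa) { @($msa.'msDS-HostServiceAccountBL') } else { @() }
$results['sMSA bound to one computer']  = ($hosts.Count -eq 1)

# 3. The sMSA is installed locally on this host, so the task can actually log on.
$results['sMSA installed on this host'] = [bool]($msa -and (Test-ADServiceAccount -Identity $msa.Name))

# 4. Domain Admins membership, which the installer grants.
$daMembers = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
             Select-Object -ExpandProperty SamAccountName
$results['sMSA is in Domain Admins']    = ($daMembers -contains $SamAccount)

# 5. The GPO that grants "Log on as a service" exists.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
$results['GPO exists']                  = [bool]$gpo

# 6. The scheduled task exists, runs as the sMSA and has a daily trigger.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
$results['Task exists']                 = [bool]$task
$results['Task runs as sMSA']           = [bool]($task -and $task.Principal.UserId -like "*$SamAccount")
$results['Task has daily trigger']      = [bool]($task -and ($task.Triggers |
    Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskDailyTrigger' }))

# Print one line per check; any False is a deviation from the documented install state.
$results.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
```

Checks 2 and 4 are the ones to watch: more than one bound host or an unexpected extra Domain Admins member means the install has drifted from what the README describes.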