
Suggestion: add primary group ID and name for "objects having the primary group attribute changed"

Open cnotin opened this issue 5 years ago • 4 comments

Currently PingCastle shows in the report data about the object itself, but we have to fetch the unusual primary group ID and name ourselves. It would be easier to have this info directly in the report :)

cnotin avatar Oct 07 '19 16:10 cnotin

It is displayed below in the user & computer section with all the users / computers impacted.

vletoux avatar Oct 07 '19 17:10 vletoux

I see the concerned user in this example: (image)

But I don't see which abnormal primary group ID/name it has.

cnotin avatar Oct 07 '19 17:10 cnotin

@cnotin, is there any need to know what the primary group was? Did you notice any wrong detection, or were you able to change the primary group just to be "domain-users"? Reading the text, you could use PowerShell.... more about that later.

I would add the following questions:

  1. How about a user that is ONLY a member of a self-created group, "service accounts" or something like that?
  2. Am I wrong with the assumption that you should focus on admins here? The detection rule and the PowerShell search example should be more detailed, or it should be split in two RuleIDs:
     2.1. One rule (the existing one) could validate the critical objects (any admincount=1 user & DomainController) and add a total of 15 points.
     2.2. A second rule (a new one) could validate any non-critical object and add a total of 0 points, just to make someone aware of that uncommon configuration.
  3. The PowerShell example is only for users and misses Computers and DomainControllers!

Regarding the PowerShell check: I was just doing the following, which lists users not having the common primary group: `Get-ADUser -Properties PrimaryGroupID -Filter 'PrimaryGroupID -ne 512 -and PrimaryGroupID -ne 513 -and PrimaryGroupID -ne 514'`. But you might need some more complex query for a user check, like this:

```powershell
Import-Module ActiveDirectory

# Build the DNs of the well-known domain groups: 512 Domain Admins, 513 Domain Users, 514 Domain Guests.
$DefaultUserMemberOfGroupsDNs = @()
$DomainSID = (Get-ADDomain).DomainSID
foreach ($ID in "512","513","514") {
    $WellKnownSid = $DomainSID.Value + '-' + $ID
    # The AD -Filter parser resolves $WellKnownSid itself, so the single quotes are intended.
    $DefaultUserMemberOfGroupsDNs += (Get-ADGroup -Filter 'SID -eq $WellKnownSid').DistinguishedName
}
Write-Host -ForegroundColor Green "Default Groups detected:"
$DefaultUserMemberOfGroupsDNs
""

# Users whose primary group is none of the three well-known groups above.
$NonDefaultUsers = Get-ADUser -Properties PrimaryGroupID,MemberOf -Filter 'PrimaryGroupID -ne 512 -and PrimaryGroupID -ne 513 -and PrimaryGroupID -ne 514'

Write-Host -ForegroundColor Green "Listing all Users not having one of the three memberships as default"
$NonDefaultUsers

# @($_.MemberOf) guards against users with an empty MemberOf, which Compare-Object would otherwise reject.
Write-Host -ForegroundColor Green "Listing all Users not having one of the three memberships as default that could be corrected"
$NonDefaultUsers | Where-Object { @(Compare-Object @($_.MemberOf) $DefaultUserMemberOfGroupsDNs -ExcludeDifferent -IncludeEqual).Count -gt 0 }

Write-Host -ForegroundColor Green "Listing all Users not having one of the three memberships as default but that might be normal for these"
$NonDefaultUsers | Where-Object { @(Compare-Object @($_.MemberOf) $DefaultUserMemberOfGroupsDNs -ExcludeDifferent -IncludeEqual).Count -eq 0 }
```

If you are interested, I might do one for computers/domain controllers too.

An-dir avatar Dec 13 '21 16:12 An-dir
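A check covering users, computers and domain controllers that also resolves the unusual primary group to its name (the information the issue asks PingCastle to report), as an added example that is not from the issue thread or from PingCastle. It assumes the ActiveDirectory RSAT module and treats the creation-time defaults 513 (Domain Users), 515 (Domain Computers), 516 (Domain Controllers) and 521 (Read-only Domain Controllers) as the expected values.

```powershell
# Added example, not PingCastle code: report objects whose primaryGroupID was changed from the default.
Import-Module ActiveDirectory

$DomainSID = (Get-ADDomain).DomainSID.Value

function Get-PrimaryGroupName([int]$Rid) {
    # Resolve a RID to the group's name; if the group no longer exists, fall back to the raw SID.
    $Sid = "$DomainSID-$Rid"
    $Group = Get-ADGroup -Filter "SID -eq '$Sid'" -ErrorAction SilentlyContinue
    if ($Group) { $Group.Name } else { $Sid }
}

function New-Finding($Object, [string]$Class, [int]$ExpectedRid) {
    # Emit a row only when primaryGroupID differs from what AD sets when the object is created.
    if ($Object.PrimaryGroupID -eq $ExpectedRid) { return }
    [pscustomobject]@{
        Class          = $Class
        Name           = $Object.SamAccountName
        AdminCount     = [int]$Object.AdminCount        # 1 = protected (critical) object
        ExpectedGroup  = Get-PrimaryGroupName $ExpectedRid
        PrimaryGroupID = $Object.PrimaryGroupID
        PrimaryGroup   = Get-PrimaryGroupName $Object.PrimaryGroupID
    }
}

$Props = 'PrimaryGroupID', 'AdminCount'

# Users: anything other than Domain Users (513) is a manual change; filter server-side.
$Findings = @(Get-ADUser -Filter 'PrimaryGroupID -ne 513' -Properties $Props |
    ForEach-Object { New-Finding $_ 'user' 513 })

# Domain controllers: promotion moves them to 516 (writable) or 521 (read-only).
$DCs = Get-ADDomainController -Filter *
$DcDNs = @{}
foreach ($DC in $DCs) {
    $DcDNs[$DC.ComputerObjectDN] = $true
    $Computer = Get-ADComputer -Identity $DC.ComputerObjectDN -Properties $Props
    if ($DC.IsReadOnly) { $Findings += New-Finding $Computer 'rodc' 521 }
    else                { $Findings += New-Finding $Computer 'dc' 516 }
}

# Other computers: anything other than Domain Computers (515), excluding the DCs handled above.
$Findings += Get-ADComputer -Filter 'PrimaryGroupID -ne 515' -Properties $Props |
    Where-Object { -not $DcDNs.ContainsKey($_.DistinguishedName) } |
    ForEach-Object { New-Finding $_ 'computer' 515 }

# Critical objects (AdminCount=1 or DCs) first, in line with the two-tier scoring suggested above.
$Findings | Sort-Object @{ Expression = { $_.AdminCount -eq 1 -or $_.Class -like '*dc' }; Descending = $true }, Name |
    Format-Table -AutoSize
```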

Extending PingCastle would mean editing / duplicating this function to have "PrimaryGroup" (DistinguishedName) included here: https://github.com/vletoux/pingcastle/blob/master/Healthcheck/HealthcheckAnalyzer.cs#L608

Use the new function here https://github.com/vletoux/pingcastle/blob/master/Healthcheck/Healthcheck.cs#L411 ...and here https://github.com/vletoux/pingcastle/blob/master/Healthcheck/Healthcheck.cs#L428

And for the output, an if query is needed: if "id" is "sectionbadprimarygroup", then add the "PrimaryGroup" data to https://github.com/vletoux/pingcastle/blob/master/Report/ReportHealthCheckSingle.cs#L1098

As C# is not my native language ;D I cannot go into more detail without having to waste a lot of hours.

If @vletoux wants to expand the table, but make it very wide, this data might help.

An-dir avatar Dec 15 '21 02:12 An-dir