Some auditors may not know it, but a useful audit tool has been sitting right at your fingertips all along. The tool is PowerShell, a command-line utility you can use to answer many useful audit questions during your engagements. The benefits to the auditor are at least twofold: it allows you to save time by directly gathering authoritative information from the environment, and it helps you develop a useful industry skill with universal appeal.
First, you must be provided access to the tool on your desktop. Second, you must point PowerShell at Active Directory so that it queries the directory directly for the information you want. This is accomplished by issuing the Set-Location AD: command after launching PowerShell. Once issued, your prompt should change to reflect that you are executing queries against an Active Directory domain controller, so it looks like this: PS AD:\>. All of the commands below can be paired with Out-GridView or Out-File to provide report-based output.
Get-ADPrincipalGroupMembership: This command generates a complete list of security groups where a particular user account is a member. From an audit perspective, you can identify potential segregation of duty conflicts or assess the appropriateness of access based on defined job responsibilities.
Get-ADGroupMember: This is the inverse of the previous command, and provides a list of the user accounts that are members of a particular security group. This command can also be useful for testing access authorizations for appropriateness.
Get-ADUser <username> -Properties *: A slightly more complex example, this command provides a more detailed output for a single, specific user account. From an audit perspective, this helps determine when an account was created, whether the account is enabled, when the account last logged onto the network, and if and when bad password attempts occurred. This command can be combined with other PowerShell commands using the vertical pipe symbol (|), located above the Enter key, to generate more complex data sets. Similar commands exist for Organizational Units, Service Accounts and Groups – just swap User in the above command for these terms (Get-ADOrganizationalUnit, Get-ADServiceAccount and Get-ADGroup).
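The following script is an added example (not from the original article) that puts the Get-ADGroupMember and Get-ADUser commands above into a single review: it lists enabled accounts that have not logged on within a review window and expands the membership of a privileged group with the same account detail. The 90-day threshold, the output path and the choice of the built-in Domain Admins group are assumptions for the example; it requires the RSAT ActiveDirectory module and an account with read access to the directory.

```powershell
# Added audit example, not the article's own code. Assumes the RSAT
# ActiveDirectory module is installed and the caller can read the directory.
Import-Module ActiveDirectory
Set-Location AD:   # the step the article describes; the prompt becomes PS AD:\>

# Review window and output location are assumptions for this example.
$StaleDays  = 90
$ReportPath = "C:\Audit\ad-user-review.csv"   # placeholder path
$Cutoff     = (Get-Date).AddDays(-$StaleDays)

# 1. Enabled accounts with no logon inside the review window.
#    Caveat: LastLogonDate is replicated only at roughly 14-day precision,
#    and badPwdCount / LastBadPasswordAttempt are NOT replicated between
#    domain controllers, so the DC you are querying determines those values.
$stale = Get-ADUser -Filter 'Enabled -eq $true' `
            -Properties Created, LastLogonDate, PasswordLastSet, badPwdCount, LastBadPasswordAttempt |
         Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
         Select-Object SamAccountName, Created, LastLogonDate, PasswordLastSet,
                       badPwdCount, LastBadPasswordAttempt

# 2. Members of a privileged group, expanded through nested groups, with the
#    account detail an auditor needs to judge whether the access is appropriate.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Where-Object objectClass -eq 'user' |
              Get-ADUser -Properties Created, LastLogonDate, PasswordLastSet |
              Select-Object SamAccountName, Enabled, Created, LastLogonDate, PasswordLastSet

# 3. Write evidence files for the workpapers (CSV here instead of Out-File)
#    and open an interactive view of the stale-account list.
$stale      | Export-Csv -Path $ReportPath -NoTypeInformation
$privileged | Export-Csv -Path ($ReportPath -replace '\.csv$', '-privileged.csv') -NoTypeInformation
$stale      | Out-GridView -Title "Enabled accounts idle > $StaleDays days"
```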
Get-HotFix: This simple and effective command provides a list of the Microsoft patches applied to a specific machine or a set of specified machines, which is helpful when auditing compliance with patch cycles and the overall patch management process. The command reports the type of each installed item (whether it is a hotfix, an update or a security update), the time the item was installed and the user account that installed it.
Get-ADObject: Using the -Filter and -Properties parameters with this command allows an auditor to determine when objects of a given class, such as security groups, were first created, among other useful information. This information can be compared against the list of monitored groups to detect changes and to determine the effectiveness of logging controls.
Honorable mentions: Get-ADForest, Get-ADDomain, Get-GPResultantSetOfPolicy and Get-GPO all allow successful profiling of the current AD environment. As a result, an auditor can understand the functional levels of the forest and domain, which servers hold the flexible single master operations (FSMO) roles, which servers act as global catalog servers and much more. These commands are a useful basis for planning any Active Directory audit.