Create AD dynamic user
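# Create a dynamic (self-expiring) user object through ADSI.
# The entry is removed by the directory once entryTTL reaches zero,
# here one hour (3600 seconds) after creation.
$TTLSeconds = 3600
$objectType = 'user'
$objectName = 'DynamicUser01'
# Target OU: the object is created directly under this container
$destinationOu = "OU=Users,OU=Dynamic,DC=ad,DC=itprotips,DC=com"
$destinationOuObject = [ADSI]("LDAP://$destinationOu")
$dynamicObject = $destinationOuObject.Create($objectType, "CN=$objectName")
# objectClass must carry the dynamicObject auxiliary class together with the
# structural class; PutEx flag 2 (ADS_PROPERTY_UPDATE) replaces the attribute.
# NOTE(review): per the AD documentation the dynamicObject class can only be
# set at creation time, not added to an existing entry — confirm for your forest.
$dynamicObject.PutEx(2, 'objectClass', @('dynamicObject', $objectType))
$dynamicObject.Put('entryTTL', $TTLSeconds)
$dynamicObject.Put('sAMAccountName', $objectName)
# Display name and description are optional; the description records the
# expected removal time so the purpose of the entry is visible in AD.
$dynamicObject.Put('displayName', $objectName)
$removalTime = (Get-Date).AddSeconds($TTLSeconds)
$dynamicObject.Put('description', "This object will be deleted on $removalTime")
# First commit: the object must exist in the directory before a password can be set
$dynamicObject.SetInfo()
# Password: prompted as a SecureString instead of being hardcoded in the script,
# so the credential does not end up in source control, transcripts or logs.
# ADSI SetPassword() takes a plain string, hence the BSTR conversion below.
$securePassword = Read-Host -Prompt "Initial password for $objectName" -AsSecureString
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)
try {
    $dynamicObject.SetPassword([System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
} finally {
    # Zero and release the unmanaged copy of the password
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
# Enable the account: userAccountControl 512 = NORMAL_ACCOUNT
$dynamicObject.Put('userAccountcontrol', '512')
# Second commit writes the account-control change
$dynamicObject.SetInfo()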
Create AD dynamic group
# Dynamic (self-expiring) group: removed by the directory one hour
# (3600 seconds) after creation, when entryTTL reaches zero.
$TTLSeconds = 3600
$objectType = 'group'
$objectName = 'DynamicGroup02'
# Target OU for the new group
$destinationOu = "OU=Groups,OU=Dynamic,DC=ad,DC=itprotips,DC=com"
$container = [ADSI]("LDAP://$destinationOu")
$dynamicObject = $container.Create($objectType, "CN=$objectName")
# Replace objectClass (PutEx flag 2 = ADS_PROPERTY_UPDATE) so the entry carries
# the dynamicObject auxiliary class alongside its structural class
$dynamicObject.PutEx(2, 'objectClass', @('dynamicObject', $objectType))
# Remaining single-valued attributes, written in one pass.
# displayName and description are optional; the description records the
# expected removal time.
$expiresAt = (Get-Date).AddSeconds($TTLSeconds)
$attributes = @(
    @('entryTTL', $TTLSeconds),
    @('sAMAccountName', $objectName),
    @('displayName', $objectName),
    @('description', "This object will be deleted on $expiresAt")
)
foreach ($pair in $attributes) {
    $dynamicObject.Put($pair[0], $pair[1])
}
# Commit the new entry to the directory
$dynamicObject.SetInfo()
Detect the creation of AD dynamic objects
Monitoring creation events matters because these objects delete themselves once their TTL expires, so the creation event may be the only trace that they existed; this is needed to ensure they are not used for malicious activities. See the linked article for a detection method based on Windows event logs.