The Bulk Import tool makes it easy to import new user accounts into Active Directory from CSV. Includes a CSV template, sets multiple user attributes and adds users to groups during the import. Automate the creation of new user accounts and simplify the user account provisioning process.
The user export tool lets you export all users plus all common user fields to a CSV. Over 40 user fields can be added to the export by clicking the change columns button. This is a great tool if you need a report of all users, the groups they are a member of, OU, and more.
The main benefit is it simplifies Active Directory management. One of the most popular tasks of working with Active Directory is to create new user accounts. The built-in tools provide no options for bulk importing new accounts so it becomes very time-consuming. With the AD Pro Toolkit you can easily bulk import, bulk update, and disable user accounts.
Using Active Directory tools like the AD Bulk Import tool, you can bulk import thousands of accounts at once. Plus you can automatically set user account fields and add users to groups. Let me show you how easy it is to manage user accounts.
You will at some point be asked to export users to a CSV and again there is no easy built in option for this. When I was an administrator at a large organization I would get this request at least once a week and it was a pain. When I developed the user export tool this process became so easy I was able to have other staff members take it over.
To create and bulk modify users you will need these rights in your Active Directory domain. This is often done by putting your account in the domain administrator group but can also be done by delegating these rights. Some tools like the last logon reporter, export, and group membership require no special permissions.
The tool has some great visualizations of user groups and inherited permissions. This is a factor that is often difficult to keep track of, so the attractive layout of the Access Right Manager dashboard is a great help. The tool will help you to manage:
A number of standard Active Directory user, group, and object management tasks can be automated through ADManager Plus and it also enables you to create, adapt, or remove objects in bulk. Facilities in the tool enable you to identify defunct object records and inactive user accounts.
This small utility offers a better interface to your domain controllers than the native Active Directory front-end. Search results from the tool can be exported to XLS or CSV files. Searches can be saved in order to be re-executed with ease.
The tool is available in free and paid versions. You can export search results to CSV and HTML format in the free version and ADPR and XLS formats are also available in the paid version. The paid version is available in a command line version to enable searches of the object permissions to be integrated into scripts.
The tool will search through your domain controllers, identifying accounts with weak passwords. The tool will also identify inactive user accounts. The results of this scan are a series of reports, which will identify accounts that represent security weaknesses. These system checks and reports also enable you to prove standards compliance for NIST, PCI, Microsoft, and SANS.
This quick tool searches through your domain controllers and checks on the last login dates for each listed account. This catches stale accounts. Inactive accounts are great opportunities for hackers, so they represent a security weakness.
These two tools ease the burden of migrating data between AD domains or importing data from non-AD LDAP directory services. They do this by allowing you to use standard plain text files (CSV and LDIF) to move AD data.
Comma Separated Value Directory Exchange (CSVDE) and LDAP Data Interchange Format Data Exchange (LDIFDE) are a pair of tools designed to manage the import and export of Active Directory (AD) data to and from text files. CSVDE imports and exports from Comma Separated Values (CSV) files. Ldifde, on the other hand, imports and exports from LDAP Data Interchange Format (LDIF) files.
Csvde changes some of the information returned by AD when you export it. It does this so that it can be stored in a plain text format like CSV. This behavior might catch you by surprise if you are modifying the data in Microsoft Excel, or the system you are importing it into is not Active Directory.
When you use csvde or ldifde to export AD objects to a file, the objects in the file are listed in a particular order. This is the order that will be used when the data is imported into another domain or LDAP service.
While csvde and ldifde are both designed for bulk data import and export, ldifde can make changes to AD objects. As an example, Microsoft uses LDIF files to extend the AD schema. The LDIF file format is designed to support these actions.
Use the -j parameter to create logs of the import or export. This parameter should point to a directory where the log files will be created. The logs themselves are plain text files, called csv.err and csv.log for csvde and ldif.err and ldif.log for ldifde. The *.log files contain logs of all activity, whilst the *.err files only contain any errors.
The Kerberoast toolkit by Tim Medin has been re-implemented to automate the process. Auto-Kerberoast contains the original scripts of Tim including two PowerShell scripts that contain various functions that can be executed to request, list and export service tickets in Base64, John and Hashcat format.
Mimikatz is the standard tool which can export Kerberos service tickets. From a PowerShell session the following command will list all the available tickets in memory and will save them in the remote host.
Metasploit framework has a module which authenticates directly with the domain controller via the server message block (SMB) service, creates a volume shadow copy of the system drive and downloads copies of the NTDS.DIT and SYSTEM hive into the Metasploit directories. These files can be used with other tools like impacket that can perform extraction of Active Directory password hashes.
Once an attacker has extracted the password hashes from the Ntds.dit file, they can use tools like Mimikatz to perform pass-the-hash (PtH) attacks. Furthermore, they can use tools like Hashcat to crack the passwords and obtain their clear text values. Once an attacker has those credentials, there are no limitations on what they can do with them.
Kerberoasting is an extremely common attack in Active Directory environments which targets Active Directory accounts with the SPN value set. Common accounts with the SPN (Service Principal Name) set are service accounts such as IIS User/MSSQL etc.
Unconstrained Delegation is a privilege that can be granted to User Accounts or Computer Accounts in an Active Directory environment that allows a resource to authenticate to another resource on BEHALF of a user. Confusing right?
Free version allows you to view existing images for Users and Contacts in Active Directory, Export Images, Remove Existing Images, Upload New images, Rotate/Resize/Adjust Quality of Images and much more.
As the name of the software implies, this utility allows you to change passwords on Multiple/Bulk accounts at the same time using their Password generator feature. You can also use the same password for every account if needed as well. Additional features of this utility include enabling and disabling Active Directory accounts in bulk, as well as Unlocking them in bulk.
The tool scans Active Directory to identify accounts that are utilizing leaked passwords against a list of close to a billion previously leaked passwords, in addition to gauging password policy strength against brute force attacks and compliance requirements such as NIST and PCI. The tool can also pin-point stale or inactive admin accounts in addition to the following:
The collected information will be used to display multiple interactive reports depicting the aforementioned vulnerabilities. The reports are exportable to csv files and some useful display features include:
Cain & Abel is a Windows-based tool with a host of useful features, including a password cracker. Lots of antivirus products incorrectly flag it as malware (mostly due to the Abel component, which can be remotely installed to sniff packets and dump passwords), so your AV may not be happy with you downloading or installing it.
John gives you a great deal of customisation, and supports a lot of different cracking modes and hash types. You can also chain together different modes (such as a combined wordlist and mask attack, or applying rules to a PRINCE attack). It can comfortably handle large (multi GB) wordlists and pwdump files (hundreds of thousands of users). Because John has been around for so long there are lots of other tools that are designed to work with it (and its output).
Part 3 of this series explores some of the different tools and techniques that can be used to obtain useful metrics from cracked password hashes in order to determine improvements to a password policy.
Recent cyber-attacks frequently target the vulnerable Active Directory services used in enterprise networks, where the organization handles thousands of computers from a single point of control called the "Domain controller", which is one of the services most targeted by APT hackers.
Bug Fixes
Cannot connect to directory server from ldap admin tool (Windows and Linux) with SSL after NSS upgrade on Solaris 10
Cannot connect to OpenLDAP 2.4 servers on CentOS or RHEL 6.8 with latest patches
* 5.6 is a minor bug fix release with two bug fixes
Bug Fixes
1. While browsing eDirectory 8.8.6 all objects are displayed twice - see bug
2. LDIF Export showing a sizelimit exceeded error and quits although the file is exported completely
3. To mimic AD for certain applications, can we specify the way the connection is treated instead of auto detected - see bug