If not well designed or managed, User and Administrator privilege separation for users/system administrators on a Windows OS can be painful for both sides. Indeed, Windows OS doesn’t have a simple and neat management like a SUDO on Linux OS, but settings need to be tailored with GPO or at least with different users.
Regular user accounts (e.g. Domain Users) should not be a member of the local administrators group for a security point of view.
Using separate users: a standard one and an admin member of the local administrators group is at least a good way to mitigate the risk of potential/malicious/accidental damage to the system. It doesn’t matter if most of the today’s threats can deal with the regular user context.
Nothing new if you’re familiar with the least privilege access, if is something you’ve never think about it… Well, I can use a simple effective analogy for allowing user with local admin rights on their workstation.. it’s like to let them run with the scissors all the time… is it worthy or simply asking for trouble?
Continue reading “How To Create a Local Admin Account with Powershell”
Is it very useful to run simple checks to validate the user environment, especially when checking if the context while user is working is aligned with out expectations or requirements. But is not always easy to get a simple information such as if the current user is a local admin or not.
It’s very easy to check it from the user interface, but I found that can be important to gather that information with powershell without running as an administrator.
Continue reading “PowerShell: Test-CurrentUserIsLocalAdmin”
A common method to investigate for Active Directory authentication issues is inspecting logs and event viewer, it’s simple and effective. But this means that the issue already occurred. What if the problem was a wrong password generated and communicate to the user? Can we be more proactive and avoid this issue from happening?
Whenever I wanted to check if the credentials that were provided by the third party for a large number of accounts were valid/correct (to prevent support requests and don’t let end-users wait for their access any longer) performing this task manually was never an option for me.
Continue reading “Automate AD Authentication Tests with PowerShell”