Duo has thorough documentation for adding MFA to your SSH sessions, but there are a couple additional steps needed to also integrate with Active Directory. This post will go through the installation for both Duo and Active Directory for Ubuntu 16.04. For other Linux distros, the Duo documentation linked above has you covered.
Using this page to keep track of all the useful powershell "mini-scripts" I've used:
Copy users from one security group to another security group
Add-ADGroupMember -Identity destination-group-name -Members (Get-ADGroupMember -Identity source-group-name -Recursive)
Add enabled users from an OU to a security group
Get-ADUser -SearchBase 'OU=Your-OU,DC=corp,DC=company,DC=com' -Filter {Enabled -eq $true} | ForEach-Object {Add-ADGroupMemberIf you need to transfer the Active Directory FSMO roles to a new server, these simple steps were easy to follow. Took about 5 minutes.
http://www.techieshelp.com/how-to-transfer-fsmo-roles-graphical-and-command-line/
The Digicert cert utility for Windows make the process so much easier:
To generate the CSR:
https://www.digicert.com/util/csr-creation-microsoft-active-directory-ldap-2012-digicert-utility.htm
To install the Cert:
https://www.digicert.com/ssl-certificate-installation-microsoft-active-directory-ldap-2012.htm
For LDAPS on a domain controller, I did not have to import the cert file into the AD DS personal store.
Migrated a DC and wanted to do some basic AD health checks.
From the cmd prompt (domain joined pc with sufficient privileges or on the DC):
Replication Info:
repadmin /replsummary
repadmin /showrepl
Query FSMO role holders, which should confirm that they are online:
netdom query fsmo
General Server Diagnosis:
dcdiag /a /s:<DC server name>
If you want
If you need to get a list of all members in an AD Security Group, open up powershell and try the following commands from a DC:
dsquery group -name "GroupName" | dsget group -members
I needed to delegate permissions to helpdesk (instead of making them domain admins) to create and modify users, and modify group membership. This is slightly different from some of the built in permission groups, since we didn't want helpdesk to delete users. Permissions are delegated at the OU level, and remember that permissions are pushed down and inherited.
This is
These commands will help troubleshoot and resolve issues with Active Directory groups on your PAN firewall.
1. Shows every AD group added to the PAN firewall:
show user group list
2. Shows the user and IP address mapping (or specific user):
show user ip-user-mapping all
3. Gives more detailed statistics of the command above:
show user group-mapping state all
4.