Monthly Archive



Constrained PowerShell or JEA?

PowerShell remoting gives you access to all of the functionality on the box by default. You can create constrained (or restricted) endpoints that limit that functionality to specific cmdlets.


Alternatively you can use Just Enough Admin (JEA) to lock down an endpoint through a Role-Based Access Control (RBAC) system.


JEA is the newer of the two options and is the more flexible.


The PowerShell Team has an interesting (and new to me) take on Constrained Language and JEA.


I recommend you read it.
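As an added illustration of the RBAC model described above (this is example code, not from the original post or from the PowerShell Team article), here is a minimal JEA endpoint that exposes only a couple of service-management cmdlets to one AD group. The module name DemoJEA, the role name ServiceOperator, the group CONTOSO\ServiceOps and the transcript folder are all assumed placeholders; run it in an elevated PowerShell 5.1 session on the server you are locking down.

```powershell
# Added example, not the post's own code. Assumed names: module 'DemoJEA',
# role 'ServiceOperator', group 'CONTOSO\ServiceOps', transcripts in C:\JEATranscripts.
$ModuleName = 'DemoJEA'
$RoleName   = 'ServiceOperator'
$Group      = 'CONTOSO\ServiceOps'     # placeholder: replace with your own AD group

# 1. Role capability files are discovered from a RoleCapabilities folder inside a module
#    on $env:PSModulePath, so create a small module to hold them.
$ModulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -Path $RoleDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1")

# 2. Define the role. Only the listed cmdlets are visible, and Restart-Service is further
#    limited to two named services, so the role cannot bounce arbitrary services.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir "$RoleName.psrc") -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
)

# 3. Session configuration: RestrictedRemoteServer puts the session in NoLanguage mode,
#    the virtual account holds admin rights only inside the session (the connecting user
#    needs no standing privilege on the box), and every session is transcribed for review.
$ConfigPath = Join-Path $env:TEMP "$ModuleName.pssc"
New-PSSessionConfigurationFile -Path $ConfigPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ $Group = @{ RoleCapabilities = $RoleName } }

# 4. Validate the file before registering, then register the endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $ConfigPath)) { throw "Invalid session configuration file: $ConfigPath" }
Register-PSSessionConfiguration -Name $ModuleName -Path $ConfigPath -Force | Out-Null

# 5. A member of the group connects to the endpoint by name and sees only the allowed commands:
#    Enter-PSSession -ComputerName <server> -ConfigurationName DemoJEA
#    Get-Command        # Get-Service, Restart-Service and the handful of JEA default commands
```

Register-PSSessionConfiguration restarts the WinRM service, so existing remoting sessions to the box will drop. The transcript directory is the part a defender cares about: it records every command each role member ran, which is what makes delegating a narrow role auditable rather than just narrow.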

PowerShell Attacks–advice on defending

PowerShell Attacks–advice on defending from Lee Holmes – PowerShell security expert – is available at

Read, learn, inwardly digest and apply

Generating passwords

Generating new passwords can be a painful business. There are many ways of accomplishing password generation – depending on your needs.  One suggestion for generating passwords is to use a GUID as the basis of the password

PS> New-Guid


You could then remove the hyphens and extract part of the GUID:

PS> (New-Guid).ToString() -replace '-'

You need to decide the length of the password. A GUID with the hyphens removed is 32 characters long, so make sure the extraction starts at a position that leaves room for the length you need:

$length = 8

((New-Guid).ToString() -replace '-').Substring((Get-Random -Minimum 0 -Maximum (31-$length)), $length)

Your results will look like these examples


The drawback is that a GUID only contains the hexadecimal digits 0-9 and a-f, so the password is made up of numbers and lower-case characters from that narrow set only.

If you use the Membership class from System.Web you can do this:

PS> Add-Type -AssemblyName System.Web 
PS> [System.Web.Security.Membership]::GeneratePassword(8,2) 

The GeneratePassword method takes two arguments: the first is the length of the password and the second is the number of non-alphanumeric characters.

If you’re running PowerShell v5 you can use the using keyword instead of Add-Type:

PS> using assembly System.Web 
PS> [System.Web.Security.Membership]::GeneratePassword(8,1) 
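Two caveats apply to the approaches above: Get-Random is not a cryptographic generator, and System.Web (and therefore Membership.GeneratePassword) only exists in the .NET Framework, so it is unavailable in PowerShell 7 on .NET Core. The example below is added here and is not the post's own code; it draws characters from the .NET cryptographic RNG, lets you choose the character set, and avoids the modulo bias that a plain "random byte % alphabet length" introduces. New-RandomPassword and Test-PasswordComplexity are names chosen for this example.

```powershell
# Added example, not the post's own code. Works on Windows PowerShell 5.1 and PowerShell 7.
function New-RandomPassword {
    param(
        [ValidateRange(8, 128)] [int] $Length = 16,
        # Assumed default alphabet: letters, digits and a handful of symbols (75 characters).
        [string] $Alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@_'
    )
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()   # CSPRNG, not Get-Random
    $chars = $Alphabet.ToCharArray()
    $n     = $chars.Length
    # Largest multiple of $n that fits in a byte. Bytes at or above it are discarded so every
    # character is equally likely; "byte % n" alone would favour the first (256 % n) characters.
    $limit = 256 - (256 % $n)
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $n]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

# Checks that at least three of the four character classes are present, the usual
# shape of an AD password-complexity rule (assumed policy, adjust to your own).
function Test-PasswordComplexity {
    param([Parameter(Mandatory)] [string] $Password)
    $present = @('[a-z]', '[A-Z]', '\d', '[^a-zA-Z0-9]') | Where-Object { $Password -match $_ }
    return (@($present).Count -ge 3)
}

# Usage: generate a few passwords and show whether each passes the complexity check.
1..3 | ForEach-Object {
    $p = New-RandomPassword -Length 16
    "{0}  complexity ok: {1}" -f $p, (Test-PasswordComplexity -Password $p)
}
```

Because the generator uses rejection sampling, the alphabet can be any length up to 255 characters without skewing the distribution; with the 75-character default, roughly 12% of the random bytes are thrown away, which is negligible. The complexity check is a sanity test on the output, not a substitute for length: a 16-character password from this alphabet has about 99 bits of entropy.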

How many domain admins do you need?

I was working on a book chapter this afternoon and something I was reading made me stop and think for a moment. How many people are members of your domain admins group – or, even worse, the enterprise admins or schema admins groups?


Many of the organisations whose AD I’ve reviewed have 15, 20, 50 or even 70 people in the domain admins group – and this is for a single domain!

Is this necessary?


Most often the answer is no, no and no again.


Way back in NT times you had to be a domain admin to do practically any administration. Now things are different.

You can be much more granular in assigning permissions – remember the principle of least privilege – and there is a whole raft of built-in groups for administering individual facets of your environment.


You can use tools like JEA and PowerShell to delegate permissions rather than lumping everyone into domain admins.


In this day and age there is no excuse for having a domain admins group with huge numbers of members unless you subscribe to the “that’s how we’ve always done it” school of thought. If you do, then expect problems sooner rather than later.
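The first step in shrinking those groups is knowing who is actually in them, nested groups included. The script below is an added example (not from the original post) that reports the effective membership of the three groups mentioned above and flags any that exceed a threshold. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the threshold of 5 is an arbitrary value for illustration, not a recommendation from the post.

```powershell
# Added example, not the post's own code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$MaxExpected = 5     # assumed threshold; set it to whatever your own standard allows
$Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

$report = foreach ($g in $Groups) {
    try {
        # -Recursive expands nested groups, so you see the accounts that really hold the rights
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop
    } catch {
        # Enterprise Admins and Schema Admins only exist in the forest root domain
        Write-Warning "Could not read '$g': $($_.Exception.Message)"
        continue
    }
    $users = @($members | Where-Object objectClass -eq 'user')
    [pscustomobject]@{
        Group        = $g
        Members      = @($members).Count
        UserAccounts = $users.Count
        OverLimit    = ($users.Count -gt $MaxExpected)
        Accounts     = (@($users.SamAccountName) | Sort-Object) -join ', '
    }
}

# Summary table, then the full account list for any group over the threshold
$report | Format-Table Group, Members, UserAccounts, OverLimit -AutoSize
$report | Where-Object OverLimit | ForEach-Object { "{0}: {1}" -f $_.Group, $_.Accounts }
```

Run it on a schedule and diff the Accounts column between runs: a new name appearing in Domain Admins that nobody requested is exactly the kind of change worth an alert, and it is far easier to spot in a group of five than in a group of seventy.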