Latest

Using PowerShell to block unauthorized access


In a prior blog post titled ‘Using PowerShell to report on failed Remote Desktop logon attempts’, I described how to use the AZSBTools PowerShell module functions Report-FailureAudit and Summarize-FailureAudit to report on and summarize the event log events that indicate an attempt to gain unauthorized access to a Windows computer.

In this post I expand on that effort by automating remediation: creating or updating a Windows firewall rule that blocks the IP addresses from which the unauthorized access attempts originate. This is achieved by the Update-WindowsFirewall and Block-FailedLogonIPs functions, with support from the Backup-EventLog and Clear-SBEventLog functions of the AZSBTools PowerShell module.

Backup-EventLog is a function to back up one or more Windows Event Logs. For example:

Backup-EventLog -EventLogName Application,Security,Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational -BackupFolder C:\Logs

Note that backing up some logs, such as the Security log, may require elevated permissions.

Clear-SBEventLog is a function to clear one or more Windows event logs. Unlike the native Clear-EventLog, this function can clear all Windows event logs. This function requires elevated permissions. Example:

$LogList = @('Application','Security','Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational')
Backup-EventLog -EventLogName $LogList -BackupFolder C:\Logs
Clear-SBEventLog -EventLogName $LogList -Confirm:$false

Update-WindowsFirewall

This function accepts as input one or more IPv4 addresses or CIDR ranges to be blocked (BlockIPList), and one or more IPv4 addresses or CIDR ranges that must never be blocked (AllowIPList), so that legitimate users are not cut off if they enter the wrong password once :). The firewall rule name defaults to BlockAttackers, but you can enter your own.

Example

If you have one or more CSV reports from the Summarize-FailureAudit function, such as:

$BlockIPList = (Get-ChildItem -Path .\ -Filter Summarize-FailureAudit_All*.csv | ForEach-Object { Import-Csv $_.FullName }).SourceIP | Select-Object -Unique | Sort-Object

This line searches the current folder for CSV reports generated by the Summarize-FailureAudit function, imports the SourceIP column, and deduplicates the IP list.

$AllowIPList = @(
    '123.45.67.48/29'    # My WAN subnet
    '10.0.1.0/16'        # My LAN subnet
    (Resolve-DnsName -Name someallowedhost.domain.com).IPAddress
    '123.45.67.89'       # Some known remote user IP
)

The above code block identifies a number of subnets and IPs that should not be blocked by this firewall rule.

$BlockedIPs = Update-WindowsFirewall -BlockIPList $BlockIPList -AllowIPList $AllowIPList -Verbose

The above line creates a firewall rule named BlockAttackers and blocks the listed IP addresses.

Using $AllowIPList ensures that legitimate IPs are not blocked if they show up in the logs because of an occasional failed logon. The $BlockedIPs list above could contain thousands of IPs.

And you can see the firewall rule in the Windows Defender Firewall GUI:
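How the AllowIPList exclusion and the rule update can work, as an added example that is not the module's Update-WindowsFirewall: each block entry is compared numerically against every allowed address or CIDR range, and the survivors go into one inbound block rule. ConvertTo-IPv4Number, Test-IPv4InRange, Get-EffectiveBlockList and Set-BlockRule are assumed names.

```powershell
# Added example (not AZSBTools code); helper names are this example's own.

function ConvertTo-IPv4Number {
    # Dotted-quad string -> [long], so addresses can be masked and compared
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    [Array]::Reverse($bytes)                 # BitConverter expects host (little-endian) order
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InRange {
    # Is $Address inside $Range? $Range is '203.0.113.9' (treated as a /32) or '203.0.113.8/29'
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Range)
    $network, $bits = $Range -split '/', 2
    $prefix = if ($bits) { [int]$bits } else { 32 }
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in $Range" }
    # Top $prefix bits set; built arithmetically because 0xFFFFFFFF is a signed -1 in PowerShell 5
    $mask = [long]4294967295 - ([long][math]::Pow(2, 32 - $prefix) - 1)
    ((ConvertTo-IPv4Number $Address) -band $mask) -eq ((ConvertTo-IPv4Number $network) -band $mask)
}

function Get-EffectiveBlockList {
    # Everything in $BlockIPList that is not covered by an $AllowIPList address or range
    [CmdletBinding()]
    param([string[]]$BlockIPList, [string[]]$AllowIPList = @())
    foreach ($entry in ($BlockIPList | Sort-Object -Unique)) {
        $probe = ($entry -split '/')[0]       # for a block-side CIDR, test its network address
        $coveredBy = $AllowIPList | Where-Object { Test-IPv4InRange -Address $probe -Range $_ } | Select-Object -First 1
        if ($coveredBy) { Write-Verbose "Skipping $($entry): inside allowed range $coveredBy" }
        else { $entry }
    }
}

function Set-BlockRule {
    # Create the inbound block rule once, afterwards only replace its remote address list
    param([string[]]$RemoteAddress, [string]$RuleName = 'BlockAttackers')
    if (-not $RemoteAddress) { Write-Warning 'Nothing to block; rule left unchanged'; return }
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $RemoteAddress
    } else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -Profile Any -RemoteAddress $RemoteAddress -Enabled True | Out-Null
    }
}

# Constructed sample input (documentation ranges, not real attackers)
$block = @('203.0.113.7', '203.0.113.9', '198.51.100.0/24', '192.0.2.77', '203.0.113.7')
$allow = @('203.0.113.8/29', '192.0.2.77')
$effective = Get-EffectiveBlockList -BlockIPList $block -AllowIPList $allow -Verbose
# 203.0.113.9 sits inside 203.0.113.8/29 and 192.0.2.77 is an exact allow entry, so only
# 198.51.100.0/24 and 203.0.113.7 remain (the duplicate 203.0.113.7 collapses to one)
$effective
# Set-BlockRule -RemoteAddress $effective     # needs an elevated session; uncomment to apply
```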


Block-FailedLogonIPs

This function completes this solution. It automates blocking the IPs/subnets of failed Windows and SQL logon attempts. Using the default parameter values, this function will:

  • Create Logs and Reports folders under its current location, with _Archive subfolder under each
  • Schedule itself to run hourly (under LocalSystem context) if not already scheduled
  • Read and parse Security and RDP (Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational) event logs for failed Windows logon events
  • Read and parse Application event log for failed SQL logon events
  • Summarize the data in 6 time-stamped CSV reports under the Reports folder
  • Combine and deduplicate the IP list from the above reports
  • Create/update a Windows firewall rule to block these IPs, ensuring the IPs/subnets in the AllowIPList parameter are not blocked
  • Clear the Security, RDP, and Application event logs for faster processing next hour
  • Archive the Log and Report files under the corresponding _Archive folders

Example

Block-FailedLogonIPs -AllowIPList @(
    '123.45.67.48/29'    # My WAN subnet
    '10.0.1.0/16'        # My LAN subnet
    (Resolve-DnsName -Name someallowedhost.domain.com).IPAddress
    '73.45.67.89'        # Some known remote user IP
) -WorkFolder C:\myScriptFolder -ScheduleHourly

All you need to do is:

  1. Save the above example as Block-Attackers.PS1, replace c:\myScriptFolder and the content of AllowIPList as needed
  2. Invoke it once under elevated permissions to let it schedule itself hourly
  3. Comment out or delete the ( -ScheduleHourly) part on the last line and save it

That’s all. What you should expect to see:

  • Logs and Reports folders under C:\myScriptFolder with _Archive subfolders
  • Script logs and Event logs under Logs\_Archive folder hourly
  • CSV reports under Reports\_Archive folder hourly
  • Windows firewall rule named ‘BlockAttackers’
  • Scheduled task named ‘PowerShell-BlockAttackers’ as shown below
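The self-scheduling step from the list above (run hourly under LocalSystem, only if not already scheduled), as an added example that is not the module's own code; the task name, the script path and Register-HourlyBlockTask are assumed.

```powershell
# Added example (not AZSBTools code): register an hourly LocalSystem task for a blocking
# script, skipping registration when a task of that name already exists.
function Register-HourlyBlockTask {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [string]$TaskName = 'PowerShell-BlockAttackers'
    )
    if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
        Write-Verbose "Task '$TaskName' already exists; nothing to do"
        return
    }
    if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Script not found: $ScriptPath" }

    # -NoProfile keeps a user profile from injecting code into a SYSTEM-level run
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`"" `
        -WorkingDirectory (Split-Path -Path $ScriptPath -Parent)
    # Start now and repeat every hour; with no -RepetitionDuration, Windows 10 / Server 2016
    # and later repeat indefinitely
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
    # LocalSystem is what lets the script read the Security log and edit firewall rules
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # Never overlap two runs, and give up before the next hourly run is due
    $settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 55)

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings | Out-Null
    Write-Verbose "Registered '$TaskName' to run $ScriptPath hourly as SYSTEM"
}

# Run once from an elevated session:
# Register-HourlyBlockTask -ScriptPath 'C:\myScriptFolder\Block-Attackers.ps1' -Verbose
```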


To use/update the AZSBTools PowerShell module which is available in the PowerShell Gallery, you can use the following code:

Set-PSRepository -Name PSGallery -InstallationPolicy Trusted 
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
# PowerShellGallery dropped Ssl3 and Tls as of 1 April 2020
Remove-Module AZSBTools -Force -EA 0 
Install-Module AZSBTools -Force -AllowClobber -SkipPublisherCheck # -Scope CurrentUser
Import-Module AZSBTools -DisableNameChecking -Force 
Get-Command -Module AZSBTools

You need PowerShell 5. To view your PowerShell version, in an elevated PowerShell ISE window type

$PSVersionTable

To download and install the latest version of AZSBTools from the PowerShell Gallery and its dependencies, type

Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

To trust the Microsoft PowerShell Gallery repository, then

Install-Module AZSBTools,Az -Force -AllowClobber -Scope CurrentUser

AZSBTools contains functions that depend on Az module, and they’re typically installed together.

To load the AZSBTools, and Az modules type:

Import-Module AZSBTools,Az -DisableNameChecking

To view a list of cmdlets/functions in AZSBTools, type

Get-Command -Module AZSBTools

To view the built-in help of one of the AZSBTools functions/cmdlets, type

help <function/cmdlet name> -show

such as

help Get-DayOfMonth -show

Using PowerShell to report on failed Remote Desktop logon attempts


Many organizations and small businesses use Microsoft Remote Desktop (RDP) to connect remotely to their work computers without protections such as end-to-end encryption/VPN tunneling or MFA (multi-factor authentication). Even if the RDP port is changed from the default TCP 3389 to an arbitrary port, attackers are able to:

  • Identify open inbound ports, including non-standard arbitrary ports, via port scans and other techniques
  • Identify the service running on an open port by sending test commands or a protocol handshake
  • In the case of RDP, also identify the machine name (hostname) and Windows domain name (if the machine is domain-joined)

Next, the attacker tries to gain access by guessing a user name and password for the identified RDP server. Attackers commonly try the Windows default admin account ‘Administrator’, using automated software to attempt different passwords at a rate of several thousand attempts per hour. Every failed RDP connection leaves one or more entries in the Windows event logs.

This post describes functions in the AZSBTools PS module that automate the discovery and collection of failed RDP connection logs, report on an RDP attack across one or many computers, and provide some mitigation measures.

Report-FailureAudit

Report-FailureAudit is a new function of the AZSBTools PS module. It searches the Windows Security and RdpCoreTS (Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational) event logs for Failure Audit events (Event IDs 4625, 5061, 140).

This function accepts 2 optional parameters:

PARAMETER MaxCount
If an integer value of this optional parameter is provided, this function will limit its search to the newest $MaxCount events of each of the Security and Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational event logs

PARAMETER LogFile
Path to a file where this function will log its console output

Example

$LogFile = ".\Logs\Report-FailureAudit_$(Get-Date -Format 'ddMMMMyyyy_hh-mm-ss_tt').txt"
$EventList = Report-FailureAudit -LogFile $LogFile -Verbose

You can see the count of captured events and the last (most recent) of the returned PS objects using:

$EventList.Count
$EventList[-1]


The next function Summarize-FailureAudit helps sort through that data and answer some questions like where is the attack coming from (which IP addresses, geographical locations), what user accounts are being attempted, …

Summarize-FailureAudit

This function provides a summary report on the data returned from the Report-FailureAudit function. It is designed to aggregate reporting on multiple computers in the same environment.
Summary reporting is provided by:

  • Event Log: Security and RdpCoreTS (Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational)
  • Source IP
  • Source Computer name
  • Logon Type: such as Network/Interactive/…
  • Attempted User Name(s)

This function accepts a few parameters:

PARAMETER FailureAuditData
This function accepts as input the PS objects returned from the previous function Report-FailureAudit. This is a required parameter.

PARAMETER ShowTop
This is an optional parameter containing the count of records to report on, such as show top 20 most frequent source IP addresses. This defaults to 10.

PARAMETER ReportFolder
Path to a folder where this function will save its CSV output reports

PARAMETER LogFile
Path to a file where this function will log its console output

PARAMETERS PerLog, PerSourceIP, PerSourceName, PerLogonType, PerUserName
This optional group of Switch (True/False) parameters help to limit what type of reports you’d like to see. By default, 7 reports are produced such as:

  • Summarize-FailureAudit_All_16April2020_04-22-39_PM.CSV
    This file has all the records from Report-FailureAudit
  • Summarize-FailureAudit_PerLogonType_16April2020_04-22-39_PM.CSV
    This file has the breakdown per Logon Type
  • Summarize-FailureAudit_PerSourceIP_16April2020_04-22-39_PM.CSV
    This file has the breakdown per Source IP
  • Summarize-FailureAudit_PerSourceName_16April2020_04-22-39_PM.CSV
    This file has the breakdown per Source Computer Name
  • Summarize-FailureAudit_PerUserName_16April2020_04-22-39_PM.CSV
    This file has the breakdown per Attempted Account
  • Summarize-FailureAudit_PerLog_Security_16April2020_04-22-39_PM
    This file has the breakdown for the Security Event Log
  • Summarize-FailureAudit_PerLog_RdpCoreTS_16April2020_04-22-39_PM
    This file has the breakdown for the RdpCoreTS Event Log

Example

Summarize-FailureAudit -FailureAuditData (Report-FailureAudit) -ReportFolder .\Reports

The Summarize-FailureAudit_All file is a dump of the input PS objects into a CSV file. When sorted by ‘DateCreated’ it gives a view of the attack's progression across multiple Windows event logs.

This particular view suggests a password spray type attack

You can even have summary reports of failed RDP logons across multiple computers such as:

$ComputerList = @('comp1','comp2','comp3')
$EventList = foreach ($ComputerName in $ComputerList) {
  Invoke-Command -ComputerName $ComputerName -ScriptBlock { Report-FailureAudit }
}
Summarize-FailureAudit -FailureAuditData $EventList -ReportFolder .\Reports

With output similar to:

 

Most of the source IP addresses/source computer names represent other compromised computers used by the attacker.
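The reading and summarizing that Report-FailureAudit and Summarize-FailureAudit perform, reduced to a standalone script as an added example (not the module's code): it pulls the source IP, attempted account and logon type out of the XML of Security 4625 and RdpCoreTS 140 events, then summarizes per source IP and per account, labelling the spray-versus-brute-force shape noted above. Get-FailedLogonRecord and Get-FailedLogonSummary are assumed names; reading the Security log needs an elevated session.

```powershell
# Added example (not AZSBTools code); function names are this example's own.

function Get-FailedLogonRecord {
    # One flat record per failed-logon event from the Security and RdpCoreTS logs
    [CmdletBinding()]
    param([int]$MaxEvents = 5000)
    $sources = @(
        @{ LogName = 'Security'; Id = 4625 }
        @{ LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; Id = 140 }
    )
    foreach ($source in $sources) {
        # "No events were found" is a non-terminating error; a quiet log is not a failure
        $events = Get-WinEvent -FilterHashtable $source -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        foreach ($event in $events) {
            $xml = [xml]$event.ToXml()
            $data = @{}                          # <Data Name="X">value</Data> -> lookup table
            foreach ($d in @($xml.Event.EventData.Data)) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
            [pscustomobject]@{
                DateCreated = $event.TimeCreated
                Log         = $source.LogName
                EventId     = $event.Id
                # 4625 names the field IpAddress; RdpCoreTS 140 names it IPString
                SourceIP    = if ($data.ContainsKey('IpAddress')) { $data['IpAddress'] } else { $data['IPString'] }
                SourceName  = $data['WorkstationName']
                UserName    = $data['TargetUserName']
                LogonType   = $data['LogonType']
            }
        }
    }
}

function Get-FailedLogonSummary {
    # Top-N tables per source IP and per attempted account, like the PerSourceIP/PerUserName reports
    param([Parameter(Mandatory)][object[]]$Records, [int]$ShowTop = 10)
    $perIP = $Records | Where-Object { $_.SourceIP -and $_.SourceIP -ne '-' } |
        Group-Object -Property SourceIP | Sort-Object -Property Count -Descending |
        Select-Object -First $ShowTop | ForEach-Object {
            $accounts = @($_.Group.UserName | Sort-Object -Unique).Count
            [pscustomobject]@{
                SourceIP         = $_.Name
                Attempts         = $_.Count
                DistinctAccounts = $accounts
                # Many accounts with few tries each from one source is the password-spray shape;
                # one account hammered repeatedly is classic brute force
                Pattern          = if ($accounts -gt 10 -and ($_.Count / $accounts) -lt 3) { 'spray' }
                                   elseif ($accounts -eq 1) { 'brute-force' } else { 'mixed' }
            }
        }
    $perUser = $Records | Where-Object { $_.UserName } | Group-Object -Property UserName |
        Sort-Object -Property Count -Descending | Select-Object -First $ShowTop | ForEach-Object {
            [pscustomobject]@{ UserName = $_.Name; Attempts = $_.Count
                               DistinctSources = @($_.Group.SourceIP | Sort-Object -Unique).Count }
        }
    [pscustomobject]@{ PerSourceIP = $perIP; PerUserName = $perUser }
}

# Constructed sample records (documentation addresses), so the summary runs without event logs
$sample = @(foreach ($i in 1..30) {
    [pscustomobject]@{ DateCreated = (Get-Date).AddMinutes(-$i); Log = 'Security'; EventId = 4625
                       SourceIP = '203.0.113.7'; SourceName = 'WIN-ATTACK'; UserName = "user$i"; LogonType = '3' }
})
$sample += @(foreach ($i in 1..5) {
    [pscustomobject]@{ DateCreated = (Get-Date).AddMinutes(-$i); Log = 'Security'; EventId = 4625
                       SourceIP = '198.51.100.9'; SourceName = 'DESKTOP-01'; UserName = 'Administrator'; LogonType = '10' }
})
$summary = Get-FailedLogonSummary -Records $sample
$summary.PerSourceIP | Format-Table   # 203.0.113.7: 30 attempts over 30 accounts (spray); 198.51.100.9: 5 on Administrator (brute-force)
$summary.PerUserName | Format-Table
# Live run (elevated): Get-FailedLogonSummary -Records (Get-FailedLogonRecord -MaxEvents 20000) -ShowTop 20
# Each table can then go to the Reports folder with Export-Csv -NoTypeInformation
```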

The default sizes of the Windows event logs can be as small as 1 MB, and by default these logs are configured in a circular fashion where the newest entries overwrite the oldest. During an active attack such a small log file can hold only about a single minute's worth of entries.

Mitigation measures:

  • Configure and use a VPN tunnel to connect to the remote office before using RDP
  • Configure your VPN to use MFA
  • Configure the relevant Windows event log files to larger sizes than the default settings. This can be done domain-wide via group policy
  • Configure Windows event logs to be forwarded to a SIEM such as Splunk
  • Rename the local and domain ‘Administrator’ accounts and configure them with long, complex passwords
  • Identify the WAN IPs/subnets of legitimate RDP users and configure your perimeter firewall to allow inbound RDP traffic only from those subnets
  • Monitor failed RDP logons, for example using the PS Summarize-FailureAudit and Report-FailureAudit functions
  • PS automation can be developed to configure the Windows firewall to block incoming RDP connections from the IPs/subnets identified by the Report-FailureAudit function. (1 May 2020 update: see the ‘Using PowerShell to block unauthorized access’ post for the actual implementation)


Fixing issue: Source Location ‘https://www.powershellgallery.com/api/v2/package/’ is not valid


Recently, you may have seen this error when trying to download any module from the PowerShell Gallery. For example:

Install-Module AZSBTools -Force -AllowClobber -SkipPublisherCheck

This is because Microsoft’s PowerShellGallery.com has dropped support for SSL3 and TLS 1.0 protocols to secure HTTPS as of 1 April 2020. PowerShell 5 defaults to using SSL3 and TLS1:

[Net.ServicePointManager]::SecurityProtocol

You can fix that by specifying TLS 1.2 as in:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

You can now download PS Gallery modules without getting the above error.

This protocol setting however does not persist past your current PS session. To make this setting available on all your future PS sessions, you can add it to your PS profile as in:

New-Item -Path "$([Environment]::GetFolderPath('MyDocuments'))\WindowsPowerShell" -ItemType Directory -EA 0

'[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12' | Out-File $profile -Append -Encoding ascii



Get-DayOfMonth function added to AZSBTools PowerShell module


You may come across a situation where you need to find the first or last occurrence of a given day of the week (Sunday, for example) in a given month and year, such as when setting up a PowerShell automation for a GFS (Grandfather-Father-Son) backup schedule. The Get-DayOfMonth function identifies the first or last given day (Sun/Mon/Tue/…) of the current or any given month/year.

Example: First Sunday of the current month

Get-DayOfMonth -DayofWeek Sunday -First

Example: First Sunday of the next month

Get-DayOfMonth -DayofWeek Sunday -Month (Get-Date).AddMonths(1).Month -First

Example: Last Saturday in October 1911

Get-DayOfMonth -DayofWeek Saturday -Month 10 -Year 1911

Example: Last Tuesday in July 2165

Get-DayOfMonth -DayofWeek Tuesday -Month 7 -Year 2165

See; time travel is not that hard 🙂

Example: Second Monday in November 2063

(Get-DayOfMonth -DayofWeek Monday -Month 11 -Year 2063 -First).AddDays(7)

The function returns the first or last given day-of-week of the given month/year. Since it returns a DateTime object, we can use its .AddDays method to get the second Monday in November 2063, as shown above.
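The same first/last lookup, reimplemented as an added example (not the module's Get-DayOfMonth) and generalized with an -Nth parameter, so that "second Monday" becomes a parameter instead of an .AddDays(7) afterwards and a non-existent fifth weekday is reported rather than spilling into the next month; Get-NthWeekdayOfMonth is an assumed name.

```powershell
# Added example (not AZSBTools code): Nth (or Nth-from-last) weekday of a month.
function Get-NthWeekdayOfMonth {
    param(
        [Parameter(Mandatory)][System.DayOfWeek]$DayOfWeek,
        [ValidateRange(1, 12)][int]$Month = (Get-Date).Month,
        [ValidateRange(1, 9999)][int]$Year = (Get-Date).Year,
        # 1 = first, 2 = second, ... ; -1 = last, -2 = second to last, ...
        [ValidateSet(1, 2, 3, 4, 5, -1, -2, -3, -4, -5)][int]$Nth = 1
    )
    $first = Get-Date -Year $Year -Month $Month -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
    $daysInMonth = [DateTime]::DaysInMonth($Year, $Month)
    if ($Nth -gt 0) {
        # Days from the 1st to the first matching weekday, then whole weeks forward
        $offset = ([int]$DayOfWeek - [int]$first.DayOfWeek + 7) % 7
        $day = 1 + $offset + 7 * ($Nth - 1)
    } else {
        # Days back from the last day of the month to the last matching weekday, then weeks back
        $last = $first.AddDays($daysInMonth - 1)
        $offset = ([int]$last.DayOfWeek - [int]$DayOfWeek + 7) % 7
        $day = $daysInMonth - $offset + 7 * ($Nth + 1)
    }
    # A 5th (or 5th-from-last) occurrence does not exist in every month
    if ($day -lt 1 -or $day -gt $daysInMonth) { return $null }
    $first.AddDays($day - 1)
}

Get-NthWeekdayOfMonth -DayOfWeek Saturday -Month 10 -Year 1911 -Nth -1   # last Saturday in October 1911
Get-NthWeekdayOfMonth -DayOfWeek Monday -Month 11 -Year 2063 -Nth 2      # second Monday in November 2063
Get-NthWeekdayOfMonth -DayOfWeek Monday -Month 2 -Year 2021 -Nth 5       # $null: February 2021 has four Mondays
```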

 



Deploy-ARMVnet function added to AZSBTools PowerShell module


Deploy-ARMVnet function has been added to AZSBTools PowerShell module. This function will deploy a Vnet in a given Azure subscription including details such as subnets and the level of DDoS protection. This function uses API version 2019-09-01 which addresses the issue of having to make each subnet dependent on prior subnets.

To use this function, you need to be connected to Azure, such as using the Login-AzAccount cmdlet.

This function has an optional parameter, SubscriptionId, which is used to ensure that you’re deploying the Vnet in the correct Azure subscription.

You can obtain the desired SubscriptionId via the Get-AzSubscription cmdlet.

Here’s an example of using this function:

$Subscription = Get-AzSubscription -SubscriptionName 'Visual Studio Enterprise Subscription – MPN'
$ParameterSet = @{
   SubscriptionId = $Subscription.Id 
   ResourceGroupName = 'Picard_Hub_RG'
   AzureLocation = 'centralus'
   VnetName = 'Picard_Hub_Vnet'
   VnetPrefix = '10.12.0.0/16'
   SubnetList = @(
      @{ Name = 'Hub_Gateway_Subnet'; Prefix = '10.12.0.0/27' } 
      @{ Name = 'Hub_NVA_Subnet'; Prefix = '10.12.0.32/27' }
      @{ Name = 'Hub_Infra_Subnet'; Prefix = '10.12.0.64/27' }
   )
   DdosProtection = $false
   ShowTemplate = $true
}
Deploy-ARMVnet @ParameterSet

and the output may be similar to:

The ResourceGroupName parameter is used to specify which RG to deploy the Vnet into. This function will create the specified RG if it does not exist.

DdosProtection is a switch that defaults to False. The False setting enables ‘Basic DDoS Protection’ while the True setting enables ‘Standard DDoS Protection’. See this link for more details.

ShowTemplate is also a switch that defaults to False. When set to True, this function will display the resulting ARM template in notepad, will display the ARM template to the console before deploying it (see above), and will also make it part of the script log file.

Here’s an example of the resulting ARM template displayed in notepad when setting the ShowTemplate switch to True.

The script logs the console output to a log file such as “Deploy-ARMVnet – 11February2020_12-42-18_PM.txt”.

The SubnetList parameter takes zero or more hashtables, each containing the following 2 keys:

  • Name: This is the subnet name
  • Prefix: This is the subnet Prefix in CIDR format.

Each subnet Prefix must fall inside the Vnet Prefix specified by the VnetPrefix parameter.

If no value is provided for the SubnetList parameter, no subnets will be provisioned in this Vnet. Furthermore, any existing subnets in this Vnet will be removed. Although ARM templates are deployed in ‘incremental mode’ by default, where resources in the template are added to the resource group without deleting resources not specified in the ARM template, subnets are considered part of the Vnet resource. This means that this function may delete existing subnets, and only the subnets specified in its input will remain.

This function will display verbose details during ARM Template processing.
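An added example (not the module's Deploy-ARMVnet) of the template shape the post describes: the subnets are declared inline in the virtualNetworks resource under apiVersion 2019-09-01, so no per-subnet dependsOn chain is needed, and that list is the complete subnet set even in incremental mode. New-VnetTemplate and the mapping of the DdosProtection switch to enableDdosProtection are this example's assumptions.

```powershell
# Added example (not AZSBTools code): build the ARM template object for a Vnet with inline subnets.
function New-VnetTemplate {
    param(
        [Parameter(Mandatory)][string]$VnetName,
        [Parameter(Mandatory)][string]$VnetPrefix,
        [Parameter(Mandatory)][string]$AzureLocation,
        [hashtable[]]$SubnetList = @(),        # each: @{ Name = ...; Prefix = ... }
        [switch]$DdosProtection
    )
    # @( ) so an empty SubnetList yields [] rather than [null] in the JSON
    $subnets = @(foreach ($s in $SubnetList) {
        @{ name = $s.Name; properties = @{ addressPrefix = $s.Prefix } }
    })
    @{
        '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
        contentVersion = '1.0.0.0'
        resources      = @(
            @{
                type       = 'Microsoft.Network/virtualNetworks'
                apiVersion = '2019-09-01'
                name       = $VnetName
                location   = $AzureLocation
                properties = @{
                    addressSpace = @{ addressPrefixes = @($VnetPrefix) }
                    # Subnets live inside the Vnet resource: this list replaces whatever exists,
                    # incremental deployment mode or not
                    subnets      = $subnets
                    # Assumed mapping of the post's DdosProtection switch; Standard protection
                    # additionally needs a ddosProtectionPlan reference, omitted here
                    enableDdosProtection = [bool]$DdosProtection
                }
            }
        )
    }
}

$template = New-VnetTemplate -VnetName 'Picard_Hub_Vnet' -VnetPrefix '10.12.0.0/16' -AzureLocation 'centralus' -SubnetList @(
    @{ Name = 'Hub_Gateway_Subnet'; Prefix = '10.12.0.0/27' }
    @{ Name = 'Hub_NVA_Subnet';     Prefix = '10.12.0.32/27' }
    @{ Name = 'Hub_Infra_Subnet';   Prefix = '10.12.0.64/27' }
)
$template | ConvertTo-Json -Depth 10        # what a ShowTemplate-style option would display

# Deployment (needs Connect-AzAccount and the target subscription selected first):
# New-AzResourceGroup -Name 'Picard_Hub_RG' -Location 'centralus' -Force | Out-Null
# New-AzResourceGroupDeployment -ResourceGroupName 'Picard_Hub_RG' -TemplateObject $template -Mode Incremental -Verbose
```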

You can review the new Vnet in the Azure portal.

Notice that Azure creates the NetworkWatcherRG and a Network Watcher

The new RG shows the new Vnet

Which shows the 3 configured subnets



Get-MyWANIP function added to AZSBTools PowerShell module


Get-MyWANIP function has been added to AZSBTools PowerShell module. As the name implies this function will return the current WAN IP address where the function is invoked. This is done by querying a number of available online sites such as

The function returns a System.Net.IPAddress object.

Example:

Write-Log 'My WAN IP is', (Get-MyWANIP).IPAddressToString Green,Cyan
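An added example (not the module's Get-MyWANIP) of the lookup described above: query several public endpoints in turn, accept only a reply that is a bare IPv4 literal, and return a System.Net.IPAddress. The endpoint list and the Get-WanIPAddress name are this example's assumptions.

```powershell
# Added example (not AZSBTools code): WAN IP lookup with endpoint fallback and reply validation.
# PowerShell 5 defaults to SSL3/TLS 1.0; add TLS 1.2 without discarding what is already enabled
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

function Get-WanIPAddress {
    [CmdletBinding()]
    param(
        # Assumed endpoint list; each returns the caller's address as plain text
        [string[]]$Endpoint = @('https://api.ipify.org', 'https://ifconfig.me/ip', 'https://icanhazip.com'),
        [int]$TimeoutSec = 5
    )
    foreach ($url in $Endpoint) {
        try {
            $text = (Invoke-RestMethod -Uri $url -TimeoutSec $TimeoutSec -UseBasicParsing).ToString().Trim()
        } catch {
            Write-Verbose "$url failed: $($_.Exception.Message)"
            continue
        }
        # Do not trust the body blindly: it must be a dotted quad and nothing else
        $ip = $null
        if ($text -match '^\d{1,3}(\.\d{1,3}){3}$' -and
            [System.Net.IPAddress]::TryParse($text, [ref]$ip) -and
            $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
            Write-Verbose "$url answered $ip"
            return $ip
        }
        Write-Verbose "$url returned unexpected content: $text"
    }
    throw 'No endpoint returned a valid IPv4 address'
}

(Get-WanIPAddress -Verbose).IPAddressToString
```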

 



Quantum supremacy – Google Sycamore superconducting processor


Google’s new Sycamore processor is over 1.5 billion times faster than a million-core supercomputer!!
So, a 10,000-year process on a million-core supercomputer takes 200 seconds on the Google Sycamore superconducting quantum processor.
How does that impact:
  • Brute Force attacks
  • Encryption and related issues like hash calculation, certificates
  • AI, machine learning
  • Simulations, modeling
“obtaining a million samples on the quantum processor takes 200 seconds, whereas an equal-fidelity classical sampling would take 10,000 years on a million cores”

Get-SBADUser function added to AZSBTools PowerShell module


Get-SBADUser function has been added to the AZSBTools PowerShell module to provide details on Active Directory user objects. This comes in handy when you need to list AD users but do not have Active Directory PowerShell module or do not have the necessary permissions to login to a Domain Controller.

  • This function must be run from a domain-joined computer
  • This function does not require or depend on the Active Directory PowerShell module
  • This function does not require permission/rights to login or connect to a Domain Controller
  • Other than console output, the function will return no output if the provided group does not exist
  • If a user samaccountname is specified as a parameter the function will return output similar to:
  • If the function is used without any parameters, it will return information on all AD users in the current domain


Get-SBADGroupMembers function added to AZSBTools PowerShell module


Get-SBADGroupMembers function has been added to the AZSBTools PowerShell module to provide member list information for Active Directory group objects including members of sub-groups. This function does not depend on or require Active Directory PowerShell module or the necessary permissions to login to a Domain Controller.

  • This function must be run from a domain-joined computer
  • This function does not require or depend on the Active Directory PowerShell module
  • This function does not require permission/rights to login or connect to a Domain Controller
  • The function returns output similar to:

So this function’s emphasis is not on the provided group's own information such as its DN (Distinguished Name), OU (Organizational Unit), … Group properties can be obtained via the Get-SBADGroup function. The emphasis of Get-SBADGroupMembers is on a group’s member users, and whether a user is a direct member of the given group or a member of a subgroup.

The ‘MemberOf’ field provides that visibility by listing the group hierarchy of each member user separated by dots. In the example above, testuser2 is member of testgroup2.testgroup1 which indicates that he’s a member of testgroup2 AD group which is a member of testgroup1 AD group. In the same example above, testuser1 is a direct member of testgroup1 AD group.
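An added example, not the module's Get-SBADGroupMembers, of how the dotted MemberOf path described above can be produced with the built-in [ADSISearcher] (System.DirectoryServices), under the same constraints the Get-SBADUser and Get-SBADGroup posts list: no ActiveDirectory module and no Domain Controller logon. Get-GroupMemberPath and ConvertTo-LdapFilterValue are assumed names, and it must run on a domain-joined computer.

```powershell
# Added example (not AZSBTools code): recursive group membership with a dotted group path.
function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 special characters so a supplied name cannot alter the LDAP filter
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-GroupMemberPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Path = '',
        [System.Collections.Generic.HashSet[string]]$Visited = [System.Collections.Generic.HashSet[string]]::new()
    )
    $filter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $GroupName)))"
    $group = ([ADSISearcher]$filter).FindOne()
    if (-not $group) { Write-Warning "Group '$GroupName' not found"; return }
    $groupDn = [string]$group.Properties['distinguishedname'][0]
    # Guard against circular nesting (A contains B, B contains A)
    if (-not $Visited.Add($groupDn)) { return }
    # Innermost group first, outermost last: testgroup2.testgroup1
    $here = if ($Path) { "$GroupName.$Path" } else { $GroupName }

    foreach ($memberDn in $group.Properties['member']) {
        $member = [ADSI]"LDAP://$($memberDn -replace '/', '\/')"
        $class  = [string](@($member.objectClass)[-1])    # most specific class is listed last
        $sam    = [string]$member.sAMAccountName
        switch ($class) {
            'user'  { [pscustomobject]@{ UserName = $sam; MemberOf = $here; DirectMember = (-not $Path) } }
            'group' { Get-GroupMemberPath -GroupName $sam -Path $here -Visited $Visited }
            # computers, contacts and foreign security principals are skipped
        }
    }
}

# Get-GroupMemberPath -GroupName 'testgroup1' | Format-Table
```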



Get-SBADGroup function added to AZSBTools PowerShell module


Get-SBADGroup function has been added to the AZSBTools PowerShell module to provide details on Active Directory group objects, including their members. This comes in handy when you need to list AD group members but do not have the Active Directory PowerShell module or do not have the necessary permissions to log in to a Domain Controller.

  • This function must be run from a domain-joined computer
  • This function does not require or depend on the Active Directory PowerShell module
  • This function does not require permission/rights to login or connect to a Domain Controller
  • The function will return no output if the provided group does not exist
  • If a group is specified as a parameter the function will return output similar to:
  • If the function is used without any parameters, it will return information on all AD groups in the current domain:

To see group members including sub-groups use the Get-SBADGroupMembers function.

