PowerShell on Mexicali IT

Zero-Trust Endpoint Isolation: Containment via Offline SIDs

Mon, 30 Mar 2026 16:20:00 -0700

When a user is terminated in Active Directory, the first line of defense is instantly engaged: denial of corporate access, which disconnects their VPN sessions and blocks interactive logins through the Domain Controller (DC).

However, there is a critical risk vector. If the employee (or a malicious attacker) has their corporate laptop, the local Windows Cached Credentials will continue to operate. This allows them to log into the machine “offline” (from the domain) and extract sensitive files locally onto a USB drive without needing to be connected to the corporate VPN or internal network.

PowerShell: How to Transfer Security Groups from One User to Another

Thu, 14 Oct 2021 22:39:01 -0800

Introduction

A couple of days ago, I was asked for help copying security groups from one user to a new user. While it’s true that we can perform this task manually, sometimes a simple line of code can save us this work. This is helpful when the new user belongs to the same department as the user whose groups we want to copy.

There’s something to keep in mind before doing this: you should be aware that the user with the groups belonging to the department may have additional, previously authorized access. For example, they might have access to shared files because they’re part of a project, etc. This is why you should be careful when copying the groups in their entirety. If this isn’t the case, then the following script can be very helpful.

PowerShell: Send email to users when password will soon expire.

Fri, 08 Oct 2021 22:39:01 -0800

Introduction

In this post, we’ll see how to alert users when their domain password will soon expire. To do this, we’ll create a PowerShell script.

This script is divided into three functions, which I will explain.

Send-Email

Send-Email This function basically receives three parameters: Username, user email address, and the number of days remaining until the password expires.

In this case, I’m using unauthenticated email. Please note that using unauthenticated email (no SSL and no password, using port 25) means you can only send internal emails. If you want to send emails outside your organization, you must use port 587, enable SSL, and enter a username and password. This will depend on your specific requirements.

PowerShell: Create security groups for each server, remove local administrators and add them to the new group.

Mon, 13 Sep 2021 22:39:01 -0800

Introduction

Security Procedure: Local Administrator Control

Some time ago, I was asked to find a method to implement certain security and control measures for users who are local administrators on each server. These measures required the following:

Creation of Groups in AD: Create a security group in Active Directory for each server.

Assignment of Permissions: Add the created group to the corresponding server with the local administrator role.

User Migration: Find all current local administrators on the server and add them to the new AD group.

Account Removal: Once the users are added to the AD group, remove them from the server’s local administrators group.

Audit Log: Save a log of the users who are administrators on each server.

Notification: Send an email with a report of the changes made.

The idea behind all of this is to have control and know which users are local administrators on the servers. We’re talking about more than 500 servers, and managing them one by one would be quite complicated.

PowerShell: How to Create New Users in AD

Tue, 31 Aug 2021 22:39:01 -0800

Introduction

The easiest way to create users in AD is undoubtedly using Active Directory Users and Computers, provided you only want to create one or two users. But what if you want to create multiple users? In that case, I don’t think this method is the most suitable. For this, we will use PowerShell with the New-ADUser cmdlet.

There are multiple parameters we can use with the New-ADUser cmdlet. If we check the syntax, we get the following: