Active Directory accounts – Security Auditing (The very basics – part 2)
How many Domain Admins are there in my Active Directory domain?
Have you ever asked yourself this question? If you haven’t, you should … or you landed on the wrong blog!
If you have, there is a very useful script to keep in your utility belt. And before anyone asks, no, this is not my code, but it is available on TechNet and there is no point in re-inventing the wheel.
I’m attaching a copy of it here, but do go to https://gallery.technet.microsoft.com/scriptcenter/List-Membership-In-bff89703 and find out more.
Now let’s have some fun and start cleaning up those privileged accounts.
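As an added example (it is not the TechNet script linked above, nor code from the original post), here is a report that answers the question and also catches two things a plain group member listing misses: membership through nested groups, resolved by the domain controller itself, and accounts whose primaryGroupID points at a privileged group, which never show up in the group's member attribute. It assumes the ActiveDirectory PowerShell module and read access to the domain; the group names are the default well-known ones and the output path is arbitrary.

```powershell
# Added example: not the TechNet script referenced above, and not code from the
# original post. Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function New-PrivilegedAccountRow {
    param($Group, $Object, [string]$Via)
    $uac = $Object.userAccountControl
    [pscustomobject]@{
        Group           = $Group
        Member          = $Object.sAMAccountName
        Class           = $Object.objectClass      # user, computer, group, foreignSecurityPrincipal (trusted-domain member)
        Via             = $Via
        AdminCount      = $Object.adminCount       # 1 once AdminSDHolder/SDProp has stamped the object
        Enabled         = if ($null -ne $uac) { -not ($uac -band 0x2) } else { $null }
        PasswordLastSet = if ($Object.pwdLastSet) { [datetime]::FromFileTime($Object.pwdLastSet) } else { $null }
        LastLogon       = if ($Object.lastLogonTimestamp) { [datetime]::FromFileTime($Object.lastLogonTimestamp) } else { $null }
    }
}

function Get-PrivilegedAccountReport {
    param(
        # Default well-known privileged groups; Enterprise/Schema Admins exist only in the forest root domain.
        [string[]]$GroupNames = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                                  'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators')
    )
    $props = 'sAMAccountName', 'objectClass', 'adminCount', 'userAccountControl', 'pwdLastSet', 'lastLogonTimestamp'

    foreach ($name in $GroupNames) {
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { continue }

        # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC expand
        # nested membership itself: "Domain Admins -> Tier0-Helpdesk -> alice" is one hit,
        # with no client-side recursion and none of Get-ADGroupMember -Recursive's
        # trouble with trusted-domain principals or its default 5000-member ceiling.
        Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" -Properties $props |
            ForEach-Object { New-PrivilegedAccountRow -Group $name -Object $_ -Via 'memberOf (direct or nested)' }

        # Membership via primaryGroupID is stored only on the account, not in the group's
        # member attribute, so it is invisible to memberOf queries and to most GUI views.
        # Setting a user's primary group to Domain Admins (RID 512) is a classic way to hide.
        $rid = ($group.SID.Value -split '-')[-1]
        Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -Properties $props |
            ForEach-Object { New-PrivilegedAccountRow -Group $name -Object $_ -Via 'primaryGroupID' }
    }
}

# Usage: one CSV for the auditor, a count per group for the boss.
$report = Get-PrivilegedAccountReport | Sort-Object Group, Member -Unique
$report | Export-Csv -Path .\PrivilegedAccounts.csv -NoTypeInformation
$report | Group-Object Group | Select-Object Name, Count
```

Because Domain Admins is itself nested in Administrators, every Domain Admin will also appear under Administrators; that is the correct effective picture, not a bug. Anything listed with Via = primaryGroupID deserves a conversation.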
AD Recycle Bin
Dear reader,
Do yourself a favour and enable the AD Recycle Bin. You might never use it, but if you ever do, I’m sure you’ll be thankful.
Enable AD Recycle Bin
Beforehand, make sure the forest functional level is at least Windows Server 2008 R2 (which means every domain controller in the forest must run 2008 R2 or later). Be aware that this is a one-way change: once the Recycle Bin is enabled it cannot be disabled, and objects deleted before you enabled it become recycled objects that can no longer be restored, so do it before you need it.
Then, run the following command in an Active Directory PowerShell console:
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).RootDomain -Server (Get-ADForest).DomainNamingMaster
After this, every object you delete is kept in the Recycle Bin for the deleted object lifetime (180 days by default) and can be restored with its SID, group memberships and other attributes intact, which neither a tombstone reanimation nor a re-created account can give you.
Protect from accidental deletion
The next step is to protect your objects from deletion. This makes sure that nobody can simply press Delete: the flag has to be cleared on the object first, and only then can it be deleted. Under the hood it adds explicit Deny entries for Everyone on the Delete and Delete Subtree rights, so it also stops scripts and bulk operations, not just the GUI. Anyone with rights to edit the ACL can clear it, so this is protection against accidents, not against a malicious administrator.
You can run the below commands in an Active Directory Powershell console:
Get-ADUser -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true
Get-ADGroup -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true
Get-ADOrganizationalUnit -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true
This step is not required, but it also helps prevent accidents. Depending on your environment you might not want to enable accidental deletion protection for every object (protecting all users, for instance, means every offboarding has to clear the flag first), but in my experience groups and organizational units are a must.
Recover user
Let’s say you’ve deleted a user, and for some reason you need it back.
Well, now that you’ve enabled the AD Recycle Bin, you no longer need to dig out the weekly backup and boot a domain controller into Directory Services Restore Mode for an authoritative restore.
Just run the commands below in an Active Directory PowerShell console:
1. List deleted objects: Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties *
The Name of a deleted object is mangled to "<name>\0ADEL:<objectGUID>", so identify the right one by sAMAccountName or msDS-LastKnownRDN, and check lastKnownParent, which is the OU it will be restored into.
2. Restore it by GUID: Restore-ADObject -Identity <objectGUID>
The restore fails if lastKnownParent no longer exists (for example, the OU was deleted together with the user); either restore the parent first or pass -TargetPath to put the object somewhere else.
And there you go. You have your user back, with the same SID and group memberships as before. With any luck, no one will notice.
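To tie the three steps above together, here is an added example (not code from the original post) that confirms the Recycle Bin is on, protects only OUs and groups that are not yet protected, and restores a deleted user by sAMAccountName, handling the case where the user's OU was deleted along with it. It assumes the ActiveDirectory module and Domain Admin rights in a forest at or above the 2008 R2 functional level; the sAMAccountName "alice" in the usage lines is made up.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and Domain Admin rights (restoring objects requires them).
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # EnabledScopes stays empty until Enable-ADOptionalFeature has run for the forest.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    return [bool]($feature.EnabledScopes.Count -gt 0)
}

function Protect-ADStructure {
    # OUs and groups only: protecting every user makes routine offboarding noisy.
    # Run with -WhatIf first to see what would change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $targets = @(Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion) +
               @(Get-ADGroup -Filter * -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion)
    $unprotected = @($targets | Where-Object { -not $_.ProtectedFromAccidentalDeletion })
    foreach ($obj in $unprotected) {
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Set ProtectedFromAccidentalDeletion')) {
            Set-ADObject -Identity $obj -ProtectedFromAccidentalDeletion $true
        }
    }
    return $unprotected.Count
}

function Get-ADDeletedParent {
    # Locate a deleted OU/container in the Recycle Bin from the DN a child recorded
    # in lastKnownParent. Two shapes occur: the parent's mangled DN
    # ("OU=Sales\0ADEL:<guid>,CN=Deleted Objects,...") or its original DN.
    param([Parameter(Mandatory)][string]$ParentDN)
    if ($ParentDN -match '\\0ADEL:([0-9a-fA-F-]{36})') {
        return Get-ADObject -Identity $Matches[1] -IncludeDeletedObjects -Properties lastKnownParent
    }
    # Original DN: split "OU=Sales,DC=corp,DC=local" into leaf name and grandparent.
    # (Escaped commas inside an RDN value are not handled here.)
    $leaf, $rest = $ParentDN -split ',', 2
    $rdn = ($leaf -split '=', 2)[1]
    Get-ADObject -Filter "isDeleted -eq `$true -and msDS-LastKnownRDN -eq '$rdn' -and lastKnownParent -eq '$rest'" `
        -IncludeDeletedObjects -Properties lastKnownParent
}

function Restore-ADDeletedUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$TargetPath    # optional: restore somewhere else instead of the original OU
    )
    if (-not (Test-ADRecycleBinEnabled)) { throw 'AD Recycle Bin is not enabled; only a backup can bring this object back.' }

    $user = @(Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'" `
        -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged)
    if ($user.Count -eq 0) { throw "No deleted object with sAMAccountName '$SamAccountName'." }
    if ($user.Count -gt 1) { throw 'Several deleted objects match; pick one and use Restore-ADObject -Identity <objectGUID>.' }
    $user = $user[0]

    if ($TargetPath) {
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Restore to $TargetPath")) {
            return Restore-ADObject -Identity $user.ObjectGUID -TargetPath $TargetPath -PassThru
        }
        return
    }

    # Restore-ADObject puts the object back under lastKnownParent and fails if that
    # parent is itself deleted. Check it, and restore the parent (one level) first.
    $parentLive = $true
    try { $null = Get-ADObject -Identity $user.lastKnownParent -ErrorAction Stop } catch { $parentLive = $false }
    if (-not $parentLive) {
        $parent = Get-ADDeletedParent -ParentDN $user.lastKnownParent
        if (-not $parent) { throw "Parent '$($user.lastKnownParent)' is gone and not in the Recycle Bin; use -TargetPath." }
        if ($PSCmdlet.ShouldProcess($parent.DistinguishedName, 'Restore parent OU first')) {
            Restore-ADObject -Identity $parent.ObjectGUID
        }
    }
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Restore user')) {
        Restore-ADObject -Identity $user.ObjectGUID -PassThru
    }
}

# Usage (names are made up):
#   Protect-ADStructure -WhatIf                        # preview, then run without -WhatIf
#   Restore-ADDeletedUser -SamAccountName alice -WhatIf
#   Restore-ADDeletedUser -SamAccountName alice
```

Everything that changes the directory goes through ShouldProcess, so -WhatIf shows exactly which OUs, groups or objects would be touched before you commit. Only one level of deleted parent is restored automatically; for a deleted OU tree, restore the OUs top-down and then the leaf objects.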
Active Directory accounts – Security Auditing (The very basics – part 1)
Dear reader,
How many times have you been confronted with bad passwords, and accounts set to never expire?
How many times have you been asked to audit the Active Directory of a client or of a new organization you just joined?
How about users that “forgot” they changed their own password?
Well fear no more, this post is for you!
Open your PowerShell and let’s get started.
Scenario 1 – “I can’t login! My password isn’t working!”
For this scenario be prepared to quick-draw your PowerShell fu and type the following command:
Get-ADUser -Identity username -Properties PasswordLastSet, PasswordExpired
This quickly tells you whether the password has expired or was recently changed and forgotten! If neither explains it, the same call accepts LockedOut, BadPwdCount and LastBadPasswordAttempt in -Properties; the last two are not replicated between domain controllers, so ask the PDC emulator (with -Server) for the authoritative picture.
Scenario 2 – (Angry Boss/Security guy) Why is this user account password not expiring? How many of these exist?
This is usually B A D!
But worry not. Hopefully you are proactively working on this (if you’re not, get on it) and you have at hand the latest list, obtained with:
Get-ADUser -Filter * -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires | Sort-Object Name | Select-Object Name, PasswordLastSet, PasswordExpired, PasswordNeverExpires | Export-Csv -Path <LocalPath><filename>.csv -NoTypeInformation
And you are done. With this list you can identify all users whose passwords never expire, with the added bonus of knowing whether their current passwords are expired or not.
(Pro Tip: Why PasswordExpired and PasswordLastSet? Well, as soon as you start setting PasswordNeverExpires to False, every account whose password is already older than the applicable maximum password age expires on the spot and its owner is asked to change it at the next logon, which can cause a lot of havoc. Those two fields let you plan the correction for all those accounts in waves instead of all at once.)
And there you have it. You can start owning your Active Directory.
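The Pro Tip above describes a correction plan; here is an added example (not code from the original post) that builds it. For every enabled account with PasswordNeverExpires it looks up the password policy that would actually apply (a fine-grained policy if one is assigned, the domain default otherwise), works out whether clearing the flag would expire the password immediately, and sorts the accounts into waves. It assumes the ActiveDirectory module; the OU name "OU=Service Accounts" is an assumed example of how to exclude known service accounts, and the CSV path is arbitrary.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module.
# "OU=Service Accounts" is an assumed OU name used to show how to carve out exceptions.
Import-Module ActiveDirectory

function Get-PasswordNeverExpiresPlan {
    param(
        # Accounts under these OUs are treated as managed service accounts: reported, not changed.
        [string[]]$ServiceAccountOU = @('OU=Service Accounts'),
        [datetime]$Now = (Get-Date)
    )
    $default = Get-ADDefaultDomainPasswordPolicy

    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
        -Properties PasswordLastSet, PasswordNeverExpires, PasswordNotRequired, LastLogonDate |
    ForEach-Object {
        $u = $_
        # A fine-grained password policy (PSO) on the user or one of its groups overrides
        # the domain default; the cmdlet returns nothing when none applies.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $u -ErrorAction SilentlyContinue
        $maxAge = if ($pso) { $pso.MaxPasswordAge } else { $default.MaxPasswordAge }

        $age = if ($u.PasswordLastSet) { $Now - $u.PasswordLastSet } else { $null }
        $isService = @($ServiceAccountOU | Where-Object { $u.DistinguishedName -like "*,$_,*" }).Count -gt 0

        # MaxPasswordAge of zero means the policy itself never expires passwords, in which
        # case clearing the flag changes nothing for this user.
        $wouldExpireNow = ($maxAge -gt [timespan]::Zero) -and ($null -eq $age -or $age -gt $maxAge)

        [pscustomobject]@{
            SamAccountName      = $u.SamAccountName
            PasswordLastSet     = $u.PasswordLastSet
            PasswordAgeDays     = if ($age) { [int]$age.TotalDays } else { $null }
            PolicyMaxAgeDays    = if ($maxAge -gt [timespan]::Zero) { [int]$maxAge.TotalDays } else { 'unlimited' }
            PasswordNotRequired = $u.PasswordNotRequired   # worse than never-expires: a blank password is allowed
            LastLogonDate       = $u.LastLogonDate
            Action              = if ($isService) { 'Review: service account, keep flag, rotate manually' }
                                  elseif ($wouldExpireNow) { 'Wave 2: reset or warn user before clearing flag' }
                                  else { 'Wave 1: clear flag, password expires on schedule' }
        }
    }
}

function Clear-PasswordNeverExpires {
    # Applies only Wave 1 rows, which are safe to bulk-apply; -WhatIf previews.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipeline)]$PlanRow)
    process {
        if ($PlanRow.Action -like 'Wave 1*' -and
            $PSCmdlet.ShouldProcess($PlanRow.SamAccountName, 'Set PasswordNeverExpires to False')) {
            Set-ADUser -Identity $PlanRow.SamAccountName -PasswordNeverExpires $false
        }
    }
}

# Usage:
$plan = Get-PasswordNeverExpiresPlan
$plan | Export-Csv -Path .\PasswordNeverExpires-plan.csv -NoTypeInformation
$plan | Group-Object Action | Select-Object Name, Count
# $plan | Clear-PasswordNeverExpires -WhatIf
```

Wave 1 accounts can be fixed in bulk without anyone noticing until their normal expiry date arrives; Wave 2 accounts need a reset or at least a heads-up first. Any row with PasswordNotRequired set to True should jump the queue regardless of its wave.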
Find Zombie computers in Active Directory
I’ve been trying out some things with Powershell and wanted to share this.
Active Directory is a great thing, but more often than we like to admit, it tends to become … messy.
So as a small cleanup exercise, here’s how you’d find “zombie” computers in Active Directory using PowerShell:
Get-ADComputer -Filter * -Properties LastLogonDate, PasswordLastSet | Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-180) } | Select-Object Name, LastLogonDate, PasswordLastSet
There you go. After this you’ll have a nice list of computers that have not logged on to the domain in 180 days or more. Two caveats: LastLogonDate is the friendly form of lastLogonTimestamp, which is replicated but only refreshed when it is more than 14 days out of date, so it is accurate to within about two weeks; and whenChanged, which is tempting to use for this, records the last time any attribute on the object was modified by anyone, so an admin editing a description makes a dead machine look alive. PasswordLastSet is a good second opinion: a live domain-joined Windows machine rotates its machine account password every 30 days by default.
Happy cleaning!
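Here is an added example (not code from the original post) that turns the one-liner into a cleanup you can defend: it combines LastLogonDate and PasswordLastSet into a verdict, sets aside cluster name objects, which rarely authenticate and look stale forever, and disables stale accounts with a dated description rather than deleting them. It assumes the ActiveDirectory module; the quarantine OU is an assumed name and the CSV path is arbitrary.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module.
# "OU=Quarantine,DC=corp,DC=local" is an assumed OU used to show the move step.
Import-Module ActiveDirectory

function Get-StaleADComputer {
    param(
        [int]$Days = 180,
        [datetime]$Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$Days)

    # LastLogonDate (lastLogonTimestamp) is replicated but only refreshed when more than
    # 14 days stale, so it says "logged on within about two weeks of this". A live
    # Windows machine also rotates its account password every 30 days, so PasswordLastSet
    # is an independent second signal. Both old => stale; exactly one old => investigate.
    Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, PasswordLastSet, OperatingSystem, whenCreated, servicePrincipalName |
    Where-Object {
        # Cluster name objects (SPN prefix MSClusterVirtualServer/) authenticate rarely and
        # would be flagged every time; review them separately instead.
        -not ($_.servicePrincipalName -match '^MSClusterVirtualServer/')
    } |
    ForEach-Object {
        $logonOld = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
        $pwdOld   = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
        $verdict  = if ($logonOld -and $pwdOld) { 'Stale' }
                    elseif ($logonOld -or $pwdOld) { 'Investigate' }
                    else { 'Active' }
        if ($verdict -ne 'Active') {
            [pscustomobject]@{
                Name              = $_.Name
                OperatingSystem   = $_.OperatingSystem
                LastLogonDate     = $_.LastLogonDate
                PasswordLastSet   = $_.PasswordLastSet
                Created           = $_.whenCreated   # a freshly pre-staged account that never joined also looks stale
                Verdict           = $verdict
                DistinguishedName = $_.DistinguishedName
            }
        }
    }
}

function Disable-StaleADComputer {
    # Disable and tag rather than delete: a disabled account is trivially re-enabled,
    # a deleted one needs the Recycle Bin. -WhatIf previews.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Computer,
        [string]$QuarantineOU   # assumed, e.g. 'OU=Quarantine,DC=corp,DC=local'
    )
    process {
        if ($Computer.Verdict -ne 'Stale') { return }
        if ($PSCmdlet.ShouldProcess($Computer.Name, 'Disable stale computer')) {
            Set-ADComputer -Identity $Computer.DistinguishedName -Enabled $false `
                -Description "Disabled $(Get-Date -Format yyyy-MM-dd): no logon since $($Computer.LastLogonDate)"
            if ($QuarantineOU) { Move-ADObject -Identity $Computer.DistinguishedName -TargetPath $QuarantineOU }
        }
    }
}

# Usage:
$stale = Get-StaleADComputer -Days 180
$stale | Export-Csv -Path .\StaleComputers.csv -NoTypeInformation
$stale | Group-Object Verdict | Select-Object Name, Count
# $stale | Disable-StaleADComputer -WhatIf
```

Leave disabled accounts in place for one more cycle (a month or two) before deleting; if a machine comes back from a cupboard, re-enabling it is a one-liner and the description tells you why it was disabled.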
Active Directory – Authenticating Domain Controller
When, for some reason, you need to know which domain controller authenticated a user, just open a command prompt on the user’s machine and run:
echo %logonserver%
The result is the domain controller that processed that user’s interactive logon. Two caveats: the variable is set once, at logon, so it does not follow later re-authentication against another DC, and when the user signed in with cached credentials (a laptop off the network) it shows the local machine name instead. To see which DC the machine would pick right now, run nltest /dsgetdc:<domain>.
Active Directory – Where is my certificate server?
How to monitor Active Directory Global Catalog replication
If you just added a new global catalog, and you want to know how the replication is going along, here’s what you do.
- Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- At the command prompt, type the following command, and then press ENTER:
dcdiag /s:<servername> /v | find "%"
Verify replication with other domain controllers
To verify replication is functioning
- Open a Command Prompt.
- Type dcdiag /test:replication and press Enter.
- To verify that the proper permissions are set for replication, type dcdiag /test:netlogons and press Enter. The messages indicate whether the connectivity and netlogons tests passed.
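As an added example (not code from the original post), here is the PowerShell way to get the view you would otherwise piece together from dcdiag and repadmin /showrepl: every inbound replication partner per partition for each domain controller, with the last success time, the consecutive failure count and the last error code. It uses the AD replication cmdlets that ship with the Windows Server 2012 or later ActiveDirectory module, and assumes you can reach every DC over RPC.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module
# (Windows Server 2012 or later) and RPC access to the domain controllers.
Import-Module ActiveDirectory

function Get-ADReplicationHealth {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [int]$MaxHoursSinceSuccess = 24
    )
    $now = Get-Date
    foreach ($dc in $DomainController) {
        # One row per (partner, partition). Partition * includes Schema, Configuration,
        # the domain NC and the DNS application partitions, which is where global
        # catalog and DNS replication problems hide.
        $meta = Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -Partition * -PartnerType Inbound -ErrorAction SilentlyContinue
        if (-not $meta) {
            [pscustomobject]@{ DC = $dc; Partner = $null; Partition = $null; Status = 'UNREACHABLE'
                               LastSuccess = $null; Failures = $null; LastResult = $null }
            continue
        }
        foreach ($m in $meta) {
            $hours  = ($now - $m.LastReplicationSuccess).TotalHours
            $status = if ($m.LastReplicationResult -ne 0) { 'FAILING' }
                      elseif ($hours -gt $MaxHoursSinceSuccess) { 'STALE' }
                      else { 'OK' }
            [pscustomobject]@{
                DC          = $dc
                # Partner is the NTDS Settings DN; the second RDN is the server name.
                Partner     = (($m.Partner -split ',')[1]) -replace '^CN='
                Partition   = $m.Partition
                Status      = $status
                LastSuccess = $m.LastReplicationSuccess
                Failures    = $m.ConsecutiveReplicationFailures
                LastResult  = $m.LastReplicationResult   # Win32 code: 0 = success, 8524 = DNS lookup failure
            }
        }
    }
}

# Usage: show only what needs attention, then pull the error text for the failing DCs.
$health = Get-ADReplicationHealth
$health | Where-Object Status -ne 'OK' | Format-Table -AutoSize
$health | Where-Object Status -eq 'FAILING' | Select-Object -ExpandProperty DC -Unique |
    ForEach-Object { Get-ADReplicationFailure -Target $_ | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError }
```

A freshly promoted global catalog will show STALE or missing rows for the read-only partitions it has not finished pulling yet; those should turn to OK as the initial replication completes. A persistent 8524 in LastResult points straight at DNS, which is the subject of the Event ID 1265 notes below.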
Active Directory replication fails Event ID 1265
1. Open a CMD prompt.
2. ping <YourDomainController>.<YourDomain.com>. If ping cannot find the host, the DNS zone has no host (A) record for <YourDomainController>.<YourDomain.com>, and the DC locator SRV records that the same Netlogon service registers are very likely missing too, which is what Event ID 1265 reporting a DNS lookup failure comes down to. Ping only exercises the A record; the SRV records are what replication partners and clients use to find the DC.
3. Open Administrative Tools / DNS and expand the DNS server.
4. Expand Forward Lookup Zones.
5. Right-click each zone and select Properties.
6. Set Dynamic updates to Secure only. Nonsecure and secure updates also work, but they let any host on the network register or overwrite records, including a domain controller’s, so avoid them on Active Directory-integrated zones.
7. Click OK.
8. Open a CMD prompt on your DNS server and type net stop dns followed by net start dns.
9. Open a CMD prompt on <YourDomainController> and type net stop netlogon followed by net start netlogon. Netlogon re-registers the DC’s A and SRV records when it starts, which is what actually puts the missing records back.
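Rather than inferring the state of DNS from a ping, here is an added example (not code from the original post) that checks directly what the procedure above depends on: whether this DC’s host (A) record and the locator SRV records that Netlogon should have registered are present and point at this DC, whether the zone accepts secure dynamic updates only, and, if records are missing, re-registers them without restarting services. It assumes the ActiveDirectory and DnsClient modules on the domain controller and the DnsServer module for the zone check.

```powershell
# Added example, not code from the original post. Run on (or against) a domain controller.
# Assumes the ActiveDirectory, DnsClient and DnsServer PowerShell modules.
Import-Module ActiveDirectory

function Test-DCLocatorRecords {
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [string]$DnsServer                       # optional: query a specific DNS server
    )
    $dc     = Get-ADDomainController -Identity $DomainController
    $domain = $dc.Domain
    $forest = $dc.Forest
    $site   = $dc.Site

    # The records Netlogon registers and that clients and replication partners use to find a DC.
    $expected = @(
        @{ Name = $dc.HostName;                               Type = 'A'   }
        @{ Name = "_ldap._tcp.dc._msdcs.$domain";              Type = 'SRV' }
        @{ Name = "_kerberos._tcp.dc._msdcs.$domain";          Type = 'SRV' }
        @{ Name = "_ldap._tcp.$site._sites.dc._msdcs.$domain"; Type = 'SRV' }
        @{ Name = "_kerberos._tcp.$domain";                    Type = 'SRV' }
        @{ Name = "_ldap._tcp.pdc._msdcs.$domain";             Type = 'SRV'; OnlyIf = 'PDCEmulator'   }
        @{ Name = "_gc._tcp.$forest";                          Type = 'SRV'; OnlyIf = 'GlobalCatalog' }
    )

    foreach ($r in $expected) {
        if ($r.OnlyIf -eq 'PDCEmulator'   -and -not ($dc.OperationMasterRoles -contains 'PDCEmulator')) { continue }
        if ($r.OnlyIf -eq 'GlobalCatalog' -and -not $dc.IsGlobalCatalog) { continue }

        $params = @{ Name = $r.Name; Type = $r.Type; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $params.Server = $DnsServer }
        $answers = Resolve-DnsName @params

        # SRV names are shared by every DC; pass only if THIS DC is among the targets.
        # Resolve-DnsName also returns the targets' A records, so filter on record type.
        $present = if ($r.Type -eq 'SRV') {
            @($answers | Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -ieq $dc.HostName }).Count -gt 0
        } else {
            @($answers | Where-Object { $_.Type -eq 'A' }).Count -gt 0
        }
        [pscustomobject]@{ Record = $r.Name; Type = $r.Type; Present = $present }
    }
}

function Test-DnsZoneSecureUpdates {
    # 'Secure' means only authenticated computers can register or overwrite records.
    # 'NonsecureAndSecure' lets anything on the network overwrite a DC's A record.
    param([string]$Zone = (Get-ADDomain).DNSRoot, [string]$DnsServer = $env:COMPUTERNAME)
    $z = Get-DnsServerZone -Name $Zone -ComputerName $DnsServer
    [pscustomobject]@{ Zone = $Zone; DynamicUpdate = $z.DynamicUpdate; Ok = ($z.DynamicUpdate -eq 'Secure') }
}

# Usage on the DC:
$missing = @(Test-DCLocatorRecords | Where-Object { -not $_.Present })
$missing | Format-Table -AutoSize
Test-DnsZoneSecureUpdates
if ($missing.Count -gt 0) {
    # Re-register the DC locator records and the host record without restarting Netlogon or DNS.
    nltest /dsregdns | Out-Null
    ipconfig /registerdns | Out-Null
}
```

If records are still missing after re-registration, the zone check is the first place to look: a zone set to None rejects the update outright, and a zone set to Secure rejects updates from a DC whose Kerberos is already broken by the same DNS problem, in which case registering the A record by hand in the DNS console gets you unstuck.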