Powershell - A Wary SysAdmin Blog

September 24, 2015September 24, 2017

Powershell – One liner from one of the best

Let’s talk about re-setting passwords.

I know this is hardly news but, I saw this small one liner in a MVA video with Ashley McGlone and thought I would share it.

This is very useful for all junior team members suffering with the password change onslaught. That way, there’s no need to open AD Users and Computers, and when pressed for time, there is nothing quite like a quick and fast one liner.

Just put it in a .bat or .cmd file and distribute and start re-setting passwords.

@echo off&&powershell -NoE -C “&{ipmo ActiveDirectory;Set-ADAccountPassword -I ($u=Read-Host ‘User’) -R;Set-ADUser $u -Ch 1}”

July 30, 2015September 24, 2017

Active Directory accounts – Security Auditing (The very basics – part 2)

How many Domain Admins are there in my ActiveDirectory domain?

Have you ever asked yourself this question? If you haven’t, you should … or you landed in the wrong blog!!

If you have, there is a very usefull script to have in your utility belt. And before anyone asks, no, this is not my code, but it is available in Technet and there is no use in re-inventing the wheel.

I’m attaching a copy of it here, but do go onto https://gallery.technet.microsoft.com/scriptcenter/List-Membership-In-bff89703 and find out more.

PrivilegedUser3.0.ps1

Now let’s have some fun and start cleaning those priviledged accounts.

November 17, 2014

AD Recycle Bin

Dear reader,

Do yourself a favor and enable AD Recycle Bin. You might never use, but if you ever do, I’m sure you’ll be thankful.

Enable AD Recycle Bin

Before hand make sure you are running your domain and forest at least as 2008 level.
Then, run the following command in a Active Directory Powershell console:

Enable-ADOptionalFeature ‘Recycle Bin Feature’ -Scope ForestOrConfigurationSet -Target (Get-ADForest).RootDomain -Server (Get-ADForest).DomainNamingMaster

After this, your action in Active directory will be protected by AD Recycle Bin.

Protect from accidental deletion

The next step is to protect your objects form deletion. This will make sure that you can’t just press delete. you have to disable this option for that object and then delete.
You can run the below commands in an Active Directory Powershell console:

Get-ADUser -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Get-ADGroup -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Get-ADOrganizationalUnit -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

This step is not required, but it also helps prevent accidents. Depending on your environment you might not want to enable Accidental Deletion Protection for all objects, but in my experience, Groups and Organizational Units are a must.

Recover user

Let’s say you’ve deleted a user, and for some reason you need it back.
Well, now that you’ve enable AD Recycle Bin, you don’t need to go get that weekly backup anymore and use AD Restore Mode.
Just run the below commands in powershell:

1. List deleted : Get-ADObject -filter ‘isdeleted -eq $true -and name -ne “Deleted Objects”‘ -includeDeletedObjects -property *
2. Restore-ADObject -identity “GUID”

And there you go. You have your user back. With any luck, no one will notice.

September 16, 2014

Active Directory accounts – Security Auditing (The very basics – part 1)

Dear reader,

How many times have you been confronted with bad passwords, and accounts set to never expire?

How many times you were asked to audit and Active Directory of a client ora new organization you just joined?

How about users that “forgot” they changed their own password?

Well fear no more, this post is for you!

Open your PowerShell and let’s get started.

Scenario 1 – “I can’t login! My password isn’t working!”

For this scenario be prepared to quick draw your PowerShell Fu and type the following command:

Get-ADUser -identity username -properties PasswordLastSet, PasswordExpired

This will quickly tell you if the password is expired or if it was recently changed and forgotten!

Scenario 2 – (Angry Boss/Security guy) Why is this user account password not expiring? How many of these exist?

This is usually B A D!

But worry not. hopefully you are proactively workign on this (if your not, get on it) and you have at hand the latest list, obtained with:

Get-ADUser -Filter * -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires | Sort-Object Name | Select-Object Name, PasswordLastSet, PasswordExpired, PasswordNeverExpires | Export-Csv -Path <LocalPath><filename>.csv

And you are done. With this list, you can identify all users with passwords not expiring and with the added bonus of understanding if the current passwords are expired or not.

(Pro Tip: Why the PasswordExpired and PasswordLastSet? Well, as soon as you start updating the PasswordNeverExpires to False, users will start being asked to change their passwords, and that can cause a lot of havoc. Those two fields will help with the correction plan for all those accounts.)

And there you have it. You can start owning your Active Directory.

June 20, 2014

Find Zombie computers in Active Directory

I’ve been trying out some things with Powershell and wanted to share this.

Active Directory is a great thing, but more often than we like to admit, it tends to become … messy.

So as a small cleanup exercise, here’s how you’d find “zombie” computers in Active Directory using PowerShell:

Get-ADComputer -filter * -properties * | Where-Object {$_.whenChanged -lt $((Get-Date).AddDays(-180))} | Select-Object CN, whenChanged

There you go. After this you’ll have a very nice list of computers that have not contacted Active Directory domain in 180 days or more.

Happy cleaning!