Powershell – One liner from one of the best

Let’s talk about re-setting passwords.

I know this is hardly news, but I saw this small one-liner in an MVA video with Ashley McGlone and thought I would share it.
This is very useful for all junior team members suffering from the password change onslaught. That way, there’s no need to open AD Users and Computers, and when pressed for time, there is nothing quite like a quick one-liner.

Just put it in a .bat or .cmd file, distribute it and start re-setting passwords.
@echo off&&powershell -NoE -C "&{ipmo ActiveDirectory;Set-ADAccountPassword -I ($u=Read-Host 'User') -R;Set-ADUser $u -Ch 1}"
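The one-liner above does the job, but it is easy to mistype a username and reset the wrong account, and it leaves no trace of who reset what. The function below is an added example (not the post's code) built on the same Set-ADAccountPassword / Set-ADUser pair: it checks the account exists before asking for a password, reads the password as a SecureString so it never lands in the console history or a transcript, supports -WhatIf, and appends an audit line to a CSV. The log path and the function name are my own assumptions.

```powershell
# Added example, not the post's one-liner. Wraps the same two cmdlets with a
# pre-check, a secure prompt, -WhatIf support and a local audit trail.
Import-Module ActiveDirectory

function Reset-UserPasswordWithAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Assumed log location; point it at a share the helpdesk cannot edit if you centralise this.
        [string]$LogPath = "$env:ProgramData\PasswordResets.csv"
    )

    # Fail early if the account does not exist, instead of prompting for a password first.
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet -ErrorAction Stop

    # -AsSecureString keeps the new password out of the console buffer and any transcript.
    $newPassword = Read-Host -Prompt "New password for $($user.SamAccountName)" -AsSecureString

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password and require change at next logon')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true

        # Record operator, target and time. The password itself is never written anywhere.
        [pscustomobject]@{
            Timestamp   = (Get-Date).ToString('o')
            Operator    = "$env:USERDOMAIN\$env:USERNAME"
            Target      = $user.SamAccountName
            PreviousSet = $user.PasswordLastSet
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}

# Usage:   Reset-UserPasswordWithAudit -SamAccountName jdoe
# Dry run: Reset-UserPasswordWithAudit -SamAccountName jdoe -WhatIf
```

The -WhatIf run is worth making a habit for junior staff: it prints the distinguished name that would be touched, which catches a mistyped username before anything changes.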

AD Recycle Bin

Dear reader,

Do yourself a favor and enable AD Recycle Bin. You might never use it, but if you ever do, I’m sure you’ll be thankful.

Enable AD Recycle Bin

Beforehand, make sure your domain and forest are running at least at the 2008 functional level.
Then, run the following command in an Active Directory PowerShell console:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).RootDomain -Server (Get-ADForest).DomainNamingMaster

After this, your actions in Active Directory will be protected by AD Recycle Bin.

Protect from accidental deletion

The next step is to protect your objects from deletion. This makes sure that you can’t just press Delete: you have to disable this option on the object first and then delete it.
You can run the commands below in an Active Directory PowerShell console:

Get-ADUser -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Get-ADGroup -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Get-ADOrganizationalUnit -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

This step is not required, but it also helps prevent accidents. Depending on your environment you might not want to enable Accidental Deletion Protection for all objects, but in my experience, Groups and Organizational Units are a must.

Recover user

Let’s say you’ve deleted a user, and for some reason you need it back.
Well, now that you’ve enabled AD Recycle Bin, you no longer need to go and get that weekly backup and use AD Restore Mode.
Just run the commands below in PowerShell:

  1. List deleted objects: Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties *
  2. Restore the one you need: Restore-ADObject -Identity "GUID"

And there you go. You have your user back. With any luck, no one will notice.
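The three posts above (enable the Recycle Bin, protect objects, recover a user) fit together as one small toolkit. The functions below are an added example, not the post's own commands: they check whether the optional feature is really enabled, list the OUs and groups that are still unprotected, show deleted objects together with the container they came from (so you restore the right "jdoe" when there are two), and restore by GUID with -WhatIf support. Function names are my own; the cmdlets are the standard ActiveDirectory module ones used above.

```powershell
# Added example, not the post's code. Companion checks for the Recycle Bin workflow.
Import-Module ActiveDirectory

# The feature exists in every 2008 R2+ forest; it is only *enabled* once EnabledScopes is non-empty.
function Test-ADRecycleBinEnabled {
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
    return ($feature.EnabledScopes.Count -gt 0)
}

# Groups and OUs (the "must" objects from the post) that are still NOT protected.
function Get-UnprotectedADObject {
    @(Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion) +
    @(Get-ADGroup -Filter * -Properties ProtectedFromAccidentalDeletion) |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, ObjectClass, DistinguishedName
}

# Deleted objects with LastKnownParent, so you can tell which of several
# same-named objects (or which OU's copy) you are about to bring back.
function Get-ADDeletedObjectReport {
    param([string]$NameLike = '*')   # deleted names look like "jdoe\0ADEL:<guid>", so 'jdoe*' matches
    Get-ADObject -Filter { isDeleted -eq $true -and Name -ne 'Deleted Objects' -and Name -like $NameLike } `
                 -IncludeDeletedObjects -Properties LastKnownParent, whenChanged, sAMAccountName |
        Select-Object Name, sAMAccountName, ObjectClass, LastKnownParent, whenChanged, ObjectGUID
}

# Restore by GUID. If LastKnownParent is itself a deleted OU, Restore-ADObject
# fails until that OU is restored first; the ShouldProcess message shows the target.
function Restore-ADDeletedObjectByGuid {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties LastKnownParent
    if ($PSCmdlet.ShouldProcess($obj.Name, "Restore to $($obj.LastKnownParent)")) {
        Restore-ADObject -Identity $ObjectGuid
    }
}

# Typical session:
#   Test-ADRecycleBinEnabled
#   Get-UnprotectedADObject | Set-ADObject -ProtectedFromAccidentalDeletion:$true
#   Get-ADDeletedObjectReport -NameLike 'jdoe*'
#   Restore-ADDeletedObjectByGuid -ObjectGuid <guid from the report> -WhatIf
```

Piping Get-UnprotectedADObject into Set-ADObject is the same command the post gives, just limited to the objects that actually need it, which makes the change easy to review before you run it for real.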

Active Directory accounts – Security Auditing (The very basics – part 1)

Dear reader,

How many times have you been confronted with bad passwords and accounts set to never expire?

How many times have you been asked to audit the Active Directory of a client or of a new organization you just joined?

How about users that “forgot” they changed their own password?

Well, fear no more, this post is for you!

Open your PowerShell and let’s get started.

Scenario 1 – “I can’t login! My password isn’t working!”

For this scenario, be prepared to quick-draw your PowerShell Fu and type the following command:

Get-ADUser -identity username -properties PasswordLastSet, PasswordExpired

This will quickly tell you if the password is expired or if it was recently changed and forgotten!

Scenario 2 – (Angry Boss/Security guy) Why is this user account password not expiring? How many of these exist?

This is usually B A D!

But worry not. Hopefully you are proactively working on this (if you’re not, get on it) and you have at hand the latest list, obtained with:

Get-ADUser -Filter * -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires | Sort-Object Name | Select-Object Name, PasswordLastSet, PasswordExpired, PasswordNeverExpires | Export-Csv -Path <LocalPath><filename>.csv


And you are done. With this list, you can identify all users with passwords not expiring and with the added bonus of understanding if the current passwords are expired or not.

(Pro Tip: Why the PasswordExpired and PasswordLastSet? Well, as soon as you start updating the PasswordNeverExpires to False, users will start being asked to change their passwords, and that can cause a lot of havoc. Those two fields will help with the correction plan for all those accounts.)
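Following on from the Pro Tip, the report is more useful for planning if it already tells you how old each non-expiring password is and which accounts are the risky ones. The function below is an added example (not the post's one-liner): it filters server-side to enabled accounts with PasswordNeverExpires set, adds the password age and an over-threshold flag, counts direct membership in the built-in admin groups, and exports the result. The 90-day threshold and the output path are assumptions; take the real value from your domain password policy.

```powershell
# Added example, not the post's command. Extends the PasswordNeverExpires
# report with age, a policy-threshold flag and a privileged-membership hint.
Import-Module ActiveDirectory

function Get-NonExpiringPasswordReport {
    param(
        [int]$MaxPasswordAgeDays = 90,                              # assumed; check your domain policy
        [string]$OutPath = "$env:TEMP\NonExpiringPasswords.csv"     # assumed output location
    )
    $now = Get-Date

    $rows = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
                       -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires, LastLogonDate, MemberOf |
        ForEach-Object {
            # PasswordLastSet is $null when pwdLastSet = 0, i.e. "must change at next logon".
            $ageDays = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                Name                 = $_.Name
                SamAccountName       = $_.SamAccountName
                PasswordLastSet      = $_.PasswordLastSet
                PasswordAgeDays      = $ageDays
                OverMaxAge           = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
                PasswordExpired      = $_.PasswordExpired
                LastLogonDate        = $_.LastLogonDate
                # Direct membership only; nested membership needs a separate group walk.
                PrivilegedGroupCount = @($_.MemberOf | Where-Object { $_ -match '^CN=(Domain|Enterprise|Schema) Admins,' }).Count
            }
        } | Sort-Object PrivilegedGroupCount, OverMaxAge, PasswordAgeDays -Descending

    $rows | Export-Csv -Path $OutPath -NoTypeInformation
    return $rows
}

# Usage: Get-NonExpiringPasswordReport -MaxPasswordAgeDays 60 | Format-Table -AutoSize
```

Sorting privileged accounts with the oldest passwords to the top gives you the order in which to clear PasswordNeverExpires, so the havoc the Pro Tip warns about starts with the accounts that matter most and can be handled in small batches.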


And there you have it. You can start owning your Active Directory.

Find Zombie computers in Active Directory

I’ve been trying out some things with Powershell and wanted to share this.

Active Directory is a great thing, but more often than we like to admit, it tends to become … messy.

So, as a small cleanup exercise, here’s how you’d find “zombie” computers in Active Directory using PowerShell:

Get-ADComputer -filter * -properties * | Where-Object {$_.whenChanged -lt $((Get-Date).AddDays(-180))} | Select-Object CN, whenChanged


There you go. After this you’ll have a very nice list of computers that have not contacted the Active Directory domain in 180 days or more.
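One caveat worth knowing before acting on that list: whenChanged moves whenever any attribute of the computer object is modified (a group change, a description edit, a script touching the object), so a machine can look "alive" without ever having booted. The added example below, which is not the post's command, uses the attributes the machine itself updates: LastLogonDate (the replicated lastLogonTimestamp, accurate to roughly 14 days) and PasswordLastSet (the machine account password, rotated every 30 days by default). A computer stale on both is a much safer candidate. It also shows the reversible first step, disabling with a stamped description, rather than deleting. The 180-day window follows the post; function names are mine.

```powershell
# Added example, not the post's one-liner. Finds stale enabled computers by
# the attributes the machine itself maintains, then disables them reversibly.
Import-Module ActiveDirectory

function Get-StaleADComputer {
    param([int]$Days = 180)
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ADComputer -Filter { Enabled -eq $true } `
                   -Properties LastLogonDate, PasswordLastSet, whenChanged, OperatingSystem |
        # Never-set values ($null) count as stale; a computer that never logged on is also a zombie.
        Where-Object { (-not $_.LastLogonDate  -or $_.LastLogonDate  -lt $cutoff) -and
                       (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff) } |
        Select-Object Name, OperatingSystem, LastLogonDate, PasswordLastSet, whenChanged, DistinguishedName |
        Sort-Object LastLogonDate
}

# Disable instead of delete: the object keeps its SID and group memberships, so
# a machine that turns out to be a seasonal laptop can be re-enabled in seconds.
function Disable-StaleADComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Disable stale computer account')) {
            Set-ADComputer -Identity $DistinguishedName -Enabled $false `
                -Description "Disabled as stale on $(Get-Date -Format 'yyyy-MM-dd') by $env:USERNAME"
        }
    }
}

# Usage:
#   Get-StaleADComputer -Days 180 | Format-Table -AutoSize
#   Get-StaleADComputer -Days 180 | Disable-StaleADComputer -WhatIf
```

Run the report once on its own and compare it with the whenChanged list from the post; the machines that appear only in one of them are exactly the cases where the two attributes disagree, and they are the ones to check by hand.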


Happy cleaning!

Active Directory – Authenticating Domain Controller

When, for some reason, you need to know which domain controller is authenticating a user, just open a command line on the user’s machine and run:

echo %logonserver%

The result will be, as expected, the domain controller that authenticated that user.

Verify replication with other domain controllers

When you need to test your domain replication, you can run a couple of tests from the command line.

To verify replication is functioning

  1. Open a Command Prompt.
  2. Type dcdiag /test:replication and press Enter.
  3. To verify that the proper permissions are set for replication, type dcdiag /test:netlogons and then press Enter. Messages indicate whether the connectivity and netlogons tests passed.
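Reading dcdiag output by eye works for one DC; for a scheduled check you want objects you can filter. The added example below (not from the post) does the same verification two ways: the ActiveDirectory module's Get-ADReplicationFailure and Get-ADReplicationPartnerMetadata cmdlets (Windows Server 2012 and later) summarise failures and partner links that have not replicated in 24 hours, and a second function runs the dcdiag tests from the steps above and parses the "passed test" lines. The 24-hour window and the function names are assumptions.

```powershell
# Added example, not the post's commands. Replication health as objects.
Import-Module ActiveDirectory

function Get-ReplicationHealthSummary {
    # Failures recorded by every DC in the forest, and per-partner metadata for every partition.
    $failures = Get-ADReplicationFailure -Scope Forest
    $partners = Get-ADReplicationPartnerMetadata -Target (Get-ADForest).Name -Scope Forest

    # A link whose last success is older than a day is suspicious even with no recorded failure.
    $stale = $partners | Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-24) }

    [pscustomobject]@{
        DomainControllers = @(Get-ADDomainController -Filter *).Count
        FailureCount      = @($failures).Count
        FailingServers    = @($failures | Select-Object -ExpandProperty Server -Unique)
        StalePartnerLinks = @($stale | Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult)
    }
}

function Test-DcdiagReplication {
    param([Parameter(Mandatory)][string]$DomainController)
    # Same tests the post runs interactively. dcdiag prints "... passed test <Name>" per test,
    # so a test is OK when at least one output line matches that phrase.
    $output = dcdiag /s:$DomainController /test:Replications /test:NetLogons
    [pscustomobject]@{
        Server       = $DomainController
        Replications = [bool]($output -match 'passed test Replications')
        NetLogons    = [bool]($output -match 'passed test NetLogons')
        RawOutput    = $output
    }
}

# Usage:
#   Get-ReplicationHealthSummary | Format-List
#   Get-ADDomainController -Filter * | ForEach-Object { Test-DcdiagReplication -DomainController $_.HostName }
```

The first function is the one to schedule; the second is the one to run on the DC that shows up in FailingServers, because dcdiag's raw output contains the actual error text the summary cannot carry.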

Delete Failed DCs from Active Directory

S#!” Happens!!!
The hardware failed, some software installation killed your DC, or you just formatted it without demoting it first.
This leaves stale entries in your Active Directory database that will eventually give you some trouble.
To remove this information, all you need is a command line and membership in the Enterprise Admins universal group.

  1. Open a command line and type ntdsutil. This will give you a new prompt.
  2. At the ntdsutil: prompt, type metadata cleanup and press Enter.
  3. At the metadata cleanup: prompt, type connections and press Enter.
  4. At the server connections: prompt, type connect to server <servername>, where <servername> is the domain controller (any functional domain controller in the domain) from which you plan to clean up the metadata of the failed domain controller. Press Enter.
  5. Type quit and press Enter to return to the metadata cleanup: prompt.
  6. Type select operation target and press Enter.
  7. Type list domains and press Enter. This lists all domains in the forest with a number associated with each.
  8. Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press Enter.
  9. Type list sites and press Enter.
  10. Type select site <number>, where <number> refers to the number of the site of which the domain controller was a member. Press Enter.
  11. Type list servers in site and press Enter. This lists all servers in that site with a corresponding number.
  12. Type select server <number> and press Enter, where <number> refers to the domain controller to be removed.
  13. Type quit and press Enter. The metadata cleanup menu is displayed.
  14. Type remove selected server and press Enter.

You will receive a warning message. Read it, and if you agree, press Yes.

At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, Active Directory might already have removed the domain controller.

Type quit, and press Enter until you return to the command prompt.

After that, you just need to confirm that the object was completely removed from Active Directory.

To remove the failed server object from the sites

In Active Directory Sites and Services, expand the appropriate site.

If the object exists, delete the server object associated with the failed domain controller. Then open Active Directory Users and Computers, go to the Domain Controllers container and, again, if it exists, delete the computer object associated with the failed domain controller.

You might get a warning asking whether you want to delete the server object without performing a DCPROMO operation (which, of course, you cannot perform). Just select “This DC is permanently offline…” and click the Delete button. AD will display another confirmation window. If you’re sure that you want to delete the failed object, click Yes.

All that’s missing now is the DNS entries. So open the DNS mmc console.

In the DNS snap-in, expand the zone that is related to the domain from which the server has been removed.
Remove the CNAME record in the _msdcs.<forest root domain> zone in DNS. You should also delete the host (A) record and the other DNS records for the server.
If you have reverse lookup zones, also remove the server from these zones.
Just a couple of words of advice.
Using the ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
If the domain controller was responsible for any FSMO role, don’t forget to seize the roles first.
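The two warnings above are where this procedure usually goes wrong: a role that was never seized, or a leftover object that is only noticed months later. The added example below (not part of the post) gives a check for each. Get-FsmoRolesHeldBy lists every FSMO role still pointing at the failed DC, so you know whether to seize before you touch ntdsutil; Get-FailedDcLeftovers looks, after the cleanup, for the objects the post has you remove by hand: the server object under CN=Sites, the computer object in the Domain Controllers container, the host record in the domain zone and the CNAME in _msdcs. The failed DC's name and the DNS server are parameters you supply; the function names are mine, and Get-DnsServerResourceRecord needs the DnsServer module (RSAT, Windows Server 2012 and later).

```powershell
# Added example, not the post's commands. Pre- and post-checks around the
# ntdsutil metadata cleanup. $FailedDc is the short or FQDN name of the dead DC.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-FsmoRolesHeldBy {
    param([Parameter(Mandatory)][string]$FailedDc)
    $forest = Get-ADForest
    $roles = @{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }
    foreach ($domainName in $forest.Domains) {
        $d = Get-ADDomain -Identity $domainName
        $roles["PDCEmulator($domainName)"]          = $d.PDCEmulator
        $roles["RIDMaster($domainName)"]            = $d.RIDMaster
        $roles["InfrastructureMaster($domainName)"] = $d.InfrastructureMaster
    }
    # Role holders come back as FQDNs; compare on the host label so 'DC2' matches 'dc2.contoso.com'.
    $shortName = ($FailedDc -split '\.')[0]
    $roles.GetEnumerator() |
        Where-Object { ($_.Value -split '\.')[0] -ieq $shortName } |
        Select-Object -ExpandProperty Key
}

function Get-FailedDcLeftovers {
    param(
        [Parameter(Mandatory)][string]$FailedDc,
        [string]$DnsServer = (Get-ADDomain).PDCEmulator   # assumed: the PDC usually hosts the zones
    )
    $shortName = ($FailedDc -split '\.')[0]
    $domain    = Get-ADDomain
    $configNc  = (Get-ADRootDSE).configurationNamingContext
    $rootZone  = "_msdcs.$((Get-ADForest).RootDomain)"

    [pscustomobject]@{
        # CN=<dc>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,... (Sites and Services view)
        SiteServerObject  = Get-ADObject -SearchBase "CN=Sites,$configNc" `
                                -Filter { objectClass -eq 'server' -and Name -eq $shortName } -ErrorAction SilentlyContinue
        # Computer object in OU=Domain Controllers (Users and Computers view)
        ComputerObject    = Get-ADObject -SearchBase $domain.DomainControllersContainer `
                                -Filter { objectClass -eq 'computer' -and Name -eq $shortName } -ErrorAction SilentlyContinue
        # Host (A) and any other records still carrying the DC's name in the domain zone
        DnsHostRecords    = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $domain.DNSRoot `
                                -Name $shortName -ErrorAction SilentlyContinue
        # <dsa-guid>._msdcs CNAME that still points at the dead DC
        MsdcsCnameRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $rootZone -RRType CName -ErrorAction SilentlyContinue |
                                Where-Object { $_.RecordData.HostNameAlias -like "$shortName.*" }
    }
}

# Usage (before cleanup):  Get-FsmoRolesHeldBy -FailedDc DC2       # must return nothing, or seize first
# Usage (after cleanup):   Get-FailedDcLeftovers -FailedDc DC2 | Format-List
```

Every property of the second result should be empty once the procedure is complete; anything that is not is the object the corresponding step of the post still needs you to delete.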

Reset the DSRM Administrator Password

Let’s say you’re new at some organization and you need to be sure of the Directory Services Restore Mode password.

Here’s how:

Open a command line and type ntdsutil.

At the Ntdsutil command prompt, type set dsrm password.

At the DSRM command prompt, type one of the following lines:

To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.

-or-

To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.

When you’re done, just quit by typing q at the DSRM command prompt, and then again at the ntdsutil command prompt.