Powershell – One liner from one of the best

Let’s talk about re-setting passwords.

I know this is hardly news, but I saw this small one-liner in an MVA video with Ashley McGlone and thought I would share it.
This is very useful for junior team members suffering through the password-change onslaught: there is no need to open Active Directory Users and Computers, and when pressed for time there is nothing quite like a quick one-liner.
Just put it in a .bat or .cmd file, distribute it, and start resetting passwords (the quotes must be plain straight quotes, or cmd.exe will not pass the command through correctly):
@echo off&&powershell -NoE -C "&{ipmo ActiveDirectory;Set-ADAccountPassword -I ($u=Read-Host 'User') -R;Set-ADUser $u -Ch 1}"
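The same reset as a reusable function, added here as an example and not taken from the post or the video: it does what the one-liner does (reset without the old password, then force a change at next logon) but fails early with a readable message if the account does not exist, prompts for the temporary password without echoing it, optionally clears a lockout, and returns the account's new state so the helpdesk can confirm the reset took. It assumes the ActiveDirectory module and reset-password rights on the target account; the function name and `-Unlock` switch are this example's own.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and permission to reset the password of the target account.
Import-Module ActiveDirectory

function Reset-UserPasswordAndForceChange {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$Unlock   # also clear a lockout on the account if present
    )

    # Look the account up first so a typo fails here, not halfway through
    $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut, PasswordLastSet -ErrorAction Stop

    # Read the temporary password as a SecureString so it is not echoed or logged
    $newPassword = Read-Host -Prompt "Temporary password for $($user.SamAccountName)" -AsSecureString

    # -Reset sets the password without knowing the old one (requires reset rights)
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

    # Force the user to choose their own password at next logon
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    if ($Unlock -and $user.LockedOut) {
        Unlock-ADAccount -Identity $user
    }

    # Return the new state so the caller can verify the reset took effect
    Get-ADUser -Identity $user -Properties PasswordLastSet, LockedOut, PasswordExpired |
        Select-Object SamAccountName, PasswordLastSet, LockedOut, PasswordExpired
}

# Usage: Reset-UserPasswordAndForceChange -SamAccountName jdoe -Unlock
```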

AD Recycle Bin

Dear reader,

Do yourself a favor and enable AD Recycle Bin. You might never use it, but if you ever do, I'm sure you'll be thankful.

Enable AD Recycle Bin

Beforehand, make sure your domain and forest functional levels are at least 2008.
Then, run the following command in an Active Directory PowerShell console:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).RootDomain -Server (Get-ADForest).DomainNamingMaster

After this, your actions in Active Directory will be protected by AD Recycle Bin. Note that enabling the feature is irreversible.

Protect from accidental deletion

The next step is to protect your objects from deletion. This makes sure that you can't just press Delete: you have to disable this option on the object first and then delete it.
You can run the commands below in an Active Directory PowerShell console:

Get-ADUser -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Get-ADGroup -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Get-ADOrganizationalUnit -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

This step is not required, but it also helps prevent accidents. Depending on your environment you might not want to enable Accidental Deletion Protection for all objects, but in my experience, Groups and Organizational Units are a must.
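An added example (not the post's own code) that ties the two steps above together: it checks whether the Recycle Bin feature is actually enabled by looking at the feature's `EnabledScopes`, then reports the groups and OUs that are still unprotected and protects them, with `-WhatIf` left on so the change can be reviewed before it is applied. It assumes the ActiveDirectory module and a forest that meets the functional-level requirement; the function names are this example's own.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # EnabledScopes stays empty until the feature has been enabled for the forest
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    return (@($feature.EnabledScopes).Count -gt 0)
}

function Get-UnprotectedADObject {
    # Groups and OUs only, as the post recommends; users can be added the same way.
    # The objects themselves are returned so they can be piped straight to Set-ADObject.
    $groups = @(Get-ADGroup -Filter * -Properties ProtectedFromAccidentalDeletion)
    $ous    = @(Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion)
    ($groups + $ous) | Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

if (-not (Test-ADRecycleBinEnabled)) {
    Write-Warning "AD Recycle Bin is not enabled; run Enable-ADOptionalFeature first."
}

$unprotected = @(Get-UnprotectedADObject)
"{0} groups/OUs are not protected from accidental deletion" -f $unprotected.Count
$unprotected | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# Protect them. -WhatIf only shows what would change; remove it to apply.
$unprotected | Set-ADObject -ProtectedFromAccidentalDeletion $true -WhatIf
```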

Recover user

Let’s say you’ve deleted a user, and for some reason you need it back.
Well, now that you've enabled AD Recycle Bin, you don't need to go get that weekly backup and use Directory Services Restore Mode anymore.
Just run the commands below in PowerShell:

1. List deleted objects: Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Property *
2. Restore the one you want by its GUID: Restore-ADObject -Identity "GUID"

And there you go. You have your user back. With any luck, no one will notice.
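An added example, not code from the post, that does the two steps above without copying a GUID by hand: it finds the deleted user by sAMAccountName, picks the most recent deletion if the same account was deleted more than once, restores it, and shows the restored object. It assumes the ActiveDirectory module and that AD Recycle Bin was enabled before the deletion (without it, a tombstone keeps almost no attributes and the sAMAccountName filter finds nothing); the function name is this example's own.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and that AD Recycle Bin was enabled when the account was deleted.
Import-Module ActiveDirectory

function Restore-DeletedADUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Build the filter as a string so "$true" is passed literally to the AD filter parser
    $filter = 'isDeleted -eq $true -and sAMAccountName -eq "' + $SamAccountName + '"'
    $deleted = @(Get-ADObject -Filter $filter -IncludeDeletedObjects `
                    -Properties sAMAccountName, lastKnownParent, whenChanged)

    if ($deleted.Count -eq 0) {
        throw "No deleted object with sAMAccountName '$SamAccountName' found."
    }

    # Several deletions of the same account: restore the most recent one explicitly
    $target = $deleted | Sort-Object whenChanged -Descending | Select-Object -First 1
    Write-Host "Restoring $($target.sAMAccountName) (deleted $($target.whenChanged)) to $($target.lastKnownParent)"

    # Restores into lastKnownParent; add -TargetPath if that OU no longer exists
    Restore-ADObject -Identity $target.ObjectGUID -ErrorAction Stop

    Get-ADUser -Identity $SamAccountName -Properties Enabled, MemberOf |
        Select-Object SamAccountName, DistinguishedName, Enabled,
            @{ n = 'GroupCount'; e = { @($_.MemberOf).Count } }
}

# Usage: Restore-DeletedADUser -SamAccountName jdoe
```

Group memberships survive the restore because the Recycle Bin keeps the link-valued attributes; the `GroupCount` column is a quick way to confirm that.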

Active Directory accounts – Security Auditing (The very basics – part 1)

Dear reader,

How many times have you been confronted with bad passwords and accounts set to never expire?

How many times have you been asked to audit the Active Directory of a client, or of a new organization you just joined?

How about users that “forgot” they changed their own password?

Well fear no more, this post is for you!

Open your PowerShell and let’s get started.

Scenario 1 – “I can’t login! My password isn’t working!”

For this scenario, be prepared to quick-draw your PowerShell fu and type the following command:

Get-ADUser -Identity <username> -Properties PasswordLastSet, PasswordExpired

This will quickly tell you if the password is expired or if it was recently changed and forgotten!

Scenario 2 – (Angry Boss/Security guy) Why is this user account password not expiring? How many of these exist?

This is usually B A D!

But worry not. Hopefully you are proactively working on this (if you're not, get on it) and you have at hand the latest list, obtained with:

Get-ADUser -Filter * -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires | Sort-Object Name | Select-Object Name, PasswordLastSet, PasswordExpired, PasswordNeverExpires | Export-Csv -Path <LocalPath><filename>.csv

And you are done. With this list, you can identify all users with passwords not expiring and with the added bonus of understanding if the current passwords are expired or not.

(Pro Tip: Why the PasswordExpired and PasswordLastSet? Well, as soon as you start updating the PasswordNeverExpires to False, users will start being asked to change their passwords, and that can cause a lot of havoc. Those two fields will help with the correction plan for all those accounts.)

And there you have it. You can start owning your Active Directory.
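An added example, not the post's own code, that produces the same CSV as the Export-Csv one-liner but also answers the "how many of these exist?" question directly and supports the correction plan from the pro tip: it restricts the report to enabled accounts, adds a password-age column, flags each account (never-expires, never-expires and stale, no password required, must change at next logon) and prints the counts per flag. It assumes the ActiveDirectory module; the function name, the 365-day staleness threshold and the output path are this example's own choices.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PasswordPolicyExceptions {
    param(
        [int]$StaleDays = 365,
        [string]$CsvPath = "$env:TEMP\ad-password-audit.csv"
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # Enabled accounts only; disabled ones are a different cleanup exercise
    $report = Get-ADUser -Filter 'Enabled -eq $true' `
                -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires, PasswordNotRequired |
        Select-Object Name, SamAccountName, PasswordLastSet, PasswordExpired,
            PasswordNeverExpires, PasswordNotRequired,
            @{ n = 'PasswordAgeDays'; e = {
                # PasswordLastSet is empty when pwdLastSet is 0 (must change at next logon)
                if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } },
            @{ n = 'Flag'; e = {
                if ($_.PasswordNotRequired) { 'NoPasswordRequired' }
                elseif ($_.PasswordNeverExpires -and $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff) { 'NeverExpires-Stale' }
                elseif ($_.PasswordNeverExpires) { 'NeverExpires' }
                elseif (-not $_.PasswordLastSet) { 'MustChangeAtLogon' }
                else { 'OK' } } } |
        Sort-Object Flag, PasswordLastSet

    $report | Export-Csv -Path $CsvPath -NoTypeInformation

    # Counts per flag: the numbers the boss actually asked for
    $report | Group-Object Flag | Select-Object @{ n = 'Flag'; e = { $_.Name } }, Count
}

Get-PasswordPolicyExceptions -StaleDays 365
```

Clearing PasswordNeverExpires on a "NeverExpires-Stale" account makes the password expired immediately under a normal policy, which is the havoc the pro tip warns about, so that group is the one to schedule and communicate first.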

Find Zombie computers in Active Directory

I’ve been trying out some things with Powershell and wanted to share this.

Active Directory is a great thing, but more often than we like to admit, it tends to become … messy.

So as a small cleanup exercise, here's how you'd find "zombie" computers in Active Directory using PowerShell:

Get-ADComputer -Filter * -Properties * | Where-Object {$_.whenChanged -lt (Get-Date).AddDays(-180)} | Select-Object CN, whenChanged

There you go. After this you’ll have a very nice list of computers that have not contacted Active Directory domain in 180 days or more.
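An added example (not the post's own code) that extends the one-liner: besides whenChanged it reads LastLogonDate, the friendly form of the replicated lastLogonTimestamp attribute, which records the last time the machine actually authenticated to the domain rather than the last time its object was edited. It also requests only the attributes it needs instead of `-Properties *`, skips disabled computers, and leaves the cleanup step as a `-WhatIf` so the list is reviewed first. It assumes the ActiveDirectory module; the function name is this example's own, and 180 days is the post's threshold.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleADComputer {
    param([int]$Days = 180)
    $cutoff = (Get-Date).AddDays(-$Days)

    # Request only the needed attributes; -Properties * is slow on large domains
    Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties whenChanged, LastLogonDate, PasswordLastSet, OperatingSystem |
        Where-Object {
            # lastLogonTimestamp replicates only every ~14 days, which is harmless
            # with a 180-day cutoff. Fall back to whenChanged when it was never set.
            if ($_.LastLogonDate) { $_.LastLogonDate -lt $cutoff }
            else                  { $_.whenChanged -lt $cutoff }
        } |
        Select-Object Name, OperatingSystem, LastLogonDate, PasswordLastSet, whenChanged,
            @{ n = 'DaysSinceLogon'; e = {
                if ($_.LastLogonDate) { [int]((Get-Date) - $_.LastLogonDate).TotalDays } } } |
        Sort-Object LastLogonDate
}

$stale = @(Get-StaleADComputer -Days 180)
"{0} computers have not logged on in 180 days" -f $stale.Count
$stale | Format-Table -AutoSize

# Disabling is the reversible cleanup step; remove -WhatIf once the list is reviewed
$stale | Disable-ADAccount -WhatIf
```

PasswordLastSet is shown as a second opinion: a domain-joined machine changes its own computer-account password every 30 days by default, so a machine whose password is also months old is very unlikely to be a false positive.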

Happy cleaning!

Exchange 2007 – Convert Legacy Mailbox to User Mailbox

When you move mailboxes from Exchange Server 2003 to Exchange Server 2007, you end up with legacy mailboxes.

To convert these mailboxes, run the following command in an Exchange PowerShell window:

Set-Mailbox -Identity <mailbox alias> -ApplyMandatoryProperties

If, in the process, you get this error:

"Set-Mailbox : The operation could not be performed because object '<alias>' could not be found on domain controller '<FQDN of domain controller>'.
At line:1 char:12
+ Set-Mailbox  <<<< -id <alias> -ApplyMandatoryProperties"

That can happen because you are running the command against a domain controller that is not in the same domain as the mailbox owner.

In that case, you should run the command against a domain controller of the mailbox owner's domain.

For that you can use these commands:

$AdminSessionADSettings.DefaultScope = "<Mailbox owner domain>"

$AdminSessionADSettings.PreferredDomainControllers = "<Mailbox owner domain domain controller>"

After that, just run the first command again.
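An added example, not code from the post, for the case where there are many legacy mailboxes spread over several domains: it enumerates them with the session set to view the whole forest, derives each owner's domain from the mailbox's distinguished name, points the session scope at that domain (the fix described above) and then applies the mandatory properties, reporting any mailbox that still fails. It assumes the Exchange 2007 Management Shell, that `Get-Mailbox` accepts `-RecipientTypeDetails LegacyMailbox` in that version, and that the session's `ViewEntireForest` setting may be toggled; the helper function name is this example's own.

```powershell
# Added example, not code from the original post. Assumes the Exchange 2007
# Management Shell and the $AdminSessionADSettings object it provides.

function Get-DomainFromDN {
    # "CN=jdoe,OU=Users,DC=child,DC=corp,DC=example" -> "child.corp.example"
    param([string]$DistinguishedName)
    ($DistinguishedName -split ',' |
        Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }) -join '.'
}

# See recipients in every domain while enumerating the legacy mailboxes
$AdminSessionADSettings.ViewEntireForest = $true
$legacy = @(Get-Mailbox -RecipientTypeDetails LegacyMailbox -ResultSize Unlimited)
"{0} legacy mailboxes found" -f $legacy.Count

foreach ($mbx in $legacy) {
    $domain = Get-DomainFromDN $mbx.DistinguishedName

    # Scope the session to the owner's domain so Set-Mailbox finds the object there
    $AdminSessionADSettings.ViewEntireForest = $false
    $AdminSessionADSettings.DefaultScope = $domain

    try {
        Set-Mailbox -Identity $mbx.Identity -ApplyMandatoryProperties -ErrorAction Stop
        Write-Host "Converted $($mbx.Alias) in $domain"
    }
    catch {
        # Typically the "could not be found on domain controller" error from the post
        Write-Warning "Failed on $($mbx.Alias) in ${domain}: $($_.Exception.Message)"
    }
}

# Restore forest-wide view for the rest of the session
$AdminSessionADSettings.ViewEntireForest = $true
```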