Thursday, February 15, 2018

Characters to escape in Active Directory in distinguishedName and canonicalName

In this post I want to show you which characters have to be escaped in AD in distinguishedName and canonicalName Attribute.


Some characters in Active Directory have to be escaped with the backslash "\" character, if they appear in components of a distinguished name.

Characters that aren´t allowed in distinguished names:

# + < > ; , \ " = and SPACE

The space character must be escaped only if it is the leading or trailing character in any component of a distinguished name. The commas that separate components in a distinguished name are not escaped. The following table shows example relative distinguished names as they would appear


Distinguished Name
Petun, Arnold J.
cn=Petun\, Arnold J.,ou=Sales,dc=Domain,dc=com
IT"Ext + Lab
cn=IT\"Ext \+ Lab,ou=IT,dc=Domain,dc=com
 Tim Black
cn=\ Tim Black \ ,ou=HR,dc=Domain,dc=com


In other AD attributes, like Name, Description, givenName, or even cn thos characters wouldn´t be escaped!

Find attached some characters that are allowed in distinguished names:

| @ $ % ^ ? : { } ! ' * ( ) . ` ~ & - _ [ ]



The escaping in canonicalName attribute  is different. The canonicalName is a constructed attribute, so you can´t modify this attribute. In this attribute slash and backslash characters are escaped using the backslash escape character.

/ \

Get available RIDs using dcdiag or Powershell


dcdiag / /test:ridmanager /v | find /i "Available RID"

Machine generated alternative text:
* Available RID Pool for the Domain is 191184 to 1873741823 
* Warning : There is less than 16% available RIDs in the current Pool


Using PowerShell to convert the parts of riDAvailablePool into issued and remaining RIDs.


$DomainDN = (Get-ADDomain).DistinguishedName

$property = get-adobject “cn=rid manager$,cn=system,$DomainDN” -property ridavailablepool -server (Get-ADDomain).RidMaster

$rid = $property.ridavailablepool   

[int32]$totalSIDS = $($rid) / ([math]::Pow(2,32))

[int64]$temp64val = $totalSIDS * ([math]::Pow(2,32))

[int32]$currentRIDPoolCount = $($rid) – $temp64val

$ridsremaining = $totalSIDS – $currentRIDPoolCount

Write-Host “RIDs issued: $currentRIDPoolCount”

Write-Host “RIDs remaining: $ridsremaining”


Machine generated alternative text:
RIDs issued: 191104 
RIDs remaining: 1073550719

DNS console missing for RSAT on Windows 10 1709

Microsoft posted a workaround on the following support page:

Tuesday, January 30, 2018

Viewing CRL in Windows Certification Authority console

The CA Console will not display CRL by default, as shown in the attached screenshot.

You have to run the following command to view it:
certsrv.msc /e

You can also run the following command to view it.
certutil -view -out "CRLThisPublish,CRLNumber,CRLCount" CRL

Tuesday, January 23, 2018

Get new group membership to apply a GPO to a computer without a restart

If you add a computer to an AD group that is assigned to a GPO, you need to restart the computer to get the new group membership.

If you want to bypass this, you can delete the Kerberos ticket.

Run the following command as an admin to do this:
klist -li 0x3e7 purge

Et voila, your computer get its new membership!

After that you can run a gpupdate to apply the assgined Policies.

Wednesday, January 17, 2018

Import User Photo to Active Directory

If you want to have an image in Outlook, Skype for Business or SharePoint you can use the attribute thumbnailPhoto in Active Directory.

Doing it with Powershell:
Import-Module activedirectory
$UserPhoto = [byte[]](Get-Content C:\admin\User1.jpg -Encoding byte)
Set-ADUser User1 -Replace @{thumbnailPhoto=$UserPhoto}

You can use a software called ADPhotoEdit:

- Image file size should be not higher than 10kb, because with every file you AD database will grow!
- The maximum image size is 100kb
- Pixel size 96x96 pixels is recommended

Friday, November 10, 2017

Update ADMX files for Windows 10 1709 in your Central Store

Download and install Windows_10_Fall_Creators_Update_1709_ADMX.msi

All admx and adml files will be extracted to “C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Fall Creators Update (1709)\PolicyDefinitions”.

Now backup your actual Central Store folder:
and after that, copy and replace the extracted ADMX and ADML files to the PolicyDefinitions folder.

For some reasons 5 amdl files are not in the other language folders... you have to copy the following adml files from en-us to all other folders, to avoid errors.


After replication finished, you can administrate the new features of Win10 on all DCs.