Tuesday, December 13, 2016

Powershell: User Accounts With Kerberos Pre-Authentication Disabled


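Use the following PowerShell command to list user accounts where the "Do not require Kerberos preauthentication" flag (userAccountControl bit 4194304) is set: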

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Out-GridView

Get a list of ALL the GP names and GUIDs

Just change DC=yourdomain,DC=com to your domain name.

Dsquery * "CN=Policies,CN=System,DC=yourdomain,DC=com" -filter "(objectClass=groupPolicyContainer)" -attr Name DisplayName

Friday, December 2, 2016

Powershell Get Windows 2003 or earlier Computer Objects Found in Active Directory



Use the following Powershell syntax to determine the affected computers in your domain:
 
Get-ADComputer -Filter * -Property Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion | Where-Object {($_.operatingsystem -like "*XP*") -or ($_.operatingsystem -like "*2000*") -or ($_.operatingsystem -like "*2003*") -or ($_.operatingsystemversion -like "*4.0*")} | Out-GridView

The output will be shown in a grid view.

Friday, November 25, 2016

Powershell Script: Set an extensionAttribute for multiple AD Users

With the attached script you can set extensionAttribute4 for multiple AD Users using a csv file. You can do this for other Attributes as well. :)

# Set extensionAttribute4 for specified AD Users
# Create a CSV file that looks like this:
################################################
# File path: c:\admin\UsersExt4.csv
#
# samAccountName,extensionAttribute4
# username.1,Test12345
# username.2,Test12345
################################################
# Script by Tim Buntrock

# import ad module
Import-module ActiveDirectory
# import users from csv and set extensionAttribute4
Import-Csv C:\admin\UsersExt4.csv | ForEach-Object {Set-ADUser $_.samAccountName -Replace @{extensionAttribute4=$_.extensionAttribute4} }

Thursday, November 3, 2016

ADUC: Delegate permissions to move Computer accounts between OUs

In ADUC, right-click OU 1 and select "Delegate Control".

Type in a user or group name and click "Next"

Select the "Create a custom task to delegate" option and click "Next".

Select "Only the following objects in the folder", browse to "Computer objects" in the list and check the box. Also check the boxes for "Create selected objects in this folder" and "Delete selected objects in this folder" and click "Next".

Check the box for "Write", click "Next" and "Finish".

Just do the same steps on OU 2.

Tuesday, October 18, 2016

Verify your Windows Server Backups with notification

If you have scheduled a Windows Server Backup, you can check for errors and send an email if an error occurred.

To do this just schedule to run the following script after your backup job:

# Check EventLog for Error created by Windows Backup
If (Get-EventLog -LogName Application -EntryType Error -Source Microsoft-Windows-Backup -After (Get-Date).AddHours(-24))
    {
    #Set E-mail variables.
    $EmailFrom = "server@yourdomain.com"
    $EmailTo = "Tim.Buntrock@yourdomain.com"
    $Subject = "$env:COMPUTERNAME - Windows Backup failed"
    $Body = "$env:COMPUTERNAME - Windows Backup failed. Please logon to the server and verify your backup task!"
    $SMTPServer = "smtp01.yourdomain.com"
    #Send message
    Send-MailMessage -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Priority High -To $EmailTo -From $EmailFrom
    }

Else
    {
    exit
    }


That's it. :)

AD Powershell Oneliner - Get PSO Settings

Just type in the following:
Get-ADFineGrainedPasswordPolicy PSOName
Replace PSOName with the name of your PSO object.

You can add >c:\admin\PSOSettings.txt to export the settings to a text file.
Get-ADFineGrainedPasswordPolicy PSOName >c:\admin\PSOSettings.txt

Tuesday, September 27, 2016

DCDIAG MachineAccount test Warning: Attribute userAccountControl of DC is: 0x82020

You run DCDiag and it shows a warning when performing the MachineAccount test.

If you pre-stage a computer account in ADUC and promote it to a DC later, userAccountControl is set to 532512 instead of 532480.

To fix this bug, open ADSI Edit, connect to the default naming context and browse to the affected DC. Open Properties, go to userAccountControl and click Edit.

You need to manually set the value to 532480.

 

After that, it's set to the standard DC value!
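
The userAccountControl values in this post (0x82020 vs. 532480) and in the pre-authentication post above (4194304) are bitmasks. The following added example, which is not part of the original posts, decodes them offline and shows which flag separates the pre-staged DC value from the standard one. The function names are hypothetical; the flag names and values are Microsoft's documented userAccountControl flags.

```powershell
# Added example: decode userAccountControl bitmasks offline (no AD module needed).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x2
    PASSWD_NOTREQD                 = 0x20
    NORMAL_ACCOUNT                 = 0x200
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-UserAccountControl {
    # Hypothetical helper: returns the names of all known flags set in $Value.
    param([int]$Value)
    $known = 0
    foreach ($name in $UacFlags.Keys) {
        if ($Value -band $UacFlags[$name]) {
            $name
            $known = $known -bor $UacFlags[$name]
        }
    }
    # Surface bits that are not in the table instead of silently dropping them.
    $rest = $Value -band (-bnot $known)
    if ($rest) { 'UNKNOWN_0x{0:X}' -f $rest }
}

function Compare-UserAccountControl {
    # Hypothetical helper: flags set in $Actual but not in $Expected, and the reverse.
    param([int]$Actual, [int]$Expected)
    [pscustomobject]@{
        Actual   = '0x{0:X} ({0})' -f $Actual
        Expected = '0x{0:X} ({0})' -f $Expected
        Extra    = @(ConvertFrom-UserAccountControl ($Actual -band (-bnot $Expected))) -join ', '
        Missing  = @(ConvertFrom-UserAccountControl ($Expected -band (-bnot $Actual))) -join ', '
    }
}

# Values from the post: pre-staged DC (0x82020) vs. the standard DC value (532480).
Compare-UserAccountControl -Actual 0x82020 -Expected 532480 | Format-List

# Constructed sample: a normal user account with the 4194304 bit from the Get-ADUser filter.
ConvertFrom-UserAccountControl (0x200 -bor 4194304)
```

To audit live objects, pass the userAccountControl property returned by Get-ADUser or Get-ADComputer to ConvertFrom-UserAccountControl.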