Friday, October 13, 2017

Claims X-Ray: Debug and troubleshoot problems with claims issuance

Claims X-Ray is an online service that can be used to debug and troubleshoot problems with claims issuance. It interacts with your AD FS deployment and helps you issue the claims your applications need.

Choose between different authentication methods and request types, and the service shows you all of the claims returned by your federation service. You can use this to fully customize your issuance policies until you get the claims you need.

Wednesday, October 4, 2017

Powershell Set AD Users password to expire and set password last set to current date

Hi guys,

The script I uploaded to TechNet sets pwdLastSet and removes "password never expires" for all users that are located in the defined OU.
It can be used if you want to implement password expiration for your user accounts.
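An added example of the procedure described above (this is not the TechNet script the post refers to): it turns on password expiration for every enabled user in an OU without expiring everyone at once. Clearing "password never expires" alone would leave the old pwdLastSet values in place, so anyone whose last change is older than the policy's maximum password age would be forced to change at next logon; resetting pwdLastSet to the current time starts the clock today instead. The OU DN and the log path are assumptions.

```powershell
# Added example: enable password expiration for users in one OU and reset pwdLastSet to now.
# OU and log path are assumptions; narrow the filter (e.g. exclude service accounts) before running for real.
Import-Module ActiveDirectory
$ou  = "OU=Users,OU=Germany,DC=timsdomain,DC=com"
$log = "C:\admin\PwdExpiry-$(Get-Date -Format yyyyMMdd).csv"

$users = Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter 'Enabled -eq $true' `
             -Properties PasswordNeverExpires, PasswordLastSet

$results = foreach ($u in $users) {
    if ($u.PasswordNeverExpires) {
        Set-ADUser -Identity $u -PasswordNeverExpires $false
    }
    # pwdLastSet only accepts 0 (expire now) or -1 (set to current time), and -1 is only
    # honoured while the stored value is 0, so the two writes must happen in this order.
    Set-ADUser -Identity $u -Replace @{ pwdLastSet = 0 }
    Set-ADUser -Identity $u -Replace @{ pwdLastSet = -1 }

    [pscustomobject]@{
        SamAccountName        = $u.SamAccountName
        NeverExpiresBefore    = $u.PasswordNeverExpires
        PasswordLastSetBefore = $u.PasswordLastSet
        PasswordLastSetAfter  = (Get-ADUser -Identity $u -Properties PasswordLastSet).PasswordLastSet
    }
}

$results | Export-Csv -Path $log -NoTypeInformation
$results | Format-Table -AutoSize
```

The CSV keeps the previous state of every account, which is what you need if a service account slipped through the filter and has to be put back.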


Thursday, September 21, 2017

Powershell: Add Members from multiple Groups to a specified Group

The following script can be used with a filter, or you specify the groups in AdminGroups.txt.

I added a member removal task to this script so that the target group only holds members that are members of the defined groups. You can remove this line if you don't need it.
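An added example (not the author's script) of the same idea: merge the members of all groups listed in AdminGroups.txt (one group name per line) into a target group, and remove from the target anyone who is no longer in any of the source groups, which is the "member removal task" mentioned above. The group names and the file path are assumptions.

```powershell
# Added example: sync the members of several source groups into one target group.
# Group names and file path are assumptions.
Import-Module ActiveDirectory
$target  = "Admins-All"
$sources = Get-Content "C:\admin\AdminGroups.txt" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# desired membership, keyed by DN so a user found through several groups is counted once
$wanted = @{}
foreach ($g in $sources) {
    # -Recursive flattens nested groups; only user objects are carried over to the target.
    # Get-ADGroupMember stops at 5000 members by default (MaxGroupOrMemberEntries on the web service).
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $wanted[$_.DistinguishedName] = $_.SamAccountName }
}

$current = @{}
Get-ADGroupMember -Identity $target | ForEach-Object { $current[$_.DistinguishedName] = $_.SamAccountName }

$toAdd    = @($wanted.Keys  | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys | Where-Object { -not $wanted.ContainsKey($_) })

if ($toAdd)    { Add-ADGroupMember    -Identity $target -Members $toAdd }
# delete the next line if existing members of the target group must never be removed
if ($toRemove) { Remove-ADGroupMember -Identity $target -Members $toRemove -Confirm:$false }

"{0}: added {1}, removed {2}, now {3} members" -f $target, $toAdd.Count, $toRemove.Count, $wanted.Count
```

Comparing by distinguished name rather than by sAMAccountName avoids surprises with objects that have the same name in different domains of the forest.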


Tuesday, September 12, 2017

Powershell Remove spaces from the end of lines in a text file

Use these two lines and define your old and new file. Add -Encoding to both cmdlets if the file is not in the system's default ANSI code page, otherwise Set-Content re-encodes it.

$file = Get-Content "C:\admin\OldFile.txt"
$file | Foreach {$_.TrimEnd()} | Set-Content "C:\admin\NewFile.txt"

Friday, August 18, 2017

Powershell: Save credentials in a file encrypted with DPAPI (bound to the logged-on user and the computer)

Export-CliXml does not hash the password. It serializes the credential and encrypts the SecureString with the Windows Data Protection API (DPAPI), using a key derived from the logged-on user's profile on this machine. The file can therefore only be decrypted by the same user account on the same computer. That protects against other people reading the file, not against a compromised account: anyone who can run code as that user, or a domain admin holding the domain DPAPI backup key, can decrypt it. The user name is stored in clear text.

# create and export credentials
$creds = Get-Credential
$creds | Export-Clixml C:\temp\cred.clixml

# import credentials (same user, same machine)
$creds2 = Import-Clixml C:\temp\cred.clixml
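An added example (not from the original post) that round-trips a credential through the file and shows what is and is not protected: the user name is readable, the password is a DPAPI blob, and the import only succeeds for the exporting user on the exporting machine. The file path is an assumption.

```powershell
# Added example: export, inspect and re-import a credential protected by DPAPI. Path is an assumption.
$path = "C:\temp\cred.clixml"
Get-Credential -Message "Account to store" | Export-Clixml -Path $path

# DPAPI already stops other users from decrypting, but there is no reason to let them
# read the user name or copy the blob, so restrict the file to the current user.
icacls $path /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null

# the user name is clear text (<S>), the password is an encrypted SecureString (<SS>)
Select-String -Path $path -Pattern 'N="UserName"', 'N="Password"' | ForEach-Object Line

try {
    $cred  = Import-Clixml -Path $path -ErrorAction Stop
    # plaintext is available again, but only to the same user on the same machine
    $plain = $cred.GetNetworkCredential().Password
    "decrypted OK for $($cred.UserName), password length $($plain.Length)"
}
catch {
    # another user or another machine ends up here ("Key not valid for use in specified state")
    "cannot decrypt: $($_.Exception.Message)"
}
```

If a scheduled task or service needs the file, create it while running as that task's account (for example from a one-off scheduled task), since the service account is the only identity that can decrypt it later.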

Monday, June 19, 2017

E-book: The Ultimate Guide to Windows Server 2016

DOWNLOAD the free e-book:


Other e-Books:

Powershell: Set AD User "Name" with givenName and surname (it's the Name that is displayed in ADUC)

Some people mix up Name with DisplayName. With this command we change the Name you see in ADUC. Note that Name is the object's RDN (CN=...), so renaming it also changes the user's distinguished name.

Get-ADUser tbuntrock -Properties GivenName, Surname | ForEach-Object { Rename-ADObject -Identity $_ -NewName ($_.GivenName + " " + $_.Surname) }

Tuesday, June 13, 2017

Powershell: Disable AD User from csv and append Description

The file should contain the sAMAccountNames, one per line, and looks like:


$logfile = "C:\admin\VacationUsers.csv"
Get-Content $logfile | Get-ADUser -Properties Description | ForEach-Object { Set-ADUser $_ -Enabled $false -Description "$($_.Description) DISABLED as requested by HR" }

How it works:
- Define file path
- Just get the users from csv
- Use get-aduser to get description
- do this for each user and...
- Set description

We keep the old Description with $($_.Description) and everything that follows is appended. In my example it is "DISABLED as requested by HR".
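An added example (not from the original post) of the same operation with per-user error handling, so a misspelled or already removed account does not abort the run, plus a result file you can send back to HR. The paths are assumptions.

```powershell
# Added example: disable users listed in a file, append a note to Description, report the outcome per user.
# Paths are assumptions.
Import-Module ActiveDirectory
$inputFile = "C:\admin\VacationUsers.csv"
$report    = "C:\admin\VacationUsers-result.csv"
$note      = "DISABLED as requested by HR $(Get-Date -Format yyyy-MM-dd)"

$results = foreach ($line in Get-Content $inputFile) {
    $sam = $line.Trim()
    if (-not $sam) { continue }                      # skip blank lines
    try {
        $u = Get-ADUser -Identity $sam -Properties Description -ErrorAction Stop
        if (-not $u.Enabled) {
            [pscustomobject]@{ SamAccountName = $sam; Status = 'AlreadyDisabled'; Description = $u.Description }
            continue
        }
        # keep the old text, append the note
        $newDescription = ("{0} {1}" -f $u.Description, $note).Trim()
        Set-ADUser -Identity $u -Enabled $false -Description $newDescription
        [pscustomobject]@{ SamAccountName = $sam; Status = 'Disabled'; Description = $newDescription }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        [pscustomobject]@{ SamAccountName = $sam; Status = 'NotFound'; Description = '' }
    }
    catch {
        [pscustomobject]@{ SamAccountName = $sam; Status = "Error: $($_.Exception.Message)"; Description = '' }
    }
}

$results | Export-Csv -Path $report -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it once with -WhatIf added to Set-ADUser to see which accounts would be touched; the NotFound rows usually point at typos in the HR list.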


You can use the following website to build your own GUI.

Thursday, March 30, 2017

Powershell 4 - Get authorized DHCP servers

You can use the following command to get all authorized DHCP servers (the list is read from the Active Directory configuration partition; the cmdlet comes with the DHCP Server tools / RSAT):
Get-DhcpServerInDC

The output will be the IPAddress and DNSName of each server.

You can add Out-GridView to filter easily or to copy the list to Excel:
Get-DhcpServerInDC | Out-GridView

If you want to filter on name or IP address right away you can do it this way (note that "10.15*" also matches 10.150.x.x; use "10.15.*" if you mean only the 10.15.0.0/16 range):
$DEDHCPs = Get-DhcpServerInDC | Where-Object { $_.DNSName -like "DE*" }

$ipDHCPs = Get-DhcpServerInDC | Where-Object { $_.IPAddress -like "10.15*" }

You can also write the output directly to a file. Just use Export-Csv:
Get-DhcpServerInDC | Where-Object { $_.IPAddress -like "10.15*" } | Export-Csv C:\admin\dhcps.csv -NoTypeInformation

or using >C:\admin\dhcps.txt (same output as in the PowerShell console):

Get-DhcpServerInDC | Where-Object { $_.IPAddress -like "10.15*" } >C:\admin\dhcps.txt

Tuesday, March 14, 2017

Powershell Get Active Directory and Exchange Schema Version (FOREST)

To get the AD Schema Version, just run the following command:
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

You can use the objectVersion and the following table to see which Windows Server version the number corresponds to.

Version = OS

87 = Windows Server 2016
69 = Windows Server 2012 R2
56 = Windows Server 2012
47 = Windows Server 2008 R2
44 = Windows Server 2008

For Exchange you can use this command (it fails with "object not found" if the Exchange schema extensions were never installed in this forest):
(Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$((Get-ADRootDSE).schemaNamingContext)" -Properties rangeUpper).rangeUpper

rangeUpper = Exchange

15137 = 2013 RTM   
15254 = 2013 CU1   
15281 = 2013 CU2   
15283 = 2013 CU3   
15292 = 2013 SP1   
15300 = 2013 CU5
15303 = 2013 CU6
15312 = 2013 CU7-CU15   
15317 = 2016 Preview   
15317 = 2016 RTM   
15323 = 2016 CU1   
15325 = 2016 CU2   
15326 = 2016 CU3   
15326 = 2016 CU4    

Wednesday, March 8, 2017

Powershell Get deleted AD Users

To find deleted AD users you can use this PowerShell command. The ObjectClass -ne "computer" part is needed because computer objects are also of class user. Without the AD Recycle Bin most attributes are stripped at deletion, so DisplayName can be empty on tombstones:
Get-ADObject -Filter {Deleted -eq $true -and ObjectClass -eq "user" -and ObjectClass -ne "computer"} -IncludeDeletedObjects -Properties LastKnownParent, DisplayName, sAMAccountName | Format-List LastKnownParent, DisplayName, sAMAccountName

Let's say you only want the accounts that were deleted in the last 42 days. Just use the whenChanged attribute (it is updated when the object is deleted) and compare it with the current date minus 42 days. Putting the comparison into the filter lets the domain controller do the work instead of pulling every tombstone:

$since = (Get-Date).AddDays(-42)
Get-ADObject -Filter {Deleted -eq $true -and ObjectClass -eq "user" -and ObjectClass -ne "computer" -and whenChanged -ge $since} -IncludeDeletedObjects -Properties LastKnownParent, DisplayName, sAMAccountName, whenChanged | Format-List LastKnownParent, DisplayName, sAMAccountName, whenChanged

Still too much? You just want users from a specific OU like OU=Users,OU=Germany,DC=timsdomain,DC=com, saved to a file? Add LastKnownParent to the filter and >C:\DeletedUsersDE.txt at the end:

$since = (Get-Date).AddDays(-42)
Get-ADObject -Filter {Deleted -eq $true -and ObjectClass -eq "user" -and ObjectClass -ne "computer" -and whenChanged -ge $since -and LastKnownParent -eq "OU=Users,OU=Germany,DC=timsdomain,DC=com"} -IncludeDeletedObjects -Properties LastKnownParent, DisplayName, sAMAccountName, whenChanged | Format-List LastKnownParent, DisplayName, sAMAccountName, whenChanged >C:\DeletedUsersDE.txt

Tuesday, February 21, 2017

Find CNF objects in Active Directory

When two or more objects with the same name are created in the same container on different domain controllers before replication occurs, the conflict is resolved by renaming the object with the older timestamp. The renamed object gets "\0ACNF:[GUID]" in its DN (\0A is the escaped line feed that separates the original name from the CNF marker). These objects are referred to as conflict or CNF objects. A domain controller generates Event ID 12292 whenever a CNF object is created.

To find CNF objects and open the created file, run the following commands (the search goes against a Global Catalog, so it covers the whole forest):
dsquery * forestroot -gc -attr distinguishedName -scope subtree -filter "(|(cn=*\0ACNF:*)(ou=*\0ACNF:*))" > cnfobjects.txt
start cnfobjects.txt
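The same search as an added example (not part of the original post) with the ActiveDirectory module: it queries a Global Catalog so the whole forest is covered, splits the original name and the conflict GUID out of the CN, and checks whether the winning object with the original name still exists next to the CNF copy. The output path is an assumption.

```powershell
# Added example: find CNF objects forest-wide with the AD module and report them. Output path is an assumption.
Import-Module ActiveDirectory
$rootDn = (Get-ADRootDSE).rootDomainNamingContext
$gc     = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
$gcPort = "${gc}:3268"     # 3268 = Global Catalog LDAP port

# \0A is the LDAP escape for the line feed that precedes "CNF:" in a conflict object's RDN
$cnfObjects = Get-ADObject -Server $gcPort -SearchBase $rootDn -SearchScope Subtree `
    -LDAPFilter "(|(cn=*\0ACNF:*)(ou=*\0ACNF:*))" -Properties whenChanged, whenCreated

$report = foreach ($o in $cnfObjects) {
    # the name attribute holds a real line feed: "<original name>`nCNF:<guid>"
    $originalName, $guid = $o.Name -split "`nCNF:", 2
    # parent container = everything after the first unescaped comma of the DN
    $parentDn = ($o.DistinguishedName -split '(?<!\\),', 2)[1]
    $winner   = Get-ADObject -Server $gcPort -SearchBase $parentDn -SearchScope OneLevel -Filter { Name -eq $originalName }

    [pscustomobject]@{
        ConflictDN   = $o.DistinguishedName
        OriginalName = $originalName
        ConflictGuid = $guid
        ObjectClass  = $o.ObjectClass
        WinnerExists = [bool]$winner
        WhenChanged  = $o.whenChanged
    }
}

$report | Export-Csv -Path C:\admin\cnfobjects.csv -NoTypeInformation
$report | Format-Table OriginalName, ObjectClass, WinnerExists, WhenChanged -AutoSize
```

A CNF object whose winner no longer exists is the interesting case: somebody may have deleted the wrong copy, and the CNF one might be the object that is still linked to group memberships or ACLs.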

Protect your AD DNS zones from accidental deletion using Powershell

AD-integrated zones live in two application partitions: forest-wide zones in ForestDnsZones and domain-wide zones in DomainDnsZones (one per domain).

To get forest DNS zones that are not protected from accidental deletion, you can use the following PS command (change the -SearchBase to your forest in both commands):

Get-ADObject -Filter 'ObjectClass -eq "dnsZone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=com" -Properties ProtectedFromAccidentalDeletion | Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false } | Select-Object Name, ProtectedFromAccidentalDeletion | Out-GridView

To set protection use the following command (it adds a Deny for Delete and Delete Subtree to the zone object's ACL):

Get-ADObject -Filter 'ObjectClass -eq "dnsZone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=com" -Properties ProtectedFromAccidentalDeletion | Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false } | Set-ADObject -ProtectedFromAccidentalDeletion $true

To get domain DNS zones that are not protected from accidental deletion, you can use the following PS command (change the -SearchBase to your domain in both commands):

Get-ADObject -Filter 'ObjectClass -eq "dnsZone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=subdomain,DC=domain,DC=com" -Properties ProtectedFromAccidentalDeletion | Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false } | Select-Object Name, ProtectedFromAccidentalDeletion | Out-GridView

To set protection use the following command:

Get-ADObject -Filter 'ObjectClass -eq "dnsZone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=subdomain,DC=domain,DC=com" -Properties ProtectedFromAccidentalDeletion | Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false } | Set-ADObject -ProtectedFromAccidentalDeletion $true
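An added example (not from the original post) that goes one step further than the four commands above: it derives the search bases from the forest instead of hard-coding them, covers every domain in the forest, and also looks in CN=MicrosoftDNS,CN=System of each domain partition, where zones with the legacy "domain" replication scope are stored. It runs with -WhatIf; remove that switch to apply.

```powershell
# Added example: report and protect all AD-integrated DNS zones in the forest.
Import-Module ActiveDirectory
$forest = Get-ADForest
$rootDn = (Get-ADRootDSE).rootDomainNamingContext

# each partition is read from a DC of the domain that hosts it (-Server accepts a domain name)
$targets = @(@{ Base = "DC=ForestDnsZones,$rootDn"; Server = $forest.RootDomain })
foreach ($d in $forest.Domains) {
    $dn = (Get-ADDomain -Identity $d -Server $d).DistinguishedName
    $targets += @{ Base = "DC=DomainDnsZones,$dn";       Server = $d }
    $targets += @{ Base = "CN=MicrosoftDNS,CN=System,$dn"; Server = $d }   # legacy "domain" replication scope
}

foreach ($t in $targets) {
    $zones = @(Get-ADObject -Server $t.Server -SearchBase $t.Base -SearchScope Subtree `
                  -Filter 'ObjectClass -eq "dnsZone"' -Properties ProtectedFromAccidentalDeletion)
    $open  = @($zones | Where-Object { -not $_.ProtectedFromAccidentalDeletion })
    "{0}: {1} zones, {2} unprotected" -f $t.Base, $zones.Count, $open.Count

    # ProtectedFromAccidentalDeletion adds Deny Delete / Delete Subtree for Everyone to the zone's ACL.
    # Drop -WhatIf to apply.
    $open | Set-ADObject -Server $t.Server -ProtectedFromAccidentalDeletion $true -WhatIf
}
```

The RootDNSServers and TrustAnchors containers are dnsZone objects too and show up in the counts; protecting them does no harm.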

Powershell Script: Set extensionAttribute using EmployeeID or samAccountName

In my example I will use ExtensionAttribute4, of course you can use another one as well!

Here is a script that uses the EmployeeID:

# Set extensionAttribute4 using the AD user's EmployeeID
# csv file: employeeID,extensionAttribute4

Import-Module ActiveDirectory
$Path  = "C:\admin\UsersExt4.csv"
$users = Import-Csv -Path $Path
$users | ForEach-Object {
    # empty CSV fields arrive as "", treat them as "no value"
    $_.PSObject.Properties | ForEach-Object { if ($_.Value -eq "") { $_.Value = $null } }

    $eid  = $_.employeeID
    $user = @(Get-ADUser -Filter {employeeID -eq $eid})
    if ($user.Count -ne 1) { Write-Warning "employeeID '$eid': $($user.Count) matches, skipped"; return }

    if ($null -eq $_.extensionAttribute4) {
        Set-ADUser -Identity $user[0] -Clear extensionAttribute4      # -Replace does not accept $null
    } else {
        # extensionAttribute4 is single-valued: -Replace overwrites, -Add fails once a value exists
        Set-ADUser -Identity $user[0] -Replace @{extensionAttribute4 = $_.extensionAttribute4}
    }
}


And now with the samAccountName:

# File path: c:\admin\UsersExt4.csv
# samAccountName,extensionAttribute4
# username.1,Test12345
# username.2,Test12345

Import-module ActiveDirectory
Import-Csv C:\admin\UsersExt4.csv | ForEach-Object {Set-ADUser $_.samAccountName -Replace @{extensionAttribute4=$_.extensionAttribute4} }


Wednesday, February 15, 2017

Powershell: Get users that have "test" in their name or in the description

Just use the following command:

Get-AdUser -filter {(name -Like "*test*") -or (description -Like "*test*")} -Properties name, samaccountname, description |sort-object name | Out-GridView

Powershell Get all group managers in AD

Get-ADGroup -LDAPFilter "(ManagedBy=*)" -Properties ManagedBy | Out-GridView

Monday, January 30, 2017

Powershell Get all groups that are managed by a user

After execution you have to enter the samaccountname and the managed groups will be shown in a grid-view. If no groups are managed by the entered user, nothing will popup.


$account = Read-Host "Enter user name"
$dn = (Get-ADUser -Identity $account).DistinguishedName
# pass the DN through a variable in -Filter instead of pasting it into an LDAP filter string,
# so DNs containing characters like ( ) * or \ are matched correctly
Get-ADGroup -Filter { ManagedBy -eq $dn } | Out-GridView

Thursday, January 19, 2017

Domain Controller time is out of sync

Check hardware
Check VM configuration and Hypervisor settings
Check network / firewalls

Operating system:
On the affected DC run the following in cmd (not on the forest root PDC emulator: that one should point at an external NTP source with /syncfromflags:manual /manualpeerlist:..., everything else follows the domain hierarchy):
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
net stop w32time && net start w32time

If nothing changes, check the following registry value:
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
On a domain controller it must be set to 10 (decimal) or 0xA (hex). If you had to change it, restart the service again:
net stop w32time && net start w32time

As a last resort you can reset the service to its default settings:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
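An added example (not part of the original post) that collects the facts the steps above ask you to check, in one object, before you start reconfiguring w32time: the current time source and sync type, the AnnounceFlags value, whether the Hyper-V time provider is enabled (the "VM configuration" check), the offset to the PDC emulator, and what the PDC emulator itself syncs from. Run it on the affected DC.

```powershell
# Added example: snapshot of the time-sync state of the local DC. Run on the affected DC.
$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$pdc = (Get-ADDomain).PDCEmulator

$state = [pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    IsPdcEmulator  = ($pdc -like "$env:COMPUTERNAME.*")
    Source         = (w32tm /query /source)
    # NT5DS = domain hierarchy, NTP = manual peer list, NoSync = nothing
    SyncType       = (Get-ItemProperty "$w32\Parameters").Type
    # 10 (0xA) is the normal value on a DC
    AnnounceFlags  = (Get-ItemProperty "$w32\Config").AnnounceFlags
    # 1 = the Hyper-V guest time provider is enabled and may fight with domain time
    HyperVTimeSync = (Get-ItemProperty "$w32\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue).Enabled
    # last sample line is "<time>, <offset in seconds>"; a large offset means this DC is the problem
    OffsetToPdc    = (w32tm /stripchart /computer:$pdc /samples:3 /dataonly | Select-Object -Last 1)
    # "Local CMOS Clock" or "Free-running System Clock" here means the PDC itself is not synced externally
    PdcSource      = (w32tm /query /computer:$pdc /source)
}

$state | Format-List
w32tm /query /status
```

If OffsetToPdc is small but clients still complain, the PDC emulator's source is usually the real culprit; if the offset is large and SyncType is NTP on a non-PDC DC, someone configured a manual peer on this DC and the domhier command above is the fix.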