Monday, June 19, 2017

E-book: The Ultimate Guide to Windows Server 2016

DOWNLOAD the free e-book:

FOLLOW ME


Other e-Books:

Powershell: Set AD User "Name" with givenname and surname (it´s the Name that is displayed in ADUC)

Some guys mix up Name with Displayname. So with this command we will change the name you see in ADUC.



Get-aduser tbuntrock -Properties * | foreach { Rename-ADObject $_ -newname ($_.givenname + " " + $_.sn)}


Get some Powershell books on Amazon:

Tuesday, June 13, 2017

Powershell: Disable AD User from csv and append Description

The file should contain the samaccountnames and looks like:
user1
user2
user3

Script:

$logfile = "C:\admin\VacationUsers.csv"
get-content $logfile |get-aduser -Properties Description | ForEach-Object { Set-ADUser $_ -enabled $false -Description "$($_.Description) DISABLED as requested by HR" }


How it works:
- Define file path
- Just get the users from csv
- Use get-aduser to get description
- do this for each user and...
- Set description


We keep the old Description with $($_.Description) and all that follows will be appended. In my example it is DISABLED as requested by HR.

POSHGUI

You can use the following website to build your own GUI.

https://poshgui.com

Thursday, March 30, 2017

Powershell 4 - Get authorized DHCP server

You can use the following command to get all authorized DHCP server:
Get-DhcpServerInDC

The output will be the IP and DNSName of the server.

You can add out-gridview to easy filter or copy it to Excel.
Get-DhcpServerInDC | Out-GridView

If you want to instant filter on name or IP address you can do it this way:
Name:
$DEDHCPs = Get-DhcpServerInDC | where {($_.DNSName –like “DE*”)}
$DEDHCPs

IP:
$ipDHCPs = Get-DhcpServerInDC | where {($_.IPAddress –like “10.15*”)}
$ipDHCPs


You can also write the output directly to a file. Just use export-csv:
Get-DhcpServerInDC | where {($_.IPAddress –like “10.15*”)} | Export-Csv c:\admin\dhcps.csv -NoTypeInformation

or using >c:\admin\dhcps.txt (same output like in PS)

Get-DhcpServerInDC | where {($_.IPAddress –like “10.15*”)} >c:\admin\dhcps.txt

Tuesday, March 14, 2017

Powershell Get Active Directory and Exchnage Schema Version FOREST

To get the AD Schema Version, just run the following command:
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

You can use the objectVersion and the following table, to verify which OS is connected to this number.

Version = OS

87 = Windows Server 2016
69 = Windows Server 2012 R2
56 = Windows Server 2012
47 = Windows Server 2008 R2
44 = Windows Server 2008



For Exchange you can use this command:
(Get-ADObject $("CN=ms-Exch-Schema-Version-Pt,"+$((Get-ADRootDSE).NamingContexts | Where-Object {$_ -like "*Schema*"})) -Property rangeUpper).rangeUpper

rangeUpper = Exchange

15137 = 2013 RTM   
15254 = 2013 CU1   
15281 = 2013 CU2   
15283 = 2013 CU3   
15292 = 2013 SP1   
15300 = 2013 CU5
15303 = 2013 CU6
15312 = 2013 CU7-CU15   
15317 = 2016 Preview   
15317 = 2016 RTM   
15323 = 2016 CU1   
15325 = 2016 CU2   
15326 = 2016 CU3   
15326 = 2016 CU4    

Wednesday, March 8, 2017

Powershell Get deleted AD Users

To find deleted AD Users you can use this Powershell command:
get-adobject -Filter {Deleted -eq $true -and ObjectClass -eq "user" -and ObjectClass -ne "computer" } -IncludeDeletedObjects -property * | Format-List LastKnownParent,DisplayName,samaccountname

Lets say you only want to get the accounts that were deleted in the last 42 days? Just used whenChanged attribute and use the actual date minus 42 Days.

get-adobject -Filter {Deleted -eq $true -and ObjectClass -eq "user" -and ObjectClass -ne "computer" } -IncludeDeletedObjects -property * |  where { $_.whenChanged -ge (Get-Date).AddDays(-42) } |Format-List LastKnownParent,DisplayName,samaccountname,whenchanged

That´s to much? You just want users from a specified OU like OU=Users,OU=Germany,DC=timsdomain,DC=com? And that should be saved into a file? Ok lets add the LastKnownParent and just >c:\DeletedUsersDE.txt at the end to get this!

get-adobject -Filter {Deleted -eq $true -and ObjectClass -eq "user" -and ObjectClass -ne "computer" -and LastKnownParent -eq "OU=Users,OU=Germany,DC=timsdomain,DC=com" } -IncludeDeletedObjects -property * |  where { $_.whenChanged -ge (Get-Date).AddDays(-42) } |Format-List LastKnownParent,DisplayName,samaccountname,whenchanged >c:\DeletedUsersDE.txt

Tuesday, February 21, 2017

Find CNF objects in Active Directory

When two or more objects with the same name are created in the same container on different domain controllers before replication occurs the conflict is resolved by renaming the object with the older timestamp.  The object will be renamed so that it includes "\0ACNF:[GUID]" in its DN.  These objects are referred to as conflict or CNF objects.  A domain controller will generate Event ID 12292 whenever a CNF object is created.

To find CNF objects and open the created file, run the following commands: 
dsquery * forestroot -gc -attr distinguishedName -scope subtree -filter "(|(cn=*\0ACNF:*)(ou=*OACNF:*))"  >   cnfobjects.txt
start cnfobjects.txt

Protect your AD DNS Zones from additional deletion using Powershell

You have two types of zones, the forest and domain DNS zones.

To get Forest DNS zones that are not protected from additional deletion, you can use the following PS command (change the -Searchbase to your forest in both commands):

FOREST:
Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=com" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview


To set protection use the following command:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=com" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true


DOMAIN:
To get Domain DNS zones that are not protected from additional deletion, you can use the following PS command (change the -Searchbase to your domain in both commands):

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=subdomain,DC=domain,DC=com" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview


To set protection use the following command:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=subdomain,DC=domain,DC=com" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject –ProtectedFromAccidentalDeletion $true

Powershell Script: Set extensionAttribute using EmployeeID or samAccountName

In my example I will use ExtensionAttribute4, of course you can use another one as well!

Find attached a script that using the EmployeeID:

----------------------------------------------------- # Set ExtensionAttribute4 using AD Users EmployeeID
#csv file
#employeeID,extensionAttribute4
#1482216,45837
#9999998,9999

Import-module ActiveDirectory
$Path = "C:\admin\UsersExt4.csv"
$users = Get-Content –Path $Path | ConvertFrom-CSV
$users | foreach {
    $_.psobject.properties | foreach { if ($_.value -eq "") { $_.value = $null }}

    $eid = $_.employeeID
    $user = Get-ADUser -Filter {employeeID -eq $eid}

    Set-ADUser $user.samaccountname -add @{extensionattribute4 = $_.extensionAttribute4}
}

-----------------------------------------------------

And now with the samAccountName:

-----------------------------------------------------
################################################
# File path: c:\admin\UsersExt4.csv
#
# samAccountName,extensionAttribute4
# username.1,Test12345
# username.2,Test12345
################################################

Import-module ActiveDirectory
Import-Csv C:\admin\UsersExt4.csv | ForEach-Object {Set-ADUser $_.samAccountName -Replace @{extensionAttribute4=$_.extensionAttribute4} }

-----------------------------------------------------

Wednesday, February 15, 2017

Powershell: Get a user that have test in his name or in the description

Just use the following command:

Get-AdUser -filter {(name -Like "*test*") -or (description -Like "*test*")} -Properties name, samaccountname, description |sort-object name | Out-GridView

Powershell Get all Group Manager in AD

Get-ADGroup -LDAPFilter "(ManagedBy=*)" -Properties ManagedBy | Out-GridView

Monday, January 30, 2017

Powershell Get all groups that are managed by a user

After execution you have to enter the samaccountname and the managed groups will be shown in a grid-view. If no groups are managed by the entered user, nothing will popup.

Download Script

$acccount = Read-Host “Enter user name”
Get-ADGroup -LDAPFilter "(ManagedBy=$((Get-ADuser -Identity $acccount).distinguishedname))" | Out-GridView

Thursday, January 19, 2017

Domain Controller time is out of sync

Hardware->
Check hardware
Check VM configuration and Hypervisor settings
Check network / firewalls

Operating System->
On the affected DC run the following in cmd:
w32tm /config /syncfromflags:domhier /update
W32tm /resync /rediscover
net stop w32time && net start w32time

No change check the following regkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
AnnounceFlags must be set to 10 (Dec) or a (Hex)
If you have to set it just run again:
net stop w32time && net start w32time

At least you can try to set default settings:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time