When two or more objects with the same name are created in the same container on different domain controllers before replication occurs, the conflict is resolved by renaming the object with the older timestamp. The renamed object includes "\0ACNF:[GUID]" in its DN. These objects are referred to as conflict or CNF objects. A domain controller will generate Event ID 12292 whenever a CNF object is created.
To find CNF objects and open the created file, run the following commands:
dsquery * forestroot -gc -attr distinguishedName -scope subtree -filter "(|(cn=*\0ACNF:*)(ou=*\0ACNF:*))" > cnfobjects.txt
start cnfobjects.txt
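To triage the resulting file, each conflict DN can be split into the original name, the GUID and the parent container. The following is an added example, not part of the original post; the function name ConvertFrom-CnfDn and the sample DNs are constructed for illustration.

```powershell
# Constructed sample of cnfobjects.txt: a header line, then one DN per line.
$sample = @'
  distinguishedName
  CN=jsmith\0ACNF:8a1f3c52-0b6e-4d7a-9c11-2f5e6d7a8b90,OU=Staff,DC=domain,DC=com
  OU=Sales\0ACNF:c2d4e6f8-1357-4a9b-8c0d-112233445566,DC=domain,DC=com
  CN=PRINTER01\0ACNF:0f9e8d7c-6b5a-4c3d-a2b1-998877665544,CN=Computers,DC=domain,DC=com
'@

# Hypothetical helper: turns one line of dsquery output into a structured record.
function ConvertFrom-CnfDn {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin {
        # RDN type, original name, literal "\0ACNF:", GUID, then the parent container DN.
        $rx = '^(?<type>CN|OU)=(?<name>.+?)\\0ACNF:' +
              '(?<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}),(?<parent>.+)$'
    }
    process {
        $dn = $Line.Trim()
        # Header and blank lines do not match and are skipped.
        if ($dn -match $rx) {
            [pscustomobject]@{
                OriginalName = $Matches.name
                Guid         = $Matches.guid
                Parent       = $Matches.parent
                # DN the name has without the suffix: the object that won the
                # conflict, if it still exists. Compare both before deleting either.
                WinnerDN     = '{0}={1},{2}' -f $Matches.type, $Matches.name, $Matches.parent
                ConflictDN   = $dn
            }
        }
    }
}

# With real data: Get-Content .\cnfobjects.txt | ConvertFrom-CnfDn
$sample -split "`r?`n" | ConvertFrom-CnfDn |
    Sort-Object Parent, OriginalName |
    Format-Table OriginalName, Guid, WinnerDN -AutoSize
```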
Tuesday, February 21, 2017
Protect your AD DNS Zones from accidental deletion using Powershell
You have two types of zones, the forest and domain DNS zones.
FOREST:
To get Forest DNS zones that are not protected from accidental deletion, you can use the following PS command (change the -SearchBase to your forest in both commands):
Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=com" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview
To set protection use the following command:
Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=com" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject -ProtectedFromAccidentalDeletion $true
DOMAIN:
To get Domain DNS zones that are not protected from accidental deletion, you can use the following PS command (change the -SearchBase to your domain in both commands):
Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=subdomain,DC=domain,DC=com" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview
To set protection use the following command:
Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=subdomain,DC=domain,DC=com" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject -ProtectedFromAccidentalDeletion $true
Powershell Script: Set extensionAttribute using EmployeeID or samAccountName
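In my example I will use ExtensionAttribute4; of course you can use another one as well!
Here is a script that uses the EmployeeID:
-----------------------------------------------------
# Set ExtensionAttribute4 using AD Users EmployeeID
#csv file
#employeeID,extensionAttribute4
#1482216,45837
#9999998,9999
Import-Module ActiveDirectory
$Path = "C:\admin\UsersExt4.csv"
$users = Get-Content -Path $Path | ConvertFrom-Csv
$users | foreach {
    # Turn empty CSV fields into $null
    $_.psobject.properties | foreach { if ($_.value -eq "") { $_.value = $null }}
    $eid = $_.employeeID
    # Look up the account by its employeeID
    $user = Get-ADUser -Filter {employeeID -eq $eid}
    # Skip rows with no matching account or an empty value instead of passing $null to Set-ADUser
    if ($user -and $_.extensionAttribute4) {
        # -Add fails if the attribute already holds a value; the samAccountName variant uses -Replace
        Set-ADUser $user.samaccountname -Add @{extensionattribute4 = $_.extensionAttribute4}
    } else {
        Write-Warning "Skipped employeeID $eid"
    }
}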
-----------------------------------------------------
And now with the samAccountName:
-----------------------------------------------------
################################################
# File path: c:\admin\UsersExt4.csv
#
# samAccountName,extensionAttribute4
# username.1,Test12345
# username.2,Test12345
################################################
Import-module ActiveDirectory
Import-Csv C:\admin\UsersExt4.csv | ForEach-Object {Set-ADUser $_.samAccountName -Replace @{extensionAttribute4=$_.extensionAttribute4} }
-----------------------------------------------------
Wednesday, February 15, 2017
Powershell: Get users that have test in their name or description
Just use the following command:
Get-AdUser -filter {(name -Like "*test*") -or (description -Like "*test*")} -Properties name, samaccountname, description |sort-object name | Out-GridView
Powershell: Get all Group Managers in AD
Get-ADGroup -LDAPFilter "(ManagedBy=*)" -Properties ManagedBy | Out-GridView
Monday, February 13, 2017