
Tuesday, June 9, 2020

Create a keytab file to use SSO for KeyCloak or another tool

This post shows how to create a keytab file so that your application can use SSO.

Find attached the details for the sample setup.
Domain: test.zz
user: srviceuser1
pw: HDPw8912hs17!/hsd7
url: auth-test.service.test.zz
Required encryption: AES256

Command:
ktpass -out c:\auth-test.keytab -princ HTTP/auth-test.test.zz@TEST.ZZ -mapuser srviceuser1 -pass HDPw8912hs17!/hsd7 -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1
If another encryption type is needed, have a look at the following article:

You can verify that the SPN is registered on the account with the following command.
setspn -L srviceuser1

The last thing we have to do is to enable AES256 encryption support on the account srviceuser1. Open Active Directory Users & Computers, open the properties of srviceuser1, go to the Account tab and tick the following checkbox under Account options: "This account supports Kerberos AES 256 bit encryption"
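As an added example (not part of the original post), the following PowerShell checks the three things the procedure above depends on: the SPN is on exactly this account, the account actually allows AES256 (and whether it still allows RC4), and the current key version number that the keytab has to match. It assumes the RSAT ActiveDirectory module and the sample names from this post (srviceuser1, HTTP/auth-test.test.zz).

```powershell
Import-Module ActiveDirectory

function Test-KeytabAccount {
    param([string]$Account = 'srviceuser1', [string]$Spn = 'HTTP/auth-test.test.zz', [switch]$Fix)
    $props = 'servicePrincipalName', 'msDS-SupportedEncryptionTypes', 'msDS-KeyVersionNumber', 'userPrincipalName'
    $user  = Get-ADUser -Identity $Account -Properties $props

    # 1. The principal from ktpass -princ must be on this account (same list setspn -L prints)
    if ($user.servicePrincipalName -notcontains $Spn) {
        Write-Warning "SPN $Spn is not registered on $Account"
    }
    # The same SPN on a second account breaks Kerberos for the service (duplicate SPN)
    $others = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" |
        Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
    if ($others) {
        Write-Warning "SPN $Spn is also registered on: $($others.DistinguishedName -join ', ')"
    }

    # 2. msDS-SupportedEncryptionTypes is a bit mask: 0x04 = RC4, 0x08 = AES128, 0x10 = AES256.
    #    Unset (0) means the DC default applies, which is not AES-only.
    $enc = [int]($user.'msDS-SupportedEncryptionTypes')
    if (($enc -band 0x10) -eq 0) {
        Write-Warning "$Account does not allow AES256; the AES256-SHA1 keytab cannot work"
        if ($Fix) {
            # Same effect as the "This account supports Kerberos AES 256 bit encryption" checkbox
            Set-ADUser -Identity $Account -KerberosEncryptionType AES256
        }
    }
    if (($enc -band 0x04) -ne 0) {
        Write-Warning "$Account still permits RC4 although the keytab is AES256 only"
    }

    # 3. The kvno stored in the keytab must match the account's key version number;
    #    ktpass -pass resets the password and increments it, so every re-run of ktpass
    #    means redeploying the keytab.
    [pscustomobject]@{
        Account  = $Account
        SPNs     = $user.servicePrincipalName -join ', '
        EncTypes = '0x{0:x}' -f $enc
        Kvno     = $user.'msDS-KeyVersionNumber'
        UPN      = $user.userPrincipalName
    }
}

Test-KeytabAccount
```

Run it with -Fix to set the AES256 flag from PowerShell instead of through the ADUC checkbox.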


Tuesday, February 19, 2019

Attribute Editor tab missing in Active Directory Users and Computers search


Problem:
If you search for a user account, you don't see the Attribute Editor tab in the properties of the user account.

First, "Advanced Features" has to be activated in the "Active Directory Users and Computers" console. Just select View and click on Advanced Features.

Using a LDAP Query:

  • Right-click Saved Queries and click the New Query option
  • Type in a name for your saved query, such as "Search SamAccount"
  • Click the Define Query button
  • Under the Find drop-down list, select Custom Search
  • Click the Advanced tab
  • Type in your query, for example:
  • (&(objectcategory=person)(samaccountname=*tim.buntrock*))


Using the group trick:

  • Search for a user
  • Click on the Member Of tab
  • Open one of the user's groups
  • Close the user properties window
  • Find the user in the group's Members tab and double-click the entry
  • Now you should see the Attribute Editor tab



Using Active Directory Administrative Center instead of ADUC
If you are using the AD Administrative Center you can directly access the Attribute Editor after a search.

Tuesday, July 10, 2018

lastLogon vs lastLogonTimestamp vs lastLogonDate - explained

Today I want to write about the "last logon" attributes. They can be a little confusing if you look them up on the internet, so in this post I will try to explain them simply.

lastLogon
lastLogon is only updated on the Domain Controller where the logon actually happened, and it is not replicated. It is updated after each interactive logon.
An interactive logon to a computer can be performed either locally, when the user has direct physical access, or remotely, through Terminal Services, in which case the logon is further qualified as remote interactive.
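Because lastLogon is not replicated, a single query only tells you what one DC saw. As an added example (not part of the original post), this function asks every domain controller and keeps the newest value. It assumes the ActiveDirectory module; the user name is a constructed sample.

```powershell
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $latest = 0L      # lastLogon is a FILETIME: 100-ns ticks since 1601-01-01, 0 = never
    $from   = $null   # DC that reported the newest value

    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $value = (Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon).lastLogon
        } catch {
            # An unreachable DC must not abort the whole run; its value is simply unknown
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            continue
        }
        if ($value -and $value -gt $latest) {
            $latest = $value
            $from   = $dc.HostName
        }
    }

    $when = if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        LastLogon      = $when
        ReportedBy     = $from
    }
}

Get-TrueLastLogon -SamAccountName 'tbuntrock'
```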

Wednesday, April 18, 2018

How to find all AD Users with a specific profilePath or homeDirectory


If you want to find the users that have a specific homeDirectory or profilePath assigned, you have to filter on that path.

So let's assume you have a DFS share named \\domain.com\DFSShare\User and all homeDirectories live in this share. To find all users using this path you might expect that a query like this works:
Get-ADUser -Filter "homedirectory -like '\\domain.com\DFSShare\User*'" -Properties homedirectory | select samaccountname, homedirectory

If you run this line, the output will be empty, even if some users use this share as their homeDirectory.

Why? A network path contains backslashes, and the backslash "\" is a special character in an LDAP filter. Therefore, if you filter on such paths, you have to replace every \ with \5c.

For more information check out the following MS article:

If we do that, our PowerShell query looks like this:
Get-ADUser -Filter "homedirectory -like '\5c\5cdomain.com\5cDFSShare\5cUser*'" -Properties homedirectory | select samaccountname, homedirectory

Now we see all users that have a homeDirectory located in \\domain.com\DFSShare\User.
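The \5c replacement is one instance of LDAP filter escaping (RFC 4515). As an added example (not part of the original post), the helper below escapes every reserved character, not only the backslash, so that a path or any other value copied into a filter cannot change the filter's meaning, and then runs the post's homeDirectory search through -LDAPFilter. It assumes the ActiveDirectory module; the share name is the post's sample.

```powershell
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape \ * ( ) and NUL as \XX (two hex digits of the byte), per RFC 4515.
    # A literal * in the value is escaped too; the caller adds wildcards on purpose.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m)
        '\' + ('{0:x2}' -f [int][char]$m.Value)
    })
}

function Get-ADUserByHomeDirectoryPrefix {
    param([Parameter(Mandatory)][string]$Prefix)
    # Escaped prefix followed by an intentional trailing wildcard
    $ldap = "(&(objectCategory=person)(homeDirectory=$(ConvertTo-LdapFilterValue $Prefix)*))"
    Get-ADUser -LDAPFilter $ldap -Properties homeDirectory |
        Select-Object SamAccountName, homeDirectory
}

# The escaped form of the post's share path; same value the post builds by hand
ConvertTo-LdapFilterValue '\\domain.com\DFSShare\User'

Get-ADUserByHomeDirectoryPrefix '\\domain.com\DFSShare\User'
```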



Wednesday, October 4, 2017

Powershell Set AD Users password to expire and set password last set to current date

Hi guys,

the script I uploaded to TechNet sets pwdLastSet, removes "password never expires" and "user cannot change password" for all users located in the defined OU.
It can be used if you want to implement password expiration for your user accounts.

Download:

Thursday, September 21, 2017

Powershell: Add Members from multiple Groups to a specified Group

The following script can be used with a filter, or you specify the groups in AdminGroups.txt.

I added a member removal task to this script so that the target group only contains members of the defined groups. You can remove this line if you don't need it.

Download:
https://gallery.technet.microsoft.com/Add-Members-from-multiple-6cbcae53


Monday, June 19, 2017

Powershell: Set AD User "Name" with givenName and surname (it's the Name that is displayed in ADUC)

Some guys mix up Name with Displayname. So with this command we will change the name you see in ADUC.



Get-aduser tbuntrock -Properties * | foreach { Rename-ADObject $_ -newname ($_.givenname + " " + $_.sn)}


Tuesday, June 13, 2017

Powershell: Disable AD User from csv and append Description

The file should contain the samAccountNames, one per line, and look like this:
user1
user2
user3

Script:

$logfile = "C:\admin\VacationUsers.csv"
get-content $logfile |get-aduser -Properties Description | ForEach-Object { Set-ADUser $_ -enabled $false -Description "$($_.Description) DISABLED as requested by HR" }


How it works:
- Define the file path
- Read the user names from the csv
- Use Get-ADUser to fetch each user's current Description
- For each user...
- Disable the account and set the new Description


We keep the old Description with $($_.Description) and all that follows will be appended. In my example it is DISABLED as requested by HR.

Wednesday, March 8, 2017

Powershell Get deleted AD Users

To find deleted AD Users you can use this Powershell command:
get-adobject -Filter {Deleted -eq $true -and ObjectClass -eq "user" -and ObjectClass -ne "computer" } -IncludeDeletedObjects -property * | Format-List LastKnownParent,DisplayName,samaccountname

Let's say you only want the accounts that were deleted in the last 42 days? Just use the whenChanged attribute and compare it with the current date minus 42 days.

get-adobject -Filter {Deleted -eq $true -and ObjectClass -eq "user" -and ObjectClass -ne "computer" } -IncludeDeletedObjects -property * |  where { $_.whenChanged -ge (Get-Date).AddDays(-42) } |Format-List LastKnownParent,DisplayName,samaccountname,whenchanged

That's too much? You just want users from a specific OU like OU=Users,OU=Germany,DC=timsdomain,DC=com? And that should be saved into a file? OK, let's add LastKnownParent to the filter and append >c:\DeletedUsersDE.txt at the end to get this!

get-adobject -Filter {Deleted -eq $true -and ObjectClass -eq "user" -and ObjectClass -ne "computer" -and LastKnownParent -eq "OU=Users,OU=Germany,DC=timsdomain,DC=com" } -IncludeDeletedObjects -property * |  where { $_.whenChanged -ge (Get-Date).AddDays(-42) } |Format-List LastKnownParent,DisplayName,samaccountname,whenchanged >c:\DeletedUsersDE.txt

Tuesday, February 21, 2017

Powershell Script: Set extensionAttribute using EmployeeID or samAccountName

In my example I will use ExtensionAttribute4, of course you can use another one as well!

Find attached a script that uses the EmployeeID:

-----------------------------------------------------
# Set ExtensionAttribute4 using AD Users EmployeeID
# csv file
# employeeID,extensionAttribute4
# 1482216,45837
# 9999998,9999

Import-Module ActiveDirectory
$Path  = "C:\admin\UsersExt4.csv"
$users = Get-Content -Path $Path | ConvertFrom-Csv
$users | ForEach-Object {
    # Turn empty csv cells into $null so no empty string is written to AD
    $_.psobject.properties | ForEach-Object { if ($_.value -eq "") { $_.value = $null } }

    $eid  = $_.employeeID
    # employeeID is not guaranteed unique, so the filter may match 0 or several accounts
    $user = @(Get-ADUser -Filter {employeeID -eq $eid})
    if ($user.Count -ne 1) {
        Write-Warning "employeeID $eid matched $($user.Count) accounts, skipping"
        return
    }

    # extensionAttribute4 is single-valued: -Replace overwrites an existing value, -Add would fail on it
    Set-ADUser $user[0].samaccountname -Replace @{extensionattribute4 = $_.extensionAttribute4}
}

-----------------------------------------------------

And now with the samAccountName:

-----------------------------------------------------
################################################
# File path: c:\admin\UsersExt4.csv
#
# samAccountName,extensionAttribute4
# username.1,Test12345
# username.2,Test12345
################################################

Import-module ActiveDirectory
Import-Csv C:\admin\UsersExt4.csv | ForEach-Object {Set-ADUser $_.samAccountName -Replace @{extensionAttribute4=$_.extensionAttribute4} }

-----------------------------------------------------

Wednesday, February 15, 2017

Powershell: Get users that have "test" in their name or in the description

Just use the following command:

Get-AdUser -filter {(name -Like "*test*") -or (description -Like "*test*")} -Properties name, samaccountname, description |sort-object name | Out-GridView

Monday, January 30, 2017

Powershell Get all groups that are managed by a user

After execution you have to enter the samaccountname and the managed groups will be shown in a grid-view. If no groups are managed by the entered user, nothing will popup.

Download Script

$account = Read-Host "Enter user name"
Get-ADGroup -LDAPFilter "(ManagedBy=$((Get-ADUser -Identity $account).DistinguishedName))" | Out-GridView

Friday, November 25, 2016

Powershell Script: Set an extensionAttribute for multiple AD Users

With the attached script you can set extensionAttribute4 for multiple AD Users using a csv file. You can do this for other Attributes as well. :)

# Set extensionAttribute4 for specified AD Users
# Create a CSV file that looks like this:
################################################
# File path: c:\admin\UsersExt4.csv
#
# samAccountName,extensionAttribute4
# username.1,Test12345
# username.2,Test12345
################################################
# Script by Tim Buntrock

# import ad module
Import-module ActiveDirectory
# import users from csv and set extensionAttribute4
Import-Csv C:\admin\UsersExt4.csv | ForEach-Object {Set-ADUser $_.samAccountName -Replace @{extensionAttribute4=$_.extensionAttribute4} }

Monday, March 7, 2016

Unlock AD User account using Powershell after entering the username

This script is to unlock an AD user account after entering the username.

You have to enter the username and after that the account will be unlocked.


If the account is not locked out you will receive a message that the account is not locked out.



SCRIPT DOWNLOAD

Thursday, March 3, 2016

Check AD User Credentials based on entered username using Powershell

This script is to verify credentials for a specified user.

After you run this script you have to enter the username and password.


Find attached a screenshot of how the output should look:




Download the script

If you want to verify multiple AD user accounts you can use my other script.