Category: Active Directory

PowerShell One-Liner to Disable Active Directory Accounts and Log the Results to a SQL Server Database

The new PowerShell cmdlets that are part of the SQLServer PowerShell module that's distributed as part of SSMS (SQL Server Management Studio) 2016 make it super easy to write the output of PowerShell commands to a SQL Server database. The ActiveDirectory PowerShell module that's part of the RSAT (Remote Server Administration Tools) is also required by the code shown in this blog article. This PowerShell one-liner retrieves a list of Active Directory users who have not logged in within the past Read more [...]

Use PowerShell to Add Active Directory Users to Specific Groups based on a CSV file

I recently responded to a post in a forum about adding Active Directory users to groups with PowerShell based on information contained in a CSV (Comma Separated Values file format). I thought I would not only share the scenario and solution that I came up with but also elaborate on adding additional functionality that may be desired. In this scenario, you’ve been provided with a CSV file that contains a list of Active Directory users and the groups that they should be a member of as shown in Read more [...]

Building logic into PowerShell functions to nag users before their Active Directory password expires

This week I'm sharing a couple of PowerShell functions that are a work in progress to nag those users who seem to never want to change their passwords. I can't tell you how many times the help desk staff at one of the companies that I provide support for receives a call from a user who is unable to access email or other resources on the intranet. The problem? They have run their password down to the point where they arrive in the morning, log into their computer without issue, and during the day Read more [...]

Video: Demystifying Active Directory User Account Lockouts with PowerShell

A few months ago I created an audition video for Pluralsight on “Demystifying Active Directory User Account Lockouts with PowerShell” and I thought I would share that video with you, the readers of my blog site:

You can also find this video on my YouTube channel.

Happy New Year!

PowerShell: Filter by User when Querying the Security Event Log with Get-WinEvent and the FilterHashTable Parameter

I recently ran across something interesting that I thought I would share. The help for the FilterHashTable parameter of Get-WinEvent says that you can filter by UserID using an Active Directory user account's SID or domain account name: Notice that the help also says the data key can be used for unnamed fields in classic event logs. I often hear the question wanting to know what the valid key pairs are for the hash table. As you can see, they're listed in the Read more [...]

Using PowerShell Desired State Configuration to build the first domain controller in your Active Directory forest

If you're a frequent reader of the blog articles on this site, then you know that I've been working on using Desired State Configuration to build my test lab environment that runs as Hyper-V VMs on my Windows 8.1 computer. If you would like to know the current state of my test environment, see the previous blog article: "Creating a Desired State Configuration Resource for Self Signed Certificates". The certificate created in last week's blog has been exported and copied to the Windows 8.1 Read more [...]

Use PowerShell to Install Active Directory Certificate Services

In this blog article, I'll use PowerShell to install Active Directory Certificate Services in my test environment. The domain controller that's being used is running Windows Server 2012 R2 Server Core Installation (no-GUI). The workstation that I'm using is running Windows 8.1 and it is a member of the same Active Directory domain. Many times when I'm prototyping something on a single remote server, I'll use one to one remoting so that it's an interactive session. The Enter-PSSession cmdlet is Read more [...]

PowerShell: When Best Practices and Accurate Results Collide

I'm a big believer in trying to write my PowerShell code to what the industry considers to be the best practices as most are common sense anyway, although as one person once told me: "Common sense isn't all that common anymore". I would hope that even the most diehard best practices person would realize that if you run into a scenario where following best practices causes the results to be skewed, that at least in that scenario it's worth taking a step back so you can see the bigger picture. I Read more [...]

Use PowerShell to Determine the Differences in Group Membership between Active Directory Users

I recently saw a post on Reddit where someone was trying to create a function that takes an Active Directory user name as input for a manager who has direct reports (subordinates) specified in Active Directory. They wanted to determine if the Active Directory group membership of any of those subordinates is different than the others. There are two different parts to this scenario. Returning a list of the manager's direct reports by querying that property from the manager's user account in Active Read more [...]

Set a Users Active Directory Display Name with PowerShell

I recently saw an article on how to set a user's Active Directory display name based on the values of their given name, initials, and surname. I came up with my own unique solution for this task and thought I would share it with you, the readers of my blog. As you can see in the following example, there is a mixture of users who need their display name corrected based on the requirement that their display name be listed as "Givenname Initials Surname": I Read more [...]

Find and Disable Active Directory Users with PowerShell Faster than You can Open the GUI

In this scenario, a support request has been escalated to you because the help desk is unable to find a user account in Active Directory that needs to be disabled. The help desk included a screenshot where they attempted to search for the user who is named "William Doe": The request you received also stated that the user is in the "Sales" department so you perform a quick search for users who have a last name of "Doe" and who are also in the "Sales" department: Based Read more [...]

Extract the Name from an Active Directory Distinguished Name with PowerShell and a Regular Expression

This is actually something I had a small blurb about in my previous blog article, but I wanted to go back, revisit it, and write a dedicated blog article about it. Sometimes there are properties in Active Directory like the one in the following example where the "Manager" property is being returned as a distinguished name and what you really wanted was just their name (in human readable format): You could write a complicated function or script to query Active Read more [...]

Create Active Directory Users Home Folder and Assign Permissions with PowerShell

The following function is a work in progress, but I thought I would go ahead and share it. This function requires a module named PowerShellAccessControl that was created by Rohn Edwards which is downloadable from the TechNet Script Repository. The version 3.0 beta revision of his module which is also downloadable on that same page is what was used to test the examples shown in this blog article. The following example demonstrates creating home folders and assigning Read more [...]

Using PowerShell to Search for Specific Users in Active Directory without Knowing their Exact Information

You're looking for a user in your Active Directory environment who goes by the nickname of "JW". You know that's the user's initials and you need to find their AD user account. Typically you'd use the Identity parameter, but that parameter doesn't allow wildcards: Verifying wildcards are not allowed on the Identity parameter of Get-ADUser: What you'll need to do is use the Filter parameter instead: The Read more [...]

Helping Others at Microsoft TechEd with PowerShell 911

While at Microsoft TechEd last week, I met a gentleman from Europe who was experiencing a particular issue with the Get-ADUser PowerShell cmdlet. When Get-ADUser is used with a hard coded value such as name as shown in the following example, it returns the expected information without issue: The issue is that when the name, for example, is stored in a variable and double quotes are used to try to expand the variable, nothing is returned: For Read more [...]