Category: Active Directory

Use PowerShell to Copy the Group Membership of one Active Directory User to Another Active Directory User Account

You have an Active Directory user account and you want to make a second user a member of the same groups without removing the second user from any groups they may already be a member of. I prefer using the Quest PowerShell Cmdlets for Active Directory for doing my AD administration work. They have been downloaded and installed on the system this is being run from. The Quest snap-in has been added to make the cmdlets available. User 'afuller' is a member of several groups in this Active Directory Read more [...]

Use Data Stored in a SQL Server Database to Create Active Directory User Accounts with PowerShell

I need a few Active Directory users created in my test environment so I thought why come up with fake information when I could use information that I already have in a SQL Server database? The Employees table in the Northwind database looks like an easy enough candidate since all the data I need is in one table. This is about the concept and not about seeing how complicated I can make this process. Here's the type of information I'll pull out of this database to use for the Active Read more [...]

Use PowerShell to Determine What Roles are Added When Turning a Windows 2012 Server into a Domain Controller

Goal: Determine what roles are installed when turning a Windows Server 2012 machine into a domain controller. I started out by using PowerShell to save a list of what roles are installed on a plain vanilla 2012 server that has the full GUI installation. The following one liner would be used in PowerShell version 2 to accomplish this task and the syntax is compatible with version 3: PowerShell version 3 has simplified syntax when using the Where-Object cmdlet Read more [...]

Using the Quest Active Directory PowerShell Snapin to Search For & Set Attributes

I want to make sure that all users in a specific OU in my Active Directory domain have the "Deny this user permissions to log on to Remote Desktop Session Host server" option set (checked): Download the Quest Active Directory PowerShell Snapin (free). The PowerShell command shown below searches this specific OU in my Active Directory domain for users where this attribute is not equal to false. The default setting is blank (allowed) as shown with the Gill Bates user below. Read more [...]

Importing PowerShell Modules and Locating Added Cmdlets

Want to add a feature to a Windows Server 2008 R2 machine using PowerShell? That functionality is part of the ServerManager PowerShell module that's installed by default on 2008 R2. The module has to be imported for its cmdlets to be made available, since it's not loaded by default when you launch PowerShell. To view the modules that are available to be imported, run Get-Module -ListAvailable. The ServerManager module has to be imported so that its commands are made available to PowerShell. Read more [...]

Unable to Grant Domain Local Groups Full Access Permission to an Exchange 2010 Mailbox using the GUI

John Doe is a user in your Active Directory environment (Windows Server 2008 R2 Forest Function Level) with a mailbox on the email server (Exchange Server 2010 with SP2): You want to grant a domain local group named "Test Group" the full access permission to John Doe's mailbox: You attempt to grant this permission by selecting "Manage Full Access Permission" from the Exchange 2010 Management Console: When you click add and search for the group, it doesn't appear: PowerShell to Read more [...]

Oh Where, Oh Where Have My Group Policy Options Gone?

You are unable to find specific GPO options such as “Compatibility View” settings for Internet Explorer. One of the first things to look at is: Where are the policy definitions being retrieved from? The default for an Active Directory environment is from the local machine as shown in the image below: If you’re editing the GPO on a domain controller and have multiple domain controllers that are running different operating system versions, the available options will vary from machine Read more [...]

Find AD User Account Lockout Events with PowerShell

A few weeks ago a user contacted me and stated they were constantly being locked out throughout the day. This could have been caused by a number of things from someone else trying to log in as them to being logged in somewhere else, changing their password and the session with the old password still being active. I ran a search of the security event log on the domain controllers and found the name of the machine that the user was being locked out from. The event ID for lockout events is 4740 for Read more [...]

Create AD Group and Copy a Group’s Members with PowerShell

This week, I was asked if I could export a list of users who were members of a specific group in Active Directory. My Question: What's this list for? Answer: We're working on a project that requires us to create a new security group in Active Directory and we're going to add all the users on the list to the new group. I determined that this new group really was necessary. My response: I can do even better than providing you guys with a list. I can create the new AD group, output a list of users, Read more [...]

Create an Active Directory User Account with PowerShell

I’m in the process of installing SQL Denali and need a couple of user accounts created. If you are creating the Active Directory user on a machine other than a domain controller, you’ll need to install the Active Directory module for Windows PowerShell. Then import the Active Directory module. To see the syntax and available options for creating an Active Directory user using PowerShell, type "Get-Help New-ADUser" inside the PowerShell console. Store Read more [...]

Time Synchronization in an Active Directory Environment

In an Active Directory environment the default time source is the domain controller in your forest root domain that is running the PDC emulator FSMO role. Keep in mind that the PDC emulator FSMO role is a domain level FSMO role so each domain will have one, but each domain’s PDC emulator will receive its time from the forest root’s PDC emulator. The following procedure will walk you through the steps of configuring the forest root’s PDC emulator to receive its time updates from an Internet Read more [...]

Managed Service Accounts

Managed Service Accounts seem to be the end-all and fix-all for those services such as Exchange or SQL that we have all at some point either set to run as Local System, an administrator account, or at best a domain user account that has been set up with the principle of least privilege. Using an account such as Local System grants more rights than necessary, and the service ends up running as a local administrator equivalent. Using a normal domain user account, even if it has been set up with the principle Read more [...]

When was an Active Directory Group Created or Modified?

This week I needed to figure out when a group was created in one of the Active Directory environments that I provide support for. I looked at the group using “Active Directory Users and Computers” and didn’t see anything that would tell me when it was created. I did a quick Google search and found a way to accomplish this for a similar item (a user object) using VBScript. The example for a user object that I found was on a “Hey, Scripting Guy! Blog”. Here’s an example of how to find Read more [...]

Active Directory Time Synchronization Problems with Hyper-V

One of my customers contacted me today with an issue where the time on all of their servers was off by about 8 minutes or so. My first thought was “which Active Directory domain controller is their authoritative time server?” and “I’ll update the time on it manually and then set it up to synchronize from an Internet time server”. By default, the authoritative time server for your organization is the server that holds the PDC Emulator FSMO role in the forest root domain. You can run Read more [...]

Migrate Active Directory from 2003 R2 to 2008 R2 Server Core

This blog will step you through the process of migrating your Active Directory domain controllers from Microsoft Windows Server 2003 R2 to Windows Server 2008 R2 Server Core. Server Core is an excellent choice for dedicated domain controllers since it requires less maintenance, has a reduced attack surface, requires less management, and will run on less hardware. Lots of people are scared off by Server Core because there's no GUI. To be honest with you, it's a blessing in disguise since you shouldn't Read more [...]