Active Directory


Use PowerShell to Install a DHCP Server on a Windows Server 2019 (Server Core) Active Directory Domain Controller

You need to have an Active Directory domain in place. I’m picking up where I left off in my previous blog article Use PowerShell to Create a New Active Directory Forest on Windows 2019 Server Core Installation (no-GUI). The procedure shown in this blog article is for demonstration purposes only. Install the DHCP server feature: Install-WindowsFeature -Name DHCP. Add the DHCP scope to the server: Add-DhcpServerv4Scope -Name '192.168.129.x' -StartRange 192.

Use PowerShell to Create a New Active Directory Forest on Windows 2019 Server Core Installation (no-GUI)

You have a fresh installation of Windows Server 2019 that was installed using the default installation type of server core installation (no-GUI). This server will be the first domain controller in a brand new Active Directory forest. You’ve completed the following configuration prior to attempting to turn this server into a domain controller: install all the available Windows Updates, set the time zone, set the computer name, and set a static IP address. Log into the server and launch PowerShell by typing powershell.

The PowerShell Conference Book is the Featured Book and the Number 1 Best Seller on Leanpub

By now, I’m sure you’ve heard about The PowerShell Conference Book. If not, see my previous blog article. The PowerShell Conference Book is currently the featured book on Leanpub. It’s also the number one best seller on Leanpub. And the top book on Leanpub. The book was published last Friday, July 6th with nine of the thirty-three chapters and we’ve added an additional six chapters since then. I would like to thank everyone who has purchased the book so far.

Announcing the PowerShell Conference Book

A couple of months ago, I saw a tweet from Don Jones about how much it costs to sponsor one person for the OnRamp Scholarship Program. I replied wanting to know if the DevOps Collective had considered becoming part of the Leanpub for Causes program so that portions of an author’s royalties could be donated to the program. My initial thought was that I could donate a portion of the royalties from my PowerShell 101 book to the program.

Determine the Default Password Policy for an Active Directory Domain with PowerShell

I’ve been working with PowerShell since the version 1.0 days and I’m still amazed that I find cmdlets that I didn’t know existed. Back in 2003, I had written some PowerShell code to query group policy for the lockout policy of an Active Directory domain. It used code similar to what’s shown in the following example which requires the GroupPolicy PowerShell module that installs as part of the RSAT (Remote Server Administration Tools).

Test Active Directory User Accounts for a Default Password with PowerShell

How do you control password resets in your environment? I’ve worked for numerous companies where their forgotten password reset process was all over the board. Hopefully you have a process in place that allows you to sleep at night. Even with the best policies and procedures in place, what happens when someone on your help desk staff resets a user’s password to some default password and forgets to set the account so the password has to be changed at next logon?

PowerShell One-Liner to Disable Active Directory Accounts and Log the Results to a SQL Server Database

The new PowerShell cmdlets that are part of the SQLServer PowerShell module that’s distributed as part of SSMS (SQL Server Management Studio) 2016 make it super easy to write the output of PowerShell commands to a SQL Server database. The ActiveDirectory PowerShell module that’s part of the RSAT (Remote Server Administration Tools) is also required by the code shown in this blog article. This PowerShell one-liner retrieves a list of Active Directory users who have not logged in within the past 120 days, are enabled, and exist in the Adventure Works OU (Organizational Unit).

Use PowerShell to Add Active Directory Users to Specific Groups based on a CSV file

I recently responded to a post in a forum about adding Active Directory users to groups with PowerShell based on information contained in a CSV (Comma Separated Values file format). I thought I would not only share the scenario and solution that I came up with but also elaborate on adding additional functionality that may be desired. In this scenario, you’ve been provided with a CSV file that contains a list of Active Directory users and the groups that they should be a member of as shown in the following image:

Building logic into PowerShell functions to nag users before their Active Directory password expires

This week I’m sharing a couple of PowerShell functions that are a work in progress to nag those users who seem to never want to change their passwords. I can’t tell you how many times the help desk staff at one of the companies that I provide support for receives a call from a user who is unable to access email or other resources on the intranet. The problem? They have run their password down to the point where they arrive in the morning, log into their computer without issue, and during the day while they’re working their password expires which cuts them off from Intranet resources such as email and websites that require authentication.

Video: Demystifying Active Directory User Account Lockouts with PowerShell

A few months ago I created an audition video for Pluralsight on “Demystifying Active Directory User Account Lockouts with PowerShell” and I thought I would share that video with you, the readers of my blog site: You can also find this video on my YouTube channel. Happy New Year!

PowerShell: Filter by User when Querying the Security Event Log with Get-WinEvent and the FilterHashTable Parameter

I recently ran across something interesting that I thought I would share. The help for the FilterHashTable parameter of Get-WinEvent says that you can filter by UserID using an Active Directory user account’s SID or domain account name: help Get-WinEvent -Parameter filterhashtable. Notice that the help also says the data key can be used for unnamed fields in classic event logs. I often hear the question wanting to know what the valid key pairs are for the hash table.

Using PowerShell Desired State Configuration to build the first domain controller in your Active Directory forest

If you’re a frequent reader of the blog articles on this site, then you know that I’ve been working on using Desired State Configuration to build my test lab environment that runs as Hyper-V VM’s on my Windows 8.1 computer. If you would like to know the current state of my test environment, see the previous blog article: “Creating a Desired State Configuration Resource for Self Signed Certificates”. The certificate created in last week’s blog has been exported and copied to the Windows 8.

Use PowerShell to Install Active Directory Certificate Services

In this blog article, I’ll use PowerShell to install Active Directory Certificate Services in my test environment. The domain controller that’s being used is running Windows Server 2012 R2 Server Core Installation (no-GUI). The workstation that I’m using is running Windows 8.1 and it is a member of the same Active Directory domain. Many times when I’m prototyping something on a single remote server, I’ll use one to one remoting so that it’s an interactive session.

PowerShell: When Best Practices and Accurate Results Collide

I’m a big believer in trying to write my PowerShell code to what the industry considers to be the best practices as most are common sense anyway, although as one person once told me: “Common sense isn’t all that common anymore”. I would hope that even the most diehard best practices person would realize that if you run into a scenario where following best practices causes the results to be skewed, that at least in that scenario it’s worth taking a step back so you can see the bigger picture.

Use PowerShell to Determine the Differences in Group Membership between Active Directory Users

I recently saw a post on Reddit where someone was trying to create a function that takes an Active Directory user name as input for a manager who has direct reports (subordinates) specified in Active Directory. They wanted to determine if the Active Directory group membership of any of those subordinates is different than the others. There are two different parts to this scenario. Returning a list of the manager’s direct reports by querying that property from the manager’s user account in Active Directory:

Set a User’s Active Directory Display Name with PowerShell

I recently saw an article on how to set a user’s Active Directory display name based on the values of their given name, initials, and surname. I came up with my own unique solution for this task and thought I would share it with you, the readers of my blog. As you can see in the following example, there are a mixture of users who need their display name corrected based on the requirement that their display name be listed as “Givenname Initials Surname”:

Find and Disable Active Directory Users with PowerShell Faster than You can Open the GUI

In this scenario, a support request has been escalated to you because the help desk is unable to find a user account in Active Directory that needs to be disabled. The help desk included a screenshot where they attempted to search for the user who is named “William Doe”: The request you received also stated that the user is in the “Sales” department so you perform a quick search for users who have a last name of “Doe” and who are also in the “Sales” department:

Extract the Name from an Active Directory Distinguished Name with PowerShell and a Regular Expression

This is actually something I had a small blurb about in my previous blog article, but I wanted to go back, revisit it, and write a dedicated blog article about it. Sometimes there are properties in Active Directory like the one in the following example where the “Manager” property is being returned as a distinguished name and what you really wanted was just their name (in human readable format): Get-ADUser -Filter * -SearchBase 'OU=Northwind Users,OU=Users,OU=Test,DC=mikefrobbins,DC=com' -Properties Manager, Title | Format-Table -Property Name, Title, Manager -AutoSize. You could write a complicated function or script to query Active Directory for the “Managers” information and create a custom object to return both the actual user’s information and the manager’s information, but if you simply want the name of the manager (in this example), it’s much easier to use the substring method or a regular expression.

Create Active Directory Users’ Home Folders and Assign Permissions with PowerShell

The following function is a work in progress, but I thought I would go ahead and share it. This function requires a module named PowerShellAccessControl that was created by Rohn Edwards which is downloadable from the TechNet Script Repository. The version 3.0 beta revision of his module which is also downloadable on that same page is what was used to test the examples shown in this blog article. #Requires -Version 3.

Using PowerShell to Search for Specific Users in Active Directory without Knowing their Exact Information

You’re looking for a user in your Active Directory environment who goes by the nickname of “JW”. You know that’s the user’s initials and you need to find their AD user account. Typically you’d use the Identity parameter, but that parameter doesn’t allow wildcards: Get-ADUser -Identity j*w*. Verifying wildcards are not allowed on the Identity parameter of Get-ADUser: help Get-ADUser -Parameter identity. What you’ll need to do is use the Filter parameter instead:

Helping Others at Microsoft TechEd with PowerShell 911

While at Microsoft TechEd last week, I met a gentleman from Europe who was experiencing a particular issue with the Get-ADUser PowerShell cmdlet. When Get-ADUser is used with a hard coded value such as name as shown in the following example, it returns the expected information without issue: Get-ADUser -Filter {Name -eq 'Administrator'} The issue is that when the name, for example, is stored in a variable and double quotes are used to try to expand the variable, nothing is returned:

Run a local PowerShell Function against a Remote Computer with PowerShell Remoting

Did you know that it’s super easy to run a function that exists only on your local computer against a remote computer even when no remoting capabilities have been added to the function itself? It does however require that PowerShell remoting be enabled on the remote system, but if you’re running Windows Server 2012 or higher, PowerShell remoting is enabled by default on those operating systems. I’ll start off by creating a function that performs a meaningful task so I can use it to demonstrate this process.

Use PowerShell to Determine the PDC Emulator FSMO Role Holder in your Active Directory Forest Root Domain

Each domain has a PDC emulator FSMO role so how do I determine which domain controller holds the PDC emulator FSMO role in the forest root domain if I have multiple domains in my forest? Sounds like you can’t see the forest root for the trees :-). The answer of course is with PowerShell: Get-ADForest | Select-Object -ExpandProperty RootDomain | Get-ADDomain | Select-Object -Property PDCEmulator The Active Directory PowerShell module which is part of the Remote Server Administration Tools (RSAT) is installed on the workstation these commands are being run from.

Add an Active Directory User to the Same Groups as Another User with PowerShell

A request has been received to grant additional permissions to an existing user in your organization’s Active Directory environment. The username of this existing user is “frank0”. In addition to his current responsibilities, Frank will be taking on the responsibilities of Alan who goes by the username of “alan0”. Note: The examples shown in this blog article are being performed on a Windows 8.1 machine that has the remote server administration tools installed.

Setting an Active Directory User Account to Expire at a Specific Time of Day with PowerShell

Notice that in Active Directory Users and Computers (ADUC) when setting the expiration of a user account, there’s only a way to have the account expire at the end of a specific day: The same option exists in the Active Directory Administrative Center (ADAC): In ADAC, you can see the PowerShell command that the GUI uses to accomplish this task: Let’s query that particular property with PowerShell to see exactly what it’s now set to:

PowerShell Script to Determine What Device is Locking Out an Active Directory User Account

I recently received a request to determine why a specific user account was constantly being locked out after changing their Active Directory password and while I’ve previously written scripts to accomplish this same type of task, I decided to write an updated script. Active Directory user account lockouts are replicated to the PDC emulator in the domain through emergency replication and while I could have used the Get-ADDomain cmdlet to easily determine the PDC emulator for the domain:

Lock Out Active Directory User Accounts with PowerShell

As I’m sure you’re aware, there’s no setting where you can simply flip a switch to lock out Active Directory user accounts. So what is one to do if you need some locked out accounts to do testing with? This script is something I whipped up to accomplish just that because I’m working on another blog where I need some locked out Active Directory user accounts to work with. This script requires the RSAT tools to be installed on the workstation that it is being run from, specifically the Active Directory and Group Policy modules.

Windows 8.1 RSAT PowerShell Cmdlets Get-ADUser & Get-ADComputer : One or more Properties are Invalid

I saw a tweet yesterday from Chris Duck about a PowerShell version 4.0 bug. Here’s a link to the Connect Bug on this particular issue. The issue occurs when you try to use the Get-ADUser or Get-ADComputer cmdlets along with specifying the Properties parameter with the asterisk “*” wildcard character to select all of the properties. No issue when the client is running Windows 8.1 with the RSAT tools installed and the Active Directory domain controllers are running Windows Server 2012 R2:

PowerShell Function to Determine the Active Directory FSMO Role Holders via the .NET Framework

Last week I posted a PowerShell function to determine what Active Directory domain controllers held the FSMO roles for one or more domains and forests. That particular function used the Get-ADDomain and Get-ADForest cmdlets which are part of the Active Directory PowerShell module. As it so happens, a friend of mine, Shay Levy who is a PowerShell MVP posted an article on PowerShell Magazine that uses a couple of one liners that use the .

Use PowerShell to Find Where the Current FSMO Roles are Assigned in Active Directory

A while back, I had a need to figure out with PowerShell what server in an Active Directory domain held the PDC Emulator FSMO Role. I found a script on a very popular blog site that figured it out by using a command similar to this: Get-ADDomainController -Filter * | where OperationMasterRoles -contains PDCEmulator | select Name While it accomplished what was necessary, I immediately thought “I can do better” and improved the one liner so it filtered left:

Use PowerShell to add an additional Domain Controller to an existing Windows Server 2012 Active Directory Domain

Recently, I decided to add a second domain controller to my mikefrobbins.com domain. The existing server and this new server that will become a domain controller both run the Microsoft Windows Server 2012 operating system and both were installed with the default installation type of server core (no GUI). Even though the GUI can be turned on and off in Windows Server 2012 (unlike in Windows Server 2008 and 2008 R2), I prefer not to add the GUI unless absolutely necessary.

Book Review: Learn Active Directory Management in a Month of Lunches

The Learn Active Directory Management in a Month of Lunches book by PowerShell MVP Richard Siddaway is now available on the Manning.com website via their Early Access Program (MEAP). As Richard says in Chapter 1: This book is “A straight forward guide to administering Active Directory delivered in lunch sized pieces”. It focuses on what you need to know to do your job as an Active Directory administrator in the real world.

Use PowerShell to Create Active Directory User Accounts from Data Contained in the Adventure Works 2012 Database

This past Saturday, I presented a session at PowerShell Saturday 003 in Atlanta. Towards the end of the presentation, I created 290 Active Directory user accounts by using the information for employees contained in the Adventure Works 2012 database. This is actually a PowerShell script that I whipped up Friday night at the hotel after the speaker dinner. I populated some demographic information by joining multiple tables together from that particular database.

Use PowerShell to Create a New Active Directory Forest on Windows 2012 Server Core Installation (no-GUI)

You have a fresh installation of Windows Server 2012 that was installed using the default installation type of server core installation (no-GUI). This server will be the first domain controller in a brand new Active Directory forest. Log into the server and launch PowerShell by typing “powershell.exe”. You’ll need to first add the AD-Domain-Services role to the server: Add-WindowsFeature AD-Domain-Services The installation of this role completes and a restart is not required:

Use PowerShell to Copy the Group Membership of one Active Directory User to Another Active Directory User Account

You have an Active Directory user account and you want to make a second user a member of the same groups without removing the second user from any groups they may already be a member of. I prefer using the Quest PowerShell Cmdlets for Active Directory for doing my AD administration work. They have been downloaded and installed on the system this is being run from. The Quest snap-in has been added to make the cmdlets available.

Use Data Stored in a SQL Server Database to Create Active Directory User Accounts with PowerShell

I need a few Active Directory users created in my mikefrobbins.com test environment so I thought why come up with fake information when I could use information that I already have in a SQL Server database? The Employees table in the Northwind database looks like an easy enough candidate since all the data I need is in one table. This is about the concept and not about seeing how complicated I can make this process.

Use PowerShell to Determine What Roles are Added When Turning a Windows 2012 Server into a Domain Controller

Goal: Determine what roles are installed when turning a Windows Server 2012 machine into a domain controller. I started out by using PowerShell to save a list of what roles are installed on a plain vanilla 2012 server that has the full GUI installation. The following one liner would be used in PowerShell version 2 to accomplish this task and the syntax is compatible with version 3: Get-WindowsFeature | Where-Object {$_.

Using the Quest Active Directory PowerShell Snapin to Search For & Set Attributes

I want to make sure that all users in a specific OU in my mikefrobbins.com Active Directory domain have the “Deny this user permissions to log on to Remote Desktop Session Host server” option set (checked): Download the Quest Active Directory PowerShell Snapin (free). The PowerShell command shown below searches this specific OU in my Active Directory domain for users where this attribute is not equal to false. The default setting is blank (allowed) as shown with the Gill Bates user below.

Importing PowerShell Modules and Locating Added Cmdlets

Want to add a feature to a Windows Server 2008 R2 machine using PowerShell? That functionality is part of the ServerManager PowerShell module that’s installed by default on 2008 R2. The module has to be imported for its cmdlets to be made available since it’s not loaded by default when you launch PowerShell. To view the modules that are available to be imported, run Get-Module -ListAvailable. The ServerManager module has to be imported so that its commands are made available to PowerShell.

Unable to Grant Domain Local Groups Full Access Permission to an Exchange 2010 Mailbox using the GUI

John Doe is a user in your Active Directory environment (Windows Server 2008 R2 Forest Function Level) with a mailbox on the email server (Exchange Server 2010 with SP2): You want to grant a domain local group named “Test Group” the full access permission to John Doe’s mailbox: You attempt to grant this permission by selecting “Manage Full Access Permission” from the Exchange 2010 Management Console: When you click add and search for the group, it doesn’t appear:

Oh Where, Oh Where Have My Group Policy Options Gone?

You are unable to find specific GPO options such as “Compatibility View” settings for Internet Explorer. One of the first things to look at is: Where are the policy definitions being retrieved from? The default for an Active Directory environment is from the local machine as shown in the image below: If you’re editing the GPO on a domain controller and have multiple domain controllers that are running different operating system versions, the available options will vary from machine to machine.

Find AD User Account Lockout Events with PowerShell

A few weeks ago a user contacted me and stated they were constantly being locked out throughout the day. This could have been caused by a number of things from someone else trying to log in as them to being logged in somewhere else, changing their password and the session with the old password still being active. I ran a search of the security event log on the domain controllers and found the name of the machine that the user was being locked out from.

Create AD Group and Copy a Group’s Members with PowerShell

This week, I was asked if I could export a list of users who were members of a specific group in Active Directory. My Question: What’s this list for? Answer: We’re working on a project that requires us to create a new security group in Active Directory and we’re going to add all the users on the list to the new group. I determined that this new group really was necessary.

Create an Active Directory User Account with PowerShell

I’m in the process of installing SQL Denali and need a couple of user accounts created. If you are creating the Active Directory user on a machine other than a domain controller, you’ll need to install the Active Directory module for Windows PowerShell and then import it: Import-Module ServerManager; Add-WindowsFeature RSAT-AD-PowerShell; Import-Module ActiveDirectory. To see the syntax and available options for creating an Active Directory user using PowerShell, type “Get-Help New-ADUser” inside the PowerShell console.

Time Synchronization in an Active Directory Environment

In an Active Directory environment the default time source is the domain controller in your forest root domain that is running the PDC emulator FSMO role. Keep in mind that the PDC emulator FSMO role is a domain level FSMO role so each domain will have one, but each domain’s PDC emulator will receive its time from the forest root’s PDC emulator. The following procedure will walk you through the steps of configuring the forest root’s PDC emulator to receive its time updates from an Internet time server.

Managed Service Accounts

Managed Service Accounts seem to be the end all and fix all for those services such as Exchange or SQL that we have all at some point either set to run as local system, an administrator account, or at best a domain user account that has been set up with the principle of least privilege. Using an account such as local system grants more rights than necessary and the service ends up running as a local administrator equivalent.

When was an Active Directory Group Created or Modified?

This week I needed to figure out when a group was created in one of the Active Directory environments that I provide support for. I looked at the group using “Active Directory Users and Computers” and didn’t see anything that would tell me when it was created. I did a quick Google search and found a way to accomplish this for a similar item (a user object) using VBScript. The example for a user object that I found was on a Hey, Scripting Guy!

Active Directory Time Synchronization Problems with Hyper-V

One of my customers contacted me today with an issue where the time on all of their servers was off by about 8 minutes or so. My first thought was “which Active Directory domain controller is their authoritative time server?” and “I’ll update the time on it manually and then set it up to synchronize from an Internet time server”. By default, the authoritative time server for your organization is the server that holds the PDC Emulator FSMO role in the forest root domain.

Migrate Active Directory from 2003 R2 to 2008 R2 Server Core

This blog will step you through the process of migrating your Active Directory domain controllers from Microsoft Windows Server 2003 R2 to Windows Server 2008 R2 Server Core. Server Core is an excellent choice for dedicated domain controllers since it requires less maintenance, has a reduced attack surface, requires less management, and will run on less hardware. Lots of people are scared off by Server Core because there’s no GUI. To be honest with you, it’s a blessing in disguise since you shouldn’t be managing your production Active Directory environment directly on your domain controllers anyway.

How to create an Administrative shortcut.

As most systems administrators know, you should log into your computer as a normal domain user who does not have elevated privileges in your Active Directory domain and only run administrative programs with elevated privileges when necessary. You could hold down shift, right click the shortcut, and select “Run as different user” to run a program as a user who has elevated privileges in your Active Directory domain, but there’s an easier, more efficient way to run programs that always require elevated privileges.

Infrastructure Master FSMO Role Placement

The Infrastructure Master Role is one of the three domain operations masters. Its placement is like many other questions in Information Technology, that is, it depends. It depends on the number of domains in the forest and whether or not all domain controllers in a particular domain have been designated as a global catalog server. The infrastructure master is responsible for updating its domain’s references to objects in other domains in a multi-domain forest by checking its references with the global catalog.