Category: Active Directory

Find and Disable Active Directory Users with PowerShell Faster than You can Open the GUI

In this scenario, a support request has been escalated to you because the help desk is unable to find a user account in Active Directory that needs to be disabled. The help desk included a screenshot where they attempted to search for the user who is named "William Doe": The request you received also stated that the user is in the "Sales" department so you perform a quick search for users who have a last name of "Doe" and who are also in the "Sales" department: Based [...]

Extract the Name from an Active Directory Distinguished Name with PowerShell and a Regular Expression

This is actually something I had a small blurb about in my previous blog article, but I wanted to go back, revisit it, and write a dedicated blog article about it. Sometimes there are properties in Active Directory like the one in the following example where the "Manager" property is being returned as a distinguished name and what you really wanted was just their name (in human-readable format): You could write a complicated function or script to query Active [...]

Create Active Directory Users Home Folder and Assign Permissions with PowerShell

The following function is a work in progress, but I thought I would go ahead and share it. This function requires a module named PowerShellAccessControl that was created by Rohn Edwards which is downloadable from the TechNet Script Repository. The version 3.0 beta revision of his module, which is also downloadable on that same page, is what was used to test the examples shown in this blog article. The following example demonstrates creating home folders and assigning [...]

Using PowerShell to Search for Specific Users in Active Directory without Knowing their Exact Information

You're looking for a user in your Active Directory environment who goes by the nickname of "JW". You know that's the user's initials and you need to find their AD user account. Typically you'd use the Identity parameter, but that parameter doesn't allow wildcards: Verifying wildcards are not allowed on the Identity parameter of Get-ADUser: What you'll need to do is use the Filter parameter instead: The [...]

Helping Others at Microsoft TechEd with PowerShell 911

While at Microsoft TechEd last week, I met a gentleman from Europe who was experiencing a particular issue with the Get-ADUser PowerShell cmdlet. When Get-ADUser is used with a hard-coded value such as a name, as shown in the following example, it returns the expected information without issue: The issue is that when the name, for example, is stored in a variable and double quotes are used to try to expand the variable, nothing is returned: For [...]

Run a local PowerShell Function against a Remote Computer with PowerShell Remoting

Did you know that it's super easy to run a function that exists only on your local computer against a remote computer even when no remoting capabilities have been added to the function itself? It does however require that PowerShell remoting be enabled on the remote system, but if you're running Windows Server 2012 or higher, PowerShell remoting is enabled by default on those operating systems. I'll start off by creating a function that performs a meaningful task so I can use it to demonstrate [...]

Use PowerShell to Determine the PDC Emulator FSMO Role Holder in your Active Directory Forest Root Domain

Each domain has a PDC emulator FSMO role, so how do I determine which domain controller holds the PDC emulator FSMO role in the forest root domain if I have multiple domains in my forest? Sounds like you can't see the forest root for the trees :-). The answer of course is with PowerShell: The Active Directory PowerShell module, which is part of the Remote Server Administration Tools (RSAT), is installed on the workstation these commands are being run from. [...]

Add an Active Directory User to the Same Groups as Another User with PowerShell

A request has been received to grant additional permissions to an existing user in your organization's Active Directory environment. The username of this existing user is "frank0". In addition to his current responsibilities, Frank will be taking on the responsibilities of Alan who goes by the username of "alan0". Note: The examples shown in this blog article are being performed on a Windows 8.1 machine that has the remote server administration tools installed. The Active Directory module is [...]

Setting an Active Directory User Account to Expire at a Specific Time of Day with PowerShell

Notice that in Active Directory Users and Computers (ADUC) when setting the expiration of a user account, there's only a way to have the account expire at the end of a specific day: The same option exists in the Active Directory Administrative Center (ADAC): In ADAC, you can see the PowerShell command that the GUI uses to accomplish this task: Let's query that particular property with PowerShell to see exactly what it's now set to: Notice [...]

PowerShell Script to Determine What Device is Locking Out an Active Directory User Account

I recently received a request to determine why a specific user account was constantly being locked out after changing their Active Directory password, and while I've previously written scripts to accomplish this same type of task, I decided to write an updated script. Active Directory user account lockouts are replicated to the PDC emulator in the domain through emergency replication, and while I could have used the Get-ADDomain cmdlet to easily determine the PDC emulator for the domain: That [...]

Lock Out Active Directory User Accounts with PowerShell

As I'm sure you're aware, there's no setting where you can simply flip a switch to lock out Active Directory user accounts. So what is one to do if you need some locked out accounts to do testing with? This script is something I whipped up to accomplish just that because I'm working on another blog where I need some locked out Active Directory user accounts to work with. This script requires the RSAT tools to be installed on the workstation that it is being run from, specifically the Active Directory [...]

Windows 8.1 RSAT PowerShell Cmdlets Get-ADUser & Get-ADComputer : One or more Properties are Invalid

I saw a tweet yesterday from Chris Duck about a PowerShell version 4.0 bug: Here's a link to the Connect Bug on this particular issue. The issue occurs when you try to use the Get-ADUser or Get-ADComputer cmdlets along with specifying the Properties parameter with the asterisk "*" wildcard character to select all of the properties. No issue when the client is running Windows 8.1 with the RSAT tools installed and the Active Directory domain controllers are running Windows Server 2012 [...]

PowerShell Function to Determine the Active Directory FSMO Role Holders via the .NET Framework

Last week I posted a PowerShell function to determine what Active Directory domain controllers held the FSMO roles for one or more domains and forests. That particular function used the Get-ADDomain and Get-ADForest cmdlets which are part of the Active Directory PowerShell module. As it so happens, a friend of mine, Shay Levy, who is a PowerShell MVP, posted an article on PowerShell Magazine that uses a couple of one-liners that use the .NET Framework to return the FSMO role holders. I'm not [...]

Use PowerShell to Find Where the Current FSMO Roles are Assigned in Active Directory

A while back, I had a need to figure out with PowerShell what server in an Active Directory domain held the PDC Emulator FSMO Role. I found a script on a very popular blog site that figured it out by using a command similar to this: While it accomplished what was necessary, I immediately thought "I can do better" and improved the one-liner so it filtered left: At the April Philadelphia PowerShell User Group meeting, [...]

Use PowerShell to add an additional Domain Controller to an existing Windows Server 2012 Active Directory Domain

Recently, I decided to add a second domain controller to my domain. The existing server and this new server that will become a domain controller both run the Microsoft Windows Server 2012 operating system and both were installed with the default installation type of server core (no GUI). Even though the GUI can be turned on and off in Windows Server 2012 (unlike in Windows Server 2008 and 2008 R2), I prefer not to add the GUI unless absolutely necessary. You've already loaded [...]

Book Review: Learn Active Directory Management in a Month of Lunches

The Learn Active Directory Management in a Month of Lunches book by PowerShell MVP Richard Siddaway is now available on the website via their Early Access Program (MEAP). As Richard says in Chapter 1: This book is "A straightforward guide to administering Active Directory delivered in lunch-sized pieces". It focuses on what you need to know to do your job as an Active Directory administrator in the real world. When I first heard of this book, I was excited because I thought it would [...]