Active Directory


Use PowerShell to Install a DHCP Server on a Windows Server 2019 (Server Core) Active Directory Domain Controller

You need to have an Active Directory domain in place. I’m picking up where I left off in my previous blog article Use PowerShell to Create a New Active Directory Forest on Windows 2019 Server Core Installation (no-GUI). The procedure shown in this blog article is for demonstration purposes only. Install the DHCP server feature. Install-WindowsFeature -Name DHCP Add the DHCP scope to the server. Add-DhcpServerv4Scope -Name '192.168.129.x' -StartRange 192.

Use PowerShell to Create a New Active Directory Forest on Windows 2019 Server Core Installation (no-GUI)

You have a fresh installation of Windows Server 2019 that was installed using the default installation type of server core installation (no-GUI). This server will be the first domain controller in a brand new Active Directory forest. You’ve completed the following configuration prior to attempting to turn this server into a domain controller: Install all the available Windows Updates Set the time zone Set the computer name Set a static IP address Log into the server and launch PowerShell by typing powershell.

Determine the Default Password Policy for an Active Directory Domain with PowerShell

I’ve been working with PowerShell since the version 1.0 days and I’m still amazed that I find cmdlets that I didn’t know existed. Back in 2003, I had written some PowerShell code to query group policy for the lockout policy of an Active Directory domain. It used code similar to what’s shown in the following example which requires the GroupPolicy PowerShell module that installs as part of the RSAT (Remote Server Administration Tools).

Test Active Directory User Accounts for a Default Password with PowerShell

How do you control password resets in your environment? I’ve worked for numerous companies where their forgotten password reset process was all over the board. Hopefully you have a process in place that allows you to sleep at night. Even with the best policies and procedures in place, what happens when someone on your help desk staff resets a users password to some default password and forgets to set the account so the password has to be changed at next logon?

PowerShell One-Liner to Disable Active Directory Accounts and Log the Results to a SQL Server Database

The new PowerShell cmdlets that are part of the SQLServer PowerShell module that’s distributed as part of SSMS (SQL Server Management Studio) 2016 make it super easy to write the output of PowerShell commands to a SQL Server database. The ActiveDirectory PowerShell module that’s part of the RSAT (Remote Server Administration Tools) is also required by the code shown in this blog article. This PowerShell one-liner retrieves a list of Active Directory users who have not logged in within the past 120 days, are enabled, and exist in the Adventure Works OU (Organizational Unit).

Use PowerShell to Add Active Directory Users to Specific Groups based on a CSV file

I recently responded to a post in a forum about adding Active Directory users to groups with PowerShell based on information contained in a CSV (Comma Separated Values file format). I thought I would not only share the scenario and solution that I came up with but also elaborate on adding additional functionality that may be desired. In this scenario, you’ve been provided with a CSV file that contains a list of Active Directory users and the groups that they should be a member of as shown in the following image:

Building logic into PowerShell functions to nag users before their Active Directory password expires

This week I’m sharing a couple of PowerShell functions that are a work in progress to nag those users who seem to never want to change their passwords. I can’t tell you how many times the help desk staff at one of the companies that I provide support for receives a call from a user who is unable to access email or other resources on the intranet. The problem? They have run their password down to the point where they arrive in the morning, log into their computer without issue, and during the day while they’re working their password expires which cuts them off from Intranet resources such as email and websites that require authentication.

Video: Demystifying Active Directory User Account Lockouts with PowerShell

A few months ago I created an audition video for Pluralsight on “Demystifying Active Directory User Account Lockouts with PowerShell” and I thought I would share that video with you, the readers of my blog site: You can also find this video on my YouTube channel. µ

PowerShell: Filter by User when Querying the Security Event Log with Get-WinEvent and the FilterHashTable Parameter

I recently ran across something interesting that I thought I would share. The help for the FilterHashTable parameter of Get-WinEvent says that you can filter by UserID using an Active Directory user account’s SID or domain account name: help Get-WinEvent -Parameter filterhashtable Notice that the help also says the data key can be used for unnamed fields in classic event logs. I often hear the question wanting to know what the valid key pairs are for the hash table.

Using PowerShell Desired State Configuration to build the first domain controller in your Active Directory forest

If you’re a frequent reader of the blog articles on this site, then you know that I’ve been working on using Desired State Configuration to build my test lab environment that runs as Hyper-V VM’s on my Windows 8.1 computer. If you would like to know the current state of my test environment, see the previous blog article: Creating a Desired State Configuration Resource for Self Signed Certificates. The certificate created in last week’s blog has been exported and copied to the Windows 8.

Use PowerShell to Install Active Directory Certificate Services

In this blog article, I’ll use PowerShell to install Active Directory Certificate Services in my test environment. The domain controller that’s being used is running Windows Server 2012 R2 Server Core Installation (no-GUI). The workstation that I’m using is running Windows 8.1 and it is a member of the same Active Directory domain. Many times when I’m prototyping something on a single remote server, I’ll use one to one remoting so that it’s an interactive session.

PowerShell: When Best Practices and Accurate Results Collide

I’m a big believer in trying to write my PowerShell code to what the industry considers to be the best practices as most are common sense anyway, although as one person once told me: “Common sense isn’t all that common anymore”. I would hope that even the most diehard best practices person would realize that if you run into a scenario where following best practices causes the results to be skewed, that at least in that scenario it’s worth taking a step back so you can see the bigger picture.

Use PowerShell to Determine the Differences in Group Membership between Active Directory Users

I recently saw a post on Reddit where someone was trying to create a function that takes an Active Directory user name as input for a manager who has direct reports (subordinates) specified in Active Directory. They wanted to determine if the Active Directory group membership of any of those subordinates is different than the others. There are two different parts to this scenario. Returning a list of the manager’s direct reports by querying that property from the manager’s user account in Active Directory:

Set a Users Active Directory Display Name with PowerShell

I recently saw an article on how to set a users Active Directory display name based on the values of their given name, initials, and surname. I came up with my own unique solution for this task and thought I would share it with you, the readers of my blog. As you can see in the following example, there are a mixture of users who need their display name corrected based on the requirement that their display name be listed as Givenname Initials Surname:

Find and Disable Active Directory Users with PowerShell Faster than You can Open the GUI

In this scenario, a support request has been escalated to you because the help desk is unable to find a user account in Active Directory that needs to be disabled. The help desk included a screenshot where they attempted to search for the user who is named “William Doe”: The request you received also stated that the user is in the Sales department so you perform a quick search for users who have a last name of “Doe” and who are also in the Sales department:

Extract the Name from an Active Directory Distinguished Name with PowerShell and a Regular Expression

This is actually something I had a small blurb about in my previous blog article, but I wanted to go back, revisit it, and write a dedicated blog article about it. Sometimes there are properties in Active Directory like the one in the following example where the Manager property is being returned as a distinguished name and what you really wanted was just their name (in human readable format): Get-ADUser -Filter * -SearchBase 'OU=Northwind Users,OU=Users,OU=Test,DC=mikefrobbins,DC=com' -Properties Manager, Title | Format-Table -Property Name, Title, Manager -AutoSize You could write a complicated function or script to query Active Directory for the Managers information and create a custom object to return both the actual users information and the managers information, but if you simply want the name of the manager (in this example), it’s much easier to use the substring method or a regular expression.

Create Active Directory Users Home Folder and Assign Permissions with PowerShell

The following function is a work in progress, but I thought I would go ahead and share it. This function requires a module named PowerShellAccessControl that was created by Rohn Edwards which is downloadable from the TechNet Script Repository. The version 3.0 beta revision of his module which is also downloadable on that same page is what was used to test the examples shown in this blog article. #Requires -Version 3.

Using PowerShell to Search for Specific Users in Active Directory without Knowing their Exact Information

You’re looking for a user in your Active Directory environment who goes by the nickname of JW. You know that’s the user’s initials and you need to find their AD user account. Typically you’d use the Identity parameter, but that parameter doesn’t allow wildcards: Get-ADUser -Identity j*w* Verifying wildcard’s are not allowed on the Identity parameter of Get-ADUser: help Get-ADUser -Parameter identity What you’ll need to do is use the Filter parameter instead:

Helping Others at Microsoft TechEd with PowerShell 911

While at Microsoft TechEd last week, I met a gentleman from Europe who was experiencing a particular issue with the Get-ADUser PowerShell cmdlet. When Get-ADUser is used with a hard coded value such as name as shown in the following example, it returns the expected information without issue: Get-ADUser -Filter {Name -eq 'Administrator'} The issue is that when the name, for example, is stored in a variable and double quotes are used to try to expand the variable, nothing is returned:

Run a local PowerShell Function against a Remote Computer with PowerShell Remoting

Did you know that it’s super easy to run a function that exists only on your local computer against a remote computer even when no remoting capabilities have been added to the function itself? It does however require that PowerShell remoting be enabled on the remote system, but if you’re running Windows Server 2012 or higher, PowerShell remoting is enabled by default on those operating systems. I’ll start off by creating a function that performs a meaningful task so I can use it to demonstrate this process.

Use PowerShell to Determine the PDC Emulator FSMO Role Holder in your Active Directory Forest Root Domain

Each domain has a PDC emulator FSMO role so how do I determine which domain controller holds the PDC emulator FSMO role in the forest root domain if I have multiple domains in my forest? Sounds like you can’t see the forest root for the trees :-). The answer of course is with PowerShell: Get-ADForest | Select-Object -ExpandProperty RootDomain | Get-ADDomain | Select-Object -Property PDCEmulator The Active Directory PowerShell module which is part of the Remote Server Administration Tools (RSAT) is installed on the workstation these commands are being run from.

Add an Active Directory User to the Same Groups as Another User with PowerShell

A request has been received to grant additional permissions to an existing user in your organizations Active Directory environment. The username of this existing user is frank0. In additional to his current responsibilities, Frank will be taking on the responsibilities of Alan who goes by the username of alan0. Note: The examples shown in this blog article are being performed on a Windows 8.1 machine that has the Remote Server Administration Tools installed.

Setting an Active Directory User Account to Expire at a Specific Time of Day with PowerShell

Notice that in Active Directory Users and Computers (ADUC) when setting the expiration of a user account, there’s only a way to have the account expire at the end of a specific day: The same option exists in the Active Directory Administrative Center (ADAC): In ADAC, you can see the PowerShell command that the GUI uses to accomplish this task: Let’s query that particular property with PowerShell to see exactly what it’s now set to:

PowerShell Script to Determine What Device is Locking Out an Active Directory User Account

I recently received a request to determine why a specific user account was constantly being locked out after changing their Active Directory password and while I’ve previously written scripts to accomplish this same type of task, I decided to write an updated script. Active Directory user account lockouts are replicated to the PDC emulator in the domain through emergency replication and while I could have used the Get-ADDomain cmdlet to easily determine the PDC emulator for the domain:

Lock Out Active Directory User Accounts with PowerShell

As I’m sure you’re aware, there’s no setting where you can simply flip a switch to lock out Active Directory user accounts. So what is one to do if you need some locked out accounts to do testing with? Disclaimer: All data and information provided on this site is for informational purposes only. Mike F Robbins (mikefrobbins.com) makes no representations as to accuracy, completeness, currentness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.

Windows 8.1 RSAT PowerShell Cmdlets Get-ADUser & Get-ADComputer : One or more Properties are Invalid

I saw a tweet yesterday from Chris Duck about a PowerShell version 4.0 bug: The issue occurs when you try to use the Get-ADUser or Get-ADComputer cmdlets along with specifying the Properties parameter with the asterisk “*” wildcard character to select all of the properties. No issue when the client is running Windows 8.1 with the RSAT tools installed and the Active Directory domain controllers are running Windows Server 2012 R2:

PowerShell Function to Determine the Active Directory FSMO Role Holders via the .NET Framework

Last week I posted a PowerShell function to determine what Active Directory domain controllers held the FSMO roles for one or more domains and forests. That particular function used the Get-ADDomain and Get-ADForest cmdlets which are part of the Active Directory PowerShell module. As it so happens, a friend of mine, Shay Levy who is a PowerShell MVP posted an article on PowerShell Magazine that uses a couple of one liners that use the .

Use PowerShell to Find Where the Current FSMO Roles are Assigned in Active Directory

A while back, I had a need to figure out with PowerShell what server in an Active Directory domain held the PDC Emulator FSMO Role. I found a script on a very popular blog site that figured it out by using a command similar to this: Get-ADDomainController -Filter * | Where-Object OperationMasterRoles -contains PDCEmulator | Select-Object -Property Name While it accomplished what was necessary, I immediately thought “I can do better” and improved the one liner so it filtered left:

Use PowerShell to add an additional Domain Controller to an existing Windows Server 2012 Active Directory Domain

Recently, I decided to add a second domain controller to my mikefrobbins.com domain. The existing server and this new server that will become a domain controller both run the Microsoft Windows Server 2012 operating system and both were installed with the default installation type of server core (no GUI). Even though the GUI can be turned on and off in Windows Server 2012 (unlike in Windows Server 2008 and 2008 R2), I prefer not to add the GUI unless absolutely necessary.

Use PowerShell to Create Active Directory User Accounts from Data Contained in the Adventure Works 2012 Database

This past Saturday, I presented a session at PowerShell Saturday 003 in Atlanta. Towards the end of the presentation, I created 290 Active Directory user accounts by using the information for employees contained in the Adventure Works 2012 database. This is actually a PowerShell script that I whipped up Friday night at the hotel after the speaker dinner. I populated some demographic information by joining multiple tables together from that particular database.

Use PowerShell to Create a New Active Directory Forest on Windows 2012 Server Core Installation (no-GUI)

You have a fresh installation of Windows Server 2012 that was installed using the default installation type of server core installation (no-GUI). This server will be the first domain controller in a brand new Active Directory forest. Log into the server and launch PowerShell by typing powershell.exe. You’ll need to first add the AD-Domain-Services role to the server: Add-WindowsFeature AD-Domain-Services The installation of this role completes and a restart is not required:

Use Data Stored in a SQL Server Database to Create Active Directory User Accounts with PowerShell

I need a few Active Directory users created in my mikefrobbins.com test environment so I thought why come up with fake information when I could use information that I already have in a SQL Server database? The Employees table in the Northwind database looks like an easy enough candidate since all the data I need is in one table. This is about the concept and not about seeing how complicated I can make this process.