This script creates a new ad user based on the following:
Script to Get Lockedout events from the security eventlog from the PDC
|
1 2 |
$DomainController = Get-ADDomainController -Service PrimaryDC -Discover Get-WinEvent -ComputerName $DomainController -FilterHashtable @{logname='security';ID=4740} |
To Copy the users from a ADgroup to another ADgroup or duplicate the contents of a group, us the commandlet Add-ADGroupMember.
You cannot pipe the contents of Get-ADGroupMember to this commandlet as it does not accept pipeline imput. You can check this in the help of the command.
|
1 2 3 4 5 6 7 8 9 |
PS C:\> get-help Add-ADGroupMember -Parameter members .... You cannot pass objects through the pipeline to this parameter. Required? true Position? 2 Default value Accept pipeline input? false Accept wildcard characters? false |
For this to work correctly you must place the content in a variable with Get-ADGroupMember and use this in Add-ADGroupMember.
These two command are:
|
1 2 3 |
PS C:\>$members = Get-ADGroupMember "SourceGroupName" PS C:\> foreach ($i in $members){Add-ADGroupMember -Identity "DestinationGroupName -Members $i} |
On the internet I found a nice looking script for creating a useraccount in the AD.
I have not tested this script so use at your own risk.
To view which user or group has access to a folder structure you must check this per folder.
Fortunately powershell has (ofcourse) the option to recursive check a folder structure and display the result in a nice textfile. The oneliner for this is:
|
1 |
Get-ChildItem -Recurse | where-object {($_.PsIsContainer)} | get-acl | format-list path,accesstostring > c:\permissions.txt |
You can use the get-acl command to display the effective permissions on a folder. This commandlet does not have the option to recursive go trough the entire folderstructure. Get-Childitem has this option and when you pipe it trough get-acl you get the list you want.
The where-object {($_.PsIsContainer)} is used to only display folders and not files.
With powershell you can get an insight about the nested group in the AD and enumerate group membership.
Which users are members of the Domain Admins group?
|
1 |
Get-ADGroupMember "Domain Admins" | ft name |
In which groups is an user a member?
|
1 |
Get-ADPrincipalGroupMembership user | ft name |
Is a user a nested member of the Domains Admins group?
|
1 |
Get-ADUser -Filter 'memberof -recursivematch "cn=domain admins,cn=users,dc=test,dc=internal"' | ft name |
To reset or change the active directory services restore password you must use the ntdsutil command. This command lets you access and change settings in the ADS.
|
1 2 3 |
PS C:\> ntdsutil C:\Windows\system32\ntdsutil.exe: set dsrm password Reset DSRM Administrator Password:_ |
To make a windows server a DC (domain controller) you must first install the feature. I first use the get-WindowsFeature to see if the correct feature is targeted.
|
1 |
get-WindowsFeature ad-domain-services | Install-WindowsFeature –IncludeManagementTools |
After the feature is installed, load the correct module and install the servers as a Domain controller for a new domain and forrest.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
Import-Module ADDSDeployment Install-ADDSForest ` -CreateDnsDelegation:$false ` -DatabasePath "C:\Windows\NTDS" ` -DomainMode "Win2012R2" ` -DomainName "test.internal" ` -DomainNetbiosName "TEST" ` -ForestMode "Win2012R2" ` -InstallDns:$true ` -LogPath "C:\Windows\NTDS" ` -NoRebootOnCompletion:$false ` -SysvolPath "C:\Windows\SYSVOL" ` -Force:$true |
I you have already a domain and forest up and running you must add a server to this domain.
|
1 2 |
Install-WindowsFeature -Name ad-domain-services Install-ADDSDOmainController -DomainName test.internal -Credential (Get-Credential test\administrator) |
To remove the domain controller function from a server use.
|
1 |
uninstall-ADDSDomainController |
Use the get-help with this cmdlet to see the options you can use.
Here are the commands for a workflow to create a new AD group and add a user to the group.
Nothing fancy but saves you the time to find the command next time.. 🙂
|
1 2 3 |
New-ADGroup -GroupCategory Security -GroupScope Global -Name "Name of the group" -PassThru -path "OU=Security Groups,OU=Groups,OU=company,DC=company,DC=nl" Add-ADGroupMember -Identity "Name of the group" -members UserToAdd get-aduser UserToCheck -Properties memberof |
If you want to get a list of all the AD groups a user is member of you can use
|
1 |
Get-ADUser <username> -Properties memberof |
This will give you a overview of the groups the user is a member of. It is however not easy to read. To get a list use Get-ADPrincipalGroupMembership. This will give you a list with one groupname per line.
|
1 |
Get-ADPrincipalGroupMembership <username> | select name |
Result:
|
1 2 3 4 5 |
name ---- Domain Users Administrators Domain Admins |
To view the hierarchical structure:
|
1 |
(get-aduser <username> -properties memberof).memberof |
result:
|
1 2 |
CN=Domain Admins,CN=Users,DC=metterwoon,DC=nl CN=Administrators,CN=Builtin,DC=metterwoon,DC=nl |
Note that the last result does not display the domain users
Before you can and need to recover AD objects you have to setup your AD to enable this. You will need to be at forest functional level 2008r2 or above.
Think up front about:
You used to use the command “netdom /query fsmo” to determine where the Operation Master Roles are located on you domain controllers. You can get FSMO roles with powershell in several different ways. Some of them are:
|
1 2 3 |
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster Get-ADDomainController -Service PrimaryDC -Discover |
An other way to display the information is.
|
1 2 3 |
Get-ADDomainController -Filter * | Select-Object Name, Domain, Forest, OperationMasterRoles | Format-Table -AutoSize |
To move the FSMO roles to an other server:
|
1 2 3 |
$server = Get-ADDomainController -Identity dc1.company.nl Move-ADDirectoryServerOperationMasterRole -Identity $server ` -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster |
The lastlogon time is kept on every domain controller in the AD. So, if you want to find out what the last logon time and dat of u user is, you have to check all the domain controllers.
When you check all the properties of a user using:
|
1 |
Get-ADUser avanboerum -Properties * |
You get a lot of information. The most important are:
lastLogon : 130709985039216673
LastLogonDate : 12-3-2015 09:08:56
lastLogonTimestamp : 130706213360820511
The LastLogonDate is the one that is kept on the domain controller and is not replicated to other domain controllers.
The LastLogonTimestamp is the one you need. This is however a format we cannot read but we can convert it to a normal readable value.
First we need to put this into a variable so we can extract the value later.
|
1 |
$lastltime = Get-ADUser avanboerum -properties lastlogontimestamp |Select-Object lastlogontimestamp |
Next we use the [datetime]::FromFileTime. This converts the unreadable number to a normal format. We do this while using only the value of the variable.
|
1 |
[datetime]::FromFileTime(($lastltime.lastlogontimestamp)) |
And voila, the correct format is displayed
donderdag 12 maart 2015 09:08:56
A neat script to choose the users OU in the AD, select the user and lets you choose what to do. Reset a password or unlock the users account.
The script uses the out-gridview with -passtru command to ask for your input.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
#define where the users are located in the AD $OUsearchbase = 'OU=Users,DC=company,DC=nl','OU=Users2,DC=company,DC=nl','OU=Users3,DC=company,DC=nl' #Select the right OU and User $user = Get-ADUser -Filter * -Properties LockedOut -SearchBase ( $OUsearchbase | Out-GridView -PassThru -Title "Select the location of the user" ) | Select-Object name,samaccountname,LockedOut,enabled | Out-GridView -PassThru -Title "Select the user" #Prompt for what action you would like to take $title = "Choose Action" $message = "What do you want to do to the user?" $ResetPassword = New-Object System.Management.Automation.Host.ChoiceDescription "Reset Password", ` "Reset the users password" $UnlockAccount = New-Object System.Management.Automation.Host.ChoiceDescription "Unlock account", ` "Unlock a locked user account" $options = [System.Management.Automation.Host.ChoiceDescription[]]($ResetPassword, $UnlockAccount) $result = $host.ui.PromptForChoice($title, $message, $options, 0) #take an action based on the selection switch ($result) { 0 {Set-ADAccountPassword -Identity $user.samaccountname -NewPassword (Read-Host -AsSecureString "Enter new password")} 1 {Unlock-ADAccount -Identity $user.samaccountname} } |
Get to the Microsoft Virtual Academy and follow the course: “Using PowerShell for Active Directory” with Jason Helmick and Ashley McGlone (GoateePFE)
The blog of this session and the session itself are online available.
Great blog with lots of code on Powershell and active directory.
Some topics that are being addressed are: