Category Archives: AD

Create a user


This script creates a new AD user. It:

  • displays a GUI form to collect the user's details
  • determines the username according to the company standard
  • sets the AD attributes and the profile/home folder paths according to the user's location
  • adds the default AD groups
  • creates a mailbox for the user
  • creates the home and profile folders
  • creates a welcome note for the user, based on the user's details
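The post's own script is not reproduced on this page. What follows is an added example, not the author's script, of the non-GUI core of such a workflow: the naming standard (first initial plus surname, lower case, numeric suffix on collision), the domain corp.example, the per-location table of OU, home share and groups, and the user Jan Jansen are all assumptions. The GUI form and the Exchange mailbox step are left out.

```powershell
# Added example, not the post's script. Assumes the ActiveDirectory module, a
# hypothetical domain corp.example, a hypothetical naming standard and a
# hypothetical per-location table. GUI form and Enable-Mailbox step left out.
Import-Module ActiveDirectory

# Hypothetical company standards per location code.
$LocationSettings = @{
    'AMS' = @{ OU = 'OU=Users,OU=Amsterdam,DC=corp,DC=example'; HomeShare = '\\fs-ams\home$'; Groups = @('GG-AMS-Staff', 'GG-All-Employees') }
    'RTM' = @{ OU = 'OU=Users,OU=Rotterdam,DC=corp,DC=example'; HomeShare = '\\fs-rtm\home$'; Groups = @('GG-RTM-Staff', 'GG-All-Employees') }
}

function New-StandardUserName {
    # First initial + surname, ASCII letters only, max 20 characters (sAMAccountName
    # limit), with a number appended until the name is free in the domain.
    param([string]$GivenName, [string]$Surname)
    $base = (($GivenName.Substring(0, 1) + $Surname) -replace '[^A-Za-z]', '').ToLower()
    if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }
    $candidate = $base
    $n = 1
    while (Get-ADUser -Filter "sAMAccountName -eq '$candidate'") {
        $n++
        $suffix = [string]$n
        $candidate = $base.Substring(0, [Math]::Min($base.Length, 20 - $suffix.Length)) + $suffix
    }
    return $candidate
}

function New-StandardUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][ValidateSet('AMS', 'RTM')][string]$Location,
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    $settings    = $LocationSettings[$Location]
    $sam         = New-StandardUserName -GivenName $GivenName -Surname $Surname
    $homePath    = Join-Path $settings.HomeShare $sam
    $profilePath = Join-Path $settings.HomeShare "profiles\$sam"

    # Account stays disabled until the folders exist; password change forced at first logon.
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@corp.example" -Path $settings.OU `
        -HomeDirectory $homePath -HomeDrive 'H:' -ProfilePath $profilePath `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $false

    # Default groups for the location.
    Add-ADPrincipalGroupMembership -Identity $sam -MemberOf $settings.Groups

    # Home and profile folders with Modify for the user only. The SID is used rather
    # than the name so the ACE does not depend on the new account having replicated
    # to the file server yet.
    $sid = (Get-ADUser -Identity $sam).SID
    foreach ($dir in $homePath, $profilePath) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        $acl  = Get-Acl -Path $dir
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
        Set-Acl -Path $dir -AclObject $acl
    }

    # Welcome note built from the user's own data. It must never contain the password.
    $note = @"
Welcome $GivenName $Surname,

Your user name is $sam and your home drive is H: ($homePath).
You will be asked to choose a new password at your first logon.
"@
    Set-Content -Path (Join-Path $homePath 'Welcome.txt') -Value $note

    Enable-ADAccount -Identity $sam
    Get-ADUser -Identity $sam -Properties HomeDirectory, MemberOf
}

# Usage: the password is read masked so it never lands in the script or the history.
New-StandardUser -GivenName 'Jan' -Surname 'Jansen' -Location 'AMS' -InitialPassword (Read-Host -AsSecureString 'Initial password')
```

Granting the folder ACE by SID rather than by name is the detail that most often bites in scripts like this: the file server may not yet have seen the new account when the folder is created, and a name lookup then fails or, worse, silently binds to nothing.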


Get lockout events from the Security event log on the PDC


Script to get account lockout events from the Security event log on the PDC emulator.
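The script itself is not on this page. As an added example, not the post's script, the following finds the PDC emulator through the AD module and reads the lockout events (event ID 4740, which the PDC emulator logs for every lockout in the domain) from its Security log. It assumes the ActiveDirectory module and read access to that log.

```powershell
# Added example, not the post's script. Assumes the ActiveDirectory module and read
# access to the Security log of the PDC emulator (Event Log Readers or local admin there).
Import-Module ActiveDirectory

function Get-ADLockoutEvent {
    param(
        [int]$Hours = 24,
        [string]$UserName       # optional: only this sAMAccountName
    )
    # Lockouts are always processed by the PDC emulator, so its Security log
    # holds every lockout in the domain as event ID 4740.
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }

    try {
        $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent reports an empty result as an error; anything else is real.
        if ($_.Exception.Message -like 'No events were found*') { return }
        throw
    }

    foreach ($ev in $events) {
        # In a 4740 event TargetUserName is the locked account and TargetDomainName
        # carries the "Caller Computer Name", the machine the bad passwords came from.
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($UserName -and $data['TargetUserName'] -ne $UserName) { continue }
        [pscustomobject]@{
            Time       = $ev.TimeCreated
            User       = $data['TargetUserName']
            SourceHost = $data['TargetDomainName']
            Dc         = $pdc
        }
    }
}

# Usage: all lockouts of the last two days, newest first.
Get-ADLockoutEvent -Hours 48 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The SourceHost column is what you want when hunting the cause: the same user locked out repeatedly from the same host usually means a stale credential on that host (a service, a scheduled task, a mapped drive), while many users locked out from one host in a short window looks like a password spray.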


Copy the users from one AD group to another AD group


To copy the users from one AD group to another, or to duplicate the contents of a group, use the cmdlet Add-ADGroupMember.

You cannot pipe the output of Get-ADGroupMember into this cmdlet, because its -Members parameter does not accept pipeline input; a piped object binds to -Identity instead and is treated as the target group. You can check this in the help for the command (Get-Help Add-ADGroupMember -Full).

For this to work correctly you must store the members in a variable with Get-ADGroupMember and pass that variable to -Members of Add-ADGroupMember.

These two commands are:
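The author's two commands are not reproduced on this page. As an added example of the same pattern, not the author's code, the following assumes the ActiveDirectory module and two hypothetical groups, GG-Source and GG-Target, and adds the checks you want before changing group membership.

```powershell
# Added example, not the author's two commands. Assumes the ActiveDirectory module
# and two hypothetical groups, GG-Source and GG-Target.
Import-Module ActiveDirectory

# Collect the members first: -Members takes no pipeline input. Without -Recursive you
# get the direct members including nested groups, which keeps the structure intact;
# -Recursive would flatten nested groups into individual accounts. Note that
# Get-ADGroupMember stops at 5000 members unless MaxGroupOrMemberEntries is raised.
$members = Get-ADGroupMember -Identity 'GG-Source'

# Skip members already in the target so the run can be repeated safely.
$existing = Get-ADGroupMember -Identity 'GG-Target' | Select-Object -ExpandProperty DistinguishedName
$toAdd = $members | Where-Object { $existing -notcontains $_.DistinguishedName }

if ($toAdd) {
    # Group membership is a privilege change: review with -WhatIf before the real run.
    Add-ADGroupMember -Identity 'GG-Target' -Members $toAdd -WhatIf
    Add-ADGroupMember -Identity 'GG-Target' -Members $toAdd
}

# Verify: no output means both groups now hold the same members.
Compare-Object -ReferenceObject (Get-ADGroupMember -Identity 'GG-Source') `
               -DifferenceObject (Get-ADGroupMember -Identity 'GG-Target') -Property DistinguishedName
```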



Get folder permissions recursively


To see which users or groups have access to a folder structure you must check this for every folder.

Fortunately PowerShell has (of course) the option to check a folder structure recursively and write the result to a nice text file. The one-liner for this is:

You can use the Get-Acl cmdlet to display the access control list (DACL) of a folder. Note that this is the list of access control entries, not the effective permissions of a particular account, which depend on its group memberships and on deny entries. Get-Acl has no option to walk the entire folder structure recursively; Get-ChildItem does, and when you pipe its output through Get-Acl you get the list you want.

The Where-Object {($_.PSIsContainer)} is there to keep folders only and skip files (on PowerShell 3 and later, Get-ChildItem -Directory does the same).
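The page's one-liner is not reproduced here. The following is an added example, not the author's command, of the same Get-ChildItem / Get-Acl combination expanded into one row per access control entry, which is the form you want when reviewing a share; the share root D:\Shares and the report path are assumptions.

```powershell
# Added example, not the page's one-liner. Assumes a hypothetical share root
# D:\Shares and a hypothetical report path D:\Reports\acl.csv.
function Get-FolderAclReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$ExplicitOnly   # only ACEs set directly on a folder, not inherited ones
    )
    # PSIsContainer keeps folders only; -ErrorVariable collects the folders we could not enter.
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue -ErrorVariable errs |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $folder = $_.FullName
            # Get-Acl returns the DACL; each entry in .Access is one ACE.
            $acl = Get-Acl -LiteralPath $folder
            foreach ($ace in $acl.Access) {
                if ($ExplicitOnly -and $ace.IsInherited) { continue }
                [pscustomobject]@{
                    Folder      = $folder
                    Owner       = $acl.Owner
                    Identity    = $ace.IdentityReference.Value
                    Rights      = $ace.FileSystemRights
                    Type        = $ace.AccessControlType
                    Inherited   = $ace.IsInherited
                    Inheritance = $ace.InheritanceFlags
                }
            }
        }
    # Folders you could not read are the interesting ones: report them instead of hiding them.
    foreach ($e in $errs) { Write-Warning "Skipped (access denied): $($e.TargetObject)" }
}

# Full report of explicit permissions, one ACE per row, as CSV (Out-File works too for plain text).
Get-FolderAclReport -Path 'D:\Shares' -ExplicitOnly |
    Export-Csv -Path 'D:\Reports\acl.csv' -NoTypeInformation

# Quick review: where do broad groups have write access?
Get-FolderAclReport -Path 'D:\Shares' | Where-Object {
    ($_.Identity -in @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')) -and
    $_.Type -eq 'Allow' -and $_.Rights -match 'Write|Modify|FullControl'
} | Format-Table Folder, Identity, Rights -AutoSize
```

Filtering on explicit (non-inherited) entries is what makes the report readable on a large tree: every folder repeats the inherited entries of its parent, so the explicit ones are the places where somebody deliberately changed the permissions.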

Enumerate Group Membership


With PowerShell you can get insight into the nested groups in AD and enumerate group membership.

Which users are members of the Domain Admins group?

Of which groups is a user a member?

Is a user a nested member of the Domain Admins group?


Reset or change the Directory Services Restore Mode password


To reset or change the Directory Services Restore Mode (DSRM) password you must use the ntdsutil command. This tool lets you manage Active Directory Domain Services from the command line. The DSRM password belongs to the local administrator account of a domain controller, used to log on when the DC is booted into restore mode, so treat it as a privileged credential and set it separately on every DC.
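The ntdsutil commands themselves are not shown on the page. As an added example, not the author's, this is the ntdsutil sequence for a DSRM password reset, run from an elevated prompt on a domain controller; the DC name DC02 and the account dsrm-svc are assumptions.

```powershell
# Added example, not from the page. Run elevated on a domain controller.
# ntdsutil is interactive; the quoted arguments are fed to its prompts in order,
# and it then asks for the new password twice. The password never goes on the
# command line, so it does not end up in the shell history or in process listings.
ntdsutil "set dsrm password" "reset password on server null" quit quit
#   Please type password for DS Restore Mode Administrator: ********
#   Please confirm new password: ********
#   Password has been set successfully.

# "null" means the local DC. To reset the DSRM password of another DC (hypothetical DC02):
ntdsutil "set dsrm password" "reset password on server DC02" quit quit

# Alternative (Windows Server 2008 and later): copy the current password of a domain
# account. The account is only a password source; nothing stays linked afterwards,
# so a throw-away account such as a hypothetical dsrm-svc can be used and then deleted.
ntdsutil "set dsrm password" "sync from domain account dsrm-svc" quit quit
```

Whichever way you set it, record the new DSRM password in the privileged credential store immediately: it is the one account that still works on a DC when the domain itself is broken, and an unknown or shared DSRM password is both a recovery risk and a persistence opportunity for an attacker who has had administrative access to the DC.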


Make a server a Domain Controller


New domain and forest.

To make a Windows server a DC (domain controller) you must first install the AD DS feature. Use Get-WindowsFeature first to check that the correct feature is targeted.

After the feature is installed, load the ADDSDeployment module and promote the server to a domain controller for a new domain and forest.

Existing domain and forest.

If you already have a domain and forest up and running, you add the server to that domain as an additional domain controller instead.


Demote a server.

To remove the domain controller role from a server, use:

Use Get-Help with this cmdlet to see the options you can use.
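The author's commands for these three steps are not on the page. The following is an added example, not the author's, of the whole procedure with the ADDSDeployment cmdlets: install the feature, promote to a new forest or to an existing domain, and demote. The forest name corp.example, NetBIOS name CORP and the functional levels are assumptions.

```powershell
# Added example, not the author's commands. Assumes hypothetical names (corp.example,
# CORP) and a Windows Server 2016 or later deployment module (ForestMode WinThreshold).
# Run elevated on the server being promoted; it reboots when promotion completes.

# 1. Install the role. Check the feature name and state first, then install it.
Get-WindowsFeature -Name AD-Domain-Services
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment
# DSRM password, read masked; it is the DC's local administrator password in restore mode.
$dsrm = Read-Host -AsSecureString 'DSRM (Safe Mode) administrator password'

# 2a. New forest and domain. Test-* runs the prerequisite checks without changing anything.
Test-ADDSForestInstallation -DomainName 'corp.example' -DomainNetbiosName 'CORP' -SafeModeAdministratorPassword $dsrm
Install-ADDSForest -DomainName 'corp.example' -DomainNetbiosName 'CORP' `
    -ForestMode WinThreshold -DomainMode WinThreshold `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force

# 2b. Additional DC in an existing domain (run instead of 2a). The promoting account
# must be a Domain Admin; prompt for it rather than storing it in the script.
$cred = Get-Credential -Message 'Domain Admin account used for the promotion'
Test-ADDSDomainControllerInstallation -DomainName 'corp.example' -Credential $cred -SafeModeAdministratorPassword $dsrm
Install-ADDSDomainController -DomainName 'corp.example' -Credential $cred `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force

# 3. Demote. -DemoteOperationMasterRole transfers any FSMO roles this DC still holds;
# -LastDomainControllerInDomain would be needed only when removing the domain itself.
$localAdmin = Read-Host -AsSecureString 'Local administrator password after demotion'
Uninstall-ADDSDomainController -LocalAdministratorPassword $localAdmin -DemoteOperationMasterRole -Force
```

Running the Test-ADDS* cmdlet first is worth the extra minute: it reports DNS, credential and functional-level problems up front, instead of half-way through a promotion that then has to be cleaned up.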

Workflow to create a new AD group and add a user to the group


Here are the commands for a workflow to create a new AD group and add a user to the group.

Nothing fancy, but it saves you the time of looking up the commands next time. 🙂
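The commands themselves are not reproduced on this page. As an added example, not the author's commands, here is that workflow with an existence check and a verification step; the group name, OU, share and user are assumptions.

```powershell
# Added example, not the author's commands. Assumes the ActiveDirectory module and
# hypothetical names for the group, OU, share and user.
Import-Module ActiveDirectory

$groupName = 'GG-FinanceReports-RW'
$groupOU   = 'OU=Groups,DC=corp,DC=example'
$member    = 'jjansen'

# Create the group only if it does not exist yet: a global security group (not a
# distribution group), in the groups OU, with a description that says what it grants.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global -GroupCategory Security `
        -Path $groupOU -Description 'Read/write on \\fs01\FinanceReports'
}

Add-ADGroupMember -Identity $groupName -Members $member

# Verify from both sides: the group's member list and the user's group list.
Get-ADGroupMember -Identity $groupName | Select-Object Name, SamAccountName, objectClass
Get-ADPrincipalGroupMembership -Identity $member | Select-Object -ExpandProperty Name
```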


List AD group membership readable


If you want a list of all the AD groups a user is a member of, you can use:

This gives an overview of the groups the user is a member of, but it is not easy to read. To get a plain list, use Get-ADPrincipalGroupMembership. This gives one group name per line.



To view the hierarchical structure:


Note that the last result does not display Domain Users. A user's primary group is stored in the primaryGroupID attribute, not in member/memberOf, so any method that walks memberOf misses it; Get-ADPrincipalGroupMembership does include it.
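The commands for this post and for the "Enumerate Group Membership" post above are not reproduced on the page. The following added example, not the author's code, covers both: the members of Domain Admins, the groups a user is in, a nested-membership check done by the domain controller with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), and a hierarchical view walked from memberOf. The user jjansen is an assumption.

```powershell
# Added example, not the page's commands. Assumes the ActiveDirectory module and a
# hypothetical user jjansen.
Import-Module ActiveDirectory
$user = Get-ADUser -Identity 'jjansen' -Properties MemberOf, PrimaryGroup

# 1. Members of Domain Admins, nested groups flattened into accounts.
#    (Get-ADGroupMember can fail on members from trusted domains.)
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object Name, SamAccountName, objectClass

# 2. Direct groups of the user, one per line. Unlike memberOf this includes the
#    primary group (Domain Users), which AD keeps in primaryGroupID.
Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name | Sort-Object

# 3. Is the user a nested member of Domain Admins? The :1.2.840.113556.1.4.1941: rule
#    makes the DC walk the whole chain in one query. A DN containing ( ) * or \
#    would need LDAP filter escaping first.
$da = Get-ADGroup -Identity 'Domain Admins'
$isNestedDA = [bool](Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($da.DistinguishedName))" `
    -SearchBase $user.DistinguishedName -SearchScope Base)
"$($user.SamAccountName) in Domain Admins (direct or nested): $isNestedDA"

#    The same rule from the group side: every group, at any depth, the user is in.
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    Select-Object -ExpandProperty Name | Sort-Object

# 4. Hierarchical view: each direct group, then the groups that group is a member of, indented.
function Show-ADGroupTree {
    param([string]$GroupDN, [int]$Depth = 0, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($GroupDN)) { return }   # stop on circular nesting
    $Seen[$GroupDN] = $true
    $g = Get-ADGroup -Identity $GroupDN -Properties MemberOf
    ('  ' * $Depth) + $g.Name
    foreach ($parent in $g.MemberOf) { Show-ADGroupTree -GroupDN $parent -Depth ($Depth + 1) -Seen $Seen }
}
foreach ($dn in $user.MemberOf) { Show-ADGroupTree -GroupDN $dn }
# memberOf does not carry the primary group, so the tree omits Domain Users; it is here:
"Primary group: $($user.PrimaryGroup)"
```

For privileged-group audits the matching-rule query in step 3 is the one to script: it is evaluated server-side, follows nesting to any depth, and does not depend on the client being able to resolve every member object.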

Get FSMO roles with powershell


You used to use the command "netdom query fsmo" to determine which domain controllers hold the operations master roles. You can get the FSMO roles with PowerShell in several different ways. Some of them are:

Another way to display the information is:

To move the FSMO roles to another server:
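The page's commands are not reproduced here. As an added example, not the author's, the following shows the three ways of reading the roles (forest object, domain object, per DC) and the transfer and seize forms of the move; the DC name DC02 is an assumption.

```powershell
# Added example, not the page's commands. Assumes the ActiveDirectory module and a
# hypothetical target DC named DC02.
Import-Module ActiveDirectory

# Forest-wide roles live on the forest object, domain-wide roles on the domain object.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# The same information from the DC side: one line per DC with the roles it holds.
Get-ADDomainController -Filter * | Select-Object Name, Site, OperationMasterRoles

# Transfer (graceful): the current holder must be online and agrees to the move.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster

# Seize (-Force): only when the holder is permanently gone. A seized holder must
# never come back online as a DC, or two DCs will think they own the role.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Force

# Verify after the move.
Get-ADDomainController -Filter * | Select-Object Name, OperationMasterRoles
```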


PowerShell: get a user's last logon date from AD


The lastLogon time is kept separately on every domain controller and is not replicated. So if you want the exact last logon time and date of a user, you have to check all the domain controllers and take the newest value.

When you list all the properties of a user you get a lot of information. The most important ones here are:

lastLogon : 130709985039216673
LastLogonDate : 12-3-2015 09:08:56
lastLogonTimestamp : 130706213360820511

lastLogon is the value kept on each domain controller and is not replicated to the other domain controllers. lastLogonTimestamp is replicated, but by default it is only rewritten when the stored value is about 14 days old, so it can lag behind the real last logon by up to two weeks. LastLogonDate is not a separate attribute: it is lastLogonTimestamp converted to a readable date by the AD module.

For an overview that can be read from any domain controller, lastLogonTimestamp is the one you need. Its raw form is a Windows FILETIME (100-nanosecond intervals since 1 January 1601), which we cannot read directly, but we can convert it to a normal readable value.

First put the user object into a variable so the value can be extracted later.

Next use [datetime]::FromFileTime on that value. This converts the unreadable number to a normal date.

And voilà, the date is displayed in the local format:

donderdag 12 maart 2015 09:08:56
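The conversion commands are not reproduced on the page. The following added example, not the author's code, converts the two values shown above and then does what the first paragraph describes: it asks every domain controller for lastLogon and keeps the newest, next to the replicated lastLogonTimestamp for comparison. The user jjansen is an assumption.

```powershell
# Added example, not the page's commands. The two FILETIME values are the ones shown
# above; the user jjansen is hypothetical. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Both attributes are Windows FILETIME values: 100-nanosecond ticks since 1 January 1601 (UTC).
# FromFileTime returns local time, which is what the page's output shows.
[datetime]::FromFileTime(130706213360820511)   # lastLogonTimestamp, the replicated value
[datetime]::FromFileTime(130709985039216673)   # lastLogon on the queried DC, about four days newer

function Get-ADUserLastLogon {
    # Exact value: lastLogon is not replicated, so ask every DC and keep the newest.
    param([Parameter(Mandatory)][string]$Identity)
    $newest   = 0
    $newestDC = $null
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName -Properties lastLogon -ErrorAction Stop
        } catch {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            continue
        }
        if ($u.lastLogon -gt $newest) { $newest = $u.lastLogon; $newestDC = $dc.HostName }
    }
    # Rough value: lastLogonTimestamp is replicated but only rewritten when the stored
    # value is about 14 days old, so it can lag the real last logon by up to two weeks.
    $stamp = (Get-ADUser -Identity $Identity -Properties lastLogonTimestamp).lastLogonTimestamp
    $exact = $null
    if ($newest -gt 0) { $exact = [datetime]::FromFileTime($newest) }
    $rough = $null
    if ($stamp) { $rough = [datetime]::FromFileTime($stamp) }
    [pscustomobject]@{
        User               = $Identity
        LastLogon          = $exact      # newest lastLogon across all DCs; $null if never logged on
        LastLogonSeenOn    = $newestDC
        LastLogonTimestamp = $rough      # what LastLogonDate shows, up to 14 days stale
    }
}

Get-ADUserLastLogon -Identity 'jjansen'
```

For a stale-account report the 14-day lag of lastLogonTimestamp is harmless, because you are looking for accounts unused for months. For an incident question ("did this account log on yesterday?") it is not, and only the per-DC lastLogon sweep gives a trustworthy answer; a DC that is unreachable during the sweep leaves a gap, which is why the function warns rather than silently skipping it.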


Use PowerShell to reset a password and unlock an account


A neat script to choose the user's OU in AD, select the user, and then choose what to do: reset the password or unlock the account.

The script uses Out-GridView with -PassThru to ask for your input.
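The script itself is not reproduced on the page. As an added example, not the author's script, the following builds the same three-step dialog with Out-GridView (-OutputMode Single is the single-selection form of -PassThru) and adds the steps a helpdesk reset should always include. It assumes the ActiveDirectory module and an operator with delegated reset and unlock rights on the chosen OU.

```powershell
# Added example, not the author's script. Assumes the ActiveDirectory module and an
# operator with delegated reset/unlock rights on the chosen OU.
Import-Module ActiveDirectory

# 1. Pick the OU in a grid. -OutputMode Single returns the selected row (like -PassThru,
#    but limited to one selection).
$ou = Get-ADOrganizationalUnit -Filter * -Properties CanonicalName |
    Select-Object Name, CanonicalName, DistinguishedName |
    Out-GridView -Title 'Select the OU' -OutputMode Single
if (-not $ou) { return }

# 2. Pick the user; LockedOut and PasswordExpired help choose the right action.
$user = Get-ADUser -Filter * -SearchBase $ou.DistinguishedName -Properties LockedOut, PasswordExpired, LastLogonDate |
    Select-Object Name, SamAccountName, LockedOut, PasswordExpired, LastLogonDate |
    Out-GridView -Title 'Select the user' -OutputMode Single
if (-not $user) { return }

# 3. Choose the action.
$action = 'Unlock account', 'Reset password' |
    Out-GridView -Title "Action for $($user.SamAccountName)" -OutputMode Single
switch ($action) {
    'Unlock account' {
        Unlock-ADAccount -Identity $user.SamAccountName
    }
    'Reset password' {
        # Read the new password masked; it never goes on the command line or into a log.
        $pw = Read-Host -AsSecureString 'New temporary password'
        Set-ADAccountPassword -Identity $user.SamAccountName -Reset -NewPassword $pw
        # Force a change at next logon so the helpdesk never keeps a working password.
        Set-ADUser -Identity $user.SamAccountName -ChangePasswordAtLogon $true
        # A reset usually follows a lockout, so clear that as well.
        Unlock-ADAccount -Identity $user.SamAccountName
    }
}

# Show the result.
Get-ADUser -Identity $user.SamAccountName -Properties LockedOut, PasswordLastSet |
    Select-Object SamAccountName, LockedOut, PasswordLastSet
```

The -ChangePasswordAtLogon step is the one most often forgotten in scripts like this: without it the temporary password the helpdesk chose stays valid, and whoever heard it on the phone can use it for as long as the password policy allows.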


Blog for MVA: Using PowerShell for Active Directory


Go to the Microsoft Virtual Academy and follow the course "Using PowerShell for Active Directory" with Jason Helmick and Ashley McGlone (GoateePFE).

The blog post for this session and the session itself are available online.

A great blog with lots of code on PowerShell and Active Directory.

Some of the topics addressed are:

  • Users and Groups
  • Querying
  • Forensics
  • Recovery