Showing posts with label Active Directory. Show all posts

2016/07/01

Offline Domain Join - Recreating the Blob file using PowerShell

When you need to join a machine to Active Directory, it is a pretty straightforward task using either the user interface or the PowerShell cmdlet available for that purpose.

However, in some situations you don't have network connectivity and need to rely on Offline Domain Join, using the Djoin.exe tool. Typically you use djoin in two phases. First you generate a provisioning file (the blob) that you drop on a newly deployed machine. In the second phase you run djoin with that file as a parameter, and the machine is joined to the domain without a connection to a domain controller.

My problem
Using that same method, I recently had a tricky problem to solve. The environment where I was performing this was very locked down and did not allow me to copy files to the newly provisioned machine.

Fortunately, the system handling the deployment could perform actions on other systems and gather data. I could rely on something like System Center Orchestrator (or SMA) and get the content of the blob file over HTTP/HTTPS by invoking a runbook.

Recreating the djoin file from that content was a bit trickier: djoin is really picky about how the file is created (see here and here for more information).


2016/03/19

Active Directory - How to grant an account to use Sync-ADObject ?

During an onboarding process, I had to create some accounts on a remote site where the Exchange role is installed, so that the accounts can be mail-enabled there. We do this because the information gets replicated to Office 365 faster and we can then proceed with other automated tasks.

Once the account is created, mail-enabled, synced to Office 365 and added to a couple of DLs, I needed to sync the account back to my local Domain Controller.

This can be done using the Sync-ADObject cmdlet from the Active Directory module.

Of course, you will need to grant explicit permission to the account performing this action; otherwise you will get the following message:

"Sync-ADObject : Insufficient access rights to perform the operation"

To grant the permission, launch the ADSIEdit tool and grant the "Replication Synchronization" right at the root of the domain.



Once the permission is granted, you'll see the following:
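The same grant, done from the command line with dsacls instead of ADSIEdit, followed by the Sync-ADObject call that needs it. This is an added example and not the script from the original post; the domain DN, account and DC names are placeholders you must replace with your own.

```powershell
# Added example (not from the original post). Grants the "Replication Synchronization" control
# access right at the domain root with dsacls (the ACE the post sets through ADSIEdit), then
# uses Sync-ADObject to replicate one freshly created object from the remote DC to the local one.
$domainDn = 'DC=corp,DC=example'          # placeholder: your domain root DN
$account  = 'CORP\svc-onboarding'         # placeholder: the account running the onboarding
$sourceDc = 'dc-remote01.corp.example'    # placeholder: DC on the Exchange site
$targetDc = 'dc-local01.corp.example'     # placeholder: local DC to replicate to

# Grant the control access right ("CA") named "Replication Synchronization" on the domain NC.
# Run this once as a domain admin; dsacls prints the resulting ACL so you can verify the ACE.
dsacls $domainDn /G "${account}:CA;Replication Synchronization"

function Sync-NewAccountToLocalDc {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Read the object from the DC where it was created so we have its DN
    $user = Get-ADUser -Identity $SamAccountName -Server $sourceDc

    # Replicate just that object (not the whole partition) from the source DC to the target DC.
    # Without the right granted above this is where "Insufficient access rights" is raised.
    Sync-ADObject -Object $user.DistinguishedName -Source $sourceDc -Destination $targetDc

    # Confirm the object is now readable on the local DC before the next automation step uses it
    Get-ADUser -Identity $user.DistinguishedName -Server $targetDc -Properties whenCreated |
        Select-Object SamAccountName, DistinguishedName, whenCreated
}

# Usage (placeholder account name):
# Sync-NewAccountToLocalDc -SamAccountName 'new.hire'
```

Granting the right at the domain root is exactly what the post does through ADSIEdit; the dsacls form is simply scriptable and leaves a visible record of the ACE in the output.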


Thanks for reading! If you have any questions, leave a comment or send me an email at fxcat@lazywinadmin.com. I invite you to follow me on Twitter @lazywinadm / Google+ / LinkedIn. You can also follow the LazyWinAdmin Blog on Facebook Page and Google+ Page.

2015/05/18

PowerShell - Report Expiring User accounts

In the video game industry it is common practice to hire consultants to take care of Quality Assurance, the set of software engineering processes and methods used to ensure quality. Those people are most likely testers and usually spend most of their day testing games in development to find bugs.

The problem is that, once in a while, managers forget to update the expiration dates of their consultants/external partners even after a couple of reminders. Since we have an automated process taking care of the off-boarding (thanks to PowerShell! ;-)), it becomes fun when those guys can't log on to their accounts on Monday morning and have lost all their access.


So I wrote a tiny script that reports any expiring user accounts and sends the report to the IT department every Monday morning, just to give us a heads-up.

Report Example

2015/04/12

PowerShell/Active Directory - Retrieve Groups managed by a User

I recently had an interesting request at work:
find a way to list all the groups a specific user manages.

If you look at the properties of an Active Directory group object, you will find under the "Managed By" tab the name of the user or group who manages the group and, if "Manager can update membership list" is checked, its members as well.

Group object properties / Managed By tab


This is nice for one group... but what if the user manages tons of them?

2014/10/05

PowerShell - Who Reports to Whom? (Active Directory recursive DirectReports)

I've been working in the video games industry for a bit more than 3 months now. A lot is going on, and the pace seems faster than in a regular corporate environment. I also notice a lot of employee movement between teams and projects.

Last week I had an interesting "quest": to find the list of employees under a specific manager. In Active Directory you can retrieve this information from the DirectReports property.

However, if this manager manages other managers... how can I do a recursive search?
Sounds like a mission for PowerShell :-)
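One way to do that recursive walk, as an added example that is not the original post's script. It assumes the ActiveDirectory module (RSAT) is installed and that the manager is given by SamAccountName or DN; the account name in the usage line is hypothetical.

```powershell
# Added example, not the original post's script. Requires the ActiveDirectory module (RSAT).
# Walks the DirectReports chain under a manager recursively. A shared hashtable of visited DNs
# protects against cycles (two users set as each other's manager), and each row records its
# depth and the manager it reports to.
function Get-DirectReportRecursive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,   # SamAccountName or DN of the top manager
        [int]$Depth = 0,
        [hashtable]$Visited = @{}
    )
    $manager = Get-ADUser -Identity $Identity -Properties DirectReports
    foreach ($dn in $manager.DirectReports) {
        if ($Visited.ContainsKey($dn)) { continue }   # already listed: break the cycle
        $Visited[$dn] = $true
        try {
            # DirectReports is a back-link; contacts can appear in it too, so skip non-user objects
            $report = Get-ADUser -Identity $dn -Properties Title -ErrorAction Stop
        } catch {
            Write-Verbose "Skipping non-user object $dn"
            continue
        }
        [PSCustomObject]@{
            Level          = $Depth + 1
            SamAccountName = $report.SamAccountName
            Name           = $report.Name
            Title          = $report.Title
            Enabled        = $report.Enabled
            ReportsTo      = $manager.SamAccountName
        }
        # Recurse; $Visited is a reference type, so every level shares the same table
        Get-DirectReportRecursive -Identity $dn -Depth ($Depth + 1) -Visited $Visited
    }
}

# Usage (hypothetical manager account):
# Get-DirectReportRecursive -Identity 'jdoe' | Sort-Object Level, Name | Format-Table -AutoSize
```

The Level column lets you rebuild the org tree from the flat output, and the visited table is what keeps a badly set manager attribute from turning the query into an endless loop.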

2014/10/01

PowerShell - Check the GPO Replication across your domain

A couple of days ago we had to troubleshoot some SYSVOL replication issues throughout the domain. I wanted to check the version of a GPO that was modified recently and make sure it was replicated to all the Domain Controllers.

I created a small function called Get-ADGPOReplication to easily compare the versions of each Group Policy Object (User and Computer Configuration) on each Domain Controller in the domain.

Get-ADGPOReplication sent to Out-Gridview

2014/08/24

PowerShell/SCSM - Retrieving Active Directory Object Classes


Following my previous post, today I continue my SCSM journey. I had to create a new automation workflow using SCSM and SCORCH to give portal users the ability to add an Active Directory account to one or more groups.

Once you get the user's input, the selected user account and the groups impacted by the request are added to the Service Request's Related Items, in the Configuration Item field.

Finding this information with PowerShell was not easy. Also, users and groups are both tagged as "User Class", and we want to avoid querying Active Directory to verify that a user is really a user and a group... really a group object.

2014/07/01

PowerShell - Handy function to connect to Office365 services


I just started to play with a Microsoft Office 365 environment (Azure Active Directory, Lync Online and Exchange Online) and I thought I would do it through PowerShell, obviously :-)

But when you start your PowerShell console... you need to load modules, connect to each service, enter your credentials... yada yada yada...

With Office 365 you can administer the following services using PowerShell:
  • Azure Active Directory
  • Exchange Online PowerShell
  • SharePoint Online PowerShell
  • Lync Online PowerShell

2014/04/05

PowerShell - Get a list of my domain Organizational Units

Quick post: last week my coworker Andrey needed to list all the Organizational Units in the domain by Canonical Name. I thought sharing the PowerShell one-liner magic could save some people out there some time.

The following examples show two methods to retrieve the information: the Active Directory module and ADSI/.NET.



Active Directory Module

I found two ways to get this information using this module:
  • Get-ADOrganizationalUnit
  • Get-ADObject

First we need to verify that the module is loaded, and then search for cmdlets that could meet our needs.
# Check if the ActiveDirectory module is loaded
Get-Module -Name ActiveDirectory

# Check if the ActiveDirectory module is available
Get-Module -Name ActiveDirectory -ListAvailable

# Import the ActiveDirectory module
Import-Module -Name ActiveDirectory

# Find cmdlets in the ActiveDirectory module related to OrganizationalUnit
Get-Command -Module ActiveDirectory -Name *OrganizationalUnit*
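Both methods side by side, as an added example that is not the post's own one-liner: the module path (Get-ADOrganizationalUnit, with Get-ADObject noted as the equivalent) and the ADSI/.NET path for a machine without RSAT. The function name Get-DomainOU is my own.

```powershell
# Added example, not the original post's one-liner. Two ways to list every OU in the current
# domain by Canonical Name: the ActiveDirectory module, or plain ADSI/.NET when RSAT is absent.
function Get-DomainOU {
    [CmdletBinding()]
    param([switch]$UseADSI)

    if (-not $UseADSI) {
        # Method 1: the module. canonicalName is a constructed attribute, so it must be asked for.
        # Get-ADObject -LDAPFilter '(objectClass=organizationalUnit)' -Properties CanonicalName
        # returns the same objects if you prefer the generic cmdlet.
        Get-ADOrganizationalUnit -Filter * -Properties CanonicalName |
            Select-Object Name, CanonicalName, DistinguishedName
        return
    }

    # Method 2: ADSI. [adsisearcher] is a DirectorySearcher rooted at the current domain.
    $searcher = [adsisearcher]'(objectClass=organizationalUnit)'
    $searcher.PageSize = 1000    # paged search, or results stop at the server's 1000-object limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'canonicalName', 'distinguishedName'))
    foreach ($result in $searcher.FindAll()) {
        # Result property names come back lower-cased; -join flattens the one-element collections
        [PSCustomObject]@{
            Name              = -join $result.Properties['name']
            CanonicalName     = -join $result.Properties['canonicalname']
            DistinguishedName = -join $result.Properties['distinguishedname']
        }
    }
}

# Usage:
# Get-DomainOU | Sort-Object CanonicalName
# Get-DomainOU -UseADSI | Sort-Object CanonicalName
```

Setting PageSize matters on any domain with more than 1000 OUs: without it the server silently truncates the result set at its size limit.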

2014/03/23

PowerShell - Find Inactive Computers in Active Directory with ADSI

Today I wanted to retrieve inactive computer accounts in Active Directory without using the Quest Active Directory Snapin or the Active Directory Module. Yes... it happens that you work on a computer that doesn't have those tools once in a while, and I thought it would be fun to have a script without requirements...

Note: the following solution might not be the best or most efficient, so let me know if you know a faster/easier way to do this; I'm willing to learn more about querying AD.

Here are the key elements of the script. I want to:
  • Find computers inactive for >= 90 days
  • Be able to specify a SearchRoot
  • Filter on the operating system if possible (for example, only Windows Servers, without the Domain Controllers)
  • Return SamAccountName, Name, DN, Operating System and Description
  • Limit the number of objects returned (useful in large environments)

2014/01/01

Top Five 2013 LazyWinAdmin Blog Posts

The year 2013 has been a pretty good year for the LazyWinAdmin blog.
Thank you guys for following my blog and participating in the comment discussions. Thanks also to those who gave me advice, criticism and ideas to improve my scripts; I think it helps everyone (and myself) improve our knowledge every day. Really appreciated :-)

I get more and more page views, comments, etc. every month :-) and I thought it would be nice to give a small Top Five 2013 of the LazyWinAdmin blog posts.



Top Five 2013 Blog posts:


WS2012 Storage - NFS Server - Configure NFS for VMware vSphere 5.1 Home Lab
This article focuses on how to configure NFS on Windows Server 2012 with PowerShell for a VMware vSphere 5.1 host.


PowerShell Studio 2012 - WinForms - Creating a basic GUI (Video) 
This is a quick tutorial (with a video) on how to create a really basic WinForm/Graphical User Interface (GUI) using SAPIEN PowerShell Studio 2012.


PowerShell - Monitor and Report Active Directory Group Membership Change
This is probably one of my most popular scripts. This PowerShell script lets you monitor the membership of one or multiple groups. You can specify the names of the group(s) directly, from a file or from an OU path.

PowerShell - Get a SubString out of a String using RegEx 
In 2013 I started playing a bit more with regex; this post talked about getting text out of a string. I'll post more about this subject soon.

PowerShell 4.0 is now available
The team of Jeffrey Snover, the PowerShell Team, released a new version of this awesome tool! More cmdlets!! More fun!!




2013/11/27

[UPDATE] PowerShell - Monitor and Report Active Directory Group Membership Change


UPDATE: The most recent update is available on Github

I found some time to update the script "Monitor Active Directory Membership changes". This is version 1.6.

To summarize, this script allows you to monitor Active Directory group membership changes. The script will send you a report via email only when a change occurs. I explained in detail how the script works in my last post.


So what are the main changes in this version?

  • SearchRoot: you can now specify the Organizational Unit path(s) where all your groups are located; the script will take care of the rest and watch them all. You also have the option to filter using the SearchScope, GroupType and GroupScope parameters.
  • File: you can now specify one or multiple files where the list of groups is saved. Distinguished Names, SIDs, GUIDs, GroupName and Domain\GroupName are accepted.

Previous post related to this script:
[2013/10] PowerShell - Monitor and Report Active Directory Group Membership Change
[2012/03] Powershell - Monitor Active Directory Groups membership change

Thank you: I want to thank those who sent me suggestions via email or post comments; I'm very happy to see that this script is helping a lot of my fellow sysadmins.

2013/11/11

PowerShell - Add AD Site Subnet

Last month I posted a script that reports the missing subnets from Active Directory. The script goes to each Domain Controller and gets the last x entries from the NETLOGON.log file.
Once this report is generated, you might want to check with your telecom guy/team to get the correct network mask and the correct site for each entry, and fix the situation.

Reminder: Subnet objects (class subnet) define network subnets in Active Directory. A network subnet is a segment of a TCP/IP network to which a set of logical IP addresses is assigned. Subnets group computers in a way that identifies their physical proximity on the network. Subnet objects in Active Directory are used to map computers to sites.

Today I will show how to add those missing subnets to your Active Directory using PowerShell on Windows Server 2012 and, for previous versions, via ADSI.

2013/10/31

PowerShell - Get-DomainComputer (ADSI)


The following function uses ADSI to query computer objects from Active Directory. Optionally, alternate credentials and/or a different domain can be specified.

Once in a while, everyone "enjoys" doing auditing at work... ok, maybe not everyone :-)... so last week, a colleague of mine needed to get the name of the primary user of each workstation that connects to one of their critical applications.

Lucky for me, first he had the list of workstations, and second we have the name of the primary user in Active Directory, in the description property of the computer object! :-) (This is added when the computer is built and joined to the domain for the first time.)

So he asked me if I could help and get this information somehow. My answer was obviously... PowerShell!
This could be done very easily using the ActiveDirectory module, but unfortunately the RSAT (Remote Server Administration Tools) feature was not installed on his computer. Why not use ADSI then? :-)

2013/10/29

PowerShell - Using ADSI with alternate Credentials

The following PowerShell code will show you how to run ADSI with alternate credentials to get information from Active Directory.

I will query group objects in this example; my filter is defined by the following line: "(objectCategory=Group)"



2013/10/21

PowerShell - Report the AD Missing Subnets from the NETLOGON.log

Today I will share with you a script that reports the missing subnets detected in the NETLOGON log file(s) of your Active Directory Domain Controller(s).

Update: See my Github repository for the most recent version

Missing Subnets

When a computer is joined to a domain, it knows for sure which AD domain it is a member of. However, once the computer is joined to the domain, it may or may not know which AD site it belongs to. Even if it thinks it knows the AD site, it may not be in the correct AD site (e.g. because it was moved, the AD site was renamed, the subnet was not declared, the subnet was removed from one site and added to another, etc.).

2013/10/16

PowerShell - Get-DomainUser

Today one of my IT coworkers, in another department, sent a couple of emails to the Ops team to get the usernames (SamAccountName) of a couple of Active Directory user accounts. This guy, who is not familiar with AD, only had the DisplayName information.

I wrote him back that he could just request RSAT (Remote Server Administration Tools) to be installed on his workstation, or just use this small PowerShell function that I wrote in minutes, since Active Directory does not require any specific permission to read this kind of information. Here is the code; nothing advanced, but it does the job ;-)

function Get-DomainUser {
    PARAM($DisplayName)
    # ADSI search rooted at the current domain; wildcards such as "jonathan*" are passed straight to LDAP
    $Search = [adsisearcher]"(&(objectCategory=person)(objectClass=User)(displayname=$DisplayName))"
    foreach ($user in $($Search.FindAll())){
        # Each property comes back as a collection, hence the {...} in the output below
        New-Object -TypeName PSObject -Property @{
            "DisplayName" = $user.properties.displayname
            "UserName"    = $user.properties.samaccountname
            "Description" = $user.properties.description}
    }
}

Result


PS C:\> Get-DomainUser -DisplayName "jonathan*" | Format-List
UserName    : {JonathanD}
Description : {Account of Jonathan Delpiero}
DisplayName : {Jonathan Delpiero}

UserName    : {DumoulinJ}
Description : {Account of Jonathan Dumoulin}
DisplayName : {Jonathan Dumoulin}
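Because $DisplayName is spliced straight into the LDAP filter above, a value containing parentheses or a backslash changes the structure of the filter rather than being searched for. The hardened variant below is an added example, not the original post's function: it escapes the value per RFC 4515 (the function names ConvertTo-LdapFilterValue and Get-DomainUserSafe are my own), keeps the "*" wildcard so "jonathan*" still works, and flattens the property collections so the output no longer shows {...}.

```powershell
# Added example, not the original post's function. Same ADSI query as Get-DomainUser, but the
# display name is escaped per RFC 4515 before it is spliced into the LDAP filter, so a value
# containing parentheses, a backslash or NUL cannot change the filter's structure. The '*'
# wildcard is deliberately kept so that "jonathan*" still works as in the post.
function ConvertTo-LdapFilterValue {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [switch]$KeepWildcard
    )
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        $s = [string]$c
        switch ($s) {
            '\'     { [void]$sb.Append('\5c') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            '*'     { [void]$sb.Append($(if ($KeepWildcard) { '*' } else { '\2a' })) }
            default { [void]$sb.Append($s) }
        }
    }
    $sb.ToString()
}

function Get-DomainUserSafe {
    param([Parameter(Mandatory)][string]$DisplayName)
    $safe   = ConvertTo-LdapFilterValue -Value $DisplayName -KeepWildcard
    $search = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(displayName=$safe))"
    $search.PageSize = 1000   # page through large result sets instead of stopping at 1000
    [void]$search.PropertiesToLoad.AddRange([string[]]@('displayName', 'sAMAccountName', 'description'))
    foreach ($user in $search.FindAll()) {
        # Result property names come back lower-cased; -join flattens the one-element collections
        [PSCustomObject]@{
            DisplayName = -join $user.Properties['displayname']
            UserName    = -join $user.Properties['samaccountname']
            Description = -join $user.Properties['description']
        }
    }
}

# ConvertTo-LdapFilterValue -Value 'Jonathan (Contractor)' -KeepWildcard  ->  Jonathan \28Contractor\29
# Get-DomainUserSafe -DisplayName 'jonathan*' | Format-List
```

Keeping the wildcard is a deliberate trade-off: it preserves the "jonathan*" usage from the post, while the escaping of parentheses and backslashes is what stops an unexpected display name from widening the search.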


2013/10/13

PowerShell - Monitor and Report Active Directory Group Membership Change


UPDATE 2016/05/03: The most recent update is available on Github

See also the related blogpost: http://www.lazywinadmin.com/2013/11/update-powershell-monitor-and-report.html

Today I will update a post that I published at the beginning of last year: Monitor Active Directory Membership changes. I updated the script to add some of the things I learned during the Scripting Games 2013 back in April/May. The script will also create a nice HTML report and send it via email.

Basically, the script will monitor the Active Directory groups that you specify and notify you if a change occurred since the last time it checked.



2013/06/10

Scripting Games 2013 - Advanced Event 4 - An Auditing Adventure

This is my solution for the Advanced Event 4 of the Scripting Games 2013.
This event was a bit challenging for me... In the past, I played with the Quest Active Directory snap-in to create a bunch of monitoring tools and some other small automation tasks, but that's about it (for example, Monitor Active Directory Groups membership change).

Let's see how I solved it.



2013/04/02

PowerShell/WinForm - Active Directory User Unlocker


An Active Directory account may be automatically locked if the domain's security policy has been configured to lock accounts after a number of unsuccessful logon attempts.

If an account has been locked out, the lockoutTime attribute will contain a Win32 time value that indicates when the account was locked.

An easy way to search for locked-out accounts is an LDAP query similar to:
(&(objectClass=user)(lockoutTime>=1))




You can integrate this query in the saved queries of your Active Directory Users and Computers MMC.
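The same query from PowerShell with ADSI (no module required, as in the post), with one check the raw LDAP filter cannot do: lockoutTime is not cleared when the domain's lockout duration expires, only on the next successful logon, so the filter alone also returns accounts that are no longer locked. This is an added example, not the WinForm script from the post; the function name Get-LockedOutAccount is my own, and it reads lockoutDuration from the default domain policy only (fine-grained password policies are not considered).

```powershell
# Added example, not the original post's script. Finds accounts with a non-zero lockoutTime via
# ADSI and works out whether each one is still locked, using the domain's lockoutDuration.
function Get-LockedOutAccount {
    [CmdletBinding()]
    param([string]$SearchBase)   # optional OU DN; defaults to the domain root

    $rootDse  = [adsi]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    if (-not $SearchBase) { $SearchBase = $domainDn }

    # lockoutDuration is a negative 100-ns interval; Int64.MinValue means "until an admin unlocks"
    $policy = New-Object System.DirectoryServices.DirectorySearcher(
        [adsi]"LDAP://$domainDn", '(objectClass=*)', [string[]]@('lockoutDuration'), 'Base')
    $ticks        = [int64]$policy.FindOne().Properties['lockoutduration'][0]
    $neverExpires = ($ticks -eq [int64]::MinValue)
    $duration     = if ($neverExpires) { [TimeSpan]::Zero } else { [TimeSpan]::FromTicks(-$ticks) }

    # Same filter as the saved query above, restricted to real user accounts
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [adsi]"LDAP://$SearchBase",
        '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))',
        [string[]]@('sAMAccountName', 'lockoutTime', 'distinguishedName'))
    $searcher.PageSize = 1000

    $now = [DateTime]::UtcNow
    foreach ($r in $searcher.FindAll()) {
        # lockoutTime is a FILETIME (100-ns ticks since 1601, UTC); the searcher returns it as Int64
        $lockedAt    = [DateTime]::FromFileTimeUtc([int64]$r.Properties['lockouttime'][0])
        $stillLocked = $neverExpires -or (($lockedAt + $duration) -gt $now)
        [PSCustomObject]@{
            SamAccountName    = -join $r.Properties['samaccountname']
            LockedOutUtc      = $lockedAt
            StillLocked       = $stillLocked
            DistinguishedName = -join $r.Properties['distinguishedname']
        }
    }
}

# Usage: only the accounts that are still locked right now
# Get-LockedOutAccount | Where-Object StillLocked | Format-Table -AutoSize
```

For an unlock tool this distinction matters: an account whose lockout has already expired needs no action, and listing it only adds noise to the interface.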



Description


The following script uses PowerShell to generate a WinForm and gives you the ability to unlock accounts right from the interface. The goal is something simple and functional, nothing fancy.

The GUI was created using PowerShell Studio from SAPIEN. You can try this tool by going to Sapien.com.

No Module Required


The beautiful part is that neither the Active Directory module nor the Quest Active Directory Snapin is required.
In my case I used ADSI: [ADSISearcher]

If you want to know more about ADSISearcher, check this article from the Scripting Guy.

Graphical User Interface



Under Windows 8