Techibee.com

Sean Deuby, a directory services MVP has recently presented a article at www.windowsitpro.com to help people understand the AD recovery process. It is *not* a deep dive technical documentation, but more related to method we should use for recovery. He presented this in a nice Flow chart form for easy understanding.

Click here to go the article. I like the content he is providing.

Do you want to know how many user accounts/objects you can create in active directory? Want to know how many members a group can have? Want to know maximum number of GPOs a domain can have?. Microsoft AD documentation team has setup a technet page about these details along with some more valuable information.

Link to document : http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(WS.10).aspx

It is very simple….

Get-QADUser myuser | select PasswordLastSet

If you want to know no. of days since the user changed his password, use below command

((get-date) – (Get-QADUser pamarths).PasswordLastSet).days

Happy Learning..,
Sitaram Pamarthi

Since the time I started working with active directory, I have seen only one official interface, dsa.msc(ADUC) to work with active directory objects(users, computers, etc) — I am bored with it. With the introduction of Windows 7 and Win 2008 R2, MS has brought improvements to the way how administer your active directory with “Active Directory Administrative Center”.

Built on Windows PowerShell™ command-line interface technology, Active Directory Administrative Center provides network administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI). Administrators can use Active Directory Administrative Center to perform common Active Directory object management tasks through both data-driven navigation and task-oriented navigation.

You can use Active Directory Administrative Center to perform the following Active Directory administrative tasks:

• Create new user accounts or manage existing user accounts
• Create new groups or manage existing groups
• Create new computer accounts or manage existing computer accounts
• Create new organizational units (OUs) and containers or manage existing OUs
• Connect to one or several domains or domain controllers in the same instance of Active Directory Administrative Center, and view or manage the directory information for those domains or domain controllers
• Filter Active Directory data by using query-building search

In addition, you can use the enhanced GUI to customize Active Directory Administrative Center to suite your particular directory service administering requirements. This can help improve your productivity and efficiency as you perform common Active Directory object management tasks.

So, what should be my domain to get ADAC?

If your domain level is 2008 R2, then it should work by default as it comes with ADMGS(Active Directory Management Gateway Service) which has ADWS(Active Directory Web Services) as built-in component. No worries if you have 2003 domain level also as microsft recently started to support ADWS on Windows 2003 domain controller.

Then, how can I install ADWS on my windows 2003 domain?

Active Directory powerShell blog already spoke about this. Visit http://blogs.msdn.com/adpowershell/archive/2009/06/23/use-active-directory-powershell-to-manage-windows-2003-2008-dcs.aspx for more details about this.

In brief, you should follow below steps to download ADWS source/documentation.

1. Visit http://connect.microsoft.com and enter the invitation ID ADWS-FDBT-CVJK on the home page.
2. Sign in using your live/hotmail ID
3. Active Directory Management Gateway Service download details and instructions will be available to you on MS Connect site – http://connect.microsoft.com/ADWS/

Ok, I have my server side setup done. How to get the ADAC console on my machine?

You client should be running Windows 7 or Windows 2008 atleast to get this client.

1. Install your RSAT on your machine
2. Go to Control Panel and search for “turn windows features on or off” and select it from search results
3. It diplays below windows and navigate to Active Directory Administrative Center and select the check box
4. Click OK to complete the installation.

Now installation part is done, how to launch it?

Go to Start -> Run and enter “DSAC.exe” to launch the ADAC console and enjoy it’s rich features.

References :

ADAC : http://technet.microsoft.com/en-us/library/dd560651(WS.10).aspx

RSAT for Win 7: Refer to Step-3 in http://techibee.com/windows-2008/implement-group-policy-preferences-in-windows-2003-environment/161

Hope this helps you…

Happy Learning..,
Sitaram Pamarthi

This small piece of code helps you to know when a active directory user has changed his password last time. Use your own inventions to make the output appear the way you want.

$user = “user1″
$searcher=New-Object DirectoryServices.DirectorySearcher
$searcher.Filter=”(&(samaccountname=$user))”
$results=$searcher.findone()
$changedtime  = [datetime]::fromfiletime($results.properties.pwdlastset[0])
write-host -b blue -f red The user, $user has changed password last time at $changedtime

It will be more easy if you have Quest PowerShell Cmdlets for active roles installed in your PC. Download it from Quest site and install on your machine and execute the below oneliner in Quest powershell window.

Get-QADUser user1 | ft displayname, PasswordLastSet

Happy Learning..,
Sitaram Pamarthi

• Applications (User-based)
  
• Drive Mapping (User-based)
  
• Environment Variables (User-based and computer-based)
  
• Files (User-based and computer-based)
  
• Folders (User-based and computer-based)
  
• Ini Files (User-based and computer-based)
  
• Registry (User-based and computer-based)
  
• Shortcuts (User-based and computer-based)
  
• Network Shares (Computer-Based)
  
• DataSources (User-based and computer-based)
  
• Devices (User-based and computer-based)
  
• Folder Options (User-based and computer-based)
  
• Internet Settings (User-Based)
  
• Local Users and Groups (User-based and computer-based)
  
• Network Options (User-based and computer-based)
  
• Power Options (User-based and computer-based)
  
• Printers (User-based and computer-based)
  
• Regional Options (User-based)
  
• Scheduled Tasks (User-based and computer-based)
  
• Start Menu (User-Based)
  
• Services (Computer-Based)

• You can restrict the desktops local administrators group membership. If any one adds their account to local admins, that will be taken off during the next GPO processing due to GPP setting.
  
• You can execute scripts, commands in user context at scheduled times.
  
• Control power options on laptops/desktops
  
• Easily deploy files to desktops based on user and computer
  
• Push short cuts to user/desktops
  
• And GPPs can definitely replace some of the settings which are being handled by your computer/user login scripts now. Using GPPs for these settings considerably less time than using scripts.

In this post I will take you through few LDAP queries which you might find useful in your day-to-day administration.

To query list of hidden mailboxes:

(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))

To query list of GAL visible mailboxes:

(&(objectCategory=person)(objectClass=user)(!(msExchHideFromAddressLists=TRUE)))

To query list of hidden mailboxes whose user account is enabled:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(msExchHideFromAddressLists=TRUE))

To query list of hidden mailboxes whose user account is disabled:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(msExchHideFromAddressLists=TRUE))

Grab the query you want and paste it in “Saved queries” option in Active Directory users and computers MMC(dsa.msc) to view the results.

You can write in comments here if you are looking for a custom LDAP query for your requirements. I will help you when I find time.

Happy Learning…,
Sitaram Pamarthi.