Archive

Posts Tagged ‘Active Directory’

How to become MCM(Microsoft Certified Master) in Active Directory

I came across the interesting post below, which covers everything needed to become a Microsoft Certified Master (MCM) in Active Directory. MCM is the highest level of certification Microsoft gives to people who excel in a given technology. Currently the MCM is available for Exchange, SQL Server, Lync, SharePoint and Active Directory.

http://blogs.technet.com/b/askpfeplat/archive/2012/05/21/so-you-want-to-be-a-master-eh.aspx

Hope you will find this informative.

Powershell: How to get Groups list of a computer account

An old friend and colleague of mine called me today for some help. He was looking for a script to get the list of Active Directory groups that a computer account is a member of. Since this is a very basic requirement that every system administrator will run into, I wanted to post it on my blog.

So, the code described in this post uses the Quest Active Directory PowerShell cmdlets. I could code this using the .NET objects or the built-in ActiveDirectory module in Windows 7/2008 R2 as well, but since I wanted to make it more generic, I opted for the Quest cmdlets. Another advantage is that even newbies can query AD efficiently with these tools.

Since I am using the Quest AD cmdlets, you should download them from http://www.quest.com/powershell/activeroles-server.aspx and install them on your computer. After installation, copy the code below into a file called Get-ComputerGroups.ps1 and run it from the Quest ActiveRoles Management Shell (you can launch it from Program Files), as shown below.

Get-ComputerGroups.ps1

[cmdletbinding()]
param(
    [parameter(mandatory=$true)]
    $ComputerName
)

# MemberOf holds the distinguished names of the groups the computer belongs to directly
# (the primary group, Domain Computers by default, is not listed in memberOf)
$Groups = (Get-QADComputer -Identity $ComputerName).MemberOf

$Groups | % {
    # Take the first RDN ("CN=<group name>") of each DN and return just the name.
    # This assumes no group name contains a comma; such a name would be cut short here.
    $_.Split(",")[0].Split("=")[1]
}

Usage:

[PS] C:\> C:\temp\Get-ComputerGroups.ps1 -ComputerName MyPC1

Here the -ComputerName parameter is mandatory.

Similarly, if you want to read the computer names from a text file and get the Active Directory group names for all of them, use the code below.

Get-ComputerGroups.ps1

[cmdletbinding()]
param(
    [parameter(mandatory=$true)]
    $FilePath
)

$Computers = Get-Content $FilePath
foreach ($ComputerName in $Computers) {
    # Write-Output, not Write-Host: only pipeline output is captured when the
    # script's output is redirected with Out-File
    Write-Output "$ComputerName is memberOf following Groups"
    $Groups = (Get-QADComputer -Identity $ComputerName).MemberOf
    $Groups | % {
        # First RDN of the group DN is "CN=<group name>"
        $_.Split(",")[0].Split("=")[1]
    }
}

Usage:

[PS] C:\> .\Get-ComputerGroups.ps1 -FilePath c:\temp\Computersfile.txt

If you want to redirect the output to a text file, just try the command below.

[PS] C:\> .\Get-ComputerGroups.ps1 -FilePath c:\temp\Computersfile.txt | Out-File c:\temp\output.txt

The group names will be written to output.txt. Note that only pipeline output reaches Out-File; anything a script writes with Write-Host stays on the console.
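The post mentions that the same thing can be done with the built-in ActiveDirectory module. The following is an added example (not the original post's code) showing that native version, written as a pipeline-friendly function. It assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module; the file path and computer name in the usage lines are placeholders. Beyond what the Quest script does, it resolves each group DN with Get-ADGroup instead of splitting the DN on commas, and the -Recursive switch returns the effective (nested) membership in one server-side query using the LDAP_MATCHING_RULE_IN_CHAIN matching rule, which is what you need when asking what a computer account is actually entitled to.

```powershell
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a DN containing \ * ( ) or NUL cannot break the LDAP filter.
    # The backslash must be escaped first.
    param([Parameter(Mandatory = $true)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-ComputerGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName,
        [switch]$Recursive   # also return groups reached through nesting
    )
    process {
        foreach ($name in $ComputerName) {
            try {
                $computer = Get-ADComputer -Identity $name -Properties MemberOf -ErrorAction Stop
            } catch {
                Write-Warning "Computer account '$name' could not be read: $($_.Exception.Message)"
                continue
            }
            if ($Recursive) {
                # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC walk the
                # group nesting itself, so one query returns direct and indirect groups.
                $dn = ConvertTo-LdapFilterValue -Value $computer.DistinguishedName
                $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
            } else {
                # Resolve each DN with Get-ADGroup rather than splitting the DN on commas,
                # which breaks for group names that contain an escaped comma.
                $groups = foreach ($groupDn in $computer.MemberOf) { Get-ADGroup -Identity $groupDn }
            }
            # memberOf never lists the primary group (Domain Computers by default).
            foreach ($group in $groups) {
                [pscustomobject]@{
                    ComputerName = $computer.Name
                    GroupName    = $group.Name
                    GroupScope   = $group.GroupScope
                    Nested       = [bool]($Recursive -and ($computer.MemberOf -notcontains $group.DistinguishedName))
                    GroupDN      = $group.DistinguishedName
                }
            }
        }
    }
}

# Usage: one computer, or a list of names from a file, exported to CSV (the object
# columns survive the export, unlike free text).
# Get-ComputerGroupMembership -ComputerName MyPC1
# Get-Content c:\temp\Computersfile.txt | Get-ComputerGroupMembership -Recursive |
#     Export-Csv c:\temp\output.csv -NoTypeInformation
```

Because the function emits objects rather than text, the output can be filtered (for example, `Where-Object GroupScope -eq 'DomainLocal'`) or exported without any further parsing. Missing or mistyped computer names produce a warning and are skipped instead of stopping the run.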

Feel free to comment here if you have any doubts.

 

Powershell: Get Active Directory Sites and subnets list

February 25, 2012 1 comment

This post talks about querying Active Directory Sites and Subnets information from AD using PowerShell. This script is helpful when you want to know which subnets map to a given site and which servers lie in a site. The script doesn't need much explanation since it is very straightforward. If you disagree with me, please comment on which part of the script you want explained. Also feel free to post if you would like to query any other information related to Sites and Services. Happy to help.

Code: Get-ADSites.ps1

[cmdletbinding()]
param()

# Enumerate every site in the current forest through the .NET Active Directory
# classes; no extra modules or Quest tools are needed for this one
$Sites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites

foreach ($Site in $Sites) {
    $obj = New-Object -Type PSObject -Property @{
        "SiteName" = $Site.Name
        "SubNets"  = $Site.Subnets   # collection of subnet objects (Name holds the CIDR)
        "Servers"  = $Site.Servers   # domain controllers located in the site
    }
    $obj
}

Output:

Powershell: Move Computer accounts from default container to specific OU

February 18, 2012 9 comments

Whenever a computer is joined to a Windows domain, its account is created by default in the Computers container, which sits right below the domain name in dsa.msc. Its full path is <domainName>\Computers (CN=Computers under the domain root). Because it is a container and not an OU, no Group Policy can be linked to it, which is the usual reason for moving accounts out of it; redircmp.exe can also change where newly joined computers land in the first place.

Today one of my friends asked me if there is any quick script with which he can move all computers from the default Computers container to an OU of his choice in the same domain. Since I didn't have a script already authored for this purpose, I quickly made the one below.

This is a very basic version of a computer account move script. You might want some conditional processing, like if the name contains XYZ move to one OU, or if the name contains ABC move to a different OU. You can accommodate such conditions in this script if you have a little PowerShell knowledge (or let me know and I can help you, given some time).

Here is the code.

[cmdletbinding()]
param (
    [parameter(mandatory=$true)]
    $TargetOU
)

Import-Module ActiveDirectory
$Domain = [ADSI]""                      # binds to the root of the current domain
$DN = $Domain.distinguishedName
$SourcePath = "CN=Computers," + $DN
$Computers = Get-ADComputer -Filter * -SearchBase $SourcePath
if(!$Computers) {
    Write-Host "No Computers are found in default container"
    return
}
foreach ($Computer in $Computers) {
    # Move-ADObject returns nothing on success and only writes a non-terminating error
    # on failure, so testing its return value would always report SUCCESS. Turn the
    # error into an exception with -ErrorAction Stop and catch it instead.
    try {
        Move-ADObject $Computer -TargetPath $TargetOU -ErrorAction Stop
        $Status = "SUCCESS"
    } catch {
        $Status = "FAILED: $($_.Exception.Message)"
    }
    $OutputObj = New-Object -TypeName PSObject
    $OutputObj | Add-Member -MemberType NoteProperty -Name ComputerName -Value $Computer.Name.ToString()
    $OutputObj | Add-Member -MemberType NoteProperty -Name SourcePath -Value $SourcePath
    $OutputObj | Add-Member -MemberType NoteProperty -Name DestinationPath -Value $TargetOU
    $OutputObj | Add-Member -MemberType NoteProperty -Name Status -Value $Status
    $OutputObj
}

 

When I executed this script in my test domain for testing purposes it went fine and generated the below output. This script does not depend on any external modules or cmdlets such as the Quest tools; it uses the ActiveDirectory module that comes with RSAT (or with Windows Server 2008 R2 domain controllers). Needless to say, if all your domain controllers run Windows Server 2003 you need the Active Directory Management Gateway Service (which provides ADWS) installed on at least one of them; this is not required if at least one DC runs Windows Server 2008 R2, where ADWS is installed by default.

Output:
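The post above mentions that you might want to route computers to different OUs depending on their names. The following is an added example (not the original post's code) that does exactly that with an ordered rule table. It assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module; the contoso.com domain, the OU names and the name prefixes in the rules are hypothetical. It also reads the real default container from the domain (in case redircmp.exe has changed it), supports -WhatIf for a dry run, and detects failed moves with try/catch, since Move-ADObject returns nothing on success.

```powershell
Import-Module ActiveDirectory

# Routing rules, first match wins. OU DNs and the contoso.com domain are hypothetical.
$Rules = @(
    @{ Pattern = '^SALES-'; TargetOU = 'OU=Sales Workstations,OU=Workstations,DC=contoso,DC=com' }
    @{ Pattern = '^FIN-';   TargetOU = 'OU=Finance Workstations,OU=Workstations,DC=contoso,DC=com' }
    @{ Pattern = '^SRV-';   TargetOU = 'OU=Servers,DC=contoso,DC=com' }
)
$DefaultTargetOU = 'OU=Unsorted Computers,DC=contoso,DC=com'

function Resolve-TargetOU {
    # Pure decision function: which OU a computer name should land in.
    param([string]$Name, [object[]]$RuleSet, [string]$Default)
    foreach ($rule in $RuleSet) {
        if ($Name -match $rule.Pattern) { return $rule.TargetOU }
    }
    return $Default
}

function Move-ComputersFromDefaultContainer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([object[]]$RuleSet, [Parameter(Mandatory = $true)][string]$Default)

    # Read the actual default container instead of assuming CN=Computers:
    # redircmp.exe may have pointed new accounts somewhere else.
    $source = (Get-ADDomain).ComputersContainer
    $computers = Get-ADComputer -Filter * -SearchBase $source -SearchScope OneLevel
    foreach ($computer in $computers) {
        $target = Resolve-TargetOU -Name $computer.Name -RuleSet $RuleSet -Default $Default
        $status = 'SKIPPED'
        if ($PSCmdlet.ShouldProcess($computer.Name, "Move to $target")) {
            try {
                # Move-ADObject returns nothing on success and only writes a non-terminating
                # error on failure; -ErrorAction Stop makes the failure catchable.
                Move-ADObject -Identity $computer.DistinguishedName -TargetPath $target -ErrorAction Stop
                $status = 'SUCCESS'
            } catch {
                $status = "FAILED: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            ComputerName    = $computer.Name
            SourcePath      = $source
            DestinationPath = $target
            Status          = $status
        }
    }
}

# Dry run first (-WhatIf only prints what would move), then the real run:
# Move-ComputersFromDefaultContainer -RuleSet $Rules -Default $DefaultTargetOU -WhatIf
# Move-ComputersFromDefaultContainer -RuleSet $Rules -Default $DefaultTargetOU | Format-Table -AutoSize
```

Keeping the routing decision in its own function means the rule table can be checked against a list of names before anything is moved, and the -WhatIf pass shows every planned move without touching the directory.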

How to get Group Policy permissions using powershell

December 21, 2011 Leave a comment

Using PowerShell, we can query who has permissions on a given GPO or a list of GPOs. We can do this either with the Quest ActiveRoles cmdlets or with the native GroupPolicy cmdlets that come with the GPMC (on Windows 7, via RSAT). In this post I am going to demonstrate the native method. To use the native method, you must be running one of the following:

  • Windows Server 2008 R2 on a domain controller
  • Windows Server 2008 R2 on a member server that has the GPMC installed
  • Windows® 7 with Remote Server Administration Tools (RSAT) installed. (RSAT includes the GPMC and the Group Policy cmdlets)

The GPMC (or RSAT) installation also installs a PowerShell module called GroupPolicy, which we use to query GPOs. Before dealing with GPOs we should load it with the Import-Module GroupPolicy command.

Below is sample code that gets the permissions of a given GPO.

function Get-GPOPermissions {
    param($GPOName)
    Import-Module GroupPolicy

    # -All returns one entry per trustee on the GPO's ACL
    $permsobj = Get-GPPermissions -Name $GPOName -All
    foreach ($perm in $permsobj) {
        $obj = New-Object -TypeName PSObject -Property @{
            GPOName     = $GPOName
            AccountName = $perm.Trustee.Name
            AccountType = $perm.Trustee.SidType.ToString()
            Permissions = $perm.Permission
        }
        # Select fixes the column order; hashtable property order is not guaranteed
        $obj | Select-Object GPOName, AccountName, AccountType, Permissions
    }
}

Below is the sample output:

Hope this helps. I will continue writing some GPO related scripts in coming days.
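Listing permissions is most useful when it answers a security question: who, other than the expected administrators, can edit a GPO? Anyone with GpoEdit or GpoEditDeleteModifySecurity on a GPO linked to an OU of servers or users effectively controls those machines. The following is an added example (not the original post's code) that scans every GPO for such entries. It assumes PowerShell 3.0 or later with the GroupPolicy module; the expected-editor list and the "Helpdesk" sample entry are assumptions you would adjust for your own domain.

```powershell
Import-Module GroupPolicy

# Trustees that hold edit rights on every GPO by default; anything else with
# edit-level rights is worth a second look.
$DefaultEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

function Test-UnexpectedEditor {
    # Pure check on one permission entry: edit-level, allowed (not a Deny entry),
    # and held by a trustee that is not on the expected list.
    param([Parameter(Mandatory = $true)]$Permission, [string[]]$ExpectedEditors = $DefaultEditors)
    $editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'
    ([string]$Permission.Permission -in $editLevels) -and
        (-not $Permission.Denied) -and
        ($Permission.Trustee.Name -notin $ExpectedEditors)
}

function Find-UnexpectedGPOEditors {
    # Scans every GPO in the domain (or only the ones named) and reports unexpected editors.
    param(
        [string[]]$GpoName = (Get-GPO -All | Select-Object -ExpandProperty DisplayName),
        [string[]]$ExpectedEditors = $DefaultEditors
    )
    foreach ($name in $GpoName) {
        # Get-GPPermissions is the Windows 7 / 2008 R2 name; later versions keep it as an alias
        foreach ($perm in (Get-GPPermissions -Name $name -All)) {
            if (Test-UnexpectedEditor -Permission $perm -ExpectedEditors $ExpectedEditors) {
                [pscustomobject]@{
                    GPOName     = $name
                    Trustee     = $perm.Trustee.Name
                    TrusteeType = [string]$perm.Trustee.SidType
                    Permission  = [string]$perm.Permission
                }
            }
        }
    }
}

# Constructed sample entry (not real AD data) to exercise the check offline:
$sample = [pscustomobject]@{
    Trustee    = [pscustomobject]@{ Name = 'Helpdesk'; SidType = 'Group' }
    Permission = 'GpoEditDeleteModifySecurity'
    Denied     = $false
}
Test-UnexpectedEditor -Permission $sample

# Live run against the whole domain:
# Find-UnexpectedGPOEditors | Format-Table -AutoSize
```

Expect the user who created each GPO to show up as well, since the creator gets edit rights by default; whether that is acceptable months later is exactly the kind of question this report is meant to raise.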

 

 

Slow login issues due to Group Policy Preferences

September 8, 2011 Leave a comment

Have you started using Group Policy Preferences lately to manage your Windows 7 and Windows 2008 computers? Group Policy Preferences can increase login times in your environment if security groups are used for item-level targeting. For example, you may be mapping drives based on user security group membership (e.g. sales, finance, etc.). Per AskDS, when a security group is used for targeting a Group Policy Preference setting, the computer has to make several round trips to domain controllers to verify the user's group membership. The trip time depends on the kind of connectivity you have to the domain controllers and the load on the DC; if you are on a WAN link, it may be even longer. The Windows 7/2008 computer won't complete the logon until this preference setting is evaluated and applied. In such cases the logon time increases drastically, which is a very bad experience for end users.

The AskDS team suggested using Organizational Units instead of security groups for targeting. Using OUs reduces the trips to domain controllers, as the GPP client only has to parse the DN of the computer or user account to decide whether a setting applies.

After reading the AskDS article, I wondered why they (MS) didn't use the security token for evaluating computer/user group membership at the time of processing the target. It is very easy and means less traffic to domain controllers. It makes sense, doesn't it?

My question was answered in a very short time in the form of another AskDS article. They implemented exactly what I had in mind. MS released a hotfix (http://support.microsoft.com/kb/2561285) that adds this nice feature to Group Policy Preferences, which can reduce user logon times and computer startup times (if you are using security group targeting in computer GPPs).

So, if you are using Group Policy Preferences in your organization, make sure that all your Windows 7/2008 computers have this hotfix. Otherwise, one day or another you will end up looking for it when your users keep complaining about slow logins.

 

Know to which Active Directory site your IP belongs

Today I quickly wanted to check which AD site an IP belongs to. If I am on the computer where that IP is assigned, it is easy to find out. Since that computer was offline/not reachable, I needed some other way.

After a bit of googling, I came across the below usage of dfsutil. I am very familiar with DFSUTIL but had never paid much attention to the "/sitename" parameter.

So, here you go: if your computer IP is 192.168.10.130, you can find out which AD site it belongs to by executing "dfsutil.exe /sitename:192.168.10.130", and the output will display the site name.

C:\>dfsutil /sitename:192.168.10.130

Microsoft(R) Windows(TM) Dfs Utility Version 4.2
Copyright (C) Microsoft Corporation 1991-2005. All Rights Reserved.

 Site for 192.168.10.130 is INDIA

Done processing this command.

C:\>

In above example INDIA is my active directory site name.
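The site-to-IP question answered by dfsutil above can also be answered from the site and subnet data that the Get-ADSites.ps1 script earlier on this page enumerates, which is handy when dfsutil is not at hand or when you want to resolve a whole list of addresses. The following is an added example (not from either original post) that builds a subnet-to-site map from the forest and matches an IP against it, picking the longest matching prefix the way AD itself does for overlapping subnets. It assumes PowerShell 3.0 or later; the APAC/INDIA/HQ subnets in the sample map are constructed, not read from a real forest.

```powershell
function Get-ADSubnetMap {
    # One record per subnet object with the site it is attached to
    # (subnets not assigned to any site are not listed).
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        foreach ($subnet in $site.Subnets) {
            [pscustomobject]@{ Subnet = $subnet.Name; SiteName = $site.Name }   # Name is the CIDR string
        }
    }
}

function Test-IPInSubnet {
    # True when the first <prefix> bits of $IPAddress equal those of the subnet's network address.
    param([string]$IPAddress, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $ipBytes  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    if ($ipBytes.Length -ne $netBytes.Length) { return $false }   # IPv4 address vs IPv6 subnet
    $bitsLeft = [int]$prefix
    for ($i = 0; $i -lt $ipBytes.Length -and $bitsLeft -gt 0; $i++) {
        # Full-byte mask while 8 or more bits remain, otherwise mask only the top $bitsLeft bits
        $mask = if ($bitsLeft -ge 8) { 0xFF } else { (0xFF -shl (8 - $bitsLeft)) -band 0xFF }
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
        $bitsLeft -= 8
    }
    return $true
}

function Resolve-ADSiteForIP {
    # Longest matching prefix wins, which is how AD resolves overlapping subnet definitions.
    param(
        [Parameter(Mandatory = $true)][string]$IPAddress,
        [object[]]$SubnetMap = (Get-ADSubnetMap)   # default only evaluated when not supplied
    )
    $hits = $SubnetMap | Where-Object { Test-IPInSubnet -IPAddress $IPAddress -Cidr $_.Subnet }
    $best = $hits | Sort-Object { [int]($_.Subnet -split '/')[1] } -Descending | Select-Object -First 1
    if ($best) { $best.SiteName } else { 'No matching subnet' }
}

# Constructed sample map (not read from a real forest), including overlapping subnets:
$sampleMap = @(
    [pscustomobject]@{ Subnet = '192.168.0.0/16';  SiteName = 'APAC' }
    [pscustomobject]@{ Subnet = '192.168.10.0/24'; SiteName = 'INDIA' }
    [pscustomobject]@{ Subnet = '10.0.0.0/8';      SiteName = 'HQ' }
)
Resolve-ADSiteForIP -IPAddress 192.168.10.130 -SubnetMap $sampleMap   # the /24 is more specific than the /16
Resolve-ADSiteForIP -IPAddress 172.16.1.1     -SubnetMap $sampleMap   # lies outside every defined subnet

# Against the live forest (needs connectivity to a domain controller):
# Resolve-ADSiteForIP -IPAddress 192.168.10.130
```

Addresses that fall outside every defined subnet are worth knowing about: clients on such networks are not site-aware and may authenticate against a domain controller across the WAN, which is the same class of problem the slow-logon post above describes.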

Auditing group changes in Active Directory Environment

November 20, 2010 Leave a comment

Auditing Active Directory has become vitally important for many organizations, since they use it to manage many security aspects such as share permissions, printer provisioning and access to critical systems like IRM (Information Rights Management). Beyond these, many other things use Active Directory objects to manage security permissions.

Considering this, organizations now insist that their IT staff continuously monitor Active Directory changes, and more precisely security group changes. The Quest compliance tools are the first product that comes to my mind when someone talks about Active Directory auditing; the reason is simple, I have already got my hands wet with them. Quest has a really nice set of tools for managing and auditing an Active Directory environment. (1) Quest ActiveRoles Server: an awesome product for delegating and managing the change history of Active Directory objects. It is very helpful for delegating rights to L1/L2 IT admin staff at a granular level, i.e. down to individual attributes. One downside/limitation of this product is that it is not meant for auditing changes made to Active Directory through native methods such as dsa.msc and scripts. (2) Quest InTrust plug-in for Active Directory: this one is designed to cover the limitation that ARS has. It won't help you manage or delegate Active Directory objects and permissions, but it monitors and logs all sorts of changes made to the Active Directory Domain, Schema and Configuration partitions. All it does is monitor these partitions and log the events to the event log.

Well, enough talking about Quest products and promoting them; sorry, I am not a Quest sales person :). Moreover they are costly, and organizations need to put in some money if they want to leverage the benefits of these products. So, let's talk about how to make group change auditing work through native mechanisms.

Cheaper solution to monitor active directory group changes:

As many of you are already aware, Windows 2003/2008 provides built-in auditing mechanisms. If you have never had a chance to look at them, you should read up on them on the Microsoft TechNet site. In a nutshell,

To enable auditing of Active Directory objects:

a)       Configure an audit policy setting for all domain controllers. The audit policy turns on auditing of directory objects in general; it does not yet say which objects you want to audit.

                To configure the audit policy, edit the "Default Domain Controllers Policy" GPO, navigate to "Computer Configuration" -> "Windows Settings" -> "Security Settings" -> "Local Policies" -> "Audit Policy" and set the "Audit directory service access" policy to log "Success" and "Failure" events. Make sure that the "Default Domain Controllers Policy" is applied to all domain controllers in your domain.

b)       Configure auditing for the specific Active Directory objects (security groups in this case). Once you specify the objects, Windows Server tracks and logs these events.

        To select auditing for specific objects, security groups in our case, go to the OU where you keep your security group objects, open the properties of the OU, click "Advanced", switch to the "Auditing" tab, add "Everyone" (or double-click it if present) and select the "Successful" or "Failed" check box for the actions you want to audit. Since our aim in this article is to monitor security group membership changes, select the "Successful" check box for the "Write Members" action, and make sure the entry applies to the descendant Group objects (not only to the OU itself) so that the groups inside the OU inherit it.

This completes the auditing setup for the security group objects; your domain controllers will now write events to the Security event log whenever the membership of one of the configured groups changes. Note that group membership changes are also recorded, without any per-object SACL, by the "Audit account management" policy (the "Security Group Management" subcategory on Windows 2008): events 632/633, 636/637 and 660/661 on Windows 2003 and 4728/4729, 4732/4733 and 4756/4757 on Windows 2008 (global, local and universal groups; member added/removed), each naming the group, the member and the account that made the change. The object-level auditing described above adds the access-level detail (event 4662 on Windows 2008) for the groups you single out.

NOTE: If you are running Windows 2008 Active Directory, the story is a bit different. Auditing of Active Directory objects is divided into four subcategories, and you need to enable the "Directory Service Changes" subcategory, which logs event 5136 with the old and new attribute values. Go through this TechNet link for more information.
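Turning the audit events into something readable is the other half of "making group change auditing work". The following is an added example (not the original post's code) that reads the Security Group Management events a Windows 2008 or later domain controller writes when group membership changes (4728/4729 global, 4732/4733 local, 4756/4757 universal; these do not depend on the per-object SACL configured above) and flattens each into a record of who changed which group and how. It assumes PowerShell 3.0 or later and a Vista/2008-style event log (Get-WinEvent; on Windows 2003 DCs you would use Get-EventLog with the 632/633, 636/637 and 660/661 IDs instead). The sample event XML is constructed, not captured from a real DC, and the CONTOSO names in it are placeholders.

```powershell
# Security event IDs for group membership changes written by Windows 2008+ DCs
# (the Windows 2003 equivalents are in the comments).
$GroupChangeEvents = @{
    4728 = 'Member added to global group'        # 2003: 632
    4729 = 'Member removed from global group'    # 2003: 633
    4732 = 'Member added to local group'         # 2003: 636
    4733 = 'Member removed from local group'     # 2003: 637
    4756 = 'Member added to universal group'     # 2003: 660
    4757 = 'Member removed from universal group' # 2003: 661
}

function ConvertFrom-GroupChangeEvent {
    # Flattens the XML of one Security event (what $event.ToXml() returns) into a record.
    # XPath with local-name() sidesteps the event schema namespace.
    param([Parameter(Mandatory = $true)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($node in $x.SelectNodes("//*[local-name()='EventData']/*[local-name()='Data']")) {
        $data[$node.GetAttribute('Name')] = $node.InnerText
    }
    $id   = [int]$x.SelectSingleNode("//*[local-name()='EventID']").InnerText
    $time = $x.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')
    [pscustomobject]@{
        Time    = [datetime]$time
        EventId = $id
        Action  = $GroupChangeEvents[$id]
        Group   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Member  = $data['MemberName']      # DN of the account that was added or removed
        Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}

function Get-GroupChangeRecords {
    # Pulls the events from one DC's Security log. Run it against every DC: each one
    # logs only the membership changes it processed itself.
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = [int[]]$GroupChangeEvents.Keys; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
        ForEach-Object { ConvertFrom-GroupChangeEvent -EventXml $_.ToXml() }
}

# Constructed sample event (not captured from a real DC) so the parser can be tried offline:
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4728</EventID>
    <TimeCreated SystemTime="2010-11-20T10:15:30.000Z" />
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="MemberName">CN=Jane Doe,OU=Users,DC=contoso,DC=com</Data>
    <Data Name="MemberSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
  </EventData>
</Event>
'@
ConvertFrom-GroupChangeEvent -EventXml $SampleEventXml

# Live, last seven days from one DC:
# Get-GroupChangeRecords -ComputerName DC01 -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

Filtering the records on Group (for example Domain Admins, Enterprise Admins or Schema Admins) gives a cheap daily report of privileged group changes; forwarding the same event IDs to a central collector is the next step once the log on a single DC is no longer enough.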

Disclaimer: These are just my thoughts and experience I want to share. I am not responsible for any kind of damage made to your environment with the steps I provided. One should thoroughly test these changes before trying in production environment. Use at your own risk.

Happy learning…

Get User password changed time using PowerShell

February 14, 2010 Leave a comment

It is very simple, using the Quest cmdlets:

Get-QADUser myuser | select PasswordLastSet

If you want to know the number of days since the user changed his password, use the command below:

((Get-Date) - (Get-QADUser pamarths).PasswordLastSet).Days
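The same attribute, read with the built-in ActiveDirectory module, is the basis of a stale-password report. The following is an added example (not the original post's code) that lists enabled users whose password is older than a threshold or is set never to expire. It assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module; the sample accounts are constructed and the 90-day threshold is an assumption. The one edge case worth knowing is that PasswordLastSet is empty when pwdLastSet is 0, i.e. the account is flagged "must change password at next logon", so subtracting it from the current date would fail; the code treats that as "no age" rather than as an error.

```powershell
Import-Module ActiveDirectory

function Get-PasswordAgeReport {
    # Enabled users whose password is older than $MaxAgeDays or is set to never expire.
    param(
        [int]$MaxAgeDays = 90,
        [object[]]$Users = (Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordLastSet, PasswordNeverExpires)
    )
    $now = Get-Date
    foreach ($user in $Users) {
        # PasswordLastSet is $null when pwdLastSet is 0 ("must change password at next logon")
        $age = if ($user.PasswordLastSet) { ($now - $user.PasswordLastSet).Days } else { $null }
        $flag = ($user.PasswordNeverExpires) -or (($null -ne $age) -and ($age -gt $MaxAgeDays))
        if ($flag) {
            [pscustomobject]@{
                SamAccountName       = $user.SamAccountName
                PasswordLastSet      = $user.PasswordLastSet
                PasswordAgeDays      = $age
                PasswordNeverExpires = $user.PasswordNeverExpires
            }
        }
    }
}

# Constructed sample accounts (not real AD objects) to exercise the logic offline:
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice';   PasswordLastSet = (Get-Date).AddDays(-20);  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';     PasswordLastSet = (Get-Date).AddDays(-200); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc1';    PasswordLastSet = (Get-Date).AddDays(-5);   PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'newhire'; PasswordLastSet = $null;                    PasswordNeverExpires = $false }
)
Get-PasswordAgeReport -MaxAgeDays 90 -Users $sampleUsers

# Live run against the domain, exported for review:
# Get-PasswordAgeReport -MaxAgeDays 90 | Export-Csv c:\temp\stale-passwords.csv -NoTypeInformation
```

Service accounts with PasswordNeverExpires set are usually the bulk of the report; they deserve a separate review, since a never-rotated service account password is a long-lived credential for whoever obtains it.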

Happy Learning..,
Sitaram Pamarthi