
How to find extended rights that apply to a schema class object (remix)

The AD guys posted a really cool post about getting extended rights via the schema. That post can be found here:
How to find extended rights that apply to a schema class object

If you don't have Windows 7, Windows 2008 R2, or the Active Directory Management Gateway, you can get similar results by using my functions from here: Getting AD Schema information from Powershell. These work on all versions of AD.

Using these functions you can just do this:

Get-ADSchemaClass group | %{$_.DefaultObjectSecurityDescriptor} | %{$_.access} | ?{$_.ActiveDirectoryRights -eq "ExtendedRight"}
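The one-liner above depends on my Get-ADSchemaClass function. As an added example (my own code here, not from the original post linked above), the same report can be produced with nothing but System.DirectoryServices, and it also resolves each ACE's rights GUID to the display name of the control access right from the Extended-Rights container, so you can see *which* extended right (e.g. a particular control access right) is being granted rather than just a GUID. The function name Get-SchemaClassExtendedRight and its parameter are my own.

```powershell
function Get-SchemaClassExtendedRight
{
    # Lists the ExtendedRight ACEs in a schema class's defaultSecurityDescriptor and
    # resolves each ObjectType GUID against CN=Extended-Rights in the configuration NC.
    Param([string]$ClassName = 'group')   # 'group' matches the one-liner in the post

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNC = $rootDse.schemaNamingContext.ToString()
    $configNC = $rootDse.configurationNamingContext.ToString()

    # Find the classSchema object by lDAPDisplayName
    $cs = New-Object DirectoryServices.DirectorySearcher
    $cs.SearchRoot = [ADSI]"LDAP://$schemaNC"
    $cs.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))"
    $null = $cs.PropertiesToLoad.Add('defaultSecurityDescriptor')
    $class = $cs.FindOne()
    if (-not $class) { throw "Schema class '$ClassName' not found" }

    # defaultSecurityDescriptor is stored as SDDL. Aliases such as DA (Domain Admins)
    # are resolved against the domain of the machine running this, so run it domain-joined.
    $sd = New-Object DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($class.Properties['defaultsecuritydescriptor'][0])

    # Build a rightsGuid -> displayName map from the controlAccessRight objects
    $rightNames = @{}
    $rs = New-Object DirectoryServices.DirectorySearcher
    $rs.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNC"
    $rs.Filter = "(objectClass=controlAccessRight)"
    $rs.PageSize = 1000
    $null = $rs.PropertiesToLoad.AddRange([string[]]@('rightsGuid','displayName'))
    foreach ($r in $rs.FindAll())
    {
        $rightNames[[guid]$r.Properties['rightsguid'][0]] = $r.Properties['displayname'][0]
    }

    # Ask for rules keyed by SID so an unresolvable trustee cannot abort the whole call,
    # and test the flag with -band: ACEs often carry ExtendedRight together with other bits.
    $rules = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules)
    {
        if (-not ($rule.ActiveDirectoryRights -band [DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }

        # An empty ObjectType means the ACE covers every extended right on the object
        if ($rule.ObjectType -eq [guid]::Empty)             { $name = '<all extended rights>' }
        elseif ($rightNames.ContainsKey($rule.ObjectType)) { $name = $rightNames[$rule.ObjectType] }
        else                                                { $name = '<GUID not in Extended-Rights container>' }

        # Translate the SID to a name where possible, keep the raw SID otherwise
        $who = $rule.IdentityReference
        try { $who = $who.Translate([System.Security.Principal.NTAccount]) } catch { }

        New-Object PSObject -Property @{
            Class     = $ClassName
            Identity  = $who.Value
            Type      = $rule.AccessControlType
            Right     = $name
            RightGuid = $rule.ObjectType
        }
    }
}

# Usage:
Get-SchemaClassExtendedRight -ClassName group | Format-Table Identity,Type,Right -AutoSize
```

Note that this reads the *default* security descriptor that new objects of the class are stamped with at creation time; existing objects may have had their ACLs changed since, so use it to understand the baseline, not as an audit of what is actually set on live objects.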

Heads up on an upcoming codeplex project.

Active Directory Replication Module

Purpose:
Provide administrators with a simple, task-based set of cmdlets to manage and troubleshoot Active Directory Replication.

Overview:
This will provide several cmdlets for working with Active Directory, focusing on Replication. As AD replication is built on the domain/forest infrastructure, we are also including a set of Domain and Forest management cmdlets.

Target:
Windows 2003 Domain and above (although most cmdlets will still work against 2000).

Status:
Work has already begun on the project and I am hoping to release alpha code in the next month or so.

Example of cmdlets to be provided (not complete):

  • Test-ADRReplication
  • Get-ADRDomain
  • Get-ADRDomainController
  • Get-ADRForest
  • Get-ADRGlobalCatalog
  • Get-ADRMetaData
  • Get/Set/Test-ADRProperty
  • Get/Set/New-ADRSite
  • Get/Set/New-ADRSiteLink
  • Get/Set/New-ADRSubNet

Please let us know if there is a feature you would like to see, or any general feedback.


Some AD Functions for DCs and name conversion.

Below are some functions I have written or used recently that I don't believe I have shared before.

Get-DC: Gets a DirectoryServices.ActiveDirectory.DomainController object by Name or Domain. If nothing is passed it gets the DC the local machine is currently bound to.

Get-DCConnectionObject: Gets the inbound connection objects for the given DC. The default is all DCs in the forest.

ConvertTo-Sid: Converts Name to SID.

ConvertTo-Name: Converts Sid to Name.

################################################################################
function Get-DC
{
    # Returns DomainController objects: by server name, by domain (all DCs in it),
    # or, with no parameters, the DC that answered the local machine's LDAP bind.
    Param($Name,$Domain)

    if($Name)
    {
        $Context = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer",$Name)
        [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($Context)
    }
    if($Domain)
    {
        $Context = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$Domain)
        [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($Context)
    }
    if(!$Name -and !$Domain)
    {
        # RootDSE.dnsHostName is the DC the local machine is currently talking to
        $DCName = ([adsi]"LDAP://rootDSE").dnsHostname.ToString()
        $Context = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer",$DCName)
        [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($Context)
    }
}
################################################################################
function Get-DCConnectionObject
{
    # $name is a regex matched against each DC's name; ".*" means every DC in the forest
    Param($name = ".*")
    $Myforest = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $MyDCs = $Myforest.Domains | foreach-object{$_.DomainControllers} | ?{$_.name -match $name}
    $MyDCs | %{$_.InboundConnections}
}
################################################################################
function ConvertTo-Sid($UserName,$domain = $env:Computername)
{
   # Translates DOMAIN\UserName to its SID string; local machine accounts by default
   $ID = New-Object System.Security.Principal.NTAccount($domain,$UserName)
   $SID = $ID.Translate([System.Security.Principal.SecurityIdentifier])
   $SID.Value
}
################################################################################
function ConvertTo-Name($sid)
{
   # Translates a SID string (S-1-5-21-...) back to DOMAIN\Name; throws if the SID no longer resolves
   $ID = New-Object System.Security.Principal.SecurityIdentifier($sid)
   $User = $ID.Translate( [System.Security.Principal.NTAccount])
   $User.Value
}
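One thing ConvertTo-Name does not handle is a SID that no longer maps to anything (a deleted user or group): Translate() throws an IdentityNotMappedException. Those orphaned SIDs turn up regularly in AD ACLs after delegations are set up and the delegated group is later removed, and they are worth cleaning up. As an added example (my own code, not part of the function set above), here is a tolerant version of the lookup plus a small scan that lists ACEs on an object whose trustee no longer resolves. The function names and the OU path are my own placeholders.

```powershell
function Resolve-SidOrNull
{
    # Same translation ConvertTo-Name does, but returns $null instead of throwing
    # when the SID is no longer mapped to an account.
    Param([string]$Sid)
    try
    {
        $ID = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $ID.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException]
    {
        $null
    }
}

function Get-OrphanedAce
{
    # Lists ACEs on an AD object whose trustee SID no longer resolves.
    # Only account SIDs (S-1-5-21-...) are checked; well-known and BUILTIN SIDs are
    # skipped because they are not "orphans" even if the local machine cannot name them.
    Param([string]$DistinguishedName)   # e.g. "OU=Servers,DC=example,DC=com" (placeholder)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Ask for rules keyed by SID so one bad trustee cannot abort the whole call
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules)
    {
        $sid = $rule.IdentityReference
        if ($sid.IsAccountSid() -and -not (Resolve-SidOrNull $sid.Value))
        {
            New-Object PSObject -Property @{
                Object    = $DistinguishedName
                Sid       = $sid.Value
                Rights    = $rule.ActiveDirectoryRights
                Type      = $rule.AccessControlType
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Usage (placeholder DN):
Get-OrphanedAce "OU=Servers,DC=example,DC=com" | Format-Table Sid,Rights,Type,Inherited -AutoSize
```

Inherited orphans point at a parent object's ACL rather than the one you passed in, so fix them at the top of the inheritance chain and let the change flow down.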

Avoid hardcoding in scripts. Here are some simple discovery options in Powershell

When writing scripts I have always been a fan of making them as generic as possible. This may make the script a tad more complicated, but it allows it to be dynamic and also allows you to share these scripts between environments (i.e., Lab, QC, Production). Basically we want to avoid hardcoding Domains, Domain Controllers, OUs, Containers, and site info.

Below I provide some simple examples of getting this information dynamically. This will allow you to discover the information instead of hardcoding it in the script.

To get forest information like Domains, Sites, ForestMode, RootDomain, and Forest masters you can use this:
  $Forest = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

To get Domain information like Domain Controllers, DomainMode, Domain Masters, and Forest Root:
  $Domain = [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

To get the current Site information for the local machine like Subnets, Sitelinks, Location, Bridgehead Servers, and Domain Controllers:
  $MySite = [DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

With these variables you can find all the Active Directory infrastructure information you could possibly want.

Here are some more specific examples on how to use these variables:

To find all your Global Catalogs in the forest
  $Forest.GlobalCatalogs

To find all the Domain Controllers in the current domain
  $Domain.DomainControllers

To see what application partitions your forest has
  $forest.ApplicationPartitions

To see the forest roles
  $forest | select SchemaRoleOwner,NamingRoleOwner

To see the domain roles
  $domain | select PDCRoleOwner,RidRoleOwner,InfrastructureRoleOwner

To see the subnets in the current site
  $MySite.subnets

To see the bridgehead Servers
  $MySite.BridgeheadServers
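Putting the three discovery calls together, here is an added example (my own code, not from the post) of the kind of thing they make possible: a function that reports the forest, domain and FSMO role holders, and picks the nearest GC and DC without a single hardcoded name. It also covers the one call that fails in practice: GetComputerSite() throws when the machine's IP address is not covered by any subnet in Sites and Services, in which case it falls back to the DC locator. The function name is my own.

```powershell
function Get-ADDiscoverySummary
{
    $forest = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # GetComputerSite() throws ActiveDirectoryObjectNotFoundException when the machine's
    # subnet is not defined in any site; treat that as "no site" rather than failing.
    $siteName = $null
    try
    {
        $siteName = [DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    }
    catch [System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException]
    {
        Write-Warning "This computer's subnet is not in any AD site; falling back to the DC locator."
    }

    # Prefer a GC / DC in our own site; otherwise let the locator choose one for us
    $gc = $null
    if ($siteName) { $gc = $forest.GlobalCatalogs | Where-Object { $_.SiteName -eq $siteName } | Select-Object -First 1 }
    if (-not $gc)  { $gc = $forest.FindGlobalCatalog() }

    $dc = $null
    if ($siteName) { $dc = $domain.DomainControllers | Where-Object { $_.SiteName -eq $siteName } | Select-Object -First 1 }
    if (-not $dc)  { $dc = $domain.FindDomainController() }

    New-Object PSObject -Property @{
        Forest               = $forest.Name
        ForestMode           = $forest.ForestMode
        Domain               = $domain.Name
        DomainMode           = $domain.DomainMode
        Site                 = $siteName
        NearestGC            = $gc.Name
        NearestDC            = $dc.Name
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }
}

# Usage:
Get-ADDiscoverySummary | Format-List
```

Because nothing in it is environment-specific, the same function gives the right answer in the lab, QC and production, and a sudden change in NearestDC or a role holder is something worth noticing when you run it from a scheduled job.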

ADMG (aka ADWS for non-2008 R2)

As you may or may not know, the AD cmdlets that ship with Win7 and Windows 2008 R2 use ADWS (Active Directory Web Services), but fear not! MS released ADMG (Active Directory Management Gateway), which lets you use the AD cmdlets and ADAC (Active Directory Administrative Center) against earlier versions of Windows Server.

Download here: http://support.microsoft.com/default.aspx?scid=kb;en-us;969041&sd=rss&spid=12925

For more information about Active Directory Web Services: http://technet.microsoft.com/en-us/library/dd391908.aspx

For more information about the Active Directory Module for Windows PowerShell: http://technet.microsoft.com/en-us/library/dd378937.aspx

Why use LDAP filters (Powershell)

A common problem when dealing with Active Directory is scripts that pull back every object and then do the filtering themselves on the client.

Let's take this example:
  $selector = New-Object DirectoryServices.DirectorySearcher
  $selector.SearchRoot = [ADSI]""
  $selector.pagesize = 1000
  $adobj = $selector.findall() | where {$_.properties.objectcategory -match "CN=Person"}
  foreach ($person in $adobj) {
      $date120DaysAgo = [DateTime]::Now.AddDays(-120).ToFileTime()
      $LL1 = $person.properties.lastlogontimestamp
      if(($LL1 -le $date120DaysAgo) -and ($person.GetDirectoryEntry().psbase.invokeget('AccountDisabled'))){$person}
  }

Instead of doing the filtering on the client side, we should let the server do the work. How do we do that?

With LDAP filters. Here is an example (the $date variable is the same FileTime cutoff as above, so it is defined first; the :1.2.840.113556.1.4.803: matching rule is a bitwise AND against userAccountControl, and bit 2 is ACCOUNTDISABLE):
  $date = (Get-Date).AddDays(-120).ToFileTime()
  $filter = "(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(lastlogontimestamp>=$date))"
  $ds = New-Object DirectoryServices.DirectorySearcher([ADSI]"",$filter)
  $ds.PageSize = 1000
  $users = $ds.FindAll()
  $users

Or with the Quest tools... even easier!
  $date = (Get-Date).AddDays(-120).ToFileTime()
  $filter = "(lastlogontimestamp>=$date)"
  Get-QADUser -LdapFilter $filter -disabled

I think you will find with an LDAP filter you can save a TON of time.
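Once the filter string is built from variables, the next thing to get right is what goes into it. As an added example (my own code, not from the post), here is the stale disabled-account report from the first example written as one server-side LDAP query. It takes the "not logged on in N days" reading of the first example (lastLogonTimestamp on or before the cutoff), escapes any caller-supplied value before splicing it into the filter so a value like `a)(objectClass=*` cannot change the shape of the query (the RFC 4515 escaping rules), and converts the lastLogonTimestamp large integer back into a DateTime on the client. Function and parameter names and the OU path are my own.

```powershell
function ConvertTo-LdapFilterValue
{
    # Escape the characters that have meaning inside an LDAP filter assertion value.
    Param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray())
    {
        switch ([string]$ch)
        {
            '\'     { $null = $sb.Append('\5c') }
            '*'     { $null = $sb.Append('\2a') }
            '('     { $null = $sb.Append('\28') }
            ')'     { $null = $sb.Append('\29') }
            "`0"    { $null = $sb.Append('\00') }
            default { $null = $sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Get-StaleDisabledUser
{
    Param(
        [int]$Days = 120,
        [string]$SearchBase = '',   # e.g. "OU=Staff,DC=example,DC=com" (placeholder); '' = default naming context
        [string]$NamePrefix = ''    # optional sAMAccountName prefix, treated as untrusted input
    )
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTime()

    # userAccountControl bit 0x2 = ACCOUNTDISABLE; the :1.2.840.113556.1.4.803: rule is a bitwise AND.
    # Accounts that have never logged on carry no lastLogonTimestamp and so are not matched
    # by the last clause; drop it, or OR it with (!(lastLogonTimestamp=*)), to include them.
    $clauses = @(
        '(objectCategory=person)',
        '(objectClass=user)',
        '(userAccountControl:1.2.840.113556.1.4.803:=2)',
        "(lastLogonTimestamp<=$cutoff)"
    )
    if ($NamePrefix)
    {
        # Only the trailing * is ours; everything the caller supplied is escaped
        $clauses += "(sAMAccountName=$(ConvertTo-LdapFilterValue $NamePrefix)*)"
    }
    $filter = '(&' + ($clauses -join '') + ')'

    $root = if ($SearchBase) { [ADSI]"LDAP://$SearchBase" } else { [ADSI]"" }
    $ds = New-Object DirectoryServices.DirectorySearcher($root, $filter)
    $ds.PageSize = 1000
    $null = $ds.PropertiesToLoad.AddRange([string[]]@('sAMAccountName','distinguishedName','lastLogonTimestamp'))

    foreach ($r in $ds.FindAll())
    {
        New-Object PSObject -Property @{
            SamAccountName     = $r.Properties['samaccountname'][0]
            DistinguishedName  = $r.Properties['distinguishedname'][0]
            LastLogonTimestamp = [DateTime]::FromFileTime($r.Properties['lastlogontimestamp'][0])
            Filter             = $filter
        }
    }
}

# Usage:
Get-StaleDisabledUser -Days 120 | Sort-Object LastLogonTimestamp | Format-Table SamAccountName,LastLogonTimestamp -AutoSize
```

Two caveats when you read the results: lastLogonTimestamp is only replicated when it is more than (by default) 9 to 14 days out of date, so treat it as "roughly when" rather than an exact last logon, and because this value is replicated you can query any DC, unlike lastLogon, which is kept per DC.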

Here is the output of measure-command for the two examples above (this was a very small sample).

Without Filter
--------------
Days : 0
Hours : 0
Minutes : 0
Seconds : 3
Milliseconds : 477
Ticks : 34776670

With Filter
-----------
Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 34
Ticks : 340740

If you were to do this on a large AD the difference in time would be HUGE! Here is an example with 600K users...

With Filter
------------
Days : 0
Hours : 0
Minutes : 0
Seconds : 17
Milliseconds : 353
Ticks : 173535605

I can't post one without the filter... because it has been hours and it is still not done :)

WS2008 R2 Active Directory Webcast – Tomorrow, Friday 4/24

Tomorrow Laura Hunter and Brian Desmond will be doing a webcast discussing and promoting the new Active Directory features in Windows Server 2008 R2 as well as answering AD questions. They have a 90 minute slot and they expect to spend ~45-60 minutes on R2 and the remainder taking questions on the presentation and AD in general.

The webcast is hosted by O'Reilly and is free to attend. If you can't make it, a recording will be available.

Here are the details:

Registration Link - HERE

Date: Friday, April 24, 2009

Time: 10am PT, San Francisco
6pm - London | 1pm - New York | Sat, Apr 25th at 3am - Sydney | Sat, Apr 25th at 2am - Tokyo | Sat, Apr 25th at 1am - Beijing | 10:30pm - Mumbai

Presented by: Brian Desmond, Laura E. Hunter

Duration: Approximately 90 minutes.

Cost: Free

