Category: Active Directory

Set all users' AD login script by PowerShell
article #1054, updated 15 days ago

This works well:

Import-Module ActiveDirectory
Get-ADUser -Filter * | Set-ADUser -ScriptPath filename_in_netlogon.vbs
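
A scoped variant of the one-liner above, added here as an example and not part of the original article: it limits the change to enabled accounts under one OU, saves the previous scriptPath values for rollback, and supports a -WhatIf dry run. The function name, the OU "OU=Staff,DC=domainname,DC=local" and the backup file name are assumptions.

```powershell
Import-Module ActiveDirectory

function Set-LogonScriptScoped {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # OU to limit the change to
        [Parameter(Mandatory)] [string] $ScriptPath,   # file name relative to NETLOGON
        [string] $BackupCsv = ".\scriptpath-before.csv"
    )

    # Enabled accounts under one OU only; -Filter * on the whole domain also
    # touches service accounts, built-in accounts and disabled users.
    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties ScriptPath

    # Record the previous values so the change can be rolled back.
    # -WhatIf:$false makes sure the backup is written even during a dry run.
    $users | Select-Object SamAccountName, DistinguishedName, ScriptPath |
        Export-Csv -Path $BackupCsv -NoTypeInformation -WhatIf:$false

    foreach ($u in $users) {
        if ($u.ScriptPath -eq $ScriptPath) { continue }   # already set, skip
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set scriptPath to $ScriptPath")) {
            Set-ADUser -Identity $u -ScriptPath $ScriptPath
        }
    }
}

# Dry run first; repeat without -WhatIf to apply. The OU below is a constructed sample.
Set-LogonScriptScoped -SearchBase "OU=Staff,DC=domainname,DC=local" `
    -ScriptPath "filename_in_netlogon.vbs" -WhatIf
```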

Categories:   Active Directory   

==============

Set all OUs to protected from accidental deletion
article #1018, updated 153 days ago

Run the following within Active Directory Module for Windows PowerShell:

Get-ADObject -LDAPFilter "(objectClass=organizationalUnit)" -SearchBase "DC=domainname,DC=local" | Set-ADObject -ProtectedFromAccidentalDeletion $true

Categories:   Active Directory   

==============

ADSync errors, event IDs 6127, 6126
article #974, updated 341 days ago

Here’s a great set of steps for these:

http://blog.jocha.se/tech/azure-ad-sync-event-error-6126-and-6127

The short of it is:

  1. Bring up the Synchronization Service Manager (“Synchronization Service” in Windows search),
  2. Click on Connectors,
  3. Click on “Active Directory Domain Services”,
  4. Click Run in the right pane, choose Full Synchronization, click OK, and wait for completion to be reported (it’s fairly obvious),
  5. Click Run in the right pane, choose Full Import, click OK, and wait for completion to be reported,
  6. Click Windows Azure Active Directory,
  7. and do the same two Runs as for the other line item.

Categories:   Active Directory   Azure

==============

FRS is deprecated in Server 2008R2
article #970, updated 350 days ago

Some articles:

https://msdn.microsoft.com/en-us/library/windows/desktop/ff384840(v=vs.85).aspx

https://blogs.technet.microsoft.com/filecab/2014/06/25/the-end-is-nigh-for-frs/

Categories:   Windows OS-Level Issues   Active Directory

==============

Secondary email addresses with LAN-synched EOL
article #941, updated 440 days ago

If one has one’s LAN Active Directory synchronized with EOL/Azure, one cannot add secondary email addresses in the EOL console. In this situation:

  1. Open ADSIedit from the domain controller
  2. Open up the OU containing the user
  3. Open the Properties of the user
  4. Open the Properties for the item “proxyAddresses”.
  5. The primary (the “reply”) email address for the user needs to be specified thus, with caps in the prefix:
    SMTP:user@domain.xyz
  6. Secondary email addresses for the user need to be specified thus, with lowercase prefix:
    smtp:alias@domain.xyz
  7. Then run the sync or wait for the automatic run, and it’s done!

Also, as a bonus, after the above is done once, user objects in Active Directory Users and Computers get a new tab, “Attributes”, from which the above can be done for other users.
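
The prefix rule from steps 5 and 6, as an added example that is not part of the original article: a helper that builds a proxyAddresses list with exactly one upper-case SMTP: entry and lower-case smtp: aliases. The function name, the account name jdoe and the sample addresses are assumptions, as is the choice to keep a previous primary address as an alias.

```powershell
function Get-NormalizedProxyAddresses {
    param(
        [string[]] $Existing = @(),                # current proxyAddresses values
        [Parameter(Mandatory)] [string] $Primary,  # reply address, without prefix
        [string[]] $Aliases = @()                  # secondary addresses, without prefix
    )
    $result = [System.Collections.Generic.List[string]]::new()
    $seen   = [System.Collections.Generic.HashSet[string]]::new(
                  [System.StringComparer]::OrdinalIgnoreCase)

    # Exactly one upper-case SMTP: entry marks the primary (reply) address.
    $result.Add("SMTP:$Primary")
    [void]$seen.Add($Primary)

    # Existing SMTP entries, including an old primary, become lower-case aliases.
    # -match is case-insensitive, so it catches both SMTP: and smtp:.
    $oldSmtp = $Existing | Where-Object { $_ -match '^smtp:' } |
                   ForEach-Object { $_.Substring(5) }
    foreach ($addr in @($oldSmtp) + $Aliases) {
        # Skip empty values and case-insensitive duplicates.
        if ($addr -and $seen.Add($addr)) { $result.Add("smtp:$addr") }
    }

    # Non-SMTP entries (X500:, SIP:, ...) pass through unchanged.
    $Existing | Where-Object { $_ -notmatch '^smtp:' } |
        ForEach-Object { $result.Add($_) }
    return $result.ToArray()
}

# Constructed sample values. With a real account the input would come from
#   (Get-ADUser jdoe -Properties proxyAddresses).proxyAddresses
$current = @('SMTP:old@domain.xyz', 'smtp:alias@domain.xyz', 'X500:/o=Org/cn=jdoe')
$new = Get-NormalizedProxyAddresses -Existing $current -Primary 'user@domain.xyz' `
           -Aliases 'ALIAS@domain.xyz', 'sales@domain.xyz'
$new

# Write the list back to AD; the next sync run carries it to EOL/Azure:
#   Set-ADUser jdoe -Replace @{ proxyAddresses = $new }
```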

Categories:   Exchange and Exchange Online   Active Directory

==============

Export all Active Directory groups to CSV
article #762, updated 930 days ago

From the amazing Farhan Kazi:

http://fkazi.blogspot.com/2013/07/export-active-directory-groups-with.html

@ECHO OFF
SETLOCAL EnableDelayedExpansion

SET FileName=Report.csv
SET AG=0
SET EG=0
SET CT=0
SET NE=0
SET GN=

FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group))" -Limit 0') DO SET /a AG+=1 >NUL
FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group)(^!member=*))" -Limit 0') DO SET /a EG+=1 >NUL
SET /a NE=!AG!-!EG!

ECHO Total Groups in Active Directory %AG% out of them %EG% are empty.&&ECHO.
ECHO Group,Members>"!FileName!"
TITLE Exporting !NE! Non-Empty AD Groups.

FOR /F "delims=" %%G IN ('DSQuery * -Filter "(&(objectClass=Group)(member=*))" -Limit 0') DO (
    FOR /F "delims=" %%v IN ('DSQuery * %%G -l -q -Attr Name -Limit 0') DO SET GN=%%v
    SET /a CT+=1 >NUL
    ECHO !CT!. Exporting: !GN!
    FOR /F "delims=" %%M IN ('DSGET Group %%G -Members') DO (
        FOR /F "delims=" %%U IN ('DSQuery * %%M -l -q -Attr displayName') DO (
        ECHO !GN!,%%U>>"!FileName!")))

TITLE Export complete.
ECHO.&&ECHO Export complete, please check '!FileName!' file.
EXIT /B 0

Here’s a mod, which creates one file per group:

@ECHO OFF
REM
REM Export all Active Directory groups to CSV files
REM One CSV file per group
REM
REM Original written by Farhan Kazi
REM http://fkazi.blogspot.com/2013/07/export-active-directory-groups-with.html
REM
REM Modded for one file per group by Jonathan Brickman
REM http://n.ponderworthy.com
REM

SETLOCAL EnableDelayedExpansion

SET AG=0
SET EG=0
SET CT=0
SET NE=0
SET GN=

FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group))" -Limit 0') DO SET /a AG+=1 >NUL
FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group)(^!member=*))" -Limit 0') DO SET /a EG+=1 >NUL
SET /a NE=!AG!-!EG!

ECHO Total Groups in Active Directory %AG% out of them %EG% are empty.&&ECHO.
TITLE Exporting !NE! Non-Empty AD Groups.

FOR /F "delims=" %%G IN ('DSQuery * -Filter "(&(objectClass=Group)(member=*))" -Limit 0') DO (
    FOR /F "delims=" %%v IN ('DSQuery * %%G -l -q -Attr Name -Limit 0') DO SET GN=%%v
    SET /a CT+=1 >NUL
    ECHO !CT!. Exporting: !GN!
    FOR /F "delims=" %%M IN ('DSGET Group %%G -Members') DO (
        FOR /F "delims=" %%U IN ('DSQuery * %%M -l -q -Attr displayName') DO (
        ECHO %%U>>"!GN!".CSV)))

TITLE Export complete.
ECHO.&&ECHO Export complete.
EXIT /B 0

Categories:   Active Directory   

==============

Unlock user's AD account using CMD
article #743, updated 974 days ago

Try:

NET USER <USERNAME> /DOMAIN /ACTIVE:YES

Categories:   Active Directory   Users and Profile Issues

==============

Log into AD using email address
article #620, updated 1279 days ago

It’s called adding a UPN suffix, and it’s documented here:

http://support.microsoft.com/kb/243629

Categories:      Active Directory

==============

Fix domain controller DNS
article #541, updated 1505 days ago

The following command often works:

dcdiag /fix

There is also:

netdiag /fix

Categories:   Active Directory   

==============

To Delete Old Exchange Server from AD
article #532, updated 1506 days ago

To remove an old Exchange server from AD:

Start/Run, adsiedit.msc

Then expand:

CN=Configuration>CN=Services>CN=Microsoft Exchange>CN=Organization name>
CN=Administrative Groups>CN=Servers

Then delete the old server by name.

Categories:   Active Directory