Category: Active Directory

Set and clear logon script path for all users in Windows domain
article #1250, updated 100 days ago

Here’s how to set it for all users in xyz.local:

Get-ADUser -Filter * -SearchBase "OU=Main,DC=xyz,DC=local" | Set-ADUser –scriptPath

and how to clear it for all users in xyz.local:

Get-ADUser -Filter * -SearchBase "OU=Main,DC=xyz,DC=local" | Set-ADUser -Clear scriptPath

Categories:      

==============

Enable Active Directory Recycle Bin
article #1069, updated 568 days ago

Always nice for recoverability in case of.

GUI on Server 2012:

https://blogs.technet.microsoft.com/canitpro/2014/04/30/step-by-step-enabling-active-directory-recycle-bin-in-windows-server-2012-r2/

Other:

https://technet.microsoft.com/en-us/library/dd379481(v=ws.10).aspx

Categories:      

==============

Set all users' AD login script by PowerShell
article #1054, updated 618 days ago

This works well:

import-module activedirectory
get-aduser -filter * | set-aduser -scriptpath filename_in_netlogon.vbs

Categories:      

==============

Set all OUs to protected from accidental deletion
article #1018, updated 756 days ago

Run the following within Active Directory Module for Windows PowerShell:

Get-ADobject -LDAPFilter "objectClass=organizationalUnit" -SearchBase "DC=domainname,DC=local" | Set-adobject -ProtectedFromAccidentalDeletion $true

Categories:      

==============

ADSync errors, event IDs 6127, 6126
article #974, updated 944 days ago

Here’s a great set of steps for these:

http://blog.jocha.se/tech/azure-ad-sync-event-error-6126-and-6127

The short of it is:

  1. Bring up the Syncronization Service Manager (“Synchronization Service” in Windows search),
  2. Click on Connectors,
  3. Click on “Active Directory Domain Services”,
  4. Click Run in the right pane, choose Full Synchronization, click OK, and wait for completion to be reported (it’s fairly obvious),
  5. Click Run in the right pane, choose Full Import, click OK, and wait for completion to be reported,
  6. Click Windows Azure Active Directory,
  7. and do the same two Runs as for the other line item.

Categories:      

==============

FRS is deprecated in Server 2008R2
article #970, updated 953 days ago

Some articles:

https://msdn.microsoft.com/en-us/library/windows/desktop/ff384840(v=vs.85).aspx).aspx

https://blogs.technet.microsoft.com/filecab/2014/06/25/the-end-is-nigh-for-frs/

Categories:      

==============

Secondary email addresses with LAN-synched EOL
article #941, updated 1043 days ago

If one has one’s LAN Active Directory synchronized with EOL/Azure, one cannot add secondary email addresses in the EOL console. In this situation:

  1. Open ADSIedit from the domain controller
  2. Open up the OU containing the user
  3. Open the Properties of the user
  4. Open the Properties for the item “proxyAddresses”.
  5. The primary (the “reply”) email address for the user needs to be specified thus, with caps in the prefix:
    SMTP:user@domain.xyz
  6. Secondary email addresses for the user need to be specified thus, with lowercase prefix:
    smtp:alias@domain.xyz
  7. Then run the sync or wait for the automatic run, and it’s done!

Also, as a bonus, after the above is done once, user objects in Active Directory Users and Computers get a new tab, “Attributes”, from which the above can be done for other users.

Categories:      

==============

Export all Active Directory groups to CSV
article #762, updated 1533 days ago

From the amazing Farhan Kazi:

http://fkazi.blogspot.com/2013/07/export-active-directory-groups-with.html

@ECHO OFF
SETLOCAL EnableDelayedExpansion

SET FileName=Report.csv
SET AG=0
SET EG=0
SET CT=0
SET NE=0
SET GN=

FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group))" -Limit 0') DO SET /a AG+=1 >NUL
FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group)(^!member=*))" -Limit 0') DO SET /a EG+=1 >NUL
SET /a NE=!AG!-!EG!

ECHO Total Groups in Active Directory %AG% out of them %EG% are empty.&&ECHO.
ECHO Group,Members>"!FileName!"
TITLE Exporting !NE! Non-Empty AD Groups.

FOR /F "delims=" %%G IN ('DSQuery * -Filter "(&(objectClass=Group)(member=*))" -Limit 0') DO (
    FOR /F "delims=" %%v IN ('DSQuery * %%G -l -q -Attr Name -Limit 0') DO SET GN=%%v
    SET /a CT+=1 >NUL
    ECHO !CT!. Exporting: !GN!
    FOR /F "delims=" %%M IN ('DSGET Group %%G -Members') DO (
        FOR /F "delims=" %%U IN ('DSQuery * %%M -l -q -Attr displayName') DO (
        ECHO !GN!,%%U>>"!FileName!")))

TITLE Export complete.
ECHO.&&ECHO Export complete, please check '!FileName!' file.
EXIT /B 0

Here’s a mod, which creates one file per group:

REM
REM Export all Active Directory groups to CSV files
REM One CSV file per group
REM
REM Original written by Farhan Kazi
REM http://fkazi.blogspot.com/2013/07/export-active-directory-groups-with.html
REM
REM Modded for one file per group by Jonathan Brickman
REM http://n.ponderworthy.com
REM

@ECHO OFF
SETLOCAL EnableDelayedExpansion

SET AG=0
SET EG=0
SET CT=0
SET NE=0
SET GN=

FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group))" -Limit 0') DO SET /a AG+=1 >NUL
FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group)(^!member=*))" -Limit 0') DO SET /a EG+=1 >NUL
SET /a NE=!AG!-!EG!

ECHO Total Groups in Active Directory %AG% out of them %EG% are empty.&&ECHO.
TITLE Exporting !NE! Non-Empty AD Groups.

FOR /F "delims=" %%G IN ('DSQuery * -Filter "(&(objectClass=Group)(member=*))" -Limit 0') DO (
    FOR /F "delims=" %%v IN ('DSQuery * %%G -l -q -Attr Name -Limit 0') DO SET GN=%%v
    SET /a CT+=1 >NUL
    ECHO !CT!. Exporting: !GN!
    FOR /F "delims=" %%M IN ('DSGET Group %%G -Members') DO (
        FOR /F "delims=" %%U IN ('DSQuery * %%M -l -q -Attr displayName') DO (
        ECHO %%U>>"!GN!".CSV)))

TITLE Export complete.
ECHO.&&ECHO Export complete.
EXIT /B 0

Categories:      

==============

Unlock user's AD account using CMD
article #743, updated 1577 days ago

Try:

NET USER <USERNAME> /DOMAIN /ACTIVE:YES

Categories:      

==============

Log into AD using email address
article #620, updated 1882 days ago

It’s called adding a UPN suffix, and it’s documented here:

http://support.microsoft.com/kb/243629

Categories: