Some Notes on the Machines

Here’s how to set it for all users in xyz.local:

Get-ADUser -Filter * -SearchBase "OU=Main,DC=xyz,DC=local" | Set-ADUser –scriptPath

and how to clear it for all users in xyz.local:

Get-ADUser -Filter * -SearchBase "OU=Main,DC=xyz,DC=local" | Set-ADUser -Clear scriptPath

Always nice for recoverability in case of.

GUI on Server 2012:

https://blogs.technet.microsoft.com/canitpro/2014/04/30/step-by-step-enabling-active-directory-recycle-bin-in-windows-server-2012-r2/

Other:

https://technet.microsoft.com/en-us/library/dd379481(v=ws.10).aspx

This works well:

import-module activedirectory
get-aduser -filter * | set-aduser -scriptpath filename_in_netlogon.vbs

Run the following within Active Directory Module for Windows PowerShell:

Get-ADobject -LDAPFilter "objectClass=organizationalUnit" -SearchBase "DC=domainname,DC=local" | Set-adobject -ProtectedFromAccidentalDeletion $true

Here’s a great set of steps for these:

http://blog.jocha.se/tech/azure-ad-sync-event-error-6126-and-6127

The short of it is:

1. Bring up the Syncronization Service Manager (“Synchronization Service” in Windows search),
2. Click on Connectors,
3. Click on “Active Directory Domain Services”,
4. Click Run in the right pane, choose Full Synchronization, click OK, and wait for completion to be reported (it’s fairly obvious),
5. Click Run in the right pane, choose Full Import, click OK, and wait for completion to be reported,
6. Click Windows Azure Active Directory,
7. and do the same two Runs as for the other line item.

Some articles:

https://msdn.microsoft.com/en-us/library/windows/desktop/ff384840(v=vs.85).aspx).aspx

https://blogs.technet.microsoft.com/filecab/2014/06/25/the-end-is-nigh-for-frs/

If one has one’s LAN Active Directory synchronized with EOL/Azure, one cannot add secondary email addresses in the EOL console. In this situation:

1. Open ADSIedit from the domain controller
2. Open up the OU containing the user
3. Open the Properties of the user
4. Open the Properties for the item “proxyAddresses”.
5. The primary (the “reply”) email address for the user needs to be specified thus, with caps in the prefix:
   SMTP:user@domain.xyz
6. Secondary email addresses for the user need to be specified thus, with lowercase prefix:
   smtp:alias@domain.xyz
7. Then run the sync or wait for the automatic run, and it’s done!

Also, as a bonus, after the above is done once, user objects in Active Directory Users and Computers get a new tab, “Attributes”, from which the above can be done for other users.

From the amazing Farhan Kazi:

http://fkazi.blogspot.com/2013/07/export-active-directory-groups-with.html

@ECHO OFF
SETLOCAL EnableDelayedExpansion

SET FileName=Report.csv
SET AG=0
SET EG=0
SET CT=0
SET NE=0
SET GN=

FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group))" -Limit 0') DO SET /a AG+=1 >NUL
FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group)(^!member=*))" -Limit 0') DO SET /a EG+=1 >NUL
SET /a NE=!AG!-!EG!

ECHO Total Groups in Active Directory %AG% out of them %EG% are empty.&&ECHO.
ECHO Group,Members>"!FileName!"
TITLE Exporting !NE! Non-Empty AD Groups.

FOR /F "delims=" %%G IN ('DSQuery * -Filter "(&(objectClass=Group)(member=*))" -Limit 0') DO (
    FOR /F "delims=" %%v IN ('DSQuery * %%G -l -q -Attr Name -Limit 0') DO SET GN=%%v
    SET /a CT+=1 >NUL
    ECHO !CT!. Exporting: !GN!
    FOR /F "delims=" %%M IN ('DSGET Group %%G -Members') DO (
        FOR /F "delims=" %%U IN ('DSQuery * %%M -l -q -Attr displayName') DO (
        ECHO !GN!,%%U>>"!FileName!")))

TITLE Export complete.
ECHO.&&ECHO Export complete, please check '!FileName!' file.
EXIT /B 0

Here’s a mod, which creates one file per group:

REM
REM Export all Active Directory groups to CSV files
REM One CSV file per group
REM
REM Original written by Farhan Kazi
REM http://fkazi.blogspot.com/2013/07/export-active-directory-groups-with.html
REM
REM Modded for one file per group by Jonathan Brickman
REM http://n.ponderworthy.com
REM

@ECHO OFF
SETLOCAL EnableDelayedExpansion

SET AG=0
SET EG=0
SET CT=0
SET NE=0
SET GN=

FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group))" -Limit 0') DO SET /a AG+=1 >NUL
FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group)(^!member=*))" -Limit 0') DO SET /a EG+=1 >NUL
SET /a NE=!AG!-!EG!

ECHO Total Groups in Active Directory %AG% out of them %EG% are empty.&&ECHO.
TITLE Exporting !NE! Non-Empty AD Groups.

FOR /F "delims=" %%G IN ('DSQuery * -Filter "(&(objectClass=Group)(member=*))" -Limit 0') DO (
    FOR /F "delims=" %%v IN ('DSQuery * %%G -l -q -Attr Name -Limit 0') DO SET GN=%%v
    SET /a CT+=1 >NUL
    ECHO !CT!. Exporting: !GN!
    FOR /F "delims=" %%M IN ('DSGET Group %%G -Members') DO (
        FOR /F "delims=" %%U IN ('DSQuery * %%M -l -q -Attr displayName') DO (
        ECHO %%U>>"!GN!".CSV)))

TITLE Export complete.
ECHO.&&ECHO Export complete.
EXIT /B 0

Try:

NET USER <USERNAME> /DOMAIN /ACTIVE:YES

It’s called adding a UPN suffix, and it’s documented here:

http://support.microsoft.com/kb/243629