Category: Active Directory

Set all users' AD login script by PowerShell
article #1054, updated 2481 days ago

This works well:

import-module activedirectory
get-aduser -filter * | set-aduser -scriptpath filename_in_netlogon.vbs


==============

Set all OUs to protected from accidental deletion
article #1018, updated 2620 days ago

Run the following within Active Directory Module for Windows PowerShell:

Get-ADObject -LDAPFilter "objectClass=organizationalUnit" -SearchBase "DC=domainname,DC=local" | Set-ADObject -ProtectedFromAccidentalDeletion $true


==============

ADSync errors, event IDs 6127, 6126
article #974, updated 2807 days ago

Here’s a great set of steps for these:

http://blog.jocha.se/tech/azure-ad-sync-event-error-6126-and-6127

The short of it is:

  1. Bring up the Synchronization Service Manager (“Synchronization Service” in Windows search),
  2. Click on Connectors,
  3. Click on “Active Directory Domain Services”,
  4. Click Run in the right pane, choose Full Synchronization, click OK, and wait for completion to be reported (it’s fairly obvious),
  5. Click Run in the right pane, choose Full Import, click OK, and wait for completion to be reported,
  6. Click Windows Azure Active Directory,
  7. and do the same two Runs as for the other line item.


==============

FRS is deprecated in Server 2008R2
article #970, updated 2817 days ago

Some articles:

https://msdn.microsoft.com/en-us/library/windows/desktop/ff384840(v=vs.85).aspx

https://blogs.technet.microsoft.com/filecab/2014/06/25/the-end-is-nigh-for-frs/


==============

Secondary email addresses with LAN-synched EOL
article #941, updated 2906 days ago

If one has one’s LAN Active Directory synchronized with EOL/Azure, one cannot add secondary email addresses in the EOL console. In this situation:

  1. Open ADSIedit from the domain controller
  2. Open up the OU containing the user
  3. Open the Properties of the user
  4. Open the Properties for the item “proxyAddresses”.
  5. The primary (the “reply”) email address for the user needs to be specified thus, with caps in the prefix:
    SMTP:user@domain.xyz
  6. Secondary email addresses for the user need to be specified thus, with lowercase prefix:
    smtp:alias@domain.xyz
  7. Then run the sync or wait for the automatic run, and it’s done!

Also, as a bonus, after the above is done once, user objects in Active Directory Users and Computers get a new tab, “Attributes”, from which the above can be done for other users.
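The same proxyAddresses edit can be scripted instead of done in ADSI Edit. The function below is an added example, not part of the article; it assumes the ActiveDirectory module, and the account name and addresses in the final calls are constructed samples. It keeps any non-SMTP entries already present, writes exactly one uppercase SMTP: primary, and verifies the result before the next sync run.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory module;
# 'jdoe' and the addresses used at the bottom are constructed sample values.
Import-Module ActiveDirectory

function Set-UserProxyAddresses {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Primary,   # written as SMTP:<Primary>
        [string[]]$Aliases = @()                  # each written as smtp:<alias>
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses

    # Keep non-SMTP entries (x500:, SIP:, ...) that Exchange or the sync may own.
    # -notmatch is case-insensitive, so both SMTP: and smtp: entries are dropped here.
    $others = @($user.proxyAddresses | Where-Object { $_ -notmatch '^smtp:' })

    # One uppercase SMTP: primary; every alias lowercase smtp:
    $new = @("SMTP:$Primary") +
           @($Aliases | Where-Object { $_ -ne $Primary } | ForEach-Object { "smtp:$_" })

    Set-ADUser -Identity $user.DistinguishedName `
               -Replace @{ proxyAddresses = [string[]]($others + $new) }
}

function Test-UserProxyAddresses {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $addrs = (Get-ADUser -Identity $SamAccountName -Properties proxyAddresses).proxyAddresses
    # -cmatch is case-sensitive: count only the uppercase SMTP: prefix
    $primary = @($addrs | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primary.Count -ne 1) {
        throw "$SamAccountName has $($primary.Count) primary SMTP addresses; expected exactly 1"
    }
    $addrs
}

Set-UserProxyAddresses -SamAccountName 'jdoe' -Primary 'user@domain.xyz' -Aliases 'alias@domain.xyz'
Test-UserProxyAddresses -SamAccountName 'jdoe'
```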


==============

Export all Active Directory groups to CSV
article #762, updated 3397 days ago

From the amazing Farhan Kazi:

http://fkazi.blogspot.com/2013/07/export-active-directory-groups-with.html

@ECHO OFF
SETLOCAL EnableDelayedExpansion

SET FileName=Report.csv
SET AG=0
SET EG=0
SET CT=0
SET NE=0
SET GN=

FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group))" -Limit 0') DO SET /a AG+=1 >NUL
FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group)(^!member=*))" -Limit 0') DO SET /a EG+=1 >NUL
SET /a NE=!AG!-!EG!

ECHO Total Groups in Active Directory %AG% out of them %EG% are empty.&&ECHO.
ECHO Group,Members>"!FileName!"
TITLE Exporting !NE! Non-Empty AD Groups.

FOR /F "delims=" %%G IN ('DSQuery * -Filter "(&(objectClass=Group)(member=*))" -Limit 0') DO (
    FOR /F "delims=" %%v IN ('DSQuery * %%G -l -q -Attr Name -Limit 0') DO SET GN=%%v
    SET /a CT+=1 >NUL
    ECHO !CT!. Exporting: !GN!
    FOR /F "delims=" %%M IN ('DSGET Group %%G -Members') DO (
        FOR /F "delims=" %%U IN ('DSQuery * %%M -l -q -Attr displayName') DO (
        ECHO !GN!,%%U>>"!FileName!")))

TITLE Export complete.
ECHO.&&ECHO Export complete, please check '!FileName!' file.
EXIT /B 0

Here’s a mod, which creates one file per group:

REM
REM Export all Active Directory groups to CSV files
REM One CSV file per group
REM
REM Original written by Farhan Kazi
REM http://fkazi.blogspot.com/2013/07/export-active-directory-groups-with.html
REM
REM Modded for one file per group by Jonathan Brickman
REM http://n.ponderworthy.com
REM

@ECHO OFF
SETLOCAL EnableDelayedExpansion

SET AG=0
SET EG=0
SET CT=0
SET NE=0
SET GN=

FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group))" -Limit 0') DO SET /a AG+=1 >NUL
FOR /F %%T IN ('DSQuery * -Filter "(&(objectClass=Group)(^!member=*))" -Limit 0') DO SET /a EG+=1 >NUL
SET /a NE=!AG!-!EG!

ECHO Total Groups in Active Directory %AG% out of them %EG% are empty.&&ECHO.
TITLE Exporting !NE! Non-Empty AD Groups.

FOR /F "delims=" %%G IN ('DSQuery * -Filter "(&(objectClass=Group)(member=*))" -Limit 0') DO (
    FOR /F "delims=" %%v IN ('DSQuery * %%G -l -q -Attr Name -Limit 0') DO SET GN=%%v
    SET /a CT+=1 >NUL
    ECHO !CT!. Exporting: !GN!
    FOR /F "delims=" %%M IN ('DSGET Group %%G -Members') DO (
        FOR /F "delims=" %%U IN ('DSQuery * %%M -l -q -Attr displayName') DO (
        ECHO %%U>>"!GN!".CSV)))

TITLE Export complete.
ECHO.&&ECHO Export complete.
EXIT /B 0
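For environments where the ActiveDirectory PowerShell module is available, here is the one-file-per-group export done with Get-ADGroup and Get-ADGroupMember. This is an added example, not Farhan Kazi's script or the mod above; the output folder name is an assumption. It also sanitizes group names before using them as file names, which the batch version does not.

```powershell
# Added example (not the article's or Farhan Kazi's code). Assumes the
# ActiveDirectory module; the output folder '.\GroupExport' is an assumption.
Import-Module ActiveDirectory

function Export-ADGroupsToCsv {
    param([string]$OutDir = '.\GroupExport')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Same selection as the batch script: only groups that have members
    $groups = Get-ADGroup -LDAPFilter '(&(objectClass=group)(member=*))'

    # Group names may contain characters that are illegal in file names
    $invalid = [regex]::Escape(-join [IO.Path]::GetInvalidFileNameChars())

    $count = 0
    foreach ($g in $groups) {
        $count++
        Write-Host "$count. Exporting: $($g.Name)"
        $file = Join-Path $OutDir (($g.Name -replace "[$invalid]", '_') + '.csv')

        Get-ADGroupMember -Identity $g | ForEach-Object {
            # displayName for users; Name as fallback for computers and nested groups
            $obj  = Get-ADObject -Identity $_.DistinguishedName -Properties displayName
            $name = if ($obj.displayName) { $obj.displayName } else { $obj.Name }
            [pscustomobject]@{
                Group       = $g.Name
                Member      = $name
                ObjectClass = $obj.ObjectClass
            }
        } | Export-Csv -Path $file -NoTypeInformation
    }
    "$count non-empty groups exported to $OutDir"
}

Export-ADGroupsToCsv
```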


==============

Unlock user's AD account using CMD
article #743, updated 3440 days ago

Try:

NET USER <USERNAME> /DOMAIN /ACTIVE:YES
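Note that /ACTIVE:YES enables an account that was disabled; a lockout from bad password attempts is a separate flag, cleared with Unlock-ADAccount. The function below is an added example, not from the article: it reads both states and applies only the change that is needed, logging the lockout details first since repeated lockouts are worth investigating. It assumes the ActiveDirectory module; the account name at the bottom is a constructed sample.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory module;
# 'jdoe' is a constructed sample account name.
Import-Module ActiveDirectory

function Repair-ADUserAccess {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName `
                    -Properties LockedOut, Enabled, LastBadPasswordAttempt, BadLogonCount
    $actions = @()

    if ($u.LockedOut) {
        # Record the lockout details before clearing it: repeated lockouts usually
        # mean a stale cached credential somewhere, or repeated bad logons to review
        Write-Host ("{0} is locked out; last bad password {1}, bad logon count {2}" -f
                    $SamAccountName, $u.LastBadPasswordAttempt, $u.BadLogonCount)
        Unlock-ADAccount -Identity $u
        $actions += 'Unlocked'
    }

    if (-not $u.Enabled) {
        Enable-ADAccount -Identity $u   # the equivalent of NET USER ... /ACTIVE:YES
        $actions += 'Enabled'
    }

    if ($actions.Count -eq 0) { 'No change needed' } else { $actions -join ', ' }
}

Repair-ADUserAccess -SamAccountName 'jdoe'
```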


==============

Log into AD using email address
article #620, updated 3746 days ago

It’s called adding a UPN suffix, and it’s documented here:

http://support.microsoft.com/kb/243629


==============

Fix domain controller DNS
article #541, updated 3971 days ago

The following command often works:

dcdiag /fix

There is also:

netdiag /fix


==============

To Delete Old Exchange Server from AD
article #532, updated 3972 days ago

To remove an old Exchange server from AD:

Start/Run, adsiedit.msc

Then expand:

CN=Configuration > CN=Services > CN=Microsoft Exchange > CN=Organization name > CN=Administrative Groups > CN=Servers

Then delete the old server by name.
