Get-AdComputer: Find Computers in OUs with PowerShell

For today’s cmdlet, we’re going to focus on Get-AdComputer. Similar to one of the previous cmdlets of the day, Get-AdUser, this cmdlet is its counterpart in the Active Directory module. Instead of retrieving user objects from Active Directory, this cmdlet finds computers in OUs.

The Get-AdComputer Filter Parameter

One way to use this cmdlet is to use the Filter parameter. We can use the Filter parameter to search for computers in Active Directory based on their name, for example.

Finding Computers in an OU

Perhaps we’re not necessarily concerned with their name but with what OU they’re in. Like the Get-AdUser cmdlet, this cmdlet has a SearchBase parameter we can use to limit the search only to an OU and all of its child OUs. Below I’m finding all of the domain controllers inside of my mylab.local domain’s Domain Controllers OU.

But what if you’ve got a ton of […]


Using Powershell to Read NDS Users

I work at a place where Groupwise and NDS are still used; unfortunate, I know. Prior to implementing an identity management solution I needed to compare users in NDS against Active Directory. By utilizing the free Netcmdlets package’s Get-Ldap cmdlet I was able to make that happen. However, before I could get to that point I had to create a secure method of passing credentials to the NDS server. This can be accomplished by creating a credential and exporting it to an XML file, which keeps it on the file system for later use. To do this you need to use Powershell’s Get-Credential cmdlet. By default, this cmdlet prompts you with a GUI message box to input the username and password. To authenticate with NDS the username needs to be in the form “cn=user,o=something”. Get-Credential won’t accept this because it’s looking for an Active Directory username. To get around this, the first task you […]


Worm spreads across network. Powershell chosen as ally to opposition.

Picture this. You drive into work, grab a cup of coffee, sit down at your desk and log in. It’s a typical day; a couple of tickets came in overnight, last night’s backups completed successfully and you’ve only got 20 emails tagged as “high priority” by users. Suddenly you hear frantic footsteps incoming and your antivirus guy pops in with an urgent message. “Susan in Accounting opened up an email and released a 0-day worm onto the company network! I’ve called support and they’re working on a definition update but they don’t have one yet! It’s locking people’s accounts out like crazy!!” You sigh and are insanely grateful you don’t have to manage A/V today. However, you’re not off the hook. Because this worm is locking nearly ALL user accounts out, people can’t work and are getting authentication failures left and right. You’ve gotta do something in the meantime to […]


Knock out a server’s config in no time with Powershell

I’m currently building a test lab for an upcoming Powershell course. I’m trying to do EVERYTHING for this test lab in Powershell. Normally, I’ll just get lazy and go back to my GUI ways sometimes when I don’t know the cmdlet off hand. Anyway, I’ll try to share some of the scripts I’m using to get everything up and going. Here’s my first contribution. To preface this set of scripts, I’ve got a blank Windows Server 2012 R2 server using DHCP for its IP. I want to make this server an Active Directory domain controller and a DHCP server to get my test lab started. A lot of this was inspired by this Hey Scripting Guy blog post.

– PrepOS.ps1

– SetupDomainController.ps1

Server-Side vs. Client-Side Active Directory Filtering

Searching for objects in Active Directory is a cinch with Powershell. However, you need to know how to use filters to be the most efficient with your time! When filtering objects in Active Directory we’ve got two options: server-side filtering and client-side filtering. Server-side filtering uses the -Filter argument, while client-side filtering uses Where-Object. Filtering is filtering, right? You get the same information in the end! Technically yes, you’re right. However, would you rather be staring at a Powershell console 10x longer just watching that blinking cursor, or be as efficient as possible and get more stuff done? Let’s choose the latter. Here’s an example of the difference. In this example, I’ve got around 8,300 user accounts in this Active Directory environment. All I want to do is find all users that have ‘bob’ in their first name. You’re seeing that right. A more than 10x […]


Changing Service Accounts With PowerShell

A few years ago I was in a position where I was to implement a new Active Directory password policy. All employee user passwords were to begin expiring after 6 months. I had all of the 10,000 Active Directory accounts accounted for. I had tagged all user accounts that I thought should be used for services and all that were employees. Proper notification was sent out to the entire IT dept asking if any employee user accounts were running services on any of the servers. Nope! So the password policy was implemented and the help desk lit up. Why? There were dozens of services on servers running as employee user accounts whose passwords had expired! In hindsight, I shouldn’t have taken their word for it and should have queried all the servers myself, but you live and you learn. My solution was to throw together this script. This script loops through all of the […]


How to find stale Active Directory user accounts

As an Active Directory admin, there inevitably comes a time where you’ve got dozens or even hundreds of stale user accounts. In my environment of a little over 10,000 user accounts, there are always a few hundred that are no longer needed at any point in time. Eventually, someone’s going to be bothered enough by seeing all these unused accounts that they’ll need to be removed. When this happens, I sure hope you’ve got your Powershell hat on! The first task you’ll have to go through is actually defining what “stale” means. I find that the difficulty of solving a problem in IT isn’t the technical part; it’s the people part. No one ever agrees on what to actually accomplish. Once that’s defined, actually doing it is fairly easy! To find these unused accounts, you’ve got a few different criteria you can key off of: Enabled – If the account is […]


Powershell: Comparing object property with two object arrays

As an Active Directory administrator I’ve had to compare AD usernames with external data sources, most often a database from a human resources application. When I first got this request I thought it shouldn’t be a problem at all. I was aware of the Powershell -contains operator. I was sadly mistaken; it’s not that easy.

The Easy Scenario: Two Arrays of Strings

Exhibit A: Find all elements in $array1 that are also in $array2. This is two arrays of strings, not objects.

The Hard Scenario: Active Directory vs. External HR Database

Simple enough, right? Now, let’s bring objects into the mix. Let’s say we’ve got a field in this HR database of ours and we’d like to populate this into the Active Directory description field. Prior to doing this, we first have to have a common identifier. In my environment, there’s an employee number both in the HR […]


A Review of Softerra’s Adaxes AD Automation Software

Active Directory (AD) has been a critical piece of functionality in a huge majority of businesses. AD has provided us with single sign-on functionality for nearly 16 years now. Due to AD’s wide adoption, administrators have many years of experience with AD. They know that AD can be a beast of a system to manage. Everyone in the business depends on AD. It’s a critical system but at the same time can easily turn into an organizational mess if not properly maintained. This is where a product like Adaxes by Softerra comes in. I had a chance to review this product and, coming from my nearly 10 years of managing AD, it is the product I wish I had so many years ago. Adaxes is a product that aims to help nearly every user in a business manage AD. It’s not simply an AD management product for administrators. Adaxes also […]


Tracking When a User Logs on and off From a Computer

I’ve been writing some white papers for Netwrix recently and thought I’d take a snippet from one of those and share it with you here. It was a small part of the How to Track User Activity with AD Auditing and PowerShell white paper, but I believe it showed a great way to pull data from event logs that isn’t so easily gotten. The task at hand was this: when a couple of audit policies were enabled and applied to a group of computers, you needed a way to find when a user logged on and logged off of a computer. I needed results that showed the computer name, the event, the time it happened and what account it was. If you’ve messed with AD auditing before you’d know that the data it generates is great, but it’s a major pain to get to any useful information. Using PowerShell, I managed to […]
