Showing posts with label active directory.

Thursday, September 12, 2019

Active Directory Group Policy by Powershell

Use the following PowerShell to dump every GPO in the domain to HTML, one file per GPO. The output path is quoted because GPO display names usually contain spaces (an unquoted path breaks the one-liner):

Get-GPO -All -Domain mydomain.tld | % { Get-GPOReport -Guid $_.Id -ReportType Html -Domain mydomain.tld | Set-Content -Path "C:\Reports\$($_.DisplayName).html" }

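The one-liner still fails on GPOs whose display name contains a character that is illegal in a file name (a slash or colon, for instance). The following is an added example, not code from the original post, that sanitises the name, appends the GPO GUID so two GPOs never overwrite each other's report, and keeps going when a single report fails. It assumes the GroupPolicy module (RSAT) and read access to the GPOs; the domain name and output folder are placeholders.

```powershell
# Added example (not from the original post): export every GPO in a domain to one
# HTML report per GPO, with display names made safe for use as file names.
# Assumes the GroupPolicy module (RSAT) and read access to the GPOs in $Domain;
# the domain and output folder used at the bottom are placeholders.
Import-Module GroupPolicy

function Export-GpoHtmlReports {
    param(
        [Parameter(Mandatory)] [string] $Domain,       # e.g. mydomain.tld
        [Parameter(Mandatory)] [string] $OutputPath    # e.g. C:\Reports
    )

    New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

    # A GPO display name may contain characters that are illegal in a file name
    # (e.g. "Servers / Baseline: v2"); with those, a path built straight from
    # DisplayName fails or writes somewhere unexpected.
    $invalid = [IO.Path]::GetInvalidFileNameChars()

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $safeName = -join ($gpo.DisplayName.ToCharArray() |
            ForEach-Object { if ($invalid -contains $_) { '_' } else { $_ } })

        # Append the GUID so two GPOs whose sanitised names collide still get
        # separate files, and so a report can be matched back to Get-GPO output.
        $file = Join-Path $OutputPath ('{0}_{1}.html' -f $safeName, $gpo.Id)

        try {
            Get-GPOReport -Guid $gpo.Id -ReportType Html -Domain $Domain -Path $file
            [pscustomobject]@{ GPO = $gpo.DisplayName; Id = $gpo.Id; Report = $file }
        } catch {
            Write-Warning ("Could not report on '{0}' ({1}): {2}" -f $gpo.DisplayName, $gpo.Id, $_.Exception.Message)
        }
    }
}

Export-GpoHtmlReports -Domain 'mydomain.tld' -OutputPath 'C:\Reports' | Format-Table -AutoSize
```

Get-GPOReport writes the file itself through -Path, so there is no need to pipe through Set-Content; the function returns one object per report so the run can be checked against Get-GPO -All afterwards.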
Thursday, June 20, 2019

C# + Active Directory = Awesome!!


I have a need to review AD groups and local admin groups as part of the identity project, to identify users who have privileged access in AD or on servers. I developed this tool to help with quick search, detailed view, export, etc., with a UI.

Obviously this can be done with PowerShell, but I found there are limitations with PowerShell in regards to recursive lookup, especially when dealing with foreign objects.

There are different account types you can query: user, computer and group (with a recursive option). You can also provide a different credential to query Active Directory, and specify a particular OU, an LDAP filter and a keyword for the search.

The second screen provides the interface to query local groups on Windows machines. You can specify a single computer, the computers in a particular OU, or a text file containing a list of computers.

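The local-group part of that review can be scripted as well. The following is an added example, not the tool from the post, that enumerates a local group (Administrators by default) on a list of computers over PowerShell remoting and emits one row per member, ready for Export-Csv. It assumes WinRM is enabled on the targets, that the caller is a local administrator there, and PowerShell 5.1 or later for Get-LocalGroupMember; the file path and OU are placeholders.

```powershell
# Added example (not the tool from the post): enumerate the members of a local
# group, by default Administrators, on a list of computers and emit one row per
# member, ready for Export-Csv. Assumes PowerShell remoting (WinRM) is enabled on
# the targets, that the caller is a local administrator there, and PowerShell 5.1+
# for Get-LocalGroupMember; the file and OU names below are placeholders.
function Get-RemoteLocalGroupMembers {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $GroupName = 'Administrators',
        [pscredential] $Credential                # optional alternate credential
    )

    $params = @{
        ComputerName  = $ComputerName
        ArgumentList  = $GroupName
        ErrorAction   = 'SilentlyContinue'        # unreachable hosts are reported below, not fatal
        ErrorVariable = 'failed'
    }
    if ($Credential) { $params.Credential = $Credential }

    # Get-LocalGroupMember lists direct members only: a domain group that appears
    # here may itself be nested, so resolve those groups in AD afterwards.
    Invoke-Command @params -ScriptBlock {
        param($group)
        Get-LocalGroupMember -Name $group | ForEach-Object {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Group       = $group
                Member      = $_.Name              # DOMAIN\name or COMPUTER\name
                ObjectClass = $_.ObjectClass       # User or Group
                Source      = $_.PrincipalSource   # Local, ActiveDirectory, ...
                SID         = $_.SID.Value
            }
        }
    } | Select-Object Computer, Group, Member, ObjectClass, Source, SID

    foreach ($err in $failed) { Write-Warning $err.Exception.Message }
}

# Targets from a text file (one name per line) or from an OU:
$computers = Get-Content 'C:\temp\computers.txt' | Where-Object { $_.Trim() }
# $computers = (Get-ADComputer -Filter * -SearchBase 'OU=Servers,DC=mydomain,DC=tld').DNSHostName

Get-RemoteLocalGroupMembers -ComputerName $computers |
    Export-Csv 'C:\Reports\local-admins.csv' -NoTypeInformation
```

The SID column is what to compare against, not the name: an orphaned SID (a deleted domain account that is still a local admin) shows up with no resolvable name, and on some Windows builds Get-LocalGroupMember throws on such entries, which is why per-host failures are collected rather than aborting the run.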
Wednesday, February 14, 2018

Windows 2016 Core Domain Controllers

Upgrading my Domain Controllers from 2012 R2 to 2016. I have decided to run the servers without Desktop Experience to save resources.

Once installed, run the "sconfig" utility from the command prompt to set the server name, IP address, DNS servers and gateway, then reboot.

To add the AD Domain Services role (Add-WindowsFeature is an alias of Install-WindowsFeature; -IncludeManagementTools also installs the ActiveDirectory PowerShell module used in the other posts):

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

To install a new AD forest (the parameters are splatted from a hashtable so the multi-line form runs as written):

$forest = @{
    CreateDnsDelegation  = $false
    DatabasePath         = 'C:\Windows\NTDS'
    DomainMode           = 'WinThreshold'
    DomainName           = 'domain.tld'
    DomainNetbiosName    = 'NETBIOSDOMAIN'
    ForestMode           = 'WinThreshold'
    InstallDns           = $true
    LogPath              = 'C:\Windows\NTDS'
    NoRebootOnCompletion = $true
    SysvolPath           = 'C:\Windows\SYSVOL'
    Force                = $true
}
Install-ADDSForest @forest

ForestMode and DomainMode = WinThreshold is the Windows Server 2016 functional level. Install-ADDSForest prompts for the Directory Services Restore Mode (DSRM) password unless -SafeModeAdministratorPassword is passed as a SecureString; store that password safely, as it is the only credential that works when the DC is booted into DSRM.

To add an AD Domain Controller to the existing domain (point the new server's DNS at an existing DC first; the credential must be an account allowed to add DCs, e.g. a member of Domain Admins):

$dc = @{
    CreateDnsDelegation  = $false
    DatabasePath         = 'C:\Windows\NTDS'
    DomainName           = 'domain.tld'
    InstallDns           = $true
    LogPath              = 'C:\Windows\NTDS'
    NoGlobalCatalog      = $false
    SysvolPath           = 'C:\Windows\SYSVOL'
    NoRebootOnCompletion = $true
    Force                = $true
    Credential           = (Get-Credential)
}
Install-ADDSDomainController @dc

Wednesday, October 25, 2017

Active Directory GUID

Active Directory stores objectGUID as a byte array (Byte[]), not as a string.

To convert from Byte[] to string (C#):

byte[] raw = (byte[])result.Properties["objectGUID"][0];   // e.g. from a System.DirectoryServices.SearchResult
string guid = new Guid(raw).ToString();                      // dashed form, e.g. "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

To go the other way, from the string to the Byte[] and then to the \xx escaped form an LDAP filter expects (see the next post):

string guid = "<string guid here>";

Guid g = Guid.Parse(guid);
byte[] gba = g.ToByteArray();   // same byte order AD stores in objectGUID (first three fields little-endian)

string result = "";
foreach (byte b in gba) { result += @"\" + b.ToString("x2"); }

Friday, September 08, 2017

GUID String to Octet String

If you need to perform an LDAP query against Active Directory with objectGUID in the filter, you need to convert the string representation of the GUID to an escaped octet string.

For example, if the objectGUID string value is: ffe17244-4c77-48e7-9db7-69578be7e232
You need to convert it to: \44\72\e1\ff\77\4c\e7\48\9d\b7\69\57\8b\e7\e2\32

so then you can provide the LDAP filter with:
(objectGUID=\44\72\e1\ff\77\4c\e7\48\9d\b7\69\57\8b\e7\e2\32)

To do this in C#, use the following function (requires using System; and using System.Text;):

        /// Converts a GUID string to the escaped octet-string form used in LDAP filters.
        private static string ConvertStringGuidToOctetString(string guid)
        {
            Guid g = Guid.Parse(guid);        // accepts the dashed, braced and plain-hex forms
            byte[] gba = g.ToByteArray();     // first three fields little-endian, as AD stores objectGUID

            var result = new StringBuilder(gba.Length * 3);
            foreach (byte b in gba)
            {
                result.Append('\\').Append(b.ToString("x2"));
            }

            return result.ToString();
        }

Good luck!
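The same conversion in PowerShell, both directions, is shown below as an added example (not code from the two posts above). It round-trips the post's sample GUID through the escaped form, and the last two lines show the value in a filter; only those lines need the ActiveDirectory module, the rest runs anywhere. The GUID is the one from the post; everything else is an assumption.

```powershell
# Added example (not from the original posts): the GUID <-> LDAP octet-string
# conversion in PowerShell, round-tripped on the post's own sample value.
# Only the two Get-ADObject calls at the end touch AD (ActiveDirectory module).
function ConvertTo-LdapGuidFilterValue {
    # [guid] -> "\44\72\e1\ff..." ; Guid.ToByteArray() emits the first three
    # fields little-endian, which is exactly the byte order stored in objectGUID.
    param([Parameter(Mandatory)] [guid] $Guid)
    -join ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ })
}

function ConvertFrom-LdapGuidOctetString {
    # "\44\72\e1\ff..." (or the raw byte[] read from objectGUID) -> [guid]
    param([Parameter(Mandatory)] $Value)
    if ($Value -is [byte[]]) { return [guid]::new($Value) }
    $bytes = [byte[]]($Value -split '\\' |
        Where-Object { $_ } |
        ForEach-Object { [Convert]::ToByte($_, 16) })
    if ($bytes.Length -ne 16) { throw "expected 16 octets, got $($bytes.Length)" }
    [guid]::new($bytes)
}

$sample = [guid]'ffe17244-4c77-48e7-9db7-69578be7e232'   # sample value from the post
$octets = ConvertTo-LdapGuidFilterValue $sample
$octets
(ConvertFrom-LdapGuidOctetString $octets) -eq $sample

# The escaped form is what an LDAP filter needs:
Get-ADObject -LDAPFilter "(objectGUID=$octets)" -Properties objectGUID
# With the ActiveDirectory module the conversion is usually unnecessary, because
# -Identity accepts the GUID directly:
Get-ADObject -Identity $sample
```

The reverse function is useful when an objectGUID arrives as the raw 16 bytes (for example from System.DirectoryServices or a raw LDAP client) rather than as the string the module hands back.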

Saturday, October 25, 2014

Getting AD NetBIOS Name From User DN

# Everything from the first "DC=" onward is the domain's DN, which Get-ADDomain accepts as -Identity.
# (Splitting the DN on "," misreads RDNs with an escaped comma, such as "CN=Smith\, John".)
$domainDN = $user.DistinguishedName.Substring($user.DistinguishedName.IndexOf('DC='))
(Get-ADDomain -Identity $domainDN).NetBIOSName

Friday, November 29, 2013

PowerShell Awesomeness!!

Loves PowerShell!

Here is how to get the details of all mailboxes in Exchange 2013 and then assign the new Enterprise Vault 10.0.4 app to them, for the users in a particular OU:


Get-ADUser -SearchBase "OU=My Users,DC=domain,DC=local" -SearchScope Subtree -Filter {proxyaddresses -like "smtp:*"} | ForEach-Object {$mbx = Get-Mailbox $_.SamAccountName; New-App -mailbox $mbx.LegacyExchangeDN -Url ("https://vault.domain.local/EnterpriseVault/OfficeMailAppManifest.aspx?LegacyMbxDn=" + $mbx.LegacyExchangeDN + "&BaseURL=https://vault.domain.com/EnterpriseVault")}


Don't forget to change the -SearchBase and -Url parameters.

All mailbox-enabled users in the OU will get the new Enterprise Vault web application!

Wednesday, April 17, 2013

Active Directory Domain Controller GPO Reset

I have these two Windows 2012 Domain Controllers that inherited policies from old GPOs which had been created back in the Windows 2003 days. I did not realize there were problems until some of the features that I wanted to use started acting badly (e.g. access denied, etc.).

Obviously the DCs were joined to the domain and placed in the "Domain Controllers" OU by default after they were promoted, which is how the old GPOs got applied to them.

So to clean up all the registry and file system security configuration that had been applied to the DCs, I needed to reset the Default Domain Policy and the Default Domain Controllers Policy. Before doing that, I backed them up first, just in case.

To reset both default GPOs to their out-of-box state, run the following command on a DC. Note that this discards every setting ever added to them (for example a customised password or account lockout policy in the Default Domain Policy), so back them up first with Backup-GPO or the GPMC; use /target:DC to reset only the Default Domain Controllers Policy:

C:\> DCGPOFIX

Then I needed to clean up the actual settings that had been applied to my DCs by running the following command on each DC (this re-applies the default domain controller security template):

C:\> secedit /configure /cfg C:\windows\inf\defltdc.inf /db defltdc.sdb /overwrite

Reboot the DC.

Thursday, September 22, 2011

Active Directory DNS Waiting for Initial Replication

When you boot the first domain controller in an environment that has more than one DC, the DC by default waits for initial inbound replication from a partner before it advertises itself as a DC (and before its FSMO roles start operating). Because this is the first DC you boot and its partners are still down, this is going to take a while.

To skip the wait, add the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value name: Repl Perform Initial Synchronizations
Value type: REG_DWORD
Value data: 0

Then reboot.
Do not use this in a production environment: the initial synchronization is what stops a FSMO role holder from acting on a stale copy of the directory (for instance after a role seizure), and leaving it disabled removes that safeguard. Delete the value again once the other DCs are up.

Monday, July 04, 2011

PowerShell AD Group Membership Listing

To get the member of a particular group in Active Directory:

Get-ADGroup -Filter 'Name -eq "Group Name"' | Get-ADGroupMember -Recursive | Format-List Name

Replace "Group Name" with the name of the group whose members you want to list.

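Get-ADGroupMember -Recursive walks the nesting client-side and stops with an error as soon as it meets a member it cannot resolve, typically a foreignSecurityPrincipal for an account from a trusted domain (the limitation the C# post above mentions). The added example below, which is not code from either post, gets the effective membership with one server-side LDAP query instead, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule; the foreign security principals are returned like any other member. It assumes the ActiveDirectory module; the group name is a placeholder.

```powershell
# Added example (not from the original post): list the effective, nested
# membership of a group with a single LDAP query using the
# LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941).
# The DC evaluates the memberOf chain itself and returns every object that
# reaches the group, foreign security principals included.
# Assumes the ActiveDirectory module; the group name at the bottom is a placeholder.
function Get-NestedGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $Identity,    # name, sAMAccountName, DN, GUID or SID
        [string] $Server                              # optional DC or domain to query
    )

    $common = @{}
    if ($Server) { $common.Server = $Server }

    $group = Get-ADGroup -Identity $Identity @common

    # The DN is spliced into an LDAP filter, so escape the characters RFC 4515
    # reserves (backslash first, so the escapes are not re-escaped).
    $dn = $group.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" @common `
                 -Properties objectSid, sAMAccountName, 'msDS-PrincipalName' |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                ObjectClass = $_.ObjectClass            # user, computer, group, foreignSecurityPrincipal
                Principal   = $_.'msDS-PrincipalName'   # DOMAIN\name; for an FSP, the account in the other domain
                SID         = $_.objectSid.Value
            }
        }
}

Get-NestedGroupMembers -Identity 'Domain Admins' |
    Sort-Object ObjectClass, Name |
    Format-Table -AutoSize
```

The query is answered from the partition of the DC you ask, so it returns objects of that domain; accounts from other forests appear as their foreignSecurityPrincipal objects, which is why msDS-PrincipalName is included to show who they actually are. Rows with ObjectClass group are the intermediate groups in the chain, which is useful when auditing how a particular account ended up in Domain Admins.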
Monday, November 30, 2009

Exporting Active Directory Group Membership

Save this code as a .vbs file (it uses the WinNT provider, which lists direct members only; a group nested inside the group shows up as one entry and is not expanded):

Dim objGroup, objUser, objFSO, objFile, strDomain, strGroup, strOut

' User input boxes
strDomain = InputBox("Enter the FQDN Domain name, e.g. domain.com", "Domain Name", "Domain Name")
strGroup = InputBox("Enter the NetBIOS Group name, e.g. mygroup", "Group Name", "Group Name")

strOut = "C:\temp\" & strGroup & ".txt"          ' C:\temp must already exist

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(strOut)        ' overwrites an existing file
Set objGroup = GetObject("WinNT://" & strDomain & "/" & strGroup & ",group")

For Each objUser In objGroup.Members
    If objUser.Class = "Group" Then
        ' Nested groups have no FullName in the WinNT provider.
        objFile.WriteLine objUser.Name & " (group)"
    Else
        objFile.WriteLine objUser.FullName & " (" & objUser.Name & ")"
    End If
Next

objFile.Close
Set objFile = Nothing
Set objFSO = Nothing
Set objUser = Nothing
Set objGroup = Nothing

WScript.Echo "Group membership exported to the file: " & strOut

Wednesday, July 09, 2008

Windows 2000 Domain Controller - Restore Trust Relationship

If your domain controllers are not replicating to each other and you are getting the following errors:

netdiag

DC list test . . . . . . . . . . . :[WARNING] Cannot call DsBind to DC1). [SEC_E_WRONG_PRINCIPAL]

dcdiag

Warning: DC1 is the Schema Owner, but is not responding to DSRPC Bind.[DC1] LDAP bind failed with error 31,A device attached to the system is not functioning..

Warning: DC1 is the Schema Owner, but is not responding to LDAP Bind.
Warning: DC1 is the Domain Owner, but is not responding to DSRPC Bind.
Warning: DC1 is the Domain Owner, but is not responding to LDAP Bind.
Warning: DC1 is the PDC Owner, but is not responding to DS RPC Bind.
Warning: DC1 is the PDC Owner, but is not responding to LDAPBind.
Warning: DC1 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: DC1 is the Rid Owner, but is not responding to LDAPBind.
Warning: DC1 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
Warning: DC1 is the Infrastructure Update Owner, but is not responding to LDAP Bind.

It could be that the secure channel between the domain controllers (the DC's own computer account password) is broken. To re-establish it, do the following:

1. Find the FSMO role holders, so you know which DC is the healthy one to reset against:

netdom query fsmo

2. On the DC whose secure channel is broken, stop the KDC so it stops issuing tickets with the stale password, then reset its computer account password against the other Domain Controller (netdom resetpwd resets the account of the machine it runs on; /server: names the DC to reset against):

net stop kdc

netdom resetpwd /server: /userd: /passwordd:

reboot

Monday, April 07, 2008

Find the users' OU from Active Directory

If you need to find the Active Directory user accounts' OU, run the following script:

' Usage: cscript getOu.vbs users.txt   (one sAMAccountName per line)
' Change LDAP_BASE to your own domain.
Const ADS_SCOPE_SUBTREE = 2
Const ForReading = 1
Const LDAP_BASE = "LDAP://dc=domain,dc=com"

Dim objConnection, objCommand, objFSO, objFile, filename, strNextLine

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "A text file containing user accounts (one per line) must be supplied"
    WScript.Quit 1
End If
filename = WScript.Arguments.Item(0)

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(filename, ForReading)

Do Until objFile.AtEndOfStream
    strNextLine = Trim(objFile.ReadLine)
    If strNextLine <> "" Then
        getOu strNextLine
    End If
Loop
objFile.Close

' Look up one account and print the OU part of its distinguishedName.
Sub getOu(username)
    Dim objRecordSet, strDN, arrPath, ou, uOu

    ' The account name is spliced into the query text, so refuse the one
    ' character that would let a line in the file rewrite the WHERE clause.
    If InStr(username, "'") > 0 Then
        WScript.Echo username & " : skipped (quote character in name)"
        Exit Sub
    End If

    objCommand.CommandText = "SELECT distinguishedName FROM '" & LDAP_BASE & "' " & _
        "WHERE objectCategory='user' AND sAMAccountName='" & username & "'"

    Set objRecordSet = objCommand.Execute

    If objRecordSet.EOF Then
        WScript.Echo username & " does not exist"
    Else
        objRecordSet.MoveFirst
        Do Until objRecordSet.EOF
            strDN = objRecordSet.Fields("distinguishedName").Value
            ' A plain Split on "," misreads an RDN with an escaped comma
            ' (e.g. CN=Smith\, John); fine for simple names.
            arrPath = Split(strDN, ",")
            uOu = ""
            For Each ou In arrPath
                If Left(ou, 3) = "OU=" Then
                    If uOu = "" Then
                        uOu = ou
                    Else
                        uOu = uOu & "," & ou
                    End If
                End If
            Next
            WScript.Echo username & " : " & uOu
            objRecordSet.MoveNext
        Loop
    End If
    objRecordSet.Close
End Sub

Save the code above as a .vbs file (e.g. getOu.vbs). You also need to change the domain name in the LDAP query to your own domain.

Next, you need to create a text file just having a username per-line, e.g. users.txt

bgates
dduck

Next, run the following:

cscript getOu.vbs c:\users.txt
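The same lookup with the ActiveDirectory module is shown below as an added example (not code from the original post). The VBScript builds its query by string concatenation, so anything on a line of users.txt becomes part of the filter; here the name is escaped per RFC 4515 before it goes into an LDAP filter, so a line such as *)(objectClass=* cannot widen the search. It also handles RDNs with escaped commas. It assumes the ActiveDirectory module and a C:\users.txt with one sAMAccountName per line.

```powershell
# Added example (not from the original post): look up the OU of each account
# named in a text file, escaping the names before they go into an LDAP filter.
# Assumes the ActiveDirectory module; C:\users.txt is a placeholder path.
function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves in an LDAP filter assertion value.
    param([Parameter(Mandatory)] [string] $Value)
    # Backslash first, otherwise the escapes themselves would be re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'
}

function Get-ParentContainerDN {
    # "CN=Smith\, John,OU=Sales,DC=domain,DC=com" -> "OU=Sales,DC=domain,DC=com"
    # Splitting on "," would break on the escaped comma inside the RDN, so split
    # on the first comma that is not preceded by a backslash.
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Get-UserOu {
    param([Parameter(Mandatory)] [string[]] $SamAccountName)
    foreach ($sam in $SamAccountName) {
        $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $sam)))"
        $user = Get-ADUser -LDAPFilter $filter
        if ($user) {
            $ou = Get-ParentContainerDN $user.DistinguishedName
        } else {
            $ou = '(does not exist)'
        }
        [pscustomobject]@{ User = $sam; OU = $ou }
    }
}

$names = Get-Content 'C:\users.txt' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
Get-UserOu -SamAccountName $names | Format-Table -AutoSize
```

When the input is a plain account name, Get-ADUser -Identity is simpler still, because no filter is built at all; the escaping function matters as soon as user-supplied text has to go into -LDAPFilter, for example for wildcard searches.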

Tuesday, January 02, 2007

Exchange 2003 - Message stuck in the categorizer

If you have a big distribution list or mail-enabled security group in Active Directory with a member that forwards email externally, you might not be able to successfully send an email to that group.

When you track the message in the Exchange Message Tracking Center, you'll find the message sitting in the status: Message Submitted to Categorizer.

This is because automatic forwarding is not enabled by default in Exchange 2003. To enable it:
  • Go to Exchange System Manager
  • Expand Global Settings
  • Click Internet Message Formats
  • Right click Default
  • Click Advanced tab
  • Choose Allow automatic forward

If this does not work, turn up diagnostic logging for the categorizer in the registry:

HKLM\System\CurrentControlSet\Services\MSExchangeTransport\Diagnostics\

Change the value "2 Categorizer" from 0 to 7 (maximum)

and check your Application event log. Set it back to 0 once you are done, since level 7 is very verbose.

Thursday, December 21, 2006

Get the users' memberOf from Active Directory

Sometimes you need to audit your enterprise users and make sure they are members of the proper security groups and distribution lists in your Active Directory.

Here is the code in VBScript, talking to AD over LDAP:

On Error Resume Next
Dim OutPutFile, FileSystem, objOU, objUser, arrMemberOf, Group

Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set OutPutFile = FileSystem.CreateTextFile("users.txt", True)

'-- Number value of the error returned by ADSI if the
'-- memberOf attribute cannot be found (the user is in no
'-- group other than its primary group).
'==================================================
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

'-- Bind to the Users container (the built-in container is
'-- CN=Users; use OU=... if your users live in an OU).
'==============================
Set objOU = GetObject("LDAP://CN=Users,dc=domain,dc=com")

'-- Only enumerate user objects.
'==========================================
objOU.Filter = Array("user")

'-- Control Loop
'===============
For Each objUser In objOU
    OutPutFile.WriteLine objUser.cn & " is a member of: "

    '-- Use the GetEx method to read the multivalued memberOf
    '-- attribute into an array. Get returns a string for a single
    '-- value and an array for several; GetEx always returns an array
    '-- (a user can be a member of many groups).
    '-- Note: memberOf does not list the primary group (usually Domain Users).
    '==============================================================
    Err.Clear
    arrMemberOf = objUser.GetEx("memberOf")

    '-- If ADSI raised no error, list the groups; if the attribute is
    '-- missing, say so; report anything else.
    '========================================================
    If Err.Number = 0 Then
        For Each Group In arrMemberOf
            OutPutFile.WriteLine vbTab & Group
        Next
    ElseIf Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        OutPutFile.WriteLine vbTab & "(no group memberships)"
        Err.Clear
    Else
        WScript.Echo "Error " & Hex(Err.Number) & " reading " & objUser.cn & ": " & Err.Description
        Err.Clear
    End If
Next

'Clean up
OutPutFile.Close
Set OutPutFile = Nothing
Set FileSystem = Nothing
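The same audit with the ActiveDirectory module is shown below as an added example (not code from the original post). It fixes two blind spots of reading memberOf alone: the primary group (normally Domain Users) is not in memberOf, so it is rebuilt from primaryGroupID, and nested membership is resolved server-side with the LDAP_MATCHING_RULE_IN_CHAIN matching rule on the groups' member attribute. It assumes the ActiveDirectory module; the container DN and output path are placeholders.

```powershell
# Added example (not from the original post): one row per user/group pair for
# every user under a container, including the primary group and, optionally,
# groups reached only through nesting (LDAP_MATCHING_RULE_IN_CHAIN,
# OID 1.2.840.113556.1.4.1941, evaluated on the groups' member attribute).
# Assumes the ActiveDirectory module; the DN and CSV path below are placeholders.
function Get-EffectiveGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [switch] $IncludeNested
    )

    $domainSid = (Get-ADDomain).DomainSID.Value

    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * `
               -Properties memberOf, primaryGroupID | ForEach-Object {
        $user = $_

        # primaryGroupID is only the RID; prepend the domain SID to look the group up.
        $primary = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"
        [pscustomobject]@{ User = $user.SamAccountName; Group = $primary.Name; Kind = 'primary' }

        foreach ($groupDn in $user.memberOf) {
            [pscustomobject]@{ User = $user.SamAccountName; Group = (Get-ADGroup -Identity $groupDn).Name; Kind = 'direct' }
        }

        if ($IncludeNested) {
            # Escape the user's DN for use inside an LDAP filter (RFC 4515), backslash first.
            $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
            Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                Where-Object { $user.memberOf -notcontains $_.DistinguishedName } |
                ForEach-Object {
                    [pscustomobject]@{ User = $user.SamAccountName; Group = $_.Name; Kind = 'nested' }
                }
        }
    }
}

Get-EffectiveGroupMembership -SearchBase 'CN=Users,DC=domain,DC=com' -IncludeNested |
    Export-Csv 'C:\temp\users-groups.csv' -NoTypeInformation
```

The Kind column is what makes the CSV useful in a review: a 'nested' row for a privileged group is an access path that neither the user's memberOf nor a glance at the group's direct members would have shown.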