Archive for the ‘Active Directory’ Category

Find Active Directory User and Group Information using PowerShell

Quite often during my Active Directory projects I need to generate information about my customer’s users and groups in the environment for documentation purposes. Since PowerShell easily allows us to find and customize this information, I have written a simple script to help grab and output this information.

Copy the text below and save as a .ps1 file.

# PowerShell script to gather information for AD Users.

Import-Module ActiveDirectory

Write-Host ""
Write-Host "Running script to gather information about Active Directory user accounts" -ForegroundColor Green

# Directory where files will be saved
$outdir = "C:\AD Users"

# create the new directory if it's not already there
if(!(test-path $outdir)){ mkdir $outdir | Out-Null }

# Remove the leaf (CN) from a Distinguished Name, leaving the parent OU/container.
# The split is on commas that are not escaped with a backslash.
function Get-ADParent ([string] $dn) {
    $parts = $dn -split '(?<![\\]),'
    $parts[1..$($parts.Count-1)] -join ','
}
# Calculated property that adds an "OU" column to the Select-Object output
$parent = @{Name='OU'; Expression={ Get-ADParent $_.DistinguishedName } }

# Find info about the admin users
# Note: matching MemberOf with -like only sees direct membership, and it matches
# any group whose name contains the text (e.g. "*Administrators*" also matches
# "Hyper-V Administrators"), so review the resulting CSVs accordingly.
$allusers = Get-ADUser -filter * -Properties *
$dadmins = $allusers | where {$_.MemberOf -like "*Domain Admins*"}
$eadmins = $allusers | where {$_.MemberOf -like "*Enterprise Admins*"}
$sadmins = $allusers | where {$_.MemberOf -like "*Schema Admins*"}
$admins = $allusers | where {$_.MemberOf -like "*Administrators*"}
$dadmins | select -Property Name,SamAccountName,PasswordNeverExpires | sort Name | Export-Csv $outdir\Groups-DomainAdmins.csv -NoTypeInformation
$eadmins | select -Property Name,SamAccountName,PasswordNeverExpires | sort Name | Export-Csv $outdir\Groups-EnterpriseAdmins.csv -NoTypeInformation
$sadmins | select -Property Name,SamAccountName,PasswordNeverExpires | sort Name | Export-Csv $outdir\Groups-SchemaAdmins.csv -NoTypeInformation
$admins | select -Property Name,SamAccountName,PasswordNeverExpires | sort Name | Export-Csv $outdir\Groups-Administrators.csv -NoTypeInformation

# Find info about groups
$groups = Get-ADGroup -Filter * -Properties *
$groups | select -Property Name,GroupCategory,GroupScope,$parent | sort OU,GroupCategory,Name | Export-Csv $outdir\Groups.csv -NoTypeInformation

# Set date 90 days ago as a value to compare against (find stale accounts)
$date = [DateTime]::Today.AddDays(-90)

# Find info about user accounts (both active and inactive)
$allusers | select -Property Name,SamAccountName,Enabled,LastLogonDate,$parent | sort OU,Enabled,Name | Export-Csv $outdir\AllUsers.csv -NoTypeInformation
$activeusers = $allusers | where {$_.LastLogonDate -gt (get-date).addmonths(-3) -AND $_.enabled -eq "True"}
$activeusers | select -Property Name,SamAccountName,Enabled,LastLogonDate,$parent | sort OU,Name | Export-Csv $outdir\ActiveUsers.csv -NoTypeInformation
$disabledusers = Search-ADAccount -AccountDisabled -UsersOnly
$disabledusers | select -Property Name,SamAccountName,LastLogonDate,$parent | sort OU,Name | Export-Csv $outdir\DisabledUsers.csv -NoTypeInformation
# Stale accounts: filter server-side on lastLogonTimestamp (the replicated attribute that
# LastLogonDate is derived from; lastLogon itself is per-DC and not replicated). The AD cmdlet
# expands $date inside the single-quoted filter. LastLogonDate must be requested explicitly
# so the select below has a value. Accounts that have never logged on have no timestamp
# and are not matched by this filter.
$inactiveusers = Get-ADUser -Filter 'LastLogonTimeStamp -le $date' -Properties LastLogonDate
$inactiveusers | select -Property Name,SamAccountName,Enabled,LastLogonDate,$parent | sort Enabled,OU,Name | Export-Csv $outdir\InactiveUsers.csv -NoTypeInformation
$nopwexpiration = $allusers | where {$_.PasswordNeverExpires -eq $true}
$nopwexpiration | select -Property Name,SamAccountName,PasswordNeverExpires,Enabled,$parent | sort OU,Name | Export-Csv $outdir\NoPWExpirationUsers.csv -NoTypeInformation

# Generate text file of the numbers of users
"All Users: $(($allusers).count)" | Out-File $outdir\UserCount.txt
"Active Users: $(($activeusers).count)" | Out-File $outdir\UserCount.txt -Append
"Inactive Users: $(($inactiveusers).count)" | Out-File $outdir\UserCount.txt -Append
"Disabled Users: $(($disabledusers).count)" | Out-File $outdir\UserCount.txt -Append
"Domain Admins: $(($dadmins).count)" | Out-File $outdir\UserCount.txt -Append
"Enterprise Admins: $(($eadmins).count)" | Out-File $outdir\UserCount.txt -Append
"Schema Admins: $(($sadmins).count)" | Out-File $outdir\UserCount.txt -Append
"Administrators: $(($admins).count)" | Out-File $outdir\UserCount.txt -Append
"All Groups: $(($groups).count)" | Out-File $outdir\UserCount.txt -Append

Write-Host ""
Write-Host "Completed! Output from the script is located in $outdir" -ForegroundColor Green
Write-Host ""
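The admin-group lists above are built by matching group names in MemberOf, which misses nested membership and matches any group whose name contains the text. The following is an added example (not part of the original script) that audits the same four groups by their well-known SIDs and expands nested groups; it assumes a single-domain forest and the same $outdir as the script above.

```powershell
Import-Module ActiveDirectory

$outdir = "C:\AD Users"
$domSid = (Get-ADDomain).DomainSID.Value

# Group names can be renamed or localized; well-known SIDs cannot.
$privilegedGroups = @{
    'Domain Admins'     = "$domSid-512"
    'Schema Admins'     = "$domSid-518"
    'Enterprise Admins' = "$domSid-519"
    'Administrators'    = 'S-1-5-32-544'  # builtin, same SID in every domain
}

$report = foreach ($entry in $privilegedGroups.GetEnumerator()) {
    # -Recursive expands nested groups down to the leaf objects
    Get-ADGroupMember -Identity $entry.Value -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                -Properties PasswordNeverExpires,PasswordLastSet,LastLogonDate
            [pscustomobject]@{
                Group                = $entry.Key
                Name                 = $u.Name
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordLastSet      = $u.PasswordLastSet
                LastLogonDate        = $u.LastLogonDate
            }
        }
}

$report | Sort-Object Group,Name |
    Export-Csv "$outdir\PrivilegedUsers.csv" -NoTypeInformation

# Worth calling out in the documentation: privileged accounts whose
# password never expires or that have not logged on in 90 days
$stale = (Get-Date).AddDays(-90)
$report | Where-Object { $_.PasswordNeverExpires -or $_.LastLogonDate -lt $stale } |
    Format-Table Group,SamAccountName,Enabled,PasswordNeverExpires,LastLogonDate -AutoSize
```

Accounts with no LastLogonDate at all (never logged on) also land in the final table, which is usually what you want for a privileged-account review.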



Run DCDiag on all domain controllers using PowerShell script

Since DCDiag is a simple and great way to check the health of a domain controller, I have decided to write a simple script in PowerShell that will connect to all domain controllers in a session, run DCDiag, and write the results to a text file. The requirement to make this work is that PowerShell remoting must be enabled on each domain controller you want to run it on, which at least requires that PowerShell V2 is installed on the domain controller. To enable PowerShell remoting, you can either run Enable-PSRemoting from the PowerShell console on each domain controller or create a GPO and apply it to the Domain Controllers OU. PowerShell remoting is enabled by default on Server 2012 and 2012 R2 domain controllers.

Copy the text below and save as a .ps1 file. Remember to run “Set-ExecutionPolicy Unrestricted” on the domain controller you plan on running the script from. The script will only need to be run once.

Import-Module ActiveDirectory
$outdir = "C:\DCDiag"
if(!(test-path $outdir)){ mkdir $outdir | Out-Null }
# Every domain controller in every domain of the forest
$DCs = (Get-ADForest).Domains | %{ Get-ADDomainController -Filter * -Server $_ }
foreach ($DC in $DCs){
    # Remote to the DC by FQDN (the HostName property of the Get-ADDomainController object)
    $session = New-PSSession -ComputerName $DC.HostName
    # One output folder per DC, named after the DC
    $dcoutdir = "$outdir\$($DC.Name)"
    New-Item $dcoutdir -ItemType directory | Out-Null
    Invoke-Command -Session $session {dcdiag} | Out-File $dcoutdir\dcdiag.txt
    Remove-PSSession $session
}

Write-Host ""
Write-Host "Output from script will be in " $outdir

Write-Host ""
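The script above leaves one raw dcdiag.txt per domain controller. As an added example (not from the original post), the parser below turns those files into a single CSV and a list of failed tests; it assumes the same $outdir layout (one folder per DC containing dcdiag.txt) and includes a constructed dcdiag sample so it can be tried without a forest at hand.

```powershell
$outdir = "C:\DCDiag"

function ConvertFrom-DcDiagText {
    param([Parameter(Mandatory)][string[]]$Lines, [string]$Source)
    # dcdiag prints one result line per test, e.g.
    #   "   ......................... DC01 passed test Replications"
    $pattern = '^\s*\.{3,}\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Source = $Source
                Target = $Matches.target   # DC, partition or domain tested
                Test   = $Matches.test
                Passed = ($Matches.result -eq 'passed')
            }
        }
    }
}

# Constructed sample (not real output from any environment)
$sample = @'
   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
         ......................... DC01 failed test Replications
   Running partition tests on : Configuration
         ......................... Configuration passed test CheckSDRefDom
'@
ConvertFrom-DcDiagText -Lines ($sample -split "`r?`n") -Source 'sample' | Format-Table -AutoSize

# Real run: every dcdiag.txt written under $outdir, one folder per DC
$results = Get-ChildItem -Path $outdir -Recurse -Filter dcdiag.txt | ForEach-Object {
    ConvertFrom-DcDiagText -Lines (Get-Content $_.FullName) -Source $_.Directory.Name
}
$results | Export-Csv "$outdir\DcDiagSummary.csv" -NoTypeInformation
$failed = $results | Where-Object { -not $_.Passed }
if ($failed) {
    Write-Host "Failed tests:" -ForegroundColor Red
    $failed | Format-Table Source,Target,Test -AutoSize
} else {
    $dcCount = ($results | Select-Object -ExpandProperty Source -Unique).Count
    Write-Host "All dcdiag tests passed on $dcCount domain controllers" -ForegroundColor Green
}
```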


Find Current Users using PowerShell

Similar to having to help discover the current workstations in the environment in my previous post, I also helped myself (along with my customer) in generating the list of current users as well for the migration.

Again the variables I needed to consider are that the account has logged in within 3 months from today’s date along with being an enabled account. The command I used to achieve this is:

Get-ADUser -Properties * -Filter * | where {$_.LastLogonDate -gt (get-date).addmonths(-3) -AND $_.enabled -eq "True"} | select -Property Name,SamAccountName,Enabled,LastLogonDate | sort-object Name | Export-Csv C:\Lists\Users.csv -NoTypeInformation

Enjoy (again)

Find Current Workstations in PowerShell

Recently while performing an Active Directory migration for a customer I needed to generate a list of workstations that were currently in use in the environment. Since the customer was extremely busy wrapped up in numerous other projects and I was in a time crunch, I decided to see what PowerShell could do for me. Some of the variables I needed for my list were:

  • Computer is running a client operating system
  • Computer account is enabled
  • Computer had been logged on in the past 3 months

Using those variables, I generated a nice command to find, sort, and output the information in an Excel file so the project could continue to move on at a decent pace without delay. The command I used to achieve this was:

Get-ADComputer -Properties * -Filter * | where {$_.OperatingSystem -notlike "*server*" -AND $_.lastlogondate -gt (get-date).addmonths(-3) -AND $_.enabled -eq "True"} | select -Property Name,OperatingSystem,Enabled,LastLogonDate | sort-object LastLogonDate -descending | Export-Csv c:\Lists\Workstations.csv -NoTypeInformation
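Both one-liners (the current-users command in the previous post and the current-workstations command above) pull every object with all attributes and filter on the client. As an added example (not the original commands), the function below produces the same two CSVs with the filtering done by the domain controller, and widens the window to account for lastLogonTimestamp only replicating when it is 9 to 14 days out of date; the output folder and month threshold are assumptions exposed as parameters.

```powershell
Import-Module ActiveDirectory

function Get-ActiveADObjects {
    param(
        [string]$OutDir = 'C:\Lists',
        [int]$Months = 3
    )
    # lastLogonTimestamp (what LastLogonDate is derived from) is only replicated
    # when it is more than 9-14 days out of date, so widen the window by that
    # much to avoid reporting a recently used account as inactive
    $cutoff = (Get-Date).AddMonths(-$Months).AddDays(-14)
    if (-not (Test-Path $OutDir)) { New-Item $OutDir -ItemType Directory | Out-Null }

    # Server-side filter: only matching objects cross the wire, and only the
    # attributes asked for, instead of "-Filter * -Properties *"
    $users = Get-ADUser -Filter { Enabled -eq $true -and LastLogonTimeStamp -gt $cutoff } `
                -Properties LastLogonDate,PasswordLastSet |
        Select-Object Name,SamAccountName,Enabled,LastLogonDate,PasswordLastSet |
        Sort-Object Name
    $users | Export-Csv "$OutDir\Users.csv" -NoTypeInformation

    # Client OS only: exclude anything whose OperatingSystem contains "Server"
    $computers = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonTimeStamp -gt $cutoff -and OperatingSystem -notlike '*Server*' } `
                -Properties OperatingSystem,LastLogonDate |
        Select-Object Name,OperatingSystem,Enabled,LastLogonDate |
        Sort-Object LastLogonDate -Descending
    $computers | Export-Csv "$OutDir\Workstations.csv" -NoTypeInformation

    [pscustomobject]@{
        Cutoff       = $cutoff
        Users        = @($users).Count
        Workstations = @($computers).Count
    }
}

Get-ActiveADObjects
```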


Self-Signed Certificate for LDAPs

March 19, 2014

I recently ran into an instance where one of my customers needed to get LDAPs up and functioning quickly. We had a pending engagement to help them implement some Certification Authorities but needed something to hold them over temporarily until the completion of the project. The following is a way to set up LDAPs using self-signed certificates.

Create the following certificate request making the subject the FQDN of the domain controller, save as .inf file.

Open the Command Prompt as Administrator. Run the following certreq command and call the .inf file

Click Cancel on the Save Request screen after.

Open up the Certificates console using the MMC. Look in Computer Personal Store and export the certificate.

Since there is only one option to not export the private key, click

Select the Base-64 encoded button to export the file as the Base-64 format, click Next.

Save the file in an easy location for import into the Trusted Root Certification Store, click Save.

Go to the Trusted Root Certification Authority, right click on Certificates, click Import.


Click Browse to select the file that was just exported.


Highlight the Base-64 certificate file and click Open.

Place the certificate into the Trusted Root Certification Authorities Store, click Next.


Click Finish to end
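Once the certificate is in place, it is worth confirming what the domain controller actually presents on port 636 and whether the local machine trusts it after the Trusted Root import. The function below is an added example (not from the original post): it opens a TLS session to a DC, reports the certificate's subject, issuer, expiry and thumbprint, and evaluates the chain against this machine's stores; the DC name is taken from Get-ADDomainController and port 636 is assumed.

```powershell
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
    try {
        # Accept whatever the server presents so a self-signed certificate can
        # be inspected; trust is evaluated separately with X509Chain below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($DomainController)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Chain validation against this machine's stores: this is what a client
        # on this box sees after the Trusted Root import described above
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        [pscustomobject]@{
            Server        = $DomainController
            Protocol      = $ssl.SslProtocol
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            NotAfter      = $cert.NotAfter
            DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint    = $cert.Thumbprint
            TrustedHere   = $trusted
            ChainStatus   = $status
        }
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
}

# Check every DC in the domain; untrusted or soon-to-expire certificates stand out
Import-Module ActiveDirectory
Get-ADDomainController -Filter * |
    ForEach-Object { Test-LdapsCertificate -DomainController $_.HostName } |
    Format-Table Server,Subject,SelfSigned,NotAfter,DaysRemaining,TrustedHere,ChainStatus -AutoSize
```

A self-signed interim certificate will show TrustedHere as False with ChainStatus UntrustedRoot on any machine that has not imported it, which is exactly the set of clients that still need the Trusted Root step above.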



FSMO placement and optimization on Active Directory domain controllers

Over my time in IT I have heard numerous discussions about where the FSMO roles should reside on the domain controllers in a domain. During some random research regarding FSMO role holder information I stumbled across this article on the Microsoft support site that I thought I would share.

FSMO placement and optimization on Active Directory Domain Controllers


Active Directory 2012 installation stalls at the “Creating the NTDS settings object”

April 2, 2013

I recently ran into this issue with a customer when adding additional Server 2012 domain controllers to an existing domain. The steps below worked perfectly for me.

After you start Active Directory installation in Windows Server 2012 by using Server Manager or the AddsDeployment Windows PowerShell module, the installation stalls at the stage at which you receive the following message:

“Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC”

This issue occurs for one or more of the following reasons:
  • The server’s built-in Administrator account has the same password as the built-in domain Administrator account.
  • The NetBIOS domain prefix or UPN were not provided as credentials for installation. Instead, only the user name “Administrator” was provided.

To resolve this issue, follow these steps:

  1. Restart the server on which Active Directory could not be installed.
  2. Use Dsa.msc or Dsac.exe on an existing domain controller to delete the failed server’s computer account. (The domain controller will not yet be a domain controller object but only a member server.) Then, let Active Directory replication converge.
  3. On the failed server, forcibly remove the server from the domain by using the System Properties Control Panel item or netdom.exe.
  4. On the failed server, remove the Active Directory Domain Services (AD DS) role by using Server Manager or Uninstall-WindowsFeature.
  5. Restart the failed server.
  6. Install the AD DS role, and then try the promotion again. When you do this, make sure that you provide promotion credentials in the form “domain\user” or “”
