Active Directory

One-Liner Wednesday Nov 9, 2022

November 9, 2022 by ClaytonT Leave a Comment

This is an oldie, but a goodie…

Unlock-ADAccount -Identity "UserName"

If you haven’t used this, and didn’t know it existed, definitely add it to your tool box. It’s so much easier than having to go into the GUI to do this.

A nice future script you could have this in is if you have multiple users get locked out, that you could pipe Get-ADUser for the group you want and filter it so only disabled show and either unlock all of them, or pipe it to Out-GridView with passthrough. This would give you a nice gridview of the users and the ones you select from it would be disabled.

One-Liner Wednesday November 2, 2022

November 2, 2022 by admin Leave a Comment

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | sort-object ExpiryDate

Here is a one liner that find very useful and hope you do to.

You can customize it even more, but for now this one grabs all the AD User accounts that are expiring and the ones expiring first at the top. I love using this to stay in front of users passwords expiring then they can’t connect or if they are off network and is a rush to get it done.

You could even sent this up as a scheduled task and have it pull the next 2 weeks of users. Then either you reach out to them, it emails them, or it notifies your help desk to reach out to them to help change their password.

Or you could have it in your dashboard so you’d always see the next 2 weeks of users passwords expiring.

Module Monday October 24, 2022

October 24, 2022 by ClaytonT Leave a Comment

It’s Module Monday…

Although this module could be on Read-Only Friday, I wanted to show you that not all modules change your environment, and they can be extremely helpful getting information for you so you don’t have to create it or yourself. And with it being Cyber Security Month, why not have an easy way to find changes in your Active Directory.

With that said, today’s module is Jeff Hicks ADReportingTools, which I think the name is pretty obvious of what it does, but definitely check out the GitHub for all the reporting it can do. Here are a few of my favorites.

Get-ADDomainControllerHealth – this checks storage space, physical memory, % of security log in use, and critical services not running
Get-ADUserAudit – which will search the event logs on your domain controller for that specific user events
Get-ADGroupUser – which will display all users in that defined group and who any disabled users in red
Get-ADSiteSummary – shows a quick view of your sites and subnets
Show-DomainTree – this will show your domain in a tree view in your console
New-ADDomainReport – I really like this one, it shows you a nice html formatted report of your domain

Hope you take a look at it and if you see any features you’d like, let Jeff know.

PowerShell Gallery:

ADReportingTools/1.4.0

GitHub:
ADReportingTools

Creating an AD Security Group

September 24, 2022 by ClaytonT Leave a Comment

We’ve all had to create a security group before, but why not standardize it.

First, what fields are mandatory and helpful for creating a security group? We will need these to create parameters to make sure they are always filled out.

Security Group Name
Display Name
Description of Group
Credential

Then we create the function parameters as below. If you notice the Mandatory and help message in there, these will require these parameters to be entered in before running as well as give help if someone is unsure of what needs to be entered.

#Create Security Group
#Change the OU path if necessary

[CmdletBinding()]
param (
    [Parameter(Mandatory,HelpMessage='Name of Security Group')]
    [string]$Name,

    [Parameter(Mandatory,HelpMessage='Display Name of Security Group')]
    [string]$DisplayName,

    [Parameter(HelpMessage='Description of Security Group')]
    [string]$Description,

    [Parameter(Mandatory)]
    [ValidateNotNull()]
    [System.Management.Automation.PSCredential]
    [System.Management.Automation.Credential()]
    $Credential = [System.Management.Automation.PSCredential]::Empty

)

Then we apply these parameters to our code

New-ADGroup -Name $Name -Credential $Credential -SamAccountName $Name -GroupCategory Security -GroupScope Global -DisplayName $DisplayName -Path "OU=Security Groups,DC=domain,DC=local" -Description $Description -Confirm

As you can see I’ve hard coded the default OU Path, which you can easily change, or even create a variable for it too. Also you’ll notice that I put the “-Confirm” at the end, this will ask you again if you want to create it after you attempt to run it.

And that’s it! Now you can make sure you and your team always create AD Security Groups the same way. You can add more parameters if you like, check out the New-ADGroup Help for more info.