Clatent

Technology | Fitness | Food

Active Directory

One-Liner Wednesday November 2, 2022

by Leave a Comment 

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | sort-object ExpiryDate

Here is a one liner that find very useful and hope you do to.

You can customize it even more, but for now this one grabs all the AD User accounts that are expiring and the ones expiring first at the top. I love using this to stay in front of users passwords expiring then they can’t connect or if they are off network and is a rush to get it done.

You could even sent this up as a scheduled task and have it pull the next 2 weeks of users. Then either you reach out to them, it emails them, or it notifies your help desk to reach out to them to help change their password.

Or you could have it in your dashboard so you’d always see the next 2 weeks of users passwords expiring.

Module Monday October 24, 2022

by Leave a Comment

It’s Module Monday…

Although this module could be on Read-Only Friday, I wanted to show you that not all modules change your environment, and they can be extremely helpful getting information for you so you don’t have to create it or yourself. And with it being Cyber Security Month, why not have an easy way to find changes in your Active Directory.

With that said, today’s module is Jeff Hicks ADReportingTools, which I think the name is pretty obvious of what it does, but definitely check out the GitHub for all the reporting it can do. Here are a few of my favorites.

  • Get-ADDomainControllerHealth – this checks storage space, physical memory, % of security log in use, and critical services not running
  • Get-ADUserAudit – which will search the event logs on your domain controller for that specific user events
  • Get-ADGroupUser – which will display all users in that defined group and who any disabled users in red
  • Get-ADSiteSummary – shows a quick view of your sites and subnets
  • Show-DomainTree – this will show your domain in a tree view in your console
  • New-ADDomainReport – I really like this one, it shows you a nice html formatted report of your domain

Hope you take a look at it and if you see any features you’d like, let Jeff know.

PowerShell Gallery:

ADReportingTools/1.4.0

GitHub:
ADReportingTools

Creating an AD Security Group

by Leave a Comment

We’ve all had to create a security group before, but why not standardize it.

First, what fields are mandatory and helpful for creating a security group? We will need these to create parameters to make sure they are always filled out.

  • Security Group Name
  • Display Name
  • Description of Group
  • Credential

Then we create the function parameters as below. If you notice the Mandatory and help message in there, these will require these parameters to be entered in before running as well as give help if someone is unsure of what needs to be entered.

#Create Security Group
#Change the OU path if necessary

[CmdletBinding()]
param (
    [Parameter(Mandatory,HelpMessage='Name of Security Group')]
    [string]$Name,

    [Parameter(Mandatory,HelpMessage='Display Name of Security Group')]
    [string]$DisplayName,

    [Parameter(HelpMessage='Description of Security Group')]
    [string]$Description,

    [Parameter(Mandatory)]
    [ValidateNotNull()]
    [System.Management.Automation.PSCredential]
    [System.Management.Automation.Credential()]
    $Credential = [System.Management.Automation.PSCredential]::Empty

)

Then we apply these parameters to our code

New-ADGroup -Name $Name -Credential $Credential -SamAccountName $Name -GroupCategory Security -GroupScope Global -DisplayName $DisplayName -Path "OU=Security Groups,DC=domain,DC=local" -Description $Description -Confirm

As you can see I’ve hard coded the default OU Path, which you can easily change, or even create a variable for it too. Also you’ll notice that I put the “-Confirm” at the end, this will ask you again if you want to create it after you attempt to run it.

And that’s it! Now you can make sure you and your team always create AD Security Groups the same way. You can add more parameters if you like, check out the New-ADGroup Help for more info.