Active Directory

79K

Solutions

39K

Contributors

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

It is common practice to join vCenter to Active Directory in order to enable AD logins and authentication to the various virtual machines. However, there are times when this simple task fails. One of the most common causes is an SMB1 issue, and this article describes how to resolve it.
0

In this article, I will take a look at Microsoft BitLocker Administration and Monitoring ("MBAM") and conclude why I prefer my own scripts for deployment and management.
0
In this article, I will show you how delegation of control for Bitlocker recovery passwords in Active Directory is supposed to work using the common wizard, and why I think that you should do it differently.
2
This article explains SHA1 to SHA2 migration requirements in a simple way by putting all the data in a table, while explaining the SHA1 and SHA2 algorithms, SHA1 deprecation plans and possible migration paths to SHA2.
0
ADCycleGroups is a multilevel GPO phase-in tool I developed to automate the moving of computers and users from one GPO version to the next, until it finally gets to the latest GPO policy. This allows me to gradually move computers and users from one version of a policy to the next.
3
LVL 55

Author Comment

by:Shaun Vermaak
Yes
0
LVL 29

Expert Comment

by:Andrew Leniart
Great work Shaun - very useful.

Endorsed!

Regards, Andrew
0
I had to put together a security group that conformed to Microsoft's requirements for Active Directory domain server use between an EC2 instance on AWS and domain servers in our private WAN. I was surprised there was no script for this and decided to put one together.
0
This is a simple web application that allows you to use Active Directory photos anywhere that you can use an HTML tag.
3
This article details my method of auditing computers by querying a WMI class, serializing the result to JSON and saving it in a central location, ready to be deserialized again and pulled into a report.
4
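The collect-serialize-report cycle described in the article, as an added example that is not the article's own script. It reads three WMI classes over CIM, writes one JSON file per computer to a share, and later rebuilds a table from the files. The share path, the computer list and the chosen classes are assumptions for the example.

```powershell
# Added example, not the article's script. Assumed: the share path and the computer list.
$CentralShare = '\\FileServer\AuditShare'      # assumption: writable by the collecting account only
$Computers    = 'PC01', 'PC02'                 # assumption

function Get-ComputerAudit {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Get-CimInstance talks WinRM; -ClassName is the WMI class being queried
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem  -ComputerName $ComputerName
    $bios = Get-CimInstance -ClassName Win32_BIOS            -ComputerName $ComputerName

    # Flatten the pieces into one object so the JSON stays small and stable
    [pscustomobject]@{
        ComputerName = $ComputerName
        Collected    = (Get-Date).ToString('o')
        OSCaption    = $os.Caption
        OSVersion    = $os.Version
        LastBoot     = $os.LastBootUpTime.ToString('o')
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        MemoryGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        BIOSSerial   = $bios.SerialNumber
    }
}

# Collection: one JSON document per computer; an unreachable host is reported, not fatal
foreach ($c in $Computers) {
    try {
        $audit = Get-ComputerAudit -ComputerName $c
        # -Depth matters: the default depth of 2 silently truncates nested objects
        $audit | ConvertTo-Json -Depth 5 |
            Set-Content -Path (Join-Path $CentralShare "$c.json") -Encoding UTF8
    }
    catch {
        Write-Warning "Audit of $c failed: $($_.Exception.Message)"
    }
}

# Reporting, from any machine that can read the share: deserialize and tabulate
$report = Get-ChildItem -Path $CentralShare -Filter '*.json' |
    ForEach-Object { Get-Content -Path $_.FullName -Raw | ConvertFrom-Json }

$report | Sort-Object ComputerName |
    Select-Object ComputerName, OSCaption, OSVersion, Model, MemoryGB, LastBoot, Collected |
    Format-Table -AutoSize
```

The files carry serial numbers and patch-level information, so the share should be readable by the reporting account and writable by the collecting account, and nobody else.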
LVL 13

Expert Comment

by:Senior IT System Engineer
Yes, I already have it on my workstation:

PS C:\> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.17134.590
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17134.590
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1


is it because some of my Domain Controllers are on Windows Server 2012 R2?
0
LVL 55

Author Comment

by:Shaun Vermaak
It runs remotely, so you need PS 5 on the DC
1
The "Local Administrator Password Solution" (LAPS) provides a centralized storage of secrets/passwords in Active Directory (AD). On the other hand, KeePass is an open source password manager. This Powershell script generates a KeePass XML file from a LAPS enabled Active Directory, ready for import.
4
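An added example of the export the article describes, not the article's own script: read the LAPS password and expiry for every computer in an OU and write a KeePass 2.x XML import file. The OU, output path and KeePass group name are assumptions, and the legacy LAPS attribute names (ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime) are assumed; the XML layout is the minimal subset of the KeePass 2.x XML format that the import reads.

```powershell
# Added example, not the article's script. Assumed: OU, output path, group name, legacy LAPS attributes.
Import-Module ActiveDirectory

$SearchBase = 'OU=Servers,DC=example,DC=com'   # assumption
$OutFile    = 'C:\Secure\laps-export.xml'      # assumption: encrypted, tightly ACL'd volume

# Only accounts holding the "read ms-Mcs-AdmPwd" extended right get a value back
$computers = Get-ADComputer -SearchBase $SearchBase -Filter "ms-Mcs-AdmPwd -like '*'" `
    -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime', 'DNSHostName'

function Write-KeePassString {
    # One <String><Key/><Value/></String> element; XmlWriter escapes < > & " in values,
    # so a password containing them cannot corrupt the file
    param([System.Xml.XmlWriter]$Writer, [string]$Key, [string]$Value, [switch]$Protect)
    $Writer.WriteStartElement('String')
    $Writer.WriteElementString('Key', $Key)
    $Writer.WriteStartElement('Value')
    if ($Protect) { $Writer.WriteAttributeString('ProtectInMemory', 'True') }
    $Writer.WriteString($Value)
    $Writer.WriteEndElement()   # Value
    $Writer.WriteEndElement()   # String
}

$settings = New-Object System.Xml.XmlWriterSettings
$settings.Indent = $true
$w = [System.Xml.XmlWriter]::Create($OutFile, $settings)
$w.WriteStartElement('KeePassFile')
$w.WriteStartElement('Root')
$w.WriteStartElement('Group')
$w.WriteElementString('Name', 'LAPS')          # assumption: target group name in KeePass

foreach ($c in $computers) {
    # The expiration attribute is a FILETIME; surface it so stale entries are obvious
    $expires = [DateTime]::FromFileTimeUtc([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
    $w.WriteStartElement('Entry')
    Write-KeePassString -Writer $w -Key 'Title'    -Value $c.Name
    Write-KeePassString -Writer $w -Key 'UserName' -Value 'Administrator'
    Write-KeePassString -Writer $w -Key 'Password' -Value $c.'ms-Mcs-AdmPwd' -Protect
    Write-KeePassString -Writer $w -Key 'URL'      -Value $c.DNSHostName
    Write-KeePassString -Writer $w -Key 'Notes'    -Value "LAPS password expires $($expires.ToString('u'))"
    $w.WriteEndElement()   # Entry
}

$w.WriteEndElement()   # Group
$w.WriteEndElement()   # Root
$w.WriteEndElement()   # KeePassFile
$w.Close()
```

The output holds every local administrator password in the OU in plaintext, which is exactly the exposure LAPS exists to avoid, so import it and delete it in the same sitting; it is also only a snapshot, and every entry is wrong as soon as LAPS rotates that machine's password.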
LVL 13

Expert Comment

by:Senior IT System Engineer
This is so cool.
Thank you for sharing this great script Shaun.
0
LVL 55

Author Comment

by:Shaun Vermaak
Thank you Senior IT System Engineer, appreciate the feedback!
1
This article discusses what Microsoft Exchange database portability is and how to use it to restore email services, along with mailbox data, in case of an Exchange Server failure.
1

Over time I have seen a number of questions asking how to log off users at a specific time. I personally haven't required this, but decided to develop a little Windows service that manages this via a schedule and not via a legacy scheduled task running shutdown /l or via AD logon hours.
1
LVL 67

Expert Comment

by:McKnife
Will I understand the limitation once I use yours? I have no idea what you mean. I want to log off all users at a given time - I can, and I don't need extra tools or schedulers.
0
LVL 55

Author Comment

by:Shaun Vermaak
Many ways to skin a cat. I prefer to use methods where I can replace a config file and alter all configuration.
0
AD SYSVOL Scratch recovery from backup
This article explains AD System State Recovery with the authsysvol switch: what it does and when this restore should be attempted, prerequisites, demo, impact and implications. The topic is partially documented by Microsoft and DELL and lacks important details, hence I have tried to add all of it here.
2
This article demonstrates DFS namespace and replication group accidental deletion recovery. DFS-N and DFS-R configuration is stored in Active Directory. A few precautionary measures will enable DFS-N and DFS-R recovery either from the DFS native tool (dfsutil) or from Active Directory.
2
LVL 51

Author Comment

by:Mahesh
If a user does save a previous version of a file from VSS, the restored previous version gets replicated to the DFSR partner.

If VSS is enabled on both replication partners, the last restored file will win and be replicated to all partners.

Note that since a VSS copy is server-specific, it will not get replicated across DFSR partners.
The VSS versions of the same file on both servers can be different, based on the time difference between when the VSS snapshots are triggered.
If the VSS snapshot is triggered on all replicated members at the same time, you would get similar previous-version data on all members; note that this is a workaround, as the VSS copy is separate for every member.

I hope this is clear
1
LVL 13

Expert Comment

by:Senior IT System Engineer
Many thanks, Mahesh for the clarification, it's all clear from now on.
0
In this article I will cover the major Microsoft DFSR issues and their resolution. These issues can occur during initial deployment or post-deployment. The resolution for each problem is generally available on the internet in standalone posts. I have tried to present them here collectively and in detail.
4
Group membership expiration is a superb new feature included with the Active Directory 2016 forest functional level. But what if you want this functionality but you haven't upgraded yet? Since I have many clients that cannot yet leverage this new feature, I have developed a custom tool.
2
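For comparison with the custom tool, here is what the built-in feature looks like, as an added example that is not the article's tool: check that the Privileged Access Management optional feature is enabled in the forest, add a member with a TTL that AD itself removes when it expires, and read the remaining TTL back. The forest, group and user names are assumptions.

```powershell
# Added example, not the article's tool. Assumed: forest, group and user names.
Import-Module ActiveDirectory

$Forest = 'example.com'        # assumption
$Group  = 'Internet-Access'    # assumption
$User   = 'svc-licensing'      # assumption

# Temporary membership needs the 2016 forest functional level and this optional feature;
# enabling it is a one-way change, so check before relying on it
$pam = Get-ADOptionalFeature -Filter 'Name -like "Privileged*"' -Server $Forest
if (-not $pam.EnabledScopes) {
    throw "Privileged Access Management Feature is not enabled in $Forest"
}
# To enable it (forest-wide, cannot be disabled afterwards):
# Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target $Forest

# Membership that the directory removes by itself when the TTL runs out
$ttl = New-TimeSpan -Minutes 30
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $ttl

# Read back the remaining seconds; members added without a TTL show up without a <TTL=...> prefix
Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Note that with the feature enabled, the user's Kerberos TGT lifetime is capped at the shortest remaining TTL of any of their time-bound memberships, so the expiry is enforced on the next ticket rather than waiting for the normal ticket lifetime.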
LVL 67

Expert Comment

by:McKnife
That's too bad. I had hoped that it would, so that we could switch to your tool instead of using what is built in @2016 server, because the built-in method has a funny limitation (at least in our domain): it won't work with times of 5 minutes or less (6 minutes is OK!). When using 5 minutes or less, the group will get populated, but the Kerberos ticket will not be granted for whatever reason.

We would like to use less than 6 minutes sometimes, for example when we activate a software license: we give the machine internet access for the shortest time possible (working close to the military here, no direct internet access allowed). To do so, we use AD groups that the Squid proxy works with. We would like to use, say, 1 minute, but we can't do less than 6... :-)
0
LVL 55

Author Comment

by:Shaun Vermaak
Will look into it. Our requirement is usually for ~a day, but yours makes sense
0
In this article, I am trying to collectively present DFSN and DFSR deployment considerations / best practices, in general, to avoid known DFSN and DFSR issues during and post-deployment. The article would help in defining DFSN and DFSR architecture and configuration.
9
LVL 13

Expert Comment

by:Senior IT System Engineer
This is an awesome resource.
Thanks, Mahesh!
0
NTFS File Permissions
An article explaining how to give user/group ability to create, edit, rename & delete files, but not create folders.
2
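One way to set up exactly that permission split, as an added example and not the article's own steps: two ACEs for the same group, one that applies to the folder only and grants the right to create files but not folders, and one inherited by files only that grants Modify. The folder path and group name are assumptions.

```powershell
# Added example, not the article's steps. Assumed: folder path and group name.
$Path     = 'D:\Drop'                 # assumption
$Identity = 'EXAMPLE\FileEditors'     # assumption

$acl = Get-Acl -Path $Path

# ACE 1, folder only (no inheritance). ReadAndExecute lets the group list the folder;
# CreateFiles is "Create files / write data". CreateDirectories ("Create folders /
# append data") is deliberately absent, so "New folder" is denied.
$folderOnly = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Identity,
    [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, CreateFiles',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# ACE 2, files only (ObjectInherit + InheritOnly). Modify on each file covers editing,
# renaming (Delete on the file plus CreateFiles on the parent) and deleting it, and new
# files the group creates pick the ACE up through inheritance.
$filesOnly = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Identity,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.AddAccessRule($folderOnly)
$acl.AddAccessRule($filesOnly)
Set-Acl -Path $Path -AclObject $acl

# Verify: the group's folder-level entry must not include CreateDirectories
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity } |
    Select-Object FileSystemRights, InheritanceFlags, PropagationFlags
```

Check the result with a test account rather than by reading the ACL alone: an explicit or inherited Deny elsewhere in the tree, or Full Control inherited from the parent, silently overrides what these two entries intend.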
This article documents the process of assigning different password policies based on user account password strength. The result of this script is that all the users that are using weak passwords are forced to have a password policy on them that allows their passwords to be valid for fewer days.
6
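The process the article describes, as an added example rather than its script: replicate account hashes with DSInternals (which needs the Replicating Directory Changes rights on the naming context, not Domain Admin), compare each NT hash against the hashes of a known-weak password list, and keep a fine-grained password policy's subject list equal to the set of matching accounts. The DC, naming context, PSO name and the weak-password list are assumptions, and the list is constructed for the example.

```powershell
# Added example, not the article's script. Assumed: DC, naming context, PSO name, weak-password list.
Import-Module ActiveDirectory
Import-Module DSInternals

$Server = 'dc01.example.com'          # assumption
$NC     = 'DC=example,DC=com'         # assumption
$PSO    = 'PSO-WeakPassword-30Days'   # assumption: existing PSO with a short MaxPasswordAge

# Constructed list for the example; use a breach list or company-specific terms in practice
$weak = 'Password1', 'Welcome1', 'Summer2019', 'Example2019!'

# NT hashes are unsalted, so equal hash means equal password; hash the list once
$weakHashes = @{}
foreach ($p in $weak) {
    $hash = ConvertTo-NTHash -Password (ConvertTo-SecureString $p -AsPlainText -Force)
    $weakHashes[([BitConverter]::ToString($hash) -replace '-', '')] = $p
}

# Pull every enabled account that has an NT hash (accounts with no password are skipped)
$accounts = Get-ADReplAccount -All -Server $Server -NamingContext $NC |
    Where-Object { $_.Enabled -and $_.NTHash }

$hits = foreach ($a in $accounts) {
    $hex = [BitConverter]::ToString($a.NTHash) -replace '-', ''
    if ($weakHashes.ContainsKey($hex)) {
        [pscustomobject]@{ SamAccountName = $a.SamAccountName; Matched = $weakHashes[$hex] }
    }
}

# Reconcile the PSO's subject list: add new matches, release accounts that changed their password
$current  = Get-ADFineGrainedPasswordPolicySubject -Identity $PSO -Server $Server |
    Select-Object -ExpandProperty SamAccountName
$toAdd    = $hits.SamAccountName | Where-Object { $_ -notin $current }
$toRemove = $current | Where-Object { $_ -notin $hits.SamAccountName }

if ($toAdd)    { Add-ADFineGrainedPasswordPolicySubject    -Identity $PSO -Subjects $toAdd    -Server $Server }
if ($toRemove) { Remove-ADFineGrainedPasswordPolicySubject -Identity $PSO -Subjects $toRemove -Server $Server -Confirm:$false }

$hits | Format-Table -AutoSize
```

Whatever account runs this can read every password hash in the domain (the same right DCSync abuses), so treat it as Tier 0 even though it is not a Domain Admin, and never write the replicated hashes to disk; DSInternals' Test-PasswordQuality does the same comparison against a hash file if you prefer not to handle the plaintext list in the script.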
LVL 13

Expert Comment

by:Senior IT System Engineer
Hi Shaun,

Can the DSInternals module be installed on another computer without RSAT installed?
Because I wanted to run the scheduled task for this report to send out email alert, not from the Domain Controller.
0
LVL 55

Author Comment

by:Shaun Vermaak
Yes, it can :)

Just remember that you do not need DA. Configure an account with replicate directory access and use that in your scheduled task
0
This article shows a process for synchronizing passwords from one Active Directory domain to another, even if it is in another forest.
7
LVL 6

Expert Comment

by:Vikas Bhat
Thank you so much. I will give this a try. Meanwhile I also made sure that the users exist on both sides.
0
LVL 6

Expert Comment

by:Vikas Bhat
Hello Shaun. Thank you for all your help. After testing I finally found that the script was working properly and also handling the
if ($Null -ne $domain1User -and $Null -ne $domain2User)
check, but it didn't clear the old values of $domain1User and $domain2User in the for loop.

I have now corrected it by adding the lines below in the for loop.
    $domain1User = $Null
    $domain2User = $Null

Below is the updated script, which now works properly even when users are not present on both sides.

if (-not (Get-Module -ListAvailable -Name DSInternals)) {
    Install-Module -Name DSInternals -Confirm:$false -Force
}
Import-Module DSInternals
Import-Module ActiveDirectory

# Create your credentials once with these commands (Export-CliXml protects the password
# with DPAPI, so the file is only readable by the same user on the same machine)
# $credential = Get-Credential
# $credential | Export-CliXml -Path 'C:\Temp\cred.xml'

# Configure Domain 1
$domain1NetBIOS    = 'Domain1'
$domain1FQDN       = 'Domain1.com'
$domain1DN         = 'DC=Domain1,DC=com'
$domain1Credential = Import-CliXml -Path 'C:\Temp\Domain1.xml'
$domain1Hashes     = Get-ADReplAccount -All -NamingContext $domain1DN -Server $domain1FQDN -Credential $domain1Credential

# Configure Domain 2 ($domain2FQDN must be set: every Domain 2 call below uses it)
$domain2NetBIOS    = 'Domain2'
$domain2FQDN       = 'Domain2.com'
$domain2DN         = 'DC=Domain2,DC=com'
$domain2Credential = Import-CliXml -Path 'C:\Temp\Domain2.xml'
$domain2Hashes     = Get-ADReplAccount -All -NamingContext $domain2DN -Server $domain2FQDN -Credential $domain2Credential

# The group of users to sync passwords for
$syncGroup = 'SG-PasswordSync'

# Loop through these users
$users = Get-ADGroupMember -Identity $syncGroup -Server $domain1FQDN -Credential $domain1Credential
foreach ($user in $users)
{
    # Reset both variables so a failed lookup in the previous iteration cannot leak into this one
    $domain1User = $Null
    $domain2User = $Null

    # Get the user object in both domains; a missing user leaves the variable $null instead of throwing
    $domain1User = Get-ADUser -Identity $user.SamAccountName -Properties pwdLastSet -Server $domain1FQDN -Credential $domain1Credential -ErrorAction SilentlyContinue
    $domain2User = Get-ADUser -Identity $user.SamAccountName -Properties pwdLastSet -Server $domain2FQDN -Credential $domain2Credential -ErrorAction SilentlyContinue

    # Only continue if both users exist
    if ($Null -ne $domain1User -and $Null -ne $domain2User)
    {
        # Get the current user's replicated account (which carries the hashes) in both domains
        $currentDomain1UserHash = $domain1Hashes | Where-Object { $_.SamAccountName -eq $user.SamAccountName }
        $currentDomain2UserHash = $domain2Hashes | Where-Object { $_.SamAccountName -eq $user.SamAccountName }

        # Get the current user's NT hash as lower-case hex in both domains
        $currentDomain1UserNTHash = ([System.BitConverter]::ToString($currentDomain1UserHash.NTHash) -replace '-', '').ToLower()
        $currentDomain2UserNTHash = ([System.BitConverter]::ToString($currentDomain2UserHash.NTHash) -replace '-', '').ToLower()

        # Check if the hashes are different, i.e. the account password is out of sync
        if ($currentDomain1UserNTHash -ne $currentDomain2UserNTHash)
        {
            # pwdLastSet is a FILETIME (Int64), so the larger value is the more recent change
            if ($domain1User.pwdLastSet -gt $domain2User.pwdLastSet)
            {
                # Domain 1 password is more recent
                Write-Host "Sync user '$($user.SamAccountName)' password from domain 1 to domain 2"
                Set-SamAccountPasswordHash -SamAccountName $user.SamAccountName -Domain $domain2NetBIOS -NTHash $currentDomain1UserNTHash -Server $domain2FQDN -Credential $domain2Credential
            }
            elseif ($domain2User.pwdLastSet -gt $domain1User.pwdLastSet)
            {
                # Domain 2 password is more recent
                Write-Host "Sync user '$($user.SamAccountName)' password from domain 2 to domain 1"
                Set-SamAccountPasswordHash -SamAccountName $user.SamAccountName -Domain $domain1NetBIOS -NTHash $currentDomain2UserNTHash -Server $domain1FQDN -Credential $domain1Credential
            }
        }
        else
        {
            Write-Host "User '$($user.SamAccountName)' passwords are the same, no need to sync"
        }
    }
}

1

This is my take on Shadow Groups, the principle of maintaining group membership based on objects within an organizational unit within the Active Directory.
1
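The shadow-group principle in its simplest form, as an added example and not the article's tool: make a group's membership equal to the enabled users directly in one OU, adding whoever appeared and removing whoever was moved out, disabled, or added to the group by hand. The OU and group names are assumptions.

```powershell
# Added example, not the article's tool. Assumed: OU and group names.
Import-Module ActiveDirectory

$OU    = 'OU=Finance,OU=Users,DC=example,DC=com'   # assumption
$Group = 'SG-Finance-Shadow'                       # assumption

# Desired state: enabled users directly in the OU (OneLevel ignores child OUs; use Subtree to include them)
$desired = Get-ADUser -SearchBase $OU -SearchScope OneLevel -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty DistinguishedName

# Actual state: read the member attribute itself rather than Get-ADGroupMember, which
# expands nested groups and stops on foreign security principals
$actual = Get-ADGroup -Identity $Group -Properties member |
    Select-Object -ExpandProperty member

# Anything not in the OU is removed, including members someone added manually or a nested group
$toAdd    = $desired | Where-Object { $_ -notin $actual }
$toRemove = $actual  | Where-Object { $_ -notin $desired }

if ($toAdd)    { Add-ADGroupMember    -Identity $Group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false }

[pscustomobject]@{ Group = $Group; Added = @($toAdd).Count; Removed = @($toRemove).Count }
```

Run it on a schedule from a service account that has write-member on just this group; the OU then becomes the single source of truth, and a hand-added member disappears at the next run, which is the point.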
Correctly defined Active Directory sites and subnets allow for optimized replication, nearest service location, and authentication against the correct server.
2
LVL 13

Expert Comment

by:Senior IT System Engineer
Hi Shaun,

Suppose I have 20+ domain controllers spread across the globe, do I need to manually RDP into each of the DCs and then run the NoClientSites.exe one by one?
0
LVL 55

Author Comment

by:Shaun Vermaak
Hi Senior IT System Engineer

What I do is copy the netlogon.log files into a single location and then combine them

@Echo Off
REM usage: collect.cmd <DC name>; netlogon.log lives in %SystemRoot%\debug on every DC
Copy \\%1\C$\Windows\Debug\netlogon.log \\FileServer\SomeShare\%1_NETLOGON.log

then combine and run

Copy *.log Combined.log

Wrote this from memory so it might have some syntax errors ;)
1
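A scripted version of the collect-and-combine step above, as an added example that is not the article's NoClientSites.exe: a parser for the NO_CLIENT_SITE lines in netlogon.log that groups the unmapped client addresses into candidate /24 subnets, shown first on constructed sample lines, then applied to logs pulled from every DC into one share and cross-checked against the subnets already defined. The share path is an assumption, as is treating a /24 as the first-guess subnet size.

```powershell
# Added example, not the article's tool. Assumed: share path; /24 as a first-guess subnet size.
Import-Module ActiveDirectory

function Get-NoClientSiteSummary {
    param([string[]]$Lines)
    # netlogon.log line shape: <date> <time> [MISC] <DOMAIN>: NO_CLIENT_SITE: <client> <ip>
    $rx = 'NO_CLIENT_SITE:\s+(?<client>\S+)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})'
    $Lines | ForEach-Object {
        if ($_ -match $rx) {
            [pscustomobject]@{
                Client = $Matches.client
                IP     = $Matches.ip
                Net24  = $Matches.ip -replace '\.\d+$', '.0/24'   # assumption: /24 candidate
            }
        }
    } | Group-Object Net24 | ForEach-Object {
        [pscustomobject]@{
            Candidate = $_.Name
            Hits      = $_.Count
            Clients   = ($_.Group.Client | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Hits -Descending
}

# Constructed sample lines in the netlogon.log format, to show what the parser keeps and drops
$sample = @(
    '01/15 09:12:34 [MISC] EXAMPLE: NO_CLIENT_SITE: PC-LON-01 10.20.30.41',
    '01/15 09:12:40 [MISC] EXAMPLE: NO_CLIENT_SITE: PC-LON-02 10.20.30.77',
    '01/15 09:13:02 [MISC] EXAMPLE: NO_CLIENT_SITE: LAPTOP-09 192.168.77.5',
    '01/15 09:13:05 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from PC-LON-01 Entered'
)
Get-NoClientSiteSummary -Lines $sample | Format-Table -AutoSize

# Real run: gather netlogon.log from every DC in the domain into one share, then parse them together
$Share = '\\FileServer\NetlogonLogs'   # assumption
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # NO_CLIENT_SITE logging is on by default; an unreachable DC produces an error and the loop continues
    Copy-Item -Path "\\$dc\C$\Windows\debug\netlogon.log" -Destination (Join-Path $Share "$dc.log")
}
$summary = Get-NoClientSiteSummary -Lines (Get-ChildItem -Path $Share -Filter '*.log' | Get-Content)

# Flag candidates that already exist as a subnet object of exactly that name. A wider prefix
# (say a /16) would also cover them, so confirm against the site design before creating anything.
$known = (Get-ADReplicationSubnet -Filter *).Name
$summary | Select-Object *, @{ n = 'AlreadyDefined'; e = { $_.Candidate -in $known } } |
    Format-Table -AutoSize

# Once a candidate and its site are confirmed:
# New-ADReplicationSubnet -Name '10.20.30.0/24' -Site 'London'
```

A client that appears here is authenticating against whichever DC it happened to find, which is why an unmapped subnet shows up as slow logons and Group Policy pulled across the WAN long before anyone looks at netlogon.log.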
This command line tool can be used to quickly create a folder structure for a file server. Not only does it assist in creating the folders, it creates the appropriate groups and assigns the correct permission.
3
This article outlines the importance of the Certificate Authority validity period and its impact on the certificate renewal process. The article also details the CA certificate renewal process, along with extending the CA validity period.
6
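An added example that serves both the SHA1 to SHA2 migration article above and this one, and is from neither: inventory the local machine's certificate stores, list the certificates still signed with SHA-1 (the migration work), and list the CA certificates whose own validity ends within a warning window, since a certificate cannot be issued with a lifetime beyond its issuing CA's NotAfter. Running it on the server being assessed and the one-year threshold are assumptions.

```powershell
# Added example, from neither article. Assumed: run on the machine being assessed; 365-day threshold.
$WarnDays = 365   # assumption

$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'
$certs  = Get-ChildItem -Path $stores -Recurse | Where-Object { -not $_.PSIsContainer }

function Get-CertRisk {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A self-signed root is trusted by its presence in the Root store, not by verifying its
    # signature, so SHA-1 on a root is not the same risk as SHA-1 on an issued certificate
    $selfSigned = $Cert.Subject -eq $Cert.Issuer
    $sigAlg     = $Cert.SignatureAlgorithm.FriendlyName
    $isCA       = [bool]($Cert.Extensions |
        Where-Object { $_.Oid.FriendlyName -eq 'Basic Constraints' -and $_.CertificateAuthority })
    [pscustomobject]@{
        Subject      = $Cert.Subject
        Issuer       = $Cert.Issuer
        SigAlgorithm = $sigAlg
        SHA1Signed   = ($sigAlg -like 'sha1*') -and -not $selfSigned
        IsCA         = $isCA
        NotAfter     = $Cert.NotAfter
        DaysLeft     = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint   = $Cert.Thumbprint
    }
}

$report = $certs | ForEach-Object { Get-CertRisk -Cert $_ }

# 1. Leaf and intermediate certificates still signed with SHA-1: each needs reissuing from a SHA-2 CA
$report | Where-Object SHA1Signed |
    Format-Table Subject, Issuer, SigAlgorithm, NotAfter -AutoSize

# 2. CA certificates expiring inside the window: everything they issue is cut off at the CA's
#    NotAfter, so the CA must be renewed (and its validity extended) before that point
$report | Where-Object { $_.IsCA -and $_.DaysLeft -lt $WarnDays } |
    Sort-Object DaysLeft |
    Format-Table Subject, DaysLeft, NotAfter, Thumbprint -AutoSize
```

On the CA itself the same NotAfter check applies to the CA's own certificate in the Personal store, and the Thumbprint column is what to match against the entries certutil shows when you verify which CA certificate version is currently issuing.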

Expert Comment

by:Mr Saadi
Hi Mahesh

For issuing a new Sub CA certificate from an offline Root CA, do we need to renew and publish a new CRL from the root CA?

Thanks in advance.
0
LVL 51

Author Comment

by:Mahesh
NO

The CRL needs to be published in two cases:
When your existing CRL validity has expired - you should keep the CRL validity period long enough for an offline Root CA, say, one year
OR
if you have revoked any certificate

Mahesh.
0
Assume that, in the role of System Administrator at an SMB (or a startup), you are asked to (re)design the company's IT infrastructure. In this article, I will describe the steps to design, configure and operate the IT devices in a small business environment (<50 users).
0
Import Outlook Calendar to Exchange Server
How to import an Outlook calendar to MS Exchange Server. A calendar stores a user's appointments and meeting details to manage work. Moving an Outlook calendar to a new or already existing Exchange Server becomes a complex process if an admin needs to import the calendar from Outlook into a specific Exchange mailbox.
0
