Active Directory Reporting: Unused Group Age Report.

  Today’s topic is going to be getting rid of unused groups in the forest.  Over the last few years I’m seeing a growing trend were administrators or identity teams are creating groups that are never used.  Once these groups are created it seems impossible to get these groups removed due to the unknown.  These…

2

Ugh – Active Directory Powershell Cmdlets time out or takes Forever!

  This happens to me more than you can imagine,  when performing simple searches against large Active Directory environments the query will sometimes fail by timing out. The irony is the same cmdlet may have completed successfully a number of times before it starts failing.   This blog wont cover how to troubleshoot this issue, or…

1

Powershell – Get Domain Controllers Scheduled Task

Real quick post for the day. This script is designed to enumerate every Domain Controller in a forest and retrieve all the scheduled task.  Note this script will not work if you run it from Windows 2008 R2 or Windows 7.  You would need to change the script to use get-wmiobject instead.    $default_log =…

0

Powershell – Copy ObjectGuid to MS-DS-ConsistencyGuid

  Not going to go into much detail on why this is needed just wanted to provide a quick and easy solution to automate this task via PowerShell.  If you plan on leveraging this to handle forest migrations and plan to use the MS-DS-ConsistencyGuid as a source anchor in Azure AD make sure to research…

2

Powershell – What Active Directory Sites and Subnets are being used?

Why reinvent the wheel?  The reason I ask this is I ran into an interesting challenge and wanted to share how I solved this issue. Active Directory does very little to provide Domain Admins with the capability to audit the use of sites and or even the subnets that are actually being used.  This can…

3

Active Directory Reporting – Create a password age report

  Security is becoming one of the bigger topics as of late in regards to Active Directory.  While working with other admins I am finding more and more Admins do not know what kind of state user account passwords are in the environment.  Here is a PowerShell script I use to help Admins find out…

0

Chad’s Quick Notes – Installing a Domain Controller with Server 2016 Core

  I will admit with Windows Server 2012 R2 I usually installed the full gui version and then once I had the server the way I wanted it, I would uninstall the gui.  With this no longer being possible with Windows Server 2016 I had to dust off my notes on how to leverage sconfig…

5

My Guidance on Identifying Stale Computers Objects in Active Directory using Powershell

  This is a very common discussion, and a simple search using your favorite search engine provides multiple results from both the community and my Microsoft Peers.  This is my take on the topic and the guidance I usually provide. These are common questions I get: What AD attribute should be used pwdlastset or Lastlogontimestamp…

1

Domain Controller Patch/Hotfix Level Double Check

  Its very easy to make assumptions, one assumption I seem to make frequently is assuming all of the domain controllers in a forest are at the same patch level.  If any of you have ever talked to someone from MS usually the first thing they will have you do is install multiple patches related…

1

Audit All GPO’s for Deny User Right Assignments in an AD forest.

  In large delegated Active Directory environments, one of the things I hear often is if I follow the Microsoft recommendations on creating a GPO to deny Enterprise Admin and Domain Admin rights to access  “Tier 1” or “Tier 2” computers.  How do I know if I am overwriting a GPO that may already contain…

0