Active Directory – Parsing a 'Multi-Line' Description Property

Interesting one this… A customer had some information they needed to obtain from the description property on an object. The information was 'multi-valued' and saved as a Unicode string. What am I talking about? Here's the string in the attribute editor of Active Directory Users and Computers (note the ';' delimiter): Here it is in the Multi-valued…


One-liner: Use Get-ADObject to Find Authorised DHCP Servers

The DHCP PowerShell module has the Get-DhcpServerInDC cmdlet to show you the DHCP servers that have been authorised in Active Directory. This cmdlet was introduced with Windows Server 2012 and v3 of PowerShell. What if you don't have access to the above? What if you want to impress your PoSh Chickens and get a list of…


Security Focus: sIDHistory / sID Filtering Sanity Check – Part 1 – aka Post #100!

100 posts! Who’d have thought it? I started out wanting to evangelise PowerShell. 100 posts later, that desire is as strong as ever! Along the way, it seems that I have helped some folks out, made others laugh, confused some, talked about PoSh chickens… and had a jolly good time of it, too! Anyway, enough…


Find Server Objects Without NTDS Settings

Two for the price of one this week! Well, two ways to achieve the same outcome. You know, that's one of the many things I love about PowerShell – the numerous ways to arrive at the same result. This one came from a chat I had with my esteemed colleague, Ali Sajjad. What's the context? Ali was delivering…


One-Liner: List Deleted Objects

Short and sweet this week. Just like this one-liner.

Get-ADObject -Filter * -SearchBase "CN=Deleted Objects,DC=fabrikam,DC=com" -IncludeDeletedObjects

You can change the search base to a different partition if you want to inspect deleted objects from there. TTFN


Get Active Directory Accounts Created in the Last N Days (featuring -xor)

A customer asked me to demonstrate how you can check for user or computer accounts recently added to a domain. The result was this function: Get-ADNewlyCreatedAccount

The function has the following parameters and switches:

$Domain… the target domain
$WithinDays… the number of days history to include in the search
$UsersOnly… get only newly created user accounts…


msDS-parentdistname vs. parentGUID

Last week I wrote about mirroring an OU structure, from a source domain to a test domain, with the help of a couple of PowerShell scripts. The first script had to capture the distinguished name of the parent object of each OU found in the source domain. This would allow me to make sure that an equivalent parent object existed in the target domain before…


Use PowerShell to Find Active Directory Forest Conflict Objects

Quite often there’s conflict amongst the PoSh progeny. Usually, the most belligerent sibling gets sent to their bedroom. In Active Directory, when there’s a sibling name conflict the Relative Distinguished Name of the losing sibling is ‘mangled’, i.e. you’ll see ‘CNF:<guid>’ inserted into the name. Now, the last time there was a rumpus in the PoSh household, I tried inserting ‘*CNF:bf8149dd-3e1f-41f5-ad6b-bc11403bc579*’ into the name of the chief…


Strict Replication Consistency On New Domain Controllers

Last time out I talked about Content Freshness and likened it to Strict Replication Consistency. This time out… more on Strict Replication Consistency (SRC)… For those folks with forests that have been around since Windows Server 2000, there's a check you can perform with PowerShell to see if your newly created domain controllers will have SRC automatically enabled. #Create a string for…
