One-Liner: Query the AD Schema for User Object Attributes

I’ve lost count of just how many blog posts have their origin in a customer question. Here’s another: “How do you use PowerShell to get a list of what attributes *could* be populated on an AD user object?” A magnificent question! The customer was unsure as to why some properties would appear…

One-Liner: Find a Renamed and Relocated AD Guest Account WITHOUT using the Well-Known SID

So… someone decided to rename and move the domain’s Guest account. You could find it by searching via the well-known SID… SID: S-1-5-21domain-501 Name: Guest Description: A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. Or… you could try this little trick… …

Security Focus: Set ConstrainedLanguage Mode on My Test Computer

Whilst doing some research for a presentation on Security and PowerShell, I came across what I assume is an UNSUPPORTED setting, due to a lack of documentation: [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine') After running it, look what happens when I try and start PowerShell. Damn, my profile script won’t run… but, what’s this? I can’t do other…

One-Liner: Use PowerShell to Verify Domain Controller Location

It’s generally a bad thing if a domain controller isn’t in the Domain Controllers OU. For example, the Default Domain Controllers Policy may not be applied. Here’s a cheeky one-liner to check you’re good: Get-ADDomainController -Filter * | ForEach-Object { if ($_.ComputerObjectDN -notmatch "CN=$($_.Name),OU=Domain Controllers,$($_.DefaultPartition)") { Write-Output "$($_.Name) computer object DN set to $($_.ComputerObjectDN)" }…

One-Liner: Use PowerShell to Get GPOs Containing User Settings

Last week we used Get-ADObject to find GPOs based on their flags attribute. We targeted GPOs that were configured with user settings enabled and computer settings disabled. This week we’ll find GPOs containing user settings. I’ll show you two ways, the second of which is preferred… Way, the first – Get-GPOReport: Get-GPO -All | ForEach-Object {…

One-liner: Use Get-ADObject to Find Authorised DHCP Servers

The DHCP PowerShell module has the Get-DhcpServerInDC cmdlet to show you the DHCP servers that have been authorised in Active Directory. This cmdlet was introduced with Windows Server 2012 and v3 of PowerShell. What if you don't have access to the above? What if you want to impress your PoSh Chickens and get a list of…

One-Liner: Domain Controller Patch Levels

Before performing work against your Active Directory, it's prudent to complete a few checks, e.g. is replication healthy, are my FSMOs up, do I have up-to-date, verified backups, etc.? Here's a one-liner to give you a view of whether your patch levels are consistent: Get-ADDomainController -Filter * | ForEach-Object { $HotFixes = (Get-HotFix -ComputerName $_.Name).Count; Write-Host "$($_.Name): $($_.OperatingSystem)…

One-Liner: Active Directory Protected Objects

This week I was asked how to get a list of Active Directory protected objects with PowerShell. Protected objects can’t be deleted as they are critical to the health of Active Directory. The easiest way I could think of is to use Get-ADObject with a specific LDAP filter: Get-ADObject -LDAPFilter "(&(objectcategory=*)(systemflags:1.2.840.113556.1.4.803:=2147483648))" Here’s some output. Notice…