Search results for 'app:weblogs' matching tags 'Windows Server 2008 R2', 'Powershell', and 'Active Directory'

Using PowerShell to Resolve SIDs to Friendly Names

BrianM — Thu, 07 Oct 2010 05:00:00 GMT

Time and time again I run into an issue that presents me with a SID which I need to resolve. I’ve used a number of tools and scripts over the years to address this issue. I think I have the best and easiest method for me to solve this issue that always seems to pop up.

If you’re new to PowerShell you will want to make sure you have it installed if you want to use this script…and yes it is a script not a command. I do this by opening a text file and renaming it from a .txt file to a .ps1 file. When you try to open a .ps1 file it may open in your text editor but for this you will want to Right Click it and select Edit which will open up whatever you have as your PowerShell editor. Copy the following code into the Script Pane:

$objSID = New-Object System.Security.Principal.SecurityIdentifier `
("S-1-5-21-768745588-123456789-987654321-500")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value

Now just save this file and you can run it to return the results of the SID that you place in there. The one thing that will change is the actual SID. In this example i’m using S-1-5-21-768745588-123456789-987654321-500 which is the Well Known SID for the domain Administrator. My results should show me the friendly name. Anytime you change the SID you will have to resave the file but then just Run the script and it will show you the results.

I’m sure there is a way I could make this into an application but I'll leave that fun for those looking to take this to the next step.

Using PowerShell to Transfer FSMO Roles

BrianM — Tue, 10 Aug 2010 05:00:00 GMT

You may be familiar with the traditional ways to transfer FSMO roles but how about by using PowerShell? By now you should just know that PowerShell can do everything the GUI can do…well at least that is the way it feels to me.

If you want to use PowerShell to transfer any of your five FSMO roles (PDC Emulater, RID Master, Infrastructure Master, Domain Naming Master and Schema Master) then you will first need to import the Active Directory Module into PowerShell.

ipmo activedirectory

Now that you have the AD module loaded the cmdlet you will use for this is quite large - Move-ADDirectoryServerOperationMasterRole. Thankfully we have the Get-help cmdlet to help us remember that. All I need to do is remember move-ad and then I press tab to complete the rest. There is only one other cmdlet that is similar to it and you just have to remember you are trying to move the FSMO role and not the sever.

When entering the cmdlet you need to specify the operation master roles to move. the syntax for the five roles are as follows - PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, or DomainNamingMaster. To specify more than one role just separate each role with a comma.

An example of me moving the RID Master and PDC Emulater to DC2 is as follows:

Move-ADDirectoryServerOperationMasterRole -Identity "DC2" -OperationMasterRole RIDMaster,PDCEmulator

A feature that I just love in PowerShell is the –WhatIf parameter. By adding this to your code it will do a dry run and let you know what is going to change if you did the command without that parameter.

One key thing to note here is that I am NOT seizing the FSMO role. For that you will need to use NTDSUtil as defined here.

Raising your Active Directory Functional Level with PowerShell

BrianM — Wed, 07 Jul 2010 05:00:00 GMT

Here are two ways for you to use PowerShell to raise your Forest Functional level to Server 2008 R2:

get-adforest | set-adforestmode -forestmode windows2008R2Forest –confirm:$false
set-adforestmode –identity netbiosname windows2008R2Forest –confirm:$false

Either way will work. Enjoy

Seeing your Active Directory Tombstone Period with PowerShell

BrianM — Mon, 05 Jul 2010 05:00:00 GMT

Tip of the day today is to view your Active Directory Tombstone period while using PowerShell

From a PowerShell prompt, type
(get-adobject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=AdminPrep,DC=Local" -properties "tombstonelifetime").tombstonelifetime

The result shows up in days…very cool.

Just make sure to change dc=AdminPrep,DC=Local to match your domain.

How Active Directory PowerShell CMDLETS find a DC running Active Directory Web Services

BrianM — Mon, 25 Jan 2010 06:00:00 GMT

If you have been playing with the the AD PowerShell cmdlets you know that it requires a few things to run, first Windows Server 2008 R2 or Windows 7, the .NET Framework 3.5.1 and of course if you want to manage an AD domain you need Active Directory Web Services (ADWS) installed on at least one domain controller.

By the way ADWS requires TCP port 9389

So how in the world does a Windows 7 system know how to find a DC running ADWS? Well your client running PowerShell will use the normal DC locator process. First the client will determine which site it is in nltest /dsgetsite and then it will determine the closest DC nltest /dsgetdc:<FQDN Domain>. It is looking at the DC for the following flag:

DS_WEB_SERVICE_REQUIRED

More info on that flag can be found here.

Now what if you don’t have Server 2008 R2 DCs? With Server 2003 and Server 2008 a problem occurs because the Net Logon service of those domain controllers does not recognize the DS_WEB_SERVICE_REQUIRED flag. There are two hotfixes (one for what ever version of AD you are running) available to fix that in those environments. Server 2003 and Server 2008

After you install this hotfix the AD PowerShell module and Active Directory Administrative Center will be able to locate DCs that have Active Directory Management Gateway Service installed, similar to Active Directory Web Services (ADWS) on a Windows Server 2008 R2-based computer.

Free Active Directory Virtual Labs

BrianM — Thu, 17 Dec 2009 06:00:00 GMT

Did I say free? You bet I did. Microsoft has done this for quite some time now and is something everyone should take advantage of. Especially in today’s economy where training budgets are getting slashed.

Here are three great labs that you can use to learn all about Server 2008 R2’s Active Directory.

Windows Server 2008 R2: What's New in Active Directory

Windows Server 2008 R2: Active Directory and Server Manager Remoting

Windows Server 2008 R2: Active Directory Recycle Bin, PowerShell V2, and Remoting

Do you have any cool free training resources?

PowerShell Script Center

BrianM — Wed, 14 Oct 2009 05:00:00 GMT

I’m sure a lot of you have been playing with PowerShell. If not you better get on it!!! I’m not as far along as I wish I was but there is help out there. One great place is to see what others have done. Microsoft’s TechNet Scripting Center has a place where you can upload your own scripts and search what others have done. This is great for a community of learning developers…did I just say developers…ewwwww. :)

This link provides a shortcut to filter just the Active Directory related scripts. From here you can find scripts on Computer Accounts, Domains, Groups, Monitoring, OUs, Searching Active Directory, Sites and Subnets and User Accounts!

If you want to just view all the PowerShell scripts just hit this URL - http://gallery.technet.microsoft.com/ScriptCenter/en-us. Here you will scripts on Active Directory, Applications, Backup and System Restore, Databases, Desktop Management, Group Policy, Hardware, Interoperability and Migration, Local Account Management, Logs and monitoring, Messaging & Communication, Multimedia, Networking, Office, Operating System, Other Directory Services, Printing, Remote Desktop Services, Scripting Techniques, Security, Servers, Storage, System Center, Using the Internet and Windows Update. WOW that is a wealth of info.

Enjoy and please share if you have any cool ones yourself.

Active Directory Recycle Bin PowerShell Scripts

BrianM — Tue, 31 Mar 2009 05:00:00 GMT

I just found out that there is an Active Directory PowerShell Blog run by Microsoft’s AD PowerShell team. I gathered that info from reading up on Jason’s post. Its amazing how much info you can get from reading other people’s blogs…now on to the regularly scheduled post…

After writing my article on the AD Recycle Bin I thought I would include a few PowerShell scripts here that can be used to modify the tombstone lifetime along with the deleted object lifetime. Remember that the default for both of these is going to be 180 days and will show up as Null if you use LDP to view the attributes.

PowerShell Script to change the tombstone lifetime of my domain (AdminPrep.Local) to 250 days:

Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=Local” –Partition “CN=Configuration,DC=AdminPrep,DC=Local” –Replace:@{“tombstoneLifetime” = 250}

PowerShell Script to change the deleted object lifetime:

Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=Local” –Partition “CN=Configuration,DC=AdminPrep,DC=Local” –Replace:@{“msDS-DeletedObjectLifetime” = 250}

Recycling Active Directory Trash with the AD Recycle Bin

BrianM — Tue, 31 Mar 2009 05:00:00 GMT

Hopefully some of you have been playing with Server 2008 R2 while it has been in Beta. One of the features I’m looking forward to most is the AD Recycle Bin. Yes you heard me correct. We now have an easy method for restoring accidently deleted objects.

In the past our only recovery method out of the box was to perform an authoritative restore of an object. That method had several issues that always rubbed me the wrong way. First you had to be in Directory Services Restore Mode (DRSM). And ever since Server 2003 we could use tombstone reanimation but that removed most of the non-link-valued attributes. This lead to additional work after the restore. The default tombstone lifetime was 180 days with Server 2003 and 2008.

You are probably already familiar with tombstones and the garbage collection process. If not read Gil’s excellent article on that here. With Server 2008 R2 you will need to now become aware of Deleted Object and Recycled Object. The first thing to realize here is that the AD Recycle Bin is not enabled by default with Server 2008 R2. The following steps/requirements must first be met:

Raise the Forest Functional Level to Server 2008 R2
Enable AD Recycle Bin (my example uses PowerShell…get use to it now)
1. Enable-ADOptionalFeature –Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, DC=AdminPrep,DC=com" –Scope ForestOrConfigurationSet –Target "AdminPrep.com"
2. Just make sure to replace AdminPrep with your domain

Now when an object is deleted it is not marked for tombstone it is marked as deleted. It places the object in the Deleted Objects container which is hidden but can be located here – CN=Deleted Objects. When you want to restore an object there are two methods that I'm aware of, one using PowerShell and the other using LDP.

Using LDP:

Using elevated credentials, open LDP by typing ldp.exe from the Run Dialog box
Click Connections and select Connect and then go back and select Bind
Navigate to the CN=Deleted Objects
Find the object you wish to restore and right-click it and select Modify
In the Modify dialog box:
1. In Edit Entry Attribute, type isDeleted
2. Leave the Values box empty
3. Under Operation, click Delete, and then click Enter
4. In Edit Entry Attribute, type distinguishedName
5. In Values, type the original distinguished name (also known as DN) of this Active Directory object
6. Under Operation, click Replace
7. Make sure that the Extended check box is selected, click Enter, and then click Run

To restore an object using PowerShell you must use the Get-ADObject and Restore-ADObject cmdlets. Using PowerShell:

Open the Active Directory PowerShell command Prompt and use the following syntax:
1. Get-ADObject-Filter {String} -IncludeDeletedObjects | Restore-ADObject
Here is an example of restoring a deleted user account named Brian:
1. Get-ADObject -Filter {displayName -eq "Brian"} -IncludeDeletedObjects | Restore-ADObject

When restoring multiple items that may be linked (OU or Group that contains Users) you will want to start at the highest level.

An object can only be restored using those methods if it is still within the Deleted Object Lifetime. The attribute is msDS-deletedObjectLifetime and if you look it up it will have a null value which the default time is 180 days.

Here is a look at what AD Recycle Bin looks like visually