Tag: Active Directory

Find unlinked GPOs in your domain

Have you ever wondered whether your domain has any GPOs without a link, and which ones they are? This is how you find out with PowerShell, with the output going to the screen.


# Build the XML report for every GPO and keep the ones whose report has no LinksTo element
$unlinkedGPOs = Get-GPO -All | Where-Object {
    -not ([xml]($_ | Get-GPOReport -ReportType Xml)).GPO.LinksTo
}
Write-Host "The following GPOs have no link:"
$unlinkedGPOs | Format-Table DisplayName -HideTableHeaders
Write-Host "Total: $(@($unlinkedGPOs).Count)"
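
The one-liner above only separates "linked" from "not linked". The following is an added example, not code from the original post, that goes one step further: it also spots GPOs that are linked somewhere but whose links are all disabled (each LinksTo element in the report carries an Enabled flag), and it shows the modification time so you can judge whether an unlinked GPO is abandoned or just new. It assumes the GroupPolicy module and read access to all GPOs; the 90-day threshold is my own choice.

```powershell
# Added example: classify every GPO by its link state (not part of the original post).
# Assumes the GroupPolicy module (Get-GPO, Get-GPOReport) and rights to read all GPOs.
Import-Module GroupPolicy

function Get-GpoLinkState {
    param(
        # Hypothetical parameter: flag GPOs not modified within this many days as "old enough"
        [int]$MinimumAgeDays = 0
    )
    $cutoff = (Get-Date).AddDays(-$MinimumAgeDays)

    foreach ($gpo in Get-GPO -All) {
        # Get-GPOReport returns the GPO as XML; each <LinksTo> element is one site, domain
        # or OU the GPO is linked to and carries <SOMPath> and an <Enabled> flag.
        [xml]$report = $gpo | Get-GPOReport -ReportType Xml
        # Filter out $null so an unlinked GPO yields an empty array, not @($null)
        $links = @($report.GPO.LinksTo | Where-Object { $null -ne $_ })

        $state = if ($links.Count -eq 0) {
            'Unlinked'
        } elseif (-not ($links | Where-Object { $_.Enabled -eq 'true' })) {
            'AllLinksDisabled'   # linked somewhere, but no link is active
        } else {
            'Linked'
        }

        [pscustomobject]@{
            DisplayName      = $gpo.DisplayName
            Id               = $gpo.Id
            LinkState        = $state
            LinkCount        = $links.Count
            LinkedTo         = ($links | ForEach-Object { $_.SOMPath }) -join '; '
            ModificationTime = $gpo.ModificationTime
            OldEnough        = $gpo.ModificationTime -lt $cutoff
        }
    }
}

# Cleanup candidates: GPOs that apply nowhere and have not been touched for 90 days
Get-GpoLinkState -MinimumAgeDays 90 |
    Where-Object { $_.LinkState -ne 'Linked' -and $_.OldEnough } |
    Sort-Object LinkState, DisplayName |
    Format-Table DisplayName, LinkState, LinkCount, ModificationTime -AutoSize
```

Because the function emits objects rather than text, the same output can be piped to Export-Csv for a cleanup ticket, or to Backup-GPO before anything is deleted.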

Find domain admins with password never expires

Do you know how many domain admins you have in your domain? Do you know which domain admins are running with "password never expires" enabled? Thanks to PowerShell it is easy to find out.


# Variables below
#
# -Recursive expands nested groups; keeping only user objects stops Get-ADUser
# from failing on group or computer members
Import-Module ActiveDirectory
$domainadmins = Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordNeverExpires, LastLogonDate
#*********************************************************************************************
# Output to screen
$domainadmins |
    Sort-Object -Descending -Property PasswordNeverExpires |
    Select-Object Name, SamAccountName, LastLogonDate, Enabled, PasswordNeverExpires |
    Format-Table -AutoSize
#

This will display on your screen all members of "Domain Admins" with the last logon time, whether the account is enabled and whether "password never expires" is set.

If you want a file export, use this line instead of the output to screen:


# Output to file
$domainadmins |
    Sort-Object -Descending -Property PasswordNeverExpires |
    Select-Object Name, SamAccountName, LastLogonDate, Enabled, PasswordNeverExpires |
    Export-Csv C:\Temp\domainadmins.csv -NoTypeInformation -Encoding UTF8 -Delimiter ","
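
Domain Admins is rarely the only group worth this check. The following added example (my code, not the post's) runs the same audit over several privileged groups at once and flags the three things you usually act on: password never expires, accounts that have not logged on for a long time, and disabled accounts that are still members. It assumes the ActiveDirectory module; the group list, the 90-day threshold and the output path are my own choices.

```powershell
# Added example: audit several privileged groups in one pass (not part of the original post).
# Assumes the ActiveDirectory module and read access to the groups and their members.
Import-Module ActiveDirectory

function Get-PrivilegedAccountReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$StaleDays = 90   # hypothetical threshold: no logon for this long counts as stale
    )
    $staleBefore = (Get-Date).AddDays(-$StaleDays)

    foreach ($group in $Groups) {
        # -Recursive expands nested groups; keep only user objects so Get-ADUser does not fail
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }

        foreach ($m in $members) {
            # LastLogonDate is the replicated lastLogonTimestamp and can lag up to 14 days
            $u = Get-ADUser -Identity $m.DistinguishedName `
                 -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled
            [pscustomobject]@{
                Group                = $group
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordLastSet      = $u.PasswordLastSet
                LastLogonDate        = $u.LastLogonDate
                # Never logged on (null) or not seen since the cutoff
                Stale                = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $staleBefore)
            }
        }
    }
}

$report = Get-PrivilegedAccountReport

# Screen: only the findings
$report | Where-Object { $_.PasswordNeverExpires -or $_.Stale -or -not $_.Enabled } |
    Sort-Object Group, SamAccountName |
    Format-Table Group, SamAccountName, Enabled, PasswordNeverExpires, LastLogonDate, Stale -AutoSize

# File: the full membership picture for the ticket
$report | Export-Csv C:\Temp\privileged-accounts.csv -NoTypeInformation -Encoding UTF8
```

A user that turns up in several groups appears once per group, which is intended: the report answers "what does this account hold?" as well as "who is in this group?".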

“No logon servers are available” error after installing updates (SBS2008)

Yesterday I was doing maintenance on a Windows Small Business Server 2008: the Windows Update patches installed successfully and the restart button was pushed. And then the problems started. The server rebooted and had problems starting several services such as Active Directory Domain Services, DNS, Exchange, Certificates and several more. Trying to log on to the server with my Domain Admin credentials gave me this error message: "No logon servers are available" (screenshot omitted).

The same error message came when I tried to log on to other servers in the domain. So what fixes this?

1. Log on to the server with the local administrator username and password (type ".\administrator" in the username field to force a logon with the local admin).
2. When logged in to the server, check that the services that are supposed to be started are started. As you noticed when you logged on, you got into safe mode... strange? Yes.
3. So, hit "WIN + R" and type "MSCONFIG".
4. Navigate to the "Boot" tab, clear "Safe boot" under "Boot options", hit Apply and restart your server (screenshot omitted).
5. Give the server some time to start up again and test the logon with a domain admin account. Worked for me 🙂

Check for Active Directory replication failures

A quick and easy way to check your Active Directory for replication errors using PowerShell.

Get-ADReplicationPartnerMetadata -Scope Domain -Target "<domain name>" | Format-Table Server, LastReplicationSuccess, ConsecutiveReplicationFailures -AutoSize

This will list all your domain controllers, when they last replicated successfully, and how many consecutive replication errors they have (if any).
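
The one-liner is fine for a manual look; for a scheduled check you want something that decides for you. The following added example (my code, not from the post) combines the partner metadata with Get-ADReplicationFailure, which adds the error code and the time of the first failure, and exits non-zero when anything is wrong so a scheduled task or monitoring agent can alert on it. It assumes the ActiveDirectory module; the "too long without success" threshold is my own choice.

```powershell
# Added example: replication health check for every DC in the domain (not part of the original post).
# Assumes the ActiveDirectory module and rights to read replication metadata.
Import-Module ActiveDirectory

function Test-AdReplicationHealth {
    param(
        [int]$MaxHoursSinceSuccess = 3   # hypothetical threshold for "too long without a successful replication"
    )
    $cutoff   = (Get-Date).AddHours(-$MaxHoursSinceSuccess)
    $domain   = (Get-ADDomain).DNSRoot
    $problems = @()

    # One row per inbound replication partner and partition of every DC in the domain
    $metadata = Get-ADReplicationPartnerMetadata -Target $domain -Scope Domain
    foreach ($row in $metadata) {
        if ($row.ConsecutiveReplicationFailures -gt 0 -or $row.LastReplicationSuccess -lt $cutoff) {
            $problems += [pscustomobject]@{
                Server              = $row.Server
                Partner             = $row.Partner
                Partition           = $row.Partition
                LastSuccess         = $row.LastReplicationSuccess
                ConsecutiveFailures = $row.ConsecutiveReplicationFailures
                LastResult          = $row.LastReplicationResult
            }
        }
    }

    # Get-ADReplicationFailure adds the last error code and how many times it failed
    foreach ($f in (Get-ADReplicationFailure -Target $domain -Scope Domain)) {
        $problems += [pscustomobject]@{
            Server              = $f.Server
            Partner             = $f.Partner
            Partition           = $null
            LastSuccess         = $null
            ConsecutiveFailures = $f.FailureCount
            LastResult          = $f.LastError
        }
    }
    return $problems
}

$problems = Test-AdReplicationHealth
if ($problems) {
    $problems | Format-Table -AutoSize
    exit 1
} else {
    Write-Host "Replication OK on all domain controllers"
}
```

A LastResult of 0 with a LastSuccess older than the cutoff usually means the partner simply has not been contacted (a DC that is down or unreachable), whereas a non-zero LastResult is an actual replication error and the place to start with repadmin.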

AD: Windows Time configuration

Domain controllers

It is ONLY the domain controller holding the PDC Emulator role that should use an external NTP source. All the other domain controllers should sync with the PDC Emulator. To find the server holding that role, run
netdom /query fsmo

On the domain controller holding the PDC Emulator role, configure NTP with this command
w32tm /config /manualpeerlist:"1.no.pool.ntp.org 2.no.pool.ntp.org" /syncfromflags:manual /reliable:yes /update

On the other domain controllers configure NTP with this command
w32tm /config /syncfromflags:domhier /reliable:no /update

Servers

On the servers in the domain you should configure NTP with this command
w32tm /config /syncfromflags:domhier /update

Servers outside the domain should use this:
w32tm /config /manualpeerlist:"IP" /syncfromflags:manual /reliable:yes /update

Some info

All of the above configurations must be followed by the commands below to take effect
net stop w32time
net start w32time

If you want to query an NTP source, run this
w32tm /monitor /computers:p2dc02.corp.local,ntp.as2116.net

If w32tm does not exist as a service, register it with
%windir%\system32\w32tm /register
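
The four cases above differ only in which w32tm line applies, and picking the wrong one on a DC is the classic way to end up with two time sources. The following added example (my code, not part of the post) works out the role of the machine it runs on, applies the matching configuration from the post, restarts the service as described, and then verifies the result with w32tm /query. It assumes the ActiveDirectory module on domain members, an elevated prompt, and uses the post's NTP pool names; the -WhatIf switch is my own addition for a dry run.

```powershell
# Added example: apply the w32tm configuration that matches this machine's role
# (not part of the original post). Assumes an elevated PowerShell and, on domain
# members, the ActiveDirectory module for Get-ADDomain.
function Set-DomainTimeConfig {
    param(
        [string]$ExternalPeers = "1.no.pool.ntp.org 2.no.pool.ntp.org",
        [switch]$WhatIf   # hypothetical: show the command instead of running it
    )
    $me = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $cs = Get-CimInstance Win32_ComputerSystem

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC, 1/3 = domain member
    $role = if ($cs.DomainRole -ge 4) {
        $pdc = (Get-ADDomain).PDCEmulator
        if ($pdc -ieq $me) { 'PdcEmulator' } else { 'OtherDC' }
    } elseif ($cs.PartOfDomain) { 'DomainMember' } else { 'Standalone' }

    # The argument lists mirror the four commands in the post
    $w32tmArgs = switch ($role) {
        'PdcEmulator'  { @('/config', "/manualpeerlist:$ExternalPeers", '/syncfromflags:manual', '/reliable:yes', '/update') }
        'OtherDC'      { @('/config', '/syncfromflags:domhier', '/reliable:no', '/update') }
        'DomainMember' { @('/config', '/syncfromflags:domhier', '/update') }
        'Standalone'   { @('/config', "/manualpeerlist:$ExternalPeers", '/syncfromflags:manual', '/reliable:yes', '/update') }
    }
    Write-Host "Role: $role -> w32tm $($w32tmArgs -join ' ')"
    if ($WhatIf) { return }

    # Register the service if it is missing, then apply and restart as the post describes
    if (-not (Get-Service W32Time -ErrorAction SilentlyContinue)) { & w32tm.exe /register | Out-Null }
    & w32tm.exe @w32tmArgs
    Restart-Service W32Time
    & w32tm.exe /resync

    # Verify: the PDC should report the external peer, everyone else a domain controller
    & w32tm.exe /query /source
    & w32tm.exe /query /status
}

Set-DomainTimeConfig -WhatIf   # dry run first; drop -WhatIf to apply
```

Run it with -WhatIf on each class of machine first; if a non-PDC domain controller reports PdcEmulator (or the other way round), the role lookup disagrees with netdom /query fsmo and that is worth sorting out before touching the time service.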

Thnx to Henning Ims for this fantastic solution. 🙂

Find disabled users with their group membership and remove them from their groups

To quickly see the disabled users and their group memberships in your Active Directory you can use this PowerShell command:

Get-ADUser -SearchBase "OU=OU1,DC=domain,DC=local" -Filter 'enabled -ne $True' -Properties memberof | Format-Table samaccountname, MemberOf -AutoSize

This script will prompt you for a search base (like "OU=OU1,DC=lab2,DC=local") and remove all disabled users from their groups:

$inputfromuser = Read-Host 'Enter AD Searchbase '
if ($inputfromuser -like "")
{
    Write-Host "Input error"
}
else
{
    # Every disabled user below the search base, with its group memberships
    $disabledUsers = Get-ADUser -SearchBase $inputfromuser -Filter 'enabled -ne $True' -Properties memberof
    foreach ($user in $disabledUsers)
    {
        foreach ($member in $user.MemberOf)
        {
            Write-Host "Removing" $user.SamAccountName "from" $member
            Remove-ADGroupMember $member -Members $user.SamAccountName -Confirm:$false
        }
    }
}
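
The script above is irreversible: once the memberships are gone, nothing records what the account used to be in, which matters when a "disabled" account turns out to be a seasonal worker's. The following added example (my code, not the post's) does the same clean-up but first writes every user/group pair to a CSV, supports -WhatIf for a dry run, and comes with the matching restore function. It assumes the ActiveDirectory module; the snapshot path is my own choice.

```powershell
# Added example: remove disabled users from their groups with a restore snapshot
# (not part of the original post). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Remove-DisabledUserGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. "OU=OU1,DC=lab2,DC=local"
        [string]$SnapshotPath = "C:\Temp\disabled-memberships-$(Get-Date -Format yyyyMMdd-HHmm).csv"
    )
    $disabled = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $false' -Properties MemberOf

    # Flatten to one row per membership; this is the restore list
    $pairs = foreach ($u in $disabled) {
        foreach ($groupDn in $u.MemberOf) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                UserDN         = $u.DistinguishedName
                GroupDN        = $groupDn
            }
        }
    }
    if (-not $pairs) { Write-Host "No disabled users with group memberships under $SearchBase"; return }

    # Snapshot before the first removal, so a half-finished run is still recoverable
    $pairs | Export-Csv -Path $SnapshotPath -NoTypeInformation -Encoding UTF8
    Write-Host "Snapshot of $(@($pairs).Count) memberships written to $SnapshotPath"

    foreach ($p in $pairs) {
        if ($PSCmdlet.ShouldProcess("$($p.SamAccountName) in $($p.GroupDN)", "Remove group membership")) {
            Remove-ADGroupMember -Identity $p.GroupDN -Members $p.UserDN -Confirm:$false
        }
    }
}

# Put the memberships back from a snapshot (e.g. after an account was re-enabled)
function Restore-GroupMembershipSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    Import-Csv $Path | ForEach-Object {
        Add-ADGroupMember -Identity $_.GroupDN -Members $_.UserDN
    }
}

# Dry run first, then the real thing
Remove-DisabledUserGroupMembership -SearchBase "OU=OU1,DC=lab2,DC=local" -WhatIf
# Remove-DisabledUserGroupMembership -SearchBase "OU=OU1,DC=lab2,DC=local"
```

The filter 'Enabled -eq $false' is equivalent to the post's 'enabled -ne $True' for user objects; members are addressed by distinguished name so that two users with the same SamAccountName in different domains cannot be confused.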

Honorable mention for assisting on this script goes to Bjørn Wang

edit: Added script for membership removal

Transfer or seize FSMO roles with PowerShell

To transfer all FSMO roles from one DC to another you can use the following line in PowerShell:

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator

Replace "Target-DC" with the name of the domain controller (case sensitive).

To seize the roles, add "-Force" at the end of the command.
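
A transfer is only done when every role actually reports the new holder. The following added example (my code, not from the post) records the role holders before the move, runs the transfer, and then checks each role against the target. It assumes the ActiveDirectory module; "Target-DC" is a placeholder as in the post.

```powershell
# Added example: verify FSMO role holders before and after a transfer
# (not part of the original post). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Forest-wide roles are on Get-ADForest, domain roles on Get-ADDomain
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$target = "Target-DC"   # placeholder: the DC that should own the roles
$roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

$before = Get-FsmoRoleHolder
Write-Host "Before:"; $before | Format-List

# Graceful transfer. Add -Force only when the current holder is gone for good:
# a DC whose roles were seized must not be brought back online with them.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false

$after = Get-FsmoRoleHolder
Write-Host "After:"; $after | Format-List

# Every role should now report the target (the cmdlets return the FQDN)
$notMoved = $roles | Where-Object { $after.$_ -ne $target -and $after.$_ -notlike "$target.*" }
if ($notMoved) {
    Write-Warning "Roles not on ${target}: $($notMoved -join ', ')"
} else {
    Write-Host "All five roles are on $target"
}
```

Keep the "Before" output: if a transfer has to be reverted, it tells you where each role came from.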

DFS Replication error on Domain Controllers

If you have DFS replication errors on one or more domain controllers, first find out which domain controller has the error.
Log on to all your domain controllers and check the Event log -> Applications and Services Logs -> DFS Replication and look for Warnings.

In this example the domain controller had a dirty shutdown caused by a power failure.

If you find this one, the resolution is described in the event (screenshot omitted).

1. First of all, take a backup of your SYSVOL directory on all domain controllers (usually found under C:\Windows\SYSVOL).
2. Run the wmic command described in your event ID in an elevated command prompt.
3. The method should execute successfully and the Return Value should be 0 (screenshot omitted).

When this is done, you should see an information event in Event Viewer (screenshot omitted).

How to find locked out users by using PowerShell

To retrieve a list of locked-out users in Active Directory use these PowerShell commands:

1. Start PowerShell on one of your domain controllers.
2. Import the AD module: "Import-Module ActiveDirectory"
3. Search for locked-out users: "Search-ADAccount -LockedOut | select name"
4. Unlock the users: "Search-ADAccount -LockedOut | Unlock-ADAccount -Confirm"

If number 4 fails, unlock the users manually from ADUC.
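
Unlocking an account without knowing why it locked usually means it locks again within the hour. The following added example (my code, not from the post) lists the locked-out accounts with their lockout details and, for each, looks up the computer the bad passwords came from by reading Security event 4740 ("A user account was locked out") on the PDC Emulator, which is where every lockout in the domain is recorded. It assumes the ActiveDirectory module and remote Security log access on the PDC; the 24-hour window is my own choice.

```powershell
# Added example: locked-out accounts with their lockout source (not part of the original post).
# Assumes the ActiveDirectory module and rights to read the Security log on the PDC Emulator.
Import-Module ActiveDirectory

function Get-LockoutReport {
    param([int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator

    # BadPwdCount is not replicated, so the value comes from whichever DC answers
    $locked = Search-ADAccount -LockedOut | ForEach-Object {
        Get-ADUser -Identity $_.SamAccountName -Properties AccountLockoutTime, BadPwdCount, LastBadPasswordAttempt
    }

    # Event 4740 on the PDC: one entry per lockout in the domain
    $events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    }
    $callerByUser = @{}
    foreach ($e in $events) {
        # Read the named EventData fields instead of relying on Properties[] positions
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # In 4740, TargetUserName is the locked account and TargetDomainName the caller computer
        if (-not $callerByUser.ContainsKey($data.TargetUserName)) {
            $callerByUser[$data.TargetUserName] = "$($data.TargetDomainName) at $($e.TimeCreated)"
        }
    }

    foreach ($u in $locked) {
        [pscustomobject]@{
            SamAccountName         = $u.SamAccountName
            AccountLockoutTime     = $u.AccountLockoutTime
            BadPwdCount            = $u.BadPwdCount
            LastBadPasswordAttempt = $u.LastBadPasswordAttempt
            LockoutSource          = $callerByUser[$u.SamAccountName]
        }
    }
}

$report = Get-LockoutReport
$report | Format-Table -AutoSize

# Unlock only the accounts you have looked at, not everything at once:
# $report | Where-Object { $_.SamAccountName -eq 'jdoe' } |
#     ForEach-Object { Unlock-ADAccount -Identity $_.SamAccountName }
```

A LockoutSource that is a server or a service host rather than the user's own workstation points at a stale cached credential (a scheduled task, a mapped drive, a service account) and is the thing to fix before unlocking.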


AD: Get lists of users and computers that are not in use

Here I have listed some PowerShell commands to get a list of users that have never logged in to your domain, and one line to get a list of computers that have not logged in within a time span of 365 days.

I run these PowerShell commands in Windows PowerShell ISE, a nice little program that is included in Windows Server (add feature). When you use PowerShell ISE you need to import the Active Directory cmdlets by running "Import-Module ActiveDirectory".

# Import the ActiveDirectory cmdlets
Import-Module ActiveDirectory

#List Active Directory users that have never logged
#in including built-in users using PowerShell
Get-ADUser -Filter { -not (lastlogontimestamp -like "*") -and (enabled -eq $true) } | Select-Object Name

#List Active Directory Computers that have not logged
#in within time span (-TimeSpan 365.00:00:00, this is 365 days)
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 365.00:00:00 | Select-Object Name | Sort-Object Name
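
The two commands above answer two different questions (never used vs. not used lately) for two object types, and neither tells you whether an account with no logon is old or was created last week. The following added example (my code, not from the post) produces one report for users and computers with a configurable inactivity age, uses whenCreated to leave brand-new objects alone, and explains what LastLogonDate actually is. It assumes the ActiveDirectory module; the thresholds and output path are my own choices.

```powershell
# Added example: one stale-account report for users and computers
# (not part of the original post). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleAccountReport {
    param(
        [int]$InactiveDays = 365,
        [int]$GraceDaysForNewAccounts = 30   # hypothetical: ignore objects created more recently than this
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $grace  = (Get-Date).AddDays(-$GraceDaysForNewAccounts)
    # LastLogonDate is the replicated lastLogonTimestamp; it is only updated when the
    # previous value is older than ~14 days, so treat it as "seen within two weeks of"
    $props  = 'LastLogonDate', 'whenCreated', 'PasswordLastSet'

    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
        ForEach-Object { $_ | Add-Member -NotePropertyName Type -NotePropertyValue 'User' -PassThru }
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties $props |
        ForEach-Object { $_ | Add-Member -NotePropertyName Type -NotePropertyValue 'Computer' -PassThru }

    foreach ($o in @($users) + @($computers)) {
        if ($o.whenCreated -gt $grace) { continue }    # too new to judge

        if (-not $o.LastLogonDate)           { $state = 'NeverLoggedOn' }
        elseif ($o.LastLogonDate -lt $cutoff) { $state = 'Stale' }
        else                                  { continue }

        [pscustomobject]@{
            Type              = $o.Type
            Name              = $o.Name
            State             = $state
            LastLogonDate     = $o.LastLogonDate
            PasswordLastSet   = $o.PasswordLastSet
            Created           = $o.whenCreated
            DistinguishedName = $o.DistinguishedName
        }
    }
}

$stale = Get-StaleAccountReport -InactiveDays 365
$stale | Sort-Object Type, State, Name |
    Format-Table Type, Name, State, LastLogonDate, Created -AutoSize
$stale | Export-Csv C:\Temp\stale-accounts.csv -NoTypeInformation -Encoding UTF8
```

For computers, a PasswordLastSet older than the cutoff is a second, independent signal (the machine account password is rotated automatically while the computer is in use), so a row where both are old is a safe candidate to disable first and delete later.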

© 2019 IdefixWiki
