Find unlinked GPOs in your domain

Have you ever wondered whether your domain has any GPOs without a link, and which ones they are? This is how to find out with PowerShell, with the output written to the screen. Keep in mind that an unlinked GPO still exists in SYSVOL and can be edited or linked by anyone with rights on it, so review what is in it before deciding whether to delete or keep it.

# The XML report has no LinksTo element when a GPO is linked nowhere, so -not catches that case
$unlinkedGPOs = Get-GPO -All | Where-Object { -not ([xml]($_ | Get-GPOReport -ReportType Xml)).GPO.LinksTo }
Write-Host "The following GPOs have no link:"
$unlinkedGPOs | Format-Table DisplayName -HideTableHeaders
Write-Host "Total: $(@($unlinkedGPOs).Count)"
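The following is an added example, not code from the original post. It goes a step further than the one-liner: it returns the unlinked GPOs as objects with the GUID, status, modification time and owner you want to see before touching them, and backs them up with Backup-GPO (with -WhatIf support) before anyone deletes them. It assumes the GroupPolicy module (RSAT) is installed and the session can read every GPO; the backup folder path is an assumption.

```powershell
# Added example, not code from the original post: report unlinked GPOs with the
# details you want before deciding what to do with them, and back them up with
# Backup-GPO before anyone deletes them. Assumes the GroupPolicy module (RSAT)
# is installed and the session can read every GPO; the backup folder path is
# an assumption.
Import-Module GroupPolicy

function Get-UnlinkedGpo {
    foreach ($gpo in Get-GPO -All) {
        # The XML report carries one LinksTo element per link; it is absent when
        # the GPO is linked nowhere, so -not catches $null as well as empty.
        $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        if (-not $report.GPO.LinksTo) {
            [pscustomobject]@{
                DisplayName      = $gpo.DisplayName
                Id               = $gpo.Id
                GpoStatus        = $gpo.GpoStatus        # AllSettingsEnabled, AllSettingsDisabled, ...
                ModificationTime = $gpo.ModificationTime # recently edited but unlinked: ask who and why
                Owner            = $gpo.Owner            # the owner can link it wherever they have rights
            }
        }
    }
}

function Backup-UnlinkedGpo {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    foreach ($gpo in Get-UnlinkedGpo) {
        if ($PSCmdlet.ShouldProcess($gpo.DisplayName, "Backup-GPO to $Path")) {
            Backup-GPO -Guid $gpo.Id -Path $Path -Comment "Unlinked GPO, backed up $(Get-Date -Format s)" | Out-Null
        }
    }
}

# Usage: list, then back up. Run with -WhatIf first to see what would be backed up.
$unlinked = @(Get-UnlinkedGpo)
$unlinked | Format-Table DisplayName, Id, GpoStatus, ModificationTime, Owner -AutoSize
"Total unlinked: $($unlinked.Count)"
Backup-UnlinkedGpo -Path 'C:\GPOBackups' -WhatIf
```

A backup taken this way can be restored with Restore-GPO, so deleting an unlinked GPO afterwards is reversible if it turns out someone still needed it.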

Find domain admins with password never expires

Do you know how many domain admins you have in your domain? Do you know which of them run with “password never expires” enabled? Thanks to PowerShell it is easy to find out. Remember that membership can be nested through other groups, so the group has to be expanded recursively to see everyone who is effectively a domain admin.

# Variables below: -Recursive follows nested groups, and the objectClass filter
# keeps Get-ADUser from failing on computer or group members
$domainadmins = Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordNeverExpires, LastLogonDate
# Output to screen
$domainadmins | Sort-Object -Descending -Property PasswordNeverExpires |
    Select-Object Name, SamAccountName, LastLogonDate, Enabled, PasswordNeverExpires |
    Format-Table -AutoSize

This will display on your screen all members of “Domain Admins” with the last logon time, whether the account is enabled and whether “password never expires” is set. LastLogonDate comes from the lastLogonTimestamp attribute, which replicates only every 14 days or so, so treat it as approximate.

If you want a file export you can use this line instead of output to screen:

# Output to file
$domainadmins | Sort -Descending -Property PasswordNeverexpires | Select-Object Name, Samaccountname, lastlogondate, Enabled, PasswordNeverExpires | Export-Csv C:\Temp\domainadmins.csv -Encoding UTF8 -Delimiter ","

“No logon servers are available” error after installing updates (SBS2008)

Yesterday I was doing maintenance on a Windows Small Business Server 2008. The Windows Update patches installed successfully and the restart button was pushed. And then the problems started. The server rebooted and had problems starting several services such as Active Directory Domain Services, DNS, Exchange, Certificates and several more. Trying to log on to the server with my Domain Admin credentials gave me the error message from the title (screenshot: sbs_2008).

The same error message came up when I tried to log on to other servers in the domain. So what does the trick to fix this?

1. Log on to the server with the local administrator username and password (type “.\administrator” in the username field to force a logon with the local admin account).
2. When logged in, check that the services that are supposed to be running are started. As you noticed when you did the logon, you got into safe mode… strange? Yes..
3. Hit “WIN + R” and type “MSCONFIG”.
4. Navigate to the “Boot” tab, clear “Safe boot” under “Boot options”, hit Apply and restart your server.
5. Give the server some time to start up again and test the logon with a domain admin account. Worked for me 🙂

Check for Active Directory replication failures

A quick and easy way to check your Active Directory for replication errors using PowerShell:

# Replace domain.local with your own domain name
Get-ADReplicationPartnerMetadata -Scope Domain -Target domain.local | Format-Table Server, LastReplicationSuccess, ConsecutiveReplicationFailures -AutoSize

This lists every domain controller in the domain with the time of its last successful replication and how many consecutive replication failures it has (if any). Look at LastReplicationSuccess itself too: a DC that has not replicated successfully for a long time is a problem even when the failure counter is low.
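Below is an added example, not code from the original post, that extends the check to the whole forest: it returns one object per replication link, flags links with consecutive failures or with no success within a threshold, and attaches the failure recorded by Get-ADReplicationFailure. It assumes the ActiveDirectory module and a session that can reach every DC; the 24-hour limit, and that both cmdlets identify the partner by the same NTDS Settings DN (used as the matching key), are assumptions.

```powershell
# Added example, not code from the original post: forest-wide replication health
# check that returns one object per replication link, flags links with
# consecutive failures or no success within a threshold, and attaches the
# recorded failure from Get-ADReplicationFailure. Assumes the ActiveDirectory
# module and a session that can reach every DC; the 24-hour limit is an
# assumption.
Import-Module ActiveDirectory

function Test-AdReplicationHealth {
    [CmdletBinding()]
    param([int]$MaxHoursSinceSuccess = 24)
    $threshold  = (Get-Date).AddHours(-$MaxHoursSinceSuccess)
    $forestName = (Get-ADForest).Name
    # -Scope Forest with the forest name as target covers every domain and DC.
    $links    = Get-ADReplicationPartnerMetadata -Target $forestName -Scope Forest
    $failures = @(Get-ADReplicationFailure -Target $forestName -Scope Forest)
    foreach ($link in $links) {
        # Assumption: both cmdlets name the partner by the DN of its NTDS Settings
        # object, so Server + Partner identifies the link. Take the first failure
        # recorded for it, if any.
        $failure = $failures |
            Where-Object { $_.Server -eq $link.Server -and $_.Partner -eq $link.Partner } |
            Select-Object -First 1
        [pscustomobject]@{
            Server                         = $link.Server
            Partner                        = $link.PartnerAddress   # resolved host name of the partner
            Partition                      = $link.Partition
            LastReplicationSuccess         = $link.LastReplicationSuccess
            ConsecutiveReplicationFailures = $link.ConsecutiveReplicationFailures
            LastReplicationResult          = $link.LastReplicationResult   # 0 = success, otherwise a Win32 error code
            FailureType                    = $failure.FailureType
            FailureCount                   = $failure.FailureCount
            # Unhealthy if it is failing now, or has quietly not succeeded for too long.
            Unhealthy                      = ($link.ConsecutiveReplicationFailures -gt 0) -or
                                             ($link.LastReplicationSuccess -lt $threshold)
        }
    }
}

$health = @(Test-AdReplicationHealth)
$bad = @($health | Where-Object Unhealthy)
if ($bad.Count -eq 0) {
    "All $($health.Count) replication links healthy."
} else {
    $bad | Format-Table Server, Partner, Partition, LastReplicationSuccess,
        ConsecutiveReplicationFailures, LastReplicationResult, FailureType -AutoSize
}
```

Because it returns objects rather than formatted text, the function can be scheduled and its Unhealthy rows exported or sent to a ticket queue without parsing screen output.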

AD: Windows Time configuration

Domain controllers

It is ONLY the domain controller holding the PDC emulator role that should use an external NTP source. All the other domain controllers should sync from the PDC emulator through the domain hierarchy. Getting this right matters for more than clocks: Kerberos rejects tickets from hosts whose clocks differ from the DC by more than the allowed skew (5 minutes by default), so a drifting host stops being able to authenticate. To find the server holding the PDC emulator role, run
netdom query fsmo

On the domain controller holding the PDC emulator role, configure NTP with this command (replace IP with the address or name of your external NTP source; several sources are separated by spaces inside the quotes)
w32tm /config /manualpeerlist:"IP" /syncfromflags:manual /reliable:yes /update

On the other domain controllers configure NTP with this command
w32tm /config /syncfromflags:domhier /reliable:no /update


On the servers in the domain you should configure NTP with this command
w32tm /config /syncfromflags:domhier /update

Servers outside the domain should use this (replace IP with your NTP source):
w32tm /config /manualpeerlist:"IP" /syncfromflags:manual /reliable:yes /update

Some info

All of the above configurations must be followed by the commands below to take effect
net stop w32time
net start w32time

If you want to check which time source one or more computers sync from and how far off their clocks are, run this (comma-separated list of computers)
w32tm /monitor /computers:p2dc02.corp.local

If the Windows Time service does not exist on the machine, register it with
%windir%\system32\w32tm /register

Thnx to Henning Ims for this fantastic solution. 🙂
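As an added example (not code from the original post or from Henning), here is the whole procedure above as one script: it works out whether the machine it runs on is the PDC emulator, another domain controller, a domain member or a standalone server, applies the matching w32tm settings, registers the service if it is missing, restarts it and forces a resync. It assumes an elevated session. $ExternalPeers is an assumption standing in for your own NTP sources; the ",0x8" flag asks w32tm to use client mode, which public NTP servers expect.

```powershell
# Added example, not code from the original post: apply the role-appropriate
# Windows Time configuration on the machine it runs on, picking the role
# automatically instead of copying the right line by hand. Assumes an elevated
# session. $ExternalPeers is an assumption (replace with your own NTP sources);
# the ",0x8" flag requests client mode, which public NTP servers expect.
#Requires -RunAsAdministrator

function Get-TimeRole {
    # Win32_ComputerSystem.DomainRole: 0/2 standalone, 1/3 domain member,
    # 4 domain controller, 5 the DC holding the PDC emulator role.
    switch ((Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole) {
        5               { 'PdcEmulator' }
        4               { 'DomainController' }
        { $_ -in 1, 3 } { 'DomainMember' }
        default         { 'Standalone' }
    }
}

function Set-TimeConfigForRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('PdcEmulator', 'DomainController', 'DomainMember', 'Standalone')]
        [string]$Role = (Get-TimeRole),
        [string]$ExternalPeers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'   # assumption
    )
    # The same four settings as the commands above, keyed by role.
    $w32tmArgs = switch ($Role) {
        'PdcEmulator'      { '/config', "/manualpeerlist:$ExternalPeers", '/syncfromflags:manual', '/reliable:yes', '/update' }
        'DomainController' { '/config', '/syncfromflags:domhier', '/reliable:no', '/update' }
        'DomainMember'     { '/config', '/syncfromflags:domhier', '/update' }
        'Standalone'       { '/config', "/manualpeerlist:$ExternalPeers", '/syncfromflags:manual', '/reliable:yes', '/update' }
    }
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "w32tm $($w32tmArgs -join ' ') (role: $Role)")) { return }

    # Register the service first if it is missing (the last tip above).
    if (-not (Get-Service -Name w32time -ErrorAction SilentlyContinue)) {
        & w32tm.exe /register | Out-Null
    }
    # PowerShell quotes the peer list argument as a whole because it contains spaces,
    # which w32tm accepts in the same way as /manualpeerlist:"a b".
    & w32tm.exe @w32tmArgs
    Restart-Service -Name w32time
    & w32tm.exe /resync
    # Show what the service ended up with; check the Source and Stratum lines.
    & w32tm.exe /query /status
}

Set-TimeConfigForRole -WhatIf   # dry run: prints the role and the w32tm line it would apply
# Set-TimeConfigForRole         # apply for real
```

Run the dry run on a DC first; if it reports 'DomainController' where you expected 'PdcEmulator', the PDC emulator role is not where you think it is, and that is worth knowing before changing any time settings.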

Find disabled users with their group membership and remove them from their groups

To quickly see the disabled users in your Active Directory together with their group membership, use this PowerShell command (replace the SearchBase with your own OU):

Get-ADUser -SearchBase "OU=OU1,DC=domain,DC=local" -Filter 'enabled -ne $True' -Properties memberof | Format-Table samaccountname, MemberOf -AutoSize

This script prompts you for a SearchBase (like "OU=OU1,DC=lab2,DC=local") and removes every disabled user below it from all its groups. The membership listing above is exactly what you lose, so save it first (for example by piping the command above to Export-Csv), and try the script with -WhatIf added to the Remove-ADGroupMember line before letting it make changes:

$inputfromuser = Read-Host 'Enter AD Searchbase '
if ([string]::IsNullOrWhiteSpace($inputfromuser)) {
    Write-Host "Input error"
    return
}

# MemberOf does not include the primary group (normally Domain Users), which is fine: that one stays
$Disableduser = Get-ADUser -SearchBase $inputfromuser -Filter 'enabled -ne $True' -Properties memberof
foreach ($user in $Disableduser) {
    foreach ($member in $user.MemberOf) {
        Write-Host "Removing" $user.SamAccountName "from" $member
        Remove-ADGroupMember $member -Members $user.SamAccountName -Confirm:$false
    }
}

Honorable mention for assisting on this script goes to Bjørn Wang

edit: Added script for membership removal

Transfer or seize FSMO roles with powershell

To transfer all FSMO roles from one DC to another you can use the following line in PowerShell:

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator

Replace "Target-DC" with the name of the domain controller (case sensitive).

To seize the roles, add -Force at the end of the command. Seize only when the current holder is permanently gone: a DC whose roles have been seized must never be brought back onto the network with its old directory, or you end up with two DCs believing they hold the same role.
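The following added example is not code from the original post. It shows who holds each of the five roles (the forest-wide ones come from Get-ADForest, the domain ones from Get-ADDomain), moves only the roles that are not already on the target DC, supports -WhatIf so you see the plan before anything moves, and prints the holders again afterwards so you can verify the result. It assumes the ActiveDirectory module and an account with the rights needed for each role (Schema Admins for the schema master, Enterprise Admins for the domain naming master, Domain Admins for the rest). "Target-DC" is the placeholder from the post.

```powershell
# Added example, not code from the original post: show who holds each FSMO role
# and move only the roles that are not already on the target DC, with -WhatIf
# support so you can see the plan first. Assumes the ActiveDirectory module and
# an account with Schema Admins, Enterprise Admins and Domain Admins rights.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Forest-wide roles live on the forest object, domain roles on the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRolesTo {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [switch]$Seize   # only when the current holder is gone for good
    )
    # Resolve to the FQDN so the comparison matches what Get-ADForest/Get-ADDomain report.
    $target  = (Get-ADDomainController -Identity $TargetDc).HostName
    $holders = Get-FsmoRoleHolder
    $toMove  = @($holders.Keys | Where-Object { $holders[$_] -ne $target })
    if ($toMove.Count -eq 0) {
        "All FSMO roles are already on $target"
        return
    }
    $action = if ($Seize) { 'Seize' } else { 'Transfer' }
    if ($PSCmdlet.ShouldProcess($target, "$action $($toMove -join ', ')")) {
        # -Force turns the graceful transfer into a seizure, as described above.
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $toMove -Force:$Seize -Confirm:$false
    }
    Get-FsmoRoleHolder   # show the result so you can verify every role landed where intended
}

Get-FsmoRoleHolder
Move-FsmoRolesTo -TargetDc 'Target-DC' -WhatIf   # plan only; drop -WhatIf to transfer, add -Seize to seize
```

Checking the holders after the move is the step people skip; a transfer that partly failed (typically because the account lacked Schema Admins or Enterprise Admins) leaves the forest-wide roles behind while the domain roles moved.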