Archive

Posts Tagged ‘AD’

Find domain admins with password never expires


Do you know how many domain admins you have in your domain? Do you know which domain admins are running with “password never expires” enabled? Thanks to PowerShell it is easy to find out.


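# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory
# Variables below
# Only user objects are passed on, because Get-ADUser fails on nested groups or computer accounts
$domainadmins = (Get-ADGroupMember -Identity "Domain Admins" | Where-Object { $_.objectClass -eq 'user' } | Get-ADUser -Properties PasswordNeverExpires, LastLogonDate)
#*********************************************************************************************
# Output to screen
$domainadmins | Sort-Object -Descending -Property PasswordNeverExpires | Select-Object Name, SamAccountName, LastLogonDate, Enabled, PasswordNeverExpires | Format-Table -AutoSize
#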

This displays all members of “Domain Admins” on your screen, with the last logon time, whether the account is enabled and whether “password never expires” is set.

If you want a file export you can use this line instead of output to screen:


# Output to file (-NoTypeInformation keeps the "#TYPE" header line out of the CSV)
$domainadmins | Sort-Object -Descending -Property PasswordNeverExpires | Select-Object Name, SamAccountName, LastLogonDate, Enabled, PasswordNeverExpires | Export-Csv C:\Temp\domainadmins.csv -Encoding UTF8 -Delimiter "," -NoTypeInformation
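
An extension of the report above, as an added example that is not part of the original post: it turns the same Get-ADUser properties into per-account findings and also looks at password age and stale logons. The function name Get-AdminPasswordRisk, the 365-day and 90-day thresholds and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example. Thresholds and sample accounts are assumptions, not from the post.
function Get-AdminPasswordRisk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]$User,
        [int]$MaxPasswordAgeDays = 365,      # assumed policy threshold
        [int]$StaleLogonDays = 90,           # assumed policy threshold
        [datetime]$Now = (Get-Date)
    )
    process {
        $findings = @()
        if ($User.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
        if ($User.PasswordLastSet) {
            $age = [math]::Floor(($Now - $User.PasswordLastSet).TotalDays)
            if ($age -gt $MaxPasswordAgeDays) { $findings += "PasswordAge=${age}d" }
        } else {
            $findings += 'NoPasswordLastSet'   # attribute is empty on the account
        }
        if (-not $User.LastLogonDate) {
            $findings += 'NeverLoggedOn'
        } elseif (($Now - $User.LastLogonDate).TotalDays -gt $StaleLogonDays) {
            $findings += 'StaleLogon'
        }
        [pscustomobject]@{
            Name                = $User.Name
            SamAccountName      = $User.SamAccountName
            Enabled             = $User.Enabled
            Findings            = $findings -join ', '
            EnabledWithFindings = [bool]($User.Enabled -and $findings.Count -gt 0)
        }
    }
}

# Constructed sample objects shaped like Get-ADUser output, so the logic runs without a domain.
$now = [datetime]'2024-01-15'
$sample = @(
    [pscustomobject]@{ Name='Sample Admin A'; SamAccountName='adm-a'; Enabled=$true
        PasswordNeverExpires=$true;  PasswordLastSet=[datetime]'2019-03-01'; LastLogonDate=[datetime]'2024-01-10' }
    [pscustomobject]@{ Name='Sample Admin B'; SamAccountName='adm-b'; Enabled=$true
        PasswordNeverExpires=$false; PasswordLastSet=[datetime]'2023-12-01'; LastLogonDate=[datetime]'2024-01-12' }
    [pscustomobject]@{ Name='Sample Admin C'; SamAccountName='adm-c'; Enabled=$false
        PasswordNeverExpires=$true;  PasswordLastSet=$null; LastLogonDate=$null }
)
$sample | Get-AdminPasswordRisk -Now $now | Sort-Object EnabledWithFindings -Descending | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module); -Recursive also returns members of nested groups:
# Get-ADGroupMember -Identity "Domain Admins" -Recursive | Where-Object { $_.objectClass -eq 'user' } |
#     Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate | Get-AdminPasswordRisk
```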

“No logon servers are available” error after installing updates (SBS2008)

September 5, 2014

Yesterday I was doing maintenance on a Windows Small Business Server 2008. The Windows Update patches installed successfully and the restart button was pushed. And then the problems started. The server rebooted and had problems starting several services, such as Active Directory Domain Services, DNS, Exchange, Certificates and several more. Trying to log on to the server with my Domain Admin credentials gave me the “No logon servers are available” error message.

The same error message came up when I tried to log on to other servers in the domain. So what does the trick to fix this?

1. Log on to the server with the local administrator username and password (enter “.\administrator” in the username field to force the logon with the local admin).
2. Once logged in to the server, check that the services that are supposed to be started are started. As you noticed when you logged on, you got into safe mode… strange? Yes.
3. So, hit “WIN + R” and type “MSCONFIG”.
4. Navigate to the “Boot” menu and remove “Safe boot” under “Boot options”, hit Apply and restart your server.
5. Give the server some time to start up again and test the logon with a “domain admin” account.

Worked for me 🙂

DFS Replication error on Domain Controllers

November 20, 2013

If you have DFS replication errors on one or more domain controllers, first find out which domain controller has the error.
Log on to all your domain controllers, check Event log -> Applications and Services Logs -> DFS Replication and look for warnings.

In this example the domain controller had a dirty shutdown caused by a power failure.

If you find this event, the resolution is described in the event itself.

1. First of all, take a backup of your SYSVOL directory on all domain controllers (usually found under c:\windows\sysvol).
2. Run the wmic command described in your event ID in an elevated command prompt.
3. The method should execute successfully and the Return Value should be 0.

When this is done, you should see an information event in Event Viewer.

AD: Count users in organizational units

October 23, 2013

To count user accounts in an organizational unit, run this PowerShell command:

(Get-ADUser -Filter * -SearchBase "ou=Users,ou=A1,dc=contoso,dc=com").count

Where “ou=” is the path for your OU and “dc=” is your domain. My query runs against “contoso.com\users”.


How to find your FSMO Roles?


There are several ways to find out who has your FSMO roles in your Active Directory environment, but the easiest way is to run this:

netdom query fsmo

Run the command from CMD or PowerShell.

If you want to use more time to find the FSMO roles, use this guide 🙂

http://blogs.technet.com/b/mempson/archive/2007/11/08/how-to-find-out-who-has-your-fsmo-roles.aspx


AD: Count members in a group using PowerShell


Start PowerShell
Run: Import-Module ActiveDirectory
Run: (Get-ADGroupMember -Identity "GROUPNAME").count (replace GROUPNAME with the group you want to count)
