Tag: AD

Find domain admins with password never expires

Do you know how many domain admins you have in your domain? Do you know which of them have “password never expires” enabled? With PowerShell it is easy to find out.

# Collect the members of "Domain Admins" with the extra properties we need
$domainadmins = (Get-ADGroupMember -Identity "Domain Admins" | Get-ADUser -Properties PasswordNeverExpires, LastLogonDate)
# Output to screen
$domainadmins | Sort-Object -Descending -Property PasswordNeverExpires | Select-Object Name, SamAccountName, LastLogonDate, Enabled, PasswordNeverExpires | Format-Table -AutoSize

This displays every member of “Domain Admins” with the last logon time, whether the account is enabled, and whether “password never expires” is set.

If you want a file export you can use this line instead of output to screen:

# Output to file (-NoTypeInformation keeps the "#TYPE" header line out of the CSV)
$domainadmins | Sort-Object -Descending -Property PasswordNeverExpires | Select-Object Name, SamAccountName, LastLogonDate, Enabled, PasswordNeverExpires | Export-Csv C:\Temp\domainadmins.csv -Encoding UTF8 -Delimiter "," -NoTypeInformation
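
The same audit taken one step further, as an added example that is not part of the original post: it turns the listed properties into findings per account. The function name `Get-AdminPasswordRisk`, the 90/365-day thresholds and the sample accounts are assumptions made for illustration; the commented pipeline at the end shows how it would be fed from a live domain, including members of nested groups.

```powershell
# Added example. Get-AdminPasswordRisk and its thresholds are hypothetical, not from the post.
function Get-AdminPasswordRisk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $StaleLogonDays = 90,        # assumed threshold
        [int] $MaxPasswordDays = 365,      # assumed threshold
        [datetime] $Now = (Get-Date)
    )
    process {
        $findings = @()
        # A non-expiring password only matters while the account can still log on
        if ($User.Enabled -and $User.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
        # Enabled admin that never logged on, or not within the stale window
        if ($User.Enabled -and (-not $User.LastLogonDate -or
                ($Now - $User.LastLogonDate).TotalDays -gt $StaleLogonDays)) {
            $findings += 'StaleLogon'
        }
        $age = $null
        if ($User.PasswordLastSet) {
            $age = [int][math]::Floor(($Now - $User.PasswordLastSet).TotalDays)
            if ($age -gt $MaxPasswordDays) { $findings += 'OldPassword' }
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            Enabled         = $User.Enabled
            PasswordAgeDays = $age
            Findings        = $findings -join ','
        }
    }
}

# Constructed sample accounts so the logic can be tried without a domain
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'adm.alice'; Enabled = $true; PasswordNeverExpires = $true
        LastLogonDate = [datetime]'2024-05-30'; PasswordLastSet = [datetime]'2019-02-11' }
    [pscustomobject]@{ SamAccountName = 'adm.bob'; Enabled = $true; PasswordNeverExpires = $false
        LastLogonDate = $null; PasswordLastSet = [datetime]'2024-04-01' }
    [pscustomobject]@{ SamAccountName = 'adm.old'; Enabled = $false; PasswordNeverExpires = $true
        LastLogonDate = [datetime]'2021-01-15'; PasswordLastSet = [datetime]'2020-12-01' }
)
$sample | Get-AdminPasswordRisk -Now $now | Where-Object Findings | Format-Table -AutoSize

# Against a live domain (-Recursive also returns members of nested groups):
# Get-ADGroupMember -Identity "Domain Admins" -Recursive | Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties PasswordNeverExpires, LastLogonDate, PasswordLastSet |
#     Get-AdminPasswordRisk | Where-Object Findings
```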

“No logon servers are available” error after installing updates (SBS2008)

Yesterday I was doing maintenance on a Windows Small Business Server 2008. The Windows Update patches installed successfully and the restart button was pushed. And then the problems started. The server rebooted and had problems starting several services such as Active Directory Domain Services, DNS, Exchange, Certificates and several more. Trying to log on to the server with my Domain Admin credentials gave me this error message.

The same error message came when I tried to log on to other servers in the domain. So what does the trick to fix this?

1. Log on to the server with the local administrator username and password (enter “.\administrator” in the username field to force the logon with the local admin).
2. When logged in to the server, check that the services that are supposed to be started are started. As you noticed when you logged on, you got into safe mode… strange? Yes.
3. So, hit “WIN + R” and type “MSCONFIG”.
4. Navigate to the “Boot” menu and remove the “Safe boot – Boot options”, hit Apply and restart your server.
5. Give the server some time to start up again and test the logon with a “domain admin” account.

Worked for me 🙂

DFS Replication error on Domain Controllers

If you have DFS replication errors on one or more domain controllers, first find out which domain controller has the error.
Log on to all your domain controllers and check the Event log -> Applications and Services Logs -> DFS Replication and look for Warnings.

In this example the domain controller had a dirty shutdown caused by a power failure.

If you find this one, the resolution is described in the event.

1. First of all, take a backup of your SYSVOL directory on all domain controllers (usually found under c:\windows\sysvol).
2. Run the wmic command described in your event in an elevated command prompt.
3. The method should execute successfully and the Return Value should be 0.

When this is done, you should see an information event in event viewer:

AD: Count users in organizational units

To count user accounts in an organizational unit, run this PowerShell command:

(Get-ADUser -Filter * -SearchBase "ou=Users,ou=A1,dc=contoso,dc=com").Count

Where “ou=” is the path for your OU and “dc=” is your domain. My query runs against “contoso.com\users”