Find disabled users with their group membership and remove them from their groups

To quickly see the disabled users and their group membership in your Active Directory you can use this PowerShell command:

Get-ADUser -SearchBase "OU=OU1,DC=domain,DC=local" -Filter 'enabled -ne $True' -Properties memberof | ft samaccountname, MemberOf -auto

This script will prompt you for a search base (like "OU=OU1,DC=lab2,DC=local") and remove all disabled users under it from their groups:

$inputfromuser = Read-Host 'Enter AD Searchbase'
if ($inputfromuser -like "") {
    Write-Host "Input error"
    return
}

# All disabled user accounts under the search base, with their group memberships
$Disableduser = Get-ADUser -SearchBase $inputfromuser -Filter 'enabled -ne $True' -Properties memberof
foreach ($user in $Disableduser) {
    foreach ($member in $user.MemberOf) {
        Write-Host "Removing" $user.SamAccountName "from" $member
        Remove-ADGroupMember $member -Members $user.SamAccountName -Confirm:$false
    }
}

Honorable mention for assisting on this script goes to Bjørn Wang

edit: Added script for membership removal
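A report-first variant of the script above, added here as an example (it is not part of the original post). It writes every user/group pair to a CSV before anything is removed, so the change can be reversed, and supports -WhatIf so you can see what would happen first. The function name, the -ReportPath parameter and the search base in the usage lines are my own placeholders.

```powershell
# Added example (not from the original post). Function name, -ReportPath and the
# search base below are placeholders; replace them with your own values.
function Remove-DisabledUserGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SearchBase,

        # Where the before-state is written, so the removal can be undone
        [string]$ReportPath = "C:\temp\disabled-user-groups.csv"
    )

    Import-Module ActiveDirectory

    $disabled = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -ne $True' -Properties MemberOf

    # Flatten user -> group pairs and keep a record before touching anything
    $pairs = foreach ($user in $disabled) {
        foreach ($group in $user.MemberOf) {
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                UserDN         = $user.DistinguishedName
                GroupDN        = $group
            }
        }
    }

    if (-not $pairs) {
        Write-Host "No disabled users with group membership under $SearchBase"
        return
    }
    $pairs | Export-Csv -Path $ReportPath -NoTypeInformation

    foreach ($pair in $pairs) {
        # -WhatIf / -Confirm on the function are honoured here
        if ($PSCmdlet.ShouldProcess($pair.GroupDN, "Remove $($pair.SamAccountName)")) {
            Remove-ADGroupMember -Identity $pair.GroupDN -Members $pair.UserDN -Confirm:$false
        }
    }

    return $pairs
}

# Dry run first, then the real thing:
# Remove-DisabledUserGroupMembership -SearchBase "OU=OU1,DC=lab2,DC=local" -WhatIf
# Remove-DisabledUserGroupMembership -SearchBase "OU=OU1,DC=lab2,DC=local"
```

The CSV has the group DN and the user DN, so re-adding a membership that turns out to be needed is a single Add-ADGroupMember per row.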

Copy group membership in AD

To copy members from one group to another you can (of course) use PowerShell. This adds the members of Group1 to Group2:

Get-ADGroupMember -Identity "Group1" | ForEach-Object {Add-ADGroupMember -Identity "Group2" -Members $_.SamAccountName}

List installed certificates with Powershell

To list the installed certificates in the local computer store I use the following one-liner:

dir Cert:\LocalMachine\My | fl thumbprint, SerialNumber, Subject, NotBefore, NotAfter, Issuer

You can replace “LocalMachine” with “CurrentUser” to list certificates in the current user store.
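Listing everything is a good start; what you usually need to act on is which certificates are expired or about to expire. The function below is an added example, not from the original post: it walks both the machine and the user personal stores and returns one row per certificate that expires within the given number of days. The function name and parameter names are my own.

```powershell
# Added example (not from the original post). Function and parameter names are my own.
function Get-ExpiringCertificate {
    param(
        # Certificates expiring within this many days (or already expired) are returned
        [int]$Days = 30,
        [string[]]$Store = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )

    $now    = Get-Date
    $cutoff = $now.AddDays($Days)

    foreach ($path in $Store) {
        Get-ChildItem -Path $path |
            Where-Object { $_.NotAfter -le $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # Negative means the certificate has already expired
                    DaysLeft      = [int]($_.NotAfter - $now).TotalDays
                    # Certificates with a private key are the ones services depend on
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

Get-ExpiringCertificate -Days 60 | Sort-Object NotAfter | Format-Table -AutoSize
```

Run it in an elevated prompt if you want the LocalMachine store to include certificates whose private keys are restricted to administrators; the listing itself works without elevation.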

Transfer or seize FSMO roles with powershell

To transfer all FSMO roles from one DC to another you can use the following line in powershell: 

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator

Replace "Target-DC" with the name of the domain controller (case sensitive).

To seize the roles instead (when the current holder is gone for good), add "-Force" at the end of the command.
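Before moving roles it is worth recording who holds them, and afterwards checking that all five actually ended up on the target. The following is an added example, not from the original post; Get-FsmoRoleHolder is my own helper name and "Target-DC" is the same placeholder as above.

```powershell
# Added example (not from the original post). Get-FsmoRoleHolder is my own name;
# "Target-DC" is a placeholder for the destination domain controller.
function Get-FsmoRoleHolder {
    Import-Module ActiveDirectory
    $forest = Get-ADForest   # forest-wide roles
    $domain = Get-ADDomain   # domain-wide roles
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$before = Get-FsmoRoleHolder
Write-Host "Role holders before:"
$before | Format-List

# Graceful transfer; the current holder must be online. Add -Force to seize.
Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" `
    -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator

$after = Get-FsmoRoleHolder
Write-Host "Role holders after:"
$after | Format-List

# Anything not now held by Target-DC deserves a second look
$after.PSObject.Properties |
    Where-Object { $_.Value -notlike "Target-DC*" } |
    ForEach-Object { Write-Warning "$($_.Name) is still held by $($_.Value)" }
```

After a seize, the old holder must never be brought back online as a domain controller with those roles; that is the reason to keep the "before" output.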

Get-Inboxrule – easy way to get rules from mailboxes

An easy way to check whether there are any automatic rules on an Exchange mailbox is to use PowerShell and Get-InboxRule. This cmdlet lists all the rules and what each rule does with e-mail arriving in the mailbox.

Example: Get-InboxRule -Mailbox "account" | Select Name, Description | fl
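When reviewing a mailbox after a suspected compromise, the rules to look at are the ones that forward or redirect mail outside the organisation, delete messages, or file them away where the owner will not see them. The function below is an added example, not from the original post: it runs Get-InboxRule and returns only rules that match one of those patterns. The function name, the -InternalDomain parameter and "yourdomain.com" are my own placeholders.

```powershell
# Added example (not from the original post). Function name, -InternalDomain
# and "yourdomain.com" are placeholders; list your own accepted domains.
function Get-SuspiciousInboxRule {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Mailbox,
        [string[]]$InternalDomain = @('yourdomain.com')
    )

    foreach ($rule in Get-InboxRule -Mailbox $Mailbox) {
        # All three actions that send a copy of the mail somewhere else
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }

        # Recipients render as strings containing the SMTP address; anything
        # that does not carry one of our domains counts as external
        $external = $targets | Where-Object {
            $addr = "$_"
            -not ($InternalDomain | Where-Object { $addr -like "*@$_*" })
        }

        $reasons = @()
        if ($external)           { $reasons += "forwards/redirects to external: $($external -join ', ')" }
        if ($rule.DeleteMessage) { $reasons += "deletes messages" }
        if ($rule.MoveToFolder -and $rule.MoveToFolder -notlike '*Inbox*') {
            $reasons += "moves messages to $($rule.MoveToFolder)"
        }

        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $Mailbox
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reason  = $reasons -join '; '
            }
        }
    }
}

Get-SuspiciousInboxRule -Mailbox "account" | Format-Table -AutoSize
```

Moving to a folder is often legitimate, so treat that row as a prompt to read the rule, not as a verdict; external forwarding and deletion on a mailbox that has no business reason for it are the strong signals.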


Test-NetConnection the new Ping?

In Windows Server 2012 R2 Microsoft added a new PowerShell cmdlet for testing your network connection (it works with Windows 8.1 as well).
Can it be used as "the new ping"? It sure can! 🙂

The Test-NetConnection cmdlet displays diagnostic information for a connection. The output includes the results of a DNS lookup, a listing of IP interfaces, an option to test a TCP connection, IPsec rules, and confirmation of connection establishment.

The command is:
Test-NetConnection "hostname or IP"

Open PowerShell and type:

Test-NetConnection vg.no (where "vg.no" is the hostname or IP that you want to ping)


If you want to go more advanced, try this:

Test-NetConnection vg.no -TraceRoute


Or maybe you want to do what telnet does and check for an open port:

Test-NetConnection vg.no -CommonTCPPort HTTP or Test-NetConnection vg.no -Port 443
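Checking one host and one port at a time gets tedious when you are verifying firewall rules for a new server. The function below is an added example, not from the original post: it runs Test-NetConnection for every host/port combination you give it and returns one row each with the TCP result. The function name and the hosts and ports in the usage line are my own placeholders.

```powershell
# Added example (not from the original post). Function name, hosts and ports
# in the usage line are placeholders.
function Test-PortReachability {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        [int[]]$Port = @(80, 443, 3389)
    )

    foreach ($target in $ComputerName) {
        foreach ($p in $Port) {
            # Test-NetConnection writes a warning when the port is closed;
            # we keep the result object and suppress the noise
            $r = Test-NetConnection -ComputerName $target -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                ComputerName     = $target
                RemoteAddress    = $r.RemoteAddress
                Port             = $p
                TcpTestSucceeded = $r.TcpTestSucceeded
                PingSucceeded    = $r.PingSucceeded
            }
        }
    }
}

Test-PortReachability -ComputerName 'vg.no', 'dc01.domain.local' -Port 80, 443, 389 | Format-Table -AutoSize
```

PingSucceeded can be false while TcpTestSucceeded is true when ICMP is filtered but the service port is open, which is exactly the case where ping alone would mislead you.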



For more information about this new feature in Windows Server 2012 R2, see TechNet:

AD: Count users in organizational units

To count user accounts in an organizational unit, run this PowerShell command:

(Get-ADUser -Filter * -SearchBase "ou=Users,ou=A1,dc=contoso,dc=com").count

Where "ou=" is the path of your OU and "dc=" is your domain. My query runs against "contoso.com\users".

Create a custom event with powershell

To create an event without eventcreate.exe, which is limited to event IDs below 1000, you can use PowerShell. { } marks what you have to customize; then run everything from an elevated PowerShell prompt.

$evt = New-Object System.Diagnostics.EventLog("{Application/System/etc..}")

# The source must already be registered in that log, otherwise WriteEntry fails
$evt.Source = "{event source name}"

$evtNumber = {EVENT ID}

$evtDescription = "{write a description}"

# Writes the entry; change Information to Warning or Error as needed
$evt.WriteEntry($evtDescription, [System.Diagnostics.EventLogEntryType]::Information, $evtNumber)
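The step that usually trips people up is the event source: writing with a source that has never been registered fails, and registering one needs administrator rights. The function below is an added example, not from the original post: it creates the source if it is missing, writes the event, and then reads it back with Get-WinEvent to confirm it landed. The function name and the "MyApp" source are my own placeholders.

```powershell
# Added example (not from the original post). Write-CustomEvent and the
# "MyApp" source name are placeholders. Run from an elevated prompt.
function Write-CustomEvent {
    param(
        [string]$LogName = 'Application',
        [string]$Source  = 'MyApp',
        # Any ID works here, including values above 1000
        [int]$EventId    = 5001,
        [System.Diagnostics.EventLogEntryType]$EntryType = 'Information',
        [Parameter(Mandatory = $true)]
        [string]$Message
    )

    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        # Registers the source under the chosen log; requires admin rights
        [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
    }

    $log = New-Object System.Diagnostics.EventLog($LogName)
    $log.Source = $Source
    $log.WriteEntry($Message, $EntryType, $EventId)
}

Write-CustomEvent -EventId 5001 -EntryType Warning -Message "Backup job finished with warnings"

# Read the newest matching event back to confirm it was written
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MyApp'; Id = 5001 } -MaxEvents 1 |
    Format-List TimeCreated, Id, LevelDisplayName, Message
```

A freshly created source can take a moment to become usable, so if the first write after CreateEventSource fails, retry it rather than assuming the registration did not work.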



Useful PowerShell commands

PowerShell is a powerful tool when administering Microsoft products, and personally I like using Windows PowerShell ISE, a PowerShell editor provided by Microsoft.
It can be found on Windows 8, Windows Server 2012, Windows Server 2008 R2 and Windows Server 2008.

Here are some useful PS one-liners that I use often 🙂

# Connect to remote server
Enter-PSSession “yourdomaincontroller”

# Disconnect remote session
Exit-PSSession
# Import the ActiveDirectory cmdlets
Import-Module ActiveDirectory

# List snapins loaded in the current session (see -Registered below for all installed ones)
Get-PSSnapin
# Add snapins examples
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin # Exchange 2007
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 # Exchange 2010
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager # VMM (Hyper-V)
Add-PSSnapin Quest.Activeroles.ADManagement # Quest commandlets

# List registered snapins
Get-PSSnapin -Registered

# List Active Directory computers that have not logged on within the time span (-TimeSpan is days.hours:minutes:seconds, so 365.00:00:00 is 365 days). The first line counts the result, the second shows it, the third writes it to a text file.
(Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 35.00:00:00 | select name | sort-object name).count
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 90.00:00:00 | select name | sort-object name
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 65.00:00:00 | select name | sort-object name | out-file c:\temp\computers.txt

# The following example demonstrates how to find user accounts that have been inactive for 90 days:
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A

# The following example demonstrates how to find inactive user accounts
Search-ADAccount -AccountInactive | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A

# The following example demonstrates how to find user accounts that have been inactive since 01/04/2013 (the date is parsed in the local date format, so check day/month order)
Search-ADAccount -AccountInactive -DateTime 01/04/2013 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A

# The following example demonstrates how to find locked-out users in your domain
Search-ADAccount -LockedOut | where {$_.ObjectClass -eq ‘user’} | FT Name,ObjectClass -A

#The following example demonstrates how to unlock the user account U1 in the organizational unit (OU) Test in your domain.
Unlock-ADAccount -Identity “CN=U1,OU=Test,DC=FABRIKAM,DC=COM”

# The following example demonstrates how to unlock the user account U1 in your domain.
Unlock-ADAccount -Identity U1

# Reset the password on a specific user, where "bob" is replaced with the username of the user whose password you want to reset
Set-ADAccountPassword -Identity bob -Reset
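The Search-ADAccount lines above give you names; deciding what to do with a stale account needs a bit more context (when it last logged on, when the password was last set, what the description says). The function below is an added example, not from the original post: it reports enabled user accounts inactive for a given number of days and can optionally disable them, honouring -WhatIf. The function name, the -Disable switch and the export path are my own placeholders.

```powershell
# Added example (not from the original post). Get-StaleUser, -Disable and the
# export path in the usage line are placeholders.
function Get-StaleUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Days = 90,
        [string]$SearchBase,
        [switch]$Disable
    )

    Import-Module ActiveDirectory
    $span = New-TimeSpan -Days $Days

    $params = @{ AccountInactive = $true; UsersOnly = $true; TimeSpan = $span }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    # Search-ADAccount also returns accounts that are already disabled;
    # the ones worth a decision are those still enabled but unused
    $stale = Search-ADAccount @params | Where-Object { $_.Enabled }

    foreach ($acct in $stale) {
        # LastLogonDate comes from lastLogonTimestamp, which by default is only
        # replicated every 14 days or so, so treat it as "at least this old"
        $u = Get-ADUser -Identity $acct.DistinguishedName -Properties LastLogonDate, PasswordLastSet, whenCreated, Description

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Created         = $u.whenCreated
            Description     = $u.Description
            DN              = $u.DistinguishedName
        }

        if ($Disable -and $PSCmdlet.ShouldProcess($u.SamAccountName, "Disable stale account")) {
            Disable-ADAccount -Identity $u.DistinguishedName
        }
    }
}

Get-StaleUser -Days 90 | Sort-Object LastLogonDate | Export-Csv C:\temp\stale-users.csv -NoTypeInformation
# Preview what would be disabled, without doing it:
# Get-StaleUser -Days 180 -Disable -WhatIf
```

Service accounts and accounts used only for scheduled tasks often show up as "stale" even though they are in daily use, which is why the report goes out for review before anything is disabled.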

Change primary email address in Office 365

Start powershell as administrator

Run the following commands:
$LiveCred = Get-Credential
(Enter your Office 365 administrator credentials)
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

Find all aliases for one account:
get-mailbox | select -expand emailaddresses alias
get-mailbox name@domain.com | select -expand emailaddresses alias

Add email alias to an Account:
Set-Mailbox name@domain.com -EmailAddresses SMTP:newprimaryaddress@domain.com,anotheraddress@domain.com,yet.another.address@domain.com

NOTE: the first address after “SMTP:” will be the primary e-mail address. All aliases will be replaced. If you have 100 aliases and only type in one in this command, you will lose 99 aliases!
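Because Set-Mailbox -EmailAddresses replaces the whole list, the safe way to change the primary address is to read the current list, demote the old primary to an alias, and put the new primary on top. The function below is an added example, not from the original post; it assumes the remote Exchange session above is already imported. The function name and the addresses in the usage lines are my own placeholders. (The Basic-authentication connection shown above has since been retired by Microsoft in favour of the Exchange Online PowerShell module and Connect-ExchangeOnline; the Set-Mailbox usage is the same either way.)

```powershell
# Added example (not from the original post). Set-PrimarySmtpAddress and the
# addresses below are placeholders; an Exchange session must already be imported.
function Set-PrimarySmtpAddress {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$NewPrimary
    )

    $mbx     = Get-Mailbox -Identity $Identity
    $current = @($mbx.EmailAddresses | ForEach-Object { "$_" })

    # Upper-case "SMTP:" marks the primary, lower-case "smtp:" an alias.
    # Demote the old primary, drop any existing copy of the new address
    # (case-insensitive), then prepend the new primary. Other prefixes
    # such as SIP: or X500: pass through untouched.
    $rebuilt = @("SMTP:$NewPrimary") + @(
        $current |
            ForEach-Object { if ($_ -cmatch '^SMTP:') { 'smtp:' + $_.Substring(5) } else { $_ } } |
            Where-Object { $_ -notlike "smtp:$NewPrimary" }
    )

    if ($PSCmdlet.ShouldProcess($Identity, "Set primary to $NewPrimary and keep $($rebuilt.Count - 1) other addresses")) {
        Set-Mailbox -Identity $Identity -EmailAddresses $rebuilt
    }
    return $rebuilt
}

# Preview the resulting address list first, then apply it:
# Set-PrimarySmtpAddress -Identity name@domain.com -NewPrimary newprimaryaddress@domain.com -WhatIf
# Set-PrimarySmtpAddress -Identity name@domain.com -NewPrimary newprimaryaddress@domain.com

# Adding one alias without touching the rest is also possible directly:
# Set-Mailbox name@domain.com -EmailAddresses @{Add = "smtp:anotheraddress@domain.com"}
```

The @{Add=...} (and @{Remove=...}) form of -EmailAddresses is the one to use for day-to-day alias changes; the full-list form is only needed when the primary itself changes.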

© 2019 IdefixWiki
