
Posts

Showing posts with the label Script Repository

Manage Shadow Group Membership - PowerShell Function

Manage Shadow Group Membership - PowerShell Function I looked at a quick script to update a shadow group here, and then thought, this would make a good function. I have used my function template (refer to that post if you want to know more about how to format a function) to build up a reusable script to update group membership based on user and computer object location in AD. A traditional shadow group is all members of an OU. In my mind, there are a few assumptions to this statement. Given that you have taken the time to create an OU, put objects in it, and created a group to mirror those objects, you probably have only 1 type of object (i.e. user) and they are all similar in some respect (i.e. same office location). This function keeps that in mind and only updates groups with users or computers - not other groups etc. Moving away from the traditional meaning of shadow group, I have added (for my own benefit as I required the functionality) a parameter to change the searchsco...

PowerShell v2 Function Template

PowerShell v2 Function Template PowerShell v2 has updated what you can do with creating functions over PowerShell v1. The whole function experience has been updated to a cmdlet-like feel with error handling, parameter validation, help creation and of course, tab completion! The following is a bare bones template that I've commented inline for easy reading!

function new-template {
<#
.SYNOPSIS
   Brief description of what the function does
.DESCRIPTION
   A better description
.NOTES
   Function Name : new-template
   Author : Adam Stone
   Requires : PowerShell V2
.LINK
   http://adadmin.blogspot.com/
.EXAMPLE
   Simple usage
   PS C:\> new-template -args values
.EXAMPLE
   Simple usage
   PS C:\> new-template -args values values etc
.PARAMETER first
   A description of the first parameter
.PARAMETER targetdomain
   A description of the ...

Add-ADGroupMember - AD Cmdlets Reference

Add-ADGroupMember Quite an easy one to start with, but quite handy too. Saves a few lines of code from ps1.

Example usage

Add-ADGroupMember -identity "Group name" -members "new group member"
Add-ADGroupMember "Group name" "list of new group member"

Define the parameters

Both identity and members take a range of identifiers for the object. These include "Distinguished Name", "GUID", "SID", and "samaccountname". As all the cmdlets have been designed for interoperability, I find it best to use output from other commands like get-aduser.

In a script

#set the group name
$Group = "All Managers"
#get the objects that you want to add to the group (in this case, users with Manager in the description)
$users = get-aduser -filter {description -like "*Manager*"}
#Add the users to the group
Add-ADGroupMember $Group $users

PowerShell without the Management pack How you gener...

Searching AD using .net and a GC

Searching AD using .net and a Global Catalog (GC) Server Although I have recently been exploring the world of R2 and AD cmdlets, I have re-visited .net to search the whole forest in one quick step. As a GC holds a subset of information on all objects in the forest, we can query any GC in the forest to return these values. Here, I am doing a search for a specific UPN, but the filter can include any attribute stored on the GC.

$upn = "first.last@domain.name"
$Forest = [System.DirectoryServices.ActiveDirectory.forest]::getcurrentforest()
$GC = $forest.FindGlobalCatalog()
$searcher = $gc.GetDirectorySearcher()
$searcher.filter = "(userprincipalname=$upn)"
$Results = $Searcher.FindAll()

The rest of the script is the same as how we ended up in my AD Searcher. You might not want to find any GC in the forest, you might want to only choose one from a particular site. As $forest.FindGlobalCatalog() has an option for this,...

Finding out what 'SearchFlags' are set on your AD attributes

Whilst doing some research into indexed attributes, I posted this a while back on how to find your indexed attributes. Since then, I have looked a little deeper into what indexing really means and found this excellent explanation on the numbers that can be found in the searchFlags attribute of a schema object. Using Florian’s reference, I built the following script (which is both PowerShell v1 and v2 compatible) to get the schema attributes from the forest schema and return (among other things) the breakdown of your attributes' search flags.

$forest = [System.DirectoryServices.ActiveDirectory.forest]::getcurrentforest()
$schema = [ADSI]('LDAP://CN=Schema,CN=Configuration,dc=' + ($($forest).name -replace "[.]",",dc="))
$attributes = $schema.psbase.children | where {$_.objectClass -eq "attributeSchema"}
$collection = @()
foreach ($attr in $attributes){
   $store = "" | select "Name","lDAPDisplayName","singlev...

RODC Password Replication Policy

I have been fortunate enough to be involved in quite a large RODC deployment in a Windows 2008 domain. Even more fortunate is that we are currently upgrading this domain to R2, so I am getting the chance to try out the new PowerShell 2 AD cmdlets. I have been looking quite a lot into RODC operations, and the importance of the Password Replication Policy (PRP from now on) component has become increasingly apparent. My first thoughts of PRP were entirely user based. "It allows users to logon to a remote site when the WAN link is down" was my impression. But, when a user logs on to a domain from a trusted computer, there are 2 parts to the authentication - user AND computer. Therefore it is just as important to add the computer objects to the allow PRP as it is the users. While you are there, add any server that is in the same site as the RODC as they will need to authenticate too. My preferred way of doing this is to create 3 groups and add them to the PRP policy: all users, al...

How to find out what attributes in your AD domain are indexed

Ever wondered why some queries return much faster than others? If you search on attributes that are indexed, your DC returns the value much quicker. How can you find out what attributes are indexed? Use the following. If you find that your attribute is not being indexed, take a look here to find out how to add it to the index.

$Collection = @()
$domain = [System.DirectoryServices.ActiveDirectory.domain]::getcurrentdomain()
$ObjectCategory = "attributeSchema"
$ObjectProplist = "name"
$LdapQuery = "(&(objectCategory=$ObjectCategory)(searchFlags:1.2.840.113556.1.4.803:=1))"
($domain).name
$LDAPdomain = [ADSI]('LDAP://CN=Schema,CN=Configuration,dc=' + ($($domain).name -replace "[.]",",dc="))
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($LDAPdomain, $LdapQuery, $ObjectProplist)
$Searcher.pagesize = 1000
$Results = $Searcher.FindAll()
foreach ($Object in $Results){
   $Store = "...