Generate random passwords for Active Directory users v2

A little while ago I posted a script to generate random passwords for each user in a specified OU in an Active Directory environment.

Now I've just posted another version of this script on PoshCode.

This script is intended for another scenario:
Power users with delegated permissions to reset passwords for specific Organizational Units. The power users get this script made available as a published application in Remote Desktop Services.
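The scenario above, written out as an added example (this is not the PoshCode script from the post): a delegated power user runs it from the published application, every enabled user in the given OU gets a fresh cryptographically random password, and the user is forced to change it at first logon so the generated value is only a one-time credential. It assumes the Active Directory module from Windows Server 2008 R2 / RSAT and a caller who has been delegated the "Reset password" right on the OU; the OU path in the usage line is a placeholder.

```powershell
# Added example, not the author's PoshCode script. Assumes the Windows Server 2008 R2 / RSAT
# Active Directory module and a caller with the "Reset password" right delegated on the OU.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 14)
    # Ambiguous glyphs (0/O, 1/l/I) are left out because power users read these passwords out to callers.
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#$%&*+-=?@'.ToCharArray()
    $rng      = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $one      = New-Object byte[] 1
    # Rejection sampling: bytes at or above the largest multiple of the alphabet size are thrown away,
    # so every character is equally likely (a plain modulo would favour the first few characters).
    $limit    = 256 - (256 % $alphabet.Length)
    do {
        $password = ''
        while ($password.Length -lt $Length) {
            $rng.GetBytes($one)
            if ($one[0] -lt $limit) { $password += $alphabet[$one[0] % $alphabet.Length] }
        }
        # Retry until all four character classes are present, which satisfies the default
        # domain complexity rule (three of four classes) with margin.
    } until ($password -cmatch '[a-z]' -and $password -cmatch '[A-Z]' -and
             $password -match '[0-9]' -and $password -match '[^A-Za-z0-9]')
    $password
}

function Reset-OUUserPassword {
    param(
        [Parameter(Mandatory=$true)][string]$SearchBase,   # distinguished name of the delegated OU
        [int]$Length = 14
    )
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' | ForEach-Object {
        $plain  = New-RandomPassword -Length $Length
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        # -Reset uses the caller's delegated right instead of requiring the old password
        Set-ADAccountPassword -Identity $_ -NewPassword $secure -Reset
        # The generated value is a one-time credential: the user must replace it at first logon
        Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
        New-Object PSObject -Property @{ SamAccountName = $_.SamAccountName; Password = $plain }
    }
}

# Usage with a placeholder OU. The objects returned are the only copy of the plaintext passwords.
# Reset-OUUserPassword -SearchBase 'OU=Helpdesk Users,DC=domain,DC=local' | Format-Table -AutoSize
```

The output table is meant to be read off the screen and handed to each user out of band; do not pipe it to a file on the RDS host, since that would leave the plaintext on a server the power users share.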

How to upgrade from MDT 2008 Update 1 to MDT 2010

Now that Microsoft Deployment Toolkit 2010 is available, MDT 2008 installations should be upgraded to support Windows 7 and Windows Server 2008 R2 deployment.

Also, many new features are available, which I wrote about in this blog post.


The upgrade procedure

1) Uninstall earlier versions of Windows Automated Installation Kit

2) Download and install Windows Automated Installation Kit for Windows 7

3) Download and install Microsoft Deployment Toolkit 2010

4) Open Deployment Workbench. You should now find your Deployment Share.


Right-click the Deployment Share and choose “Open Deployment Share”.

Specify the path to your Deployment Share.

Check the checkbox “Upgrade the content of the deployment share” and press Next:


Press “Next”:


Review any warnings and press Finish:


Your Deployment Share is now available in the Deployment Workbench:


5) Upgrade the Windows PE boot images with the new versions of Windows PE and the MDT scripts.

To do so, right click the Deployment Share and choose “Update Deployment Share”:


Choose “Completely regenerate the boot images” and press Next:





6) If WDS is used to distribute the boot images, they must be updated.

To do so, open “Windows Deployment Services” from the Start menu -> Administrative Tools.

Go to “Boot Images”, right click the boot image to update and choose “Replace”:


You'll find the updated .wim files in the Boot folder in the Deployment Share.
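Steps 5 and 6 can also be scripted, which is useful when the boot images have to be refreshed again later. The following is an added example and not part of the original post: it uses the MDT 2010 PowerShell snap-in (the same commands the Deployment Workbench wizards show on their confirmation page) for the regeneration and WDSUTIL for the replacement, since Windows Server 2008 R2 has no WDS cmdlets. The drive label, the deployment share path, the boot image file name and the WDS image name are placeholders; the image name must match what WDS lists under “Boot Images”.

```powershell
# Added example, not from the original post. Placeholders: D:\DeploymentShare, DS001,
# LiteTouchPE_x86.wim and the WDS image name "Lite Touch Windows PE (x86)".
Add-PSSnapIn Microsoft.BDD.PSSnapIn

# Step 5: mount the deployment share as a drive and rebuild the boot images.
# -Force is the scripted equivalent of "Completely regenerate the boot images".
New-PSDrive -Name 'DS001' -PSProvider MDTProvider -Root 'D:\DeploymentShare' | Out-Null
Update-MDTDeploymentShare -Path 'DS001:' -Force -Verbose

# Step 6: replace the boot image WDS serves with the freshly generated one.
# Quoting each whole argument keeps PowerShell from splitting the values at the spaces.
$bootWim   = 'D:\DeploymentShare\Boot\LiteTouchPE_x86.wim'
$imageName = 'Lite Touch Windows PE (x86)'
& wdsutil /Verbose /Replace-Image "/Image:$imageName" /ImageType:Boot /Architecture:x86 `
    /ReplacementImage "/ImageFile:$bootWim"
if ($LASTEXITCODE -ne 0) { throw "WDSUTIL failed with exit code $LASTEXITCODE" }
```

Run it from an elevated PowerShell on the WDS server (or point WDSUTIL at it with /Server:). The exit-code check matters because WDSUTIL does not raise a PowerShell error on failure, so without it a stale boot image would silently stay in service.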

Microsoft Deployment Toolkit is now upgraded to version 2010 and supports Windows 7 and Windows Server 2008 R2 deployment.

New features in Microsoft Deployment Toolkit 2010

MDT 2010 was released September 9th 2009.

Michael Niehaus from Microsoft's Deployment Team has posted an excellent series of blog posts describing the new features:

New Feature #1: Logging directly to the network

New Feature #2: Gathering virtualization details

New Feature #3: Suspend and resume a Lite Touch task sequence

New Feature #4: Folders everywhere

New Feature #5: Support for multiple deployment shares

New Feature #6: Drag and drop

New Feature #7: Boot image creation optimized

New Feature #8: No more visible command windows when booting Lite Touch Windows PE

New Feature #9: Copy and paste support in the Deployment Workbench task sequence editor

New Feature #10: Detection of signed drivers

New Feature #11: Windows 7 and Windows Server 2008 R2 support

New Feature #12: USMT 4.0 hardlink support

New Feature #13: New task sequence templates

New Feature #14: Database improvements

New Feature #15: Finish actions

New Feature #16: PowerShell support

New Feature #17: Customizable boot image process

New Feature #18: Selection Profiles

New Feature #19: Improved Driver Management

Other interesting posts on Michael's blog:

Running PowerShell scripts as part of a task sequence

Automatically update MDT 2010 boot images in WDS


For those who work with MDT I would also recommend following the Microsoft Deployment Toolkit Team's blog.

Be aware of the following bug described on their blog: Fix for the “Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed” problem with MDT 2010

The Deployment Guys blog is also an excellent resource.

Replmon.exe not included in Windows Server 2008/2008 R2

A lot of administrators are used to checking their Active Directory replication status with replmon.exe, which is part of the Windows Server 2003 Support Tools.
Today I stumbled across the need to use replmon.exe on a domain controller running Windows Server 2008, and was unable to find it.

It turns out that this utility is not included in Windows Server 2008/2008 R2.

According to a comment from a member of the Microsoft Directory Services Team, this is the explanation:

“Unfortunately, replmon did not survive the transition to Win2008. It was actually developed by MS support, not the product group (along with many other support tools/resource kit tools), and without an actual owner to service the tool years later, it was a casualty. I don’t see why it wouldn’t work on 2008 though…”

I wouldn't recommend using unsupported tools on Windows Server 2008/2008 R2, so the advice would be to either use repadmin.exe on 2008/2008 R2, or to use replmon.exe from a Windows Server 2003 server.

You can find the command reference for repadmin.exe in Windows Server 2008/2008 R2 here.

A few examples:

repadmin.exe /showrepl shows the replication status for the domain controller the tool is run from.

repadmin.exe /showrepl servername shows the replication status for the domain controller with the given server name.

repadmin.exe /queue shows the replication queue for the domain controller the tool is run from.

repadmin.exe /queue servername shows the replication queue for the domain controller with the given server name.

repadmin.exe /replsummary shows a brief summary of the replication status.

I also checked whether there are any PowerShell cmdlets for checking replication status in Windows Server 2008 R2, but there are none. Hopefully this will be implemented some time in the future.
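Until native cmdlets exist, repadmin's /csv switch gives PowerShell something to work with. The function below is an added example, not part of the original post: it turns the output of repadmin /showrepl * /csv into objects and returns only the replication partners that report failures or whose last successful replication is older than a threshold, which is what an administrator wants to see at a glance (and what a monitoring job should alert on, because a partner that has stopped replicating also stops receiving password changes, lockouts and group policy). The CSV rows in the sample are constructed so the parser can be tried without a domain controller; the site and DC names and the error code 1722 in it are made up.

```powershell
# Added example, not from the original post. Parses "repadmin /showrepl * /csv" and returns
# the partners that are failing or stale. The sample data at the bottom is constructed.
function Get-ReplicationFailure {
    param(
        [string[]]$CsvLines = $null,   # captured output for testing; when omitted repadmin is run live
        [int]$MaxAgeHours = 24         # also flag partners whose last success is older than this
    )
    if (-not $CsvLines) { $CsvLines = repadmin /showrepl * /csv }
    # /showrepl /csv prints one row per (destination DC, naming context, source DC) triple
    $rows = $CsvLines | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures = [int]$row.'Number of Failures'
        $lastOk   = $null
        if ($row.'Last Success Time' -and $row.'Last Success Time' -ne '0') {
            $lastOk = [datetime]$row.'Last Success Time'
        }
        $stale = ($lastOk -ne $null) -and ($lastOk -lt (Get-Date).AddHours(-$MaxAgeHours))
        if ($failures -gt 0 -or $stale) {
            New-Object PSObject -Property @{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Failures      = $failures
                LastSuccess   = $lastOk
                LastStatus    = $row.'Last Failure Status'
                Stale         = $stale
            }
        }
    }
}

# Constructed sample in the column layout repadmin uses; timestamps are made relative to now so
# the staleness check behaves the same whenever the sample is run.
$recent = (Get-Date).AddMinutes(-15).ToString('yyyy-MM-dd HH:mm:ss')
$old    = (Get-Date).AddDays(-3).ToString('yyyy-MM-dd HH:mm:ss')
$sample = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    "showrepl_INFO,Oslo,DC01,""DC=domain,DC=local"",Oslo,DC02,RPC,0,0,$recent,0",
    "showrepl_INFO,Oslo,DC01,""DC=domain,DC=local"",Bergen,DC03,RPC,7,$recent,$old,1722",
    "showrepl_INFO,Oslo,DC01,""CN=Configuration,DC=domain,DC=local"",Bergen,DC03,RPC,0,0,$old,0"
)
# Healthy DC02 is left out; both DC03 rows are returned (one failing, one merely stale).
Get-ReplicationFailure -CsvLines $sample |
    Format-Table Destination, Source, NamingContext, Failures, LastStatus, Stale -AutoSize
```

To run it against a live forest, call Get-ReplicationFailure with no arguments from a machine that has repadmin.exe (any 2008/2008 R2 domain controller, or RSAT). Scheduling it and alerting on any returned row gives the kind of check replmon.exe used to provide interactively.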

PS: I did test installing the Windows Server 2003 Support tools on a Windows Server 2008 domain controller in a lab environment, and it does work.

How to use the new Active Directory Recycle Bin feature


In Windows Server 2008 R2 there is a new feature called Active Directory Recycle Bin. It makes it possible to restore deleted objects in Active Directory without restoring from backup.
Unlike reanimating tombstoned objects, all object attributes are retained (group membership, sn, dn, and so on).

Active Directory Recycle Bin is disabled by default, even in new Windows Server 2008 R2 domains. As a prerequisite, the forest mode (forest functional level) must be set to Windows Server 2008 R2.
When all domain controllers are running Windows Server 2008 R2, this can be accomplished by using the Active Directory module in PowerShell:
Set-ADForestMode -Identity domain.local -ForestMode Windows2008R2Forest

You may also use ldp.exe or the GUI tool “Active Directory Domains and Trusts”.

You can use the Get-ADOptionalFeature cmdlet to check whether the Recycle Bin Feature is enabled.

Before enabling the feature:


After enabling the feature:



When the prerequisites are met, the Active Directory Recycle Bin feature can be enabled.
Either using the Active Directory module in PowerShell:


Or by using ldp.exe.

When the feature is enabled, it is a good idea to perform some testing. By default all deleted objects are placed in the Deleted Objects container.

In my test I first created a user named “Test User”, and then deleted the user object:


This will retrieve all deleted user objects:


This will restore all deleted user objects:


This will restore a specific user object:


For those of you who are more comfortable using a GUI rather than the PowerShell command line, a GUI tool for this new feature is already available. Check out Kirk Munro's PowerGUI PowerPack for Active Directory Recycle Bin.

This blog post is based on the official Microsoft documentation on TechNet, provided in the Active Directory Recycle Bin Step-by-Step Guide.