blog.powershell.no

On Windows PowerShell and other admin-related topics

Active Directory group membership modifications report

Based on customer needs I've created a Windows PowerShell script to report Active Directory group membership modifications. The script is uploaded to PoshCode and available from here.

In Windows 2000 Server and Windows Server 2003, the following security event IDs were valid for group membership changes:

Scope       Member added   Member removed
Local       636            637
Global      632            633
Universal   660            661

In Windows Server 2008 and Windows Server 2008 R2 the security event IDs changed:

Scope       Member added   Member removed
Local       4732           4733
Global      4728           4729
Universal   4756           4757

Source for 2000/2003 event IDs.
Source for 2008/2008 R2 event IDs.

Group membership auditing is enabled by default from Windows 2000 Server to Windows Server 2008 R2, so there is no need to change any auditing settings to accomplish this.
I've added the event IDs for both 2000/2003 and 2008/2008 R2 to the script to cover all event IDs currently available.
Group membership changes are logged to the Security event log on the domain controller the modification was run against. Because of this, the script is set up to get all domain controllers in the current domain and loop through the Security event log on each of them, searching for the relevant event IDs described in the tables above.

The script is based on Alan Renouf's Daily Report script for PowerCLI.

The "isWithin" function is taken from Jeffrey Snover's blog post regarding DateTime Utility Functions.

Preview of the HTML-report the script will generate:

image

A tip would be to run the script as a scheduled task, e.g. once a day, and store the file in a central location.

For those of you interested in Active Directory auditing, I would recommend having a look at the AD DS Auditing Step-by-Step Guide on Microsoft TechNet.
Personally I think the new "directory service changes" category is very useful, as it allows us to see both the old and new values on modified Active Directory user objects.

October 11, 2009 Posted by | Active Directory management, Auditing, Scripting, Windows PowerShell | | 8 Comments

Generate random passwords for Active Directory users v2

A little while ago I posted a script to generate random passwords for each user in a specified OU in an Active Directory environment.

Now I've just posted another version of this script on PoshCode.

This script is intended for another scenario:
Power users with delegated permissions to reset passwords for specified Organizational Units. The power users get this script as a published application in Remote Desktop Services.

September 29, 2009 Posted by | Active Directory management, Scripting, Windows PowerShell | Leave a Comment

Replmon.exe not included in Windows Server 2008/2008 R2

A lot of administrators are used to checking their Active Directory replication status using replmon.exe, which is part of the Windows Server 2003 Support Tools.
Today I stumbled across the need to use replmon.exe on a domain controller running Windows Server 2008, and was unable to find it.

It turns out that this utility is not included in Windows Server 2008/2008 R2.

According to a comment from a team member from the Microsoft Directory Services Team, this is the explanation:

“Unfortunately, replmon did not survive the transition to Win2008. It was actually developed by MS support, not the product group (along with many other support tools/resource kit tools), and without an actual owner to service the tool years later, it was a casualty. I don’t see why it wouldn’t work on 2008 though…”

I wouldn't recommend using unsupported tools on Windows Server 2008/2008 R2, so the advice would be to either use repadmin.exe on 2008/2008 R2, or to use replmon.exe from a Windows Server 2003 server.

You can find the command reference for repadmin.exe in Windows Server 2008/2008 R2 here.

A few examples:

repadmin.exe /showrepl shows the replication status for the domain controller the tool is being run from.

repadmin.exe /showrepl servername shows the replication status for the domain controller with the provided server name.

repadmin.exe /queue shows the replication queue for the domain controller the tool is being run from.

repadmin.exe /queue servername shows the replication queue for the domain controller with the provided server name.

repadmin.exe /replsummary shows a brief summary of the replication status.

I also checked whether there are any PowerShell cmdlets for checking replication status in Windows Server 2008 R2, but there are none. Hopefully this will be implemented some time in the future.

PS: I did test installing the Windows Server 2003 Support tools on a Windows Server 2008 domain controller in a lab environment, and it does work.

September 18, 2009 Posted by | Active Directory management, Windows Server 2008, Windows Server 2008 R2 | 3 Comments

How to use the new Active Directory Recycle Bin feature

 

In Windows Server 2008 R2 there is a new feature called Active Directory Recycle Bin. This feature makes it possible to restore deleted objects in Active Directory without restoring from backup.
Unlike restoring tombstoned objects, all object attributes are retained (group membership, sn, dn, and so on).

Active Directory Recycle Bin is disabled by default, even in new Windows Server 2008 R2 domains. As a prerequisite, the forest mode must be set to Windows Server 2008 R2.
When all domain controllers are running Windows Server 2008 R2, this can be accomplished by using the Active Directory module in PowerShell:
Set-ADForestMode -Identity domain.local -ForestMode Windows2008R2Forest

You may also use ldp.exe or the GUI tool “Active Directory Domains and Trusts”.

You can use Get-ADOptionalFeature to check whether the Recycle Bin Feature is enabled.

Before enabling the feature:

image

After enabling the feature:

image

 

When the prerequisites are met, the Active Directory Recycle Bin feature can be enabled.
Either using the Active Directory module in PowerShell:

image

Or by using ldp.exe.

When the feature is enabled it's a good idea to perform some testing. By default all deleted objects are placed in the Deleted Objects container.

In my test I first created a user named "Test User", and then deleted the user object:

image

This will retrieve all deleted user objects:

image

This will restore all deleted user objects:

image

This will restore a specific user object:

image
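The whole sequence from checking the prerequisite to restoring "Test User", as an added example in place of the screenshots (this is not code from the post). It assumes the Active Directory module on a Windows Server 2008 R2 domain controller and the forest name domain.local:

```powershell
# Added example: check, enable and test the Active Directory Recycle Bin.
Import-Module ActiveDirectory

# 1. Prerequisite and current state. EnabledScopes stays empty until the feature is enabled.
(Get-ADForest).ForestMode                                     # must report Windows2008R2Forest
Get-ADOptionalFeature -Filter { Name -like 'Recycle Bin Feature' } |
    Select-Object Name, EnabledScopes

# 2. Enable it. This cannot be undone and requires Enterprise Admins rights.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'domain.local' -Confirm:$false

# 3. Retrieve all deleted user objects. The objectClass filter leaves out the
#    Deleted Objects container itself and deleted groups/computers.
$deletedUsers = Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deletedUsers | Select-Object Name, lastKnownParent, whenChanged

# 4a. Restore one specific user. A deleted object's Name is the original name followed by
#     "DEL:" and its GUID, so match on the prefix.
$deletedUsers | Where-Object { $_.Name -like 'Test User*' } | Restore-ADObject

# 4b. Or restore every deleted user. If a user's parent OU was deleted too, that OU must be
#     restored first, because Restore-ADObject puts objects back under lastKnownParent.
# $deletedUsers | Restore-ADObject
```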

For those of you who are more comfortable using a GUI rather than the PowerShell command line, a GUI tool for using this new feature is already available. Check out Kirk Munro's PowerGUI PowerPack for Active Directory Recycle Bin.

This blog post is based on the official Microsoft documentation on TechNet, provided in the Active Directory Recycle Bin Step-by-Step Guide.

September 13, 2009 Posted by | Active Directory management, Windows PowerShell, Windows Server 2008 R2 | 1 Comment

Generate random passwords for Active Directory users

Lately I had the need to create a random password for each user in a specified OU in an Active Directory environment.
I accomplished this by using Windows PowerShell and the System.Random .NET class combined with Quest's ActiveRoles Management Shell for Active Directory.

The script is uploaded to PoshCode, and available from here.

What I would like to add, is the encryption of the $password variable. If you have some good ideas on how to accomplish this, suggestions are welcome in the Comments-section below.
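An added example of the same task that also addresses the open question about the $password variable (this is not the PoshCode script from the post). Two things are swapped in: RNGCryptoServiceProvider replaces System.Random, which is seeded from the clock and therefore predictable, and the password only ever exists as a SecureString, which ConvertFrom-SecureString can store DPAPI-protected for the running account. It assumes the Active Directory module (Windows Server 2008 R2) instead of the Quest cmdlets, and a placeholder OU and output path:

```powershell
# Added example: cryptographically random passwords for every user in an OU, kept as SecureString.
function New-RandomPassword {
    param([int]$Length = 14)
    # Ambiguous characters (l, 1, I, O, 0) left out so the password can be read out to a user
    $alphabet = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*+=?@'
    $rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $limit  = 256 - (256 % $alphabet.Length)   # bytes at or above this are rejected to avoid modulo bias
    $secure = New-Object System.Security.SecureString
    $buffer = New-Object byte[] 1
    $count  = 0
    while ($count -lt $Length) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt $limit) {
            $secure.AppendChar($alphabet[$buffer[0] % $alphabet.Length])
            $count++
        }
    }
    $secure.MakeReadOnly()
    return $secure
}

Import-Module ActiveDirectory
$ou = 'OU=Sales,DC=domain,DC=local'            # placeholder OU
$results = foreach ($user in Get-ADUser -Filter * -SearchBase $ou) {
    $secure = New-RandomPassword
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true   # the generated value is a one-time password
    New-Object PSObject -Property @{
        SamAccountName    = $user.SamAccountName
        # DPAPI-protected for the account running the script on this machine; nobody else can decrypt it
        EncryptedPassword = ConvertFrom-SecureString -SecureString $secure
    }
}
$results | Export-Csv -Path 'C:\temp\passwords.csv' -NoTypeInformation   # placeholder path

# To hand a password to its user later, the same account turns the blob back into a SecureString:
# $s = ConvertTo-SecureString $blob
# [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($s))
```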

August 22, 2009 Posted by | Active Directory management, Scripting | 2 Comments

Manage Active Directory users using PowerShell Life Cycle-policies

Life Cycle Server 2008 is a server application to be run in Active Directory environments, providing policy-based user administration and managed operations.

I've just started working with this product at a customer wanting a system for user population automation in Active Directory.
Basically, all users are imported from a file generated by a generic HR system, and the LCS 2008 application keeps this information in a SQL database.
Based on this data source, users are maintained in Active Directory.
There is also a policy feature that allows domain- and OU-wide policies for all kinds of user attributes, such as group membership.

An upcoming extension will add support for PowerShell commands in these policies:

image

Regarding policy linking, inheritance, blocking etc., they work exactly the same way as regular Group Policies.

As an example, you could insert a PowerShell script block into a policy to check that each user's home directory exists using Test-Path and, if not, create the directory with the appropriate permissions.
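The home directory check just described, as an added example of what such a policy script block could contain (this is not LCS 2008 product code). It assumes the policy makes the user's sAMAccountName and home directory path available; for a stand-alone run they are set to placeholder values at the top:

```powershell
# Added example: make sure a user's home directory exists and carries a minimal, explicit ACL.
$user    = 'jdoe'                          # placeholder; supplied by the policy in real use
$homeDir = '\\fileserver\Users\jdoe'       # placeholder home directory path

if (-not (Test-Path -Path $homeDir)) {
    New-Item -Path $homeDir -ItemType Directory | Out-Null

    $acl = Get-Acl -Path $homeDir
    # Stop inheriting from the parent (usually a share readable by many) and drop the inherited entries,
    # so only the rules added below apply to this folder and everything created under it
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = 'ContainerInherit,ObjectInherit'
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow'),
        # The user gets Modify, not FullControl, so they cannot re-open the folder to others
        New-Object System.Security.AccessControl.FileSystemAccessRule("$env:USERDOMAIN\$user", 'Modify', $inherit, 'None', 'Allow')
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $homeDir -AclObject $acl
}
```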

For more information, have a look at the published product documentation.

August 12, 2009 Posted by | Active Directory management, Scripting, Windows PowerShell | Leave a Comment

Group Policy Preferences

 

GP Preferences was released with Windows Vista and Windows Server 2008. It gives much more flexibility in addition to Group Policy Settings (administrative templates), and in some environments it may completely replace logon scripts.

 

Overview

GP Preferences Overview

To work with Windows XP and Windows Server 2003, client-side extensions must be installed. The most common and practical way to deploy these would be to approve them in WSUS.

If set up and managed from Windows Vista or Windows Server 2008, GP Preferences may also be implemented in an Active Directory domain in Windows Server 2003 mode. This is described in more detail here.

Group Policy preference client-side extension can be downloaded here.

Group Policy Preferences overview whitepaper can be downloaded here.

 

Preferences vs. Settings (from the whitepaper)

Enforcement
  Group Policy Preferences:
  · Preferences are not enforced
  · User interface is not disabled
  · Can be refreshed or applied once
  Group Policy Settings:
  · Settings are enforced
  · User interface is disabled
  · Settings are refreshed

Flexibility
  Group Policy Preferences:
  · Easily create preference items for registry settings, files, and so on
  · Import individual registry settings or entire registry branches from a local or a remote computer
  Group Policy Settings:
  · Adding policy settings requires application support and creating administrative templates
  · Cannot create policy settings to manage files, folders, and so on

Local Policy
  Group Policy Preferences:
  · Not available in local Group Policy
  Group Policy Settings:
  · Available in local Group Policy

Awareness
  Group Policy Preferences:
  · Supports non-Group Policy-aware applications
  Group Policy Settings:
  · Requires Group Policy-aware applications

Storage
  Group Policy Preferences:
  · Original settings are overwritten
  · Removing the preference item does not restore the original setting
  Group Policy Settings:
  · Original settings are not changed
  · Stored in registry Policy branches
  · Removing the policy setting restores the original settings

Targeting and Filtering
  Group Policy Preferences:
  · Targeting is granular, with a user interface for each type of targeting item
  · Supports targeting at the individual preference item level
  Group Policy Settings:
  · Filtering is based on Windows Management Instrumentation (WMI) and requires writing WMI queries
  · Supports filtering at a GPO level

User Interface
  Group Policy Preferences:
  · Provides a familiar, easy-to-use interface for configuring most settings
  Group Policy Settings:
  · Provides an alternative user interface for most policy settings

Also, see this blog post from the Group Policy team regarding GP Preferences vs GP Settings.

 

Example usage


Drive mapping

image

Printer mapping

image

Power Options

image

 

Group Policy Resources 

Group Policy Team Blog

GPOGuy – whitepapers, blog, free tools and some excellent video trainings

GPanswers – newsletters, book resources, community forum and more.

March 20, 2009 Posted by | Active Directory management, Group Policy, Windows Server 2008 | 7 Comments

“Windows cannot complete the password change”

This week I was helping a customer who was unable to change user passwords in Active Directory.
They had 2 domain controllers running Windows Server 2003.

When trying to change a user password in Active Directory Users and Computers they received an error message stating "Windows cannot complete the password change for %user% because: The network path was not found". This occurred when logging on to both domain controllers. They also had a backup administrator account which we tried, and the error occurred there as well. We started by running some basic tests like dcdiag and netdiag to check that basic domain health was OK. Afterwards I ran an RSOP for the current user to have a look at the applied domain policies. It turned out that an admin had been changing folder redirection policies, and there was an invalid network path in these. It was also set at a level which affected all domain admin accounts, which is why it didn't matter which account logged on and tried to change the password.

The folder redirection GPO was disabled, and we ran gpupdate on both domain controllers and logged off and back on. The same error message occurred.
I then had a look at the shell folder path in the registry, at this registry path: image

The value for AppData was invalid:

image

This resulted in this error message:

image

If set to a local path like this:

image

the error message is different:

image

I then set the value for AppData to the default value:

image

Afterwards the error was resolved, and changing user passwords from ADUC was successful.

February 8, 2009 Posted by | Active Directory management | 5 Comments

Tips when scripting users in SBS 2008

If you're like me, you like to automate repetitive tasks. Today I was setting up a Windows Small Business Server 2008, and got an Excel spreadsheet with the users to be created.
I customized the spreadsheet and saved it as a csv file. These are the headers I used in the csv file:

givenname,middlename,sn,displayname,name,telephonenumber,samaccountname,userprincipalname,company,parentcontainer

I then installed Quest's PowerShell AD cmdlets to use when creating the user accounts. PowerShell was already installed since Exchange 2007 is installed on SBS 2008.

This is the PowerShell code I used:

  Import-Csv "C:\temp\users.csv" |
  ForEach-Object {
      $username = $_.samaccountname
      # Note: the csv headers listed above contain no "department" column, so -Department receives an empty value unless one is added
      New-QADUser -FirstName $_.givenname -LastName $_.sn -ParentContainer $_.parentcontainer -SamAccountName $_.samaccountname -Name $_.name -DisplayName $_.displayname -UserPrincipalName $_.userprincipalname -Company $_.company -Department $_.department -PhoneNumber $_.telephonenumber |
          Set-QADUser -UserPassword Password1 -ObjectAttributes @{homeDrive='F:'; homeDirectory="\\domain.local\Data\Users\$username"; scriptPath='netlogon.bat'} |
          Enable-QADUser
  }

SBS 2008 isn't actually meant for using other tools than the SBS Console, i.e. users should not be created using "Active Directory Users and Computers". Instead there is a wizard for creating users in the SBS Console. When using this, several things happen in the background, like creating home folders, mailboxes, permissions, group membership, and so on.

Also, users which are not created using the SBS Console wizard do not show up in the user list in the SBS Console. I knew there is an attribute on the AD objects which the wizard stamps so they are shown in the SBS Console, but I couldn't remember the name of the attribute. So I asked my very good friend Mr Google, and he gave me a link to a post on the SBS Blog. There I found the name of the attribute, which is "msSBSCreationState", and was planning to script the value of this attribute onto the users I'd just scripted.
Then I read this part of the blog post:

"If you have users that do not show in the SBS Console, you can get them to show by using the Change user role for user accounts wizard. It is important to notice that this wizard does much more than correctly "stamping" the user's msSBSCreationState attribute. Using this wizard is only a work around to get the users to show in the SBS Console that were not created using the SBS provided tools. As shown above, the only recommended way of adding new users is using the Add a new user account or Add multiple user accounts wizard."

Then I ran the "Change user role for accounts" wizard to set the account type to "Standard user" for all the scripted user accounts, and afterwards the "magic" of permissions, group membership, mailbox creation and so on was applied. So the tip when scripting user accounts in SBS 2008 is to run this wizard afterwards.

If anyone has any reasons not to create users this way in SBS, please let me know.

You might wonder whether there were so many users to be created on an SBS server that it was too much to do manually; the number was 40, and I'm just too lazy to do that manually :)

January 7, 2009 Posted by | Active Directory management, SBS 2008, Scripting | 10 Comments

Active Directory Snapshots in Windows Server 2008

Snapshots are a new feature in Windows Server 2008 Active Directory Domain Services.
They allow you to take live snapshots of the Active Directory database (ntds.dit).

Click on the image to see my example usage:

image

The snapshot can also be scheduled to run, e.g. on a daily basis, by putting this in a cmd file and scheduling it to run daily:
ntdsutil snapshot "activate instance ntds" create quit quit
exit

As you can see in the image above, you can list all snapshots by typing "list all" within the snapshot context in ntdsutil.
Then you can type "mount {GUID}" to mount the snapshot in the file system.

A utility called dsamain allows us to publish the mounted snapshot as an LDAP server, which can then be accessed by e.g. ldp.exe.
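The create, list, mount and dsamain steps chained together, as an added example that is not part of the post. It assumes an elevated PowerShell session on a Windows Server 2008 domain controller, and that ntdsutil prints GUIDs in braces and mount points of the form X:\$SNAP_..., as it does in an English locale; those output formats are what the two patterns below rely on:

```powershell
# Added example: snapshot the live ntds.dit, mount the newest snapshot and expose it over LDAP.
ntdsutil snapshot 'activate instance ntds' create quit quit | Out-Null

# "list all" prints one line per snapshot set and one per volume, each ending in a {GUID};
# the last entry listed is the one just created
$listing = ntdsutil snapshot 'list all' quit quit
$guid = ($listing | Select-String -Pattern '\{[0-9A-Fa-f-]+\}' | Select-Object -Last 1).Matches[0].Value

# Mount it; ntdsutil reports the mount point, e.g. C:\$SNAP_200812191200_VOLUMEC$\
$mountOutput = ntdsutil snapshot "mount $guid" quit quit
$mountPoint  = ($mountOutput | Select-String -Pattern '[A-Za-z]:\\\$SNAP_\S+').Matches[0].Value

# Publish the mounted copy as a separate, read-only LDAP instance. Port 10389 is arbitrary; any free
# port works, and the live directory on 389 is untouched.
$dbPath  = Join-Path $mountPoint 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$dbPath`" -ldapport 10389" -PassThru
Write-Host "Snapshot $guid is published on localhost:10389; connect with ldp.exe or a comparison tool"

# When finished: stop dsamain first, then unmount so the snapshot files are released
# Stop-Process -Id $dsamain.Id
# ntdsutil snapshot "unmount $guid" quit quit
```

The mounted snapshot contains every secret the live database does, so the mount point and the LDAP port deserve the same access restrictions as the domain controller itself.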

 

In this example I've used a great tool called Directory Service Comparison Tool, made by Fredrik Lindström; you can see more info regarding the tool here.

Then I connect to the LDAP server instance I set up with dsamain:

image

Now we can see modified, added and deleted objects (the snapshot is being compared to the live Active Directory database):

image

December 19, 2008 Posted by | Active Directory management, Windows Server 2008 | Leave a Comment
