Tag: ActiveDirectory

Active Directory Domain Trusts & Trust Password Management

Recently a customer asked me about Active Directory Domain Trusts and how the passwords were managed. I replied with some educated guesses based on how AD manages a variety of passwords. After stating how I thought it worked (and mentioned that I wasn’t sure), I decided to look it up. I was mostly correct. Every …

Continue reading

Windows Server 2012 R2 deprecates FRS (File Replication Service)

Microsoft’s Tip of the Day has the following useful information on Domain Controller File Replication Service (FRS) depercation: FRS (File Replication Service) has been deprecated in Windows Server 2012 R2.  The deprecation of FRS has been accomplished by enforcing a minimum domain functional level of Windows Server 2008.  This enforcement is present only if the …

Continue reading

PowerShell Code: Convert Integer8 to Date

There are several Active Directory attributes where the value is stored as an Integer8 value. These include: accountExpires badPasswordTime lastlogon lastlogontimestamp pwdLastSet Here’s information on what Integer8 is: Many attributes in Active Directory have a data type (syntax) called Integer8. These 64-bit numbers (8 bytes) often represent time in 100-nanosecond intervals. If the Integer8 attribute …

Continue reading

Powershell Code: Determine LastLogonTimeStamp Replication Time

It seems that I have been asked to provide a lot of user (& computer) logon information over the past few months. In order to provide this information, I (as others have) leveraged the LastLogonTimeStamp attribute to determine when a user (or computer) logged on last. Assuming you have a Windows 2003 forest mode Active …

Continue reading

PowerShell Function: Get-ADAuthGroups

Here’s a PowerShell Function that leverages Active Directory .Net to get a list of the AD authorization groups. This is extremely useful to get a complete list of security groups that comprise a user’s AD Kerberos token without having to loop or recurse AD groups.   Function GetAuthGroups { Param ( $AccountID, [switch]$CountAuthGroups, [Switch]$ReturnGroups = …

Continue reading

PowerShell and Ambiguous Name Resolution (ANR) Search in Active Directory

I was recently asked how to find a user when you have data that may be the SamAccountName or in another attribute. My first thought was leveraging Ambiguous Name Resolution (ANR) Search in Active Directory. ANR enables you to find a user when you have some information about a user, but don’t know exactly to …

Continue reading

PowerShell Code: Find User in Active Directory Forest

  PowerShell Code: Find User in Active Directory Forest There are times when you have a userid, but don’t know where in a multi-domain forest a user is located. Here’s some PowerShell code for locating the user’s domain. PowerShell code leverages the Active Directory PowerShell module to query a local Global Catalog (GC) server in …

Continue reading

Azure & Active Directory

  Azure is big. It’s really big. Seriously, it’s hard to comprehend just how big it really is. (Apologies to Douglas Adams.) In July of last year, then-CEO Steve Ballmer stated that Azure data centers held “comfortably over a million physical servers.” Last year, Azure server purchases accounted for 17% of all server purchases worldwide. …

Continue reading

Powershell Remote Use of Module Commandlets (Remoting Import-Module)

Practically all of my Powershell scripts use an Active Directory commandlet. Ok, so they use several.  I like to query AD to get environmental information so when I run the script, I know what I am working with from an AD perspective. I can’t help it, I’m an AD Guy. In order to run the …

Continue reading

PowerShell Code: Find Active Directory Site Containing AD Subnet

Here’s a quick script that returns the site in the Active Directory forest given a subnet (ex. 10.20.30.0). Match-Subnet2Site.ps1   Param ( [string]$Subnet ) $IPSubnetRegEx = ‘\b((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|0)\b’ # $IPRegEx = ‘\b((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b’ IF ($Subnet -match $IPSubnetRegEx) { Write-Output “Searching the AD forest for subnet: $Subnet ” } ELSE { Write-Error “The provided subnet ($Subnet) is not …

Continue reading