This post describes the exact steps to use the Active Directory PowerShell cmdlets in your 2003 environment today.
Today we will address the token size SID history scenario with a PowerShell script that documents the extent of SID history in your environment and creates a SID mapping file for use with the ADMT to migrate security resources to the new SIDs.
As a Microsoft Premier Field Engineer I frequently get asked for more information on Active Directory topics. Most of the time I end up passing along one or more of the links in today's post. This list will be extremely valuable for anyone who wants to get started with Active Directory or even for a seasoned AD admin who wants to go deeper.
This post is part four in the "PowerShell: SID Walker, Texas Ranger" series on documenting and remediating SID history in your AD forest. In today's post we will look at the final step of remediating SID history: removing the SID history data from our migrated AD objects using PowerShell. Cleaning up this stale data will greatly reduce the chance of token size issues for your users.
Hi folks. It's your friendly, neighborhood PFE again. In order to avoid the long lines to buy a treadmill the first week of January I thought I would save you some time and give you an easier New Year's Resolution… Learn PowerShell.
For years many of us have relied on trusty command line utilities like PING, IPCONFIG, and REPADMIN. Some of us are still hanging on to those instead of embracing the brave new world of PowerShell.
In an effort to assist with the transition and to introduce some of the cool new cmdlets in PowerShell v3 I have created a free reference guide showing how the old meets the new. For example, instead of PING try the PowerShell cmdlet Test-Connection, instead of NSLOOKUP use Resolve-DNSName, instead of GPUPDATE use Invoke-GPUpdate.
The guide attached at the bottom of this blog post contains four packed pages of PowerShell pleasure for your perusing.
Today I posted over on the Hey Scripting Guy blog with a quick tip to unlock Active Directory user accounts. Check it out:
Active Directory Account Unlock Shortcut for Help Desk
This post is the fifth in the "SID Walker, Texas Ranger" series on SID history remediation with PowerShell. Today we're wrapping up with a handy summary of each post in the series. We will also take the function library we've been using and upgrade it to a PowerShell module. Then we'll walk through the entire SID history remediation process using the provided cmdlets in this module.
Have you ever needed to copy data between attributes in Active Directory? Maybe you need to copy an ExtensionAttribute value into a different ExtensionAttribute. Maybe you need to copy email, UPN, or SIP addresses. You may even want to move the EmployeeNumber value into the EmployeeID attribute instead. What if you needed to create a new Description based on a combination from other attributes?
Many companies have upgraded bandwidth without updating AD replication topology. Today's post features PowerShell one-liners to report on your AD site links and then tweak them for high performance.
Do you remember SIDWALK? This resource kit utility was written back in the NT 4.0 days to assist with domain migrations. It used a mapping file to rewrite old SIDs with new SIDs across ACLs. That utility is a teenager now. It's time we rewrite it... in PowerShell. In part one of this series we will learn how to parse SIDs out of SDDL that we receive from Get-ACL.
My last post on getting started with Active Directory was so popular that I thought I would do one for getting started with Group Policy. Once again this link list will satisfy everyone from beginner to advanced. I know there are many other third party resources and books, but I want to surface some Microsoft white papers and articles that may not always be obvious. Enjoy!
Back in May I released a post on the Hey Scripting Guy blog showing how to create a shortcut to unlock a user account with a PowerShell desktop shortcut. That post was very popular, and the comments evolved into another shortcut to reset passwords. Due to the popularity and utility of the idea I decided it deserved its own blog post. I’ve also learned a little more about the Set-ADAccountPassword cmdlet to simplify my previous code.
You know the drill. It’s Monday morning. Last Friday 47 users decided it was a good idea to change their password before the weekend. It’s Monday. They forgot, just like I would. Personally I never change my password on a Friday for this reason. I need a couple days to use it before the weekend.
What could make this worse? Holiday weekends… like US Thanksgiving. (grin) Now it’s been at least five days since I reset that password. There’s no chance I’ll remember it unless it’s written down on that sticky note under the mouse pad.
Now all 47 of those users must call the helpdesk first thing Monday before they can begin another week of productivity for the company. The self-service password project has not gotten enough budget or resources for implementation, and until it does every Monday morning is going to look very familiar. That’s where we come in with PowerShell.
Many of us have inherited SID history in our forest from previous mergers and acquisitions. In today's blog entry on SID history remediation we will unearth a Rosetta Stone, the key to deciphering the identity of civilizations past. This script will export a list of domain names and domain SIDs across your forest and all of its trusts. This domain SID list is the key to understanding from where the SID history of our users originated.
The very same day I posted the SID history script I found a shorter way to do it. I'm calling a "do over". When you display a list of object properties sometimes one of those properties contains multiple entries in an array or object collection. In order to expand those multiple values into single rows we pipe the output to Select-Object -ExpandProperty.
Now most people don't plan to spend their entire career on the help desk. It is a starting point for bigger things in IT. PowerShell can be your career LAUNCH PAD. Seriously. PowerShell skills will differentiate you from your peers and slingshot you to the front of the pack.
What if you could get all of the data you needed to close a ticket in seconds?
This is part two in a series on translating SIDs in ACLs. Today we're going to unleash a Chuck Norris roundhouse kick on old SIDs stinking up the ACLs on our file servers. It's time to take out the trash... PowerShell style.
After speaking about SID history and token size at PowerShell Saturday last month an attendee approached me with a common concern. I was so excited to code the answer that I did it in the airport on the way home.
Joe User has been with the company for 23 years and has accumulated more group memberships than the entire desktop support team. Joe has rotated through five different departments during his career and managed to survive all of the layoffs. As a result he has access to every share in the company. Even worse his access token is so big that it won’t fit through the door.
We would love to clean up his group memberships, but we have no way of knowing when he was added to all these groups. If we could see the dates he joined those groups it would give us a clue about removing just the older group memberships. Without this information his token will continue to bloat.
Time for some AD PowerShell v3 goodness!
PS - I'm also going to give you a handy chart showing PowerShell equivalents for REPADMIN in AD PowerShell v3.
Today we are diving into PowerShell remoting to understand five different methods for commanding our army of minions. We will also examine the protocols and requirements under the hood so we know exactly what we are getting. The information below comes from some testing in my home lab where I captured network traces of each remoting technology to see the ports, protocols, and protections employed between two Windows Server 2008 R2 member servers.
Today I am releasing updated functionality in the PowerShell Active Directory SID History module. New features include: inventory SID history in share permissions, new Access database reporting template, bug fixes, and more!
Today's post will help you clean up site link descriptions and give you some nice reporting capability. Some folks like to set their site link description field to list each of the member sites in the link. If that is you, then you'll love this script. Today's script enumerates all of the member sites in a site link and then concatenates their names into the description of the site link. Also, it will make a note in the description for any site links that have change notification enabled. Now that's handy! There is also a bonus site reporting script in the download attached.