Category Archives: Windows 2012

Active Directory Managed Service Accounts (PowerShell Guide)

Service accounts are recommended when installing applications or services in an infrastructure. A service account is a dedicated account with specific privileges, used to run services, batch jobs and management tasks. In most infrastructures, service accounts are ordinary user accounts with the "Password never expires" option set. Since these accounts are not used regularly, administrators have to keep track of them and their credentials. I have seen many occasions where engineers ran into issues because of outdated or misplaced service account credentials. The pain of it is that if you reset a service account's password, you also need to update the services, databases and application settings that use it before the application or service is up and running again. Apart from that, engineers also have to manage service principal names (SPNs), which identify a service instance uniquely.

After considering these challenges, Microsoft introduced Managed Service Accounts with Windows Server 2008 R2. These accounts have the following features and limitations:

No more password management. It uses a complex, random, 240-character password and changes it automatically when it reaches the domain or computer password expiry date.

It cannot be locked out or used for interactive logon.

One managed service account can only be used on one computer; it cannot be shared between multiple computers.

Simplified SPN management – the system automatically updates the SPN value if the computer's sAMAccountName or DNS name property changes.

To create a managed service account, we can use the following command. I am running this from the domain controller.

New-ADServiceAccount -Name "MyAcc1" -RestrictToSingleComputer

In the above command I am creating a service account called MyAcc1 and restricting it to one computer.

The next step is to associate the service account with the host REBEL-SRV01, where I am going to use it.

Add-ADComputerServiceAccount -Identity REBEL-SRV01 -ServiceAccount "MyAcc1"

The next step is to install the service account on the REBEL-SRV01 server. We need the Active Directory PowerShell module for this; it can be installed as part of the RSAT tools. Once it is ready, run the command:

Install-ADServiceAccount -Identity "MyAcc1"

Once it's done, we can test it using:

Test-ADServiceAccount "MyAcc1"

It returns the value True, which means the test is successful.

From the Active Directory server, we can verify the service account by running:

Get-ADServiceAccount "MyAcc1"

Tip – When configuring the managed service account in a service, make sure to leave the password empty. You do not need to define a password there, as the system generates it automatically.
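The steps above create and bind one account by hand. As an added example (not part of the original post), the script below audits every standalone MSA in the domain and re-checks the MyAcc1 / REBEL-SRV01 binding; it assumes the ActiveDirectory RSAT module in a domain-joined session, and the 30-day threshold is an assumed review value.

```powershell
# Added example: audit standalone Managed Service Accounts and verify one binding.
# Assumes the ActiveDirectory module; MyAcc1 and REBEL-SRV01 are the names from the post.
Import-Module ActiveDirectory

function Get-MsaAuditReport {
    param([int]$MaxPasswordAgeDays = 30)   # assumed review threshold

    # HostComputers is the back-link listing the computers allowed to use the account
    Get-ADServiceAccount -Filter * -Properties HostComputers, PasswordLastSet, Enabled |
        ForEach-Object {
            $age = if ($_.PasswordLastSet) {
                (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days
            } else { $null }

            [pscustomobject]@{
                Name            = $_.Name
                Enabled         = $_.Enabled
                HostCount       = @($_.HostComputers).Count
                Hosts           = (@($_.HostComputers) -join ';')
                PasswordAgeDays = $age
                # No linked host: the account cannot be used anywhere (typically a decommissioning leftover)
                Orphaned        = (@($_.HostComputers).Count -eq 0)
                # A password that never rotates usually means the account was never installed on its host
                StaleSecret     = ($null -eq $age -or $age -gt $MaxPasswordAgeDays)
            }
        }
}

# Verify a single account end to end, the way the post does step by step
function Test-MsaBinding {
    param([string]$Name = 'MyAcc1', [string]$ComputerName = 'REBEL-SRV01')

    $msa      = Get-ADServiceAccount -Identity $Name -Properties HostComputers
    $computer = Get-ADComputer -Identity $ComputerName
    [pscustomobject]@{
        Account       = $Name
        LinkedToHost  = (@($msa.HostComputers) -contains $computer.DistinguishedName)
        # Test-ADServiceAccount only returns True on the host where Install-ADServiceAccount was run
        InstalledHere = ($env:COMPUTERNAME -eq $ComputerName) -and (Test-ADServiceAccount -Identity $Name)
    }
}

Get-MsaAuditReport | Where-Object { $_.Orphaned -or $_.StaleSecret } | Format-Table -AutoSize
Test-MsaBinding
```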
This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on also follow me on twitter @rebeladm to get updates about new blog posts.

Manage Active Directory Organizational Units (OU) with PowerShell

Similar to any other Active Directory object, the OU structure can be managed using Active Directory Administrative Center (ADAC), the Active Directory Users and Computers (ADUC) MMC and PowerShell. In this post, I am going to demonstrate how to manage the OU structure using PowerShell.

A new Organizational Unit can be created using the New-ADOrganizationalUnit cmdlet. The complete syntax can be reviewed using:

Get-Command New-ADOrganizationalUnit -Syntax

As the first step, I am going to create a new OU called "Asia" to represent the Asia branch.

New-ADOrganizationalUnit -Name "Asia" -Description "Asia Branch"

In the above command, -Description defines the description for the new OU. When no path is defined, the OU is created under the domain root. We can review the details of the new OU using:

Get-ADOrganizationalUnit -Identity "OU=Asia,DC=rebeladmin,DC=com"


We can add or change OU attribute values using:

Get-ADOrganizationalUnit -Identity "OU=Asia,DC=rebeladmin,DC=com" | Set-ADOrganizationalUnit -ManagedBy "Asia IT Team"

The above command sets the ManagedBy attribute to "Asia IT Team".

Tip – When you use the ManagedBy attribute, make sure the value is an existing Active Directory object. It can be an individual user object or a group object; otherwise the command fails.

"Protect from Accidental Deletion" for an OU object is a nice small safeguard we can apply. It prevents accidental deletion of the OU object. It is applied by default when you create an OU using ADAC or ADUC.

Get-ADOrganizationalUnit -Identity "OU=Asia,DC=rebeladmin,DC=com" | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

As the next step, I am going to create a sub-OU called "Users" under the Asia OU.

New-ADOrganizationalUnit -Name "Users" -Path "OU=Asia,DC=rebeladmin,DC=com" -Description "Users in Asia Branch" -ProtectedFromAccidentalDeletion $true

The above command creates an OU called Users under the path OU=Asia,DC=rebeladmin,DC=com. It is also protected from accidental deletion.

Now we have the OU structure created, and the next step is to move objects into it. For that we can use the Move-ADObject cmdlet.

Get-ADUser "tuser3" | Move-ADObject -TargetPath "OU=Users,OU=Asia,DC=rebeladmin,DC=com"

The above command finds the user "tuser3" and moves the object to OU=Users,OU=Asia,DC=rebeladmin,DC=com.

We can also move multiple objects to the new OU.

Get-ADUser -Filter 'Name -like "Test*"' -SearchBase "OU=Users,OU=Europe,DC=rebeladmin,DC=com" | Move-ADObject -TargetPath "OU=Users,OU=Asia,DC=rebeladmin,DC=com"

In the above command, it first searches for all user accounts whose name starts with "Test" in OU=Users,OU=Europe,DC=rebeladmin,DC=com and then moves all the objects it found to the new OU path.

Tip – If ProtectedFromAccidentalDeletion is enabled on an object, it cannot be moved to a different OU. The protection needs to be removed before the object is moved.

If we need to remove an OU object, it can be done using the Remove-ADOrganizationalUnit cmdlet.

Remove-ADOrganizationalUnit "OU=Laptops,OU=Europe,DC=rebeladmin,DC=com"

The above command removes the OU=Laptops,OU=Europe,DC=rebeladmin,DC=com Organizational Unit. Note that a protected OU has to have ProtectedFromAccidentalDeletion cleared first, otherwise the removal fails.
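As an added example (not part of the original post), the script below puts the post's steps together: it builds the Asia OU structure, validates the ManagedBy value before setting it (the first tip), and moves users while handling the ProtectedFromAccidentalDeletion flag (the second tip). It assumes the ActiveDirectory module and uses the post's rebeladmin.com names; the function names are my own.

```powershell
# Added example: provision protected OUs and move users safely (rebeladmin.com names from the post)
Import-Module ActiveDirectory

function New-ProtectedOu {
    param([string]$Name, [string]$Path, [string]$Description, [string]$ManagedBy)

    $dn = "OU=$Name,$Path"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -Description $Description `
            -ProtectedFromAccidentalDeletion $true
    }
    if ($ManagedBy) {
        # ManagedBy must reference an existing user or group, or Set-ADOrganizationalUnit fails
        $owner = Get-ADObject -Filter "Name -eq '$ManagedBy' -and (ObjectClass -eq 'user' -or ObjectClass -eq 'group')"
        if (-not $owner) { throw "ManagedBy object '$ManagedBy' does not exist in AD" }
        Set-ADOrganizationalUnit -Identity $dn -ManagedBy $owner.DistinguishedName
    }
    return $dn
}

function Move-UsersSafely {
    param([string]$SourceOu, [string]$NameFilter, [string]$TargetOu)

    Get-ADUser -Filter "Name -like '$NameFilter'" -SearchBase $SourceOu `
               -Properties ProtectedFromAccidentalDeletion |
    ForEach-Object {
        $guid = $_.ObjectGUID                      # survives the move, unlike the DN
        $wasProtected = $_.ProtectedFromAccidentalDeletion
        # A protected object cannot be moved: clear the flag, move, then restore it
        if ($wasProtected) { Set-ADObject -Identity $guid -ProtectedFromAccidentalDeletion $false }
        try {
            Move-ADObject -Identity $guid -TargetPath $TargetOu
        } finally {
            if ($wasProtected) { Set-ADObject -Identity $guid -ProtectedFromAccidentalDeletion $true }
        }
    }
}

$root  = (Get-ADDomain).DistinguishedName          # DC=rebeladmin,DC=com in the post
$asia  = New-ProtectedOu -Name 'Asia'  -Path $root -Description 'Asia Branch' -ManagedBy 'Asia IT Team'
$users = New-ProtectedOu -Name 'Users' -Path $asia -Description 'Users in Asia Branch'
Move-UsersSafely -SourceOu "OU=Users,OU=Europe,$root" -NameFilter 'Test*' -TargetOu $users
```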

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step Guide to publish proxy settings via GPO for IE10 and IE11 in a Windows Server 2008 R2 AD environment

Before IE10, Internet Explorer settings could be managed using Internet Explorer Maintenance (IEM) in Group Policy. If your organization has IE settings published using IEM, they no longer apply to IE10 and IE11.

If it is a Windows 2012 or later AD environment, this is not a problem: you can simply publish these settings using the new IE settings publishing method in GPO. But if it is Windows 2008 or Windows 2008 R2, you need to follow a different method. In this post I will explain how to do it in a Windows 2008 R2 AD environment.

Before IE10 you could publish settings via GPO using User Configuration > Policies > Windows Settings > Internet Explorer Maintenance. But if your server is running IE10 or IE11, you can't see it in GPO any more.


The new method is to publish IE settings via User Configuration > Control Panel Settings > Internet Settings. There you can create settings based on the IE version. In my demo I am using a DC server with Windows 2008 R2 and IE 11 installed. But here I can't see an option to publish IE10 or IE11 settings.


So how can we do it?

To publish IE10+ settings, you need one of the following in the same domain:
1)    Windows 2012 or newer server with Group Policy Management Feature installed
2)    Windows 8.0 machine with latest RSAT tools
3)    Windows 8.1 machine with latest RSAT tools
4)    Windows 10 machine with latest RSAT tools

Also make sure the system is running with the latest updates.

Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 and Windows Server 2008 R2 from a computer running Windows 8.1, Windows 8 or newer.

In my demo I am using a Windows 8.1 machine with RSAT installed.

1)    To start, log in to the PC with Domain Administrator privileges.
2)    Then go to Programs and click on Group Policy Management.


3)    Once it loads, expand the console, go to the domain, right-click and select Create a GPO in this domain, and Link it here.
In my demo I am going to create a new GPO to publish the IE settings.


4)    Type the new policy name and click OK.


5)    Then right-click on the newly added policy and click Edit.


6)    Expand the policy settings and go to User Configuration > Preferences > Control Panel Settings > Internet Settings. Then right-click and select New. Here we can now see Internet Explorer 10. There is no IE11 entry; the IE10 settings are valid for IE11 too. Click on "Internet Explorer 10" to publish the settings.


7)    It opens a window that looks similar to the typical IE settings interface.


8)    Type the changes you would like to publish.


9)    One thing you need to make sure of: once you have entered the changes, press F6 to apply them. If it works, the red dotted line changes to a green dotted line. No matter what changes you put in, if you do not activate them by pressing F6 they will not be published.


10)    Click OK to submit the settings; here you can see it saves the IE10 browser settings.


11)    It's time for testing. Let's see if the new settings are applied to IE11.


12)    Yes, it worked fine. One thing to keep in mind: if you need to make changes to the GPO, you need to use one of the options mentioned above. You can't edit the new values with Windows 2008 R2.
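For the testing step, as an added example (not part of the original post), the script below checks on a client whether the published proxy settings actually landed in the per-user Internet Settings registry key that IE reads, and separates "policy not refreshed yet" from "wrong value". The proxy address proxy.rebeladmin.com:8080 is a constructed placeholder; the function names are my own.

```powershell
# Added example: verify published IE proxy settings on a client (constructed expected values)
function Get-IEProxyState {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnabled = ([int]$p.ProxyEnable -eq 1)
        ProxyServer  = $p.ProxyServer
        # ProxyOverride is the bypass list; '<local>' means bypass the proxy for local addresses
        Bypass       = if ($p.ProxyOverride) { $p.ProxyOverride -split ';' } else { @() }
        AutoConfig   = $p.AutoConfigURL
    }
}

function Test-PublishedProxy {
    param([string]$ExpectedServer, [string[]]$ExpectedBypass = @('<local>'))

    $state   = Get-IEProxyState
    $missing = @($ExpectedBypass | Where-Object { $state.Bypass -notcontains $_ })
    [pscustomobject]@{
        Compliant     = $state.ProxyEnabled -and ($state.ProxyServer -eq $ExpectedServer) -and ($missing.Count -eq 0)
        ProxyEnabled  = $state.ProxyEnabled
        ProxyServer   = $state.ProxyServer
        MissingBypass = $missing
        # If nothing is set at all, check that Group Policy has refreshed for this user since the GPO
        # was linked (and remember the post's point: items not activated with F6 are never published)
        LastGpRefresh = (gpresult /r /scope:user 2>$null | Select-String 'Last time Group Policy was applied')
    }
}

Test-PublishedProxy -ExpectedServer 'proxy.rebeladmin.com:8080'
```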

If you have any questions feel free to contact me on

The Active Directory Replication Status Tool (ADREPLSTATUS)

Healthy Active Directory replication is important for an Active Directory infrastructure. REPADMIN is a command-line utility which can be used to check AD replication status. I wrote an article before about common replication errors and how to use these command-line utilities for troubleshooting. If you have not read it yet, you can find it here.

The Active Directory Replication Status Tool (ADREPLSTATUS) is a small but handy tool published by Microsoft which can be used to analyze the replication status of an Active Directory environment. The output is similar to the output of the command REPADMIN /SHOWREPL * /CSV, but with a few enhancements.

Specific capabilities for this tool include:

    • Expose Active Directory replication errors occurring in a domain or forest
    • Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active Directory forests
    • Help administrators and support professionals resolve replication errors by linking to Active Directory replication troubleshooting content on Microsoft TechNet
    • Allow replication data to be exported to source or destination domain administrators or support professionals for offline analysis

System Requirements

Domain membership requirements:

    • Must be joined to the Active Directory domain or forest you intend to monitor
.NET Framework requirements:
    • .NET Framework 4.0 (you may be prompted to install .NET Framework 3.5.1 first on Windows Server 2008)

Required User Credentials:

    • Target forest/domain user account

Other Requirements:

ADREPLSTATUS will not work when the following security setting is enabled on the operating system:
    • System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

The tool can be downloaded from


It is very straightforward. All you need to do is double-click on the file.

Once installed, double-click on the icon to run the application.



Once the tool is loaded, you can check replication for the entire forest or for specific domains.


After you specify the replication boundaries, click the Refresh Replication Status button. It discovers the current configuration and replication status.




If required, you can export the data to XPS or CSV format.
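As an added example (not part of the original post or the tool), the script below produces the same kind of prioritised failure list from the REPADMIN /SHOWREPL * /CSV output the post compares the tool with, so it can run unattended where the GUI tool cannot. It assumes repadmin is available (a DC or RSAT) and that the account can query every DC; the column names are those repadmin emits, and the 24-hour threshold is an assumed alert value.

```powershell
# Added example: flag failing or stale replication links from repadmin CSV output
function Get-ReplicationFailures {
    param([int]$MaxHoursSinceSuccess = 24)   # assumed threshold; well below the tombstone lifetime

    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $failures = [int]$r.'Number of Failures'
        $lastOk = $null
        if ($r.'Last Success Time' -and $r.'Last Success Time' -ne '0') {
            try { $lastOk = [datetime]::Parse($r.'Last Success Time') } catch { $lastOk = $null }
        }
        $hours = if ($lastOk) { ((Get-Date) - $lastOk).TotalHours } else { [double]::PositiveInfinity }

        # Report only links that are failing or have not replicated within the threshold;
        # a link that stays down long enough is how lingering objects are created
        if ($failures -gt 0 -or $hours -gt $MaxHoursSinceSuccess) {
            [pscustomobject]@{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Failures      = $failures
                LastSuccess   = $lastOk
                HoursSinceOk  = [math]::Round($hours, 1)
                LastStatus    = $r.'Last Failure Status'
            }
        }
    }
}

Get-ReplicationFailures | Sort-Object HoursSinceOk -Descending | Format-Table -AutoSize
```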


Hope this info helps. If you have any questions feel free to contact me on

Step by Step Guide to downgrade domain and forest functional level

Before Windows Server 2008 R2, it was not possible to downgrade the forest and domain functional levels once they had been raised. That is not a problem if you plan your Active Directory upgrades properly, but sometimes it is a lifesaver given the difficulties admins face with AD upgrades. Starting with Windows Server 2008 R2 you can downgrade forest and domain functional levels. The minimum level you can downgrade to is Windows Server 2008.

In my demo I am using a domain controller with the forest and domain functional levels set to Windows 2012 R2.

There is no GUI to perform this downgrade. We have to use PowerShell commands.

First, log in to the domain controller as a Domain Admin / Enterprise Admin.

Then open PowerShell with admin rights.


Then we need to import the AD module.

To do that, type Import-Module -Name ActiveDirectory


Before proceeding, as confirmation, here my domain and forest functional levels are set to Windows Server 2012 R2.



First I am going to set the forest functional level to Windows Server 2008.
To do that:

Set-ADForestMode -Identity "" -ForestMode Windows2008Forest

In here my FQDN is you can replace it with your domain name.
After running the command it asks for confirmation; type Y or A to confirm the change.


The next step is to downgrade the domain functional level to Windows Server 2008.
To do that:

Set-ADDomainMode -Identity "" -DomainMode Windows2008Domain


After the commands complete successfully, the next step is to confirm the new forest and domain functional levels. This time I am using PowerShell.
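As an added example (not part of the original post), the script below wraps the two commands above with a pre-flight report: it reads the current levels from the domain instead of hard-coding the FQDN, and lists enabled optional features (such as the AD Recycle Bin) whose required forest level would block a downgrade below it. It assumes the ActiveDirectory module and Enterprise Admin rights; the function names are my own.

```powershell
# Added example: report functional levels and enabled optional features, then lower the levels
Import-Module ActiveDirectory

function Get-FunctionalLevelReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        Forest          = $forest.Name
        ForestMode      = $forest.ForestMode
        Domain          = $domain.DNSRoot
        DomainMode      = $domain.DomainMode
        # An optional feature enabled at forest scope cannot be disabled, so the forest
        # level cannot be lowered below the level that feature requires
        EnabledFeatures = (Get-ADOptionalFeature -Filter * |
            Where-Object { $_.EnabledScopes.Count -gt 0 } |
            ForEach-Object { "$($_.Name) (requires $($_.RequiredForestMode))" }) -join '; '
    }
}

function Set-FunctionalLevels {
    param(
        [string]$ForestMode = 'Windows2008Forest',   # the post's target levels
        [string]$DomainMode = 'Windows2008Domain'
    )
    $before = Get-FunctionalLevelReport
    if ($before.EnabledFeatures) {
        Write-Warning "Enabled optional features may block the downgrade: $($before.EnabledFeatures)"
    }
    # Same order as the post: forest first, then the domain. -Confirm:$false skips the Y/A prompt.
    Set-ADForestMode -Identity $before.Forest -ForestMode $ForestMode -Confirm:$false
    Set-ADDomainMode -Identity $before.Domain -DomainMode $DomainMode -Confirm:$false
    Get-FunctionalLevelReport
}

Get-FunctionalLevelReport
```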


If you have any questions feel free to contact me on

Restricted Groups using group policies

In a previous post I explained the different groups we can create in a domain environment. In an organization, sometimes you may need to grant permissions to different users to manage these groups and their memberships. But sometimes it is better if we can lock some of these memberships for security reasons. For example, let's assume you have a group with access to the organization's financial records, which only upper management should have access to. So the membership of that group is important.

Restricted Groups policy is the answer. Using Group Policy you can specify the membership and enforce it, so no one can add or remove members.

Let’s see how we can do it in domain environment.

For the demo I created a group called "Remote Clients" and made usera and userb members of it.
But for the demo I need to restrict the group membership so that only the user testa is a member.


To do it, go to Server Manager > Tools > Group Policy Management.


Then go to the OU where you wish to apply the Restricted Groups policy. If it is going to apply to the whole organization, you can make it a domain-wide policy as well. Then right-click on the OU name and select "Create a GPO in this domain, and Link it here".


Then provide a name for the new policy and click OK.


Then go to the OU again, right-click on the new GPO and click Edit.


Then go to the Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups folder.
Right-click on it and click "Add Group".



Then select the group you need to add; in my demo it is Remote Clients. Then click OK.


Then it gives the option to add members to the group, and also to add this group as a member of another group.


Here I added the user testa, and I need to enforce the membership to only this user.



Now it's all done. The next time the policy is applied, it will overwrite the current membership.
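Between policy refreshes the membership can still drift, so as an added example (not part of the original post) the script below compares the group's actual membership with the list the policy enforces and pulls the Security log events that record who added a member. It uses the post's "Remote Clients" group and the testa user, assumes the ActiveDirectory module, and must run on a domain controller with rights to read the Security log; the function names are my own.

```powershell
# Added example: detect Restricted Groups membership drift and find who caused it
Import-Module ActiveDirectory

function Test-RestrictedGroupDrift {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string[]]$ExpectedMembers   # sAMAccountNames defined in the GPO
    )
    $actual = @(Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName)

    $unexpected = @($actual | Where-Object { $ExpectedMembers -notcontains $_ })
    $missing    = @($ExpectedMembers | Where-Object { $actual -notcontains $_ })

    [pscustomobject]@{
        Group      = $Group
        Compliant  = ($unexpected.Count -eq 0) -and ($missing.Count -eq 0)
        Unexpected = $unexpected    # members someone added; the policy removes them on next refresh
        Missing    = $missing       # members the policy adds back on next refresh
    }
}

# Events 4728 (global), 4732 (local) and 4756 (universal) record a member being added to a group
function Get-GroupAddEvents {
    param([string]$Group, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Group) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Test-RestrictedGroupDrift -Group 'Remote Clients' -ExpectedMembers @('testa')
Get-GroupAddEvents -Group 'Remote Clients'
```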


If you have any question feel free to contact me on

Compacting DHCP database using Jetpack.exe

Like any other database, the DHCP server database also needs periodic maintenance to keep up performance and availability. In large infrastructures the DHCP database can grow fast. As we do for other databases, the DHCP server DB can also be compacted. Microsoft recommends doing this for any database larger than 30 MB.

Back in the Windows NT days Microsoft introduced a utility called "Jetpack" which can be used to compact WINS and DHCP databases. This tool is still available even in Windows Server 2012 R2.

In this demo I will show how we can compact the database. The compaction process happens in 3 steps:

1)    Copy the running DHCP database into a temporary database.
2)    Delete the original DHCP DB.
3)    Rename the temporary database to the original database file name.

Please note that to do this we first need to stop the DHCP server, so make sure to pre-plan for the downtime.

In this demo I am using Windows Server 2012 R2 connected to a domain. It holds the DHCP server role for the network.

1)    Log in to the server as Domain Admin or Enterprise Admin.
2)    Open a command prompt as admin.


3)    Then type cd %systemroot%\system32\dhcp


4)    Then type net stop dhcpserver. It stops the DHCP server.


5)    Then type jetpack.exe dhcp.mdb tmp.mdb


Well, this is the interesting part: if you do not have the WINS Server role installed on the server, you will get an error like 'jetpack' is not recognized as an internal or external command, operable program or batch file.
Unfortunately, jetpack only comes with the WINS Server package, so you need to add this role if you do not have it.


6)    Finally type net start dhcpserver to start the DHCP server.
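As an added example (not part of the original post), the script below runs the six steps above as one unit, checks for jetpack.exe before stopping anything, skips databases under the 30 MB figure the post cites, and restarts the DHCP service even if compaction fails. It assumes an elevated PowerShell session on the DHCP server; the function name is my own.

```powershell
# Added example: compact dhcp.mdb with jetpack.exe, restarting the service in all cases
function Compress-DhcpDatabase {
    param([int]$ThresholdMB = 30)   # Microsoft's figure quoted in the post

    $dbDir = Join-Path $env:SystemRoot 'System32\dhcp'
    $db    = Join-Path $dbDir 'dhcp.mdb'
    $tmp   = Join-Path $dbDir 'tmp.mdb'

    # jetpack.exe ships with the WINS Server role; fail early rather than after stopping DHCP
    if (-not (Get-Command jetpack.exe -ErrorAction SilentlyContinue)) {
        throw 'jetpack.exe not found: install the WINS Server role first'
    }
    $sizeMB = [math]::Round((Get-Item $db).Length / 1MB, 1)
    if ($sizeMB -lt $ThresholdMB) {
        Write-Host "dhcp.mdb is $sizeMB MB, below the $ThresholdMB MB threshold; nothing to do"
        return
    }
    if (Test-Path $tmp) { Remove-Item $tmp -Force }   # a leftover tmp.mdb makes jetpack fail

    Stop-Service DHCPServer -Force                    # same as 'net stop dhcpserver'
    try {
        Push-Location $dbDir
        # jetpack copies dhcp.mdb into tmp.mdb, deletes the original and renames tmp.mdb back
        & jetpack.exe dhcp.mdb tmp.mdb
        if ($LASTEXITCODE -ne 0) { throw "jetpack failed with exit code $LASTEXITCODE" }
    } finally {
        Pop-Location
        # Bring DHCP back whatever happened so clients do not lose leases longer than necessary
        Start-Service DHCPServer                      # same as 'net start dhcpserver'
    }
    [pscustomobject]@{
        SizeBeforeMB = $sizeMB
        SizeAfterMB  = [math]::Round((Get-Item $db).Length / 1MB, 1)
        ServiceState = (Get-Service DHCPServer).Status
    }
}

Compress-DhcpDatabase
```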


If you have any question feel free to contact me on

Automatic DHCP server Backup

A Dynamic Host Configuration Protocol (DHCP) server in an organization may require backup and restore of the DHCP database in the event of hardware failure, software failure, migration or a faulty configuration change. How many of you know that Microsoft automatically backs up your DHCP database? Sounds strange, right? But yes, the system automatically backs up the DHCP server configuration. In this post let's see how we can adjust the default parameters of this automatic backup process.

In my demo I am using a Windows Server 2012 R2 server in a domain. It has the DHCP server role installed and configured.

To start the process, log in to the server as Domain Admin or Enterprise Admin.
Then go to Server Manager > DHCP.


Once the MMC loads, right-click on the server node and click Properties.


In the new window you can see it shows the backup path as C:\Windows\system32\dhcp\backup. This is the default path, but we can change it to a local folder or a network share. Click Browse to select the new path. In my demo it is set to C:\DHCPBackup. Once the path is set, click OK.



The system automatically backs up the configuration every 60 minutes, but we can also change this schedule as per our requirements.
To do that we need to edit a registry value. To open the registry editor, go to Run > regedit.


Then go to the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters.
There you will see a value called BackupInterval.


To edit the value, double-click on it and then select the Decimal option.


As you can see the default value is 60. To change it, type the value you need (the value represents the number of minutes) and press OK. In my demo I am going to set it to 10 minutes.

Once done, we can check the folder path we set to confirm the backup has been made.
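As an added example (not part of the original post), the script below makes the same two changes from PowerShell and then performs the final check automatically: it uses the post's C:\DHCPBackup path and 10-minute interval, confirms the values by reading back the registry key the post edits, and flags a backup folder whose newest file is older than two intervals. It assumes an elevated session on the DHCP server and the DhcpServer module that ships with the role on Windows Server 2012; the function names are my own.

```powershell
# Added example: set the DHCP automatic backup path and interval, then verify a backup is current
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'   # key from the post

function Set-DhcpAutoBackup {
    param([string]$BackupPath = 'C:\DHCPBackup', [int]$IntervalMinutes = 10)

    if (-not (Test-Path $BackupPath)) { New-Item -ItemType Directory -Path $BackupPath | Out-Null }
    # Supported way to change what the GUI and regedit steps change (DhcpServer module, 2012+)
    Set-DhcpServerDatabase -BackupPath $BackupPath -BackupInterval $IntervalMinutes
    # Read back the registry values the post edits by hand: BackupInterval is in minutes
    Get-ItemProperty -Path $paramsKey | Select-Object BackupInterval, BackupDatabasePath
}

function Test-DhcpBackupFresh {
    param([string]$BackupPath = 'C:\DHCPBackup', [int]$IntervalMinutes = 10)

    $newest = Get-ChildItem -Path $BackupPath -Recurse -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $ageMin = if ($newest) { ((Get-Date) - $newest.LastWriteTime).TotalMinutes } else { $null }
    [pscustomobject]@{
        BackupPath = $BackupPath
        NewestFile = if ($newest) { $newest.FullName } else { $null }
        AgeMinutes = if ($null -ne $ageMin) { [math]::Round($ageMin, 1) } else { $null }
        # Nothing newer than two intervals means the scheduled backup is not running
        Fresh      = ($null -ne $ageMin) -and ($ageMin -le 2 * $IntervalMinutes)
    }
}

Set-DhcpAutoBackup
Test-DhcpBackupFresh
```

Run Test-DhcpBackupFresh again after the first interval has elapsed; immediately after changing the settings the folder may legitimately still be empty.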


If you have any questions feel free to contact me on