Tag Archives: AD Attributes

Find Active Directory Objects (PowerShell Guide)

Active Directory can hold nearly 2 billion objects. As the number of objects grows, so does the need for effective object filtering. Active Directory has several GUI options to search for and filter specific objects. We can also filter objects using PowerShell.

In previous posts, we learned about the Get-ADUser and Get-ADComputer cmdlets and how they can be combined with other commands to filter objects from Active Directory and perform administrative tasks. They can also be used to retrieve specific attribute values from the filtered objects.

Get-ADUser -Identity user1 -Properties *

The above command lists all the attributes associated with user1 and their values. This helps to find the exact attribute names and the common values that can be used for further filtering.

I need to know the values of Name, UserPrincipalName and Modified for all users. The following command creates a table with those attributes and their values.

Get-ADUser -Filter * -Properties Name,UserPrincipalName,Modified | ft Name,UserPrincipalName,Modified


I can see some accounts in the list that are service accounts and the administrator account. I only want to see the accounts that are in the Kingston office.

Get-ADUser -Filter {City -like "Kingston"} -Properties Name,UserPrincipalName,Modified | ft Name,UserPrincipalName,Modified  

The above command filters the list further based on the City value.

Now that I have the list of data I need, I would like to export it to a CSV file for future use.

Get-ADUser -Filter {City -like "Kingston"} -Properties Name,UserPrincipalName,Modified | select-object Name,UserPrincipalName,Modified | Export-csv -path C:\ADUSerList.csv

So the above example shows how a search query can be built up step by step to find the exact information needed from objects.

The Search-ADAccount cmdlet can also be used to search for Active Directory objects based on account and password status. The full syntax for the cmdlet can be retrieved using,

Get-Command Search-ADAccount -Syntax 

As an example, it can be used to filter the accounts that are locked out.

Search-ADAccount -LockedOut | FT Name,UserPrincipalName

The above command lists all the locked-out accounts with their name and UPN.

Unlike the graphical tools, PowerShell queries can be built to filter the exact objects and data from Active Directory.
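As an added example (not from the original post) that extends the Search-ADAccount step above: the script below runs the other status-based searches the cmdlet offers alongside the locked-out one, enriches each hit with the attributes used earlier in the post (City, Modified) via Get-ADUser, and exports the combined review report with the same Export-Csv pattern as the Kingston query. The report path and the 90-day inactivity window are assumed values.

```powershell
# Added example: account-status review built on Search-ADAccount and Get-ADUser.
# Assumptions: the ActiveDirectory module is available, the caller can read user
# objects, and C:\ADAccountReview.csv plus the 90-day window are chosen here.
Import-Module ActiveDirectory

$inactiveDays = 90
$reportPath   = 'C:\ADAccountReview.csv'

# Each Search-ADAccount switch answers one question about account or password state.
# -UsersOnly keeps computer accounts out of the result, as the post's queries do.
$checks = @{
    'LockedOut'            = { Search-ADAccount -LockedOut -UsersOnly }
    'PasswordExpired'      = { Search-ADAccount -PasswordExpired -UsersOnly }
    'PasswordNeverExpires' = { Search-ADAccount -PasswordNeverExpires -UsersOnly }
    'AccountExpired'       = { Search-ADAccount -AccountExpired -UsersOnly }
    'Inactive'             = { Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($inactiveDays)) -UsersOnly }
}

$report = foreach ($finding in $checks.Keys) {
    foreach ($acct in (& $checks[$finding])) {
        # Search-ADAccount returns a reduced object; fetch the attributes used earlier
        # in the post (City, Modified) so the report can also be filtered by office.
        $user = Get-ADUser -Identity $acct.DistinguishedName -Properties City, Modified, LastLogonDate
        [PSCustomObject]@{
            Finding           = $finding
            Name              = $user.Name
            UserPrincipalName = $user.UserPrincipalName
            City              = $user.City
            Enabled           = $user.Enabled
            LastLogonDate     = $user.LastLogonDate
            Modified          = $user.Modified
        }
    }
}

# Same pattern as the Kingston export; -NoTypeInformation drops the "#TYPE" header line.
$report | Sort-Object Finding, Name |
    Export-Csv -Path $reportPath -NoTypeInformation

# A quick on-screen summary, one row per finding type.
$report | Group-Object Finding | Select-Object Name, Count | Format-Table -AutoSize
```

An account can appear under more than one finding (for example both PasswordExpired and Inactive), which is usually the first thing worth reviewing in the CSV.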

This marks the end of this blog post. I hope this was useful. If you have any questions, feel free to contact me at rebeladm@live.com, and follow me on Twitter @rebeladm to get updates about new blog posts.

Active Directory Protected Users Security Group

Active Directory is a great tool, no doubt about it; administrators can do their magic to manage resources in the infrastructure with it. But at the same time, if someone is able to gain access to an AD account with privileges, they can easily use it across the domain-joined resources. So the protection of the AD infrastructure is critical.

Microsoft continues to implement new security features in Active Directory Domain Services to protect infrastructures from emerging threats. The "Protected Users" group is another great feature, implemented with Windows Server 2012 R2 Active Directory Domain Services to protect "high value" accounts in the AD infrastructure. The advantage of this feature is that members of this security group get "non-configurable" protection automatically. I think that is a good point, especially for a security feature: when there are configurable options, admins make changes to make their lives easier and sometimes lose the whole point of the security control. With this security group, the only way to modify the protection for an account is to remove it from the group.

To use this feature, the primary domain controller needs to run on the Windows Server 2012 R2 domain functional level, and devices need to run at least Windows Server 2012 R2 or Windows 8.1.

What does it do?

According to Microsoft,

1.    The member of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. On a device running Windows 8.1, passwords are not cached, so the device that uses any one of these Security Support Providers (SSPs) will fail to authenticate to a domain when the account is a member of the Protected User group.
2.    The Kerberos protocol will not use the weaker DES or RC4 encryption types in the pre-authentication process. This means that the domain must be configured to support at least the AES cipher suite.
3.    The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.
4.    The default Kerberos Ticket Granting Tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center (ADAC). This means that when four hours have passed, the user must authenticate again.

This protection should not be used for service accounts or computer accounts.
This table lists the properties of the group:

Well-known SID/RID:
Type: Domain Global
Default container: CN=Users, DC=<domain>, DC=
Default members:
Default member of:
Safe to move out of default container?
Safe to delegate management of this group to non-service admins?
Default user rights: No default user rights

How to add a member to the group?

To add a user,

1)    Log in to the domain controller as a Domain Admin or Enterprise Admin
2)    Go to Server Manager > Tools > Active Directory Users and Computers
3)    Then under "Users" you can find the "Protected Users" group


4)    Double-click to open the group properties, and under the "Members" tab you can add the users or groups
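The same membership change can be made from PowerShell, with the post's prerequisites checked first. This is an added example, not part of the original post: the account name is assumed, the OS check only reads the operatingSystemVersion attribute of the PDC emulator's computer object, and the service-account check uses the presence of SPNs as its rule of thumb.

```powershell
# Added example: add an account to Protected Users after checking the post's prerequisites.
# Assumptions: ActiveDirectory module available, run as a Domain Admin, 'user1' exists.
Import-Module ActiveDirectory

$samAccountName = 'user1'      # account to protect (assumed name)
$domain  = Get-ADDomain
$pdcName = ($domain.PDCEmulator -split '\.')[0]

# Prerequisite 1: the PDC emulator must be Windows Server 2012 R2 (6.3) or newer.
$pdc = Get-ADComputer -Identity $pdcName -Properties OperatingSystem, OperatingSystemVersion
# OperatingSystemVersion looks like "6.3 (9600)"; compare only the major.minor part.
$osVersion = [Version](($pdc.OperatingSystemVersion -split ' ')[0])
if ($osVersion -lt [Version]'6.3') {
    throw "PDC emulator $($pdc.Name) runs $($pdc.OperatingSystem); Protected Users needs 2012 R2 or later."
}

# Prerequisite 2: Protected Users is for people, not service or computer accounts.
# An account with ServicePrincipalNames usually backs a service; a member cannot be
# delegated or use NTLM, so such a service would stop working once protected.
$user = Get-ADUser -Identity $samAccountName -Properties ServicePrincipalName
if ($user.ServicePrincipalName) {
    throw "$samAccountName has SPNs ($($user.ServicePrincipalName -join ', ')); treat it as a service account."
}

# Add the member; the protection itself is non-configurable, so this is the only setting.
$group = Get-ADGroup -Identity 'Protected Users'
Add-ADGroupMember -Identity $group -Members $user

# Verify: the group should now appear in the account's group list.
$memberOf = (Get-ADPrincipalGroupMembership -Identity $user).DistinguishedName
$isMember = $memberOf -contains $group.DistinguishedName
'{0} in Protected Users: {1}' -f $samAccountName, $isMember
```

Because the new restrictions (no NTLM, no delegation, four-hour TGT) take effect at the next logon, have the user sign out and back in before treating the check as complete.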


Hope this helps. If you have any questions about the post, feel free to contact me at rebeladm@live.com

Active Directory Recycle Bin

What will happen if you delete the wrong user account, or any other AD object, in your AD environment? "Recovery" is the answer, but the issue is how fast and how easily you can do it.

Once an Active Directory object is deleted, it automatically goes into the Deleted Objects container in AD. Then, during the Active Directory garbage collection process, these deleted objects are cleaned up permanently. By default this process runs every 12 hours. So if you need to recover a deleted object (unless you use an Active Directory backup), it is possible to do so before the garbage collection process occurs, using the LDP.exe tool. But the issue is that even if you can recover the object along with its metadata, it will lose some of its attributes, such as group membership.

Microsoft has come up with a feature to answer this. It starts with Windows Server 2008 R2 and is called "Active Directory Recycle Bin". This feature works exactly like the Recycle Bin in the Windows operating system. You can use it to undelete any deleted AD object. More importantly, you can restore it with a few clicks along with all of its attributes. By default the AD Recycle Bin holds deleted objects for 180 days before permanently removing them from the system.

This feature needs to be enabled manually in Active Directory. To use it, the forest functional level needs to be at least Windows Server 2008 R2. Also, once this feature is enabled, you can't disable it.

Let's see how we can do this. In my demo I am using Active Directory running on Windows Server 2012 R2.

1)    Log in to the domain controller as a member of the Domain Admins or Enterprise Admins group.
2)    Then go to Server Manager > Tools > Active Directory Administrative Center


3)    It will open the Active Directory Administrative Center MMC; click on the domain name


4)    Then under the Tasks panel click on "Enable Recycle Bin"


5)    Once you click on it, a pop-up asks you to confirm the action. As I mentioned earlier, once this feature is enabled you can't disable it.


6)    Then it shows an info window about the feature and its replication. Click OK to exit the window.


It will take some time to replicate across the domain controllers in the forest. After replication, it's time to test the feature and see how the restore process works.

For my demo I am using a user account called "User A", who is a member of Group_A and Group_B. I am going to delete the user and recover it using the AD Recycle Bin feature.




To recover the object:

1)    Go to Server Manager > Tools > Active Directory Administrative Center
2)    Then click on the domain name and the arrow in front of it. Then click on the "Deleted Objects" option


3)    It shows the objects captured by the AD Recycle Bin feature. Here we can see the User A account I have just deleted.


4)    To restore the object, right-click on it and select "Restore". This restores it to its original location. If you need to, you can also select which container it should be restored to using the "Restore To" option.


5)    Now in AD I can see the restored object along with its attributes.
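The whole procedure, enabling the feature and restoring "User A", can also be scripted. This is an added example, not from the original post; it assumes the forest is contoso.com, that the caller is an Enterprise Admin, and that the deleted account is the post's User A.

```powershell
# Added example: enable the AD Recycle Bin and restore a deleted user from PowerShell.
# Assumptions: forest contoso.com at 2008 R2 functional level or higher, run as an
# Enterprise Admin, and the deleted account is the post's "User A".
Import-Module ActiveDirectory

$forest = Get-ADForest
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    throw "Forest functional level is $($forest.ForestMode); Recycle Bin needs Windows2008R2Forest or higher."
}

# Enable the feature only if no scope has it yet. This is the same one-way change the
# ADAC dialog warns about: it cannot be disabled afterwards.
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# Deleted objects keep isDeleted=TRUE and a mangled name ("User A\0ADEL:<guid>").
# lastKnownParent records where the object lived; memberOf is preserved by the Recycle Bin.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and Name -like "User A*" -and ObjectClass -eq "user" } `
    -IncludeDeletedObjects -Properties lastKnownParent, memberOf, sAMAccountName, whenChanged
if (-not $deleted) {
    throw 'No deleted "User A" object found; it may already have been garbage-collected.'
}
# If the same name was deleted more than once, take the most recent deletion.
$target = $deleted | Sort-Object whenChanged -Descending | Select-Object -First 1

'Restoring {0} to {1}' -f $target.sAMAccountName, $target.lastKnownParent
# Without -TargetPath the object returns to lastKnownParent, like the "Restore" menu item;
# add -TargetPath "OU=...,DC=contoso,DC=com" for the "Restore To" behaviour.
Restore-ADObject -Identity $target.ObjectGUID

# Check the post's key claim: group membership comes back with the object.
$restored = Get-ADUser -Identity $target.sAMAccountName -Properties MemberOf
$restored.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
```

If the restored user is in Group_A and Group_B, the last line prints both names; with LDP.exe tombstone reanimation those memberships would have been gone.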


So, as you can see, it is a very fast and effective solution. This is the end of this article, and if you have any questions feel free to contact me at rebeladm@live.com

Create Users with User Templates in AD

This is one of the features in Active Directory that most administrators and system engineers do not use in typical networks. Even though it is a very small feature, it is very helpful in larger infrastructures and will save a lot of time and errors in creating users in AD and assigning permissions and group memberships.

Even though most do not use it, the user account template feature has been in place since Windows NT 4.0. In a domain environment, we see many user accounts that share similar properties. For example, if we take the users in the sales department, almost all of them will be members of the same security groups and distribution groups. So every time you need to create a new sales department user, you need to add these group memberships manually. What if the users are in 10 groups? How much time will it take to map the membership from an existing user to a new user? If you need to add 10 new users, do you have to follow the same procedure each time? Can we guarantee that the system administrator assigned to the task will not miss any? If we delegate control to the HR department for account creation, will a typical clerk be able to process this complex procedure? The answer to all these questions is to use user account templates for the task.

In AD we can create a user template with all the common attributes and group memberships, and use it whenever we add a new user to AD who will share the same properties.

Let's look into the configuration. In my demo I have already set up the domain contoso.com, and in AD there is an organizational unit called "Sales Department", so everyone in the department will share the same properties. Let's create a user account template to use for the task.

To do this, right-click on the OU and click on New > User.


In the New User wizard, fill in the full name as "Sales User Template" and the user name as Sales.Template. Please keep the first name and last name empty, as they are unique to each user. Then click Next to continue.


In the next window we can define the password. I have selected the options "User must change password at next logon" and "Account is disabled", so every new user account created from this template will be disabled until it is manually enabled. That is good practice for user account creation, and the user will also get to define his own password at logon. Once the selection is complete, click Next to continue.


The next window confirms the selections; click on "Finish" to create the template in AD.


Even though we have created the user, I still need to add some more properties to the template that will be shared among the users created from it. To do that, right-click on the user and click on Properties.


First I will go to the "Member Of" tab and, using the "Add" button, add the groups that the users will be assigned to. In my demo I used 3 group memberships:

All Users, Sales Leads, Sales Users



Then in the "Organization" tab I will fill in the relevant info for the template.


Then I will go to the "Account" tab and click on the "Logon Hours" button, and in the pop-up I denied sales users logging in to the network over the weekend.


Then in the Profile tab I mapped the Z drive, a common share which will be used by the sales department.


Once everything is done, click on "OK" to apply these changes to the template.


Now we have the user template in place, so let's go ahead and add a user based on this template. To do that, right-click on the "Sales User Template" user we just added and click on "Copy".


In the New User wizard, fill in the appropriate info and click Next.


In the next window we can see that the options we selected on the template are already selected (account disabled, user must change password at next logon); we only need to define the password and click Next to continue.


The next window lists the selections; click Finish to create the new sales user.


Now we need to check whether this new account has the properties the template has.

Organization tab (Job Title shows empty, as it is unique to each user)


Profile tab


Account tab


Member Of tab


So we can see it all worked as expected. This saves a lot of time, and the user was created without missing any relevant info.
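The "Copy" step can be scripted for bulk onboarding, which is where the template pays off most. This is an added example and not part of the original post: it assumes the domain contoso.com, the Sales.Template account and the "Sales Department" OU described above, uses New-ADUser -Instance to copy the template's populated attributes, and copies group membership separately because memberOf is not a writable attribute of the user. Title is deliberately left out, since the post treats it as unique per user.

```powershell
# Added example: create a Sales user from the "Sales User Template" account with PowerShell.
# Assumptions: domain contoso.com, template sAMAccountName Sales.Template, OU "Sales Department".
Import-Module ActiveDirectory

$templateSam = 'Sales.Template'
$ou          = 'OU=Sales Department,DC=contoso,DC=com'

# Attributes the template carries over; Title is excluded as it is unique per user.
$shared = 'Department','Company','Office','StreetAddress','City','State','PostalCode','Country',
          'Manager','HomeDrive','HomeDirectory','ScriptPath','ProfilePath','logonHours'
$template = Get-ADUser -Identity $templateSam -Properties ($shared + 'MemberOf')

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [System.Security.SecureString] $InitialPassword
    )
    $sam = ('{0}.{1}' -f $GivenName, $Surname).ToLower()
    # -Instance copies the populated attributes of the template object; the explicit
    # parameters below supply the unique values and the same security state as the wizard
    # (disabled until enabled manually, password change forced at first logon).
    New-ADUser -Instance $template `
        -Name ('{0} {1}' -f $GivenName, $Surname) -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName ('{0}@{1}' -f $sam, (Get-ADDomain).DNSRoot) `
        -Path $ou -AccountPassword $InitialPassword `
        -ChangePasswordAtLogon $true -Enabled $false

    # Group membership lives on the groups, not the user, so it is copied separately.
    foreach ($groupDn in $template.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $sam
    }
    # Return the new account with the properties the post checks tab by tab.
    Get-ADUser -Identity $sam -Properties Department, HomeDrive, HomeDirectory, MemberOf
}

# Usage: create one Sales user; the account stays disabled until someone enables it.
$pw = Read-Host -AsSecureString -Prompt 'Initial password'
New-UserFromTemplate -GivenName 'Jane' -Surname 'Doe' -InitialPassword $pw
```

For a batch, feed the function from a CSV of names with Import-Csv and a per-user password; the template's disabled state means nothing can log on until each account is reviewed and enabled.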