Tag Archives: AD objects

Find Active Directory Objects (PowerShell Guide)

Active Directory can hold near 2 billion objects. When the number of objects grows, the requirement for affective object filtering grows as well. Active Directory have several GUI options to search/filter specific objects. We also can filter objects using PowerShell. 

In previous posts, we learned about Get-ADUser and Get-ADComputer cmdlets and how it can be used with other commands to filter out objects from Active directory and perform administrative tasks.  It is also can use to retrieve specific attribute values from filtered objects. 

Get-ADUser -Identity user1 -Properties *

In above command, it will list down all the attributes and its values associated with user1. This helps to find exact attributes names and common values which can use for further filtering. 

I need to know values of Name, UserPrincipalName and Modified for all the users. Following command will create a table with attributes and its values. 

Get-ADUser -Filter * -Properties Name,UserPrincipalName,Modified | ft Name,UserPrincipalName,Modified

fobj01

I can see some accounts in the list which is service accounts and administrator account. I only want to see the accounts which is in Kingston office

Get-ADUser -Filter {City -like "Kingston"} -Properties Name,UserPrincipalName,Modified | ft Name,UserPrincipalName,Modified  

With above it filters it further based on the City value.

Now I have the list of data I needed, I like to export it to a CSV file for future use. 

Get-ADUser -Filter {City -like "Kingston"} -Properties Name,UserPrincipalName,Modified | select-object Name,UserPrincipalName,Modified | Export-csv -path C:\ADUSerList.csv

So, above example shows how search query can build up from granular level to find the exact information needed from objects. 

Search-ADAccount cmdlet can also use to search for the active directory objects based on account and password status. Full syntax for the cmdlet can retrieve using,

Get-Command Search-ADAccount -Syntax 

As an example, it can use to filter the accounts which is locked out. 

Search-ADAccount -LockedOut | FT Name,UserPrincipalName

Above command will list down all the lockout accounts with name and UPN

Unlikely the graphical tools, Powershell queries can build to filter the exact objects and data from active directory. 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Create Active Directory User Objects using PowerShell

There are few ways to create user objects in Active Directory. If it’s using GUI, it can be done using Active Directory Administrative Center or Active Directory Users and Computers MMC. If it is using command line, it can be done using windows command-line or PowerShell. In this demo, I am going to show how we can create user object using PowerShell. 

In order to create user object in active directory we can use New-ADUser cmdlet in PowerShell. You can view the full syntax for the command along with the accepted data types using,

Get-Command New-ADUser -Syntax

In order to create a New User account using PowerShell the minimum value you need to pass is -Name. it will create a disabled user account and you still can define values for other attributes later. 

This is a sample which can use to create a user account,

New-ADUser -Name "Talib Idris" -GivenName "Talib" -Surname "Idris" -SamAccountName "tidris" -UserPrincipalName "tidris@rebeladmin.com" -Path "OU=Users,OU=Europe,DC=rebeladmin,DC=com" -AccountPassword(Read-Host -AsSecureString "Type Password for User") -Enabled $true

In the command,

Name – Defines the Full Name

Given Name – Defines the First Name

Surname – Defines the Surname

SamAccountName – Defines the User Name

UserPrincipalName – Defines the UPN for the user account

Path – Defines the OU path. The default location is “CN=Users,DC=rebeladmin,DC=com”

AccountPassword – This will allow user to input password for the user and system will convert it to the relevant data type

Enable – defines if the user account status is enabled or disabled. 

uadd1
 
You can create a user account with minimum attributes such as Name and UPN. Then later can define a password and enable the account. User account cannot enable without a password. To define password can use Set-ADAccountPassword -Identity cmdlet and to enable account can use Enable-ADAccount -Identity cmdlet. 
 
Instead of executing multiple commands to create multiple user objects, we can create a CSV (comma-separated values) file which include data for attributes and use it to create accounts in one go. 
 
In demo I am using following CSV file. 
 
uadd2

Import-Csv "C:\ADUsers.csv" | ForEach-Object {
$upn = $_.SamAccountName + “@rebeladmin.com” 
New-ADUser -Name $_.Name `
 -GivenName $_."GivenName" `
 -Surname $_."Surname" `
 -SamAccountName  $_."samAccountName" `
 -UserPrincipalName  $upn `
 -Path $_."Path" `
 -AccountPassword (ConvertTo-SecureString “Pa$$w0rd” -AsPlainText -force) -Enabled $true
}
 
In above script Import-Csv cmdlet used to import the CSV file created. I have defined parameter $upn = $_.SamAccountName + “@rebeladmin.com” to use for the  -UserPrincipalName value. In script, I have defined a common password for all the accounts using -AccountPassword (ConvertTo-SecureString “Pa$$w0rd” -AsPlainText -force) 
 
uadd3
 
This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Active Directory Recycle Bin

 What will happen if you have deleted the wrong user account? Or any other AD object? In your AD environment. “Recovery” is the answer but issue is how fast and how easy you can do it.

Once active directory object is deleted, it is automatically goes in to the deleted object container in the AD. Then during the active directory garbage collection process it will clean up these deleted AD objects permanently. By default this process is occurs in every 12 hours. So if need to recover a deleted object (unless you use an active directory backup) it is possible to do before the garbage collection process occurs in AD using LPD.exe tool. But the issue is even you can recover the object along with metadata it will lose its some attributes such as group membership.

Microsoft has come with a feature to answer this. It starts with windows server 2008 R2 and called as “Active Directory Recycle Bin”. This feature is exactly work as “Recycle Bin” in windows operating system. You can use this to undelete any deleted AD objects. More importantly you can restore it with few clicks along with all the attributes. By default AD recycle bin holds deleted objects for 180 days before permanently remove from the system.

This feature is need to be enabled manually in active directory. To use this feature the domain forest functional level at least need to be set to windows server 2008 R2.  Also you need to manually enable this feature and once this feature is enabled you can’t disable it.

Let’s see how we can do this. In my demo I am using active directory runs on windows server 2012 R2.

1)    Log in to the Domain Controller as member of domain admin group or enterprise admin group.
2)    Then Server Manager > Tools >  Active Directory Administrative Center

re1

3)    It will open Active Directory Administrative Center mmc and click on the domain name

re2

4)    Then under Tasks panel click on “Enable Recycle Bin

re3

5)    Once click on it, it will open up pop up saying to confirm the action. As I mentioned earlier once this feature is enable you can’t disable it.

re4

6)    Then it will give info window about the function and the replication. Click ok to exit form window.

re5

It will take some time to replicate across the domain controller in the forest. After replication it’s time to test the functions and see how the restore process works.

For my demo I am using a user account called “User A” and he is member of Gorup_A and Group_B as well. I am going to delete the user and recover it using the AD recycle bin feature.

re6

re7

 

To recover the object

1)    Go to Server Manager > Tools > Active Directory Administrative Center
2)    Then click on domain name and the arrow in front. Then click on option “Deleted Objects

re8

3)    Then it will show the objects captured by the AD recycle bin feature. In here we can see the UserA account I have just deleted.

re9

4)    To restore the object, right click on object and select “Restore”. This will restore it to original location it was. If you need you also can select which container it should restore to using “restore to” option.

re10

5)    Now in AD I can see the restored object along with its attributes.

re11

So as you can see it was very fast and effective solution. This is the end of this article and if you have any questions feel free to contact me on rebeladm@live.com

The DS Commands – DSGET

In today post lets look in to another DS command which we can use to administer active directory. The command is "DSGET"  it is also use to query about AD objects.

What is different between DSQUERY and DSGET ?

When you run DSquery you can get set of objects as results. for example if you need to list all the users starts name with "Sales" you can use DSquery command to list similar objects and find the exact object you need. but DSget use to list properties of a object. for example if you need to fine email address of user "Sales A" you can use DSget command for it. But to do that you need to know Distinguish Name (DN) of the object. So this is the reason why this command less popular among engineers.

DSGET Hlp file can open using dsget /? This commands need to be run as administrator on DC server.

dsget1

Lets look in to some of examples,

The first sample command  i will use is dsget user "CN=Sales A,OU=Sales Department,DC=contoso,DC=com" -email. in here dsget user defines that the query is going to based on object type Users. so in this i am trying to find email address of the Sales A user. CN=Sales A,OU=Sales Department,DC=contoso,DC=com is the DN for the user Sales A.

dsget2

As it is showing on the above it is display the email address of the user as the result.

The next sample command is dsget group "CN=Sales Leads,OU=Groups,DC=contoso,DC=com" -members, This is for list all the members of the Ad user group called "Sales Leads" , in command dsget group defines the object type as group and CN=Sales Leads,OU=Groups,DC=contoso,DC=com is the DN for the user group.

dsget3

According to the command it list down the 2 users in the group successfully.

dsget4

This is the end of this post and lets look in to another DS command in next post.