Showing posts with label Active Directory.

Wednesday 9 January 2019

PowerShell command for permanently deleting AD objects

Or, Removing deleted AD objects from the AD database
Or, Permanently deleting AD objects from the AD database that are already marked as ‘isDeleted’

Descriptions: This approach is useful when you really want to permanently delete AD objects and you no longer need these entries to be available in the ‘Deleted Objects’ container of AD (the place where the Active Directory Recycle Bin keeps recoverable objects).

The most important point to note here is that you would not be able to recover any AD object from the Active Directory Recycle Bin once you permanently delete the objects using this PowerShell command. Deleted objects are also forensic evidence (which accounts existed, where they lived, which SID they had), so take an export before purging and make sure the purge itself is logged.

Open Windows PowerShell (run as administrator) > run the command below
Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "*DEL:*"' -IncludeDeletedObjects | Remove-ADObject -Confirm:$false

The -IncludeDeletedObjects switch is what makes deleted objects visible to Get-ADObject at all, and the Name -like "*DEL:*" test keeps the ‘Deleted Objects’ container itself (which is also flagged isDeleted) out of the pipeline. Run the Get-ADObject half on its own first and review the list; the Remove-ADObject half deletes everything it receives without prompting.
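The same purge, as an added example that is not part of the original post, restricted to objects deleted more than a set number of days ago and preceded by an export of what is about to be destroyed. It assumes the ActiveDirectory RSAT module is available and the account is a Domain Admin; the 90-day cut-off and the D:\temp export path are assumptions, as is using whenChanged (which is updated when an object is deleted) as the deletion time.

```powershell
# Added example, not the original post's command. Assumes the ActiveDirectory
# module and Domain Admin rights; cut-off and export path are assumptions.
Import-Module ActiveDirectory

$CutOff    = (Get-Date).AddDays(-90)
$Inventory = "D:\temp\PurgedDeletedObjects_$(Get-Date -Format yyyyMMddHHmm).csv"

# Deleted (recycled/tombstoned) objects are only returned with -IncludeDeletedObjects.
# The 'DEL:' name test excludes the Deleted Objects container itself, which is
# also flagged isDeleted. whenChanged is bumped by the deletion, so it serves
# as an approximate "deleted on" timestamp.
$Candidates = Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "*DEL:*"' `
        -IncludeDeletedObjects -Properties whenChanged, objectClass, lastKnownParent, objectSid |
    Where-Object { $_.whenChanged -lt $CutOff }

# Keep a record of what is about to be destroyed: once Remove-ADObject has run,
# Restore-ADObject cannot bring these back.
$Candidates |
    Select-Object Name, objectClass, lastKnownParent, objectSid, whenChanged, DistinguishedName |
    Export-Csv -Path $Inventory -NoTypeInformation -Encoding UTF8

"$(@($Candidates).Count) objects deleted before $($CutOff.ToShortDateString()) recorded in $Inventory"

# Dry run first. Remove -WhatIf only after reviewing the inventory file.
$Candidates | Remove-ADObject -Confirm:$false -WhatIf
```

Review the CSV before removing -WhatIf; the lastKnownParent column tells you where each object lived, which is usually enough to spot a deletion that should be restored rather than purged.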

Reference screenshot:

Cheers, please write me back if you have any query or feedback.

Thursday 13 December 2018

How to perform metadata cleanup of a decommissioned Active Directory server?

Or, Metadata cleanup of a deleted domain controller server
Or, Metadata cleanup of a force-decommissioned domain controller server

Descriptions: If you are looking for step-by-step help to clean up Active Directory metadata after force-decommissioning an additional domain controller (ADC), this article is for you. Friends, it is always better to decommission an ADC gracefully and to fix the issues that pop up during the decommission, but sometimes you end up taking the quick decision to force-decommission a non-production or outdated ADC. Until the metadata is cleaned up, the remaining DCs keep trying to replicate with the dead server, its DNS service records keep sending clients to it, and any FSMO role it still holds stays unavailable.

Scenario: I have recently force-decommissioned my ADC server because it was failing for unknown multiple reasons while performing a normal decommission from the Server Manager console.

Environment Details
Server OS: Windows Server 2012 and Windows Server 2012 R2
Server Role: ADC (additional domain controller)
Status of AD Role: Removed using the Server Manager console
Deleted AD Server Name: DELETEDADSRV01
Live AD Server Name: LIVEADSRV01

1. Do not delete the computer object, containers, or Sites and Services entries manually
2. Make sure you have basic knowledge of the CMD interface and can read the numbered selections that appear while executing the metadata cleanup commands
3. Make sure you have a sufficiently privileged account to perform metadata cleanup (Enterprise Admin, since the server objects live in the forest-wide Configuration partition; Domain Admin of the forest root domain also works)
4. If the deleted DC still holds any FSMO role, seize that role to a live DC first (ntdsutil ‘roles’, or Move-ADDirectoryServerOperationMasterRole with -Force); metadata cleanup does not move roles for you
5. Remove the check mark from ‘Protect Object From Accidental Deletion’ on the deleted AD computer object, its NTDS Settings object, and the relevant site containers

Log in to any working Domain Controller > Open CMD (Run as Administrator) > start ntdsutil and execute the commands in the sequence below. The prompt changes as you descend the menus, and ‘quit’ takes you back up one level:

>ntdsutil
>metadata cleanup
>connections
>connect to server LIVEADSRV01 (replace ‘LIVEADSRV01’ with the name of any live DC)
>quit
>select operation target
>list sites
>select site 0 (if you have multiple sites, select carefully the one where your deleted DC existed)
>list domains in site
>select domain 0 (if you have multiple domains, select carefully the one where your deleted DC existed)
>list servers in site (you should see your deleted DC’s name in this list)
>select server 0 (select your deleted DC’s number carefully)
>quit
>remove selected server

Once you execute the last command ‘remove selected server’, you get a confirmation dialog like the one shown below. Read the message carefully and proceed by clicking ‘Yes’ only if you agree and are sure about the action and its result.

Once the deletion is completed, type quit (twice) at the prompt to exit ntdsutil. Then confirm that the dead DC is really gone: it should no longer appear in Active Directory Sites and Services, in the Domain Controllers OU, in ‘repadmin /showrepl’ output on the remaining DCs, or in the _ldap/_kerberos SRV records of the domain’s DNS zone (delete any leftover records by hand).
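The post-cleanup verification as a script, added here as an example rather than taken from the original post. It assumes the ActiveDirectory module and DnsClient cmdlets are available on the DC you run it from, and uses the post's sample name DELETEDADSRV01; every check it makes is for residue that metadata cleanup is supposed to remove.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module; the dead DC's name is the post's sample value.
Import-Module ActiveDirectory

$DeadDc = 'DELETEDADSRV01'
$Domain = Get-ADDomain
$Forest = Get-ADForest
$Config = (Get-ADRootDSE).configurationNamingContext
$Issues = @()

# 1. Server object (and its NTDS Settings child) in the Configuration partition
$ServerObj = Get-ADObject -SearchBase "CN=Sites,$Config" `
    -LDAPFilter "(&(objectClass=server)(cn=$DeadDc))" -ErrorAction SilentlyContinue
if ($ServerObj) { $Issues += "Server object still present: $($ServerObj.DistinguishedName)" }

# 2. Still enumerated as a domain controller
if (Get-ADDomainController -Filter "Name -eq '$DeadDc'" -ErrorAction SilentlyContinue) {
    $Issues += "$DeadDc is still returned by Get-ADDomainController"
}

# 3. Computer account still sitting in the Domain Controllers OU
$Computer = Get-ADComputer -Filter "Name -eq '$DeadDc'" -ErrorAction SilentlyContinue
if ($Computer -and $Computer.DistinguishedName -like '*OU=Domain Controllers,*') {
    $Issues += "Computer account still in Domain Controllers OU: $($Computer.DistinguishedName)"
}

# 4. Must not be recorded as a FSMO role holder any more
$Holders = @($Domain.PDCEmulator, $Domain.RIDMaster, $Domain.InfrastructureMaster,
             $Forest.SchemaMaster, $Forest.DomainNamingMaster)
if ($Holders -match "^$DeadDc\.") { $Issues += "$DeadDc is still recorded as a FSMO role holder" }

# 5. Stale DNS service records keep clients and DCs trying to use the dead server
foreach ($rr in "_ldap._tcp.$($Domain.DNSRoot)", "_kerberos._tcp.$($Domain.DNSRoot)") {
    $srv = Resolve-DnsName -Name $rr -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.NameTarget -like "$DeadDc.*" }
    foreach ($s in $srv) { $Issues += "Stale SRV record $rr -> $($s.NameTarget)" }
}

if ($Issues) { $Issues | ForEach-Object { Write-Warning $_ } }
else        { "No trace of $DeadDc found in AD or DNS." }
```

Run it from a live DC a few minutes after the cleanup so that the change has replicated; a server object that still shows up with no NTDS Settings child can be deleted from Active Directory Sites and Services, and leftover SRV records are removed from the DNS console.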

Cheers, Hope it helps you…
If you have any query and feedback, Please write me back.

Tuesday 4 December 2018

Can we use DHCP without AD or DNS?

Or, Does the DHCP server have any dependency on AD or DNS?

The DHCP Server role has no hard dependency on DNS or Active Directory: it can be installed and used on a standalone server in a workgroup. Two caveats matter in practice. First, a DHCP server that is a member of an AD domain must be authorized in Active Directory before it will hand out leases; this is Microsoft’s safeguard against rogue DHCP servers on the LAN, and it is also why an unauthorized domain-joined DHCP server appears to do nothing. Second, DNS is only needed if you want the DHCP server to register A/PTR records on behalf of its clients (dynamic DNS update), which is optional.

You should have the IP subnets (range, mask, gateway and exclusions) ready before you create a DHCP scope...

Cheers…Hope it helps…

Thursday 8 June 2017

PowerShell script to export disk usage report of multiple computers

Or, Disk usage report PowerShell script
Or, PowerShell script for disk usage report with .txt file input
Or, Export disk usage report to CSV for multiple windows computers

Descriptions: A disk usage report for storage optimization or for tracking disk usage trends is one of the routine tasks of every administrator. In this article, we will build a PowerShell script that collects the disk usage of multiple Windows machines into a CSV file (which opens in Excel).

In this article, we will prepare the scenario and the folder layout, and lastly we will run the PowerShell script to get the CSV report in the desired folder location.

What has been covered in this script?
This script collects a disk usage report for the Windows machines listed in the ServersList.txt text file. It keeps only the last 30 days of reports in the DiskUsageReports folder and deletes older ones.

1. Administrative privilege to run the script
2. List of servers/computers name or IP in a text file
3. Basic knowledge of PowerShell commands

Prepare the environment – Get Ready

Create a root folder and three child folders like:
1. Root folder name: DiskUsage
2. Child folders name: DiskUsageReports, DiskUsageReportScript, and ServersList

A reference screenshot is given below:

Prepare a text file with Name ServersList.txt and place it in ServersList folder. This text file should contain the list of windows machines you wish to export disk usage report.

You can use name or IP as shown in below screenshot:

Finally, create the PowerShell script with the following commands.

Simply copy and paste the given commands into the PowerShell ISE window and save it as a .ps1 file under the DiskUsageReportScript folder with the name DiskUsageReport.ps1


# Purge reports older than 30 days so the report folder does not grow forever
$OldReports = (Get-Date).AddDays(-30)
Get-ChildItem D:\DiskUsage\DiskUsageReports\*.csv |
    Where-Object { $_.LastWriteTime -le $OldReports } |
    Remove-Item -Force -ErrorAction SilentlyContinue

# Timestamp for the new report (HH is the 24-hour clock; hh would repeat after noon)
$LogDate = Get-Date -Format yyyyMMddHHmm

# One computer name or IP per line; blank lines are skipped
$Servers = Get-Content -Path D:\DiskUsage\ServersList\ServersList.txt | Where-Object { $_.Trim() }

# DriveType=3 selects local fixed disks only. Querying Win32_LogicalDisk remotely
# needs local administrator rights on each target: the account running the script,
# or one passed with -Credential (never hard-code a password in the script).
$Unreachable = @()
$DiskReport = foreach ($ServerName in $Servers) {
    $Disks = Get-WmiObject -Class Win32_LogicalDisk <#-Credential $RunAccount#> `
        -ComputerName $ServerName -Filter "DriveType=3" `
        -ErrorAction SilentlyContinue
    if (-not $Disks) { $Unreachable += $ServerName }
    $Disks
}

$DiskReport |
    Select-Object @{Label = "Server Name";         Expression = { $_.SystemName }},
                  @{Label = "Drive Letter";        Expression = { $_.DeviceID }},
                  @{Label = "Total Capacity (GB)"; Expression = { "{0:N1}" -f ($_.Size / 1GB) }},
                  @{Label = "Free Space (GB)";     Expression = { "{0:N1}" -f ($_.FreeSpace / 1GB) }},
                  @{Label = "Free Space (%)";      Expression = { "{0:P0}" -f ($_.FreeSpace / $_.Size) }} |
    Export-Csv -Path "D:\DiskUsage\DiskUsageReports\DiskReport_$LogDate.csv" -NoTypeInformation

# Hosts that returned nothing would otherwise be silently missing from the CSV
if ($Unreachable) { Write-Warning ("No data from: " + ($Unreachable -join ', ')) }


It should look like the below one:

Now you are done friends, just run the PowerShell script and get the report you need...

Steps: Run the prepared PowerShell script

Right click on the .ps1 script file and click on Run with PowerShell

Now go to the DiskUsageReports folder; you should have your CSV report ready there..

Cheers, Please write me back if you have any query or feedback.

Wednesday 7 June 2017

PowerShell command to export AD users created in the last 7 days to a CSV file

Or, Exporting AD users created in the last 7 days to a CSV file using a PowerShell command
Or, Get a report of AD users created in the last 7 days with the help of PowerShell

Descriptions: If you are looking to export AD users created in the last 7 days (or any custom number of days) to a CSV file/report, this article is for you my friend. In my case, I am going to export users created in the last 7 days. Newly created accounts are worth reviewing regularly: an account that nobody remembers creating is one of the simplest signs of a misused admin credential.

Run Windows PowerShell as Administrator > run the commands mentioned below to get the CSV output/report

AD users created in the last 7 days

$Since = (Get-Date).AddDays(-7)
Get-ADUser -Filter 'whenCreated -ge $Since' -Properties Name, Title, Office, Created | Select-Object Name, Title, Office, Created | Export-Csv D:\temp\ADReport.csv -NoTypeInformation

Filtering on whenCreated inside -Filter makes the domain controller return only the matching users, instead of every user in the domain being pulled over the network and then filtered on the client.

Cheers, Please write me back if you have any query or feedback on this.

Tuesday 6 June 2017

Exporting inactive AD users to a CSV file using a PowerShell command

Or, PowerShell command to export inactive AD users to a CSV file
Or, Get an inactive AD users report with the help of PowerShell

Descriptions: If you are looking to export inactive AD users to a CSV file/report, this article is for you my friend. In my case, I am going to export enabled users that have been inactive for 30 days. Enabled but unused accounts are a favourite target for password spraying and are rarely missed when they get taken over, so this report is worth running on a schedule.

Run Windows PowerShell as Administrator > run the commands mentioned below to get the CSV output/report

Inactive AD users for 30 days

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 30.00:00:00 | Where-Object { $_.Enabled -eq $true } | Get-ADUser -Properties Name, EmailAddress, Department, Description, lastLogonTimestamp | Select-Object Name, EmailAddress, Department, Description, @{n='LastLogon'; e={ if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } }} | Export-Csv D:\temp\InactiveADUsers.csv -NoTypeInformation

Two caveats: lastLogonTimestamp is only replicated between DCs when the stored value is more than 9 to 14 days old, so ‘inactive for 30 days’ is accurate to within about two weeks; and an account that has never logged on has no lastLogonTimestamp at all, which the expression above leaves blank instead of showing the 1601 epoch date.
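One report that covers both the ‘created recently’ post above and this ‘inactive’ post, added here as an example and not taken from either post. It asks the DC only for the attributes it uses, handles the never-logged-on case, and adds two facts a reviewer always wants next to a stale or new account: whether its password never expires and whether it sits (directly or via nesting) in a privileged group. The 30-day window, the D:\temp output path and the list of privileged groups are assumptions; the ActiveDirectory module is required.

```powershell
# Added example, not the original posts' commands. Assumes the ActiveDirectory
# module; window, output path and privileged-group list are assumptions.
Import-Module ActiveDirectory

$Days       = 30
$Since      = (Get-Date).AddDays(-$Days)
$OutFile    = "D:\temp\AccountReview_$(Get-Date -Format yyyyMMdd).csv"
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

# Resolve privileged membership once (recursively, so nested groups count) into a DN lookup.
$Privileged = @{}
foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $Privileged[$_.distinguishedName] = $g }
}

# Filter server-side and request only the attributes the report needs:
# -Properties * on every user is slow and returns far more PII than necessary.
$Props = 'whenCreated', 'lastLogonTimestamp', 'pwdLastSet', 'PasswordNeverExpires', 'Description'
$Users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $Props

$Report = foreach ($u in $Users) {
    # lastLogonTimestamp replicates only when the stored value is more than 9-14
    # days old, so it is accurate to about two weeks; it is absent for accounts
    # that have never logged on, which FromFileTime(0) would show as 1601-01-01.
    $LastLogon = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    $PwdSet    = if ($u.pwdLastSet)         { [DateTime]::FromFileTime($u.pwdLastSet) }         else { $null }

    $Flags = @()
    if ($u.whenCreated -ge $Since)                         { $Flags += "created<${Days}d" }
    if (-not $LastLogon -and $u.whenCreated -lt $Since)    { $Flags += 'never-logged-on' }
    elseif ($LastLogon -and $LastLogon -lt $Since)         { $Flags += "inactive>${Days}d" }
    if ($u.PasswordNeverExpires)                           { $Flags += 'pwd-never-expires' }
    if ($Privileged.ContainsKey($u.DistinguishedName))     { $Flags += "privileged:$($Privileged[$u.DistinguishedName])" }

    if ($Flags) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Name            = $u.Name
            Created         = $u.whenCreated
            LastLogon       = $LastLogon
            PasswordLastSet = $PwdSet
            Description     = $u.Description
            Flags           = $Flags -join ';'
        }
    }
}

$Report | Sort-Object Flags, SamAccountName | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"$(@($Report).Count) enabled accounts flagged; report written to $OutFile"
```

Rows carrying both inactive>30d and privileged:* are the ones to act on first; a dormant Domain Admin account is exactly what an attacker with a stolen hash hopes nobody is watching.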

Cheers, Please write me back if you have any query or feedback on this.

Sunday 4 June 2017

Exporting AD users to a CSV file using PowerShell commands

Or, PowerShell command to export AD users to a CSV file
Or, Get an AD users report with all fields or selected fields with the help of PowerShell

Descriptions: In this article, we are going to try some useful PowerShell commands to export AD user reports. You have the choice to select many property values, fewer property values or all property values as per your need. Ask the domain controller only for the properties you are going to export: -Properties * pulls every attribute of every user across the network and is noticeably slower, and the resulting file is personal data (e-mail, phone numbers, addresses) that has to be stored and shared with the same care as the directory itself.


Run Windows PowerShell as Administrator > run the commands mentioned below to get the CSV output/report

AD users report with the most commonly used fields
Get-ADUser -Filter '*' -Properties EmailAddress,GivenName,Surname,DisplayName,Title,Department,Office,OfficePhone,MobilePhone,Fax,StreetAddress,City,State,PostalCode,Country | Select-Object -Property EmailAddress,GivenName,Surname,DisplayName,Title,Department,Office,OfficePhone,MobilePhone,Fax,StreetAddress,City,State,PostalCode,Country | Export-Csv "D:\temp\ADusers.csv" -NoTypeInformation -Encoding UTF8

AD users report with fewer fields
Get-ADUser -Filter '*' -Properties DisplayName,EmailAddress | Select-Object -Property SamAccountName,DisplayName,EmailAddress | Export-Csv "D:\temp\ADusers2.csv" -NoTypeInformation -Encoding UTF8

AD users report with all available fields (only when you really need everything)
Get-ADUser -Filter '*' -Properties * | Export-Csv "D:\temp\ADusersAllFlds.csv" -NoTypeInformation -Encoding UTF8

The reference screenshot is given below to see how the commands should look like on PowerShell.

Cheers, Please write me back if you have any query or feedback on this.

Saturday 3 June 2017

Automate Windows server event log archival to a network shared folder

Or, How to configure the Windows event log archival path to a shared folder?
Or, Archiving Windows event logs to an alternate path or network shared folder?
Or, Automate AD security log archival on a Windows server.
Or, Move archived Windows logs to a network shared folder - can we automate this?

Descriptions: If you repeat it, automate it... this is the theme that works in most task automation. In this article too, we are going to automate a routine task, ‘Windows event log archival’. You can also call it 'archival of archived event logs to a network shared folder'. Moving the archives off the domain controller has a second benefit beyond disk space: an attacker who gains admin on the DC can clear the live Security log and delete the local archives, but cannot touch copies that already sit on a share the DC can only write to.

Yes, most administrators do it manually, which is very time consuming and always at risk of being missed. If you are reading this article, I know you are a lazy administrator like me and want to get rid of this daily/weekly hustle. So let’s start it….

Scenario Details: I have an AD/Active Directory server where I have set auto archival of security event logs. Very often, the C:\ drive of the AD server reaches 90% or even 100% sometimes, which is really a worry point for me.

IMP Notes:
1. By default archived logs are saved on the C:\ drive of the Windows server at the path C:\Windows\System32\winevt\Logs
2. We are going to move archived event logs to a network shared folder with the help of a PowerShell script
3. Auto archival of event logs is set to archive the Security log when the log file size reaches 1GB (Event Viewer > Security > Properties > ‘Archive the log when full, do not overwrite events’)
4. The archived event logs appear like Archive-Security-2017-06-03-xx-yy-zz.evtx

Stage-1: Prepare the PowerShell script

Copy and paste the PowerShell commands below into a Notepad file > update the parameters as per your environment > save this Notepad file as a .PS1 file
$path = "C:\Windows\System32\winevt\Logs"
$extn = "Archive-Security*.evtx"
$size = 1GB
$dest = "\\fileserver01\ADlogsArchival"
Get-ChildItem -Path $path -Filter $extn -File -ErrorAction SilentlyContinue | Where-Object { $_.Length -ge $size } | Move-Item -Destination $dest
IMP Note: Replace the path and size details with the ones applicable to your environment. An archive file is normally the configured maximum log size or slightly under it, so set $size a little below that maximum (or drop the size test, since the file name pattern already selects only completed archives); with a strict ‘greater than 1GB’ test and a 1GB log, a file a few KB short of 1GB would never be moved.

Stage-2: Schedule this PowerShell script in Windows Task Scheduler

Create a task in Windows Task Scheduler > on the Actions tab fill in the details like this...

Program/script: PowerShell.exe
Add arguments (optional): -NoProfile -NonInteractive -ExecutionPolicy Bypass -File C:\DoNotDelete\pscript\LogArchival.ps1

Note: replace the script path with the one applicable to your environment. Run the task as SYSTEM (the DC’s computer account is then what authenticates to the share) or as a group managed service account, and give that identity read and create/write permission on the share but not Modify or Delete: the whole point is that nobody who is logged on to the DC can remove what has already been archived. The script file itself should live in a folder only administrators can write to, since whatever is placed there runs as SYSTEM on a domain controller.
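A more careful version of the Stage-1 script, added here as an example rather than taken from the original post: it copies each archive to the share, verifies the SHA-256 hash of the copy, and only then deletes the local file, so a failed or truncated copy never costs you the only copy of the evidence, and it writes a line per file to a local log. Paths are the post's sample values; the log file location is an assumption.

```powershell
# Added example, not the original post's script. Paths are the post's sample
# values; the log file path is an assumption.
$Source  = 'C:\Windows\System32\winevt\Logs'
$Pattern = 'Archive-Security*.evtx'
$Dest    = '\\fileserver01\ADlogsArchival'
$LogFile = 'C:\DoNotDelete\pscript\LogArchival.log'

function Write-Log ([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

if (-not (Test-Path -LiteralPath $Dest)) {
    Write-Log "Destination $Dest not reachable; nothing moved."
    exit 1
}

foreach ($file in Get-ChildItem -LiteralPath $Source -Filter $Pattern -File) {
    $target = Join-Path $Dest $file.Name
    try {
        # Never overwrite: a name collision on the share means an earlier copy
        # already exists and should be investigated, not replaced.
        if (Test-Path -LiteralPath $target) { throw 'already exists on share' }

        Copy-Item -LiteralPath $file.FullName -Destination $target -ErrorAction Stop

        # Only trust the copy after its hash matches the original.
        $srcHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) { throw "hash mismatch after copy ($srcHash vs $dstHash)" }

        Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
        Write-Log "Moved $($file.Name) ($([math]::Round($file.Length / 1MB)) MB) SHA256=$srcHash"
    }
    catch {
        # Leave the local file in place; the next scheduled run retries it.
        Write-Log "FAILED $($file.Name): $_"
    }
}
```

The hash written to the log doubles as a record you can check against the file on the share months later, which is what you want if the archive ever has to be produced as evidence.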

That’s it guys, archival of the archived logs will take place automatically at the scheduled time you define in Task Scheduler. You can enjoy your coffee from now on and the script will take care of the task...

Cheers, please write me back if you have any query or feedback on this.

Monday 15 May 2017

Top 10 ways to prevent an IT security breach

Or, Top 10 IT security breaches prevention approaches

Eliminating security breaches completely is an impossible task, however there are many things that employees can do to mitigate the threat. In this article, I am going to share ten easy-to-implement policies (created by looking at some high profile security breaches of the past) which, if followed to precision, will drastically reduce the chance of a security breach.

1. Stringent password policy

As cliché as it sounds, securing passwords (including changing default passwords and not re-using old passwords) goes a long way to averting security breaches. Create a specific policy for securing passwords; such as including special characters, minimum length, expiration dates, no repetition and no password sharing.
Many devices and applications in large enterprises are protected by default passwords. You’d better believe that attackers are also aware of this and can exploit it. Be sure to change those default passwords!

2. Disable old, unused or inactive user accounts

Old, unused and inactive user accounts can all become the source of a security attack. Security breaches are easier to pull off in an unclean Active Directory. The easy way to counter this is to ensure that whenever employees (either regular or contractual) leave the organization, make sure to disable their accounts – especially the ones that had privileged access.

3. Automate security

Automate your security initiatives. Use systems that automatically check password settings, unused/stale user and computer accounts, server settings and firewall configurations. Systems like this are vital because to be vigilant in all these areas requires a tremendous amount of time and man-power without them. There is an abundance of third-party solutions on the market today that can offer this service in an affordable way.

4. Enable auditing and examine logs

Good administrators know the importance of auditing, and will monitor system logs regularly and meticulously. As I am covering the best ways to avoid security breaches in this article, I’m going to put particular stress on security logs, because they are usually where a breach in progress is first noticed.
Let’s say, for example, you have a folder containing a set of highly important project files with object access auditing enabled on it, and while reviewing the Windows server Security log the administrator comes across a file access event (event ID 4663) from an account that has no business there. That should immediately raise alarm bells, and you should be able to determine who accessed the file and for what purpose.

5. Encrypt Data

All sensitive information in your organization (whether it’s on your desktop, laptop or a portable storage device) should be encrypted. That way, even if someone manages to get access to the devices, data will still remain inaccessible. There are many third-party file encryption solution providers on the market to satisfy this requirement.

6. Do regular network scans

Doing regular network scans and comparing them against an active baseline inventory can help thwart a security breach. This will help you detect when and where a rogue device or application appeared on the network. The built-in ‘net view’ command only lists the computers and shares that announce themselves, so treat it as a quick look rather than a scan; a proper network or vulnerability scanner (many are GUI based and far more informative) is what the baseline comparison should be built on.

7. Monitor outbound network traffic

Attackers these days use advanced and sophisticated malware to avoid detection. One way of exposing them is to monitor outbound network traffic. Alarms should be raised when the amount of outbound traffic is abnormally high, or when hosts that never talk to the Internet start doing so. Most firewalls can log outbound connections and deliver scheduled reports.

8. Apply patches and update systems regularly

One way to stop security breach attempts originating from outside the network's perimeter is by keeping operating systems and applications up to date. If the operating system and applications are patched regularly, the exploits that attackers rely on simply stop working.
Using a product like Microsoft Baseline Security Analyzer (MBSA) can do this for you. It is an app released by Microsoft that evaluates missing security updates and less-secure security settings within Microsoft Windows in order to tell you when an update is required. Note that Microsoft has since retired MBSA; on current systems use WSUS or Windows Update compliance reporting, or a maintained vulnerability scanner, for the same job.

9. Devise and implement a disaster recovery plan

Irrespective of the size the organization, a disaster recovery plan is vital in providing continuity in the case of disasters. After an attack, instead of panicking, employees will have a step-by-step guide to follow that will help bring systems back to normal. There are many consultants available that can help you create a resilient disaster recovery plan that is specific to your requirements.

10. Raise awareness

Create an overall atmosphere of heightened security in the organization. All employees, whether a junior help-desk or a senior administrator, need to be aware of the risks their job profiles carry (and how such risks can be mitigated).

The Conclusion

These points raised in this article are intended to make you aware of the security risks your organization faces every day and the best ways to overcome them. However, this is only the first step. Use this guide to implement a layered security approach and devise policies, procedures and audit solutions that can mitigate security threats. If you have any questions about any of the above given points, or any points you feel should be on this list, let me know in the comments below.


Source: Ajit Singh, Marketing Manager for IT auditing, security and compliance vendor, Lepide.

Sunday 29 January 2017

Understanding Active Directory, Domain Controller and Domain.

Or, Logical Difference between Active Directory and Domain?
Or, Logical Difference between Active Directory and Domain Controller?

Descriptions: Sometimes it is a little confusing to differentiate between domain, domain controller and Active Directory. It is because all these terms are used, knowingly or unknowingly, to describe the other related concepts.

To make it simple, I would say…. a domain is a logical boundary with a name like, etc… managed by Active Directory Domain Services, which contains all the objects and database information; and these entries, the database, the objects and the logical boundary are installed or configured on a server, which is then known as a Domain Controller.

Let’s see the examples below:

Active Directory: Active Directory is a directory service that stores information about all AD objects like users, computers and OUs etc… The database itself is the NTDS.dit file kept in the NTDS folder on every domain controller, and SYSVOL is the replicated share that holds Group Policy templates and logon scripts. Both are among the most sensitive files on the network: a copy of NTDS.dit, together with the SYSTEM registry hive, yields every password hash in the domain.

Domain: A domain is a logical boundary of your Active Directory environment, which gives a single name under which its objects are found, and which shares a common name, a common database partition and common policy (the password policy, in particular, is set per domain)...

Example: My domain name:- and have unique logical names but run within the same forest, sharing its schema and configuration, as parent domain and sub-domain.

Domain Controller: The server which holds the Active Directory Domain Services role is known as a Domain Controller server.

Example: You have a server with nothing installed; it is just a server. Once you install Active Directory Domain Services on this server and promote it, it becomes a Domain Controller server.

Cheers, please write me back if you have any query or feedback on this.

Monday 23 January 2017

How to check FSMO roles using CMD or GUI?

Or, How to check FSMO roles holders in a domain?

Descriptions: In this article we will see how to check the FSMO roles and which domain controllers hold them. Using CMD it is the job of one command, which can be executed from your local machine (any domain-joined machine with the AD DS tools installed) without logging in to any domain controller; the other way is the GUI, where you need console access to your domain controllers.

Steps: Checking FSMO roles using CMD
Open CMD (run as administrator)

Type the command given below and hit enter

netdom query fsmo

Steps: Checking FSMO roles using GUI (Domain Level Roles)

From the server manager’s Tool option select Active Directory Users and Computers

Right click on your Domain Name > Select Operations Master

Now you have all the domain level FSMO roles here. You can click on each tab to check who is having which FSMO role.

Steps: Checking FSMO roles using GUI (Forest Level Roles)

From Server Manager’s Tools option, select Active Directory Domains and Trusts

Right click on Active Directory Domains and Trusts > Select Operations Master

Here you have the Domain Naming Master FSMO role holder

Now to check the Schema Master Role, Run > MMC > Add/Remove Snap in > Select Active Directory Schema > Click OK to add the snap-in > Right Click on the Active Directory Schema > Select Operations Master

Here you have the Schema Master Role holder details

That’s all guys, cheers!!
Please write me back if you have any query of feedback.

Sunday 22 January 2017

Active Directory Schema console is not visible in Domain Controller

Or, Where is Active Directory Schema console in Domain Controller server?
Or, How to add Active Directory Schema console snap-in?
Or, How to register Active Directory Schema in domain controller server?

Descriptions: First things first, you may not be able to see the Active Directory Schema console on your domain controller server because it is hidden by default: the snap-in DLL has to be registered before the console can be added. After registering the DLL, you add the snap-in from MMC to get the Active Directory Schema console. Keeping it hidden is deliberate, since schema changes are forest-wide and cannot be rolled back.

Don’t worry, it’s not a big deal. Just a single command and a few GUI steps and you are done.

Steps: Schema Registration

Open CMD (run as administrator)

Type the command given below and hit enter > Click OK
regsvr32 schmmgmt.dll

Steps: Adding Active Directory Schema Snap-in Console

Go to Run > Type mmc and hit enter > Click yes if prompted on pop-up window

Go to File menu > Select Add/Remove Snap-in

Select Active Directory Schema > Click on Add > Click OK

That’s it, here you have the Active Directory Schema Console

Cheers, please write me back if you have any query of feedback.

Managing Global Catalog servers best practices

Or, Should we keep the Global Catalog and the Infrastructure Master role on one Domain Controller?
Or, Is it good to have the Infrastructure Master role and the Global Catalog role on one Domain Controller server?

Descriptions: This is one of the most common and most ignored scenarios, where either people don’t take it seriously or don’t design the Active Directory domain in an efficient manner. When you are running many DCs in a large, multi-domain environment, you must check these common best practices for where to keep your FSMO role holders and how to design their placement.

Guys, in a small environment with one DC and one ADC in a single-domain forest you will not face this challenge. The rule is narrower than ‘never’: do not place the Infrastructure Master on a Global Catalog server unless every DC in the domain is also a Global Catalog (or the forest has only one domain). If all DCs are GCs, the Infrastructure Master has no work to do and its placement does not matter.

It’s because the Infrastructure Master keeps cross-domain references up to date. When a group in your domain contains a user from another domain, your domain stores only a placeholder (a ‘phantom’) for that user; the Infrastructure Master periodically compares those phantoms with a Global Catalog and, when the user has been renamed or moved, writes the corrected reference, which then replicates to the other DCs of the domain. A Global Catalog already holds a copy of every object in the forest, so an Infrastructure Master that is itself a GC never finds a stale phantom and never issues the updates, and the non-GC DCs keep showing stale cross-domain group members. (With the Active Directory Recycle Bin enabled, every DC updates its own phantoms and this restriction no longer applies.)

If you have any query or feedback on this, please write me back.

Saturday 21 January 2017

Understanding FSMO role in active directory and impact when unavailable

Or, FSMO Roles in AD (Active Directory) – Explained
Or, Active Directory FSMO Roles Explained
Or, FSMO roles functions and impact when unavailable

Descriptions: FSMO stands for Flexible Single Master Operation. Active Directory is multi-master (any DC can accept a write), but a few operations would conflict if two DCs performed them at the same time, so each of those is pinned to exactly one DC, the FSMO role holder. The roles help a large Active Directory environment to be managed consistently in terms of schema changes, naming, identifier allocation and password and time handling.

FSMO has 5 roles, categorized logically in two categories, Forest Level roles and Domain Level roles.

FSMO Roles and Categories:
Forest Level (one holder per forest): Schema Master, Domain Naming Master
Domain Level (one holder per domain): RID Master, PDC Emulator, Infrastructure Master

FSMO Roles functions and impact when unavailable:

Schema Master Role: The Schema Master role holder Domain Controller is the only DC that accepts updates and modifications to the schema, i.e. the definitions of the object classes and attributes the directory can hold (for example the attribute definitions Exchange adds during setup), not the values stored in those attributes. Once a schema update is committed, it is replicated from the Schema Master to all other domain controllers in the forest. To update the schema of a forest, you must be a member of Schema Admins, and because a schema change is forest-wide and irreversible, that group should normally be kept empty and populated only for the duration of a planned change.

Schema Master role is a Forest Level role and there can be only one Schema Master in a forest.

Impact, if the Schema Master Domain Controller is down? No schema modification can be made, so the installation of any application or server that requires a schema extension, like Exchange Server, Lync Server etc., will fail. Day-to-day operation of the domain is unaffected.

Domain Naming Master Role: The Domain Naming Master role holder domain controller is responsible for controlling the addition and removal of domains in the forest. It is the only domain controller that can allow a domain to be added to or removed from the forest.

Domain Naming Master role is a Forest Level role and there can be only one Domain Naming Master in a forest.

Impact, if the Domain Naming Master Domain Controller is down? You cannot add a new domain to the forest and you cannot remove an existing domain from the forest. Unless you have domain addition or removal activities planned, there is no impact on your running production.

RID Master Role: Every security principal (user, group, computer) gets a SID made of the domain SID plus a relative identifier (RID) that must be unique within the domain. Because any DC can create objects, the RID Master hands each DC its own pool of RIDs to allocate from and issues a fresh pool when a DC runs low. The DC that creates the object assigns the SID; the RID Master only guarantees that no two DCs hand out the same RID.

The RID Master role is a Domain Level role and there is one RID Master per domain, so there can be more than one in a forest.

Impact, if the RID Master Domain Controller is down? There is no immediate impact, because each Domain Controller holds a local pool of 500 RIDs by default and asks for a new pool when that pool is about half used. Even with the RID Master down, you can keep creating users, groups and computers until the local pool is exhausted; after that, object creation on that DC fails. Moving a user or group between domains also needs the RID Master.

To check how many RIDs remain in a domain controller’s local pool, run the command below on that DC and look for the RIDManager section in the output (the test also reports which DC it believes holds the role).

Dcdiag /test:ridmanager /v

Infrastructure Master Role: The Infrastructure Master role holder Domain Controller is responsible for keeping cross-domain object references current.

Example: We have a security group ‘Finance’ in our domain, and the user ‘Test-User-1’ from another domain of the forest is a member of it. Our domain does not hold Test-User-1’s object, only a placeholder (phantom) with its distinguished name, GUID and SID. If Test-User-1 is renamed or moved in its home domain, the Infrastructure Master notices the difference by comparing the phantom with a Global Catalog and writes the corrected reference, which then replicates to the other DCs of our domain.

Infrastructure Master role is a Domain Level role and there is one per domain, so there can be more than one in a forest.

Impact, if the Infrastructure Master Domain Controller is down? Cross-domain group memberships will show stale names or distinguished names after the referenced object is renamed or moved. Access itself keeps working, because access checks use the SID, which does not change on rename or move. In a single-domain forest, or when the Active Directory Recycle Bin is enabled, the role does no work at all.

PDC Emulator Role: Historically the PDC Emulator FSMO role holder Domain Controller acted as the Windows NT 4 Primary Domain Controller for NT 4 backup domain controllers, and it still carries the duties that grew out of that. When a password is changed on any DC, the change is replicated urgently to the PDC Emulator; when another DC rejects a logon because of a bad password, it asks the PDC Emulator before failing the logon, so a user who has just changed their password is not locked out by replication lag.

Account lockouts are processed on the PDC Emulator, Group Policy Management edits GPOs on it by default, and it is the authoritative time source (the top of the W32Time hierarchy) for the domain. Unless you have pointed time elsewhere, every domain-joined machine ultimately syncs from the PDC Emulator, so the PDC Emulator of the forest root domain should itself be synced to a reliable external source. Because Kerberos tolerates only 5 minutes of clock skew by default, time drift here shows up as authentication failures.

PDC Emulator role is a Domain Level role and there is one per domain, so there can be more than one in a forest.

Impact, if the PDC Emulator Domain Controller is down? This is the Domain Controller whose loss is felt soonest. Time synchronization across the domain, lockout processing, the bad-password fallback after a recent password change and the default GPO editing target all stop working while this Domain Controller is down. Existing logons, and logons with a password that has already replicated, keep working, but anything that depends on the behaviour above does not.
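A PowerShell check that ties the FSMO posts on this page together, added here as an example and not taken from any of them: it lists every role holder (the PowerShell equivalent of ‘netdom query fsmo’), tests that each holder answers on LDAP, and applies the Infrastructure Master / Global Catalog placement rule from the Global Catalog post above. It assumes the ActiveDirectory module and the Test-NetConnection cmdlet (Windows Server 2012 and later) and runs against the domain the machine is joined to.

```powershell
# Added example, not from the original posts. Assumes the ActiveDirectory
# module and Test-NetConnection; targets the current domain and forest.
Import-Module ActiveDirectory

$Forest = Get-ADForest
$Domain = Get-ADDomain

$Roles = [ordered]@{
    'Schema Master'         = $Forest.SchemaMaster
    'Domain Naming Master'  = $Forest.DomainNamingMaster
    'PDC Emulator'          = $Domain.PDCEmulator
    'RID Master'            = $Domain.RIDMaster
    'Infrastructure Master' = $Domain.InfrastructureMaster
}

foreach ($role in $Roles.Keys) {
    $holder = $Roles[$role]
    # A holder that does not answer LDAP (389) is, for practical purposes, an unavailable role.
    $up = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-22} {1,-40} {2}' -f $role, $holder, $(if ($up) { 'reachable' } else { 'UNREACHABLE' })
}

# Placement rule: the Infrastructure Master must not be a GC unless every DC in
# the domain is a GC or the forest has a single domain. An IM that is a GC never
# sees a stale cross-domain reference, so it never updates the non-GC DCs.
$Dcs      = Get-ADDomainController -Filter *
$ImDc     = $Dcs | Where-Object { $_.HostName -eq $Domain.InfrastructureMaster }
$NonGcDcs = @($Dcs | Where-Object { -not $_.IsGlobalCatalog })
$MultiDom = @($Forest.Domains).Count -gt 1

if ($ImDc.IsGlobalCatalog -and $NonGcDcs.Count -gt 0 -and $MultiDom) {
    Write-Warning ('Infrastructure Master {0} is a GC while {1} DC(s) are not: move the role to a non-GC DC or make every DC a GC.' -f $Domain.InfrastructureMaster, $NonGcDcs.Count)
} else {
    'Infrastructure Master / Global Catalog placement is fine.'
}
```

Run it from any domain-joined machine with the AD DS tools; an UNREACHABLE PDC Emulator or RID Master is the one to chase first, for the reasons given in the impact paragraphs above, and ‘Dcdiag /test:ridmanager /v’ on a DC tells you how much of its local RID pool is left if the RID Master is the one that is down.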

Updated: 10-04-2018


Cheers, Please write me back if you have any query or feedback.