Active Directory

Script to Create a Report of Members of Privileged Groups

by

This PowerShell script will create a report of users that are members of the following privileged groups:

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Cert Publishers
  • Administrators
  • Account Operators
  • Server Operators
  • Backup Operators
  • Print Operators

This is the default list of privileged groups I’ve set, but you can adjust the privileged groups directly within the getForestPrivGroups function if needed.

The original script was written by Doug Symalla from Microsoft and posted onto the TechNet Script Center: List Membership In Privileged Groups

This was accompanied by two TechNet Blogs:

The script was okay, but needed several updates to be more accurate and bug free. As Doug had not published an update since 26th April 2013, I though that I would. The changes I made are documented in the script.

Read more

Script to Create, Import and Export Group Policy WMI Filters

by

This PowerShell script will Create, Import and Export Group Policy WMI Filters.

I wrote this script to cover a number of different scenarios:

  • To create a default set of GPO WMI Filters for new builds.
  • To document existing WMI filters for health checks and audits.
  • To provide a mechanism to migrate WMI filters between Dev, Test, QA and Prod.

Read more

Script to Create a Report on the Primary Groups (primaryGroupID) in Use

by

This PowerShell script will enumerate all user accounts in a Domain and report on the primary groups (primaryGroupID) in use.

It will also total up the number of enabled and disabled user accounts that each group is applied to.

The output of this script helps with remediation tasks and perhaps even a redesign to implement some standards for the many different use cases.

Read more

Script to Generate a Group Policy Object (GPO) Version Report

by

Is there a version match between your Group Policy Object (GPO) containers and templates?

This PowerShell script will check that the version of each GPO is consistent in the Active Directory Group Policy Container (GPC) and on each Domain Controller in the Group Policy Template (GPT).

All Windows Operating Systems (since Windows 2000) will apply the GPO regardless of a version mismatch. However, a version mismatch will typically mean that some settings will simply not be applied because they haven’t been replicated correctly across the environment. Replication issues with good old flaky FRS and perhaps (but rarely) the newer DFS-R is often the reason that the GPT gets out of sync and lags behind the GPC. This is such a common problem.

Read more

Active Directory Health Check, Audit and Remediation Scripts

by

PowerShell Logo

I’ve been doing Active Directory work for many years and as such have a library of hundreds of scripts to assist with health checks, audits, and remediation tasks that I would like to share with the community.

But it’s not just a case of providing a script that creates a CSV or screen output, etc, as the output needs to be thoroughly explained so that the results are correctly understood and interpreted. The last thing I want is for someone to take the output of one of my scripts and start looking for a problem that does not exist, or making unnecessary modifications to their environment. This means that each script requires a separate article of it’s own. I have been doing this to date, but wanted to create a post to list all scripts used for health checks, audits and remediation tasks; linking them in as I blog about each one. I will also link out to other peoples scripts and articles that I use and find valuable.

I hope you find this a valuable source of information.

Read more

Script to Create the ADMX Central Store

by

I find it amazing how many Active Directory environments I review that do not have an ADMX Central Store set up. It’s been a best practice since the release of Windows Vista/2008 some 7 years ago now. What I find is that there tends to be ADMX sprawl across management servers and even the workstations of the IT Pros, which creates challenges when determining where to edit certain GPOs from. This is just down to lack of understanding and perhaps even laziness.

This PowerShell script will create the ADMX Central Store for you by copying the ADMX files from several source locations, such as a master source on an Administrative share and/or several management servers, including IT Pro workstations.

I use to do this via a batch script using xcopy, but the batch script needed some re-work before I was prepared to share it, so I took this opportunity to re-write it using PowerShell.

Read more

Script to Find Missing Subnets in Active Directory

by

This PowerShell script will collect all Netlogon.log files from the Domain Controllers, export the last x lines and combine it into one file of unique IP Addresses in CSV format. This easily and simply allows you to then identify any missing subnets that need to be added and associated to an Active Directory Site.

Yes, there are a couple of good examples of this type of script already available on the Internet. The trouble with them is that they would not produce reliable results, especially across environments where Domain Controllers were not all at the same Windows Server versions. Not a great practice, but it does happen in the larger environments where migrations are completed in phases. I’ve previously blogged about the change to the fields in the Netlogon.log file. I also found that other scripts were quite inefficient when reading and collecting the Netlogon.log files over WAN connections. The Report the AD Missing Subnets from the NETLOGON.log script by Francois-Xavier CAT was the best available. So I used it as a base to help derive the results I was after.

Read more

Script to Create Group Policy Objects and WMI Filters to Manage the Time Server Hierarchy

by

This PowerShell script will create the Time Server GPOs and WMI Filters for the Domain Controllers to ensure your time server hierarchy remains correct for transfer and seizure of the PDC emulator FSMO role holder.

However, before I talk about the script it’s important to provide some background information on the required settings for the Windows Time Service (W32Time), as many tend to get it wrong.

The three (3) important settings are:

Script to create a Kerberos Token Size Report

by

SCRIPT UPDATED 22nd September 2017

This PowerShell script will enumerate all user accounts in a Domain, calculate their estimated Token Size and create a report of the top x users in CSV format.

However, before I talk about the script it’s important to provide some background information on Kerberos token size; how to calculate it; and how to manage it.

The Kerberos token size grows depending on the following facts:

  • Amount of direct and indirect (nested) group memberships.
    • Distribution groups are not included in the token, but all security groups are included.
    • All group scopes are included in the token evaluation.
  • Whether or not the user has a SID history, and if so, the number of entries.
  • Authentication method (username/password or multi-factor like Smart Cards).
  • The user is enabled for Kerberos delegation.
  • Local user rights assigned to the user.

If it grows beyond the default maximum allowed size…

Read more