Script to Create the ADMX Central Store

I find it amazing how many Active Directory environments I review that do not have an ADMX Central Store set up. It’s been a best practice since the release of Windows Vista/2008 some 7 years ago now. What I find is that there tends to be ADMX sprawl across management servers and even the workstations of the IT Pros, which creates challenges when determining where to edit certain GPOs from. This is just down to lack of understanding and perhaps even laziness.

This PowerShell script will create the ADMX Central Store for you by copying the ADMX files from several source locations, such as a master source on an Administrative share and/or several management servers, including IT Pro workstations.

I used to do this via a batch script using xcopy, but the batch script needed some re-work before I was prepared to share it, so I took this opportunity to re-write it using PowerShell.

Script to Find Missing Subnets in Active Directory

This PowerShell script will collect all Netlogon.log files from the Domain Controllers, export the last x lines and combine them into one file of unique IP Addresses in CSV format. This easily and simply allows you to then identify any missing subnets that need to be added and associated with an Active Directory Site.

Yes, there are a couple of good examples of this type of script already available on the Internet. The trouble with them is that they would not produce reliable results, especially across environments where Domain Controllers were not all at the same Windows Server versions. Not a great practice, but it does happen in the larger environments where migrations are completed in phases. I’ve previously blogged about the change to the fields in the Netlogon.log file. I also found that other scripts were quite inefficient when reading and collecting the Netlogon.log files over WAN connections. The “Report the AD Missing Subnets from the NETLOGON.log” script by Francois-Xavier CAT was the best available. So I used it as a base to help derive the results I was after.

Script to Create Group Policy Objects and WMI Filters to Manage the Time Server Hierarchy

This PowerShell script will create the Time Server GPOs and WMI Filters for the Domain Controllers to ensure your time server hierarchy remains correct for transfer and seizure of the PDC emulator FSMO role holder.

However, before I talk about the script it’s important to provide some background information on the required settings for the Windows Time Service (W32Time), as many tend to get it wrong.

The three (3) important settings are:

Script to create a Kerberos Token Size Report

SCRIPT UPDATED 22nd September 2017

This PowerShell script will enumerate all user accounts in a Domain, calculate their estimated Token Size and create a report of the top x users in CSV format.

However, before I talk about the script it’s important to provide some background information on Kerberos token size; how to calculate it; and how to manage it.

The Kerberos token size grows depending on the following factors:

  • Amount of direct and indirect (nested) group memberships.
    • Distribution groups are not included in the token, but all security groups are included.
    • All group scopes are included in the token evaluation.
  • Whether or not the user has a SID history, and if so, the number of entries.
  • Authentication method (username/password or multi-factor like Smart Cards).
  • The user is enabled for Kerberos delegation.
  • Local user rights assigned to the user.

If it grows beyond the default maximum allowed size…

A change to the fields in the Netlogon.log file from Windows 2012 and above

If you collate and report on the Netlogon.log files from Domain Controllers, you’ll notice that many existing scripts may fail to correctly split the lines when processing the logs from Windows 2012 Domain Controllers; unless of course you’ve already noticed and made an allowance for it.

Enabling the Active Directory JET Database Performance Monitor Counters

When monitoring the performance of Domain Controllers there are certain counters over and above the default ones that will provide you with advanced information to ensure that they are sized and performing correctly. These are the JET Database Performance Counters.

Script to set the Adobe Print As Image option

Having deployed a new printing solution in a large University environment, we were faced with all sorts of printing errors, slow printing, and out of memory errors on the printers themselves; specifically when printing PDFs. This is related to how the PDFs are processed, which becomes a challenge in a higher education environment where the PDFs can be considerably complex. This was not only providing a poor user experience, it was becoming a support nightmare to manage when you have thousands of Students and Academics creating and printing PDFs. After some advice, research and testing we found that setting the Adobe “Print As Image” (cPrintAsImage) option made a big difference to the quality and stability of the solution, clearing up most of the printing errors previously experienced. This option changes the way Adobe works by sending the output to the printer as an image file rather than a combination of different elements.

PaperCut Client Launch or Logon Script for Windows

Having deployed PaperCut print management software in a large University environment, we were faced with the challenge of how to ensure that the client (pc-client-local-cache.exe) launched successfully and consistently at every logon to meet all the use cases. We also had to consider how we were going to specify the different types of command line parameters. So I wrote a script 🙂

An improved and enhanced version of the famous LaunchApp.wsf

Have you ever wondered why your logon script fails to map network drives when an Administrative user logs onto a computer with User Account Control (UAC) enabled; even though the drive mapping process completes successfully?

To understand this you need to read the section from “Group Policy Scripts can fail due to User Account Control” here: http://technet.microsoft.com/en-us/library/cc766208(WS.10).aspx
