Active Directory - J House Consulting - DevOps, Microsoft, Citrix & Desktop Virtualisation (VDI) Specialist - +61 413 441 846

Script to Create a Report on UserAccountControl flags

February 23, 2017January 6, 2014 by Jeremy Saunders

This PowerShell script will enumerate all user accounts in a Domain, calculate their UserAccountControl flags and create a report of the “interesting” flags in CSV format.

The interesting flags are those you are interested in reporting on as documented in Microsoft KB305144 such as:

SCRIPT
ACCOUNTDISABLE
HOMEDIR_REQUIRED
LOCKOUT
PASSWD_NOTREQD
PASSWD_CANT_CHANGE
ENCRYPTED_TEXT_PWD_ALLOWED
TEMP_DUPLICATE_ACCOUNT
NORMAL_ACCOUNT
INTERDOMAIN_TRUST_ACCOUNT
WORKSTATION_TRUST_ACCOUNT
SERVER_TRUST_ACCOUNT
DONT_EXPIRE_PASSWORD
MNS_LOGON_ACCOUNT
SMARTCARD_REQUIRED
TRUSTED_FOR_DELEGATION
NOT_DELEGATED
USE_DES_KEY_ONLY
DONT_REQ_PREAUTH
PASSWORD_EXPIRED
TRUSTED_TO_AUTH_FOR_DELEGATION
PARTIAL_SECRETS_ACCOUNT
Read more

Script to create a Kerberos Token Size Report

September 22, 2017December 20, 2013 by Jeremy Saunders

SCRIPT UPDATED 22nd September 2017

This PowerShell script will enumerate all user accounts in a Domain, calculate their estimated Token Size and create a report of the top x users in CSV format.

However, before I talk about the script it’s important to provide some background information on Kerberos token size; how to calculate it; and how to manage it.

The Kerberos token size grows depending on the following facts:

Amount of direct and indirect (nested) group memberships.
- Distribution groups are not included in the token, but all security groups are included.
- All group scopes are included in the token evaluation.
Whether or not the user has a SID history, and if so, the number of entries.
Authentication method (username/password or multi-factor like Smart Cards).
The user is enabled for Kerberos delegation.
Local user rights assigned to the user.

If it grows beyond the default maximum allowed size…

Enabling the Active Directory JET Database Performance Monitor Counters

February 25, 2014June 20, 2013 by Jeremy Saunders

When monitoring the performance of Domain Controllers there are certain counters over and above the default ones that will provide you with advanced information to ensure that they are sized and performing correctly. These are the JET Database Performance Counters.