PowerShell - J House Consulting - DevOps, Microsoft, Citrix & Desktop Virtualisation (VDI) Specialist - +61 413 441 846

Script to Create an Active Directory Schema Update Report

January 3, 2015June 22, 2014 by Jeremy Saunders

This PowerShell script was written by the awesome Ashley McGlone (AKA Goatee PFE) and published to the TechNet Script Center. It was also blogged on the Scriting Guy TechNet site. However, it did need some updates to keep up with the newer schema updates as well as adding the SCCM (ConfigMgr) versions. As Ashley has not updated it since 19th September 2013 I thought I’d update it myself and post it here until he gets the time to update the script and publish an updated version.

It will report the versions of the following products as per the sample screen shot from one of my customers:

Active Directory
Exchange
Lync
System Center Configuration Manager (SCCM) – ConfigMgr

Please ensure you read the Scripting Guy’s blog titled “How to Find Active Directory Schema Update History by Using PowerShell“, which provides some great documentation on the script as well as some valuable comments that have helped to implement the updates.

The original script can be found here on the TechNet Script Center: PowerShell Active Directory Schema Update Report

Script to Create an Overview of all Computer Objects in a Domain

September 2, 2016June 22, 2014 by Jeremy Saunders

This PowerShell script will provide an overview and count of all computer objects in a domain based on Operating System and Service Pack. It helps an organisation to understand the number of stale and active computers against the different types of operating systems deployed in their environment.

Computer objects are filtered into 4 categories:

Windows Servers
Windows Workstations
Other non-Windows (Linux, Mac, etc)
Windows Cluster Name Objects (CNOs) and Virtual Computer Objects (VCOs)

A Stale object is derived from 2 values ANDed together:

PasswordLastChanged > $MaxPasswordLastChanged days ago
LastLogonDate > $MaxLastLogonDate days ago

By default the script variable for $MaxPasswordLastChanged is set to 90 and the variable for $MaxLastLogonDate is set to 30. These can easily be adjusted to suite your definition of a stale object.

The Active objects column is calculated by subtracting the Enabled_Stale value from the Enabled value. This gives us an accurate number of active objects against each Operating System.

Script to Create a Report of Members of Privileged Groups

June 17, 2014June 9, 2014 by Jeremy Saunders

This PowerShell script will create a report of users that are members of the following privileged groups:

Enterprise Admins
Schema Admins
Domain Admins
Cert Publishers
Administrators
Account Operators
Server Operators
Backup Operators
Print Operators

This is the default list of privileged groups I’ve set, but you can adjust the privileged groups directly within the getForestPrivGroups function if needed.

The original script was written by Doug Symalla from Microsoft and posted onto the TechNet Script Center: List Membership In Privileged Groups

This was accompanied by two TechNet Blogs:

The script was okay, but needed several updates to be more accurate and bug free. As Doug had not published an update since 26th April 2013, I though that I would. The changes I made are documented in the script.

Script to Create, Import and Export Group Policy WMI Filters

June 9, 2014 by Jeremy Saunders

This PowerShell script will Create, Import and Export Group Policy WMI Filters.

I wrote this script to cover a number of different scenarios:

To create a default set of GPO WMI Filters for new builds.
To document existing WMI filters for health checks and audits.
To provide a mechanism to migrate WMI filters between Dev, Test, QA and Prod.

Script to Create a Report on the Primary Groups (primaryGroupID) in Use

May 27, 2014 by Jeremy Saunders

This PowerShell script will enumerate all user accounts in a Domain and report on the primary groups (primaryGroupID) in use.

It will also total up the number of enabled and disabled user accounts that each group is applied to.

The output of this script helps with remediation tasks and perhaps even a redesign to implement some standards for the many different use cases.

Script to Generate a Group Policy Object (GPO) Version Report

June 26, 2016May 23, 2014 by Jeremy Saunders

Is there a version match between your Group Policy Object (GPO) containers and templates?

This PowerShell script will check that the version of each GPO is consistent in the Active Directory Group Policy Container (GPC) and on each Domain Controller in the Group Policy Template (GPT).

All Windows Operating Systems (since Windows 2000) will apply the GPO regardless of a version mismatch. However, a version mismatch will typically mean that some settings will simply not be applied because they haven’t been replicated correctly across the environment. Replication issues with good old flaky FRS and perhaps (but rarely) the newer DFS-R is often the reason that the GPT gets out of sync and lags behind the GPC. This is such a common problem.

Active Directory Health Check, Audit and Remediation Scripts

January 25, 2015May 15, 2014 by Jeremy Saunders

I’ve been doing Active Directory work for many years and as such have a library of hundreds of scripts to assist with health checks, audits, and remediation tasks that I would like to share with the community.

But it’s not just a case of providing a script that creates a CSV or screen output, etc, as the output needs to be thoroughly explained so that the results are correctly understood and interpreted. The last thing I want is for someone to take the output of one of my scripts and start looking for a problem that does not exist, or making unnecessary modifications to their environment. This means that each script requires a separate article of it’s own. I have been doing this to date, but wanted to create a post to list all scripts used for health checks, audits and remediation tasks; linking them in as I blog about each one. I will also link out to other peoples scripts and articles that I use and find valuable.

I hope you find this a valuable source of information.

Script to create a Kerberos Token Size Report

September 22, 2017December 20, 2013 by Jeremy Saunders

SCRIPT UPDATED 22nd September 2017

This PowerShell script will enumerate all user accounts in a Domain, calculate their estimated Token Size and create a report of the top x users in CSV format.

However, before I talk about the script it’s important to provide some background information on Kerberos token size; how to calculate it; and how to manage it.

The Kerberos token size grows depending on the following facts:

Amount of direct and indirect (nested) group memberships.
- Distribution groups are not included in the token, but all security groups are included.
- All group scopes are included in the token evaluation.
Whether or not the user has a SID history, and if so, the number of entries.
Authentication method (username/password or multi-factor like Smart Cards).
The user is enabled for Kerberos delegation.
Local user rights assigned to the user.

If it grows beyond the default maximum allowed size…