Export-ADUsers.ps1 is a GUI script which exports users with the attributes you select from any OU selected from a domain navigation menu. The list of available attributes is read from the Schema. Some attributes get special handling, so it can return the domain, Enabled, userAccountControl and published certificates. Not required: admin rights…
Tag: Active Directory
Export Domain Group Members
Export-DomainGroupMembers.ps1 is a GUI script which exports group membership with the attributes you select. It takes the group’s distinguishedname as a parameter, and supports very large groups. How large? I have enumerated groups with over 350,000 members in a multidomain forest. You can get nested group membership, even if there are recursion loops. The list…
Get User Lockout Information
This script lets you see lockout events for a user from the domain controller on which the event(s) occurred. It accepts the user’s distinguished name as input, enumerates the list of domain controllers, then finds the LockoutTime on each domain controller. It then calculates the time +/- 2 seconds, and queries the DC event log…
Get AD Replication Metadata
Some Active Directory attributes are local to the domain controller where the event occurred, such as lastlogon, but most others are replicated to all domain controllers within that domain. This should be distinguished from the attributes which are part of the Global Catalog – those attributes are a subset of domain attributes which exist and…
Get Security Set on Active Directory Objects
Viewing the security set on an Active Directory object is useful for troubleshooting and for security event investigations. Get-ADObjPermissions_ps1 reads your AD schema data, and provides a list of security set with both the setting and the delegate. This does not require admin permissions or any modules to run. It takes the object’s distinguished name…
Find AD Object’s DistinguishedName
Getting the distinguishedname of an Active Directory object is a common administrative task. Find-ADObject_ps1 makes it easy to get this information for users, computers and groups using System.DirectoryServices.DirectorySearcher instead of the ActiveDirectory module. Admin rights are not required. The syntax is simple, e.g.: .\Find-ADObject.ps1 -adobject 'MyGroup' -ADObjectType Group
Getting the Status of a GPO Deployment in an AD Forest
If you are in a large environment, you may be deploying group policies to multiple domains. How can you track the status of the deployment? With Get-GPOdeploymentStatus.ps1, you can enter the name of the GPO, then have all domains queried to discover if it has been installed, who installed it, when it was last…
Get Security Set on AD Object
It’s been a while, gentle reader, since my last post. It isn’t that I haven’t been writing code, but rather that much of what I write is for internal use only. Recently I was asked to write a PowerShell script to show the advanced security for any AD object, without relying on the ActiveDirectory module….
Get Active Directory Forest Domain Controllers
Like the other script posted today, this was written to help out the networking team with a simple inventory of DCs in a large Active Directory forest. It queries all domains in the forest, creating a CSV file with the Domain, DC name, IP Address, OS, AD Site and Roles. It can optionally ping the…
Get Sites and Subnets in AD Forest
The script below was written so the networking staff would be able to always have a current list of the AD Sites and Subnets, without relying on the Active Directory Module.
<#
Get-ADSubnets.ps1
Alan Kaplan 1/24/20
Get list of AD Subnets in Forest
Does not rely on AD module or admin rights
#>
#Default logfile…