TLDR: Group Managed Service Accounts (gMSAs) are limited to the domain in which they are created. gMSAs are not reported by Get-ADUser. Managed Service Accounts (MSAs) were introduced in Server 2008 R2 to allow for system managed password changes of service accounts. Group Managed Service Accounts were introduced in Server 2012 as an improvement to…
Tag: Active Directory
Get AD Schema Attribute Names
One of our admins was running my export and import permissions script, and I thought he had made an error when I looked at an ExtensionAttribute name. Nope. The difference was between the attribute name and the LDAP display name which you see in the Attribute Editor tab from the advanced view of Active Directory…
Get User Lockout Status with PowerShell
Get-UserLockoutStatus.ps1 is an interactive script to get the lockout status of a selected user or all users in a specified domain. It queries each domain controller for non-replicated attributes using a workflow with an inline script for speed. It requires the ActiveDirectory Module.
Create a Hash Table with AD Domain DNS Root and NetBIOS Names
I frequently get requests to modify or look up a list of user names in a CSV file where the username is NTDomain\SamAccountName. Get-ADUser will let you use the NT domain as a server name, but in my experience it is slower than using the domain’s FQDN. Before I import the list in my code, I…
Reset User Account ACLs
The security for user account objects in an OU may drift over time. User accounts moved within the domain will retain delegations previously made, and user accounts created after schema extensions won’t have the same security as user accounts created earlier in time. Reset-UserAccountACLs.ps1 resets the security (ACLs) for user accounts within an OU to…
Using Workflows to Multithread AD Queries
I am frequently called on for Active Directory reports for all domains in the forest. This code shows you how to use a workflow to easily do this, adding the domain data into the results:

WorkFlow Run-wfADQuery {
    param([string[]]$Domains, [string]$filter)
    ForEach -parallel ($Domain in $Domains) {
        InlineScript {
            $userList = Get-ADUser -Filter $using:filter -Server $using:Domain
            @(Foreach ($user in…
Getting GPO GUID, Name from Active Directory
You don’t have to rely on the Group Policy Module to resolve the display name of a GPO from the GUID, or the GUID from the display name. Here are two short functions that will get that information from Active Directory. The first will return the GPO displayname attribute from a GUID. The GUID (sometimes…
Undelete-ADObject
Undelete-ADObject.ps1 is a GUI form based script for undeleting user, computer, group, print queue, and contact objects from Active Directory. You can display all of the objects of the selected type, or search by the name. I use this script frequently. It has a test mode, plus logging.
Powershell Date LDAP filters
This snippet can be used for easier date formatting when using an LDAP date filter with PowerShell. This demonstrates how to get users created within the previous 30 days using LDAP:

$MaxDays = 30
$StartDate = (Get-Date).AddDays(-$MaxDays)
# Keep only the date part so the filter begins at midnight, then append the
# time portion LDAP generalized time expects (yyyyMMddHHmmss.0Z; Z means UTC).
# An explicit format string is used here instead of indexing GetDateTimeFormats(),
# whose ordering depends on the current culture.
$ldapStart = $StartDate.ToString('yyyyMMdd') + '000000.0Z'
$LDAPFilter = "(whenCreated>=$ldapStart)"
Get-ADUser -LDAPFilter $LDAPFilter -Properties whenCreated
OU of Current PC from anywhere in the Forest
There are a lot of ways to get the OU of the current computer, but most don’t work if you are outside your home domain. This code does, without requiring AD cmdlets:

# My computer name works anywhere in the forest
$strFilter = "(&(objectCategory=Computer)(Name=$env:computername))"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.Filter = $strFilter
$SearchRootName = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name.ToString()
$SearchRoot = "GC://" + $SearchRootName
$objSearcher.SearchRoot…