In a large enterprise an admin needs to keep track of all the domains in an AD forest: the domain names, the domain controllers (DCs), their IPs, and which FSMO roles each DC holds. Wrote a little script to do just that…
Tag: domain
Get Inactive Users Report for the past 60 days in a multi domain environment
I had a request recently to provide an inactive user report for the past 60 days. Basically, find out which accounts have not logged in for the past 60 days so action can be taken against them. The request was for a multi domain forest which queries every domain controller and gets the latest lastlogon…
Get All DCs in the Entire Forest
While getting to know a new environment for a new client, I quickly needed information about all domain controllers in the entire forest. I wrote a small script to provide all the information I needed:
```powershell
Import-Module ActiveDirectory

function Get-AllDCsInForest {
    [CmdletBinding()]
    param(
        # Any domain in the forest; defaults to the current user's domain
        [string]$ReferenceDomain = $env:USERDOMAIN
    )

    $ForestObj = Get-ADForest -Server $ReferenceDomain

    # Query each domain in the forest for its domain controllers
    foreach ($Domain in $ForestObj.Domains) {
        Get-ADDomainController -Filter * -Server $Domain |
            Select-Object Domain, HostName, Site, IPv4Address, OperatingSystem, OperatingSystemVersion
    }
}

# Export the results as CSV
Get-AllDCsInForest | Export-Csv -Path C:\Scripts\AllDcs.txt -NoTypeInformation
```
NSLookup still showing IP of demoted Domain Controller
So had an interesting issue today where a Domain Controller (DC) was demoted, yet the IP of the demoted DC was still showing up when running nslookup internaldomain.local. Demoted DC: MWDC04 / IP: 10.14.111.111. I had done the metadata cleanup and tried many suggestions when googling the subject. To my surprise none of the solutions I…
Speed up Active Directory & DNS replication between Sites
It is not possible to speed up Active Directory replication using the standard GUI Microsoft Management Consoles. The best the administrator consoles can do is bring replication between domain controllers down to every 15 minutes. These large time values were built into Active Directory at version 1 because inter-site connections during that era of computing and networking were much lower in bandwidth, with the most common being frame-relay or…
The Lazy Way To Do Active Directory Inventory
From time to time admins have to run an inventory of what is running in the AD environment. This is good practice for audits, inventory, removing decommissioned servers, or any other good reason. The required details include when the computer/server was created, when it was last logged into, what is the…
Lists all users last logon time
As administrators we often want to check which users have not logged in for quite a while, which accounts recently accessed a system, etc. The following script lists all local users on the computer and their last logon time. With lastloggedusers.csv we can get fancy with Excel to find differences based on age and more.
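```powershell
# Enumerate local accounts through the ADSI WinNT provider.
# .Value unwraps the ADSI property collections so the CSV holds the actual values.
$([ADSI]"WinNT://$env:COMPUTERNAME").Children |
    Where-Object { $_.SchemaClassName -eq 'user' } |
    Select-Object @{l='name';e={$_.name.Value}}, @{l='LastLogin';e={$_.lastlogin.Value}} |
    Export-Csv C:\scripts\lastloggedusers.csv
```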
Connecting to a remote domain controller using PowerShell
Covering one of the basic day-to-day tasks of a Windows administrator: connecting to the domain controller. I try to minimize logging onto servers as much as possible. Your thinking should be around connecting to the server remotely and doing the work as needed instead of natively logging on to it. I…
Create A Dedicated Account To Join Computers To A Domain
Admins often need to automate things, like creating a dedicated account for joining machines to an Active Directory (AD) domain. This is useful for things like System Center Configuration Manager task sequences and System Center Virtual Machine Manager templates or similar needs. First create a standard Windows user account. Next, right-click on the Computers Organization…
Set password never to expire for users in a particular domain (Bulk mode)
Let me start by saying that I don’t recommend doing this at all. Password Never Expires is a bad security practice, but there are situations that might require it. I had a request on how this could be done. Setting it for multiple users:
```powershell
# Connect to Office 365
Import-Module MSOnline
$O365Cred = Get-Credential
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
Connect-MsolService -Credential $O365Cred

# Get a list of users that belong to the second domain
$SDusers = Get-MsolUser -All -DomainName "yourseconddomain.com"

# Set the password to never expire for each of those users
foreach ($SDuser in $SDusers)
{
    # Pass the UPN string, not the whole user object
    Set-MsolUser -UserPrincipalName $SDuser.UserPrincipalName -PasswordNeverExpires $true
}
```
Setting it for a single user:
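```powershell
Set-MsolUser -UserPrincipalName user@domain.com -PasswordNeverExpires $true           # set the flag
Get-MsolUser -UserPrincipalName user@domain.com | Select-Object PasswordNeverExpires  # confirm the value
```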