Saturday, April 30, 2011

Group Policy for Beginners

Before preparing to celebrate the first of May I just wanted to make a short note of Microsoft's new Group Policy for Beginners guide, released just two days ago. Since we have new admins in our company I think they might want to read it through.

"This white paper introduces Group Policy, provides an overview of what you can do with Group Policy, describes essential concepts that you must know, and provides step-by-step instructions for the most common Group Policy tasks."

Friday, April 22, 2011

List of AD FS 2.0 related content

While looking for something completely different, I happened to come across what seems to be a great source of information on AD FS 2.0: a wiki page of AD FS 2.0 content on MSDN, TechNet, Microsoft Downloads, etc. I'll have to dig into it more carefully later.

Thursday, April 14, 2011

How to update a computer's group memberships without a reboot

I have run into this command a few times now, so I thought I should blog it (it has already been blogged in various places, but you never find them when you need them):

klist -li 0x3e7 purge
This allows administrators to flush the system's Kerberos TGT (as well as all of its other tickets). The logon ID of the local system account is always 0x3e7. You have to run this from an elevated command prompt; otherwise it won't work.

This way you can get computers to pick up group policies that are targeted at them through security groups without having to reboot those computers: the next TGT they obtain reflects their current group membership.
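As an added example (not part of the original post), here is the same procedure wrapped in a PowerShell function that first checks the session is elevated, lists the tickets the SYSTEM logon session currently holds, purges them, and optionally triggers a computer-side Group Policy refresh. It assumes a domain-joined Windows host where klist.exe and gpupdate.exe are available; the function and parameter names are my own.

```powershell
# Added example: refresh the computer's Kerberos tickets so newly assigned
# computer-group memberships take effect without a reboot.
# Assumes a domain-joined Windows host with klist.exe and gpupdate.exe.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Reset-ComputerKerberosTickets {
    [CmdletBinding()]
    param(
        # 0x3e7 (decimal 999) is the fixed logon ID of the local SYSTEM logon session
        [string]$LogonId = '0x3e7',
        # also trigger a computer-side Group Policy refresh afterwards
        [switch]$RefreshPolicy
    )

    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated PowerShell session; otherwise klist cannot reach the SYSTEM logon session.'
    }

    # Show what the SYSTEM logon session holds before we touch it (visible with -Verbose).
    Write-Verbose "Tickets held by logon session $LogonId before purge:"
    klist -li $LogonId | Write-Verbose

    # Drop the TGT and all service tickets of the SYSTEM logon session.
    # The next authentication obtains a fresh TGT whose PAC carries the current group SIDs.
    klist -li $LogonId purge
    if ($LASTEXITCODE -ne 0) { throw "klist purge failed with exit code $LASTEXITCODE" }

    if ($RefreshPolicy) {
        # Computer-side policy refresh; /force reapplies settings even if they are unchanged.
        gpupdate /target:computer /force
    }
}

# Usage (from an elevated prompt):
Reset-ComputerKerberosTickets -RefreshPolicy -Verbose
```

The elevation check is there because, as the post notes, the purge silently does nothing useful from a non-elevated prompt; failing early makes that obvious instead of leaving you wondering why the policy still did not apply.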

Wednesday, April 13, 2011

How to find active computers

Today I was asked how many active (not just enabled) client computers there are left in our old domain waiting to be migrated to a new one. The built-in tools provide an easy way to find inactive computers but not the active ones. By default computers are required to change their password every 30 days, so we can use that information to determine which ones are active. There are actually a couple of ways to find active computers in the domain. The hard way is to list all client computers in the domain and then compare the list to all inactive computers, which you can find by using:
dsquery computer [<startnode>] -inactive <number of weeks>
to get computers that have been inactive (stale) for the number of weeks that you specify or
dsquery computer [<startnode>] -stalepwd <number of days>
to find computers whose passwords have not changed for the specified number of days. This comparison requires some manual work, and since we are looking for a solution that can be easily reproduced we are not satisfied. So it would be easier to just query for all computers whose password has been changed since some date:
dsquery * [<startnode>] -filter "(&(objectCategory=computer)(pwdLastSet>=<date/time in Integer8 format>))"
But since the pwdLastSet attribute value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC), you have to know how to convert the last password reset date to the same format before you can use it as a search condition. This conversion can easily be done by using VBScript, for example. I'll leave that as homework for you to find out how it is done.

I figured out that the easiest way to find out which computers have changed their passwords within specified period is to use PowerShell:
$d = [DateTime]::Today.AddDays(-60); Get-ADComputer -Filter 'PasswordLastSet -ge $d' -Properties PasswordLastSet
These two commands show you all computers that have changed their passwords within the last 60 days. And you can run them on one line instead of having to do any comparisons or date/time conversions.

And if we are only interested in the number of active computer objects we can just count them:

@($d = [DateTime]::Today.AddDays(-60); Get-ADComputer -Filter 'PasswordLastSet -ge $d' -Properties PasswordLastSet).Count


Pretty cool, right?

For the Get-ADComputer cmdlet to work you'll need to have first imported the Active Directory module by running
Import-Module ActiveDirectory
which contains a lot of useful cmdlets to manage AD.
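As an added example (not code from the original post), the following script pulls the whole post together: it computes the cutoff date, performs the Integer8 conversion that the dsquery filter above needs (the "homework"), runs both the PowerShell filter from the post and the equivalent raw LDAP filter so you can check that they agree, and reports total, enabled, active, and enabled-but-stale computer counts separately, which is exactly the "active, not just enabled" distinction the post is after. It assumes the ActiveDirectory module and a reachable domain; the function names, the -Days and -SearchBase parameters and the example OU path are my own.

```powershell
# Added example: count active computer accounts by password age and show the
# Integer8 conversion needed for the dsquery / LDAP form of the same query.
# Assumes the ActiveDirectory module and a domain connection.

Import-Module ActiveDirectory

function ConvertTo-Integer8 {
    # Integer8 (FILETIME): 100-nanosecond intervals since 1601-01-01 UTC,
    # which is what pwdLastSet stores. ToFileTimeUtc converts a local time correctly.
    param([Parameter(Mandatory)][DateTime]$Date)
    return $Date.ToFileTimeUtc()
}

function Get-ActiveComputerReport {
    [CmdletBinding()]
    param(
        [int]$Days = 60,       # twice the default 30-day password change interval, for slack
        [string]$SearchBase    # hypothetical, e.g. 'OU=Workstations,DC=example,DC=com'
    )

    $cutoff = [DateTime]::Today.AddDays(-$Days)

    $common = @{ Properties = 'PasswordLastSet' }
    if ($SearchBase) { $common.SearchBase = $SearchBase }

    # Same filter as in the post; the AD module resolves $cutoff inside the single-quoted filter.
    $active = @(Get-ADComputer -Filter 'PasswordLastSet -ge $cutoff' @common)

    # Equivalent raw LDAP filter (what dsquery * -filter needs), built from the Integer8 value.
    $int8       = ConvertTo-Integer8 -Date $cutoff
    $ldapFilter = "(&(objectCategory=computer)(pwdLastSet>=$int8))"
    $activeViaLdap = @(Get-ADComputer -LDAPFilter $ldapFilter @common)

    $all = @(Get-ADComputer -Filter * @common)

    [PSCustomObject]@{
        CutoffDate         = $cutoff
        CutoffInteger8     = $int8
        LdapFilter         = $ldapFilter
        TotalComputers     = $all.Count
        EnabledComputers   = @($all | Where-Object { $_.Enabled }).Count
        ActiveComputers    = $active.Count
        ActiveViaLdapCheck = $activeViaLdap.Count    # should equal ActiveComputers
        # enabled accounts whose password is older than the cutoff (or never set)
        StaleButEnabled    = @($all | Where-Object { $_.Enabled -and -not ($_.PasswordLastSet -ge $cutoff) }).Count
    }
}

# Usage:
Get-ActiveComputerReport -Days 60
```

The LdapFilter string in the output can be pasted straight into `dsquery * -filter` if you still need the command-line tool, and the ActiveViaLdapCheck column is a cheap way to confirm that the friendly PowerShell filter and the raw Integer8 comparison select the same set of objects.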

It's alive!

Hi all,

Welcome to our Windows blog. The primary function of this blog is to be our notepad for Windows-related things. Introductions will be done later...

Most likely the posts will deal with Active Directory, especially scripts and commands to modify it, but once in a while there might be a post about new product releases or other cool Windows-related stuff.

If you find it useful or to contain inaccurate information then feel free to comment.