Activedirectory

From Piszczynski

Active Directory

Handy PowerShell one-liner to add the members of one AD group to another. Note that -Recursive flattens nested groups: it returns the users and computers found anywhere in the hierarchy but not the nested group objects themselves, so the target ends up with direct memberships only. Drop -Recursive to copy the direct members (including nested groups) as they are:

Add-ADGroupMember -Identity 'New Group' -Members (Get-ADGroupMember -Identity 'Old Group' -Recursive)
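The same copy done idempotently, as an added example that is not from the original page: it skips members the target already has, refuses to nest the target inside itself, preserves nested groups unless -Flatten is given, and reports what changed. Group names and the ActiveDirectory module are assumed.

```powershell
# Added example, not part of the original page. Assumes the ActiveDirectory module
# (RSAT) and that the caller can modify the target group.
Import-Module ActiveDirectory

function Copy-ADGroupMembers {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Target,
        [switch]$Flatten   # behave like the -Recursive one-liner above (leaf objects only)
    )
    $members  = @(Get-ADGroupMember -Identity $Source -Recursive:$Flatten)
    $existing = @(Get-ADGroupMember -Identity $Target | Select-Object -ExpandProperty DistinguishedName)
    $targetDn = (Get-ADGroup -Identity $Target).DistinguishedName

    # Skip objects already in the target and never make the target a member of itself.
    $toAdd = @($members | Where-Object {
        $_.DistinguishedName -ne $targetDn -and $existing -notcontains $_.DistinguishedName
    })

    if ($toAdd.Count -gt 0) {
        Add-ADGroupMember -Identity $Target -Members $toAdd
    }

    [pscustomobject]@{
        Source       = $Source
        Target       = $Target
        Added        = $toAdd.Count
        Skipped      = $members.Count - $toAdd.Count
        AddedObjects = $toAdd | Select-Object Name, objectClass
    }
}

# Assumed sample group names.
Copy-ADGroupMembers -Source 'Old Group' -Target 'New Group'
```

Get-ADGroupMember is served by Active Directory Web Services, which by default refuses to enumerate groups with more than 5000 members; for very large groups read the group's member attribute with Get-ADGroup -Properties member instead and feed the DNs to Add-ADGroupMember.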


Reset password in PowerShell (prompting for the new password so it never lands in the command history):

  • $pw = Read-Host "password" -AsSecureString
  • Set-ADAccountPassword -Identity <username> -Reset -NewPassword $pw

Unlock account

  • Unlock-ADAccount -Identity <user>

Check whether an account is locked out:

  • Get-ADUser -Identity <user> -Properties LockedOut | Select-Object Name, LockedOut
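A fuller lockout triage, as an added example that is not from the original page: list every locked-out user with the bad-password details held by the PDC emulator, pull the 4740 lockout events from the PDCe to see which computer the bad passwords came from, then unlock with a per-account prompt. The ActiveDirectory module, rights to read the PDCe Security log and the 24-hour window are assumptions.

```powershell
# Added example, not part of the original page. Assumes the ActiveDirectory module and
# permission to read the Security event log on the PDC emulator.
Import-Module ActiveDirectory

# Bad-password counts are tracked per DC and forwarded to the PDC emulator, and
# lockout events (4740) are logged there, so query it rather than an arbitrary DC.
$pdc = (Get-ADDomain).PDCEmulator

$locked = Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
    Get-ADUser -Identity $_.SamAccountName -Server $pdc `
        -Properties LockedOut, lockoutTime, badPwdCount, LastBadPasswordAttempt
}

$locked | Select-Object SamAccountName, LockedOut, badPwdCount, LastBadPasswordAttempt,
    @{ Name = 'LockoutTime'; Expression = { [DateTime]::FromFileTime($_.lockoutTime) } } |
    Format-Table -AutoSize

# Which machine sent the bad passwords: 4740 "A user account was locked out" carries
# the locked account and the caller computer name in its message text.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24)   # assumed window
} -ErrorAction SilentlyContinue | Select-Object TimeCreated,
    @{ Name = 'Account'; Expression = { [regex]::Match($_.Message, 'Account Name:\s+(\S+)').Groups[1].Value } },
    @{ Name = 'Caller';  Expression = { [regex]::Match($_.Message, 'Caller Computer Name:\s+(\S+)').Groups[1].Value } }

# Unlock only after the source has been checked; -Confirm prompts for each account,
# since unlocking while the caller is still spraying passwords just re-locks it.
$locked | Unlock-ADAccount -Confirm
```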

Search for AD users using PowerShell:

Get-ADUser returns this default property set (anything else needs -Properties): DistinguishedName, Enabled, GivenName, Name, ObjectClass, ObjectGUID, SamAccountName, SID, Surname, UserPrincipalName. Any of them can be used in -Filter.

  • Get-ADUser -Filter "name -eq '<name of user>'"

See all properties for an active directory user account:

  • Get-ADuser -identity <user> -properties *

Get all groups an AD account is a member of:

  • Get-ADPrincipalGroupMembership <username> | select Name

Find logon scripts for all users and export to a text file. Format-Table truncates long paths at the output width, so widen it (or use Export-Csv instead of Out-File for a full export):

  • Get-ADUser -Filter * -Properties scriptPath, homeDrive, homeDirectory | Format-Table Name, scriptPath, homeDrive, homeDirectory -AutoSize | Out-File C:\temp\logonscriptoutput.txt -Width 300

Setting up Active Directory

Handy basic info for configuring an active directory domain:

https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx


Before creating the domain, make sure the date, time and time zone on the server that will become the first domain controller are correct. That server holds the PDC emulator role and becomes the domain's authoritative time source, and Kerberos rejects tickets from clients whose clocks differ from the DC by more than five minutes (the default tolerance).


Enable fix for hybrid AD password reset

MS KB

Re-sync an AD account with its Azure AD account after deletion, restore or migration

Issues may occur when accounts have been created incorrectly or have been deleted and restored: Azure AD Connect no longer links the on-prem object to the cloud object and may soft-match, create a duplicate, or fail to export.

You may then need to manually re-sync the AD object with its Azure AD counterpart.

This is done by hard matching on the ImmutableID. Azure AD Connect sets it to the Base64 encoding of the on-prem source anchor, which is the objectGUID on older installs and mS-DS-ConsistencyGuid (seeded from the objectGUID) on newer ones, so the value computed below normally matches either.

First get the account in Active Directory, read its objectGUID and convert it to a Base64 string (the single quotes in the hash table must be plain ASCII quotes):

  • Get-ADUser -Filter "name -eq '<username>'" -Properties objectGUID | Select-Object UserPrincipalName, objectGUID, @{Name = 'ImmutableID'; Expression = { [System.Convert]::ToBase64String(([GUID]$_.objectGUID).ToByteArray()) } } | Export-Csv users.csv

Then set the ImmutableID obtained from the AD account on the Azure AD account. This only works on a cloud-only object, so the stale link must already be gone (the object deleted from sync scope and the deletion exported). Set-MsolUser needs Connect-MsolService and the now-deprecated MSOnline module; the Microsoft Graph equivalent is Update-MgUser -UserId <upn> -OnPremisesImmutableId <id>.

  • Set-MsolUser -UserPrincipalName USER@DOMAIN.COM -ImmutableID "ABCdefGHIjklMNO=="

Check here for reference: https://www.theictguy.co.uk/ad-connect-and-hard-matching-immutableid/
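The whole hard match as one script, as an added example that is not from the original page or the linked article: it encodes the on-prem anchor, decodes it again to prove the conversion is reversible, compares it with what the cloud object currently holds, and applies it through the Microsoft Graph module (the modern counterpart of the Set-MsolUser line above). The sample account, the UPN, the Microsoft.Graph.Users module and the right to update users are assumptions.

```powershell
# Added example, not part of the original page. Assumes the ActiveDirectory and
# Microsoft.Graph.Users modules and an account allowed to update cloud users.
Import-Module ActiveDirectory

function ConvertTo-ImmutableId {
    # Base64 of the GUID's 16 bytes in .NET byte order, which is what AAD Connect writes.
    param([Parameter(Mandatory)][guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse it, so a value copied from the cloud can be checked against on-prem AD.
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([byte[]][Convert]::FromBase64String($ImmutableId))
}

$sam = 'jdoe'               # assumed sample account
$upn = 'jdoe@contoso.com'   # assumed cloud UPN

$adUser = Get-ADUser -Identity $sam -Properties objectGUID, 'mS-DS-ConsistencyGuid'

# Newer AAD Connect installs anchor on mS-DS-ConsistencyGuid; it is normally seeded from
# objectGUID, but if it is populated and differs, it is the value the cloud expects.
$anchorGuid = if ($adUser.'mS-DS-ConsistencyGuid') {
    [guid]::new([byte[]]$adUser.'mS-DS-ConsistencyGuid')
} else {
    $adUser.ObjectGUID
}
$expected = ConvertTo-ImmutableId $anchorGuid

# Sanity-check the encoding before touching the cloud object.
if ((ConvertFrom-ImmutableId $expected) -ne $anchorGuid) {
    throw 'ImmutableID round trip failed; refusing to continue'
}

Connect-MgGraph -Scopes 'User.ReadWrite.All'
$cloud = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled

if ($cloud.OnPremisesImmutableId -eq $expected) {
    "Already hard matched: $upn -> $expected"
} elseif ($cloud.OnPremisesSyncEnabled) {
    # The anchor cannot be changed while the cloud object is still flagged as synced;
    # remove the on-prem object from sync scope and let the deletion export first.
    throw "$upn is still sync-enabled; cannot change its ImmutableID"
} else {
    "Cloud holds '$($cloud.OnPremisesImmutableId)', on-prem expects '$expected'; applying"
    Update-MgUser -UserId $cloud.Id -OnPremisesImmutableId $expected
}
```

After the value is set, run a delta sync (Start-ADSyncSyncCycle -PolicyType Delta on the Azure AD Connect server) and confirm the cloud object shows as synced again rather than as a new duplicate.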

Ports for Domain / Active Directory

  • TCP and UDP 88: Kerberos authentication. Clients start on UDP and fall back to TCP for large tickets; modern Windows uses TCP by default.
  • TCP 135: RPC endpoint mapper, used for domain controller-to-domain controller and client-to-domain controller RPC operations (replication, NetLogon, DCOM). The mapper hands the caller a port from the dynamic range below, so that range must be open as well.
  • TCP 139 and UDP 138: NetBIOS session and datagram services, used by NetLogon and DFS Namespaces on legacy clients; not needed where NetBIOS over TCP/IP is disabled.
  • TCP and UDP 389: LDAP. TCP carries normal queries from client computers to the domain controllers; UDP 389 carries the CLDAP "LDAP ping" the DC locator uses. TCP 636 is LDAP over SSL/TLS where server certificates have been deployed.
  • TCP 445: SMB, for the SYSVOL and NETLOGON shares (Group Policy, logon scripts), user and computer authentication over named pipes, and trusts. Microsoft's table also lists UDP 445, but SMB runs over TCP in practice.
  • TCP and UDP 464: Kerberos password change (kpasswd).
  • TCP 3268 and 3269: Global Catalog from client to domain controller (3269 is the Global Catalog over SSL/TLS).
  • TCP and UDP 53: DNS, client to domain controller and domain controller to domain controller.
  • Dynamic RPC ports: TCP and UDP 49152-65535 on Windows Server 2008 and later; TCP and UDP 1025-5000 on Windows Server 2003 and earlier. Where a firewall cannot open the range, the AD replication RPC port can be pinned with the "TCP/IP Port" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.


https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN
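A connectivity check for the list above, as an added example that is not from the original page: it discovers the domain's DCs from the _ldap._tcp.dc._msdcs SRV record and tests each TCP port against every DC, reporting only the closed ones. Test-NetConnection is TCP-only, so UDP 53/88/389 and the dynamic RPC range handed out after the port 135 handshake are not covered. The fallback domain name is an assumption.

```powershell
# Added example, not part of the original page. Runs on any domain member with
# Windows PowerShell 4+ (Test-NetConnection / Resolve-DnsName); no AD module needed.
function Test-DcPorts {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        # TCP ports from the list above; 636 only answers where LDAPS is configured.
        [int[]]$Ports = @(53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269)
    )
    foreach ($port in $Ports) {
        # -InformationLevel Quiet returns a plain $true/$false instead of the verbose object.
        $open = Test-NetConnection -ComputerName $DomainController -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ DomainController = $DomainController; Port = $port; Open = $open }
    }
}

# Domain of the current session; the fallback name is an assumed placeholder.
$domain = if ($env:USERDNSDOMAIN) { $env:USERDNSDOMAIN } else { 'corp.example.com' }

# The SRV answer also carries A records in the additional section; keep only SRV entries.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.NameTarget } |
    Select-Object -ExpandProperty NameTarget |
    Sort-Object -Unique

$results = foreach ($dc in $dcs) { Test-DcPorts -DomainController $dc }
$closed  = @($results | Where-Object { -not $_.Open })

if ($closed.Count -eq 0) {
    "All tested TCP ports reachable on $($dcs.Count) domain controller(s)"
} else {
    $closed | Format-Table -AutoSize
}
```

A closed 135 with an open 389 usually means the firewall allows LDAP but not RPC, which breaks replication and remote management while logons still work; a closed 445 breaks Group Policy and logon scripts even though Kerberos and LDAP succeed.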

DHCP in active directory

Get all DHCP servers registered to domain:

Get-DhcpServerInDC