Activedirectory

List all of a users group memberships

Download the script here. Auditing user access is hard. Usually you audit from the resource outward, e.g. finding all Domain Admins, or finding all users with full access to the SecretShare$ share on SecretServer01. But occasionally you want to audit from the user outward, and this is hard, even impossible if you have a very big environment. Let's talk about the first step: enumerating nested groups. Token Groups: each user has a constructed attribute called tokenGroups that returns a list of all transitive group memberships.

Clone OU Structure to New Domain

A quick, semi-PowerShell way to clone an OU structure from a source domain to a destination domain is to use the ldifde tool and then modify its output. To generate the output file Oustructure-cleaned.ldif we use ldifde to export all OUs and then remove the domain name (this is not necessary, but it helps later).

Remotely Retrieve active SSL certificate (HTTPS or LDAPS)

When replacing certificates on servers it is nice to be able to verify that the certificate has actually been updated after you have made the change. Download Retrieve-ServerCertFromSocket.ps1. With websites this tends to be very easy: enter the address in Internet Explorer and double-click the padlock to view the certificate. This doesn't work in lots of situations though: no IE available in the environment, when you are trying to use a particular SNI header that doesn't match how your client machine connects, or when you want to get a secure LDAP certificate on port 636 or 3269 from a Domain Controller.

Decoding legacy Exchange DN from NDR

Occasionally in Exchange you will accidentally or intentionally recreate a user, or delete some values from their object, and this will affect the LegacyExchangeDN value. I have seen this happen where mailuser objects were removed from Office 365; the user objects were cloud-only and the LegacyExchangeDN was gone forever. Contrary to its name, the LegacyExchangeDN value is critical to maintaining active conversations within your organisation. When a user's LegacyExchangeDN is lost, colleagues replying to conversations with that user will get an NDR.

Track Lync Schema update with Powershell

When I perform schema changes in very large forests it is nice to be able to track the status of the change as it replicates throughout the forest. I wanted to create a script that would quickly tell me what the current schema version was on over 100 DCs. If you don't want to see how it was done you can just Download Track-LyncSchema.ps1. I started with some scripts that I have built before: foreach-parallel to do parallel processing, get-forestDomainControllers to get a list of all DCs in the forest, and get-LdapData to do direct LDAP lookups quickly.