Active Directory Administration
This page is dedicated to any and all Active Directory administration
USER / HOST ENUMERATION
Get All Users
Get-ADUser -Filter * -Properties DisplayName, sAMAccountName, EmailAddress | Select DisplayName, sAMAccountName, EmailAddress | Export-CSV "C:\users.csv"
Get Active Win10 Machine Patch Level (Last Logon in 60 Days)
$LastLogon = (Get-Date).AddDays(-60); $Workstations = Get-ADComputer -Filter { LastLogonTimeStamp -gt $LastLogon -and OperatingSystem -like 'Windows 10*' } -Properties *; $Workstations = $Workstations | Select-Object -Property DNSHostname,OperatingSystem,OperatingSystemVersion,IPv4Address,LastLogonDate,DistinguishedName,SID; $Workstations | Export-Csv -Path "C:\Users\burmat\Desktop\Workstations.csv" -NoTypeInformation
Get Hosts Last Logon
Iterate all computer objects in a given domain and get the date/time for the last time they were logged into:
(Find my most recent copy on my GitHub)
Get Users Last Logon
To iterate all user objects in AD and get their last logon time, use:
(Find my most recent copy on my GitHub)
Get Stale Hosts
Use the following to generate a list of hosts that have not been logged into for the past 30 days:
(Find my most recent copy on my GitHub)
DOMAIN MAINTENANCE
Move Object to Retire OU
I like to use the scripts above (Get Hosts Last Logon and Get Users Last Logon) to automatically move objects into the "Retire" OU using the following command(s):
It's now trivial to disable all objects in the given OU.
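One way to do the move described above for computer objects, as an added example rather than the author's own script. The function name Move-StaleComputer and the report path are assumptions; the OU is the "Retire" OU used elsewhere on this page, and the 30-day default matches the stale-host window above.

```powershell
Import-Module ActiveDirectory

function Move-StaleComputer {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [int]$DaysInactive  = 30,
        [string]$RetireOU   = 'OU=Retire,DC=burmat,DC=co',   # OU from this page
        [string]$ReportPath = "$env:TEMP\stale-hosts.csv"    # assumed report location
    )

    # lastLogonTimestamp is replicated to every DC, but by default it is only
    # refreshed when the stored value is roughly 9-14 days old, so it can lag
    # the real last logon. Keep DaysInactive comfortably above that window.
    $cutoff = (Get-Date).AddDays(-$DaysInactive).ToFileTime()

    # Accounts that have never logged on have no lastLogonTimestamp and are
    # not matched by this filter; review those separately.
    $stale = Get-ADComputer -Filter "lastLogonTimestamp -lt $cutoff" `
                 -Properties LastLogonDate, OperatingSystem, PrimaryGroupID |
        Where-Object {
            $_.PrimaryGroupID -notin 516, 521 -and            # never touch DCs / RODCs
            $_.DistinguishedName -notlike "*,$RetireOU"       # already retired
        }

    # Always write the report, even on a -WhatIf run, so the list can be reviewed.
    $stale |
        Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate, DistinguishedName |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    foreach ($computer in $stale) {
        if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, "Move to $RetireOU")) {
            Move-ADObject -Identity $computer.DistinguishedName -TargetPath $RetireOU
        }
    }

    $stale   # return the objects so the caller can pipe or count them
}

# Dry run: writes the CSV and prints what would be moved, changes nothing in AD.
Move-StaleComputer -DaysInactive 30 -WhatIf
```

Run it without -WhatIf only after reviewing the CSV; each move then prompts for confirmation unless -Confirm:$false is passed.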
Disable Everything in OU
Every few weeks, I run the following (as Domain Admin) to ensure the OU I use for my "Recycle Bin" is filled with only disabled accounts:
Get-ADUser -Filter * -SearchBase 'OU=Retire,DC=burmat,DC=co' | Disable-ADAccount
Set Domain User Password
$uname = 'burmat'; $pass = 'Password123!'; $securepass = ConvertTo-SecureString $pass -AsPlainText -Force; Set-DomainUserPassword -Identity $uname -AccountPassword $securepass;
FILE SYSTEM ADMINISTRATION
Getting Directory Sizes
I use the following command to generate a list of user profiles on a file server. It is useful to keep track of users that are exceeding our expectations when it comes to consuming space on a global server:
Get-ChildItem | Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name + ": " + "{0:N2}" -f ((Get-ChildItem $_.FullName -Recurse | Measure-Object Length -Sum -ErrorAction SilentlyContinue).Sum / 1MB) + " MB" }
Tail a File
Similar to tail -f filename, you can use Get-Content to watch a file for changes:
Get-Content -Path "\\server\logs\prod.server.log" -Wait
MISC CLEANUP / MANAGEMENT
Clear Cached (mscachev2) Credentials
A domain-joined endpoint that is taken from the domain might still have cached (mscachev2) domain logins residing on it. This is why I always wipe the system or use the following to remove any cached credentials:
Run regedit and give your current local account Write access to the "SECURITY" node. After restarting regedit, navigate to: HKEY_LOCAL_MACHINE\Security\Cache
Cached credentials are stored in the binary values of NL$1 through NL$10. Zeroing out these values will clear the cached entries. Delete them if you want to remove them and disable this feature completely.