Active Directory Administration
This page is dedicated to any and all Active Directory administration.

USER / HOST ENUMERATION

Get All Users

Get-ADUser -Filter * -Properties DisplayName, sAMAccountName, EmailAddress | Select DisplayName, sAMAccountName, EmailAddress | Export-CSV "C:\users.csv"

Get Active Win10 Machine Patch Level (Last Logon in 60 Days)

$LastLogon = (Get-Date).AddDays(-60)
# the trailing wildcard is required: 'Windows 10' alone never matches edition strings such as "Windows 10 Enterprise"
$Workstations = Get-ADComputer -Filter { LastLogonTimeStamp -gt $LastLogon -and OperatingSystem -like 'Windows 10*' } -Properties DNSHostName,OperatingSystem,OperatingSystemVersion,IPv4Address,LastLogonDate
# OperatingSystemVersion carries the build number, which is the patch level of interest
$Workstations | Select-Object -Property DNSHostName,OperatingSystem,OperatingSystemVersion,IPv4Address,LastLogonDate,DistinguishedName,SID | Export-Csv -Path "C:\Users\burmat\Desktop\Workstations.csv" -NoTypeInformation

Get Hosts Last Logon

Iterate all computer objects in a given domain and get the date/time for the last time they were logged into:
Import-Module ActiveDirectory

function Get-ADHostsLastLogon() {
    # lastLogon is not replicated between DCs, so each DC holds its own value;
    # the newest value across all DCs is the real last logon
    $dcs = Get-ADDomainController -Filter { Name -like "*" }
    $hnames = Get-ADComputer -Filter 'ObjectClass -eq "Computer"' | Select-Object -ExpandProperty Name

    foreach ($hname in $hnames) {
        $time = 0
        foreach ($dc in $dcs) {
            # query this specific DC; without -Server every iteration would ask the same default DC
            $computer = Get-ADComputer -Identity $hname -Server $dc.HostName -Properties lastLogon
            if ($computer.lastLogon -gt $time) {
                $time = $computer.lastLogon
            }
        }

        $dt = [DateTime]::FromFileTime($time).ToString('g')
        # 12/31/1600 will result if $time = 0 (never logged on before)
        Write-Host $dt", " $hname
    }
    Write-Host "Done."
}

Get-ADHostsLastLogon
(Find my most recent copy on my GitHub)

Get Users Last Logon

To iterate all user objects in AD and get their last logon time, use:
Import-Module ActiveDirectory

function Get-ADUserLastLogon([string]$userName) {
    $dcs = Get-ADDomainController -Filter { Name -like "*" }
    $time = 0
    foreach ($dc in $dcs) {
        # lastLogon is per-DC (not replicated), so ask each DC by name and keep the newest value
        $user = Get-ADUser -Identity $userName -Server $dc.HostName -Properties lastLogon
        if ($user.lastLogon -gt $time) {
            $time = $user.lastLogon
        }
    }

    $dt = [DateTime]::FromFileTime($time)
    # 12/31/1600 means no DC has ever recorded a logon for this account
    Write-Host $userName "last logged on at:" $dt
}

$unames = Get-ADUser -Filter 'ObjectClass -eq "User"' | Select-Object -ExpandProperty SamAccountName
foreach ($uname in $unames) { Get-ADUserLastLogon $uname }
(Find my most recent copy on my GitHub)

Get Stale Hosts

Use the following to generate a list of hosts that have not been logged into for the past 30 days:
Import-Module ActiveDirectory

function Get-StaleComputers() {
    $time = (Get-Date).AddDays(-30)
    # lastLogonTimestamp is replicated (refreshed at most every ~14 days), so one query against any DC is enough here
    Get-ADComputer -Filter { LastLogonTimeStamp -lt $time } -Properties LastLogonTimeStamp |
        Select-Object Name, @{Name = "Stamp"; Expression = { [DateTime]::FromFileTime($_.lastLogonTimestamp) }} # | Export-Csv C:\temp\unused_machines.csv -NoTypeInformation
    Write-Host done.
}

Get-StaleComputers
(Find my most recent copy on my GitHub)

DOMAIN MAINTENANCE

Move Object to Retire OU

I like to use the scripts above (Get Hosts Last Logon and Get Users Last Logon) to automatically move objects into the "Retire" OU using the following command(s):
# to move a user:
Get-ADUser $uname | Move-ADObject -TargetPath 'OU=Retire,DC=burmat,DC=co'

# to move a computer:
Get-ADComputer $hname | Move-ADObject -TargetPath 'OU=Retire,DC=burmat,DC=co'

Disable Everything in OU

Every few weeks, I run the following (as Domain Admin) to ensure the OU I use for my "Recycle Bin" is filled with only disabled accounts:
Get-ADUser -Filter * -SearchBase 'OU=Retire,DC=burmat,DC=co' | Disable-ADAccount
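The two steps above (move stale objects into the Retire OU, then disable whatever sits in it) as one reviewable pass. This is an added example, not the author's script: it triages enabled computers or users whose replicated lastLogonTimestamp is older than a cutoff, writes an audit CSV with the original DN so a move can be reversed, disables the account, and only then moves it. It assumes the ActiveDirectory module, Domain Admin rights, the page's OU path 'OU=Retire,DC=burmat,DC=co', and a placeholder report path under $env:TEMP.

```powershell
# Added example (not from the page): stale-object triage plus retire/disable with -WhatIf support.
# Assumptions: ActiveDirectory module loaded, run as Domain Admin, Retire OU as on this page.
Import-Module ActiveDirectory

function Get-ADStaleObjects {
    param(
        [int]$Days = 30,
        [ValidateSet('Computer', 'User')][string]$Type = 'Computer'
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    $props  = 'LastLogonTimeStamp', 'whenCreated'

    # lastLogonTimestamp is replicated (refreshed at most every ~14 days), so one query is enough
    # for triage. Select enabled objects whose timestamp is older than the cutoff or never set.
    if ($Type -eq 'Computer') {
        # PrimaryGroupID 516 = Domain Controllers; a DC must never be retired by this logic
        $objs = Get-ADComputer -Filter { (LastLogonTimeStamp -lt $cutoff -or LastLogonTimeStamp -notlike '*') -and Enabled -eq $true -and PrimaryGroupID -ne 516 } -Properties $props
    } else {
        $objs = Get-ADUser -Filter { (LastLogonTimeStamp -lt $cutoff -or LastLogonTimeStamp -notlike '*') -and Enabled -eq $true } -Properties $props
    }

    foreach ($o in $objs) {
        # A missing timestamp is expected for objects created after the cutoff; skip those
        if (-not $o.LastLogonTimeStamp -and $o.whenCreated -gt $cutoff) { continue }
        $last = if ($o.LastLogonTimeStamp) { [DateTime]::FromFileTime($o.LastLogonTimeStamp) } else { $null }
        [pscustomobject]@{
            Name      = $o.Name
            Type      = $Type
            LastLogon = $last
            Created   = $o.whenCreated
            DN        = $o.DistinguishedName
        }
    }
}

function Invoke-ADRetire {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Stale,
        [string]$RetireOU   = 'OU=Retire,DC=burmat,DC=co',
        # placeholder report location; point this at a share your audit process keeps
        [string]$ReportPath = (Join-Path $env:TEMP "retire-$(Get-Date -Format yyyyMMdd).csv")
    )
    process {
        if ($PSCmdlet.ShouldProcess($Stale.DN, "Disable and move to $RetireOU")) {
            # Audit trail first: the CSV keeps the original DN so the move can be reversed
            $Stale | Export-Csv -Path $ReportPath -Append -NoTypeInformation
            # Disable before moving, while the recorded DN is still valid
            Disable-ADAccount -Identity $Stale.DN
            Move-ADObject -Identity $Stale.DN -TargetPath $RetireOU
        }
    }
}

# Preview first (nothing is written or changed); drop -WhatIf once the list looks right
Get-ADStaleObjects -Days 60 -Type Computer | Invoke-ADRetire -WhatIf
Get-ADStaleObjects -Days 90 -Type User     | Invoke-ADRetire -WhatIf
```

Disabling before moving matters because Move-ADObject changes the DN that the rest of the pipeline is keyed on; doing it in the other order means re-resolving every object after the move. Service and shared accounts that legitimately never log on interactively will show up in the user list, so review the preview output rather than running it blind.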

Set Domain User Password

# Set-DomainUserPassword is PowerView's cmdlet, not part of the ActiveDirectory module
$uname = 'burmat'; $pass = 'Password123!'; $securepass = ConvertTo-SecureString $pass -AsPlainText -Force; Set-DomainUserPassword -Identity $uname -AccountPassword $securepass;

FILE SYSTEM ADMINISTRATION

Getting Directory Sizes

I use the following command to generate a list of user profiles on a file server. It is useful to keep track of users that are exceeding our expectations when it comes to consuming space on a global server:
Get-ChildItem | Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name + ": " + ("{0:N2}" -f ((Get-ChildItem $_.FullName -Recurse -ErrorAction SilentlyContinue | Measure-Object Length -Sum).Sum / 1MB)) + " MB" }
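The same report as objects rather than strings, so it can be sorted, exported with Export-Csv, or filtered against a quota. This is an added example, not the author's one-liner: it sizes each profile folder under a root, flags folders above a threshold, and counts subfolders that could not be read, since an access-denied branch silently makes the total a lower bound. The root path and threshold are placeholders.

```powershell
# Added example (not from the page): per-profile size report with threshold flag and
# a count of unreadable paths. $Root is a placeholder; replace with the profile share root.
function Get-ProfileSizeReport {
    param(
        [string]$Root = 'D:\Profiles',
        [double]$ThresholdMB = 5120
    )
    Get-ChildItem -Path $Root -Directory | ForEach-Object {
        $errs = @()
        # -Force includes hidden/system files; errors (typically access denied) are collected, not shown
        $sum = (Get-ChildItem -Path $_.FullName -Recurse -File -Force -ErrorAction SilentlyContinue -ErrorVariable errs |
                Measure-Object -Property Length -Sum).Sum
        $mb = [math]::Round(($sum / 1MB), 2)
        [pscustomobject]@{
            Profile      = $_.Name
            SizeMB       = $mb
            OverLimit    = $mb -gt $ThresholdMB
            SkippedPaths = $errs.Count   # non-zero means SizeMB understates the real usage
        }
    } | Sort-Object SizeMB -Descending
}

Get-ProfileSizeReport -Root '\\fileserver\profiles$' -ThresholdMB 2048 | Format-Table -AutoSize
```

Pipe the output to `Where-Object OverLimit` for the quota list, or to `Export-Csv` for a dated record; a non-zero SkippedPaths value on a profile is worth a second look with an account that has read access to the whole tree.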

Tail a File

Similar to tail -f filename, you can use Get-Content to watch a file for changes:
Get-Content -Path "\\server\logs\prod.server.log" -Wait

MISC CLEANUP / MANAGEMENT

Clear Cached (mscachev2) Credentials

A domain-joined endpoint that is taken from the domain might still have cached (mscachev2) domain logins residing on it. This is why I always wipe the system or use the following to remove any cached credentials:
Run regedit and give your current local account Write access to the "SECURITY" node. After restarting regedit, navigate to: HKEY_LOCAL_MACHINE\Security\Cache
Cached credentials are stored in the binary values of NL$1 through NL$10. Zeroing out these values will clear the cached entries. Delete them if you want to remove them and disable this feature completely.
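The registry steps above scrub entries that are already present. As an added example that is not part of the original page, the script below covers the complementary control: how many domain logons the endpoint is allowed to cache in the first place. It reads the CachedLogonsCount value under the Winlogon key (the registry backing of the "Interactive logon: Number of previous logons to cache" policy) and can set it to 0 so no new mscachev2 entries are written. It does not touch HKLM\SECURITY\Cache and assumes it runs elevated on the endpoint.

```powershell
# Added example (not from the page): audit and optionally reduce the cached-logon count.
# Assumes an elevated session; the value is the documented Winlogon CachedLogonsCount (REG_SZ, default 10).
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    $v = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 10 }   # value absent means Windows uses its default of 10
    return [int]$v.CachedLogonsCount
}

function Set-CachedLogonsCount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 50)][int]$Count = 0)
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set CachedLogonsCount to $Count")) {
        # The value is REG_SZ, so it is written as a string
        Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value "$Count" -Type String
    }
}

$current = Get-CachedLogonsCount
Write-Output "CachedLogonsCount is $current (0 = no domain logons cached)"
# Preview the change; remove -WhatIf to apply it on this machine
if ($current -gt 0) { Set-CachedLogonsCount -Count 0 -WhatIf }
```

Setting the count to 0 only prevents new entries, so on a machine that is leaving the domain it belongs before the final domain logons, with the manual NL$ cleanup above handling whatever was cached earlier. For fleets, push the same setting through Group Policy rather than per-host edits, and keep in mind that 0 means no offline domain logon at all for laptops away from a DC.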