
Active Directory Domain Services Section (Version 1.1)

This article describes how to use a graphical menu to discover and administer your Active Directory Environment. It’s like sconfig, but much more powerful when it comes to automation with Active Directory.

The latest version is 1.1 (May 2018). For all those who have downloaded my first release, I would strongly recommend taking a look at this update. It fixes bugs and adds new features like Onboarding, Offboarding and much more.


Version 1.1

The tool has undergone a major update since the March release, with more options and a fresher look.


Active Directory Domain Services Section

What can we do with it? That is the question for this part, and I want to give you a foretaste. Here’s the menu of version 1.1.


The Subsections

1 – Forest | Domain | Sites Configuration


2 – List Domain Controller

Note that in this section you are also able to test the connectivity to your Domain Controller. It’s your choice 😉


3 – Replicate all Domain Controller

Tired of pressing replicate on all DC’s? You’ve come to the right place.


4 – Show Default Password Policy

It’s good to have an eye on your password settings…


5 – List Domain Admins


6 – List of Active GPOs


7 – List all Windows Clients (Client Operating System only)


8 – List all Windows Server


9 – List all Computers


10 – Run SystemInfo on Remote Computer

You are able to select a scope …


11 – Move Computer to OU


Don’t worry, I will intercept wrong entries and save the user…


12 – List all Groups


13 – List Group Memberships


14 – List all enabled Users


15 – List User Properties


16 – User’s last Domain Logon

The forums are full of questions like “Is the LastLogon attribute the important one, or LastLogonTimestamp, or LastLogonDate? When is it replicated? Why is it so difficult to find the right logon date?” I don’t care: LastLogon is not replicated between domain controllers, so the tool simply contacts every DC, asks each one for its LastLogon value and takes the latest. Surprise, surprise, it always shows me the correct latest logon…


Don’t worry, I will also take care of the case where the user has never logged on.

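The per-DC query described above, written out as an added example (this is not code from the AD.psm1 module; the function name Get-ADUserTrueLastLogon is my own). It asks every domain controller of the current domain for its non-replicated lastLogon value, keeps the most recent one, and reports a never-logged-on user explicitly instead of showing the 1601 epoch:

```powershell
# Added example, not part of the AD.psm1 module: determine a user's true last
# logon by asking every domain controller for its (non-replicated) lastLogon
# value and keeping the most recent one.
function Get-ADUserTrueLastLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $latestRaw = 0
    $latestDC  = $null

    # Ask each DC of the current domain; an unreachable DC is reported, not fatal.
    $perDC = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            continue
        }

        # lastLogon is a FILETIME (100-ns ticks since 1601-01-01). 0 or $null
        # means this particular DC has never authenticated the user.
        $raw = [int64]$u.lastLogon
        if ($raw -gt $latestRaw) {
            $latestRaw = $raw
            $latestDC  = $dc.HostName
        }

        $dcLogon = $null
        if ($raw -gt 0) { $dcLogon = [DateTime]::FromFileTime($raw) }

        [pscustomobject]@{
            DomainController = $dc.HostName
            LastLogon        = $dcLogon
        }
    }

    # Only the maximum across all DCs is the real last logon.
    $trueLogon = $null
    if ($latestRaw -gt 0) { $trueLogon = [DateTime]::FromFileTime($latestRaw) }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        NeverLoggedOn  = ($latestRaw -eq 0)
        LastLogon      = $trueLogon
        ReportedBy     = $latestDC
        PerDC          = $perDC
    }
}

# Usage (run on a domain-joined host with the ActiveDirectory module):
# Get-ADUserTrueLastLogon -SamAccountName jdoe | Format-List
```

The PerDC list is kept in the output on purpose: a logon that appears on only one DC, or on a DC in an unexpected site, is the kind of detail an incident responder wants to see rather than have collapsed into a single timestamp.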

17 – Show currently logged on User

This is a live query. The target host will be contacted with the quser command.


18 – Send Messages to users desktop

Cool, ha? One of my favorites … Make your choice to send it to all Windows Server …


19 – Find orphaned User or Computer Accounts

Who forgot to remove the computer or user account? You have to provide the computer or user account and a timespan.


20 – Configure Time-based-Group-Membership

This only works in Windows Server 2016 forest mode. Don’t worry, the tool first checks the forest mode and whether the feature is enabled. Provide user, group and timespan in days.

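The two checks mentioned above and the actual time-limited add, as an added example that is not taken from the AD.psm1 module (the function name Add-ADTimeBasedGroupMember is my own). Time-based membership depends on the Privileged Access Management optional feature, which is off by default and requires Windows Server 2016 forest mode, so the function refuses to continue unless both conditions hold and then reads the remaining TTL back from the group:

```powershell
# Added example, not part of the AD.psm1 module: add a user to a group with an
# expiring membership after verifying that the forest actually supports it.
function Add-ADTimeBasedGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$User,
        [Parameter(Mandatory)] [string]$Group,
        [Parameter(Mandatory)] [ValidateRange(1, 365)] [int]$Days
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Check 1: forest functional level must be Windows Server 2016 or higher.
    # ForestMode is an enum, so -lt compares the underlying level numerically.
    $forest = Get-ADForest
    if ($forest.ForestMode -lt 'Windows2016Forest') {
        throw "Forest mode is '$($forest.ForestMode)'; Windows2016Forest or higher is required."
    }

    # Check 2: the optional feature must be enabled (disabled by default).
    $pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
    if (-not $pam -or $pam.EnabledScopes.Count -eq 0) {
        throw "The 'Privileged Access Management Feature' is not enabled in forest $($forest.Name)."
    }

    $userObj = Get-ADUser -Identity $User -ErrorAction Stop
    $ttl     = New-TimeSpan -Days $Days

    if (-not $PSCmdlet.ShouldProcess("$($userObj.SamAccountName) -> $Group",
                                     "Add membership expiring in $Days day(s)")) {
        return
    }

    Add-ADGroupMember -Identity $Group -Members $userObj -MemberTimeToLive $ttl

    # Read the membership back with its TTL. With -ShowMemberTimeToLive the
    # member values look like "<TTL=86400>,CN=Jane Doe,OU=...".
    $entry = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
             Where-Object { $_ -like "*$($userObj.DistinguishedName)" }

    $remaining = $null
    $expires   = $null
    if ($entry -match '^<TTL=(\d+)>') {
        $remaining = [int]$Matches[1]
        $expires   = (Get-Date).AddSeconds($remaining)
    }

    [pscustomobject]@{
        User          = $userObj.SamAccountName
        Group         = $Group
        TtlSeconds    = $remaining
        ExpiresApprox = $expires
    }
}

# Usage:
# Add-ADTimeBasedGroupMember -User jdoe -Group 'Server Admins' -Days 3 -WhatIf
# Add-ADTimeBasedGroupMember -User jdoe -Group 'Server Admins' -Days 3
```

Reading the TTL back matters: if the feature is enabled but the forest level check were skipped, Add-ADGroupMember would fail outright, and if someone later re-adds the same user without -MemberTimeToLive the membership silently becomes permanent. A TtlSeconds of $null in the output is therefore a finding, not a cosmetic gap.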

21 – Onboarding | Create New AD User (from existing)

Do you dream of creating a user based on an existing one in a few seconds, so that you have more time for other tasks? Here we go.

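One way to do the “create from existing” step, as an added example that is not the module’s own code (the function name New-ADUserFromTemplate and the list of copied attributes are my choices). It copies only role attributes and group memberships from the template, never identity attributes, and validates the new sAMAccountName before anything is created:

```powershell
# Added example, not part of the AD.psm1 module: create a new account from a
# template account, copying role attributes and group memberships only.
function New-ADUserFromTemplate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$TemplateSamAccountName,
        [Parameter(Mandatory)] [string]$GivenName,
        [Parameter(Mandatory)] [string]$Surname,
        # sAMAccountName: max 20 chars, restricted character set.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')] [string]$SamAccountName,
        [Parameter(Mandatory)] [securestring]$InitialPassword
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Attributes that describe the role and may be copied. Identity attributes
    # (name, UPN, mail/proxyAddresses, home directory) are deliberately excluded.
    $roleAttributes = 'Department', 'Title', 'Company', 'StreetAddress', 'City',
                      'PostalCode', 'Manager', 'ScriptPath', 'Description'

    $template = Get-ADUser -Identity $TemplateSamAccountName `
                           -Properties ($roleAttributes + 'MemberOf') -ErrorAction Stop

    # Put the new account in the template's OU: strip the leading RDN, while
    # honouring escaped commas such as "CN=Doe\, Jane,OU=...".
    $targetOU = $template.DistinguishedName -replace '^CN=(?:\\.|[^,])+,', ''

    if (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'") {
        throw "An account named '$SamAccountName' already exists."
    }

    $newUser = @{
        Name                  = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        DisplayName           = "$GivenName $Surname"
        SamAccountName        = $SamAccountName
        UserPrincipalName     = "$SamAccountName@$((Get-ADDomain).DNSRoot)"
        Path                  = $targetOU
        AccountPassword       = $InitialPassword
        ChangePasswordAtLogon = $true
        Enabled               = $true
    }
    foreach ($attr in $roleAttributes) {
        if ($template.$attr) { $newUser[$attr] = $template.$attr }
    }

    if (-not $PSCmdlet.ShouldProcess($SamAccountName, "Create from template $TemplateSamAccountName")) {
        return
    }

    New-ADUser @newUser

    # MemberOf does not list the primary group (Domain Users); the new account
    # gets that one automatically.
    foreach ($groupDN in $template.MemberOf) {
        Add-ADGroupMember -Identity $groupDN -Members $SamAccountName
    }

    Get-ADUser -Identity $SamAccountName -Properties MemberOf
}

# Usage:
# $pw = Read-Host -AsSecureString 'Initial password'
# New-ADUserFromTemplate -TemplateSamAccountName tmpl.sales -GivenName Jane -Surname Doe `
#                        -SamAccountName jdoe -InitialPassword $pw
```

The template should be a dedicated, disabled template account per role rather than a colleague’s live account: a real user accumulates ad hoc group grants over the years, and copying them hands every new hire the same accumulated access.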

22 – Offboarding | Disable AD User

When an employee leaves the company, he should be deactivated.

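An offboarding routine that goes a little beyond the plain disable described above, added here as an example and not taken from the AD.psm1 module (the function name Disable-ADUserForOffboarding and the disabled-users OU are my own; the OU distinguished name in the default value is a placeholder). It disables the account, sets a random password, removes all group memberships, records the action on the object and moves it out of the production OU:

```powershell
# Added example, not part of the AD.psm1 module: offboard a user account.
function Disable-ADUserForOffboarding {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        # Placeholder DN: replace with the OU your organisation uses for leavers.
        [string]$DisabledUsersOU = 'OU=Disabled Users,DC=example,DC=com',
        # Ticket or HR case number, kept on the object as the audit trail.
        [Parameter(Mandatory)] [string]$Reference
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Description -ErrorAction Stop
    # Resolving the OU first means a mistyped DN fails before anything is changed.
    $ou   = Get-ADOrganizationalUnit -Identity $DisabledUsersOU -ErrorAction Stop

    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName,
                                     'Offboard (disable, reset password, remove groups, move)')) {
        return
    }

    # 1. Disable the account and replace the password with a random one, so a
    #    password the leaver knows or shared cannot be reused if the account is
    #    ever re-enabled. Kerberos tickets already issued stay valid until they
    #    expire regardless of either step.
    Disable-ADAccount -Identity $user
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $randomPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $randomPw

    # 2. Remove all group memberships. MemberOf excludes the primary group
    #    (Domain Users), which cannot be removed from a user anyway.
    $removedGroups = foreach ($groupDN in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDN -Members $user -Confirm:$false
        $groupDN
    }

    # 3. Record what was done on the object itself, then move it out of the
    #    OU where production GPOs and delegations apply.
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    Set-ADUser -Identity $user -Description "Offboarded $stamp ($Reference). Was: $($user.Description)"
    Move-ADObject -Identity $user -TargetPath $ou.DistinguishedName

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        Disabled       = $true
        GroupsRemoved  = @($removedGroups)
        MovedTo        = $ou.DistinguishedName
        Reference      = $Reference
    }
}

# Usage (prompts for confirmation because ConfirmImpact is High):
# Disable-ADUserForOffboarding -SamAccountName jdoe -Reference 'HR-2018-0042'
```

Keep the returned GroupsRemoved list with the ticket: it is what you need if the leaver turns out to be a contractor who comes back, and it is the evidence that access was actually removed rather than only the logon blocked.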

Ok, that’s it for now.

PowerShell Web Access

You are also able to run this in PowerShell Web Access:


If you haven’t installed PowerShell Web Access yet, here’s a walkthrough: Windows Server 2012/2016: Installing and Configuring PowerShell Web Access (PSWA)

The Script

I have decided not to present the entire code here; it is too many lines of code. You can download the script here. It is a .psm1 file, a PowerShell script module:

Download: Active Directory Domain Services Section (v.1.1)

Prerequisites and Notes:

  • Tested in an Active Directory environment with Windows Server 2012/2016 domain controllers and Windows 7/8/10 clients
  • WinRM must be enabled on all client computers, either manually (winrm qc) or by GPO (https://www.pcwdld.com/winrm-quickconfig-remotely-configure-and-enable); on Windows Server 2012/2016 WinRM is enabled by default
  • Run the tool on a domain controller (you may run into trouble with RSAT)
  • Returning to the main menu requires 0 and Enter (instead of Enter only) because of the possible use in PowerShell Web Access, where pressing Enter alone does not work

After downloading, create a folder “AD” in C:\Program Files\WindowsPowerShell\Modules and save the AD.psm1 file there (the folder name must match the module file name, so the full path is C:\Program Files\WindowsPowerShell\Modules\AD\AD.psm1).


The module is then available every time you start PowerShell, and the menu is started with the command ad.


Or, as mentioned above, in PowerShell Web Access.

Have fun with it! I am very grateful for ideas for further functions.


  1. Hi Patrick, this is an awesome tool. I can think of numerous additions that would be useful to have.

    List all Users by OU.
    We have thousands of users so narrowing it down would be useful.

    List all computers by OU.
    Same reason as above.

    List all printers available to each user profile on a given PC.
    I have been using remote registry to find out this information recently but this relies on the user being logged in.

    I could go on and on but won’t.

    I will take a look at your code and see if I can provide any additions/updates that may be useful to other sysadmins.

    Best,

    James


    • Hi James,

      Thank you for the kind feedback. I really appreciate it!

      You’re lucky to work in a cleaned up environment where computers are moved to OUs and users reside in the correct OU.
      😉 I’ve experienced that this is rarely the case.

      Best,
      P


  2. Great tool, especially the list functions! But it would be difficult in our server farm environment to use this tool directly on the server.
    (We are using RSAT and Citrix daily.) Nevertheless, many thanks (greetings from a former BFI trainee)

  3. Cool concept, but it doesn’t scale well for the enterprise when you list all groups or all AD sites. You could also use WMI for the logged-on user; it might be more accurate and have no English-language issues.
