Santhosh Sivarajan's Blog

Top 10 Scripts in Microsoft Script Repository

noreply@blogger.com (Santhosh Sivarajan) — Wed, 11 Jan 2012 17:23:00 +0000

Microsoft Scripting Guy has announced the top 10 scripts in the Microsoft Script Gallery. My script - List Group Members in Active Directory has ranked #8 on the list..Woo hoo

At number eight, we have the List Group Members in Active Directory script written by Microsoft Directory Services MVP, Santhosh Sivarajan. This excellent script had a great following in 2011.
Santhosh's blog: Santhosh Sivarajan's Blog

You can read the complete reports on the following website:

http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/02/find-the-top-ten-scripts-submitted-to-the-script-repository.aspx?utm_source=twitterfeed&utm_medium=twitter

Microsoft Most Valuable Professional (MVP) Award

noreply@blogger.com (Santhosh Sivarajan) — Sun, 01 Jan 2012 17:24:00 +0000

Microsoft Most Valuable Professional (MVP) Award – Directory Services

Perfect start to my 2012. Received the Microsoft Most Valuable Professional (MVP) award for the 2^nd time.

Received the email this morning.

Dear Santhosh Sivarajan,

Congratulations! We are pleased to present you with the 2012 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Directory Services technical communities during the past year.
Also in this email:

About your MVP Award Gift

How to claim your award benefits

Your MVP Identification Number

MVP Award Program Code of Conduct

The Microsoft MVP Award provides us the unique opportunity to celebrate and honor your significant contributions and say "Thank you for your technical leadership."

Nestor Portillo
Director
Community & Online Support

Microsoft Component Architecture Posters (Updated)

noreply@blogger.com (Santhosh Sivarajan) — Tue, 06 Dec 2011 18:22:00 +0000

Update 12/6/2011 12:21 PM – I have added a few more Component Architecture Posters to one of my old blogs - http://portal.sivarajan.com/2010/07/microsoft-component-architecture-poster.html

The Component Architecture Poster provides a visual reference for understanding the key services and technologies. The following are the collection of these Microsoft Component Architecture posters:

Windows Server

Windows Server 2008 Active Directory - http://www.microsoft.com/download/en/details.aspx?id=17881

Windows Server 2008 Feature Components - http://www.microsoft.com/download/en/details.aspx?id=17881

Windows Server 2008 R2 Feature - http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7002

Windows Server 2008 R2 - Remote Desktop Services - http://www.microsoft.com/download/en/details.aspx?id=3262

Windows Server 2008 R2 - Hyper-V - http://www.microsoft.com/download/en/details.aspx?id=3501

Exchange

Exchange Server 2010 Architecture - http://www.microsoft.com/download/en/details.aspx?id=5764

Exchange Server 2010 Transport Server Role - http://www.microsoft.com/download/en/details.aspx?id=21987

Exchange Server 2007 Architecture- http://www.microsoft.com/download/en/details.aspx?id=4006

Exchange Server 2007 Transport Server Role - http://www.microsoft.com/download/en/details.aspx?id=13117

Lync Server

Lync Server 2010 Protocol Workloads - http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6797

SharePoint

Design Sample: Corporate Portal with Classic Authentication

Visio (http://go.microsoft.com/fwlink/?LinkId=196969)

PDF (http://go.microsoft.com/fwlink/?LinkId=196970)

XPS (http://go.microsoft.com/fwlink/?LinkId=196971)

Design Sample: Corporate Portal with Claims-based Authentication

Visio (http://go.microsoft.com/fwlink/?LinkId=196972)

PDF (http://go.microsoft.com/fwlink/?LinkId=196973)

XPS (http://go.microsoft.com/fwlink/?LinkId=196974)

SharePoint 2010 Products Deployment

Visio (http://go.microsoft.com/fwlink/?LinkId=183024)

PDF (http://go.microsoft.com/fwlink/?LinkId=183025)

XPS (http://go.microsoft.com/fwlink/?LinkId=183026)

Services in SharePoint 2010 Products

Visio (http://go.microsoft.com/fwlink/?LinkID=167090)

PDF (http://go.microsoft.com/fwlink/?LinkID=167092)

XPS (http://go.microsoft.com/fwlink/?LinkID=167091)

Cross-farm Services in SharePoint 2010 Products

Visio (http://go.microsoft.com/fwlink/?LinkID=167093)

PDF (http://go.microsoft.com/fwlink/?LinkID=167095)

XPS (http://go.microsoft.com/fwlink/?LinkID=167094)

Topologies for SharePoint Server 2010

Visio (http://go.microsoft.com/fwlink/?LinkID=167087)

PDF (http://go.microsoft.com/fwlink/?LinkID=167089)

XPS (http://go.microsoft.com/fwlink/?LinkID=167088)

Extranet Topologies for SharePoint 2010 Products

Visio (http://go.microsoft.com/fwlink/?LinkId=187987)

PDF (http://go.microsoft.com/fwlink/?LinkId=187988)

XPS (http://go.microsoft.com/fwlink/?LinkId=187986)

Hosting Environments in SharePoint 2010 Products

Visio (http://go.microsoft.com/fwlink/?LinkID=167084)

PDF (http://go.microsoft.com/fwlink/?LinkID=167086)

XPS (http://go.microsoft.com/fwlink/?LinkID=167085)

Search Technologies for SharePoint 2010 Products

Visio (http://go.microsoft.com/fwlink/?LinkID=167731)

PDF (http://go.microsoft.com/fwlink/?LinkID=167733)

XPS (http://go.microsoft.com/fwlink/?LinkID=167732)

Search Environment Planning for Microsoft SharePoint Server 2010

Visio (http://go.microsoft.com/fwlink/?LinkID=167734)

PDF (http://go.microsoft.com/fwlink/?LinkID=167736)

XPS (http://go.microsoft.com/fwlink/?LinkID=167735)

Search Architectures for Microsoft SharePoint Server 2010

Visio (http://go.microsoft.com/fwlink/?LinkID=167737)

PDF (http://go.microsoft.com/fwlink/?LinkID=167739)

XPS (http://go.microsoft.com/fwlink/?LinkID=167738)

Design Search Architectures for Microsoft SharePoint Server 2010

Visio (http://go.microsoft.com/fwlink/?LinkID=167740)

PDF (http://go.microsoft.com/fwlink/?LinkID=167742)

XPS (http://go.microsoft.com/fwlink/?LinkID=167741)

Business Connectivity Services Model

Visio (http://go.microsoft.com/fwlink/?LinkId=165565)

PDF (http://go.microsoft.com/fwlink/?LinkID=165566)

XPS (http://go.microsoft.com/fwlink/?LinkId=165571)

Content Deployment in SharePoint Server 2010

Visio (http://go.microsoft.com/fwlink/?LinkID=179391&clcid=0x409)

PDF (http://go.microsoft.com/fwlink/?LinkID=179523&clcid=0x409)

XPS (http://go.microsoft.com/fwlink/?LinkID=179524&clcid=0x409)

Microsoft SharePoint Server 2010 Upgrade Planning

Visio (http://go.microsoft.com/fwlink/?LinkId=167098)

PDF (http://go.microsoft.com/fwlink/?LinkId=167099)

XPS (http://go.microsoft.com/fwlink/?LinkId=167100)

Microsoft SharePoint Server 2010 Upgrade Approaches

Visio (http://go.microsoft.com/fwlink/?LinkId=167101)

PDF (http://go.microsoft.com/fwlink/?LinkId=167102)

XPS (http://go.microsoft.com/fwlink/?LinkId=167103)

Microsoft SharePoint Server 2010 — Test Your Upgrade Process

Visio (http://go.microsoft.com/fwlink/?LinkId=167104)

PDF (http://go.microsoft.com/fwlink/?LinkId=167105)

XPS (http://go.microsoft.com/fwlink/?LinkId=167106)

Microsoft SharePoint Server 2010 — Services Upgrade

Visio (http://go.microsoft.com/fwlink/?LinkId=167107)

PDF (http://go.microsoft.com/fwlink/?LinkId=167108)

XPS (http://go.microsoft.com/fwlink/?LinkId=167109)

Microsoft SharePoint Server 2010 — Upgrading Parent and Child Farms

Visio (http://go.microsoft.com/fwlink/?LinkId=190984)

PDF (http://go.microsoft.com/fwlink/?LinkId=190985)

XPS (http://go.microsoft.com/fwlink/?LinkId=190986)

Getting started with business intelligence in SharePoint Server 2010

Visio (http://go.microsoft.com/fwlink/?LinkId=167082)

PDF (http://go.microsoft.com/fwlink/?LinkId=167170)

XPS (http://go.microsoft.com/fwlink/?LinkId=167171)

Databases That Support SharePoint 2010 Products

Visio (http://go.microsoft.com/fwlink/?LinkId=187970)

PDF (http://go.microsoft.com/fwlink/?LinkId=187969)

XPS (http://go.microsoft.com/fwlink/?LinkId=187971)

SharePoint 2010 Products: Virtualization Process

Visio (http://go.microsoft.com/fwlink/?LinkId=195021)

PDF (http://go.microsoft.com/fwlink/?LinkId=195022)

XPS (http://go.microsoft.com/fwlink/?LinkId=195023)

Free Microsoft eBooks (updated)

noreply@blogger.com (Santhosh Sivarajan) — Wed, 23 Nov 2011 00:48:00 +0000

I am not sure if you guys are aware that a few Microsoft e-books are available for free download. Here are the details:

Moving to Visual Studio 2010

Download

Programming Windows Phone 7

Download

Office 365 - Connect and Collaborate Virtually Anywhere, Anytime

Download

Windows 7 Product Guide

Download

Introducing SQL Server 2008 R2

Download

Introducing Windows 2008 R2

Download

Understanding Microsoft Virtualization Solutions

Download

Deploying Windows 7 - Essential Guidance

Download

First Look Microsoft Office 2010

Download

Update Your Skills with Resources and Career Ideas from Microsoft

Download

Active Directory: Active Directory Domain Services (AD DS) Commands and Scripts

noreply@blogger.com (Santhosh Sivarajan) — Fri, 11 Nov 2011 16:19:00 +0000

I have updated the “Active Directory: Active Directory Domain Services (AD DS) Commands and Scripts” TechNet Wiki article with more DS commands. Feel free to update/modify this article. http://social.technet.microsoft.com/wiki/contents/articles/3537.aspx

User

Identify OCS enabled users in Active Directory

Dsquery * -filter (msRTCSIP-UserEnabled=TRUE) –limit 0 –attr name samaccountname

Query Password Last Set (pwdlastset) value

dsquery * -filter "&(objectClass=User)(objectCategory=Person)" -limit 0 -attr name pwdlastset

Note: Time can be convered using the w32tm /ntte command.

Search Password Never Expires Settings

Dsquery * -limit 0 “(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))” –attr samaccoutname name

Password Expiring in 30 Days

dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" -attr name samaccountname

User accounts with “Do not require kerberos preauthentication” enabled

Dsquery * -limit 0 “(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=8388608)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(pwdLastSet>=129522420000000000)(pwdLastSet<=129548340000000000))” –attr samaccountname name

List all Roaming Profile users in Active Directory

dsquery * -filter "&(objectClass=User)(objectCategory=Person)(profilePath=*)" -limit 0 -name

Generate SIDHistory Report

dsquery * -filter "&(objectClass=User)(objectCategory=Person)" –attr samAccountName sidHistory

Generate SID (ObjectSID) Report

dsquery * -filter "&(objectClass=User)(objectCategory=Person)" –attr samAccountName Object

Group

Identify all Security Groups

dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.804:=2147483648))" –attr samAccountName name

Identify all Built-In Security Groups

dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483649))" –attr samAccountName name

Identify all Universal Security Groups

dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483656))" –attr samAccountName name

Identify all Gloabl Security Groups

dsquery * -filter "(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483650))" –attr samAccountName name

Computer

Move Computer Objects Based on OS Version

Move Widnows 7 Computers

dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(ObjectClass=computer)(objectCategory=Computer)(operatingSystemVersion=6.1))" | dsmove -newparent OU=Win7,OU=ComputerAccounts,DC=santhosh,DC=lab

Move Windows XP Computers

dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(ObjectClass=computer)(objectCategory=Computer)(operatingSystemVersion=5.1))" | dsmove -newparent OU=WinXP,OU=ComputerAccounts,DC=santhosh,DC=lab

Domain Controller

Site and Subnet

List all Sites in Active Directory

Dsquery site * -name

Get Site Name from Subnet IP Address in Active Directory (For example, Site Name for Subnet 192.168.2.0/24)

Dsquery Subnet -Name 192.168.2.0/24 | Dsget Subnet -Site

Search AD, Collect Local Admin Group Info and Generate Email Alert – PowerShell Script

noreply@blogger.com (Santhosh Sivarajan) — Mon, 24 Oct 2011 18:06:00 +0000

This is an updated version of one of my old scripts - http://portal.sivarajan.com/2011/04/list-local-administrator-group-members.html based on the discussion in the http://sivarajan.com/forum/viewthread.php?tid=59 thread.

This updated script

Searches Active Directory (Search_AD function) and collects the computer object information. This information will be stored in the C:\Scripts\Servers.csv file.
The second function (Seach_LAdmin) uses C:\Scripts\Servers.csv file as an input and collects the Local Administrator Group membership details from these computers.
The third function (Send_Email), generates an email alert with the output file (C:\Scripts\SGroupMemberDetails.csv).

Script

Output

It generates 2 output files – Servers.csv and SGroupMemberDetails.csv. The Servers.csv contains all computer information from Active Directory (output of Seach_AD function) and SGroupMemberDetails.csv file contains the Local Admin group membership details .

You will also see the status in the console itself.

An email alert will be generated with SGroupMemberDetails.csv file (Send_Email function).

Note

In PowerShell V2, you can use Send-MailMessage cmdlet create an email message:
http://technet.microsoft.com/en-us/library/dd347693.aspx

Download

You can download the script from the following 2 locations:

www.sivarajan.com - http://www.sivarajan.com/scripts/Search_AD_Local_Admin_Email.txt
Microsoft TechNet Gallery - http://gallery.technet.microsoft.com/scriptcenter/Search-AD-Collect-Local-9952be71

User Home Folder / Local Path–PowerShell Script

noreply@blogger.com (Santhosh Sivarajan) — Wed, 19 Oct 2011 15:46:00 +0000

This PowerShell Script can be used generate reports on user home folder (homedirectory) in Active Directory.

Download:

www.sivarajan.com - http://www.sivarajan.com/scripts/HomeDirectory.txt
Microsoft TechNet Gallery - http://gallery.technet.microsoft.com/scriptcenter/User-Home-Folder-Local-2ec2d383

Collect Service Info From Remote Servers – PowerShell Script

noreply@blogger.com (Santhosh Sivarajan) — Tue, 04 Oct 2011 11:42:00 +0000

This PowerShell script can be used to collect Service information from remote machines.

Input – input.csv, contains all computer names in the following format:

Script:

Output – Server and service information will in the output file, ServiceInfo.csv

Download – You can download the script from following 2 locations:

www.sivarajan.com - http://www.sivarajan.com/scripts/ServiceInfo.txt
TechNet Script Gallery - http://gallery.technet.microsoft.com/Collect-Service-Info-From-6e3b044e

Search AD and List Local Administrator Group Members on Servers – PowerShell Script

noreply@blogger.com (Santhosh Sivarajan) — Wed, 28 Sep 2011 17:13:00 +0000

This is an updated version of one of my old scripts (http://portal.sivarajan.com/2011/04/list-local-administrator-group-members.html) based on the discussion in the following thread:

http://sivarajan.com/forum/viewthread.php?tid=59

This script searches Active Directory for computer objects and generate an output file - Servers.csv. This will be an input for the second part of the script – Local Admin details.

Download

www.sivarajan.com - http://www.sivarajan.com/scripts/SearchAD_LocalAdmin.txt
Microsoft TechNet Gallery - http://gallery.technet.microsoft.com/Search-AD-and-List-Local-481b4ba2

Windows 8 Server – Remote DCPROMO and Deployment

noreply@blogger.com (Santhosh Sivarajan) — Wed, 21 Sep 2011 18:29:00 +0000

In Windows 8, Microsoft has introduced a lot of new features. In this blog, my focus is on the remote deployment capability of Windows Server 8. The administration and management of local and remote servers can be performed from the Server Manager console. In Server Manager, you will see Local Server and All Servers sections. You can add remote servers in to the All Serves group.

From the Server Manager–> All Servers –> Add Servers

As you can see in the following screenshot, you can select remote servers using Active Directory, DNS or you can import them.

Once you complete this process, you will these new servers in All Servers group. You can Add Roles, Features, Change configuration or perform any other administration task from this console.

I am going to install Active Directory Domain Services Role and perform a remote DCPROMO on my remote server – SAN-WIN08-02.

The process is same as installing a Role on a local machine. You can see more information in http://portal.sivarajan.com/2011/09/windows-8-serveradd-and-remove-roles.html

The next step is to configure this server as a Domain Controller. From the Server Manger Dashboard, you will see the required configuration details in the Roles and Sever Group section.

From this Notification window, you can start the DCPROMO process – Post-deployment Configuration.

In this demo, I am adding an additional Domain Controller to my existing domain. As you can see in the following screenshot, you have three options available:

Add a domain controller to an existing domain
Add a new domain to an existing forest
Add a new forest

Also, you will see a few more options like selecting a Site Name, GC etc in the configuration wizard.

You can configure,enable the DNS delegation and change credentials if needed.

In the next window, you can configure the database, log and SYSVOL locations. Also, you can select a domain controller for replication (Replicate From).

More options are available to customize the application partition replication by adding or removing these partitions, selecting only critical data etc.

Review these installation options and click Next to start the domain controller promotion process. This server (SAN-WIN08-02) will be an additional domain controller in the Santhosh.Lab2 domain.

These settings can be exported to a Windows PowerShell script to automate the installation options.

The DCPROMO process will perform a Prerequisite Check and Complete the installation. You will see the summary report in the Installation Result window.

Windows 8 Server–Add and Remove Roles

noreply@blogger.com (Santhosh Sivarajan) — Fri, 16 Sep 2011 18:48:00 +0000

As you know the Metro UI and Metro style applications are introduced in Windows 8 Server and Workstation OS. So the management interface is different in Windows 8. In this blog, my goal is to explain the procedure for adding or removing a server role on Windows 8 server.

You need to use Server Manger to Add or Remove roles. In Windows 8, you can open Server Manager from the UI itself. By default, Server manger will open at the logion.

From the Server Manager Dashboard, select Manage and then Add Role and Features or Remove Roles and Features option. I am going to remove DNS role from this server.

Click Next in the Remove Roles and Features Wizard window.

Select the server name based on Server Pool and Configuration. Click Next.

Clear the checkbox next to the Role – I am going to remove DNS role from this server.

Click Next or select a Feature to remove.

Click Next in the Confirmation Window.

You will see the process as shown in the following screenshot.

You can close this windows without interrupting the current running task. You can open this page again to see progress.

You may want to restart the server depends on the role. Shutdown and Restart button are in different location on Windows 8. You will see the Shutdown and Restart options in the lower right side of the window.

It will ask you to select a reason for the restart or shutdown - Shutdown Event Tracker

and YES. I am running Windows 8 Server on my Hyper-V box I received a few emails about Windows 8 installation issues on Hyper-V. I managed to install it on a Hyper-V.

Windows 8 - Developer Preview

noreply@blogger.com (Santhosh Sivarajan) — Wed, 14 Sep 2011 02:26:00 +0000

Release Notes: Important Issues in the Windows Server Developer Preview

These release notes address the most critical issues and information about the Windows Server Developer Preview operating system. For information about by-design changes, new features, and fixes in this release, see documentation and announcements from the specific feature teams. For information about important steps to take before installing this release, including issues that you may need to work around, see “Installing the Windows Server Developer Preview,” a document available at the same location as this document. Unless otherwise specified, these notes apply to all editions and installation options of the Windows Server Developer Preview.

Because this is a pre-beta release, many drivers may not be available yet. Check with the OEMs of your devices for the availability of updated drivers.

Installing the Windows Server Developer Preview

This document provides information about installing the Windows Server Developer Preview operating system, including any known issues that you may need to work around before starting an installation. It also provides information that you can use to troubleshoot problems that may occur during the installation. For information about serious known issues that you may need to work around after installation is complete, see “Release Notes: Important Issues in the Windows Server Developer Preview,” available at the same location as this document.

Setup works in several stages. You will be prompted for some basic information, and then Setup will copy files and restart the computer. Setup concludes by presenting a menu for Initial Configuration Tasks, which you can use to configure your server for your specific needs.

Preview guide

See what’s new in Windows 8. This downloadable guide shows you new features for developers, consumers and businesses.

Pdf - http://download.microsoft.com/download/1/E/4/1E455D53-C382-4A39-BA73-55413F183333/Windows_Developer_Preview-Windows8_guide.pdf

Xps - http://download.microsoft.com/download/1/E/4/1E455D53-C382-4A39-BA73-55413F183333/Windows_Developer_Preview-Windows8_guide.xps

Download

The Windows Developer Preview is available to download now! Come back to the Windows Dev Center soon to get the Windows Developer Preview guide, samples, forums, docs and the resources to build on Windows. The Windows Developer Preview is a pre-beta version of Windows 8 for developers. These downloads include prerelease software that may change without notice. The software is provided as is, and you bear the risk of using it. It may not be stable, operate correctly or work the way the final version of the software will. It should not be used in a production environment. The features and functionality in the prerelease software may not appear in the final version. Some product features and functionality may require advanced or additional hardware, or installation of other software.

Download at - http://msdn.microsoft.com/en-us/windows/apps/br229516

Computer Migration - Things to Consider (Updated)

noreply@blogger.com (Santhosh Sivarajan) — Tue, 06 Sep 2011 02:03:00 +0000

Here are a few points which you can consider while doing computer migration. These points are applicable to all migrations irrespective of the migration tool (ADMT, NetIQ, Quest etc).

Here is a high level flow chart that describes the computer migration process:

Admin$ Access (PreMig1 Script) – Ensure that you can access Admin$ or C$ on the workstation using your migration service account. You can use the following script to test the Admin$ permission:

http://portal.sivarajan.com/2010/01/check-admin-share-using-poweshell.html

Ping (part of PreMig1 Script)– Make sure you can ping the workstation from the migration console/server. But keep in mind that, if ICMP is disabled on your network, you won’t be able to ping the workstation. Also, I have seen in many cases that Ping is resolving to an incorrect IP address, which can be due to a bad WINS server or bad name resolution.

Read more at - http://www.sivarajan.com/cm.html

Other Related Blogs

Active Directory Migration Using ADMT - http://www.sivarajan.com/admt.html

Computer Migration - Things to Consider - http://www.sivarajan.com/cm.html

ADMT Include File - http://portal.sivarajan.com/2011/06/admt-include-file.html

User Migration and Input File Format - http://portal.sivarajan.com/2010/12/user-migration-and-input-file-format.html

User Account Migration and Merging – ADMT - http://portal.sivarajan.com/2011/05/user-account-migration-and-merging-part.html

User Account Migration and Merging – Quest Migration Manager - http://portal.sivarajan.com/2011/07/user-account-migration-and-merging-part.html

ObjectSID and Active Directory

noreply@blogger.com (Santhosh Sivarajan) — Thu, 01 Sep 2011 13:06:00 +0000

What is an objectSID in Active Directory?

When a new object is created in Active Directory, Domain Controller assigns a unique value used to identify the object as a security principal. This value is unique inside the domain. An ObjectSID includes a domain prefix identifier that uniquely identifies the domain and a Relative Identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID

How do I get ObjectSID information from Active Directory?

You can see the ObjectSID information using ADSI Edit or Attribute Editor or you can use DSQUERY commands. I will explain these details with the a few screenshots:

Domain SID – I am using the following DSQUERY command with a name filter to get the SID of my domain.

User SID – As you can see from the following screenshot, the objectSID of the user (TestABC1) is consist of Domain SID of the domain (santhosh) + Relative ID(RID) of the user account.

RID Allocation

RID number will assigned from the RID pool (rIDAAllocationPool) of the Domain Controller. Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master FSMO role. You can get the RID pool allocation table details using the dcdiag /test:ridmanager /v command.

Keep in mind that the RID pool will be different in each domain controller. RID will be allocated to an object in Active Directory based on the Domain Controller that you are using. Here is an example from my second domain controller in my domain:

As you can see in the above screenshot, if I create a new object using this domain controller, the new object will be assigned with 1601 (rIDNextRID) as the RID.

You can also use DQUERY command to get the properties of the RID Set. However, you need to convert some of the values.

By default, RID pools will be allocated in increments of 500 (rIDAllocationPool).

Active Directory and userAccountControl Attribute

noreply@blogger.com (Santhosh Sivarajan) — Wed, 10 Aug 2011 01:58:00 +0000

As you know, searching Active Directory attributes using DSQUERY commands or scripts is not difficult. You can get the values directly from the attribute. However, searching the enabled, disabled status,PasswordExpired etc can be challenging because these properties/values are not stored in its own attribute. These account properties are controlled by an attribute called userAccountControl.

what is userAccountControl ?

It is a 4 bytes (32-bit) integer that represents a bitwise enumeration of various flags that controls the behavior of an object. The attributeID (ruleOD) of this object is 1.2.840.113556.1.4.8. The attributeID is a unique X.500 Object Identifier(OID) for identifying an attribute.

How do I search userAccountControl values in Active Directory?

It is like searching any other attribute in Active Directory. However, you need to represent the userAccountControl values in numeric. The syntax of the LDAP matching rule is

attributename:ruleOID:=value

where attributename is the LDAP DisplayName -in this case it is userAccountControl, ruleOID is the attributeID for the matching rule control - in this case it is 1.2.840.113556.1.4.8, and value is the decimal value you want to use for search. I will explain the details using a couple of examples.

The following DSQUERY command returns all disabled user accounts in Active Directory.

dsquery * -limit 0 –filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" –attr name

userAccountControl = 2 means the user account is disabled (ADS_UF_ACCOUNTDISABLE)

and the following DSQUERY command returns all users with the 'Password Never Expires' settings enabled.

dsquery * -limit 0 –filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" –attr name

userAccountControl = 65536 means the user account has 'Password Never Expires' flag enabled (ADS_UF_DONT_EXPIRE_PASSWD)

So where did the attributeID (ruleOID) 03 suffix come from?

The value of attributeID (ruleOID) can be either 1.2.840.113556.1.4.803 or 1.2.840.113556.1.4.804

1.2.840.113556.1.4.803 – This is the bitwise AND operator (LDAP_MATCHING_RULE_BIT_AND). The rule is true only if all bits from the property match the value.
1.2.840.113556.1.4.804 – This is the bitwise OR operator (LDAP_MATCHING_RULE_BIT_OR). The rule is true if any bits from the property match the value.

Here is the complete structure:

How do I get the userAccountControl values?

These UserAccountControl flag values are available in following MSDN articles. Make sure to use Decimal values not HEX.

http://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx

Conclusion

Regardless of what method you use (commands or scripts) you can search Active Directory using userAccountControl flags using the above mentioned syntax.

Looking for more DSQUERY examples?

Visit my TechNet Wiki article - http://social.technet.microsoft.com/wiki/contents/articles/3537.aspx

Udpate Comptuer Description–PowerShell Script

noreply@blogger.com (Santhosh Sivarajan) — Mon, 01 Aug 2011 23:35:00 +0000

Purpose - To update the computer description (description attribute) in Active Directory. – PowerShell V2 Script.

Input File – Input file (Computers.csv) contains Computer Name and Description.

Script:

I have also uploaded this script to Microsoft TechNet Gallery - http://gallery.technet.microsoft.com/scriptcenter/6e883230-fa47-4a9e-aa92-446ab3bea6dd

More scripts - http://portal.sivarajan.com/search?q=script+powershell&max-results=20

Add Users to a Group–PowerShell Script

noreply@blogger.com (Santhosh Sivarajan) — Sat, 30 Jul 2011 00:01:00 +0000

Purpose – Add users to a group from an input file – PowerShell V2 Script.

Input file – Input file (Users.csv) contains samAccountName in the following format:

Script

I have also uploaded this script to Microsoft TechNet Gallery - http://gallery.technet.microsoft.com/scriptcenter/ffff189d-8ef1-4903-b19c-12dcd352c88e

More Scripts - http://portal.sivarajan.com/search?q=scripts&x=0&y=0

Change Service Account Username & Password–PowerShell Script

noreply@blogger.com (Santhosh Sivarajan) — Tue, 26 Jul 2011 11:38:00 +0000

This PowerShell script can be used to change the service account credentials remotely.

Input – The input file (input.csv) contains server/computer name in the following format:

Script

Output – You will see the status on the screen as shown in the following screenshot:

Download – You can download this script from the following locations:

www.sivarajan.com - http://www.sivarajan.com/scripts/Change_Service_Credentials.txt
Microsoft TechNet Gallery - http://gallery.technet.microsoft.com/scriptcenter/79644be9-b5e1-4d9e-9cb5-eab1ad866eaf

More Scripts - http://portal.sivarajan.com/search?q=script+powershell&max-results=20

Modify Logon Scirpt (scriptPath)–PowerShell

noreply@blogger.com (Santhosh Sivarajan) — Fri, 22 Jul 2011 11:42:00 +0000

Here are a couple of options to modify the Logon Script (scriptPath) value in Active Directory. This script requires PowerShell Active Directory module.

Remove scriptPath Value

Import-module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=User Accounts,DC=santhosh,DC=lab" | Set-ADUser -Clear scriptPath

Update or set scriptPath Value

Import-module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=User Accounts,DC=santhosh,DC=lab" | Set-ADUser –scriptPath “\\San01\test.bat”

More scripts - http://portal.sivarajan.com/search?q=script+powershell&max-results=20

http://gallery.technet.microsoft.com/scriptcenter/site/profile?userName=Santhosh%20Sivarajan-

Search Active Directory & Get User Properties–PowerShell Script

noreply@blogger.com (Santhosh Sivarajan) — Thu, 21 Jul 2011 11:56:00 +0000

You can use this PowerShell script to search Active Directory and get the user properties. The input file (OU.csv) contains OU name sin the following format:

Script:

Download:

You can download the script from the following locations:

www.sivarajan.com - http://www.sivarajan.com/scripts/SearchAD_UserInfo.txt

Microsoft TechNet Gallery - http://gallery.technet.microsoft.com/scriptcenter/dd152aa5-bc94-4ac8-9eeb-3bc5b98d425a

More scripts - http://portal.sivarajan.com/search?q=script+powershell&max-results=20

ADMT User Migration and Leaf Object Error Message

noreply@blogger.com (Santhosh Sivarajan) — Tue, 19 Jul 2011 12:03:00 +0000

Issue:

ADMT displays the following error message when try to migrate a user account:

ERR2:7422 Failed to move source object 'CN=XXXX'. hr=0x8007208c The operation cannot be performed because child objects exist. This operation can only be performed on a leaf object.

Cause/Resolution:

Some application may add configuration details to a user object. Exchange ActiveSync is an example. If you have ActiveSync, make sure the ExchangeActiveSync child object has the proper value. Or if the application is not using this configuration, you can remove the attribute value. You can use ADSI Edit to verify this value (ADSIEdit –> Default Naming Context –> Properties of the User).

If the issue is only happening on a few user accounts, you can dump the user account properties using DSQUERY command and compare them with a “good” user account value.

Other Related Blogs & Articles:

Active Directory Migration Using ADMT - http://www.sivarajan.com/admt.html

Computer Migration - Things to Consider - http://www.sivarajan.com/cm.html

User Account Migration and Merging Using ADMT - http://www.sivarajan.com/

ADMT Include File - http://portal.sivarajan.com/2011/06/admt-include-file.html

User Migration and Input File Format - http://portal.sivarajan.com/2010/12/user-migration-and-input-file-format.html

User Must Change Password at Next Logon–pwdLastSet–PowerShell Script

noreply@blogger.com (Santhosh Sivarajan) — Thu, 14 Jul 2011 11:46:00 +0000

This PowerShell script can be used update the pwdLastSet (User Must Change Password at Next Logon) value in Active Directory. You can use either “0” or “-1” to enable to disable this option:

0 to enable the User must change password at next logon option
-1 to disable the User must change password at next logon option

Script:

Output:

Download:

www.sivarajan.com - http://www.sivarajan.com/scripts/User_Change_Password.txt

TechNet Gallery - http://gallery.technet.microsoft.com/scriptcenter/030d1ff1-df99-47fe-b9c3-ecd4d98ffd7d

More scripts - http://portal.sivarajan.com/search?q=script+powershell&max-results=20

Move Computer Objects Based on Operating System Version

noreply@blogger.com (Santhosh Sivarajan) — Tue, 12 Jul 2011 14:44:00 +0000

This logic can be used move computer objects in Active Directory based based on their Operating System version.

Option #1 – DS Commands

dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(ObjectClass=computer)(objectCategory=Computer)(operatingSystemVersion=6.1))" | dsmove -newparent OU=Win7,OU=ComputerAccounts,DC=santhosh,DC=lab

The above command will move all Windows 7 computers to OU=Win7,OU=ComputerAccounts,DC=santhosh,DC=lab OU.

dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(ObjectClass=computer)(objectCategory=Computer)(operatingSystemVersion=5.1))" | dsmove -newparent OU=WinXP,OU=ComputerAccounts,DC=santhosh,DC=lab

The above command will move all Windows XP computers to OU=WinXP,OU=ComputerAccounts,DC=santhosh,DC=lab OU.

Option #2 – Ver or systeminfo Commands

In option #1, I am verifying the OperatingSystem or OperatingSystemVersion values from Active Directory attribute. You can also verify these values from the actual computer objects using the following method:

http://portal.sivarajan.com/2011/03/operating-system-infobatch-file.html

Filter

You can update the filter based on OperatingSystem or OperatingSystemVersion values. Also, I have used the default computer location (CN=Computers,DC=santhosh,DC=lab) query.

operatingSystemVersion - http://msdn.microsoft.com/en-us/library/ms724832(v=vs.85).aspx

operatingSystem - http://msdn.microsoft.com/en-us/library/aa370556(v=vs.85).aspx

Server Object Filter

If your goal is to move all “severs”, you can modify the search using the "(&(ObjectClass=computer)(objectCategory=Computer)(operatingSystem=*server*)) filter. This filter will verify the”server” string the operatingSystem attribute value.

Domain Controller Filter

If you want to exclude all Domain Controllers, you can use the following userAccountControl filter (Active Directory and userAccountControl Attribute).

(&(ObjectClass=computer)(objectCategory=Computer)(!userAccountControl:1.2.840.113556.1.4.803:=8192))

Automation

You can create a batch file with these commands or create a schedule task to achieve this goal. If you really want to automate this process, you attach this script to an event ID using Attach Task To This Event option.

http://portal.sivarajan.com/2010/04/generate-email-alert-to-event-attach.html

Search AD and Add Employee ID–PowerShell Script

noreply@blogger.com (Santhosh Sivarajan) — Tue, 12 Jul 2011 02:47:00 +0000

Script #1

Here is a simple PowerShell script which you can use to add Employee ID in a user object. This script requires PowerShell Active Directory module.

Note: I am not searching AD for the user account. My assumption is the user account already exist in AD.

Input file – Input file (Users.csv) contains user names and employeeID in the following format:

You can download this script from the following locations:

www.sivarajan.com - http://www.sivarajan.com/scripts/Add_EMpID.txt

Microsoft TechNet Gallery - http://gallery.technet.microsoft.com/scriptcenter/e9bafc1a-b5b1-4663-8e25-b0d0ea28c2b2

Script #2 - Search AD using email address and update the employee ID value.

Input file (users.csv) contains email address and employee ID in the following format:

Download - http://www.sivarajan.com/scripts/Search_AD_EmployeeID.txt

Microsoft TechNet Gallery - http://gallery.technet.microsoft.com/scriptcenter/87a2a2f3-f590-4bdf-911b-da4df53f1f11

More scripts - http://portal.sivarajan.com/search?q=script+powershell&max-results=20

User Account Migration and Merging – Part II (Quest Migration Manager)

noreply@blogger.com (Santhosh Sivarajan) — Wed, 06 Jul 2011 12:17:00 +0000

Part I - User Account Migration and Merging Using ADMT

Part II - User Account Migration and Merging Using QMM

Pre-creating user account in the target domain is a common scenario these days due to single-sign-on solution, HR management procedure etc. This will make the user migrate procedure more challenging. During the migration you need to make sure these accounts are properly “merged” with correct SID information.

In this example, I will explain a procedure to migrate and merge user accounts using Quest Migration Manager (QMM). You can read the Part I (User Account Migration and Merging – Part I (ADMT)) of this document in the following link:

http://portal.sivarajan.com/2011/05/user-account-migration-and-merging-part.html

Scenario:

I have pre-created user accounts in the target domain. Their logon name (samAccoutnName) is different in the target domain. My goal to migrate an account from the source domain, merge it with the corresponding account in the target domain and maintain the source SID in the migrated object.

Migration Plan:

My plan is to use an input file which contains a mapping between source and target user accounts. The file encoding type must be ANSI. You can read about this requirement in my following blog:

http://portal.sivarajan.com/2010/12/user-migration-and-input-file-format.html

Here is an example of this input file:

In the above example, my plan is to migrate User1 and merge it with a pre-created user account (12345) in the target domain. The column headers are Source sAMAccountName, Target sAMAccountName and Target Name.

Migration Procedure:

1. Open Quest Migration Manager console. Right click on the Migration node and select New Session option.

Note: Make sure the Account Name matching attributes is selected in the domain pair configuration (Domain Pair –> Properties –> Object Matching).

2. Click Next on the Welcome window.

3. Specify the name in the Name box for this migration session. Click Next.

4. On the Select Object in Source Domain window, click on Import button and select the user input file and click Open.

5. Click Next on Select Objects in Source Domain window.

6. On the Select Target Container window:

a. Click Browse to select the appropriate target OU

b. Select Migrate objects without OUs as a flat list option and

c. Select either

Merge and move the objects to the new OU –> This option will move the migrated/merged object to the selected OU.

Merge and leave the account where it was before the migration option –> This option will leave the account where it was before the migration.

d. Click Next.

7. On the Set Security Settings window, select appropriate options. Click Next.

8. On the Specify Object Processing Options window, select appropriate options. Click Next.

9. Click Next on the Specify Object Processing Options window.

10. On the Select Migration Agent window, select the correct DSA as the migration agent server. Click Next.

11. Click Next on the Migrate Active Directory Objects window.

12. Click Yes on the Migration Wizard Popup window. Migration process status will display on the status windows

14. Select View log button on the Completing the Migration Wizard windows to verify the log file.

15. Click Finish to complete the user migration process.

sIDHistory

You can verify the sIDHistory value using ADSI Editor or one of the following scripts. The sIDHistory value should be equal to the ObjectSID in the source domain.

Verify sIDHistory and Identify the Source User Account - http://portal.sivarajan.com/2011/03/verify-sidhistory-and-identify-source.html

siDHistory Report - with Multi Value Support - http://portal.sivarajan.com/2011/04/sidhistory-report-with-multi-value.html

Generate sidHistory Report using DSQUERY command - http://portal.sivarajan.com/2011/01/generate-sidhistory-report-using.html

QMM Directory Synchronization

If you are planning to use Quest directory synchronization, you can enable the directory synchronization after the user migration. QMM will update the user information (user properties, group membership etc) based the QMM matching attribute value (adminDescription & adminDisplayName or ExtensionAttribute 14 and 15). These values get populated during the user migration.

Other Related Blogs & Articles:

Active Directory Migration Using ADMT - http://www.sivarajan.com/admt.html

Computer Migration - Things to Consider - http://www.sivarajan.com/cm.html

User Account Migration and Merging Using ADMT - http://www.sivarajan.com/

ADMT Include File - http://portal.sivarajan.com/2011/06/admt-include-file.html

User Migration and Input File Format - http://portal.sivarajan.com/2010/12/user-migration-and-input-file-format.html