
Posts

Showing posts from September, 2009

How to find out what attributes in your AD domain are indexed

Ever wondered why some queries return much faster than others? If you search on attributes that are indexed, your DC returns the results much quicker. How can you find out which attributes are indexed? Use the following. If you find that your attribute is not being indexed, take a look here to find out how to add it to the index.

$Collection = @()
$domain = [System.DirectoryServices.ActiveDirectory.domain]::getcurrentdomain()
$ObjectCategory = "attributeSchema"
$ObjectProplist = "name"
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; searchFlags bit 1 marks an indexed attribute
$LdapQuery = "(&(objectCategory=$ObjectCategory)(searchFlags:1.2.840.113556.1.4.803:=1))"
($domain).name
# Builds the schema path from the current domain's DNS name, which is only right when run in the forest root domain
$LDAPdomain = [ADSI]('LDAP://CN=Schema,CN=Configuration,dc=' + ($($domain).name -replace "[.]",",dc="))
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($LDAPdomain, $LdapQuery, $ObjectProplist)
$Searcher.pagesize = 1000
$Results = $Searcher.FindAll()
foreach ($Object in $Results){
   $Store = "
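As an added example (not code from the original post), here is a version that asks RootDSE for the schema naming context instead of deriving it from the current domain's DNS name, so it also works from a child domain, and that decodes the other searchFlags bits for every indexed attribute it finds. The attribute name checked at the end is an assumed example.

```powershell
# Added example, not code from the original post. Reads the schema naming context from
# RootDSE rather than deriving it from the current domain's DNS name, so it is correct
# from a child domain too, and decodes the searchFlags bits for each attribute found.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext    # e.g. CN=Schema,CN=Configuration,DC=other,DC=com
$schema   = [ADSI]"LDAP://$schemaNc"

# searchFlags bits (from the attributeSchema definition) that matter for query cost and exposure
$fATTINDEX     = 1      # indexed
$fPDNTATTINDEX = 2      # indexed per container
$fANR          = 4      # member of the Ambiguous Name Resolution set
$fTUPLEINDEX   = 32     # tuple index, makes medial (*foo*) substring searches cheap
$fCONFIDENTIAL = 128    # confidential: reading it needs a control-access right, not just Read Property

# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule, so this returns attributes with the indexed bit set
$filter   = "(&(objectCategory=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$fATTINDEX))"
$props    = "lDAPDisplayName","searchFlags"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($schema, $filter, $props)
$searcher.PageSize = 1000

$indexed = foreach ($r in $searcher.FindAll()) {
    $flags = [int]$r.Properties["searchflags"][0]
    New-Object PSObject -Property @{
        Attribute    = [string]$r.Properties["ldapdisplayname"][0]
        SearchFlags  = $flags
        PerContainer = [bool]($flags -band $fPDNTATTINDEX)
        ANR          = [bool]($flags -band $fANR)
        TupleIndex   = [bool]($flags -band $fTUPLEINDEX)
        Confidential = [bool]($flags -band $fCONFIDENTIAL)
    }
}
$indexed | Sort-Object Attribute |
    Format-Table Attribute, SearchFlags, PerContainer, ANR, TupleIndex, Confidential -AutoSize

# Check an attribute before you build a query (or a detection rule) around it; the name is an assumed example
$check = "employeeID"
if ($indexed | Where-Object { $_.Attribute -eq $check }) {
    "$check is indexed"
} else {
    "$check is NOT indexed; a filter on it forces the DC to walk the whole NC"
}
```

Run it from any machine joined to the forest; reading the schema needs no special rights. The Confidential column is worth a glance while you are there, since an indexed but confidential attribute is still cheap to query for anyone who has been granted the extra read right.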

Active Directory Searcher - Part 3

In the final part of this series, I will look at dealing with the lastlogontimestamp attribute and easily outputting the data you have gathered to a file. Part 2 left us with:

$domains = [System.DirectoryServices.ActiveDirectory.forest]::getcurrentforest().get_domains()
$ObjectCategory = "user"
$ObjectProplist = "name","samaccountname","whencreated"
$LdapQuery = "(&(objectCategory=$ObjectCategory)(name=ad*))"
foreach ($domain in $domains){
      ($domain).name
      $LDAPdomain = $domain.GetDirectoryEntry()
      $Searcher = New-Object System.DirectoryServices.DirectorySearcher($LDAPdomain, $LdapQuery, $ObjectProplist,"subtree")
      $Searcher.pagesize = 1000
      $Results = $Searcher.FindAll()
      foreach ($Object in $Results){
            foreach ($prop in $ObjectProplist){
                  $Object.Properties.$prop
            }
      }
}

If you have tried to manipulate lastlogontimestamp in VB, you will

Enable Powershell Remoting (WinRM) via Group Policy

I have been doing some testing on enabling WinRM via Group Policy, since WinRM is the service that PowerShell v2 builds its remoting on. Here are the GPO settings that you need to configure WinRM:

Set the WinRM service to auto start
Computer Configuration \ Policies \ Windows Settings \ Security Settings \ System Services \ Windows Remote Management (WS-Management): set Startup Mode to Automatic.

Start the service
Incorporated into the above; you may need a restart.

Create a WinRM listener
Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Windows Remote Management (WinRM) \ WinRM Service \ Allow automatic configuration of listeners. IPv4 filter: * (listen on all addresses), or if you only want a particular IP address to respond, use an IP range, e.g. 10.1.1.1-10.1.1.254. Don't forget that this IP range has to be valid for all hosts that fall in the scope of the GPO you are creating. You can use 10.1.1.1 -
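Once the policy has applied, it is worth checking on a target host that all three pieces actually landed rather than trusting gpresult. The following is an added example, not from the original post; the registry value names are the ones the "Allow automatic configuration of listeners" policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service, and the server name in the final line is assumed.

```powershell
# Added example, not code from the original post: verify on a target host that the GPO
# produced a working WinRM configuration, and flag the settings worth a second look.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$report = New-Object PSObject -Property @{
    ServiceStartMode = (Get-WmiObject Win32_Service -Filter "Name='WinRM'").StartMode   # Auto / Manual / Disabled
    ServiceState     = (Get-Service WinRM).Status
    PolicyApplied    = Test-Path $policyKey
    AllowAutoConfig  = $null
    IPv4Filter       = $null
    Listeners        = @()
}
if ($report.PolicyApplied) {
    $p = Get-ItemProperty $policyKey
    $report.AllowAutoConfig = $p.AllowAutoConfig    # 1 when the policy is Enabled
    $report.IPv4Filter      = $p.IPv4Filter         # '*' or the range typed into the GPO
}

# Enumerate the listeners WinRM actually built from that policy (needs the service running)
if ($report.ServiceState -eq 'Running') {
    $report.Listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
        Select-Object Address, Transport, Port, ListeningOn
}
$report | Format-List

# Things to flag
if ($report.ServiceStartMode -ne 'Auto') {
    Write-Warning 'WinRM is not set to Automatic; the listener will be gone after the next reboot'
}
if (-not $report.PolicyApplied) {
    Write-Warning 'Policy key missing: run gpupdate /force, or check the GPO scope and WMI filters'
}
if ($report.IPv4Filter -eq '*') {
    Write-Warning 'Listener binds every IPv4 address; narrow IPv4Filter on multi-homed hosts (e.g. hosts with a DMZ leg)'
}
if (-not ($report.Listeners | Where-Object { $_.Transport -eq 'HTTPS' })) {
    Write-Warning 'HTTP listener only: Kerberos/Negotiate still encrypts the payload, but keep AllowUnencrypted off and do not enable Basic auth on it'
}

# From the admin workstation, the end-to-end check the GPO is supposed to make pass (server name assumed)
Test-WSMan -ComputerName server01.other.com
```

Test-WSMan talks to the listener without authenticating, so it tells you the service and firewall are open but not that your account can actually create a session; follow it with a quick Invoke-Command once the warnings above are clear.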

Active Directory Searcher - Part 2

We finished up Part 1 with this script:

$LDAPdomain = [ADSI]('LDAP://dc=other,dc=com')
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($LDAPdomain,"(objectclass=user)","name","subtree")
$Results = $Searcher.FindAll()
foreach ($Object in $Results){
  $Object.Properties.name
}

I am going to take things a little further by adding variables, which in turn will help remove any hardcoded elements of the script. A quick one first: after running your search for all users, did you notice that you got exactly 1000 results (assuming that you have at least 1000 users in your domain)? That is not a limit of LDAP itself but the DC's MaxPageSize policy, which caps a single result set at 1000 entries by default. What you need to do is tell the searcher to page results by adding this command:

$Searcher.pagesize = 1000

This makes the searcher use the LDAP paged results control: it will return the first 1000, then go off and fetch the next 1000 straight after, and so on. The next thing is to use variables instead of hard coding in the

Powershell v2 Remoting

In my quest to make my life easier, I have been waiting with bated breath to get my hands on the remoting features of PS v2. Now that I have access to Windows 7 and Windows Server 2008 R2, let the fun begin! When looking for information about these new features, where better to go than the source. I found this video on TechEd where Jeffrey Snover (PowerShell Godfather, as he is introduced!) co-presents on using PowerShell v2 in large environments. From my findings (mainly from this video) there are primarily two new ways of gathering information from remote computers in PS v2: the all singing, all dancing big brother that needs all the options installed and configured, and the little brother version, which has fewer prerequisites on the remote client but does not do quite as much.

The -computername switch (Little Brother)
One of the biggest things missing in PowerShell 1 was the ability to run a cmdlet against a remote machine. With PS v2 this has changed. Suddenly, I can get t
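To make the little brother / big brother split concrete, here is an added example (not code from the original post) that asks the same inventory question both ways and then works out, per host, which prerequisite is missing when one path answers and the other does not. The host names are assumed.

```powershell
# Added example, not code from the original post. The same question asked via a cmdlet's
# -ComputerName parameter and via Invoke-Command. Host names are assumed; both paths run
# as the current user, so the account needs admin rights on the targets.
$targets = 'dc01','fs01','web01'

# Little brother: the cmdlet's own -ComputerName. Get-WmiObject goes over DCOM/RPC, so the
# target needs no WinRM at all, but only cmdlets that expose the parameter can be used.
$viaDcom = Get-WmiObject Win32_OperatingSystem -ComputerName $targets -ErrorAction SilentlyContinue |
    Select-Object CSName, LastBootUpTime

# Big brother: Invoke-Command ships the whole script block to the target's PowerShell over WinRM,
# runs the targets in parallel (-ThrottleLimit) and stamps each result with PSComputerName.
# Anything inside the block that needs a second network hop fails without CredSSP or delegation:
# the target only holds a network token for you, not your credentials.
$viaWinRm = Invoke-Command -ComputerName $targets -ThrottleLimit 32 -ErrorAction SilentlyContinue -ScriptBlock {
    $os   = Get-WmiObject Win32_OperatingSystem
    $boot = $os.ConvertToDateTime($os.LastBootUpTime)
    New-Object PSObject -Property @{
        LastBoot    = $boot
        UptimeDays  = [math]::Round(((Get-Date) - $boot).TotalDays, 1)
        PSVersion   = $PSVersionTable.PSVersion.ToString()
        HotfixCount = @(Get-WmiObject Win32_QuickFixEngineering).Count
    }
}
$viaWinRm | Select-Object PSComputerName, LastBoot, UptimeDays, PSVersion, HotfixCount | Format-Table -AutoSize

# A host that answers one path but not the other tells you which prerequisite is missing.
$dcomOk  = @($viaDcom  | ForEach-Object { $_.CSName.ToLower() })
$winrmOk = @($viaWinRm | ForEach-Object { $_.PSComputerName.ToLower() })
foreach ($t in $targets) {
    if ($dcomOk -notcontains $t -and $winrmOk -notcontains $t) {
        Write-Warning "${t}: unreachable by either method (host down, name resolution, or both firewall rules missing)"
    } elseif ($winrmOk -notcontains $t) {
        Write-Warning "${t}: DCOM works but WinRM does not; check the listener GPO and the TCP 5985 firewall rule"
    } elseif ($dcomOk -notcontains $t) {
        Write-Warning "${t}: WinRM works but DCOM is blocked; stick to Invoke-Command for this host"
    }
}
```

Note that the DCOM path compares on CSName (the NetBIOS computer name) while Invoke-Command echoes back whatever name you passed in, so the comparison above only lines up when $targets holds short names.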

Active Directory Searcher - Part 1

One of the first things I learnt to do in PowerShell was to search AD. I could search in VB, but there were a few quirks and limitations that gave me the incentive to take the leap into PS. That, and I had just started a new job supporting a large financial AD environment where we had to do a lot of data capture across multiple domains! As anyone would, I looked at the way VB works and tried to convert it. Here is a direct translation of VB to PS for searching AD.

VB Script:

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = "<LDAP://dc=other,dc=com>;(objectclass=user);name;subtree"
Set objRecordSet = objCommand.Execute
If objRecordset.RecordCount > 0 Then
   objRecordSet.MoveFirst
   Do Until objR
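Pulling the three parts of the series together (Part 1's DirectorySearcher, Part 2's paging and variables, Part 3's lastlogontimestamp handling and file output), here is an added example that is not code from the original posts. It walks every domain in the forest, converts lastLogonTimestamp to a DateTime, and writes the rows to CSV; the output path and the 90-day staleness threshold are assumptions.

```powershell
# Added example, not code from the original posts: the Part 1-3 searcher pulled together across
# every domain in the forest, with lastLogonTimestamp converted to a DateTime and the rows written
# to CSV. The output path and the 90-day staleness threshold are assumptions.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$props  = "name","samaccountname","whencreated","lastlogontimestamp"
# person+user (computer objects are also objectClass=user) with userAccountControl bit 2 clear = enabled accounts only
$filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$staleBefore = (Get-Date).AddDays(-90)

function ConvertFrom-LastLogonTimestamp([object]$value) {
    # DirectorySearcher hands the large-integer syntax back as Int64: 100 ns ticks since 1601-01-01 UTC.
    # Missing or 0 means the account has not logged on since the attribute came into being.
    if ($value -eq $null -or [int64]$value -eq 0) { return $null }
    return [DateTime]::FromFileTimeUtc([int64]$value)
}

$rows = foreach ($domain in $forest.Domains) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain.GetDirectoryEntry(), $filter, $props, "Subtree")
    $searcher.PageSize = 1000   # paged-results control; without it the DC stops at MaxPageSize (1000 by default)
    foreach ($r in $searcher.FindAll()) {
        $llt = $null
        if ($r.Properties["lastlogontimestamp"].Count -gt 0) {
            $llt = ConvertFrom-LastLogonTimestamp $r.Properties["lastlogontimestamp"][0]
        }
        New-Object PSObject -Property @{
            Domain          = $domain.Name
            Name            = [string]$r.Properties["name"][0]
            SamAccountName  = [string]$r.Properties["samaccountname"][0]
            WhenCreated     = $r.Properties["whencreated"][0]
            LastLogonApprox = $llt
            # lastLogonTimestamp is only replicated when the stored value is older than msDS-LogonTimeSyncInterval
            # (14 days by default, minus a random 0-5 days), so it can lag a real logon by up to 14 days.
            Stale           = ($llt -eq $null -or $llt -lt $staleBefore)
        }
    }
}
$rows | Sort-Object Domain, SamAccountName | Export-Csv -Path "C:\temp\forest-users.csv" -NoTypeInformation
"{0} enabled accounts, {1} with no logon in the last 90 days" -f @($rows).Count, @($rows | Where-Object { $_.Stale }).Count
```

Because of the replication lag noted in the comment, lastLogonTimestamp is fine for finding accounts nobody has used in months, but not for "who logged on yesterday"; for that you need the unreplicated lastLogon attribute read from every DC, or the 4624 events themselves.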