Showing posts from December, 2009

Get group members of large groups via Powershell

I have always been aware that getting the group membership of large groups has been a challenge and have always managed to avoid addressing the issue. (Is that what we call the 'Too Hard' pile???) Well, I have had a reason to find this out again, but this time I have Powershell to help me out!

Why is this such an issue, I hear you ask... this link explains why. In a nutshell, you will only ever return a maximum of 1500 members for a group, 1000 if you are querying Windows 2000.

I cannot take any credit for the solution; I can only pass on a now ancient (in powershell terms, that is) Monad link to how to enumerate all the members of a group from /\/\o\/\/. As you will see, this link refers to Monad, the pre-release name for powershell. Please follow the link above, or more from /\/\o\/\/ can be found at thepowershellguy.com. Meanwhile, I have added my own comments to his script below...

#get the group
$group = [ads

Computer Password Changes in AD

In trying to resolve an issue with regard to computers losing their trust relationship with the domain, I found this incredibly good explanation of how passwords are used and changed in AD. It goes a long way to explain where the password change is initiated (the computer, not a DC), what is required to be in place before the change can happen and how it works around any issues it may face. Thanks Manish Singh (from the Directory Services team) for such a detailed post. Added to links too!

Manage Shadow Group Membership - Powershell Function

I looked at a quick script to update a shadow group here, and then thought, this would make a good function. I have used my function template (refer to that post if you want to know more about how to format a function) to build up a reusable script to update group membership based on user and computer object location in AD.

A traditional shadow group is all members of an OU. In my mind, there are a few assumptions to this statement. Being that you have taken the time to create an OU, put objects in it, and created a group to mirror those objects, you probably have only 1 type of object (i.e. user) and they are all similar in some respect (i.e. same office location). This function keeps that in mind and only updates groups with users or computers - not other groups etc.

Moving away from the traditional meaning of shadow group, I have added (for my own benefit as I required the functionality) a parameter to change the searchsco

Powershell v2 Function Template

Powershell v2 has updated what you can do with creating functions over Powershell V1. The whole function experience has been updated to a cmdlet-like feel with error handling, parameter validation, help creation and, of course, tab completion! The following is a bare bones template that I've commented inline for easy reading!

function new-template {
<#
.SYNOPSIS
   Brief description of what the function does
.DESCRIPTION
   A better description
.NOTES
   Function Name : new-template
   Author : Adam Stone
   Requires : PowerShell V2
.LINK
   http://adadmin.blogspot.com/
.EXAMPLE
   Simple usage
   PS C:\> new-template -args values
.EXAMPLE
   Simple usage
   PS C:\> new-template -args values values etc
.PARAMETER first
   A description of the first parameter
.PARAMETER targetdomain
   A description of the second parameter
#>
#parameter validation
param (
   #define the position of the parameter if required, sp

Manage Shadow Group Membership with powershell AD Cmdlets

Sometimes, in our Active Directory structure, we need a group to reflect the contents of an OU. One example of this is if you organise your users and computers in location-specific OUs and need to use RODC password replication policy.

In this script I use PowerShell v2 AD cmdlets to enumerate group membership and OU membership and then use compare-object to work out the differences. Finally, the switch reads whether the additional user was found in the group or the OU and either adds or removes the member accordingly. This script uses get-aduser, but get-adcomputer will work just as well. I am working on a more comprehensive solution using get-adobject to deal with multiple object types.

$Group = "shadowgroup"
$OU = "OU=ShadowOU,DC=domain,DC=com"
$users = $(get-aduser -SearchBase $OU -filter "*")
$groupmembers = Get-ADGroupMember -Identity $Group
switch (Compare-Object -ReferenceObject $gro