I previously wrote a post about using the ActiveDirectory module with Get-ADUser. The idea was to find AD users using PowerShell and went over several advanced topics. Feel free to check that to get familiar with the overall commands since Get-ADGroup is going to use something similar.
 

Here, the Get-ADGroup cmdlet is going to be used to filter all groups that have no members and move them to a separate OU for further processing. Since we are a little cautious when it comes to making bulk changes like this, I would suggest moving them to a staging OU where they can be left there for 30-60 days. Since these groups are empty, chances are no one is going to be missing them but it’s a good idea to separate them first, then move forward with deleting.
 

Before we delete anything, I would strongly recommend you enable the AD recycle bin so you can recover objects without hesitation.
 

Find Empty Groups in Active Directory using PowerShell

#Get All empty groups in the entire domain. Be careful with Exchange and other built-in groups.
$AllEmptyGroupList = Get-ADGroup -Filter {Members -notlike "*" } -Properties Members, WhenChanged, WhenCreated

#Get all empty groups that have not been touched in longer than 6 months. Be careful with Exchange and other built-in groups.
$CutOffDate = (Get-Date).AddMonths(-6)
$SixMonthEmptyGroupList = Get-ADGroup -Filter {Members -notlike "*" -and WhenChanged -lt $CutOffDate} -Properties Members, WhenChanged, WhenCreated

#Get all stale groups from a specific OU (Preferred)
$EmptyGroupList = Get-ADGroup -Filter {Members -notlike "*" -and WhenChanged -lt $CutOffDate} -Properties Members, WhenChanged, WhenCreated -SearchBase 'OU=My Groups,DC=contoso,DC=com'

Hopefully, you were able to understand how to find empty groups in Active Directory using PowerShell to better manage your group lifecycle. If a group is empty and hasn’t been modified in over 6 months, it’s a pretty good sign that it is no longer needed and can be purged.
 

Again, I would highly recommend you enable the recycle bin but with this you should be able to start off slowly and decommissioning in whatever approach you feel necessary.

The post Find Empty Groups in Active Directory using PowerShell appeared first on the Sysadmin Channel.

Requirements

If you’re wanting to change the UPN suffix for your users there are a couple of things needed to make that happen. Let’s list that down now.

• Permissions to modify AD Accounts
• The UPN Suffix is added to your Domain

Add A New UPN Suffix to Active Directory

As mentioned in one of the requirements, you’ll need to add the UPN suffix to be able to set it correctly. Seems pretty obvious right! We’ll walk through how to do that.

• Open Active Directory Domain and Trusts console
• Right click Active Directory Domain and Trusts -> Properties
• Add the domain you would like to use

As you can see from the screenshot above, I added the domain thesysadminchannel.com since this is what I want my users to login as. However, before we get to changing the UPN for our users, let’s first validate that the domain suffix is available and correctly added to Active Directory.

Get Domain Suffixes Currently In AD

As ironic as it seems, the Domains and Trust console is where we can confirm if the domain is added. Nonetheless, we’ll take it a step further and verify this action dynamically using PowerShell. This way if you want to automate your account creation, this will help get you started on the right track. Spoiler alert: This uses the Get-ADForest cmdlet.

#Get UPN Suffix using Powershell
Get-ADForest | select UPNSuffixes

Change UserPrincipalName with PowerShell

Now for the bread and butter where we cover exactly how to change UserPrincipalName with PowerShell. We’ll go over multiple ways of setting the UPN suffix for a single user, multiple users in bulk or through a csv file that you can run the script against. Seems to pretty awesome right?!?!

Set The UPN Suffix For A Single User

In order to get an idea of how the change the UserPrincipalName, let’s run through an example of changing a single user that way you’re not overwhelmed right out of the gate. This article is primarily focused on doing it the “PowerShell” way, but sometimes it’s honestly a lot quicker to do it using the GUI if it’s just a one time thing. No need to spend extra cycles.

• Open Active Directory Users and Computers (ADUC)
• Search the user and open properties
• Click on the Account tab
• Under User Logon Name, click the drop down to specify the UPN suffix

Ok now that we got that out of the way, let’s set ourselves up for success and essentially do the same thing using Powershell.

#Change UPN for a single user using Powershell
$Domain = 'thesysadminchannel.com'
$User = 'ajolie'
Get-ADUser $User | select Name, UserPrincipalName

Name           UserPrincipalName
----           -----------------
Angelina Jolie ajolie@ad.thesysadminchannel.com


Get-ADUser $User | Set-ADUser -UserPrincipalName "$user@$domain"
Get-ADUser $User | select Name, UserPrincipalName

Name           UserPrincipalName
----           -----------------
Angelina Jolie ajolie@thesysadminchannel.com

Change The UserPrincipalName For Bulk Users

Needing to be able to change a single user is great and all, however, what if we needed to change 1,000 users? 10,000 users in bulk? As an exercise, we’ll change the UPN for all users in a specific OU. This will allow us to see how to dynamically query AD users and modify their UPN without too much effort.

As a reference point, we’ll use Get-ADUser and filter by Organizational Unit so we can scope the target base. Just for good measure, it’s always a good to take an export (backup) of the user’s current settings. The UserPrincipalName is a primary attribute in Active Directory so at the very least, practice on a few test users or even a test Domain so you know exactly what the outcome is going to be. Let’s get started.

#Specify UPN Domain
$Domain = 'thesysadminchannel.com'

#Get list of samaccountnames in our targeted OU
$UserList = Get-ADUser -Filter * -SearchBase 'OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com' | `
select -ExpandProperty SamAccountName

#Change UPN Suffix from sub domain to primary domain
foreach ($User in $UserList) {
    Get-ADUser $User | Set-ADUser -UserPrincipalName "$User@$Domain"
}

Get-ADUser -Filter * -SearchBase 'OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com' | select Name, UserPrincipalName

Name               UserPrincipalName
----               -----------------
Isabella Contreras icontreras@thesysadminchannel.com
Director of IT     director1@thesysadminchannel.com
Arya Stark         astark@thesysadminchannel.com
Angelina Jolie     ajolie@thesysadminchannel.com
Melissa Zuniga     mzuniga@thesysadminchannel.com

Use PowerShell to Change UPN Suffix from Csv File

An alternative method to changing users in bulk is to use a csv. You can format the csv anyway you want to but essentially we’re looking to import it and change the users based off of that. Let’s create sample csv.

The headers will be samaccountname,userprincipalname,name,enabled but we’ll mainly be relying on the samaccountname for out input.

Here is the code to be able update that as we did in our previous steps.

#Specify UPN Domain
$Domain = 'thesysadminchannel.com'

#Import csv to a csvList variable.
$csvList = Import-Csv 'C:\Users\pcontreras\csvList.csv'

#Change UPN Suffix from sub domain to primary domain using the csv file
foreach ($User in $csvList.samaccountname) {
    Get-ADUser $User | Set-ADUser -UserPrincipalName "$User@$Domain"
}

Conclusion

So hopefully this article was able to give you a pretty idea for being able to change UserPrincipalName with Powershell. The ability to change a UPN suffix in Active Directory will definitely come in handy if you’re making changes to your org.

As always, be sure to check out our other content full of Powershell Wizardry. Articles such as Get Active Directory Account Lockout Source Using Powershell or even our Youtube Channel for amazing video content

The post How To Change UserPrincipalName with PowerShell appeared first on the Sysadmin Channel.

Requirements

Using the Active Directory Module has a few requirements that we’ll need to make sure are up and running in order for your queries to run successfully.

• An Active Directory Domain must be setup
• The Domain Controller you’re querying must have Active Directory Web Services Service running
• Remote Server Administration Tools (RSAT)
• For Windows 10 1903 and later, view setup guide
• Active Directory Light-Weight Directory Tools Windows Feature (RSAT-AD-Tools) if running on a Windows Server

Get-ADUser Examples and Parameter Overview

In this article we’ll cover several of the parameters used in the cmdlet along with examples and screenshots so you can see exactly how to utilize these to your benefit.

Find ADUser With Identity Parameter

Get-ADUser using the -Identity Parameter is typically the most commonly used parameter when people want to query a specific user. This is because the -Identity parameter is positioned as the first parameter so it can be omitted when running the actual query.

Example: Get-ADUser -Identity aryastark will produce the exact same results as Get-ADUser aryastark

 
There are 4 attributes that are allowed when using Identity parameter. Let’s list them here along with an example of what it typically looks like.

• Distinguished Name
• CN=Arya Stark,OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com

• ObjectGuid
• 643d7cb4-9682-4835-908d-d696ed476649

• Security Identifier (SID)
• S-1-5-21-3946430794-117524452-1540306727-8620

• sAMAccountName (username)
• aryastark

Example of the 4 attributes that are accepted

Get-ADUser Using The Filter Parameter

The -Filter parameter in the Get-ADUser cmdlet is definitely also another fan favorite. The phrase “Filter Left, Format right” definitely applies here in getting the data you need in a reduced amount of time. This is one of those fundamental Powershell concepts that everyone should learn early on.

Get AD User Properties

Let’s take a look at get ad user properties in action. Say we wanted to get everyone with the GivenName (firstname) of ‘Arya’ – What exactly would that query look like?

#Get All Active Directory users that have a first name of Arya
Get-ADUser -Filter "GivenName -eq 'Arya'" | select Name, UserPrincipalName, Enabled

Name       UserPrincipalName                Enabled
----       -----------------                -------
Arya Stark aryastark@thesysadminchannel.com    True
Arya Cruz  aryacruz@thesysadminchannel.com     True
Arya Jolie aryajolie@thesysadminchannel.com    True

Select object was added to condense output

You can find other filterable attributes by choosing any one of the attributes when running -Properties *. Commonly used filters are UserPrincipalName, Surname, Mail and even Name or DisplayName.

Filter With Operators

Regarding operators, there are several choices such as equal, like, less than and even greater than that’s convenient for us to use.

When using the -eq operator, the filter has to match the property exactly so make sure you specify the text exactly as it’s shown in AD. As noted in the above example, we searched for all users with the first name ‘Arya.’ Say we wanted to only filter for the Name ‘Arya Stark’.

#Get the AD user whos name is Arya Stark
Get-ADUser -Filter "Name -eq 'Arya Stark'" | select Name, UserPrincipalName, Enabled


Name       UserPrincipalName                Enabled
----       -----------------                -------
Arya Stark aryastark@thesysadminchannel.com    True

Let’s now dive into the -like operator and how to specifically use it for filters. A great example I’ve used in the past is to see who are all the people that have the word Remote in their AD Office Attribute.

#Get all users who are remote 
Get-ADUser -Filter "Office -like 'Remote*'" -Properties Office | select UserPrincipalName, Name, Office

UserPrincipalName                Name       Office
-----------------                ----       ------
aryacruz@thesysadminchannel.com  Arya Cruz  Remote - California
aryastark@thesysadminchannel.com Arya Stark Remote - Winterfell


#Get all users who are in California
Get-ADUser -Filter "Office -like '*California*'" -Properties Office | select UserPrincipalName, Name, Office

UserPrincipalName                Name       Office
-----------------                ----       ------
aryacruz@thesysadminchannel.com  Arya Cruz  Remote - California
aryajolie@thesysadminchannel.com Arya Jolie Palo Alto - California

With regard to auditing, I’ve always found filtering accounts by LastLogonDate has always been extremely helpful. For an in-depth write-up check out the link above. Otherwise, let’s go over a quick example to get the gist of what’s happening. We’ll also couple it with the -and operator to string multiple queries together and narrow down your filter.

#Get Remote Users who have not logged in, in over 90 days
$CutoffDate = (Get-Date).AddDays(-90)
Get-ADUser -Filter "LastLogonDate -lt '$CutoffDate' -and Office -like '*Remote*'" -Properties LastLogonDate `
 | select UserPrincipalName, Name, LastLogonDate

UserPrincipalName                Name       LastLogonDate
-----------------                ----       -------------
aryastark@thesysadminchannel.com Arya Stark 3/17/2021 5:29:46 PM

How To Use LDAP Filters

To be perfectly honest, I can probably count the number of times on one hand that I’ve used an LDAP filter. The methods mentioned above have been ingrained into my brain since that’s how I learned. The reason being is that the syntax is a bit more complex and the standard operators like -and/-or don’t really come into play here.

If you’re great with VBScript then it might be up your alley. In any event, here we go.

#Get AD user using an LDAP filter query
Get-ADUser -LdapFilter "(&(objectClass=user)(Name=Arya Stark))" | select Name, UserPrincipalName, Enabled

Name       UserPrincipalName                Enabled
----       -----------------                -------
Arya Stark aryastark@thesysadminchannel.com    True

Filter Using Ambiguous Name Resolution (ANR)

Ambiguous Name Resolution, aka ANR, allows multiple objects to be resolved on a single query. Think of it like a built-in -like operator that queries against GivenName, Surname, DisplayName, SamAccountName, physicalDeliveryOfficeName and even the Exchange MailNickName without any added effort.

ANR is especially useful in larger organizations where people share a similar display name. It just helps to truncate multiple -and/-or queries into a single function to ease your searches. Let’s cover an example of using ambiguous name resolution in an actual filter (using Arya Stark as our example).

#Get all users who have Arya in their name
Get-ADUser -Filter "Anr -eq 'Arya'" | select UserPrincipalName, Name, Enabled

UserPrincipalName                Name       Enabled
-----------------                ----       -------
aryastark@thesysadminchannel.com Arya Stark    True
aryacruz@thesysadminchannel.com  Arya Cruz     True
aryajolie@thesysadminchannel.com Arya Jolie    True


#Get all users who have Stark in their name
Get-ADUser -Filter "Anr -eq 'Stark'" | select UserPrincipalName, Name, Enabled

UserPrincipalName                Name       Enabled
-----------------                ----       -------
aryastark@thesysadminchannel.com Arya Stark    True

Notice we didn’t need to specify GivenName, Surname or even use the -Like Operator.

Display All Of The Properties For A Specified User

All Active Directory users have the same core attributes populated but they’re not displayed by default. If you notice in the examples above, I had to specify -Property in order for Powershell to know to check those AD properties. If you omit the property parameter, the filter won’t find it even though the attribute is there on the user’s account.

A good thing is this allows a wildcard (*) so you can see what’s available. I would also recommend to explicitly specify your properties when querying many users so you’re not putting to much stress on the remote Domain Controller.

#Get all properties for a user.
Get-ADUser aryastark -Properties * 

Query Active Directory Users By Organizational Unit

The ability to query users by an Organizational Unit is an excellent method to ensure you’re getting the most out of your Active Directory OU structure. A great, real world example for this would be if you have your AD Org units structured by regional location and you’re looking to get all users in that location.

SearchBase uses the DistinguishedName as the parameter input. You can grab the DN by one of 2 ways.

• Query a user in that OU and select the DN property. Extract OU DN from there
• Use Get-ADOrganizationalUnit and filter by name

#Query a user in the OU and select the DN property to get the OU syntax.
Get-ADUser aryastark 

DistinguishedName
-----------------
CN=Arya Stark,OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com


#Use Get-ADOrganizationalUnit and filter by name
Get-ADOrganizationalUnit -Filter "Name -like '*Excluded*'" | select DistinguishedName

DistinguishedName
-----------------
OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com

Now that we have the Organizational Unit’s DistinguishedName, we can use that as the input parameter. This coupled with the -Filter parameter will help narrow your search by Org Unit.

#Get All users under the Excluded OU.  Use a custom label to show Organizational Unit
Get-ADUser -Filter * -SearchBase "OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com" | select Name, `
@{Name = 'OrganizationalUnit'; `
Expression = {$Length = ($_.DistinguishedName).IndexOf(",OU"); $_.DistinguishedName.Substring($Length + 1) }} | `
Sort-Object OrganizationalUnit

Name               OrganizationalUnit
----               ------------------
Arya Jolie         OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com
Isabella Contreras OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com
Arya Cruz          OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com
Director of IT     OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com
Arya Stark         OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com
Test1              OU=Test,OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com
Test2              OU=Test,OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com

Wildcards are also allowed to use with Filter to search for All

Specify The OU Depth Of A Search

Building off of the SearchBase parameter from above, you might have noticed that the search was recursive. Meaning that it drilled down to all Sub OU’s without having the need to specify them. The question however, is what if we don’t want to drill down. What if we only want that explicit OU?

This is where the SearchScope parameter comes into play. Using the same query above, let’s exclude the two test accounts in the Test OU.

#Get Users in the Excluded OU and Exclude the Test OU Users
Get-ADUser -Filter * -SearchBase "OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com" -SearchScope OneLevel | `
select Name, `
@{Name = 'OrganizationalUnit'; `
Expression = {$Length = ($_.DistinguishedName).IndexOf(",OU"); $_.DistinguishedName.Substring($Length + 1) }}

Name               OrganizationalUnit
----               ------------------
Arya Cruz          OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com
Arya Jolie         OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com
Arya Stark         OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com
Director of IT     OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com
Isabella Contreras OU=Excluded,DC=ad,DC=thesysadminchannel,DC=com

When SearchScope is omitted, it will default to Subtree

Target The Domain Controller Of Your Choice

Anytime you make an Active Directory query, you’ll most likely always default to a Domain Controller in your site. This is defined by Active Directory Sites and Services and an easy way to check what Domain Controller you’re currently authenticating against is to use $env:LogonServer.

This is great and all, but what if you wanted to query a Domain Controller in another site, perhaps one across the globe? You would use the -Server parameter to do this. Specifically for me, I always like to use the Primary Domain Controller, PDC Emulator, as this is the heart of all replication changes. If you specify this Domain Controller specifically, you can avoid waiting for replication and can move on with your script without adding sleep commands.

You can use Powershell to query, or transfer FSMO Roles to a different Domain Controller.

Let’s walk through an example for how to use the server parameter to specify the PDC emulator dynamically.

#Get PDC Emulator dynamically and save it to a variable for later use
$DomainController = Get-ADDomain | select -ExpandProperty PDCEmulator
$DomainController
PAC-DC01.ad.thesysadminchannel.com

Get-ADUser aryastark -Server $DomainController | select UserPrincipalName, Name

UserPrincipalName                Name
-----------------                ----
aryastark@thesysadminchannel.com Arya Stark

Using the Server parameter can bypass replication times and it recommended for automation.

Passing Alternate Credentials for Get-ADUser

Being able to pass a different set of credentials would come in handy for use cases like automation or other use cases like users in a different domain. Since Active Directory grants read-only access to all users by default, there really isn’t a need to pass in alternate credentials if you’re querying something in the same domain. It should be able to do it with no problem.

When this comes in handy is if you need to make changes to AD Objects and you need to use different credentials. To make this happen you’ll use the -Credential parameter and use Get-Credential to securely set the username and password. Since we’re so keen on examples, let’s test it.

#Save user credentials into a variable using Get-Credential
$Credential = Get-Credential -UserName 'ad\pcontreras' -Message 'Enter in a Password'
PS C:\>
Get-ADUser aryastark -Credential $Credential | select UserPrincipalName, Name

UserPrincipalName                Name
-----------------                ----
aryastark@thesysadminchannel.com Arya Stark

In the sprit of this article, we’ll pass on credentials for Get-ADUser

Get-ADUser From A Different Domain

If you happen to have multiple Domains in your forest and you’re too lazy to Remote Desktop into a Domain Controller on that domain to run the query (guilty of it myself from time to time), it’s absolutely helpful to be able to run your query from a single machine. You can do this by combining two of the parameters above. Those parameters being -Credential as well as -Server.

I don’t have any other domains in my forest so I won’t be able to provide a working screenshot. However, one thing to keep in mind is that you’ll need to provide the Fully Qualified Domain Name (FQDN) for the remote DC. Overall, the basic syntax should look like this:

#Save user credentials into a variable using Get-Credential
$Credential = Get-Credential -UserName 'otherdomain\myaccount' -Message 'Enter in a Password'

Get-ADUser myaccount -Server DC01.otherdomain.thesysadminchannel.com -Credential $Credential

Conclusion

Hopefully this deep dive on how to use Powershell Get AD User has been incredible helpful for you. I’m also hoping you learned a thing or two that you can implement in your environment. As I mentioned, Get-ADUser is probably one of the most fundamental cmdlets that anyone administrator should have in their arsenal of tools.

It can be useful, especially when providing reports on the current state of your environment. If you liked this article, feel free to browse our other Active Directory as well as our own personal Powershell gallery full of useful scripts. Finally, if you’re interested in video content, check out our Youtube Channel for sysadmin videos

The post Get-ADUser: Find AD Users Using PowerShell Ultimate Deep Dive appeared first on the Sysadmin Channel.

If you’re interested in learning more and seeing if it’s for you, here’s a quick overview of the high-level benefits for keeping it enabled.

• It allows you to personalize your feed and stay up to date
• Get Weather reports for multiple locations throughout the world

Here is the Microsoft Doc for more how to’s with the app.

Remove News and Interests via Group Policy

Option 1 – Being able to disable news and interest via Group Policy (GPO) would be preferred for those who want to commit this change across a group (or all) users in your environment. In my lab I’m running Server 2019 Domain Controllers and the admx template for the settings are not there by default. However, on my Windows 10 20H2 machine running the RSAT tools, the settings are there so you can get by with using a machine with those tools installed. If you’re interested, see how to install RSAT for Windows 10 1903 and Later
 

This is a computer setting so to disable the feature using a GPO, follow these steps as they’re laid out here.

• Edit an existing policy or create a new policy and name it: Disable News and Interest
• Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> News and interests
• Open the setting Enable news and interests on the taskbar to edit policy
• Set the setting to Disabled and click OK
• Deploy the policy as needed. You can also use the local gpedit.msc to make this change on a single computer

Disable News and Interests via Group Policy

Remove News and Interests via Registry

Option 2 – The next option which is just as prominent is to disable News and Interest via Registry.

• Go to Start -> type Regedit to open the local registry edit
• Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Feeds
• Open ShellFeedsTaskbarViewMode to edit the setting
• Set the value to 2 to remove News and Interests

Disable News and Interests via Registry

There are 3 options for that we can set when using the registry.

• 0 – Shows icon and text
• 1 – Show only icon
• 2 – Hide News and Interests

How To Remove Weather From Taskbar Using Powershell

Option 3 – Building on top of our regedit option, here’s a quick snippet to remove News and Interest using Powershell.

#Get Current Setting before change
Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds" | select ShellFeedsTaskbarViewMode

#Remove News and Interest Using Powershell
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds" -Name "ShellFeedsTaskbarViewMode" -Value 2

#Get Current Setting after change
Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds" | select ShellFeedsTaskbarViewMode

Disable News and Interests using Powershell

Remove Weather From Taskbar Windows 10

Option 4 – Our last option is probably the one that might be the quickest and easiest on a per user basis, but definitely not something that can be scaled across the environment. If you’re wanting to make this change across the environment, the other options would definitely be better suited for this. It does however offer the quickest solution to the problem so that works too.

• Right click the taskbar
• Hover over News and Interest
• Select Turn off

Remove Weather From Taskbar Windows 10

Conclusion

Hopefully this article was able to inform you on the multiple ways for how to remove News and Interests a.k.a remove weather from taskbar in Windows 10. I know for some it can be incredibly annoying and in my opinion I think it’s a little too intrusive for a Enterprise environment.

The post How To Remove News and Interests In Windows 10 appeared first on the Sysadmin Channel.

SYSVOL and NETLOGON Shares Missing on New DC Fix

After a bit of searching around I was able to figure out the reason why. This newly promoted domain controller was running on Server 2019 so I thought it was a bit odd that it was behaving this way. It turns out the fix works from 2012 R2 and newer.

With that being said lets go over the steps to resolve the missing Sysvol and Netlogon shares for your DC.

• Login to your Domain Controller that’s having the issue
• Open Regedit
• Browse to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
• Set SysVolReady from 0 to 1

Once you’ve set the above registry key, the SYSVOL folder should be created so you can type in \\DC\Sysvol and it should work. However, I noticed that this specific registry key didn’t fix my NETLOGON folder so in order to fix that issue here is what I did.

• While logged in to my domain controller
• Navigate to C:\Windows\SYSVOL\domain
• Create a new folder and name it scripts
• Restart the netlogon service (or reboot the machine)

By now you the issue of your sysvol missing on new domain controller should be fixed as well as your netlogon shares missing on your server. This article is pretty short and sweet but if you’re still having issues with domain controller replication, I’ve created a video on Youtube that I’ll link here as well.

The post [Solved] SYSVOL and NETLOGON Shares Missing on New DC appeared first on the Sysadmin Channel.

I have also posted a video of how to fix domain controller replication at the end of this post for those who prefer to watch the demo 🙂

After checking the event viewer I am across several logs that seemed a bit concerning to me.

Log Name: DFS Replication
Source: DFSR
Date: 3/25/2020 1:04:30 PM
Event ID: 4612
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: PAC-DC02.ad.thesysadminchannel.com

Description:
The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. 
The replicated folder will remain in the initial synchronization state until it has replicated with its partner PAC-DC01.ad.thesysadminchannel.com. 
If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. 
This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. 
If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. 
This can cause the SYSVOL folder on this server to become out of sync with other domain controllers. 
 
Additional Information: 
Replicated Folder Name: SYSVOL Share 
Replicated Folder ID: 33B02C74-D5A3-41A7-A1EB-7D526AA4A243 
Replication Group Name: Domain System Volume 
Replication Group ID: 3CA9F092-C1B4-4F46-B276-7FD034A8E03C 
Member ID: 2AED3E8C-B864-4939-8969-BC747CD672C5 
Read-Only: 0



Log Name: DFS Replication
Source: DFSR
Date: 3/25/2020 1:04:30 PM
Event ID: 5002
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: PAC-DC02.ad.thesysadminchannel.com
Description:
The DFS Replication service encountered an error communicating with partner PAC-DC01 for replication group Domain System Volume. 
 
Partner DNS address: PAC-DC01.ad.thesysadminchannel.com 
 
Optional data if available: 
Partner WINS Address: PAC-DC01 
Partner IP Address: 172.16.10.101 
 
The service will retry the connection periodically. 
 
Additional Information: 
Error: 1753 (There are no more endpoints available from the endpoint mapper.) 
Connection ID: 3CA9F092-C1B4-4F46-B276-7FD034A8E03C 
Replication Group ID: FD8F1538-9B92-4EF9-9E8E-E74512BC2149

First things first, we need to determine which domain controller is going to act as the master server. This needs to be the most updated DC in terms of policies because this will overwrite anything and everything that doesn’t match.

An example of this is if you create the policies on DC01, and those policies never replicate to DC02. DC01 is more up to date than DC02 so DC01 should be your master.

Once you have that all set, you can follow the steps in the video.

Fix SYSVOL Folders Not Replicating Across Domain Controllers

Hopefully you found that very useful and now your sysvol replication is working as expected. If you still have doubts, you can check out Microsoft’s Documentation for the official page.

The post [Solved] SYSVOL Folders Not Replicating Across Domain Controllers appeared first on the Sysadmin Channel.

Get Password Expiration Date Using Powershell

The only requirement is that you’ll need the Active Directory Powershell module to be able to query that the information stored in AD. Also, if you plan on using the send email parameter you’ll need to modify lines 88-92 so you can send it out of your own smtp server.

Function Get-PasswordExpirationDate {
#requires -Module ActiveDirectory

<#
.SYNOPSIS
    Checks to see if the account is X days within password expiration.
    For updated help and examples refer to -Online version.

.NOTES
    Name: Get-PasswordExpirationDate
    Version: 2.0
    Author: theSysadminChannel
    DateCreated: 2019-Dec-15

.LINK
    https://thesysadminchannel.com/get-password-expiration-date-using-powershell-active-directory -



.PARAMETER DaysWithinExpiration
    Set the number of days you want to check until the password is expired.  Valid options are 1 - 365.

.PARAMETER SendEmail
    Send an email to each user that has the EmailAddress populated to notify them that their password is nearning expiration.

.PARAMETER SamAccountName
    Specify the user accounts you want to check.  This option does not support the SendEmail or DaysWithinExpiration parameters.

.EXAMPLE
    Get-PasswordExpirationDate 15

.EXAMPLE
    Get-PasswordExpirationDate -DaysWithinExpiration 10 -SendEmail

.EXAMPLE
    Get-PasswordExpirationDate -SamAccountName Username1, username2

#>

    [CmdletBinding(DefaultParameterSetName="AllAccounts")]
    param(
        [Parameter(
            Position = 0,
            Mandatory = $false,
            ParameterSetName = "AllAccounts"
        )]
        [ValidateRange(1,365)]
        [int]       $DaysWithinExpiration = 10,


        [Parameter(
            Mandatory = $false,
            ParameterSetName = "AllAccounts"
        )]
        [switch]    $SendEmail,


        [Parameter(
            Mandatory = $false,
            ParameterSetName = "SpecificAccounts",
            ValueFromPipeline=$true,
            ValueFromPipelineByPropertyName=$true
            )]
        [string[]]  $SamAccountName
    )

    BEGIN {}

    PROCESS {
        #Calculating the expired date from the domain's default password policy. -- Do Not Modify --
        $MaxPwdAge   = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
        $expiredDate = (Get-Date).addDays(-$MaxPwdAge)

        #Calculating the number of days until you would like to begin notifying the users. -- Do Not Modify --
        $emailDate = (Get-Date).addDays(-($MaxPwdAge - $DaysWithinExpiration))

        #Since specific accounts were specified we'll output their password expiration dates regardless if they are within the expiration date
        #Use msDS-UserPasswordExpiryTimeComputed to calculate expiration date in case a fine grain password policy is used
        if ($PSBoundParameters.ContainsKey("SamAccountName")) {
            foreach ($User in $SamAccountName) {
                try {
                    $ADObject = Get-ADUser $User -Properties PasswordNeverExpires, PasswordLastSet, EmailAddress, msDS-UserPasswordExpiryTimeComputed
                    if ($ADObject.PasswordNeverExpires -eq $true) {
                        $DaysUntilExpired = "NeverExpire"
                      } else {
                        $ExpirationDate = Get-Date ([datetime]::FromFileTime($ADObject.'msDS-UserPasswordExpiryTimeComputed'))
                        $DaysUntilExpired = $ExpirationDate - (Get-Date) | select -ExpandProperty Days
                    }
                    [PSCustomObject]@{
                        SamAccountName   = $ADObject.samaccountname.toLower()
                        PasswordLastSet  = $ADObject.PasswordLastSet
                        ExpirationDate   = $ExpirationDate
                        DaysUntilExpired = $DaysUntilExpired
                        EmailAddress     = $ADObject.EmailAddress
                    } 
               } catch {
                    Write-Error $_.Exception.Message
                }
            }
        } else {
            $ExpiredAccounts = Get-ADUser -Filter {(PasswordLastSet -lt $EmailDate) -and (PasswordLastSet -gt $ExpiredDate) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} -Properties PasswordNeverExpires, PasswordLastSet, EmailAddress
            foreach ($ADObject in $ExpiredAccounts) {
                try {
                    $DaysUntilExpired = $ADObject.PasswordLastSet - $ExpiredDate | select -ExpandProperty Days
                    if ($PSBoundParameters.ContainsKey("SendEmail") -and $null -ne $ADObject.EmailAddress) {
                        #Setting up email parameters to send a notification email to the user
                        $From       = "example@thesysadminchannel.com"
                        $Subject    = "Your Password Will Expire in " + $DaysUntilExpired + " days"
                        $Body       = "Hello,`n`nThis email is to notify you that your password will expire in " + $DaysUntilExpired + " days.`n`nPlease consider changing it to avoid any service interruptions.`n`nThank you,`nThe I.T. Department."
                        $smtpServer = "mail.thesysadminchannel.com"
                        #$CC        =  "cc1@thesysadminchannel.com", "cc2@thesysadminchannel.com"

                        Send-MailMessage -To $($ADObject.EmailAddress) -From $From -Subject $Subject -BodyAsHtml $Body -SmtpServer $SmtpServer #-Priority High -Cc $CC
                    }
                    [PSCustomObject]@{
                        SamAccountName   = $ADObject.samaccountname.toLower()
                        PasswordLastSet  = $ADObject.PasswordLastSet
                        DaysUntilExpired = $DaysUntilExpired
                        EmailAddress     = $ADObject.EmailAddress
                    }
                } catch {
                    Write-Error $_.Exception.Message
                }
            }
        }
    }

    END {}

}

Once you call the function here’s an example of what the output would look like.

You can customize the email to send as high priority or add CC if you like when you specify the -SendEmail parameter

Here’s an example if you wanted to specify users. If the password is set to not expire it will display NeverExpire. It will also error out if a user is not found in Active Directory.

So now that we’ve got a working Powershell script to query Active Directory for expired passwords, we can also use this as a Powershell password expiration report which is really nice.

All in all I wanted to say thanks a lot for taking the time to visit and hopefully you can make use of the get password expiration date Powershell script in your environment. If you like these kinds of posts, feel free to check out our gallery full of useful real-world scripts. Don’t forget to check out our Youtube Page for sysadmin video content.

The post Get Password Expiration Date Using Powershell appeared first on the Sysadmin Channel.

Install RSAT for Windows 10 Version 1809, 1903 and Later in the GUI

Although I much prefer the Powershell method, we’ll start off with the GUI method.

• Open Settings -> Apps -> Optional Features

• Select the tools you want to install and click install

Install RSAT for Windows 10 Version 1809, 1903 and Later in Powershell

• Open Powershell as Administrator
• Type: Get-WindowsCapability -Name RSAT* -Online

Take note of the name and status

• To install the feature, you can either pipe the command to Add-WindowsCapability -or-
• Add-WindowsCapability -Name Name-of-Feature -Online

In this example, I’m installing the RSAT: Active Directory Domain Services and Lightweight Directory Services Tools

• The items should now be in the Start Menu -> Windows Administrative Tools

I’d love to hear your feedback and I hope you can now add RSAT easily using the Features on Demand. As always be sure to check out our Youbtube Channel https://www.youtube.com/c/theSysadminChannel or if you want more Server Administration content, check out our Server Administration Category. There is a lot of useful information on both links.

The post Install RSAT for Windows 10 Version 1809, 1903 and Later appeared first on the Sysadmin Channel.

If you have any questions regarding the script, feel free to leave me a comment and I’ll do my best to get back to you.

Get Direct Reports in Active Directory Using Powershell

Function Get-DirectReport {
#requires -Module ActiveDirectory

<#
.SYNOPSIS
    This script will get a user's direct reports recursively from ActiveDirectory unless specified with the NoRecurse parameter.
    It also uses the user's EmployeeID attribute as a way to exclude service accounts and/or non standard accounts that are in the reporting structure.
 
.NOTES
    Name: Get-DirectReport
    Author: theSysadminChannel
    Version: 1.0
    DateCreated: 2020-Jan-28
 
.LINK
    https://thesysadminchannel.com/get-direct-reports-in-active-directory-using-powershell-recursive -   
 
.PARAMETER SamAccountName
    Specify the samaccountname (username) to see their direct reports.
 
.PARAMETER NoRecurse
    Using this option will not drill down further than one level.
 
.EXAMPLE
    Get-DirectReport username
 
.EXAMPLE
    Get-DirectReport -SamAccountName username -NoRecurse
 
.EXAMPLE
    "username" | Get-DirectReport
#>

    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $false,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true
        )]

        [string]  $SamAccountName,

        [switch]  $NoRecurse
    )

    BEGIN {}

    PROCESS {
        $UserAccount = Get-ADUser $SamAccountName -Properties DirectReports, DisplayName
        $UserAccount | select -ExpandProperty DirectReports | ForEach-Object {
            $User = Get-ADUser $_ -Properties DirectReports, DisplayName, Title, EmployeeID
            if ($null -ne $User.EmployeeID) {
                if (-not $NoRecurse) {
                    Get-DirectReport $User.SamAccountName
                }
                [PSCustomObject]@{
                    SamAccountName     = $User.SamAccountName
                    UserPrincipalName  = $User.UserPrincipalName
                    DisplayName        = $User.DisplayName
                    Manager            = $UserAccount.DisplayName
                }
            }
        }
    }

    END {}

}

Like always I like to test out my scripts to ensure the content that I am publishing is legit for people to use so I created a sample org chart. This is what that looks like.

 
With the above already created in my lab let’s run Get-DirectReport -SamAccountName cio | Sort-Object samaccountname so we can quickly get an org chart for everyone under our CIO. By default it does run recursively so I’ll also run the -NoRecurse parameter to only get the people that are reporting directly to the CIO.

This is what the output looks like.

I’d love to hear your feedback and I hope you can use this in your environment if you ever need a quick org chart using Powershell. As always be sure to check out our Youbtube Channel https://www.youtube.com/c/theSysadminChannel or if you want more Powershell scripts or content, check out our Powershell Category. There is a lot of useful information on both links.

The post Get Direct Reports in Active Directory Using Powershell (Recursive) appeared first on the Sysadmin Channel.

In Server 2008 R2 it was a little trickier to demote or decommission a domain controller because you had to use DCPromo, but with the addition of Server 2012 R2, it has become a whole lot easier. As easy as clicking a few buttons.

If you have any questions please leave a comment below and I’ll do my best to get back to you.

Demote or Decommission A Domain Controller

Follow the steps here to decommission a domain controller

• Transfer any FSMO roles to a DC that’s going to remain online
• Remove Active Directory Domain Services role from DC
• Demote domain controller to a member server
• Clean up references in DNS manager
• Remove server from Sites and Services
• Update static IP addresses that are pointing to decommissioned domain controller

 
The process in 2012 R2 and later makes it so much easier to accomplish this task that future generations don’t have to deal with the struggles of sysadmins in the past.

Demote A Domain Controller Using Powershell

Here is the Powershell commands you can use to demote a domain controller.

Import-Module ADDSDeployment
Uninstall-ADDSDomainController -DemoteOperationMasterRole: $true -DnsDelegationRemovalCredential (Get-Credential) -RemoveDnsDelegation: $true -Force

Demote a Domain Controller in Active Directory Demo

The post Demote or Decommission A Domain Controller (Best Practice) appeared first on the Sysadmin Channel.