{
  "version": "https://jsonfeed.org/version/1.1",
  "title": "Active Directory",
  "home_page_url": "https://evotec.xyz/de/categories/active-directory",
  "feed_url": "https://evotec.xyz/de/categories/active-directory/index.feed.json",
  "description": "Evotec Main Website",
  "items": [
    {
      "id": "https://evotec.xyz/de/blog/mastering-active-directory-hygiene-automating-sidhistory-cleanup-with-cleanupmonster",
      "url": "https://evotec.xyz/de/blog/mastering-active-directory-hygiene-automating-sidhistory-cleanup-with-cleanupmonster",
      "title": "Mastering Active Directory Hygiene: Automating SIDHistory Cleanup with CleanupMonster",
      "summary": "Security Identifier (SID) History is a useful mechanism in Active Directory (AD) migrations. It allows users and groups in a new domain to retain access to resources that still rely on permissions from the old domain. However, once migrations are completed, these historical SIDs can become clutter, posing both security and administrative challenges. While it\u2019s best to remove unnecessary SID History as soon as you\u2019re done migrating, many environments skip this step. Over time, decommissioned or broken trusts make cleanup more difficult, and domain objects can accrue so many old entries that you lose track of what is still required.",
      "date_published": "2025-03-16T18:47:45.0000000Z",
      "tags": [
        "Active Directory",
        "activedirectory",
        "cleanup",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/mastering-active-directory-hygiene-automating-stale-computer-cleanup-with-cleanupmonster",
      "url": "https://evotec.xyz/de/blog/mastering-active-directory-hygiene-automating-stale-computer-cleanup-with-cleanupmonster",
      "title": "Mastering Active Directory Hygiene: Automating Stale Computer Cleanup with CleanupMonster",
      "summary": "Have you ever looked at your Active Directory and wondered, \u201CWhy do I still have computers listed that haven\u2019t been turned on since World Cup 2016?\u201D Yeah, we\u2019ve all been there. Keeping AD clean and up-to-date is like trying to organize your garage\u2014it\u2019s easy to put off until it becomes a total mess.",
      "date_published": "2024-08-25T13:14:39.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "cleanup",
        "intune",
        "microsoft entra",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/active-directory-replication-summary-to-your-email",
      "url": "https://evotec.xyz/de/blog/active-directory-replication-summary-to-your-email",
      "title": "Active Directory Replication Summary to your Email or Microsoft Teams",
      "summary": "Active Directory replication is a critical process that ensures the consistent and up-to-date state of directory information across all domain controllers in a domain. Monitoring this process is important as it helps identify any issues that may arise and resolve them quickly. One way to monitor Active Directory replication is by using the Repadmin command-line tool. Repadmin provides a wealth of information about the replication status and health of a domain. However, manually checking the Repadmin output can be time-consuming and tedious, and running it manually every 30 minutes just to check if everything is great doesn\u2019t seem like a great idea. While PowerShell has its own commands around replication I\u2019ve not found something as fast and reliable as repadmin /replsummary.",
      "date_published": "2024-04-17T19:25:32.0000000Z",
      "tags": [
        "active directory",
        "powershell",
        "replication"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/active-directory-health-check-using-microsoft-entra-connect-health-service",
      "url": "https://evotec.xyz/de/blog/active-directory-health-check-using-microsoft-entra-connect-health-service",
      "title": "Active Directory Health Check using Microsoft Entra Connect Health Service",
      "summary": "Active Directory (AD) is crucial in managing identities and resources within an organization. Ensuring its health is pivotal for the seamless operation of various services. Today, I decided to look at Microsoft Entra Connect Health (Azure AD Connect Health) service, which allows monitoring Azure AD Connect, ADFS, and Active Directory. This means that under a single umbrella, you can have an overview of three services health. But is it worth it?",
      "date_published": "2023-10-08T14:36:57.0000000Z",
      "tags": [
        "Active Directory",
        "Azure",
        "azure ad",
        "health checks",
        "microsoft entra",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/report-active-directory-accounts-that-are-synchronized-with-azure-ad",
      "url": "https://evotec.xyz/de/blog/report-active-directory-accounts-that-are-synchronized-with-azure-ad",
      "title": "Report Active Directory Accounts that are Synchronized with Azure AD",
      "summary": "I was scrolling X (aka Twitter) today and saw this blog post, \u201CPowerShell: Report On-Premises Active Directory Accounts that are Synchronized with Azure AD Connect\u201D by Kevin Trent. I like reading blog posts as I tend to learn some new things and see how people tend to solve their problems.",
      "date_published": "2023-08-07T13:21:18.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "azure ad",
        "microsoft graph",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/strengthening-password-security-in-active-directory-a-powershell-powered-approach",
      "url": "https://evotec.xyz/de/blog/strengthening-password-security-in-active-directory-a-powershell-powered-approach",
      "title": "Strengthening Password Security in Active Directory: A PowerShell-Powered Approach",
      "summary": "PasswordSolution uses the DSInternals PowerShell module to gather Active Directory hashes and then combines that data into a prettified report. If you have ever used DSInternals, you know that while very powerful, it comes with raw data that is hard to process and requires some skills to get it into a state that can be shown to management or security.",
      "date_published": "2023-05-28T14:40:25.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "dsinternals",
        "html",
        "password quality",
        "passwordsolution",
        "powershell",
        "scan",
        "security",
        "Windows"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/reporting-group-membership-for-critical-active-directory-groups",
      "url": "https://evotec.xyz/de/blog/reporting-group-membership-for-critical-active-directory-groups",
      "title": "Reporting group membership for critical Active Directory groups",
      "summary": "I work a lot with Active Directory-related tasks. One of the tasks is to know the group membership of critical Active Directory Groups such as Domain Admins, Enterprise Admins, Schema Admins, Event Log Readers, and a few others that are a bit less known. As I did it, I got bored of typing the group names repeatedly and decided that enough was enough and there must be an easier way for me to do that.",
      "date_published": "2022-08-07T11:57:28.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "group membership",
        "groups",
        "nested groups",
        "powershell",
        "Windows"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/finding-duplicate-dns-records-by-ip-adress-using-powershell",
      "url": "https://evotec.xyz/de/blog/finding-duplicate-dns-records-by-ip-adress-using-powershell",
      "title": "Finding duplicate DNS records by IP Address using PowerShell",
      "summary": "In my earlier blog post, I showed you a way to find duplicate DNS entries using PowerShell, but the focus was on finding duplicate entries based on hostname. But what if you would like to find duplicate entries based on IP Addresses? This was the question I was asked on Reddit, and I thought it was a legitimate request, so today\u2019s focus will be on transposing table output from earlier functions to present data differently.",
      "date_published": "2022-07-26T17:23:53.0000000Z",
      "tags": [
        "active directory",
        "dns",
        "DNSServer",
        "duplicates",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/finding-duplicate-dns-entries-using-powershell",
      "url": "https://evotec.xyz/de/blog/finding-duplicate-dns-entries-using-powershell",
      "title": "Finding duplicate DNS entries using PowerShell",
      "summary": "Today\u2019s blog post is about Active Directory-integrated DNS and how to find duplicate entries. By duplicate, I mean those where one DNS name matches multiple IP addresses. While some duplicate DNS entries are expected, in other cases, it may lead to problems. For example, having a static IP assigned to a hostname that later on is also updated with dynamic entries.",
      "date_published": "2022-07-24T16:48:21.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "dns",
        "DNSServer",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/finding-duplicate-spn-with-powershell",
      "url": "https://evotec.xyz/de/blog/finding-duplicate-spn-with-powershell",
      "title": "Finding duplicate SPN with PowerShell",
      "summary": "Duplicate SPNs aren\u2019t very common but can happen in any Active Directory as there\u2019s no built-in way that tracks and prevents duplicate SPNs. One has to either know all SPNs in the environment, track them, or check each time whether an SPN already exists or not. Things get more complicated with larger Active Directory environments as people change, new apps are added, old apps are forgotten, but SPNs prevail.",
      "date_published": "2021-12-07T15:32:01.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "adessentials",
        "forest",
        "powershell",
        "spn",
        "testimo"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/active-directory-domain-services-could-not-replicate-the-directory-partition-the-replication-operation-encountered-a-database-error",
      "url": "https://evotec.xyz/de/blog/active-directory-domain-services-could-not-replicate-the-directory-partition-the-replication-operation-encountered-a-database-error",
      "title": "Active Directory Domain Services could not replicate the directory partition \u2013 The replication operation encountered a database error",
      "summary": "If you ever encounter an error while trying to create a new domain within a forest saying, \u201CThe replication operation encountered a database error,\u201D it makes you sweat a bit. Your brain tells you it will be a nightmare to fix, do I have proper backups to make it happen, and the question \u201Cwhy now\u201D shows up.",
      "date_published": "2021-11-28T14:38:20.0000000Z",
      "tags": [
        "active directory",
        "dcdiag",
        "dfs",
        "domain",
        "forest",
        "forest replication",
        "PowerShell",
        "testimo",
        "Windows"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/monitoring-ldaps-connectivity-certificate-with-powershell",
      "url": "https://evotec.xyz/de/blog/monitoring-ldaps-connectivity-certificate-with-powershell",
      "title": "Monitoring LDAPS connectivity/certificate with PowerShell",
      "summary": "Some time ago, I wrote a blog post on checking for LDAP, LDAPS, LDAP GC, and LDAPS GC ports with PowerShell. It mostly works, but it requires a tad bit of effort, and it doesn\u2019t cover the full scope that I wanted. Recently (well over 3 years ago), Chris Dent shared some code that verifies the LDAP certificate, and I thought this would be good to update my cmdlets to support just that with a bit of my own magic on top.",
      "date_published": "2021-03-02T17:53:05.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "ldap",
        "powershell",
        "testimo"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/the-only-command-you-will-ever-need-to-understand-and-fix-your-group-policies-gpo",
      "url": "https://evotec.xyz/de/blog/the-only-command-you-will-ever-need-to-understand-and-fix-your-group-policies-gpo",
      "title": "The only command you will ever need to understand and fix your Group Policies (GPO)",
      "summary": "I\u2019ve been working on cleaning up Group Policies for a couple of months. While it may seem trivial, things get complicated when you\u2019re tasked with managing 5000 GPOs created over 15 years by multiple teams without any best practices in mind. While working on GPOZaurr (my new PowerShell module), I\u2019ve noticed that the more code I wrote to manage those GPOs, the more I knew passing this knowledge to admins who will be executing this on a weekly/monthly basis is going to be a challenge. That\u2019s why I\u2019ve decided to follow a similar approach as my other Active Directory testing module called Testimo. I\u2019ve created a single command that analyses Group Policies using different methods and shows views from different angles to deliver the full picture. On top of that, it provides a solution (or it tries to) so that it\u2019s fairly easy to fix \u2013 as long as you agree with what it proposes.",
      "date_published": "2021-01-24T17:15:04.0000000Z",
      "tags": [
        "active directory",
        "gpo",
        "group policy",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/visually-display-active-directory-trusts-using-powershell",
      "url": "https://evotec.xyz/de/blog/visually-display-active-directory-trusts-using-powershell",
      "title": "Visually display Active Directory Trusts using PowerShell",
      "summary": "Active Directory Trusts are useful to connect one or more domains. But as useful as those are, they can be very dangerous. Also, keeping trusts working and in good shape should be a top priority for Active Directory Admins. While there are a couple of commands in the Active Directory module (Get-ADTrust), I thought I would try and write my own that checks a few more things. I want to thank Chris Dent for his input on part of this command. His binary skills amaze me!",
      "date_published": "2020-09-14T13:44:10.0000000Z",
      "tags": [
        "Active Directory",
        "activedirectory",
        "adessentials",
        "get-winadtrust",
        "powershell",
        "pswritehtml",
        "show-winadtrust"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/visually-display-active-directory-nested-group-membership-using-powershell",
      "url": "https://evotec.xyz/de/blog/visually-display-active-directory-nested-group-membership-using-powershell",
      "title": "Visually display Active Directory Nested Group Membership using PowerShell",
      "summary": "In the Active Directory PowerShell module, you have two commands to your disposal that help display group membership. Those are Get-ADGroup and Get-ADGroupMember. The first command contains property Members, which gives you DistinguishedName of all members, and Get-ADGroupMember can provide you either direct members or with Recursive switch all members recursively (skipping groups). Till a few weeks ago, I was a happy user of those commands until I noticed two things. Member property for Get-ADGroup sometimes misses elements for whatever reason.",
      "date_published": "2020-09-02T16:06:48.0000000Z",
      "tags": [
        "Active Directory",
        "adessentials",
        "diagram",
        "get-adgroup",
        "get-adgroupmember",
        "nested groups",
        "powershell",
        "pswritehtml"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/active-directory-dhcp-report-to-html-or-email-with-zero-html-knowledge",
      "url": "https://evotec.xyz/de/blog/active-directory-dhcp-report-to-html-or-email-with-zero-html-knowledge",
      "title": "Active Directory DHCP Report to HTML or EMAIL with zero HTML knowledge",
      "summary": "I\u2019m pretty addicted to reading blog posts. I saw this new blog post the other day, where the author created the DHCP HTML report, and he did it by manually building headers, footers, table borders, and finally, adding some coloring to the percentage of DHCP being in use. It\u2019s the \u201Cstandard\u201D approach to build HTML in PowerShell, and I\u2019ve seen a similar path before, but that got me thinking how much time it would take for me to replicate the very same functionality using PSWriteHTML module.",
      "date_published": "2020-07-12T16:17:30.0000000Z",
      "tags": [
        "Active Directory",
        "dhcp",
        "html",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/using-win32_useraccount-wmi-filter-in-powershell-group-policies-and-what-to-avoid",
      "url": "https://evotec.xyz/de/blog/using-win32_useraccount-wmi-filter-in-powershell-group-policies-and-what-to-avoid",
      "title": "Using Win32_UserAccount WMI filter in PowerShell/Group Policies and what to avoid",
      "summary": "Some months ago, I created PowerShell Script to create local administrative users on workstations \u2013 Create a local user or administrator account in Windows using PowerShell. It\u2019s a bit overcomplicated, but the goal was it should work for Windows 7 and up, and that means supporting PowerShell 2.0. As part of that exercise, I\u2019ve been using Win32_UserAccount WMI based query to find local users and manage them to an extent. While Get-LocalUser exists, it\u2019s not suitable for the PowerShell 2.0 scenario. I also use the same query in GPO for WMI filtering. You can say it\u2019s been a good friend of mine.",
      "date_published": "2020-06-02T15:45:54.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "gpo",
        "powershell",
        "wmi"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/get-adobject-the-server-has-returned-the-following-error-invalid-enumeration-context",
      "url": "https://evotec.xyz/de/blog/get-adobject-the-server-has-returned-the-following-error-invalid-enumeration-context",
      "title": "Get-ADObject : The server has returned the following error: invalid enumeration context.",
      "summary": "In the last few weeks, I\u2019ve been working on a PowerShell module whose main goal is gathering and fixing GPOs. I\u2019ve tested my module many times in my test environment, and it worked fine till the moment I ran it on production, and it started to fail pretty quickly. The difference between my environment and production is 25 GPOs vs. 5000 GPOs. The error I was getting:",
      "date_published": "2020-05-15T11:32:58.0000000Z",
      "tags": [
        "active directory",
        "get-adobject",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/the-security-account-manager-sam-has-determined-that-sid-is-already-in-use-in-the-forest",
      "url": "https://evotec.xyz/de/blog/the-security-account-manager-sam-has-determined-that-sid-is-already-in-use-in-the-forest",
      "title": "The security account manager (SAM) has determined that SID is already in use in the Forest",
      "summary": "The security account manager (SAM) has determined that the security identifier (SID) for this computer is already in use in the Forest you want to join. This can happen when restoring an Active Directory Domain Controller with an improper backup. Reinstall the operating system on the local AD DC to obtain a new SID.",
      "date_published": "2020-03-12T19:02:42.0000000Z",
      "tags": [
        "active directory",
        "powershell",
        "sid",
        "Windows"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/azuread-enable-password-expiration-with-password-hash-synchronization",
      "url": "https://evotec.xyz/de/blog/azuread-enable-password-expiration-with-password-hash-synchronization",
      "title": "AzureAD \u2013 Enable Password Expiration with Password Hash Synchronization",
      "summary": "Azure AD Connect allows three ways to make sure the user password is the same in Active Directory and Office 365. Those are Password Hash Sync, Pass-Thru Authentication, and ADFS. While my preferred option to go with would be Pass-Thru Authentication, only Password Hash Synchronization is the easiest and least resource-intensive. It synchronizes user password to Office 365, and even if your Active Directory is down, you can still log in to Office 365. It\u2019s perfect for small and even more significant companies that don\u2019t have resources or can\u2019t guarantee that their infrastructure will stay 100% time online so users can authenticate based on their Active Directory.",
      "date_published": "2020-02-24T19:53:50.0000000Z",
      "tags": [
        "Active Directory",
        "azure ad",
        "azure adconnect",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/active-directory-dfs-health-check-with-powershell",
      "url": "https://evotec.xyz/de/blog/active-directory-dfs-health-check-with-powershell",
      "title": "Active Directory DFS Health Check with PowerShell",
      "summary": "One of the critical parts of Active Directory is DFS. It allows you to share same NETLOGON/SYSVOL folders across all Domain Controllers in your Forest. Its health is vital to the functionality of your Active Directory. If it\u2019s broken, a lot of things may not work, and it\u2019s not that easy to tell the status of it. At first sight, everything may seem to work correctly, but if you take a closer look \u2013 not so much. It\u2019s great if you find it out by yourself, but not fun if suddenly GPO\u2019s don\u2019t apply to some users, computers, and you find out a year later.",
      "date_published": "2020-02-20T20:29:20.0000000Z",
      "tags": [
        "active directory",
        "adessentials",
        "dfs",
        "gpo",
        "PowerShell",
        "testimo"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/finding-gpos-missing-permissions-that-may-prevent-gpos-from-working-correctly",
      "url": "https://evotec.xyz/de/blog/finding-gpos-missing-permissions-that-may-prevent-gpos-from-working-correctly",
      "title": "Finding GPOs missing permissions that may prevent GPOs from working correctly",
      "summary": "I\u2019ve been in IT for a longer time now. I\u2019ve made my fair share of mistakes and misconfigurations. One of those misconfigurations was removing Authenticated Users from Security filtering in Group Policy Objects. While it worked fine at some point Microsoft rolled out a Hotfix MS16-07 on June 14th 2016.",
      "date_published": "2020-02-19T21:08:35.0000000Z",
      "tags": [
        "active directory",
        "adessentials",
        "gpo",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/renaming-netbios-name-of-active-directory-error",
      "url": "https://evotec.xyz/de/blog/renaming-netbios-name-of-active-directory-error",
      "title": "Renaming NETBIOS name of Active Directory Error",
      "summary": "Recently I was testing renaming the NETBIOS name of an Active Directory domain. While this process is fairly easy, there are a few gotcha\u2019s, and before one would like to rename their domain or NETBIOS name, serious testing is required to be sure everything works after rename. In the end, if something goes wrong, the rollback will not be a walk in a park. It will hurt, and it will eat your time. So there was I going thru the usual steps.",
      "date_published": "2020-02-16T15:38:02.0000000Z",
      "tags": [
        "active directory",
        "netbios",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/four-commands-to-help-you-track-down-insecure-ldap-bindings-before-march-2020",
      "url": "https://evotec.xyz/de/blog/four-commands-to-help-you-track-down-insecure-ldap-bindings-before-march-2020",
      "title": "Four commands to help you track down insecure LDAP Bindings before March 2020",
      "summary": "In March 2020, Microsoft will release its monthly updates. With those updates, Microsoft will disable insecure LDAP Bindings, which is going to break a lot of your systems (hopefully not). But this was already communicated, and you know all about it, right? If not, you should read those two articles that can help you with understanding what is happening and when.",
      "date_published": "2020-01-19T19:54:06.0000000Z",
      "tags": [
        "Active Directory",
        "adessentials",
        "powershell",
        "pseventviewer",
        "pswinreportingv2"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/what-do-we-say-to-health-checking-active-directory",
      "url": "https://evotec.xyz/de/blog/what-do-we-say-to-health-checking-active-directory",
      "title": "What do we say to health checking Active Directory?",
      "summary": "Setting up a new Active Directory is an easy task. You download and install Windows Server, install required roles and in 4 hours or less have a basic Active Directory setup. In an ideal world that would be all and your only task would be to manage users, computers, and groups occasionally creating some Group Policies. Unfortunately, things with Active Directory aren\u2019t as easy as I\u2019ve pictured it. Active Directory is a whole ecosystem and works well ranging from small companies with ten users to 500k users or more (haven\u2019t seen one myself \u2013 but so they say!). When you scale Active Directory adding more servers, more domains things tend to get complicated, and while things on top may look like they work correctly, in practice, they may not. That\u2019s why, as an Administrator, you need to manage Active Directory in terms of its Health and Security. Seems easy, right? Not quite. While you may think you have done everything, checked everything, there\u2019s always something missing. Unless you have instructions for everything and can guarantee that things stay the same way as you left them forever, it\u2019s a bit more complicated. That\u2019s why Microsoft delivers you tools to troubleshoot your Active Directory, such as dcdiag, repadmin and some others. They also sell monitoring solutions such as Microsoft SCOM which can help and detect when some things happen in your AD while you were gone. Surely there are some 3rd party companies that give you some tools that can help with a lot of that as well. Finally, there are lots of folks within the community creating PowerShell scripts or functions that help with some Health Checks of your Active Directory.",
      "date_published": "2019-09-08T15:48:39.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "dhcp",
        "dns",
        "health checks",
        "powershell",
        "security checks",
        "testimo",
        "Windows"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/getting-active-directory-last-backup-time-using-powershell",
      "url": "https://evotec.xyz/de/blog/getting-active-directory-last-backup-time-using-powershell",
      "title": "Getting Active Directory Last Backup Time using PowerShell",
      "summary": "I shouldn\u2019t be telling you that, but Active Directory Backup is an essential part of your Active Directory setup. When a backup of Active Directory happens, AD is aware of it. Following PowerShell solution allows you to get Active Directory Last Backup Time for the whole forest or by domain.",
      "date_published": "2019-08-05T12:40:18.0000000Z",
      "tags": [
        "active directory",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/testing-ldap-and-ldaps-connectivity-with-powershell",
      "url": "https://evotec.xyz/de/blog/testing-ldap-and-ldaps-connectivity-with-powershell",
      "title": "Testing LDAP and LDAPS connectivity with PowerShell",
      "summary": "One of the common ways to connect to Active Directory is thru LDAP protocol. There are a lot of applications that talk to AD via LDAP. By default Active Directory has LDAP enabled but that\u2019s a bit insecure in today\u2019s world. That\u2019s where LDAPS comes in. It\u2019s not easy to set up, but when you get it done, it works. The problem I had recently is that while setting up LDAPS on DC\u2019s I only did this on some of the DC\u2019s, and not all of them as I should.",
      "date_published": "2019-08-04T14:55:32.0000000Z",
      "tags": [
        "active directory",
        "ldap",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/active-directory-instant-replication-between-sites-with-powershell",
      "url": "https://evotec.xyz/de/blog/active-directory-instant-replication-between-sites-with-powershell",
      "title": "Instant Replication between Active Directory sites with PowerShell",
      "summary": "In Active Directory when you change something, it\u2019s replicated to other Domain Controllers regularly. It\u2019s a standard procedure that happens automatically in the background for you. It\u2019s a handy feature because you can have multiple DC\u2019s all over the world and have your users data in sync. You can change almost anything on DC nearest to you and be sure it will be the same value all over the place. But is it always the same? Well, it should be unless it isn\u2019t. Today I was given a new migration from Exchange to Office 365. I started with ADConnect installation and wanted to make sure that UserPrincipalNames have all UPNSuffixes in place.",
      "date_published": "2019-07-21T13:31:06.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "instant replication",
        "powershell",
        "replication"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/getting-bitlocker-and-laps-summary-report-with-powershell",
      "url": "https://evotec.xyz/de/blog/getting-bitlocker-and-laps-summary-report-with-powershell",
      "title": "Getting Bitlocker and LAPS summary report with PowerShell",
      "summary": "Having Bitlocker and LAPS in modern Active Directory is a must. But just because you enable GPO and have a process that should say Bitlocker and LAPS are enabled doesn\u2019t mean much. Now and then you should verify things yourself. One of the Facebook users on PowerShell group just had this idea of exporting Bitlocker keys and then giving that list to his colleagues for manual verification. He wanted to do it half PowerShell and half manually. While the idea was great, why not take full advantage of PowerShell and have a helpful report with all the necessary information?",
      "date_published": "2019-07-11T17:07:22.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "bitlocker",
        "laps",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/fixing-active-directory-passwordnotrequired-with-powershell",
      "url": "https://evotec.xyz/de/blog/fixing-active-directory-passwordnotrequired-with-powershell",
      "title": "Fixing Active Directory PasswordNotRequired with PowerShell",
      "summary": "There was I, deploying PSPasswordExpiryNotifications for one of my Clients when I started getting complaints that some users are not getting their Password Expiry Notifications. Well, that\u2019s a new one. I\u2019ve tested this script multiple times, and it worked just fine. So I dive into the details of my script to see what I did in there (I don\u2019t even remember anymore \u2013 it just works) to find out this little line:",
      "date_published": "2019-06-25T10:29:44.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "PasswordNotRequired",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/export-clixml-and-import-clixml-serialization-woes",
      "url": "https://evotec.xyz/de/blog/export-clixml-and-import-clixml-serialization-woes",
      "title": "Export-CliXML and Import-CliXML serialization woes",
      "summary": "I\u2019ve been working today trying to deliver to one of my Clients Active Directory documentation. To my surprise, something that worked fine for a very long time has started to provide weird results. So, after spending about 8 hours taking apart a few of my PowerShell modules trying to find out what is wrong finally, I\u2019ve found it: Export-CliXML / Import-CliXML. Those two commands are great. I\u2019ve used them multiple times with great success (or so I thought).",
      "date_published": "2019-06-23T10:12:27.0000000Z",
      "tags": [
        "Active Directory",
        "export-clixml",
        "import-clixml",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/getting-windows-10-build-version-from-active-directory",
      "url": "https://evotec.xyz/de/blog/getting-windows-10-build-version-from-active-directory",
      "title": "Getting Windows 10 build version from Active Directory",
      "summary": "Today I saw an article on how to get Windows Version Report from Active Directory and thought that this is a cool idea. Something handy for migration scenarios or information on how up to date is your infrastructure. Since there are many ways to do the same thing I decided to tackle this myself and further include it into PSWinDocumentation.AD project. By default Active Directory stores Operating System and Operating System Version but it doesn\u2019t really show versions one may expect.",
      "date_published": "2019-06-14T15:03:06.0000000Z",
      "tags": [
        "active directory",
        "build",
        "powershell",
        "windows 10"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/how-i-didnt-know-how-powerful-and-fast-hashtables-are",
      "url": "https://evotec.xyz/de/blog/how-i-didnt-know-how-powerful-and-fast-hashtables-are",
      "title": "How I didn\u2019t know how powerful and fast hashtables are",
      "summary": "I\u2019ve been using PowerShell for a long while now using Hashtables, OrderedDictionary, and other types of data types in PowerShell, but I never paid attention to how powerful those are. And I don\u2019t mean your general knowledge about hashtables that is already covered by Kevin Marquette in his article Everything you wanted to know about Hashtables or my article PowerShell \u2013 Few tricks about HashTables and Arrays I wish I knew when I started. Let\u2019s find out, how Powerful they are, shall we?",
      "date_published": "2019-05-19T09:49:26.0000000Z",
      "tags": [
        "active directory",
        "hashtable",
        "learn",
        "powershell",
        "speed"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/what-do-we-say-to-writing-active-directory-documentation",
      "url": "https://evotec.xyz/de/blog/what-do-we-say-to-writing-active-directory-documentation",
      "title": "What do we say to writing Active Directory documentation?",
      "summary": "It\u2019s no secret that nobody likes creating documentation. I don\u2019t like it, and you don\u2019t like it, even documentation lovers don\u2019t like it. But while you can live without documentation, you really shouldn\u2019t. And I am not talking here only about documentation that is only useful in the onboarding process of new employees or documentation concerning introducing someone to some concepts to get them easily start. I\u2019m talking about documentation for your live environment where you know what you have, how you have set it up, but is still the same after one week, one month, or one year? Usually, not so much. And one of the worst mistakes admin can do is assume that his environment doesn\u2019t change, things are as they were when they were set up.",
      "date_published": "2019-05-12T12:46:24.0000000Z",
      "tags": [
        "Active Directory",
        "dashimo",
        "documentation",
        "documentimo",
        "excel",
        "excelimo",
        "powershell",
        "pswindocumentation",
        "Windows",
        "word"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/the-only-powershell-command-you-will-ever-need-to-find-out-who-did-what-in-active-directory",
      "url": "https://evotec.xyz/de/blog/the-only-powershell-command-you-will-ever-need-to-find-out-who-did-what-in-active-directory",
      "title": "The only PowerShell Command you will ever need to find out who did what in Active Directory",
      "summary": "While the title of this blog may be a bit exaggeration, the command I\u2019m trying to show here does it\u2019s best to deliver on the promise. What you\u2019re about to witness here is something I\u2019ve worked on for a while now, and it meets my basic needs. If you don\u2019t have SIEM product or products that monitor who does what in Active Directory this command makes it very easy, even for people who don\u2019t have much experience in reading Event Logs. If you\u2019d like to learn about working with Windows Event Logs here\u2019s a great article I wrote recently \u2013 PowerShell \u2013 Everything you wanted to know about Event Logs and then some.",
      "date_published": "2019-04-28T15:52:32.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "events",
        "events viewer",
        "powershell",
        "pswinreporting",
        "pswinreportingv2",
        "Windows"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/backing-up-bitlocker-keys-and-laps-passwords-from-active-directory",
      "url": "https://evotec.xyz/de/blog/backing-up-bitlocker-keys-and-laps-passwords-from-active-directory",
      "title": "Backing up Bitlocker Keys and LAPS passwords from Active Directory",
      "summary": "Having a modern, secure infrastructure in 2019 is a requirement. You should implement BitLocker to make sure that in the event of stolen laptop data is not readily extractable and implementing LAPS is a must in a fast changing IT world. But I\u2019m not here to convince you to those two security features. I\u2019m here to show you an easy way to backup LAPS and BitLocker. While having everything stored in Active Directory is excellent, things can get complicated when you don\u2019t have access to your Active Directory, or you restore an older version of it. You see, LAPS, for example, keeps only last Administrator password. This is great and all but what happens if you restore the machine from backup from 6 months back? Your password has already changed multiple times. During our testing of DR scenarios, we wanted to access the computer via their local Administrator credentials and we just couldn\u2019t because that password was already gone.",
      "date_published": "2019-03-31T20:01:43.0000000Z",
      "tags": [
        "active directory",
        "bitlocker",
        "laps",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/accessing-azurevm-with-nla-and-broken-domain-trust-relationship",
      "url": "https://evotec.xyz/de/blog/accessing-azurevm-with-nla-and-broken-domain-trust-relationship",
      "title": "Accessing AzureVM with NLA and broken domain trust relationship",
      "summary": "Hosting your VM\u2019s in Azure Cloud is excellent. You have all those features, professionally managed and virtually limitless. I don\u2019t want to take your time to sell you Azure Services but to share a solution to one of the things I had to solve in Azure and sooner or later you may end up with on. During the test restore for Active Directory and multiple other machines which were much older (or newer) then Active Directory Domain Controller that was restored it turned out one can\u2019t log in to most of the devices. First of all your domain password is already changed, but that can quickly be addressed. Your second and more significant problem is Network Level Authentication (NLA), and your 3rd problem is broken trust relationship.",
      "date_published": "2019-03-28T09:22:42.0000000Z",
      "tags": [
        "Active Directory",
        "ad trust",
        "azure",
        "azure vm",
        "nla",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/active-directory-the-directory-service-was-unable-to-allocate-a-relative-identifier",
      "url": "https://evotec.xyz/de/blog/active-directory-the-directory-service-was-unable-to-allocate-a-relative-identifier",
      "title": "Active Directory \u2013 The directory service was unable to allocate a relative identifier",
      "summary": "I\u2019ve been testing Disaster Recovery scenario restoring Active Directory. One of the servers was restored, and it worked for a moment after restore. If you can regain your Primary DC, it\u2019s best to do so. If you can\u2019t, a standard thing to do during DR is to move all FSMO roles to the restored server so that it can become a master server. You can find out your FSMO holders by using those commands below:",
      "date_published": "2019-03-27T20:39:25.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "error",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/pswinreporting-1-8-split-of-branches-legacy-vs-new-hope",
      "url": "https://evotec.xyz/de/blog/pswinreporting-1-8-split-of-branches-legacy-vs-new-hope",
      "title": "PSWinReporting 1.8 \u2013 Split of branches (Legacy vs. New Hope)",
      "summary": "A new branch of PSWinReporting is slowly coming, and I thought it would be the best time to have a final article about it with all configuration options available for those that will want to stay using PSWinReporting from Legacy branch. The idea is that you may have it working in your systems and it\u2019s good enough for you. You may not want to change it, and with New Hope, the changes are so big it\u2019s a rewrite.",
      "date_published": "2019-03-10T20:39:43.0000000Z",
      "tags": [
        "Active Directory",
        "event",
        "event monitoring",
        "events",
        "powershell",
        "pswinreporting",
        "Windows"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/powershell-everything-you-wanted-to-know-about-event-logs",
      "url": "https://evotec.xyz/de/blog/powershell-everything-you-wanted-to-know-about-event-logs",
      "title": "PowerShell \u2013 Everything you wanted to know about Event Logs and then some",
      "summary": "If you feel this title is very familiar to you it\u2019s because I actually have stolen the title from Kevin Marquette. I\u2019m in awe of his posts that take you thru topic from beginning till the end. No splitting, no hiding anything, everything on a plate, in a single post. That\u2019s why I\u2019ve decided to write a post that will take you on a trip on how to work with Event Logs, something that is an internal part of Windows Administration. If you\u2019ve never worked with Events and you\u2019re in IT you most likely should make an effort to find out what it is and how you can eat it.",
      "date_published": "2019-02-20T13:22:19.0000000Z",
      "tags": [
        "Active Directory",
        "event logs",
        "events",
        "get-eventlog",
        "get-winevent",
        "microsoft window",
        "PowerShell",
        "windows",
        "windows server"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/how-to-find-different-server-types-in-active-directory-with-powershell",
      "url": "https://evotec.xyz/de/blog/how-to-find-different-server-types-in-active-directory-with-powershell",
      "title": "How to find different server types in Active Directory with PowerShell",
      "summary": "Working as a freelancer is a great thing if you can handle it. Each day, each week something new happens and a new problem shows up on my doorstep. It also means it\u2019s almost never boring at your job and you get to play with new stuff. But there\u2019s one drawback to this. You\u2019re often thrown at the problem, told to fix it but often that\u2019s about as much information as you get. It wasn\u2019t very different today. I was told to switch Office 365 from ADFS to Password Synchronization. While reasons for this are not really important, the important question here is what is the name of AD Connect server that\u2019s responsible for this configuration?",
      "date_published": "2019-02-06T18:25:30.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "adconnect",
        "azure ad",
        "exchange",
        "Hyper-V",
        "powershell",
        "sql",
        "windows"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/active-directory-how-to-track-down-why-and-where-the-user-account-was-locked-out",
      "url": "https://evotec.xyz/de/blog/active-directory-how-to-track-down-why-and-where-the-user-account-was-locked-out",
      "title": "Active Directory \u2013 How to track down why and where the user account was locked out",
      "summary": "I\u2019ve been working with Windows Events for a while now. One of the things I did to help me diagnose problems and reporting on Windows Events was to write PSEventViewer to help to parse the logs and write PSWinReporting to help monitor (with use of PSEventViewer) Domain Controllers for events that happen across the domain. It\u2019s handy and I, get those excellent daily reports of what happened while I was gone.",
      "date_published": "2019-01-24T15:25:31.0000000Z",
      "tags": [
        "active directory",
        "event viewer",
        "get-events",
        "get-winevent",
        "powershell",
        "pseventviewer",
        "pswinreporting",
        "windows",
        "windows server"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/active-directory-move-addirectoryserveroperationmasterrole-access-is-denied",
      "url": "https://evotec.xyz/de/blog/active-directory-move-addirectoryserveroperationmasterrole-access-is-denied",
      "title": "Active Directory \u2013 Move-AD Directory Server Operation Master Role: Access is denied",
      "summary": "When working with Active Directory one of the common tasks is to move FSMO roles between servers. Well, maybe not that common but it happens from time to time where you have to move all or just some of the FSMO roles. For that purposes, there is single PowerShell command Move-ADDirectoryServerOperationalMasterRole. Sure you can do this via GUI but if there\u2019s one command available to fix it all why bother? To make the move one has to be a Domain Admin, Enterprise Admin and Schema Admin. Everything was going smoothly for some roles but wasn\u2019t working for others.",
      "date_published": "2019-01-06T09:10:18.0000000Z",
      "tags": [
        "active directory",
        "fsmo",
        "powershell"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/azure-ad-connect-synchronizing-mail-field-with-userprincipalname-in-azure",
      "url": "https://evotec.xyz/de/blog/azure-ad-connect-synchronizing-mail-field-with-userprincipalname-in-azure",
      "title": "Azure AD Connect \u2013 Synchronizing MAIL field with UserPrincipalName in Azure",
      "summary": "Azure AD Connect is an application responsible for synchronizing Active Directory with Azure AD allowing for a natural population of users, groups, and devices in Office 365. While for most companies standard setup is very easy and most of the time touch-free, there are companies which require greater customization. During installation of AD Connector, you choose what should be used for Azure AD Username from your AD. UserPrincipalName field is an obvious choice for this and also proposed by default for that purpose. This field is utilized further by your users to log in to your Exchange, SharePoint, Teams and so on.",
      "date_published": "2018-11-09T21:45:47.0000000Z",
      "tags": [
        "active directory",
        "azure",
        "azure ad",
        "office 365"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/pswindocumentation-audit-active-directory-passwords",
      "url": "https://evotec.xyz/de/blog/pswindocumentation-audit-active-directory-passwords",
      "title": "PSWinDocumentation \u2013 Audit Active Directory Passwords",
      "summary": "If you\u2019re paying attention to what\u2019s happening around the world now you probably know Have I Been Pwned service by now. You probably know that it has huge lists of hashes of passwords that leaked out over the years from different services (LinkedIn, Adobe, and so on). This means those passwords are now in possession of good guys, but also bad guys. With Active Directory being often a central place to store your password that allows you to access your Office 365 account, ADFS, Microsoft Exchange it\u2019s important that your AD passwords is both secure and safe. Bad guys may want to try and access your email accounts or other data that\u2019s available online. And having a list of passwords you or other people may have used before doesn\u2019t help you in protecting your own data.",
      "date_published": "2018-10-07T17:57:42.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "audit",
        "powershell",
        "windows"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/pswindocumentation-export-to-word-excel-sql-of-ad-aws-exchange-o365-exchange-o365-azure-ad",
      "url": "https://evotec.xyz/de/blog/pswindocumentation-export-to-word-excel-sql-of-ad-aws-exchange-o365-exchange-o365-azure-ad",
      "title": "PSWinDocumentation \u2013 Export to Word, Excel, SQL of AD, AWS, Exchange, O365 Exchange, O365 Azure AD",
      "summary": "Today I\u2019m pushing forward with PSWinDocumentation project. I\u2019ve fixed some bugs but I also added a couple of new features. I did lie a bit in the first sentence because this time it\u2019s not all me. I got help from Mateusz Niemczyk who is a certified AWS engineer working for Euvic with me on some projects. If you\u2019ve not yet guessed where I got him involved from the introduction \u2013 yes we\u2019re adding basic AWS data support to PSWinDocumentation. But that\u2019s not all\u2026",
      "date_published": "2018-09-23T20:39:26.0000000Z",
      "tags": [
        "Active Directory",
        "aws",
        "Azure AD",
        "excel",
        "exchange",
        "export",
        "office 365",
        "powershell",
        "pswriteexcel",
        "PSWriteWord",
        "sql",
        "Windows",
        "word"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/pswinreporting-forwarders-microsoft-teams-slack-microsoft-sql-and-more",
      "url": "https://evotec.xyz/de/blog/pswinreporting-forwarders-microsoft-teams-slack-microsoft-sql-and-more",
      "title": "PSWinReporting \u2013 Forwarders, Microsoft Teams, Slack, Microsoft SQL and more",
      "summary": "It\u2019s been a while since PSWinReporting has been updated, or rather since I\u2019ve written a blog post about it since it\u2019s always\u2026",
      "date_published": "2018-09-16T17:59:28.0000000Z",
      "tags": [
        "active directory",
        "event log",
        "events",
        "microsoft teams",
        "ms sql",
        "powershell",
        "slack",
        "sql",
        "teams",
        "Windows"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/pswindocumentation-version-0-1-with-word-excel-export",
      "url": "https://evotec.xyz/de/blog/pswindocumentation-version-0-1-with-word-excel-export",
      "title": "PSWinDocumentation \u2013 Version 0.1 with Word / Excel export",
      "summary": "A few weeks ago I\u2019ve released my first version of PSWinDocumentation. It was simple, one command module where you start it and get some basic AD stuff into Microsoft Word document. Today\u2026 I\u2019m releasing a new version that has a bit bigger feature set. Are you ready for it? Let\u2019s go!",
      "date_published": "2018-08-23T20:07:04.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "excel",
        "powershell",
        "scripts",
        "windows",
        "word"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/pswinreporting-1-0-is-out",
      "url": "https://evotec.xyz/de/blog/pswinreporting-1-0-is-out",
      "title": "PSWinReporting 1.0 \u2013 Monitoring Active Directrory Events",
      "summary": "Few months after initial release a new public version of PSWinReporting 1.0 is released. While the name might not be\u2026",
      "date_published": "2018-06-10T09:26:45.0000000Z",
      "tags": [
        "active directory",
        "ad",
        "domain controller",
        "email",
        "html",
        "monitoring",
        "powershell",
        "powershell gallery",
        "powershell module",
        "Windows"
      ]
    },
    {
      "id": "https://evotec.xyz/de/blog/working-with-windows-events-with-powershell",
      "url": "https://evotec.xyz/de/blog/working-with-windows-events-with-powershell",
      "title": "Working with Windows Events with PowerShell",
      "summary": "As you may (and should) know Event Log is your first place to look for explanations on why server/client is\u2026",
      "date_published": "2018-05-28T09:28:21.0000000Z",
      "tags": [
        "Active Directory",
        "event viewer",
        "Exchange",
        "get-events",
        "get-winevent",
        "microsoft",
        "powershell",
        "windows"
      ]
    }
  ]
}