https://evotec.xyz/de/categories/active-directoryEvotec Main Websitehttps://evotec.xyz/de/blog/mastering-active-directory-hygiene-automating-sidhistory-cleanup-with-cleanupmonsterSecurity Identifier (SID) History is a useful mechanism in Active Directory (AD) migrations. It allows users and groups in a new domain to retain access to resources that still rely on permissions from the old domain. However, once migrations are completed, these historical SIDs can become clutter, posing both security and administrative challenges. While it’s best to remove unnecessary SID History as soon as you’re done migrating, many environments skip this step. Over time, decommissioned or broken trusts make cleanup more difficult, and domain objects can accrue so many old entries that you lose track of what is still required.Sun, 16 Mar 2025 18:47:45 GMThttps://evotec.xyz/de/blog/mastering-active-directory-hygiene-automating-sidhistory-cleanup-with-cleanupmonsterActive Directoryactivedirectorycleanuppowershellhttps://evotec.xyz/de/blog/mastering-active-directory-hygiene-automating-stale-computer-cleanup-with-cleanupmonsterHave you ever looked at your Active Directory and wondered, “Why do I still have computers listed that haven’t been turned on since World Cup 2016?” Yeah, we’ve all been there. Keeping AD clean and up-to-date is like trying to organize your garage—it’s easy to put off until it becomes a total mess.Sun, 25 Aug 2024 13:14:39 GMThttps://evotec.xyz/de/blog/mastering-active-directory-hygiene-automating-stale-computer-cleanup-with-cleanupmonsteractive directoryadcleanupintunemicrosoft entrapowershellhttps://evotec.xyz/de/blog/active-directory-replication-summary-to-your-emailActive Directory replication is a critical process that ensures the consistent and up-to-date state of directory information across all domain controllers in a domain. Monitoring this process is important as it helps identify any issues that may arise and resolve them quickly. One way to monitor Active Directory replication is by using the Repadmin command-line tool. Repadmin provides a wealth of information about the replication status and health of a domain. However, manually checking the Repadmin output can be time-consuming and tedious, and running it manually every 30 minutes just to check if everything is great doesn’t seem like a great idea. While PowerShell has its own commands around replication I’ve not found something as fast and reliable as repadmin /replsummary.Wed, 17 Apr 2024 19:25:32 GMThttps://evotec.xyz/de/blog/active-directory-replication-summary-to-your-emailactive directorypowershellreplicationhttps://evotec.xyz/de/blog/active-directory-health-check-using-microsoft-entra-connect-health-serviceActive Directory (AD) is crucial in managing identities and resources within an organization. Ensuring its health is pivotal for the seamless operation of various services. Today, I decided to look at Microsoft Entra Connect Health (Azure AD Connect Health) service, which allows monitoring Azure AD Connect, ADFS, and Active Directory. This means that under a single umbrella, you can have an overview of three services health. But is it worth it?Sun, 08 Oct 2023 14:36:57 GMThttps://evotec.xyz/de/blog/active-directory-health-check-using-microsoft-entra-connect-health-serviceActive DirectoryAzureazure adhealth checksmicrosoft entrapowershellhttps://evotec.xyz/de/blog/report-active-directory-accounts-that-are-synchronized-with-azure-adI was scrolling X (aka Twitter) today and saw this blog post, “PowerShell: Report On-Premises Active Directory Accounts that are Synchronized with Azure AD Connect” by Kevin Trent. I like reading blog posts as I tend to learn some new things and see how people tend to solve their problems.Mon, 07 Aug 2023 13:21:18 GMThttps://evotec.xyz/de/blog/report-active-directory-accounts-that-are-synchronized-with-azure-adactive directoryadazure admicrosoft graphpowershellhttps://evotec.xyz/de/blog/strengthening-password-security-in-active-directory-a-powershell-powered-approachPasswordSolution uses the DSInternals PowerShell module to gather Active Directory hashes and then combines that data into a prettified report. If you have ever used DSInternals, you know that while very powerful, it comes with raw data that is hard to process and requires some skills to get it into a state that can be shown to management or security.Sun, 28 May 2023 14:40:25 GMThttps://evotec.xyz/de/blog/strengthening-password-security-in-active-directory-a-powershell-powered-approachactive directoryaddsinternalshtmlpassword qualitypasswordsolutionpowershellscansecurityWindowshttps://evotec.xyz/de/blog/reporting-group-membership-for-critical-active-directory-groupsI work a lot with Active Directory-related tasks. One of the tasks is to know the group membership of critical Active Directory Groups such as Domain Admins, Enterprise Admins, Schema Admins, Event Log Readers, and a few others that are a bit less known. As I did it, I got bored of typing the group names repeatedly and decided that enough was enough and there must be an easier way for me to do that.Sun, 07 Aug 2022 11:57:28 GMThttps://evotec.xyz/de/blog/reporting-group-membership-for-critical-active-directory-groupsactive directoryadgroup membershipgroupsnested groupspowershellWindowshttps://evotec.xyz/de/blog/finding-duplicate-dns-records-by-ip-adress-using-powershellIn my earlier blog post, I showed you a way to find duplicate DNS entries using PowerShell, but the focus was on finding duplicate entries based on hostname. But what if you would like to find duplicate entries based on IP Addresses? This was the question I was asked on Reddit, and I thought it was a legitimate request, so today’s focus will be on transposing table output from earlier functions to present data differently.Tue, 26 Jul 2022 17:23:53 GMThttps://evotec.xyz/de/blog/finding-duplicate-dns-records-by-ip-adress-using-powershellactive directorydnsDNSServerduplicatespowershellhttps://evotec.xyz/de/blog/finding-duplicate-dns-entries-using-powershellToday’s blog post is about Active Directory-integrated DNS and how to find duplicate entries. By duplicate, I mean those where one DNS name matches multiple IP addresses. While some duplicate DNS entries are expected, in other cases, it may lead to problems. For example, having a static IP assigned to a hostname that later on is also updated with dynamic entries.Sun, 24 Jul 2022 16:48:21 GMThttps://evotec.xyz/de/blog/finding-duplicate-dns-entries-using-powershellactive directoryaddnsDNSServerpowershellhttps://evotec.xyz/de/blog/finding-duplicate-spn-with-powershellDuplicate SPNs aren’t very common but can happen in any Active Directory as there’s no built-in way that tracks and prevent duplicate SPN’s. One has to either know all SPN’s in the environment, track them or check each time whether it already exists or not. Things get more complicated with larger Active Directory environments as people change, new apps are added, old apps are forgotten, but SPNs prevail.Tue, 07 Dec 2021 15:32:01 GMThttps://evotec.xyz/de/blog/finding-duplicate-spn-with-powershellactive directoryadadessentialsforestpowershellspntestimohttps://evotec.xyz/de/blog/active-directory-domain-services-could-not-replicate-the-directory-partition-the-replication-operation-encountered-a-database-errorIf you ever encounter an error while trying to create a new domain within a forest saying, “The replication operation encountered a database error,” it makes you sweat a bit. Your brain tells you it will be a nightmare to fix, do I have proper backups to make it happen, and the question “why now” shows up.Sun, 28 Nov 2021 14:38:20 GMThttps://evotec.xyz/de/blog/active-directory-domain-services-could-not-replicate-the-directory-partition-the-replication-operation-encountered-a-database-erroractive directorydcdiagdfsdomainforestforest replicationPowerShelltestimoWindowshttps://evotec.xyz/de/blog/monitoring-ldaps-connectivity-certificate-with-powershellSome time ago, I wrote a blog post on checking for LDAP, LDAPS, LDAP GC, and LDAPS GC ports with PowerShell. It mostly works, but it requires a tad bit of effort, and it doesn’t cover the full scope that I wanted. Recently (well over 3 years ago), Chris Dent shared some code that verifies the LDAP certificate, and I thought this would be good to update my cmdlets to support just that with a bit of my own magic on top.Tue, 02 Mar 2021 17:53:05 GMThttps://evotec.xyz/de/blog/monitoring-ldaps-connectivity-certificate-with-powershellactive directoryadldappowershelltestimohttps://evotec.xyz/de/blog/the-only-command-you-will-ever-need-to-understand-and-fix-your-group-policies-gpoI’ve been working on cleaning up Group Policies for a couple of months. While it may seem trivial, things get complicated when you’re tasked with managing 5000 GPOs created over 15 years by multiple teams without any best practices in mind. While working on GPOZaurr (my new PowerShell module), I’ve noticed that the more code I wrote to manage those GPOs, the more I knew passing this knowledge to admins who will be executing this on a weekly/monthly basis is going to be a challenge. That’s why I’ve decided to follow a similar approach as my other Active Directory testing module called Testimo. I’ve created a single command that analyses Group Policies using different methods and shows views from different angles to deliver the full picture. On top of that, it provides a solution (or it tries to) so that it’s fairly easy to fix – as long as you agree with what it proposes.Sun, 24 Jan 2021 17:15:04 GMThttps://evotec.xyz/de/blog/the-only-command-you-will-ever-need-to-understand-and-fix-your-group-policies-gpoactive directorygpogroup policypowershellhttps://evotec.xyz/de/blog/visually-display-active-directory-trusts-using-powershellActive Directory Trusts are useful to connect one or more domains. But as useful those are, they can be very dangerous. Also, keeping trusts working and in good shape should be a top priority for Active Directory Admins. While there is a couple of command in the Active Directory module Get-ADTrust, I thought I would try and write my own that checks a few more things. I want to thank Chris Dent for his input on the part of this command. His binary skills amaze me!Mon, 14 Sep 2020 13:44:10 GMThttps://evotec.xyz/de/blog/visually-display-active-directory-trusts-using-powershellActive Directoryactivedirectoryadessentialsget-winadtrustpowershellpswritehtmlshow-winadtrusthttps://evotec.xyz/de/blog/visually-display-active-directory-nested-group-membership-using-powershellIn the Active Directory PowerShell module, you have two commands to your disposal that help display group membership. Those are Get-ADGroup and Get-ADGroupMember. The first command contains property Members, which gives you DistinguishedName of all members, and Get-ADGroupMember can provide you either direct members or with Recursive switch all members recursively (skipping groups). Till a few weeks ago, I was a happy user of those commands until I noticed two things. Member property for Get-ADGroup sometimes misses elements for whatever reason.Wed, 02 Sep 2020 16:06:48 GMThttps://evotec.xyz/de/blog/visually-display-active-directory-nested-group-membership-using-powershellActive Directoryadessentialsdiagramget-adgroupget-adgroupmembernested groupspowershellpswritehtmlhttps://evotec.xyz/de/blog/active-directory-dhcp-report-to-html-or-email-with-zero-html-knowledgeI’m pretty addicted to reading blog posts. I saw this new blog post the other day, where the author created the DHCP HTML report, and he did it by manually building headers, footers, table borders, and finally, adding some coloring to the percentage of DHCP being in use. It’s the “standard” approach to build HTML in PowerShell, and I’ve seen a similar path before, but that got me thinking how much time it would take for me to replicate the very same functionality using PSWriteHTML module.Sun, 12 Jul 2020 16:17:30 GMThttps://evotec.xyz/de/blog/active-directory-dhcp-report-to-html-or-email-with-zero-html-knowledgeActive Directorydhcphtmlpowershellhttps://evotec.xyz/de/blog/using-win32_useraccount-wmi-filter-in-powershell-group-policies-and-what-to-avoidSome months ago, I created PowerShell Script to create local administrative users on workstations – Create a local user or administrator account in Windows using PowerShell. It’s a bit overcomplicated, but the goal was it should work for Windows 7 and up, and that means supporting PowerShell 2.0. As part of that exercise, I’ve been using Win32_UserAccount WMI based query to find local users and manage them to an extent. While Get-LocalUser exists, it’s not suitable for the PowerShell 2.0 scenario. I also use the same query in GPO for WMI filtering. You can say it’s been a good friend of mine.Tue, 02 Jun 2020 15:45:54 GMThttps://evotec.xyz/de/blog/using-win32_useraccount-wmi-filter-in-powershell-group-policies-and-what-to-avoidactive directoryadgpopowershellwmihttps://evotec.xyz/de/blog/get-adobject-the-server-has-returned-the-following-error-invalid-enumeration-contextIn the last weeks, I’m working on a PowerShell module that the main goal is to work on gathering and fixing GPOs. I’ve been testing my module a lot of times on my test environment, and it worked fine till the moment I run it on production, and it started to fail pretty quickly. The difference between my environment and production is 25 GPOs vs. 5000 GPOs. The error I was getting:Fri, 15 May 2020 11:32:58 GMThttps://evotec.xyz/de/blog/get-adobject-the-server-has-returned-the-following-error-invalid-enumeration-contextactive directoryget-adobjectpowershellhttps://evotec.xyz/de/blog/the-security-account-manager-sam-has-determined-that-sid-is-already-in-use-in-the-forestThe security account manager (SAM) has determined that the security identifier (SID) for this computer is already in use in the Forest you want to join. This can happen when restoring an Active Directory Domain Controller with an improper backup. Reinstall the operating system on the local AD DC to obtain a new SID.Thu, 12 Mar 2020 19:02:42 GMThttps://evotec.xyz/de/blog/the-security-account-manager-sam-has-determined-that-sid-is-already-in-use-in-the-forestactive directorypowershellsidWindowshttps://evotec.xyz/de/blog/azuread-enable-password-expiration-with-password-hash-synchronizationAzure AD Connect allows three ways to make sure the user password is the same in Active Directory and Office 365. Those are Password Hash Sync, Pass-Thru Authentication, and ADFS. While my preferred option to go with would be Pass-Thru Authentication, only Password Hash Synchronization is the easiest and least resource-intensive. It synchronizes user password to Office 365, and even if your Active Directory is down, you can still log in to Office 365. It’s perfect for small and even more significant companies that don’t have resources or can’t guarantee that their infrastructure will stay 100% time online so users can authenticate based on their Active Directory.Mon, 24 Feb 2020 19:53:50 GMThttps://evotec.xyz/de/blog/azuread-enable-password-expiration-with-password-hash-synchronizationActive Directoryazure adazure adconnectpowershellhttps://evotec.xyz/de/blog/active-directory-dfs-health-check-with-powershellOne of the critical parts of Active Directory is DFS. It allows you to share same NETLOGON/SYSVOL folders across all Domain Controllers in your Forest. Its health is vital to the functionality of your Active Directory. If it’s broken, a lot of things may not work, and it’s not that easy to tell the status of it. At first sight, everything may seem to work correctly, but if you take a closer look – not so much. It’s great if you find it out by yourself, but not fun if suddenly GPO’s don’t apply to some users, computers, and you find out a year later.Thu, 20 Feb 2020 20:29:20 GMThttps://evotec.xyz/de/blog/active-directory-dfs-health-check-with-powershellactive directoryadessentialsdfsgpoPowerShelltestimohttps://evotec.xyz/de/blog/finding-gpos-missing-permissions-that-may-prevent-gpos-from-working-correctlyI’ve been in IT for a longer time now. I’ve made my fair share of mistakes and misconfigurations. One of those misconfigurations was removing Authenticated Users from Security filtering in Group Policy Objects. While it worked fine at some point Microsoft rolled out a Hotfix MS16-07 on June 14th 2016.Wed, 19 Feb 2020 21:08:35 GMThttps://evotec.xyz/de/blog/finding-gpos-missing-permissions-that-may-prevent-gpos-from-working-correctlyactive directoryadessentialsgpopowershellhttps://evotec.xyz/de/blog/renaming-netbios-name-of-active-directory-errorRecently I was testing renaming the NETBIOS name of an Active Directory domain. While this process is fairly easy, there are a few gotcha’s, and before one would like to rename their domain or NETBIOS name, serious testing is required to be sure everything works after rename. In the end, if something goes wrong, the rollback will not be a walk in a park. It will hurt, and it will eat your time. So there was I going thru the usual steps.Sun, 16 Feb 2020 15:38:02 GMThttps://evotec.xyz/de/blog/renaming-netbios-name-of-active-directory-erroractive directorynetbiospowershellhttps://evotec.xyz/de/blog/four-commands-to-help-you-track-down-insecure-ldap-bindings-before-march-2020In March 2020, Microsoft will release its monthly updates. With those updates, Microsoft will disable insecure LDAP Bindings, which is going to break a lot of your systems (hopefully not). But this was already communicated, and you know all about it, right? If not, you should read those two articles that can help you with understanding what is happening and when.Sun, 19 Jan 2020 19:54:06 GMThttps://evotec.xyz/de/blog/four-commands-to-help-you-track-down-insecure-ldap-bindings-before-march-2020Active Directoryadessentialspowershellpseventviewerpswinreportingv2https://evotec.xyz/de/blog/what-do-we-say-to-health-checking-active-directorySetting up a new Active Directory is an easy task. You download and install Windows Server, install required roles and in 4 hours or less have a basic Active Directory setup. In an ideal world that would be all and your only task would be to manage users, computers, and groups occasionally creating some Group Policies. Unfortunately, things with Active Directory aren’t as easy as I’ve pictured it. Active Directory is a whole ecosystem and works well ranging from small companies with ten users to 500k users or more (haven’t seen one myself – but so they say!). When you scale Active Directory adding more servers, more domains things tend to get complicated, and while things on top may look like they work correctly, in practice, they may not. That’s why, as an Administrator, you need to manage Active Directory in terms of its Health and Security. Seems easy right? Not quite. While you may think you have done everything, checked everything, there’s always something missing. Unless you have instructions for everything and can guarantee that things stay the same way as you left them forever, it’s a bit more complicated. That’s why Microsoft delivers you tools to the troubleshoot your Active Directory, such as dcdiag, repadmin and some others. They also sell monitoring solutions such as Microsoft SCOM which can help and detect when some things happen in your AD while you were gone. Surely there are some 3rd party companies give you some tools that can help with a lot of that as well. Finally, there is lo of folks within the community creating PowerShell scripts or functions that help with some Health Checks of your Active Directory.Sun, 08 Sep 2019 15:48:39 GMThttps://evotec.xyz/de/blog/what-do-we-say-to-health-checking-active-directoryactive directoryaddhcpdnshealth checkspowershellsecurity checkstestimoWindowshttps://evotec.xyz/de/blog/getting-active-directory-last-backup-time-using-powershellI shouldn’t be telling you that, but Active Directory Backup is an essential part of your Active Directory setup. When a backup of Active Directory happens, AD is aware of it. Following PowerShell solution allows you to get Active Directory Last Backup Time for the whole forest or by domain.Mon, 05 Aug 2019 12:40:18 GMThttps://evotec.xyz/de/blog/getting-active-directory-last-backup-time-using-powershellactive directorypowershellhttps://evotec.xyz/de/blog/testing-ldap-and-ldaps-connectivity-with-powershellOne of the common ways to connect to Active Directory is thru LDAP protocol. There are a lot of applications that talk to AD via LDAP. By default Active Directory has LDAP enabled but that’s a bit insecure in today’s world. That’s where LDAPS comes in. It’s not easy to set up, but when you get it done, it works. The problem I had recently is that while setting up LDAPS on DC’s I only did this on some of the DC’s, and not all of them as I should.Sun, 04 Aug 2019 14:55:32 GMThttps://evotec.xyz/de/blog/testing-ldap-and-ldaps-connectivity-with-powershellactive directoryldappowershellhttps://evotec.xyz/de/blog/active-directory-instant-replication-between-sites-with-powershellIn Active Directory when you change something, it’s replicated to other Domain Controllers regularly. It’s a standard procedure that happens automatically in the background for you. It’s a handy feature because you can have multiple DC’s all over the world and have your users data in sync. You can change almost anything on DC nearest to you and be sure it will be the same value all over the place. But is it always the same? Well, it should be unless it isn’t. Today I was given a new migration from Exchange to Office 365. I started with ADConnect installation and wanted to make sure that UserPrincipalNames have all UPNSuffixes in place.Sun, 21 Jul 2019 13:31:06 GMThttps://evotec.xyz/de/blog/active-directory-instant-replication-between-sites-with-powershellactive directoryadinstant replicationpowershellreplicationhttps://evotec.xyz/de/blog/getting-bitlocker-and-laps-summary-report-with-powershellHaving Bitlocker and LAPS in modern Active Directory is a must. But just because you enable GPO and have a process that should say Bitlocker and LAPS are enabled doesn’t mean much. Now and then you should verify things yourself. One of the Facebook users on PowerShell group just had this idea of exporting Bitlocker keys and then giving that list to his colleagues for manual verification. He wanted to do it half PowerShell and half manually. While the idea was great, why not take full advantage of PowerShell and have a helpful report with all the necessary information?Thu, 11 Jul 2019 17:07:22 GMThttps://evotec.xyz/de/blog/getting-bitlocker-and-laps-summary-report-with-powershellactive directoryadbitlockerlapspowershellhttps://evotec.xyz/de/blog/fixing-active-directory-passwordnotrequired-with-powershellThere was I, deploying PSPasswordExpiryNotifications for one of my Clients when I started getting complaints that some users are not getting their Password Expiry Notifications. Well, that’s a new one. I’ve tested this script multiple times, and it worked just fine. So I dive into the details of my script to see what I did in there (I don’t even remember anymore – it just works) to find out this little line:Tue, 25 Jun 2019 10:29:44 GMThttps://evotec.xyz/de/blog/fixing-active-directory-passwordnotrequired-with-powershellactive directoryadPasswordNotRequiredpowershellhttps://evotec.xyz/de/blog/export-clixml-and-import-clixml-serialization-woesI’ve been working today trying to deliver to one of my Clients Active Directory documentation. To my surprise, something that worked fine for a very long time has started to provide weird results. So, after spending about 8 hours taking apart a few of my PowerShell modules trying to find out what is wrong finally, I’ve found it: Export-CliXML / Import-CliXML. Those two commands are great. I’ve used them multiple times with great success (or so I thought).Sun, 23 Jun 2019 10:12:27 GMThttps://evotec.xyz/de/blog/export-clixml-and-import-clixml-serialization-woesActive Directoryexport-clixmlimport-clixmlpowershellhttps://evotec.xyz/de/blog/getting-windows-10-build-version-from-active-directoryToday I saw an article on how to get Windows Version Report from Active Directory and thought that this is a cool idea. Something handy for migration scenarios or information on how up to date is your infrastructure. Since there are many ways to do the same thing I decided to tackle this myself and further include it into PSWinDocumentation.AD project. By default Active Directory stores Operating System and Operating System Version but it doesn’t really show versions one may expect.Fri, 14 Jun 2019 15:03:06 GMThttps://evotec.xyz/de/blog/getting-windows-10-build-version-from-active-directoryactive directorybuildpowershellwindows 10https://evotec.xyz/de/blog/how-i-didnt-know-how-powerful-and-fast-hashtables-areI’ve been using PowerShell for a long while now using Hashtables, OrderedDictionary, and other types of data types in PowerShell, but I never paid attention to how powerful those are. And I don’t mean your general knowledge about hashtables that is already covered by Kevin Marquette in his article Everything you wanted to know about Hashtables or my article PowerShell – Few tricks about HashTables and Arrays I wish I knew when I started. Let’s find out, how Powerful they are, shall we?Sun, 19 May 2019 09:49:26 GMThttps://evotec.xyz/de/blog/how-i-didnt-know-how-powerful-and-fast-hashtables-areactive directoryhashtablelearnpowershellspeedhttps://evotec.xyz/de/blog/what-do-we-say-to-writing-active-directory-documentationIt’s no secret that nobody likes creating documentation. I don’t like it, and you don’t like it, even documentation lovers don’t like it. But while you can live without documentation, you really shouldn’t. And I am not talking here only about documentation that is only useful in the onboarding process of new employees or documentation concerning introducing someone to some concepts to get them easily start. I’m talking about documentation for your live environment where you know what you have, how you have set it up, but is still the same after one week, one month, or one year? Usually, not so much. And one of the worst mistakes admin can do is assume that his environment doesn’t change, things are as they were when they were set up.Sun, 12 May 2019 12:46:24 GMThttps://evotec.xyz/de/blog/what-do-we-say-to-writing-active-directory-documentationActive DirectorydashimodocumentationdocumentimoexcelexcelimopowershellpswindocumentationWindowswordhttps://evotec.xyz/de/blog/the-only-powershell-command-you-will-ever-need-to-find-out-who-did-what-in-active-directoryWhile the title of this blog may be a bit exaggeration, the command I’m trying to show here does it’s best to deliver on the promise. What you’re about to witness here is something I’ve worked on for a while now, and it meets my basic needs. If you don’t have SIEM product or products that monitor who does what in Active Directory this command makes it very easy, even for people who don’t have much experience in reading Event Logs. If you’d like to learn about working with Windows Event Logs here’s a great article I wrote recently – PowerShell – Everything you wanted to know about Event Logs and then some.Sun, 28 Apr 2019 15:52:32 GMThttps://evotec.xyz/de/blog/the-only-powershell-command-you-will-ever-need-to-find-out-who-did-what-in-active-directoryactive directoryadeventsevents viewerpowershellpswinreportingpswinreportingv2Windowshttps://evotec.xyz/de/blog/backing-up-bitlocker-keys-and-laps-passwords-from-active-directoryHaving a modern, secure infrastructure in 2019 is a requirement. You should implement BitLocker to make sure that in the event of stolen laptop data is not readily extractable and implementing LAPS is a must in a fast changing IT world. But I’m not here to convince you to those two security features. I’m here to show you an easy way to backup LAPS and BitLocker. While having everything stored in Active Directory is excellent, things can get complicated when you don’t have access to your Active Directory, or you restore an older version of it. You see, LAPS, for example, keeps only last Administrator password. This is great and all but what happens if you restore the machine from backup from 6 months back? Your password has already changed multiple times. During our testing of DR scenarios, we wanted to access the computer via their local Administrator credentials and we just couldn’t because that password was already gone.Sun, 31 Mar 2019 20:01:43 GMThttps://evotec.xyz/de/blog/backing-up-bitlocker-keys-and-laps-passwords-from-active-directoryactive directorybitlockerlapspowershellhttps://evotec.xyz/de/blog/accessing-azurevm-with-nla-and-broken-domain-trust-relationshipHosting your VM’s in Azure Cloud is excellent. You have all those features, professionally managed and virtually limitless. I don’t want to take your time to sell you Azure Services but to share a solution to one of the things I had to solve in Azure and sooner or later you may end up with on. During the test restore for Active Directory and multiple other machines which were much older (or newer) then Active Directory Domain Controller that was restored it turned out one can’t log in to most of the devices. First of all your domain password is already changed, but that can quickly be addressed. Your second and more significant problem is Network Level Authentication (NLA), and your 3rd problem is broken trust relationship.Thu, 28 Mar 2019 09:22:42 GMThttps://evotec.xyz/de/blog/accessing-azurevm-with-nla-and-broken-domain-trust-relationshipActive Directoryad trustazureazure vmnlapowershellhttps://evotec.xyz/de/blog/active-directory-the-directory-service-was-unable-to-allocate-a-relative-identifierI’ve been testing Disaster Recovery scenario restoring Active Directory. One of the servers was restored, and it worked for a moment after restore. If you can regain your Primary DC, it’s best to do so. If you can’t, a standard thing to do during DR is to move all FSMO roles to the restored server so that it can become a master server. You can find out your FSMO holders by using those commands below:Wed, 27 Mar 2019 20:39:25 GMThttps://evotec.xyz/de/blog/active-directory-the-directory-service-was-unable-to-allocate-a-relative-identifieractive directoryaderrorpowershellhttps://evotec.xyz/de/blog/pswinreporting-1-8-split-of-branches-legacy-vs-new-hopeA new branch of PSWinReporting is slowly coming, and I thought it would be the best time to have a final article about it with all configuration options available for those that will want to stay using PSWinReporting from Legacy branch. The idea is that you may have it working in your systems and it’s good enough for you. You may not want to change it, and with New Hope, the changes are so big it’s a rewrite.Sun, 10 Mar 2019 20:39:43 GMThttps://evotec.xyz/de/blog/pswinreporting-1-8-split-of-branches-legacy-vs-new-hopeActive Directoryeventevent monitoringeventspowershellpswinreportingWindowshttps://evotec.xyz/de/blog/powershell-everything-you-wanted-to-know-about-event-logsIf you feel this title is very familiar to you it’s because I actually have stolen the title from Kevin Marquette. I’m in awe of his posts that take you thru topic from beginning till the end. No splitting, no hiding anything, everything on a plate, in a single post. That’s why I’ve decided to write a post that will take you on a trip on how to work with Event Logs, something that is an internal part of Windows Administration. If you’ve never worked with Events and you’re in IT you most likely should make an effort to find out what it is and how you can eat it.Wed, 20 Feb 2019 13:22:19 GMThttps://evotec.xyz/de/blog/powershell-everything-you-wanted-to-know-about-event-logsActive Directoryevent logseventsget-eventlogget-wineventmicrosoft windowPowerShellwindowswindows serverhttps://evotec.xyz/de/blog/how-to-find-different-server-types-in-active-directory-with-powershellWorking as a freelancer is a great thing if you can handle it. Each day, each week something new happens and a new problem shows up on my doorstep. It also means it’s almost never boring at your job and you get to play with new stuff. But there’s one drawback to this. You’re often thrown at the problem, told to fix it but often that’s about as much information as you get. It wasn’t very different today. I was told to switch Office 365 from ADFS to Password Synchronization. While reasons for this are not really important, the important question here is what is the name of AD Connect server that’s responsible for this configuration?Wed, 06 Feb 2019 18:25:30 GMThttps://evotec.xyz/de/blog/how-to-find-different-server-types-in-active-directory-with-powershellactive directoryadadconnectazure adexchangeHyper-Vpowershellsqlwindowshttps://evotec.xyz/de/blog/active-directory-how-to-track-down-why-and-where-the-user-account-was-locked-outI’ve been working with Windows Events for a while now. One of the things I did to help me diagnose problems and reporting on Windows Events was to write PSEventViewer to help to parse the logs and write PSWinReporting to help monitor (with use of PSEventViewer) Domain Controllers for events that happen across the domain. It’s handy and I, get those excellent daily reports of what happened while I was gone.Thu, 24 Jan 2019 15:25:31 GMThttps://evotec.xyz/de/blog/active-directory-how-to-track-down-why-and-where-the-user-account-was-locked-outactive directoryevent viewerget-eventsget-wineventpowershellpseventviewerpswinreportingwindowswindows serverhttps://evotec.xyz/de/blog/active-directory-move-addirectoryserveroperationmasterrole-access-is-deniedWhen working with Active Directory one of the common tasks is to move FSMO roles between servers. Well, maybe not that common but it happens from time to time where you have to move all or just some of the FSMO roles. For that purposes, there is single PowerShell command Move-ADDirectoryServerOperationalMasterRole. Sure you can do this via GUI but if there’s one command available to fix it all why bother? To make the move one has to be a Domain Admin, Enterprise Admin and Schema Admin. Everything was going smoothly for some roles but wasn’t working for others.Sun, 06 Jan 2019 09:10:18 GMThttps://evotec.xyz/de/blog/active-directory-move-addirectoryserveroperationmasterrole-access-is-deniedactive directoryfsmopowershellhttps://evotec.xyz/de/blog/azure-ad-connect-synchronizing-mail-field-with-userprincipalname-in-azureAzure AD Connect is an application responsible for synchronizing Active Directory with Azure AD allowing for a natural population of users, groups, and devices in Office 365. While for most companies standard setup is very easy and most of the time touch-free, there are companies which require greater customization. During installation of AD Connector, you choose what should be used for Azure AD Username from your AD. UserPrincipalName field is an obvious choice for this and also proposed by default for that purpose. This field is utilized further by your users to log in to your Exchange, SharePoint, Teams and so on.Fri, 09 Nov 2018 21:45:47 GMThttps://evotec.xyz/de/blog/azure-ad-connect-synchronizing-mail-field-with-userprincipalname-in-azureactive directoryazureazure adoffice 365https://evotec.xyz/de/blog/pswindocumentation-audit-active-directory-passwordsIf you’re paying attention to what’s happening around the world now you probably know Have I Been Pwned service by now. You probably know that it has huge lists of hashes of passwords that leaked out over the years from different services (LinkedIn, Adobe, and so on). This means those passwords are now in possession of good guys, but also bad guys. With Active Directory being often a central place to store your password that allows you to access your Office 365 account, ADFS, Microsoft Exchange it’s important that your AD passwords is both secure and safe. Bad guys may want to try and access your email accounts or other data that’s available online. And having a list of passwords you or other people may have used before doesn’t help you in protecting your own data.Sun, 07 Oct 2018 17:57:42 GMThttps://evotec.xyz/de/blog/pswindocumentation-audit-active-directory-passwordsactive directoryadauditpowershellwindowshttps://evotec.xyz/de/blog/pswindocumentation-export-to-word-excel-sql-of-ad-aws-exchange-o365-exchange-o365-azure-adToday I’m pushing forward with PSWinDocumentation project. I’ve fixed some bugs but I also added a couple of new features. I did lie a bit in the first sentence because this time it’s not all me. I got help from Mateusz Niemczyk who is a certified AWS engineer working for Euvic with me on some projects. If you’ve not yet guessed where I got him involved from the introduction – yes we’re adding basic AWS data support to PSWinDocumentation. But that’s not all…Sun, 23 Sep 2018 20:39:26 GMThttps://evotec.xyz/de/blog/pswindocumentation-export-to-word-excel-sql-of-ad-aws-exchange-o365-exchange-o365-azure-adActive DirectoryawsAzure ADexcelexchangeexportoffice 365powershellpswriteexcelPSWriteWordsqlWindowswordhttps://evotec.xyz/de/blog/pswinreporting-forwarders-microsoft-teams-slack-microsoft-sql-and-moreIt’s been a while since PSWinReporting has been updated, or rather since I’ve written a blog post about it since it’s always…Sun, 16 Sep 2018 17:59:28 GMThttps://evotec.xyz/de/blog/pswinreporting-forwarders-microsoft-teams-slack-microsoft-sql-and-moreactive directoryevent logeventsmicrosoft teamsms sqlpowershellslacksqlteamsWindowshttps://evotec.xyz/de/blog/pswindocumentation-version-0-1-with-word-excel-exportA few weeks ago I’ve released my first version of PSWinDocumentation. It was simple, one command module where you start it and get some basic AD stuff into Microsoft Word document. Today… I’m releasing a new version that has a bit bigger feature set. Are you ready for it? Let’s go!Thu, 23 Aug 2018 20:07:04 GMThttps://evotec.xyz/de/blog/pswindocumentation-version-0-1-with-word-excel-exportactive directoryadexcelpowershellscriptswindowswordhttps://evotec.xyz/de/blog/pswinreporting-1-0-is-outFew months after initial release a new public version of PSWinReporting 1.0 is released. While the name might not be…Sun, 10 Jun 2018 09:26:45 GMThttps://evotec.xyz/de/blog/pswinreporting-1-0-is-outactive directoryaddomain controlleremailhtmlmonitoringpowershellpowershell gallerypowershell moduleWindowshttps://evotec.xyz/de/blog/working-with-windows-events-with-powershellAs you may (and should) know Event Log is your first place to look for explanations on why server/client is…Mon, 28 May 2018 09:28:21 GMThttps://evotec.xyz/de/blog/working-with-windows-events-with-powershellActive Directoryevent viewerExchangeget-eventsget-wineventmicrosoftpowershellwindows