<feed xmlns="http://www.w3.org/2005/Atom"><title>active directory</title><id>https://evotec.xyz/de/tags/active-directory/index.atom.xml</id><updated>2024-08-25T13:14:39.0000000Z</updated><subtitle>Evotec Main Website</subtitle><link href="https://evotec.xyz/de/tags/active-directory" /><link href="https://evotec.xyz/de/tags/active-directory/index.atom.xml" rel="self" type="application/atom+xml" /><entry><title>Mastering Active Directory Hygiene: Automating Stale Computer Cleanup with CleanupMonster</title><id>https://evotec.xyz/de/blog/mastering-active-directory-hygiene-automating-stale-computer-cleanup-with-cleanupmonster</id><link href="https://evotec.xyz/de/blog/mastering-active-directory-hygiene-automating-stale-computer-cleanup-with-cleanupmonster" /><updated>2024-08-25T13:14:39.0000000Z</updated><summary>Have you ever looked at your Active Directory and wondered, “Why do I still have computers listed that haven’t been turned on since World Cup 2016?” Yeah, we’ve all been there. Keeping AD clean and up-to-date is like trying to organize your garage—it’s easy to put off until it becomes a total mess.</summary><category term="active directory" /><category term="ad" /><category term="cleanup" /><category term="intune" /><category term="microsoft entra" /><category term="powershell" /></entry><entry><title>Active Directory Replication Summary to your Email or Microsoft Teams</title><id>https://evotec.xyz/de/blog/active-directory-replication-summary-to-your-email</id><link href="https://evotec.xyz/de/blog/active-directory-replication-summary-to-your-email" /><updated>2024-04-17T19:25:32.0000000Z</updated><summary>Active Directory replication is a critical process that ensures the consistent and up-to-date state of directory information across all domain controllers in a domain. Monitoring this process is important as it helps identify any issues that may arise and resolve them quickly. 
One way to monitor Active Directory replication is by using the Repadmin command-line tool. Repadmin provides a wealth of information about the replication status and health of a domain. However, manually checking the Repadmin output can be time-consuming and tedious, and running it manually every 30 minutes just to check if everything is great doesn’t seem like a great idea. While PowerShell has its own commands around replication, I’ve not found something as fast and reliable as repadmin /replsummary.</summary><category term="active directory" /><category term="powershell" /><category term="replication" /></entry><entry><title>Report Active Directory Accounts that are Synchronized with Azure AD</title><id>https://evotec.xyz/de/blog/report-active-directory-accounts-that-are-synchronized-with-azure-ad</id><link href="https://evotec.xyz/de/blog/report-active-directory-accounts-that-are-synchronized-with-azure-ad" /><updated>2023-08-07T13:21:18.0000000Z</updated><summary>I was scrolling X (aka Twitter) today and saw this blog post, “PowerShell: Report On-Premises Active Directory Accounts that are Synchronized with Azure AD Connect” by Kevin Trent. I like reading blog posts as I tend to learn some new things and see how people tend to solve their problems.</summary><category term="active directory" /><category term="ad" /><category term="azure ad" /><category term="microsoft graph" /><category term="powershell" /></entry><entry><title>Strengthening Password Security in Active Directory: A PowerShell-Powered Approach</title><id>https://evotec.xyz/de/blog/strengthening-password-security-in-active-directory-a-powershell-powered-approach</id><link href="https://evotec.xyz/de/blog/strengthening-password-security-in-active-directory-a-powershell-powered-approach" /><updated>2023-05-28T14:40:25.0000000Z</updated><summary>PasswordSolution uses the DSInternals PowerShell module to gather Active Directory hashes and then combines that data into a prettified report. 
If you have ever used DSInternals, you know that while very powerful, it comes with raw data that is hard to process and requires some skills to get it into a state that can be shown to management or security.</summary><category term="active directory" /><category term="ad" /><category term="dsinternals" /><category term="html" /><category term="password quality" /><category term="passwordsolution" /><category term="powershell" /><category term="scan" /><category term="security" /><category term="Windows" /></entry><entry><title>Reporting group membership for critical Active Directory groups</title><id>https://evotec.xyz/de/blog/reporting-group-membership-for-critical-active-directory-groups</id><link href="https://evotec.xyz/de/blog/reporting-group-membership-for-critical-active-directory-groups" /><updated>2022-08-07T11:57:28.0000000Z</updated><summary>I work a lot with Active Directory-related tasks. One of the tasks is to know the group membership of critical Active Directory Groups such as Domain Admins, Enterprise Admins, Schema Admins, Event Log Readers, and a few others that are a bit less known. As I did it, I got bored of typing the group names repeatedly and decided that enough was enough and there must be an easier way for me to do that.</summary><category term="active directory" /><category term="ad" /><category term="group membership" /><category term="groups" /><category term="nested groups" /><category term="powershell" /><category term="Windows" /></entry><entry><title>Finding duplicate DNS records by IP Address using PowerShell</title><id>https://evotec.xyz/de/blog/finding-duplicate-dns-records-by-ip-adress-using-powershell</id><link href="https://evotec.xyz/de/blog/finding-duplicate-dns-records-by-ip-adress-using-powershell" /><updated>2022-07-26T17:23:53.0000000Z</updated><summary>In my earlier blog post, I showed you a way to find duplicate DNS entries using PowerShell, but the focus was on finding duplicate entries based on hostname. 
But what if you would like to find duplicate entries based on IP Addresses? This was the question I was asked on Reddit, and I thought it was a legitimate request, so today’s focus will be on transposing table output from earlier functions to present data differently.</summary><category term="active directory" /><category term="dns" /><category term="DNSServer" /><category term="duplicates" /><category term="powershell" /></entry><entry><title>Finding duplicate DNS entries using PowerShell</title><id>https://evotec.xyz/de/blog/finding-duplicate-dns-entries-using-powershell</id><link href="https://evotec.xyz/de/blog/finding-duplicate-dns-entries-using-powershell" /><updated>2022-07-24T16:48:21.0000000Z</updated><summary>Today’s blog post is about Active Directory-integrated DNS and how to find duplicate entries. By duplicate, I mean those where one DNS name matches multiple IP addresses. While some duplicate DNS entries are expected, in other cases, it may lead to problems. For example, having a static IP assigned to a hostname that later on is also updated with dynamic entries.</summary><category term="active directory" /><category term="ad" /><category term="dns" /><category term="DNSServer" /><category term="powershell" /></entry><entry><title>Finding duplicate SPN with PowerShell</title><id>https://evotec.xyz/de/blog/finding-duplicate-spn-with-powershell</id><link href="https://evotec.xyz/de/blog/finding-duplicate-spn-with-powershell" /><updated>2021-12-07T15:32:01.0000000Z</updated><summary>Duplicate SPNs aren’t very common but can happen in any Active Directory as there’s no built-in way that tracks and prevents duplicate SPNs. One has to either know all SPNs in the environment, track them, or check each time whether one already exists or not. 
Things get more complicated with larger Active Directory environments as people change, new apps are added, old apps are forgotten, but SPNs prevail.</summary><category term="active directory" /><category term="ad" /><category term="adessentials" /><category term="forest" /><category term="powershell" /><category term="spn" /><category term="testimo" /></entry><entry><title>Active Directory Domain Services could not replicate the directory partition – The replication operation encountered a database error</title><id>https://evotec.xyz/de/blog/active-directory-domain-services-could-not-replicate-the-directory-partition-the-replication-operation-encountered-a-database-error</id><link href="https://evotec.xyz/de/blog/active-directory-domain-services-could-not-replicate-the-directory-partition-the-replication-operation-encountered-a-database-error" /><updated>2021-11-28T14:38:20.0000000Z</updated><summary>If you ever encounter an error while trying to create a new domain within a forest saying, “The replication operation encountered a database error,” it makes you sweat a bit. Your brain tells you it will be a nightmare to fix, do I have proper backups to make it happen, and the question “why now” shows up.</summary><category term="active directory" /><category term="dcdiag" /><category term="dfs" /><category term="domain" /><category term="forest" /><category term="forest replication" /><category term="PowerShell" /><category term="testimo" /><category term="Windows" /></entry><entry><title>Monitoring LDAPS connectivity/certificate with PowerShell</title><id>https://evotec.xyz/de/blog/monitoring-ldaps-connectivity-certificate-with-powershell</id><link href="https://evotec.xyz/de/blog/monitoring-ldaps-connectivity-certificate-with-powershell" /><updated>2021-03-02T17:53:05.0000000Z</updated><summary>Some time ago, I wrote a blog post on checking for LDAP, LDAPS, LDAP GC, and LDAPS GC ports with PowerShell. 
It mostly works, but it requires a tad bit of effort, and it doesn’t cover the full scope that I wanted. Recently (well over 3 years ago), Chris Dent shared some code that verifies the LDAP certificate, and I thought this would be good to update my cmdlets to support just that with a bit of my own magic on top.</summary><category term="active directory" /><category term="ad" /><category term="ldap" /><category term="powershell" /><category term="testimo" /></entry><entry><title>The only command you will ever need to understand and fix your Group Policies (GPO)</title><id>https://evotec.xyz/de/blog/the-only-command-you-will-ever-need-to-understand-and-fix-your-group-policies-gpo</id><link href="https://evotec.xyz/de/blog/the-only-command-you-will-ever-need-to-understand-and-fix-your-group-policies-gpo" /><updated>2021-01-24T17:15:04.0000000Z</updated><summary>I’ve been working on cleaning up Group Policies for a couple of months. While it may seem trivial, things get complicated when you’re tasked with managing 5000 GPOs created over 15 years by multiple teams without any best practices in mind. While working on GPOZaurr (my new PowerShell module), I’ve noticed that the more code I wrote to manage those GPOs, the more I knew passing this knowledge to admins who will be executing this on a weekly/monthly basis is going to be a challenge. That’s why I’ve decided to follow a similar approach as my other Active Directory testing module called Testimo. I’ve created a single command that analyses Group Policies using different methods and shows views from different angles to deliver the full picture. 
On top of that, it provides a solution (or it tries to) so that it’s fairly easy to fix – as long as you agree with what it proposes.</summary><category term="active directory" /><category term="gpo" /><category term="group policy" /><category term="powershell" /></entry><entry><title>Using Win32_UserAccount WMI filter in PowerShell/Group Policies and what to avoid</title><id>https://evotec.xyz/de/blog/using-win32_useraccount-wmi-filter-in-powershell-group-policies-and-what-to-avoid</id><link href="https://evotec.xyz/de/blog/using-win32_useraccount-wmi-filter-in-powershell-group-policies-and-what-to-avoid" /><updated>2020-06-02T15:45:54.0000000Z</updated><summary>Some months ago, I created a PowerShell script to create local administrative users on workstations – Create a local user or administrator account in Windows using PowerShell. It’s a bit overcomplicated, but the goal was that it should work for Windows 7 and up, and that means supporting PowerShell 2.0. As part of that exercise, I’ve been using a Win32_UserAccount WMI-based query to find local users and manage them to an extent. While Get-LocalUser exists, it’s not suitable for the PowerShell 2.0 scenario. I also use the same query in GPO for WMI filtering. You can say it’s been a good friend of mine.</summary><category term="active directory" /><category term="ad" /><category term="gpo" /><category term="powershell" /><category term="wmi" /></entry><entry><title>Get-ADObject : The server has returned the following error: invalid enumeration context.</title><id>https://evotec.xyz/de/blog/get-adobject-the-server-has-returned-the-following-error-invalid-enumeration-context</id><link href="https://evotec.xyz/de/blog/get-adobject-the-server-has-returned-the-following-error-invalid-enumeration-context" /><updated>2020-05-15T11:32:58.0000000Z</updated><summary>In the last weeks, I’ve been working on a PowerShell module whose main goal is gathering and fixing GPOs. 
I’ve been testing my module many times in my test environment, and it worked fine until the moment I ran it in production, where it started to fail pretty quickly. The difference between my environment and production is 25 GPOs vs. 5000 GPOs. The error I was getting:</summary><category term="active directory" /><category term="get-adobject" /><category term="powershell" /></entry><entry><title>The security account manager (SAM) has determined that SID is already in use in the Forest</title><id>https://evotec.xyz/de/blog/the-security-account-manager-sam-has-determined-that-sid-is-already-in-use-in-the-forest</id><link href="https://evotec.xyz/de/blog/the-security-account-manager-sam-has-determined-that-sid-is-already-in-use-in-the-forest" /><updated>2020-03-12T19:02:42.0000000Z</updated><summary>The security account manager (SAM) has determined that the security identifier (SID) for this computer is already in use in the Forest you want to join. This can happen when restoring an Active Directory Domain Controller with an improper backup. Reinstall the operating system on the local AD DC to obtain a new SID.</summary><category term="active directory" /><category term="powershell" /><category term="sid" /><category term="Windows" /></entry><entry><title>Active Directory DFS Health Check with PowerShell</title><id>https://evotec.xyz/de/blog/active-directory-dfs-health-check-with-powershell</id><link href="https://evotec.xyz/de/blog/active-directory-dfs-health-check-with-powershell" /><updated>2020-02-20T20:29:20.0000000Z</updated><summary>One of the critical parts of Active Directory is DFS. It allows you to share the same NETLOGON/SYSVOL folders across all Domain Controllers in your Forest. Its health is vital to the functionality of your Active Directory. If it’s broken, a lot of things may not work, and it’s not that easy to tell the status of it. At first sight, everything may seem to work correctly, but if you take a closer look – not so much. 
It’s great if you find it out by yourself, but not fun if suddenly GPOs don’t apply to some users and computers, and you find out a year later.</summary><category term="active directory" /><category term="adessentials" /><category term="dfs" /><category term="gpo" /><category term="PowerShell" /><category term="testimo" /></entry><entry><title>Finding GPOs missing permissions that may prevent GPOs from working correctly</title><id>https://evotec.xyz/de/blog/finding-gpos-missing-permissions-that-may-prevent-gpos-from-working-correctly</id><link href="https://evotec.xyz/de/blog/finding-gpos-missing-permissions-that-may-prevent-gpos-from-working-correctly" /><updated>2020-02-19T21:08:35.0000000Z</updated><summary>I’ve been in IT for a longer time now. I’ve made my fair share of mistakes and misconfigurations. One of those misconfigurations was removing Authenticated Users from Security filtering in Group Policy Objects. While it worked fine, at some point Microsoft rolled out a Hotfix, MS16-07, on June 14th 2016.</summary><category term="active directory" /><category term="adessentials" /><category term="gpo" /><category term="powershell" /></entry><entry><title>Renaming NETBIOS name of Active Directory Error</title><id>https://evotec.xyz/de/blog/renaming-netbios-name-of-active-directory-error</id><link href="https://evotec.xyz/de/blog/renaming-netbios-name-of-active-directory-error" /><updated>2020-02-16T15:38:02.0000000Z</updated><summary>Recently I was testing renaming the NETBIOS name of an Active Directory domain. While this process is fairly easy, there are a few gotchas, and before one would like to rename their domain or NETBIOS name, serious testing is required to be sure everything works after the rename. In the end, if something goes wrong, the rollback will not be a walk in the park. It will hurt, and it will eat your time. 
So there I was, going through the usual steps.</summary><category term="active directory" /><category term="netbios" /><category term="powershell" /></entry><entry><title>Removing user from local administrator group based on data stored in Active Directory</title><id>https://evotec.xyz/de/blog/removing-user-from-local-administrator-group-based-on-data-stored-in-active-directory</id><link href="https://evotec.xyz/de/blog/removing-user-from-local-administrator-group-based-on-data-stored-in-active-directory" /><updated>2019-11-17T21:09:21.0000000Z</updated><summary>We need to deal with group names through SIDs rather than names because each group name is different in different languages. The second problem is to distinguish whether a user is a local or domain user. Finally, I need to connect to Active Directory to verify if the user I am about to remove has ExtensionAttribute10 (or any other field in AD) filled in or not.</summary><category term="active directory" /><category term="adsi" /><category term="powershell" /><category term="powershell 2.0" /><category term="windows 7" /></entry><entry><title>What do we say to health checking Active Directory?</title><id>https://evotec.xyz/de/blog/what-do-we-say-to-health-checking-active-directory</id><link href="https://evotec.xyz/de/blog/what-do-we-say-to-health-checking-active-directory" /><updated>2019-09-08T15:48:39.0000000Z</updated><summary>Setting up a new Active Directory is an easy task. You download and install Windows Server, install the required roles, and in 4 hours or less have a basic Active Directory setup. In an ideal world that would be all, and your only task would be to manage users, computers, and groups, occasionally creating some Group Policies. Unfortunately, things with Active Directory aren’t as easy as I’ve pictured it. Active Directory is a whole ecosystem and works well ranging from small companies with ten users to 500k users or more (haven’t seen one myself – but so they say!). 
When you scale Active Directory, adding more servers and more domains, things tend to get complicated, and while things on top may look like they work correctly, in practice, they may not. That’s why, as an Administrator, you need to manage Active Directory in terms of its Health and Security. Seems easy, right? Not quite. While you may think you have done everything, checked everything, there’s always something missing. Unless you have instructions for everything and can guarantee that things stay the same way as you left them forever, it’s a bit more complicated. That’s why Microsoft gives you tools to troubleshoot your Active Directory, such as dcdiag, repadmin and some others. They also sell monitoring solutions such as Microsoft SCOM which can help and detect when some things happen in your AD while you were gone. Surely there are some 3rd-party companies that give you some tools that can help with a lot of that as well. Finally, there are lots of folks within the community creating PowerShell scripts or functions that help with some Health Checks of your Active Directory.</summary><category term="active directory" /><category term="ad" /><category term="dhcp" /><category term="dns" /><category term="health checks" /><category term="powershell" /><category term="security checks" /><category term="testimo" /><category term="Windows" /></entry><entry><title>Getting Active Directory Last Backup Time using PowerShell</title><id>https://evotec.xyz/de/blog/getting-active-directory-last-backup-time-using-powershell</id><link href="https://evotec.xyz/de/blog/getting-active-directory-last-backup-time-using-powershell" /><updated>2019-08-05T12:40:18.0000000Z</updated><summary>I shouldn’t be telling you that, but Active Directory Backup is an essential part of your Active Directory setup. When a backup of Active Directory happens, AD is aware of it. 
The following PowerShell solution allows you to get the Active Directory Last Backup Time for the whole forest or by domain.</summary><category term="active directory" /><category term="powershell" /></entry><entry><title>Testing LDAP and LDAPS connectivity with PowerShell</title><id>https://evotec.xyz/de/blog/testing-ldap-and-ldaps-connectivity-with-powershell</id><link href="https://evotec.xyz/de/blog/testing-ldap-and-ldaps-connectivity-with-powershell" /><updated>2019-08-04T14:55:32.0000000Z</updated><summary>One of the common ways to connect to Active Directory is through the LDAP protocol. There are a lot of applications that talk to AD via LDAP. By default Active Directory has LDAP enabled, but that’s a bit insecure in today’s world. That’s where LDAPS comes in. It’s not easy to set up, but when you get it done, it works. The problem I had recently is that while setting up LDAPS on DCs I only did this on some of the DCs, and not all of them as I should.</summary><category term="active directory" /><category term="ldap" /><category term="powershell" /></entry><entry><title>Instant Replication between Active Directory sites with PowerShell</title><id>https://evotec.xyz/de/blog/active-directory-instant-replication-between-sites-with-powershell</id><link href="https://evotec.xyz/de/blog/active-directory-instant-replication-between-sites-with-powershell" /><updated>2019-07-21T13:31:06.0000000Z</updated><summary>In Active Directory when you change something, it’s replicated to other Domain Controllers regularly. It’s a standard procedure that happens automatically in the background for you. It’s a handy feature because you can have multiple DCs all over the world and have your users’ data in sync. You can change almost anything on the DC nearest to you and be sure it will be the same value all over the place. But is it always the same? Well, it should be unless it isn’t. Today I was given a new migration from Exchange to Office 365. 
I started with ADConnect installation and wanted to make sure that UserPrincipalNames have all UPNSuffixes in place.</summary><category term="active directory" /><category term="ad" /><category term="instant replication" /><category term="powershell" /><category term="replication" /></entry><entry><title>Getting Bitlocker and LAPS summary report with PowerShell</title><id>https://evotec.xyz/de/blog/getting-bitlocker-and-laps-summary-report-with-powershell</id><link href="https://evotec.xyz/de/blog/getting-bitlocker-and-laps-summary-report-with-powershell" /><updated>2019-07-11T17:07:22.0000000Z</updated><summary>Having Bitlocker and LAPS in modern Active Directory is a must. But just because you enable GPO and have a process that should say Bitlocker and LAPS are enabled doesn’t mean much. Now and then you should verify things yourself. One of the Facebook users on PowerShell group just had this idea of exporting Bitlocker keys and then giving that list to his colleagues for manual verification. He wanted to do it half PowerShell and half manually. While the idea was great, why not take full advantage of PowerShell and have a helpful report with all the necessary information?</summary><category term="active directory" /><category term="ad" /><category term="bitlocker" /><category term="laps" /><category term="powershell" /></entry><entry><title>Fixing Active Directory PasswordNotRequired with PowerShell</title><id>https://evotec.xyz/de/blog/fixing-active-directory-passwordnotrequired-with-powershell</id><link href="https://evotec.xyz/de/blog/fixing-active-directory-passwordnotrequired-with-powershell" /><updated>2019-06-25T10:29:44.0000000Z</updated><summary>There was I, deploying PSPasswordExpiryNotifications for one of my Clients when I started getting complaints that some users are not getting their Password Expiry Notifications. Well, that’s a new one. I’ve tested this script multiple times, and it worked just fine. 
So I dive into the details of my script to see what I did in there (I don’t even remember anymore – it just works) to find out this little line:</summary><category term="active directory" /><category term="ad" /><category term="PasswordNotRequired" /><category term="powershell" /></entry><entry><title>Getting Windows 10 build version from Active Directory</title><id>https://evotec.xyz/de/blog/getting-windows-10-build-version-from-active-directory</id><link href="https://evotec.xyz/de/blog/getting-windows-10-build-version-from-active-directory" /><updated>2019-06-14T15:03:06.0000000Z</updated><summary>Today I saw an article on how to get a Windows Version Report from Active Directory and thought that this is a cool idea. Something handy for migration scenarios or information on how up to date your infrastructure is. Since there are many ways to do the same thing, I decided to tackle this myself and further include it in the PSWinDocumentation.AD project. By default Active Directory stores Operating System and Operating System Version, but it doesn’t really show the versions one may expect.</summary><category term="active directory" /><category term="build" /><category term="powershell" /><category term="windows 10" /></entry><entry><title>How I didn’t know how powerful and fast hashtables are</title><id>https://evotec.xyz/de/blog/how-i-didnt-know-how-powerful-and-fast-hashtables-are</id><link href="https://evotec.xyz/de/blog/how-i-didnt-know-how-powerful-and-fast-hashtables-are" /><updated>2019-05-19T09:49:26.0000000Z</updated><summary>I’ve been using PowerShell for a long while now using Hashtables, OrderedDictionary, and other types of data types in PowerShell, but I never paid attention to how powerful those are. And I don’t mean your general knowledge about hashtables that is already covered by Kevin Marquette in his article Everything you wanted to know about Hashtables or my article PowerShell – Few tricks about HashTables and Arrays I wish I knew when I started. 
Let’s find out how powerful they are, shall we?</summary><category term="active directory" /><category term="hashtable" /><category term="learn" /><category term="powershell" /><category term="speed" /></entry><entry><title>The only PowerShell Command you will ever need to find out who did what in Active Directory</title><id>https://evotec.xyz/de/blog/the-only-powershell-command-you-will-ever-need-to-find-out-who-did-what-in-active-directory</id><link href="https://evotec.xyz/de/blog/the-only-powershell-command-you-will-ever-need-to-find-out-who-did-what-in-active-directory" /><updated>2019-04-28T15:52:32.0000000Z</updated><summary>While the title of this blog may be a bit of an exaggeration, the command I’m trying to show here does its best to deliver on the promise. What you’re about to witness here is something I’ve worked on for a while now, and it meets my basic needs. If you don’t have a SIEM product or products that monitor who does what in Active Directory, this command makes it very easy, even for people who don’t have much experience in reading Event Logs. If you’d like to learn about working with Windows Event Logs, here’s a great article I wrote recently – PowerShell – Everything you wanted to know about Event Logs and then some.</summary><category term="active directory" /><category term="ad" /><category term="events" /><category term="events viewer" /><category term="powershell" /><category term="pswinreporting" /><category term="pswinreportingv2" /><category term="Windows" /></entry><entry><title>Backing up Bitlocker Keys and LAPS passwords from Active Directory</title><id>https://evotec.xyz/de/blog/backing-up-bitlocker-keys-and-laps-passwords-from-active-directory</id><link href="https://evotec.xyz/de/blog/backing-up-bitlocker-keys-and-laps-passwords-from-active-directory" /><updated>2019-03-31T20:01:43.0000000Z</updated><summary>Having a modern, secure infrastructure in 2019 is a requirement. 
You should implement BitLocker to make sure that in the event of a stolen laptop, data is not readily extractable, and implementing LAPS is a must in a fast-changing IT world. But I’m not here to convince you of those two security features. I’m here to show you an easy way to back up LAPS and BitLocker. While having everything stored in Active Directory is excellent, things can get complicated when you don’t have access to your Active Directory, or you restore an older version of it. You see, LAPS, for example, keeps only the last Administrator password. This is great and all, but what happens if you restore the machine from a backup from 6 months back? Your password has already changed multiple times. During our testing of DR scenarios, we wanted to access the computer via its local Administrator credentials, and we just couldn’t because that password was already gone.</summary><category term="active directory" /><category term="bitlocker" /><category term="laps" /><category term="powershell" /></entry><entry><title>Active Directory – The directory service was unable to allocate a relative identifier</title><id>https://evotec.xyz/de/blog/active-directory-the-directory-service-was-unable-to-allocate-a-relative-identifier</id><link href="https://evotec.xyz/de/blog/active-directory-the-directory-service-was-unable-to-allocate-a-relative-identifier" /><updated>2019-03-27T20:39:25.0000000Z</updated><summary>I’ve been testing a Disaster Recovery scenario restoring Active Directory. One of the servers was restored, and it worked for a moment after the restore. If you can regain your Primary DC, it’s best to do so. If you can’t, a standard thing to do during DR is to move all FSMO roles to the restored server so that it can become a master server. 
You can find out your FSMO holders by using the commands below:</summary><category term="active directory" /><category term="ad" /><category term="error" /><category term="powershell" /></entry><entry><title>How to find different server types in Active Directory with PowerShell</title><id>https://evotec.xyz/de/blog/how-to-find-different-server-types-in-active-directory-with-powershell</id><link href="https://evotec.xyz/de/blog/how-to-find-different-server-types-in-active-directory-with-powershell" /><updated>2019-02-06T18:25:30.0000000Z</updated><summary>Working as a freelancer is a great thing if you can handle it. Each day, each week something new happens and a new problem shows up on my doorstep. It also means it’s almost never boring at your job and you get to play with new stuff. But there’s one drawback to this. You’re often thrown at the problem and told to fix it, but often that’s about as much information as you get. It wasn’t very different today. I was told to switch Office 365 from ADFS to Password Synchronization. While the reasons for this are not really important, the important question here is: what is the name of the AD Connect server that’s responsible for this configuration?</summary><category term="active directory" /><category term="ad" /><category term="adconnect" /><category term="azure ad" /><category term="exchange" /><category term="Hyper-V" /><category term="powershell" /><category term="sql" /><category term="windows" /></entry><entry><title>Active Directory – How to track down why and where the user account was locked out</title><id>https://evotec.xyz/de/blog/active-directory-how-to-track-down-why-and-where-the-user-account-was-locked-out</id><link href="https://evotec.xyz/de/blog/active-directory-how-to-track-down-why-and-where-the-user-account-was-locked-out" /><updated>2019-01-24T15:25:31.0000000Z</updated><summary>I’ve been working with Windows Events for a while now. 
One of the things I did to help me diagnose problems and report on Windows Events was to write PSEventViewer to help parse the logs, and PSWinReporting to help monitor (using PSEventViewer) Domain Controllers for events that happen across the domain. It’s handy, and I get those excellent daily reports of what happened while I was gone.</summary><category term="active directory" /><category term="event viewer" /><category term="get-events" /><category term="get-winevent" /><category term="powershell" /><category term="pseventviewer" /><category term="pswinreporting" /><category term="windows" /><category term="windows server" /></entry><entry><title>Active Directory – Move-AD Directory Server Operation Master Role: Access is denied</title><id>https://evotec.xyz/de/blog/active-directory-move-addirectoryserveroperationmasterrole-access-is-denied</id><link href="https://evotec.xyz/de/blog/active-directory-move-addirectoryserveroperationmasterrole-access-is-denied" /><updated>2019-01-06T09:10:18.0000000Z</updated><summary>When working with Active Directory, one of the common tasks is to move FSMO roles between servers. Well, maybe not that common, but it happens from time to time that you have to move all or just some of the FSMO roles. For that purpose, there is a single PowerShell command, Move-ADDirectoryServerOperationMasterRole. Sure, you can do this via the GUI, but if there’s one command available to fix it all, why bother? To make the move one has to be a Domain Admin, Enterprise Admin and Schema Admin.
Everything was going smoothly for some roles but wasn’t working for others.</summary><category term="active directory" /><category term="fsmo" /><category term="powershell" /></entry><entry><title>Azure AD Connect – Synchronizing MAIL field with UserPrincipalName in Azure</title><id>https://evotec.xyz/de/blog/azure-ad-connect-synchronizing-mail-field-with-userprincipalname-in-azure</id><link href="https://evotec.xyz/de/blog/azure-ad-connect-synchronizing-mail-field-with-userprincipalname-in-azure" /><updated>2018-11-09T21:45:47.0000000Z</updated><summary>Azure AD Connect is an application responsible for synchronizing Active Directory with Azure AD, allowing for a natural population of users, groups, and devices in Office 365. While for most companies the standard setup is very easy and most of the time touch-free, there are companies which require greater customization. During installation of AD Connect, you choose which attribute from your AD should be used as the Azure AD username. The UserPrincipalName field is an obvious choice for this and is also proposed by default for that purpose. This field is further used by your users to log in to your Exchange, SharePoint, Teams and so on.</summary><category term="active directory" /><category term="azure" /><category term="azure ad" /><category term="office 365" /></entry><entry><title>PSWinDocumentation – Audit Active Directory Passwords</title><id>https://evotec.xyz/de/blog/pswindocumentation-audit-active-directory-passwords</id><link href="https://evotec.xyz/de/blog/pswindocumentation-audit-active-directory-passwords" /><updated>2018-10-07T17:57:42.0000000Z</updated><summary>If you’re paying attention to what’s happening around the world, you probably know the Have I Been Pwned service by now. You probably know that it has huge lists of hashes of passwords that leaked over the years from different services (LinkedIn, Adobe, and so on). This means those passwords are now in the possession of good guys, but also bad guys.
With Active Directory often being the central place to store the password that gives you access to your Office 365 account, ADFS and Microsoft Exchange, it’s important that your AD passwords are both secure and safe. Bad guys may want to try to access your email accounts or other data that’s available online. And having a list of passwords you or other people may have used before doesn’t help you in protecting your own data.</summary><category term="active directory" /><category term="ad" /><category term="audit" /><category term="powershell" /><category term="windows" /></entry><entry><title>PSWinReporting – Forwarders, Microsoft Teams, Slack, Microsoft SQL and more</title><id>https://evotec.xyz/de/blog/pswinreporting-forwarders-microsoft-teams-slack-microsoft-sql-and-more</id><link href="https://evotec.xyz/de/blog/pswinreporting-forwarders-microsoft-teams-slack-microsoft-sql-and-more" /><updated>2018-09-16T17:59:28.0000000Z</updated><summary>It’s been a while since PSWinReporting has been updated, or rather since I’ve written a blog post about it since it’s always…</summary><category term="active directory" /><category term="event log" /><category term="events" /><category term="microsoft teams" /><category term="ms sql" /><category term="powershell" /><category term="slack" /><category term="sql" /><category term="teams" /><category term="Windows" /></entry><entry><title>PSWinDocumentation – Version 0.1 with Word / Excel export</title><id>https://evotec.xyz/de/blog/pswindocumentation-version-0-1-with-word-excel-export</id><link href="https://evotec.xyz/de/blog/pswindocumentation-version-0-1-with-word-excel-export" /><updated>2018-08-23T20:07:04.0000000Z</updated><summary>A few weeks ago I released the first version of PSWinDocumentation. It was a simple, one-command module: you start it and get some basic AD information into a Microsoft Word document. Today… I’m releasing a new version with a somewhat bigger feature set. Are you ready for it?
Let’s go!</summary><category term="active directory" /><category term="ad" /><category term="excel" /><category term="powershell" /><category term="scripts" /><category term="windows" /><category term="word" /></entry><entry><title>PSWinReporting 1.0 – Monitoring Active Directory Events</title><id>https://evotec.xyz/de/blog/pswinreporting-1-0-is-out</id><link href="https://evotec.xyz/de/blog/pswinreporting-1-0-is-out" /><updated>2018-06-10T09:26:45.0000000Z</updated><summary>A few months after the initial release, a new public version, PSWinReporting 1.0, is released. While the name might not be…</summary><category term="active directory" /><category term="ad" /><category term="domain controller" /><category term="email" /><category term="html" /><category term="monitoring" /><category term="powershell" /><category term="powershell gallery" /><category term="powershell module" /><category term="Windows" /></entry><entry><title>Just different approach to Active Directory Password Notifications</title><id>https://evotec.xyz/de/blog/just-different-approach-to-active-directory-password-notifications</id><link href="https://evotec.xyz/de/blog/just-different-approach-to-active-directory-password-notifications" /><updated>2018-05-23T15:12:36.0000000Z</updated><summary>A long time ago I maintained a C# version of Password Expiry reminders.
It was working based on HTML templates…</summary><category term="active directory" /><category term="ad" /><category term="Password Notifications" /><category term="passwords" /><category term="PowerShell" /><category term="task scheduler" /><category term="tasks" /><category term="Windows" /></entry><entry><title>Get-EventsLibrary.ps1 – Monitoring Events PowerShell</title><id>https://evotec.xyz/de/blog/get-eventslibrary-ps1-monitoring-events-powershell</id><link href="https://evotec.xyz/de/blog/get-eventslibrary-ps1-monitoring-events-powershell" /><updated>2018-04-19T09:48:35.0000000Z</updated><summary>This event library (Get-EventsLibrary.ps1) is a PowerShell script that parses (mostly) Security logs on Domain Controllers. It has a few reporting capabilities…</summary><category term="active directory" /><category term="ad" /><category term="domain controller" /><category term="get-events" /><category term="monitoring" /><category term="powershell" /><category term="Windows" /></entry><entry><title>Monitoring User, Groups Changes in Active Directory – version 0.8</title><id>https://evotec.xyz/de/blog/whats-new-event-monitoring-0-8</id><link href="https://evotec.xyz/de/blog/whats-new-event-monitoring-0-8" /><updated>2018-04-17T19:23:09.0000000Z</updated><summary>💡 Little introduction: the Event Monitoring solution written in PowerShell is an event library script (Get-EventsLibrary.ps1) that parses (mostly) Security logs on…</summary><category term="active directory" /><category term="event logs" /><category term="events" /><category term="powershell" /><category term="script" /><category term="Windows" /></entry><entry><title>What’s new – Event Monitoring v0.7</title><id>https://evotec.xyz/de/blog/whats-new-event-monitoring-v0-7</id><link href="https://evotec.xyz/de/blog/whats-new-event-monitoring-v0-7" /><updated>2018-03-27T19:36:29.0000000Z</updated><summary>I’ve further optimized the code and added some more health checks so that the process is a bit smoother.
You can…</summary><category term="active directory" /><category term="ad" /><category term="dc" /><category term="domain controller" /><category term="event id" /><category term="event monitoring" /><category term="events" /><category term="monitoring" /><category term="PowerShell" /><category term="Windows" /></entry><entry><title>What’s new – Event Monitoring v0.6</title><id>https://evotec.xyz/de/blog/whats-new-event-monitoring-v0-6</id><link href="https://evotec.xyz/de/blog/whats-new-event-monitoring-v0-6" /><updated>2018-03-25T17:19:51.0000000Z</updated><summary>After receiving some feedback and seeing that some features were missing, the new version of Event Monitoring brings a few noticeable…</summary><category term="active directory" /><category term="ad monitoring" /><category term="changelog" /><category term="event monitoring" /><category term="events" /><category term="PowerShell" /><category term="version" /><category term="Windows" /></entry><entry><title>Monitoring Active Directory Changes on Users and Groups with PowerShell</title><id>https://evotec.xyz/de/blog/monitoring-active-directory-changes-on-users-and-groups-with-powershell</id><link href="https://evotec.xyz/de/blog/monitoring-active-directory-changes-on-users-and-groups-with-powershell" /><updated>2018-03-23T10:01:43.0000000Z</updated><summary>Working as an Administrator with Active Directory can be rewarding.
You can easily deploy new settings, make changes to users even…</summary><category term="active directory" /><category term="event id" /><category term="event log" /><category term="event viewer" /><category term="events" /><category term="group membership" /><category term="groups" /><category term="monitoring" /><category term="powershell" /><category term="security events" /><category term="user changes" /><category term="Windows" /></entry><entry><title>Synchronizing Active Directory with External Time Source</title><id>https://evotec.xyz/de/blog/synchronizing-active-directory-external-time-source</id><link href="https://evotec.xyz/de/blog/synchronizing-active-directory-external-time-source" /><updated>2018-01-24T16:33:18.0000000Z</updated><summary>One of the crucial parts of the modern IT world is proper time and date. While it may seem that 30…</summary><category term="active directory" /><category term="ad" /><category term="ntp" /><category term="ntp servers" /><category term="pdc" /><category term="powershell" /><category term="sync" /><category term="synchronization" /><category term="time" /><category term="time configuration" /><category term="time managment" /><category term="time source" /><category term="w32tm" /></entry><entry><title>Remove Protect Object setting from Organizational Unit via PowerShell</title><id>https://evotec.xyz/de/blog/remove-protect-object-setting-organizational-unit-via-powershell</id><link href="https://evotec.xyz/de/blog/remove-protect-object-setting-organizational-unit-via-powershell" /><updated>2017-12-13T20:26:06.0000000Z</updated><summary>Sometimes when you want to clean up Active Directory by deleting or moving Organizational Units, you get an Access Denied error…</summary><category term="active directory" /><category term="powershell" /><category term="windows 2012" /><category term="windows 2012 r2" /><category term="windows 2016" /></entry><entry><title>Azure ADConnect Export Failed – Permission-issue error</title><id>https://evotec.xyz/de/blog/azure-adconnect-export-failed-permission-issue-error</id><link href="https://evotec.xyz/de/blog/azure-adconnect-export-failed-permission-issue-error" /><updated>2017-10-08T19:23:20.0000000Z</updated><summary>During our recent setup of Azure ADConnect for one of our clients, we’ve been getting a permission-issue – Insufficient access rights…</summary><category term="active directory" /><category term="adconnect" /><category term="azure ad" /><category term="azure adconnect" /><category term="error" /><category term="errors" /><category term="export failed" /><category term="office 365" /><category term="permission-issue" /><category term="permissions" /><category term="powershell" /><category term="windows 2012R2" /><category term="windows 2016" /><category term="windows server 2016" /></entry><entry><title>Delegating Active Directory attribute physicalDeliveryOfficeName</title><id>https://evotec.xyz/de/blog/delegating-active-directory-attribute-physicaldeliveryofficename</id><link href="https://evotec.xyz/de/blog/delegating-active-directory-attribute-physicaldeliveryofficename" /><updated>2016-08-17T20:55:52.0000000Z</updated><summary>Being responsible for Active Directory, you’re often tasked with the fairly simple task of delegating permissions for users and groups. After…</summary><category term="active directory" /><category term="attributes" /><category term="physicalDeliveryOfficeName" /><category term="Windows" /><category term="windows 2012" /><category term="windows 2012 r2" /></entry></feed>