SS Technology Forum

Showing posts with label Windows 2008 R2. Show all posts

Monday, April 23, 2012

Active Directory: Active Directory Upgrade – French Version

Yagmoth555 has translated my “Active Directory Upgrade – High Level Steps” Microsoft Wiki article into French. Thanks, Philippe. Now you can read this article in three languages:

English Version - Active Directory: Active Directory Upgrade - High Level Steps

French Version - Mise à jour d'Active Directory - Étapes sommaires (fr-FR)

Italian Version - Panoramica di alto livello per l'upgrade di Active Directory (it-IT)

Wednesday, March 28, 2012

Active Directory: Active Directory Upgrade – Italian Version

Fabrizio Volpe, a fellow MVP, has translated my “Active Directory Upgrade – High Level Steps” Microsoft Wiki article into Italian. Thanks, Fabrizio. Now you can read this article in both languages.

English Version - Active Directory: Active Directory Upgrade - High Level Steps

Italian Version - Panoramica di alto livello per l'upgrade di Active Directory (it-IT)

Wednesday, March 14, 2012

Active Directory Mixed Mode and Built-in Groups

Issue

If your Active Directory domain is running in mixed mode (Windows 2000/2003 and Windows 2008 domain controllers side by side) and the PDC Emulator FSMO role is held by a Windows 2000 or Windows 2003 DC, you will not see the following built-in groups:

  • Event Log Readers
  • Cryptographic Operators
  • IIS_IUSRS
  • Certificate Service DCOM Access

Some of these groups were introduced with Windows Server 2008 and some have simply changed name. For example, Certificate Service DCOM Access serves the same purpose as CERTSVC_DCOM_ACCESS in Windows 2003.

The new groups are created by the PDC Emulator, so as long as that role is not on a Windows 2008 DC they never appear, even though Windows 2008 DCs exist in the domain. Transfer the PDC Emulator FSMO role to a Windows 2008/Windows 2008 R2 DC (or the DC running the newest OS in the domain) to resolve this issue.
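As an added check, not part of the original post: the following PowerShell uses the ActiveDirectory module (which needs a Windows Server 2008 R2 DC or the Active Directory Management Gateway Service somewhere in the domain) to report which DC holds the PDC Emulator and its OS version, and whether each of the four groups above exists. The groups are looked up by their well-known BUILTIN SIDs rather than by name, so renamed or localized names do not produce false alarms. The transfer command at the end is the documented cmdlet; the placeholder DC name is an assumption.

```powershell
# Added example: verify PDC Emulator OS version and presence of the Windows 2008 built-in groups.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = Get-ADDomainController -Identity $domain.PDCEmulator
"PDC Emulator: {0} ({1}, version {2}); domain mode: {3}" -f `
    $pdc.HostName, $pdc.OperatingSystem, $pdc.OperatingSystemVersion, $domain.DomainMode

# Well-known RIDs under S-1-5-32 (BUILTIN) for the groups that arrived with Windows Server 2008
$expected = @{
    'IIS_IUSRS'                       = 'S-1-5-32-568'
    'Cryptographic Operators'         = 'S-1-5-32-569'
    'Event Log Readers'               = 'S-1-5-32-573'
    'Certificate Service DCOM Access' = 'S-1-5-32-574'
}

$missing = @()
foreach ($name in $expected.Keys) {
    try {
        # Get-ADGroup -Identity accepts a SID string; query the PDC so we see what it has created
        $g = Get-ADGroup -Identity $expected[$name] -Server $pdc.HostName -ErrorAction Stop
        "{0,-32} present as '{1}'" -f $name, $g.Name
    } catch {
        "{0,-32} missing ({1})" -f $name, $expected[$name]
        $missing += $name
    }
}

# OperatingSystemVersion looks like "6.1 (7601)"; major version 6 = Windows Server 2008 / 2008 R2
$pdcVersion = [version]($pdc.OperatingSystemVersion -replace '\s.*$')
if ($missing -and $pdcVersion -lt [version]'6.0') {
    "The PDC Emulator runs a pre-2008 OS; move the role to a 2008+ DC and the groups will be created:"
    "  Move-ADDirectoryServerOperationMasterRole -Identity <NewPdcName> -OperationMasterRole PDCEmulator"
}
```

Role transfer is a change to a single, critical FSMO holder; run it in a maintenance window and confirm afterwards with netdom query fsmo (or Get-ADDomain again) that the role actually moved.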



Update - Wednesday, July 25, 2012 9:50 PM

I received the following email from Chris regarding this topic.  I thought I would share it with you.

From: Christoffer Andersson
Sent: Wednesday, July 25, 2012 9:50 PM
To: Santhosh Sivarajan
Subject: Active Directory - Built-In Groups

 

Just came across your article: http://portal.sivarajan.com/2012/03/active-directory-mixed-mode-and-built.html

Just wanted to share that: This can be accomplished without moving/transferring the PDC to a DSA running the latest bits: (This is how MS deal with the presence of the required RODC* groups even if the PDC isn’t running Win2k8 or above)
http://msdn.microsoft.com/en-us/library/dd240061(v=prot.13).aspx

The state that “runSamUpgradeTasks” are stored in sam-domain-updates, haven’t really got time to decode the values yet, but lower it allows re-creation of built in groups.

Modifying the “wellKnownOtherObjects” attribute on the SamServer object at the PDC (1. WIN2K DC) to contain “B:32: 6ACDD74F3F314AE396F62BBE6B2DB961:<X>” where <X> is the NTDS Settings object of (3. WIN2K3 DC), calling “runSamUpgradeTasks” will cause new groups defined in the Windows Server 2003 release to be created in the domain without moving off the PDC role from the (1. WIN2K DC)

 

Enfo Zipper

Christoffer Andersson – Principal Advisor

Tuesday, December 6, 2011

Microsoft Component Architecture Posters (Updated)

Update 3/13/2012 – Updated with Windows 8 Posters

Windows Server “8” (Windows Server 2012)

Windows Server “8” Beta Hyper-V Component Architecture Poster - http://www.microsoft.com/download/en/details.aspx?id=29189


Update 12/6/2011 12:21 PM – I have added a few more Component Architecture Posters to one of my old blogs - http://portal.sivarajan.com/2010/07/microsoft-component-architecture-poster.html

The Component Architecture Posters provide a visual reference for understanding the key services and technologies. The following is the collection of Microsoft Component Architecture posters:

Windows Server

Windows Server 2008 Active Directory - http://www.microsoft.com/download/en/details.aspx?id=17881

Windows Server 2008 Feature Components - http://www.microsoft.com/download/en/details.aspx?id=17881

Windows Server 2008 R2 Feature - http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7002

Windows Server 2008 R2 - Remote Desktop Services - http://www.microsoft.com/download/en/details.aspx?id=3262

Windows Server 2008 R2 - Hyper-V - http://www.microsoft.com/download/en/details.aspx?id=3501

Exchange

Exchange Server 2010 Architecture - http://www.microsoft.com/download/en/details.aspx?id=5764

Exchange Server 2010 Transport Server Role - http://www.microsoft.com/download/en/details.aspx?id=21987

Exchange Server 2007 Architecture- http://www.microsoft.com/download/en/details.aspx?id=4006

Exchange Server 2007 Transport Server Role - http://www.microsoft.com/download/en/details.aspx?id=13117

Lync Server

Lync Server 2010 Protocol Workloads - http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6797

SharePoint

Design Sample: Corporate Portal with Classic Authentication

  • Visio (http://go.microsoft.com/fwlink/?LinkId=196969)
  • PDF (http://go.microsoft.com/fwlink/?LinkId=196970)
  • XPS (http://go.microsoft.com/fwlink/?LinkId=196971)

Design Sample: Corporate Portal with Claims-based Authentication

  • Visio (http://go.microsoft.com/fwlink/?LinkId=196972)
  • PDF (http://go.microsoft.com/fwlink/?LinkId=196973)
  • XPS (http://go.microsoft.com/fwlink/?LinkId=196974)

SharePoint 2010 Products Deployment

  • Visio (http://go.microsoft.com/fwlink/?LinkId=183024)
  • PDF (http://go.microsoft.com/fwlink/?LinkId=183025)
  • XPS (http://go.microsoft.com/fwlink/?LinkId=183026)

Services in SharePoint 2010 Products

  • Visio (http://go.microsoft.com/fwlink/?LinkID=167090)
  • PDF (http://go.microsoft.com/fwlink/?LinkID=167092)
  • XPS (http://go.microsoft.com/fwlink/?LinkID=167091)

Cross-farm Services in SharePoint 2010 Products

  • Visio (http://go.microsoft.com/fwlink/?LinkID=167093)
  • PDF (http://go.microsoft.com/fwlink/?LinkID=167095)
  • XPS (http://go.microsoft.com/fwlink/?LinkID=167094)

Topologies for SharePoint Server 2010

  • Visio (http://go.microsoft.com/fwlink/?LinkID=167087)
  • PDF (http://go.microsoft.com/fwlink/?LinkID=167089)
  • XPS (http://go.microsoft.com/fwlink/?LinkID=167088)

Extranet Topologies for SharePoint 2010 Products

  • Visio (http://go.microsoft.com/fwlink/?LinkId=187987)
  • PDF (http://go.microsoft.com/fwlink/?LinkId=187988)
  • XPS (http://go.microsoft.com/fwlink/?LinkId=187986)

Hosting Environments in SharePoint 2010 Products

  • Visio (http://go.microsoft.com/fwlink/?LinkID=167084)
  • PDF (http://go.microsoft.com/fwlink/?LinkID=167086)
  • XPS (http://go.microsoft.com/fwlink/?LinkID=167085)

Search Technologies for SharePoint 2010 Products

  • Visio (http://go.microsoft.com/fwlink/?LinkID=167731)
  • PDF (http://go.microsoft.com/fwlink/?LinkID=167733)
  • XPS (http://go.microsoft.com/fwlink/?LinkID=167732)

Search Environment Planning for Microsoft SharePoint Server 2010

  • Visio (http://go.microsoft.com/fwlink/?LinkID=167734)
  • PDF (http://go.microsoft.com/fwlink/?LinkID=167736)
  • XPS (http://go.microsoft.com/fwlink/?LinkID=167735)

Search Architectures for Microsoft SharePoint Server 2010

  • Visio (http://go.microsoft.com/fwlink/?LinkID=167737)
  • PDF (http://go.microsoft.com/fwlink/?LinkID=167739)
  • XPS (http://go.microsoft.com/fwlink/?LinkID=167738)

Design Search Architectures for Microsoft SharePoint Server 2010

  • Visio (http://go.microsoft.com/fwlink/?LinkID=167740)
  • PDF (http://go.microsoft.com/fwlink/?LinkID=167742)
  • XPS (http://go.microsoft.com/fwlink/?LinkID=167741)

Business Connectivity Services Model

  • Visio (http://go.microsoft.com/fwlink/?LinkId=165565)
  • PDF (http://go.microsoft.com/fwlink/?LinkID=165566)
  • XPS (http://go.microsoft.com/fwlink/?LinkId=165571)

Content Deployment in SharePoint Server 2010

  • Visio (http://go.microsoft.com/fwlink/?LinkID=179391&clcid=0x409)
  • PDF (http://go.microsoft.com/fwlink/?LinkID=179523&clcid=0x409)
  • XPS (http://go.microsoft.com/fwlink/?LinkID=179524&clcid=0x409)

Microsoft SharePoint Server 2010 Upgrade Planning

  • Visio (http://go.microsoft.com/fwlink/?LinkId=167098)
  • PDF (http://go.microsoft.com/fwlink/?LinkId=167099)
  • XPS (http://go.microsoft.com/fwlink/?LinkId=167100)

Microsoft SharePoint Server 2010 Upgrade Approaches

  • Visio (http://go.microsoft.com/fwlink/?LinkId=167101)
  • PDF (http://go.microsoft.com/fwlink/?LinkId=167102)
  • XPS (http://go.microsoft.com/fwlink/?LinkId=167103)

Microsoft SharePoint Server 2010 — Test Your Upgrade Process

  • Visio (http://go.microsoft.com/fwlink/?LinkId=167104)
  • PDF (http://go.microsoft.com/fwlink/?LinkId=167105)
  • XPS (http://go.microsoft.com/fwlink/?LinkId=167106)

Microsoft SharePoint Server 2010 — Services Upgrade

  • Visio (http://go.microsoft.com/fwlink/?LinkId=167107)
  • PDF (http://go.microsoft.com/fwlink/?LinkId=167108)
  • XPS (http://go.microsoft.com/fwlink/?LinkId=167109)

Microsoft SharePoint Server 2010 — Upgrading Parent and Child Farms

  • Visio (http://go.microsoft.com/fwlink/?LinkId=190984)
  • PDF (http://go.microsoft.com/fwlink/?LinkId=190985)
  • XPS (http://go.microsoft.com/fwlink/?LinkId=190986)

Getting started with business intelligence in SharePoint Server 2010

  • Visio (http://go.microsoft.com/fwlink/?LinkId=167082)
  • PDF (http://go.microsoft.com/fwlink/?LinkId=167170)
  • XPS (http://go.microsoft.com/fwlink/?LinkId=167171)

Databases That Support SharePoint 2010 Products

  • Visio (http://go.microsoft.com/fwlink/?LinkId=187970)
  • PDF (http://go.microsoft.com/fwlink/?LinkId=187969)
  • XPS (http://go.microsoft.com/fwlink/?LinkId=187971)

SharePoint 2010 Products: Virtualization Process

Friday, November 11, 2011

Active Directory: Active Directory Domain Services (AD DS) Commands and Scripts

I have updated the “Active Directory: Active Directory Domain Services (AD DS) Commands and Scripts” TechNet Wiki article with more DS commands. Feel free to update/modify this article. http://social.technet.microsoft.com/wiki/contents/articles/3537.aspx

User

Identify OCS enabled users in Active Directory

dsquery * -filter "(msRTCSIP-UserEnabled=TRUE)" -limit 0 -attr name samaccountname

Query Password Last Set (pwdlastset) value

dsquery * -filter "(&(objectClass=user)(objectCategory=person))" -limit 0 -attr name pwdlastset

Note: pwdlastset is stored as a FILETIME (100-nanosecond intervals since 1 January 1601 UTC). A value can be converted with the w32tm /ntte <value> command.

Search Password Never Expires Settings

dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr samaccountname name

User accounts with “Do not require Kerberos preauthentication” enabled (userAccountControl bit 4194304 = 0x400000, ADS_UF_DONT_REQ_PREAUTH; these accounts deserve a review, because their Kerberos AS-REP can be requested without a password and cracked offline)

dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" -attr name samaccountname

Password Expiring in 30 Days (accounts whose password never expires are excluded; the two pwdLastSet bounds are FILETIME values exactly 30 days apart and have to be recalculated for the day you run the query)

dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=8388608)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(pwdLastSet>=129522420000000000)(pwdLastSet<=129548340000000000))" -attr samaccountname name

List all Roaming Profile users in Active Directory

dsquery * -filter "(&(objectClass=user)(objectCategory=person)(profilePath=*))" -limit 0 -attr name profilePath

Generate SIDHistory Report (add (sIDHistory=*) to the filter to list only accounts that actually carry one)

dsquery * -filter "(&(objectClass=user)(objectCategory=person))" -limit 0 -attr samAccountName sIDHistory

Generate SID (ObjectSID) Report

dsquery * -filter "(&(objectClass=user)(objectCategory=person))" -limit 0 -attr samAccountName objectSid
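Added example, not from the original article: the two large integers in the "Password Expiring in 30 Days" filter are FILETIME values that differ by 25 920 000 000 000 ticks of 100 ns, i.e. exactly 30 days (the lower one corresponds to 2011-06-11 05:00 UTC). Rather than hard-coding them, the PowerShell below (ActiveDirectory module) derives the window from the domain's maximum password age: a password that will expire within N days was last set between (now - MaxPasswordAge) and (now - MaxPasswordAge + N days). Flag constants are the decimal userAccountControl values; the variable and function names are mine.

```powershell
# Added example: compute the pwdLastSet window for "expires within N days" and run the search.
Import-Module ActiveDirectory

function Get-PwdLastSetWindow {
    param(
        [int]$Days = 30,
        [TimeSpan]$MaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge,
        [DateTime]$Now = (Get-Date).ToUniversalTime()
    )
    if ($MaxPasswordAge -le [TimeSpan]::Zero) { throw 'Domain policy has no maximum password age' }
    $oldest = $Now - $MaxPasswordAge       # set before this: already expired
    $newest = $oldest.AddDays($Days)       # set before this: expires within $Days
    [pscustomobject]@{
        Lower = $oldest.ToFileTimeUtc()    # the kind of number seen in the dsquery filter
        Upper = $newest.ToFileTimeUtc()
        # Reverse conversion for a value printed by dsquery: [DateTime]::FromFileTimeUtc(<value>)
    }
}

$w = Get-PwdLastSetWindow -Days 30
$UF_ACCOUNTDISABLE     = 2         # decimal userAccountControl bits
$UF_DONT_EXPIRE_PASSWD = 65536
$bitAnd = '1.2.840.113556.1.4.803'

# No clause for ADS_UF_PASSWORD_EXPIRED (8388608): in AD DS that bit is computed
# (msDS-User-Account-Control-Computed), never stored in userAccountControl, so a filter
# on it matches nothing. The lower pwdLastSet bound already excludes expired passwords.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!userAccountControl:${bitAnd}:=$UF_DONT_EXPIRE_PASSWD)" +
          "(!userAccountControl:${bitAnd}:=$UF_ACCOUNTDISABLE)" +
          "(pwdLastSet>=$($w.Lower))(pwdLastSet<=$($w.Upper)))"

$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
Get-ADUser -LDAPFilter $filter -Properties pwdLastSet |
    Select-Object SamAccountName,
        @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } },
        @{ n = 'ExpiresOn';  e = { [DateTime]::FromFileTimeUtc($_.pwdLastSet) + $maxAge } } |
    Sort-Object ExpiresOn
```

Two caveats: accounts covered by a fine-grained password policy (PSO) have a different maximum age than the default domain policy, and the authoritative per-account answer is the constructed attribute msDS-UserPasswordExpiryTimeComputed, which can be read per object but not used in an LDAP filter. The window search is a good first cut; verify individual accounts with that attribute.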

Group

Identify all Security Groups (groupType bit 2147483648 = 0x80000000, ADS_GROUP_TYPE_SECURITY_ENABLED)

dsquery * -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))" -limit 0 -attr samAccountName name

Identify all Built-In Security Groups (2147483649 = security + built-in local)

dsquery * -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483649))" -limit 0 -attr samAccountName name

Identify all Universal Security Groups (2147483656 = security + universal)

dsquery * -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656))" -limit 0 -attr samAccountName name

Identify all Global Security Groups (2147483650 = security + global)

dsquery * -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))" -limit 0 -attr samAccountName name

Computer

Move Computer Objects Based on OS Version

Note: operatingSystemVersion holds a value such as “6.1 (7601)”, so an exact match on 6.1 returns nothing; use a wildcard. Version 6.1 is shared by Windows 7 and Windows Server 2008 R2 (and 5.1 by Windows XP only), so the operatingSystem name is checked as well. Run the dsquery half on its own first to review what would be moved.

Move Windows 7 Computers

dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(objectClass=computer)(objectCategory=computer)(operatingSystem=Windows 7*)(operatingSystemVersion=6.1*))" -limit 0 | dsmove -newparent OU=Win7,OU=ComputerAccounts,DC=santhosh,DC=lab

Move Windows XP Computers

dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(objectClass=computer)(objectCategory=computer)(operatingSystem=Windows XP*)(operatingSystemVersion=5.1*))" -limit 0 | dsmove -newparent OU=WinXP,OU=ComputerAccounts,DC=santhosh,DC=lab

Domain Controller

Site and Subnet

List all Sites in Active Directory

dsquery site -o rdn -limit 0

Get Site Name from Subnet IP Address in Active Directory (for example, the site name for subnet 192.168.2.0/24)

dsquery subnet -name 192.168.2.0/24 | dsget subnet -site

Tuesday, October 4, 2011

Collect Service Info From Remote Servers – PowerShell Script

This PowerShell script can be used to collect service information from remote machines.

Input – input.csv contains all the computer names, one per line (the format is shown as a screenshot in the original post).

Script: shown as a screenshot in the original post; the download links below have the text version.

Output – The server and service information is written to the output file, ServiceInfo.csv.

Download – You can download the script from the following two locations:

  1. www.sivarajan.com - http://www.sivarajan.com/scripts/ServiceInfo.txt
  2. TechNet Script Gallery - http://gallery.technet.microsoft.com/Collect-Service-Info-From-6e3b044e

Update - 10/30/2012 6:15:26 AM

-Append for Export-Csv was introduced in PowerShell 3.0. If you are using PowerShell 3.0, just add -Append to the Export-CSV line. Otherwise use the Out-File cmdlet, which has always supported -Append. Note that Out-File writes the formatted table view of the objects, not CSV, so pipe the objects through ConvertTo-Csv first (the header line is then repeated for every server; collecting the results of all servers in one variable and calling Export-Csv once avoids that).

So update

get-wmiobject win32_service -computername $Server -Credential $Cred | Select SystemName,DisplayName,StartName,Status | Export-CSV $OutPutFile

with

get-wmiobject win32_service -computername $Server -Credential $Cred | Select SystemName,DisplayName,StartName,Status | ConvertTo-Csv -NoTypeInformation | Out-File $OutPutFile -Encoding ASCII -Append
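Added example, not the script from the original post: the same collection done with one Export-Csv call (so neither -Append nor Out-File is needed), followed by the two checks a security review of a service inventory usually starts with. It assumes input.csv has a ComputerName header and that the supplied credential has WMI/DCOM access to the targets; the file names and the checks are mine.

```powershell
# Added example: collect Win32_Service from listed servers, export once, then flag risky entries.
param(
    [string]$InputFile  = '.\input.csv',
    [string]$OutputFile = '.\ServiceInfo.csv'
)
$Cred = Get-Credential -Message 'Account with admin rights on the target servers'

$results = foreach ($row in Import-Csv -Path $InputFile) {
    $server = $row.ComputerName
    try {
        # PacketPrivacy encrypts the DCOM traffic; the default level does not
        Get-WmiObject -Class Win32_Service -ComputerName $server -Credential $Cred `
                      -Authentication PacketPrivacy -ErrorAction Stop |
            Select-Object SystemName, Name, DisplayName, StartMode, State, StartName, PathName
    } catch {
        Write-Warning ("{0}: {1}" -f $server, $_.Exception.Message)
    }
}
$results | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding ASCII

# 1. Services running under a domain or local user account. Their passwords are kept as
#    LSA secrets on the host, so every local administrator of that host can recover them.
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
$results |
    Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) } |
    Sort-Object StartName, SystemName |
    Format-Table SystemName, Name, StartName -AutoSize

# 2. Unquoted service paths with a space before the .exe, e.g. C:\Program Files\App\svc.exe:
#    the SCM tries C:\Program.exe first, a classic local privilege escalation.
#    (Heuristic: path does not start with a quote and contains whitespace before ".exe".)
$results |
    Where-Object { $_.PathName -match '^[^"].*\s.*\.exe' } |
    Format-Table SystemName, Name, PathName -AutoSize
```

The -Credential parameter cannot be used against the local machine; if the list includes the machine you run from, leave that line out or query it without credentials.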




Wednesday, September 21, 2011

Windows 8 Server – Remote DCPROMO and Deployment

Windows Server “8” introduces a lot of new features. In this blog, my focus is on the remote deployment capability of Windows Server 8. Local and remote servers can be administered and managed from the Server Manager console. In Server Manager you will see Local Server and All Servers sections, and you can add remote servers to the All Servers group:
Server Manager –> All Servers –> Add Servers

As shown in the next screenshot, remote servers can be selected from Active Directory or DNS, or imported from a file.

Once this is complete, the new servers appear in the All Servers group. You can add roles and features, change configuration or perform any other administration task from this console.

I am going to install the Active Directory Domain Services role and perform a remote DCPROMO on my remote server, SAN-WIN08-02.

The process is the same as installing a role on a local machine. You can see more information in http://portal.sivarajan.com/2011/09/windows-8-serveradd-and-remove-roles.html

The next step is to configure this server as a domain controller. On the Server Manager Dashboard, the required configuration details are shown in the Roles and Server Groups section.

From this notification window you can start the DCPROMO process (Post-deployment Configuration).

In this demo I am adding an additional domain controller to my existing domain. As you can see in the screenshot, three options are available:

  1. Add a domain controller to an existing domain
  2. Add a new domain to an existing forest
  3. Add a new forest

The configuration wizard also offers a few more options, such as selecting a site name and whether the server is a global catalog (GC).

You can configure or enable DNS delegation and change credentials if needed.

In the next window you can set the database, log and SYSVOL locations, and select a domain controller to replicate from (Replicate From).

More options are available to customize application partition replication: add or remove partitions, replicate only critical data, and so on.

Review the installation options and click Next to start the domain controller promotion. This server (SAN-WIN08-02) will be an additional domain controller in the Santhosh.Lab2 domain.

These settings can be exported to a Windows PowerShell script to automate the installation.

The DCPROMO process performs a prerequisite check and completes the installation. You will see the summary report in the Installation Results window.
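Added example, not code from the original post: the unattended form of the wizard steps above, using the ADDSDeployment cmdlets that shipped with the released Windows Server 2012 (the script the wizard exports has this shape). Server, domain and default paths are the values from the post; the site name, the DSRM password prompt and the commented replication source are assumptions for the example.

```powershell
# Added example: remote AD DS role install and DC promotion with ADDSDeployment.
$Target = 'SAN-WIN08-02'
$Domain = 'santhosh.lab2'
$Cred   = Get-Credential -Message 'Account allowed to add a domain controller'
$Dsrm   = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 1. Install the AD DS role on the remote server from the management workstation
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools `
    -ComputerName $Target -Credential $Cred

# 2. Prerequisite check, then the promotion itself, both run on the target
Invoke-Command -ComputerName $Target -Credential $Cred -ArgumentList $Domain, $Cred, $Dsrm -ScriptBlock {
    param($Domain, $Cred, $Dsrm)
    Import-Module ADDSDeployment
    $settings = @{
        DomainName                    = $Domain
        Credential                    = $Cred
        SiteName                      = 'Default-First-Site-Name'   # assumption
        InstallDns                    = $true
        CreateDnsDelegation           = $false
        NoGlobalCatalog               = $false                       # make it a GC
        CriticalReplicationOnly       = $false                       # replicate everything now
        DatabasePath                  = 'C:\Windows\NTDS'
        LogPath                       = 'C:\Windows\NTDS'
        SysvolPath                    = 'C:\Windows\SYSVOL'
        SafeModeAdministratorPassword = $Dsrm                        # never a clear-text literal
        # ReplicationSourceDC         = 'dc1.santhosh.lab2'          # "Replicate From", optional
    }
    $check = Test-ADDSDomainControllerInstallation @settings
    if ($check.Status -ne 'Success') {
        Write-Warning "Prerequisite check failed: $($check.Message)"
        return
    }
    Install-ADDSDomainController @settings -NoRebootOnCompletion:$false -Force:$true
}
```

The DSRM password is a second, offline administrator password for the DC; treat the exported script accordingly and keep the prompt rather than embedding a value.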


Friday, September 16, 2011

Windows 8 Server–Add and Remove Roles

As you know, the Metro UI and Metro-style applications are introduced in the Windows 8 server and workstation OS, so the management interface is different in Windows 8. In this blog, my goal is to explain the procedure for adding or removing a server role on Windows 8 Server.

You need to use Server Manager to add or remove roles. In Windows 8 you can open Server Manager from the UI itself; by default, Server Manager opens at logon.

From the Server Manager Dashboard, select Manage and then Add Roles and Features or Remove Roles and Features. I am going to remove the DNS role from this server.

Click Next in the Remove Roles and Features Wizard window.

Select the server name from the server pool or configuration and click Next.

Clear the checkbox next to the role (I am removing the DNS role from this server).

Click Next, or select a feature to remove.

Click Next in the Confirmation window.

You will see the progress as shown in the screenshot. You can close this window without interrupting the running task and open the page again later to see the progress.

Depending on the role, you may need to restart the server. The Shutdown and Restart buttons are in a different location on Windows 8: you will find them in the lower right side of the window.

It will ask you to select a reason for the restart or shutdown (Shutdown Event Tracker).

And yes, I am running Windows 8 Server on my Hyper-V box. I received a few emails about Windows 8 installation issues on Hyper-V; I managed to install it on Hyper-V.

Thursday, September 1, 2011

ObjectSID and Active Directory

What is an objectSID in Active Directory?

When a new security principal (user, group or computer) is created in Active Directory, the domain controller assigns it a unique value, the objectSid, that identifies it as a security principal. An objectSid consists of a domain identifier prefix that uniquely identifies the domain and a Relative Identifier (RID) that uniquely identifies the security principal within that domain; because of the domain prefix the SID as a whole is unique across the forest. The RID is the last sub-authority of the SID and is handed out from a monotonically increasing pool.

How do I get objectSid information from Active Directory?

You can see the objectSid using ADSI Edit or the Attribute Editor, or you can use DSQUERY commands. I will explain these details with a few screenshots:

Domain SID – I am using a DSQUERY command with a name filter to get the SID of my domain (screenshots in the original post).

User SID – As the screenshots show, the objectSid of the user TestABC1 consists of the domain SID of the domain (santhosh) followed by the RID of the user account.

RID Allocation

RIDs are assigned from the RID pool (rIDAllocationPool) of the domain controller that creates the object. Each domain controller is assigned a block of RIDs from the global RID pool by the domain controller that holds the RID Master FSMO role. You can get the RID pool allocation details with the dcdiag /test:ridmanager /v command.

Keep in mind that the RID pool is different on each domain controller, so the RID an object receives depends on which domain controller you create it on. Here is an example from the second domain controller in my domain: as the screenshot shows, if I create a new object on this domain controller it is assigned 1601 (rIDNextRID) as its RID.

You can also use a DSQUERY command to get the properties of the RID Set object. However, you need to convert some of the values.

By default, RID pools are allocated in blocks of 500 (rIDAllocationPool).
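Added example, not from the original post: PowerShell that takes an objectSid apart exactly as described above (domain SID prefix plus RID) and handles the binary form that LDAP/ADSI return, using only the .NET SecurityIdentifier class, so it runs without a domain. The user SID in the example is constructed for illustration, not a real domain's SID; the function names are mine. The final comment shows the same split applied to a live object with the ActiveDirectory module.

```powershell
# Added example: split an objectSid into domain SID and RID; convert binary <-> string form.
function Split-ObjectSid {
    param([Parameter(Mandatory)]$Sid)   # "S-1-5-…" string, byte[] (objectSid), or SecurityIdentifier
    $sidObj = if ($Sid -is [byte[]]) {
        # objectSid as stored in AD: the binary SID structure, offset 0
        New-Object System.Security.Principal.SecurityIdentifier($Sid, 0)
    } else {
        [System.Security.Principal.SecurityIdentifier]$Sid
    }
    $rid = [int](($sidObj.Value -split '-')[-1])
    [pscustomobject]@{
        Sid       = $sidObj.Value
        DomainSid = $sidObj.AccountDomainSid.Value   # $null for BUILTIN (S-1-5-32-*) and other non-domain SIDs
        Rid       = $rid
        # RIDs below 1000 are reserved well-known principals (500 Administrator, 512 Domain Admins, ...);
        # RIDs from 1000 upwards come from a DC's rIDAllocationPool block as described above.
        WellKnown = ($rid -lt 1000)
    }
}

function ConvertTo-ObjectSidBytes {
    # The byte form dsquery/ADSI display (usually base64-encoded) is what this produces.
    param([Parameter(Mandatory)][string]$Sid)
    $s = [System.Security.Principal.SecurityIdentifier]$Sid
    $bytes = New-Object byte[] $s.BinaryLength
    $s.GetBinaryForm($bytes, 0)
    ,$bytes                              # leading comma keeps the array intact on output
}

$userSid = 'S-1-5-21-1004336348-1177238915-682003330-1601'   # constructed example SID
Split-ObjectSid $userSid
#   DomainSid S-1-5-21-1004336348-1177238915-682003330, Rid 1601, WellKnown False
Split-ObjectSid (ConvertTo-ObjectSidBytes $userSid)          # identical result from the byte form
Split-ObjectSid 'S-1-5-32-544'                                # BUILTIN\Administrators: no domain prefix, Rid 544

# Live object with the AD module: the account's own SID, then every sIDHistory entry,
# which carries the SID of the *source* domain the account was migrated from.
# Get-ADUser TestABC1 -Properties sIDHistory | ForEach-Object {
#     Split-ObjectSid $_.SID
#     $_.sIDHistory | ForEach-Object { Split-ObjectSid $_ }
# }
```

A sIDHistory whose DomainSid equals the current domain's SID, or one that resolves to a privileged RID such as 512 or 519 in another domain, is worth investigating: SID history is exactly what SID filtering on trusts exists to neutralize.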


Other Related Blogs and Articles:

Verify sIDHistory and Identify the Source User Account - http://portal.sivarajan.com/2011/03/verify-sidhistory-and-identify-source.html

ObjectSID Vs sIDHistory - http://sivarajan.com/forum/viewthread.php?tid=8

Identify SID Using DSQUERY Command - http://portal.sivarajan.com/2010/06/identify-sid-using-dsquey-command.html

PowerShell Script - Search Active Directory and Generate SIDHistory Report - http://portal.sivarajan.com/2010/12/powershell-script-search-active.html

SID Filtering – Access is denied - http://portal.sivarajan.com/2009/06/sid-filtering-access-is-denied.html

ADMT SID Mapping File Generation Using DSQUERY Command - http://portal.sivarajan.com/2011/04/admt-sid-mapping-file-generation-using.html

sIDHistory Report - with Multi Value Support - http://portal.sivarajan.com/2011/04/sidhistory-report-with-multi-value.html


Tuesday, August 9, 2011

Active Directory and userAccountControl Attribute

As you know, searching Active Directory attributes with DSQUERY commands or scripts is not difficult: you read the values directly from the attribute. However, searching for the enabled/disabled status, “password never expires” and similar settings can be challenging, because these properties are not stored in attributes of their own. They are flags inside a single attribute called userAccountControl.

What is userAccountControl?

It is a 4-byte (32-bit) integer that represents a bitwise enumeration of flags controlling the behaviour of an account. The attributeID of userAccountControl is the X.500 Object Identifier (OID) 1.2.840.113556.1.4.8; do not confuse it with the matching-rule OIDs used in the filters below, which are separate OIDs.

How do I search userAccountControl values in Active Directory?

It is like searching any other attribute, but you have to express the flag as a number and use an LDAP extensible-match filter. The syntax of the LDAP matching rule is

attributename:ruleOID:=value

where attributename is the LDAP display name (in this case userAccountControl), ruleOID is the OID of the bitwise matching rule (1.2.840.113556.1.4.803 or 1.2.840.113556.1.4.804, explained below), and value is the decimal value of the flag(s) you want to search for. I will explain the details using a couple of examples.

The following DSQUERY command returns all disabled user accounts in Active Directory.

dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr name

Bit 2 set in userAccountControl means the user account is disabled (ADS_UF_ACCOUNTDISABLE).

And the following DSQUERY command returns all users with the 'Password Never Expires' setting enabled.

dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr name

Bit 65536 set in userAccountControl means the account has the 'Password Never Expires' flag (ADS_UF_DONT_EXPIRE_PASSWD). Note that the attribute value itself is normally a sum of several flags (a plain enabled user is 512, a disabled one 514), which is why the bitwise rule is needed instead of an equality match.

So where did the ruleOID 1.2.840.113556.1.4.803 come from?

The ruleOID selects one of two bitwise matching rules:

  • 1.2.840.113556.1.4.803 – the bitwise AND rule (LDAP_MATCHING_RULE_BIT_AND). The rule is true only if every bit set in the value is also set in the attribute.
  • 1.2.840.113556.1.4.804 – the bitwise OR rule (LDAP_MATCHING_RULE_BIT_OR). The rule is true if any bit set in the value is set in the attribute.

The complete structure of the filter was shown as a screenshot in the original post.

How do I get the userAccountControl values? 

The userAccountControl flag values are listed in the following MSDN articles. Make sure to use the decimal values, not hex.

  1. http://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx
  2. http://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx

Conclusion

Regardless of which method you use (commands or scripts), you can search Active Directory on userAccountControl flags using the syntax above.
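Added example, not from the original post: PowerShell that decodes a userAccountControl value into its flag names and shows, without touching a domain, what the AND (…803) and OR (…804) rules evaluate to for a given attribute value, then builds the corresponding LDAP filter strings. The flag table is the decimal ADS_USER_FLAG set from the MSDN pages linked above; the function names and the sample value 66050 are mine.

```powershell
# Added example: decode userAccountControl, emulate the two bitwise matching rules, build filters.
$UacFlags = [ordered]@{
    SCRIPT                         = 1
    ACCOUNTDISABLE                 = 2
    HOMEDIR_REQUIRED               = 8
    LOCKOUT                        = 16        # computed in AD DS, not stored (see note below)
    PASSWD_NOTREQD                 = 32
    PASSWD_CANT_CHANGE             = 64
    ENCRYPTED_TEXT_PWD_ALLOWED     = 128
    TEMP_DUPLICATE_ACCOUNT         = 256
    NORMAL_ACCOUNT                 = 512
    INTERDOMAIN_TRUST_ACCOUNT      = 2048
    WORKSTATION_TRUST_ACCOUNT      = 4096
    SERVER_TRUST_ACCOUNT           = 8192
    DONT_EXPIRE_PASSWORD           = 65536
    MNS_LOGON_ACCOUNT              = 131072
    SMARTCARD_REQUIRED             = 262144
    TRUSTED_FOR_DELEGATION         = 524288
    NOT_DELEGATED                  = 1048576
    USE_DES_KEY_ONLY               = 2097152
    DONT_REQ_PREAUTH               = 4194304
    PASSWORD_EXPIRED               = 8388608   # computed in AD DS, not stored (see note below)
    TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216
    PARTIAL_SECRETS_ACCOUNT        = 67108864
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int64]$Value)
    $UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function Test-LdapBitRule {
    # Same truth table the DC applies for userAccountControl:<ruleOID>:=<Mask>
    param([int64]$Attribute, [int64]$Mask, [ValidateSet('AND', 'OR')][string]$Rule)
    switch ($Rule) {
        'AND' { ($Attribute -band $Mask) -eq $Mask }   # 1.2.840.113556.1.4.803: all bits of Mask set
        'OR'  { ($Attribute -band $Mask) -ne 0 }       # 1.2.840.113556.1.4.804: at least one bit set
    }
}

function New-UacLdapFilter {
    param([string[]]$Flags, [ValidateSet('AND', 'OR')][string]$Rule = 'AND', [switch]$Not)
    $oid  = if ($Rule -eq 'AND') { '1.2.840.113556.1.4.803' } else { '1.2.840.113556.1.4.804' }
    $mask = 0
    foreach ($f in $Flags) { $mask = $mask -bor $UacFlags[$f] }
    $clause = "(userAccountControl:${oid}:=$mask)"
    if ($Not) { $clause = "(!$clause)" }
    "(&(objectCategory=person)(objectClass=user)$clause)"
}

# Worked example: 66050 = NORMAL_ACCOUNT (512) + DONT_EXPIRE_PASSWORD (65536) + ACCOUNTDISABLE (2)
ConvertFrom-UserAccountControl 66050                        # ACCOUNTDISABLE, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
Test-LdapBitRule -Attribute 66050 -Mask 65538 -Rule AND     # True : bits 2 and 65536 both present
Test-LdapBitRule -Attribute 66048 -Mask 65538 -Rule AND     # False: enabled account, bit 2 missing
Test-LdapBitRule -Attribute 66048 -Mask 65538 -Rule OR      # True : DONT_EXPIRE_PASSWORD alone suffices

# Filters for the flags an attacker's enumeration tools look for first
New-UacLdapFilter -Flags DONT_REQ_PREAUTH                    # AS-REP roastable accounts
New-UacLdapFilter -Flags TRUSTED_FOR_DELEGATION              # unconstrained delegation
New-UacLdapFilter -Flags PASSWD_NOTREQD                      # may legitimately have an empty password
New-UacLdapFilter -Flags ACCOUNTDISABLE -Not                 # enabled accounts only
```

One caveat that applies to the dsquery examples as well: in AD DS the LOCKOUT and PASSWORD_EXPIRED bits are never written into the stored userAccountControl; they are calculated on read and exposed through the constructed attribute msDS-User-Account-Control-Computed. A filter on userAccountControl for those two values therefore matches nothing; search on lockoutTime or on pwdLastSet instead.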

Looking for more DSQUERY examples?

Visit my TechNet Wiki article - http://social.technet.microsoft.com/wiki/contents/articles/3537.aspx

 


Friday, July 29, 2011

Add Users to a Group–PowerShell Script

Purpose – Add users to a group from an input file (PowerShell V2 script).

Input file – Users.csv contains the samAccountName values, one per line (the format is shown as a screenshot in the original post).

Script – shown as a screenshot in the original post; the TechNet Gallery link below has the text version.


I have also uploaded this script to Microsoft TechNet Gallery - http://gallery.technet.microsoft.com/scriptcenter/ffff189d-8ef1-4903-b19c-12dcd352c88e

Tuesday, July 26, 2011

Change Service Account Username & Password–PowerShell Script

This PowerShell script can be used to change the service account credentials remotely.

Input – The input file (input.csv) contains the server/computer names, one per line (the format is shown as a screenshot in the original post).

Script – shown as a screenshot in the original post; the download links below have the text version.

Output – The status for each server is shown on the screen (a sample run is shown as a screenshot in the original post).

Download – You can download this script from the following locations:

  1. www.sivarajan.com - http://www.sivarajan.com/scripts/Change_Service_Credentials.txt
  2. Microsoft TechNet Gallery - http://gallery.technet.microsoft.com/scriptcenter/79644be9-b5e1-4d9e-9cb5-eab1ad866eaf
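Added example, not the script from the original post: changing a service's logon account on each server in input.csv through the Win32_Service.Change method, then restarting the service and reporting whether it came back under the new account. It assumes a ComputerName header in the CSV; the service name is a parameter, both passwords are prompted for rather than stored, and the return-code meanings quoted in the comments are from the Win32_Service documentation.

```powershell
# Added example: set a new logon account/password for one service on many servers via WMI.
param(
    [Parameter(Mandatory)][string]$ServiceName,          # short service name, e.g. 'Spooler'
    [string]$InputFile = '.\input.csv'
)
$Admin  = Get-Credential -Message 'Admin account used to connect to the servers'
$SvcAcc = Get-Credential -Message 'New service logon account (DOMAIN\user) and password'
$plain  = $SvcAcc.GetNetworkCredential().Password     # Change() needs the clear text; keep it in memory only

foreach ($row in Import-Csv -Path $InputFile) {
    $server = $row.ComputerName
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'" -ComputerName $server `
                         -Credential $Admin -Authentication PacketPrivacy -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$server : service '$ServiceName' not found"; continue }

    # Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode, DesktopInteract,
    #        StartName, StartPassword, LoadOrderGroup, LoadOrderGroupDependencies, ServiceDependencies)
    # A $null argument leaves that setting unchanged; only StartName and StartPassword are set here.
    $rc = $svc.Change($null, $null, $null, $null, $null, $null, $SvcAcc.UserName, $plain).ReturnValue
    if ($rc -ne 0) { Write-Warning "$server : Change() returned $rc (22 = invalid service account)"; continue }

    # The new account is used from the next start, so restart and check the result.
    # Return 15 = service logon failed: wrong password, or the account lacks 'Log on as a service'.
    if ($svc.State -eq 'Running') {
        $null = $svc.StopService()
        $tries = 0
        do { Start-Sleep -Seconds 2; $svc.Get(); $tries++ } until ($svc.State -eq 'Stopped' -or $tries -ge 15)
    }
    $rc = $svc.StartService().ReturnValue
    "{0}: '{1}' now configured for {2}; StartService returned {3}" -f $server, $ServiceName, $SvcAcc.UserName, $rc
}
Remove-Variable plain
```

Change() does not grant the account the "Log on as a service" right the way the services.msc dialog does; assign it beforehand (Group Policy is the usual place), otherwise the restart fails with return code 15 on every server.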

More Scripts - http://portal.sivarajan.com/search?q=script+powershell&max-results=20


Thursday, July 21, 2011

Search Active Directory & Get User Properties–PowerShell Script

You can use this PowerShell script to search Active Directory and get the user properties. The input file (OU.csv) contains the OU names, one per line (the format is shown as a screenshot in the original post).

Script: shown as a screenshot in the original post; the download links below have the text version.

Download:

You can download the script from the following locations:

www.sivarajan.com - http://www.sivarajan.com/scripts/SearchAD_UserInfo.txt

Microsoft TechNet Gallery - http://gallery.technet.microsoft.com/scriptcenter/dd152aa5-bc94-4ac8-9eeb-3bc5b98d425a

More scripts - http://portal.sivarajan.com/search?q=script+powershell&max-results=20
