Tag Archives: Active Directory

Secure your servers in time with JIT and JEA at Experts Live Summer Night event

Earlier this month I spoke at Experts Live Summer Night, a security-focused event for IT professionals. I covered JIT, Privileged Access Management, and JEA, Just Enough Administration. Here is an excerpt of the presentation:

Just Enough Administration, also known as JEA, has been around for several years and has received a lot of updates and new features. How can we use this to secure our servers and reduce the attack surface that we expose to potential malicious actors? During this session Jaap will demo how to configure and deploy JEA templates and how to configure JIT administration.

All the code and slides are as always available in my Events GitHub repository:

Furthermore I have also uploaded my presentations to SlideShare:


Active Directory Friday: Find groups with no members

Occasionally groups become obsolete or are never populated with members. It can be interesting to find out how many groups in your organization have no members, so that action can be taken based on the output.

Overview of articles in this series
Active Directory Friday: Find groups with no members
Active Directory Friday: Principal group membership
Active Directory Friday: User account group membership

Because of the nature of how group membership is defined, this article will be the first in a series of three. In this article I will show how group membership can be determined using LDAP queries. The next article in this series will go into principal group membership and its implications, and the final article will go into constructed attributes and how to work with them, specifically the memberOf attribute.

In this article I will give a number of examples that can be used to determine which groups are empty. Using Get-ADGroup, the following command can be executed to retrieve memberless groups:

Get-ADGroup -LDAPFilter '(!(member=*))'


Alternatively the DirectoryServices.DirectorySearcher object can be used to achieve a similar result:

# Groups with no values in the member attribute; paging keeps large result sets complete
(New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter   = '(&(objectClass=group)(!(member=*)))'
    PageSize = 100
}).FindAll()

The [adsisearcher] type accelerator is another interesting alternative for this purpose, here is an example:


The problem with the above examples, however, is that some groups will show up as being empty even though they are not, for example the Domain Users group. Next week I will go into principal group membership: what it is, how to query for it, and how doing so generates more accurate results with regard to group membership.
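As an added example (my own code, not from the original post), the following function uses the [adsisearcher] type accelerator to list groups with no member values and then checks, through the primaryGroupID attribute, whether each group is still in use as a primary group; that is exactly why Domain Users appears empty in the filters above. The function name Get-EmptyGroupReport and running on a domain-joined host with rights to read the directory are assumptions.

```powershell
# Added example: report memberless groups and flag the ones still used as a primary group
function Get-EmptyGroupReport {
    param(
        # Search root; defaults to the current domain (assumes a domain-joined host)
        [string]$SearchRoot = ([adsi]'').distinguishedName
    )
    # Same LDAP filter as in the post, via the [adsisearcher] accelerator
    $Searcher = [adsisearcher]'(&(objectClass=group)(!(member=*)))'
    $Searcher.SearchRoot = [adsi]"LDAP://$SearchRoot"
    $Searcher.PageSize = 1000
    $Searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'objectSid'))

    foreach ($Result in $Searcher.FindAll()) {
        # The group's RID (last SID sub-authority) is what users carry in primaryGroupID
        $Sid = New-Object Security.Principal.SecurityIdentifier($Result.Properties['objectsid'][0], 0)
        $Rid = [int]$Sid.Value.Split('-')[-1]

        # Accounts whose primary group is this group; computers are a subclass of user
        $PrimarySearcher = [adsisearcher]"(&(objectClass=user)(primaryGroupID=$Rid))"
        $PrimarySearcher.SearchRoot = $Searcher.SearchRoot
        $PrimarySearcher.PageSize = 1000
        $PrimaryCount = $PrimarySearcher.FindAll().Count

        [pscustomobject]@{
            DistinguishedName = $Result.Properties['distinguishedname'][0]
            Rid               = $Rid
            PrimaryMembers    = $PrimaryCount
            TrulyEmpty        = ($PrimaryCount -eq 0)
        }
    }
}

# Domain Users (RID 513) will show a large PrimaryMembers count and TrulyEmpty = False
Get-EmptyGroupReport | Sort-Object TrulyEmpty, DistinguishedName | Format-Table -AutoSize
```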

For more information about the topics discussed in this article, please have a look at the following resources:

Active Directory Friday: Find groups with no members
JaapBrasser.com – Active Directory Friday
Free ebook – Active Directory Friday All Articles

New versions of Connect-Mstsc and Get-OrphanHomeFolder in TechNet Script Gallery

One of the things that keeps me busy is maintaining the library of scripts I have made available in the TechNet Script Library. I get a good number of questions and requests about my scripts there, and I enjoy picking out some of the interesting or useful requests to implement in my scripts. Recently I received some requests for new functionality in some of my scripts, so I decided on two of my scripts for the latest round of updates.

For Connect-Mstsc I have updated both the PowerShell 3.0 and up version as well as the version that is backwards compatible with PowerShell 2.0. A new parameter has been introduced, -Public, which corresponds with the /public switch of the mstsc.exe tool. It runs Remote Desktop in public mode, which was requested by MSFTW. Here is an example of this switch parameter in action:

Connect-Mstsc -ComputerName server01:3389 -User contoso\jaapbrasser -Password supersecretpw -Public

An RDP session to server01 on port 3389 will be created using the credentials of contoso\jaapbrasser, and the /public switch will be set for mstsc.

Get-OrphanHomeFolder has been updated to support wildcards/regular expressions to be able to exclude folders. This came from a request of martin_i who has a lot of folders named .v2 which he would like to exclude instead of manually specifying each path. Here is an example:

.\Get-OrphanHomeFolder.ps1 -HomeFolderPath \\Server02\Fileshare\Home -MoveFolderPath \\Server03\Fileshare\MovedHomeFolders -ExcludePath '\.v2$' -RegExExclude 
This will list all the folders in the \\Server02\Fileshare\Home folder and move orphaned folders using robocopy, excluding folders whose names end with .v2.

For more information or the direct download links of these scripts please refer to the links below. Feel free to leave a comment either here or in the TechNet Script Library.

TechNet Script Gallery
My entries in TechNet Script Gallery
Script to get orphaned home folders and folder size
Connect-Mstsc – Open RDP Session with credentials
Connect-Mstsc – Open RDP Session with credentials (PowerShell 2.0)

Free ebook – Active Directory Friday All Articles


The Active Directory Friday articles have proven to be quite popular among my readers, and as a thank you to all of them I decided to publish the series as an ebook. The reason for publishing this series as an ebook is to make the content more easily accessible. The ebook is available in PDF, EPUB and MOBI formats to allow for complete portability and free choice of device on which to read these articles. I have placed this ebook in the Books section of my blog and the download links are available below.


The ebook covers the following topics:

  • Creating Active Directory groups using PowerShell
  • Determine the forest functional level
  • Find empty Organizational Unit
  • Use the ANR filter for LDAP Queries
  • Find users with password never expires
  • Change a user’s password
  • Create new OU
  • Determine tombstone lifetime
  • Search for computer accounts
  • List password information for Domain Administrators
  • Get DistinguishedName of current domain
  • Query Group Policy Objects in Active Directory
  • Find user accounts that have not changed password in 90 days

This resource will be updated on a regular basis as new articles are published, to keep the content up-to-date with the latest articles. If you have any requests or feedback for topics to be included in this ebook or the Active Directory Friday series, please leave a comment below.

Active Directory Friday All Articles
Active Directory Friday
Download PDF
Download EPUB
Download MOBI

Active Directory Friday: Distribution group membership for AD User

To get a list of the distribution groups an Active Directory user account is a member of, we can query Active Directory, for example by combining the Get-ADUser and Get-ADGroup cmdlets. To generate this list the following code can be used:

Get-ADUser -Identity JaapBrasser -Properties MemberOf |
    Select-Object -ExpandProperty MemberOf | Get-ADGroup |
    Where-Object {$_.GroupCategory -eq 'Distribution'}

The Get-ADUser cmdlet gets all the groups Jaap Brasser is a member of, the Select-Object cmdlet expands the MemberOf attribute which is then piped into the Get-ADGroup cmdlet. The last step is using the Where-Object cmdlet to filter out only the Distribution groups to get the desired results.

Alternatively the DirectoryServices DirectorySearcher object can be used. This object does not require the Active Directory module to be installed and can run on any version of PowerShell. The following code can be used:

$ADSearcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter = "(samaccountname=JaapBrasser)"
} | ForEach-Object {
    $_.FindOne().Properties.memberof | ForEach-Object {
        $CurrentGroup = [adsi]"LDAP://$_"
        # 0x80000000 (ADS_GROUP_TYPE_SECURITY_ENABLED) is only set on security groups
        if (-not ([int](-join $CurrentGroup.Properties.grouptype) -band 0x80000000)) {
            $CurrentGroup
        }
    }
}
$ADSearcher

This sample works by querying Active Directory for the samAccountName JaapBrasser. For this user account the distinguishedName of each group it is a member of is retrieved, and the groupType of each group is then inspected. The group type is explained in last week's post as well, in which I explained the hex codes that define whether a group is a Security group or a Distribution group. The article is available here: Creating Active Directory groups using PowerShell
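The groupType check above can be taken a step further by decoding all of the bit flags, not just the security bit. The following added example (my own code, not from the original post) reports scope and category for every group a user belongs to, using the flag values from MS-ADTS 2.2.12 and no ActiveDirectory module; the function name Get-UserGroupTypeReport is an assumption, and JaapBrasser is the account name used in the post.

```powershell
# Added example: decode groupType flags for each group in a user's memberOf attribute
function Get-UserGroupTypeReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $User = ([adsisearcher]"(&(objectClass=user)(sAMAccountName=$SamAccountName))").FindOne()
    if (-not $User) { throw "Account '$SamAccountName' not found" }

    foreach ($GroupDn in $User.Properties['memberof']) {
        $Group = [adsi]"LDAP://$GroupDn"
        $Type  = [int](-join $Group.Properties['groupType'])

        # Scope flags live in the low bits; exactly one of them is set (MS-ADTS 2.2.12)
        $Scope = switch ($Type -band 0x0F) {
            0x1 { 'BuiltinLocal' }   # GROUP_TYPE_BUILTIN_LOCAL_GROUP
            0x2 { 'Global' }         # GROUP_TYPE_ACCOUNT_GROUP
            0x4 { 'DomainLocal' }    # GROUP_TYPE_RESOURCE_GROUP
            0x8 { 'Universal' }      # GROUP_TYPE_UNIVERSAL_GROUP
            default { 'Unknown' }
        }
        # GROUP_TYPE_SECURITY_ENABLED (0x80000000) separates security from distribution groups;
        # it is the sign bit, which is why security groups show a negative groupType
        $Category = if ($Type -band 0x80000000) { 'Security' } else { 'Distribution' }

        [pscustomobject]@{
            Group     = -join $Group.Properties['name']
            GroupType = $Type
            Scope     = $Scope
            Category  = $Category
        }
    }
}

# Same result as the post's sample, with the scope of each distribution group added
Get-UserGroupTypeReport -SamAccountName 'JaapBrasser' |
    Where-Object Category -eq 'Distribution' | Format-Table -AutoSize
```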

For more information on this subject please refer to the following links:

Distribution group membership
Understanding Groups
2.2.12 Group Type Flags
Creating Active Directory groups using PowerShell