Tag Archives: Active Directory

Three years of blogging; 100 posts

This month, June 2015 is a month of milestones. Just last week I posted an article on my 150000th download from the TechNet Script Gallery, today the occasion is my 100th blog post. remember when I started three years ago. I decided against making a obligatory first post in which I outlined my plans for making a blog, as I did not have a clear vision.

BooksSection

Now, more than three years later I use my blog as an outlet for any technical or otherwise interesting topics I come across. To celebrate the occasion I have opened up another section on my blog, Books.

To mark this joyful occasion, I have decided to bundle my ongoing series on this blog: Active Directory Friday into an ebook, available in the Books section of this site. The book is currently contains all thirteen articles and will be updated with new articles on a regular basis. It is available for download here: Active Directory Friday: All Articles

ADF-AllArticles

For a complete overview of all the links in this blog post I have created the following table containing all links.

Three years of blogging; 100 posts
150000 Downloads
New Books Section
Active Directory Friday
Download: Active Directory Friday: All Articles

 

Share

Active Directory Friday: Creating Active Directory groups using PowerShell

Creating a group in Active Directory using PowerShell is relatively simple when using the Active Directory module. To create a Global Distribution Group the following code can be executed:

1
New-ADGroup -Name NewGlobalDG_1 -GroupScope Global -GroupCategory Distribution

When creating a Domain Local Security Group the GroupScope can be changed to DomainLocal and GroupCategory can be omitted since the default is a Security Group:

1
New-ADGroup -Name NewDLSG_1 -GroupScope DomainLocal

Creating groups using the [adsi] provider is a three step process. First we bind to the OU in which the group should be created. Secondly we enter the name and the properties of the group that should be created. And by finally calling the SetInfo() method to create the group. The following code will create a group:

1
2
3
4
5
$TargetOU = [adsi]'LDAP://OU=Groups,DC=jaapbrasser,DC=com'
$Group = $TargetOU.Create('group','cn=System_Operators')
$Group.put('grouptype',0x80000004)
$Group.put('samaccountname','System_Operators')
$Group.SetInfo()

To specify the Group Type a hexadecimal value is required as specified in the following MSDN article: 2.2.12 Group Type Flags. The following table lists all the possible values:

Symbolic name Value
GROUP_TYPE_BUILTIN_LOCAL_GROUP 0x00000001
GROUP_TYPE_ACCOUNT_GROUP 0x00000002
GROUP_TYPE_RESOURCE_GROUP 0x00000004
GROUP_TYPE_UNIVERSAL_GROUP 0x00000008
GROUP_TYPE_APP_BASIC_GROUP 0x00000010
GROUP_TYPE_APP_QUERY_GROUP 0x00000020
GROUP_TYPE_SECURITY_ENABLED 0x80000000

It is important to note that only four values are relevant to us when creating Active Directory accounts:

  • GROUP_TYPE_ACCOUNT_GROUP – 0x00000002
  • GROUP_TYPE_RESOURCE_GROUP – 0x00000004
  • GROUP_TYPE_UNIVERSAL_GROUP – 0x00000008
  • GROUP_TYPE_SECURITY_ENABLED – 0x80000000

To simplify the creation of groups these values can be place in a hashtable:

1
2
3
4
5
6
$GroupType = @{
    Global      = 0x00000002
    DomainLocal = 0x00000004
    Universal   = 0x00000008
    Security    = 0x80000000
}

Using the values stored in the hash table it is now possible to create any of the three group scopes as either a distribution group or security group. The following example uses the -bor operator to combine the values to create a Universal Security Group:

1
2
3
4
5
$TargetOU = [adsi]'LDAP://OU=Groups,DC=jaapbrasser,DC=com'
$Group = $TargetOU.Create('group','cn=Universal_Operators')
$Group.put('grouptype',($GroupType.Universal -bor $GroupType.Security))
$Group.put('samaccountname','Universal_Operators')
$Group.SetInfo()

That is all there is to it, using this methodology it is possible to create any type of Active Directory group using either the Active Directory module or the [adsi] type accelerator. Below I have included some links in regards to this topic.

Creating Active Directory Groups
New-ADGroup
Understanding Groups
2.2.12 Group Type Flags
Share

Active Directory Friday: Determine the forest functional level

Knowing the Forest Functional Level can be important when implementing new products or when considering to upgrade your functional level. This information can be view in the ‘Active Directory Domains and Trusts’ console, but for the purpose of this article we will take a look how this information can be retrieved programmatically, or to be more specific: How to retrieve this using PowerShell.

In the following example we use the Get-ADForest cmdlet to Retrieve information about the current forest. In particular the property we are interested in is the ForestMode property:

1
Get-ADForest | Select-Object ForestMode

Alternatively the [adsi] type accelerator can be used, this has the advantage that it works on any computer that has PowerShell installed as it does not rely on having the Active Directory module installed, the following code will retrieve the Forest Functional level:

1
([adsi]"LDAP://CN=Partitions,$(([adsi](“LDAP://RootDSE”)).configurationNamingContext)").'msDS-Behavior-Version'

The problem with this is that the value of the Forest Functional Level is stored as an integer. Luckily for us this integer can be found on MSDN. So by combining the previous command with a switch statement we can get the expected output:

1
2
3
4
5
6
7
8
9
switch (([adsi]"LDAP://CN=Partitions,$(([adsi](“LDAP://RootDSE”)).configurationNamingContext)").'msDS-Behavior-Version') {
    0 {'DS_BEHAVIOR_WIN2000'}
    1 {'DS_BEHAVIOR_WIN2003_WITH_MIXED_DOMAINS'}
    2 {'DS_BEHAVIOR_WIN2003'}
    3 {'DS_BEHAVIOR_WIN2008'}
    4 {'DS_BEHAVIOR_WIN2008R2'}
    5 {'DS_BEHAVIOR_WIN2012'}
    6 {'DS_BEHAVIOR_WIN2012R2'}
}

For more information about the Forest Functional Level I have included a TechNet article that goes in depth about the implications of the various forest and domain functional levels. For more information about the msDS-Behavior-Version attribute I have included the link to the MSDN entry.

Forest Functional Level
Understanding Active Directory Domain Services (AD DS) Functional Levels
msDS-Behavior-Version: Forest Functional Level
Share

Active Directory Friday: Find empty Organizational Unit

As an Active Directory Administrator there are some moments, few and far in between where you might have a moment to yourself. In this article I will give you a short line of code so you can use this moment to find out if you have any empty Organizational Units in your domain. The definition of empty is an OU that does not contain any child objects. By this definition an OU containing another OU would not be considered empty. Because there is no LDAP filter for this we will take a look at how to do this using the Cmdlets and the [adsisearcher] type accelerator.

In the following example I will use Get-ADOrganizationalUnit in combination with an if-statement and Get-ADObject to gather empty OUs:

1
2
3
4
5
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
	   if (-not (Get-ADObject -SearchBase $_ -SearchScope OneLevel -Filter * )) {
      		$_
   	}
}

So lets have a look at what this code does, the first portion is straight forward, gather all OUs using the Get-ADOrganizationalUnit cmdlet and pipe it into the ForEach-Object cmdlet. The if-statement is the interesting part here, I am using the Get-ADObject cmdlet to establish if this OU contains any child object, by setting the SearchBase to that OU and setting the SearchScope to OneLevel. Setting the SearchScope to OneLevel will only return direct child objects of the parent, the OU, without returning the OU itself. Because of this Get-ADObject will not return any objects if the OU is empty.

For more information about the SearchScope parameter and the possible arguments have a look at the following link: Specifying the Search Scope

Because you might not have the ActiveDirectory module loaded in your current PowerShell session it can be useful to know the [adsisearcher] alternative:

1
2
([adsisearcher]'(objectcategory=organizationalunit)').FindAll() | Where-Object {
   -not (-join $_.GetDirectoryEntry().psbase.children) }

This is a slightly different approach to illustrate a different method of gathering empty OUs, here we check the Children property part of the base object that is retrieved. The -join operator is used to ensure the -not does not evaluate the empty System.DirectoryServices.DirectoryEntries object as true.

Using the logic in this post it is also possible to filter for other specific objects contained in the OUs. For example display OUs that only have user objects, display OUs with both user and computer objects and so on.

For more information on this subject please refer to the following links:

Additional resources
Specifying the Search Scope
Get-ADObject
Get-ADOrganizationalUnit

Active Directory Friday: Use the ANR filter for LDAP Queries

ANR or Ambiguous Name Resolution is used to query for objects in Active Directory if the exact identity of an object is not known. A query containing Ambigious Name Resolution will query for all the attributes for example, Given Name, Sur Name, Display Name and samaccountname. For Windows Server 2008 and later versions this is the full list of ANR Attributes included in the search results:

For a full list of all the attributes that are queried please refer to the following TechNet article: ANR Attributes.

  • Display-Name
  • Given-Name
  • Physical-Delivery-Office-Name
  • Proxy-Addresses
  • RDN
  • SAM-Account-Name
  • Surname
  • Legacy-Exchange-DN
  • ms-DS-Additional-Sam-Account-Name
  • ms-DS-Phonetic-Company-Name
  • ms-DS-Phonetic-Department
  • ms-DS-Phonetic-Display-Name
  • ms-DS-Phonetic-First-Name
  • ms-DS-Phonetic-Last-Name

For a full list of all the attributes that are queried please refer to the following TechNet article: ANR Attributes.

An ANR query is useful in a number of scenarios, for example when relying on user input in your script. In this case querying against a samaccountname might fail if the spelling does not match the samaccountname. Similarly an export from a different department or database might be close to what is stored in Active Directory but not an exact match, again this is somewhere where an ANR query might be useful. Something that should be kept in mind is that this is a relatively expensive query and therefore should be avoided when it is not required. In this article we will discuss how to create an ANR filter and what happens exactly in such a query.

In the next example we will be using Get-ADUser cmdlet, which is part of the ActiveDirectory module, in combination with the LDAPFilter parameter in order to execute our query:

1
Get-ADUser -LDAPFilter '(anr=Jaap Brasser)'

This will query against all the attributes in the list as ‘Jaap Brasser*’ and two additionally queries: ‘GivenName=Jaap*’ and ‘SurName=Brasser*’ as well as ‘GivenName=Brasser*’ and ‘SurName=Jaap*’. As a result more than one result might be returned, as different attributes of a user account might overlap or are not unique to a single user account. This is the downside of this method of querying.

In the following example I will use the [adsisearcher] type accelerator to execute the same query:

1
([adsisearcher]'(anr=Jaap Brasser)').FindAll()

Alternatively the DirectorySearcher object can be manually created to execute a query:

$ADSearcher = New-Object DirectoryServices.DirectorySearcher -Property @{
 Filter = '(anr=Jaap Brasser)'
 PageSize = 100
}
$ADSearcher.FindAll()

For more information on this Ambiguous Name Resolution (ANR) have a look at the following resources:

Ambiguous Name Resolution
MSDN Ambiguous Name Resolution
ANR Attributes
KB Ambiguous Name Resolution for LDAP in Windows 2000
Share