Tag Archives: distinguishedName

Active Directory Friday: List password information for Domain Administrators

5 Replies

In today’s Active Directory Friday we touch the subject of security of Domain Administrator accounts. Although this should not be overlooked it is not uncommon for passwords to be unchanged for a long period of time.

To find the members of the Domain Admins group we can use following LDAP Filter:

1

"(memberof=CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com)"

Then for each account found a PowerShell Custom Object is created with the following three properties:

  • Samaccountname
  • PasswordAge
  • Account Enabled

So combing all these statements the complete code is as follows:

1
2
3
4
5
6
7
8
9
10
11

$Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter = "(memberof=CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com)"
    PageSize = 500
}
$Searcher.FindAll() | ForEach-Object {
    New-Object -TypeName PSCustomObject -Property @{
        samaccountname = $_.Properties.samaccountname -join ''
        pwdlastset = [datetime]::FromFileTime([int64]($_.Properties.pwdlastset -join ''))
        enabled = -not [boolean]([int64]($_.properties.useraccountcontrol -join '') -band 2)
    }
}
Share

Active Directory Friday: Get DistinguishedName of current domain

3 Replies

To determine the DistinguishedName of the current domain the [adsi] accelerator can be utilized. The following piece of code can be used to retrieve the DN of the current domain:

1
2

New-Object -TypeName System.DirectoryServices.DirectoryEntry |
Select -ExpandProperty distinguishedName

Alternatively the [adsi] accelerator can be utilized for this purpose, as this requires less code and it is easier to remember:

1

([adsi]'').distinguishedName

The value returned by this line of code a System.DirectoryServices.PropertyValueCollection instead of a string object. To unwrap this code can be used:

1

([adsi]'').distinguishedName[0]

Now the object returned is a string and the methods and properties of a string object are available, so it is possible to manipulate the output for example by doing a text replace:

1

([adsi]'').distinguishedName[0].replace('com','jaap')

Note that in PowerShell v3 and up it is not required to unwrap the array, as the Member Enumeration feature of PowerShell will ensure that the methods and properties of underlying objects in an array are available. As demonstrated in the following line of code:

1

([adsi]'').distinguishedName.replace('com','jaap')
Share

Active Directory Friday: Query Group Policy Objects in Active Directory

Leave a reply

For the second Active Directory Friday we have Group Policies on our radar. To query for Group Policy objects the following LDAP filter can be used:

1

'(objectClass=groupPolicyContainer)'

To get the full list of Group Policy objects the adsisearcher accelerator should be used in combination with the LDAP filter. This will return all group policy objects:

1

([adsisearcher]'(objectClass=groupPolicyContainer)').FindAll()

To generate a short report with relevant information about the following code can be used:

1
2
3
4
5
6
7
8
9
10
11
12

$GPOSearcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter = '(objectClass=groupPolicyContainer)'
    PageSize = 100
}
$GPOSearcher.FindAll() | ForEach-Object {
    New-Object -TypeName PSCustomObject -Property @{
        'DisplayName' = $_.properties.displayname -join ''
        'CommonName' = $_.properties.cn -join ''
        'FilePath' = $_.properties.gpcfilesyspath -join ''
        'DistinguishedName' = $_.properties.distinguishedname -join ''
    } | Select-Object -Property DisplayName,CommonName,FilePath,DistinguishedName
}

This will display a list of all Group Policy Objects and display the following properties:

  • DisplayName
  • CommonName
  • FilePath
  • DistinguishedName

The full script is also available in the TechNet Script Gallery: http://gallery.technet.microsoft.com/Get-GroupPolicyObject-05aaef2d

Share