Tag Archives: System.DirectoryServices.DirectoryEntry

Active Directory Friday: Change a user’s password

Changing a user’s password or unlocking their account is one of the most common tasks Active Directory administrators face. Today we will discuss how this can be done in PowerShell using either the Active Directory module or the [adsi] type accelerator.

Setting or resetting a password is rather straightforward using the Active Directory cmdlets: simply use Get-ADUser to get the AD user object and pipe it into Set-ADAccountPassword:

Get-ADUser jaapbrasser | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "secretpassword01" -Force)

To unlock an account the Unlock-ADAccount cmdlet can be used:

Get-ADUser jaapbrasser | Unlock-ADAccount

To both unlock and change the password of a user using the ADSI type accelerator the following code can be used:

$User = [adsi]([adsisearcher]'samaccountname=jaapbrasser').FindOne().Path
$User.SetPassword("secretpassword01")
$User.lockoutTime = 0
$User.SetInfo()

Active Directory Friday: Create new OU

PowerShell can be used to create any number of objects in Active Directory. Today I will demonstrate how to create an organizational unit using both the ActiveDirectory module as well as the [adsi] alternative.

Creating an OU using New-ADOrganizationalUnit is quite straightforward:

New-ADOrganizationalUnit -Name Departments -Path 'ou=Resources,DC=jaapbrasser,DC=com'

Using the [adsi] accelerator to create an OU requires some additional steps. First the parent object has to be selected, in this example the Resources OU in the jaapbrasser.com domain. The next step is to create a new object, an organizationalUnit in this case. Finally the changes are committed to Active Directory by using the SetInfo() method.

$TargetOU = [adsi]'LDAP://ou=Resources,DC=jaapbrasser,DC=com'
$NewOU = $TargetOU.Create('organizationalUnit','ou=Departments')
$NewOU.SetInfo()

That is all there is to it, creating an Organizational Unit in Active Directory is quite easy, with or without the ActiveDirectory module.


Active Directory Friday: Determine tombstone lifetime

In Active Directory, objects are tombstoned after a deletion occurs. This allows the deletion to replicate between domain controllers before the object is removed from the Active Directory data store. The default value depends on the Windows Server version on which the forest was initially created; Microsoft recommends that this is set at 180 days.

The tombstone lifetime is set at the forest level and can be viewed by running the following code:

([adsi]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$(([adsi]'LDAP://RootDSE').configurationNamingContext)").tombstoneLifetime

Alternatively this can also be retrieved by using the Get-ADObject cmdlet:

$HashSplat = @{
    Identity = 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=jaapbrasser,DC=com'
    Partition = 'CN=Configuration,DC=jaapbrasser,DC=com'
    Properties = 'tombstoneLifetime'
}
Get-ADObject @HashSplat | Select-Object -Property tombstoneLifetime

Active Directory Friday: Search for computers accounts

I have decided to reintroduce Active Directory Friday on my blog, so today is the start of a new series of articles on Fridays. The format remains the same as the previous posts. Usually the examples will be written using .NET objects or the [adsi] and [adsisearcher] accelerators, although occasionally examples using the Active Directory cmdlets will be posted. My preference for avoiding the cmdlets is mostly compatibility: usually only a select number of systems have access to the Active Directory module, so it pays off to know the native method as well.

Today we will take a look at how to find computer objects in Active Directory using the DirectoryServices.DirectorySearcher object. In order to search for computer objects the following properties of this object will be set:

  • Filter – Contains the LDAP filter that selects only the computer objects, by specifying the objectCategory
  • PageSize – Enables paged searches; without paging a search returns at most 1000 results (the server’s default MaxPageSize), with a PageSize set all matching objects are returned in pages of that size
$Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter = '(objectCategory=computer)'
    PageSize = 500
}
$Searcher.FindAll()

To search in a specific organizational unit the SearchRoot property can be used, only computer objects in the Servers OU will be returned by this search:

$Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter = '(objectCategory=computer)'
    PageSize = 500
    SearchRoot = 'LDAP://OU=Servers,DC=jaapbrasser,DC=com'
    SearchScope = 'Subtree'
}
$Searcher.FindAll()

The SearchScope property has been set to Subtree, which means that the OU will be searched recursively and all child OUs will be included in the search. There are a total of three options available for the SearchScope property:

  • Base – Only returns a single object, the search root itself
  • OneLevel – Only searches the current container, will not search recursively
  • Subtree – Searches recursively through all child containers
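Putting the Filter, PageSize, SearchRoot and SearchScope properties together, here is an added example (not code from the original post) that reports computer accounts in an OU and flags those that have not logged on recently. The function name, its parameters, the 90-day threshold and the use of the lastLogonTimestamp and dNSHostName attributes are my assumptions; the OU and domain are the ones used in the post.

```powershell
# Added example, not from the original post. Assumes the Servers OU in the
# jaapbrasser.com domain; function name and parameters are made up here.
function Find-ComputerObject {
    param(
        [string]$SearchBase = 'LDAP://OU=Servers,DC=jaapbrasser,DC=com',
        [ValidateSet('Base','OneLevel','Subtree')]
        [string]$SearchScope = 'Subtree',
        [int]$InactiveDays = 90
    )
    $Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
        Filter      = '(&(objectCategory=computer)(objectClass=computer))'
        PageSize    = 500                 # page results so more than 1000 objects come back
        SearchRoot  = [adsi]$SearchBase
        SearchScope = $SearchScope
    }
    # Only ask the domain controller for the attributes we actually need
    'name','dNSHostName','operatingSystem','lastLogonTimestamp','userAccountControl' |
        ForEach-Object { [void]$Searcher.PropertiesToLoad.Add($_) }

    $Cutoff  = (Get-Date).AddDays(-$InactiveDays)
    $Results = $Searcher.FindAll()
    try {
        foreach ($Result in $Results) {
            $p = $Result.Properties   # keys in ResultPropertyCollection are lowercase
            # lastLogonTimestamp is replicated, but only updated if older than the
            # msDS-LogonTimeSyncInterval (14 days by default), so treat it as approximate
            $LastLogon = if ($p['lastlogontimestamp'].Count) {
                [datetime]::FromFileTime([int64]$p['lastlogontimestamp'][0])
            }
            [pscustomobject]@{
                Name            = [string]$p['name'][0]
                DnsHostName     = [string]($p['dnshostname'] -join '')
                OperatingSystem = [string]($p['operatingsystem'] -join '')
                LastLogon       = $LastLogon
                Enabled         = -not ([int64]$p['useraccountcontrol'][0] -band 0x2)
                Stale           = (-not $LastLogon) -or ($LastLogon -lt $Cutoff)
            }
        }
    } finally {
        $Results.Dispose()   # SearchResultCollection holds unmanaged resources
    }
}

# Direct children of the Servers OU only, showing just the stale accounts
Find-ComputerObject -SearchScope OneLevel | Where-Object Stale | Format-Table -AutoSize
```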

Active Directory Friday: List password information for Domain Administrators

In today’s Active Directory Friday we touch on the security of Domain Administrator accounts. Although this should not be overlooked, it is not uncommon for their passwords to remain unchanged for a long period of time.

To find the members of the Domain Admins group we can use the following LDAP filter:

"(memberof=CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com)"

Then for each account found a PowerShell Custom Object is created with the following three properties:

  • Samaccountname
  • PasswordAge
  • Account Enabled

So combining all these statements, the complete code is as follows:

$Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter = "(memberof=CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com)"
    PageSize = 500
}
$Searcher.FindAll() | ForEach-Object {
    New-Object -TypeName PSCustomObject -Property @{
        samaccountname = $_.Properties.samaccountname -join ''
        pwdlastset = [datetime]::FromFileTime([int64]($_.Properties.pwdlastset -join ''))
        enabled = -not [boolean]([int64]($_.properties.useraccountcontrol -join '') -band 2)
    }
}
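Building on the search above, here is an added example (not code from the original post) that turns the result into a password report: it computes the password age in days, treats a pwdLastSet of 0 as "must change at next logon", reads the disabled and password-never-expires bits from userAccountControl, and flags accounts worth a closer look. The function name and the 90-day threshold are my assumptions; the group DN is the one used in the post.

```powershell
# Added example, not from the original post. The group DN is the one used in the
# post; the function name and the age threshold are made up here.
function Get-AdminPasswordReport {
    param(
        [string]$GroupDN = 'CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com',
        [int]$MaxPasswordAgeDays = 90
    )
    # A plain memberOf filter only matches direct members. The matching rule
    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) also resolves members
    # of groups nested inside Domain Admins.
    $Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
        Filter   = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$GroupDN))"
        PageSize = 500
    }
    'sAMAccountName','pwdLastSet','userAccountControl' |
        ForEach-Object { [void]$Searcher.PropertiesToLoad.Add($_) }

    $Results = $Searcher.FindAll()
    try {
        foreach ($Result in $Results) {
            $p   = $Result.Properties
            $uac = [int64]$p['useraccountcontrol'][0]
            $pls = [int64]$p['pwdlastset'][0]
            # pwdLastSet = 0 means the password must be changed at next logon
            $PwdLastSet = if ($pls -gt 0) { [datetime]::FromFileTime($pls) }
            $Age = if ($PwdLastSet) { (New-TimeSpan -Start $PwdLastSet -End (Get-Date)).Days }
            [pscustomobject]@{
                SamAccountName  = [string]$p['samaccountname'][0]
                PwdLastSet      = $PwdLastSet
                PasswordAgeDays = $Age
                Enabled         = -not ($uac -band 0x2)       # ADS_UF_ACCOUNTDISABLE
                NeverExpires    = [bool]($uac -band 0x10000)  # ADS_UF_DONT_EXPIRE_PASSWD
                Flag            = ($Age -gt $MaxPasswordAgeDays) -or [bool]($uac -band 0x10000)
            }
        }
    } finally {
        $Results.Dispose()
    }
}

Get-AdminPasswordReport | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```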