Active Directory 2012

Active Directory – Display Global Catalog information

Sometimes you need to check the information stored in the Active Directory Global Catalog, for example to verify that replication between Global Catalog servers located in different sites has completed.

We can easily view the information held by a GC with ADSI Edit:

ADSI Edit


Let’s see how to connect to a GC (LDAP port 3268, or 3269 over SSL) using ADSI Edit.

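The same replication check done from PowerShell rather than by eye in two ADSI Edit windows, as an added example that is not part of the original post: the script binds to every Global Catalog in the forest through the GC:// provider (port 3268), reads a few attributes of one account from each, and warns about any attribute whose value is not identical everywhere. It assumes a domain-joined host; the account name jdoe and the attribute list are placeholders.

```powershell
# Added example: compare one object's attributes across all Global Catalogs.
# Assumes a domain-joined host; 'jdoe' and the attribute list are placeholders.
function Compare-GlobalCatalogObject {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Attributes = @('displayName', 'mail', 'userPrincipalName')
    )

    # Enumerate every GC in the forest (all sites), not just the one we are logged on to
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    $rows = foreach ($gc in $forest.GlobalCatalogs) {
        # GC:// binds to port 3268 and searches the whole forest (partial attribute set only)
        $root     = [ADSI]"GC://$($gc.Name)"
        $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, "(sAMAccountName=$SamAccountName)", $Attributes
        $hit      = $searcher.FindOne()

        $row = [ordered]@{ GC = $gc.Name; Site = $gc.SiteName; Found = [bool]$hit }
        foreach ($attr in $Attributes) {
            # ResultPropertyCollection keys are lower-case; multi-valued attributes are joined
            $row[$attr] = if ($hit) { $hit.Properties[$attr.ToLower()] -join ';' } else { '' }
        }
        [pscustomobject]$row
    }

    # Anything not identical on every GC means replication is not finished (or the attribute is not in the PAS)
    foreach ($attr in @('Found') + $Attributes) {
        $values = @($rows | ForEach-Object { "$($_.$attr)" } | Sort-Object -Unique)
        if ($values.Count -gt 1) {
            Write-Warning "'$attr' differs between GCs: $($values -join ' | ')"
        }
    }
    $rows
}

Compare-GlobalCatalogObject -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Only attributes in the partial attribute set are replicated to Global Catalogs, so an attribute outside it can legitimately come back empty from a GC in another domain; compare attributes you know are in the PAS before concluding that replication is broken.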

Active Directory 2012

Active Directory – Get Last logon using Powershell

During an Active Directory migration, I needed to take an inventory of the computers to migrate, because some computers no longer existed but had never been removed from Active Directory. I created a PowerShell script based on the lastLogonTimestamp attribute.

CSV file from the script


This PowerShell script creates a CSV file with the computer name, the last logon attribute and the operating system. Some domains were still running Windows Server 2003 or 2008 domain controllers, where the Active Directory cmdlets cannot be used (they need Active Directory Web Services, which ships with 2008 R2), so I used an LDAP search instead.

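An added example of the approach described above, written for this page and not the author's own script: it runs a plain LDAP search with System.DirectoryServices (no Active Directory module, so it works against 2003/2008 DCs), converts the FILETIME values, writes the CSV and flags stale computers. It assumes a domain-joined host; the 90-day threshold and the output path are placeholders.

```powershell
# Added example: inventory computers by lastLogonTimestamp with a plain LDAP search.
# Assumes a domain-joined host; the threshold and output path are placeholders.
function Get-ComputerLastLogon {
    param(
        [int]$InactiveDays = 90,
        [string]$OutCsv = '.\computers-lastlogon.csv'
    )
    # Bind to the domain naming context of the DC we are logged on to
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter     = '(objectCategory=computer)'
    $searcher.PageSize   = 1000   # paged search; without it the DC silently stops at 1000 results
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'lastLogonTimestamp', 'operatingSystem', 'pwdLastSet'))

    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
    $rows = foreach ($r in $searcher.FindAll()) {
        # Both timestamps are 64-bit Windows FILETIME integers; 0 or absent means "never"
        $ts  = [int64]($r.Properties['lastlogontimestamp'] | Select-Object -First 1)
        $pwd = [int64]($r.Properties['pwdlastset']         | Select-Object -First 1)
        $lastLogon  = if ($ts)  { [DateTime]::FromFileTimeUtc($ts)  } else { $null }
        $pwdLastSet = if ($pwd) { [DateTime]::FromFileTimeUtc($pwd) } else { $null }
        [pscustomobject]@{
            Name            = [string]($r.Properties['name'] | Select-Object -First 1)
            LastLogon       = $lastLogon
            PwdLastSet      = $pwdLastSet
            OperatingSystem = [string]($r.Properties['operatingsystem'] | Select-Object -First 1)
            # Stale only if both signals agree: no logon AND no machine-password change since the cutoff
            Stale           = ((-not $lastLogon) -or ($lastLogon -lt $cutoff)) -and ((-not $pwdLastSet) -or ($pwdLastSet -lt $cutoff))
        }
    }
    $rows | Sort-Object LastLogon | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
    $rows
}

Get-ComputerLastLogon -InactiveDays 90 | Where-Object Stale | Format-Table Name, LastLogon, PwdLastSet, OperatingSystem
```

Two caveats when reading the CSV: lastLogonTimestamp is replicated, but a DC only updates it when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), so it is accurate to about two weeks; lastLogon is exact but not replicated, so using it means querying every DC. The computer account's pwdLastSet (machine password, rotated every 30 days by default) is a useful second signal, which is why the example checks both.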

Active Directory 2012

Active Directory – How to display Bitlocker Recovery Key

When BitLocker is enabled on the workstations and laptops in your enterprise, you must have a way to retrieve the recovery key for a drive. In some cases BitLocker prompts the user for the recovery key itself, when it detects a change it considers suspicious, such as a change to the partition layout or to the boot environment.

The easiest solution is the Active Directory Users and Computers console. This only works if Group Policy is configured to back up BitLocker recovery information to Active Directory, and the BitLocker Recovery Password Viewer feature (part of RSAT) is installed on the administrator's machine.

With Active Directory Users and Computers, we can:

  • Display the BitLocker recovery key for one computer.
  • Search the whole Active Directory for a Password ID.
  • Delegate the rights needed to display this confidential information.

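The two lookups above (recovery key of one computer, search by Password ID) done from PowerShell, as an added example that is not part of the original post. Recovery information lives in msFVE-RecoveryInformation objects created under the computer object, one per key protector, and the object's CN is built from a timestamp and the Password ID, which is what the search below relies on. It assumes the AD module, backup to AD DS enabled by GPO, and read rights on those objects; PC01 and the Password ID prefix are placeholders.

```powershell
# Added example: read BitLocker recovery information from AD with the AD module.
# Assumes recovery backup to AD DS is enabled by GPO and the caller can read the
# msFVE-RecoveryInformation objects. 'PC01' and the Password ID prefix are placeholders.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    # One msFVE-RecoveryInformation child object per protector, directly under the computer object
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                Computer         = $computer.Name
                PasswordId       = [guid]$_.'msFVE-RecoveryGuid'   # the ID shown on the recovery screen
                VolumeId         = [guid]$_.'msFVE-VolumeGuid'
                RecoveryPassword = $_.'msFVE-RecoveryPassword'     # 48-digit key; null if you lack read access
                BackedUp         = $_.whenCreated
            }
        }
}

function Find-BitLockerRecoveryByPasswordId {
    # The recovery screen shows the first 8 characters of the Password ID; the object's CN is
    # "<timestamp>{<PasswordId>}", so a prefix match on the name finds it anywhere in the domain
    param([Parameter(Mandatory)][string]$PasswordIdPrefix)
    Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$PasswordIdPrefix*'" `
                 -Properties msFVE-RecoveryPassword |
        Select-Object @{ n = 'Computer'; e = { ($_.DistinguishedName -split ',', 2)[1] } }, Name, msFVE-RecoveryPassword
}

Get-BitLockerRecoveryInfo -ComputerName 'PC01' | Format-List
Find-BitLockerRecoveryByPasswordId -PasswordIdPrefix '1A2B3C4D'
```

Two settings decide whether this returns anything: the GPO "Choose how BitLocker-protected operating system drives can be recovered" must have "Save BitLocker recovery information to AD DS" turned on, and you want "Do not enable BitLocker until recovery information is stored to AD DS" as well, otherwise a laptop encrypted while off the network has no key in the directory. Who can read msFVE-RecoveryPassword is governed by the ACL on those objects, which is what the delegation bullet above is about.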

Windows 8.1

Security – Local Administrator Password Solution LAPS

Since Windows Server 2008, Group Policy Preferences could be used to set the local Administrator password on every workstation in an OU. In May 2014, Microsoft released security update MS14-025 (KB2962486) that removes this capability.

The reason is that the password was stored insecurely. It is encrypted with an AES key that Microsoft itself published on MSDN, in the Group Policy Preferences protocol specification. Because the preference XML lives in SYSVOL, which every authenticated user can read, and is fetched again at each Group Policy refresh several times a day, the password is effectively sent in the clear. Once KB2928120 is installed, the Group Policy editor no longer lets you define a password for:

  • Drive Maps.
  • Local Users.
  • Scheduled Tasks.
  • Services.
  • Data Sources.

Along with the security update, Microsoft provided a PowerShell script to change local passwords remotely.

A few days ago, Microsoft released a new tool: Local Administrator Password Solution (LAPS). With it, each computer periodically sets a random password for its local Administrator account and stores it in an Active Directory attribute (ms-Mcs-AdmPwd) protected by the directory ACL, so only delegated users can read it.

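The weak setting beside the corrected one, as an added example that is not from the original post or from Microsoft's scripts. Part 1 shows why the GPP method is a leak: it walks SYSVOL for leftover cpassword values (the update blocks creating new ones, it does not delete existing XML) and decrypts them with the key Microsoft published in the MS-GPPREF specification. Part 2 reads the LAPS-managed password from ms-Mcs-AdmPwd. It assumes the AD module, the LAPS schema extension already applied, and that the caller has been granted read on the attribute; PC01 is a placeholder.

```powershell
# Added example, not part of the original post.
# Part 1: find and decrypt leftover GPP passwords in SYSVOL (why the old method leaked).
# Part 2: read the LAPS password from ms-Mcs-AdmPwd (the replacement).
# Assumes the AD module and the LAPS schema extension; 'PC01' is a placeholder.
Import-Module ActiveDirectory

# AES-256 key published by Microsoft in the MS-GPPREF specification ("Password Encryption")
$script:GppAesKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                              0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # GPP strips the Base64 '=' padding; put it back before decoding
    $padded = $Cpassword + ('=' * ((4 - $Cpassword.Length % 4) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $script:GppAesKey
    $aes.IV      = New-Object byte[] 16          # all-zero IV, as in the specification
    $aes.Mode    = 'CBC'
    $aes.Padding = 'PKCS7'
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.Text.Encoding]::Unicode.GetString($plain)   # the password is stored as UTF-16LE
}

function Find-GppCpassword {
    # KB2928120 stops new passwords being set; it does not remove existing ones from SYSVOL
    param([string]$Domain = $env:USERDNSDOMAIN)
    Get-ChildItem -Path "\\$Domain\SYSVOL\$Domain\Policies" -Recurse -ErrorAction SilentlyContinue `
                  -Include Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml |
        Select-String -Pattern 'cpassword="([^"]+)"' |
        ForEach-Object {
            $enc = $_.Matches[0].Groups[1].Value
            [pscustomobject]@{ File = $_.Path; Cpassword = $enc; Password = ConvertFrom-GppCpassword $enc }
        }
}

function Get-LapsPassword {
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
    [pscustomobject]@{
        Computer = $c.Name
        Password = $c.'ms-Mcs-AdmPwd'    # confidential attribute: null unless you were granted read on it
        Expires  = if ($c.'ms-Mcs-AdmPwdExpirationTime') { [DateTime]::FromFileTime([int64]$c.'ms-Mcs-AdmPwdExpirationTime') } else { $null }
    }
}

Find-GppCpassword | Format-Table File, Password -AutoSize   # should return nothing on a cleaned-up domain
Get-LapsPassword -ComputerName 'PC01'
```

Run the first part as an ordinary domain user to see the problem from the attacker's side: no elevated rights are needed to read SYSVOL. For the LAPS side, the AdmPwd.PS module that ships with the tool offers Get-AdmPwdPassword for the same read and Find-AdmPwdExtendedRights to list who has been delegated access to the attribute on a given OU.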

Active Directory 2012

Active Directory – Create Fine-grained password

Before Windows Server 2008, password management had a limitation: only one password policy and one lockout policy could be applied to all users in a domain. Therefore, some organizations created several domains just to manage different sets of user/password policies.

With Windows Server 2008, Microsoft introduced Fine-Grained Password Policies (Password Settings Objects). With these objects you can create multiple password policies in the same domain and assign each one to specific users or global security groups. However, there was no built-in GUI to create them: we had to use ADSI Edit and the Attribute Editor to assign a policy to a group.

Windows Server 2012 adds a wizard to the Active Directory Administrative Center for creating Fine-Grained Password Policies. Let’s see how that makes it easier.

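The same thing the ADAC wizard does, from PowerShell, as an added example that is not part of the original post: create a stricter PSO for privileged accounts, apply it to a global group, then check which policy actually wins for a given user. It assumes the AD module and a domain at Windows Server 2008 functional level or higher; the policy name, values and the user jdoe are placeholders.

```powershell
# Added example: create a Password Settings Object and check its effect.
# Assumes the AD module and domain functional level 2008+; names and values are placeholders.
Import-Module ActiveDirectory

function New-AdminPasswordPolicy {
    param(
        [string]$Name = 'PSO-PrivilegedAccounts',
        [string[]]$Subjects = @('Domain Admins')   # PSOs apply to users or GLOBAL security groups only, never to OUs
    )
    # Lower precedence wins when several PSOs apply to the same user; a PSO linked directly to a user beats any group PSO
    $pso = New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 -PassThru `
        -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $Subjects
    $pso
}

function Test-EffectivePasswordPolicy {
    # Resultant policy for one user: the winning PSO, or the domain default when no PSO applies
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    $default = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        User       = $SamAccountName
        Policy     = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        MinLength  = if ($pso) { $pso.MinPasswordLength } else { $default.MinPasswordLength }
        MaxAgeDays = if ($pso) { $pso.MaxPasswordAge.TotalDays } else { $default.MaxPasswordAge.TotalDays }
    }
}

New-AdminPasswordPolicy | Out-Null
Test-EffectivePasswordPolicy -SamAccountName 'jdoe'
```

Always finish with the resultant-policy check: a PSO linked to a domain local or universal group, or to an OU, is silently ignored, and the user keeps the domain default.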

Active Directory 2012

Active Directory – Enable Recycle Bin

Windows Server 2008 R2 introduced a new domain feature: the Active Directory Recycle Bin. A great feature, but in that first version we had to use PowerShell both to enable it and to restore deleted objects.

Since Windows Server 2012, the Active Directory Administrative Center includes a GUI for the Recycle Bin. With ADAC, you can enable the feature and restore deleted objects easily. Of course, you can still do both with the PowerShell cmdlets.

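The PowerShell route for both steps, as an added example that is not part of the original post: enable the feature after checking the forest functional level (2008 R2 minimum) and whether it is already on, then restore a deleted object by its original name. It assumes the AD module and Enterprise Admins rights; jdoe is a placeholder.

```powershell
# Added example: enable the AD Recycle Bin and restore a deleted object from PowerShell.
# Assumes the AD module, Enterprise Admins rights, forest functional level 2008 R2+; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Enable-AdRecycleBin {
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "Recycle Bin already enabled in $($forest.Name)"
        return
    }
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$required) {
        throw "Forest functional level is $($forest.ForestMode); Windows2008R2Forest or higher is required"
    }
    # Irreversible: once enabled, the feature cannot be turned off again
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

function Restore-DeletedAdObject {
    param([Parameter(Mandatory)][string]$Name)   # original RDN, e.g. 'jdoe' or 'Sales'
    $deleted = Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$Name))" `
        -Properties lastKnownParent, msDS-LastKnownRDN, whenChanged
    foreach ($obj in $deleted) {
        # Restore-ADObject puts the object back under lastKnownParent; if that parent was
        # deleted too, restore the parent first (or pass -TargetPath to put it elsewhere)
        $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects
        if ($parent.Deleted) {
            Write-Warning "Parent $($obj.lastKnownParent) is also deleted; restore it first"
            continue
        }
        Restore-ADObject -Identity $obj.ObjectGUID
        Write-Host "Restored $($obj.'msDS-LastKnownRDN') (deleted $($obj.whenChanged)) to $($obj.lastKnownParent)"
    }
}

Enable-AdRecycleBin
Restore-DeletedAdObject -Name 'jdoe'
```

Two things to keep in mind: objects deleted before the feature was enabled are ordinary tombstones with most attributes stripped, so they cannot be restored intact, and a recycled object is only restorable for the deleted object lifetime (msDS-DeletedObjectLifetime, 180 days by default) before it becomes a recycled object that no cmdlet can bring back.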

Active Directory 2012

Active Directory – Create OU using Powershell

Sometimes you need to create a lot of Organizational Units in your Active Directory.
You can do it with Active Directory Users and Computers, but that quickly becomes time-consuming depending on the number of OUs.

Fortunately, Microsoft ships a PowerShell module with Active Directory, so we can write a script to do this for us.

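A bulk OU creation script of the kind the post describes, as an added example that is not the author's own: it takes a list of Path/Name pairs, creates parents before children regardless of the order in the list, skips OUs that already exist so it can be re-run safely, and keeps the accidental-deletion protection that ADUC ticks by default. It assumes the AD module; the CSV content embedded below is constructed sample input (in practice you would use Import-Csv on a file) and contoso.com is a placeholder domain.

```powershell
# Added example: create a tree of OUs from CSV rows, parents first, idempotently.
# Assumes the AD module. The CSV text is constructed sample input; 'contoso.com' is a placeholder.
Import-Module ActiveDirectory

$ous = @'
Path,Name
"DC=contoso,DC=com",Corp
"OU=Corp,DC=contoso,DC=com",Workstations
"OU=Corp,DC=contoso,DC=com",Servers
"OU=Workstations,OU=Corp,DC=contoso,DC=com",Laptops
'@ | ConvertFrom-Csv

function New-OuTree {
    param([Parameter(Mandatory)][object[]]$Ou)
    # Create shallow OUs before deep ones, whatever the order of the rows
    foreach ($entry in ($Ou | Sort-Object { ($_.Path -split ',').Count })) {
        $dn = "OU=$($entry.Name),$($entry.Path)"
        $exists = $null
        try { $exists = Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop } catch { }
        if ($exists) {
            Write-Host "Exists  : $dn"
            continue
        }
        # Same protection ADUC enables by default; an OU with this flag cannot be deleted by mistake
        New-ADOrganizationalUnit -Name $entry.Name -Path $entry.Path -ProtectedFromAccidentalDeletion $true
        Write-Host "Created : $dn"
    }
}

New-OuTree -Ou $ous
```

Re-running the script is harmless: existing OUs are reported and skipped, and only missing ones are created.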