Showing posts with label Active Directory.

Wednesday, January 22, 2020

Get list of unprotected OUs

To list the OUs that are not protected from accidental deletion in AD:

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false}
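As an added example (not part of the original post), the same query followed by the fix: every OU found is switched to ProtectedFromAccidentalDeletion, first as a dry run with -WhatIf. It assumes the ActiveDirectory module (RSAT) and rights to modify the OUs.

```powershell
# Added example, not from the original post: find unprotected OUs and protect them.
# Assumes the ActiveDirectory module and write access to the OUs.
Import-Module ActiveDirectory

function Get-UnprotectedOu {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

$unprotected = Get-UnprotectedOu
$unprotected | Select-Object Name, DistinguishedName | Format-Table -AutoSize

foreach ($ou in $unprotected) {
    # The flag adds Deny "Delete" and "Delete Subtree" ACEs for Everyone on the OU.
    # Drop -WhatIf once the list above is what you expect.
    Set-ADOrganizationalUnit -Identity $ou.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true -WhatIf
}

# Re-check: after the real run this should print 0
"Still unprotected: $(@(Get-UnprotectedOu).Count)"
```

Without -WhatIf the loop changes the ACLs in place; an OU that really must be deletable later can be unprotected again with the same cmdlet and $false.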

Tuesday, January 14, 2020

Active Directory – SID Filtering

Run an elevated command prompt or PowerShell as an Enterprise Administrator (netdom is a command-line tool, so either shell works).

To deactivate SID filtering on an external trust (the "quarantine" flag):

Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:No

To deactivate it on a forest trust (allow SID history to cross the trust):

Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /enablesidhistory:Yes

To activate it again, run the same commands with /quarantine:Yes (external trust) or /enablesidhistory:No (forest trust).

Caveat: with SID filtering off, the trusting domain honours the SIDs carried in the sIDHistory attribute of accounts from the trusted domain. Whoever controls the trusted domain can then add a privileged SID of the trusting domain (for example its Domain Admins SID) to an account's sIDHistory and get those rights across the trust. Turn it off only for the duration of a migration and switch it back on afterwards.

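To see where the two netdom switches above have been applied, here is an added audit script (not from the original post). It decodes the trustAttributes bits of every trustedDomain object; the bit values are those of the trustAttributes definition in MS-ADTS, and it assumes the ActiveDirectory module and read access to the trust objects.

```powershell
# Added example, not from the original post: report trusts where SID filtering
# has been relaxed. Bit values from the trustAttributes definition (MS-ADTS).
Import-Module ActiveDirectory

$QUARANTINED_DOMAIN = 0x4    # SID filtering on an external/realm trust (netdom /quarantine:Yes)
$FOREST_TRANSITIVE  = 0x8    # this is a forest trust
$TREAT_AS_EXTERNAL  = 0x40   # SID history allowed over a forest trust (netdom /enablesidhistory:Yes)

function Get-TrustSidFilteringReport {
    Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
                 -Properties trustAttributes, trustPartner, trustDirection |
    ForEach-Object {
        $attr     = [int]$_.trustAttributes
        $isForest = ($attr -band $FOREST_TRANSITIVE) -ne 0
        # Forest trust: relaxed when TREAT_AS_EXTERNAL is set.
        # External/realm trust: relaxed when QUARANTINED_DOMAIN is clear.
        $relaxed  = if ($isForest) { ($attr -band $TREAT_AS_EXTERNAL) -ne 0 }
                    else           { ($attr -band $QUARANTINED_DOMAIN) -eq 0 }
        [pscustomobject]@{
            Partner             = $_.trustPartner
            Direction           = $_.trustDirection   # 1 inbound, 2 outbound, 3 bidirectional
            ForestTrust         = $isForest
            TrustAttributes     = ('0x{0:X}' -f $attr)
            SidFilteringRelaxed = $relaxed
        }
    }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize
```

Any row with SidFilteringRelaxed = True is a trust over which injected sIDHistory SIDs are accepted; each of those should be traceable to an ongoing migration, otherwise re-enable filtering with the netdom commands above.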

Thursday, June 20, 2019

Migrate DC 2008r2 to 2016/2019

Before promoting a 2016/2019 DC into a domain whose SYSVOL still replicates with FRS, migrate SYSVOL to DFSR (domain functional level 2008 or higher is required; Windows Server 2019 no longer ships FRS). First check that SYSVOL is healthy and that every DC advertises:

Dcdiag /e /test:sysvolcheck /test:advertising

Then move the migration through its global states (0 = Start, 1 = Prepared, 2 = Redirected, 3 = Eliminated). Run the state check after each step and only continue when every DC reports the new state; states 1 and 2 can be rolled back with /setglobalstate 0 or 1, state 3 cannot.

Dfsrmig /setglobalstate 1

Dfsrmig /getmigrationstate

Dfsrmig /setglobalstate 2

Dfsrmig /getmigrationstate

Dfsrmig /setglobalstate 3

Dfsrmig /getmigrationstate


Source: https://www.youtube.com/watch?v=jl4vo5rD18A
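The three state changes above are usually typed one at a time while watching dfsrmig output. As an added example (not from the original post or the linked video), here is the same sequence scripted so that it never advances before all DCs have reached the current state. It assumes it runs as a Domain Admin on a writable DC (ideally the PDC emulator) and that the English dfsrmig output contains "migrated successfully" once the state is consistent; check the wording with a manual "dfsrmig /getmigrationstate" on your build.

```powershell
# Added example, not from the original post: drive the FRS->DFSR SYSVOL migration
# state by state and wait for every DC before moving on.
# Assumptions: run on a writable DC as Domain Admin; dfsrmig prints
# "migrated successfully" once all DCs are in the global state.
$states = @{ 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Wait-DfsrMigrationState {
    param([int]$State, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $out = (dfsrmig /getmigrationstate) -join "`n"
        if ($out -match 'migrated successfully') { return $true }
        Start-Sleep -Seconds 60          # state is replicated through AD, so this takes a while
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Timed out waiting for global state $State ($($states[$State])):`n$out"
    return $false
}

foreach ($s in 1, 2, 3) {
    # State 3 (Eliminated) is irreversible: FRS is removed once every DC reaches it.
    if ($s -eq 3 -and (Read-Host 'Proceed to Eliminated (cannot be rolled back)? [y/N]') -ne 'y') { break }
    dfsrmig /setglobalstate $s
    if (-not (Wait-DfsrMigrationState -State $s)) {
        throw "Not all DCs reached state $s; fix replication (dcdiag, repadmin /replsummary) before retrying"
    }
    Write-Host "All DCs reached $($states[$s]) ($s)"
}
```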

Monday, May 21, 2018

Reset password to all users in OU

Reset every user under an OU to the same password (fine for a test or lab OU; for real users give each account its own password and force a change at next logon):

Get-ADUser -Filter * -SearchScope Subtree -SearchBase "OU=Users,OU=test,DC=test,DC=local" -Server test.local | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "pass-123" -Force)

The password is typed in clear text, so it ends up in the console history and in any transcript; clear those afterwards.

Monday, February 26, 2018

Re-join Domain Without Restarting

When a machine shows "The trust relationship between the workstation and the primary domain failed", the computer account password on the machine no longer matches the one stored in the domain. Instead of leaving and re-joining the domain (two reboots), repair the secure channel from an elevated PowerShell on the affected machine (log on with a local administrator or a cached domain account):

Test-ComputerSecureChannel -Credential YourDomain\Administrator -Repair

Enter the password of a domain account that is allowed to reset the computer account's password (it does not have to be Administrator).

To test the relationship afterwards:

Test-ComputerSecureChannel

If it returns True, the secure channel works.


Friday, November 10, 2017

ADD extensionAttribute

If the UPN suffixes of your users differ from the domain's DNS name and an application needs an LDAP attribute of the form sAMAccountName@<domain DNS name>, you can build that value into one of the extensionAttribute1-15 fields.

Put the users' sAMAccountNames, one per line, in the file atribute.txt.

Import-Module ActiveDirectory
$Users = Get-Content c:\tmp\atribute.txt
ForEach ($User in $Users) {
    # Get-ADUser returns SamAccountName by default, no -Properties needed
    $adUser = Get-ADUser -Server test.local -Identity $User
    # extensionAttribute13 is single-valued: -Replace also works when a value is already set, -Add fails then
    Set-ADUser -Server test.local -Identity $adUser -Replace @{extensionAttribute13 = "$($adUser.SamAccountName)@test.local"}
}

Friday, September 1, 2017

Set the MaxPageSize in Active Directory

In large environments Active Directory holds a lot of objects. Third-party applications query them via LDAP (for example to verify users), and sometimes such a query fails with a size-limit error and not every object is returned. The limit is the MaxPageSize value (default 1000) of the LDAP query policy, which you can change with the ADSI Edit snap-in:

CN=Default Query Policy, CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=YOUR_COMPANY, DC=YOUR_COMPANY_TLD

Double-click lDAPAdminLimits, select the MaxPageSize entry, remove it and add it back with the new value:
MaxPageSize=10000

Caveat: the limit bounds what a single query can make a DC return in one page, and the default policy applies to every DC in the forest, so raising it affects all clients everywhere. The better fix is on the client side: use the LDAP paged-results control (PageSize in System.DirectoryServices, -ResultPageSize in the AD cmdlets), which returns any number of objects in pages at or below MaxPageSize without touching the policy.
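As an added example (not from the original post), this reads the current limit from the Default Query Policy and then shows the client-side alternative: a paged DirectorySearcher query and the equivalent AD-module call, neither of which hits the size limit. It assumes the ActiveDirectory module and takes the naming contexts from the session's RootDSE.

```powershell
# Added example, not from the original post: read lDAPAdminLimits and run a paged
# query instead of raising MaxPageSize. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-MaxPageSize {
    $config = (Get-ADRootDSE).configurationNamingContext
    $policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$config"
    $policy = Get-ADObject -Identity $policyDn -Properties lDAPAdminLimits
    # lDAPAdminLimits is multi-valued, entries look like "MaxPageSize=1000"
    ($policy.lDAPAdminLimits | Where-Object { $_ -like 'MaxPageSize=*' }) -replace '^MaxPageSize=', ''
}

function Get-UserCountPaged {
    param([int]$PageSize = 1000)   # must be <= MaxPageSize
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$((Get-ADRootDSE).defaultNamingContext)")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = $PageSize  # enables the paged-results control (OID 1.2.840.113556.1.4.319)
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $results = $searcher.FindAll()
    try   { return $results.Count }  # all pages are fetched transparently
    finally { $results.Dispose(); $searcher.Dispose() }
}

"MaxPageSize currently: $(Get-MaxPageSize)"
"Users via paged DirectorySearcher: $(Get-UserCountPaged)"
# The AD module pages for you as well; -ResultPageSize is the page size, not a cap
"Users via Get-ADUser: $(@(Get-ADUser -Filter * -ResultPageSize 1000).Count)"
```

If a third-party application cannot be configured to use paging, raising MaxPageSize is the remaining option; then set it only as high as that application needs.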


Monday, April 10, 2017

Logon Script to delete all browser cache

@echo off
REM Logon script: clears the Firefox, Chrome and Internet Explorer caches and the user's temp folders.
REM It kills running browsers and deletes profile data, so users lose open sessions and saved
REM form data/passwords; the Firefox *.sqlite deletion also removes places.sqlite (history AND bookmarks).

REM Cookie-only / temp-files-only alternatives for Internet Explorer (see the IE section below):
REM RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
REM RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8

::Firefox
taskkill /im "firefox.exe" >nul 2>&1

set "DataDir=%LOCALAPPDATA%\Mozilla\Firefox\Profiles"
del /q /s /f "%DataDir%\*.*" >nul 2>&1
rd /s /q "%DataDir%" >nul 2>&1

for /d %%x in ("%APPDATA%\Mozilla\Firefox\Profiles\*") do del /q /s /f "%%x\*.sqlite" >nul 2>&1

::Google Chrome
ECHO **** Clearing Chrome cache
taskkill /F /IM "chrome.exe" >nul 2>&1

set "ChromeDataDir=%LOCALAPPDATA%\Google\Chrome\User Data\Default"
set "ChromeCache=%ChromeDataDir%\Cache"
del /q /s /f "%ChromeCache%\*.*" >nul 2>&1
del /q /f "%ChromeDataDir%\*Cookies*.*" >nul 2>&1
del /q /f "%ChromeDataDir%\*History*.*" >nul 2>&1

REM Legacy (Windows XP style) profile path; harmless when it does not exist
set "ChromeDataDir=%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default"
set "ChromeCache=%ChromeDataDir%\Cache"
del /q /s /f "%ChromeCache%\*.*" >nul 2>&1
del /q /f "%ChromeDataDir%\*Cookies*.*" >nul 2>&1
del /q /f "%ChromeDataDir%\*History*.*" >nul 2>&1
ECHO **** Clearing Chrome cache DONE

::Internet Explorer
REM 255 = everything (history, cookies, cache, form data, passwords); 4351 = everything plus add-on data
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351

::Clear temp files
erase "%TEMP%\*.*" /f /s /q
for /D %%i in ("%TEMP%\*") do RD /S /Q "%%i"

erase "%TMP%\*.*" /f /s /q
for /D %%i in ("%TMP%\*") do RD /S /Q "%%i"

Tuesday, March 21, 2017

Reset AD user password in OU

Reset the password of multiple Active Directory users in an OU with PowerShell and the ADSI provider (no ActiveDirectory module needed):

# Specify the OU.
$OU = [ADSI]"LDAP://ou=West,dc=MyDomain,dc=local"

# Enumerate all objects in the OU.
ForEach ($User In $OU.Children)
{
    # Only consider user objects (SchemaClassName is the ADSI object class; computers report "computer").
    If ($User.SchemaClassName -eq "user")
    {
        # Set password (IADsUser::SetPassword).
        $User.Invoke("SetPassword", "123-zxc")
        # Expire the password so the user must change it at next logon.
        $User.Put("pwdLastSet", 0)
        $User.SetInfo()
    }
}
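Both this post and the "Reset password to all users in OU" post above give every account the same password. As an added example (not from either post) here is the version to use on real users: a unique random password per account, generated with the .NET CSPRNG rather than Get-Random, change forced at next logon, and the results written to a CSV for hand-over. It assumes the ActiveDirectory module; the OU, server and output path are placeholders.

```powershell
# Added example, not from the original posts: per-user random password reset.
# Assumptions: ActiveDirectory module; $SearchBase/$Server/$OutFile are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,OU=test,DC=test,DC=local'
$Server     = 'test.local'
$OutFile    = 'C:\tmp\reset-passwords.csv'   # contains passwords: restrict ACL, delete after hand-over

function New-RandomPassword {
    param([int]$Length = 16)
    # No look-alike characters (0/O, 1/l/I) so the hand-over works on paper/phone.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    # Slight modulo bias (69 symbols into 256) is acceptable for one-time passwords.
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Reset-OuPasswords {
    param([string]$SearchBase, [string]$Server)
    foreach ($u in Get-ADUser -Server $Server -SearchBase $SearchBase -SearchScope Subtree -Filter 'Enabled -eq $true') {
        $plain  = New-RandomPassword
        $secure = ConvertTo-SecureString -AsPlainText $plain -Force
        try {
            Set-ADAccountPassword -Server $Server -Identity $u -Reset -NewPassword $secure -ErrorAction Stop
            # Same effect as pwdLastSet = 0 in the ADSI script above
            Set-ADUser -Server $Server -Identity $u -ChangePasswordAtLogon $true -ErrorAction Stop
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Password = $plain; Status = 'OK' }
        } catch {
            # Password policy rejection, missing rights, ...: record it and keep going
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Password = ''; Status = $_.Exception.Message }
        }
    }
}

$results = Reset-OuPasswords -SearchBase $SearchBase -Server $Server
$results | Export-Csv -Path $OutFile -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Accounts with "Password never expires" or "User cannot change password" set will not be forced to change at logon; clear those flags first if the reset is meant to be one-time.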

Saturday, February 25, 2017

Change msRTCSIP-GroupingID for multiple users

If several organisations share one Lync/Skype for Business deployment and must not see each other in the address book, give each organisation's users their own msRTCSIP-GroupingID value (the attribute comes from the Lync/Skype schema extension). The value is an octet string; it only has to be identical within a group and different between groups, and the ObjectGUID of the organisation's OU is a convenient unique value for it.

To set it with PowerShell for multiple users:

Copy the OU's ObjectGUID, for example: 2DCF9FC8-CB7C-4382-AA97-EF9B890B9B6A

Convert the GUID to its hexadecimal byte form, for example with this site:
http://www.windowstricks.in/online-windows-guid-converter

After converting we have C89FCF2D7CCB8243AA97EF9B890B9B6A (the first three groups are byte-swapped because a GUID stores them little-endian).

Change this to the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx format:

C89FCF2D-7CCB-8243-AA97-EF9B890B9B6A

Then import the AD PowerShell module and apply the value to every user listed in atribute.txt:

Import-Module ActiveDirectory

$Users = Get-Content c:\tmp\atribute.txt

ForEach ($User in $Users) {
    Set-ADUser -Server test.local -Identity "$User" -Replace @{'msRTCSIP-GroupingID'=[GUID]("C89FCF2D-7CCB-8243-AA97-EF9B890B9B6A")}
}

Note that casting the swapped string back to [GUID] swaps the first three groups once more, so the bytes written are the original GUID string read left to right (2D CF 9F C8 CB 7C 43 82 ...), not the OU's stored objectGUID bytes. For grouping that makes no difference, since only equality matters; if the attribute should hold the OU's real objectGUID, pass the OU's ObjectGUID (or its ToByteArray()) directly and skip the hex detour.
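As an added example (not from the original post), here is the direct route: read the OU's ObjectGUID, write its bytes to msRTCSIP-GroupingID for every user in that OU, and verify. It assumes the Lync/Skype for Business schema extension is present and the ActiveDirectory module is installed; the OU DN and server are placeholders.

```powershell
# Added example, not from the original post: group all users of an OU under the
# OU's own objectGUID bytes. Assumptions: Lync/Skype schema, ActiveDirectory module,
# $OuDn/$Server are placeholders.
Import-Module ActiveDirectory

$Server = 'test.local'
$OuDn   = 'OU=OrgA,DC=test,DC=local'

function Set-OuGroupingId {
    param([string]$OuDn, [string]$Server)
    $ou    = Get-ADOrganizationalUnit -Server $Server -Identity $OuDn
    # Guid.ToByteArray() yields the 16 bytes in the order AD stores objectGUID
    $bytes = $ou.ObjectGUID.ToByteArray()
    Get-ADUser -Server $Server -SearchBase $OuDn -SearchScope Subtree -Filter * |
        ForEach-Object {
            Set-ADUser -Server $Server -Identity $_ -Replace @{ 'msRTCSIP-GroupingID' = $bytes }
        }
    return $bytes
}

function Get-OuGroupingIdReport {
    param([string]$OuDn, [string]$Server)
    Get-ADUser -Server $Server -SearchBase $OuDn -SearchScope Subtree -Filter * -Properties 'msRTCSIP-GroupingID' |
        ForEach-Object {
            $stored = if ($_.'msRTCSIP-GroupingID') { [System.BitConverter]::ToString([byte[]]$_.'msRTCSIP-GroupingID') } else { '(not set)' }
            [pscustomobject]@{ SamAccountName = $_.SamAccountName; GroupingID = $stored }
        }
}

$expected = [System.BitConverter]::ToString((Set-OuGroupingId -OuDn $OuDn -Server $Server))
"Expected: $expected"
# Every user of the OU should now show the same byte string
Get-OuGroupingIdReport -OuDn $OuDn -Server $Server | Format-Table -AutoSize
```

Users created in the OU later do not inherit the value; rerun the script (or hook it into the provisioning process) for them.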


Friday, February 24, 2017

Add extensionAttribute for multiple users

To add an extensionAttribute value to every user listed in atribute.txt (sAMAccountNames, one per line):

Import-Module ActiveDirectory

$Users = Get-Content c:\tmp\atribute.txt

ForEach ($User in $Users) {
    Set-ADUser -Server test.local -Identity "$User" -Add @{extensionAttribute1="test"}
}

extensionAttribute1-15 are single-valued, so -Add fails on a user that already has a value; use -Replace to overwrite.

To remove the extensionAttribute:

$Users = Get-Content c:\tmp\atribute.txt

ForEach ($User in $Users) {
    Set-ADUser -Server test.local -Identity "$User" -Clear "extensionAttribute1"
}

Saturday, January 28, 2017

Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub

Prepare the offline Root CA:

  1. Turn on the Offline Root CA and log in with an admin account.
  2. Open the Certification Authority console.
  3. Right-click "Revoked Certificates" and click Properties.
  4. Set "CRL publication interval" to a large value (the default is 26 weeks) and uncheck the "Publish Delta CRLs" check box. The root CRL must be republished before it expires: once it has, every certificate chaining to the root fails revocation checking.

To publish a new CRL from the offline Root CA to the Enterprise Sub CA:

  1. Publish a new CRL on the Root CA: right-click "Revoked Certificates" - All Tasks - Publish.
  2. Copy the CRL file from the Root CA (under %systemroot%\system32\certsrv\CertEnroll) to the Sub CA server.
  3. Turn off the Root CA.
  4. Copy the file to the Inetpub folder (HTTP CDP path) on the Sub CA server, by default C:\inetpub\wwwroot\Certdata.
  5. Open an admin command prompt and run the following to publish it to Active Directory (LDAP CDP path):

certutil -f -dspublish "C:\Inetpub\wwwroot\certdata\RootCA.crl"

The CDP URLs in the certificates the root issued must point at exactly these HTTP and LDAP locations, otherwise clients never find the new CRL.


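Steps 4 and 5 above, plus the check that is usually forgotten (how long the freshly published CRL is still valid), as an added PowerShell example that is not part of the original post. The source and destination paths and the CRL file name are placeholders; it assumes an elevated prompt on the Sub CA with rights to the CDP container in AD, and that certutil -dump prints its validity line as "NextUpdate: <date>" (English locale).

```powershell
# Added example, not from the original post: copy the root CRL to the HTTP CDP,
# publish it to the LDAP CDP, and warn when NextUpdate is near.
# Assumptions: placeholder paths; elevated prompt on the Sub CA; English certutil output.
$CrlSource = 'D:\RootCA.crl'                                  # e.g. removable media from the offline root
$HttpCdp   = 'C:\inetpub\wwwroot\certdata\RootCA.crl'

function Get-CrlNextUpdate {
    param([string]$Path)
    $dump = certutil -dump "$Path"
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed for $Path" }
    $line = $dump | Where-Object { $_ -match '^\s*NextUpdate:\s*(.+)$' } | Select-Object -First 1
    if (-not $line) { throw "No NextUpdate line in certutil output for $Path" }
    [void]($line -match '^\s*NextUpdate:\s*(.+)$')
    return [datetime]$Matches[1]
}

function Publish-RootCrl {
    param([string]$Source, [string]$HttpPath, [int]$WarnDays = 14)
    Copy-Item -Path $Source -Destination $HttpPath -Force
    # -f overwrites the CRL object under CN=CDP,CN=Public Key Services,CN=Services,<config NC>
    certutil -f -dspublish "$HttpPath"
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }
    $next = Get-CrlNextUpdate -Path $HttpPath
    $days = [int]($next - (Get-Date)).TotalDays
    if ($days -lt $WarnDays) {
        Write-Warning "Root CRL expires $next ($days days): plan the next offline publish now"
    }
    return $next
}

$next = Publish-RootCrl -Source $CrlSource -HttpPath $HttpCdp
"Published; valid until $next"
# Optional end-to-end check of the CDP URLs embedded in the Sub CA certificate:
# certutil -verify -urlfetch <SubCA.cer>
```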

Monday, January 23, 2017

Powershell script to get users logged in in last 30 days

PowerShell to get the users who logged in during the last X days (30 here). LastLogonDate is derived from lastLogonTimestamp, which is only updated when the stored value is more than 9 to 14 days old, so the result is accurate to about two weeks; for an exact answer query lastLogon on every DC.

$since = (Get-Date).AddDays(-30)

Get-ADUser -Filter {LastLogonDate -gt $since} -Properties LastLogonDate | Select-Object Name, LastLogonDate | Sort-Object Name


(Get-ADUser -Server contoso.com -Filter {LastLogonDate -gt $since} -Properties LastLogonDate).Count

Monday, October 10, 2016

No Sysvol and netlogon folders on new domain controller

Fix for a new domain controller that does not share SYSVOL and NETLOGON:

Open regedit and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Change the SysvolReady value from 0 to 1.

After a reboot you can see the (empty) SYSVOL folder. Recover the policies from backup or fix DFSR replication.

Then change SysvolReady from 1 back to 0, reboot, and after the reboot change SysvolReady from 0 to 1 again.

After this reboot the SYSVOL and NETLOGON shares are present.

Thursday, October 6, 2016

RODC AD in DMZ ports

Ports to open on the firewall between the RODC in the perimeter network and the writable domain controller in the LAN (57344 and 53248 are the static RPC ports this setup assigns to DRSUAPI/NetLogon and FRS; without a static assignment these services use the dynamic RPC range, 49152-65535 on Windows Server 2008 and later):

Port                 Type of traffic
TCP 57344            DRSUAPI, LsaRpc, NetLogonR (static RPC port)
TCP 53248            FrsRpc (static RPC port)
TCP 135              EPM
TCP 389              LDAP
TCP 3268             GC, LDAP
TCP 445              DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
TCP 53               DNS
TCP 88               Kerberos
UDP 123              NTP
UDP 389              C-LDAP
UDP 53               DNS
TCP and UDP 464      Kerberos Change/Set Password

Ports to open on any host or network firewall between a member server in the perimeter network and the RODC in the perimeter network:

Port                 Type of traffic
TCP 135              EPM
TCP 389              LDAP
TCP 445              DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
TCP 88               Kerberos
TCP Dynamic          DNS, DRSUAPI, NetLogonR, SamR
UDP 389              C-LDAP
UDP 53               DNS
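To confirm the firewall actually allows the first table before promoting the RODC, here is an added check script (not from the original post) to run from the perimeter host towards the writable DC. The target name and domain are placeholders; the two static ports only apply if you pinned them as the table assumes, and UDP services are verified end to end (DNS, NTP, secure channel) because Test-NetConnection cannot probe UDP.

```powershell
# Added example, not from the original post: probe the TCP ports from the table and
# exercise the UDP services end to end. $Target and the domain are placeholders.
$Target = 'dc01.corp.local'
$Domain = 'corp.local'

$tcpPorts = @{
    53    = 'DNS'
    88    = 'Kerberos'
    135   = 'EPM'
    389   = 'LDAP'
    445   = 'SMB / NetLogonR / LsaRpc / SamR'
    464   = 'Kerberos change/set password'
    3268  = 'Global Catalog'
    53248 = 'FrsRpc (static, only if pinned)'
    57344 = 'DRSUAPI / LsaRpc / NetLogonR (static, only if pinned)'
}

function Test-DcPorts {
    param([string]$ComputerName, [hashtable]$Ports)
    foreach ($p in ($Ports.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Service = $Ports[$p]; Open = $r.TcpTestSucceeded }
    }
}

$results = Test-DcPorts -ComputerName $Target -Ports $tcpPorts
$results | Format-Table -AutoSize
$closed = @($results | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) { Write-Warning "Blocked: $($closed.Port -join ', ')" }

# UDP checks via the services themselves
Resolve-DnsName -Name $Target -Server $Target -Type A          # UDP/TCP 53
w32tm /stripchart /computer:$Target /samples:1 /dataonly       # UDP 123
nltest /sc_query:$Domain                                       # secure channel over 135/445/dynamic RPC
```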



Thursday, September 22, 2016

DFS Replication problem -FIX

This is the authoritative SYSVOL restore for DFSR: the PDC emulator's copy of SYSVOL overwrites the copy on every other DC, so make sure the PDC holds the good one before you start.

1. Connect to the PDC emulator and stop the DFS Replication service (services.msc).

2. Open ADSI Edit (adsiedit.msc), connect to the PDC and go to:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<PDC Server>,OU=Domain Controllers,DC=<your domain>

3. Change the attributes:
msDFSR-Enabled=FALSE
msDFSR-Options=1

4. On all other domain controllers (same path, with that DC's name) change msDFSR-Enabled to FALSE.

5. On the PDC run:
repadmin /syncall pdc_name /APed

6. Start the DFS Replication service on the PDC.

7. In ADSI Edit change msDFSR-Enabled back to TRUE on the PDC.

8. On the PDC run DFSRDIAG POLLAD and wait for event 4602 in the DFS Replication event log (SYSVOL initialised as authoritative).

9. On all other domain controllers run:
repadmin /syncall pdc_name /APed

10. On all other DCs (not the PDC) change msDFSR-Enabled to TRUE in ADSI Edit.

11. Run DFSRDIAG POLLAD on all DCs (not the PDC).

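The ADSI Edit clicks above are easy to get wrong on a domain with many DCs. As an added example (not from the original post), here is the same procedure with the ActiveDirectory module, so each attribute change is explicit and the script stops until the authoritative event has appeared. It assumes Domain Admin rights, that it runs on the PDC emulator, that the PDC's SYSVOL is the good copy, and WinRM access to the other DCs for the final DFSRDIAG POLLAD.

```powershell
# Added example, not from the original post: authoritative SYSVOL restore on DFSR.
# Assumptions: run on the PDC emulator as Domain Admin; PDC holds the good SYSVOL;
# WinRM reachable on the other DCs. This overwrites SYSVOL on every other DC.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$pdc      = $domain.PDCEmulator
$domainDn = $domain.DistinguishedName
$dcs      = Get-ADDomainController -Filter *

function Get-SysvolSubscriptionDn([string]$DcName) {
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DcName,OU=Domain Controllers,$domainDn"
}

# Steps 1-5: stop DFSR on the PDC, disable the subscription everywhere, mark the PDC authoritative
Stop-Service DFSR
foreach ($dc in $dcs) {
    $attrs = @{ 'msDFSR-Enabled' = $false }
    if ($dc.HostName -eq $pdc) { $attrs['msDFSR-Options'] = 1 }
    Set-ADObject -Server $pdc -Identity (Get-SysvolSubscriptionDn $dc.Name) -Replace $attrs
}
repadmin /syncall $pdc /APed

# Steps 6-8: start DFSR, re-enable the PDC, wait for event 4602 (initialised as authoritative)
Start-Service DFSR
$pdcName = ($dcs | Where-Object { $_.HostName -eq $pdc }).Name
Set-ADObject -Server $pdc -Identity (Get-SysvolSubscriptionDn $pdcName) -Replace @{ 'msDFSR-Enabled' = $true }
dfsrdiag pollad
$started = Get-Date
do {
    Start-Sleep -Seconds 30
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4602; StartTime = $started } -ErrorAction SilentlyContinue
} while (-not $evt)
"PDC SYSVOL is authoritative ($($evt[0].TimeCreated))"

# Steps 9-11: bring the other DCs back as non-authoritative; they re-sync from the PDC
foreach ($dc in ($dcs | Where-Object { $_.HostName -ne $pdc })) {
    repadmin /syncall $pdc /APed
    Set-ADObject -Server $pdc -Identity (Get-SysvolSubscriptionDn $dc.Name) -Replace @{ 'msDFSR-Enabled' = $true }
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock { dfsrdiag pollad }
}
```

On the non-authoritative DCs, events 4614 followed by 4604 in the DFS Replication log confirm that SYSVOL was re-initialised from the PDC; until 4604 appears on a DC, its SYSVOL share is not consistent.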