How to find and report nested groups in Active Directory using PowerShell

Since I started working with and learning PowerShell, I have tried to find solutions to complicated tasks that sound simple when put in one sentence.
One way is to double-click a group, check the Members tab and type the result into Excel rows and columns. If I had nothing else to do and loved clicking mouse buttons, that would be a nice time killer. The other option is a third-party tool, freeware or shareware with limitations, which most of the time does not give what I need: nested groups several levels deep, with the path that leads to each one.

Fortunately, my favorite tool is PowerShell.

Here is the result (screenshot in the original post).
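The post shows only the finished report, so here is an added example (not the original post's script) of how such a report is built: a recursive walk of a group's members that lists every nested group with its depth and the path that reaches it. The visited set stops the walk from looping when groups contain each other, which is exactly the kind of nesting a membership audit should flag. It assumes the ActiveDirectory module (RSAT) and a domain-joined session; the group name and output path are assumptions.

```powershell
# Added example, not from the original post.
# Recursively report the groups nested inside a given group, with depth and path.
Import-Module ActiveDirectory

function Get-NestedGroupReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [int]$MaxDepth = 20
    )

    # Groups already visited, keyed by distinguishedName. A group reached twice
    # (a cycle such as A contains B and B contains A, or two paths to the same
    # group) is reported again but never recursed into a second time.
    $visited = @{}

    function Walk([string]$Dn, [string]$Path, [int]$Depth) {
        if ($Depth -gt $MaxDepth) {
            Write-Warning "Maximum depth $MaxDepth reached at '$Path'; stopping this branch"
            return
        }
        $group = Get-ADGroup -Identity $Dn -Properties member
        foreach ($memberDn in $group.member) {
            try {
                # objectClass is returned by default, so no extra properties are needed
                $member = Get-ADObject -Identity $memberDn -ErrorAction Stop
            } catch {
                # Foreign security principals and members from other domains may not resolve
                Write-Warning "Cannot resolve member '$memberDn': $($_.Exception.Message)"
                continue
            }
            if ($member.objectClass -ne 'group') { continue }

            $seen = $visited.ContainsKey($memberDn)
            [pscustomobject]@{
                Parent      = $group.Name
                NestedGroup = $member.Name
                Depth       = $Depth
                Path        = "$Path > $($member.Name)"
                AlreadySeen = $seen     # True when this group was reached via another path or a cycle
            }
            if (-not $seen) {
                $visited[$memberDn] = $true
                Walk -Dn $memberDn -Path "$Path > $($member.Name)" -Depth ($Depth + 1)
            }
        }
    }

    $root = Get-ADGroup -Identity $GroupName
    $visited[$root.DistinguishedName] = $true
    Walk -Dn $root.DistinguishedName -Path $root.Name -Depth 1
}

# Usage (assumed names): report everything nested under Domain Admins and save it as CSV
Get-NestedGroupReport -GroupName 'Domain Admins' |
    Export-Csv -Path C:\Reports\NestedGroups.csv -NoTypeInformation
```

Rows with AlreadySeen set to True are the ones worth a second look: a group that appears at two depths, or that contains one of its own ancestors, is where unintended privilege usually hides.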



List Users and their Group Membership using PowerShell

In some cases you might need to prepare a report listing Active Directory users and their group membership. One case I came across recently was for auditing purposes.

The organization had approximately 1,600 users and incomplete documentation of who was a member of what.

There was no other way than writing a small PowerShell script.

Note: There might be other ways to script and accomplish this task as well.

Export Active Directory User details to Excel using PowerShell

I am a frequent visitor of Experts-Exchange.com, and I have seen many questions related to bulk management, for example exporting user details from AD when only some specific attributes are needed, or exporting Exchange 2010 mailbox details.

Mostly this kind of question comes up when administrators need to produce a report or analyze how the infrastructure is used.

So I thought of putting some simple one-liner scripts together, as far as my knowledge goes.

Here we will try to get a report on some specific user details from AD. I am using Windows Server 2012 for this demonstration, and it is going to be very brief and start from the basics.
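The two previous posts describe the same kind of audit report from two angles: which groups each user belongs to, and which user attributes are worth exporting. As an added example that serves both (not the original posts' scripts), the block below pulls the attributes an auditor usually asks for and, for each user, both the direct groups and the effective groups after nesting is resolved. The effective list comes from the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which makes the domain controller walk nested membership server-side. It assumes the ActiveDirectory module; the OU, stale-account threshold and output path are assumptions.

```powershell
# Added example, not from the original posts.
# Per-user report: account hygiene attributes plus direct and effective group membership.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping. Distinguished names already contain "\," for escaped commas,
    # so the backslash itself must be escaped before the DN is embedded in a filter.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-UserGroupReport {
    [CmdletBinding()]
    param(
        [string]$SearchBase = 'OU=Users,DC=contoso,DC=com',   # assumed OU
        [int]$StaleDays = 90                                   # assumed threshold
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $props  = 'Enabled', 'PasswordLastSet', 'PasswordNeverExpires', 'LastLogonDate', 'whenCreated'

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties $props | ForEach-Object {
        $user = $_
        $dn   = ConvertTo-LdapFilterValue $user.DistinguishedName

        # Direct membership: groups whose member attribute names this user.
        # Neither query includes the primary group (usually Domain Users).
        $direct = @(Get-ADGroup -LDAPFilter "(member=$dn)" | Select-Object -ExpandProperty Name)

        # Effective membership: the DC expands nesting transitively, which is what
        # "what can this account actually reach" means for an audit.
        $effective = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                       Select-Object -ExpandProperty Name)

        # Groups gained only through nesting are the ones documentation tends to miss.
        $nestedOnly = @($effective | Where-Object { $direct -notcontains $_ })

        [pscustomobject]@{
            SamAccountName       = $user.SamAccountName
            Name                 = $user.Name
            Enabled              = $user.Enabled
            Created              = $user.whenCreated
            PasswordLastSet      = $user.PasswordLastSet
            PasswordNeverExpires = $user.PasswordNeverExpires
            LastLogonDate        = $user.LastLogonDate
            Stale                = (-not $user.LastLogonDate) -or ($user.LastLogonDate -lt $cutoff)
            DirectGroups         = ($direct    | Sort-Object) -join ';'
            EffectiveGroups      = ($effective | Sort-Object) -join ';'
            NestedOnlyGroups     = ($nestedOnly | Sort-Object) -join ';'
        }
    }
}

# Usage (assumed path): one CSV that opens directly in Excel
Get-UserGroupReport | Export-Csv -Path C:\Reports\UserGroupMembership.csv -NoTypeInformation
```

Two LDAP queries per user is fine for a few thousand accounts; for much larger directories, cache group DNs to names and run the chain query per group instead. LastLogonDate is replicated only every 9 to 14 days, so Stale is an approximation unless lastLogon is collected from every domain controller.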

Changing UserName and SMTP addresses in bulk

Recently I had to change the username, alias and SMTP addresses for approximately 150 recently created users.

Doing it through the GUI would have taken the whole day of find, click, click, click.

There was a little manual work: generating a CSV of the users in the department OU and adding the new username and new email address columns to it.

The final CSV had the columns UserName, NewUserName, NewEmail and upn (screenshot in the original post).

Once the CSV is ready, import it into PowerShell and let it do its magic.

$userCol = Import-Csv -Path C:\Update-users.csv
foreach ($user in $userCol) {
    "Processing : " + $user.UserName
    # Turn the address policy off first so it does not overwrite the addresses set below
    Set-Mailbox -Identity $user.UserName -EmailAddressPolicyEnabled $false
    Set-Mailbox -Identity $user.UserName -Alias $user.NewUserName
    # -EmailAddresses replaces the whole proxy address list, so the old address is dropped
    # and mail sent to it will bounce; use @{add='smtp:...'} instead to keep it as a secondary
    Set-Mailbox -Identity $user.UserName -EmailAddresses $user.NewEmail
    # Re-enabling the policy lets it regenerate addresses from the new alias; if the policy
    # template differs from NewEmail, the policy's address becomes the primary one
    Set-Mailbox -Identity $user.UserName -EmailAddressPolicyEnabled $true
    "Changing UserName from: " + $user.UserName + " TO: " + $user.NewUserName
    # Rename the account last, because every call above finds the mailbox by the old name
    Set-Mailbox -Identity $user.UserName -SamAccountName $user.NewUserName -UserPrincipalName $user.upn -Alias $user.NewUserName
}

I used a separate Set-Mailbox call for each task to keep it easy to follow; the script is otherwise self-explanatory. Because the loop changes the identity, alias and addresses of every account in the file and nothing checks the CSV first, a typo in the file (a duplicated new username, an address already in use) is applied to the directory before anyone notices.
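As an added example (not the original post's script), the block below is the pre-flight check I would run on Update-users.csv before the loop above touches anything: it flags source accounts that do not exist, new usernames or UPNs that are already taken or malformed, new addresses already assigned to another recipient, and duplicates inside the file itself. It changes nothing. Column names follow the post; it assumes the ActiveDirectory module and a loaded Exchange session, and the CSV path is an assumption.

```powershell
# Added example, not from the original post.
# Validate every row of the rename CSV against AD and Exchange before any change is made.
Import-Module ActiveDirectory

function Test-RenameCsv {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $rows = Import-Csv -Path $Path
    # Valid UPN suffixes: the forest's registered suffixes plus every domain's DNS name
    $upnSuffixes = @((Get-ADForest).UPNSuffixes) + @((Get-ADForest).Domains)

    # Duplicates inside the file: two rows renaming to the same account or address
    $dupNames = @($rows | Group-Object NewUserName | Where-Object Count -gt 1 | ForEach-Object Name)
    $dupMail  = @($rows | Group-Object NewEmail    | Where-Object Count -gt 1 | ForEach-Object Name)

    foreach ($row in $rows) {
        $problems = New-Object System.Collections.Generic.List[string]

        if (-not (Get-ADUser -Identity $row.UserName -ErrorAction SilentlyContinue)) {
            $problems.Add("source account '$($row.UserName)' not found")
        }
        if ($row.NewUserName.Length -gt 20) {
            # sAMAccountName for user objects is limited to 20 characters
            $problems.Add("NewUserName '$($row.NewUserName)' exceeds 20 characters")
        }
        if (Get-ADUser -Identity $row.NewUserName -ErrorAction SilentlyContinue) {
            $problems.Add("'$($row.NewUserName)' is already taken")
        }
        if ($row.upn -notmatch '^[^@\s]+@([^@\s]+)$' -or $Matches[1] -notin $upnSuffixes) {
            $problems.Add("UPN '$($row.upn)' is malformed or uses a suffix not registered in the forest")
        }
        if (Get-ADUser -Filter "userPrincipalName -eq '$($row.upn)'") {
            $problems.Add("UPN '$($row.upn)' already in use")
        }
        # An address already held by another recipient makes Set-Mailbox fail half-way through the loop
        if (Get-Recipient -Filter "EmailAddresses -eq 'smtp:$($row.NewEmail)'" -ErrorAction SilentlyContinue) {
            $problems.Add("address '$($row.NewEmail)' already assigned to another recipient")
        }
        if ($dupNames -contains $row.NewUserName) { $problems.Add('NewUserName duplicated in CSV') }
        if ($dupMail  -contains $row.NewEmail)    { $problems.Add('NewEmail duplicated in CSV') }

        [pscustomobject]@{
            UserName    = $row.UserName
            NewUserName = $row.NewUserName
            Ok          = ($problems.Count -eq 0)
            Problems    = ($problems -join '; ')
        }
    }
}

# Usage (assumed path): show the rows that need fixing; run the rename only when none are listed
$report = Test-RenameCsv -Path C:\Update-users.csv
$report | Where-Object { -not $_.Ok } | Format-Table UserName, NewUserName, Problems -AutoSize
```

Once the report is clean, run the rename loop with -WhatIf on the Set-Mailbox calls first; Exchange prints what each call would change without applying it.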

Hope it helps.

Troubleshoot Event ID 680

Troubleshooting Event ID 680 sometimes gets really tricky, and I have not come across a good article describing where to start. (Event ID 680 is the NTLM credential-validation failure on Windows Server 2003 domain controllers; on Server 2008 and later the same event is logged as Event ID 4776, and the steps below apply unchanged.)

Quite often a user account keeps getting locked out. There are a few common causes:

1. The user has saved their domain username and password somewhere, and when the password is changed the saved credentials are not updated. The application using them keeps sending the old password, the domain controller rejects it every time, and once the lockout threshold is reached the account locks.

2. A user (often an IT admin) logs on to a server via Remote Desktop and disconnects instead of logging off. There is a Group Policy setting under Remote Desktop Services session time limits ("Set time limit for disconnected sessions") that ends such sessions after a specified period. If that policy is not in place, the disconnected session keeps the old credentials, and after a password change the account keeps locking out.

3. The scenario documented in this article: a service whose "Log On As" account is the user in question.

Lets check what exactly is happening here.

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Logon
Event ID:    680
Date:        10/31/2012
Time:        9:52:59 AM
User:        NT AUTHORITY\SYSTEM
Computer:    HQDC1
Description:
Logon attempt by:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:    nadeem
Source Workstation:   
Error Code:    0xC0000064

The Error Code in the description, 0xC0000064, means "User name does not exist" (see http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=680). This is different from a bad password (0xC000006A) or an already locked account (0xC0000234): something is presenting credentials for an account name the domain no longer knows, which usually means the account was deleted or renamed while something still uses the old name.
The user account is nadeem (one of the admins responsible for server hardware health checks).

Source Workstation is blank. The workstation name in this event is supplied by the client, so it cannot be relied on. How do we track where the authentication is coming from?

To start troubleshooting, first enable debug logging for the NetLogon service.
Logging has to be enabled on the domain controller on which the event is being logged, because that is where the authentication takes place.

To enable logging, open a command prompt and run:

nltest /dbflag:0x20000004

and restart the NetLogon service:

net stop netlogon
net start netlogon


Now go to C:\Windows\Debug.
Here you will find the file NetLogon.log, which is where the logging is recorded. It can grow quickly on a busy domain controller (it rolls over into netlogon.bak), so do not leave it enabled longer than needed.
Searching the log for the account name shows the authentication requests coming from a server named "HQANTIVIRUS" (screenshot in the original post).

So we have the source server, and it is time to log on to it and check.

TIP: as soon as you log on, open the Processes tab in Windows Task Manager and look for the username along with the executable that is issuing the authentication requests.

In this case, hpsimsvc.exe was running under the username "nadeem".

Next, I checked services.msc and found that the service was configured to log on as "nadeem". Since the domain controller reports that this user name does not exist, the service was still using an account name that was no longer valid, and every start or recovery attempt of the service produced a failed logon.

Once you fix the service account, the event will no longer show up.

Finally, disable NetLogon logging again. From a command prompt run:

nltest /dbflag:0x0

and restart the NetLogon service:

net stop netlogon
net start netlogon

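The steps above (enable logging, read netlogon.log, find the host, find the service, disable logging) are done by hand in the post. As an added example that is not part of the original post, the block below does the middle two steps in PowerShell: it parses SamLogon lines out of netlogon.log for one account and reports where each failure came from and what the status code means, then queries the identified host for services that log on as that account. The log lines embedded in it are constructed to follow the netlogon.log SamLogon format ("... logon of DOMAIN\user from WORKSTATION (via SERVER) Returns 0x..."); the domain, host and account names are assumptions.

```powershell
# Added example, not from the original post.
# Parse netlogon.log failures for an account, then find services on the source host that run as it.

function Get-NetlogonFailure {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$Account
    )
    # NTSTATUS codes seen in Event 680 / 4776 failures
    $codes = @{
        '0xC0000064' = 'user name does not exist'
        '0xC000006A' = 'wrong password'
        '0xC000006F' = 'logon outside permitted hours'
        '0xC0000071' = 'password expired'
        '0xC0000072' = 'account disabled'
        '0xC0000193' = 'account expired'
        '0xC0000234' = 'account locked out'
    }
    # "from" is followed by the client-supplied workstation name (may be empty or "(null)"),
    # optionally "(via SERVER)" naming the member server that forwarded the request.
    $re = 'SamLogon: (?<type>.+?) logon of (?<domain>[^\\]+)\\(?<user>\S+) from\s+' +
          '(?<src>(?:\(null\)|[^\s(]\S*)?)\s*(?:\(via\s+(?<via>[^)]+)\)\s*)?Returns\s+(?<status>0x[0-9A-Fa-f]+)'

    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $re)
        if (-not $m.Success) { continue }                      # "Entered" lines and other noise
        if ($m.Groups['user'].Value -ne $Account) { continue }
        $status = $m.Groups['status'].Value
        if ([Convert]::ToInt64($status.Substring(2), 16) -eq 0) { continue }   # success, not interesting
        $src = $m.Groups['src'].Value
        if ($src -eq '(null)') { $src = '' }
        [pscustomobject]@{
            Time      = ($line -split ' \[')[0]                # leading "MM/DD HH:MM:SS"
            Account   = "$($m.Groups['domain'].Value)\$($m.Groups['user'].Value)"
            LogonType = $m.Groups['type'].Value
            Source    = $src
            Via       = $m.Groups['via'].Value                 # the host to go and look at
            Status    = $status
            Meaning   = $codes[$status]
        }
    }
}

function Find-ServiceRunningAs {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Account
    )
    # Win32_Service.StartName is the "Log On As" value, e.g. "CONTOSO\nadeem" or ".\nadeem".
    # Scheduled tasks and IIS application pools can hold stale credentials too; check those separately.
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -like "*\$Account" -or $_.StartName -eq $Account } |
        Select-Object @{n = 'Computer'; e = { $ComputerName }}, Name, DisplayName, StartName, State, PathName
}

# Constructed sample lines in netlogon.log format (assumed domain CONTOSO and hosts)
$sample = @(
    '10/31 09:52:59 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\nadeem from HQANTIVIRUS (via HQANTIVIRUS) Entered',
    '10/31 09:52:59 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\nadeem from HQANTIVIRUS (via HQANTIVIRUS) Returns 0xC0000064',
    '10/31 09:53:04 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS042 (via HQFS1) Returns 0x0',
    '10/31 09:55:12 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\nadeem from (null) (via HQANTIVIRUS) Returns 0xC0000064'
)

$hits = Get-NetlogonFailure -Lines $sample -Account 'nadeem'
$hits | Format-Table Time, Account, Source, Via, Status, Meaning -AutoSize
# Summarise by forwarding host: the host with the failures is where the service lives
$hits | Group-Object Via | Select-Object Name, Count

# On a real domain controller, feed the live log instead of the sample, then inspect each host:
#   $hits = Get-NetlogonFailure -Lines (Get-Content C:\Windows\Debug\netlogon.log) -Account 'nadeem'
#   $hits | Where-Object Via | Select-Object -ExpandProperty Via -Unique |
#       ForEach-Object { Find-ServiceRunningAs -ComputerName $_ -Account 'nadeem' }
```

The Via field, not Source, is the one to trust here: Source echoes whatever workstation name the client put in the request (blank in the post's event), while Via is the member server whose secure channel delivered the request to the domain controller.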