Archive: ‘AD in general’ Category

Prevent accidental deletions of AD objects

1 comment June 5th, 2013

The “ask DS team” posted a blog post about “Two lines that can save your AD from a crisis”. Not a bad thing to do as it will prevent you or another admin to accidentally delete users or computer objects.

The lines they wrote protected users, computers and OUs. Did they forget about Groups?

Anyway, to also include all your groups:

# Set the "ProtectedFromAccidentalDeletion" attribute to "true" on all users,
# computers and groups in your domain where the attribute is set to "false"

Get-ADObject -filter {ObjectClass -eq "user" -or objectclass -eq "group"} -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

If you try to delete a user og computer object, you will get an error stating the object is protected from accidental deletion. You will have to untick the “Protect object from accidental deletion”:



What if you’d like to move the user object to a different OU? Same error as above. You must set the attribute to ‘false’.

If you have hundreds of objects in an OU you’d like to move, it’s easier to use Powershell to revert the attribute of all objects in the spesific OU:

Get-ADObject -SearchBase 'OU=OU1,dc=domain,dc=com' -filter {ObjectClass -eq "user" -or objectclass -eq "group"} -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $true} | Set-ADObject -ProtectedFromAccidentalDeletion:$false

Will Gareth Bale stay with Spurs next season?



1 comment January 16th, 2012

This weekend I attended at the NIC2012 conference in Oslo.

Many interesting sessions were on the schedule like DS MVP Brian Desmond’s “What’s new in Windows Server 8 Active Directory” and “Kerberos uncovered”.

Key notes from WinServer 8 AD:

  • USN Rollback preventions when restoring a snapshot (PDCe needs to be on a Win Server 8 DC)
  • Support for cloning DCs (handy when you have to deploy dozens of them)
  • GUI for the AD Recycle Bin and Fine Grained Password Policy
  • Dcpromo.exe is gone (you promote a DC from the server manager)
  • AD delivers the mechanism for file server access with Claims Based Authentication
  • A huge amount of new Powershell cmdlets

Unfortunately it looks like the video for this session is missing, though I’d recommend you to have a look at some other sessions like:

“Kerberos uncovered” by Brian Desmond:

”How to Not Screw Up Your PKI Environment“ by Brian Komar:

“What’s new in Windows 8 Hyper-V” by Ronald Beeklaar:


All sessions:



Active Directory Topology Diagrammer

No comments June 11th, 2011

An updated version of ADTD was just realased. Go get it if you like to have a graphical documentation of your domain. It requires MS Visio. The older version worked with the Visio trial version. I’ve not tested if this version do.


No comments February 5th, 2011

If you’re going to prepare your domain/forest for 2008/2008R2 domain controllers, you’ve to run ADPREP before you can promote them. If your existing domain consists of 32-bits 2003 DC’s, you have to run the 32-bit version of ADPREP, named adprep32.exe.

Let’s say you have 3 domains in your forest and you want to raise the Forest Functional Level (FFL) and Domain Functional Level (DFL) to 2008R2.

1. Verify replication health (important):

The first thing you have to make sure of is that your replication is working. To get a quick forest wide overview, you can use a tool called repadmin.exe. (run it from cmd)

repadmin /replsum * /bysrc /bydest /sort:delta

Look at the output and if all DC’s shows “Fails” = 0, you’re ready to move on. If it report errors, you have to look into those before proceeding.

2. Extend the schema:

Log into the DC holding the Schema Master. If you don’t know who that is, run “netdom query fsmo” from any DC. Have the 2008R2 media reachable from the Schema Master.

If the Schema Master DC is a 2003 32-bit run:

adprep32 /forestprep

If you want to be 100 per cents sure that the extensions are replicated to all DC’s before move on to the next step:

Open ADSIedit.msc and navigate to:

Schema > (Properties on) “CN=Schema,CN=Configuration,DC=domain,DC=com

Check “objectVersion” value. Value should be “47” if it has replicated.

Also verify this on the PDCe DC in the other domains. If the value is “30” (2003 level), the change has not been replicated yet. To trigger a replication:

On the PDCe DC: “repadmin /syncall /A /P /e”

When all DC’s got the correct value you can;

 3.  Prepare the domain:

Run “adprep32 /domainprep” on each DC holding the Infrastructure Master (IM) FSMO. One IM in each domain. If you don’t plan to add 2008 DC’s to i.e. Domain C, you don’t have to run this on the IM in Domain C.

 4. If you have a Windows 2000 domain, you have to run:

“adprep32 /domainprep /gpprep”

It will not hurt to run this on a 2003 domain, as you can run the adpreps so many times you want.

5. RODC’s

If you plan to apply RODC’s into your domain, run:

“adprep32 /rodcprep”

 If you’ll never add RODC’s you can skip this, but DCDIAG will report an error regarding “NCSecDesc”. You can ignore the error, but who likes to do that?

FAQ’s and common errors regarding ADPREP from the Technet Wiki:

Do I need WINS?

No comments December 15th, 2010

No, you do not!


  • You have Exchange 2000/2003 and want to preserve full functionality. Changing a domain password with OWA 2003, export/import with Exmerge and Outlook clients prior to 2003, all requires WINS.
  • You have a large sub netted network, NETBIOS broadcast may not work between the networks.
  • You have a program that requires WINS.

I assume you don’t have any NT servers or Win98 clients 🙂 

If you do have a WINS server in play, you could use “Performance Monitor” to monitor WINS queries (“Successful Queries/sec”).


If you have a lot of queries, you should take into consideration if NETBIOS name query broadcasts are acceptable. Just take into mind that broadcasts will increase the load on your network.


Documenting AD groups

No comments October 29th, 2010

AD Group membership should be documented, but there are none good built-in MS tools that can do it for you (atleast that I’m aware of). You can use tools such as “dsget group” but you can’t pipe it to Excel and get it user/customer friendly 😐

Here is a script that will do the job for you. It requires that you have Excel installed.
If you don’t have Excel, it will work on a trial version that you’ll find here.

'------------------Save me as .vbs ----------------------------------------------
' The script searces for all AD groups (as you can specify) and writes
' the group name with the group manager and its members to an Excel spred sheet.
' One sheet per group.
' Privilages to run: "domain users"
' v.1.1
' rsoe(a)
On Error Resume Next
Const MyDomain = "dc=spurs,dc=local"
' If you don't want all built-in groups but only groups in a spesific OU:
' Const MyDomain = "ou=ChildOU,ou=ParentOU,dc=spurs,dc=local"
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
' Open Excel for writing
Set objExcel = CreateObject("Excel.Application")
objExcel.Visible = True
' Find all groups
objCommand.CommandText = _
    "SELECT ADsPath, Name FROM 'LDAP://" & MyDomain & "' WHERE objectCategory='group'"
Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF
    Set objGroup = GetObject(objRecordSet.Fields("ADsPath").Value)
 strGroupName = objRecordSet.Fields("Name").Value

 ' Find if the group has a manager
 strManagedBy = objGroup.Get("managedBy")
 If IsEmpty(strManagedBy) = FALSE Then
       strManager = strManagedBy  
    Else strManager = "-"
    End If
 ' Give the sheet the Group name. One sheet per group.
 objExcel.Sheets.Add.Name = strGroupName

 arrMemberOf = objGroup.GetEx("member")
 objExcel.Cells(1, 1).Value = "Members of " & strGroupName & ":"
 objExcel.Cells(2, 1).Value = "Managed by: " & strManager
 i = 3
 count = 0
    ' Check to see if the group contains users
 If Err.Number <> E_ADS_PROPERTY_NOT_FOUND then
    For Each strMemberOf in arrMemberOf
          Set objMember = GetObject("LDAP://" & strMemberOf)
       strMemberName = right(objMember.Name,len(objMember.Name)-3)
       objExcel.Cells(i, 1).Value = strMemberName
       set objMember = nothing
       i = i + 1
       count = count + 1
    objExcel.Cells(i, 1).Value = "Member count: " & count
       ' The group don't have any members
    objExcel.Cells(i, 1).Value = "Member count: " & count
 End If

 i = 0
 count = 0
 strManagedBy = ""
 Set objGroup = nothing

The perfect excuse to buy an iPhone 4

No comments October 28th, 2010

Most of the phone calls the AD service desk receives are about user accounts that have been disabled or forgotten passwords.
This is a small task to handle if you have a task pad of ADUC in front of you.

It’s Saturday and you are watching a Tottenham game with a fellow Spurs fan at his place. You receive a call from your boss that has forgotten his AD password. He tells you reset his password *now*! 

Your friend doesn’t have an Internet connection, so you have to get down to the office to reset his bloody password. Arrrgg! 

I just bought an iPhone 4 and downloaded an app called “AD Helpdesk”. If you have one, you can watch the game and please your boss at the same time.

Setup a VPN connection on the phone to reach your internal network and start the App.

Search AD for his username and just reset his password from the app.

More about the app:

Configure the time

3 comments June 23rd, 2010

Applies to Server 2003/2008. Not for Windows 2000.

Time is crucial in an Active Directory domain. If there are i.e. more than 5 minutes offset between a DC and a client computer, the Kerberos protocol used for authentication will fail.

You may also see problems with AD replication if two DCs are out of time sync, since attributes that are changed are time stamped when the change occurred. The time stamp is one of three functions to prevent replication/attribute conflicts.

When a user logs on to his/her workstation and authenticates, the computer will synchronize its time with the authenticating DC.

This DC, if it’s not the PDC role holder, synchronizes its time with the domain’s PDCe role holder.

The PDCe holder should synchronize its time with a reliable time source. You could find a NTP server close to you HER.
If the DC holding the PDC dies, the role is transferred or siezed you have to configure the time source on the new PDCe.
Configuring the external time source can be a mess, and maintaining it might be even more messy

The MS DS team made a blog entry about this some time ago and I must say it’s a really elegant approach!!

In short terms they create a GPO, sets an external time source, configures a WMI filter so the GPO only applies to the domains PDCe role holder, and link the GPO to the Domain Controller container.

Open the GPMC and create a new WMI filter:











Query: Select * from Win32_ComputerSystem where DomainRole = 5

Create a new GPO and set the external time source:

Computer Configuration/Administrative Templates/System/Windows Time Service/Time Providers/Configure Windows NTP Client

You set the NtpServer you prefer and change the type to NTP.











Activate the WMI filter to this GPO:












and link the GPO to the Domain Controllers container:





















To see how the DCs is synchronizing their time, run: w32tm / monitor





Here dc01test.spurs.local (the PDCe holder) uses its HW clock while dc4test.spurs.local is synchronizing with dc01test.

Restart the time service (net stop w32time && net start w32time) and force a Group Policy update (gpupdate /force or wait 5 minutes)

Now the newly created GPO is applied and now dc01test is synchronizing with the external time source.






You can also see this in the System Event log:











So what happens if I transfer the PDCe role from dc01test to dc4test?

I wait for 5 minutes (and run w32tm /monitor just to check):






As you can see dc4test is now synchronizing with the external time source, while dc01test is synchronizing with dc4test.

You don’t have to think of configure the time source if your PDCe is transferred.
You even don’t have to clean the old PDCe holder as the registry don’t gets tattooed by this!!!
If you configure the time with a GPO, the registry settings will be located here:


If you don’t use a GPO, the settings will be set here:


The first one takes precedence over the second one.


GPO backup

No comments March 16th, 2010

When you take a System state backup of a DC it includes a backup of your SYSVOL with all your GPO’s. If a GPO get corrupted or is accidentally deleted you have to restore the System state to get the policy back. This operation is time consuming.

With the Group Policy Management Consol (GPMC) you can take backups of your GPO’s directly from the consol (and even restore them) which is less time consuming then a System state restore.

Even better are the scripts that follow with the GPMC. With them you can i.e. schedule a regular backup of all GPO’s.

I made a script that dumps the GPO’s to a file share, using some the scripts that followed with the installation of the GPMC.

Download the GPMC here for Win2003.


‘ Backup all GPO’s in the domain
‘ author: Rune Sørensen
‘ 14.04.2009 , v.1.0

‘ Save the script as a vbs file and run it once or create a scheduled task
‘ runnning the script.
‘ \\server\share should reflect your servername and sharename

Dim fso, strPath, objShell

‘ Filepath to the share
strPath = “\\server\share\GPO_Backup\*”

Set fso = CreateObject(“Scripting.FileSystemObject”)
Set objShell = CreateObject(“Wscript.Shell”)

‘ Delete the last taken backup

strExecuteBackup = “cmd /c ” & “cd %programfiles%\gpmc\scripts\ && cscript BackupAllGPOs.wsf \\server\share\GPO_Backup”‘

strQueryBackups = “cmd /c ” & “cd %programfiles%\gpmc\scripts\ && cscript QueryBackupLocation.wsf \\server\share\GPO_Backup > \\server\share\GPO_Backup\BackupLocations.txt”

strCreateReport = “cmd /c ” & “cd %programfiles%\gpmc\scripts\ && cscript GetReportsForAllGPOs.wsf \\server\share\GPO_Backup”

objShell.Run strExecuteBackup
WScript.Sleep (120000)

objShell.Run strQueryBackups
WScript.Sleep (60000)

objShell.Run strCreateReport
Set objShell = nothing
Set fso = nothing

””””””””””””””””””””” EOF ”””””””””””’

Restore an OU

No comments March 11th, 2010

Assuming you have a 2003 DC SP1< and a good System state backup. Not older than your domains tombstone lifetime.

Start the DC in DSRM (F8 at boot)


Start NTBackup

Restore Wizard > Next

Choose the System state backup file > Next > Advanced

Restore files to “Original Location”

Leave exsisting files > Next


If you have only one DC in your domain. Tick the last checkbox (fig.2). If you have more than one, don’t tick it.

Press “Finish”

Do not restart the DC at this moment.

Mark the object as authoritative (meaning the object(s) will get replicated to other DC’s because it’s authoritative)

Open cmd >ntdsutil

> authoritative restore

> restore subtree destinguishedName

ie. An OU accidentally got deleted called “Reserves” holding all the Tottenhams reserves user objects. (What the heck. They aren’t good enough for the first team, but maybe someday they will so let’s get them back).


> quit

Restart the DC in normal mode (SP1 or newer). The AD Replication will do the job to get the OU and the user objects replicated to the other DC’s in the domain.

If you have a Windows 2003 SP1 or newer DC, the ntdsutil will create two files if the restored user object have any back-links to group membership. If they do you have to restore the back-link aswell. But wait until all DC’s have got the users replicated.

Syntax: ldifde -i -f <ar*.ldf>

ie: ldifde -i -f ar_20100129-081113_links_spurs.local.ldf

If you have a Win2008 R2 domain and restore a user from the Recycle Bin you don’t have to worry about the back-links. The process will do it for you.