Wednesday, November 4, 2015

LDAP Queries for Users, Computers, Groups and Service Connection Points v2

Below you will find a lot of LDAP queries. For an example of how to use these queries in ADUC (Active Directory Users and Computers), see this post.

Computer accounts

Computer accounts starting with WS

Computer accounts with "COP" in the attribute "description"
(&(objectCategory=computer)(description=*COP)) -->for only COP in the description

Computer accounts with MS-SQL installed

Computer accounts with a Server OS

Find all Computers that do not have a Description

Find all computer accounts for whom a manager is specified

Find all workstations

Find all 2003 Servers – Non-DCs
(&(samAccountType=805306369)(!(primaryGroupId=516))(objectCategory=computer)(operatingSystem=Windows Server 2003*))

Find all 2003 Servers – DCs
(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))

Find all 2008 Servers – Non-DCs
(&(samAccountType=805306369)(!(primaryGroupId=516))(objectCategory=computer)(operatingSystem=Windows Server 2008*))

Find all 2008 Servers – DCs
(&(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server* 2008*))

Disabled Computer Accounts

Enabled Computer Accounts

SQL Servers any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*)(operatingSystem=Windows Server*))

Exchange Servers any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*))

Find all Windows XP SP3 computers
(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))

Find all Windows Vista SP1 computers
(&(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))

Find all Windows Server 2008 Enterprise computers
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008 Enterprise)(operatingSystemServicePack=Service Pack 1))

Find all Windows Server 2008 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008*))

Find all Windows 8.0 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows 8*)(operatingSystemVersion=6.2 \289200\29))
The parentheses inside the version value "6.2 (9200)" are escaped as \28 and \29, as LDAP filter syntax (RFC 4515) requires; left unescaped they are read as filter syntax.

Find all Windows 8.1 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows 8.1*))

Find all Windows Server 2012 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*))

Find all Windows Server 2012 no R2 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*)(operatingSystemVersion=6.2 \289200\29))

Find all Windows Server 2012 R2 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012 R2*))

Find all Windows 10 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows 10*))

User accounts

Find all user accounts

Find all user accounts for whom a password is not required

Find all user accounts that do not require a SmartCard for logon

Find users that have non-expiring passwords

To find all user accounts that have the name “Mueller” in them

Locked out user accounts

User accounts starting with "A" in the attribute "Common Name"

Disabled user accounts

User accounts without a value in the attribute "Mail"

Mail-enabled user accounts

User accounts that have never logged on

Users that have been given dial-in permissions

Find users who have "admin" in the description field

Find user accounts with no log on script

Find user accounts with no profile path

Find non disabled accounts that must change their password at next logon

Find all Users that need to change password on next login

Finds all locked out accounts

Finds all Users with Email Address set

Finds all Users with no Email Address

Find all Users with Dial-In permissions

Finds all disabled accounts in Active Directory

Find all Users that are almost Locked-Out
Notice the “>=” that means “Greater than or equal to”.

Find all mail-enabled groups hidden from the Global Address list (GAL)

Find all mail-enabled security groups

Find all mailbox-enabled accounts

Find all mailbox-enabled accounts with Outlook Web Access (OWA) disabled

Find all users with Hidden Mailboxes

Groups

To find all groups that have no members

Find groups that contain the word admin

Find all Universal Groups

Find all global security groups

Finds Domain Local Groups

Find all distribution groups

List all groups with sec- prefix convention

Find all security groups with members

Service Connection Points

Find all service connection points

Find all service connection points that do not have service bindings specified

Find all service connection points that do not have a service DNS name specified
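As an added example that is not part of the original post, the following Python builds and checks filters of the kind listed in the computer and user account sections above: the RFC 4515 escaping that the operatingSystemVersion filters need for their "(9200)" value, the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) behind the userAccountControl-based user queries, and a small parser that rejects a filter whose value contains an unescaped parenthesis. The attribute names, flag values and rule OID are standard Active Directory ones; the function names are my own.

```python
UAC_ACCOUNTDISABLE = 0x0002           # "Disabled user accounts"
UAC_PASSWD_NOTREQD = 0x0020           # "password is not required"
UAC_DONT_EXPIRE_PASSWORD = 0x10000    # "non-expiring passwords"
UAC_SMARTCARD_REQUIRED = 0x40000      # negate for "do not require a SmartCard"
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # bitwise-AND matching rule

def escape_value(value):
    """RFC 4515 escaping of '\\', '*', '(', ')' and NUL inside an assertion value."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, esc)
    return value

def os_filter(os_prefix, version=None):
    """Computer filter as above: operatingSystem prefix, optional exact operatingSystemVersion."""
    parts = ["(objectCategory=computer)", f"(operatingSystem={escape_value(os_prefix)}*)"]
    if version is not None:  # e.g. '6.2 (9200)' separates 2012 from 2012 R2; parens get escaped
        parts.append(f"(operatingSystemVersion={escape_value(version)})")
    return "(&" + "".join(parts) + ")"

def uac_filter(flag, present=True):
    """User filter testing one userAccountControl bit via the bitwise-AND rule; present=False negates."""
    clause = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag})"
    return f"(&(objectCategory=person)(objectClass=user){clause if present else '(!' + clause + ')'})"

def _parse(text, pos):
    """Recursive descent over one component starting at text[pos]; returns (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    if text[pos + 1] in "&|!":  # and / or / not with nested components
        op, items, pos = text[pos + 1], [], pos + 2
        while text[pos] == "(":
            node, pos = _parse(text, pos)
            items.append(node)
        node = (op, items)
    else:  # simple item: attribute[:rule:]=value, value may not contain a raw '('
        end = text.index(")", pos)
        attr, eq, value = text[pos + 1:end].partition("=")
        if not attr or not eq or "(" in value:
            raise ValueError(f"malformed item {text[pos + 1:end]!r}")
        node, pos = (attr, value), end
    if text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1

def parse_filter(text):
    """Parse a complete RFC 4515 filter into nested tuples; rejects unescaped '(9200)' values."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node
```

Run every filter you paste into ADUC through parse_filter first; the unescaped "6.2 (9200)" form is reported as a malformed item, while the escaped form round-trips.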

Thursday, October 22, 2015

Replication problems between two DCs caused by a faulty Schannel and a wrong Kerberos ticket for the affected DC's computer object

• Automatic and manual replication fails with the error:
Error message "Target Principal Name is Incorrect"

• AD replication error 8452 remains:
"The naming context is in the process of being removed or is not replicated from the specified server."

• KCC builds wrong NTDS replication partners

Directory Services events:
• Event ID 36871 (Schannel)
A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

• Event ID 36886 (Schannel)
No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

• The affected DC cannot communicate with the PDC
• The Schannel credential on the affected DC has to be renewed
• A new Kerberos ticket has to be requested from the PDC
• The KCC has to be restarted to rebuild the replication partner(s)

Actions needed:
1. Stop the KDC service:
C:\>net stop KDC
2. Purge the Kerberos tickets using KLIST:
C:\>klist purge
(klist purge clears only the tickets of the current logon session; the computer account's own tickets live in the SYSTEM logon session and are purged with klist -li 0x3e7 purge.)
3. Find the PDC domain controller in the domain of the affected DC
4. Reset the secure channel from the problem DC to the PDC:
C:\>netdom resetpwd /server:<PDC> /userd:<DOMAIN>\<Admin_account>
5. Access the PDC by FQDN to force the problem DC to request a new Kerberos ticket:
C:\>net use \\<PDC FQDN>\IPC$
6. Force the DC to replicate from the PDC (from Active Directory Sites and Services)
7. Start the KDC service:
C:\>net start KDC

Delete existing NTDS connections and check replication topology.

Wednesday, March 25, 2015

Change AD group membership for multiple users using PowerShell

You can download my script from TechNet.

- Requirements:
You have to create C:\ADUser.csv, which should look like this:

Also edit the marked groups in the script to match your environment. You can extend this as needed.
# Read C:\ADUser.csv (one "username" column) and add each user to the groups "Petun" and "Petun2" in AD
foreach ($User in (Import-Csv -Path C:\ADUser.csv)) {
    Add-ADGroupMember -Identity Petun -Members $User.username
    Add-ADGroupMember -Identity Petun2 -Members $User.username
}

Windows Server 2012: The remote session was disconnected because there are no Terminal Server client access licenses available for this computer

If you try an RDP connection, you get the following error message.

It could be that no license is available:
In that case you have to add the needed licenses to your RD Licensing Server!

If this server isn't a terminal server, you have to start the RDP client with the following parameter:
mstsc /admin

You can also disable "User Account Control: Run all administrators in Admin Approval Mode" by doing the following steps:

- Open "Search", type in "secpol" and click on "Local Security Policy"

- In the "Local Security Policy" browse to "Local Policies/Security Options" and set "User Account Control: Run all administrators in Admin Approval Mode" to "Disabled".

After this change, restart the server. Note that this setting switches off UAC elevation prompts for every administrator on the server, so it is best re-enabled once the licensing problem is solved.