Tuesday, February 21, 2017

Find CNF objects in Active Directory

When two or more objects with the same name are created in the same container on different domain controllers before replication occurs, Active Directory resolves the conflict by renaming the object with the older timestamp. The renamed object gets "\0ACNF:[GUID]" appended to its relative distinguished name (0A is the line-feed character, so the name shows a line break in some tools). These objects are referred to as conflict or CNF objects. A domain controller generates Event ID 12292 whenever a CNF object is created.

To find CNF objects across the forest (via the global catalog) and open the resulting file, run the following commands. The filter looks for the "\0ACNF:" marker in both cn and ou, so renamed organizational units are found as well:
dsquery * forestroot -gc -attr distinguishedName -scope subtree -filter "(|(cn=*\0ACNF:*)(ou=*\0ACNF:*))" > cnfobjects.txt
start cnfobjects.txt

Protect your AD DNS Zones from accidental deletion using Powershell

AD-integrated DNS zones live in two application partitions: forest-wide zones in ForestDnsZones and per-domain zones in DomainDnsZones. Each partition has to be checked separately.

To get Forest DNS zones that are not protected from accidental deletion, you can use the following PS command (change the -SearchBase to your forest in both commands):

FOREST:
Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=com" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview


To set protection use the following command:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=com" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject -ProtectedFromAccidentalDeletion $true


DOMAIN:
To get Domain DNS zones that are not protected from accidental deletion, you can use the following PS command (change the -SearchBase to your domain in both commands):

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=subdomain,DC=domain,DC=com" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Select name,protectedfromaccidentaldeletion | out-gridview


To set protection use the following command:

Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=subdomain,DC=domain,DC=com" -properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject -ProtectedFromAccidentalDeletion $true
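The same audit for every DNS partition in the forest at once, as an added example that is not part of the original post: it enumerates the ForestDnsZones and DomainDnsZones partitions from Get-ADForest instead of hard-coding a -SearchBase, queries a domain controller of the domain that hosts each partition, and only sets the flag after a -WhatIf review. It assumes the ActiveDirectory module and ADWS on the domain controllers.

```powershell
# Added example, not from the original post: find unprotected dnsZone objects in all
# ForestDnsZones/DomainDnsZones partitions and protect them (review with -WhatIf first).
Import-Module ActiveDirectory

function ConvertTo-DnsDomainName {
    # "DC=DomainDnsZones,DC=sub,DC=example,DC=com" -> "sub.example.com"
    param([string]$PartitionDn)
    $labels = ($PartitionDn -split ',') | Select-Object -Skip 1 | ForEach-Object { $_ -replace '^DC=', '' }
    return ($labels -join '.')
}

function Get-UnprotectedDnsZone {
    # Enumerate the DNS application partitions rather than guessing their names
    $partitions = (Get-ADForest).ApplicationPartitions |
        Where-Object { $_ -like 'DC=ForestDnsZones,*' -or $_ -like 'DC=DomainDnsZones,*' }

    foreach ($partition in $partitions) {
        # Ask a DC of the domain that hosts the partition; a DC of another domain
        # would only hand back a referral for DomainDnsZones
        $domain = ConvertTo-DnsDomainName $partition
        $dc = (Get-ADDomainController -Discover -DomainName $domain -Service ADWS).HostName |
            Select-Object -First 1

        Get-ADObject -Server $dc -SearchBase $partition -SearchScope Subtree `
            -Filter 'ObjectClass -eq "dnsZone"' -Properties ProtectedFromAccidentalDeletion |
            Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
            Select-Object Name, DistinguishedName, @{ n = 'Server'; e = { $dc } }
    }
}

function Protect-DnsZone {
    # Set the flag on each zone found above; -WhatIf shows the changes without applying them
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($zone in Get-UnprotectedDnsZone) {
        if ($PSCmdlet.ShouldProcess($zone.DistinguishedName, 'Set ProtectedFromAccidentalDeletion')) {
            Set-ADObject -Server $zone.Server -Identity $zone.DistinguishedName -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Review first, then run Protect-DnsZone without -WhatIf to apply
Get-UnprotectedDnsZone | Format-Table Name, DistinguishedName, Server -AutoSize
Protect-DnsZone -WhatIf
```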

Powershell Script: Set extensionAttribute using EmployeeID or samAccountName

In my example I will use extensionAttribute4; of course you can use another one as well.

Here is a script that uses the employeeID to find each user:

-----------------------------------------------------
# Set ExtensionAttribute4 using AD Users EmployeeID
#csv file
#employeeID,extensionAttribute4
#1482216,45837
#9999998,9999

Import-module ActiveDirectory
$Path = "C:\admin\UsersExt4.csv"
$users = Get-Content -Path $Path | ConvertFrom-CSV
$users | foreach {
    # Turn empty CSV cells into $null so they are not written to AD as empty strings
    $_.psobject.properties | foreach { if ($_.value -eq "") { $_.value = $null }}

    $eid = $_.employeeID
    $user = Get-ADUser -Filter {employeeID -eq $eid}

    # Skip rows whose employeeID matches no user, or more than one
    if (@($user).Count -ne 1) { Write-Warning "employeeID $eid matched $(@($user).Count) users, skipping"; return }

    # extensionAttribute4 is single-valued, so use -Replace: -Add fails once a value is already set
    Set-ADUser $user.samaccountname -Replace @{extensionattribute4 = $_.extensionAttribute4}
}

-----------------------------------------------------

And now with the samAccountName:

-----------------------------------------------------
################################################
# File path: c:\admin\UsersExt4.csv
#
# samAccountName,extensionAttribute4
# username.1,Test12345
# username.2,Test12345
################################################

Import-module ActiveDirectory
Import-Csv C:\admin\UsersExt4.csv | ForEach-Object {Set-ADUser $_.samAccountName -Replace @{extensionAttribute4=$_.extensionAttribute4} }

-----------------------------------------------------

Wednesday, February 15, 2017

Powershell: Get users that have "test" in their name or description

Just use the following command:

Get-AdUser -filter {(name -Like "*test*") -or (description -Like "*test*")} -Properties name, samaccountname, description |sort-object name | Out-GridView

Powershell: Get all groups that have a manager (ManagedBy) in AD

Get-ADGroup -LDAPFilter "(ManagedBy=*)" -Properties ManagedBy | Out-GridView