Active Directory – SomaBright

What are subnets?

Subnets map network addresses to sites

Subnets identify the network addresses that map computers to AD DS sites. A subnet is a segment of a TCP/IP network to which a set of logical IP addresses are assigned. A site can consist of one or more subnets.

Keep your subnet information up to date

When you design your AD DS site configuration, it’s critical that you correctly map IP subnets to sites. Similarly, if the underlying network configuration changes, make sure that you update the configuration to reflect the new site mapping. Domain controllers use the AD DS subnet information to map client computers and servers to sites. If this mapping isn’t accurate, operations such as logon traffic and applying GPOs are likely to occur across WAN links, and may be disruptive.

When to create more OUs?

Although you can manage a small organization without creating additional OUs, even small organizations typically create an OU hierarchy. An OU hierarchy lets you subdivide the administration of your domain for management purposes. There are basically two reasons to create OUs.

Application of GPOs. To group objects together to make it easier to manage them by applying Group Policy Objects (GPOs) to the whole group. You can link GPOs to the OU, and the settings apply to all objects within the OU. For example, you create an OU for contractors who have different security requirements than full-time employees.

Delegation of control. To delegate administrative control of objects within the OU. You can assign management permissions on an OU, thereby delegating control of that OU to an AD DS user or group. For example, you create an OU to manage a satellite office in a different geographical location. Then, you delegate control of the OU to a group.

What is Active Directory Domain Services (AD DS)?

Active Directory Domain Services (AD DS)is a scalable, secure, and manageable infrastructure for user and resource management. AD DS is a Windows Server role that’s installed and hosted on a server known as a domain controller. AD DS uses Lightweight Directory Access Protocol (LDAP) to access, search, and change the directory service. LDAP is a based on the X.500 standard and TCP/IP.

AD DS provides a centralized system for managing users, computers, and other resources on the network. AD DS features a centralized directory, single sign-on access, integrated security, scalability, and a common management interface.

Powershell – Updating Active Directory Objects Using from a CSV

Below are possible ways to update active directory objects using data contained in a CSV.

Without a CSV:

Get-ADUser Soma.Bright -Properties SamAccountName | Set-ADUser -Replace @{SamAccountName="Bright.Soma"}

Using a CSV with “identity”:

$file=import-csv "AccountInfo.csv"
foreach($dataRecord in $file) {
$SamAccountName=$dataRecord.SamAccountName

$EmployeeType=$dataRecord.employeeType
$Department=$dataRecord.department

Get-ADUser -Identity $SamAccountName -Properties EmployeeType | Set-ADUser -Replace @{EmployeeType=$EmployeeType}

Get-ADUser -Identity $sAMAccountName | Set-ADUser -Department $Department
}

Using a CSV with a “filter”:

Import-module ActiveDirectory 
$userList= Import-Csv '.\List of Users.csv'
foreach ($userin$userList){ Get-ADUser -Filter "SamAccountName -eq '$($user.sAMAccountName)'"-SearchBase "DC=subdomain,DC=company,DC=com"-Properties Company |% { Set-ADUser $_-Replace@{Company = 'Deliveron'} } }If you then wanted to query AD for those users to make sure they updated correctly, you could use the following query using Get-ADUser:foreach ($userin$userList){

Get-ADUser -Filter "SamAccountName -eq '$($user.sAMAccountName)'"-SearchBase "DC=subdomain,DC=company,DC=com"-Properties Company | Select SamAccountName, Name, Company

}

Updating Multiple values:

 Import-Module ActiveDirectory  

$users = Import-Csv -Path c:\update.csv

foreach ($user in $users) {
Get-ADUser -Filter "employeeID -eq '$($user.employeeID)'" -Properties * -SearchBase "ou=Test,ou=OurUsers,ou=Logins,dc=domain,dc=com" |
Set-ADUser -employeeNumber $($user.employeeNumber) -department $($user.department) -title $($user.title) -office $($user.office) -streetAddress $($user.streetAddress) -City $($user.City) -state $($user.state) -postalCode $($user.postalCode) -OfficePhone $($user.OfficePhone) -mobile $($user.mobile) -Fax $($user.Fax) -replace @{"extensionAttribute1"=$user.extensionAttribute1; "extensionAttribute2"=$user.extensionAttribute2; "extensionAttribute3"=$user.extensionAttribute3}
}

For more info please see the below links:

Import-csv to update Active directory users

Update AD from CSV

Powershell – CSV – AD Attribute Update

AD / Import CSV Update Attributes Script

Import Users from a CSV File into Active Directory using PowerShell

To Get a List of AD Users With or Without a “Null”, “ALL”, and “Empty” Values or Attributes Using Powershell

To get a list of AD users with no mail attribute:

get-aduser| where {$_.mail -eq $null}

get-aduser -properties Company -filter {mail -notlike “*”}

get-aduser -properties Company -filter {Company -eq $null}

get-aduser -filter * -properties * | where {($_.mail -eq $null) -and ($_.manager -ne $null)}

get-aduser -filter * -properties * | where {($_.mail -eq $null) -and ($_.manager -ne $null)} | select name

NOTE: Running the opposite commands above will give you a list of the AD users with mail attribute e.g

Get-ADUser -Properties mail -Filter {mail -like ‘*’}

NOTE: The below command will give you an error because you cannot use $null and -eq in a filter parameter in powershell.

get-aduser -properties Company -filter {Company -eq $null}

Also, the below is known to fail:

get-aduser -properties Company -filter {Company -eq “” }

The list of active accounts with e-mail addresses:

Get-ADUser -Filter {(mail -ne “null”) -and (Enabled -eq “true”)} -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Format-Table

Getting a List of AD Accounts Which Haven’t Been Used Over A Given Period

Identify recently created user accounts that have not been used to access a web service in 14 days. I’m looking to filter on accounts with a blank LastLogonTimeStamp, and a whenCreated date of -14 days:

$TargetDate = Get-Date -Date (get-date).AddDays(-14)

$SearchBase = “OU=People,DC=my,DC=domain,DC=com”

$Filter = {(whenCreated -lt $TargetDate) -and (-not(lastLogonTimeStamp -like “*”))}

get-ADUser -Filter $Filter -SearchBase $SearchBase | Disable-ADAccount

The users who haven’t changed their passwords in the last 90 days:

$90_Days = (Get-Date).adddays(-90)

Get-ADUser -filter {(passwordlastset -le $90_days)}

To see all users who last logged on before January 1, 2013, you could type:

get-aduser -f * | where {$_.lastlogondate -le “1 January 2013”}

Find Those Inactive Users and Computers:

PS C:\> Import-Module ActiveDirectory

PS C:\> Get-ADUser –filter * | Where { $_.passwordLastSet –lt (Get-Date).AddDays(-365) }

PS C:\> Import-Module ActiveDirectory

PS C:\> Get-ADUser –filter * -prop PasswordLastSet | Where { $_.passwordLastSet –eq $null }

How to Find Out Total Number of All AD Accounts Using Powershell

To calculate the total number of all Active directory accounts:

Get-ADUser -Filter {SamAccountName -like “*”} | Measure-Object

Category: Active Directory

point mailbox to another AD account

Active Directory (AD)

Powershell – Updating Active Directory Objects Using from a CSV

To Get a List of AD Users With or Without a “Null”, “ALL”, and “Empty” Values or Attributes Using Powershell

Getting a List of AD Accounts Which Haven’t Been Used Over A Given Period

How to Find Out Total Number of All AD Accounts Using Powershell