You may also use this to export this data to a CSV file. Notice that when using the export-csv cmdlet you must choose the ‘select’ and define the attributes that should be exported. Format-Table (aliased above as FT) is used to display the information on the console.

GetQADUser-sizelimit 0 | where{$_.whencreated -gt (get-date).adddays(-90)}| select Name,WhenCreated,DN | Export-csv c:\Users90days.csv

There is always a couple of ways to accomplish the same task with further fine tuning your query. As you can see that above query would grab all the users in the domain, going by their whenCreated attribute and present you the pertinent users.

You can define the OU to search with the –searchroot parameter.

Get-QADUser –Searchroot ‘test.mydomain.int/Users/Chicago/’ | where{$_.whencreated -gt (get-date).adddays(-90)}

Alternatively, if you would to like find users account that have been modified since x number of days, you can try something like this.

$OU = <OU PATH>
Get-QADUser -LastChangedAfter (get-date).adddays(-7) -search $OU -sl 0 | ft name,whenchanged

Share/Bookmark

Please note that these nesting restrictions assume Window 2000 native or Windows Server 2003 DFL.

1. Which particular group will take other scope type (nested) as its member i.e from the same domain and from a trusted domain ?

Chart 1 for Question # 1

Chart 2 for Question # 1

2. Where can a particular group be assigned permissions (ACL) i.e only in the domain where it resides and also cross domains ? (trusted or other child domains within the same forest )

All three scope types can be used to assign permissions in the same domain where the groups reside.

Chart 1 for Question # 2

3. Which group will accept users and computers from same and trusted domain ?

All three scope types will accept Users and Workstation from the same domain where they reside.

Chart 1 for Question # 3

More information on the scope of these groups can be found here:

http://technet.microsoft.com/en-us/library/cc755692.aspx

To learn about a leading access control model known as AGDLP see :

http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1255549,00.html

Share/Bookmark

Download the tool here

Get white papers regarding Active Directory Risk Assessment Program

Share/Bookmark

Windows Server 2003 includes support for a startup switch that lets you tune the allocation of use of memory and memory address space. Regardless of the amount of physical memory in your system, Windows uses a virtual address space of 4 GB, with 2 GB allocated to user-mode processes (for example, applications) and 2 GB allocated to kernel-mode processes (for example, the operating system and kernel-mode drivers). On systems that have 1 GB or more of physical memory, the startup switche can be used to allocate more memory to applications (3 GB) and less memory to the operating system (1 GB). This additional virtual address space helps reduce the amount of memory fragmentation.

How beneficial is it ?

You may have read many articles on this subject before. This discussion has been going on for many years now and at times has almost reached epic proportions due to the conflicting information available from Microsoft. Long story short is that by and large, you should NOT use the /3GB switch unless you meet specific criteria, please read the following article as it demystifies the whole theory. Or read the excerpt below.

http://blogs.technet.com/askperf/archive/2007/03/23/memory-management-demystifying-3gb.aspx

The /3GB option was intended as a short term solution to allow applications such as database servers to maintain more data in memory than a 2GB address space allowed. However, using the /3GB method to increase the user-mode memory space comes at a cost. If we have to allocate an additional 1GB of this address space to the user-mode space, then the System space is cut in half. Drivers, Heap, Paged & NonPaged Memory all have only half the resources to work with now. However, because of the way memory mapping works, cutting the kernel space in half does a lot more than just reducing the address space. Many of the structures within the kernel virtual memory space are cut back by far more than 50%.

For a process to access the full 3GB address space, the image file (application process) must have the IMAGE_FILE_LARGE_ADDRESS_AWARE flag set in the image header.

If the flag is not set in the image header, then the OS reserves the third gigabyte so that the application won’t see virtual addresses greater than 0x7FFFFFFF. You set this flag by specifying the linker flag /LARGEADDRESSAWARE when building the executable. This flag has no effect when running the application on a system with a 2-GB user address space. Therefore if you enable the /3GB switch, then applications that do not have this flag set can only use the standard 2GB of User mode memory, and the Kernel is still limited to the 1GB space – which means that 1GB of virtual memory is basically wasted !

All that is required to make it happen is a switch in the boot.ini file. The switch, /3GB, is placed
at the end of the line that executes the WinNT loading process.

Example:

[operating systems] multi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows NT
Server Version 4.00" /3GB

Or you may add an additional line in your boot.ini as above to have the option to boot into either environment, with or without the switch.

What to keep in mind ?

This topic deals with the the virtual memory address space and has no relevance with the physical memory, it is however a limitation of a 32bit OS if you are running 64bit OS this not applicable. At the end of the day you must decide if your application is capable of handling this switch as an added benefit. Often times, if you are having to up the threshold of your OS handling of things and or things such as over-clocking your processor to keep up, one might worry about the logic behind it. Perhaps go for 64bit OS to begin with.

Share/Bookmark

Uptime.exe can be used to display the current uptime of the local or remote system. Optionally, it can also scan the Event log for key system events such as system restart or computers that are not responding (hanging). Where possible, it also calculates system availability. It is primarily intended for Windows NT Server 4.0 Service Pack 4 or later, though it operates in limited fashion on earlier versions.

You can download it from the link below and drop it on the root of the c:\ or where you wish and the command line to run is simply uptime

http://support.microsoft.com/kb/232243

Share/Bookmark

I used it to rename a Windows Server 2008 domain in my test lab environment. The process was pretty straightforward but it may require more tasks if you have multiple DCs in a multi domain environment.

The Forest and Domain Functional Level should be Windows Server 2008 to proceed with the following task.

From the command prompt, I started out by running rendom /list which outputs an XML file (Domainlist.xml) to the directory where rendom resides. You edit that file to change your domain configuration to the new domain name. i.e ForestDNSZones, DomainDNSZones, Netbios name. See referenced link for details.

After you have modified the file you can run rendom /showforest which shows you the future configuration, verify and make changes if necessary.

Upload the changes you have made in the XML file: Run rendom /upload

Verify readiness of Domain Controller(s): Run rendom /prepare

Execute domain rename instructions: Run rendom /execute

After thats finishes up successfully, you should also run GPFIXUP tool to fix up GPO references to your old domain name. See Step 12 of this document.

Here is an example :

C:\Users\Administrator>gpfixup /olddns:08r2.lab /newdns:mcts.lab
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
……..

Start fixing site group policy links:
.

Start fixing non-site group policy links:
….
gpfixup tool executed with success.

C:\Users\Administrator>gpfixup /oldnb:08r2 /newnb:mcts
Group Policy fix up utility Version 1.1 (Microsoft)

Start fixing group policy (GroupPolicyContainer) objects:
..
gpfixup tool executed with success.

Lastly, run rendom /clean

The identity (domain GUID) of the renamed domain does not change during a domain rename operation. Thus a computer’s domain membership does not change as a result of the holding domain being renamed.

However, every member computer joined to the renamed domain needs to be rebooted twice. Please refer to “How Domain Rename works” technical reference for more info.

How Domain Rename Works : Microsoft Technet

Other References:

http://dsg.port.ac.uk/~hx/rename_domain/index.php

http://www.msexchange.org/tutorials/Domain-Rename.html (for domains with Exchange)

Share/Bookmark

Warning: Using ADSIedit can have adverse effects on your Active Directoy environment, if not handled with proper knowledge.

Launch ADSIedit from run command, ADSIedit.msc

Under Domain Configuration, expand and find your domain. Right click and go to the Properties

Look for the following property and modify it to ’0′

Hit OK, Apply and exit

How does it keep track of how many machines have you added based on your user ID/account ?

For a computer account created by domain users, the account has ‘ms-DS-CreatorSID’ attribute to indicate the creator user. When a user adds a computer to the domain, a process enumerates the ‘ms-DS-CreatorSID’ attribute on every computer account in the domain and calculates if the sum exceeds the current quota for that user.

The ‘ms-DS-CreatorSID’ and ‘ms-DS-MachineAccountQuota’ with default value 10 are also available in Windows Server 2008 AD DS.

Note: The ‘ms-DS-CreatorSID’ attribute will be unset in the computer account that is pre-created in Active Directory Users and Computers MMC or joined by domain administrators.

http://support.microsoft.com/kb/243327

Share/Bookmark

· AcctInfo.dll. Helps isolate and troubleshoot account lockouts and to change a user’s password on a domain controller in that user’s site. It works by adding new property pages to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).

· ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.

· ALoInfo.exe. Displays all user account names and the age of their passwords.

· EnableKerbLog.vbs. Used as a startup script, allows Kerberos to log on to all your clients that run Windows 2000 and later.

· EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location.

· LockoutStatus.exe. Determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes. It directs the output to a comma-separated value (.csv) file that you can sort further, if needed. The latest version available is 1.0.0.60.

· NLParse.exe. Used to extract and display desired entries from the Netlogon log files.

Unfortunately, I didn’t find good documentation of how to quickly make good use of these tools when my domain admin account started getting mysteriously locked out after I had changed my password due to the policy in place. From my experience I found Lockout Status and EventComb MT to be most useful from the suite.

I knew the common causes why my account would get locked out due to one of the reasons listed here : See this but I needed to figure out what is the offending machine or service thats providing my old credentials to a DC thats causing the account to be locked out.

I started out launching Lockout Status tool and selected my domain admin account as ‘target’ from the file menu and running it. It gave me list of all the DCs with the status of my account and more importantly the DC the lockout happened on in the ‘Orig Lock’ tab towards the right of the program screen. I then launched the Event CombMT piece and right clicked in the white space in the search area and added the DC the lockout originated at. I choose from ‘Option’ menu where I wanted to output the file as txt or CSV. I chose ‘Security’ as log files search option for all event types and then putting ’644′ as the event id and clicked on search.

It outputted the CSV file in the area I had specified and I was able to see that it found the event 644 for my ID on 6 different machines across the domain, it was listed under ‘Caller Machines Name’ column, (I know its bad administration on my part to sometimes disconnect my terminal sessions instead of logging off). Sure enough when I logged on to those machines I immediately saw the following notifications.

I had to log off and log back in to clear out the error. After that, I ran the Lockout Status tool again and noticed the lock status for my domain admin account had been cleared out.

Conclusion: Never leave your account logged on somewhere (or have a service run under your user context) and lock the machines or disconnect the remote session without logging off, and when using tools like Remote Desktops (which can be useful and allow you to have a list of machines you remote in frequently during the day), make sure you don’t save your passwords in the session configurations.

More Resources:

Download the Microsoft Account Management Tools

Technet Resource on how to maintain and manage the account lockout

WindowsSecuirty.com-Implementing and Troubleshooting Account lockout

Share/Bookmark

We are quite a big environment as we have little over 1000 AD defined subnets and only 80 some had been populated in the reverse lookup zones. I was tasked to make sure that all the reverse zones are created in our DNS from the defined subnets. As it could be very tedious task, I wanted to automate the process. I am not a scriptor but I knew that we could not be the only who has had this issue and I tried digging the newsgroups/blogs/forums and the internet in general but I had no or little luck finding any relevant information.

I started off looking into ADSIedit, as I wanted the export the subnet objects and then somehow import them back into the DNS. I knew that there was DNSCMD command line utility that allows you to do various tasks for zones/records creations, deletion and modification. Unfortunately it did not have a very wide syntax that allowed to pipe-in a list from an external source such a CSV file (that would have the subnets I export from AD). As expected the export part went fine and I had the full list of all the AD defined subnets. Now I was struggling to find a VBscript I could wrap this file into and pipe-in thru DNSCMD like utility.

I looked at Joeware free AD utilites, and I saw Joe had a tool called ADfind. I decided to query him and I got a rapid reply back from him with some suggestions, he assured me it is doable using his ADfind utility combined with some other script or utility. In mean time he forwarded my query to Dean Wells of MSEtechnology who emailed me a rather quick solution using Joe’s ADfind tool (see below). I was extremely pleased how my easy attempt to query seasoned scriptors had paid off.

Apart from other great writing and consulting achievements both Joe Richards and Dean Wells are Micrsoft MVPs and their voluntary efforts to help out the community truly exhibited what MVP program is all about.

So here is the command you would run at your DNS server to accomplish this task;

for /f "tokens=1,2,3 delims=." %n in ('adfind -config -rb "CN=Subnets,CN=Sites" -f "objectclass=subnet" name -list') do @dnscmd /zoneadd %p.%o.%n.in-addr.arpa /primary

add ‘ds’ in front of the primary (/dsprimary) if you wish to make the zones AD integrated

NOTES from Dean
-If you place the syntax above within a batch file, please note that any occurrence of a ‘%’ symbol must be replaced with ‘%%’ (two of them)
-ADfind and DNSCMD must both exist within the current directory or the system path
-In its current form, the syntax assumes the subnet is comprised of 3 octets

Share/Bookmark

If you don’t know your DSRM password and haven’t stored them in a safe place, use the following commands for each Domain Controller to reset it to a known value:

ntdsutil
set dsrm password
reset password on server {servername}

Once you do this, write down that password and lock/encrypt it away.

Share/Bookmark