
Active Directory, Beginner Series

Set Active Directory Password To Never Expire – Beginner Series


Before getting started, you can check when your domain account password is going to expire. Just open the Command Prompt as administrator, type the following command and press Enter.

net user <USERNAME> /domain

Example:

In this example you can see when the password of the account was last set, when it expires and whether the account is active, along with other useful information about the account.

In order to set the password of a specific account not to expire, you will need to open Active Directory Users and Computers and search for the account. Open the properties of the account you want to update, click on the "Account" tab and tick the "Password never expires" box.
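The same check and the same tick box from PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed; the OU in -SearchBase and the account name svc_backup are placeholders.

```powershell
# Added example (not from the original post): report password expiry for enabled
# accounts, list the ones set to never expire, and toggle the flag for one account.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param([string]$SearchBase = 'OU=Users,DC=example,DC=com')  # placeholder OU

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # The computed attribute is a FILETIME; 0 or Int64.MaxValue means "never"
        $expires = if ($_.PasswordNeverExpires -or -not $raw -or $raw -eq [Int64]::MaxValue) {
            $null
        } else {
            [DateTime]::FromFileTime($raw)
        }
        [PSCustomObject]@{
            SamAccountName       = $_.SamAccountName
            PasswordLastSet      = $_.PasswordLastSet
            PasswordNeverExpires = $_.PasswordNeverExpires
            PasswordExpires      = $expires
        }
    }
}

# Accounts whose password never expires are the ones worth reviewing regularly
Get-PasswordExpiryReport | Where-Object PasswordNeverExpires | Format-Table -AutoSize

# Equivalent of ticking "Password never expires" on the Account tab (placeholder account)
Set-ADUser -Identity 'svc_backup' -PasswordNeverExpires $true

# To reverse it later:
# Set-ADUser -Identity 'svc_backup' -PasswordNeverExpires $false
```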

Active Directory

Export a list of members from an Active Directory Security Group into a .txt File


I needed to export a list of all the members in an Active Directory group today. Here are two methods which work well. The first example uses the net group command. In both examples "Group Name" is the name of the group that you want to export the member list for, and memberlist.txt is the name of the output file.

net group "Group Name" /domain > C:\temp\memberlist.txt

The second example uses dsquery and dsget, which will return the full distinguished names of the user objects that are members of the group. This could be useful if you also need to know which organizational unit the member accounts reside in.

dsquery group -name "Group Name" | dsget group -members > memberlist.txt
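A third way, added here as an example that is not from the original post: the ActiveDirectory module can expand nested groups, which neither net group nor dsget -members does on its own, and the parent OU can be derived from each distinguished name. The group name Helpdesk_Engineers and the output path are placeholders.

```powershell
# Added example (not from the original post): export group members, optionally
# including members of nested groups, with their DN and parent OU.
Import-Module ActiveDirectory

function Export-GroupMemberList {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$OutFile = 'C:\temp\memberlist.txt',   # placeholder path
        [switch]$Recursive                              # also expand nested groups
    )

    # -Recursive flattens nested groups and returns only leaf objects (users, computers)
    $members = Get-ADGroupMember -Identity $GroupName -Recursive:$Recursive |
        Sort-Object objectClass, SamAccountName

    $members | ForEach-Object {
        # Parent OU = the DN minus its first RDN; the pattern skips escaped commas such as "Doe\, John"
        $ou = $_.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
        [PSCustomObject]@{
            ObjectClass       = $_.objectClass
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            ParentOU          = $ou
        }
    } | Format-Table -AutoSize | Out-File -FilePath $OutFile -Width 300 -Encoding UTF8

    Write-Host ("{0} member(s) of '{1}' written to {2}" -f $members.Count, $GroupName, $OutFile)
}

Export-GroupMemberList -GroupName 'Helpdesk_Engineers' -Recursive
```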

Active Directory, Tips, Windows

My Batch File Templates


This script silently installs Sophos but it can be amended to install apps and run various commands.

@ECHO OFF
CLS
ECHO 1. VDI Install
ECHO 2. Physical PC Install
ECHO 3. Mac Client Download
ECHO 4. Reboot This Machine
ECHO 5. Log off This Machine
ECHO.

CHOICE /C 12345 /M "Select your option:"

:: Note - list ERRORLEVELS in decreasing order, because "IF ERRORLEVEL n" is true for any value >= n
IF ERRORLEVEL 5 GOTO Logoff
IF ERRORLEVEL 4 GOTO Reboot
IF ERRORLEVEL 3 GOTO Mac
IF ERRORLEVEL 2 GOTO Physical
IF ERRORLEVEL 1 GOTO VDI

:VDI
ECHO Installing the VDI client...
:: Map the share, then switch drive AND directory ("cd Y:\" alone would not change the current drive)
net use y: "\\ServerPath\SCCM_Content_Source$\Applications\MSI\BPR_Sophos_All"
cd /d Y:\
VDI.exe -q
GOTO End

:Physical
ECHO Installing the physical PC client...
net use y: "\\ServerPath\SCCM_Content_Source$\Applications\MSI\BPR_Sophos_All"
cd /d Y:\
Desktop.exe -q
GOTO End

:Mac
ECHO Copying the Mac client to your Downloads folder...
:: %USERPROFILE% is used rather than C:\Users\%username%, as the profile folder name can differ from the username
xcopy "\\ServerPath\SCCM_Content_Source$\Applications\MSI\BPR_Sophos_All\Mac.zip" "%USERPROFILE%\Downloads\" /y
GOTO End

:Reboot
ECHO Rebooting this machine...
shutdown -t 0 -r -f
GOTO End

:Logoff
ECHO Logging off this machine...
shutdown -l -f
GOTO End

:End


The below script will copy data from one location to another, just add your UNC path.

:: /MIR mirrors the source tree into the destination, deleting destination files that no longer exist in the source
:: /COPYALL copies all file information (data, attributes, timestamps, NTFS ACLs, owner, auditing info)
Robocopy \\CurrentLocation \\Destination /MIR /COPYALL

Active Directory

How to: Fix Access Denied Message When Attempting to Move Objects in Active Directory


When trying to move an OU in Active Directory, you get this error:

Active Directory Domain Services

Windows cannot move object "OU" because:
Access is denied.

This is either because protection from accidental deletion is turned on for the OU you are trying to move, or because you have delegated rights but no permission to move the OU.

In order to fix this, click on View > Advanced Features and then right-click > Properties on the OU. When the window appears, click on the Object tab and untick the "prevent from accidental deletion" box.


If this box has already been unticked then you will need to amend permissions for that OU. Right-click > Properties on the OU and a window will open.

Click on the Security tab and then Advanced. You will need to add your account or group and give it your desired permissions.

This should resolve your issue.
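The first fix, scripted: an added example that is not part of the original post. It clears the protection flag only for the duration of the move and re-applies it afterwards, so the OU is not left unprotected; if the move still fails, the cause is the second one above (permissions). Requires the ActiveDirectory module; both distinguished names are placeholders.

```powershell
# Added example (not from the original post): move an OU that is protected from
# accidental deletion, restoring the protection at its new location.
Import-Module ActiveDirectory

function Move-ProtectedOU {
    param(
        [Parameter(Mandatory)][string]$OuDn,       # DN of the OU to move
        [Parameter(Mandatory)][string]$TargetDn    # DN of the new parent container
    )

    $ou = Get-ADOrganizationalUnit -Identity $OuDn -Properties ProtectedFromAccidentalDeletion
    $wasProtected = [bool]$ou.ProtectedFromAccidentalDeletion

    if ($wasProtected) {
        # Same as unticking the box on the Object tab: removes the Deny ACEs that produce "Access is denied"
        Set-ADOrganizationalUnit -Identity $OuDn -ProtectedFromAccidentalDeletion $false
    }

    $moved = $false
    try {
        Move-ADObject -Identity $OuDn -TargetPath $TargetDn
        $moved = $true
    }
    finally {
        if ($wasProtected) {
            # The RDN (first DN component) is unchanged by a move; if the move failed the OU is still at $OuDn
            $rdn    = ($OuDn -split ',', 2)[0]
            $target = if ($moved) { "$rdn,$TargetDn" } else { $OuDn }
            Set-ADOrganizationalUnit -Identity $target -ProtectedFromAccidentalDeletion $true
        }
    }
}

Move-ProtectedOU -OuDn 'OU=Sales,OU=Old,DC=example,DC=com' -TargetDn 'OU=New,DC=example,DC=com'
```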


Active Directory

Disable or Block Ad-Hoc Network Connection


In your group policy, go to Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies.

Right-click Wireless Network and choose Create a New Windows XP Policy, or edit your existing policy. In the Networks to Access drop-down box, change the setting from "Any available network (access point preferred)" to "Access point (infrastructure) networks only". Click OK.

Right-click Wireless Network and choose Create a New Wireless Policy for Windows Vista and Later Releases, or edit your existing policy. Select the Network Permissions tab. Check the box for "Prevent connections to ad-hoc networks". Click OK.

Active Directory, Tips

Create Local Administrator Security Group with GPO


If you want certain users to be local administrators of computers, you can do it through Group Policy. The idea here is to create a Local Admin security group and then a GPO that adds that security group to the local Administrators group on each computer.

CREATE THE SECURITY GROUP

  1. Open Active Directory Users and Computers
  2. Select your Security Group OU
  3. Right Click and select New > Group
  4. Give the group a name; I used "Helpdesk_Engineers"

Active Directory, Tips

Give users or groups delegate access to BitLocker Recovery information in Active Directory


Symptoms

When you use Active Directory to store BitLocker recovery passwords, this information is by default only available to members of the Domain Administrators group. Adding Read permissions on the Recovery Information objects does not enable other groups to read the BitLocker recovery passwords from Active Directory.

Resolution

In order to delegate access to BitLocker Recovery Information objects in Active Directory to users that are not members of the Domain Administrators group, Full Control access must be granted to these users. This can be done by a member of the Domain Administrators group using the Delegation of Control Wizard in the Active Directory Users & Computers console (DSA.MSC).