I am writing a script to disable old workstation objects (and I have to remake the wheel due to some unique things on my system). I'd like to make some test computer objects with known LastLogonDate to validate my script.
How can I, preferably just with PowerShell, set the LastLogonDate property to what I want it to be? I'd prefer it to be in PowerShell so I can include the necessary changes in order to self-test my code when it runs. I am also heavily restricted on what programs can be placed on the network.
I haven't found a pure PowerShell solution, and TechNet indicates that Set-ADComputer doesn't have that functionality. In desperation I've tried running ADSIedit on a domain controller to set LastLogon and LastLogonTimestamp, but get error 0x209a (attribute is owned by the Security Accounts Manager).
Worst case scenario, I can use a previously disabled workstation but that workaround is getting a lot of frowns from my security folks.
Thank you.
Edit:
If I can figure out how to get around that "error 0x209a (attribute is owned by the Security Accounts Manager)" issue, I think I can use the following PowerShell to set it:
Get-ADComputer -Identity <ComputerName> -Server <DomainController> | Set-ADObject -DisplayName <ComputerName> -Replace @{LastLogon=<NewTimeStamp>}
Where NewTimeStamp is the tick count of the date you want to set.
Do not modify! Both LastLogon and LastLogonTimeStamp are system-owned attributes and even if you found a way to bypass the restriction, you would most likely break the replication of the object.
There's nothing wrong with disabling and moving old unused computer objects. Your security folks would however hate you if you broke AD by doing unsupported modifications.
LastLogonDate is a virtual/calculated property created by the AD module for easy access to a DateTime-converted value of the LastLogonTimeStamp attribute.
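As an added example (not the asker's script or the answerer's code), this is the supported way to find stale workstations: read the replicated lastLogonTimestamp that LastLogonDate is derived from, and dry-run the disable with -WhatIf. The OU, the 90-day threshold and the function name are assumptions.

```powershell
# Added example: stale-computer check built on lastLogonTimestamp (the attribute behind LastLogonDate).
# Assumptions: the OU path and the 90-day threshold are constructed values.
function Get-StaleComputer {
    param(
        [int]    $InactiveDays = 90,
        [string] $SearchBase   = 'OU=Workstations,DC=corp,DC=example,DC=com'
    )
    # lastLogonTimestamp is a Windows FILETIME (100-ns ticks since 1601), so the comparison is done in ticks.
    # It is only replicated when the stored value is older than msDS-LogonTimeSyncInterval (default 14 days,
    # minus a random 0-5 days), so a threshold below ~14 days would flag machines that logged on recently.
    $cutoff = (Get-Date).AddDays(-$InactiveDays).ToFileTime()

    Get-ADComputer -SearchBase $SearchBase `
        -Filter { Enabled -eq $true -and lastLogonTimestamp -lt $cutoff } `
        -Properties lastLogonTimestamp, LastLogonDate |
        Select-Object Name, DistinguishedName,
            @{ Name = 'LastLogonUtc'; Expression = { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } },
            LastLogonDate   # the module's local-time conversion of the same attribute
}

# Computers that have never logged on carry no lastLogonTimestamp at all and are not matched by the
# -lt filter above; they need a separate check (for example on whenCreated) before being treated as stale.
Get-StaleComputer -InactiveDays 90 | ForEach-Object {
    Disable-ADAccount -Identity $_.DistinguishedName -WhatIf   # remove -WhatIf once the list is reviewed
}
```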
Introduction
I've been tasked with creating a user management PowerShell script to be used for one of our customers so that we can easily manage users and automate a lot of our user creation processes.
The Issue
Our customer is insisting on using login scripts over GPO for mapping drives for users. I have added a login script builder to the script, however I cannot for the life of me figure out how to specify which drives actually need adding to the login script.
How Drive Mappings Are Managed
The way drive mappings are managed on our customer's network is based on job role + Active Directory groups. They request on an E-Form which drives need to be mapped, and we then look through Active Directory to see which group has permissions to access the requested drives. We then add these groups.
What I Need Help With
I've managed to figure out what code I need to use, however groups aren't being added to the user at all. I can't get it working.
Current Code
Note: This may not all be in order, there may be code in-between on the actual script. This is just relevant code.
Group Assignment
$GroupAssignment = $zzeveryone,$safebootdu,$infosecdrive,$mgmtboarddrive,$anaestheticsdrive,
$adverseirdrive,$breastcancersecsdrive,$bookwisedrive,$patientassessmentdrive,
$clinicaleducationdrive,$clinicaldevdrive,$clinicalauddrive,$CDUdrive,
$CBLettersdrive,$commsdrive,$colorectalscdrive,$colorectaldrive,
$codingdrive,$clinicalsupportdrive,$clinicalstddrive,$dietitiansdrive,
$dermatologydrive,$csudrive,$complaintsdrive,$entdrive,$emudrive,
$ElderlyCaredrive,$dischargedrive,$financedrive,$familyplanningdrive,
$GeneralSurgdrive,$gastrodrive,$infectiondrive,$infoptdrive,
$InfoMangtdrive,$MedStaffingdrive,$MedPhotodrive,$legaldrive,
$MedicalEquipdrive,$orthopticsdrive,$Orthopaedicsdrive,$OccHealthdrive,
$palsdrive,$Pharmacydrive,$Pathologydrive,$PostGraddrive,
$Podiatrydrive,$Respiratorydrive
Add-ADPrincipalGroupMembership -Identity $SAMAccountName -MemberOf $GroupAssignment
Example Group Assignment
$wcservicesdrive = if ($User.'Drives (Seperate with a ;)' -Contains 'women and childrens servicesdomain w&c services') {
Write-Output "domain w&c services"
}
Else {
Write-Output ""
}
$GroupAssignment should cause this to be passed to Add-ADPrincipalGroupMembership; however, it doesn't.
Any ideas?
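As an added example (not the asker's script), this builds the group list from the E-Form "Drives" field and a drive-to-group lookup table instead of one variable per drive, splits the field on ';' so the membership test runs against a list rather than one long string, and drops empty entries before calling Add-ADPrincipalGroupMembership. The drive names, group names, the sample $User row and the function name are constructed.

```powershell
# Added example: derive the group list from the E-Form field. All names below are constructed samples.
$DriveToGroup = @{
    'women and childrens services' = 'domain w&c services'
    'infosec'                      = 'domain infosec drive'
    'finance'                      = 'domain finance drive'
}

function Get-RequestedDriveGroups {
    param(
        [Parameter(Mandatory)] [string]    $DrivesField,   # raw E-Form cell, e.g. "infosec;finance"
        [Parameter(Mandatory)] [hashtable] $Map
    )
    # Split on ';' and normalise, so that each requested drive is one list element
    $requested = $DrivesField -split ';' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ }

    $groups = foreach ($drive in $requested) {
        if ($Map.ContainsKey($drive)) { $Map[$drive] }
        else { Write-Warning "No group mapped for drive '$drive'" }   # warning stream only, nothing is output
    }
    # An empty string in -MemberOf makes Add-ADPrincipalGroupMembership fail, so drop blanks and duplicates
    @($groups | Where-Object { $_ } | Sort-Object -Unique)
}

# Constructed sample row, shaped like one line of the imported E-Form CSV
$User = [pscustomobject]@{
    SAMAccountName               = 'jdoe'
    'Drives (Seperate with a ;)' = 'infosec; women and childrens services; finance; unknowndrive'
}

$GroupAssignment = Get-RequestedDriveGroups -DrivesField $User.'Drives (Seperate with a ;)' -Map $DriveToGroup

if ($GroupAssignment.Count -gt 0) {
    # -WhatIf shows the change without writing to AD; remove it once the output looks right
    Add-ADPrincipalGroupMembership -Identity $User.SAMAccountName -MemberOf $GroupAssignment -WhatIf
}
```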
We are calling Get-ADDomainController from C# code to get all the DCs in a forest:
Get-ADDomainController -Discover -ForceDiscover -DomainName "abc.xyz.com"
This command works most of the time, but sometimes it fails with the error below:
Get-ADDomainController : The format of the specified domain name is invalid
Can someone please let me know what might be going wrong when the command does not work?
I would like you to go through the following links. They mention all the possibilities, so it is not easy to pick any one at random.
I believe your domain contains pre-created read-only domain controller (RODC) accounts.
Link 1 - Microsoft Support
Link 2 - Programmatically Join
If Windows cannot determine the user or computer name. (The format of the specified domain name is invalid. ). Group Policy processing aborted.
Try this: Link 3 - GP Aborting and then GP Update
Hope it helps.
Ideally this should move to Server Fault, but it can still be considered on SO because coding is involved.
With most ActiveDirectory commands, you can add a parameter: -Server. This parameter has proven extremely useful to me, since where I am working seems to have some kind of slow updating system, and when I don't use only one of the servers, my programs can lag and completely bug out.
I'm also trying to modify the ACL of a folder. To do this, I have a function that takes the -PassThru of a New-ADGroup command, and then pipes this into a custom function.
The custom function creates and returns new AccessRules (which are added to array $AccessRules), which are then added to an $acl variable:
$AccessRules |
%{$acl.AddAccessRule($_)}
This inconsistently returns errors: sometimes it runs smoothly, but at other times it returns the classic "Some or all identity references could not be translated". I am 90% sure this comes from the fact that it is not checking the right server, because even between
Get-ADGroup -filter {name -eq "[group name]"}
and
Get-ADGroup -filter {name -eq "[group name]"} -Server [server name/address]
I only get results for the second.
Is there a way I could add a similar -Server Parameter to something like .AddAccessRule()? Perhaps a slightly different method?
You can use a neat trick specified in this answer. You create a New-PSDrive to your AD using a certain server, then you call cd or Set-Location to that drive; voila, any .NET functions called (and any cmdlets that are not otherwise redirected to a different server) will use that server to process the requests, resolve AD entities into SIDs, etc., without you waiting for AD replication.
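The following is an added example (not the answerer's code) of the PSDrive trick: the AD provider is mounted against the DC the group was created on, and the access rule is built from the group's SID as read from that DC, so AddAccessRule() never has to translate a name that may not have replicated elsewhere yet. The DC name, group name, folder path and drive name are constructed.

```powershell
# Added example: pin the AD provider to one DC and build the ACL rule from a SID. Names are constructed.
Import-Module ActiveDirectory
$Dc        = 'dc01.corp.example.com'
$GroupName = 'FS-Projects-RW'
$Folder    = 'D:\Shares\Projects'

# Create the group on one known DC; it will not have replicated to the other DCs yet
$null = New-ADGroup -Name $GroupName -GroupScope DomainLocal -Server $Dc -PassThru

# Mount the AD provider against the same DC and make it the current location
$null = New-PSDrive -Name ADPinned -PSProvider ActiveDirectory -Server $Dc -Root '//RootDSE/'
Push-Location 'ADPinned:\'
try {
    # No -Server here: while ADPinned: is the current location, this query is answered by $Dc
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'"

    # A SID needs no name lookup, so the rule cannot fail with "identity references could not be translated"
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $group.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'

    $acl = Get-Acl -Path $Folder
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}
finally {
    # Always leave the AD drive and unmount it, even if the ACL update throws
    Pop-Location
    Remove-PSDrive -Name ADPinned
}
```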
How do I add ForeignSecurityPrincipals to 'Active Directory Lightweight Directory Services' (AD LDS), i.e. bring 'AD security principals (users as well as computer accounts)' into AD LDS? Any script/PS cmdlet/tool?
Adding 'AD' security principals as "ForeignSecurityPrincipals" to AD LDS using 'ADSI Edit'
I know I can bring them in by making them members of Administrators/Readers/Users (i.e. in order to define roles for the 'AD users' as Readers/Users/Administrators, the foreign security principals need to be added, which makes sense, so ADSI Edit is automatically adding the SIDs to the ForeignSecurityPrincipals container) (please see the attached image).
Question (what are the different ways of doing it other than assigning roles using ADSI Edit):
But I am wondering whether there is a way without making the security principal a member of one of the roles? Especially, I don't want to do it this way for 'computer accounts', as they are not categorised as 'administrators' or 'users' or 'roles' by default in the AD LDS schema. I think I can extend the schema so that my AD LDS instance understands computer accounts and then add the computers there.
Just curious whether there is another way to do it. Any other tool or PS script will also do, as I am pretty sure there are a number of 'directory services admin tools'.
Regards.
You seem to be asking about two different things, here. The image is showing you grant access to Active Directory security principals to ADLDS. But then you start talking about extending the schema, suggesting you're looking to import objects from AD.
If it's the latter, you could use FIM, ADAMSync or roll your own using e.g. PowerShell.
More help on ADAMSync here
* UPDATE *
According to Dmitri Gavrilov in this post, manually adding FSPs is not possible.
Alternatively, you can use powershell to add the user/computer to one of the built-in groups (my example will use Readers), then immediately remove them. The foreignSecurityPrincipal will remain in the directory. It seems that ADAM/ADLDS is the one actually creating the foreignSecurityPrincipal object on your behalf when you request adding a member by SID.
Get the Readers group in the Configuration partition...
$servername = "myserver:389"
$configPartition = (Get-ADRootDSE -Server $servername).namingContexts | ? { $_ -match "^CN=Configuration" }
$readersGroup = ("CN=Readers,CN=Roles," + $configPartition)
Add the SID (Wrap in <SID=...>) to the Readers group
Set-ADObject -Identity $readersGroup -Add @{member = "<SID=S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX-XXXXX>"} -Server $servername
Remove the SID from the Readers group
Set-ADObject -Identity $readersGroup -Remove @{member = "<SID=S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX-XXXXX>"} -Server $servername
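As an added example (not the answerer's code), the add-then-remove trick wrapped in a function that also verifies that AD LDS created the foreignSecurityPrincipal object. The server name, the sample SID and the function name are constructed; that the FSP lands in the ForeignSecurityPrincipals container of the Configuration partition (the partition that holds the Readers role) is an assumption.

```powershell
# Added example: create an FSP in AD LDS via a transient Readers membership, then verify it exists.
# Assumptions: server, SID and the FSP container location under the Configuration partition.
function Add-AdLdsForeignSecurityPrincipal {
    param(
        [Parameter(Mandatory)] [string] $Server,   # e.g. 'myserver:389'
        [Parameter(Mandatory)] [string] $Sid       # SID of the AD user or computer account
    )
    $rootDse         = Get-ADRootDSE -Server $Server
    $configPartition = $rootDse.namingContexts | Where-Object { $_ -match '^CN=Configuration' }
    $readersGroup    = "CN=Readers,CN=Roles,$configPartition"
    $memberRef       = "<SID=$Sid>"

    # Adding a member by SID makes AD LDS create the FSP object; removing the membership leaves it behind
    Set-ADObject -Identity $readersGroup -Add    @{ member = $memberRef } -Server $Server
    Set-ADObject -Identity $readersGroup -Remove @{ member = $memberRef } -Server $Server

    # Verify: the FSP is named after the SID (assumed container location, see lead-in)
    $fspContainer = "CN=ForeignSecurityPrincipals,$configPartition"
    Get-ADObject -Server $Server -SearchBase $fspContainer -LDAPFilter "(cn=$Sid)" -Properties objectSid
}

# Constructed sample SID; take the real one from Get-ADUser / Get-ADComputer in the forest
$fsp = Add-AdLdsForeignSecurityPrincipal -Server 'myserver:389' -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
if (-not $fsp) { Write-Warning 'foreignSecurityPrincipal was not created' }
else          { $fsp | Format-List Name, DistinguishedName, objectSid }
```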
Actually, it simply turned out that I can set 'permissions' on AD LDS directory objects without adding them to the 'ForeignSecurityPrincipals' container...
So I just set 'perms' based on SID (a few examples are below, http://greatit.wordpress.com/2012/08/13/dsacls-and-built-in-groups/ ).
Examples which grant 'generic all/full control' on an AD LDS object:
dsacls "\\{myadldsserver}:{port}\cn=testadldsobect,cn=test,cn=com" /g {sid}:GA
dsacls {DN} /g {domain}/{username}:GA
dsacls {DN} /g {domain}/{machinename}$:GA
Regards.
When I run Get-User | Get-Member in PowerShell with the Exchange add-in, I noticed there is no Description property.
Does anyone know if it has been renamed to something else or another way of accessing it?
If you aren't looking to change the description this should work:
[PS] C:\>$ANR = "testuser@example.com"
[PS] C:\>$foo = [adsi]("LDAP://" + (get-user $ANR).DistinguishedName)
[PS] C:\>$foo.description
My Description
If you want to edit it, you will need to get further into System.DirectoryServices and look at how to write objects back to AD. It would likely be simpler to use Quest or another package that does some wrapping. If you want to roll your own, there are gobs of blogs on AD programming in PowerShell.
Exchange itself provides minimal interaction with AD - essentially, it gives you some AD stuff because AD and Exchange are so connected, but it doesn't try to expose all of AD's functionality.
Check out quest.com/powershell; that is an add-in library (it's free), and it has a cmdlet called Get-QADUser which will get you what you need - somewhat more easily, and in a more PowerShell-ish fashion, than using ADSI (which is also completely legit for what you're after).
Get-User? Do you mean Get-QADUser from the Quest cmdlet suite?
if so, I believe not all properties are retrieved by default. There's an -Include parameter that lets you specify additional properties to retrieve from AD, IIRC.
It works on the console; however, in the CSV file it keeps appending System.DirectoryServices.PropertyValueCollection to the end of each line instead of the value.
When I run it at the prompt by typing out the distinguishedName, the LDAP query works:
$tmp = [adsi]"LDAP://<DistinguishedName>"
$tmp.description
bill
Any ideas?
Solved it... it's just $tmp.description.Value
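As an added example (not from anyone in this thread), the CSV export with the fix applied: Export-Csv stringifies each column, and a PropertyValueCollection stringifies to its type name, so a calculated property unwraps .Value before the export. The output path and the helper name are assumptions; the Exchange snap-in is assumed to be loaded.

```powershell
# Added example: export Exchange recipients with their AD description. Path and helper name are assumed.
function Get-UserDescription {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    $entry = [adsi]("LDAP://" + $DistinguishedName)
    # .Value yields the string for a single-valued attribute, or $null when description is unset;
    # without .Value the CSV column would read "System.DirectoryServices.PropertyValueCollection"
    $entry.description.Value
}

Get-User -ResultSize Unlimited |
    Select-Object Name, SamAccountName,
        @{ Name = 'Description'; Expression = { Get-UserDescription -DistinguishedName $_.DistinguishedName } } |
    Export-Csv -Path 'C:\Temp\users-with-description.csv' -NoTypeInformation
```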