Category Archives: AD

Set-ADForestMode Fails – referral was returned from the server

I was attempting to raise the forest functional level from Windows Server 2003 to 2008 R2 using the command:

Set-ADForestMode -Identity %FOREST% -ForestMode Windows2008R2Forest

This was failing with the error:

Set-ADForestMode : A referral was returned from the server

I found that the Active Directory Web Services (ADWS) service hadn't started.

After starting this service, the Set-ADForestMode command worked fine.

Basic Get-ADUser powershell commands

I needed to remove the logon script option in AD for all users of an entire domain. I used the following commands:

Get-ADUser -Filter *

This command lists all AD users.

Get-ADUser -Filter * | Measure-Object

This command returns the number of users.

Get-ADUser -Identity ADAdmin -Properties *

This command gets all properties of a specific user; in this example, the user is ADAdmin.

Get-ADUser -Filter * -Properties * | Format-Table Name, ScriptPath

This lists each user's name and logon script path (ScriptPath).

Get-ADUser -Filter * | Set-ADUser -Server dc03 -Clear scriptPath

This clears the logon script for every user in the domain, running against the domain controller named DC03.
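A safer way to run that bulk ScriptPath clear, as an added example that is not from the original post: scope the change to one OU, back up the existing values, preview with -WhatIf, and verify against the same DC you wrote to. The OU path and the dc03 server name are placeholders.

```powershell
# Added example (not the original post's commands). Assumes the ActiveDirectory
# module is installed, the account can modify the target users, and dc03 is the
# DC to read from and write to. OU path is a placeholder.
Import-Module ActiveDirectory

$Server     = 'dc03'
$SearchBase = 'OU=Staff,DC=example,DC=com'   # placeholder: limit the change to one OU
$Backup     = "scriptpath-before-$(Get-Date -Format yyyyMMdd-HHmmss).csv"

# 1. Read only the users that actually have a logon script, from a single DC.
$users = Get-ADUser -Server $Server -SearchBase $SearchBase `
    -LDAPFilter '(scriptPath=*)' -Properties ScriptPath

# 2. Record the current values before touching anything, so the change is reversible.
$users | Select-Object SamAccountName, DistinguishedName, ScriptPath |
    Export-Csv -Path $Backup -NoTypeInformation
Write-Host "Backed up $(@($users).Count) ScriptPath value(s) to $Backup"

# 3. Preview the change. Remove -WhatIf once the preview shows only the expected users.
$users | Set-ADUser -Server $Server -Clear scriptPath -WhatIf

# 4. After the real run, verify on the same DC (other DCs lag until replication completes).
$remaining = Get-ADUser -Server $Server -SearchBase $SearchBase `
    -LDAPFilter '(scriptPath=*)' -Properties ScriptPath
Write-Host "Users still with a ScriptPath on ${Server}: $(@($remaining).Count)"
```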


Properties you can use with Set-ADUser are:

AccountExpirationDate, accountExpires, AccountLockoutTime, AccountNotDelegated, adminCount,
AllowReversiblePasswordEncryption, BadLogonCount, badPasswordTime, badPwdCount, CannotChangePassword,
CanonicalName, Certificates, City, CN, codePage, Company, Country, countryCode, Created, createTimeStamp,
Deleted, Department, Description, DisplayName, displayNamePrintable, DistinguishedName, Division,
DoesNotRequirePreAuth, dSCorePropagationData, EmailAddress, EmployeeID, EmployeeNumber, Enabled,
extensionName, Fax, GivenName, HomeDirectory, HomedirRequired, HomeDrive, homeMDB, homeMTA, HomePage,
HomePhone, Initials, instanceType, ipPhone, isDeleted, LastBadPasswordAttempt, LastKnownParent, lastLogon,
LastLogonDate, lastLogonTimestamp, legacyExchangeDN, LockedOut, logonCount, LogonWorkstations, mail,
mailNickname, Manager, mDBUseDefaults, MemberOf, MNSLogonAccount, MobilePhone, Modified, modifyTimeStamp,
msDS-User-Account-Control-Computed, msExchALObjectVersion, msExchHomeServerName, msExchMailboxGuid,
msExchMailboxSecurityDescriptor, msExchMobileMailboxFlags, msExchPoliciesExcluded, msExchRBACPolicyLink,
msExchRecipientDisplayType, msExchRecipientTypeDetails, msExchSafeSendersHash, msExchTextMessagingState,
msExchUserAccountControl, msExchUserCulture, msExchVersion, msExchWhenMailboxCreated,
msSBSComputerUserAccessOverride, msSBSCreationState, msSBSRoleGuid, msTSExpireDate, msTSLicenseVersion,
msTSManagingLS, Name, nTSecurityDescriptor, ObjectCategory, ObjectClass, ObjectGUID, objectSid, Office,
OfficePhone, Organization, OtherName, PasswordExpired, PasswordLastSet, PasswordNeverExpires,
PasswordNotRequired, POBox, PostalCode, PrimaryGroup, primaryGroupID, ProfilePath,
ProtectedFromAccidentalDeletion, protocolSettings, proxyAddresses, publicDelegatesBL, pwdLastSet,
SamAccountName, sAMAccountType, ScriptPath, sDRightsEffective, ServicePrincipalNames, showInAddressBook,
SID, SIDHistory, SmartcardLogonRequired, sn, State, StreetAddress, Surname, textEncodedORAddress, Title,
TrustedForDelegation, TrustedToAuthForDelegation, UseDESKeyOnly, userAccountControl, userCertificate

List Workstations and Last Logon Time from AD using Powershell

This will list workstations and their last logon times from AD:

Import-Module ActiveDirectory
# Workstations only: exclude computers whose OperatingSystem contains "Server"
$workstations = Get-ADComputer -Filter { OperatingSystem -NotLike '*Server*' } `
    -Properties OperatingSystem, lastLogonTimestamp
foreach ($ws in $workstations) {
    # lastLogonTimestamp is stored as a Windows FILETIME; convert it to a DateTime
    $ws | Select-Object @{n="Computer"; e={$_.Name}}, `
        @{Name="Lastlogon"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}}
}

References:
http://stackoverflow.com/questions/16965355/get-last-logon-time-computer-and-username-together-with-powershell
http://blogs.technet.com/b/askds/archive/2010/02/04/inventorying-computers-with-ad-powershell.aspx