A Couple Quick Active Directory One-Liners

Here are a few one-liner commands to help get info on your Active Directory environment.  I don't think there are any mind-blowing commands here, but they've helped me out.  There are literally hundreds of these around the web, as well as PowerShell equivalents, but these are the ones I've been using lately. 

How to view the Domains you trust and see what those Domain SIDs are:

nltest /domain_trusts /v

A quick listing of your AD Sites:

dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter "(objectClass=site)" -attr cn description location

A quick listing of your AD sites and their Site Links and Costs (sure would be nice if you could spit this out to Visio or something):

dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter "(objectClass=siteLink)" -attr cn cost description replInterval siteList

Compare time against your forest root PDCe:

w32tm /monitor /computers:ForestRootPDC

Find out which DC for a site is the ISTG:

dsquery * "CN=NTDS Site Settings,CN=siteName,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr interSiteTopologyGenerator

Using PowerShell to Resolve SIDs to Friendly Names

Time and time again I run into an issue that presents me with a SID which I need to resolve.  I’ve used a number of tools and scripts over the years to address this issue.  I think I have the best and easiest method for me to solve this issue that always seems to pop up.

If you're new to PowerShell, make sure it is installed before you use this script...and yes, it is a script, not a single command.  I create it by making a new text file and renaming it from .txt to .ps1.  Double-clicking a .ps1 file may open it in your text editor; instead, right-click it and select Edit, which opens it in whatever you have as your PowerShell editor (the ISE by default).  If Windows refuses to run it with an execution policy error, run Set-ExecutionPolicy RemoteSigned from an elevated PowerShell first.  Copy the following code into the script pane:

# Build a SID object from the string, then ask Windows to translate it to DOMAIN\name
$objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-768745588-123456789-987654321-500")
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$objUser.Value

Now just save this file and run it to get the friendly name for the SID you put in it.  The one thing that changes is the SID itself.  In this example I'm using S-1-5-21-768745588-123456789-987654321-500, which is a domain SID (the S-1-5-21-… part is unique to the domain) ending in the well-known RID 500, the built-in Administrator account of that domain.  Because the domain part is specific to one domain, this exact value will only resolve from a machine that can reach that domain.  Anytime you change the SID you have to resave the file, then run the script again and it will show you the result.

I'm sure there is a way I could make this into an application, but I'll leave that fun for those looking to take this to the next step.
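The same lookup as a reusable function, as an added example rather than the post's own script: it takes SIDs from the pipeline, keeps going when one fails, and says whether the failure was a malformed SID or a SID that Windows simply cannot map (a deleted account, or a domain with no trust path from this machine). Resolve-Sid and Resolve-AccountName are names I made up for this example; the sample SIDs are the post's example plus two well-known ones and one deliberately bad value.

```powershell
# Added example, not the original post's script. Resolves a list of SIDs and reports
# why a SID could not be resolved instead of stopping at the first failure.
function Resolve-Sid {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Sid)
    process {
        $result = [pscustomobject]@{ Sid = $Sid; Account = $null; Status = $null }
        try {
            $objSid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid -ErrorAction Stop
            $result.Account = $objSid.Translate([System.Security.Principal.NTAccount]).Value
            $result.Status = 'OK'
        } catch {
            # PowerShell wraps .NET exceptions; look at the innermost one to tell the two failures apart.
            $ex = $_.Exception
            while ($ex.InnerException) { $ex = $ex.InnerException }
            $result.Status = if ($ex -is [System.Security.Principal.IdentityNotMappedException]) {
                'NotMapped'    # well-formed SID, but no account: deleted, or a domain this machine cannot reach
            } else {
                'InvalidSid'   # not a SID string at all (typo, truncated paste)
            }
        }
        $result
    }
}

# The reverse lookup, account name to SID: handy when you need to know which SID an ACE should carry.
function Resolve-AccountName {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Name)
    process {
        try {
            $acct = New-Object System.Security.Principal.NTAccount -ArgumentList $Name -ErrorAction Stop
            [pscustomobject]@{
                Name = $Name
                Sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
            }
        } catch {
            Write-Warning "No SID found for '$Name'"
        }
    }
}

# Usage. The first two are well-known SIDs and resolve on any Windows machine; the third is the sample
# domain SID from the post (replace it with one from your own domain); the last is deliberately malformed.
'S-1-5-32-544',
'S-1-5-18',
'S-1-5-21-768745588-123456789-987654321-500',
'S-1-5-21-bogus' | Resolve-Sid | Format-Table -AutoSize

'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM' | Resolve-AccountName
```

The NotMapped case is the one worth keeping an eye on in ACLs: an orphaned SID in a permission entry usually means the account was deleted, or it belongs to a domain this machine no longer trusts.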

Find and Disable Stale User Accounts

Stale user accounts can be a big problem...even more so when they are not disabled.  I'm a firm believer that if you have an account that is not being used it should be disabled.  However, depending on the size of your Active Directory, that can be a daunting challenge.  Below you will find a command that lists the user accounts that have not been used for 10 weeks, and a second form that disables them. 

dsquery user -inactive 10 -limit 0

The 10 value is the number of weeks an account has been inactive, and -limit 0 means return everything (without it, dsquery stops at 100 results).  If you expect a lot of hits you may want to change the limit from 0 to something like 50 and work through them in batches.  One caveat: -inactive is judged from lastLogonTimestamp, which a DC only rewrites when the stored value is more than about 14 days old, so the week count is approximate by up to two weeks.

Now if you would like to disable them as well you simply add on another portion of code.  For safety reasons I prefer to run the code above first to see who is inactive and then once I’ve validated those accounts can be inactive I run the following code to disable them.

dsquery user -inactive 10 -limit 0 | dsmod user -disabled yes

Obviously the account you run this as needs the appropriate permissions for dsmod to work, so watch out for that.  Good luck and happy hunting!
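The same job in the ActiveDirectory module, as an added example that is not the post's command: Search-ADAccount finds the inactive users, the reviewed list is saved to a CSV, and only that list gets disabled after a -WhatIf dry run, with the reason stamped into the description. Get-StaleUser and the exclusion list are my own names; it assumes the ActiveDirectory module is installed and you have rights to disable users.

```powershell
# Added example, not the post's own commands. Needs the ActiveDirectory module (RSAT or a 2008 R2+ DC).
# Search-ADAccount -AccountInactive is driven by lastLogonTimestamp, which a DC only rewrites when the
# stored value is more than about 14 days old, so "10 weeks" is accurate to within two weeks at best.
Import-Module ActiveDirectory

function Get-StaleUser {
    param(
        [int]$Weeks = 10,
        [string]$SearchBase,                                      # OU DN to scope the search; whole domain if omitted
        [string[]]$ExcludeSamAccountName = @('krbtgt', 'Guest')  # accounts you never want auto-disabled
    )
    $params = @{ AccountInactive = $true; TimeSpan = (New-TimeSpan -Days ($Weeks * 7)); UsersOnly = $true }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Search-ADAccount @params |
        Where-Object { $_.Enabled -and ($ExcludeSamAccountName -notcontains $_.SamAccountName) } |
        Get-ADUser -Properties lastLogonTimestamp, whenCreated, description |
        Select-Object SamAccountName, DistinguishedName, whenCreated, description,
            @{ Name = 'LastLogon'; Expression = {
                # null here means no lastLogonTimestamp has ever been written for the account
                if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } }
}

# 1. Report. Keep the CSV: it is the list someone signs off on, and the list you disable from.
$stale = Get-StaleUser -Weeks 10
$stale | Export-Csv -NoTypeInformation -Path .\stale-users.csv
$stale | Sort-Object LastLogon | Format-Table SamAccountName, LastLogon, whenCreated, description -AutoSize

# 2. Dry run, then disable exactly the reviewed objects (not a fresh query, which could pick up new hits).
$stale | Disable-ADAccount -WhatIf
$stale | ForEach-Object {
    $note = 'Disabled {0:yyyy-MM-dd} as inactive 10+ weeks; was: {1}' -f (Get-Date), $_.description
    Set-ADUser -Identity $_.DistinguishedName -Description $note
    Disable-ADAccount -Identity $_.DistinguishedName
}
```

Disabling from the saved list rather than re-running the query is deliberate: whoever reviewed the CSV reviewed those objects, and nothing that became "stale" between the review and the change gets swept up with them.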

How to Verify Trusts

I know, all AD admins have trust issues...not just literal ones, but we also think about the trusts we have in our Active Directory environment.  As you all know, I'm a fan of quick, easy ways to get info.  Today's tidbit is how to use nltest to verify your trusts.

The following command and switches can be used to view all of your trusts.  You can perform them from any system in your domain, just specify the DC in the command.

nltest /server:dc_name /domain_trusts /all_trusts

Just replace the dc_name with your domain controllers name and it will list all of your trusts to the domain that the DC resides in.

Another tidbit I like to do is filter it by name if you have multiple namespaces.

nltest /server:dc_name /domain_trusts /all_trusts | find /i "name"

Here you would replace name with the name of a domain or part of the namespace you are looking for. 
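To go one step past listing the trusts, here is an added example (not the post's command) that reads the same trustedDomain objects nltest reports and decodes the trustAttributes bits into the things you actually review on a trust: direction, type, the partner's domain SID, whether SID filtering is on, and whether TGT delegation is allowed across it. The bit values are the TRUST_ATTRIBUTE_* constants from MS-ADTS; ConvertFrom-TrustedDomain and Get-TrustReport are my own names, the live query assumes the ActiveDirectory module, and the offline record at the end is constructed.

```powershell
# Added example, not from the post. Decodes trustedDomain attributes the way a trust review needs them.
$TrustAttributeFlags = [ordered]@{
    NON_TRANSITIVE                           = 0x001
    UPLEVEL_ONLY                             = 0x002
    QUARANTINED_DOMAIN                       = 0x004   # SID filtering (quarantine) on an external trust
    FOREST_TRANSITIVE                        = 0x008
    CROSS_ORGANIZATION                       = 0x010   # selective authentication
    WITHIN_FOREST                            = 0x020
    TREAT_AS_EXTERNAL                        = 0x040   # what netdom /enablesidhistory:yes sets on a forest trust
    USES_RC4_ENCRYPTION                      = 0x080   # MIT trusts only
    CROSS_ORGANIZATION_NO_TGT_DELEGATION     = 0x200
    PIM_TRUST                                = 0x400
    CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x800
}
$TrustDirection = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$TrustType      = @{ 1 = 'Downlevel'; 2 = 'Uplevel'; 3 = 'MIT'; 4 = 'DCE' }

function ConvertFrom-TrustedDomain {
    param(
        [Parameter(Mandatory)][string]$Partner,
        [Parameter(Mandatory)][int]$Attributes,
        [int]$Direction,
        [int]$Type,
        $SecurityIdentifier                    # byte[] or SecurityIdentifier, whichever the AD module hands back
    )
    $flags = @(foreach ($f in $TrustAttributeFlags.GetEnumerator()) { if ($Attributes -band $f.Value) { $f.Key } })
    $sid = if ($SecurityIdentifier -is [System.Security.Principal.SecurityIdentifier]) {
        $SecurityIdentifier.Value
    } elseif ($SecurityIdentifier -is [byte[]]) {
        (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $SecurityIdentifier, 0).Value
    }
    $external = -not ($Attributes -band 0x028)          # neither WITHIN_FOREST nor FOREST_TRANSITIVE
    $review = @(
        if ($external -and -not ($Attributes -band 0x004)) { 'SID filtering off: SIDHistory from the trusted domain is honoured' }
        if (($Attributes -band 0x008) -and ($Attributes -band 0x040)) { 'SID history enabled across a forest trust' }
        if ($Attributes -band 0x800) { 'TGT delegation allowed across the trust' }
    )
    [pscustomobject]@{
        Partner   = $Partner
        Direction = $TrustDirection[$Direction]
        Type      = $TrustType[$Type]
        DomainSid = $sid
        Flags     = $flags -join ','
        Review    = $review -join '; '
    }
}

function Get-TrustReport {
    param([string]$Server)   # a DC of the domain whose trusts you want, same idea as nltest /server:
    $p = @{
        Filter     = 'objectClass -eq "trustedDomain"'
        Properties = 'trustPartner', 'trustAttributes', 'trustDirection', 'trustType', 'securityIdentifier'
    }
    if ($Server) { $p.Server = $Server }
    Get-ADObject @p | ForEach-Object {
        ConvertFrom-TrustedDomain -Partner $_.trustPartner -Attributes $_.trustAttributes `
            -Direction $_.trustDirection -Type $_.trustType -SecurityIdentifier $_.securityIdentifier
    }
}

# Offline check on a constructed record: a two-way external trust that someone ran netdom /quarantine:No on.
# Flags comes back empty and Review reports that SID filtering is off.
ConvertFrom-TrustedDomain -Partner 'partner.example' -Attributes 0x0 -Direction 3 -Type 2 | Format-List

# Against a live domain: the same columns for every trust the DC knows about.
# Get-TrustReport -Server dc_name | Format-Table Partner, Direction, Type, DomainSid, Flags, Review -AutoSize
```

The DomainSid column is the same value nltest /domain_trusts /v prints, which is the one you need when a foreign SID turns up in an ACL or in SIDHistory and you want to know which trusted domain it came from.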

Is my Active Directory Backed Up?

There are a ton of methods to backup Active Directory.  I’m not going to get into each method with this post.  What I am going to do is share another little command that can be run to check to see if your Active Directory was backed up and when.

Before I discuss that command, one point I would like to make is to be very careful about who you let back up and restore your Active Directory DB.  From a security standpoint this could be a major violation of your company's security policy.  Think about it for a minute.  Let's say I work in a support group in your company that provides backup and restore services for all systems, including Domain Controllers.  I could take that backup of Active Directory and restore it to a private system that I have.  Now I could extract the password hashes from the ntds.dit in that backup and crack them offline.  Sure it may take a bit of time, but I've got plenty of time.

If you have a group that is responsible for backups and restores on Domain Controllers, then I believe you need to put some really good policies and guidelines in place to protect your most important asset...Active Directory.  I actually don't like anyone backing up Active Directory who isn't an Administrator, and I always select the option that only an Administrator can restore the backup.  I understand that a rogue admin could still do harm, but at least some mitigation has been put in place.

Now, finally to the point.  Is my Active Directory backed up?  For this one we are going to run another Repadmin command.

repadmin /showbackup

This will show you when the last backup of each Active Directory partition ran.  You don't need to run it against a specific DC, because the backup timestamp is stored on the naming context itself and replicates, so any DC gives the same answer.  If you want to run it against every DC in the forest anyway (for example to spot a DC that is behind), put a * at the end of the command (repadmin /showbackup *) and it will query all of them.
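A quick check script as an added example (not from the post): it parses the repadmin /showbackup output and flags partitions whose last backup is older than a threshold, or that have never been backed up at all. The line shape it expects ("Backup Date/Time yyyy-MM-dd HH:mm:ss" under a naming-context header) is an assumption on my part, and the sample output below is constructed, so compare it with a real run before trusting the regex. ConvertFrom-ShowBackup and Test-ADBackupAge are my own names.

```powershell
# Added example, not from the post. Parses repadmin /showbackup and reports backup age per partition.
function ConvertFrom-ShowBackup {
    param([Parameter(Mandatory)][string[]]$Lines)
    $partitions = [ordered]@{}
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^(DC|CN)=') {                       # naming context header, e.g. DC=AdminPrep,DC=com
            $current = $line
            if (-not $partitions.Contains($current)) { $partitions[$current] = $null }
        } elseif ($current -and $line -match 'Backup Date/Time\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
            $stamp = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
            if (-not $partitions[$current] -or $stamp -gt $partitions[$current]) { $partitions[$current] = $stamp }
        }
    }
    foreach ($k in $partitions.Keys) {
        [pscustomobject]@{ Partition = $k; LastBackup = $partitions[$k] }
    }
}

function Test-ADBackupAge {
    param([Parameter(Mandatory)]$Entries, [int]$MaxAgeDays = 7, [datetime]$Now = (Get-Date))
    foreach ($e in $Entries) {
        $age = if ($e.LastBackup) { ($Now - $e.LastBackup).Days } else { $null }
        [pscustomobject]@{
            Partition  = $e.Partition
            LastBackup = $e.LastBackup
            AgeDays    = $age
            Status     = if ($null -eq $age) { 'NEVER BACKED UP' } elseif ($age -gt $MaxAgeDays) { 'STALE' } else { 'OK' }
        }
    }
}

# Constructed sample, shaped like what I expect from: repadmin /showbackup
$sample = @'
Repadmin: running command /showbackup against full DC localhost
DC=ForestDnsZones,DC=AdminPrep,DC=com
    dSASignature        1 entries
    Version 1, Flags 0x0, Backup Date/Time 2009-06-01 02:15:33
DC=AdminPrep,DC=com
    dSASignature        1 entries
    Version 1, Flags 0x0, Backup Date/Time 2009-06-09 02:15:33
CN=Configuration,DC=AdminPrep,DC=com
    dSASignature        0 entries
'@ -split "`r?`n"

# On the sample: ForestDnsZones is STALE (9 days), the domain partition is OK, Configuration was never backed up.
Test-ADBackupAge -Entries (ConvertFrom-ShowBackup -Lines $sample) -MaxAgeDays 7 -Now ([datetime]'2009-06-10') |
    Format-Table -AutoSize

# Live run:
# Test-ADBackupAge -Entries (ConvertFrom-ShowBackup -Lines (repadmin /showbackup)) -MaxAgeDays 7
```

Whatever threshold you pick, keep it well under the tombstone lifetime: a backup older than that cannot be used for a restore without reintroducing objects that have already been garbage-collected everywhere else.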

Now go out there and make sure your Active Directory is backed up!!!

Initiate Replication across all Partitions and DCs

It seems I'm always trying to remember this little command, and it's about time I put it here where I can always find it.  This isn't a new command, but it is a nifty little one that will initiate replication across your environment. 

repadmin /syncall /APed

I prefer to run it on the DC itself (which is why there is no DC_name after /syncall; the local DC is used) and from the command line so I can pipe the output to a text file.  The switches: /A syncs all naming contexts the DC holds, /P pushes changes outward from this DC instead of pulling, /e includes partners in other sites (enterprise), and /d shows servers by distinguished name rather than GUID in the output.

Viewing your FSMO Role Holders Remotely

There are quite a few ways to view what your FSMO roles are.  You can use the GUI tools or even the following netdom command that I've shared in the past – netdom query fsmo

However, if you are working in a trusted multi-domain environment, the following command lets you view the FSMO role holders of another domain remotely (replace domain_name with the DNS name of the domain you are asking about):

netdom query /domain:domain_name fsmo

This is just a huge time saver and hopefully you can add it to your tool belt of commands.

Recycling Active Directory Trash with the AD Recycle Bin

Hopefully some of you have been playing with Server 2008 R2 while it has been in beta.  One of the features I'm looking forward to most is the AD Recycle Bin.  Yes, you heard me correctly.  We finally have an easy method for restoring accidentally deleted objects. 

In the past our only out-of-the-box recovery method was an authoritative restore of the object.  That method had several issues that always rubbed me the wrong way.  First, the DC had to be taken into Directory Services Restore Mode (DSRM) and restored from a backup.  Since Server 2003 we have also had tombstone reanimation, but a tombstone keeps only a handful of attributes, so most of them, including link-valued ones such as group membership, came back empty and had to be put back by hand.  This led to additional work after the restore.  The default tombstone lifetime was 180 days for forests created with Server 2003 SP1 and 2008.

You are probably already familiar with tombstones and the garbage collection process.  If not, read Gil's excellent article on that here.  With Server 2008 R2 you will now need to become aware of two new states, deleted object and recycled object.  The first thing to realize is that the AD Recycle Bin is not enabled by default with Server 2008 R2, and once it is enabled it cannot be turned off again.  The following steps/requirements must first be met:
  1. Raise the Forest Functional Level to Server 2008 R2 (every DC in the forest must already be running 2008 R2)
  2. Enable AD Recycle Bin (my example uses PowerShell...get used to it now)
    1. Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=com" -Scope ForestOrConfigurationSet -Target "AdminPrep.com"
    2. Just make sure to replace AdminPrep with your domain

Now when an object is deleted it is no longer turned into a stripped-down tombstone; it becomes a deleted object that keeps all of its attributes, link-valued ones included.  It is placed in the Deleted Objects container of its partition, which is hidden but can be found at CN=Deleted Objects,DC=AdminPrep,DC=com (for the domain partition).  When you want to restore an object there are two methods that I'm aware of, one using PowerShell and the other using LDP.

Using LDP:
  1. Using elevated credentials, open LDP by typing ldp.exe in the Run dialog box
  2. Click Connection and select Connect, then Connection again and select Bind
  3. On the Options menu click Controls, pick Return deleted objects from the Load Predefined list, and click OK (without this control the Deleted Objects container stays hidden)
  4. On the View menu click Tree, enter your domain DN as the BaseDN, and navigate to CN=Deleted Objects
  5. Find the object you wish to restore, right-click it and select Modify
  6. In the Modify dialog box:
    1. In Edit Entry Attribute, type isDeleted
    2. Leave the Values box empty
    3. Under Operation, click Delete, and then click Enter
    4. In Edit Entry Attribute, type distinguishedName
    5. In Values, type the original distinguished name (DN) the object had before it was deleted
    6. Under Operation, click Replace
    7. Make sure that the Extended check box is selected, click Enter, and then click Run

To restore an object using PowerShell you use the Get-ADObject and Restore-ADObject cmdlets.  Using PowerShell:
  1. Open the Active Directory Module for Windows PowerShell and use the following syntax:
    1. Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject
  2. Here is an example of restoring a deleted user account named Brian:
    1. Get-ADObject -Filter {displayName -eq "Brian"} -IncludeDeletedObjects | Restore-ADObject

When restoring multiple items that may be linked (OU or Group that contains Users) you will want to start at the highest level.

An object can only be restored using those methods while it is still within the deleted object lifetime.  That is the forest-wide msDS-deletedObjectLifetime attribute on the Directory Service object in the Configuration partition; if you look it up it will have a null value, which means "same as the tombstone lifetime", i.e. 180 days on a forest created with Server 2003 SP1 or later.  Once that time is up the object becomes a recycled object (isRecycled = TRUE), most of its attributes are stripped, and it can no longer be restored; it is then garbage-collected after one more tombstone lifetime.
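Putting the two previous points together (parents before children, and only objects that are not yet recycled), here is an added example that is not the post's own command: it finds a deleted OU, walks everything that was beneath it using lastKnownParent, and restores the whole subtree top down, with a -WhatIf pass first. It assumes the ActiveDirectory module and an enabled Recycle Bin; the OU name "Sales" and the function names are placeholders of mine.

```powershell
# Added example, not from the post. Restores a deleted OU and then everything that was beneath it,
# parents first. Needs the ActiveDirectory module and an enabled Recycle Bin; "Sales" is a placeholder.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping for a value dropped into an LDAP filter (backslash must be done first)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-OriginalDN {
    param([Parameter(Mandatory)]$DeletedObject)
    # A deleted object's DN looks like "OU=Sales\0ADEL:<guid>,CN=Deleted Objects,DC=...". The RDN in
    # front of the \0ADEL marker, joined to lastKnownParent, is the DN the object had before deletion.
    $dn = $DeletedObject.DistinguishedName
    $rdn = $dn.Substring(0, $dn.IndexOf('\0ADEL:'))
    '{0},{1}' -f $rdn, $DeletedObject.lastKnownParent
}

function Get-DeletedChildren {
    param([Parameter(Mandatory)][string]$ParentDN)
    # A subtree delete removes leaves first, so each child recorded the parent's live DN in lastKnownParent.
    # isRecycled=TRUE means the object is past msDS-deletedObjectLifetime and cannot be restored; skip those.
    $filter = '(&(isDeleted=TRUE)(!(isRecycled=TRUE))(lastKnownParent={0}))' -f (ConvertTo-LdapFilterValue $ParentDN)
    Get-ADObject -IncludeDeletedObjects -LDAPFilter $filter -Properties lastKnownParent
}

function Restore-DeletedSubtree {
    param([Parameter(Mandatory)]$DeletedObject, [switch]$WhatIf)
    $originalDN = Get-OriginalDN -DeletedObject $DeletedObject
    if ($WhatIf) {
        "Would restore $originalDN"
    } else {
        Restore-ADObject -Identity $DeletedObject.ObjectGUID
        "Restored $originalDN"
    }
    # Children can only go back once their parent exists again, so recurse after the restore.
    foreach ($child in Get-DeletedChildren -ParentDN $originalDN) {
        Restore-DeletedSubtree -DeletedObject $child -WhatIf:$WhatIf
    }
}

# Find the deleted OU. A deleted object's name is the old name followed by a line feed and "DEL:<guid>",
# so match on the prefix, and constrain the class so a deleted user called Sales is not picked up.
$ou = @(Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
        -LDAPFilter '(&(isDeleted=TRUE)(!(isRecycled=TRUE))(objectClass=organizationalUnit)(name=Sales*))')
if ($ou.Count -ne 1) { throw "Expected exactly one deleted OU named Sales, found $($ou.Count)" }

Restore-DeletedSubtree -DeletedObject $ou[0] -WhatIf   # list the tree first
Restore-DeletedSubtree -DeletedObject $ou[0]           # then restore it, top down
```

If the parent OU was deleted in a separate, earlier operation, the children's lastKnownParent will point at the parent's deleted-state DN instead of its live one; in that case restore the parent by hand first and pass -TargetPath to Restore-ADObject for the children.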

Here is a look at what AD Recycle Bin looks like visually

Active Directory Recycle Bin PowerShell Scripts

I just found out that there is an Active Directory PowerShell Blog run by Microsoft's AD PowerShell team.  I gathered that info from reading Jason's post.  It's amazing how much info you can get from reading other people's blogs...now on to the regularly scheduled post...

After writing my article on the AD Recycle Bin I thought I would include a few PowerShell scripts here that can be used to modify the tombstone lifetime along with the deleted object lifetime.  Remember that both of these work out to 180 days on a forest created with Server 2003 SP1 or later, yet may show up as null if you use LDP to view the attributes: a null msDS-deletedObjectLifetime means "same as the tombstone lifetime", and a null tombstoneLifetime means 60 days (forests created on 2003 SP1 or newer have 180 written in explicitly at creation, which is why you usually see it set).

PowerShell script to change the tombstone lifetime to 250 days.  This is a forest-wide setting in the Configuration partition, not a per-domain one; AdminPrep.Local is my forest:

Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=Local" -Partition "CN=Configuration,DC=AdminPrep,DC=Local" -Replace:@{"tombstoneLifetime" = 250}

PowerShell script to change the deleted object lifetime to 250 days:

Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=Local" -Partition "CN=Configuration,DC=AdminPrep,DC=Local" -Replace:@{"msDS-DeletedObjectLifetime" = 250}
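Because a null in either attribute does not mean zero, it helps to read back the effective values before and after changing them. The following is an added example (not the post's scripts) that applies the null rules described above, discovers the Configuration partition from the RootDSE instead of hard-coding the forest name, and sets both lifetimes in one write with a sanity check; Get-ADLifetime and Set-ADLifetime are my own names, and the upper bound in the range check is an arbitrary cap of mine.

```powershell
# Added example, not the post's own commands. Reads and sets the two lifetimes on the Directory Service
# object. tombstoneLifetime null = 60 days; msDS-DeletedObjectLifetime null = same as tombstone lifetime.
Import-Module ActiveDirectory

function Get-ADLifetime {
    param([string]$Server)
    $p = @{}; if ($Server) { $p.Server = $Server }
    $cfg = (Get-ADRootDSE @p).configurationNamingContext
    $ds  = Get-ADObject @p -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
               -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $tsl = if ($null -ne $ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    $dol = if ($null -ne $ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }
    [pscustomobject]@{
        TombstoneLifetimeDays            = $tsl
        TombstoneAttributeSet            = ($null -ne $ds.tombstoneLifetime)
        DeletedObjectLifetimeDays        = $dol
        DeletedObjectAttributeSet        = ($null -ne $ds.'msDS-DeletedObjectLifetime')
        # restorable for DOL days, then kept as a recycled object for TSL more days before garbage collection
        TotalDaysBeforeGarbageCollection = $dol + $tsl
    }
}

function Set-ADLifetime {
    param(
        [Parameter(Mandatory)][ValidateRange(2, 3650)][int]$TombstoneDays,       # 2 is the minimum AD accepts
        [Parameter(Mandatory)][ValidateRange(2, 3650)][int]$DeletedObjectDays,
        [string]$Server,
        [switch]$WhatIf
    )
    $p = @{}; if ($Server) { $p.Server = $Server }
    $cfg = (Get-ADRootDSE @p).configurationNamingContext
    # One write for both values; -Replace stores explicit numbers, so the null rules no longer apply afterwards.
    Set-ADObject @p -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Partition $cfg `
        -Replace @{ tombstoneLifetime = $TombstoneDays; 'msDS-DeletedObjectLifetime' = $DeletedObjectDays } `
        -WhatIf:$WhatIf
}

Get-ADLifetime | Format-List
Set-ADLifetime -TombstoneDays 250 -DeletedObjectDays 250 -WhatIf   # dry run of the post's two commands in one step
Get-ADLifetime | Format-List
```

Keep the backup schedule in mind when you raise these: the tombstone lifetime is also the maximum age of a backup that can still be safely restored.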

New PowerShell Blog

Just saw that a good friend and former co-worker FINALLY has a blog up.  Jason's blog is geared toward PowerShell and it already has some nice posts as well as some videos on PowerShell.  I'm so far behind on the PowerShell curve, but I'm sure Jason's blog will help get me up to speed. 

With Server 2008 R2's release coming soon, all AD admins should take the time to learn PowerShell, since it is going to include ways to manage AD.  So make sure you hit www.jasonhelmick.com for all your PowerShell loving...what's with the name, Jason? :)

Also, I'm going to need Jason to explain to me why his videos on Microsoft PowerShell are in .MOV format???? What is up with that????