Two Very Important Attributes with Active Directory Recycle Bin

I’ve blogged several times about the AD Recycle Bin (ADRB).  It has been a popular subject here at the Life of Brian and I can see why.  It is a feature all AD admins have been screaming about for years.  I wanted to spend 5 mins of your life going over two attributes that confuse everyone…even me from time to time.

There are over a dozen attributes that deal with ADRB, but I want to focus on two of them, isDeleted and isRecycled.  The first time I read through the documentation on these attributes I thought it was pretty straightforward: isDeleted is set when an object is deleted and isRecycled is set when an object is recycled.  Well, it is NOT that simple.  Let me explain these attributes a bit further for your understanding.

The isDeleted attribute has been around since Windows 2000 and is defined for every AD object, although it is only set (to TRUE) once the object has been deleted.  It tells you the object is deleted (makes sense), and once the ADRB is enabled it also tells you the object is still restorable: objects deleted after the feature was enabled keep their attributes and links while isDeleted is TRUE, so you can bring them back intact.

The isRecycled attribute is new in Windows Server 2008 R2 and only exists on an object after it has been recycled.  By default, a deleted object becomes a recycled object when its msDS-deletedObjectLifetime (another attribute new in Server 2008 R2, stored on the same Directory Service object as tombstoneLifetime) expires; the recycled object is then purged for good once tombstoneLifetime expires.  A recycled object is what I like to call dead dead.  This means that you can't restore it with all its pretty properties; most of them have been stripped.  It is a lot like the old way of reanimating a tombstone just to get the object's SID back.

I think you can see where the confusion comes into play.  When I hear or read the term isDeleted my gut reaction is to think that the object is gone (dead dead), and when it says isRecycled I think it can be restored fully…well, the sad truth is that it is the opposite: isDeleted without isRecycled means restorable, and isRecycled means dead dead.
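To see the two states side by side, here is an added PowerShell example (not code from the original post) that lists restorable deleted objects, lists recycled ones, and dry-runs a restore.  It assumes the ActiveDirectory module from Server 2008 R2 / RSAT, that the Recycle Bin is already enabled, and the account name adminprepbrian is a placeholder.

```powershell
# Added example; not code from the original post. Assumes the ActiveDirectory
# module (Server 2008 R2 / RSAT), an enabled AD Recycle Bin, and a made-up
# sample account name (adminprepbrian).
Import-Module ActiveDirectory

# Deleted but still restorable: isDeleted is TRUE and isRecycled is absent.
# The Deleted Objects container is itself flagged isDeleted, so drop it by name.
function Get-RestorableDeletedObject {
    Get-ADObject -Filter 'isDeleted -eq $true -and isRecycled -ne $true' `
                 -IncludeDeletedObjects `
                 -Properties isDeleted, isRecycled, lastKnownParent, whenChanged, objectSid, sAMAccountName |
        Where-Object { $_.Name -ne 'Deleted Objects' }
}

# "Dead dead": isRecycled is TRUE. Only a stub (GUID, SID and a few attributes)
# remains until tombstoneLifetime expires and garbage collection removes it.
function Get-RecycledObject {
    Get-ADObject -Filter 'isRecycled -eq $true' `
                 -IncludeDeletedObjects `
                 -Properties isDeleted, isRecycled, whenChanged, objectSid
}

# Restore a deleted user by its pre-deletion sAMAccountName (which survives deletion).
# Restore-ADObject fails if the object is already recycled, or if the container in
# lastKnownParent no longer exists (restore the parent OU first in that case).
function Restore-DeletedUser {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [switch]$WhatIf
    )
    $candidates = Get-RestorableDeletedObject |
        Where-Object { $_.ObjectClass -eq 'user' -and $_.sAMAccountName -eq $SamAccountName }
    if (-not $candidates) { throw "No restorable deleted user named $SamAccountName" }
    foreach ($obj in $candidates) {
        "Restoring $($obj.DistinguishedName) back under $($obj.lastKnownParent)"
        Restore-ADObject -Identity $obj.ObjectGUID -WhatIf:$WhatIf
    }
}

# Usage: review both lists, then dry-run a restore before doing it for real.
Get-RestorableDeletedObject | Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize
Get-RecycledObject          | Select-Object Name, ObjectClass, whenChanged | Format-Table -AutoSize
Restore-DeletedUser -SamAccountName 'adminprepbrian' -WhatIf
```

Drop the -WhatIf once the candidate list looks right.  Objects that were already tombstones when the Recycle Bin was enabled show up in the recycled list, not the restorable one.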

Windows 7 Aero and Microsoft Live Meeting

I do a lot of meetings and training via Live Meeting.  One thing that has irked me for some time is that when I share my desktop it drops into the Basic display mode and disables all the cool Aero features.

I've figured out a workaround for this.  After you share your screen, go to the Start menu and paste the following into the search box – Find and fix problems with transparency and other visual effects.  If you have UAC on it will prompt you to click Yes.  The next screen that pops up is the troubleshooter wizard shown below.


If you click Next it goes through a process that checks features and hardware to see whether Aero can run.  If Aero worked before you started sharing in Live Meeting, it should work again after you run it.

I haven’t found a method to save this theme or settings but each time I need it I run this tool and it gives me the ability to run Aero features!


Using PowerShell to Transfer FSMO Roles

You may be familiar with the traditional ways to transfer FSMO roles but how about by using PowerShell?  By now you should just know that PowerShell can do everything the GUI can do…well at least that is the way it feels to me. 

If you want to use PowerShell to transfer any of your five FSMO roles (PDC Emulator, RID Master, Infrastructure Master, Domain Naming Master and Schema Master) then you will first need to import the Active Directory module into PowerShell (ipmo is the alias for Import-Module):

ipmo activedirectory

Now that you have the AD module loaded, the cmdlet you will use for this is quite a mouthful – Move-ADDirectoryServerOperationMasterRole.  Thankfully we have the Get-Help cmdlet to help us remember that.  All I need to do is remember move-ad and then press Tab to complete the rest.  There is only one other cmdlet that is similar to it (Move-ADDirectoryServer), and you just have to remember you are trying to move the FSMO role and not the server.

When entering the cmdlet you need to specify the operation master roles to move.  The names for the five roles are as follows – PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, or DomainNamingMaster.  To specify more than one role just separate each role with a comma.

An example of me moving the RID Master and PDC Emulator to DC2 is as follows:

Move-ADDirectoryServerOperationMasterRole -Identity "DC2" -OperationMasterRole RIDMaster,PDCEmulator

A feature that I just love in PowerShell is the –WhatIf parameter.  By adding this to your code it will do a dry run and let you know what is going to change if you did the command without that parameter.

One key thing to note here is that I am NOT seizing the FSMO role; the command above is a graceful transfer that requires the current role holder to be online.  For a seizure (when the old holder is permanently gone) you can use NTDSUtil as defined here, or add the cmdlet's -Force switch, which turns the transfer into a seizure.  Never bring a seized role's former holder back onto the network afterwards.
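Here is an added PowerShell example (not code from the original post) that wraps the transfer in a before/after check so you can confirm which DC holds each role.  It assumes the ActiveDirectory module and that DC2 is a writable DC in the current domain; the -Seize switch is an illustration of passing -Force through and should only be used when the old holder is never coming back.

```powershell
# Added example; not code from the original post. Assumes the ActiveDirectory
# module is loaded and that DC2 is a writable DC in the current domain.
Import-Module ActiveDirectory

# Who holds the five roles right now: domain roles come from Get-ADDomain,
# forest-wide roles from Get-ADForest.
function Get-FsmoRoleHolder {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    New-Object PSObject -Property @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory=$true)][string]$TargetDC,
        # Any of: PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster
        [Parameter(Mandatory=$true)][string[]]$Role,
        # Seize instead of transfer; only when the current holder is gone for good.
        [switch]$Seize
    )
    # Dry run first, then the real move. -Force turns a transfer into a seizure,
    # so it is only passed through when -Seize was given explicitly.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -WhatIf
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false -Force:$Seize
}

"Before:"; Get-FsmoRoleHolder | Format-List
Move-FsmoRole -TargetDC 'DC2' -Role RIDMaster, PDCEmulator
"After:";  Get-FsmoRoleHolder | Format-List
```

If the "After" output still shows the old holder, give replication a moment and re-run Get-FsmoRoleHolder against the target with -Server before assuming the move failed.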

What if Halo was available on the Atari 2600?

I grew up on the Atari 2600 and because of that it has a fond place in my childhood memories.  I've played my fair share of Halo over the years too.  Well, what if Bungie had been around 30+ years ago and released their mega hit Halo on the 2600?  Dream no more…


How cool is this?  You can actually play the game too.  It reminds me a lot of the game called Adventure for the Atari 2600.  Enjoy!


Find and Disable Stale User Accounts

Stale user accounts can be a big problem…even more so when they are not disabled.  I'm a firm believer that if you have an account that is not being used it should be disabled.  However, depending on the size of your Active Directory, that can be a daunting challenge.  Below you will find a one-liner that identifies user accounts that have not been used for 10 weeks, followed by a version that disables them.

dsquery user -inactive 10 -limit 0

The 10 value is the number of weeks an account has been inactive; -limit 0 removes dsquery's default cap of 100 results.  If you think you are going to have a lot of these, you may want to set the limit to something like 50 and work through them in batches.  One caveat: -inactive is based on lastLogonTimestamp, which is only replicated when it is more than 14 days out of date, so anything under two weeks is unreliable, and accounts that have never logged on have no timestamp at all.

Now if you would like to disable them as well you simply add on another portion of code.  For safety reasons I prefer to run the code above first to see who is inactive and then once I’ve validated those accounts can be inactive I run the following code to disable them.

dsquery user -inactive 10 -limit 0 | dsmod user -disabled yes

Obviously the account you run this as needs write access to the user objects for dsmod to work, so watch out for that.  Good luck and happy hunting!
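The same job with the AD module, as an added PowerShell example (not code from the original post), using Search-ADAccount instead of dsquery.  It adds two safety checks the one-liners above do not have: it skips accounts created inside the window (a new account that has not logged on yet is not stale) and it stamps the description before disabling so the change is traceable.  The 10-week window and the CSV file name are assumptions.

```powershell
# Added example; not code from the original post. Assumes the ActiveDirectory
# module; the 10-week window matches the dsquery example above.
Import-Module ActiveDirectory

# Candidates for disabling: enabled user accounts whose lastLogonTimestamp is
# older than the window. Accounts created inside the window are skipped, since a
# brand-new account that has never logged on is not "stale".
function Get-StaleUser {
    param([int]$Weeks = 10)
    $window = New-TimeSpan -Days ($Weeks * 7)
    $cutoff = (Get-Date) - $window
    Search-ADAccount -AccountInactive -TimeSpan $window -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName -Properties lastLogonTimestamp, whenCreated, description
        } |
        Where-Object { $_.whenCreated -lt $cutoff } |
        Select-Object SamAccountName, DistinguishedName, whenCreated, description,
            @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } }
}

# Disable what Get-StaleUser found, stamping the description first so the
# change is traceable. Run with -WhatIf and review the list before doing it for real.
function Disable-StaleUser {
    param([int]$Weeks = 10, [switch]$WhatIf)
    $stamp = "Disabled as stale on $(Get-Date -Format yyyy-MM-dd) (no logon in $Weeks weeks)"
    Get-StaleUser -Weeks $Weeks | ForEach-Object {
        Set-ADUser -Identity $_.DistinguishedName -Description $stamp -WhatIf:$WhatIf
        Disable-ADAccount -Identity $_.DistinguishedName -WhatIf:$WhatIf
    }
}

# Usage: export the candidates for review, then dry-run the disable.
Get-StaleUser -Weeks 10 | Export-Csv -NoTypeInformation -Path .\stale-users.csv
Disable-StaleUser -Weeks 10 -WhatIf
```

Because lastLogonTimestamp lags by up to 14 days, keep the window well above two weeks; the 10 weeks used in the post is a sensible floor.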

How to Delegate the Right to Delegate Kerberos Constrained Delegation

Wow, that is a lot of delegating…seriously how many times can you say it in one sentence.  Today’s post is one that threw me for a loop.  As a domain admin I have the right to configure constrained Kerberos delegation.  There may come a time when you want to delegate that out to a user or group. 

My first thought was to assign the user/group Full Control on the OU that included the accounts.  At this point I would run the following command

setspn -a http/workstation01 adminprepbrian

Surely Full Control would grant me the permission to do this…Failed!!!  Insufficient access rights.  It is not a "permission" (an ACE on the object) that is needed, it is a "User Right".  So where do you go to assign the right to work with constrained delegation, and which User Right is it?  Well, you won't find it under that name in the Local Security Policy: it shows up under User Rights Assignment as "Enable computer and user accounts to be trusted for delegation", and on domain controllers it is governed by the Default Domain Controllers Policy rather than the local policy.

The User Right that you need to grant is SeEnableDelegationPrivilege.  Now, where and how do I grant this User Right?  Well, it turns out you still should delegate Full Control to the user/group that you want to grant this User Right to.  Then on a DC you must run the following command (ntrights comes from the Windows Server 2003 Resource Kit Tools):

ntrights -u adminprepbrian +r SeEnableDelegationPrivilege

Just make sure to modify that domain/user to match your environment.  Now when I run the setspn command it works because that account has the correct User Right.  You may have to wait for replication to occur if you are in a distributed environment.  Grant this right sparingly: whoever holds it can mark accounts as trusted for delegation, which is a powerful capability, so keep it to a small, audited group.
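Two things a practitioner will want alongside the ntrights command: a way to audit who already holds SeEnableDelegationPrivilege, and the actual constrained-delegation write that the right gates.  The PowerShell below is an added example (not code from the original post) that does both; run it on a DC in an elevated session.  The account name adminprepbrian and the target SPN HTTP/workstation01 are placeholders taken from the text, and the temp file path is an assumption.

```powershell
# Added example; not code from the original post. Run elevated on a domain
# controller. adminprepbrian and HTTP/workstation01 are placeholders.
Import-Module ActiveDirectory

# Who currently holds SeEnableDelegationPrivilege on this DC. secedit exports the
# effective User Rights Assignment (on a DC that comes from the Default Domain
# Controllers Policy); entries are written as *SID, so translate them to names.
function Get-DelegationRightHolder {
    $inf = Join-Path $env:TEMP 'userrights.inf'   # assumed scratch location
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeEnableDelegationPrivilege\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else {
            $entry
        }
    }
}

# Constrained delegation lives in msDS-AllowedToDelegateTo on the account that will
# impersonate callers. Writing it requires SeEnableDelegationPrivilege on the DC that
# services the write, not just DACL rights (even Full Control) on the object.
function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string[]]$AllowedToDelegateTo,
        [switch]$WhatIf
    )
    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties 'msDS-AllowedToDelegateTo'
    if (-not $acct) { throw "Account $SamAccountName not found" }
    "Current targets: $($acct.'msDS-AllowedToDelegateTo' -join ', ')"
    Set-ADObject -Identity $acct -Replace @{ 'msDS-AllowedToDelegateTo' = $AllowedToDelegateTo } -WhatIf:$WhatIf
}

"Principals holding SeEnableDelegationPrivilege on $env:COMPUTERNAME:"
Get-DelegationRightHolder
Set-ConstrainedDelegation -SamAccountName 'adminprepbrian' -AllowedToDelegateTo 'HTTP/workstation01' -WhatIf
```

If the audit returns only Administrators (the default), the ntrights grant from the post has not been applied yet or has not replicated to the DC you are on.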

Raising your Active Directory Functional Level with PowerShell

Here are two ways for you to use PowerShell to raise your Forest Functional Level to Server 2008 R2 (every domain must already be at the Windows Server 2008 R2 domain level first):

  • Get-ADForest | Set-ADForestMode -ForestMode Windows2008R2Forest -Confirm:$false
  • Set-ADForestMode -Identity netbiosname -ForestMode Windows2008R2Forest -Confirm:$false

Either way will work.  Enjoy
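Before running either of those, it is worth a pre-flight check, because the raise fails if any domain is below the 2008 R2 domain level or any DC runs an older OS, and once features that depend on the new level (such as the Recycle Bin from the first post) are enabled there is no going back.  The PowerShell below is an added example (not code from the original post); it assumes the ActiveDirectory module and Enterprise Admins membership.

```powershell
# Added example; not code from the original post. Assumes the ActiveDirectory
# module and Enterprise Admins membership (needed to change the forest mode).
Import-Module ActiveDirectory

# Pre-flight: every domain must already be at Windows2008R2Domain and every DC in
# every domain must run Server 2008 R2 (NT 6.1) or later, or the raise fails.
function Test-ForestReadyFor2008R2 {
    $forest   = Get-ADForest
    $required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
    $ok = $true
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        if ([int]$domain.DomainMode -lt [int]$required) {
            Write-Warning "$domainName is at $($domain.DomainMode); raise it first with Set-ADDomainMode"
            $ok = $false
        }
        Get-ADDomainController -Filter * -Server $domainName | ForEach-Object {
            # OperatingSystemVersion looks like "6.1 (7600)"; keep the numeric part.
            $ver = [version]($_.OperatingSystemVersion -replace ' .*$', '')
            if ($ver -lt [version]'6.1') {
                Write-Warning "$($_.HostName) runs $($_.OperatingSystem) ($ver)"
                $ok = $false
            }
        }
    }
    "Current forest mode: $($forest.ForestMode)"
    return $ok
}

function Set-ForestMode2008R2 {
    param([switch]$WhatIf)
    if (-not (Test-ForestReadyFor2008R2)) { throw 'Forest is not ready; fix the warnings above' }
    # Dry run first, then the real change unless -WhatIf was passed in.
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008R2Forest -WhatIf
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008R2Forest -Confirm:$false -WhatIf:$WhatIf
    "Forest mode is now: $((Get-ADForest).ForestMode)"
}

Set-ForestMode2008R2 -WhatIf
```

Remove the -WhatIf from the usage line once the pre-flight comes back clean.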

Seeing your Active Directory Tombstone Period with PowerShell

Today's tip is how to view your Active Directory tombstone lifetime using PowerShell.

From a PowerShell prompt, type:

(get-adobject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=AdminPrep,DC=Local" -properties "tombstonelifetime").tombstonelifetime

The result shows up in days…very cool.  If nothing comes back, the attribute has never been set (typical of forests created before Windows Server 2003 SP1) and the directory is using the built-in default of 60 days.

Just make sure to change dc=AdminPrep,DC=Local to match your domain.
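The added PowerShell example below (not code from the original post) does the same lookup without hard-coding the domain, by reading the configuration naming context from rootDSE, and also reports msDS-DeletedObjectLifetime from the same object, since the two values together decide when a deleted object becomes recycled and when it is finally purged.  It handles the unset case for both attributes.

```powershell
# Added example; not code from the original post. Uses rootDSE to locate the
# configuration partition instead of hard-coding dc=AdminPrep,DC=Local.
Import-Module ActiveDirectory

function Get-ADObjectLifetime {
    $rootDse = Get-ADRootDSE
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # Forests created before Windows Server 2003 SP1 have no tombstoneLifetime
    # value at all; the directory then uses the built-in default of 60 days.
    $tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }

    # With the Recycle Bin enabled, an unset msDS-DeletedObjectLifetime means
    # "same as tombstoneLifetime".
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }

    New-Object PSObject -Property @{
        ConfigurationNC               = $rootDse.configurationNamingContext
        TombstoneLifetimeDays         = $tsl
        TombstoneLifetimeExplicit     = [bool]$ds.tombstoneLifetime
        DeletedObjectLifetimeDays     = $dol
        DeletedObjectLifetimeExplicit = [bool]$ds.'msDS-DeletedObjectLifetime'
    }
}

Get-ADObjectLifetime | Format-List
```

The *Explicit flags tell you whether the number you see is actually stored in the directory or is the default being assumed on its behalf.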

What are Service Principal Names (SPNs)?

SPNs seem to get more and more use these days, so I thought it would be nice to give an explanation of what SPNs are.

SPNs map a service instance to the account it runs under, so that Kerberos knows which account's key to encrypt a service ticket with.  You will find SPNs used predominantly with delegation and impersonation, and a lot of the time this is between a web server and another server hosting a service that requires Kerberos authentication.  The key here is that Kerberos authentication is required, and thus this is primarily used within an organization or a trusted company.  An example of this would be an end user logging on to a web server which then connects to a SQL server.  The web server is trying to authenticate to the SQL server using the web user's credentials, and out of the box it doesn't have the right to do that type of delegation.  If it did, I don't think online banking would be…well, online.  :,,)  Now this only matters when the web and SQL instances are on separate servers.  If they were on the same server the web application could reach SQL locally under its own identity and no delegation would be needed.

Kerberos is the key here.  Kerberos authentication happens all the time and is very common.  The special part of Kerberos is that it relies on tickets that let each party prove who it is, giving mutual authentication: a service that cannot decrypt the ticket for its SPN cannot pass itself off as that service.  Windows only delegates credentials over Kerberos, never NTLM.  In short, the user knows how to contact and authenticate with the web server but has no idea who the SQL server is, yet needs data from it and needs to authenticate to it…thus delegation and impersonation need to occur.

An SPN is the name a Kerberos client uses to identify a particular service instance on a particular computer.  You can have multiple instances of a service running on one system and each can have its own SPN.  SPNs have a specific format – <service class>/<host>:<port>/<service name>.  Only the service class and host are required.  For example, HTTP/www.adminprep.com would be the SPN registration for the web site at that host.  You would use the port option when you need to distinguish a service by port (or, for SQL named instances, by instance name), like this – MSSQLSvc/sqlservername.adminprep.com:3411.  More info on the formatting of SPNs can be found here.

SPNs can use short NetBIOS names or FQDNs, and the name in the SPN has to match the name the client actually connects with.  I recommend always using FQDNs, as short names can collide across domains in a multi-domain forest.
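To make the format concrete, here is an added PowerShell example (not code from the original post) that parses SPNs into their parts, looks up which account owns one, and finds SPNs registered on more than one account, the classic cause of Kerberos failures for a service.  The two sample SPNs are the ones from the text above; the lookups need the ActiveDirectory module and run against the current domain.

```powershell
# Added example; not code from the original post. The two sample SPNs come from
# the text above; the directory lookups need the ActiveDirectory module.
Import-Module ActiveDirectory

# Split an SPN into its parts: <service class>/<host>[:<port>][/<service name>].
# Only class and host are required; the "port" slot may also carry a SQL instance name.
function ConvertFrom-Spn {
    param([Parameter(Mandatory=$true)][string]$Spn)
    if ($Spn -notmatch '^(?<class>[^/:]+)/(?<host>[^/:]+)(?::(?<port>[^/]+))?(?:/(?<name>.+))?$') {
        throw "Not a well-formed SPN: $Spn"
    }
    New-Object PSObject -Property @{
        Spn          = $Spn
        ServiceClass = $matches['class']
        Host         = $matches['host']
        Port         = $matches['port']
        ServiceName  = $matches['name']
        IsFqdn       = $matches['host'].Contains('.')
    }
}

# Escape the characters that are special inside an LDAP filter before
# interpolating a caller-supplied value (backslash first, so it is not re-escaped).
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

# Which account (user or computer) has a given SPN registered. Kerberos can only
# hand out a usable ticket if exactly one account owns it.
function Get-SpnOwner {
    param([Parameter(Mandatory=$true)][string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$(ConvertTo-LdapFilterValue $Spn))" -Properties servicePrincipalName |
        Select-Object DistinguishedName, ObjectClass
}

# Every SPN registered on more than one account in the domain (the same check
# setspn -X performs), which breaks authentication to that service.
function Find-DuplicateSpn {
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $owner = $_.DistinguishedName
            $_.servicePrincipalName | ForEach-Object {
                New-Object PSObject -Property @{ Spn = $_; Owner = $owner }
            }
        } |
        Group-Object -Property Spn |
        Where-Object { $_.Count -gt 1 } |
        Select-Object @{ n = 'Spn'; e = { $_.Name } },
                      @{ n = 'Owners'; e = { ($_.Group | ForEach-Object { $_.Owner }) -join '; ' } }
}

# Usage with the two SPNs from the post.
'HTTP/www.adminprep.com', 'MSSQLSvc/sqlservername.adminprep.com:3411' |
    ForEach-Object { ConvertFrom-Spn $_ } |
    Format-Table Spn, ServiceClass, Host, Port, IsFqdn -AutoSize
Get-SpnOwner -Spn 'HTTP/www.adminprep.com'
Find-DuplicateSpn
```

For the two samples, ConvertFrom-Spn reports ServiceClass HTTP with no port for the first and ServiceClass MSSQLSvc with port 3411 for the second, and IsFqdn true for both; an SPN with a short host name would come back with IsFqdn false, which is the case the recommendation above is warning about.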

For a more detailed look into SPNs I've provided a few links below, along with links to common issues.  However, the first place you should go is this TechNet article.

Service Principal Name (SPN) Resources and Issues

AZPOSH User Group

Last night was the inaugural Arizona PowerShell user group meeting, known as AZPOSH.  There were well over 20 people there and a great guest speaker.  Dr. Ferdinand Rios, the CEO of Sapien Technologies, spent an hour talking to us about what is new at Sapien…and wow, there is some really cool stuff coming out soon.  Dr. Rios is a dynamic presenter and also a coder on some of their products.  He showed off an early alpha version of Visual PowerShell, which is perfect for a person like me who doesn't like to remember (ok, doesn't have the mental capacity to remember) a bunch of cmdlets, and the ability to save portions of code for later use.  He also showed iPowerShell, which is an app for the iPhone as well as the iPad.  The future of that app (as long as it gets ported over to other phones) looks amazing.  The ability to use a device like the iPhone or iPad to run PowerShell remotely reminds me of the old Star Trek days.

Jason and Mike both did a great job running the meeting and I'm really looking forward to where this user group is going.  I know they are working on opening this up to a remote audience as well, which is really intriguing for people who aren't in the Phoenix area but still want to be part of the PowerShell community.  Jason suckered me into presenting at the July meeting…actually, I'm really excited to be able to speak about Active Directory and PowerShell.  Can't wait to attend next month's meeting!!!
