All posts filed under “Active Directory”


Monitor and audit Active Directory user and group management

Traceability is key when several people collaborate in Active Directory (AD). When multiple admins change and update permissions and policies, it becomes difficult to stay compliant with the company’s policies, so it is important to monitor changes in the directory. By default, audit policies are disabled for Domain Controllers (DCs) and must be enabled explicitly. Enabling auditing for the DCs is quite easy; querying the logs for a specific event is a bit more difficult.

In this guide you’ll learn how to enable auditing for a specific case and how to query the audit logs for a specific event.

Change Active Directory User Password Expiration Mode

To change an Active Directory user’s password expiration mode, you can use this PowerShell snippet:

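Import-Module ActiveDirectory

# Take up to 50 enabled members of "Group1" (nested groups included) whose
# passwords can still expire, and set their passwords to never expire.
Get-ADGroupMember "Group1" -Recursive |
Get-ADUser -Properties PasswordNeverExpires |
Where-Object { $_.Enabled -eq $true -and $_.PasswordNeverExpires -eq $false } |
Select-Object -First 50 | ForEach-Object {

    Write-Host $_.UserPrincipalName
    Set-ADUser $_ -PasswordNeverExpires $true
}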

Latest version of this snippet:


Assign Temporary Administrator Rights for ActiveDirectory Users via SharePoint list

In my company the users only have user rights on their computers. As you should know, you’ll face many problems with this restriction.

Many users want to install third-party software on their computers or add a printer at home. To reduce arguments and make the users happy, I’ll assign administrator rights for a limited time.

Based on a predefined GPO and on a list showing which users have administrator rights in a specified time period, my PowerShell script creates a new temporary GPO to assign local administrator rights.


Archive ActiveDirectory Users and their Mailbox

One of my company’s requirements is a retention time of 10 years for user accounts and their mailbox data. I have to admit, this might not be common or even recommended.
However, I have to deal with it.

One problem to face is the availability of user account names: with about 500 employees there’s a high chance that two or even more people have the same name.

To clean up the available names in the system, I’ve written a script that renames a user’s identity and the mailbox’s address.
So let’s see what this script does:


Project: Setup Windows 7 Kiosk

The goal of this project is a simple Windows 7 kiosk installation with nothing but the newest version of Internet Explorer installed. A user should not be able to do anything that can make the system malfunction or elevate the user’s privileges. I want to show you in this post which Group Policies I’ve used and which configurations I made to set up this type of installation.

First I want to state my principles for working with Active Directory and Group Policies:

  • If not needed, a Group Policy shouldn’t contain any registry keys.
    • Group Policy instructions are much easier to read.
  • Only ADMX templates are allowed; this means no ADM templates or anything else.
    • ADMX templates, in contrast to ADM templates, won’t be copied to the client; they stay in the SYSVOL Policy Definition folder on the domain controller.
  • The Group Policy objects should be reusable.
  • Configuring the minimum.
