Enabling Access Based Enumeration -ABE on DFS Namespace-Part II

Nov 20th, 2011

In my previous post on Access Based Enumeration, I outlined the procedure for enabling ABE on a file share. Windows Server 2008 and 2008 R2 add the option to enable ABE on a DFS Namespace, so that users browsing the namespace see only the folders they have permission to access. I will show how to accomplish this in this post. Read more…

PowerShell Get-ADUserGroupMembership

Sep 14th, 2010
#Get-ADUserGroupMembership
########################################################################
# This PoSh script reads a list of AD user names from a text file (C:\ADUsers.txt)
# and writes each user's AD group membership to a .csv file (C:\UserGroup.csv),
# one row per user/group pair.
# REQUIREMENTS:
# Quest Active Directory cmdlets must be installed on the machine the script runs from.
# Written By: www.isaacoben.com
# Version: 1.2
#########################################################################
# Add QAD cmdlets
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
# Get the user list from the text file C:\ADUsers.txt (one account name per line; blank lines are skipped)
$ADUser = Get-Content "C:\ADUsers.txt" | Where-Object { $_.Trim() -ne "" }
# Count the number of users on the list
$ADUser_Count = @($ADUser).Count
# Enumerate the users, collecting one result object per group membership
$i = 0
$Results = ForEach ($targetUser in $ADUser)
{
    $Progress_bar = [int][Math]::Ceiling(($i / $ADUser_Count) * 100)
    # Display progress
    Write-Progress -Activity "Retrieving AD Group Membership for $targetUser" -PercentComplete $Progress_bar -Status "$Progress_bar% Complete"
    $Current_User = Get-QADUser $targetUser
    if ($Current_User)
    {
        $Current_User | Get-QADMemberOf | ForEach-Object {
            New-Object PSObject -Property @{ User = $Current_User.Name; Group = $_.Name }
        }
    }
    else
    {
        Write-Warning "User '$targetUser' was not found in Active Directory"
    }
    $i++
}
# Write a proper CSV (fixed column order, no type header) in one go
$Results | Select-Object User, Group | Export-Csv -Path "C:\UserGroup.csv" -NoTypeInformation
Write-Progress -Activity "Retrieved All Users" -PercentComplete 100 -Status "Done - 100%"

How to control memberships for local computer’s builtin groups

Oct 3rd, 2009

Domain administrators sometimes face a scenario in which they have multiple workstations or member servers joined to a domain and would like to restrict or control which users are members of the built-in local groups, such as Administrators, Backup Operators, Remote Desktop Users, Power Users, etc. Rather than attempting to accomplish this manually, it is much easier and faster to use an automated approach. I will suggest two possible automated options: a computer startup script, or Restricted Groups in a Group Policy Object. I highly recommend the Restricted Groups option, and I will explain why later. Read more…
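Whichever option you choose, you will want to verify that the local groups actually end up with the membership you intended and nothing else. The following is an added example (not code from the original post): it reads the local Administrators group on a list of computers through the ADSI WinNT provider and reports any member that is not on an approved list. The computer names and approved members are constructed for the example; adjust both for your domain.

```powershell
# Added example, not from the original post: audit local Administrators membership
# across a set of domain computers and report unexpected members.
# Assumptions (hypothetical): the computers are reachable over RPC/SMB with the
# caller's credentials; the approved list below is what your policy (startup script
# or Restricted Groups) is supposed to enforce.
$Computers = @("WS01", "WS02")                                                      # constructed sample list
$Approved  = @("CONTOSO\Domain Admins", "CONTOSO\Workstation Admins", "Administrator")

function Get-LocalGroupMembers {
    param([string]$ComputerName, [string]$GroupName = "Administrators")
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $group.psbase.Invoke("Members") | ForEach-Object {
        # Each member is a COM object; read its ADsPath (WinNT://DOMAIN/Name)
        # and turn it into the familiar DOMAIN\Name form
        $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$Findings = foreach ($c in $Computers) {
    try {
        Get-LocalGroupMembers -ComputerName $c | ForEach-Object {
            $name  = $_
            # Local accounts come back as COMPUTER\Name; compare them by short name too
            $short = $name -replace "^$c\\", ''
            if (($Approved -notcontains $name) -and ($Approved -notcontains $short)) {
                New-Object PSObject -Property @{ Computer = $c; Group = "Administrators"; UnexpectedMember = $name }
            }
        }
    }
    catch {
        Write-Warning "Could not query $c : $_"
    }
}

if ($Findings) { $Findings | Select-Object Computer, Group, UnexpectedMember | Format-Table -AutoSize }
else           { Write-Host "No unexpected members of local Administrators found." }
```

Run it from an account that is an administrator on the target machines; a member that is present but not on the approved list is exactly the kind of drift that Restricted Groups would have removed at the next policy refresh, and that a startup script would leave in place until the next reboot.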


Performing an authoritative restore for Active Directory deleted objects or containers

Jul 4th, 2009

I thought I should list the step-by-step process for performing an authoritative restore in Active Directory for Windows Server 2003. But first, a brief summary of the difference between an authoritative and a non-authoritative restore.

A non-authoritative restore is the normal restore of Directory Services from backup after a hardware failure or other software problem; once the domain controller is back online, it accepts any changes made since the backup from its replication partners, so anything deleted after the backup stays deleted.

An authoritative restore is used when a change to or deletion of an Active Directory object has to be reversed. For example, a user mistakenly deletes an OU or a user object and then decides to reverse the action by restoring the deleted OU or user object. The restored objects are marked authoritative, so they replicate out to the other domain controllers instead of being overwritten by the newer deletion.

Steps for performing an authoritative restore. In this scenario, I deleted an OU and a user and then restored both through the authoritative restore process. Read more…
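The marking step itself is done with ntdsutil from Directory Services Restore Mode. The block below is an added example, not the post's own walkthrough: it marks one OU (with everything under it) and one separately deleted user authoritative, passing the ntdsutil commands as arguments exactly as they would be typed at the ntdsutil prompt. The DNs are constructed for the example, and it assumes PowerShell is available on the DC in DSRM; the same two commands can be typed interactively if it is not.

```powershell
# Added example, not from the original post: authoritative restore of a deleted OU
# and a deleted user on a Windows Server 2003 DC.
# Assumptions (hypothetical): the DC is booted into Directory Services Restore Mode,
# the System State has already been restored (non-authoritatively) from a backup taken
# before the deletion, and the DNs below are replaced with your own.
$Targets = @(
    @{ Kind = "subtree"; DN = "OU=Sales,DC=contoso,DC=com" },         # the OU and every object under it
    @{ Kind = "object";  DN = "CN=jdoe,OU=Staff,DC=contoso,DC=com" }  # a single user object
)

foreach ($t in $Targets) {
    # "restore subtree <DN>" / "restore object <DN>" raise the version numbers of the
    # restored object(s) so they win when replication resumes; each call enters the
    # "authoritative restore" menu, runs the restore, then quits both menus.
    $cmd = "restore $($t.Kind) $($t.DN)"
    Write-Host "ntdsutil `"authoritative restore`" `"$cmd`" quit quit"
    & ntdsutil "authoritative restore" $cmd "quit" "quit"
}

Write-Host "Reboot the DC normally; the restored objects will replicate to the other DCs."
```

Run the object restore only for objects that are not already inside a restored subtree. On Windows Server 2003 SP1 and later, ntdsutil also writes .ldf files for the restored objects' group memberships (back-links) on other domains' DCs; import those with ldifde where applicable so the users get their group memberships back.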

How to remove child domain and other naming context from forest root domain

Jul 4th, 2009

In a previous post I outlined how to remove a demoted domain controller from a domain using ntdsutil.exe. In this post, I will give guidance on removing a naming context, be it a child domain or a DNS application partition, from Active Directory using ntdsutil.exe.

First, make sure that no domain controller or replica objects exist in your forest for the domain in question. If they do, use the previous steps [link here] to remove those objects before proceeding to delete the domain from the forest. Read more…
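The check in that first step, and the ntdsutil metadata cleanup that follows it, can be driven from PowerShell. This is an added example, not the post's own procedure: it looks in the Configuration partition for any DC (nTDSDSA) object that still claims to hold the child domain's partition, refuses to continue if one exists, and otherwise selects the domain in ntdsutil metadata cleanup and removes it. The server name and domain DN are constructed, and it assumes ntdsutil's "list domains" output has lines of the form "N - DC=...".

```powershell
# Added example, not from the original post: verify no DC still holds a child domain's
# naming context, then remove that domain with ntdsutil metadata cleanup.
# Assumptions (hypothetical): run as an Enterprise Admin; $Server is a DC in the forest
# root; $DomainDN is the already-demoted child domain; "list domains" prints "N - DN" lines.
param(
    [string]$Server   = "dc1.contoso.com",
    [string]$DomainDN = "DC=child,DC=contoso,DC=com"
)

# 1. Any nTDSDSA object whose (msDS-)hasMasterNCs still lists the partition is a replica
#    that has to be cleaned up first.
$rootDse  = [ADSI]"LDAP://$Server/RootDSE"
$configNC = $rootDse.Get("configurationNamingContext")
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$Server/CN=Sites,$configNC"
$searcher.Filter     = "(&(objectClass=nTDSDSA)(|(hasMasterNCs=$DomainDN)(msDS-hasMasterNCs=$DomainDN)))"
$searcher.PageSize   = 500
$holders = $searcher.FindAll() | ForEach-Object { $_.Path }
if ($holders) {
    throw "DC objects still hold $DomainDN; remove them first:`n$($holders -join "`n")"
}

# 2. ntdsutil numbers the domains it lists; find the index of ours. The commands are passed
#    as arguments in the same order they would be typed at the ntdsutil prompt.
$prefix  = @("metadata cleanup", "connections", "connect to server $Server", "quit",
             "select operation target")
$listing = & ntdsutil ($prefix + @("list domains", "quit", "quit", "quit")) 2>&1
$entry   = $listing | ForEach-Object { [string]$_ } |
    Where-Object { $_ -match '^\s*(\d+)\s*-\s*(DC=.+?)\s*$' -and $Matches[2] -ieq $DomainDN } |
    Select-Object -First 1
if (-not $entry) { throw "$DomainDN was not listed by ntdsutil on $Server" }
$index = $entry -replace '^\s*(\d+).*$', '$1'

# 3. Select that domain and remove it. This is irreversible, so ask before doing it.
#    (For a DNS application partition use "list naming contexts", "select naming context N"
#    and "remove selected naming context" instead.)
$remove = $prefix + @("select domain $index", "quit", "remove selected domain", "quit", "quit")
if ((Read-Host "Remove $DomainDN (index $index) via $Server? Type YES to continue") -eq "YES") {
    & ntdsutil $remove
}
else {
    Write-Host "Cancelled; nothing was removed."
}
```

Removing the domain also removes its crossRef object from CN=Partitions, which is what makes the forest forget the child domain; if the first step reports a holder, that DC's server and NTDS Settings objects must be cleaned up first, as covered in the previous post.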