Posts by IsaacOben:

    Enabling Access Based Enumeration -ABE on DFS Namespace-Part II

    November 20th, 2011

    In my previous post on Access Based Enumeration, I outlined procedures for enabling ABE. With Windows server  2008 and 2008 R2, there is an added option to enable ABE  on a DFS Namespace. I will show how to accomplish this on this post. Read the rest of this entry “

    No Comments "

    PowerShell Get-ADUserGroupMembership

    September 14th, 2010
    #Get-ADUserGroupMembership
    ########################################################################
    # This PoSh script will read input of AD Users from a text file-c:\ADUsers.tx  and output
    # the respective user’s AD Group Membership in a .csv file -C:\UserGroup.csv.
    # REQUIREMENTS:
    # Quest Active Directory cmdLets must be installed on the machine that script will run from.
    #Witten By: www.isaacoben.com
    #Version: 1.2
    #########################################################################
    #Add QAD cmdlets
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
    #Get User list from text file ADUser.txt
    $ADUser = Get-Content “c:\ADUsers.txt”
    #Count number of users on list
    $ADUser_Count = $ADUser.Length
    #Enumerate the number of users
    $i = 0;
    ForEach ($targetUser in $ADUser)
    {
    $Progress_bar = [int][Math]::Ceiling((($i / $ADUser_Count) * 100))
    #Start Displaying Progress activity
    Write-Progress -Activity “Retrieving AD Group Membership for $targetUser” -PercentComplete $Progress_bar -Status “$Progress_bar% Complete” -SecondsRemaining $Progress_bar
    Sleep (1)
    $Current_User = Get-QADUser $targetUser
    $Current_User| Get-QADMemberOf |Select-Object $Current_User.Name, name|Out-File -FilePath ‘C:\UserGroup.csv’-Append
    $i ++
    }
    Write-Progress -Activity “Retrieved All Users” -PercentComplete 100 -Status “Done – 100%”
    Sleep (1)

    1 Comment "

    How to control memberships for local computer’s builtin groups

    October 3rd, 2009

    Domain Administrators sometime face a scenerio in which they have multiple workstations or member servers as part of a domain and will like to restrict/control which user should be members of any of the built-in local groups, such as Administrators, Backup Operators, Remote Desktop Users, Power Users etc. Rather than attempting to accomplish this manually, it will be much easier and faster to use an automatic approach. I will suggest two possible automatic options to get this done, either through a computer startup script or through Restricted Groups using Group Policy Objects. But I will highly recommend using the Restricted Group option, I will explain why later. Read the rest of this entry “

    No Comments "

    Performing an authoritative restore for Active Directory deleted objects or containers

    July 4th, 2009

    Just thought I should list the step by step process for performing authoritative restore in active directory for windows server 2003. But first, just a brief summary of the difference between an authoritative and a non authoritative restore.

     A non Authoritative restore is hardware failures or other software issues that results in the complete restoration of the directory services from backup.

    An Authoritative restore is used when a change or deletion of an object is made in Active Directory and the action/change have to be reverse. An example can be a user mistakenly deletes an OU or a user object, then decided to reverse the action by restoring the OU or user object that has been deleted.

    Steps on performing an authoritattive restore. In this scenerio, I deleted an OU and a user and then restore both through authoritative restore process. Read the rest of this entry “

    No Comments "

    How to remove child domain and other naming context from forest root domain

    July 4th, 2009

    In previous post I outline some guidelines on how to remove demoted domain controller from domain using ntdsutil.exe. In this post, I will give guides on removing a naming context, be it a child domain or a DNS zone from Active Directory usning ntdsutil.exe.

    First. make sure that no domain controller or replica objects exists in your forest for the domain in question. If they do, use previous steps [link here] to remove the objects before proceeding to delete the domain from the forest. Read the rest of this entry “

    No Comments "