Ran into a situation at a client location where in Active Directory, the security permissions applied to an OU were not getting inherited permissions on to the objects. Basically, security inheritance was broken.This causes a problem when the administrative accounts or groups needing to modify an attribute on the AD object throw errors, or are…
Tag: security
Adding a security group to the Local Administrator Group in AD
Having a local administrator of your workstations can come in handy. Sometimes you might need to logon locally to troubleshoot or rejoin a computer to your domain. You can create a group policy that creates a local admin users and sets the local password. Admins make a common mistake when they want to add a…
Creating Security Groups for File Shares in Bulk using PowerShell
Security Groups are great for managing large groups for permissions. Â A client requested that they needed to have Read-Only, Read-Write, and Ready-Modify (allow for deleting) for all their file shares for better management. Getting the Share Names In order for me to create the groups I needed the share names. PowerShell to the rescue! Type…
Remove disabled users from Distribution Lists & Security Groups in Active Directory
One of my clients had several disabled users showing up in distribution lists and security groups and this was creating unnecessary noise in email, alerts, etc. I highly encourage all administrators to keep their AD neat and tidy. The following PowerShell script searches for disabled users in Groups and Distribution Groups and removes them:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# This script removes all disabled users from all security and distribution groups in the specified "searchOU" Import-Module ActiveDirectory $searchOU = "OU=Groups,DC=domain,DC=local" $adgroup = Get-ADGroup -Filter 'GroupCategory -eq "Security" -or GroupCategory -eq "Distribution"' -SearchBase $searchOU $adgroup | ForEach-Object{ $group = $_ Get-ADGroupMember -Identity $group -Recursive | %{Get-ADUser -Identity $_.distinguishedName -Properties Enabled | ?{$_.Enabled -eq $false}} | ForEach-Object{ $user = $_ $uname = $user.Name $gname = $group.Name Write-Host "Removing $uname from $gname" -Foreground Yellow Remove-ADGroupMember -Identity $group -Member $user -Confirm:$false } } |
…
Find out ‘in cloud’ Distribution Groups
Microsoft Teams was announced yesterday and many want to jump right in. I noticed when users wanted to create teams, new distribution groups started getting added. I wanted to find out my ‘In cloud’ distribution groups and was surprised there was no property for the item. I was able to find out the groups…
Remove group membership of disabled accounts
Majority of the system administrators I’ve met forget this very important rule. When an account is not needed remove its membership from the security/ distribution groups, otherwise you get disabled account showing up in groups, and that looks ugly. You will need Quest ActiveRoles for Powershell installed to get this working. Depending on the size…
Microsoft IIS: Disabling the SSL v3 Protocol
Depending on how your Windows servers are configured, you may need to disable SSL v3. Note that older versions of Internet Explorer may not have the TLS protocol enabled by default. If you disable SSL versions 2.0 and 3.0, the older versions of Internet Explorer will need to enable the TLS protocol before they can…
Enabling ActiveSync for a Security Group using Powershell
1 2 3 4 5 6 |
$users = Get-ADGroupMember "AD Group with Users to be Enabled for ActiveSync" foreach ($line in $users) { $user = $line.samaccountname Set-CASMailbox $user -ActiveSyncEnabled:$true Get-CASMailbox $user | Select-Object Name, ActiveSyncEnabled } |