Tag: users

  • Adding a security group to the Local Administrator Group in AD


    Note: I normally disable the built-in Administrator account and make another account an admin. This is a good security precaution and in my opinion a best practice.

    Having a local administrator on your workstations can come in handy. Sometimes you might need to log on locally to troubleshoot or rejoin a computer to your domain. You can create a Group Policy that creates a local admin user and sets its local password.

    Admins make a common mistake when they want to add a security group to the local Administrators group for a particular set of machines or domain wide: they create a Restricted Groups policy instead of just adding to the existing Administrators group. The result is that it wipes out any existing local Administrators memberships.

    This can be accomplished with a simple GPO.

    I will cover both methods for clarification. First I will cover the correct way to add the group. The second method is how to add a Restricted Group.

    Correct Way

    CREATE THE SECURITY GROUP

    1. Open Active Directory Users and Computers
    2. Select your Security Group OU
    3. Right Click and select New > Group
    4. Give the Group a name, I used “AUTOMATION”

    CREATE THE GPO

    1. Launch Group Policy Management Console.
    2. Right click the OU that you want the GPO to apply to.
    3. Select “Create a GPO…”
    4. This will Launch Group Policy Editor.
    5. Navigate to: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
    6. Right Click in the blank area and select New > Local Group > Administrators (Built-in)
    7. Action: Update (this is the most important part: Update adds the group to the existing membership, whereas Replace removes the current members first).
    8. Add the needed security group. I have added my AUTOMATION Security Group.
    9. Click Apply.
    10. Click OK.
    11. Apply the GPO to the root of the domain OR the appropriate OU.

    Incorrect Way (This is how you would create a Restricted Access Group)

    Note (reason this is incorrect): this will wipe out any existing memberships of the local Administrators group.

    If you want certain members to be local administrators of computers, you can do it through Group Policy. The idea here is to create a Local Admin security group and then a GPO that adds that security group to the local Administrators group of the computer.

    CREATE THE SECURITY GROUP

    1. Open Active Directory Users and Computers
    2. Select your Security Group OU
    3. Right Click and select New > Group
    4. Give the Group a name, I used “SG – Local Admins”

    CREATE THE GPO

    1. Open Group Policy Management Console.
    2. Right click the OU that contains the systems you want to set the local admin on.
    3. Select “Create a GPO in this domain, and Link it here…”
    4. Name the GPO. I used “Set Local Administrators”
    5. Right Click the GPO and select Edit.
    6. Set the following:
      1. Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
      2. Right Click and select “Add Group…”
      3. Select browse and add the Administrators group
      4. Select OK
      5. Double click Administrators
      6. Select Add for “Members of this group:”
      7. Browse and find your security group. I added “SG – Local Admins”

    That should be it. Now you can set which users of the domain are local administrators of their computers.
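    As an added check (not part of the original post), the following PowerShell verifies on a set of workstations that, after either GPO applies, the local Administrators group contains the new group and still contains the members that were there before. The computer names, the domain NetBIOS name CONTOSO and the group names are assumed.

```powershell
# Added check: after the GPO applies, confirm that local Administrators on each
# workstation contains the new group AND the members that were there before.
# An Update action keeps them; Replace or Restricted Groups wipes them.
# Assumed values: computer names, domain NetBIOS name and group names.
$Computers = 'WS01', 'WS02'
$MustExist = 'CONTOSO\AUTOMATION', 'CONTOSO\Domain Admins'

$report = Invoke-Command -ComputerName $Computers -ScriptBlock {
    # Get-LocalGroupMember needs the Microsoft.PowerShell.LocalAccounts module
    # (Windows 10 / Server 2016 and later)
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Members  = @((Get-LocalGroupMember -Group 'Administrators').Name)
    }
}

foreach ($r in $report) {
    # Anything in $MustExist that is not a member any more is flagged
    $missing = $MustExist | Where-Object { $_ -notin $r.Members }
    if ($missing) {
        Write-Warning "$($r.Computer): missing $($missing -join ', ') from Administrators"
    } else {
        Write-Host "$($r.Computer): OK, $($r.Members.Count) members"
    }
}
```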

  • Lists all users last logon time


    As administrators we often want to check which users have not logged in for quite a while, or what accounts recently accessed a system, etc.

    The following script lists all local users and their last logon time. With the resulting lastloggedusers.csv we can get fancy with Excel to find differences based on age and more.

    # List every local user account with its last logon time and save the result to CSV
    $([ADSI]"WinNT://$env:COMPUTERNAME").Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        Select-Object @{l='name';e={$_.name}}, @{l='LastLogin';e={$_.lastlogin}} |
        Export-Csv C:\scripts\lastloggedusers.csv -NoTypeInformation


  • Get PasswordAge for users in a particular domain


    In Office 365, if you have more than one domain in a subscription, there are times when you may want to get the password age for the users of one domain.

    In my case, I wanted to check which users are covered by and meeting the policy, and get the remaining users addressed.

    # Straight quotes are required; the curly quotes the blog rendered break the hashtable
    Get-MsolUser -All -DomainName "yourdomainname.com" |
        Select-Object DisplayName, LastPasswordChangeTimeStamp,
            @{Name="PasswordAge";Expression={(Get-Date) - $_.LastPasswordChangeTimeStamp}}

    The output will be similar to:

  • Remove disabled users from Distribution Lists & Security Groups in Active Directory

    One of my clients had several disabled users showing up in distribution lists and security groups and this was creating unnecessary noise in email, alerts, etc. I highly encourage all administrators to keep their AD neat and tidy.

    The following PowerShell script searches for disabled users in Groups and Distribution Groups and removes them:

    # This script removes all disabled users from all security and distribution groups in the specified "searchOU"

    Import-Module ActiveDirectory

    $searchOU = "OU=Groups,DC=domain,DC=local"

    $adgroup = Get-ADGroup -Filter 'GroupCategory -eq "Security" -or GroupCategory -eq "Distribution"' -SearchBase $searchOU
    $adgroup | ForEach-Object {
        $group = $_
        # Direct members only: Remove-ADGroupMember cannot remove a user who is a member
        # through a nested group, and only user objects are passed to Get-ADUser
        # (computer or group members would make it fail)
        Get-ADGroupMember -Identity $group |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Enabled } |
            Where-Object { $_.Enabled -eq $false } |
            ForEach-Object {
                $user = $_
                Write-Host "Removing $($user.Name) from $($group.Name)" -ForegroundColor Yellow
                Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
            }
    }

    Hope this helps!

  • Active Directory: Changing passwords for users in bulk using a .csv file

    Many accounts in your AD might need a password change. What if you want to do this in bulk?

    First, we need the user list. Depending on your requirements, get a list of users (specifically their sAMAccountName). For random password generation I recommend using http://manytools.org/network/password-generator/ as it can generate up to 1000 for free.

    Here is what my UserList.csv looks like:

    sAMAccountName,Password
    test1,gqLfZub$OtO#dBg
    test2,6eXq78gTyx$YjmM
    test3,ZNgl!KdYo7U6yzR
    test4,voiIs!TISw!Wcyc
    test5,W7ZBTAe7CWcFzyn
    test6,BykgCY5b*NGFO5!
    test7,3ApLlchwgRQwf1P
    test8,9jZvvR2$wDggf3M
    test9,*QCDjcgnNLkBDP1
    test10,sZpvUnvjJxAE9HE
    test11,$C8TX!tcS3d#MjK
    test12,Pzw*aH6zjpOx8Wj
    test13,XmfIPiIz82!!X77
    test14,ri!!hQX!w!FSZuI
    test15,S0Gzf6fEUsG!4Ib
    test16,Kj8s!vy94S!ozLJ
    test17,PzFzjP7obALeuWa
    test18,Ri5V2laxxck6Rgg
    test19,Rw8KcX*FoMT#gr1
    test20,QDndAgzdYo5CYX!
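    As an added example (not from the original post), the UserList.csv above can also be produced locally with cryptographically random passwords, so the passwords never leave the machine that will set them. The account names and the output path are assumed.

```powershell
# Added example: build UserList.csv locally with cryptographically random passwords.
# Assumed: the list of sAMAccountNames (constructed) and the output path.
function New-RandomPassword {
    param([int]$Length = 15)
    # Ambiguous characters (0/O, 1/l/I) are left out to ease manual entry
    $upper = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower = 'abcdefghijkmnopqrstuvwxyz'
    $digit = '23456789'
    $symb  = '!#$*'
    $all   = ($upper + $lower + $digit + $symb).ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 4
    do {
        $chars = foreach ($i in 1..$Length) {
            $rng.GetBytes($buf)
            # Modulo over a 32-bit value; the bias is negligible for a 66-character alphabet
            $all[[BitConverter]::ToUInt32($buf, 0) % $all.Length]
        }
        $pw = -join $chars
        # Regenerate until AD-style complexity is met: one of each character class
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]' -and $pw -match '[!#$*]')
    $rng.Dispose()
    return $pw
}

$Accounts = 'test1', 'test2', 'test3'          # constructed sample sAMAccountNames
$CsvPath  = 'C:\_Scripts\UserList.csv'
$Accounts | ForEach-Object {
    [pscustomobject]@{ sAMAccountName = $_; Password = New-RandomPassword }
} | Export-Csv -Path $CsvPath -NoTypeInformation
# The file now holds plaintext credentials: keep its ACL tight and delete it once the reset has run.
```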

    Make sure you do the following on a domain controller, or connect to your domain controller via PowerShell remoting, with elevated permissions.

    Run this in PowerShell (open PowerShell as administrator):

    Import-Module ActiveDirectory
    $Resetpassword = Import-Csv "c:\_Scripts\UserList.csv"

    foreach ($Account in $Resetpassword) {
        # Echo only the account name; the password is not written to the console,
        # where a transcript or log would capture it
        $Account.sAMAccountName
        Set-ADAccountPassword -Identity $Account.sAMAccountName -NewPassword (ConvertTo-SecureString $Account.Password -AsPlainText -Force) -Reset
    }

    Note on -Reset: specifies to reset the password on an account (the user is not prompted to change the password). To use this parameter, you must set the -NewPassword parameter. You do not need to specify the -OldPassword parameter.