Having a local administrator of your workstations can come in handy. Sometimes you might need to logon locally to troubleshoot or rejoin a computer to your domain. You can create a group policy that creates a local admin users and sets the local password. Admins make a common mistake when they want to add a […]
As administrators we often want to check which users have not logged in for quite a while, or what accounts recently accessed a system, etc. The following script list all users and their last logon time. With the lastloggeduser.csv we can get fancy with excel to find differences based on age and more.
|
1 |
$([ADSI]"WinNT://$env:COMPUTERNAME").Children | where {$_.SchemaClassName -eq 'user'} | select @{l='name';e={$_.name}},@{l='LastLogin';e={$_.lastlogin}} | export-csv C:\scripts\lastloggedusers.csv |
In Office365 if you have more than one domain in a subscription, there are times where you may want to get the password age for users of that domain. In my case to check which users are covered and meeting policy and get the users addressed.
|
1 |
Get-MsolUser -All -DomainName "yourdomainname.com" | select DisplayName, LastPasswordChangeTimeStamp,@{Name=”PasswordAge”;Expression={(Get-Date)-$_.LastPasswordChangeTimeStamp}} |
The output will be similar to:
One of my clients had several disabled users showing up in distribution lists and security groups and this was creating unnecessary noise in email, alerts, etc. I highly encourage all administrators to keep their AD neat and tidy. The following PowerShell script searches for disabled users in Groups and Distribution Groups and removes them:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# This script removes all disabled users from all security and distribution groups in the specified "searchOU" Import-Module ActiveDirectory $searchOU = "OU=Groups,DC=domain,DC=local" $adgroup = Get-ADGroup -Filter 'GroupCategory -eq "Security" -or GroupCategory -eq "Distribution"' -SearchBase $searchOU $adgroup | ForEach-Object{ $group = $_ Get-ADGroupMember -Identity $group -Recursive | %{Get-ADUser -Identity $_.distinguishedName -Properties Enabled | ?{$_.Enabled -eq $false}} | ForEach-Object{ $user = $_ $uname = $user.Name $gname = $group.Name Write-Host "Removing $uname from $gname" -Foreground Yellow Remove-ADGroupMember -Identity $group -Member $user -Confirm:$false } } |
[…]
Many accounts in your AD might need a password change. What if you want to do this in bulk ? First, we need to the userlist. Depending on your requirements we need to get a list of users (specifically samaccountname). For random password generation I recommend using http://manytools.org/network/password-generator/ as it can generate up 1000 for […]
