users

Adding a security group to the Local Administrator Group in AD

Posted on June 6, 2017 by Windows

Having a local administrator of your workstations can come in handy. Sometimes you might need to logon locally to troubleshoot or rejoin a computer to your domain. You can create a group policy that creates a local admin users and sets the local password.

Admins make a common mistake when they want to add a security group the Local Administrator group for a particular set of machines or domain wide. The mistake they make is creating a restricted access group vs. just adding to the existing Administrators Group. The result it that it wipes out any existing Local Administrator permissions or memberships.

This can be accomplished with a Simple GPO.

I will cover both methods for clarification. First I will cover the correct way to add. The Second Method is how to add a restricted group.

Correct Way

CREATE THE SECURITY GROUP

  1. Open Active Directory Users and Computers
  2. Select your Security Group OU
  3. Right Click and select New > Group
  4. Give the Group a name, I used “AUTOMATION”

CREATE THE GPO

  1. Launch Group Policy Management Console.
  2. Right click the OU that you want the GPO to apply to.
  3. Select “Create a GPO…”
  4. This will Launch Group Policy Editor.
  5. Navigate to: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
  6. Right Click in the blank area and select New > Local Group > Administrators (Built-in)
  7. Action: Update (This is the most important part).
  8. Add the needed security group. I have added my AUTOMATION Security Group.
  9. Click Apply.
  10. Click OK.
  11. Apply the GPO to the root of the domain OR the appropriate OU.

Incorrect Way (This is how you would create a Restricted Access Group)

Reason this is incorrect: This will wipe out any existing memberships of the Local Administrator Group. 

If you want certain members to be local administrators of computers, you can do it through Group Policy. The idea here is to create a Local Admin security group and then a GPO that adds that security group to the local Administrators group of the computer.

CREATE THE SECURITY GROUP

  1. Open Active Directory Users and Computers
  2. Select your Security Group OU
  3. Right Click and select New > Group
  4. Give the Group a name, I used “SG – Local Admins”

CREATE THE GPO

  1. Open Group Policy Management Console.
  2. Right click the OU that contains the systems you want to set the local admin on
  3. Select “Create a GPO in this domain, and Link it here…”
  4. Name the GPO. I used “Set Local Administrators”
  5. Right Click the GPO and select Edit.
  6. Set the following:
    1. Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
    2. Right Click and select “Add Group…”
    3. Select browse and add the Administrators group
    4. Select OK
    5. Double click Administrators
    6. Select Add for “Members of this group:”
    7. Browse and find your security group. I added “SG – Local Admins”

That should be it. Now you can set which users of the domain are local administrators of their computers.

Lists all users last logon time

Posted on May 8, 2017 by PowerShell Windows

As administrators we often want to check which users have not logged in for quite a while, or what accounts recently accessed a system, etc.

The following script list all users and their last logon time. With the lastloggeduser.csv we can get fancy with excel to find differences based on age and more.

 

Get PasswordAge for users in a particular domain

Posted on January 3, 2017 by Office 365

In Office365 if you have more than one domain in a subscription, there are times where you may want to get the password age for users of that domain.

In my case to check which users are covered and meeting policy and get the users addressed.

The output will be similar to:

Remove disabled users from Distribution Lists & Security Groups in Active Directory

Posted on November 10, 2016 by Windows

One of my clients had several disabled users showing up in distribution lists and security groups and this was creating unnecessary noise in email, alerts, etc. I highly encourage all administrators to keep their AD neat and tidy.

The following PowerShell script searches for disabled users in Groups and Distribution Groups and removes them:

Hope this helps!

Active Directory: Changing passwords for users in bulk using a .csv file

Posted on October 13, 2016 by Office 365 Windows

Many accounts in your AD might need a password change. What if you want to do this in bulk ?

First, we need to the userlist. Depending on your requirements we need to get a list of users (specifically samaccountname). For random password generation I recommend using http://manytools.org/network/password-generator/ as it can generate up 1000 for free.

Here is what my UserList.csv look like:

Make sure you do the following on a domain controller or connecting to your domain controller via PS-remote with elevated permissions.

Run this in PowerShell (Open PowerShell in Admin Mode)

PowerShell:

-Reset
Specifies to reset the password on an account. (User is not prompted to change password).
To use this parameter, you must set the -NewPassword parameter.
You do not need to specify the -OldPassword parameter.
Mo Wasay
My name is Mo Wasay. I work with a variety of technologies and engage with the community and customers around the world. I am located in Dallas, Texas, U.S.A. I like to share my knowledge and experiences and help others who come across similar situations. My current focus is Microsoft Azure, Azure Stack and Windows Server.
View Mo Wasay, MSCS, MCITP, MCSE, VCP, ISM, CIS's profile on LinkedIn