
Restore AD from backup

To restore AD using this method, Windows Server Backup needs to be running full backups of the drive that holds the NTDS.dit file on the DC.

 

To browse the backups/NTDS snapshots

 

Ntdsutil

Activate instance ntds

Snapshot

List all

 

Identify the backup and copy the GUID to be mounted

 

Snapshot>Mount {GUID}

 

You can browse the backup and copy things from it if needed. You can also mount the NTDS file within it.

Note the path of the NTDS.dit file within it for the next part.

 

Dsamain -dbpath c:\$SNAP_465746_VOLUME_C$\windows\ntds\ntds.dit -ldapport:5000

 

From a dsa.msc you can now "change domain controller" and look at do.contoso.local:5000 to mount the AD database.

 

To un-mount

 

Unmount {GUID}

 

Restore AD from directory service recovery mode

 

If an OU, user, group or any other object is deleted from AD you will need to perform an authoritative restore by rebooting into DSRM (Directory Services Restore Mode).

 

Bcdedit /set safeboot dsrepair

 

Shutdown /r /t 0

 

Server reboots

 

To identify the backup again run

 

Wbadmin get versions

 

Copy the version identifier (dd/mm/yyyy-hh:mm).

 

Run a non-authoritative restore

 

Wbadmin start systemstaterecovery -version:03/24/2015-18:22

 

Run an authoritative restore

 

Ntdsutil

Act inst ntds

authoritative restore subtree "ou=test,dc=contoso,dc=local"

 

 

Reset boot method

 

Bcdedit /deletevalue safeboot

 

Shutdown /r /t 0

WMI Filters

DESKTOPS

 

ANY WINDOWS DESKTOP OS

 

Any Windows Desktop OS – Version 1

select * from Win32_OperatingSystem WHERE ProductType = "1"

Any Windows Desktop OS – Version 2 (better for Win7 sometimes)

select * from Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3")

Any Windows Desktop OS – 32-bit

select * from Win32_OperatingSystem WHERE ProductType = "1" AND NOT OSArchitecture = "64-bit"

Any Windows Desktop OS – 64-bit

select * from Win32_OperatingSystem WHERE ProductType = "1" AND OSArchitecture = "64-bit"

WINDOWS XP

 

Windows XP

select * from Win32_OperatingSystem WHERE (Version like "5.1%" or Version like "5.2%") AND ProductType="1"

Windows XP – 32-bit

select * from Win32_OperatingSystem WHERE (Version like "5.1%" or Version like "5.2%") AND ProductType="1" AND NOT OSArchitecture = "64-bit"

Windows XP – 64-bit

select * from Win32_OperatingSystem WHERE (Version like "5.1%" or Version like "5.2%") AND ProductType="1" AND OSArchitecture = "64-bit"

WINDOWS VISTA

 

Windows Vista

select * from Win32_OperatingSystem WHERE Version like "6.0%" AND ProductType="1"

Windows Vista – 32-bit

select * from Win32_OperatingSystem WHERE Version like "6.0%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

Windows Vista – 64-bit

select * from Win32_OperatingSystem WHERE Version like "6.0%" AND ProductType="1" AND OSArchitecture = "64-bit"

WINDOWS 7

 

Windows 7

select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1"

Windows 7 – 32-bit

select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

Windows 7 – 64-bit

select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1" AND OSArchitecture = "64-bit"

WINDOWS 8

 

Windows 8

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1"

Windows 8 – 32-bit

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

Windows 8 – 64-bit

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND OSArchitecture = "64-bit"

WINDOWS 8.1

 

Windows 8.1

select * from Win32_OperatingSystem WHERE Version like "6.3%" AND ProductType="1"

Windows 8.1 – 32-bit

select * from Win32_OperatingSystem WHERE Version like "6.3%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

Windows 8.1 – 64-bit

select * from Win32_OperatingSystem WHERE Version like "6.3%" AND ProductType="1" AND OSArchitecture = "64-bit"

 

 

SERVERS

 

ANY WINDOWS SERVER OS

 

Any Windows Server OS

select * from Win32_OperatingSystem where (ProductType = "2") OR (ProductType = "3")

Any Windows Server OS – 32-bit

select * from Win32_OperatingSystem where ((ProductType = "2") OR (ProductType = "3")) AND NOT OSArchitecture = "64-bit"

Any Windows Server OS – 64-bit

select * from Win32_OperatingSystem where ((ProductType = "2") OR (ProductType = "3")) AND OSArchitecture = "64-bit"

Any Windows Server – Domain Controller

select * from Win32_OperatingSystem where (ProductType = "2")

Any Windows Server – Domain Controller – 32-bit

select * from Win32_OperatingSystem where (ProductType = "2") AND NOT OSArchitecture = "64-bit"

Any Windows Server – Domain Controller – 64-bit

select * from Win32_OperatingSystem where (ProductType = "2") AND OSArchitecture = "64-bit"

Any Windows Server – Non-Domain Controller

select * from Win32_OperatingSystem where (ProductType = "3")

Any Windows Server – Non- Domain Controller – 32-bit

select * from Win32_OperatingSystem where (ProductType = "3") AND NOT OSArchitecture = "64-bit"

Any Windows Server – Non-Domain Controller – 64-bit

select * from Win32_OperatingSystem where (ProductType = "3") AND OSArchitecture = "64-bit"

WINDOWS SERVER 2003

 

Windows Server 2003 – DC

select * from Win32_OperatingSystem WHERE Version like "5.2%" AND ProductType="2"

Windows Server 2003 – non-DC

select * from Win32_OperatingSystem WHERE Version like "5.2%" AND ProductType="3"

Windows Server 2003 – 32-bit – DC

select * from Win32_OperatingSystem WHERE Version like "5.2%" AND ProductType="2" AND NOT OSArchitecture = "64-bit"

Windows Server 2003 – 32-bit – non-DC

select * from Win32_OperatingSystem WHERE Version like "5.2%" AND ProductType="3" AND NOT OSArchitecture = "64-bit"

Windows Server 2003 – 64-bit – DC

select * from Win32_OperatingSystem WHERE Version like "5.2%" AND ProductType="2" AND OSArchitecture = "64-bit"

Windows Server 2003 – 64-bit – non-DC

select * from Win32_OperatingSystem WHERE Version like "5.2%" AND ProductType="3" AND OSArchitecture = "64-bit"

WINDOWS SERVER 2003 R2

 

Windows Server 2003 R2 – DC

select * from Win32_OperatingSystem WHERE Version like "5.2.3%" AND ProductType="2"

Windows Server 2003 R2 – non-DC

select * from Win32_OperatingSystem WHERE Version like "5.2.3%" AND ProductType="3"

Windows Server 2003 R2 – 32-bit – DC

select * from Win32_OperatingSystem WHERE Version like "5.2.3%" AND ProductType="2" AND NOT OSArchitecture = "64-bit"

Windows Server 2003 R2 – 32-bit – non-DC

select * from Win32_OperatingSystem WHERE Version like "5.2.3%" AND ProductType="3" AND NOT OSArchitecture = "64-bit"

Windows Server 2003 R2 – 64-bit – DC

select * from Win32_OperatingSystem WHERE Version like "5.2.3%" AND ProductType="2" AND OSArchitecture = "64-bit"

Windows Server 2003 R2 – 64-bit – non-DC

select * from Win32_OperatingSystem WHERE Version like "5.2.3%" AND ProductType="3" AND OSArchitecture = "64-bit"

WINDOWS SERVER 2008

 

Windows Server 2008 – DC

select * from Win32_OperatingSystem WHERE Version like "6.0%" AND ProductType="2"

Windows Server 2008 – non-DC

select * from Win32_OperatingSystem WHERE Version like "6.0%" AND ProductType="3"

Windows Server 2008 – 32-bit – DC

select * from Win32_OperatingSystem WHERE Version like "6.0%" AND ProductType="2" AND NOT OSArchitecture = "64-bit"

Windows Server 2008 – 32-bit – non-DC

select * from Win32_OperatingSystem WHERE Version like "6.0%" AND ProductType="3" AND NOT OSArchitecture = "64-bit"

Windows Server 2008 – 64-bit – DC

select * from Win32_OperatingSystem WHERE Version like "6.0%" AND ProductType="2" AND OSArchitecture = "64-bit"

Windows Server 2008 – 64-bit – non-DC

select * from Win32_OperatingSystem WHERE Version like "6.0%" AND ProductType="3" AND OSArchitecture = "64-bit"

WINDOWS SERVER 2008 R2

 

Windows Server 2008 R2 – 64-bit – DC

select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="2"

Windows Server 2008 R2 – 64-bit – non-DC

select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="3"

WINDOWS SERVER 2012

 

Windows Server 2012 – 64-bit – DC

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="2"

Windows Server 2012 – 64-bit – non-DC

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="3"

WINDOWS SERVER 2012 R2

 

Windows Server 2012 R2 – 64-bit – DC

select * from Win32_OperatingSystem WHERE Version like "6.3%" AND ProductType="2"

Windows Server 2012 R2 – 64-bit – non-DC

select * from Win32_OperatingSystem WHERE Version like "6.3%" AND ProductType="3"

Shadow Groups

DS-Tools

The Quick and Dirty version:
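rem Replace the shadow group's whole membership with the user objects directly under the OU.
rem -chmbr clears every existing member first (nested groups and users outside the OU included).
rem Plain ASCII quotes and dashes: typographic quotes/en-dashes are not understood by cmd.exe.
dsquery user "<Organizational Unit distinguishedName>" -scope onelevel | dsmod group "<Shadow Group distinguishedName>" -chmbr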

This will look for all users found in the specified OU, and limit the search to that OU only. Then it will clear the current group membership of the SG and add all users currently found in the OU.

The Clean and Clever batch file version:
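rem Site-specific values: distinguishedNames, entered without surrounding quotes.
set OU=Organizational Unit distinguishedName
set Group=Shadow Group distinguishedName

rem Pass 1: list current members, keep only the lines that do NOT contain the OU DN
rem (find /v /i = inverted, case-insensitive match) and remove those from the group.
rem %Group% is quoted because a DN normally contains spaces.
dsget group "%Group%" -members | find /v /i "%OU%" | dsmod group "%Group%" -rmmbr
rem Pass 2: find user objects (sAMAccountType 805306368) directly under the OU that are
rem not yet members and add them. dsmod needs the object type ("group") before the DN.
dsquery * "%OU%" -filter "(&(sAMAccountType=805306368)(!memberOf=%Group%))" -scope onelevel | dsmod group "%Group%" -addmbr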


This will look at the group membership, pipe it to the find command, to find only the users where the OU’s distinguishedName is NOT present, and then pipe it to dsmod group to remove those users from the group. The next step is to look for all users in the specified OU that are NOT member of the Shadow Group already. It will then add any users found to the group.

PowerShell

Windows Server 2008 R2 with Active Directory cmdlets:
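# Shadow-group sync with the AD cmdlets (Windows Server 2008 R2 and later):
# make $Group's membership mirror the user objects directly under $OU.
$OU="Organizational Unit distinguishedName"
$Group="Shadow Group distinguishedName"

# Pass 1: remove members whose DN does not sit under $OU. -NotMatch is a regex
# comparison, so the OU DN is escaped to be matched literally rather than as a pattern.
$OUPattern = [regex]::Escape($OU)
Get-ADGroupMember -Identity $Group | Where-Object {$_.distinguishedName -NotMatch $OUPattern} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false}
# Pass 2: add direct-child users of $OU that are not yet members.
# NOTE(review): $Group is interpolated into an LDAP filter; a DN containing ( ) * or \ would need LDAP escaping.
Get-ADUser -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!memberOf=$Group)" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group}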
 

This will do the same thing as the ds-tools clean and clever version, except it’s done in PowerShell with the AD cmdlets.

Once you've decided which approach you want to take, you can easily create a scheduled task for it and ensure that the batch or PowerShell script runs at intervals that suit your organization. Just make sure that the account the scheduled task runs under has the proper privileges (such as "log on as a batch job" and permission to update the Shadow Groups (write members) in Active Directory).

Create a Password Settings Object (PSO)

Password Settings Object

 

Creating a PSO

 

Create a Group to apply the PSO to.

 

ADSI Edit

Connect to Adatum.com

Go to System

Right Click 'Password Settings Container' > New > Object

Enter PSO Name as cn like 'PSO1'

 

msDS-PasswordSettingsPrecedence box, type 10. Click Next.

msDS-PasswordReversibleEncryptionEnabled box, type FALSE. Click Next.

msDS-PasswordHistoryLength box, type 6. Click Next.

msDS-PasswordComplexityEnabled box, type FALSE. Click Next.

msDS-MinimumPasswordLength box, type 6. Click Next.

msDS-MinimumPasswordAge box, type 1:00:00:00. Click Next.

msDS-MaximumPasswordAge box, type 20:00:00:00. Click Next.

msDS-LockoutThreshold box, type 2. Click Next.

msDS-LockoutObservationWindow box, type 0:00:15:00

msDS-LockoutDuration box, type 0:00:15:00. Click Next

 

Done - Now apply the Policy

 

Ensure advanced features is enabled in Active Directory users and computers.

 

Go to Adatum.com > system > password settings container > right click PSO1 > Properties

Attribute tab

Find: msDS-PSOAppliesto

Use the pop up to search AD for the group or OU you want to apply to.

Creating users in Bulk with PowerShell

Finding Commands

 

Get-command *AD*

 

New-ADUser

Remove-ADUser

 

New-ADUser -Path "ou=User Accounts,dc=contoso,dc=com" -Name "Mary North"

-SAMAccountName "mary.north" -UserPrincipalName "mary.north@contoso.com"

-EmailAddress "mary.north@contoso.com" -GivenName "Mary" -Surname "North"

-Description "Sales Representative in Australia"

-Company "Contoso, Ltd." -Department "Sales"

-Office "Sydney"

 

Password Set

 

-AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)   (single quotes: inside double quotes PowerShell would expand $$ as a variable)

-ChangePasswordAtLogon $true -Enabled $true

 

Piped command

 

Get-ADUser "mary.north" | Set-ADUser -DisplayName "North, Mary"

 

Variable Command

 

$user = Get-ADUser "mary.north"

Set-ADUser $user -EmployeeNumber 12345

 

 

IMPORT FROM CSV

 

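# Bulk-create AD users from a CSV. Expected columns (read below): Username, Firstname, Lastname.
$UserList=IMPORT-CSV c:\users\administrator\documents\newusers.csv

# Site-specific values, hoisted out of the loop because they do not change per user.
# $Domain is the UPN suffix, $OU the container the accounts are created in; keep them consistent.
$Domain="@teamrou.com"
$OU="OU=test,DC=yourdomainhere,DC=com"

# Step through Each Item in the List
FOREACH ($Person in $UserList) {

    # Build Username
    $Username=$Person.Username

    # Build Password from Firstname and Lastname
    # NOTE: this initial password is predictable (anyone who knows the name can derive it),
    # so the account is forced to change it at first logon below. It may also fail the
    # domain's complexity rules, in which case Set-ADAccountPassword errors for that user.
    $Password=$Person.Firstname+$Person.Lastname

    # Build the Displayname
    $Name=$Person.Firstname+" "+$Person.Lastname

    # Build User Principal Name
    $UPN=$Username+$Domain

    # Build and define Home Directory path.
    # PowerShell stores the string as given and does not perform the %username%
    # substitution ADUC does, so the account name is inserted explicitly.
    $HDrive="\\Shares\$Username\"

    # Create Account in Active Directory (AND HERE...WE...GO!)
    New-ADUser -Name $Name -GivenName $Person.Firstname -Surname $Person.Lastname -DisplayName $Name -SamAccountName $Username -HomeDrive "H:" -HomeDirectory $HDrive -UserPrincipalName $UPN -Path $OU

    # Set Password (-Reset: an administrative reset, so no old password is needed or prompted for)
    Set-ADAccountPassword -Identity $Username -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $Password -Force)

    # Force a password change at first logon so the predictable initial password does not stay in use
    Set-ADUser -Identity $Username -ChangePasswordAtLogon $true

    # Add User to Security Groups
    Add-ADPrincipalGroupMembership -Identity $Username -MemberOf "Sales","Test"

    # Enable Account
    Enable-ADAccount -Identity $Username
}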