TechShizz | Tech Guides


List of users being Audited

AuditPol /List /User


To see how a user is being audited

AuditPol /Get /User:UserName /Category:*


To see the users' SIDs

AuditPol /List /User /V


List all audit categories

AuditPol /List /Category

Creating users in Bulk with PowerShell

Finding Commands


Get-Command *AD*





New-ADUser -Path "ou=User Accounts,dc=contoso,dc=com" -Name "Mary North" `
    -SAMAccountName "mary.north" -UserPrincipalName "" `
    -EmailAddress "" -GivenName "Mary" -Surname "North" `
    -Description "Sales Representative in Australia" `
    -Company "Contoso, Ltd." -Department "Sales" `
    -Office "Sydney"


Password Set

Additional New-ADUser parameters to set the initial password and enable the account. The password is in single quotes: in double quotes PowerShell would expand the $$ automatic variable and the account would get a different password than intended.

    -AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) `
    -ChangePasswordAtLogon $true -Enabled $true


Piped command


Get-ADUser "mary.north" | Set-ADUser -DisplayName "North, Mary"


Variable Command


$user = Get-ADUser "mary.north"

Set-ADUser $user -EmployeeNumber 12345





$UserList = Import-Csv C:\Users\Administrator\Documents\newusers.csv

# Step through each item in the list
foreach ($Person in $UserList) {

    # Build username (assumed format: first initial + last name; the original line is missing from the page)
    $Username = ($Person.Firstname.Substring(0, 1) + $Person.Lastname).ToLower()

    # Build password from Firstname and Lastname (assumed; the original line is missing from the page)
    $Password = $Person.Firstname + $Person.Lastname

    # Build the display name
    $Name = $Person.Firstname + " " + $Person.Lastname

    # Build and define domain name (placeholder; the original line is missing from the page)
    $Domain = "contoso.com"

    # Build user principal name
    $UPN = $Username + "@" + $Domain

    # Build and define home directory path (placeholder server/share; the original line is missing from the page)
    $HDrive = "\\FILESERVER\Home$\" + $Username

    # Build and define which organizational unit to create the user inside (placeholder; the original line is missing from the page)
    $OU = "ou=User Accounts,dc=contoso,dc=com"

    # Create account in Active Directory (AND HERE...WE...GO!)
    New-ADUser -Name $Name -GivenName $Person.Firstname -Surname $Person.Lastname -DisplayName $Name -SamAccountName $Username -HomeDrive "H:" -HomeDirectory $HDrive -UserPrincipalName $UPN -Path $OU

    # Set password (-Reset is required when no old password is supplied, otherwise the cmdlet prompts for it)
    Set-ADAccountPassword -Identity $Username -Reset -NewPassword (ConvertTo-SecureString -AsPlainText $Password -Force)

    # Add user to security groups
    Add-ADPrincipalGroupMembership -Identity $Username -MemberOf "Sales","Test"

    # Enable account
    Enable-ADAccount -Identity $Username
}
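A hardened variant of the bulk-creation loop above, added here as an example (not the page's own script): it validates each CSV row, skips accounts that already exist, uses a random initial password instead of one derived from the user's name, and forces a change at first logon. It assumes CSV columns Firstname and Lastname; the OU, UPN suffix and CSV path are placeholders.

```powershell
# Added example, not the page's script: bulk creation with input checks, a random
# initial password and a forced change at first logon. Assumes CSV columns
# Firstname,Lastname; the OU and UPN suffix below are placeholders.
Import-Module ActiveDirectory

function New-BulkADUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$OU = 'OU=User Accounts,DC=contoso,DC=com',   # placeholder
        [string]$UpnSuffix = 'contoso.com'                    # placeholder
    )
    foreach ($Person in Import-Csv $CsvPath) {
        # Reject rows with missing names instead of creating half-filled accounts
        if ([string]::IsNullOrWhiteSpace($Person.Firstname) -or
            [string]::IsNullOrWhiteSpace($Person.Lastname)) {
            Write-Warning "Skipping row with missing name"; continue
        }
        # firstname.lastname, letters/digits only, capped at the 20-char sAMAccountName limit
        $Username = ('{0}.{1}' -f $Person.Firstname, $Person.Lastname).ToLower() -replace '[^a-z0-9.]', ''
        if ($Username.Length -gt 20) { $Username = $Username.Substring(0, 20) }

        # Skip accounts that already exist rather than letting New-ADUser throw
        if (Get-ADUser -Filter "SamAccountName -eq '$Username'") {
            Write-Warning "Skipping $Username - account already exists"; continue
        }

        # 24-character random initial password from the OS CSPRNG
        $bytes = New-Object byte[] 18
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $InitialPassword = [Convert]::ToBase64String($bytes)

        $Name = '{0} {1}' -f $Person.Firstname, $Person.Lastname
        if ($PSCmdlet.ShouldProcess($Username, "Create user in $OU")) {
            New-ADUser -Name $Name -GivenName $Person.Firstname -Surname $Person.Lastname `
                -DisplayName $Name -SamAccountName $Username `
                -UserPrincipalName "$Username@$UpnSuffix" -Path $OU `
                -AccountPassword (ConvertTo-SecureString -AsPlainText $InitialPassword -Force) `
                -ChangePasswordAtLogon $true -Enabled $true
            # Return the one-time password as an object for out-of-band handover; do not log it
            [pscustomobject]@{ SamAccountName = $Username; InitialPassword = $InitialPassword }
        }
    }
}

# Preview first (-WhatIf), then run for real
New-BulkADUser -CsvPath C:\Users\Administrator\Documents\newusers.csv -WhatIf
```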




Shadow Groups


The quick and dirty version:

dsquery user "<Organizational Unit distinguishedName>" -scope onelevel | dsmod group "<Shadow Group distinguishedName>" -chmbr

This will look for all users found in the specified OU, limiting the search to that OU only (no sub-OUs). It will then clear the current membership of the shadow group and add all users currently found in the OU.

The clean and clever batch file version:

set OU=Organizational Unit distinguishedName (without quotes)
set Group=Shadow Group distinguishedName (without quotes)

dsget group "%Group%" -members | find /v /i "%OU%" | dsmod group "%Group%" -rmmbr
dsquery * "%OU%" -filter "(&(sAMAccountType=805306368)(!memberOf=%Group%))" -scope onelevel | dsmod group "%Group%" -addmbr

This lists the group's members, pipes them to the find command to keep only the members whose distinguishedName does NOT contain the OU's distinguishedName, and then pipes those to dsmod group to remove them from the group. The next step looks for all users in the specified OU that are NOT already members of the shadow group and adds any users found to the group.


Windows Server 2008 R2 with Active Directory cmdlets:

$OU = "Organizational Unit distinguishedName"
$Group = "Shadow Group distinguishedName"

Get-ADGroupMember -Identity $Group | Where-Object {$_.distinguishedName -NotMatch $OU} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false}
Get-ADUser -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!memberOf=$Group)" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group}

This does the same thing as the ds-tools clean and clever version, except it's done in PowerShell with the AD cmdlets. Note that -NotMatch treats $OU as a regular expression, so an OU distinguishedName containing regex metacharacters (such as parentheses) should be wrapped in [regex]::Escape().

Once you've decided which approach you want to take, you can easily create a scheduled task for it and ensure that the batch or PowerShell script runs at intervals that suit your organization. Just make sure that the user account the scheduled task runs under has the proper privileges (such as Log on as a batch job and permission to update the shadow groups (write members) in Active Directory).
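An exact-sync variant of the PowerShell shadow-group approach above, added here as an example (not the page's own script): it computes the set difference between users directly in the OU and the group's current user members, so DNs are compared exactly rather than by regex, and it supports -WhatIf for a dry run before the scheduled task is armed. It assumes the ActiveDirectory module; the OU and group DNs in the calls at the bottom are placeholders.

```powershell
# Added example, not the page's script: exact shadow-group sync that computes the
# set difference instead of regex-matching DNs. Assumes the ActiveDirectory module;
# the OU and group DNs in the calls at the bottom are placeholders.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OU,      # OU distinguishedName
        [Parameter(Mandatory)][string]$Group    # shadow group distinguishedName
    )
    # Desired members: user objects directly inside the OU (OneLevel, like dsquery -scope onelevel)
    $desired = @(Get-ADUser -SearchBase $OU -SearchScope OneLevel -Filter * |
        Select-Object -ExpandProperty DistinguishedName)

    # Current direct members; only users are managed, nested groups/computers are left alone
    $current = @(Get-ADGroupMember -Identity $Group |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty distinguishedName)

    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })

    foreach ($dn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($dn, "Remove from $Group")) {
            Remove-ADGroupMember -Identity $Group -Members $dn -Confirm:$false
        }
    }
    foreach ($dn in $toAdd) {
        if ($PSCmdlet.ShouldProcess($dn, "Add to $Group")) {
            Add-ADGroupMember -Identity $Group -Members $dn
        }
    }
    # Summary object, handy for the scheduled-task log
    [pscustomobject]@{ Group = $Group; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Preview the changes, then apply them (placeholder DNs)
$ou = 'OU=Sales,DC=contoso,DC=com'
$sg = 'CN=Sales-Shadow,OU=Groups,DC=contoso,DC=com'
Sync-ShadowGroup -OU $ou -Group $sg -WhatIf
Sync-ShadowGroup -OU $ou -Group $sg
```

Run the -WhatIf call under the scheduled task's service account first: it exercises the read and the write-members permission paths without changing anything.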

Authoritative Restore

Restore from DSRM


For this to work, Windows Server Backup must have taken backups of the drive holding the ntds.dit file.

Browsing the backups and the NTDS.dit file

Manual snapshots of the drive can be taken from ntdsutil:

ntdsutil: activate instance ntds
ntdsutil: snapshot
snapshot: create
snapshot: list all

Select the GUID of the snapshot and mount it as follows:

snapshot: mount {GUID}

You can then browse the mounted snapshot under C:\ (it appears as a $SNAP_..._VOLUMEC$ folder).

You can then mount the ntds.dit file inside the mounted snapshot as follows. Exit ntdsutil and run:

dsamain -dbpath "c:\$SNAP_65168161358_VOLUMEC$\Windows\ntds\ntds.dit" -ldapport 5000

The database is now served on port 5000 and can be accessed from dsa.msc: change domain controller to dc1.contoso.local:5000 to browse the contents of the mounted NTDS.dit file.


Performing an Authoritative Restore

If an OU, user or any other object needs to be restored authoritatively, do the following.

Restart the DC in DSRM (Directory Services Restore Mode). Open CMD and run:

bcdedit /set safeboot dsrepair
shutdown /r /t 0

Restore AD from backup

To restore AD this way, Windows Server Backup needs to be running full backups of the drive holding the NTDS.dit file on the DC.

To browse the backups/NTDS snapshots, in ntdsutil:

ntdsutil: activate instance ntds
ntdsutil: snapshot
snapshot: list all

Identify the backup and copy the GUID to be mounted:

snapshot: mount {GUID}

You can browse the backup and copy things from it if needed. You can also mount the NTDS file within it.

Note the path of the NTDS.dit file within it for the next part.

dsamain -dbpath "c:\$SNAP_465746_VOLUME_C$\windows\ntds\ntds.dit" -ldapport 5000

From dsa.msc you can now "change domain controller" and connect to do.contoso.local:5000 to browse the mounted AD database.


To unmount the snapshot, back in ntdsutil:

snapshot: unmount {GUID}


Restore AD from Directory Services Restore Mode

If an OU, user, group or any other object is deleted from AD, you will need to perform an authoritative restore by rebooting into DSRM:

bcdedit /set safeboot dsrepair
shutdown /r /t 0

The server reboots into DSRM.

To identify the backup again, run:

wbadmin get versions

Copy the version identifier: dd/mm/yyyy-hh:mm

Run a non-authoritative restore:

wbadmin start systemstaterecovery -version:03/24/2015-18:22

Run an authoritative restore of the deleted subtree in ntdsutil:

ntdsutil: activate instance ntds
ntdsutil: authoritative restore
authoritative restore: restore subtree "ou=test,dc=contoso,dc=local"

Reset the boot method so the DC starts normally:

bcdedit /deletevalue safeboot
shutdown /r /t 0