TechShizz | Tech Guides

Shadow Groups

DS-Tools

The Quick and Dirty version:
dsquery user "<Organizational Unit distinguishedName>" -scope onelevel | dsmod group "<Shadow Group distinguishedName>" -chmbr

This finds all users in the specified OU, limiting the search to that OU only (no sub-OUs). The result is piped to dsmod group, which clears the Shadow Group's current membership and then adds every user found in the OU.

The Clean and Clever batch file version:
Set OU=Organizational Unit distinguishedName (without quotes)
Set Group=Shadow Group distinguishedName (without quotes)

dsget group "%Group%" -members | find /v /i "%OU%" | dsmod group "%Group%" -rmmbr
dsquery * "%OU%" -filter "(&(sAMAccountType=805306368)(!memberOf=%Group%))" -scope onelevel | dsmod group "%Group%" -addmbr

The first line lists the group's current members and pipes them through find /v, which keeps only the lines where the OU's distinguishedName is NOT present (members that no longer live in the OU); those are piped to dsmod group, which removes them from the group. The second line searches the OU for user objects (sAMAccountType 805306368) that are NOT already members of the Shadow Group and pipes them to dsmod group, which adds them.

PowerShell

Windows Server 2008 R2 with Active Directory cmdlets:
$OU="Organizational Unit distinguishedName"
$Group="Shadow Group distinguishedName"

Get-ADGroupMember -Identity $Group | Where-Object {$_.distinguishedName -NotMatch $OU} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false}
Get-ADUser -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!memberOf=$Group)" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group}

This does the same thing as the ds-tools clean and clever version, but in PowerShell with the AD cmdlets. Note that -NotMatch treats $OU as a regular expression, so if the OU's distinguishedName contains regex metacharacters (parentheses, for example), wrap it in [regex]::Escape() first.

Once you've decided which approach to take, you can create a scheduled task and have the batch or PowerShell script run at whatever interval suits your organization. Just make sure that the account the scheduled task runs under has the required privileges: the "Log on as a batch job" right, and permission to update the Shadow Groups (Write Members) in Active Directory.
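A fuller version of the PowerShell approach, added here as an example rather than taken from the page: it compares the set of user DNs directly under the OU with the group's current user members (an exact DN comparison instead of a regex -NotMatch), supports -WhatIf for a dry run before you schedule it, and returns a summary object the scheduled task can log. It assumes the ActiveDirectory module is installed; the OU and group DNs in the usage lines are placeholders.

```powershell
#Requires -Modules ActiveDirectory
function Sync-ShadowGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $OU,     # placeholder, e.g. "OU=Sales,DC=example,DC=com"
        [Parameter(Mandatory)] [string] $Group   # placeholder, e.g. "CN=SG-Sales,OU=Groups,DC=example,DC=com"
    )

    # Desired members: every user directly under the OU (OneLevel, like dsquery -scope onelevel),
    # keyed by DN so the comparison is exact. PowerShell hashtable keys are case-insensitive,
    # which suits DNs.
    $wanted = @{}
    Get-ADUser -SearchBase $OU -SearchScope OneLevel -Filter * |
        ForEach-Object { $wanted[$_.DistinguishedName] = $true }

    # Current members: only user objects are reconciled, so a nested group or computer that
    # someone added by hand is reported rather than silently removed.
    $current = @{}
    Get-ADGroupMember -Identity $Group | ForEach-Object {
        if ($_.objectClass -eq 'user') { $current[$_.distinguishedName] = $true }
        else { Write-Warning "Non-user member left untouched: $($_.distinguishedName)" }
    }

    $toRemove = @($current.Keys | Where-Object { -not $wanted.ContainsKey($_) })
    $toAdd    = @($wanted.Keys  | Where-Object { -not $current.ContainsKey($_) })

    foreach ($dn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($dn, "Remove from $Group")) {
            Remove-ADGroupMember -Identity $Group -Members $dn -Confirm:$false
        }
    }
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess("$($toAdd.Count) user(s)", "Add to $Group")) {
        Add-ADGroupMember -Identity $Group -Members $toAdd
    }

    # Summary object for the scheduled task's log.
    [pscustomobject]@{ Group = $Group; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Dry run first, then the real run (DNs are placeholders):
Sync-ShadowGroup -OU 'OU=Sales,DC=example,DC=com' -Group 'CN=SG-Sales,OU=Groups,DC=example,DC=com' -WhatIf
Sync-ShadowGroup -OU 'OU=Sales,DC=example,DC=com' -Group 'CN=SG-Sales,OU=Groups,DC=example,DC=com'
```

The account the task runs under needs only read access to the OU and the Write Members permission on the shadow group itself; it does not need to be a domain admin. Get-ADGroupMember stops at 5,000 members by default (the ADWS MaxGroupOrMemberEntries limit), so for very large shadow groups read the group's member attribute with Get-ADGroup -Properties member instead.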

Data Cable Terminations

Category 5 / Cat 5E Patch Cable

Before you begin, you should know which wiring scheme you will be using. The only difference between 568A and 568B is that pairs 2 and 3 (orange and green) are swapped. If you are unsure which one to use, go with 568B. It is 568B that we demonstrate in this tutorial; the 568A wiring is shown in the diagrams below mainly for illustration. In our estimation 568B is used in over 99% of all straight-through applications. Either the A or the B standard will produce a "straight-through" connection that works for any Ethernet or PoE (Power over Ethernet) application, so do not sweat over the choice.

Always go B, not A (although it doesn’t matter anymore)


Application Note: To make a crossover patch cable, you should wire one end 568B and the other end 568A

Bulk Active Directory Import

CSVDE -i -f c:\users.csv

To Loop a DSAdd command

for /f "Tokens=*" %i in (c:\5000users.csv) do dsmod user %i -pwd Pa$$w0rD -disabled no

This runs dsmod user once per line of the file (each line supplying the user distinguishedName that dsmod user expects), setting the password and enabling the account. Typed at an interactive prompt the loop variable is %i; inside a batch file it must be written %%i.
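The same bulk import done with the AD cmdlets, added here as an example that is not part of the original page: each account gets its own random initial password from the system CSPRNG and is flagged to change it at first logon, rather than every imported account being enabled with one shared password. It assumes the ActiveDirectory module; the CSV rows, the OU DNs and the UPN suffix are constructed placeholders (a real run would use Import-Csv on the same headers).

```powershell
#Requires -Modules ActiveDirectory
function New-InitialPassword {
    # 16 characters from a 64-symbol alphabet using the CSPRNG. 64 divides 256 exactly, so taking
    # each random byte modulo 64 introduces no bias. Ambiguous glyphs (0/O, 1/l/I) are left out.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $bytes = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Constructed sample rows; a real run would use Import-Csv -Path C:\users.csv with the same headers.
$rows = @'
SamAccountName,GivenName,Surname,OU
jsmith,Jane,Smith,"OU=Sales,DC=example,DC=com"
bjones,Bob,Jones,"OU=Sales,DC=example,DC=com"
'@ | ConvertFrom-Csv

$upnSuffix = 'example.com'   # placeholder

$issued = foreach ($r in $rows) {
    $pw = New-InitialPassword
    $params = @{
        Name                  = "$($r.GivenName) $($r.Surname)"
        SamAccountName        = $r.SamAccountName
        UserPrincipalName     = "$($r.SamAccountName)@$upnSuffix"
        GivenName             = $r.GivenName
        Surname               = $r.Surname
        Path                  = $r.OU
        AccountPassword       = (ConvertTo-SecureString $pw -AsPlainText -Force)
        ChangePasswordAtLogon = $true   # the initial password is single-use
        Enabled               = $true
    }
    New-ADUser @params
    [pscustomobject]@{ SamAccountName = $r.SamAccountName; InitialPassword = $pw }
}

# Initial passwords go to the account owners out of band; keep this list off shared storage.
$issued | Format-Table -AutoSize
```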

Auditpol

List of users being audited

AuditPol /List /User

To see how a user is being audited

AuditPol /Get /User:UserName /Category:*

To see the user's SID as well

AuditPol /List /User /V

List all audit categories

AuditPol /List /Category
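Going one step beyond the per-user queries above, this added example (not from the original page) reads the effective system audit policy as CSV with auditpol /get /category:* /r and reports any subcategory from a baseline list that is not set to "Success and Failure". The baseline list is an assumption to adjust to your own policy; the column names Subcategory and Inclusion Setting are those of auditpol's /r CSV output.

```powershell
function Test-AuditBaseline {
    param(
        # Subcategories a defender normally wants at "Success and Failure"; adjust to your baseline.
        [string[]] $Required = @('Logon', 'Logoff', 'Special Logon', 'Process Creation',
                                 'User Account Management', 'Security Group Management',
                                 'Audit Policy Change')
    )
    # /r switches auditpol to CSV output; ConvertFrom-Csv turns it into objects with
    # 'Subcategory' and 'Inclusion Setting' columns.
    $policy = auditpol /get /category:* /r | ConvertFrom-Csv

    foreach ($name in $Required) {
        $row = $policy | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            Compliant   = ($setting -eq 'Success and Failure')
        }
    }
}

# Show only the gaps; run from an elevated prompt, as auditpol /get requires.
Test-AuditBaseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```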

Application Directory Partitions

To create a DNS application directory partition

  1. Open a command prompt.
  2. Type the following command, and then press ENTER:

dnscmd <ServerName> /CreateDirectoryPartition <FQDN>

This needs to be done only once. It creates the partition in the NTDS.dit file, and the partition then replicates around AD.

https://technet.microsoft.com/en-us/library/cc772361.aspx

To enlist a DNS server in a DNS application directory partition

  1. Open a command prompt.
  2. Type the following command, and then press ENTER:

dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>

This needs to be repeated on each DNS server that requires access to the partition.

https://technet.microsoft.com/en-us/library/cc772361.aspx

To remove a DNS server from a DNS application directory partition

  1. Open a command prompt.
  2. Type the following command, and then press ENTER:

dnscmd <ServerName> /UnenlistDirectoryPartition <FQDN>

https://technet.microsoft.com/en-us/library/cc772361.aspx
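Since the enlist step has to be repeated on every DNS server, here is an added example (not from the page or from Microsoft's documentation) that runs it across a list of servers, skipping any server whose dnscmd /EnumDirectoryPartitions listing already shows the partition as Enlisted and reporting the result per server. The server names and partition FQDN are placeholders, and matching the word "Enlisted" in the listing is an assumption about dnscmd's output format.

```powershell
function Add-DnsPartitionEnlistment {
    param(
        [Parameter(Mandatory)] [string[]] $Servers,    # DNS server names (placeholders in the usage line)
        [Parameter(Mandatory)] [string]   $Partition   # partition FQDN, created once beforehand
    )
    foreach ($server in $Servers) {
        # /EnumDirectoryPartitions lists each partition with its state; the line for an
        # already-enlisted partition is assumed to contain the word "Enlisted".
        $listing = dnscmd $server /EnumDirectoryPartitions 2>&1
        $line = $listing | Where-Object { $_ -match [regex]::Escape($Partition) }
        if ($line -and ($line -match 'Enlisted')) {
            [pscustomobject]@{ Server = $server; Partition = $Partition; Result = 'Already enlisted' }
            continue
        }
        $output = dnscmd $server /EnlistDirectoryPartition $Partition 2>&1
        $result = if ($LASTEXITCODE -eq 0) { 'Enlisted' } else { "Failed: $($output -join ' ')" }
        [pscustomobject]@{ Server = $server; Partition = $Partition; Result = $result }
    }
}

Add-DnsPartitionEnlistment -Servers 'dns1.example.com', 'dns2.example.com' -Partition 'customdnspartition.example.com' |
    Format-Table -AutoSize
```

The create step is deliberately left out of the loop: /CreateDirectoryPartition runs once, on one server, and the partition replicates on its own, so only the enlistment is per-server.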