ADDS – Query to find machines that have not changed their password

Hi everybody!

To find machines that may no longer exist in the domain, you can run a query for computer accounts that have not changed their password in the last 180 days. The query is: dsquery computer -stalepwd 180
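As an added example (not part of the original post), the same 180-day check through the ActiveDirectory PowerShell module, exported with the fields an admin needs to review before acting on a stale account; the CSV path is an assumption:

```powershell
Import-Module ActiveDirectory

# Same 180-day threshold as "dsquery computer -stalepwd 180". Domain members renew
# their machine password every 30 days by default, so 180 days is about six missed cycles.
$Days   = 180
$Cutoff = (Get-Date).AddDays(-$Days)

# pwdLastSet replicates on every change, so it is a reliable staleness signal.
# LastLogonDate (built from lastLogonTimestamp) replicates only every 9-14 days
# and is included as a cross-check, not as the primary criterion.
$Stale = Get-ADComputer -Filter { PasswordLastSet -lt $Cutoff } `
    -Properties PasswordLastSet, LastLogonDate, OperatingSystem, Enabled

# Review list first (path is an assumption; change it to suit your environment)
$Stale |
    Select-Object Name, Enabled, OperatingSystem, PasswordLastSet, LastLogonDate, DistinguishedName |
    Sort-Object PasswordLastSet |
    Export-Csv -Path "$env:TEMP\StaleComputers_${Days}d.csv" -NoTypeInformation

# Disable rather than delete the accounts that are still enabled: a disabled account
# can be re-enabled if a machine turns out to be a rarely connected laptop or an
# offline server. -WhatIf only previews the change; remove it after reviewing the CSV.
$Stale | Where-Object { $_.Enabled } | Disable-ADAccount -WhatIf
```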

More queries:



Microsoft Active Directory Topology Diagrammer

Hi guys,

I put the link to download the Microsoft Active Directory Topology Diagrammer.

With the Active Directory Topology Diagrammer tool, you can read your Active Directory structure through LDAP. The Active Directory Topology Diagrammer tool automates Microsoft Office Visio to draw a diagram of the Active Directory Domain topology, your Active Directory Site topology, your OU structure, your DFS-R topology or your current Exchange 20XX Server Organization. With the Active Directory Topology Diagrammer tool, you can also draw partial information from your Active Directory, like only one Domain or one site. The objects are linked together and arranged in a reasonable layout that you can later interactively work with in Microsoft Office Visio.

See you!!

Powershell Script to request info about state of AD Site links

Hi guys,

I read an interesting post in the Ashley McGlone blog that I think is good to remark.

See you!


Author’s note:  Before you dismiss this article you should know that the top two areas where I find issues for AD health are replication and DNS.  If you’re short on time skip to the bottom section “But Wait… There’s More” and run that report in your environment.  Otherwise I think you’ll get a lot of value from this content.

Freaky Neat

In my role as a Microsoft Premier Field Engineer I get to see what our customers do with Active Directory, both good and bad. Some admins are neat freaks about keeping everything pretty. (Imagine Adrian Monk as an AD admin.) Others barely have time to open Facebook at work, and neatness is not a priority. Those are just the facts of IT life. Consequently one area we frequently clean up is AD replication. You can see my former articles here on cleaning up replication settings.

What is hiding in your site links?

Today’s post will help you clean up site link descriptions and give you some nice reporting capability. For a quick overview of the terminology you can read the landmark TechNet article How Replication Works. To make a long story short admins create sites and then link them together with site links. Like most things in life change happens, and we don’t go back to clean up afterwards. I commonly find orphaned site links, mondo links with too many sites, and site link descriptions that haven’t been updated to reflect their member sites. (Use the free AD Topology Diagrammer to get a really cool Visio diagram of your sites and links.)

Some folks like to set their site link description field to list each of the member sites in the link. If that is you, then you’ll love this script.  Today’s script enumerates all of the member sites in a site link and then concatenates their names into the description of the site link.  Also, it will make a note in the description for any site links that have change notification enabled.  Now that’s handy!

Here is a screenshot from my lab showing what the descriptions can look like:


The Code

First let’s list the sitelinks:

# List all sitelinks            
Get-ADObject -LDAPFilter '(objectClass=siteLink)' ` 
    -SearchBase (Get-ADRootDSE).ConfigurationNamingContext ` 
    -Property Name, Cost, Description, Sitelist |            
    Format-List Name, Cost, Description, Sitelist

Now let’s update the descriptions:

# One ridiculous line of code
# Broken down for readability
Get-ADObject -LDAPFilter '(&(objectClass=siteLink)(siteList=*))' `
    -SearchBase (Get-ADRootDSE).ConfigurationNamingContext `
    -Property Name, Cost, Sitelist, Options |
    ForEach-Object {
        $s = ''
        # Each siteList value is a DN such as "CN=Ohio,CN=Sites,CN=Configuration,...";
        # SubString(3, ...) drops the leading "CN=" and keeps only the site name
        ForEach ($site in $_.sitelist) {
            $s += "$($site.SubString(3,$site.IndexOf(",")-3)) <--> "
        }
        # Trim the trailing " <--> " and flag change notification (Options bit 1)
        $s = $s.SubString(0, $s.Length - 6)
        If ($_.Options -band 1) { $s += ' (Notify)' }
        Set-ADObject -Identity $_.DistinguishedName -Replace @{Description=$s}
    }

Some site links have been orphaned and emptied by deleting the member sites and forgetting to delete the associated site link. For those here is a modified line that will update their description to ‘EMPTY SITE LINK’.

# Flag empty site links            
Get-ADObject -LDAPFilter '(&(objectClass=siteLink)(!siteList=*))' ` 
    -SearchBase (Get-ADRootDSE).ConfigurationNamingContext ` 
    -Property Name, Sitelist, Options |            
    % {Set-ADObject -Identity $_.DistinguishedName ` 
    -Replace @{Description='EMPTY SITE LINK'+` 
    $(If ($_.Options -band 1) {' (Notify)'})}}

The real magic in these lines is the LDAP filters:

  • All sitelinks: '(objectClass=siteLink)'
  • Sitelinks with member sites: '(&(objectClass=siteLink)(siteList=*))'
  • Sitelinks without member sites: '(&(objectClass=siteLink)(!siteList=*))'

Once you have imported the ActiveDirectory module you can type Get-Help about_ActiveDirectory_filter for more information on creating LDAP filter syntax.

But wait… there’s more!

In the script file attached at the end of the post I have included all of the scripts above plus some bonus content.  There is a site report script that will give you some schweet stats on your AD sites.  Use it to find those sites that are not in a site link, missing subnets, or do not have a DC.  The output looks like this:

Name     SiteLinkCount SubnetCount DCCount IsEmpty WhenCreated  Description
----     ------------- ----------- ------- ------- -----------  -----------
Bogus1               1           0       0    True 10/6/2010    Test site
Bogus2               0           0       0    True 1/25/2011    Test site
Bogus3               0           0       0    True 1/25/2011    Test site
Kentucky             3           1       2   False 4/13/2010    Kentucky
Lonely               2           1       1   False 2/17/2011    Remote site
Ohio                 2           2       2   False 4/13/2010    Ohio

Armed with this handy little report you will know where to begin your site, subnet, and site link remediation activities.
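The site report script itself is attached to the original post and is not reproduced here. The following is an added example of my own (not the author's script) that builds the same kind of report with Get-ADObject against the configuration naming context; IsEmpty is defined here as a site with no subnet and no DC, which is an assumption about the original column's meaning.

```powershell
Import-Module ActiveDirectory
$ConfigNC = (Get-ADRootDSE).ConfigurationNamingContext

$Sites     = Get-ADObject -LDAPFilter '(objectClass=site)'     -SearchBase $ConfigNC -Properties whenCreated, description
$SiteLinks = Get-ADObject -LDAPFilter '(objectClass=siteLink)' -SearchBase $ConfigNC -Properties siteList
$Subnets   = Get-ADObject -LDAPFilter '(objectClass=subnet)'   -SearchBase $ConfigNC -Properties siteObject
# Every DC has an NTDS Settings object under CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
$NtdsDsa   = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)'  -SearchBase $ConfigNC

$Report = ForEach ($Site in $Sites) {
    $dn = $Site.DistinguishedName
    # siteList is multi-valued: count the links that reference this site's DN
    $LinkCount   = @($SiteLinks | Where-Object { $_.siteList -contains $dn }).Count
    # siteObject on a subnet points at the site it is assigned to
    $SubnetCount = @($Subnets   | Where-Object { $_.siteObject -eq $dn }).Count
    # A DC's NTDS Settings DN ends with the DN of the site it belongs to
    $DCCount     = @($NtdsDsa   | Where-Object { $_.DistinguishedName -like "*,CN=Servers,$dn" }).Count
    New-Object PSObject -Property @{
        Name          = $Site.Name
        SiteLinkCount = $LinkCount
        SubnetCount   = $SubnetCount
        DCCount       = $DCCount
        IsEmpty       = ($SubnetCount -eq 0 -and $DCCount -eq 0)   # assumed definition
        WhenCreated   = $Site.whenCreated
        Description   = $Site.description
    }
}

# Sites with SiteLinkCount 0, SubnetCount 0 or DCCount 0 are the remediation candidates
$Report | Sort-Object Name |
    Format-Table Name, SiteLinkCount, SubnetCount, DCCount, IsEmpty, WhenCreated, Description -AutoSize
```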

The Fine Print

This version of the script works with PowerShell v2 in your environment today. In AD PowerShell v3 there are new cmdlets to work with site links directly.

If you’re one of those who likes to note WAN speeds on site link descriptions, then you have a couple options:

  • Don’t run the script. It will overwrite your notes in the descriptions.
  • Export the descriptions, run this script, then manually add back the WAN speeds.

Unless you schedule this script to run as a scheduled task, you’ll need to run it again any time you update sites or site links. The descriptions are only as good as the last run of the script.

Currently the script inserts '<-->' between the site names. Feel free to edit this to your liking.

If you have 1,000,000,000 sites jammed into a single site link, then it is likely that the concatenated description string will be too long and break the script.  Don’t do that if you can avoid it.

Running this script is harmless to your environment’s functionality, but it will overwrite your existing site link descriptions. As always you should test it in a lab first.


Pushing out Firefox proxy settings with GPO


Unlike Internet Explorer, Mozilla Firefox is a third-party browser with no integration into Microsoft Windows, and it does not support remote administration by default. Yet there are tools that allow you to configure Firefox remotely, just like Internet Explorer. In order to follow these instructions you will need the freeware package FirefoxADM. It can be downloaded from the SourceForge repository:

Before proceeding with distribution of proxy settings for Firefox, download and extract the package FirefoxADM on a server with Active Directory.

1. Pushing out Firefox proxy settings with GPO

1.1. Open the relevant GPO for the site, domain or organizational unit in the Group Policy Object
1.2. Expand the following levels within the tree: User Configuration > Windows Settings > Scripts (Logon/Logoff)
1.3. Double-click “Proxy-settings” in the main policy area.
1.4. Click the “Show Files” button; this will display the folder the script will be stored in.
1.5. Copy and paste the script firefox_login.vbs from the FirefoxADM package into the folder.
1.6. Returning to the “Logon” properties window, click “Add”.
1.7. Browse to the location of the start scripts folder where the script was just copied to, select the file and click the “Open” button.
1.8. Click “OK” and then “OK” again to save the changes.

This has now configured the GPO to run a script which will lock down the Firefox settings when the machine first starts up. You now need to add and configure the Administrative Templates which will be used to define the locked-down proxy settings.

1.9. Expand the “User Configuration” level in the tree.
1.10. Right-click on ‘Administrative Templates’ and select ‘Add/Remove Templates’.
1.11. Click the ‘Add’ button and browse to the location of the startup template firefoxdefaults.adm, select the file and click “Open”. Click “Close”.
1.12. Expand the “Administrative Templates” level under ‘Computer Configuration’.
1.13. Select “Mozilla Firefox Default Settings” in the tree.
1.14. Double-click “Proxy Settings” in the main policy area.
1.15. Select the radio button “Enabled”.
1.16. At this point you can begin entering the proxy settings that are to be pushed to users; this information can be found in your provisioning email.
1.17. Once finished click “OK”.

FIX: IE Group Policy Preferences do not apply to Internet Explorer 9 in a 2008 R2 domain

Problem 1

Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 Group Policy Preference items do not apply to users who are running Internet Explorer 9.

Internet Explorer Group Policy Preference items include a targeting item that is a hidden file. This targeting item checks the version of Internet Explorer that is running to make sure that this version matches the version that is selected in the Group Policy Management Editor. This means, for example, that Internet Explorer 8 preference items only apply to computers that use Internet Explorer 8.

The targeting item fails because the version number of Internet Explorer 9 is greater than the minimum and maximum values that are selected in the preference item. Therefore, the preference item does not apply to Internet Explorer 9.

Problem 2

No Group Policy Preferences appear for Internet Explorer 9.

Internet Explorer settings in Group Policy Preferences are part of the Windows operating system. The general release dates for Windows Server 2008 and for Windows Server 2008 R2 pre-date the release of Internet Explorer 9. Internet Explorer 9 is precluded from shipping with updated Internet Explorer preferences. Therefore, Group Policy Preferences for Internet Explorer 9 are not supported in the release of Windows Server 2008 R2.