Open Group Policy Editor:
Link the policy to the relevant OU.
Navigate to User Configuration > Administrative Templates > Start Menu and Taskbar.
Edit "Prevent Changes to Taskbar and Start Menu Settings".
Set it to Enabled.
Press OK.
Note: To enforce group policy, navigate to Start > Run, type gpupdate /force and hit Enter.
Creating a Group Using a graphical user interface
Open Active Directory Users and Computers.
In the left pane, browse to the parent container of the new group, right-click on it, and select New > Group.
Enter the name of the group and select the group scope (global, domain local, or universal) and group type (security or distribution).
Click OK.
Using dsadd in command-line interface
dsadd group "<GroupDN>" -scope <GroupScope> -secgrp yes|no -desc "<GroupDesc>"
Where <GroupDN> Read more
$strComputer = "ComputerName"
$computer = [ADSI]("WinNT://" + $strComputer + ",computer")
$computer.name
$Users = $computer.psbase.children | where {$_.psbase.schemaclassname -eq "User"}
foreach ($member in $Users.psbase.syncroot) {$member.name}
Use this PowerShell script to rename Local Administrator Account on a list of remote machines.
#$erroractionpreference = "SilentlyContinue"
$a = New-Object -comobject Excel.Application
$a.visible = $True
$b = $a.Workbooks.Add()
$c = $b.Worksheets.Item(1)
$c.Cells.Item(1,1) = "Machine Name"
$c.Cells.Item(1,2) = "Account Renamed"
$c.Cells.Item(1,3) = "Report Time Stamp"
$d = $c.UsedRange
$d.Interior.ColorIndex = 19
$d.Font.ColorIndex = 11
$d.Font.Bold = $True
$intRow = 2
foreach ($strComputer in Read more
PowerShell script to find all Active Directory admins in domain
Get-QADUser -ldapFilter '(SamAccountName=*.admin)' | Export-Csv filename.csv
Get-QADUser -SearchRoot 'domainname.com/OuName'|%{$_.TsProfilePath ='\ServerName1profilesshare' + $_.sAMAccountName;$_.CommitChanges();}
Change values in RED:
Where domainname.com - Fill your domain name
Where OUName – Fill desired OU name
Where \ServerName1profilesshare – fill your file server name and terminal servers profiles share path
Note: I suggest testing it very well before applying to a production environment
Use this script to check user group membership in Windows Domain Active Directory
$root=([adsi]"").distinguishedName
$ou=[adsi]("LDAP://ou=x,ou=y,ou=z,"+$root)
# fill with the user's CN ("Common Name")
$user=$ou.psbase.children.find("cn=targetCN")
$groups = $user.memberof
foreach($group in $groups)
{
$strGroup = $group.split(',')[0]
$strGroup = $strGroup.split('=')[1]
$strGroup
}
Things to consider before migration to new hardware
Are you going to keep the same DC host name?
Are you going to use the same IP address?
If you are changing the name and IP, will it have an influence on your network (firewall rules, etc.)?
Is the server a DHCP server?
Is the server a root CA? - I'm not sure if you can migrate an Enterprise Root CA - maybe restore from backup
Is the server a Global Catalog?
Preparation steps
Make full Backup of your Active Directory
Install new server and join it to Read more
The script below allows you to locate users with invalid logon attempts
$strFilter = "(&(objectCategory=User)(badPwdCount>=0))"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$colProplist = "name"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}
$colResults = $objSearcher.FindAll()
foreach Read more
In Windows 2003 and later you can use AD saved queries, but for a Windows 2000 domain the only way is by using CSVDE/LDIFDE.
The following command should do the work; you will receive the output as a file:
csvde -f outputfilename.csv -d "dc=domain,dc=com" -r "(&(mailnickname=*)(proxyAddresses=smtp:email@yourdomain.com))" -l name
Change "dc=domain,dc=com" to your AD domain name and suffix, and replace email@yourdomain.com with the email address you're looking for.
To find all recipients who have an email address Read more