When searching for users in Active Directory using PowerShell, the ActiveDirectory module is often one of the first things that comes in to mind. The module has been around for quite som time now but there is one problem that many users still stumbles on, the Filter parameter. There are basically three methods for searching after a user with Get-ADUser.
I’ve previously written about how to generate a random password and how to output a password in phonetic alphabet. Today I’m going to put those two functions to use in a practical example. Scenario: Carl is a helpdesk agent and today he is feeling a bit stressed out. There has been an outage on one of the business critical systems and the phones are constantly ringing. One of the calls is a user who forgot his password and Carl quickly asks the usual control questions to make sure that the user is who he claims to be, locates the user account and clicks on reset password.
I once wrote a post on how to generate random passwords that would comply with Active Directory complexity rules quite a while back. My script on TechNet Gallery has now reached over 2000 downloads and I thought it might be time to revisit the topic with a few updates. First off I’ve just updated the script, mainly for better performance. I’ve also realized that a common scenario is when a user calls the service desk asking for a new password.
[TL;DR: I’ve written a script to bulk restore objects from Active Directory Recycle Bin, it is available on TechNet Galleries] Active Directory Recycle Bin The Active Directory Recycle Bin is a nifty feature introduced with Windows Server 2008 R2 and makes it possible to undo an accidental deletion of an Active Directory object. This means that if the Active Directory Recycle Bin is enabled, all link-valued and non-link-valued attributes of a deleted object are preserved and the object can be restored in its entirety.
When working with Active Directory and Powershell using ldap filters is a great way of searching the directory with great performance. The only problem is that ldap filters tend to be a bit hard to read and sometimes they appear to be a jitter of parentheses with some cryptic values in between. When I write ldap filters I usually write them as multiline indented text, for example let say I wanted to search for all users (not contacts or computers) that is enabled and not set to expire.