Active Directory

Restore OU-tree from AD Recycle Bin with PowerShell

[TL;DR: I’ve written a script to bulk restore objects from the Active Directory Recycle Bin; it is available on TechNet Gallery.]

Active Directory Recycle Bin

The Active Directory Recycle Bin is a nifty feature introduced with Windows Server 2008 R2 that makes it possible to undo an accidental deletion of an Active Directory object. When the Recycle Bin is enabled, a deleted object keeps all of its link-valued and non-link-valued attributes (group memberships included) for the deleted object lifetime, so it can be restored in its entirety instead of being reanimated from a stripped-down tombstone.
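The catch when restoring a whole OU tree is ordering: a child cannot be restored while its parent is still in CN=Deleted Objects, and a child's lastKnownParent only resolves to the original parent DN once that parent is back in place. The following is an added example written for this page, not the TechNet script the post refers to. It assumes the RSAT ActiveDirectory module and an enabled Recycle Bin; the OU name "Sales" and the domain DN are constructed.

```powershell
# Added example (not the author's TechNet script). Assumes the RSAT ActiveDirectory module
# and an enabled AD Recycle Bin. 'Sales' and 'DC=contoso,DC=com' are constructed values.
Import-Module ActiveDirectory

function Restore-DeletedOUTree {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # The deleted top-level OU, as returned by Get-ADObject -IncludeDeletedObjects
        [Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADObject]$DeletedOU
    )

    # Restore the parent first. lastKnownParent is a DN-syntax attribute: while the parent
    # is deleted it points at the mangled "OU=Sales\0ADEL:<guid>,CN=Deleted Objects,..." name
    # and only reads as the original DN again after the parent has been restored.
    if (-not $PSCmdlet.ShouldProcess($DeletedOU.DistinguishedName, 'Restore-ADObject')) { return }
    $restoredTop = Restore-ADObject -Identity $DeletedOU.ObjectGUID -PassThru
    $restored = @($restoredTop)

    # Breadth-first: restore every deleted object whose lastKnownParent is a container we have
    # just restored, then descend into those children that are containers themselves.
    # Because children are only discoverable after their parent is live, -WhatIf shows the
    # top-level OU only.
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($restoredTop.DistinguishedName)
    while ($queue.Count -gt 0) {
        $parentDN = $queue.Dequeue()
        $children = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
            -Filter { isDeleted -eq $true -and lastKnownParent -eq $parentDN }
        foreach ($child in $children) {
            if (-not $PSCmdlet.ShouldProcess($child.DistinguishedName, 'Restore-ADObject')) { continue }
            $obj = Restore-ADObject -Identity $child.ObjectGUID -PassThru
            $restored += $obj
            if ($obj.ObjectClass -in 'organizationalUnit', 'container') {
                $queue.Enqueue($obj.DistinguishedName)
            }
        }
    }
    $restored
}

# Usage: find the deleted OU by its pre-deletion RDN and parent, then restore the tree.
# If the same OU has been deleted more than once, narrow the match (e.g. on whenChanged).
$deleted = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, 'msDS-LastKnownRDN' `
    -Filter { isDeleted -eq $true -and objectClass -eq 'organizationalUnit' } |
    Where-Object { $_.'msDS-LastKnownRDN' -eq 'Sales' -and $_.lastKnownParent -eq 'DC=contoso,DC=com' }
Restore-DeletedOUTree -DeletedOU $deleted -WhatIf
```

Restoring by ObjectGUID rather than by name avoids ambiguity when several deleted objects share the same mangled name prefix, and querying children only after their parent is live is what makes a single pass sufficient, however deep the tree is.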

Parse netlogon.log using PowerShell to find missing Subnets

[TL;DR: I’ve written a script to retrieve IP addresses from subnets not defined in Active Directory. It is published on TechNet Gallery: Get-MissingSubnets.] Active Directory uses Sites to define where in the network topology a computer resides, and thereby which servers it should use for certain services. For example, sites determine which Domain Controller a client uses as its logon server; if one of my clients logs on at a site somewhere in Australia, I probably don’t want it processing Group Policy from a Domain Controller in the US. A client whose IP address falls outside every subnet defined in AD cannot be mapped to a site at all, and each Domain Controller records such clients as NO_CLIENT_SITE entries in netlogon.log.
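Below is an added example of the parsing step, written for this page and not the Get-MissingSubnets script itself. The log lines are constructed to mimic the NO_CLIENT_SITE entries netlogon.log writes, and the subnet list stands in for what Get-ADReplicationSubnet would return; the hostnames and addresses are invented.

```powershell
# Added example (not the author's Get-MissingSubnets script). Sample log lines and the
# subnet list are constructed; on a real DC read "$env:SystemRoot\debug\netlogon.log" and
# (Get-ADReplicationSubnet -Filter *).Name instead.
function Get-NoClientSiteEntries {
    param([string[]]$Lines)
    # Matches both the older "date time DOMAIN: NO_CLIENT_SITE: host ip" layout and the newer
    # one with a [pid] field. IPv4 only; IPv6 clients are logged the same way but skipped here.
    $re = '^(?<date>\d{2}/\d{2})\s+(?<time>[\d:]{8})\s+(?:\[\d+\]\s+)?(?<domain>\S+):\s+NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>(?:\d{1,3}\.){3}\d{1,3})\s*$'
    foreach ($line in $Lines) {
        if ($line -match $re) {
            [pscustomobject]@{
                Date = $Matches.date; Time = $Matches.time; Domain = $Matches.domain
                Computer = $Matches.host; IPAddress = [ipaddress]$Matches.ip
            }
        }
    }
}

function ConvertTo-BitString([ipaddress]$ip) {
    # 32-character binary string; lets us compare prefixes without unsigned shift quirks.
    -join ($ip.GetAddressBytes() | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
}

function Test-InSubnet {
    param([ipaddress]$Address, [string]$Cidr)   # $Cidr like '10.1.0.0/16'
    $net, $bits = $Cidr -split '/'
    $bits = [int]$bits
    (ConvertTo-BitString $Address).Substring(0, $bits) -eq (ConvertTo-BitString ([ipaddress]$net)).Substring(0, $bits)
}

function Get-MissingSubnets {
    param([string[]]$LogLines, [string[]]$DefinedSubnets, [int]$PrefixLength = 24)
    Get-NoClientSiteEntries -Lines $LogLines |
        Where-Object {
            # Drop entries that are already covered (e.g. a subnet added after the log was written).
            $ip = $_.IPAddress
            -not ($DefinedSubnets | Where-Object { Test-InSubnet -Address $ip -Cidr $_ })
        } |
        Group-Object { (ConvertTo-BitString $_.IPAddress).Substring(0, $PrefixLength) } |
        ForEach-Object {
            $b = $_.Name.PadRight(32, '0')
            $octets = 0..3 | ForEach-Object { [Convert]::ToInt32($b.Substring($_ * 8, 8), 2) }
            [pscustomobject]@{
                CandidateSubnet = ($octets -join '.') + "/$PrefixLength"   # a starting point, not the true prefix
                Clients         = ($_.Group.Computer | Sort-Object -Unique) -join ', '
                Addresses       = ($_.Group.IPAddress.IPAddressToString | Sort-Object -Unique) -join ', '
                Entries         = $_.Count
            }
        }
}

# Constructed sample input. The SamLogon line is there to show non-matching lines are ignored.
$sampleLog = @(
    '03/14 08:02:11 [4120] CONTOSO: NO_CLIENT_SITE: WKS-0421 10.42.7.15',
    '03/14 08:02:40 [4120] CONTOSO: NO_CLIENT_SITE: WKS-0388 10.42.7.22',
    '03/14 08:03:05 [4120] CONTOSO: NO_CLIENT_SITE: LAPTOP-7 10.42.7.15',
    '03/14 08:05:52 [4120] CONTOSO: NO_CLIENT_SITE: SRV-AU01 172.16.9.4',
    '03/14 08:06:10 [4120] CONTOSO: NO_CLIENT_SITE: WKS-0102 10.1.3.40',
    '03/14 08:06:11 [4120] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-0102 Entered'
)
$definedSubnets = '10.1.0.0/16', '192.168.0.0/16'

Get-MissingSubnets -LogLines $sampleLog -DefinedSubnets $definedSubnets | Format-Table -AutoSize
```

With the sample input this reports 10.42.7.0/24 (two distinct clients, three entries) and 172.16.9.0/24; 10.1.3.40 is dropped because 10.1.0.0/16 already covers it. The /24 grouping is only a guess to make the list manageable; the real prefix has to come from whoever owns the network, and NO_CLIENT_SITE logging is only written when the DC's Netlogon debug flags include it, so an empty result does not prove every subnet is defined.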

Working with complex ldap filters in Powershell

When working with Active Directory from PowerShell, LDAP filters are a great way of searching the directory with good performance. The only problem is that LDAP filters tend to be hard to read; sometimes they look like a jumble of parentheses with cryptic values in between. When I write LDAP filters I usually write them as multiline, indented text. For example, let’s say I want to search for all users (not contacts or computers) that are enabled and not set to expire.
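The following is an added example of that technique, written for this page rather than taken from the post. It keeps the filter readable in a here-string, collapses it before handing it to the ActiveDirectory module, and checks that the parentheses balance, since an unbalanced filter produces an unhelpful error from the server. The search base is a constructed DN.

```powershell
# Added example (not the post's own code). The OU in the Get-ADUser line is constructed.
function ConvertFrom-IndentedLdapFilter {
    param([Parameter(Mandatory)][string]$Filter)
    # Remove only line breaks and the indentation at the start of each line, so spaces that
    # belong to attribute values, e.g. (cn=John Smith), survive untouched.
    $compact = $Filter -replace '(?m)^[ \t]+|\r?\n', ''
    # Sanity check: every '(' must be closed before the filter goes to the directory.
    $depth = 0
    foreach ($c in $compact.ToCharArray()) {
        if ($c -eq '(') { $depth++ } elseif ($c -eq ')') { $depth-- }
        if ($depth -lt 0) { throw "Unbalanced ')' in LDAP filter" }
    }
    if ($depth -ne 0) { throw "LDAP filter has $depth unclosed '('" }
    $compact
}

# Enabled user accounts (not contacts, not computers) that never expire.
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, 2 is ADS_UF_ACCOUNTDISABLE, and
# accountExpires is 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) for "never".
$ldapFilter = ConvertFrom-IndentedLdapFilter @'
(&
    (objectCategory=person)
    (objectClass=user)
    (!(userAccountControl:1.2.840.113556.1.4.803:=2))
    (|
        (accountExpires=0)
        (accountExpires=9223372036854775807)
    )
)
'@

$ldapFilter   # one line, ready for -LDAPFilter
Get-ADUser -LDAPFilter $ldapFilter -SearchBase 'OU=Users,DC=contoso,DC=com' -Properties accountExpires
```

The objectCategory/objectClass pair is what excludes contacts (objectClass contact, objectCategory person) and computers (objectClass computer, objectCategory computer); objectClass=user alone would match computer accounts too.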

Using Standalone Managed Service Accounts for Scheduled Tasks

Managed Service Accounts were a feature introduced in Windows Server 2008 R2 that gave us service accounts with automatic password management, meaning that the password of such an account is changed regularly without any human interaction. The downside of standalone Managed Service Accounts is that each can only be used from a single computer. This is solved by Group Managed Service Accounts, introduced in Windows Server 2012. In Windows Server 2012 these accounts can also be used as the RunAs account of a scheduled task, but this cannot be configured in the GUI.
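Here is an added example of the whole procedure, written for this page and not taken from the post: creating a standalone MSA, binding it to the host, and registering a scheduled task that runs as it through the ScheduledTasks module. It assumes the RSAT ActiveDirectory module on a domain-joined Windows Server 2012 or later host; the account name, script path and task name are constructed.

```powershell
# Added example (not the post's own code). svc_backup, C:\Scripts\Backup.ps1 and the task
# name are constructed. Run on the computer that will execute the task.
Import-Module ActiveDirectory

$msaName = 'svc_backup'                      # sAMAccountName becomes svc_backup$
$domain  = (Get-ADDomain).NetBIOSName

# 1. Create the standalone MSA and bind it to this computer. A sMSA can be installed on
#    exactly one host; for several hosts use a gMSA (-PrincipalsAllowedToRetrieveManagedPassword).
New-ADServiceAccount -Name $msaName -RestrictToSingleComputer -Enabled $true
Add-ADComputerServiceAccount -Identity $env:COMPUTERNAME -ServiceAccount $msaName
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName is not usable on $env:COMPUTERNAME"
}

# 2. Register the task. The GUI cannot select an MSA; with the ScheduledTasks cmdlets the
#    principal is DOMAIN\name$ with LogonType Password, so the task runs whether or not
#    anyone is logged on and no password is ever stored in the task.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId ('{0}\{1}$' -f $domain, $msaName) `
                 -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'Nightly backup' -Action $action -Trigger $trigger -Principal $principal

# 3. Verify: the task should show the MSA as its principal and run without prompting.
(Get-ScheduledTask -TaskName 'Nightly backup').Principal
Start-ScheduledTask -TaskName 'Nightly backup'
```

Grant the MSA only the rights the script needs (file system ACLs, "Log on as a batch job" if your policy restricts it); since no human ever knows its password, it is a good fit for unattended jobs, but a task running as it with -RunLevel Highest is still a privileged foothold on that host.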