Showing posts from October, 2010

How to recover an object from the AD Recycle Bin

Once you have activated your AD Recycle Bin, you can recover any deleted object from that point forward. To recover a deleted object, open the PowerShell console with the AD modules loaded. On Server 2008 R2, click Start \ Active Directory Module for Windows PowerShell.

First we need to verify that the object is still in the AD Recycle Bin. The account we are looking for in this example is User3. Type the following line in the Windows PowerShell console:

Get-ADObject -Filter {DisplayName -like "User*"} -IncludeDeletedObjects

We can see the full name of the object that we need to recover, User3. Now type:

Get-ADObject -Filter {DisplayName -eq "User3"} -IncludeDeletedObjects | Restore-ADObject

A quick check of Active Directory Users and Computers will show the restored object and all of its properties.
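As an added example (not code from the original post), the function below wraps the search-and-restore above and handles two cases the one-liner does not: the wildcard matching more than one tombstone, and a parent OU that was deleted together with the object. The function name and its -FallbackTargetPath parameter are my own, not part of the ActiveDirectory module.

```powershell
# Added example: restore an AD Recycle Bin object by DisplayName, refusing to
# guess when several tombstones match and coping with a deleted parent OU.
Import-Module ActiveDirectory

function Restore-DeletedADObjectByDisplayName {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,  # e.g. "User3"
        [string] $FallbackTargetPath                    # hypothetical: OU DN to restore into if the original parent is gone
    )

    # Only tombstoned objects; `$true is escaped so the AD filter parser sees the literal.
    $found = @(Get-ADObject -Filter "DisplayName -eq '$DisplayName' -and isDeleted -eq `$true" `
                            -IncludeDeletedObjects `
                            -Properties DisplayName, lastKnownParent, whenChanged)

    if ($found.Count -eq 0) {
        throw "No deleted object with DisplayName '$DisplayName' found in the AD Recycle Bin."
    }
    if ($found.Count -gt 1) {
        # The same display name was deleted more than once: list them and stop
        # rather than restore the wrong account.
        $found | Format-Table Name, ObjectClass, lastKnownParent, whenChanged -AutoSize | Out-String | Write-Warning
        throw "Multiple matches; pick the right one and run Restore-ADObject -Identity <ObjectGUID>."
    }
    $obj = $found[0]

    # lastKnownParent is a linked DN: if the parent OU was deleted too, it now points into
    # CN=Deleted Objects, and Restore-ADObject needs the parent restored first or a -TargetPath.
    if ($obj.lastKnownParent -notmatch 'CN=Deleted Objects') {
        Restore-ADObject -Identity $obj.ObjectGUID
    } elseif ($FallbackTargetPath) {
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $FallbackTargetPath
    } else {
        throw "Parent '$($obj.lastKnownParent)' is also deleted; restore it first or pass -FallbackTargetPath."
    }

    # Return the live object so the caller can confirm the DN and attributes came back intact.
    Get-ADObject -Identity $obj.ObjectGUID -Properties DisplayName, DistinguishedName
}

# The post's scenario:
# Restore-DeletedADObjectByDisplayName -DisplayName 'User3'
```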

In a Get-Help -Full, what does the Position parameter mean?

In PowerShell, you can get a wealth of information from the Get-Help cmdlet. For example, if you type Get-Help Get-Command, you receive basic help for the cmdlet Get-Command. For detailed information, type Get-Help Get-Command -Full. The first section of this expanded help is the basic information for the cmdlet: the syntax, a description and, in some cases, related commands. The next section lists the parameters, and the third gives examples. We will focus on the parameters section. Below is the parameter Name from Get-Command.

-Name
Gets information only about the cmdlets or command elements with the specified name. The value represents all or part of the name of the cmdlet or command element. Wildcards are permitted. To list commands with the same name in execution order, type the command name without wildcard characters. For more information, see the Notes section.

Required? false
Position? 1
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard c…

What are the drive types enumerated by Win32_LogicalDisk?

In PowerShell, we can leverage the WMI interface to enumerate the properties of the hardware inside our clients. A simple PowerShell script to do that is:

$computer = "LocalHost"
$namespace = "root\CIMV2"
Get-WmiObject -Class Win32_LogicalDisk -ComputerName $computer -Namespace $namespace
The information below is an example of the returned data. Remember, this script returns this set of data for every drive connected to the client at the time it was executed.

__GENUS : 2
__CLASS : Win32_LogicalDisk
__SUPERCLASS : CIM_LogicalDisk
__DYNASTY : CIM_ManagedSystemElement
__RELPATH : Win32_LogicalDisk.DeviceID="E:"
__PROPERTY_COUNT : 40
__DERIVATION : {CIM_LogicalDisk, CIM_StorageExtent, CIM_LogicalDevice, CIM_LogicalElement...}
__SERVER : FERRARI5X64
__NAMESPACE : …

How To Decrypt many files in AD RMS When You Do Not Have Access to Them

Active Directory Rights Management Services (AD RMS) is a security tool that you can deploy to your users that allows them to determine what kind of access users or groups have to the content they generate. A very good question from class is how you decrypt the data if you need access to it but were not given AD RMS rights. The answer is the AD RMS Bulk Protection Tool. You can download it from here. Once you have downloaded the .msi file, double-click it to install it.

- Click Next.
- Check I accept the terms in the License Agreement and click Next.
- Click Next.
- Click Install.
- Click Finish when the installation completes.

To start using the AD RMS Bulk Protection Tool:

- Click Start / All Programs / AD RMS Bulk Protection Tool / AD RMS Bulk Protection Tool.
- A special command prompt window will open. Give it a few seconds to finish loading…

Use Group Policy to configure clients for Network Access Protection

Network Access Protection is another tool in your arsenal to protect your networks. With it, you can make sure your defenses are on, stay on, and are up to date. NAP also provides the tools to help make remediation of any problems automatic. Your clients need several configuration changes in order to respond to NAP. They are:

- Security Center must be turned on.
- The NAP service must be running.
- The proper NAP Enforcement Client must be enabled.

You can achieve this using Group Policy. Just make sure this GPO is applied to all your clients.

Security Center: Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Security Center \ Turn on Security Center (Domain PCs Only). Set this object to Enabled.

NAP Service: Computer Configuration \ Policies \ Windows Settings \ System Services \ Network Access Protection Agent. Check Define this policy setting and then select Automatic.

NAP Enforcement Client: Computer Configuration \ Policies \ Wi…

How to set up a security group to be email-enabled

In an Exchange environment, only Universal Groups can be email-enabled. To convert a Global or Domain Local group to a Universal Group:

- Open the properties of the group.
- In the Group Scope box, click Universal.
- Click OK.

To mail-enable the group:

- Click Start / All Programs / Microsoft Exchange Server 2010 / Exchange Management Console.
- Expand Microsoft Exchange / Microsoft Exchange On-Premises / Recipient Configuration.
- Click Distribution Group.
- Click New Distribution Group in the Action pane.
- Select Existing Group and click Browse.
- Click the group and then click OK.
- Click Next.
- Provide an Alias for the group and click Next.
- Click New.
- Click Finish.

The group is now email-enabled.

To email-enable an existing universal group with PowerShell:

- Click Start / All Programs / Microsoft Exchange Server 2010 / Exchange Management Shell.
- We will assume the name of the group is Group1 with an SMTP address of
- Type Enable-DistributionGroup -Identity "Group1" -Alias "Group 1" -D…

DHCPv6 installation guide for Windows Server 2008 R2

This guide is intended to help network administrators deploy IPv6 using the DHCPv6 server in Windows Server 2008 R2. This lab procedure was produced on a Windows Server 2008 R2 Hyper-V server running two virtual machines. One is a Windows Server 2008 R2 server and the second is a Windows 7 Professional client. The server is a domain controller with the DHCP service installed, and the client is a member of the domain. The DHCP server needs to be set up for IPv6 stateful configuration.

- Open Server Manager.
- Click Roles.
- Click Add Roles.
- Click Next.
- Check DHCP Server and click Next.
- Click Next.
- In the Select Network Connection Bindings window, select the network adapters that you would like to use for DHCP and then click Next.
- In Specify IPv4 DNS Server Settings, enter the correct information for your network and click Next.
- In Specify IPv4 WINS Server Settings, give the information appropriate for your environment and click Next.
- In the Add or Edit DHCP Scopes window, click Next.
- In the Configure DHCPv6…

How to use Group Policy to populate the Remote Desktop Users group on clients

For many organizations, Group Policy is the option of choice for one-to-many administration. In particular, we are going to look at the GPO setting for Restricted Groups. For this to work, make sure this policy setting applies only to the organizational unit that contains the clients on which you want to set group membership.

- Open Group Policy Management.
- Create a GPO and give it the name of your choice.
- Edit the policy.
- Expand Computer Configuration \ Windows Settings \ Security Settings \ Restricted Groups.
- Right-click Restricted Groups and select Add Group.
- Click Browse.
- Type Remote and click Check Names.
- Click OK.
- Click OK. You should see the window below.

In the Members of this group section, click Add. Add the users or groups that you want to be members of the Remote Desktop Users group. Click Browse if you need help finding the users or groups. This also ensures that these users and groups are the only accounts listed in this group. To add others later or to…

RDC client upgrade for Windows XP

The following link will take you to the Microsoft article on upgrading your XP RDC clients to the Windows 7 / Server 2008 R2 compatible version. Take note of the Known Issues section. Upgrading your RDC clients will allow you to take advantage of the following, should your OS support these options:

Web Single Sign-On (SSO) and Web forms-based authentication: Remote Desktop (RD) Web Access now uses forms-based authentication to improve the user experience. Web SSO makes sure that after a user is logged on, no additional passwords are required for RD Gateway, RD Session Host servers and RemoteApp programs. For security, Web SSO requires remote applications to be signed using a certificate from a trusted issuer.

Access to personal virtual desktops by using RD Connection Broker: Users can access personal virtual desktops when they use the new Remote Desktop Virtualization Host in Windows Server 2008 R2. Personal desktops are assigned to users on a one-to-one basis and maintain state over ti…

How to get Windows XP applications compatible with Windows 7

The simple truth is that not all applications will be compatible with Windows 7. Since Windows Vista, parts of the OS and registry are no longer accessible for applications to modify. There are several methods to mitigate application compatibility issues. One of them is Windows XP Mode for Windows 7. You must be running the Windows 7 Professional, Business, or Ultimate edition to use Windows XP Mode, and you will also need to install Virtual PC on Windows 7. Below are the links to download your copy of Windows XP Mode and the installation instructions. Once you have Windows XP Mode installed, install your application in XP Mode and give it a try.

Windows XP Mode download:
Installation instructions:

What is the maximum number of domains a forest can contain?

The answer to this question depends on the operating system of your forest:

- Windows 2000: 800 domains
- Windows 2003/2008: 1200 domains

These are Microsoft's recommendations. Another interesting note is that your domain controllers can only create 2,147,483,393 objects before they can no longer create any new ones. I think it is safe to say that most organizations will not hit this limit in a domain controller's lifetime.

How to import the Active Directory modules into PowerShell.

In PowerShell V1, I was a bit disappointed with the lack of Active Directory support built into PowerShell. With V2 and the RSAT (Remote Server Administration Tools), you have much greater management capability over your AD environment with PowerShell.

The first step is to get your PowerShell configured for AD. On a Windows Server 2008 R2 domain controller, this is easy. Just click Start / Windows PowerShell Modules. That will bring up a PowerShell console with all the new goodies loaded up. Now, what about the ISE?

To load the AD modules in the ISE, I have a small script that I use. I just run it and I'm ready to go. You can also include this as a function in your own scripts to avoid having to run a supporting script.

===========================================
Script Name: ImportAD.ps1
Author: Jason A. Yoder, MCT
Company: MCTExpert, Inc.
Website:
Blogsite:
Date: 2010AUG24
Script Purpose: install the Active Directory components of…