Showing posts from July, 2012

How to get the FSMO roles in PowerShell

Even though our domains are multimaster domains, not all functionality can be handled by each machine independently. For example, let’s take a look at the RID Master role. A RID is what uniquely identifies all security objects in a domain. A security object is either a user, computer, group, or INetOrgPerson. Each of these objects has a Security Identifier (SID). A SID looks like this: S-1-5-21-576790344-2948317706-4057815606-1702

To break this down:

S: The string is a SID
1: The revision level
5: The identifier value. Possible identifier authority values are: 0 – Null Authority, 1 – World Authority, 2 – Local Authority, 3 – Creator Authority, 4 – Non-unique Authority, 5 – NT Authority, 9 – Resource Manager Authority
576790344-2948317706-4057815606: Domain or local computer identifier
1702: Relative Identifier (RID). This is unique in the domain.

Active Directory uses the SID to identify an object that can have security access assigned to it. You and I use the user name. The user name maps to a SID w…

Easily open a Remote PowerShell Session on Server 2012

The GUI is good, but PowerShell is better. Many IT Pros in my classes are confused about why we are moving more and more to text-based administration. All I can say is “everything old is new again.” Remember back in the day when we had the expensive mainframe that was larger than most people’s living rooms? End users accessed it via terminals. We moved on to the Client/Server model when hardware began to shrink and became cheaper. Now we are moving to virtualized desktops and are accessing them from terminals. Well, the same thing is happening on the administrative side. We used to do everything in text when it came to network administration. With Windows NT 3.5, we started doing it graphically. This made management very intuitive. There are some limitations though. Suppose I needed to find all user SIDs that ended in 4 and were both part of the Newark OU and also in both the Finance and HR security groups. If I find them, I need to change their address and add them to anoth…

Create a New Password Setting Object in Windows Server 2012

Password Setting Object (PSO) is another name for Fine-Grained Password Policies. These PSOs allowed us to set up a different password policy based on security group membership. For example, an employee who is working on a multibillion-dollar drug might need to have more characters in their password and more frequent password changes than someone who does not handle critical company data. PSOs allow us to do that. Up until now, PSOs were created with the ADSI Edit application or PowerShell. Now, we can use the Active Directory Administrative Center.

1. Open the Active Directory Administrative Center.
2. Change to Tree View.
3. Expand System.
4. Click Password Settings Container.
5. Right-click Password Settings Container and then select New –> Password Settings.

Here you can see all the settings that go into a PSO. A few items to point out.

Precedence: In the case of a conflict in which a user is a member of more than one group with different PSOs assigned to each group, the one with the Precedence numb…

Enable Active Directory Recycle Bin in Server 2012

In Windows Server 2008 R2, we had a new and very welcome feature added into our administrative tool bag. The Active Directory Recycle Bin allowed us to bring back deleted objects from Active Directory without losing any property of that object. Turning it on was an issue. Below is how you turn on the AD Recycle Bin in a 2008 R2 forest with a domain named.

1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER: For this example, my domain is

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=MCTNet,DC=COM' -Scope ForestOrConfigurationSet -Target ''

With Server 2012, you can now turn on the AD Recycle Bin in the GUI. On a 2012 Domain Controller, op…

Join Windows Server 2012 to a Domain from Server Manager

When you first install Windows Server 2012, you will notice you are not asked for the name of the server during the installation. This is because a random name is generated. Take a look at the section of the server manager below. Make sure you click Local Server. Notice the name. In this exercise we are going to change the name and join this server to the domain. In reality, this process has not changed much since Windows 2000.

1. Click on either the Computer name or the WORKGROUP name. The System Properties window that we are familiar with appears.
2. Click the Change button.
3. Provide the new name for this server and the name of the domain. Click OK.
4. Provide the appropriate credentials to add a client to this domain.
5. Once you get the welcome message, click OK.
6. Click Close and then Restart Now.

That is it for the GUI method of adding a server to your domain.

Running PowerShell as an Administrator from Server Core

Here is one that I had not thought of. I’m exploring some AD DS installation options for Server Core. While looking around, I discovered that I needed to update my Help files. No problem except you need to open PowerShell as an administrator. From the command prompt, start was something that I had not done. After some exploring I came up with this.

1. Type PowerShell to enter a PowerShell session.
2. Type Start-Process PowerShell -Verb RunAs and press Enter.

No problems updating help now.

Shutting Down Windows 8 on a PC

As we continue our march to Microsoft’s biggest redesign of the Windows user interface in over a decade, Windows 8, we need to be on the lookout for a few interface changes that may frustrate our users. Here is one: how to shut down Windows 8.

To shut down Windows 8, you need to access the Charm Bar. You can do this by moving your mouse to the upper or lower right. I’ve noticed that this is especially difficult in an RDP connection. Your other option is to press Window_Key + C.

1. Click Settings.
2. Inside the Settings charm, click Power and then Shut Down.

This may be something to include in your initial end user training for Windows 8. Users will more than likely be frustrated with this interface at first. Taking the time to demonstrate to your end users will greatly help in end user acceptance of Windows 8.

Server 2012 makes sure you see when updates are available.

As I continue my transition of my physical servers from Windows Server 2008 R2 to Windows 2012, I’m taking note of the changes. Below is a screen shot of the message you get when Windows 2012 has a pending update. The rest works like Server 2008.