Active Directory

Which Active Directory Group Policies are being Applied to your Accounts

Playing a bit of detective, I started reviewing Active Directory Group Policies that had been applied to workstations, in an attempt to resolve a few reported concerns regarding polices being applied successfully.

Using the gpresult command I was able to output all of the polices applied. The command requires the specification of scope to be issued correctly.  Example below:

 

Policies applied to your user account:

gpresult /Scope User /v

 

Policies applied to your Computer:

gpresult /Scope Computer /v

Ref: https://technet.microsoft.com/en-us/library/dn265978(v=ws.11).aspx

Only settings that have been applied to your machine and user account will show up.

 

Oh! And yes there is Graphical Interface for this tool.
You can get to it by executing the following steps below:

Type rsop.msc into the run box , then hit enter

A pop-up dialog will show while querying your system.

Once the console opens you will be able to see which settings have been applied to your PC.

 

 

How to demote a Windows Server 2012 Domain Controller

In this short write up I will go over steps to demote a Server 2012 domain controller.

If you have worked in Active Directory and Windows Domain Administration over the years you may recall that in previous version of Windows Server that you would use the command line tool of ‘DCPROMO’ to promote or demote a server. Since Server 2012, the use of DCPROMO has been deprecated. In fact, if you attempt to use it you will be inform of this via the Active Directory Domain Service Installed.

In Server 2012 and later versions the use of Server Manager or PowerShell is required to promote / demote a server to/from a Domain Controller (DC). Below I provide steps on how to demote a server with some illustration along the way. Also, here is a quick YouTube video on the process: https://youtu.be/sBK2_APaDdg

Log into the domain controller you intend on demoting and Launch the Server Manager, select the Manage drop down menu, select Remove roles and features.

On the server selection page, select the desired server from the pool.

On the Remove Roles and Features Wizard, un-tick the Active Directory Domain Services box

The Remove Roles and Features dialog box will open. Click Remove features

On the Remove Roles and Features Wizard dialog box Validation Results box will appear. The domain controller must be demoted before continuing. Click on Demote this domain controller.

On the Active Directory Domain Services Configuration Wizard enter the required credentials to demote this server, click Next.

You will have several removal options. From the forced remove of failed domain member, to removing of the last domain in your forest. Make the selections which is appropriate for your remove task and click Next

Finally you will arrive on the New Administrator Password, enter and confirm the new local administrator account password, click Next.

On the Review Options verify the information is correct and click Demote.

After the server has restarted it will no longer be a domain controller

And that is it.

PowerShell: Unlock Active Directory Users Account

Use:

 

  • Listing account lockouts in Active Directory
  • Unlocking locked out accounts

# Open PowerShell or PowerShell ISE with an account with rights to unlock accounts
# Import the Actice Directory Module to PowerShell
#
Import-Module ActiveDirectory
#
# Run the Search-ADAccount command to search for accounts that are locked out
# Accounts locked out will be displayed
#
Search-ADAccount -LockedOut
#
#
# To unlock multiple {All} accounts the following command can be used
Search-ADAccount -LockedOut | Unlock-ADAccount
#

This could be useful if you wanted to somehow send an email to a ticket system so that you log and create IT tickets of account lockouts. A good way for your IT staff to track those types of activities that they do spend time on.

 

Tech Short: Using PowerShell to join Computer to AD Domain

Working on a server installation I decided to use a simple yet effective power-shell command to join a Windows Server 2012/R2 system to our domain.

For the sake of brevity lets just show you.

Requirements:

  • Admin access to the computer/server you are joining to the domain along with permissions in the AD domain to join machines
  • Connected to the network where the domain is accessible
  • Obtain an network ip address along with dns that can resolve the domain you are joining
  • PowerShell

Steps:

  1. Launch PowerShell as an Administrator
  2. Issue the following command example: Add-Computer -DomainName <domain name> -Restart

You will be prompt for a username and password at this point. Enter in the correct credentials and soon after a restart will occur.

When you resume from the restart you can now log in on this workstation/server with domain credentials.

Additional info can be found on Technet

I hope you enjoyed this short, thanks for visiting – jermal

Remote Server Administration Tools for Windows 10 | Released

Weeks of waiting and its here at last.

Q. What is it?

A. RSAT (Remote Server Administration Tools) is a Windows Server component for remote management of other computers and server operating systems running Windows.

Grab the tools here: Remote Server Administration Tools for Windows 10