Active Directory

How to use Netdom.exe to reset machine

That which you do not know, the doing will quickly teach you. – Po (Kung Fu – 1972)

Here is a situation: a virtual machine joined to an Active Directory domain is reverted to an earlier state, which invalidates its domain security key (the computer account password it holds no longer matches the one stored in the domain). Rather than removing this machine from the domain and joining it again, you can regain domain access by simply logging into the machine as a member of the local Administrators group and running the following command in an elevated command prompt:

netdom.exe resetpwd /s:<Primary DC name> /ud:<Domain\Username> /pd:<Password>

(Use /pd:* in place of the password to be prompted for it rather than typing it on the command line.)

This updates the machine's security key (the computer account password) on both the virtual machine and the domain. After a reboot of the machine you are able to log in and function as a member of the domain again.

More info on netdom commands here: http://technet.microsoft.com/en-us/library/cc785478(v=ws.10).aspx

And a big thanks to Michael Girard, who posted this as part of my ‘Flashback Friday’ post on Facebook, where I had asked people to share what they had learned this week.

Please stop by http://www.facebook.com/jermsmitcom when you have a chance.

Lync not populating contact cards phone numbers from Active Directory

So you have Lync, and every time you want to look up the extension of someone in your office you are left with nothing. Why? Why is this; why don’t things just work? As frustrating as this may be, it happens for a reason.

Lync expects all the phone numbers in Active Directory to be in E.164 format. In short, they should look something like this: +1-111-5550000. If they are not, you will need to normalize them if you want Lync to publish them.

Normalization Rules
Normalization rules define how phone numbers expressed in various formats are to be routed for the named location. The same number string may be interpreted and translated differently depending on the locale from which it is dialed. Normalization rules are necessary for call routing because users can, and do, use various formats when entering phone numbers in their Contacts lists.

Method used to fix this
I used the contact card functionality of Lync and a series of regular expressions found around the web and came up with a Company_Phone_Number_Normalization_Rules.txt, placed in the Lync share under 1-WebServices-1\ABFiles, followed by a quick Update-CsAddressBook. All you need to do then is give the address book some time to regenerate.
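How the rule file drives the normalization, as an added example that is not the author’s file or Lync code: the two-line pattern/replacement layout is the one the Lync rule file uses, while the rules themselves, the sample numbers and the DID block are constructed, and whatever pre-processing the Address Book Server does before matching is left out.

```python
import re

# Constructed rule file in the Company_Phone_Number_Normalization_Rules.txt layout (not the author's file):
# lines starting with '#' are comments; each rule is one regex line followed by one replacement line.
RULES_TEXT = r"""
# already E.164 for North America: keep as-is
^\+1(\d{10})$
+1$1
# 10-digit NANP number with optional punctuation, e.g. (212) 555-0123 or 212.555.0123
^\(?(\d{3})\)?[-. ]?(\d{3})[-. ]?(\d{4})$
+1$1$2$3
# 4-digit internal extension mapped onto a constructed DID block
^(\d{4})$
+1555555$1
"""

def load_rules(text):
    """Return [(compiled pattern, Python replacement)], translating .NET-style $1 groups to \\1."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    if len(lines) % 2:
        raise ValueError("rule file must hold pattern/replacement pairs")
    return [(re.compile(p), re.sub(r"\$(\d+)", r"\\\1", r)) for p, r in zip(lines[::2], lines[1::2])]

def normalize(number, rules):
    """Apply the first matching rule to one AD phone string; None means no rule accepts it."""
    for pattern, replacement in rules:
        if pattern.match(number):
            return pattern.sub(replacement, number)
    return None

RULES = load_rules(RULES_TEXT)
```

A number that no rule accepts (for example a bare 555-0123) comes back as None, which is exactly the case where the contact card shows nothing.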

I give a big thanks to the guys / gals over at Network Administration Secrets for this one.

How To Find Your Logon Server – Active Directory

To check the local domain controller for a computer or server simply type the following in the command prompt: echo %logonserver%

What this does is print the value of the LOGONSERVER environment variable, giving you the machine name of the domain controller that authenticated your logon.

Saved Queries feature in Active Directory

This post focuses on custom queries that allow you to perform additional tasks in Active Directory.

Microsoft’s Active Directory Users and Computers (ADUC) is a wonderful tool and very useful when it comes to managing user and computer accounts in your domain. It also has another feature which doesn’t get used often: the ability to run Lightweight Directory Access Protocol (LDAP) queries and save them for later use. These queries can be exported and shared with other administrators to find out day-to-day info such as expired user accounts, users with locked-out accounts, etc. You can find this in ADUC under Saved Queries.

Go to Active Directory Users and Computers:
Right click the Saved Queries folder and select New, Query.
Enter an appropriate Name and Description.
Make sure the query root is set to the domain level you want the query to pertain to.
Select the Include sub-containers check box if you want the query to search all sub-containers.
Click Define Query.
In the Find dialog box, click the Find drop-down arrow and select Custom Search.
On the Advanced tab, enter your LDAP query string into the Enter LDAP query box.
Click OK twice.

Here are some saved queries I have used

Users that have been given dial-in permissions
(objectCategory=user)(msNPAllowDialin=TRUE)

Users whose accounts are disabled
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Users that must change password at next logon
(objectCategory=user)(pwdLastSet=0)

List all groups that start with IN or SA
(objectCategory=group)(|(cn=IN*)(cn=SA*))

Find all Universal Groups
(groupType:1.2.840.113556.1.4.803:=8)

I think you get the idea at this point.
Here are some more saved queries I happened to find while searching Google.

Find Groups that contains the word admin
(objectcategory=group)(samaccountname=*admin*)

Find users who have admin in description field
(objectcategory=person)(description=*admin*)

Empty Groups with No Members
(objectCategory=group)(!member=*)

Finds all groups defined as a Global Group, a Domain Local Group, or a Universal Group
(groupType:1.2.840.113556.1.4.804:=14)

Find all User with the name Bob
(objectcategory=person)(samaccountname=*Bob*)

Find user accounts with passwords set to never expire
(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)

Find all users that never log in to domain
(&(&(objectCategory=person)(objectClass=user))(|(lastLogon=0)(!(lastLogon=*))))

Find user accounts with no log on script
(objectcategory=person)(!scriptPath=*)

Find user accounts with no profile path
(objectcategory=person)(!profilepath=*)

Finds non disabled accounts that must change their password at next logon
(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)

Finds all disabled accounts in active directory
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2)

Finds all locked out accounts
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16)

Finds Domain Local Groups
(groupType:1.2.840.113556.1.4.803:=4)

Finds all Users with Email Address set
(objectcategory=person)(mail=*)

Finds all Users with no Email Address
(objectcategory=person)(!mail=*)

Find all Users, Groups or Contacts where Company or Description is Contractors
(|(objectcategory=user)(objectcategory=group)(objectcategory=contact))(|(description=North*)(company=Contractors*))

Find all Users whose Mobile number starts with 712 or 155
(objectcategory=user)(|(mobile=712*)(mobile=155*))

Find All printers with Color printing capability
Note: server name must be changed
(&(uncName=*Servername*)(objectCategory=printQueue)(printColor=TRUE))

Find Users Mailboxes Overriding Exchange Size Limit Policies
(&(objectCategory=user)(mDBUseDefaults=FALSE))

Find all Users that need to change password on next login.
(&(objectCategory=user)(pwdLastSet=0))

Find all Users that are almost Locked-Out
Notice the “>=” that means “Greater than or equal to”.
(objectCategory=user)(badPwdCount>=2)

Find all Computers that do not have a Description
(objectCategory=computer)(!description=*)

Find all users with Hidden Mailboxes
(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))

Find all Windows 2000 SP4 computers
(&(objectCategory=Computer)(operatingSystem=Windows 2000 Professional)(operatingSystemServicePack=Service Pack 4))

Find all Windows XP SP2 computers
(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))

Find all Windows XP SP3 computers
(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))

Find all Vista SP1 computers
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))

Find All Workstations
(sAMAccountType=805306369)

Find all 2003 Servers Non-DCs
(&(samAccountType=805306369)(!(primaryGroupId=516))(objectCategory=computer)(operatingSystem=Windows Server 2003*))

Find all 2003 Servers – DCs
(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))

Find all Server 2008
(&(samAccountType=805306369)(!(primaryGroupId=516))(objectCategory=computer)(operatingSystem=Windows Server 2008*))
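To see exactly what these filters select, here is a small evaluator written for this post (an added example, not part of the original post or of ADUC): it parses the RFC 4515 subset the saved queries above use, including the bitwise matching rules 1.2.840.113556.1.4.803 (all bits set) and 1.2.840.113556.1.4.804 (any bit set) and AD’s relaxed (!attr=*) negation, and runs the filters against a constructed sample directory. Assumed sample values: userAccountControl 514 = 512 + 2 (normal account, disabled) and 66048 = 512 + 65536 (password never expires); groupType -2147483640 is 0x80000008 (universal security group) and -2147483644 is 0x80000004 (domain local security group).

```python
import re

DIRECTORY = [  # constructed sample data, not a real domain; attribute names lower-cased (LDAP ignores their case)
    {"samaccountname": "alice", "objectcategory": "person", "objectclass": "user", "useraccountcontrol": 66048, "pwdlastset": 0, "description": "Backup admin account"},
    {"samaccountname": "bob", "objectcategory": "person", "objectclass": "user", "useraccountcontrol": 514, "pwdlastset": 0, "badpwdcount": 3},
    {"samaccountname": "IN-Admins", "objectcategory": "group", "grouptype": -2147483640},
    {"samaccountname": "SA-Local", "objectcategory": "group", "grouptype": -2147483644, "member": "CN=bob,CN=Users,DC=example,DC=test"},
]

def _item(text):
    """One assertion: attr=value, attr>=value or attr:matchingRuleOID:=value."""
    attr, _, value = text.partition("=")
    attr, rule = (attr.split(":") + [None])[:2]          # 'uac:1.2.840.113556.1.4.803:' -> name, OID
    return ("item", (attr.lower(), rule, value))

def parse(s, i=0):                                        # recursive descent over the RFC 4515 subset used above
    op, i = s[i + 1], i + 2                               # s[i] is the opening '('
    if op not in "&|!":                                   # simple assertion such as (mail=*)
        j = s.index(")", i)
        return _item(s[i - 1:j]), j + 1
    items = []
    while s[i] == "(":
        node, i = parse(s, i)
        items.append(node)
    return (op, items), i + 1

def matches(node, entry):
    op, x = node
    if op in "&|!":
        results = [matches(n, entry) for n in x]
        return all(results) if op == "&" else any(results) if op == "|" else not results[0]
    attr, rule, value = x
    if attr.endswith(">"):                                # ordering match, e.g. (badPwdCount>=2)
        return int(entry.get(attr[:-1], 0)) >= int(value)
    if attr == "objectcategory" and value.lower() == "user":
        value = "person"                                  # AD resolves a class name here to its defaultObjectCategory
    actual = entry.get(attr)
    if actual is None:                                    # absent attribute never matches, so (!mail=*) finds empties
        return False
    if rule:                                              # ...803 = BIT_AND (all bits set), ...804 = BIT_OR (any bit set)
        hit = int(actual) & int(value)
        return hit == int(value) if rule.endswith(".803") else hit != 0
    pattern = ".*".join(re.escape(p) for p in value.split("*"))   # '*' is the only wildcard
    return re.fullmatch(pattern, str(actual), re.IGNORECASE) is not None

def evaluate(filter_text, directory=DIRECTORY):
    """sAMAccountNames matched by a saved-query string; bare top-level items are ANDed."""
    s = re.sub(r"\(!(?=[^(])([^)]*)\)", r"(!(\1))", filter_text)   # AD's relaxed (!attr=*) -> (!(attr=*))
    root, _ = parse("(&" + s + ")")                                 # wrap so several bare items become one AND
    return sorted(e["samaccountname"] for e in directory if matches(root, e))
```

Running the scope query with the .803 rule instead of .804 (groupType:1.2.840.113556.1.4.803:=14) returns nothing, because it demands all three scope bits at once. The LOCKOUT bit (16) used in the locked-out query above is not maintained in the stored userAccountControl attribute, only in the constructed attribute msDS-User-Account-Control-Computed, so filtering on lockoutTime>=1 is the usual way to find locked accounts.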