Using this page to keep track of all the useful powershell "mini-scripts" I've used:
Copy users from one security group to another security group
Add-ADGroupMember -Identity destination-group-name -Members (Get-ADGroupMember -Identity source-group-name -Recursive)
Add enabled users from an OU to a security group
Get-ADUser -SearchBase 'OU=Your-OU,DC=corp,DC=company,DC=com' -Filter {Enabled -eq $true} | ForEach-Object {Add-ADGroupMemberIf you use ADFS as your primary IdP, you may have noticed that before your users sign in, they have the option to pick the Relying Party they want to sign into under the "Sign in to one of the following sites" radio button. If ADFS is accessible from the internet (which it mostly likely is if you are using
Our 2012R2 DC's do DHCP and DNS for our environment, but I found that our client's DNS addresses were frequently incorrect, even though DHCP is supposed to update DNS with the correct entry. Found this blog post that solved our problems:
Note: If you are unsure about running the dnscmd shown
The Digicert cert utility for Windows make the process so much easier:
To generate the CSR:
https://www.digicert.com/util/csr-creation-microsoft-active-directory-ldap-2012-digicert-utility.htm
To install the Cert:
https://www.digicert.com/ssl-certificate-installation-microsoft-active-directory-ldap-2012.htm
For LDAPS on a domain controller, I did not have to import the cert file into the AD DS personal store.
Migrated a DC and wanted to do some basic AD health checks.
From the cmd prompt (domain joined pc with sufficient privileges or on the DC):
Replication Info:
repadmin /replsummary
repadmin /showrepl
Query FSMO role holders, which should confirm that they are online:
netdom query fsmo
General Server Diagnosis:
dcdiag /a /s:<DC server name>
If you want
If you need to get a list of all members in an AD Security Group, open up powershell and try the following commands from a DC:
dsquery group -name "GroupName" | dsget group -members
I published a blog post last year regarding verifying NTP settings on a Windows Server. Now, I recently needed to go a step farther and force a server to time sync with a DC. Here are the relevant commands:
To find out what server is the time server on your domain, from the CMD prompt run:
nltest /dsgetdc:your_domain_Recently came across an issue where users in an 802.1x wireless environment were logging into their laptops, and the AD logon script would run before they had wireless network connectivity. This was a problem since their network drives would not map.
While the users blamed the wireless network, the problem is actually resolved in AD Group Policy by specifying
From the cmd prompt:
For current time:
Time /T
For configuration:
w32tm /query /configuration
For status:
w32tm /query /status
To set your 2008R2 server as an NTP server, edit the following two reg keys:
1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags and change to Value 5
2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\Enabled