Disable loading the default drive ‘AD:’ during import-module

All of you who have used the Active Directory (AD) PowerShell module would have noticed that every time you import the AD module, a default drive ‘AD:’ is also loaded. So when you type the following command: Import-module ActiveDirectory You see a progress bar with a message like the following: Basically, during the import-module phase, the…


Find out when your Password Expires

A few weeks ago I came across this question “How to find out an account’s password expiration date” on one of our internal mailing lists. This looks like a simple question, but when we tried to find the answer we realized it is not a trivial task. One of my colleagues pointed to this 22-printed page detailed…


Adding/removing members from another forest or domain to groups in Active Directory

Adding/removing members belonging to the same domain from a group is very simple using AD PowerShell cmdlets. All you have to do is pass an identifier (either samAccountName, distinguishedName, securityIdentifier or GUID) of the member and group to one of the membership cmdlets: Add-ADGroupMember, Remove-ADGroupMember, Add-ADPrincipalGroupMembership, Remove-ADPrincipalGroupMembership. Example: C:\PS> Add-ADGroupMember SvcAccPSOGroup…


Redirecting Well Known Containers (CN=Users; CN=Computers etc.)

In this post we will see the PowerShell way of redirecting Users and Computers containers (i.e. the PowerShell equivalent of the tools redirusr.exe and redircmp.exe). By now you might know that you can use the Get-ADDomain cmdlet for viewing the well-known containers of a domain. For example: PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-ADDomain | select *Container ComputersContainer : CN=Computers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com DeletedObjectsContainer : CN=Deleted…


Accessing Replication Metadata using ADPowerShell

Metadata associated with Active Directory Replication is exposed in AD via many constructed attributes. Some of these metadata attributes come in pairs of binary blob & XML representation of the metadata element.

Constructed Replication XML Metadata Attribute | Available on Objects | Corresponding Binary Attribute
msDS-ReplQueueStatistics | Root DSE | –
msDS-ReplAllInboundNeighbors | Root DSE | –
msDS-ReplAllOutboundNeighbors | Root DSE | -…


View/Configure Protected ACL and Fixing Broken Inheritance

ACL inheritance is one of the key concepts in Active Directory delegation of control. It allows ACEs set on a parent container to be inherited by its child objects. It simplifies access management significantly, as it allows management to be done at the container level rather than on individual leaf objects. However, sometimes we may want…


Add Object Specific ACEs using Active Directory Powershell

Active Directory PowerShell implements two PowerShell Provider cmdlets specifically for access control management in Active Directory: Get-ACL and Set-ACL. This blog series is to give a few examples of how to use them. Note that it is not intended as a detailed explanation of access control and delegation in Active Directory and with an assumption…


How to view SOAP XML messages to and from AD Webservices and Powershell

I am sure many of us are curious to see the XML messages communicated between the AD PowerShell webservices client and a Windows server hosting AD Webservices whenever a PowerShell cmdlet gets executed. In this blog, I am providing information to view those messages by enabling Windows Communication Foundation (WCF) logging through ADWS configuration. For…


How to find extended rights that apply to a schema class object

Recently, I came across this question (how to find extended rights that apply to a schema class) in our internal mailing lists. Extended rights are special permissions that denote a special task or function. These rights apply to one or more object classes and can be found stamped in the security descriptor of an object….


Active Directory Management Gateway Service released to web – manage YOUR Windows 2003/2008 DCs USING AD POWERSHELL !

The RTW version of Active Directory Management Gateway Service (ADMGS), an Active Directory Web Services (ADWS overview here) out-of-band release for down-level servers, is now available to download from the Microsoft Download Center page. ADMGS is a down-level release of the in-box version of Windows Server 2008 R2 ADWS and provides the same functionality….