Redirecting Well Known Containers (CN=Users; CN=Computers etc.)

In this post we will see the Powershell way of redirecting the Users and Computers containers (i.e. the Powershell equivalent of the tools redirusr.exe and redircmp.exe). By now you might know that you can use the Get-ADDomain cmdlet to view the well-known containers of a domain. For example:

PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-ADDomain | select *Container

ComputersContainer : CN=Computers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
DeletedObjectsContainer : CN=Deleted…


Accessing Replication Metadata using ADPowerShell

Metadata associated with Active Directory replication is exposed in AD via many constructed attributes. Some of these metadata attributes come in pairs: a binary blob and an XML representation of the metadata element.

Constructed Replication XML Metadata Attribute | Available on Objects | Corresponding Binary Attribute
msDS-ReplQueueStatistics | Root DSE | –
msDS-ReplAllInboundNeighbors | Root DSE | –
msDS-ReplAllOutboundNeighbors | Root DSE | -…


View/Configure Protected ACL and Fixing Broken Inheritance

ACL inheritance is one of the key concepts in Active Directory delegation of control. It allows ACEs set on a parent container to be inherited by its child objects. It simplifies access management significantly, as it allows management to be done at the container level rather than on individual leaf objects. However, sometimes we may want…


Add Object Specific ACEs using Active Directory Powershell

Active Directory Powershell implements two Powershell Provider cmdlets specifically for access control management in Active Directory: Get-ACL and Set-ACL. This blog series gives a few examples of how to use them. Note that it is not intended as a detailed explanation of access control and delegation in Active Directory and with an assumption…


How to view SOAP XML messages to and from AD Webservices and Powershell

I am sure many of us are curious to see the XML messages communicated between the AD Powershell webservices client and a Windows server hosting AD Webservices whenever a powershell cmdlet gets executed. In this blog, I am providing information to view those messages by enabling Windows Communication Foundation (WCF) logging through ADWS configuration. For…


How to find extended rights that apply to a schema class object

Recently, I came across this question (how to find extended rights that apply to a schema class) in our internal mailing lists. Extended rights are special permissions that denote a special task or function. These rights apply to one or more object classes and can be found stamped in the security descriptor of an object….


Active Directory Management Gateway Service released to web – manage YOUR Windows 2003/2008 DCs USING AD POWERSHELL !

The RTW version of Active Directory Management Gateway Service (ADMGS), an out-of-band release of Active Directory Web Services (ADWS overview here) for down-level servers, is now available to download from the Microsoft Download Center page. ADMGS is a down-level release of the in-box version of Windows Server 2008 R2 ADWS and provides the same functionality….


Token Bloat Troubleshooting by Analyzing Group Nesting in AD

This tool started when I was finding ways to analyze the complexity of group memberships in AD. Other than the usual average/median/min/max of number of members, number of memberships etc., I was also interested in finding out the maximum nesting levels of groups and the recursive group membership count. For example, in the diagram below,…


Active Directory Powershell to manage Sites and Subnets – Part 3 (Getting Site and Subnets)

Hello folks! Here are a few Active Directory Powershell script snippets that you will find useful while writing scripts. They deal with fetching sites, subnets and servers. Most of the snippets are simple and self-explanatory and can simply be copy-pasted into your existing script.

## Get a specified Active Directory Site.
$siteName = "Default-First-Site-Name"
$configNCDN = (Get-ADRootDSE).ConfigurationNamingContext…


Active Directory Powershell to manage Sites and Subnets – Part 2 (New-XADSubnet)

In an earlier post “Active Directory Powershell to manage sites – Part 1 (New-XADSite)” Jairo explained in detail how to create a Site in Active Directory using AD Powershell. In today’s post I am going to discuss how to create Subnets using AD Powershell. Before going into details of creating a subnet object,…