Active Directory

PowerShell: Test Domain User Account Credentials Test-UserCredentials.ps1

This script checks whether the password for a given user name is correct.
If authentication fails with the provided Domain\Username and password, the script runs a few checks and reports clues as to why the authentication failed.
The checks are:

  • The domain is reachable.
  • The user name exists in the domain.
  • The account is enabled.
  • The account is not locked out.

You can run the script from PowerShell as .\Test-UserCredentials.ps1, or right-click the script and select “Run with PowerShell”.
The script asks for the user credentials (Domain\Username and password) in the familiar Windows authentication window and reports the status of that combination.
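The following is an added example, not the blog's Test-UserCredentials.ps1, showing how the four checks listed above can be implemented in PowerShell. It assumes the RSAT ActiveDirectory module is installed on a domain-joined machine; the function name Test-DomainCredential is my own. The enabled/locked-out checks run before the password is tried so that a locked account is not hit with one more failed logon.

```powershell
# Added example (not the blog's script): validate DOMAIN\user + password and,
# on failure, run the same checks the post lists (domain reachable, user exists,
# account enabled, account not locked out).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-DomainCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][pscredential]$Credential   # expects DOMAIN\Username
    )
    $nc     = $Credential.GetNetworkCredential()          # splits DOMAIN\user for us
    $domain = $nc.Domain
    $user   = $nc.UserName
    if (-not $domain) { throw 'Enter the user as DOMAIN\Username.' }

    $result = [ordered]@{ User = "$domain\$user"; Authenticated = $false; Reason = $null }

    # 1. Domain reachable? Get-ADDomain accepts a NetBIOS or DNS name and throws if no DC answers.
    try   { $ad = Get-ADDomain -Identity $domain -ErrorAction Stop }
    catch { $result.Reason = "Domain '$domain' is not found or unreachable"; return [pscustomobject]$result }
    $dns = $ad.DNSRoot

    # 2. User exists? -Identity throws ADIdentityNotFoundException for an unknown account.
    try   { $acct = Get-ADUser -Identity $user -Server $dns -Properties LockedOut, PasswordExpired -ErrorAction Stop }
    catch { $result.Reason = "User '$user' does not exist in $domain"; return [pscustomobject]$result }

    # 3/4. Enabled and not locked out? Checked before the password so we do not
    #      add a failed attempt to an already locked account.
    if (-not $acct.Enabled) { $result.Reason = 'User account is disabled';   return [pscustomobject]$result }
    if ($acct.LockedOut)    { $result.Reason = 'User account is locked out'; return [pscustomobject]$result }

    # Finally validate the password with a real logon against the domain.
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $dns)
    try {
        if ($ctx.ValidateCredentials($user, $nc.Password)) {
            $result.Authenticated = $true
            $result.Reason = 'Valid user name and password'
        } elseif ($acct.PasswordExpired) {
            $result.Reason = 'Password has expired and must be changed'
        } else {
            $result.Reason = 'Authentication failed, most likely a wrong password'
        }
    } finally { $ctx.Dispose() }
    [pscustomobject]$result
}

# Prompts with the standard Windows credential dialog, like the post's script.
Test-DomainCredential -Credential (Get-Credential -Message 'Enter DOMAIN\Username and password')
```

The output object carries Authenticated and a Reason string, so the same function can be used unattended (for example from a help-desk tool) by passing a PSCredential object instead of calling Get-Credential.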
Screenshots:

Get user input: (screenshot)

Correct user name and password: (screenshot)

Failed authentication because the domain is not found/unreachable: (screenshot)

Failed authentication because the user name does not exist: (screenshot)

Failed authentication because the user account is disabled: (screenshot)

Failed authentication because the user account is locked out: (screenshot)

Failed authentication, most likely because of a wrong password: (screenshot)

Download from TechNet Gallery: https://gallery.technet.microsoft.com/PowerShell-Test-Domain-b71cc520

Test If AD User Name and Password Combination are Correct

—UPDATE#1—
Check my enhanced PowerShell script that does the same task as this one, and more: https://ibrahimsolimanblog.wordpress.com/2015/09/10/powershell-test-domain-user-account-credentials-test-usercredentials-ps1/

—Original Post—
This neat VBS script tests Active Directory authentication for a given user name and password, and tells you whether it succeeded or, if it failed, with which error.

I used to use Run As to test the authentication, but sometimes the user does not have permission to access the machine I’m testing on, and I receive an unclear error.

Now, to the script:

' Test AD authentication by binding to the domain with the supplied credentials.
Set objNetwork = CreateObject("WScript.Network")
strDomain = objNetwork.UserDomain          ' domain of the currently logged-on user
Const ADS_SECURE_AUTHENTICATION = 1        ' ADS_AUTHENTICATION_ENUM: Kerberos/NTLM, not a simple bind
strUsername = InputBox("Enter Username:")
strPassword = InputBox("Enter Password:")  ' note: InputBox shows the password in clear text
Set objDS = GetObject("LDAP:")
On Error Resume Next
' The bind itself is the credential check: it fails if the password is wrong,
' the account is disabled or locked out, or the domain cannot be reached.
Set objDomain = objDS.OpenDSObject("LDAP://" & strDomain, strUsername, strPassword, ADS_SECURE_AUTHENTICATION)
If Err.Number <> 0 Then
    WScript.Echo _
    "For user:" & vbCrLf & _
    "   " & strDomain & "\" & strUsername & vbCrLf & _
    "Error Number:" & vbCrLf & _
    "   " & Err.Number & vbCrLf & _
    "Error Description:" & vbCrLf & _
    "   " & Err.Description
Else
    WScript.Echo _
    "Valid password entered for user" & vbCrLf & _
    "   " & strDomain & "\" & strUsername
End If
On Error Goto 0

Run it, provide the user name (without the domain name), then provide the password, and read the result.

Source: http://stackoverflow.com/questions/3856479/testing-username-password-against-active-directory-domain-in-vbscript

PowerShell: Find the LDAP address from a User Account

LDAP-Address.ps1

Import-Module ActiveDirectory
$Account = Read-Host 'Enter User Account'
# Get-ADUser returns the object; take its DistinguishedName explicitly rather than
# relying on the object's string conversion.
$DN = (Get-ADUser -Identity $Account).DistinguishedName
Write-Host "LDAP://$DN"

Run LDAP-Address.ps1 from your domain controller.

The script asks you for the user logon name and displays the corresponding LDAP address in the form LDAP://CN=………,OU=…..,OU=………,DC=…….,DC=…..
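As an added example that goes a bit beyond the script above (it is not the blog's LDAP-Address.ps1), the function below resolves a logon name, UPN or distinguished name of any object class to a server-qualified LDAP path and binds to that path to prove it is valid. It assumes the RSAT ActiveDirectory module; the function name Get-ADObjectLdapPath is my own.

```powershell
# Added example: build LDAP://<dc>/<DN> for an AD object and verify it by binding.
Import-Module ActiveDirectory

function Get-ADObjectLdapPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Identity,
        # DC to pin in the path; defaults to the nearest writable DC.
        [string]$Server = ((Get-ADDomainController -Discover -NextClosestSite).HostName | Select-Object -First 1)
    )
    process {
        # Escape LDAP filter metacharacters so input like "O'Brien(1)" cannot alter the filter.
        $v = $Identity -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $objs = Get-ADObject -Server $Server -LDAPFilter "(|(sAMAccountName=$v)(userPrincipalName=$v)(distinguishedName=$v))"
        if (-not $objs) { Write-Error "No object matching '$Identity' on $Server"; return }

        foreach ($o in $objs) {
            $path = "LDAP://$Server/$($o.DistinguishedName)"
            # [ADSI] binds lazily; reading a property forces the bind, so a bad path throws here.
            $bound = $false
            try { $bound = ($null -ne ([ADSI]$path).distinguishedName) } catch { $bound = $false }
            [pscustomobject]@{
                Identity = $Identity
                Class    = $o.ObjectClass
                LdapPath = $path
                Bound    = $bound
            }
        }
    }
}

# Same prompt as the post's script; accepts users, groups, computers or a full DN.
Read-Host 'Enter User Account' | Get-ADObjectLdapPath | Format-List
```

Including the DC host name in the path (LDAP://dc01.example.com/CN=...) makes later [ADSI] lookups deterministic, which matters when a change has not yet replicated to every DC.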

One-Liner: Move Multiple Users to a Specific OU (PowerShell)

This PowerShell command reads the users’ aliases from a text file and moves them to a specific OU.

Preparation:
  • On your domain controller, create a text file at C:\MoveUsers\Users.txt
  • In Users.txt add the user aliases, one per line.
  • Get the DN of the destination OU. One easy way is to open ADSI Edit, expand the tree on the left until you reach the desired OU, and read the DN from the OU’s properties.
  • Open PowerShell and import the Active Directory module:
Import-Module ActiveDirectory
The command:
Get-Content C:\MoveUsers\Users.txt | Foreach{Get-ADUser $_ | Move-ADObject -TargetPath "OU=HR Users,OU=Users,DC=Masry,DC=Lab"}

Replace OU=HR Users,OU=Users,DC=Masry,DC=Lab with the OU DN you obtained earlier.
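The one-liner stops being convenient as soon as one alias in the file is mistyped or the OU DN is wrong. The following added example (not the blog's command) wraps the same procedure in a function that validates the target OU once, skips aliases that do not resolve, reports per-user status and supports -WhatIf for a dry run. It assumes the RSAT ActiveDirectory module; the file path and OU DN are the post's sample values and the function name is my own.

```powershell
# Added example: bulk-move users listed in a text file into an OU, with validation and a dry-run option.
Import-Module ActiveDirectory

function Move-ADUsersFromFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,       # text file, one sAMAccountName per line
        [Parameter(Mandatory)][string]$TargetOU    # distinguished name of the destination OU
    )
    # Fail fast on a bad OU DN instead of failing once per user inside the loop.
    $ou = Get-ADOrganizationalUnit -Identity $TargetOU -ErrorAction Stop
    $suffix = ",$($ou.DistinguishedName)"

    # Ignore blank lines and '#' comments so the file can be annotated.
    $aliases = Get-Content -Path $Path | ForEach-Object { $_.Trim() } |
               Where-Object { $_ -and -not $_.StartsWith('#') }

    foreach ($alias in $aliases) {
        try   { $user = Get-ADUser -Identity $alias -ErrorAction Stop }
        catch { Write-Warning "Skipping '$alias': $($_.Exception.Message)"; continue }

        # Already in the target OU: report it rather than issue a no-op move.
        if ($user.DistinguishedName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{ Alias = $alias; Status = 'AlreadyInOU'; DN = $user.DistinguishedName }
            continue
        }
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $($ou.DistinguishedName)")) {
            try {
                $moved = Move-ADObject -Identity $user.DistinguishedName -TargetPath $ou.DistinguishedName -PassThru -ErrorAction Stop
                [pscustomobject]@{ Alias = $alias; Status = 'Moved'; DN = $moved.DistinguishedName }
            } catch {
                [pscustomobject]@{ Alias = $alias; Status = "Failed: $($_.Exception.Message)"; DN = $user.DistinguishedName }
            }
        }
    }
}

# Dry run first (prints "What if: ..." lines), then the real move with a status table.
Move-ADUsersFromFile -Path 'C:\MoveUsers\Users.txt' -TargetOU 'OU=HR Users,OU=Users,DC=Masry,DC=Lab' -WhatIf
Move-ADUsersFromFile -Path 'C:\MoveUsers\Users.txt' -TargetOU 'OU=HR Users,OU=Users,DC=Masry,DC=Lab' | Format-Table -AutoSize
```

Piping the status objects to Export-Csv gives a record of exactly which accounts were moved, which is useful when the move is part of a change ticket.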

Internet Explorer 9 Group Policy Preference

IE9 was released after Windows Server 2008 R2.

If you try to create a Group Policy preference for Internet Explorer on a Windows 2008 R2 domain controller, you will only find options for:

– Internet Explorer 5 and 6

– Internet Explorer 7

– Internet Explorer 8

Let’s open the Group Policy Management Console on a Windows 2008 R2 domain controller and see:

Start –> Run –> GPMC.MSC –> expand the nodes and select any group policy –> right-click and click Edit. You will see:

(screenshot)

Under User Configuration –> expand Preferences –> Control Panel Settings –> Internet Settings

(screenshot)

Right-click in the right pane and click New to explore the available options

(screenshot)

As you can see, Internet Explorer 9 is not listed (as you expected).

Solution:

Microsoft has a hotfix for this situation. The hotfix does not add “Internet Explorer 9” to the menu; instead it makes the “Internet Explorer 8” option apply to IE9 as well (without this hotfix the IE8 options are filtered out and are not applied to IE9 users).

Download the hotfix from here, install it on the Windows 2008 R2 domain controller where you configure the group policies, and whenever you need to create a preference for IE9 choose “Internet Explorer 8” from the New menu. You’re good to go.

Reference:

Note:

If you are applying Internet Explorer preferences to Windows 7 machines, consider installing the hotfix below as well. The hotfix is described and available for download here:

Useful Commands to use with Active Directory

Create User

dsadd user "CN=Ahmed Mohamed Ali,OU=Temp,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg" -upn E00001@adib.co.ae -samid E00001 -display "Ahmed Mohamed Ali" -dept "Heliopolis Branch" -pwd 123456789 -mustchpwd yes -disabled yes -title "Banker" -desc "Banker" -company "Expert EGYPT" -office "Cairo Branch" -fn "Ahmed" -mi "Mohame" -ln "Ali" -memberof "CN=Cairo Staff,OU=Egypt,OU=Groups,DC=Expert,DC=com,DC=eg"

Note:

– I would recommend creating the user in a temporary empty OU first and, after confirming that everything is OK, moving them to their intended OU.

– The -mi "xxxxxx" (middle initials) value must NOT exceed 6 characters; that is by design.


Add Telephone and Mobile info to a User

dsmod user "CN=Ahmed Mohamed Ali,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg" -tel "0020211111111" -mobile "20101111111"


Create Global Security Group

dsadd group "CN=Finance,OU=egypt,ou=Groups,DC=Expert,DC=com,DC=eg" -samid Finance -secgrp yes -scope G

Add Members to a Group

dsmod group "CN=Finance,OU=egypt,ou=Groups,DC=Expert,DC=com,DC=eg" -addmbr "CN=Ahmed Mohamed Ali,OU=Temp,OU=Egypt,OU=Common Users,OU=User Accounts,DC=Expert,DC=com,DC=eg"

Dump objects details inside an OU to a .CSV file

csvde -d "OU=Egypt,OU=Users,DC=Expert,DC=com,DC=eg" -f "C:\Documents and Settings\Administrator\Desktop\Users_Egypt.csv"

Get a user’s email address into a text file from the SAMID

Create the following batch file and name it, for example, Useremail.bat:

@echo off
dsquery user -samid %1 | dsget user -email | find "@" > usermail.txt

Run it as

Useremail.bat AMohamed

and get the result in usermail.txt

Get The User DN from the SAMID

dsquery user -samid AMohamed

Change a Domain Account’s Password[1]

The following command resets the password of user DoeJ to Pa$$word1!:

dsquery user -samid DoeJ | dsmod user -pwd Pa$$word1!

If you use * instead of Pa$$word1!, you will be prompted for the password. If you are logged on to a domain controller you can also use the net user command; the equivalent command in this case would be:

net user DoeJ Pa$$word1!

You can also use the net user command from your workstation:

net user DoeJ Pa$$word1! /domain

Change the default location of creating Computer objects

By default, when you join a PC to the domain, a computer object for that PC is created in the “Computers” container.

To change this, for example to make “CompanyPCs” the default OU for newly joined PCs, run:

C:\WINDOWS\system32>redircmp.exe OU=CompanyPCs,DC=Expert,DC=com,DC=eg

Get Users of a Group

dsget group "CN=GFSAccMaintenanceLegalOfficer,OU=Egypt,OU=Groups,DC=adib,DC=co,DC=ae" -members


Delete User

dsquery user -samid EXXXX | dsrm -noprompt -c > c:\log.txt


List Groups and its members

echo "CN=GROUPNAME,OU=Egypt,OU=Groups,DC=Masry,DC=com,DC=eg" >> LIST.txt & dsget group "CN=GROUPNAME,OU=Egypt,OU=Groups,DC=Masry,DC=com,DC=eg" -members >> LIST.txt


Locked Users Saved Query

(&(&(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))))
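One caveat with this saved query: lockoutTime is only reset to 0 on the next successful logon, so once the domain’s lockout duration has passed, the account is usable again but still matches lockoutTime>=1. The following added example (not from the post) runs the same filter through Get-ADUser and flags the entries whose lockout has already expired, alongside the effective LockedOut flag that Search-ADAccount -LockedOut reports. It assumes the RSAT ActiveDirectory module; the function name is my own.

```powershell
# Added example: run the saved-query filter and separate current lockouts from stale lockoutTime values.
Import-Module ActiveDirectory

function Get-LockedOutReport {
    [CmdletBinding()]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Domain default lockout duration. If fine-grained password policies are in use,
    # Get-ADUserResultantPasswordPolicy gives the per-user value instead.
    $duration = (Get-ADDefaultDomainPasswordPolicy).LockoutDuration   # TimeSpan
    $now      = Get-Date

    # The saved query's filter with the redundant nested ANDs removed (same result set).
    $filter = '(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))'
    $hits   = Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties lockoutTime, LockedOut

    foreach ($u in $hits) {
        $lockedAt = [DateTime]::FromFileTime([int64]$u.lockoutTime)   # lockoutTime is a FILETIME
        # A non-positive duration means "locked until an administrator unlocks".
        $expired  = ($duration -gt [TimeSpan]::Zero) -and (($lockedAt + $duration) -lt $now)
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            LockedAt          = $lockedAt
            LockoutExpired    = $expired       # computed from lockoutTime + policy
            EffectivelyLocked = $u.LockedOut   # what Search-ADAccount -LockedOut reports
        }
    }
}

Get-LockedOutReport | Sort-Object LockedAt -Descending | Format-Table -AutoSize
```

For day-to-day unlocking, Search-ADAccount -LockedOut | Unlock-ADAccount is the simpler path; the report above is for understanding why the saved query in ADUC and the cmdlet can disagree.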

 

 

References:

DSADD on TechNet