Archive for the ‘Active Directory’ Category

Windows 10 (1607) shows OneDrive in the Explorer navigation pane

Despite setting “Prevent the usage of OneDrive for file storage” under “Computer Configuration/Administrative Templates/Windows Components/OneDrive”, OneDrive is still shown in the File Explorer navigation pane.

It transpires that the OneDrive client included with Windows 10 (1607) does not appear to remove the OneDrive icon from File Explorer when this policy is set. Updating the OneDrive client fixes this issue; unfortunately, the client is installed per user, so the update has to be run for each user. To update the default client, execute the following:

%LOCALAPPDATA%\Microsoft\OneDrive\17.3.6381.0405\OneDriveStandaloneUpdater.exe

The OneDrive client will then be updated to the latest version.
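As an added example (not part of the post), the PowerShell below checks the same three things an administrator would want to confirm on a workstation before and after running the updater: that the policy actually applied, which client version the current user has, and whether the OneDrive shortcut is still pinned to the navigation pane. It locates OneDriveStandaloneUpdater.exe by searching rather than hard-coding the version folder from the post. The registry value (DisableFileSyncNGSC) is the one the policy writes and the CLSID is the OneDrive shell-namespace entry; the function names are my own.

```powershell
# Added example: report the OneDrive state for the current user and, on request, run the
# per-user updater the post describes. Not the post's own code; run in the user's session.

function Find-OneDriveUpdater {
    # The updater lives in a version-named folder (17.3.6381.0405 in the post), so search
    # for it instead of hard-coding the version.
    Get-ChildItem -Path "$env:LOCALAPPDATA\Microsoft\OneDrive" -Filter 'OneDriveStandaloneUpdater.exe' `
        -Recurse -ErrorAction SilentlyContinue | Select-Object -First 1
}

function Get-OneDriveStatus {
    # Computer Configuration policy "Prevent the usage of OneDrive for file storage"
    # writes DisableFileSyncNGSC = 1 under the Policies hive.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' `
        -Name 'DisableFileSyncNGSC' -ErrorAction SilentlyContinue

    # Per-user client binary; its file version tells us whether the update has run.
    $client = Get-Item -Path "$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe" -ErrorAction SilentlyContinue
    $clientVersion = $null
    if ($client) { $clientVersion = $client.VersionInfo.ProductVersion }

    # The navigation-pane entry is the OneDrive shell-namespace CLSID; 1 means it is shown.
    $pinned = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}' `
        -Name 'System.IsPinnedToNameSpaceTree' -ErrorAction SilentlyContinue

    $updater = Find-OneDriveUpdater

    [pscustomobject]@{
        PolicyDisablesOneDrive = ($policy.DisableFileSyncNGSC -eq 1)
        ClientVersion          = $clientVersion
        IconPinnedToNavPane    = ($pinned.'System.IsPinnedToNameSpaceTree' -eq 1)
        UpdaterPath            = if ($updater) { $updater.FullName } else { $null }
    }
}

function Update-OneDriveClient {
    # -WhatIf shows what would run; without it the updater is started and waited for.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $updater = Find-OneDriveUpdater
    if (-not $updater) {
        throw "OneDriveStandaloneUpdater.exe not found under $env:LOCALAPPDATA\Microsoft\OneDrive"
    }
    if ($PSCmdlet.ShouldProcess($updater.FullName, 'Run OneDrive standalone updater')) {
        Start-Process -FilePath $updater.FullName -Wait
    }
    $updater.FullName
}

# Usage: compare the two reports to confirm the icon disappears after the update.
Get-OneDriveStatus
Update-OneDriveClient -WhatIf
```

Because the client is per user, run this in each user's own session (a logon script is the natural place); the status function needs no elevation, and the policy check reads the computer-scope value so it works whichever user is logged on.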

Get User Principal Name – Part II

10th December, 2016

Whilst I was researching an unrelated issue, I happened upon the following article: http://serverfault.com/questions/591836/access-an-ad-attribute-in-a-first-time-logon-scenario

Whilst the poster was looking to put the userSharedFolder attribute into an environment variable, the solution allows almost any Active Directory attribute to be accessed and stored, including the User Principal Name. It uses a feature of Group Policy Preferences that I wasn't previously aware of.

I prefer this to my previous solution, as it allows for centralised management, whereas, with PowerShell, I have to push the script out to the workstations somehow.

Here are the instructions on creating the Group Policy Preferences Environment Variable:

  1. Create a new GPO (or edit one that has user settings)
  2. Go to User Config -> Preferences -> Windows Settings -> Environment
  3. Create a new Environment variable
  4. Action: Update
    Select: User Variable
    Name: UPN
    Value: %_UPN%
  5. Click the Common tab.
  6. Enter a description: “Create an environment variable called UPN and populate it with the UserPrincipalName attribute for the user, as held in Active Directory.”
  7. Tick “Item-level Targeting” and click “Targeting…”
  8. Select New Item -> LDAP Query
  9. Filter: (&(objectClass=user)(sAMAccountName=%USERNAME%))
    Binding: LDAP:
    Attribute: userPrincipalName
  10. Environment variable name: _UPN
  11. Click OK, OK

You can then reference the environment variable in subsequent scripts that run after the GPO has applied.

It may be possible, by using multiple filters, to build a variable from different Active Directory attributes, but I haven’t tried this.


PowerShell – Get User Principal Name (One-liner)

2nd October, 2016

As part of our Windows 10/Office 2016 project, we wanted to get the current user's User Principal Name (UPN). There are several posts on the web regarding how to do this, including utilising the ADSystemInfo COM object, or obtaining the current user's ID and then searching Active Directory; however, neither is a clean PowerShell one-liner!

So, after a bit of research, here it is:

([ADSI]"LDAP://<SID=$([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)>").UserPrincipalName

This command gets the SID of the current user's Windows security principal, which we then use to bind to the user's LDAP object. From this object, we can obtain the User Principal Name (or any other Active Directory attribute).

For our purpose, we wanted to put this value into a user environment variable. Here’s the script I came up with:

$UserUPN = ([ADSI]"LDAP://<SID=$([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)>").UserPrincipalName
If ($UserUPN) { [Environment]::SetEnvironmentVariable("UPN", $UserUPN, "User") }
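As an added example serving both this post and "Get User Principal Name – Part II" above (it is not code from either post), the script below resolves the logged-on user two ways, by the SID bind used in the one-liner and by the sAMAccountName filter used in the Group Policy Preferences item-level target, and checks that the UPN environment variable the GPP writes agrees with what the directory holds. It also shows the "any other attribute" generalisation as a PowerShell function; the function names are my own, and the GPP's own behaviour with multiple attributes is not something this code claims to reproduce.

```powershell
# Added example: verify the UPN environment variable against Active Directory.
# Runs as the logged-on domain user; needs no modules, only .NET DirectoryServices.

function Get-CurrentUserEntryBySid {
    # Bind by SID, as the one-liner does. <SID=...> is a special LDAP path form
    # that needs no search base and no domain name.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    [ADSI]"LDAP://<SID=$sid>"
}

function Get-CurrentUserEntryBySam {
    # Search by sAMAccountName, mirroring the GPP filter
    # (&(objectClass=user)(sAMAccountName=%USERNAME%)). sAMAccountName cannot
    # contain the LDAP filter metacharacters * ( ) \ so no escaping is needed here.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$env:USERNAME))"
    $result = $searcher.FindOne()
    if ($result) { $result.GetDirectoryEntry() }
}

function Get-CurrentUserAdAttribute {
    # Any attribute the user is allowed to read, fetched through the SID bind.
    param([string[]]$Name = @('userPrincipalName'))
    $entry = Get-CurrentUserEntryBySid
    $values = [ordered]@{}
    foreach ($attr in $Name) {
        # Single-valued attributes give one value; multi-valued ones are joined with ';'.
        # An attribute with no value gives an empty string.
        $values[$attr] = @($entry.psbase.Properties[$attr]) -join ';'
    }
    [pscustomobject]$values
}

function Test-UpnEnvironmentVariable {
    $sidEntry = Get-CurrentUserEntryBySid
    $fromSid  = [string]$sidEntry.userPrincipalName

    $samEntry = Get-CurrentUserEntryBySam
    $fromSam  = $null
    if ($samEntry) { $fromSam = [string]$samEntry.userPrincipalName }

    # The GPP "User Variable" lands in HKCU\Environment. Read it from there rather
    # than $env:UPN, which only reflects the environment this process started with.
    $fromGpp = [Environment]::GetEnvironmentVariable('UPN', 'User')

    [pscustomobject]@{
        UpnFromSidBind   = $fromSid
        UpnFromSamSearch = $fromSam
        UpnFromGpp       = $fromGpp
        Consistent       = [bool]($fromSid -and $fromSid -eq $fromSam -and $fromSid -eq $fromGpp)
    }
}

# Usage
Test-UpnEnvironmentVariable
Get-CurrentUserAdAttribute -Name userPrincipalName, mail, department
```

A Consistent value of False after the GPO has applied usually means the item-level target did not match (the LDAP query found no object, so _UPN was never set) or the environment item ran before the targeting variable existed; the two directory values beside it show whether the directory itself holds a UPN at all.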

Batch file to check if user is a member of an Active Directory Group

9th August, 2013

Due to a limitation of our software deployment software, I was asked if it was possible to copy a file based on an Active Directory group membership. After a bit of research I decided the best course of action was to utilise the DSquery and DSget commands that are part of the Windows 7 operating system.

Let’s examine the core of the script below.

  • Firstly, we specify the distinguishedName of the group that we want to check and put it into a variable; we'll use this later in our code.
  • We then use "dsquery user -samid %username%" to obtain the distinguishedName of the currently logged-in user, using the %username% environment variable, which is the SAMid (sAMAccountName) in Active Directory.
  • We pipe the result into "dsget user -memberof -expand". This generates a list of the distinguishedNames of all the groups that the user is a member of. The "-expand" parameter ensures that all nested groups are listed as well.
  • We then pipe the result of this into the FindStr utility and search for the group name that we specified at the start of the process. We perform a case-insensitive search and also redirect STDOUT and STDERR to NUL to stop anything being shown on the screen.
  • Finally, we check the %ERRORLEVEL% value to determine whether the string has been found or not.

And here’s the script:

@ECHO OFF
REM Distinguished name of the group to test for (quoted, as DNs contain spaces and commas)
set group="CN=Network Team - ICT Services,OU=Test,DC=domain,DC=net"
REM dsquery resolves the logged-on user's DN; dsget lists every group (nested included) that
REM DN belongs to; findstr looks for our group DN in that list without printing anything
dsquery user -samid %username% | dsget user -memberof -expand | findstr /i /c:%group% 1>NUL 2>NUL
REM findstr sets ERRORLEVEL 0 when the string was found and 1 when it was not
If %ERRORLEVEL% EQU 1 echo Not found group!!
If %ERRORLEVEL% EQU 0 echo Found group!!
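As an added example (not the post's script), the PowerShell below performs the same live nested-group check with a single LDAP query instead of the dsquery/dsget/findstr pipeline, so it does not depend on the directory command-line tools being installed and it matches the group DN exactly rather than as a substring. The matching rule it relies on (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941) makes the domain controller walk memberOf transitively, which is what -expand did in the post. The group DN is the post's constructed one; the function names are my own.

```powershell
# Added example: is the logged-on user a (nested) member of a group?
# Save as a .ps1; the exit code mirrors the batch script's ERRORLEVEL (0 found, 1 not found).
param(
    [string]$GroupDN        = "CN=Network Team - ICT Services,OU=Test,DC=domain,DC=net",  # constructed value from the post
    [string]$SamAccountName = $env:USERNAME
)

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for values placed inside an LDAP filter. The backslash is
    # replaced first so the escapes inserted afterwards are not escaped again.
    # A DN such as CN=Smith\, John therefore becomes CN=Smith\5c, John in the filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-NestedGroupMember {
    param([string]$GroupDN, [string]$SamAccountName)

    $escapedSam   = ConvertTo-LdapFilterValue $SamAccountName
    $escapedGroup = ConvertTo-LdapFilterValue $GroupDN

    # memberOf:1.2.840.113556.1.4.1941:= asks the server to evaluate the whole
    # membership chain, so nested groups are covered without client-side expansion.
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escapedSam)" +
              "(memberOf:1.2.840.113556.1.4.1941:=$escapedGroup))"

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter     = $filter
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    # The user object is returned only if it satisfies every clause, including membership.
    $null -ne $searcher.FindOne()
}

$found = Test-NestedGroupMember -GroupDN $GroupDN -SamAccountName $SamAccountName
if ($found) { 'Found group!!' } else { 'Not found group!!' }
exit ([int](-not $found))
```

From the deployment tool's batch step, call it as `powershell.exe -NoProfile -File Test-GroupMember.ps1` and test %ERRORLEVEL% exactly as the batch script does. Like dsget, this queries the directory at run time, so a membership added since the user logged on is seen immediately; a check based on the logon token (for example WindowsIdentity.Groups) would not see it until the next logon.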

NDR for disabled Active Directory accounts

10th December, 2012

When staff leave the organisation, are on long-term sick leave, or take a sabbatical, we disable their account in Active Directory. This also used to stop emails being delivered to their mailbox (returning a Non-Delivery Report [NDR] to the sender), which was very useful to let other staff know they were no longer available and stopped important emails sitting in mailboxes that were no longer checked.

Unfortunately, one of the Service Packs (for Exchange 2003, if I recall correctly) “fixed” this issue. Our workaround was to restrict disabled accounts to only accept emails from themselves. Whilst this can be done via the GUI, a script is a lot quicker.

The PowerShell script below adds the restriction to disabled accounts and removes it from accounts that have been re-enabled.

# Constants to modify multi-valued AD attributes (ADS_PROPERTY_OPERATION_ENUM values for PutEx).
$ADS_PROPERTY_CLEAR = 1
$ADS_PROPERTY_UPDATE = 2
$ADS_PROPERTY_APPEND = 3
$ADS_PROPERTY_DELETE = 4

# LDAP path to start search from
$RootOU = "LDAP://OU=User Accounts,DC=domain,DC=net"

Write-Host "Accounts that are disabled but accepting emails"

# userAccountControl:1.2.840.113556.1.4.803:=2 is a bitwise AND against the ACCOUNTDISABLE flag (2).
# (!authOrig=*) keeps accounts with no sender restriction; the homeMDB/msExchHomeServerName clause keeps
# only mailbox-enabled accounts; (!sAMAccountName=command*) excludes accounts whose name starts "command".
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]$RootOU)
$search.PageSize = 1000
$search.Filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(!authOrig=*)(|(homeMDB=*)(msExchHomeServerName=*))(!sAMAccountName=command*))"
$results = $search.FindAll()

foreach ($result in $results) {
   $User = $result.GetDirectoryEntry()
   $distinguishedName = $User.distinguishedName
   $distinguishedName
   # Restrict the mailbox so that only the account itself may send to it
   $User.PutEx($ADS_PROPERTY_UPDATE, "authOrig", @($distinguishedName))
   $User.SetInfo()
}

Write-Host "Accounts that are enabled but not accepting emails"

# Same filter negated: the ACCOUNTDISABLE bit is clear but authOrig is still set.
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]$RootOU)
$search.PageSize = 1000
$search.Filter = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(authOrig=*)(|(homeMDB=*)(msExchHomeServerName=*)))"
$results = $search.FindAll()

foreach ($result in $results) {
   $User = $result.GetDirectoryEntry()
   $distinguishedName = $User.distinguishedName
   $distinguishedName
   # Clear the restriction so the re-enabled account accepts mail again
   $User.PutEx($ADS_PROPERTY_CLEAR, "authOrig", $null)
   $User.SetInfo()
}
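As an added example (not the post's script), here is the same pair of checks as one function that supports -WhatIf, so the accounts in each state, together with their current authOrig value, can be reviewed before anything in the directory is changed; without -WhatIf it applies the same PutEx calls as the script above. The OU path is the post's constructed one and the exclusion prefix is parameterised; the function name is my own.

```powershell
# Added example: audit (and optionally fix) disabled-but-accepting and enabled-but-restricted
# mailbox accounts. Run with -WhatIf first; it then changes nothing and only reports.
function Sync-DisabledMailboxRestriction {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$RootOU = "LDAP://OU=User Accounts,DC=domain,DC=net",  # constructed value from the post
        [string[]]$ExcludePrefix = @('command')                          # sAMAccountName prefixes to leave alone
    )

    $ADS_PROPERTY_CLEAR  = 1
    $ADS_PROPERTY_UPDATE = 2

    # Building blocks for the two filters; the OID is LDAP_MATCHING_RULE_BIT_AND and 2 is ACCOUNTDISABLE.
    $disabled   = "userAccountControl:1.2.840.113556.1.4.803:=2"
    $hasMailbox = "(|(homeMDB=*)(msExchHomeServerName=*))"
    $exclusions = ($ExcludePrefix | ForEach-Object { "(!sAMAccountName=$_*)" }) -join ''

    $passes = @(
        @{ State  = 'DisabledButAccepting'
           Filter = "(&(objectCategory=person)(objectClass=user)($disabled)(!authOrig=*)$hasMailbox$exclusions)"
           Action = 'Restrict authOrig to self' }
        @{ State  = 'EnabledButRestricted'
           Filter = "(&(objectCategory=person)(objectClass=user)(!$disabled)(authOrig=*)$hasMailbox)"
           Action = 'Clear authOrig' }
    )

    foreach ($pass in $passes) {
        $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]$RootOU)
        $searcher.PageSize = 1000          # paged results: more than 1000 matches are still returned
        $searcher.Filter   = $pass.Filter

        foreach ($result in $searcher.FindAll()) {
            $user = $result.GetDirectoryEntry()
            $dn   = [string]$user.distinguishedName

            # Report what is there before touching it.
            [pscustomobject]@{
                State             = $pass.State
                DistinguishedName = $dn
                CurrentAuthOrig   = @($user.psbase.Properties['authOrig']) -join ';'
            }

            # ShouldProcess honours -WhatIf and -Confirm; with neither, the change is applied.
            if ($PSCmdlet.ShouldProcess($dn, $pass.Action)) {
                if ($pass.State -eq 'DisabledButAccepting') {
                    $user.PutEx($ADS_PROPERTY_UPDATE, 'authOrig', @($dn))
                } else {
                    $user.PutEx($ADS_PROPERTY_CLEAR, 'authOrig', $null)
                }
                $user.SetInfo()
            }
        }
    }
}

# Usage: review first, then apply.
Sync-DisabledMailboxRestriction -WhatIf | Format-Table -AutoSize
# Sync-DisabledMailboxRestriction
```

The report is worth keeping from each run: an account that is disabled but still accepting mail is exactly the class of mailbox that quietly collects messages nobody reads, and the list of re-enabled accounts tells you which restrictions were lifted and when.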

PowerShell Script to export data from Active Directory

9th December, 2012

I was asked to assist a vendor who was working with our Unix/Oracle team. He was trying to import data from Active Directory into an Oracle database.


I'm no expert on Oracle, but it appears that the LDAP connector simply returned blobs of data, which then had to be parsed, and there seemed to be no order to the data returned. This was before we started looking at converting the objectGUID or checking whether we'd hit the 1000-record AD limit (which SQL Server suffers from).


I’d recently been on a PowerShell course delivered by Microsoft, so I thought I’d write a quick script to export the data. In this case, we output the result to a CSV file, but it is possible to update the database directly. Anyway, here’s the script we used:


# LDAP path to start search from
$RootOU = "LDAP://OU=Regional Accounts,OU=User Accounts,DC=domain,DC=net"

# CSV path
$CSVpath = "C:\TEMP\ADusers.csv"

$search = New-Object DirectoryServices.DirectorySearcher([ADSI]$RootOU)
$search.PageSize = 1000   # paged search, so more than 1000 users are returned
$search.Filter = "(&(objectCategory=person)(objectClass=user))"
$results = $search.FindAll()

$myData = @()
foreach ($result in $results) {
   $User = $result.GetDirectoryEntry()
   # objectGUID is 16 raw bytes; output them as upper-case hex pairs in stored order
   # (accountExpires is a 64-bit FILETIME; 0 and Int64.MaxValue both mean "never")
   $myData += ( $User | Select-Object -Property @{Name="objectGUID";Expression={(($_.psbase.Properties['objectGUID'].Value | ForEach-Object { "{0:X2}" -f $_ }) -join "")}},
   @{Name="sAMAccountName";Expression={$_.sAMAccountName}},
   @{Name="homeDirectory";Expression={$_.homeDirectory}},
   @{Name="mail";Expression={$_.mail}},
   @{Name="sn";Expression={$_.sn}},
   @{Name="givenName";Expression={$_.givenName}},
   @{Name="mailNickName";Expression={$_.mailNickName}},
   @{Name="title";Expression={$_.title}},
   @{Name="postOfficeBox";Expression={$_.postOfficeBox}},
   @{Name="accountexpires";Expression={
        $expires = $_.ConvertLargeIntegerToInt64($_.accountexpires[0])
        if ($expires -eq 0 -or $expires -eq [Int64]::MaxValue) { "" }
        else { [datetime]::FromFileTime($expires).ToString("s") }
   }},
   @{Name="employeeNumber";Expression={$_.employeeNumber}}
)
}
$myData | Export-Csv -Path $CSVpath -NoTypeInformation

# Or, you can output to a grid
#$myData | Out-GridView
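The two conversions that caused trouble in this export, objectGUID and accountExpires, are worth being able to check without a domain connection. As an added example (not the post's script), the functions below do both on constructed input: the GUID is produced both as the raw hex the script above writes and as the canonical GUID string that ADUC and dsquery display, which differ in byte order for the first three groups, plus the escaped form needed to search for that GUID in an LDAP filter; accountExpires handles the two "never expires" sentinels that make FromFileTime throw. The function names and sample values are my own.

```powershell
# Added example: AD attribute conversions for export, exercised on constructed data.

function ConvertFrom-AdObjectGuid {
    param([byte[]]$Bytes)
    if ($Bytes.Count -ne 16) { throw "objectGUID must be 16 bytes, got $($Bytes.Count)" }

    # Raw storage order, as the CSV export writes it (suits an Oracle RAW(16) column).
    $rawHex = ($Bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ''

    # System.Guid reads the first three groups little-endian, so the string form
    # reorders the bytes; this is what the AD tools display.
    $guid = New-Object System.Guid -ArgumentList (,$Bytes)

    # Binary values in an LDAP filter are written as \xx per byte, in storage order.
    $filterValue = ($Bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''

    [pscustomobject]@{
        RawHex      = $rawHex
        Guid        = $guid.ToString()
        LdapFilter  = "(objectGUID=$filterValue)"
    }
}

function ConvertFrom-AdAccountExpires {
    param([Int64]$Value)
    # 0 and Int64.MaxValue both mean "never expires"; FromFileTimeUtc throws on the
    # latter, so test for them first. UTC is used so the export does not depend on
    # the time zone of the machine running it.
    if ($Value -eq 0 -or $Value -eq [Int64]::MaxValue) { return $null }
    [datetime]::FromFileTimeUtc($Value).ToString('s')
}

# Constructed objectGUID: bytes 00 11 22 ... FF, chosen so the reordering is visible.
$sampleGuidBytes = [byte[]](0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF)
ConvertFrom-AdObjectGuid -Bytes $sampleGuidBytes
# RawHex 00112233445566778899AABBCCDDEEFF, Guid 33221100-5544-7766-8899-aabbccddeeff

# Constructed accountExpires values: never (both sentinels) and 2017-01-01T00:00:00 UTC.
ConvertFrom-AdAccountExpires -Value 0
ConvertFrom-AdAccountExpires -Value ([Int64]::MaxValue)
ConvertFrom-AdAccountExpires -Value 131277024000000000
```

When the same GUID must be matched between the CSV and another system, decide up front which of the two string forms is the key; importing the raw hex and later comparing it with the dashed form from an AD tool will never match, even though both describe the same object.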