Alan's sysadmin Blog

Working smarter not harder

Archive for the ‘Active Directory’ Category

Script: Fixing Orphaned AdminSDHolder Accounts

Posted by Alan McBurney on August 27, 2014

This is intended as a follow-up to Detecting members of Protected Groups within AD.

It seems that no matter how many Exchange or Lync projects I do, I always come across the issue of orphaned AdminSDHolder accounts.

To overcome the tedium of detecting and fixing orphaned users, I decided to put together a script to automate the task.

This script gets all users that are members of protected groups within AD and compares that membership with the users that have the AD attribute AdminCount=1 set. If a user has AdminCount=1 set but is not a member of a protected group within AD, the user is considered orphaned: the AdminCount is reset to 0 and inheritable permissions are enabled.

<#
.SYNOPSIS
Detects orphaned SD Admin users, resets the adminCount attribute and enables inheritable permissions

.Author
Alan.McBurney

THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.

Version 1.0, July 10th, 2014

.DESCRIPTION
This script gets all users that are members of protected groups within AD and compares
membership with users that have the AD attribute adminCount=1 set.
If the user has adminCount=1 set but is not a member of a protected group then the user
is considered an orphaned admin user: the adminCount attribute is cleared and inheritable
permissions are re-enabled.

.REFERENCES
http://blogs.technet.com/b/heyscriptingguy/archive/2010/07/11/hey-scripting-guy-weekend-scripter-checking-for-module-dependencies-in-windows-powershell.aspx
http://blogs.msdn.com/b/muaddib/archive/2013/12/30/how-to-modify-security-inheritance-on-active-directory-objects.aspx

.EXAMPLE
Reset-OrphanSDUsers

.Notes
To Do list: Enable logging
#>

# Check that the Active Directory PowerShell module is available on the system and load it
Function Get-MyModule
{
  Param([string]$name)
  if (Get-Module -Name $name)
  {
    return $True                                   # module already loaded
  }
  if (Get-Module -ListAvailable | Where-Object { $_.Name -eq $name })
  {
    Import-Module -Name $name
    return $True
  }
  Write-Host "$name PowerShell module not available" -ForegroundColor Red
  return $False
} # end function Get-MyModule

If (-not (Get-MyModule -name "ActiveDirectory")) { Exit 1 }

# Re-enable inheritance on an AD object whose ACL was protected by SDProp.
# SetAccessRuleProtection($False, $True): $False = stop blocking inheritance,
# $True = keep the rules that were previously inherited (now explicit) on the object.
Function Set-Inheritance
{
  Param([string]$ObjectPath)                       # distinguished name of the object
  $Acl = Get-ACL -Path "AD:\$ObjectPath"
  If ($Acl.AreAccessRulesProtected -eq $True)
  {
    $Acl.SetAccessRuleProtection($False, $True)
    Set-ACL -AclObject $Acl -Path "AD:\$ObjectPath"
  }
}

# Get list of protected groups (SDProp stamps adminCount=1 on the groups as well)
$AdminGrp = Get-ADGroup -LDAPFilter "(adminCount=1)"

# Get list of admin users (past and present)
$AdminUsers = Get-ADUser -LDAPFilter "(adminCount=1)"

# Current members of the protected groups. -Recursive expands nested groups, because
# SDProp protects indirect members too; comparing distinguished names avoids the
# partial and regex matches that a -Match on display names would produce.
$Admins = ForEach ($Grp in $AdminGrp) { Get-ADGroupMember $Grp -Recursive | Where-Object { $_.ObjectClass -eq "user" } }
$AdminDNs = @($Admins | Select-Object -ExpandProperty DistinguishedName)

# Create empty hash tables, keyed by SamAccountName (unique, unlike Name)
$PGUsers = @{}
$OrphanUsers = @{}

# Compare $AdminUsers to $Admins and place each user in the appropriate hash table.
# krbtgt carries adminCount=1 without any group membership because SDProp protects
# it directly, so it is never treated as orphaned.
ForEach ($User in $AdminUsers)
{
  If ($AdminDNs -contains $User.DistinguishedName -or $User.SamAccountName -eq "krbtgt")
  {
    $PGUsers[$User.SamAccountName] = "Present"
  }
  Else
  {
    $OrphanUsers[$User.SamAccountName] = "NotPresent"
  }
}

If ($OrphanUsers.Count -eq 0)
{
  Write-Host "No orphaned admin users found"
}
Else
{
  ForEach ($Orphan in $OrphanUsers.Keys)
  {
    Write-Host "Fixing orphaned admin user: $Orphan"
    $ADUser = Get-ADUser $Orphan
    # Clear the adminCount attribute (removed rather than set to 0), then restore inheritance
    Set-ADUser $Orphan -Clear adminCount
    Set-Inheritance $ADUser.DistinguishedName
  }
}

Posted in Active Directory, Exchange 2010, Exchange 2013, Lync, Lync 2013, PowerShell

Windows Server Core 2012 R2 Remote Management

Posted by Alan McBurney on October 8, 2013

In my last blog post I added certificate services to a server core installation.

Well, as it turns out, after some more hands-on time with Server Core I did it the hard way, as Server 2012 brings with it a new level of remote, or headless, management.

When I first got this up and running I was pretty blown away by the experience.

What I'm going to walk through in this blog post are the configuration steps required to get remote management of the Server Core installation up and running via a dedicated management server.

In this lab I have 2 Windows 2012 R2 Servers

  • 1 Server Core
  • 1 GUI

I'm not going to include the steps required to get the VMs installed; I'm going to pick this up from the point that the installation is complete.

Once Server Core has been installed and you have created your admin password and logged in, the first thing to do is fire up SConfig in order to set:

  • Server Name
  • IP Address\Subnet Mask
  • DNS Servers
  • Remote Desktop

[Screenshot 1]

Running sconfig from the command prompt brings up the screen shown below and allows the basic server setup options to be configured.

[Screenshot 2]

Select option 2 and enter a computer name for the server. This requires a reboot once complete.

Once the server comes back up and you're logged back in, run sconfig again and this time choose option 8 in order to set the IP address, subnet mask, default gateway and DNS servers.

Once complete, that's about all that needs to be done on the Server Core installation.

We can now switch over to the Management Server.

Configure this server up in the normal way, setting:

  • IP Address\Subnet Mask
  • Default Gateway
  • DNS Server
  • Server Name

Reboot the server and get logged back in.

As we are still to configure a domain we are effectively in a workgroup.
And as there is no domain there is no DNS for name resolution.

To work around these issues there are a few steps that need to be taken.

  1. Add a hosts file entry for the DC on the management server
  2. Add the would-be Domain Controller to the WinRM TrustedHosts list on the management server

Let's go ahead and take care of the easy task of adding the Domain Controller's server name to the management server's hosts file.

Open Notepad as administrator and then open:

C:\Windows\System32\drivers\etc\hosts

Add an entry for the domain controller similar to that below.

[Screenshot 3]

Close the file and test name resolution via ping.
We won't get a ping response due to the firewall on QuarkLabs-DC01, but that's not the point. The point here is to test name resolution.

[Screenshot 4]

Now that name resolution is functional for QuarkLabs-DC01, the next step is to add the server to the WinRM TrustedHosts list on the management server.

Open PowerShell and run the following command:

Set-Item WSMAN:\localhost\Client\TrustedHosts quarklabs-dc01 -force

[Screenshot 5]

All items are now set, and we can go back to the Server Manager dashboard on the management server and add our remote server.

From Server Manager choose Add other server to manage

[Screenshot 6]

Select DNS and add the remote server

[Screenshot 7]

Click OK and wait for a moment while the remote server is added.

The server count shown on the dashboard should have increased.

[Screenshot 8]

Open All Servers and make sure that the recently added server is now present.

[Screenshot 9]

The server can now be managed via the management server like any normal server.
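The two workgroup workarounds above (hosts entry and TrustedHosts) can be scripted and verified from PowerShell on the management server. This is an added example, not part of the original post: the DC name is the one used in the walkthrough, while the IP address is a constructed placeholder to be replaced with the address set via sconfig option 8.

```powershell
# Added example (not from the original post). Assumes: DC name quarklabs-dc01 as in
# the walkthrough; 192.0.2.10 is a placeholder for the address set with sconfig option 8.
$DcName    = 'quarklabs-dc01'
$DcIp      = '192.0.2.10'
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. hosts file: add the mapping only if no active (non-comment) line already carries it
$NamePattern = '^\s*\S+\s+' + [regex]::Escape($DcName) + '(\s|$)'
$Existing = Get-Content $HostsPath | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $NamePattern }
if (-not $Existing) {
    Add-Content -Path $HostsPath -Value "$DcIp`t$DcName" -Encoding Ascii
}

# 2. TrustedHosts: the post's "Set-Item ... -force" replaces the whole list; -Concatenate
#    appends, so entries added earlier for other servers survive. Keep the list to named
#    machines: with NTLM the client cannot verify the identity of the machine it sends
#    credentials to, which is why WinRM refuses non-domain targets unless listed here.
$Trusted     = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$TrustedList = @($Trusted -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($TrustedList -notcontains $DcName) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $DcName -Concatenate -Force
}

# 3. Verify without ping (the DC firewall drops ICMP): the resolver honours the hosts
#    file, and Test-WSMan confirms the WinRM listener answers on the default HTTP port.
[System.Net.Dns]::GetHostAddresses($DcName) | Select-Object -ExpandProperty IPAddressToString
Test-WSMan -ComputerName $DcName

# Once the server has been promoted and this machine is domain-joined, Kerberos provides
# mutual authentication and the TrustedHosts entry can be removed again:
#   Clear-Item WSMan:\localhost\Client\TrustedHosts -Force
```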

That wraps it up for this post. In the next post I’ll configure and promote the server to be a domain controller all via the management server.


Posted in Active Directory, Server 2012 R2, Server Core, Windows Servers

Creating File Shares with PowerShell

Posted by Alan McBurney on July 23, 2013

I’m gradually moving more and more to PowerShell only for server administration.

Today I needed to create a new file share for a Lync 2013 Std Edition installation on Server 2012, and once again I looked to achieve this through the shell.

As it turns out, this is a very simple task, so with no further ado here is the syntax:

New-SmbShare -Name LyncShare -Path C:\LyncShare -Description "Lync 2013 File Share" -FullAccess Administrators

Posted in Active Directory, Lync, Lync 2013, PowerShell

Detecting members of Protected Groups within AD

Posted by Alan McBurney on July 16, 2013

I do a lot of Exchange and Lync work, and typically post-project I get calls from customers that things aren't working quite as expected.

Some typical issues include insufficient rights to modify users within Lync, ActiveSync not working or send as permissions being stripped out for users within Exchange.

What all these issues have in common is that the affected users are members of what are termed Protected Groups within AD, and security inheritance is being stripped from the user object.

If you need a primer, or a deep dive for that matter, into Protected Groups, see John Policelli's article here.

The following Active Directory PowerShell commands can be used to detect which users and groups are affected by Protected Group status.

To get the list of protected users:
     Get-ADUser -LDAPFilter "(admincount=1)" | select name

To get the list of protected groups:
     Get-ADGroup -LDAPFilter "(admincount=1)" | select name

Once the users have been removed from the Protected Groups, it's just a matter of enabling security inheritance for the user object from within AD, and the issues should be resolved.
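Before touching anything, it helps to see for each adminCount=1 user which protected groups it still belongs to (nested membership included) and whether inheritance is currently blocked. The read-only report below is an added example, not from the original post; the function names are my own, and it assumes the ActiveDirectory module and its AD: drive are available.

```powershell
# Added example (not from the original post): read-only audit of adminCount=1 users.
Import-Module ActiveDirectory

# Escape a DN for use as an LDAP filter value (RFC 4515); the backslash goes first.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-ProtectedUserReport {
    foreach ($u in Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount) {
        # Matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC
        # walk nested membership server-side, so a user in a group that is itself inside
        # Domain Admins is still reported as protected rather than flagged as orphaned.
        $dn     = ConvertTo-LdapFilterValue $u.DistinguishedName
        $groups = @(Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))")
        $acl    = Get-Acl -Path "AD:\$($u.DistinguishedName)"
        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            ProtectedGroups    = ($groups.Name -join '; ')
            InheritanceBlocked = $acl.AreAccessRulesProtected   # $True while SDProp protection is in place
            # krbtgt is protected by SDProp directly and has no group membership, so it is not an orphan
            Orphaned           = ($groups.Count -eq 0 -and $u.SamAccountName -ne 'krbtgt')
        }
    }
}

Get-ProtectedUserReport | Sort-Object Orphaned -Descending | Format-Table -AutoSize
```

Users listed with Orphaned = True and InheritanceBlocked = True are the ones whose inheritance needs re-enabling; those still in a protected group will simply be re-protected by SDProp on its next run.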

Posted in Active Directory, Exchange 2010, Exchange 2013, Lync, PowerShell, Windows 2008 R2, Windows Server 2012