Posts

Showing posts from May, 2023

Error message "Get-DfsnAccess : The requested operation is not supported" when using Active Directory DFS PowerShell module

When using the Active Directory DFS PowerShell module's cmdlet Get-DfsnAccess you may see the error:

Get-DfsnAccess : The requested operation is not supported

This can occur if you run the command with a path that points to a namespace or to a version 1 folder. To clarify, this cmdlet gets the view permissions on a DFS folder, which are shown on the folder's Advanced tab. You'll notice that a domain version 1 namespace, shown as "Domain (Windows 2000 Server mode)" in the DFS user interface, does not have an Advanced tab on its folders. If you're looking for the permissions assigned to the namespace itself, shown on the Delegation tab, these can be obtained by reading the GrantAdminAccess property of the object returned by the Get-DfsnRoot cmdlet:

Get-DfsnRoot -Path "\\demo2022.int\Domain2008" | Select-Object -ExpandProperty GrantAdminAccess

While you're here - Why not check out our Active Directory Documentation Tool?

Convert security identifier (SID) to account name using Active Directory PowerShell Get-ADObject cmdlet

If you have a security identifier (SID) that you want to resolve into an account name you can always use PowerShell remoting and the .NET SecurityIdentifier class; however, if you want to do it directly against Active Directory with the Active Directory PowerShell cmdlets, you can use the following:

# The SID to resolve into an account name.
$sid = "S-1-5-21-1531147241-2246046137-799074561-512";
# objectSid is indexed, so filtering on it is a single cheap lookup.
$account = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties "msDS-PrincipalName";
$account."msDS-PrincipalName";
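The lookup above only finds SIDs that have an object in the queried domain. The following is an added example, not code from the original post, that wraps the same Get-ADObject filter in a function, validates the input before it is placed in the filter, lets you point -Server at a domain controller of another domain, and falls back to the .NET SecurityIdentifier class for well-known and built-in SIDs that have no directory object. The function and parameter names are my own.

```powershell
# Added example (not from the original post): resolve a SID string to a
# DOMAIN\Name account. Domain SIDs are looked up with Get-ADObject; well-known
# SIDs (BUILTIN\..., NT AUTHORITY\...) are translated by the local security
# subsystem because they have no object in the directory.
Function Resolve-SidToAccountName {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.String] $Sid,

        # Optional domain controller to query, e.g. a DC of another domain
        # when the SID does not belong to the current domain.
        [Parameter()]
        [System.String] $Server
    )
    process {
        # Parse the SID first so that an arbitrary string can never be
        # interpolated into the directory filter.
        try {
            $sidObject = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        }
        catch {
            throw "'$Sid' is not a valid SID string."
        }

        # Only SIDs that carry a domain identifier (S-1-5-21-...) live in AD.
        if ($sidObject.AccountDomainSid) {
            $query = @{
                Filter     = "objectSid -eq '$($sidObject.Value)'"
                Properties = "msDS-PrincipalName"
            }
            if ($Server) { $query["Server"] = $Server }

            $account = Get-ADObject @query
            if ($account) {
                return $account."msDS-PrincipalName"
            }
        }

        # Fallback for well-known/built-in SIDs, or a domain SID with no
        # matching object (for example a deleted account).
        try {
            return $sidObject.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            Write-Warning "SID '$Sid' could not be resolved to an account name."
            return $null
        }
    }
}

# Usage with the SID from the original post and a well-known SID:
Resolve-SidToAccountName -Sid "S-1-5-21-1531147241-2246046137-799074561-512"
Resolve-SidToAccountName -Sid "S-1-5-32-544"   # BUILTIN\Administrators
```

A SID that fails both lookups is typically an orphaned (deleted) principal; that is worth flagging when reviewing ACLs rather than silently dropping.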

Active Directory PowerShell get a user's NetBIOS account name including the domain name with Get-ADUser or Get-ADObject

If you want to get a user's full NetBIOS account name in the format DOMAIN\Username, for example EUROPE\TSmith, with the Active Directory PowerShell cmdlets Get-ADUser or Get-ADObject, this can be done by reading the msDS-PrincipalName attribute. This can be viewed in ADSIEdit.msc; however, you'll need to ensure that the "Constructed" attribute type is selected in the attribute filter, because this value isn't stored on the user object but is generated dynamically. In PowerShell you can simply enter the following command:

Get-ADUser -Identity "CN=Terry Smith,CN=Users,DC=demoxcs2022,DC=int" -Properties "msDS-PrincipalName";

or even the following:

Get-ADObject -Identity "CN=Terry Smith,CN=Users,DC=demoxcs2022,DC=int" -Properties "msDS-PrincipalName";

Fix Active Directory PowerShell cmdlets Get-ADUser and Get-ADObject error "A referral was returned from the server" using Global Catalogs or chasing referrals.

You can get Active Directory objects using the Active Directory PowerShell module's cmdlets such as Get-ADUser, Get-ADComputer and Get-ADObject. Typically this works fine; however, when you cross domain boundaries this can become more complicated and you may see the error:

Get-ADObject : A referral was returned from the server

Take for example the following: you are in demo2022.int and you're trying to find the display name of a user in europe.demo2022.int with the distinguished name "CN=Terry,DC=europe,DC=2022,DC=int". The domain controllers in demo2022 do not hold this account so it can't be resolved; you can, however, ask a Global Catalog server, as Global Catalogs contain a cut-down copy of every object in the forest. You can get a Global Catalog by finding one in the forest, then use it by specifying port 3268 (Global Catalog) or 3269 (Global Catalog over SSL) if SSL is set up.

$globalCatalog = (Get-ADForest).GlobalCatalogs[0]
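Carrying the Global Catalog approach through to a working lookup, the following is an added example and not code from the original post. It wraps the forest Global Catalog discovery and the port selection in a function and passes the server to Get-ADObject with -Server, which is what avoids the referral. The function name, parameters and the site-independent choice of the first Global Catalog are assumptions of mine; the distinguished name is the one from the post.

```powershell
# Added example (not from the original post): read an object in another
# domain of the forest through a Global Catalog so that a domain controller
# of the current domain never has to answer with a referral.
Function Get-ADObjectFromGlobalCatalog {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [System.String] $DistinguishedName,

        # Attributes to return. A Global Catalog only holds the partial
        # attribute set, so attributes outside it come back empty even
        # though the object is found; displayName is in the set.
        [Parameter()]
        [System.String[]] $Properties = @("displayName"),

        # 3269 (Global Catalog over SSL) only works when the GC has a
        # server certificate; 3268 is the plain Global Catalog port.
        [Parameter()]
        [switch] $UseSsl
    )
    process {
        # Any Global Catalog in the forest will do for a read; picking the
        # first one returned keeps the example simple (assumption).
        $globalCatalog = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
        if (-not $globalCatalog) {
            throw "No Global Catalog server was found in the forest."
        }

        $port = if ($UseSsl) { 3269 } else { 3268 }
        $server = "${globalCatalog}:${port}"

        # -Server with the GC port routes the query to the Global Catalog
        # partition, which contains objects from every domain in the forest.
        Get-ADObject -Identity $DistinguishedName -Server $server -Properties $Properties
    }
}

# Usage with the cross-domain distinguished name from the original post:
Get-ADObjectFromGlobalCatalog -DistinguishedName "CN=Terry,DC=europe,DC=2022,DC=int" |
    Select-Object -ExpandProperty displayName
```

If an attribute you need is not in the partial attribute set, the Global Catalog cannot supply it; in that case query a domain controller of the object's own domain with -Server instead.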

How to register the Active Directory Schema Management MMC snap-in if it is missing

When you try to find the Active Directory Schema management MMC snap-in you find that it's missing. For security reasons Microsoft do not make the snap-in available by default and it has to be registered manually using the command:

regsvr32 schmmgmt.dll

The Active Directory Schema snap-in can then be added to an MMC by selecting File > Add/Remove Snap-in... or by pressing Ctrl+M. Ensure that you run the command using an Administrator account in an elevated command prompt, otherwise you will see the error:

The module “schmmgmt.dll” was loaded but the call to DllRegisterServer failed with error code 0x80040201. For more information about this problem, search online using the error code as a search term.

Use Active Directory PowerShell to get Group Policy Object links to a Site object using Get-GPInheritance cmdlet

If you've used the cmdlet Get-GPInheritance you may be surprised to find that it doesn't allow you to target an Active Directory site to find the Group Policy Objects linked to that site. To do this you'll need to get the information manually from the gpLink attribute in Active Directory:

# Gets the Active Directory Group Policy object links for the specified site name.
Function Get-GroupPolicySiteLinks {
    [CmdletBinding()]
    param (
        [Parameter()]
        [System.String] $SiteName
    )
    process
    {
        # Read the raw gpLink attribute from the site object.
        $site = Get-ADReplicationSite -Identity $SiteName -Properties "gpLink";
        # Each link is stored as a bracketed [LDAP://...;options] entry.
        $groupPolicyLinks = [regex]::Matches($site.gpLink, "(?<=\[).+?(?=\])").Value;
        # gpLink stores links in reverse precedence order.
        [array]::Reverse($groupPolicyLinks);
        foreach ($groupPolicyLink in $groupPolicyLinks)
        {
            $gpoGuid = [regex]::Matches($groupPolicyLink, "(?<=
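The following is an added example, not the post's own function, that carries the gpLink parsing through to a complete result: each entry in gpLink has the form [LDAP://<GPO distinguished name>;<options>], where options is a bit field (1 = link disabled, 2 = link enforced), and the entries are stored in reverse precedence order, which is why the post reverses them. The function name, output property names and the site name in the usage line are assumptions of mine.

```powershell
# Added example (not from the original post): list the Group Policy objects
# linked to an Active Directory site, with link order, enabled/enforced
# state and the GPO display name, by parsing the site's gpLink attribute.
Function Get-GroupPolicySiteLinks {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [System.String] $SiteName
    )
    process {
        $site = Get-ADReplicationSite -Identity $SiteName -Properties "gpLink"
        if ([string]::IsNullOrWhiteSpace($site.gpLink)) {
            return   # nothing is linked to this site
        }

        # Extract every "[...]" entry. gpLink keeps links in reverse
        # precedence order, so reverse to get GPMC's link order (1 = first).
        $entries = @([regex]::Matches($site.gpLink, "(?<=\[).+?(?=\])") |
                     ForEach-Object { $_.Value })
        [array]::Reverse($entries)

        $linkOrder = 0
        foreach ($entry in $entries) {
            $linkOrder++
            # "LDAP://CN={GUID},CN=Policies,CN=System,DC=...;<options>"
            $ldapPath, $optionText = $entry -split ';', 2
            $gpoDn   = $ldapPath -replace '^LDAP://', ''
            $options = [int]$optionText

            # The GPO's CN is its GUID in braces.
            $gpoGuid = ([regex]::Match($gpoDn, "\{[0-9A-Fa-f-]+\}")).Value.Trim('{', '}')

            # Resolve the display name from the policy object itself; a link
            # can point at a GPO that no longer exists.
            try {
                $displayName = (Get-ADObject -Identity $gpoDn -Properties "displayName").displayName
            }
            catch {
                $displayName = "<GPO object not found>"
            }

            [PSCustomObject]@{
                SiteName    = $SiteName
                LinkOrder   = $linkOrder
                GpoGuid     = $gpoGuid
                DisplayName = $displayName
                Enabled     = -not ($options -band 1)
                Enforced    = [bool]($options -band 2)
                GpoDN       = $gpoDn
            }
        }
    }
}

# Usage (the site name is an assumption; it is the default name AD creates):
Get-GroupPolicySiteLinks -SiteName "Default-First-Site-Name" | Format-Table
```

Site-linked GPOs apply to every computer in the site regardless of domain, so a link whose GPO object cannot be resolved, or one that is enforced, deserves a second look during a policy review.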

SOLVED: Active Directory PowerShell Get-ADUser returns computer accounts and special accounts as well as normal accounts

By default the Active Directory PowerShell cmdlet Get-ADUser returns special accounts such as trust accounts. If you only want normal user accounts you need to use the user account control flags, which are documented here: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties Specifically you need the following flag:

NORMAL_ACCOUNT 0x0200 512

The easiest way to provide this is to use the -Filter parameter with the bitwise AND operator -band, which determines whether flag 512 is set:

Get-ADUser -Filter "userAccountControl -band 512"
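As an added example, not code from the original post, the function below applies the same NORMAL_ACCOUNT flag test through an LDAP filter using the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803), which is what the -band filter is translated to on the server, and optionally drops disabled accounts (ACCOUNTDISABLE, 0x0002) by combining a second bitwise-AND test. The function and parameter names are my own.

```powershell
# Added example (not from the original post): return only normal user
# accounts, and by default only the enabled ones, using userAccountControl
# bit tests expressed as an LDAP filter.
Function Get-NormalUserAccount {
    [CmdletBinding()]
    param (
        # Include accounts that have the ACCOUNTDISABLE bit set.
        [Parameter()]
        [switch] $IncludeDisabled,

        [Parameter()]
        [System.String[]] $Properties = @("userAccountControl")
    )
    process {
        # Flag values from the userAccountControl documentation linked above.
        $NORMAL_ACCOUNT = 0x0200   # 512
        $ACCOUNTDISABLE = 0x0002   # 2

        # LDAP_MATCHING_RULE_BIT_AND: matches when the given bit is set.
        $filter = "(userAccountControl:1.2.840.113556.1.4.803:=$NORMAL_ACCOUNT)"
        if (-not $IncludeDisabled) {
            # AND with the negation of a second bit test to drop disabled accounts.
            $filter = "(&$filter(!(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE)))"
        }

        Get-ADUser -LDAPFilter $filter -Properties $Properties
    }
}

# Usage: enabled normal accounts with the raw flag value for inspection.
Get-NormalUserAccount |
    Select-Object SamAccountName, Enabled, userAccountControl |
    Format-Table
```

Because the bit tests run on the domain controller, the filter scales to large domains without pulling every user object to the client first.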