Replicate all group members from Group A to Group B in Powershell

This is a very quick article that shows how to replicate all members of one group into another group with the AD Powershell module.

There are mainly two different goals:

  1. You want to replicate all group members from Group A to Group B in Powershell, as they are.
  2. You want to replicate all users that are in Group A recursively to Group B.

Case 1

Simple enough: this grabs every member as it is (a user, a group or any other object) and adds it to Group B.

Case 2

The difference between case 1 and case 2 is -Recursive, which grabs all members including those of nested groups. For instance, if Group A has 3 members, 2 user objects and a group called “Group A1” that in turn contains 3 users, Group B will end up with just the 5 users and not the group.
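Both cases in one function, as an added example that is not the article's own script. It assumes the ActiveDirectory module is available and that "Group A" and "Group B" are placeholder group names; it also skips members the target already holds, so re-running it is harmless.

```powershell
# Added example (not the article's script). Requires the ActiveDirectory module;
# "Group A" / "Group B" are placeholder group names.
Import-Module ActiveDirectory

function Copy-ADGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SourceGroup,
        [Parameter(Mandatory)] [string] $TargetGroup,
        # Case 2: follow nested groups and copy only the leaf objects they contain
        [switch] $Recursive
    )

    # Case 1 returns members as they are (users, groups, any object);
    # Case 2 (-Recursive) flattens nested groups and returns no group objects
    $members = Get-ADGroupMember -Identity $SourceGroup -Recursive:$Recursive

    # Skip anything already in the target so the copy is idempotent and
    # Add-ADGroupMember does not fail on duplicates
    $existing = @{}
    Get-ADGroupMember -Identity $TargetGroup |
        ForEach-Object { $existing[$_.distinguishedName] = $true }

    $toAdd = $members | Where-Object { -not $existing.ContainsKey($_.distinguishedName) }

    if (-not $toAdd) {
        Write-Verbose "Nothing to add: $TargetGroup already contains every member of $SourceGroup"
        return
    }

    if ($PSCmdlet.ShouldProcess($TargetGroup, "Add $($toAdd.Count) member(s) from $SourceGroup")) {
        # -Members accepts an array, so a single call is enough
        Add-ADGroupMember -Identity $TargetGroup -Members $toAdd
    }
    # Return what was (or, with -WhatIf, would be) added
    $toAdd | Select-Object objectClass, name, distinguishedName
}

# Case 1: preview copying members as they are
Copy-ADGroupMembership -SourceGroup "Group A" -TargetGroup "Group B" -WhatIf
# Case 2: flatten nested groups, copying only the users they contain
Copy-ADGroupMembership -SourceGroup "Group A" -TargetGroup "Group B" -Recursive -Verbose
```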


Set Permissions for a Print Server with Powershell

You cannot set permissions for a print server with Powershell alone. At least you can’t right now (4th of May 2017). There’s a way though 🙂

I spent a few hours researching this and I noticed I wasn’t the only one that wanted to set up a security group on a Print Server level in a scripted manner, however everybody was stuck with the same issue. Just to be clear, this is what I want to achieve:

[Screenshot: Print Management, print server Security tab]

My idea is to get a security group to be able to fully manage the print server, without being Server Admins. And I want to achieve this before adding any printer so that permissions will eventually get applied on new printers. In theory this step will help me with automating a print server installation/configuration.

SetPrinter

I was losing any hope until I came across a TechNet forum thread discussing “setprinter.exe”, a tool contained in the Windows Server 2003 Resource Kit. However, the version that ships with the kit doesn’t really work. After some more time, I was able to obtain the updated MS version of the tool, which you can download from here: SetPrinter.Zip.
Note that I only have the 64bit version of it, so this won’t work on a 32bit system.

I will explain how we’re going to use this application before showing you a basic Powershell script that assigns the permissions. The nice thing about this tool is that it works remotely as well.

First of all, we will work with the pSecurityDescriptor. This contains the access entries and, depending on how we use setprinter.exe, we can read and/or set the pSecurityDescriptor for the Print Server itself or for one of its printers; the latter is of little use nowadays, as Powershell lets you change a printer’s security settings easily.

So, let’s run the following to get the current pSecurityDescriptor:

Note that the print server name must be followed by a backslash, then a space and the number 3.

This is what you’ll get (these are the default permissions):

[Screenshot: setprinter.exe show output with the default permissions]

During the process when I was trying to understand this, I added a security group to the permissions of the server (manually, through the GUI) and gave it Full Control (this is the level of permissions I need for the group). After doing that, I re-ran the command above and I got this:

This might seem confusing, but ultimately it’s simple: each ( ) block contains the permissions and the identity of a user/group, and for the group I just added, that identity is its SID!
When I was testing this, I added another group manually (again, Full Control) and re-ran the setprinter.exe command so that I could compare the three outputs and better understand what was happening.

Eventually I figured out that in order to assign full permissions to a user or a group, I need to add the following to the pSecurityDescriptor:

Obviously, replace MYSIDHERE with the SID of the User or Group. That wasn’t so bad after all 🙂

Powershell

Time to have Powershell do some work now! See the script below:

I’ve added a lot of comments to make sure everything is explained. Remember that the AD Powershell module is required for getting the SID (you could use psgetsid if you don’t want to use the AD module), and that you can run this remotely from your own machine, as setprinter.exe can read/apply permissions remotely.

Let’s go quickly through it:


Nearest Domain Controller without Powershell AD Module

Getting the nearest Domain Controller when the AD module is present is fairly simple; all you need to do is run the following:

But what if you want to achieve the same result on a client/server that doesn’t have the Powershell Active Directory modules installed?
Well, in cmd you can do something like this:

The above comes back with quite a few pieces of information that are useless for our purpose (or an error).

[Screenshot: full dsgetdc output]


So we can run this instead, to get just the “DC” line:

So now we have just one line with the Domain Controller (or the error).

[Screenshot: dsgetdc output filtered to the DC line]

Now, let’s work with the above command in Powershell. What we want is a variable ($DC) that contains either the domain controller name or, if there’s an error, any other value we choose, for instance $false.

The script is pretty crude so that you can modify it as you like; let’s explain what it does. It first tries to run the above command with a slight difference: I added .split(" "), which splits the result into an array of sub-strings. But if the command fails, there is nothing to split and Powershell throws an error. This is why we need a Try/Catch.
If the command fails to retrieve a domain controller, $DC will be $false.
If the .split call works, the script runs through each sub-string of the array and checks whether it starts with two backslashes: that means we’ve got what we’re looking for!
Finally, the name of the domain controller is assigned to $DC. Note that .replace('\\','') removes the two backslashes and leaves us just the domain controller’s hostname.
I hope this explains the idea behind it a bit more.
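The same idea as a reusable function, added here as an example rather than the article's script. It assumes nltest.exe (shipped with Windows, no AD module needed) prints a line of the form "DC: \\hostname" on success, checks the exit code instead of relying on a failed .split, and returns $false when no domain controller can be found.

```powershell
# Added example (not the article's script). Uses nltest.exe, which ships with
# Windows, so the Active Directory Powershell module is not required.
function Get-NearestDomainController {
    param(
        # Defaults to the domain the current user is logged on to; pass a DNS name to override
        [string] $Domain = $env:USERDNSDOMAIN
    )

    $DC = $false
    try {
        # On success nltest prints "DC: \\DC01.contoso.com" as its first line;
        # on failure it prints an error and sets a non-zero exit code
        $output = & nltest.exe /dsgetdc:$Domain 2>&1
        if ($LASTEXITCODE -ne 0) { throw "nltest failed with exit code $LASTEXITCODE" }

        # Same idea as splitting on spaces and looking for the "\\" prefix, but
        # anchored on the "DC:" label so other UNC-looking fields are ignored
        foreach ($line in $output) {
            if ($line -match '^\s*DC:\s+\\\\(\S+)') {
                $DC = $Matches[1]   # the capture group already drops the two backslashes
                break
            }
        }
    }
    catch {
        Write-Warning "Could not locate a domain controller for '$Domain': $_"
        $DC = $false
    }
    return $DC
}

$DC = Get-NearestDomainController
if ($DC) { "Nearest DC: $DC" } else { "No domain controller found" }
```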


Reset Password Expiration

Resetting the password expiration in Active Directory can come in handy when a user’s password has expired and they haven’t had the chance to change it yet (perhaps due to network restrictions).
Rather than resetting the user’s password, the Help Desk team can reset the password expiration time, which avoids the security compromise of them knowing a temporary password.
Obviously, skipping a password change is itself a security issue, so this should not be used just because you’re too bored to change your own account’s password. 🙂
Note that what you’re actually doing is not resetting the password expiration value but resetting the last password set date.

There are three ways of doing this, via Active Directory Users and Computers, via ADSI Edit and via Powershell.

Active Directory Users and Computers (ADSI Edit is very similar once you open the object’s properties)

  1. Open Active Directory Users and Computers
  2. Click on View and select Advanced Features
    • [Screenshot: Active Directory Users and Computers, View menu, Advanced Features]
  3. Now open the object for which you want to reset the password expiration and go to the Attribute Editor tab.
  4. Click once on the Attribute column to sort it by name.
  5. Scroll down to pwdLastSet.
    • [Screenshot: Attribute Editor, pwdLastSet]
  6. Click Edit, delete the current entry, type 0 (zero) and click Ok.
    • [Screenshot: pwdLastSet set to 0]
  7. Click Ok to save the changes.
  8. Open the object again, repeat the steps above to reach the pwdLastSet attribute and, this time, assign -1; click Ok and Ok again to save the changes. This resets the password last set date to “now”.
    • [Screenshot: pwdLastSet set to -1]

Powershell

This one’s my favourite because it’s quick and easy. Run Powershell from a machine where Active Directory’s powershell module is installed (a domain controller will do). Make sure you have admin rights on the target user (or make sure you run powershell as an administrator).
Finally, run the following commands (they’re all commented to make it easier for you to understand the steps).
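The two-step 0 then -1 write from the GUI procedure, done with Set-ADUser, as an added example that is not the article's own commands. It assumes the ActiveDirectory module, write access to the target user, and 'jdoe' as a placeholder sAMAccountName; it reports pwdLastSet before and after so the change can be verified.

```powershell
# Added example (not the article's commands). Requires the ActiveDirectory module
# and write access to the target user; 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

function Reset-PasswordLastSet {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [string] $Identity)

    # pwdLastSet is a Windows FILETIME (Int64); 0 means "never set"
    $user   = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordExpired
    $before = [DateTime]::FromFileTime($user.pwdLastSet)
    Write-Verbose "$Identity pwdLastSet before: $before (expired: $($user.PasswordExpired))"

    if (-not $PSCmdlet.ShouldProcess($Identity, "Reset pwdLastSet to now")) { return }

    # Step 1: 0 marks the password as never set ("must change at next logon")
    Set-ADUser -Identity $Identity -Replace @{ pwdLastSet = 0 }
    # Step 2: -1 makes the DC stamp the current time, without touching the password itself
    Set-ADUser -Identity $Identity -Replace @{ pwdLastSet = -1 }

    # Read it back so the caller can confirm the new last-set date
    $after = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordExpired
    [pscustomobject]@{
        User             = $Identity
        PwdLastSetBefore = $before
        PwdLastSetAfter  = [DateTime]::FromFileTime($after.pwdLastSet)
        PasswordExpired  = $after.PasswordExpired
    }
}

Reset-PasswordLastSet -Identity 'jdoe' -Verbose
```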



Bitlocker Error 0x80005000

A problem occurred during BitLocker setup. You may need to restart BitLocker setup to continue. Error code 0x80005000.
This is the error you get when trying to enable BitLocker on a drive of a domain-joined machine whose computer object sits in an OU that contains a “/” (forward slash) in its name.
Renaming the OU to remove the “/” from its name fixes the issue, and you will be able to encrypt the drive you were trying to encrypt before getting BitLocker Error 0x80005000.
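A read-only check, added here and not part of the original post, that lists every OU whose name contains a forward slash together with the number of computer objects under it, so the affected machines can be found before BitLocker is rolled out. It assumes the ActiveDirectory module.

```powershell
# Added example (not from the article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Find-SlashNamedOU {
    # Filter on the client side: the OU name is compared as a plain string
    Get-ADOrganizationalUnit -Filter * -Properties Name |
        Where-Object { $_.Name -like '*/*' } |
        ForEach-Object {
            # Every computer in or below this OU will hit 0x80005000 on BitLocker setup
            $computers = Get-ADComputer -Filter * -SearchBase $_.DistinguishedName -SearchScope Subtree
            [pscustomobject]@{
                OU                = $_.Name
                DistinguishedName = $_.DistinguishedName
                AffectedComputers = @($computers).Count
            }
        }
}

Find-SlashNamedOU | Format-Table -AutoSize
```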

[Screenshot: BitLocker error code 0x80005000]
