Get an AD Object without RSAT and fast

In this article we’ll see the function I’ve built to get an AD Object without RSAT, and fast. I’ve been thinking for a while about writing a new function, mainly because I wanted to pass multiple SamAccountNames without having to write a filter. Recently I had to go through a ton of users quickly, and that is when I thought I could finally write my custom function. It leverages System.DirectoryServices.DirectorySearcher, so it doesn’t even require RSAT.

There are a lot of guides out there on how to use DirectorySearcher; this article is meant to share the function I built around it.

The things I like the most about this:

  • It’s fast. The more objects you’re querying, the faster it’ll be compared to Get-ADObject/Get-ADUser/Get-ADGroup.
  • You can use it to query any kind of Object.
  • You can pass multiple SamAccountNames (Sam1, Sam2, SamN), SIDs or DistinguishedNames.
    • You can also choose to pass a partial parameter with a wildcard, for example: MyUserSam*
  • You can also choose to write a plain LDAP Query instead of the SAM/SID/DN.
  • Filter down for an account status with -AccountStatus. By default you’ll get both Enabled and Disabled.
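The lookup described above, written as an added example (this is not the article’s own function): several SamAccountNames, SIDs or DNs become one OR-ed LDAP filter, a wildcard is passed through, a plain LDAP query can be handed in instead, and -AccountStatus filters on the ACCOUNTDISABLE bit of userAccountControl. Names, parameter names and the usage lines are assumptions.

```powershell
function Get-DsObject {
    param(
        [string[]]$Identity,                 # Sam1, Sam2, svc-*, S-1-5-21-..., CN=...,DC=...
        [string]$LdapFilter,                 # or hand the function a plain LDAP query instead
        [ValidateSet('Any','Enabled','Disabled')][string]$AccountStatus = 'Any',
        [string[]]$Properties = @('sAMAccountName','distinguishedName','objectClass','userAccountControl')
    )
    # Escape LDAP filter metacharacters but keep '*' so partial names like MyUserSam* still work
    function Escape-Ldap([string]$s) { $s -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' }

    if ($LdapFilter) {
        $filter = $LdapFilter
    } elseif ($Identity) {
        $terms = foreach ($id in $Identity) {
            if     ($id -match '^S-1-\d+(-\d+)+$') { "(objectSid=$id)" }                        # SID
            elseif ($id -match '^(CN|OU|DC)=')     { "(distinguishedName=$(Escape-Ldap $id))" }  # DN
            else                                   { "(sAMAccountName=$(Escape-Ldap $id))" }     # SAM
        }
        $filter = "(|$(-join $terms))"
    } else { throw 'Pass -Identity or -LdapFilter' }

    # ACCOUNTDISABLE is bit 2 of userAccountControl; 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND
    switch ($AccountStatus) {
        'Enabled'  { $filter = "(&$filter(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" }
        'Disabled' { $filter = "(&$filter(userAccountControl:1.2.840.113556.1.4.803:=2))" }
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher   # default root = current domain
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000        # paged search, so more than 1000 hits come back
    $searcher.PropertiesToLoad.AddRange($Properties)
    try {
        foreach ($r in $searcher.FindAll()) {
            $o = [ordered]@{}
            foreach ($p in $Properties) {
                $vals = @($r.Properties[$p.ToLower()])
                $o[$p] = if ($vals.Count -gt 1) { $vals } else { $vals[0] }   # $null when absent
            }
            [pscustomobject]$o
        }
    } finally { $searcher.Dispose() }
}

# Usage (assumed names): Get-DsObject -Identity 'jdoe','svc-*' -AccountStatus Enabled
#                        Get-DsObject -LdapFilter '(&(objectCategory=group)(cn=Print*))'
```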



Resource Win7Only referenced in attribute displayName could not be found

This error appears when you have updated the ADML and ADMX files to Windows 10, version 1803. Let’s see how to fix it!

When trying to edit a policy, you receive this error: Resource ‘$(string id=Win7Only)’ referenced in attribute displayName could not be found.

This is a known issue at Microsoft: the SearchOCR.ADML file was updated for Windows 10 version 1803, and this line was left out of the new ADML file:

<string id="Win7Only">Microsoft Windows 7 or later</string>

The way I used to fix this was to manually edit SearchOCR.ADML.

Editing SearchOCR.ADML

  • Make a copy of \Policies\PolicyDefinitions\en-us\searchocr.adml. Normally this path is under \\yourdomain\sysvol\yourdomain. This is needed in case the file you’ll edit gets corrupted.
  • With a text editor, open \Policies\PolicyDefinitions\en-us\searchocr.adml and search for <string id="OCREveryPage">Force TIFF IFilter to perform OCR for every page in a TIFF document</string>.
    • The line above this should be: <string id="OCR">OCR</string>
  • Add the following string right after <string id="OCR">OCR</string>:
    • <string id="Win7Only">Microsoft Windows 7 or later</string>
  • Save the file and try again (allow some time for replication if you have multiple Domain Controllers).
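The same edit, scripted, as an added example that is not part of the article: it backs the file up, checks whether the Win7Only string is already there, and only then inserts it right after the OCR string, keeping the file’s indentation, line endings and encoding. The function name and the default path are assumptions.

```powershell
function Repair-SearchOcrAdml {
    param(
        # Assumed default; point it at your Central Store copy of searchocr.adml
        [string]$Path = '\\yourdomain\sysvol\yourdomain\Policies\PolicyDefinitions\en-us\searchocr.adml'
    )
    $anchor  = '<string id="OCR">OCR</string>'
    $missing = '<string id="Win7Only">Microsoft Windows 7 or later</string>'

    # Read with BOM detection so the file is written back in the encoding it came with
    $reader   = New-Object System.IO.StreamReader($Path, $true)
    $content  = $reader.ReadToEnd()
    $encoding = $reader.CurrentEncoding
    $reader.Dispose()

    if ($content -match 'id="Win7Only"') { return 'AlreadyPresent' }   # nothing to do, file is fine

    $idx = $content.IndexOf($anchor)
    if ($idx -lt 0) { throw "Anchor '$anchor' not found in $Path; edit the file manually." }

    # Keep a copy before touching the file, as the steps above recommend
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force

    # Reuse the anchor line's indentation and line ending so the new line matches its neighbours
    $lineStart = $content.LastIndexOf("`n", $idx) + 1
    $indent    = $content.Substring($lineStart, $idx - $lineStart)
    $newline   = if ($content.Contains("`r`n")) { "`r`n" } else { "`n" }
    $content   = $content.Insert($idx + $anchor.Length, "$newline$indent$missing")

    [System.IO.File]::WriteAllText($Path, $content, $encoding)
    return 'Fixed'
}

# Usage: Repair-SearchOcrAdml            # returns 'AlreadyPresent' or 'Fixed'
```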

EDIT: There’s a KB from MS finally released for this HERE.


Replicate all group members from Group A to Group B in Powershell

This is going to be a very quick article that shows you how to replicate all members from one group over to another group with the AD Powershell module.

There are mainly two different goals:

  1. You want to replicate all group members from Group A to Group B in Powershell, as they are.
  2. You want to replicate all users that are in Group A recursively to Group B.

Case 1

Simple enough, this will grab every member as it is (either a user, a group or any other object) and add it to Group B.

Case 2

The difference between case 1 and case 2 is -Recursive. This grabs all members, including the members of nested groups. For instance, if Group A had 3 members (2 user objects and a group called “Group A1” which in turn contained 3 users), you will see that Group B ends up containing just the 5 users and not the groups.
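Both cases in one function, as an added example (not the article’s own script): without -Recursive every direct member is copied as is (case 1); with -Recursive nested groups are expanded and only the leaf objects land in Group B (case 2). Members already in the target are skipped, and -WhatIf shows what would be added. The function name is an assumption; the ActiveDirectory module is required.

```powershell
function Copy-ADGroupMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceGroup,   # "Group A"
        [Parameter(Mandatory)][string]$TargetGroup,   # "Group B"
        [switch]$Recursive                            # case 2: expand nested groups, users only
    )
    # Get-ADGroupMember -Recursive returns the leaf objects and drops the nested groups themselves
    $source   = @(Get-ADGroupMember -Identity $SourceGroup -Recursive:$Recursive)
    $existing = @(Get-ADGroupMember -Identity $TargetGroup | ForEach-Object { $_.distinguishedName })

    # Only add what is not already there, so the function can be re-run safely
    $toAdd = @($source | Where-Object { $_.distinguishedName -notin $existing })
    if ($toAdd.Count -eq 0) { Write-Verbose "Nothing to add to $TargetGroup"; return }

    if ($PSCmdlet.ShouldProcess($TargetGroup, "Add $($toAdd.Count) member(s) from $SourceGroup")) {
        Add-ADGroupMember -Identity $TargetGroup -Members $toAdd
    }
    $toAdd | Select-Object objectClass, SamAccountName, distinguishedName
}

# Case 1: Copy-ADGroupMembers -SourceGroup 'Group A' -TargetGroup 'Group B' -WhatIf
# Case 2: Copy-ADGroupMembers -SourceGroup 'Group A' -TargetGroup 'Group B' -Recursive
```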


Set Permissions for a Print Server with Powershell

You cannot set permissions for a print server with Powershell alone. At least you can’t right now (4th of May 2017). There’s a way though 🙂

I spent a few hours researching this and I noticed I wasn’t the only one that wanted to set up a security group on a Print Server level in a scripted manner, however everybody was stuck with the same issue. Just to be clear, this is what I want to achieve:


My idea is to get a security group to be able to fully manage the print server, without being Server Admins. And I want to achieve this before adding any printer so that permissions will eventually get applied on new printers. In theory this step will help me with automating a print server installation/configuration.

SetPrinter

I was losing all hope until I came across a TechNet forum thread with a discussion about “setprinter.exe“, a tool contained in the Windows Server 2003 Resource Kit. However, the version that ships with it doesn’t really work. After some more time, I was able to obtain the updated MS version of the tool, which you can download from here: SetPrinter.Zip.
Note that I only have the 64bit version of it, so this won’t work on a 32bit system.

I will try to explain how we’re going to use this application before showing you a basic Powershell script that assigns the permissions. The cool thing about this tool is that it works remotely as well.

First of all, we will work with the pSecurityDescriptor. This contains the access type, and depending on how we use setprinter.exe we can grab and/or set the pSecurityDescriptor for the Print Server itself or for one of its printers; the latter option is of little use, as Powershell nowadays lets you change a printer’s security settings easily.

So, let’s run the following to get the current pSecurityDescriptor:

Note that right after the print server you need to add a backslash and you need a space and the number 3 right after.

This is what you’ll get (these are the default permissions):


During the process when I was trying to understand this, I added a security group to the permissions of the server (manually, through the GUI) and gave it Full Control (this is the level of permissions I need for the group). After doing that, I re-ran the command above and I got this:

This might seem confusing, but ultimately it’s simple: anything within ( ) is an ACE containing the permissions and the user/group identification, and for the group I just added that identification is its SID!
When I was testing this, I ended up adding an extra group manually (again, Full permissions) and re-ran the setprinter.exe command so that I could compare the 3 outputs and get a better understanding of what was happening.

Eventually I figured out that in order to assign full permissions to a user or a group, I need to add the following to the pSecurityDescriptor:

Obviously, replace MYSIDHERE with the SID of the User or Group. That wasn’t so bad after all 🙂

Powershell

Time to have Powershell do some work now! See the script below:

I’ve added a lot of comments to make sure everything is explained. Remember that the AD Powershell module is required for getting the SID (you could use psgetsid if you don’t want to use the AD Module) and also that you can run this remotely from your own machine as setprinter.exe will be able to grab/apply permissions remotely.
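Two helpers that go with the explanation above, added here as an example and not taken from the article’s script: the first decodes the ( ) entries of a pSecurityDescriptor SDDL string into readable ACEs with the SID translated to an account name, so you can check what setprinter.exe shows before and after a change; the second resolves a group name to its SID with .NET alone, which covers the “no AD module, no psgetsid” case. The function names and the sample SDDL string are assumptions; the sample is constructed, not real setprinter output.

```powershell
function ConvertFrom-PrinterSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # RawSecurityDescriptor parses the SDDL form; each DACL entry is one "(...)" group
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        # Well-known and domain SIDs translate to names; fall back to the raw SID if lookup fails
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{
            Type       = $ace.AceType                        # AccessAllowed / AccessDenied
            Flags      = $ace.AceFlags                       # ObjectInherit, ContainerInherit, ...
            AccessMask = ('0x{0:X8}' -f $ace.AccessMask)     # GA etc. are expanded to the numeric mask
            Sid        = $sid.Value
            Account    = $name
        }
    }
}

function Get-AccountSid {
    # 'DOMAIN\PrintAdmins' (or a local group name); no AD module needed
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Constructed sample SDDL: owner BUILTIN\Administrators, full control for Administrators
# (inherited by child objects/containers), read for Everyone
$sample = 'O:BAG:SYD:(A;OICI;GA;;;BA)(A;;GR;;;WD)'
ConvertFrom-PrinterSddl -Sddl $sample | Format-Table -AutoSize

# Get-AccountSid -Account 'BUILTIN\Administrators'   # S-1-5-32-544
```

Running ConvertFrom-PrinterSddl on the real output before and after a manual change is the quickest way to see exactly which ACE the GUI added.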

Let’s go quickly through it:


Nearest Domain Controller without Powershell AD Module

Getting the nearest Domain Controller when the AD module is present is fairly simple; all you need to do is run the following:

But what if you want to achieve the same result on a client/server that doesn’t have the Powershell Active Directory modules installed?
Well, in cmd you can do something like this:

The above will come back with quite a few useless (to our scope) pieces of information (or an error).


So we can run this instead, to just get the “DC”:

So now we have just one line with the Domain Controller (or the error).


Now, let’s try to work with the above command in powershell. What we want to achieve is having a variable ($DC) that will either contain the domain controller name or any other value that we want if there’s an error, for instance we could assign the value $false to it.

The script is pretty crude so that you can modify it as you like; let’s explain what it does. It first tries to run the above command with a slight difference: I added .split(" "), which automatically splits the result into an array of sub-strings. But if the command fails, this Powershell call won’t be able to split anything and will throw an error. This is why we need a Try/Catch.
If the command fails to retrieve a domain controller, then $DC will be $false.
Now, if the .split command works, the script runs through each object of the array of sub-strings and checks whether the sub-string starts with two backslashes: that means we’ve got what we’re looking for!
Finally, $DC gets the name of the domain controller assigned. Note that .replace('\\','') removes the two backslashes and leaves us with just the domain controller’s hostname.
I hope this explains the idea behind it a bit more.
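The logic just described, as an added example that is not the article’s script: nltest runs inside a Try/Catch, only the “DC:” line is kept (as in the cmd version), that line is split on spaces, the token starting with two backslashes is taken and the backslashes stripped; anything else yields $false. The function name and the default domain parameter are assumptions.

```powershell
function Get-NearestDomainController {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumes a domain-joined machine
    try {
        # nltest ships with Windows, so this works without the AD module or RSAT.
        # 2>&1 keeps error text in $lines instead of spilling it to the console.
        $lines = & nltest.exe "/dsgetdc:$Domain" 2>&1
        if ($LASTEXITCODE -ne 0) { return $false }           # e.g. ERROR_NO_SUCH_DOMAIN

        # Same idea as "| find "DC:"" in cmd: keep only the line naming the DC,
        # not "Address: \\10.x.x.x", which also starts with two backslashes
        $dcLine = $lines | Where-Object { "$_" -match '^\s*DC:\s' } | Select-Object -First 1
        if (-not $dcLine) { return $false }

        foreach ($token in "$dcLine".Split(' ')) {
            if ($token.StartsWith('\\')) { return $token.Replace('\\', '') }   # "\\DC01.corp.local" -> "DC01.corp.local"
        }
        return $false
    } catch {
        # nltest missing or not runnable: the split never happens, so report failure
        return $false
    }
}

$DC = Get-NearestDomainController
if ($DC) { "Nearest DC: $DC" } else { "Could not locate a domain controller" }
```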
