Posts Tagged ‘Active Directory’

Edit the Group Policy that applies to your domain controllers.

Server 2003

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy

-> Enable "Audit directory service access"

Server 2008 or Above

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options->Audit: Force audit policy subcategory settings

Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration->Audit Policies->DS Access

Target OU or Whole Domain

Right-click the OU (or the domain) where you want to enable auditing and open its Properties. Under Extensions you will see the Security tab; from there select Advanced and then choose the Auditing tab. If you want to be comprehensive, select the Everyone security principal, set Type to Success and Applies to: This object and all descendant objects. For the permissions, again if you want to be comprehensive, set the following:

  • Write all properties
  • Delete
  • Delete subtree
  • Modify permissions
  • Modify owner
  • All validated writes
  • All extended rights
  • Create all child objects
  • Delete all child objects
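The same auditing entry can be applied with PowerShell instead of clicking through the GUI. The following is an added example, not code from the original post; it assumes the ActiveDirectory module is installed (it provides the AD: drive used here), that the account running it holds the right to modify auditing (SeSecurityPrivilege), and that the OU distinguished name you pass exists. The function names Add-DirectoryChangeAudit and Get-DirectoryAuditEntries and the OU DN in the usage lines are placeholders chosen for this example.

```powershell
# Added example (not from the original post). Adds a Success audit entry for
# Everyone, applying to "This object and all descendant objects", with the
# rights listed above. Assumes the ActiveDirectory module; the OU DN is a
# placeholder you must change.
Import-Module ActiveDirectory -ErrorAction Stop

function Add-DirectoryChangeAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Distinguished name of the OU (or the domain root) to audit,
        # e.g. 'OU=Clients,DC=domain,DC=local' (placeholder).
        [Parameter(Mandatory)] [string] $DistinguishedName
    )
    $path = "AD:\$DistinguishedName"

    # Well-known SID for "Everyone", so the entry does not depend on the display name.
    $everyone = [System.Security.Principal.SecurityIdentifier] 'S-1-1-0'

    # Rights matching the checklist above:
    #   Write all properties -> WriteProperty     Delete -> Delete
    #   Delete subtree       -> DeleteTree        Modify permissions -> WriteDacl
    #   Modify owner         -> WriteOwner        All validated writes -> Self
    #   All extended rights  -> ExtendedRight     Create/Delete all child objects -> CreateChild, DeleteChild
    $rights = [System.DirectoryServices.ActiveDirectoryRights] 'WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner, Self, ExtendedRight, CreateChild, DeleteChild'

    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
        $everyone,
        $rights,
        [System.Security.AccessControl.AuditFlags]::Success,                  # Type: Success
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All    # this object and all descendants
    )

    # -Audit is required so the SACL (not only the DACL) is read and written back.
    $acl = Get-Acl -Path $path -Audit
    $acl.AddAuditRule($rule)
    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Add Success audit entry for Everyone')) {
        Set-Acl -Path $path -AclObject $acl
    }
}

function Get-DirectoryAuditEntries {
    # Lists the SACL entries on an object so you can verify what was applied.
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, IsInherited
}

# Usage (placeholder DN): preview with -WhatIf first, then apply and verify.
# Add-DirectoryChangeAudit -DistinguishedName 'OU=Clients,DC=domain,DC=local' -WhatIf
# Add-DirectoryChangeAudit -DistinguishedName 'OU=Clients,DC=domain,DC=local'
# Get-DirectoryAuditEntries -DistinguishedName 'OU=Clients,DC=domain,DC=local'
```

Run it with -WhatIf first; the SACL entry only produces events once the DS Access audit subcategory from the GPO step above is enabled on the domain controllers, so check Get-DirectoryAuditEntries and the GPO together when events do not appear.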

Open Event Viewer and filter the Security log for the following event IDs (Windows Server 2003 IDs / Windows Server 2008-2012 IDs):
– 631, 635, 648, 653, 658, 663 / 4727, 4731, 4754, 4759, 4744, 4749 – Group created
– 632, 636, 650, 655, 660, 665 / 4728, 4732, 4756, 4761, 4746, 4751 – Member added to a group
– 633, 637, 651, 656, 661, 666 / 4729, 4733, 4757, 4762, 4747, 4752 – Member removed from a group
– 634, 638, 652, 662, 667, 657 / 4730, 4734, 4758, 4748, 4753, 4763 – Group deleted
– 639, 641, 649, 654, 659, 664 / 4735, 4737, 4745, 4750, 4755, 4760 – Group changed
– 566 / 4662 – An operation was performed on an object (OU changes) (Type: Directory Service Access)
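Rather than filtering by hand in Event Viewer, the same IDs can be pulled out of the Security log and flattened into one record per event. This is an added example and not code from the original post; it assumes the Windows Server 2008+ event IDs, the right to read the Security log on the domain controller you query, and uses function names (Get-GroupChangeEvents, ConvertTo-GroupChangeRecord, Get-EventDataField) chosen for this example. The sample 4728 event at the end is constructed so the parsing can be checked without a DC.

```powershell
# Added example (not from the original post): query the group-management and
# directory-object events listed above and flatten each into one record.
# Assumes Windows Server 2008+ event IDs; run on a DC or pass -ComputerName.

# Categories and their 2008+ event IDs, copied from the list above.
$GroupEventCategories = [ordered]@{
    'Group created'               = @(4727, 4731, 4754, 4759, 4744, 4749)
    'Member added to a group'     = @(4728, 4732, 4756, 4761, 4746, 4751)
    'Member removed from a group' = @(4729, 4733, 4757, 4762, 4747, 4752)
    'Group deleted'               = @(4730, 4734, 4758, 4748, 4753, 4763)
    'Group changed'               = @(4735, 4737, 4745, 4750, 4755, 4760)
    'Operation performed on an object (directory service access)' = @(4662)
}
# Reverse map: event ID -> category name.
$GroupEventMap = @{}
foreach ($entry in $GroupEventCategories.GetEnumerator()) {
    foreach ($id in $entry.Value) { $GroupEventMap[$id] = $entry.Key }
}

function Get-EventDataField {
    # Returns the text of <Data Name="$Name"> from an event's XML, or $null if absent.
    param([xml] $EventXml, [string] $Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return $node.'#text' }
    return $null
}

function ConvertTo-GroupChangeRecord {
    # Flattens one Security event (as XML) into the fields an analyst wants to see.
    param([xml] $EventXml)
    $idNode = $EventXml.Event.System.EventID
    # EventID is a plain string when the element has no attributes, an object otherwise.
    $id = if ($idNode -is [string]) { [int] $idNode } else { [int] $idNode.'#text' }
    $category = if ($GroupEventMap.ContainsKey($id)) { $GroupEventMap[$id] } else { 'Other' }
    [pscustomobject]@{
        Time       = [datetime] $EventXml.Event.System.TimeCreated.SystemTime
        Computer   = $EventXml.Event.System.Computer
        EventId    = $id
        Category   = $category
        Actor      = Get-EventDataField $EventXml 'SubjectUserName'   # who made the change
        Group      = Get-EventDataField $EventXml 'TargetUserName'    # the group (group events)
        Member     = Get-EventDataField $EventXml 'MemberName'        # DN of the member added/removed
        Object     = Get-EventDataField $EventXml 'ObjectName'        # DN of the object (4662)
        AccessMask = Get-EventDataField $EventXml 'AccessMask'        # what was done to it (4662)
    }
}

function Get-GroupChangeEvents {
    # Queries the Security log for every category above over the last $Days days.
    # One query per category keeps each filter's ID list short. 4662 is very noisy,
    # so narrow the window or raise -MaxEvents when you rely on it.
    param([int] $Days = 7, [string] $ComputerName = $env:COMPUTERNAME, [int] $MaxEvents = 1000)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($entry in $GroupEventCategories.GetEnumerator()) {
        $filter = @{ LogName = 'Security'; Id = $entry.Value; StartTime = $since }
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertTo-GroupChangeRecord ([xml] $_.ToXml()) }
    }
}

# Constructed sample event (a 4728, member added to a global security group) so the
# parsing can be checked without a DC. Names, SIDs and the timestamp are made up.
$sampleEventXml = [xml] @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4728</EventID>
    <TimeCreated SystemTime="2024-01-15T10:22:31.000Z" />
    <Channel>Security</Channel>
    <Computer>DC01.domain.local</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN=Jane Doe,OU=Staff,DC=domain,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="SubjectUserName">helpdesk.bob</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
  </EventData>
</Event>
'@

ConvertTo-GroupChangeRecord $sampleEventXml | Format-List
# Live query (needs a DC):  Get-GroupChangeEvents -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

The sample prints Category "Member added to a group", Actor helpdesk.bob, Group "Domain Admins" and the member's DN; a membership change to a privileged group made by an unexpected Actor is the line worth alerting on.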


When trying to log into a machine on another domain which has a one-way Active Directory domain trust, the following error was displayed on login:

“The security database on the server does not have a computer account for this workstation trust relationship”

Checking the incoming and outgoing link properties in Active Directory showed that the incoming trust existed but the outgoing one was not present. I had to delete the incoming trust, save the password, then recreate the outgoing trust on the returning domain. The returning domain also did not have a conditional forwarder set up for the other domain, which needs to be added in DNS and pointed at an Active Directory server at the other end (which must be routable).


Recently had a problem where DNS entries for a server kept disappearing from Active Directory. We set the records manually, and after multiple runs of ipconfig /registerdns the entry still would not hold in Active Directory.

We removed the device from the domain and rejoined it, still to no avail (to check that the domain trust was not the problem).

In the end we had to set the DNS entry statically on some of the servers until we found out what was causing it to be removed.

Turns out someone had configured the RAS server to assign DHCP addresses from the same range where static addresses were assigned. This wouldn't have caused an IP conflict due to clever RAS routing, however it would have caused the DNS issue we saw randomly (whenever someone logged into RAS and was assigned an address from that range!).


I was trying to get a list of active computers on our network. A dsquery can give me a list of all computers, and I tried to get an inactive list for 4 weeks and subtract the value; however the inactive list was not that accurate.

Instead I wanted to query the PwdLastSet to

I found a few scripts online but they moved the computer accounts to OUs, and I just needed this for auditing purposes. So I edited the tracked-back script.

Save the script as script.ps1 then run it with .\script -OlderThan 30

param(
    # Count computers whose password was last set more than this many days ago.
    [int] $OlderThan = 20
)
try {
    Import-Module ActiveDirectory -ErrorAction Stop -Verbose:$false
} catch {
    Write-Error "Active Directory module failed to import. Terminating the script. More details : $_"
    return
}
try {
    # Get domain name
    $DomainDN = (Get-ADDomain -ErrorAction Stop).DistinguishedName
    # Get computers in domain
    $Computers = Get-ADComputer -Filter * -Properties PasswordLastSet -SearchBase $DomainDN -ErrorAction Stop
} catch {
    Write-Error "Failed to query Active Directory for computers. Exiting the script. More details : $_"
    return
}
$now = Get-Date
$agedate = $now.AddDays(-$OlderThan)
$computernumber = 0
foreach ($Computer in $Computers) {
    $ComputerName = $Computer.Name
    $Computerpwdsetdate = $Computer.PasswordLastSet
    # A computer that has not rotated its password since $agedate is treated as stale.
    if ($Computerpwdsetdate -lt $agedate) {
        #Write-Host "Expired $ComputerName"
        $computernumber = $computernumber + 1
    }
}
Write-Host "Total = $computernumber"



SolarWinds make a free GUI tool for this.

More AD Cleanup Tools

You can run these commands in a command prompt on any DC or PC with the Active Directory tools installed.

Time period = weeks, so for example let's work with 6.

How to find the CN or OU path

Open Active Directory Users and Computers, click on View and then Advanced Features.

Find the OU you need to reference, click on Properties, go to the Attribute Editor tab and copy the distinguishedName.


Computer Accounts

Find old disabled or enabled computer accounts across the whole domain that have been inactive for more than 6 weeks:

dsquery computer -inactive 6 -limit 0

PowerShell: find only enabled computers inactive for 3 months:

Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan "90" | ?{$_.Enabled -eq $True}

Find computer accounts inactive for more than 6 weeks and disable them:

dsquery computer -inactive 6 -limit 0 | dsmod computer -disabled yes

Find old computers in a container (CN), e.g. the default Computers container (add -scope onelevel to stop it going further than the current folder):

dsquery computer "CN=Computers,DC=domain,DC=local" -inactive 6 -limit 0 -scope onelevel

Find old computers in an Organizational Unit (OU) (add -scope onelevel to stop it going further than the current folder):

dsquery computer "OU=Clients,DC=domain,DC=local" -inactive 6 -limit 0 -scope onelevel

Query THEN DELETE computer objects which have been inactive for 8 weeks in a specific OU and whose name starts with PCNAME:

dsquery computer "OU=Computers,OU=OUNAME,DC=domain,DC=local" -inactive 8 -name PCNAME* | dsrm -noprompt

User Accounts

Find old disabled or enabled user accounts across the whole domain that have been inactive for more than 6 weeks:

dsquery user domainroot -name * -inactive 6

PowerShell: find only enabled users inactive for 3 months:

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan "90" | ?{$_.Enabled -eq $True}

Exchange active user accounts (mailboxes logged into in the last 60 days):

(Get-MailboxStatistics -Server <exchangeservername> | where {$_.LastLogonTime -gt ((get-date).AddDays(-60))}).count

Find old user accounts across the whole domain inactive for more than 6 weeks and disable them:

dsquery user domainroot -name * -inactive 6 | dsmod user -disabled yes


Users who have logged on in the last 30 days (or have never set a password), excluding service, admin and shared-mailbox style accounts by name:

Get-ADUser -Filter * -Properties passwordLastSet,whenCreated,lastLogonDate,Enabled,PasswordNeverExpires | Where { ($_.passwordLastSet -eq $null -or $_.lastLogonDate -gt (Get-Date).AddDays(-30)) -and ($_.Name -notlike "*svc*" -and $_.Name -notlike "*Admin*" -and $_.Name -notlike "*test*" -and $_.Name -notlike "*huonit*" -and $_.Name -notlike "*Room*" -and $_.Name -notlike "*Mailbox*" -and $_.Name -notlike "*Exchange*" -and $_.Name -notlike "*Service*" -and $_.Name -notlike "*Helpdesk*") } | Select Name
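The dsquery and Search-ADAccount one-liners above can be wrapped into one reusable function that reports on, and optionally disables, stale accounts in a single OU, with a -WhatIf dry run before anything is changed. This is an added example, not code from the original post; it assumes the ActiveDirectory module, and the OU distinguished name, the exclusion patterns and the function name Invoke-StaleAccountCleanup are placeholders chosen for this example. It goes a little beyond the page by handling both computers and users through one -ObjectType switch. One caveat worth knowing: both dsquery -inactive and Search-ADAccount -AccountInactive rely on the replicated lastLogonTimestamp attribute, which is only refreshed when the stored value is more than 9-14 days old, so treat any cut-off as approximate and review the CSV before disabling.

```powershell
# Added example (not from the original post): report on, and optionally disable,
# accounts inactive for N weeks under one OU. Assumes the ActiveDirectory module;
# the OU DN and exclusion patterns are placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

function Invoke-StaleAccountCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,                    # e.g. 'OU=Clients,DC=domain,DC=local'
        [ValidateSet('Computer', 'User')] [string] $ObjectType = 'Computer',
        [int] $Weeks = 6,                                               # same unit as dsquery -inactive
        [string[]] $ExcludeName = @('*svc*', '*Admin*', '*test*'),      # wildcard patterns to skip
        [string] $ReportPath,                                           # optional CSV output
        [switch] $Disable                                               # actually disable (honours -WhatIf)
    )
    $span = [timespan]::FromDays(7 * $Weeks)
    $params = @{ AccountInactive = $true; TimeSpan = $span; SearchBase = $SearchBase; SearchScope = 'Subtree' }
    if ($ObjectType -eq 'Computer') { $params.ComputersOnly = $true } else { $params.UsersOnly = $true }

    # Only enabled accounts matter here; dsquery -inactive also returns already-disabled ones.
    $stale = Search-ADAccount @params | Where-Object { $_.Enabled }

    # Drop anything matching an exclusion pattern (service accounts, admins, test accounts, ...).
    $stale = $stale | Where-Object {
        $name = $_.Name
        -not ($ExcludeName | Where-Object { $name -like $_ })
    }

    $report = $stale | Select-Object Name, SamAccountName, LastLogonDate, DistinguishedName
    if ($ReportPath -and $report) { $report | Export-Csv -Path $ReportPath -NoTypeInformation }

    if ($Disable) {
        foreach ($acct in $stale) {
            if ($PSCmdlet.ShouldProcess($acct.DistinguishedName, "Disable inactive $ObjectType")) {
                Disable-ADAccount -Identity $acct.DistinguishedName
                # Record why and when it was disabled so it can be reviewed before deletion.
                Set-ADObject -Identity $acct.DistinguishedName -Description "Disabled by stale-account cleanup on $(Get-Date -Format yyyy-MM-dd)"
            }
        }
    }
    return $report
}

# Usage (placeholder OU): report first, then dry-run the disable, then do it for real.
# Invoke-StaleAccountCleanup -SearchBase 'OU=Clients,DC=domain,DC=local' -Weeks 6 -ReportPath .\stale-computers.csv
# Invoke-StaleAccountCleanup -SearchBase 'OU=Clients,DC=domain,DC=local' -Weeks 6 -Disable -WhatIf
# Invoke-StaleAccountCleanup -SearchBase 'OU=Staff,DC=domain,DC=local' -ObjectType User -Weeks 6 -Disable
```

Disabling rather than deleting, and stamping the description, keeps the objects recoverable for the review period before a later dsrm pass removes them.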

