
Tag Archives: active directory

Performing an Offline Domain Join

Sometimes it is necessary to perform an offline domain join of a computer, usually a remote machine with no immediate access to the domain network. You can use DJOIN to perform an offline domain join and have the machine apply group policies that would normally only be applied whilst connected to the network.

First prepare the offline domain join request by logging on to a domain-joined machine and opening a command prompt. The request is created by stating the computer name to join and any policy names (GPOs) you want applied immediately.

Example Direct Access

On the domain-joined machine enter the following command to prepare the offline domain join (multiple policy names are separated by semicolons):

djoin.exe /provision /domain <domain.local> /machine <machinenametojoin> /savefile c:\<machinename>.txt /POLICYNAMES "Direct Access Settings;User Restrictions GPO"

The policy names are the display names of the GPOs you want to apply. Copy the file it creates to the root of C:\ on the remote workstation. The file contains the new computer account's password and other sensitive data, so move it over a trusted channel and delete it once the join has completed.

Open an elevated command prompt on the remote workstation and issue this command:

djoin.exe /requestODJ /loadfile c:\<machinename>.txt /windowspath %systemroot% /localos

Restart the machine and it will be domain joined with the policies applied.
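The same two djoin steps wrapped in PowerShell with exit-code checking, file permissions on the provisioning blob and clean-up afterwards. This is an added example, not code from the original post; the domain corp.local, the machine name WS-REMOTE01, the GPO names and the path C:\WS-REMOTE01.txt are assumptions.

```powershell
# Added example (not from the original post). Assumed names: corp.local, WS-REMOTE01,
# the two GPO display names and the blob path C:\WS-REMOTE01.txt.

# --- Step 1: run on a domain-joined machine as a user allowed to create computer objects ---
$domain   = 'corp.local'
$machine  = 'WS-REMOTE01'
$blob     = "C:\$machine.txt"
$policies = 'Direct Access Settings;User Restrictions GPO'   # semicolon-separated GPO display names

& djoin.exe /provision /domain $domain /machine $machine /savefile $blob /policynames $policies
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The blob carries the machine account password: restrict it to the provisioning user while it sits on disk.
& icacls.exe $blob /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null

# --- Step 2: run on the remote workstation in an elevated prompt after copying the blob to C:\ ---
& djoin.exe /requestODJ /loadfile $blob /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }

# The blob is of no further use once the join is applied; do not leave it behind on the workstation.
Remove-Item -LiteralPath $blob -Force
Restart-Computer -Confirm
```

The two halves run on different machines; the comments mark where each belongs. Checking $LASTEXITCODE matters because djoin prints an error and continues the script otherwise, and a failed provision leaves no blob for step 2.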

Resetting Office 365 Password using Powershell

To reset an Office 365 user's password you need the Windows Azure Active Directory Module (MSOnline) installed: http://msdn.microsoft.com/en-us/library/azure/jj151815.aspx. Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell; the cmdlets below are shown as they worked at the time of writing.

Open the console and enter

Connect-MsolService

Press Enter, then enter your Office 365 admin account username and password in the logon box.

Then issue this command:

Set-MsolUserPassword -UserPrincipalName cphillip@domain.com -NewPassword London1234 -ForceChangePassword $false

Note that the new password is typed in clear text and lands in the console history and any transcript. Prefer a randomly generated value, and leave -ForceChangePassword at its default of $true unless you have a reason not to, so the user replaces a password the administrator knows at their next sign-in.

Resetting User’s Password in Active Directory Using Powershell

This command and script were put together for convenience, simplicity and speed during a recent job.


Set-ADAccountPassword <username> -Reset -NewPassword (ConvertTo-SecureString -AsPlainText <password> -Force)

And to prevent the user from changing the password, or from being prompted to change it at logon:

Set-AdUser -Identity <username> -CannotChangePassword:$true -ChangePasswordAtLogon:$false

Use that combination only for service or shared accounts. For an ordinary user it stops them rotating a password the administrator knows; the usual choice after a reset is -CannotChangePassword:$false -ChangePasswordAtLogon:$true so the temporary password is replaced at first logon.
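A reset function that avoids putting the password on the command line at all: it draws a random value from the system CSPRNG, resets the account, forces a change at next logon and unlocks the account. This is an added example, not code from the original post; the sAMAccountName jbloggs and the password length of 20 are assumptions.

```powershell
# Added example (not from the original post). Assumed sAMAccountName: jbloggs.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 20)
    # Draw from the system CSPRNG rather than Get-Random, which is not cryptographically strong.
    # Ambiguous characters (0/O, 1/l/I) are left out because the value is read to the user.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # Modulo over a 64-symbol alphabet from a 256-value byte is exact, so no selection bias.
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Reset-UserPassword {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # The user replaces the temporary password at first logon, so nobody else keeps a usable credential.
    Set-ADUser -Identity $SamAccountName -CannotChangePassword $false -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $SamAccountName
    return $plain   # hand this to the user out of band; do not write it to a log or ticket
}

$temp = Reset-UserPassword -SamAccountName 'jbloggs'
Write-Host "Temporary password for jbloggs has been set; deliver it over a trusted channel."
```

The alphabet has exactly 64 symbols so that taking each random byte modulo its length does not skew the distribution. ChangePasswordAtLogon cannot be combined with PasswordNeverExpires; clear that flag first if it is set on the account.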

Adding Pictures to Active Directory

I came across this challenge when installing Lync 2013 where a customer did not have Exchange 2013 and was therefore unable to use HD pictures in Lync. Prior to Exchange 2013 the only way to import pictures is to store the image in Active Directory. Storing images in AD has specific requirements: the format must be .jpg or .gif and the image must be kept small (48×48 pixels was used here; Microsoft's guidance for the thumbnailPhoto attribute is no more than 96×96 pixels and well under 100 KB). There is a handy image resizer tool that someone has made compatible with Windows 7 (it works for Windows 8 too): https://imageresizer.codeplex.com/releases/view/30247. To achieve my goal I created a CSV file with the column headers ADUserName and Picture. In the ADUserName column add the sAMAccountName of the user, and in the Picture column add the full path of the picture you want to use, e.g. c:\pictures\user.one.jpg

The rest is done by PowerShell

#change parameters here
$Log  = New-Item -ItemType File -Path "C:\ADPictureLog.txt" -Force
$File = "C:\ADPictures.csv"

Import-Module ActiveDirectory

#Import csv
$Usercsv = Import-Csv -Path $File -Delimiter ','

#Check if user file is empty.
if ($null -eq $Usercsv) {
    Write-Host "No Users Found in Input File"
    exit 1
}

$count = ($Usercsv | Measure-Object).Count
Write-Host "Found $count Users to import."
Write-Host "Processing Users.....`n"
$index = 1

ForEach ($User in $Usercsv) {
    Write-Host "Processing User $index of $count"
    $ADUserName  = $User.ADUserName
    $UserPicture = $User.Picture

    #Get-ADUser -Identity throws for an unknown user; SilentlyContinue turns that into $null
    $CheckAD = Get-ADUser -Identity $ADUserName -ErrorAction SilentlyContinue
    if ($null -eq $CheckAD) {
        Write-Host "User $ADUserName is not found in AD. Double check spelling, etc." -ForegroundColor Red
        Add-Content -Path $Log -Value "$ADUserName is not found in AD. Double check spelling, etc."
    }
    elseif (-not (Test-Path -LiteralPath $UserPicture)) {
        Write-Host "Picture $UserPicture for $ADUserName was not found." -ForegroundColor Red
        Add-Content -Path $Log -Value "$ADUserName skipped: picture $UserPicture not found"
    }
    else {
        #import photograph as a byte array (works in both Windows PowerShell and PowerShell 7)
        $Photo = [System.IO.File]::ReadAllBytes($UserPicture)
        if ($Photo.Length -gt 100KB) {
            Write-Host "Picture $UserPicture is larger than 100 KB; resize it first." -ForegroundColor Red
            Add-Content -Path $Log -Value "$ADUserName skipped: picture $UserPicture is larger than 100 KB"
        }
        else {
            Set-ADUser -Identity $CheckAD -Replace @{thumbnailPhoto = $Photo}
            Write-Host "User: $ADUserName Photo has been updated with $UserPicture Ok"
            Add-Content -Path $Log -Value "$ADUserName has been updated with a photograph $UserPicture"
        }
    }
    $index++
}

Write-Host "Picture Updates have been Completed"
Add-Content -Path $Log -Value "End of Log"

Emailing Users when Password is about to Expire

I had a request from a customer recently asking whether it was possible to email users before their Active Directory passwords expire, as expiry was causing issues for remote users.

I created a PowerShell script which I added as a scheduled task on one domain controller, running once a day. The script queries AD for the date each user last set their password and compares it against the password policy's maximum age. Once the expiry date falls within a specified window, such as 5 days, the user is emailed once per day until the password is changed. Please note that you will need an Exchange server or mail server that will accept unauthenticated email from the DC you run this script on. Scope that relay permission to the DC's IP address rather than opening the relay to the whole network, or use the -Credential parameter of Send-MailMessage with a dedicated mailbox instead.
$from         = "passwordreminder@domain.local"
$smtpServer   = "mail.domain.local"   # relay that accepts mail from this DC
$expireindays = 5

#Get Users From AD who are enabled, have an expiring password and an email address
Import-Module ActiveDirectory
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } -Properties PasswordLastSet, PasswordExpired, EmailAddress |
    Where-Object { -not $_.PasswordExpired -and $_.EmailAddress }

$defaultMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$today = Get-Date

foreach ($user in $users) {
    $name            = $user.Name
    $emailaddress    = $user.EmailAddress
    $passwordSetDate = $user.PasswordLastSet
    if ($null -eq $passwordSetDate) { continue }   # "must change at next logon": nothing to warn about

    #honour a fine-grained password policy if one applies to this user, otherwise use the domain default
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $user
    $maxPasswordAge = if ($fgpp) { $fgpp.MaxPasswordAge } else { $defaultMaxAge }
    if ($maxPasswordAge -eq [TimeSpan]::Zero) { continue }   # policy says passwords never expire

    $expireson    = $passwordSetDate + $maxPasswordAge
    $daystoexpire = (New-TimeSpan -Start $today -End $expireson).Days
    $subject = "Your password will expire in $daystoexpire days"
    $body = @"
Dear $name,
<p> Your Password will expire in $daystoexpire days.<br>
To change your password, log on to the internal network on a PC / Laptop, press CTRL ALT Delete and choose Change Password <br>
<p>Thanks, <br>
"@

    if ($daystoexpire -ge 0 -and $daystoexpire -lt $expireindays) {
        Send-MailMessage -SmtpServer $smtpServer -From $from -To $emailaddress -Subject $subject -Body $body -BodyAsHtml -Priority High
    }
}


Precreate 2012 R2 RODC computer object in Active Directory

To pre-create a read-only domain controller (RODC) account in Active Directory using PowerShell, perform the following steps:

  1. Create a domain user account called RODCAdmin and set its password. This account becomes the RODC's delegated administrator; it does not need to be a Domain Admin.
  2. Create a security group called Allowed Prepopulating and add the users and computers whose credentials may be cached on the RODC. Keep this to the accounts that actually authenticate at that site: adding Domain Users and Domain Computers lets the RODC cache every ordinary credential in the domain, and anything cached is exposed if the RODC is stolen. Privileged accounts stay in the built-in Denied RODC Password Replication Group, and a deny entry always wins over an allow entry.
  3. Run the following PowerShell command
    Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName <RODC Computer> -DomainName <FQDN> -SiteName <AD Site Name> -AllowPasswordReplicationAccountName "<domain>\Allowed Prepopulating" -DelegatedAdministratorAccountName "<domain>\RODCAdmin" -InstallDns -NoGlobalCatalog -ReplicationSourceDC <Writeable Domain Controller FQDN>
  4. Once the account is created, do not join the machine you want to be the RODC to the domain. Instead install the AD Domain Services role on it and promote it to a domain controller using the existing account; the site, DNS and global catalog settings are then read from the pre-created account in AD.

To pre-populate user passwords on an RODC take a look at this script available from the TechNet gallery: http://gallery.technet.microsoft.com/scriptcenter/Prepopulate-a-batch-of-34e6d0dc
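The four steps above, followed by password pre-population with Sync-ADObject, as one PowerShell script. This is an added example, not the original post's commands or the TechNet gallery script; the domain corp.local (NetBIOS name CORP), site London, RODC name LON-RODC01, hub DC DC01.corp.local and the OU "OU=London Users,DC=corp,DC=local" are assumptions.

```powershell
# Added example (not from the original post). Assumed names: corp.local / CORP, site London,
# LON-RODC01, DC01.corp.local, OU=London Users,DC=corp,DC=local.
# Run steps 1-3 and the pre-population on a writeable DC as a Domain Admin.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$domain   = 'corp.local'
$netbios  = 'CORP'
$rodcName = 'LON-RODC01'
$site     = 'London'
$hubDC    = 'DC01.corp.local'
$prpGroup = 'Allowed Prepopulating'
$admin    = 'RODCAdmin'

# Step 1: delegated administrator, an ordinary user account rather than a Domain Admin
New-ADUser -Name $admin -SamAccountName $admin -Enabled $true `
    -AccountPassword (Read-Host "Password for $admin" -AsSecureString)

# Step 2: allowed PRP group scoped to the site's users, not Domain Users
New-ADGroup -Name $prpGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $prpGroup -Members (Get-ADUser -Filter * -SearchBase 'OU=London Users,DC=corp,DC=local')

# Step 3: pre-create the RODC account; privileged groups remain in the built-in denied list
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName $rodcName -DomainName $domain -SiteName $site `
    -AllowPasswordReplicationAccountName "$netbios\$prpGroup" -DelegatedAdministratorAccountName "$netbios\$admin" `
    -InstallDns -NoGlobalCatalog -ReplicationSourceDC $hubDC

# Step 4: run these two lines on the workgroup server that will become the RODC, as RODCAdmin.
# -UseExistingAccount makes the promotion pick up the site, DNS and GC settings from AD.
#   Install-WindowsFeature AD-Domain-Services
#   Install-ADDSDomainController -DomainName $domain -UseExistingAccount -Credential (Get-Credential "$netbios\$admin") `
#       -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString)

# Pre-populate cached passwords so the site still authenticates when the WAN link is down.
# Only accounts permitted by the PRP succeed; anything on the denied list is refused.
Get-ADGroupMember -Identity $prpGroup | ForEach-Object {
    Sync-ADObject -Object $_.DistinguishedName -Source $hubDC -Destination "$rodcName.$domain" -PasswordOnly
}
```

Step 4 is commented because it runs on a different machine; the rest runs as written on the hub DC. Get-ADGroupMember returns direct members only, so nested groups need Get-ADGroupMember -Recursive if you use them.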

Performing an Authoritative Synchronisation of SYSVOL using DFSR

I came across a scenario the other week where a newly promoted 2012 R2 domain controller would not complete its initial SYSVOL replication and so was failing to advertise properly as an available authentication server. The only way I was able to resolve this was to perform an authoritative synchronisation of the SYSVOL folder using the PDC emulator as the master.

To perform this, follow the steps below. Install the DFS Management Tools (the RSAT-DFS-Mgmt-Con feature) on each domain controller so that dfsrdiag.exe is available; the DFS Replication service itself is already present on every DC that uses DFSR for SYSVOL. An authoritative sync makes the PDC's copy of SYSVOL the winner and discards divergent changes held on the other DCs, so back up SYSVOL on the PDC first and confirm it is the copy you want. Stop the DFS Replication service on all domain controllers before you begin.

  1. Open ADSI Edit on the PDC and connect to the default naming context.
  2. Navigate to CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>,DC=<local>
  3. Modify the attribute msDFSR-Enabled=FALSE
  4. Modify the attribute msDFSR-options=1
  5. Force AD replication throughout the domain. You can do this by running repadmin /replicate <other dc fqdn> <pdc fqdn> "DC=domain,DC=local" /full /force for each other domain controller
  6. Next modify the attribute msDFSR-Enabled=FALSE on the equivalent object for each of the other domain controllers and repeat step 5
  7. Start the DFS Replication service on the PDC; with msDFSR-options=1 it starts as the authoritative member
  8. Look for Event ID 4114 in the DFS Replication event log (the SYSVOL replicated folder has been disabled)
  9. Modify the attribute msDFSR-Enabled=TRUE on the PDC
  10. Repeat step 5
  11. Run DFSRDIAG POLLAD from the PDC
  12. Look for Event ID 4602 to indicate SYSVOL has been initialised
  13. Start the DFS Replication service on all other domain controllers and you should see Event ID 4114 in each event log
  14. Modify the attribute msDFSR-Enabled=TRUE on all other domain controllers
  15. Repeat step 5
  16. Run DFSRDIAG POLLAD on all other domain controllers
  17. SYSVOL should now replicate between all domain controllers that had this issue; Event IDs 4614 and then 4604 on each of the other DCs confirm that their SYSVOL has been initialised from the PDC

To force a SYSVOL replication you can use the DFSR command-line tool from the PDC:

DFSRDIAG SyncNow /Partner:<other dc fqdn> /RGName:"Domain System Volume" /Time:5
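The same procedure driven from the ActiveDirectory module rather than ADSI Edit, with the event-log checks at each stage so the script does not move on before DFSR has reached the expected state. This is an added example, not the original post's steps; it assumes it is run on the PDC emulator as a Domain Admin under Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7), with the DFS Management Tools installed and every DC reachable by host name. The ten-minute event timeout is an assumption.

```powershell
# Added example (not from the original post). Assumes: run on the PDC emulator as a Domain Admin,
# Windows PowerShell 5.1, dfsrdiag.exe installed, all DCs reachable by host name.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$others = @((Get-ADDomainController -Filter *).HostName | Where-Object { $_ -ne $pdc })

function Get-SysvolSubscriptionDN([string]$dcHostName) {
    $cn = ($dcHostName -split '\.')[0]
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$cn,OU=Domain Controllers,$($domain.DistinguishedName)"
}

function Set-SysvolDfsr([string]$dc, [bool]$Enabled, [int]$Options) {
    # msDFSR-Enabled is a boolean, msDFSR-Options an integer; 1 marks the authoritative member
    $attrs = @{ 'msDFSR-Enabled' = $Enabled }
    if ($PSBoundParameters.ContainsKey('Options')) { $attrs['msDFSR-Options'] = $Options }
    Set-ADObject -Identity (Get-SysvolSubscriptionDN $dc) -Replace $attrs -Server $pdc
}

function Invoke-ForceReplication {
    # step 5 of the procedure: pull the PDC's copy of the domain partition to every other DC
    foreach ($dc in $others) { & repadmin.exe /replicate $dc $pdc $domain.DistinguishedName /full /force | Out-Null }
}

function Wait-DfsrEvent([string]$dc, [int]$EventId, [int]$TimeoutMinutes = 10) {
    $since    = (Get-Date).AddMinutes(-1)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $hit = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'DFS Replication'; Id = $EventId; StartTime = $since }
        if ($hit) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFS Replication event $EventId on $dc"
}

# Steps 1-6: stop DFSR everywhere, disable SYSVOL replication, mark the PDC authoritative, replicate the change
foreach ($dc in (@($pdc) + $others)) { Get-Service -ComputerName $dc -Name DFSR | Stop-Service }
Set-SysvolDfsr -dc $pdc -Enabled $false -Options 1
foreach ($dc in $others) { Set-SysvolDfsr -dc $dc -Enabled $false }
Invoke-ForceReplication

# Steps 7-12: bring the PDC up as the authoritative member
Get-Service -ComputerName $pdc -Name DFSR | Start-Service
Wait-DfsrEvent -dc $pdc -EventId 4114
Set-SysvolDfsr -dc $pdc -Enabled $true
Invoke-ForceReplication
& dfsrdiag.exe pollad /member:$pdc | Out-Null
Wait-DfsrEvent -dc $pdc -EventId 4602

# Steps 13-17: re-enable the other DCs, which now take SYSVOL from the PDC
foreach ($dc in $others) {
    Get-Service -ComputerName $dc -Name DFSR | Start-Service
    Wait-DfsrEvent -dc $dc -EventId 4114
    Set-SysvolDfsr -dc $dc -Enabled $true
}
Invoke-ForceReplication
foreach ($dc in $others) {
    & dfsrdiag.exe pollad /member:$dc | Out-Null
    Wait-DfsrEvent -dc $dc -EventId 4604
}
```

Every attribute write goes through -Server $pdc so the changes originate on one DC and the repadmin calls then carry them outwards, mirroring what the manual ADSI Edit steps do. The waits on 4114, 4602 and 4604 are what make the script safe to leave running: if a DC never reaches the expected state the script stops with the DC name and event ID rather than re-enabling replication on a member that has not yet seen the change.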
