Tag Archives: user management

Copy users from one Active Directory to another (no trust/ADMT)

I had a scenario whereby a customer wanted to migrate from SBS2003 to Server 2012 and Exchange 2013 in one hop. There were not enough resources to install an Exchange 2010 migration server to move mailboxes over EWS, and due to SBS constraints we cannot use ADMT to migrate, as domain trusts cannot be made between SBS and any other domain. The solution we opted for was to build a new domain with Exchange 2013 installed and then migrate the users over using a mixture of export scripts from the SBS domain and PST files for their email.

As we were migrating to an independent domain, we don’t really need to worry about SID History, as we are not accessing resources in the old domain after migration. What we do need to worry about is the X500 address of the user. I have another blog post about the importance of this attribute when moving between Exchange servers on different domains.

First I exported all the users from the old domain using CSVDE, because AD PowerShell was not available on SBS2003:

CSVDE -f c:\users.csv -d "OU=users,OU=SBS Company,DC=domain,DC=local" -r "(objectClass=user)"

This produced the required CSV with all the attributes we need and more!

I then copied this file to the new domain and created a PowerShell script to read through these users, enable their mailboxes (if required) and add them to the security groups they were members of in the old domain, creating those groups where necessary. To achieve this, the script reads the memberOf field of the user and splits the groups into an array. It then checks whether each group exists in the new domain. If it does, the script adds the user to the group. If it doesn’t, the script creates the group and adds the user to it. There is a limitation in using the script this way: it does not discriminate between distribution and security groups. What I mean is that when it creates a group, it will be a security group regardless of whether the group was a distribution group in the old domain. But it was OK for me to do it this way.
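The memberOf handling described above can be sketched as follows. This is an added example, not the author's migrateusers script: the sample rows are constructed, the function names and the target OU are assumptions, and only Invoke-MembershipPlan needs the ActiveDirectory module.

```powershell
# Constructed sample of a CSVDE export; CSVDE joins multi-valued attributes with ';'.
$rows = @'
DN,sAMAccountName,memberOf
"CN=Jane Doe,OU=users,OU=SBS Company,DC=domain,DC=local",jdoe,"CN=Sales,OU=users,OU=SBS Company,DC=domain,DC=local;CN=Smith\, Team,OU=users,OU=SBS Company,DC=domain,DC=local"
"CN=Sam Roe,OU=users,OU=SBS Company,DC=domain,DC=local",sroe,
'@ | ConvertFrom-Csv

function Get-GroupNameFromDN {
    param([string]$DistinguishedName)
    # The RDN ends at the first comma that is not escaped with a backslash.
    $rdn = ($DistinguishedName -split '(?<!\\),', 2)[0]
    if ($rdn -notmatch '^CN=(.+)$') { return $null }
    # Undo DN escaping such as "\," to recover the plain group name.
    return ($Matches[1] -replace '\\(.)', '$1')
}

function Get-MembershipPlan {
    param([object[]]$Rows)
    foreach ($row in $Rows) {
        if ([string]::IsNullOrWhiteSpace($row.memberOf)) { continue }   # user had no groups
        foreach ($dn in ($row.memberOf -split '(?<!\\);')) {
            $group = Get-GroupNameFromDN $dn.Trim()
            if ($group) { [pscustomobject]@{ User = $row.sAMAccountName; Group = $group } }
        }
    }
}

function Invoke-MembershipPlan {
    # Requires the ActiveDirectory module; run in the new domain after the users exist.
    param([object[]]$Plan, [string]$GroupOU)
    foreach ($item in $Plan) {
        $groupName = $item.Group
        $adGroup = Get-ADGroup -Filter { Name -eq $groupName }
        if (-not $adGroup) {
            # Created as a security group, the same limitation the post describes.
            $sam = $groupName -replace '["/\\\[\]:;|=,+*?<>]', ''   # characters not allowed in sAMAccountName
            $new = @{ Name = $groupName; SamAccountName = $sam; GroupScope = 'Global'; GroupCategory = 'Security'; Path = $GroupOU }
            $adGroup = New-ADGroup @new -PassThru
        }
        Add-ADGroupMember -Identity $adGroup -Members $item.User
    }
}

$plan = Get-MembershipPlan -Rows $rows
$plan | Format-Table -AutoSize
# Invoke-MembershipPlan -Plan $plan -GroupOU 'OU=Groups,DC=newdomain,DC=local'   # hypothetical OU
```

Because every missing group is created with -GroupCategory Security, review the groups the import created before using any of them in an ACL; telling the two kinds apart would need a separate export of the groups with their groupType attribute.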

The script lets you specify the destination OUs for the users and groups, and choose whether or not to enable a mailbox. If you choose to enable a mailbox, you must supply the PowerShell URL of the Exchange server, e.g. http://exchangeserver.domain.com/powershell

Log files are written to the C:\ADMigration folder, which will be created. During the user import, a random password is generated for each user. These passwords are stored in a file called userpasswords.txt in the C:\ADMigration folder.
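One way to handle the generated passwords more defensively, as an added example that is not taken from the author's migrateusers script: the function names, the 16-character length and the alphabet are assumptions, Initialize-MigrationFolder must run elevated, and Set-MigratedUserPassword needs the ActiveDirectory module.

```powershell
function New-RandomPassword {
    param([int]$Length = 16)
    # Look-alike characters (I, O, l, o, 0, 1) are left out so passwords are easier to read out.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+-=?'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()   # CSPRNG, not Get-Random
    $byte = New-Object byte[] 1
    # Rejection sampling: drop byte values that would bias the index towards early characters.
    $limit = 256 - (256 % $alphabet.Length)
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        do { $rng.GetBytes($byte) } while ($byte[0] -ge $limit)
        $alphabet[$byte[0] % $alphabet.Length]
    }
    $rng.Dispose()
    -join $chars
}

function Initialize-MigrationFolder {
    param([string]$Path = 'C:\ADMigration')
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Drop inherited ACEs; only BUILTIN\Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) keep access.
    icacls $Path /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
    Join-Path $Path 'userpasswords.txt'
}

function Set-MigratedUserPassword {
    # Requires the ActiveDirectory module; run in the new domain.
    param([string]$SamAccountName, [string]$PasswordFile)
    $plain = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # The copy in the file stops being a valid credential once the user logs on and picks a new password.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    Add-Content -Path $PasswordFile -Value "$SamAccountName,$plain"
}

New-RandomPassword   # runs anywhere; the two calls below need an elevated session on the new domain
# $file = Initialize-MigrationFolder
# Set-MigratedUserPassword -SamAccountName 'jdoe' -PasswordFile $file   # 'jdoe' is a constructed account
```

Delete userpasswords.txt once the passwords have been handed out, since it holds them in clear text.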

Pre-requisites

Ensure Exchange is installed before running this script if you are migrating mailboxes; otherwise it will create the Exchange groups and may cause issues.

Turn off password history and complexity requirements temporarily in the domain, as I have had weird issues with this script when they are enabled.

 

Here is the script. Copy it into Notepad or PS ISE and save it with the .ps1 extension.

migrateusers_ps1

 

Emailing Users when Password is about to Expire

I had one request from a customer recently asking if it was possible to email users before their Active Directory passwords expire, as it was causing issues with remote users.

I created a PowerShell script, which I added as a scheduled task on one domain controller, that runs once a day. The script queries AD for the date the user last changed their password and compares it against the AD password policy maximum age limit. Once the password is within a specified window of expiring, such as 5 days, the user is emailed once per day. Please note that you will need an Exchange server or mail server that will allow unauthenticated email to be sent from the DC you host this script on.

$smtpServer = "exchangecasserver.domain.local"
$from = "passwordreminder@domain.local"
$expireindays = 5

# Get enabled AD users whose passwords can expire and have not already expired
Import-Module ActiveDirectory
$users = Get-ADUser -Filter * -Properties EmailAddress, PasswordLastSet, PasswordNeverExpires, PasswordExpired |
    Where-Object { $_.Enabled -eq $true } |
    Where-Object { $_.PasswordNeverExpires -eq $false } |
    Where-Object { $_.PasswordExpired -eq $false }

# The maximum age comes from the default domain policy, so read it once.
# Accounts covered by a fine-grained password policy are not handled here.
$maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$today = Get-Date

foreach ($user in $users)
{
    $name = $user.Name
    $emailaddress = $user.EmailAddress
    $passwordSetDate = $user.PasswordLastSet

    # Skip accounts with no email address or no recorded password change
    if (-not $emailaddress -or -not $passwordSetDate) { continue }

    $expireson = $passwordSetDate + $maxPasswordAge
    $daystoexpire = (New-TimeSpan -Start $today -End $expireson).Days
    $subject = "Your password will expire in $daystoexpire days"
    $body = "
Dear $name,
<p>Your password will expire in $daystoexpire days.<br>
To change your password, log on to the domain internal network on a PC / laptop, press CTRL ALT Delete and choose Change Password.<br>
</p>
<p>Thanks,<br>
</p>"

    # Only send the reminder inside the warning window
    if ($daystoexpire -lt $expireindays)
    {
        Send-MailMessage -SmtpServer $smtpServer -From $from -To $emailaddress -Subject $subject -Body $body -BodyAsHtml -Priority High
    }
}

Skype for Business – Enabling Bulk Users

During a Lync 2013 install of over 2000 seats I had to enable bulk groups of users for Lync enterprise voice, PC to PC and Remote Call Control together with different pool assignments and policies. I created a script that would read from a user completed CSV file and enable users with the specified policies and pool associations.

The CSV file must have the following column headers and be saved as LyncUsers.csv

ADUsername Pool LineUri SipAddress ClientPolicy ConferencePolicy DialPlanpolicy Voicepolicy ExternalAccessPolicy

The LineURI should be in format of tel:+441870123456;ext=987

The SipAddress should be in the format of sip:useralias@domain.com

If policies are not defined, the default policies will be applied.
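A pre-flight check for LyncUsers.csv, as an added example rather than part of the author's lyncbulkusers script: the function name Test-LyncUserCsv, the regular expressions, the choice of which columns may be empty and the sample rows are assumptions built from the column list and formats given above.

```powershell
# Constructed sample rows: the second has a LineUri without the tel: prefix; the third
# reuses the first row's LineUri and has a SipAddress without the sip: prefix.
$sample = @'
ADUsername,Pool,LineUri,SipAddress,ClientPolicy,ConferencePolicy,DialPlanpolicy,Voicepolicy,ExternalAccessPolicy
jdoe,pool01.domain.com,tel:+441870123456;ext=987,sip:jdoe@domain.com,,,,,
sroe,pool01.domain.com,+441870123457,sip:sroe@domain.com,,,,,
akhan,pool01.domain.com,tel:+441870123456;ext=987,akhan@domain.com,,,,,
'@ | ConvertFrom-Csv

function Test-LyncUserCsv {
    param([object[]]$Rows)
    $required = 'ADUsername','Pool','LineUri','SipAddress','ClientPolicy','ConferencePolicy',
                'DialPlanpolicy','Voicepolicy','ExternalAccessPolicy'
    $present = $Rows[0].PSObject.Properties.Name
    $missing = $required | Where-Object { $present -notcontains $_ }
    if ($missing) { throw "Missing column(s): $($missing -join ', ')" }

    $seenUris = @{}
    foreach ($row in $Rows) {
        $problems = @()
        # Assumption: these three columns are needed for every user; policy columns may stay empty.
        foreach ($col in 'ADUsername','Pool','SipAddress') {
            if ([string]::IsNullOrWhiteSpace($row.$col)) { $problems += "$col is empty" }
        }
        if ($row.SipAddress -and $row.SipAddress -notmatch '^sip:[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $problems += 'SipAddress is not sip:useralias@domain.com'
        }
        if ($row.LineUri) {   # assumption: users without a phone number leave LineUri empty
            if ($row.LineUri -notmatch '^tel:\+[1-9]\d{6,14}(;ext=\d+)?$') {
                $problems += 'LineUri is not tel:+<number>;ext=<extension>'
            } elseif ($seenUris.ContainsKey($row.LineUri)) {
                $problems += "LineUri already used by $($seenUris[$row.LineUri])"
            } else { $seenUris[$row.LineUri] = $row.ADUsername }
        }
        if ($problems) { [pscustomobject]@{ ADUsername = $row.ADUsername; Problems = $problems -join '; ' } }
    }
}

Test-LyncUserCsv -Rows $sample | Format-Table -AutoSize -Wrap
```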

The script is provided as a Word document, as this website does not allow .ps1 files to be uploaded. Please copy the script contents into a Notepad file and save it with the .ps1 extension.

lyncbulkusers_ps1
