Finding Groups that have disabled users in them

This is just a quick PowerShell script to find all disabled users who are members of a certain group (or of certain groups).
We were running out of licenses for one of the products we use internally. This product is tied to group memberships. Instead of clicking on each individual group or disabled user (approximately 40 groups or 560 disabled users), I figured I would draft up a quick PowerShell script to do the work for me.

Write-Host "Importing the ActiveDirectory Module" -ForegroundColor Green
Import-Module ActiveDirectory | Out-Null
Write-Host "Filtering AD Groups" -ForegroundColor Green

# This will filter your groups. Change *changeme* to the group(s) you want to filter. Keep the * if you want to wildcard it.
# The filter is evaluated by the domain controller, so only matching groups are returned.
$Groups = Get-ADGroup -Filter 'Name -like "*changeme*"' | Select-Object -ExpandProperty Name
Write-Host "Preparing the CSV Template" -ForegroundColor Green

# This will create the template for you to export to CSV
$csv = @()
$Record = [ordered]@{
    "Group Name" = ""
    "Name"       = ""
    "Username"   = ""
    "Enabled"    = ""
}
Write-Host "The Magic is happening. Getting all Disabled Members" -ForegroundColor Green

# The Magic
foreach ($Group in $Groups)
{
    # -Recursive also returns computer accounts from nested groups; keep only user objects
    # so that Get-ADUser does not throw on them, then keep only the disabled accounts.
    $ArrayOfMembers = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Enabled } |
        Where-Object { $_.Enabled -eq $false } |
        Select-Object Name, SamAccountName, Enabled
    foreach ($Member in $ArrayOfMembers)
    {
        $Record."Group Name" = $Group
        $Record."Name" = $Member.Name
        $Record."Username" = $Member.SamAccountName
        $Record."Enabled" = $Member.Enabled
        $objRecord = New-Object PSObject -Property $Record
        $csv += $objRecord
    }
}

# The Export (C:\temp must already exist)
Write-Host "Exporting to CSV" -ForegroundColor Green
$csv | Export-Csv "C:\temp\ADSecurityGroups.csv" -NoTypeInformation | Out-Null
Write-Host "Complete" -ForegroundColor Green


Step by Step Moving FSMO roles in Server 2012 R2

I needed to move our FSMO roles to a centralised server today. The main cause for this was firewall rules (we cannot add rules mid-week) and an urgent requirement for Domain Controllers in our Azure Production environment.

We were unable to dcpromo our Azure server and, after 2 days of troubleshooting, wiresharking and several workarounds, we decided to move the FSMO roles yet again. Now, I know for a fact that continuously moving the FSMO roles is NOT HEALTHY for a domain environment. I was totally against it, but I bit the bullet and did as I was told.

They are now in their new home, On-Premise Site A, and will not be moved again. However, due to Microsoft best practice, we will split the Schema Master and Domain Naming Master off to DC2 once all firewall rules are in place.

Scripted configurations of SNMP v2

Today I went through the process of scripting the SNMP configuration for multiple OSes/devices. The reason for this is that there has never been any formality or standardisation around it, and sometimes we tend to forget this or that. So, in case you would also like to script it, here is what we use.

The defaults:

sysLocation:
For this, you could either use “3rd floor, of some office” or, if you are a global company with a monitoring system that makes use of the Google Maps API (e.g. Observium) and would like to show various locations globally, use a name the Google API recognises, e.g. London, UK or Cape Town, South Africa.

sysContact:
This could be a name or an email address or telephone number

Community:
Something that is configured on your server and on your device/workstation/server that allows communications. There is also a permission set that will get applied to this.

target:
This is the place you are sending information to

port:
This is, by default, 161/UDP, unless you change it.


Creating Superseded Applications in SCCM 2012 R2


Today I was investigating upgrading an application we use for email signature management called Symprex. I want to upgrade it using SCCM and realised that internally we didn’t have any “How-To” documentation on deploying an application from start to finish, so what better way than to add a post to my blog and some internal documentation.

So, what is supersedence exactly?

Microsoft TechNet gives us a pretty good explanation:

“Application management in Microsoft System Centre 2012 Configuration Manager allows you to upgrade or replace existing applications by using a supersedence relationship. When you supersede an application, you can specify a new deployment type to replace the deployment type of the superseded application and also configure whether to upgrade or uninstall the superseded application before the superseding application is installed.
When you supersede an application, this applies to all future deployments and Application Catalog requests. This will not affect the existing installations of the application.”

Taken directly from TechNet


How to Monitor DHCP Addresses with IPSentry

Recently, I took part in a maintenance weekend at the office. Post maintenance, our IPSentry dashboard (we use IPSentry for some of our monitoring) reported a couple of errors, which were fixed.

Come Monday morning, a colleague of mine noticed that certain systems were down, which he brought up. I did some further investigation and noticed one of our DHCP pools was running out of leases. I wanted to see if IPSentry could monitor DHCP addresses, and as it turns out, it can.

It took me a while to figure this out, but now that I know it, I’ll add it here for the world to share.

As mentioned before, in order to monitor DHCP leases, you would need to make use of the SNMP Addin for IPSentry.

So here are the prerequisites:


Resetting DSRM or Directory Services Restore Mode password in Server 2012 R2

Today I needed to reset a DSRM password, not because we forgot it, but more due to wanting to have different passwords for our domain controllers.

Although you could have the same password for each Domain Controller, this is not always secure. If a server is compromised and the attacker recovers its DSRM password, they will try that exact password on a different server in order to gain access to it.

What is DSRM?

DSRM is a special boot mode (or option) for Windows Server Domain Controllers (ONLY). Think of it as a kind of “Safe Mode” for directory services. With DSRM, the administrator is able to repair, recover or restore Active Directory services. DSRM is configured during the promotion of Active Directory Services. The Administrator account that you configure for it is completely unrelated and separate to the DOMAIN\Administrator account.
