Posts

Showing posts from June, 2017

Restoring Active Directory Attributes with PowerShell - Part 3

Welcome to the third and final article of the Restoring Active Directory Attributes with PowerShell series. Today we are going to create a scheduled task that executes a PowerShell script to manage our Active Directory snapshots.

First, we are going to create the script that will manage the snapshots, but in order to do that we have to decide how often to take snapshots and how many we want to keep. Personally, I go for two snapshots per day for a period of three days, but I have these snapshots spread across multiple Domain Controllers.

The following script will create an Active Directory snapshot and then remove all the older snapshots, keeping a total of 3. That way, when it is executed on a daily basis, you will have three snapshots for the last three days.

# Create the new Active Directory snapshot
New-ActiveDirectorySnapshot
# Get the current date
$now = [DateTime]::Now
# Remove snapshots older than three days from now
Get-ActiveDirectorySnapshot | Where-Object {$_.Date -lt $now…

Restoring Active Directory Attributes with PowerShell - Part 2

In the first article of the series, we used the ntdsutil tool to create, mount, dismount and remove Active Directory snapshots and loaded the Active Directory database using the dsamain tool. Today, we are going to use a set of PowerShell functions I've created for this purpose. These functions are included in my Active Directory module since version 1.4.1.

Let's start by creating an Active Directory snapshot and then mount it on port 33389:


After taking the snapshot, I updated the first name, last name and proxy addresses attributes on my user in order to compare and later on restore them. Using the "Get-ADUser" cmdlet we can get the current values for those attributes as well as the values from the snapshot:


As you may notice, a proxy address is missing, the first name has been updated to "Christos 1" and the last name has been updated to "Polydorou 2".

This is how easy it is to restore the attributes! First we save the production and the sna…

Restoring Active Directory Attributes with PowerShell - Part 1

Active Directory Recycle Bin. Great Feature. But what happens if instead of deleting the object, some of the attributes are misconfigured? Enter Active Directory snapshot.

In the first article of the Restoring Active Directory Attributes with PowerShell series, we are going to talk about Active Directory snapshots, and later on we are going to see how to restore attributes on objects.

So, what is an Active Directory snapshot? It's actually a VSS snapshot of the volume that the Active Directory database resides on. And how can we use that snapshot? We can use it as a backup, as a way to avoid full replication when installing a Domain Controller on a remote site, and in many other ways, but we are going to focus on mounting it and using dsamain in order to load the database and access it live.

Let's see some examples of how to create such a snapshot. Of course, you need to have the appropriate rights, like domain or forest administrator. To create a snapshot, we are going to use the ntdsutil execut…

Get Exchange Mailbox Quota Status using PowerShell

Back in the old days of Microsoft Exchange, when quota was applied to a mailbox we had a way to check the status of the quota using the "Get-MailboxStatistics" cmdlet and the property "StorageLimitStatus". On the newer versions of Exchange, this property does not contain a value since it has an impact on the performance against Active Directory (read more here).

In order to overcome this issue - and since I'm often checking for the quota status - I've decided to create a PowerShell function. The function is called "Get-MailboxQuotaStatus" and it's available with my Exchange module since version 2.4.1.

What it actually does is check whether the mailbox follows the database quotas or its own and then compare the quota values against the size of the mailbox. The objects that this function returns consist of the mailbox object that is returned from the "Get-Mailbox" cmdlet and the status of the quota.

The possible values for the…

Active Directory Naming Conversion using Powershell

When dealing with Exchange, most of the object identities are in the form of CanonicalName, which makes searching Active Directory difficult since CanonicalName is a calculated attribute and cannot be used in a query.

For example, the identity of a mailbox is the cn of the user:

[PS] C:\Windows\system32>$cn = (get-mailbox cpolydorou).Identity.ToString()
[PS] C:\Windows\system32>$cn
LAB.local/LAB/Users/Christos Polydorou

The newly released version of my Active Directory module (1.3.0) contains the cmdlet "Convert-ActiveDirectoryNaming" that will help with converting between the different Active Directory naming formats. The following example illustrates the usage of the cmdlet.

First, let's get the user from Active Directory in order to have the DistinguishedName, SamAccountName, CanonicalName and UserPrincipalName values.

PS C:\> $user = Get-ADUser cpolydorou -Properties DistinguishedName, SamAccountName, CanonicalName, UserPrincipalName

PS C:\> $user
Ca…