AD Recycle Bin
I just came across a post by Jonathan Medd over at simple-talk.com about the new Active Directory recycle bin in Windows Server 2008 R2.
It’s definitely worth the read.


One of my colleagues gave me a list of AD groups for the SharePoint environment he's configuring. Instead of creating them manually I used the Quest ActiveRoles management shell.
# Each CSV row becomes one group; -ParentContainer and -SamAccountName are the full
# names of the parameters abbreviated as -Parent and -sAM in the one-liner
Import-Csv 'SecurityGroups.csv' | ForEach-Object {
New-QADGroup -ParentContainer $_.ParentContainer -Name $_.Name -SamAccountName $_.Name -GroupScope $_.GroupScope -GroupType $_.GroupType
}
This script imports a .csv file to create the security groups. The .csv file contains the OU distinguished name, the group Name, the group type (security or distribution) and finally the scope (Domain Local, Global or Universal).
It looks like this:
ParentContainer,Name,GroupType,GroupScope
"OU=Sharepoint,DC=domain,DC=local",SecurityGroup01,Security,DomainLocal
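The one-liner trusts every row of the CSV. Below is an added example (not the original post's script) that reads the same CSV layout but validates each row, checks that the target OU exists, skips groups that already exist so the script can be re-run safely, and supports -WhatIf for a dry run. It assumes the Microsoft ActiveDirectory module (shipped with Server 2008 R2) is available instead of the Quest shell, so the cmdlet names differ from the post.

```powershell
# Added example: validated, idempotent bulk group creation from the CSV shown above.
# Assumes the Microsoft ActiveDirectory module; CSV columns are
# ParentContainer,Name,GroupType,GroupScope exactly as in the post.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$CsvPath
)
Import-Module ActiveDirectory -ErrorAction Stop

$validScopes = 'DomainLocal', 'Global', 'Universal'     # New-ADGroup -GroupScope values
$validTypes  = 'Security', 'Distribution'               # New-ADGroup -GroupCategory values
$samPattern  = '^[^"/\\\[\]:;|=,+*?<>]{1,64}$'          # characters not allowed in sAMAccountName

foreach ($row in (Import-Csv -Path $CsvPath)) {
    $sam = $row.Name

    # Reject malformed rows instead of letting a typo create an unexpected group
    if ($validScopes -notcontains $row.GroupScope) {
        Write-Warning "Skipping '$sam': invalid GroupScope '$($row.GroupScope)'"; continue
    }
    if ($validTypes -notcontains $row.GroupType) {
        Write-Warning "Skipping '$sam': invalid GroupType '$($row.GroupType)'"; continue
    }
    if ($sam -notmatch $samPattern) {
        Write-Warning "Skipping '$sam': not a valid sAMAccountName"; continue
    }

    # The parent OU must already exist; do not fall back to the default container
    try   { $null = Get-ADOrganizationalUnit -Identity $row.ParentContainer -ErrorAction Stop }
    catch { Write-Warning "Skipping '$sam': OU '$($row.ParentContainer)' not found"; continue }

    # Idempotent: a second run must neither fail on nor duplicate existing groups
    try   { $null = Get-ADGroup -Identity $sam -ErrorAction Stop
            Write-Verbose "Group '$sam' already exists, skipping"; continue }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { }

    if ($PSCmdlet.ShouldProcess("$sam in $($row.ParentContainer)", 'Create AD group')) {
        New-ADGroup -Name $sam -SamAccountName $sam -GroupCategory $row.GroupType `
                    -GroupScope $row.GroupScope -Path $row.ParentContainer
    }
}
```

Run it first with `-WhatIf` to see which rows would be created or skipped before touching the directory.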
I’m very fond of the powerful AdFind command line utility from joeware.net. Here’s a little list I’m keeping for my own reference:
Find the user behind a GUID:
adfind -binenc -gc -s subtree -b dc=test,dc=com -f "objectGUID={{GUID:????????-????-????-????-????????????}}" displayName
Likewise, you can use the same tool to find the e-mail address of a certain user:
adfind -gc -b dc=???,dc=??? -nodn -nolabel -f "sAMAccountName=??????" mail
The command above is actually part of a script, so I used the "-nodn" and "-nolabel" parameters to have the tool return only the e-mail address. You obviously need to replace the question marks with something meaningful in the examples above.
List all distribution groups:
adfind -csv -nodn -f "(&(objectcategory=group)(mail=*))" displayname
List all contacts:
adfind -csv -nodn -f "(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=contact)) ))))" displayname
List all mailbox-enabled users:
adfind -csv -nodn -f "(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))))" displayname
Run a query against another domain:
adfind -h %servername% -u %domain%\%username% -up %password% -csv -nodn -f "displayname=John Doe" displayname
List all the members of a DL (and optionally pipe the resulting DNs into a second adfind to retrieve some more readable information):
adfind -list -f "DisplayName=%displayname%" member
adfind -list -f "DisplayName=%displayname%" member | adfind -csv -nodn mailnickname displayname mail
Report on the usage of Extension Attributes:
adfind -csv -nodn -f "(|(ExtensionAttribute1=*)(ExtensionAttribute2=*)(ExtensionAttribute3=*)(ExtensionAttribute4=*)(ExtensionAttribute5=*)(ExtensionAttribute6=*)(ExtensionAttribute7=*)(ExtensionAttribute8=*)(ExtensionAttribute9=*)(ExtensionAttribute10=*)(ExtensionAttribute11=*)(ExtensionAttribute12=*)(ExtensionAttribute13=*)(ExtensionAttribute14=*)(ExtensionAttribute15=*))" displayname ExtensionAttribute1 ExtensionAttribute2 ExtensionAttribute3 ExtensionAttribute4 ExtensionAttribute5 ExtensionAttribute6 ExtensionAttribute7 ExtensionAttribute8 ExtensionAttribute9 ExtensionAttribute10 ExtensionAttribute11 ExtensionAttribute12 ExtensionAttribute13 ExtensionAttribute14 ExtensionAttribute15
Count the number of mailboxes on an exchange server:
adfind -c -f "msExchHomeServerName=/o=EMS/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=%servername%"
Imagine you're working as a consultant/contractor for a large organisation and you want to know the end date of your contract:
adfind -tdcs -f "samaccountname=%UserName%" accountExpires
The "-tdcs" parameter converts the time into a human-readable format.
Somebody called you on your mobile phone and you want to know who:
adfind -list -f "telephoneNumber=*%extension%" displayname