posted 10/07/10

PKI cleanup in AD with PS

By Fredrik "DXter" Jonsson

Yesterday I created this little script and I wanted to share it with you guys.

Now that PKI View is removed from KB889250, some people have asked me how to remove all references to old PKI structures in Active Directory in an easier way than plain LDAP. Even though AD cleanup is a standard step of a CA decommission, many people are not aware of it, and some seem to just remove the ADCS role and think "that's it!".

 

So yesterday I created a little script to do this AD cleanup automatically. It uses the Active Directory PS drive and the Remove-ADObject cmdlet provided by the Active Directory PowerShell module that comes with Windows Server 2008 R2. Since the Active Directory PowerShell module uses the Active Directory Management Gateway Service, make sure that at least one of your DCs has it installed or is running Windows Server 2008 R2. The idea of the script is to use it after decommissioning a single Enterprise Root CA, or to make sure that no old PKI objects exist in Active Directory before you install a new PKI structure. This script removes ALL existing references to internal PKIs and CAs, so use it very carefully! I think people should use it only after they have decommissioned their last CA or before they install their first.

 

 
1. The first screen presents what the script will do.

 

 

2. A final warning before continuing to delete anything.
 

 

3. The script prompts for credentials using the Get-Credential cmdlet.

 

 

4. The script searches the Public Key Services container in the Configuration partition (for the current domain) for specific PKI related objects that have object classes such as "certificationAuthority", "pKIEnrollmentService", "msPKI-PrivateKeyRecoveryAgent", etc.

 

 

5. All objects that are found are presented, and the person executing the script has the option to remove them. The Remove-ADObject cmdlet deletes the objects with the credentials that were provided at the credential prompt at the beginning of the script.

 

 

6. A simple way to verify that everything was deleted correctly is simply to run the script again. If all PKI related objects are gone, the script will say so.

If you think this sounds cool and want to test it in your test environment, the script is available from the download section at http://poweradmin.se/blog/download/?did=4


// Fredrik “DXter” Jonsson

posted 13/01/10

How to list all XP computers

By Fredrik Wall

Today's one-liner will show all Windows XP computers in a whole Active Directory.

Get-QADComputer -SizeLimit 0 -Osname "*xp*" | Select-Object Name, description, path

This can be nice if you want to migrate to Windows 7.

And if you want to show all Windows Server 2008 or Windows Server 2003 machines, you just change the -OSName value to 2008 or 2003.

You need to have the Quest AD cmdlets installed, and you need to add the snap-in first.

Add-PSSnapin Quest.ActiveRoles.ADManagement

If you want to import all the information into Excel, you can export it to a CSV file by appending Export-Csv to the pipeline:

Get-QADComputer -SizeLimit 0 -OSName "*xp*" | Select-Object Name, description, path | Export-Csv c:\scripts\test.txt

posted 03/01/10

Get-ClientSiteName

By Fredrik Wall

This is another function that I use in Active Directory scripting.


I use it when I want to create computer names with the syntax SitenameComputertypeNumbers.


The function can be found here.

 

posted 22/12/09

The story continues

By Fredrik Wall

Hi,

I sat down and thought a little today, and it struck me that the lab AD was not finished and was not built according to best practice.

So I will build the structure from this Microsoft document: Best Practice Active Directory Design for Managing Windows Networks.

And then we need to:

  1. Create groups
  2. Computers
  3. OU Information

Then I think we are where we should be.

 

posted 22/12/09

Lab AD with 5000 users

By Fredrik Wall

The script is not 100% finished as it is posted now in pieces. I will be adding some checks for existing users etc.

BUT I did test it last night with 5000 accounts and it did well.

Okay, I got a few errors and some accounts didn't go from disabled to enabled. But that was like 5 out of 5000 with almost no error handling and no check for existing users :)


I came up with some new ideas last night as well. So I will add one or two articles after the script is posted, on how to make a GUI for this with Windows.Forms.

 

posted 21/12/09

Create Lab AD – Part 6

By Fredrik Wall

How to create and set user information.

It’s time to create and set our user information.
The information we want for this setup is:

  1. First name
  2. Last name
  3. Display name
  4. Description
  5. Telephone number
  6. E-Mail
  7. Web page
  8. User principal name
  9. SAMAccount name
  10. Department
  11. Company


To create AD users with this information, we do the following:


    # Creating the User
    $objOU = new-object DirectoryServices.DirectoryEntry("LDAP://OU=$myLabOUs,OU=$labOU," + $labDomain)
    $objUser = $objOU.Create("user", "cn=$FirstName $LastName")
    $objUser.Put("sAMAccountName", $userSAM)
    $objUser.Put("userPrincipalName",$userPrincipalName)
    $objUser.Put("displayName",$displayName)
    $objUser.put("mail", $userEmail)
    $objUser.put("department", $myLabOUs)
    $objUser.put("company","Power Admin Corp")
    $objUser.put("employeeNumber", $userNumber)
    $objUser.put("telephoneNumber", $userTele)
    $objUser.put("wWWHomePage", "http://www.poweradmin.se/blog")

    $objUser.SetInfo()
    Write-Host "Created - " $firstName $lastName "($userSAM) in" $mylabOUs 

    $objUser.Put("givenName", $firstName)
    $objUser.Put("sn", $lastName)
    $objUser.Put("description", $userDescription)
    $objUser.SetInfo()

    # Password (the same one for every account; acceptable only in a throw-away lab)
    $objUser.psbase.invoke("setpassword", "myH@rdP@ssw0rd99!")
    $objUser.SetInfo()

    # Enable the account
    $objUser.psbase.invokeset('accountdisabled', $false)
    $objUser.SetInfo()

    # Change password at next login
    $objUser.PwdLastSet = 0
    $objUser.Setinfo()

This was all for this article series.

Now we have a script to create lots of accounts.

Later on I will also post error handling and more.

I will post a whitepaper on this in a couple of days.
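The check for existing users that this series (here and in the 5000-users post) says is still missing can be wrapped around the creation code like this. This is an added example, not the author's script: New-LabUser and ConvertTo-LdapFilterValue are hypothetical names, the OU layout is the one from Part 5, and a generated password is passed in instead of one shared value hard-coded in the script.

```powershell
# Added example, not part of the series' script: create a lab user only if the
# sAMAccountName is still free, then set the password, enable the account and force
# a password change, using the same DirectoryEntry calls as the series.
Add-Type -AssemblyName System.Web   # for Membership.GeneratePassword

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a name containing \ * ( ) or NUL cannot alter the filter
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace "`0", '\00'
}

function New-LabUser {
    param(
        [string]$FirstName, [string]$LastName, [string]$UserSAM, [string]$Password,
        [string]$Department,                  # one of $labOUs, e.g. "Marketing"
        [string]$LabOU    = "Lab OU",         # the "root" lab OU from Part 5
        [string]$DomainDN = "dc=poweradmin,dc=local"
    )
    # sAMAccountName is unique per domain, so search the whole domain, not just the target OU
    $search = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DomainDN")
    $search.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $UserSAM)))"
    if ($search.FindOne() -ne $null) {
        Write-Host "Skipped - $UserSAM already exists"
        return $false
    }

    $objOU   = [ADSI]"LDAP://OU=$Department,OU=$LabOU,$DomainDN"
    $objUser = $objOU.Create("user", "cn=$FirstName $LastName")
    $objUser.Put("sAMAccountName", $UserSAM)
    $objUser.Put("givenName", $FirstName)
    $objUser.Put("sn", $LastName)
    $objUser.Put("displayName", "$FirstName $LastName")
    $objUser.Put("department", $Department)
    $objUser.SetInfo()   # the object must exist before a password can be set

    $objUser.psbase.Invoke("SetPassword", $Password)
    $objUser.psbase.InvokeSet("AccountDisabled", $false)
    $objUser.pwdLastSet = 0   # must change password at next logon
    $objUser.SetInfo()
    Write-Host "Created - $FirstName $LastName ($UserSAM) in $Department"
    return $true
}

# 16 characters with at least 4 non-alphanumeric ones, generated per account
$labPassword = [System.Web.Security.Membership]::GeneratePassword(16, 4)
New-LabUser -FirstName "Hadar" -LastName "Möller" -UserSAM "hamo63343" `
            -Department "Marketing" -Password $labPassword
```

Running the series' loop a second time then reports "Skipped" for every account instead of failing on the duplicate cn.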

posted 21/12/09

Create Lab AD – Part 5 (Changed)

By Fredrik Wall

I have been doing some changes to the last part. All of my scripts are constantly changing, so before I post the next part of the script I want to post this change.

I have changed how $labDomain is set. Now, by default, you don't need to change anything: it uses your user's default domain and uses it all the way through.

# Name of the AD
# Default is the domain where your user account is.
# Set $labDomain yourself if you want to use another domain, e.g.
# $labDomain = "dc=poweradmin,dc=local"
$activeLabDomain = New-Object DirectoryServices.DirectoryEntry   # binds to the default naming context
$labDomain = [string]$activeLabDomain.distinguishedName
# Creating the "root" Lab OU
# The searcher needs a DirectoryEntry as its search root; a string argument would be taken as the filter
$search = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$labDomain")
$search.Filter = "(&(name=$labOU)(objectCategory=organizationalunit))"
$result = $search.FindOne()

if ($result -eq $null) {
    $labADSIDomain = [ADSI]"LDAP://$labDomain"
    $objOU = $labADSIDomain.Create("OrganizationalUnit", "ou=" + $labOU)
    $objOU.SetInfo()
    Write-Host $labOU "created"
}
else
{
    Write-Host $labOU "exists"
}

# Creating all OUs in the Lab OU
$labDomainOU = [ADSI]"LDAP://ou=$labOU,$labDomain"
foreach ($labUnit in $labOUs) {
    $search = [System.DirectoryServices.DirectorySearcher]$labDomainOU
    $search.Filter = "(&(name=$labUnit)(objectCategory=organizationalunit))"
    $result = $search.FindOne()
    if ($result -eq $null) {
        $objOU = $labDomainOU.Create("OrganizationalUnit", "ou=" + $labUnit)
        $objOU.SetInfo()

        Write-Host $labUnit "created"
    }
    else
    {
        Write-Host $labUnit "exists"
    }

}
posted 21/12/09

Create Lab AD – part 5

By Fredrik Wall

It's time to take our information and create the AD. First of all we need to set up the lab structure in our AD. I use my lab Active Directory named poweradmin.local.

# Name of the AD
$labDomain = [ADSI]"LDAP://dc=poweradmin,dc=local"

And then we need to decide what our Lab OU “root” should be called.

 

# LAB OU
$labOU = "Lab OU"

And then we put all of our OUs that we need.

# OUs to create
$labOUs = "Finance","IT","Marketing","Operations","Service","Customer Support"

Now it's time to create the "root" lab OU. First we check if it exists, and if it doesn't we create it.

 
# Creating the "root" Lab OU
$search = [System.DirectoryServices.DirectorySearcher]$labDomain
$search.Filter = "(&(name=$labOU)(objectCategory=organizationalunit))"
$result = $search.FindOne()

if ($result -eq $null) {
    $objOU = $labDomain.Create("OrganizationalUnit", "ou=" + $labOU)
    $objOU.SetInfo()
    Write-Host $labOU "created"
}
else
{
    Write-Host $labOU "exists"
}

When we have the “root” OU setup It’s time to create the rest.

# Creating all OUs in the Lab OU
$labDomainOU = [ADSI]"LDAP://ou=$labOU,dc=poweradmin,dc=local"
foreach ($labUnit in $labOUs) {
    $search = [System.DirectoryServices.DirectorySearcher]$labDomainOU
    $search.Filter = "(&(name=$labUnit)(objectCategory=organizationalunit))"
    $result = $search.FindOne()
    if ($result -eq $null) {
        $objOU = $labDomainOU.Create("OrganizationalUnit", "ou=" + $labUnit)
        $objOU.SetInfo()
        Write-Host $labUnit "created"
    }
    else
    {
        Write-Host $labUnit "exists"
    }
}

It should look like this if you used the same OUs as I did.


In the next part we will create the users.

 

posted 17/12/09

Create Lab AD – part 4

By Fredrik Wall

We have:

  1. Real names
  2. User Names (samAccountNames) with employee numbers
  3. OU names
  4. Country Names

If you have missed them, look in my older posts about Create Lab AD.

In this part we will do:

  1. Mail addresses
  2. Telephone numbers
  3. User description

We will start with the mail addresses.

$myUserCountry = $userCountry | Get-Random

switch ($myUserCountry)
{
    'Sweden'  {$userCountryCode = "se"}
    'Denmark' {$userCountryCode = "dk"}
    'Finland' {$userCountryCode = "fi"}
    'Norway'  {$userCountryCode = "no"}
    default   {$userCountryCode = "local"}
}
$userEmail = $userFirstName + "." + $userLastName + "@poweradmin." + $userCountryCode

This will give us mail addresses like:

fredrik.wall@poweradmin.se

fredrik.wall@poweradmin.local

 

The domain name of your AD can easily be put there automatically.
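The sample addresses further down ("hadar.moller@poweradmin.no" for Hadar Möller) are lower-case with the diacritics folded, which the switch above does not do by itself. As an added example (not the author's code), this builds the address that way and takes the country code from a lookup table with the same "local" fallback; ConvertTo-MailLocalPart and New-LabMailAddress are hypothetical helper names.

```powershell
# Added example (not the author's code): normalise the real name into a mail local part
# and pick the country code from a table instead of a switch.
function ConvertTo-MailLocalPart([string]$Name) {
    # FormD splits "ö" into "o" plus a combining diaeresis; dropping the combining
    # marks (NonSpacingMark) leaves the plain letter
    $decomposed = $Name.Normalize([Text.NormalizationForm]::FormD)
    $folded = -join ($decomposed.ToCharArray() | Where-Object {
        [Globalization.CharUnicodeInfo]::GetUnicodeCategory($_) -ne
            [Globalization.UnicodeCategory]::NonSpacingMark
    })
    # Whatever is still outside a-z, 0-9 or '-' (spaces, apostrophes, ß ...) is removed
    $folded.ToLower() -replace '[^a-z0-9-]', ''
}

$countryCodes = @{ Sweden = 'se'; Denmark = 'dk'; Finland = 'fi'; Norway = 'no' }

function New-LabMailAddress([string]$FirstName, [string]$LastName, [string]$Country) {
    $code = $countryCodes[$Country]
    if (-not $code) { $code = 'local' }   # same fallback as the switch's default branch
    '{0}.{1}@poweradmin.{2}' -f (ConvertTo-MailLocalPart $FirstName),
                               (ConvertTo-MailLocalPart $LastName), $code
}

$userCountry   = 'Sweden', 'Norway', 'Denmark', 'Finland'
$myUserCountry = $userCountry | Get-Random
$userEmail     = New-LabMailAddress 'Hadar' 'Möller' $myUserCountry
$userEmail
```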

 

For the telephone numbers I will use this little code.

$userLastTele = Get-Random -Minimum 1000 -Maximum 9999
$userTele = "+468440 " + $userLastTele
    

It will give us numbers like +4684402022 and +4684409988

The last thing I need before it's time to add the users to AD is the user description.

$userDescription = $firstName + " " + $lastName + " at " + $mylabOUs + " in " + $myUserCountry

This will give us this output:

Hadar Möller at Marketing in Norway

Peter Klint at Operations in Finland

Ylva Sten at Service in Sweden

So now we can put this together with

$firstName + " " + $lastName + " - " + $userSAM + " - " + $userEmail + " - " + $mylabOUs +
" - " + $userTele + " - " + $myUserCountry + " - " + $userDescription

and get

Hadar Möller - hamo63343 - hadar.moller@poweradmin.no - Marketing - +468440 5244 - Norway - Hadar Möller at Marketing in Norway

Peter Klint - pekl78132 - peter.klint@poweradmin.fi - Operations - +468440 1661 - Finland - Peter Klint at Operations in Finland

Ylva Sten - ylst53520 - ylva.sten@poweradmin.se - Service - +468440 7002 - Sweden - Ylva Sten at Service in Sweden

 

The next post will be a start on the way to add these users to the AD.

 

posted 17/12/09

Create Lab AD – part 3

By Fredrik Wall

We have:

  1. Real names
  2. User Names (samAccountNames) with employee numbers

In this part we will do the work for the lab OUs, and we will also pick a country for the users.

We will not create anything until we have all the information we need.

$labOUs = "Finance","IT","Marketing","Operations","Service","Customer Support"

$mylabOUs = $labOUs | Get-Random

The output will be one of the OUs in $labOUs:

Finance
IT
Marketing

Need more OU names? Just add yours.

Now it's time to do the same to pick some countries for the users.

$userCountry = "Sweden", "Norway", "Denmark", "Finland"
$myUserCountry = $userCountry | Get-Random