Active Directory

How to purge Kerberos tickets of the system account

Posted by on Mar 30, 2016 in Active Directory, Environment | 0 comments

… or: How to update the group membership information of the computer account. When you update the Active Directory group membership of your users, you usually ask them to log off and log on again. You don’t tell them why, you just tell them to do so. What happens? When logging on again, the group membership information of the user (carried within their Kerberos tickets) gets updated and they can access the resources they have been granted access to. You can check which tickets a user holds by using the klist command. But what about the system / computer account? You can’t log off and log on the system account. You...


Ambiguous Name Resolution (ANR) for LDAP

Posted by on Dec 7, 2013 in Active Directory | 0 comments

What is ANR? Ambiguous Name Resolution (ANR) is an efficient search algorithm associated with Lightweight Directory Access Protocol (LDAP) clients that allows for objects to be bound without complex search filters. ANR is useful when you are locating objects and attributes that may or may not be known by the client. A common use for ANR, for example, is in a situation in which a building name is known by the requesting client, but not the associated number. In this case, the physicalDeliveryOfficeName attribute may have a value of “Building 40” and a client might search for...


“No such object” when configuring TPM on Windows Server 2012 or Windows 8

Posted by on Feb 13, 2013 in Active Directory, BitLocker, Group Policies | 0 comments

Scenario: You have a Windows Server 2012 or Windows 8 computer with a TPM, and you store your BitLocker recovery and TPM owner information in Active Directory. When trying to configure the TPM hardware by using tpm.msc, you get this error: “Turn on the TPM security hardware. This computer may require you to change the state of the Trusted Platform Module (TPM) manually. To perform this action, try turning on the TPM through the BIOS or performing a firmware update. Consult the computer manufacturer’s documentation for instructions. There is no such object on the server. Error code: 0x80072030”...


Check objectVersion on all Domain Controllers after schema update with PowerShell

Posted by on Feb 2, 2013 in Active Directory, Powershell | 1 comment

Just copy and paste the following into PowerShell (Active Directory Module for Windows PowerShell) to get the version of the AD schema on all domain controllers in the current domain:

$schemaContext = Get-ADRootDSE | %{$_.schemaNamingContext}
Foreach ($dc in ([System.DirectoryServices.ActiveDirectory.DomainController]::findall( (new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$env:USERDNSDOMAIN)))) | %{$_.name}) {
    $path = 'LDAP://' + $dc + '/' + $schemaContext
    $Object = [adsi]$path
    $dc + ' ' + $Object.objectversion...


Restore deleted computer object including BitLocker recovery information

Posted by on Aug 10, 2012 in Active Directory, BitLocker, Powershell | 6 comments

Recovery of Active Directory objects became much easier with the introduction of the AD Recycle Bin feature in Windows Server 2008 R2. Simply use the Restore-ADObject PowerShell cmdlet and you’re done. But what if you are using BitLocker with its keys stored in AD? You can still restore the computer object after it has been deleted, but the attached msFVE-RecoveryInformation objects will not be restored automatically. This small PowerShell function will do the work for you:

import-module ActiveDirectory
function RestoreComputer($computername) {
    If ($computername.substring($computername.length -...


How to manage GPOs with vbScript?

Posted by on Mar 16, 2012 in Active Directory, Group Policies, VBScript | 0 comments

You can do really cool stuff with GPOs in VBScript. I will show you how to export reports and give you some examples of what else can be done the VBScript way… The Group Policy Management Console in Windows lets you export reports of a group policy object’s settings to HTML files; this, for example, is an excerpt of my Default Domain Controllers Policy: You can do this (and much more) by script too. Here is how you can do it… You can choose to save this report in a variable for further processing in your script, or you can save it to a file, just...
