Get which identities are allowed to retrieve the password for gMSA "MyGMSAAccountName":
Get-ADServiceAccount -Identity MyGMSAAccountName -Properties PrincipalsAllowedToRetrieveManagedPassword
01 June 2025
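Added example (not from the original post) that extends the one-liner above to every gMSA in the domain: it lists each principal allowed to retrieve the managed password, and expands any group among them so the effective set of password readers is visible. Assumes the ActiveDirectory module and read access to the gMSA objects.

```powershell
# Added example: audit who can retrieve each gMSA's managed password.
Import-Module ActiveDirectory

function Get-GmsaPasswordReaders {
    # All group managed service accounts, with the same attribute the one-liner queries
    $gmsas = Get-ADServiceAccount -Filter 'objectClass -eq "msDS-GroupManagedServiceAccount"' `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, Enabled

    foreach ($g in $gmsas) {
        $readers = @($g.PrincipalsAllowedToRetrieveManagedPassword)
        if ($readers.Count -eq 0) {
            # Nothing can fetch the password: the account is unusable, or someone is
            # relying on rights outside this attribute. Worth a look either way.
            [pscustomobject]@{ GMSA = $g.Name; Enabled = $g.Enabled; Reader = '(none)'; ReaderClass = '' }
            continue
        }
        foreach ($dn in $readers) {
            # The attribute stores distinguished names; resolve each to a name and class
            $obj = Get-ADObject -Identity $dn -Properties objectClass
            [pscustomobject]@{ GMSA = $g.Name; Enabled = $g.Enabled; Reader = $obj.Name; ReaderClass = $obj.ObjectClass }

            # A group here means every (nested) member can request the password, so expand it
            if ($obj.ObjectClass -eq 'group') {
                Get-ADGroupMember -Identity $dn -Recursive | ForEach-Object {
                    [pscustomobject]@{
                        GMSA        = $g.Name
                        Enabled     = $g.Enabled
                        Reader      = "  $($_.Name)"
                        ReaderClass = "$($_.objectClass) (via $($obj.Name))"
                    }
                }
            }
        }
    }
}

Get-GmsaPasswordReaders | Format-Table -AutoSize
```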
Get Service Principal Names for a computer
Get SPNs for computer account "MYSERVER":
setspn -L MYSERVER
17 July 2022
Get list of AD users that aren't in a specific group
To get a list of AD users with enabled accounts that aren't in either "Group1" or "Group2":
$results = @()
$users = Get-ADUser -Properties memberof -Filter 'enabled -eq $true'
foreach ($user in $users) {
    # Join the group DNs into one string so they can be pattern-matched below
    $groups = $user.memberof -join ';'
    $results += New-Object psObject -Property @{'User'=$user.name;'Groups'= $groups}
}
# Note: -notmatch is a regex substring match against the joined DNs, so 'Group1' also
# excludes members of e.g. 'Group10'. Anchor the pattern (e.g. 'CN=Group1,') if that matters.
$results | Where-Object { ($_.groups -notmatch 'Group1') -and ($_.groups -notmatch 'Group2')} | Select-Object user | Sort-Object -Property User
07 May 2022
To migrate Azure AD-joined Windows profile
Suggestions for moving an Azure-AD joined PC from one tenancy to another tenancy and minimising Windows profile impact for the user.
The user's web browser will lose its saved passwords during the change. You can export them before the change, and import afterwards, but best to make sure the user also knows all saved passwords to be safe.
You'll need a local administrator account.
You may wish to back up the PC to be safe.
ForensiT's User Profile Wizard will be used to adjust the user's Windows profile to work with the new tenancy.
- On your own PC, generate the XML file for User Profile Wizard which contains the Azure AD object IDs. To do this, run the Save-AzureADUser.ps1 PowerShell script against the new tenancy and note the resulting XML file.
- On the user's PC, take note of the default applications (as these will often be reset during the process).
- Export user's browser passwords to file.
- Log in as the local administrator.
- Disconnect it from the current tenancy: Settings > Accounts > Access work or school > Disconnect. Enter the local administrator credentials, and restart the PC, when prompted.
- Log in as the local administrator.
- Join it to the new tenancy: Settings > Accounts > Access work or school > Connect.
- Install User Profile Wizard on the PC. Copy the XML file into the same directory as the main application executable.
- Run User Profile Wizard. When prompted to enter the domain, enter the company name used by the new tenancy, e.g. "My Business", and tick Azure AD. When prompted to enter the account name, enter the user's username in the new tenancy, e.g. joe@mybusiness.com (it will display an error if it can't find this user in the XML file).
- The PC will restart after the wizard has finished.
- Log in with the local administrator, log out.
- Log in with the user's new-tenancy account, e.g. joe@mybusiness.com. You may be prompted to set up Windows Hello (e.g. a PIN) to log in.
- Verify that it is using the existing profile - the user's documents etc. should be present.
- Set the default applications to what they were previously.
- Import the user's browser passwords from file. If the user was syncing their browser data to an online account, they may need to sign back into the browser or set it up again.
- Check Outlook, Teams, and OneDrive functionality, and Office activation status.
- Check Windows Credential Manager, browser saved passwords, and remove any references to the old tenancy account.
- Sometimes BitLocker on the C drive will be paused - resume it if necessary.
30 April 2022
Search the Security event logs by username
Search the Security event logs for a username - when filtering the log:
- On the XML tab, click 'Edit query manually'.
- Replace:
<Select Path="Security">*</Select>
with
<Select Path="Security">* [EventData[Data[@Name='TargetUserName']='USERNAME']]</Select>
where 'USERNAME' is the desired username.
Thanks, Beaming?
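Added example, not part of the original tip: the same TargetUserName XPath filter applied with Get-WinEvent instead of the Event Viewer GUI, with the result summarised by event ID. Assumes you can read the Security log (run elevated) and that $UserName and $Computer are the values you want to query.

```powershell
# Added example: query the Security log for a username from PowerShell.
param(
    [Parameter(Mandatory)][string]$UserName,
    [string]$Computer = $env:COMPUTERNAME,
    [int]$MaxEvents = 1000
)

# The username lands inside an XPath string literal, so reject anything that would break out of it
if ($UserName -match "['<>&]") { throw "Unsupported character in username: $UserName" }

# Same structured query Event Viewer builds around the <Select> line from the tip above
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='TargetUserName']='$UserName']]</Select>
  </Query>
</QueryList>
"@

# Get-WinEvent raises a terminating error, not an empty result, when nothing matches
try {
    $events = Get-WinEvent -ComputerName $Computer -FilterXml $query -MaxEvents $MaxEvents -ErrorAction Stop
} catch {
    if ($_.Exception.Message -like 'No events were found*') {
        Write-Warning "No Security events with TargetUserName '$UserName' on $Computer"
        return
    }
    throw
}

# Group by ID so logons (4624), failures (4625), lockouts (4740) etc. stand out at a glance
$events | Group-Object Id | Sort-Object Count -Descending | Select-Object `
    @{n='EventId'; e={ [int]$_.Name }},
    Count,
    @{n='Newest';  e={ ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated }},
    @{n='Sample';  e={ ($_.Group[0].Message -split "`n")[0] }}
```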
Get AD users' email addresses
PowerShell to export email addresses for AD users:
Get-ADUser -Filter * -Properties proxyaddresses,EmailAddress | Select-Object Name,UserPrincipalName,EmailAddress, @{L = "ProxyAddresses"; E = { ($_.ProxyAddresses -like 'smtp:*') -join ";"}} | Export-Csv -Path C:\temp\AdUsersProxyAddresses.csv -NoTypeInformation
12 September 2021
Check if profile is roaming using Registry
Check if a profile is roaming via the Registry by looking for a 'CentralProfile' string inside:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>\
Get computers with AD BitLocker recovery key
PowerShell to get machines with a BitLocker recovery key stored in AD:
Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase "OU=Workstations,DC=domain,DC=local" -Properties 'msFVE-RecoveryPassword' |ft DistinguishedName
17 July 2021
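Added example (not from the original post) that turns the query above around: for every enabled computer in an OU it counts the msFVE-RecoveryInformation child objects, so machines with no escrowed BitLocker key stand out. The OU distinguished name is an assumption; adjust it, and note that reading recovery information needs the appropriate delegated rights.

```powershell
# Added example: find computers in an OU with no BitLocker recovery key in AD.
Import-Module ActiveDirectory
$searchBase = 'OU=Workstations,DC=domain,DC=local'   # assumption: replace with your OU

$computers = Get-ADComputer -SearchBase $searchBase -Filter 'Enabled -eq $true' -Properties LastLogonDate

$report = foreach ($c in $computers) {
    # Recovery information objects are children of the computer object, one per protector
    $keys = @(Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated)
    [pscustomobject]@{
        Name          = $c.Name
        LastLogonDate = $c.LastLogonDate
        KeyCount      = $keys.Count
        NewestKey     = if ($keys) { ($keys | Sort-Object whenCreated -Descending)[0].whenCreated } else { $null }
    }
}

# Zero escrowed keys: these are the machines to run the manage-bde -adbackup loop on
$report | Where-Object KeyCount -eq 0 | Sort-Object Name | Format-Table -AutoSize
```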
Export and import NTFS permissions
icacls C:\Folder /save C:\temp\ntfs_perms.txt /t /c
Restore NTFS permissions from a file:
icacls C:\Folder /restore C:\temp\ntfs_perms.txt /t /c
03 April 2021
Back up existing BitLocker keys to Active Directory
# Find every recovery-password protector on C: and escrow each one to the computer's AD object
$bdeProtector = manage-bde -protectors -get C: -type RecoveryPassword
# Pull the {GUID} protector IDs out of the manage-bde text output
$keyID = [Regex]::Matches($bdeProtector, '(?<={)(.*?)(?=})') | Select -ExpandProperty Value
foreach ($key in $keyID) {
    manage-bde -protectors -adbackup C: -id "{$key}"
}
12 November 2019
Get AD Home Drive and Profile paths
Get the AD Home Drive, path, and Profile path for all users:
dsquery user -name "*" -limit 0 | dsget user -samid -hmdir -hmdrv -profile > paths.txt
Get computer Last Logon dates
Get the last logon dates for enabled Computer objects in AD:
Get-ADComputer -Filter {(Enabled -eq $True)} -Properties * | Sort LastLogonDate | FT Name, LastLogonDate -Autosize | Out-File C:\Temp\ComputerLastLogonDate.txt
An alternative, specifying OU, different columns, and outputting to CSV:
Get-ADComputer -searchbase "CN=Computers,DC=fabrikam,DC=local" -filter * -Properties LastLogonTimeStamp,LastLogonDate,Name,Description,Created|Select Name,DistinguishedName,Created,LastLogonDate,@{n='LastLogonTimestamp';e={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}},Description,DNSHostName,Enabled | export-csv C:\temp\Output.csv
23 July 2019
Set the AD extensionAttribute1 for multiple users
To set the extensionAttribute1 attribute to "NoSync" for all users in the Users OU, using PowerShell:
Get-ADUser -SearchBase "OU=Users,DC=domain,DC=local" -Filter * | Set-ADuser -Add @{extensionAttribute1="NoSync"}
29 October 2017
Get list of AD users with no lastLogonTimestamp value
Retrieve a list of AD users that don't have a 'last logon' timestamp attribute value:
Get-ADUser -Filter {-not (lastlogontimestamp -like "*") -and (enabled -eq $true)} | ft Name, DistinguishedName
31 December 2016
Set ImmutableID for Office 365 user
From the Azure Active Directory command line:
Set-MsolUser -UserPrincipalName "joe@bloggs.com" -ImmutableId "123xyz"
Set to null:
Set-MsolUser -UserPrincipalName "joe@bloggs.com" -ImmutableId "$null"
19 March 2016
Change SID of Server 2012 R2 machine
If you've cloned a Windows Server 2012 R2 machine, you may need to change its SID:
- C:\Windows\System32\Sysprep\sysprep.exe - Run As Administrator.
- Select "Enter System Out-of-Box Experience (OOBE)", tick "Generalize", select "Reboot", click OK. The server will restart.
- After reboot, follow the Settings wizard.
- Set the server's static IP address again, if necessary.
Ta, M Hamizi.
10 March 2016
Fix broken trust relationship without rejoining domain
To fix the seemingly-random "The trust relationship between this workstation and the primary domain failed" error, you can remove the PC from the domain, then re-add it. Sometimes doing this is a PITA.
You can often fix the error using netdom.exe with the below steps. You can do it through your remote access utility, or by logging in as a local administrator.
- Extract netdom.exe and netdom.exe.mui from the Remote Server Administration tools. Or grab them from a machine that already has the tools installed.
- Put netdom.exe in C:\Windows\System32\ , and netdom.exe.mui in C:\Windows\System32\en-US\ , on the broken PC.
- Run the following command on the broken PC:
netdom.exe resetpwd /s:myserver /ud:MYDOMAIN\adminuser /pd:(adminpassword)
(Where "myserver" is your domain controller, "MYDOMAIN\adminuser" is a domain administrator, and "adminpassword" is the domain administrator's password.)
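Added example, not from the original post: the same machine-account password reset done with the built-in Test-ComputerSecureChannel cmdlet instead of netdom.exe, so no extra files need copying to the broken PC. Run it in an elevated PowerShell while logged in as a local administrator; the domain controller name is an assumption.

```powershell
# Added example: check the secure channel and repair it in place if it is broken.
$dc   = 'DC01.mydomain.local'   # assumption: replace with your domain controller
$cred = Get-Credential -Message 'Domain administrator, e.g. MYDOMAIN\adminuser'

if (Test-ComputerSecureChannel -Server $dc) {
    Write-Host 'Secure channel is healthy; nothing to repair.'
} else {
    # -Repair resets the machine account password on the DC and locally in one step,
    # which is what "netdom resetpwd" does, without leaving and rejoining the domain.
    if (Test-ComputerSecureChannel -Server $dc -Credential $cred -Repair) {
        Write-Host 'Secure channel repaired. Log off and back on with a domain account to confirm.'
    } else {
        Write-Warning 'Repair failed: check the DC name, clock skew, and that the computer account still exists in AD.'
    }
}
```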
Enable file and print sharing from the command line
Run this command on the remote computer to enable file and print sharing (all one line):
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
19 July 2015
Enable remote access to Event Logs from the command line
Run this command on the remote computer to allow viewing of its Windows Event Logs from another computer (all one line):
netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
16 May 2015
Get ImmutableID for AD user
To get the ImmutableID for an AD user, run the following then look for the ObjectGUID in the output file:
ldifde -d "CN=John Doe,OU=Users,DC=domain,DC=local" -f c:\temp\data.txt
Ta, 4ward.
Or, to get the ImmutableIDs for all AD users, use the following PowerShell script:
Import-Module ActiveDirectory
$Users = Get-ADUser -Filter *
# Convert a GUID to the Base64 form Azure AD uses as the ImmutableID
function guidtobase64
{
    param($str);
    $g = new-object -TypeName System.Guid -ArgumentList $str;
    $b64 = [System.Convert]::ToBase64String($g.ToByteArray());
    return $b64;
}
$ADUsersDump = $Users | Select SamAccountName,UserPrincipalName,@{Expression={(guidtobase64($_.ObjectGUID))}; Label="ImmutableID"}
$ADUsersDump | Export-CSV -Path C:\temp\ImmutableIDs.csv
Ta, Windows Central.
There's also this PowerShell script to get the ImmutableID for an AD user, and vice-versa.
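Added example (not from the original post, and not the linked script): the GUID-to-ImmutableID conversion above carried in both directions, plus a lookup of the AD user from an ImmutableID. Assumes the ActiveDirectory module; the GUID used for the round trip is a constructed value, not a real account.

```powershell
# Added example: convert between ObjectGUID and ImmutableID, and find a user from either.
Import-Module ActiveDirectory

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # ImmutableID is the 16 GUID bytes, in the byte order .NET emits, encoded as Base64
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    # Tenants that anchor on something other than ObjectGUID produce a different length; refuse those
    if ($bytes.Length -ne 16) { throw "Not a GUID-based ImmutableID: $ImmutableId ($($bytes.Length) bytes)" }
    [guid]::new($bytes)
}

function Find-ADUserByImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $guid = ConvertFrom-ImmutableId $ImmutableId
    # ObjectGUID is an indexed attribute, so -Identity with a GUID is a direct lookup, not a scan
    Get-ADUser -Identity $guid -Properties UserPrincipalName, ObjectGUID |
        Select-Object SamAccountName, UserPrincipalName, ObjectGUID,
                      @{n='ImmutableID'; e={ ConvertTo-ImmutableId $_.ObjectGUID }}
}

# Round trip on a constructed GUID (not a real account); should evaluate to True
$g  = [guid]'12345678-1234-1234-1234-123456789abc'
$id = ConvertTo-ImmutableId $g
(ConvertFrom-ImmutableId $id) -eq $g
```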