Aug
05
2010
The purpose of this article is to show how to restore deleted objects with their group membership using Powershell. In order to achieve this you will need to set up a lag site in your domain. If your domain functional level is Windows 2008R2 and you have turned on the recycle bin, you can simply restore an object with its group membership using Microsoft Powershell 2.0 Cmdlets without any lag site.
The method we will describe to achieve practically the same result works starting Windows 2003 server and later versions. We will restore objects from the Tombstone using Quest AD Cmdlets, your administration console should be at least running Windows XP, you do not need to install the RSAT (running on Windows 7 and 2008 server). You might have noticed on the “latest AD news sidebar“ that QAD Cmdlets version 1.4 was released a few days ago. The disadvantage of the method described is that it might be not supported by MS, for best practices regarding deleted objects restore you can read this KB article, you will also need to modify your Active Directory schema. Use this method if a few accounts are deleted, if have you deleted an entire OU use a proper authoritative restore. The advantage of using the powershell script is that the restore process is really quick.
Read more »
May
09
2010
We will describe in this post how to secure your autologon workstations. Those PCs are accessed by everyone inside your company because no account and password are required to login.This is why you need to work out how to secure them.
The autologon workstation uses a service user account to open a windows session, the most obvious way to set up an autologon on a workstation is to edit registry keys. This method is not secure because the account credentials appear in clear text in the registry, meaning that the account can easily be used for other purpose.
Read more »
Apr
07
2010
You can track GPO links changes by analyzing the security eventlog, GPO links will give you information on which objects your GPO is applied to. We will monitor GPLink attribute changes.
In order to analyze in real time the security log of all your DCs you need to pay for a Syslog solution, like Snare or Kiwi. Or you can try to setup an eventlog forwarding solution if you are under Windows 2008, you can also try to run a script that catches security log events, but you might encounter some performance issues.
Read more »
Mar
31
2010
We will explain in this post how to monitor GPO changes by tracking modifications on the GPT. Only deletion, computer/user configuration modification and creation can be overlooked. About GPO monitoring you can read this article,which shows you how to activate auditing on your Sysvol share \\domainname\sysvol\domainfqdn\Policies and retrieve GPO changes via the eventlog. We will use another method, taking advantage of the replication of this folder.
Read more »
Mar
18
2010
On this post we will describe how to do a spring clean on your active directory database file ntds.dit.
The first step will be to search for stale objects in your domain, if after collecting those objects you don’t find many of them, do not hope to gain some space on your database. For example the size of a user object is at the minimum 4Ko, the size may vary depending on the number of attributes the account has. Check this article for more information on objects size.
Read more »
Mar
14
2010
When you perform a complete domain or forest recovery, after you have restored the first DC system state, you have to cleanup metadata of the DCs on which you will reinstall AD using a DCPromo. For more information about disaster recovery plans I suggest you read this document.
On a Windows 2008 server when you delete the DC computer object, server object removal (cn=ServerName,cn=Servers,cn=SiteName, cn=Sites,cn=Configuration,dc=ForestRootDomain) and metadata cleanup are performed automatically. On a Windows 2003 server you need to use the ntdsutil command line tool and delete the server object manually. This post describes how to set up a semi automated process to perform these steps.
Read more »
Mar
12
2010
Here is an application for your helpdesk that collects data about the user environment which can be useful for troubleshooting, It was developed using WMI code creator was really useful for coding this application.
Just click on the icon bellow to download the tool, if you notice any bugs and have any ideas for tool evolution, please do not hesitate to contact me.
Read more »
Mar
07
2010
If lsass process consumes too much CPU time on your domain controller the cause might be clients infected by Conficker. The link to the KB article discusses how to prevent its propagation and how to remove the worm. The purpose of this post is to identify infected clients which cause this lsass.exe overconsumption easily.
This topic was already discussed in a post of AskDS, I’ll add a few comments and scripts which will help you to eradicate the virus on your workstations.
Read more »