Moreover, it also forms a basis for many business-level decisions, like changing a user’s group/ adding new members, or splitting a group. The main problem is that many admins don’t wish to use the PowerShell script to get their AD group members’ list. It’s either too complicated or time-consuming, and for some, it’s both.

Also, to add to the confusion, there are two approaches to visualize the membership data.

• One is to get AD group membership for the user directly. Here, admins check on a user level to see which group a user belongs to.
• Another, and frankly better method, is to search through the groups themselves and list out the members that are present in them.

No worries, as this guide will show you how to list members of AD groups and export AD group members to CSV using various methods. So that you can bypass any highly technical requirements. First, let’s see what are the contents of an AD group membership report.

Table of Contents

• What’s in a AD Group Membership Report?
• Powershell to Get Active Directory Group Members
• Why PowerShell is Problematic?
• Get AD Group Members List Using CMD
• Professionally Export AD Group Members to CSV w/o PowerShell
• Automated Steps to Use the Tool
• View Group Member List with ADUC
• Get the AD Group Report using Admin Center
• Check the Event Viewer
• Conclusion
• FAQs

What Does an Active Directory Group Membership Report Tell Us?

With this report, Admins get an overview of the employee distribution inside the OU groups. It also helps to find any inconsistencies in the group structure or membership count. So it is not a surprise that many regard this as the next logical step after admins check the Active Directory user login history for an OU.

It almost always contains the date on which a group was made, thus helping to determine how long a particular group has been active. Moreover, with the help of a modified date, it’s possible for the admins to figure out when exactly someone updated the group settings.

The group membership report also reveals whether or not a group is of a special category, like a security group or distribution list. All this is present in a tabular format for better readability.

It is not fair to outright reject the PowerShell method without first knowing what it is. After all, it has been a traditional way to make a report. So, to get members of the AD Group with PowerShell, the following section is all that you require

How to Use PowerShell to Get AD Group Members?

Here is a sample script:

# Get all groups in the Active Directory
$groups = Get-ADGroup -Filter *
Clear-Host
foreach ($group in $groups) {
# Get Active Directory group membership report of the current group
$members = Get-ADGroupMember -Identity $group

if ($members.Count -eq 0) {
Write-Host "Group: $($group.Name)" -ForegroundColor Yellow
} else {
# Group with members
Write-Host "Group: $($group.Name)" -ForegroundColor Cyan
}

# Output each member of the group
foreach ($member in $members) {
Write-Host " - Member: $($member.Name)" -ForegroundColor Green
}
}

Note that this is an example script in PowerShell to get Active Directory group members and should be used only after modification from your end. An explanation for this script can be found below.

This script first fetches all the Group category objects from the Active Directory. After that, a loop runs through the acquired Groups individually and checks for members.

When inside the loop, an if-else logic takes over, which displays groups in specific color codes. Groups containing even a single member are listed in Cyan, and for the members, we use Green.

You may add functionality like determining the Group type or exporting the list to CSV, etc, on your end. As we did during the export list of disabled users from Active Directory task. However, be careful, as it may break the original PowerShell script or end up permanently damaging your AD group structure.

Why do Admins Want to Export AD Group Members to CSV without PowerShell?

Problems don’t stop once you get the PowerShell script. On the contrary, it is not wrong to say that the real problems begin afterward.

Using PowerShell to get Active Directory group members means relying on generalized scripts that take little to no information about your exact AD environment.

Not to mention that these scripts often ignore any previous security considerations that admins should take. Like the one where the dsquery commands stop working in the normal Windows machines.

Even the machines with Windows Server need an AD DS to run this. That is why it is not possible to get members of the AD Group with PowerShell in some AD environments.

Simply copying and pasting any random scripts of PowerShell to list users in a group is not going to provide you with the intended results.

Moreover, the even more dangerous scenario is when admins get false-positive results. Combine this with no direct way of verifying the result. Admins may unknowingly submit/use the wrong data.

Therefore, many admins seek ways to export Active Directory group members to CSV without PowerShell.

Moreover, even if you manage to get ad groups for users with PowerShell, the source data for all intents and purposes is near garbage. So the output it produces post-analysis is the same.

Having the script is one thing, but understanding what it does is different. If the script does not run and get the Active Directory group membership report, admins have to fix it manually.

In the worst-case scenario, it may trigger a domain-wide account lockout, so admins have to check the last password change in the Active Directory environment.

This means more time is spent on troubleshooting the script than on doing what’s required. PowerShell is not the only way to check group members in an AD. Another somewhat unorthodox approach is to use the default command line.

Say No to PowerShell and Get the AD Group Members List Using CMD

Another less intrusive code-based method is the Command line. To open and use the command line module

• Press the Windows key + R.
• Type cmd in the run box
• Type the following query.

for /f "delims=" %G in ('dsquery group -limit 0') do @echo Group: %G & dsget group %G -members

This method to list members of an AD group command line query works with the following logic, which is similar to the one used by PowerShell to list users in a group.

The “dsquery group -limit 0” part loops through all groups in Active Directory. Next, for every group, we print “Group: “ followed by its name. At last, it uses the “dsget group” tag to retrieve and display the members of each group.

This should get the required Active Directory group membership report. However, even with this easier approach, administrators don’t have the control that they desire.

Sometimes they need to be more sophisticated and detailed to work, so admins with a non-tech background may fail to get accurate results. However, people with the right skill set can exploit these commands(with modifications, of course) and get unauthorized access to your AD environment.

There is a sure-shot way to skip over these limitations, and that too with a GUI-based software.

Automated Approach to Export AD Group Members to CSV without PowerShell

Hands down, the best tool to create a full active directory group membership report is the SysTools AD Reporting Tool. It gives the admin full control to view and extract the data about the members of a specific group. This tool allows you to easily show members of AD groups without relying on complex scripts.

Download Now Purchase Now

The reporting can be categorized based on the current requirements of your organization. This means if admins want to see the group creation date, they choose to get that. Moreover, more complex group membership requests, like Distribution or Security groups, are also available.

Also Read: Why you need ADMT Replacement for AD Migration

On top of that, if admins want to verify whether or not any changes were made to the group. They have the Modified category for exactly this kind of scenario.

They can also use the tool to find empty groups in AD. Now that we have a basic overview of what the tool’s capabilities are, let’s see how to use it.

Steps to Get an Active Directory Group Membership Report via the Tool

Step 1. Download, launch, and enter “administrator” in the space provided in the User ID and password entry box.

Step 2. Activate the tool that can list AD groups and press the “REGISTER DOMAIN CONTROLLER” icon.

Step 3. Type Domain Friendly Name and IP address for your AD, and hit Save & Continue.

Step 4. You arrive at the Domain details page where you have to put the Admin credentials for your domain and validate them.

Step 5. Go to the Report tab to view the reporting options. Select Group as the workload and All as the subcategory.

Step 6. Using the breadcrumb-style filtering menu as the guide, you can identify what report you are about to extract. Change the All category to unlock the duration picker.

Step 7.  Select a time of 5, 7, 10, 30, 60, 90 days, or 1 year starting from the present date. With the custom option, you can set a starting and ending date yourself.

Step 8. Hit the preview button and make a column-wise segregation of Group membership. You can also see a total count of all Active Directory groups present in the list at the bottom part of your screen.

Step 9. Click on the arrow within the Download Report button and tap on CSV.

Step 10. Click on the Download option once again that appears inside the pop-up box.

Step 11. Browse for the location where you want to keep the report data and hit the Save icon in the Save as window.

Step 12. The CSV file containing the list of ad groups can be checked in any text editor.

There are some native GUI methods available in your AD. It would be unfair to skip these methods, so here they are.

Active Directory Users and Computers Snap-in to View Group Member List

• Launch the ADUC, select a Domain, and click on the search button from the toolbar.
• In the Find Users, Contacts, and Groups window, go to the Advanced tab.
• For the Field section, hover over Group and select Members from the Context Menu.
  
• Then, put the condition as “Present”, and click on Add > Find Now.
• Click on a Group from the list.
• Toggle the Members tab in its Properties box.
• This will show you all the users/objects that are part of this AD group.
  

To look at the memberless groups, all you have to do is change the “is present” condition to “Not Present.”

After that, follow the rest of the steps exactly like before. Here, when you toggle the Members tab, you will see that it has no entries.

In the ADUC find option,  you can’t copy or export the results. So, to get out of a preview-only mode, there is another method in ADUC through which you can export AD groups and the list of members in that AD group to CSV format. For that:

• Toggle the “Set Filtering options” icon.
• Mark the radio button in front of “Show only the following types of objects.“
• Select “Groups” and Click on OK.
  
• Now browse through the different OUs and Containers. Every object that is not a Group is hidden from view so you only see the required items.
• Once you find a big enough list, take your cursor to the Export button and click it.
• A window with the Export options opens. Choose where, and in what format, you want this AD group list to appear.
• Once done, Hit Save.
  

The Admin Center Results can be put into an Excel sheet by copying and pasting. So, some consider it a superior built-in option for admins.

Get the Active Directory Group Membership Report via the Admin Center

• Open ADAC.
• Click on Global Filter from the left-hand pane.
• Toggle the “Convert to LDAP” option.
• Paste the following command:

“(&(objectCategory=group)(objectClass=group)(member=*))”

• Click on Apply
• The first result should be automatically selected. To change the AD group whose member list is required, simply select it.
• Then click on the properties option from the right-hand pane.
• Go to the Members tab and view the list.
  

To export the AD group membership data, select all results, press Ctrl + C, open a new Excel workbook or Notepad, and Press Ctrl + V.

Moreover, if you want to get a list of AD Groups with no members in them, just make a small adjustment in the LDAP query. Which is:

“(&(objectCategory=group)(objectClass=group)(!(member=*)))”

The Exclamation mark in front of the member attribute negates it. Meaning that the query will now search for Groups no one is part of.
To confirm, check the member list of any of the Groups that appear inside the results in the same way we did for functioning groups.

Although it provides a member list, admins still have no clue when each of these members became a part of the Group. Don’t worry, your AD has got you covered thanks to Event Viewer. Let’s see how.

Check the Event Viewer and Bypass PowerShell to Get AD Group Members

An unorthodox way to track user presence in an Active Directory Group is through the Event Viewer. Every user addition and removal task is logged inside the Event Viewer with a corresponding Event ID. So, admins can thus get a rough idea of the group membership by registering the entry and exit of members. Combining it with the group creation event can help filter out the unpopulated groups from the populated ones.
Here are the steps to use the Event Viewer for this task.

• Press the Windows and R keys together on your machine, wait for the Run module to appear, then type “eventvwr.msc” in the text box. Click OK or Press Enter.
• Once the Event Viewer module opens, expand the Windows logs and Select Security from the left-hand pane.
  Now scroll through the list till you see one or more of the following IDs.

4731: Registers every time after the formation of a new Security Group.
4732: The code for a member addition in an AD Security Group.
4733: You see this when admins remove members from a Security Group.
4749: Indicates a Distribution Group creation.
4751: Triggers when a member is added to a Security Disabled group.
4752: This is the ID that contains information on an object’s exit from a distribution group.

Source: Microsoft

You can use the Find parameter to save some time. Moreover, there is also an option to set a Custom Filter to introduce repeatability. We recommend following this practice as you most certainly have to check an AD group membership sometime again in the future. It can also act as a guide for another admin who takes over your role later.

Conclusion

In this guide, we explained how to get an Active Directory group membership report from scratch. Admins saw what complete group data from AD looks like. On top of that, we helped admins understand why PowerShell scripts are not the best approach for extracting group data. As an alternative, we introduced the best option on the market. Use it and free yourself from problematic PowerShell commands.

Frequently Asked Questions

Q. How to use PowerShell to get a security Group member list?
Apply a category filter in the same script under an if-else block.

$group.GroupCategory -eq 'Security'

This filter will restrict the search scope to only include security groups. The rest of the code remains as it is. If you find the process tough, you can always use the tool as it comes with an in-built filtering option for both security and distribution groups.

Q. Is it possible to export user group membership to CSV for further analysis?
Yes, you can apply the export option to PowerShell, the command line module, and ADUC also gives you the provision to pull out a CSV file after filtering the results. Those who want to use the AD administrative center have to manually select, copy, and paste the results. No such manual intervention is necessary in the case of the tool, as it generates a CSV ready for use.

Q. Is it possible to check for nested group memberships in Active Directory?
Yes, you have to make a few tweaks in PowerShell. Here is a base script you can use.

# Function to recursively get group members and nested groups with color coding
function Get-GroupMembers {
param (
[string]$GroupName,
[int]$Level = 0
)

# Retrieve group members once
$members = Get-ADGroupMember -Identity $GroupName -ErrorAction SilentlyContinue

# Indentation for the current level
$indent = (" " * ($Level * 4))

# Display the group name in Yellow
Write-Host "$indent+ Group: $GroupName" -ForegroundColor Yellow

# Loop through members of the group
foreach ($member in $members) {
if ($member.objectClass -eq "group") {
# If member is a group, recursively process nested group
Get-GroupMembers -GroupName $member.SamAccountName -Level ($Level + 1)
} elseif ($member.objectClass -eq "user") {
# If member is a user, display user name in Green
Write-Host "$indent- User: $($member.SamAccountName)" -ForegroundColor Green
}
}
}

# Main script to process all groups in AD
$groups = Get-ADGroup -Filter * -ErrorAction SilentlyContinue

foreach ($group in $groups) {
# Start with the top-level group and process
Write-Host "Processing Group: $($group.Name)" -ForegroundColor Cyan
Get-GroupMembers -GroupName $group.SamAccountName

Write-Host "--------------------------------------" -ForegroundColor DarkCyan
}

The post Get Active Directory Group Membership Report in CSV Format  appeared first on SysTools Software.

Although we use the terms unused group and empty group interchangeably in this write-up, there are some minute differences between the two. Generally, unused groups refer to those groups that were made by admins and may even have members, but have stayed dormant since their creation/a long time.

Empty groups, on the other hand, are groups that used to serve a purpose in the AD, but changes in business requirements forced the admins to clear out all their members and make them empty.

Sometimes empty groups can still be in use, and unused groups still have members in them.

Let’s see why IT admins need to keep a record of empty groups.

Why You Must Get a List of All Unused/Memberless Groups in AD?

Empty groups are a security vulnerability; they increase the attack surface that nefarious entities could exploit. Plus, empty groups usually still retain the resource access, not monitored or used, which can be disastrous.

Moreover, memberless groups are an unnecessary administrative and management burden. Admins have to be in constant lookout to avoid adding users to the wrong group.

It is not that difficult to make an Active Directory group membership report; the real trouble is in finding the empty groups. As they can stay indivisible from the default queries, admission uses to scan for Group elements. Moreover, even when admins can list all the Group objects, it takes extra effort to split the empty ones from the rest.

Sp, let us look at the default command line utilities present in every Active Directory and how they can be used to get a list of 0 (Zero) member groups.

PowerShell Script to Find Empty AD Groups

Open a new PowerShell instance and type:

Get-ADGroup -Filter {Members -notlike "*"}

This simple cmdlet will list down all the Groups that don’t have any members in them.

If you want to color-code the information and make it more visually appealing, use the script below:

Open PowerShell ISE and save it as a .ps1 file, and run it on the console.

# Get all groups in Active Directory
$groups = Get-ADGroup -Filter *
Clear-Host
foreach ($group in $groups) {
    # Get the Active Directory group membership report of the current group
    $members = Get-ADGroupMember -Identity $group -ErrorAction SilentlyContinue
    if ($members.Count -eq 0) {
        # Empty group
        Write-Host "Group: $($group.Name) has 0 members." -ForegroundColor Yellow
    }
}

The Active Directory accepts LDAP queries as well, so if you want, you can get the same result using:

Get-ADGroup -Filter '!(member=*)'

PowerShell isn’t the only code-based method available in an AD. You can use the plain old command line as well.

Command Line Query to Get Unused Groups

Press Windows + R simultaneously, then type cmd

This will launch the terminal where you can type:

dsquery group -filter "(&(objectCategory=group)(!(member=*)))”

And see the list of groups with zero members in them. Then delete or proceed with whatever your organization’s protocol is.

Unfortunately, both the command line/and the PowerShell method we discussed earlier can’t provide any sort of reporting. They are locked in a view-only state. To get the list of empty groups out, you must modify the query, and some users lack the technical expertise required to perform such a change.

Don’t worry, we have just the right solution for you.

Professional Script Free Way to List 0-Member AD Groups

The SysTools Active Directory Reporting Tool gives admins exactly what they need. With dedicated filtering options and an easy GUI-based filtered search.

Download Now Purchase Now

This tool matches the speed of cmdlets with the ease of a GUI to give a cohesive solution for finding empty groups.

To use this automated tool and get all empty groups in Active Directory, all you have to do is follow these steps:

Step 1. Type “administrator” in both the User ID and password fields to open the tool.

Step 2. Activate the tool and click on “REGISTER DOMAIN CONTROLLER”.

Step 3. Enter your custom Domain Friendly Name and AD IP address >> hit Save & Continue.

Step 4. On the Domain details page, put the domain Admin credentials and validate.

Step 5. Inside the Report tab, choose group workload and All as the subcategory(You may select the security group subcategory if you want to find empty security groups)

Step 6. Use the tool’s filtering system to change the All category and use the duration picker.

Step 7. Pick any one option of 5, 7, 10, 30, 60, 90 days, or 1 year starting from the present date. The tool even allows you to set your very own starting and ending dates.

Step 8. Click on the preview button to see the Groups.

Step 9. Use the Download Report button and select CSV.

Step 10. Download and save the empty Group report on your PC.

Best Practices to Find Empty Groups in Active Directory using PowerShell

If you still want to use PowerShell commands despite the availability of such an excellent alternative, we won’t stop you. However, please pay attention to these best practice directives to make sure your cmdlets behave as per your needs.

Make sure you have the necessary permission needed to run the advanced queries and cmdlets described in the post. Also,  export all of the disabled users from Active Directory so you have a record of what’s been deleted.

Rename all AD groups that are empty and move them to a separate OU in your AD.

Sometimes built-in groups like “Domain Users” may appear empty due to primary group membership, but are not truly empty. So watch out for false positive results.

Likewise, false negative results are also possible. The script doesn’t check beyond the first layer of nesting, and groups can be part of other groups in an AD. So there can be a case where a parent group consists of only other groups as members, all of which are empty themselves. The script won’t be able to tell you that you will have to modify it on your end.

As mentioned earlier, exporting results requires further changes to the code, plus you won’t be able to retain the color code from the PowerShell-only visualization.

Conclusion

Here in this post, I taught you what all needs to be done in order to find empty groups in Active Directory. You need not make a PowerShell script from scratch, as we have included a sample working template for you to get a list of all unused security and distribution AD groups. Moreover, admins have the option to use the script’s free reporting tool that can look for memberless groups in your environment and provide a CSV report as well.

The post Find Empty Groups in Active Directory with PowerShell Easily appeared first on SysTools Software.

Overview and Importance of Enabling Active Directory Recycle Bin

Windows Active Directory acts as a centralized repository that houses all network resources such as user accounts, groups, OUs, computers, printers, shared folders, group policies, etc. It helps IT admins to organize and secure the network infrastructures by deploying required policies and security protocols throughout the organization. 

However, in case of AD mismanagement, they can often encounter situations such as accidental data deletions or modification of Active Directory objects. This can be critical as it poses the risk of potential data loss or operational disruption.  

To eliminate such scenarios, Microsoft has introduced the AD Recycle Bin (ADRB) feature. Enabling this allows you to easily restore the deleted AD objects with all attributes, such as backlinks, group memberships, and metadata, without the need to recover the system state backups. 

Before moving with enabling Recycle Bin in Active Directory, it is necessary to check if the feature is already enabled on your AD DC (domain controller).

How to Check if Active Directory Recycle Bin is Enabled?

If you are not sure whether the Active Directory Recycle Bin is enabled or not, then you can check the status by using PowerShell and ADAC and following the steps below. 

Enable Recycle Bin Using PowerShell

You can use the Active Directory module to run the Get-ADOptionalFeature cmdlet scripts,  with a filter for features whose name contains “Recycle. It checks the EnabledScopes property of the feature, whether the feature is enabled or not. If the Recycle Bin feature is enabled then you get a True; if not, then you get a False. 

If ((Get-ADOptionalFeature -Filter {Name -like "Recycle*"}).EnabledScopes) 

{Write-Host 'True'}

else

{Write-Host 'False'}

In this case, you can see a False, which means that the Active Directory Recycle Bin is not enabled. 

Using Active Directory Administrative Center to Enable Recycle Bin

To check if the Active Directory Recycle Bin is enabled using the Active Directory Administrative Center, you can follow these steps:

• Step 1. Open the Active Directory Administrative Center.
• Step 2. In the left pane, navigate to the root of your Active Directory forest.
• Step 3. Right-click on your domain name and select Properties.
• Step 4. In the Properties dialog box, go to the Extensions tab.
• Step 5. Look for an extension named Recycle Bin. If you see it listed, it means that the Active Directory Recycle Bin is enabled for your domain.

If you don’t see the Recycle Bin extension listed, it means that the Active Directory Recycle Bin is not enabled.

How to Enable Active Directory Recycle Bin?

Similar to the above you have two ways to enable ADRB, this includes either using the PowerShell or ADAC. Let’s discuss the steps for the same in the coming sections. 

Using PowerShell

I am using the Enable-ADOptionalFeature. This cmdlet is used to enable an optional feature in Active Directory. Additionally, I am using the scope to set it up or enable features at the Forest level. Here, CN specifies the name of the optional feature to be enabled, i.e., Recycle Bin Feature.

Enable-ADOptionalFeature –Identity “CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=cu14mail,DC=local” -Scope ForestOrConfigurationSet –Target “cu14mail.local"

When you run the above PowerShell scripts, you will get a confirmation as shown in the image mentioned – it is an irreversible process. Type Y and hit Enter to enable the recycle bin in Active Directory using PowerShell. 

Using Active Directory Administrative Center

• Step 1. Open Active Directory Administrative Center.
• Step 2. Right-click on the domain name.
• Step 3. Locate Enable Recycle Bin in the list
• Step 4. Click on it to enable the Recycle Bin feature.
• Step 5. Confirm the action by clicking OK in the pop-up window.

In this way, you can easily enable AD Recycle Bin using the ADAC.

How SysTools Can Help?

SysTools offers industry-leading Active Directory Reporter software, which is a prime choice for IT admins for Active Directory management and reporting. Using it you can streamline administrative tasks and enhance the overall security of your network infrastructure. Let’s have a look at its features.

Download Now Purchase Now

Features of the SysTools Software

• Generates detailed reports on user accounts, groups, OUs, permissions, and other Active Directory objects.
• Offers the option to customize reports to meet specific requirements and filter data based on various criteria.
• Safely exports reports from forests and cross-forests instantly. 
• Provides a search facility to locate particular objects accordingly.
• Allows viewing of User Attributes in Active Directory and generating reports.
• Offers some predefined date range filters like 5, 7, 10, 30, and 60 days for filtering results
• Compatible with Windows Server 2012 R2, 2016 & 2019 OS.

Since it can help them simplify the management of the entire AD environment. Hence, with this software, the admins can perform various day-to-day tasks more efficiently and effectively without any hassle.

If you are planning to perform migration within AD environment, be it a cross forest, or domain migration. You can rely on SysTools Active Directory Migration Tool, as using it you can streamline the process and peform the data transition effortlessly.

Conclusion

If Active Directory Recycle Bin (ADRB) is not enabled, then it can greatly impact your overall AD management. And also poses a security risk of data loss in the event of intentional, unintentional, or accidental data deletion. 

Hence, enabling Active Directory Recycle Bin (ADRB) is a crucial step to take place, as it ensures data safety and helps in quick data recovery in accidental deletions or data loss scenarios. Using the above step-by-step guide you can take a look into the process to check ADRB status and also enable Active Directory recycle bin.

The post How to Enable Active Directory Recycle Bin Using ADAC & PowerShell? appeared first on SysTools Software.

With Kerberos in AD environments, admins have a robust secure, and efficient way of user/service identification without transferring any plain text passwords across network nodes.

Despite its prevalence inside on-premise servers, not everyone knows how the protocol behaves, why it is used, or even what it is. So, to change that we have prepared this write-up that dives into the Kerberos protocol revealing its its implementation within Active Directory.

Not only that we also cover the best practices to follow during its deployment and some common vulnerabilities that users may encounter. Together with the advanced troubleshooting techniques that focus on the latest Windows Server (2016, 2019, 2022) and Windows 10/11 environments admins will gain useful insights applicable to their daily workflow. So let us start with the basics first.

What is AD Kerberos Authentication?

Kerberos is nothing but a network authentication protocol that uses the concept of a trusted third party. It can be thought of as a set of rules where a trusted independent system (i.e. Kerberos’ Key Distribution Center) verifies the user’s identity before granting (or denying) access to the network services or server resources.

Here the Key Distribution Center plays the main role and uses symmetric-key cryptography to ensure security.

The word Kerberos itself comes from Greek mythology referring to the 3 headed dog guarding the gates of the underworld.

So three heads of this modern Kerberos are:

• The Client: It can be a user or even another server that is requesting access to a resource.
• The Server (or Service on a Server): It is the destination resource to which the client wants access ( like email, storage, application, etc).
• The Key Distribution Center: The main player that acts as the trusted authority (in the Active Directory Kerberos authentication this is usually another domain controller) which can issue the authentication tickets and make interaction between the other two heads possible.

The core principle behind using Kerberos is to prevent password leaks. This protocol uses encrypted tickets and certificate authenticators to prove/disprove the identity of an entity.

Thereby reducing the risk of password interception to a minuscule amount. With the added benefit of immunity against replication-type attacks. Let us now see what components play a part in making the protocol work.

Components of Kerberos Authentication in Active Directory, their Roles, and Responsibilities

In every type of Windows Active Directory environment, there is a tight integration between the domain structure and the Kerberos protocol. It can be better understood by visualizing the role that each part plays.

Domain Controller: Every domain controller acts as a Kerberos Domain controller in some manner. It is the point where the Kerberos service runs and gains access to the Active Directory security account database. For a domain to have the standard Kerberos on it must have the AD DS Role.

Active Directory Database: This is the storage unit of the entire system. Kerberos protocol does the verification using the user and computer account information and their password hashes (by constructing cryptographic keys). Moreover, the group membership details and other security-related attributes(e.g. objectGUID, objectSID, sAMAccountName) are kept here as well.

Security Support Provider(SSP): Kerberos implementation does not happen directly on the server but is rather implemented as an SSP. A sort of Dynamic Link Library that is part of the Windows security architecture. Apps within the AD interact with Kerberos via an interface aptly named SSPI Security Support Provider Interface.

Winlogon: The Single Sign-On feature that allows users to access many resources by only logging in once is possible due to the integration of Winlogon with the Kerberos system.

Service Principal Names (SPNs): Each service that uses Kerberos in any capacity gets a unique identifier that is registered in the Active Directory. These SPNs are used for both authentication and service discovery. It has a general format that is something like

serviceclass/host:port

Realm: In AD environments the Kerberos realm part is played by the domain itself, which decides the scope or boundaries till where the Kerberos authority lies.

Process of Kerberos Authentication in Active Directory Explained Step-by-Step

The Active Directory Kerberos authentication involves many different steps where information exchange between the client, the KDC (specifically its Authentication Service and Ticket-Granting Service), and the target server. It usually starts from a:

Client Request: Whenever a user logs into a domain-joined computer or a similar service request happens the client sends out a “KRB_AS_REQ” message to the authentication service on the domain controller. In this request, there are multiple components like

Client name, requested realm (domain name), pre-authentication data (with timestamp), requested options, and encryption types.

KDC Verification: When Kerberos receives this request it starts a look-up in the AD, gets the password hash, and decodes the pre-auth data. If decryption is as per the rule set then the request is genuine and further processing is carried out otherwise the request gets terminated here itself.

KDC Response: Like the client request this is also a special message tagged as “KRB_AS_REP” containing the following parameters. This is an encrypted value that uses the KDC’s secret key part of the krbtgt account’s password hash.

Also, there is the client’s principal name.

TGT (Ticket-Granting Ticket) otherwise known as the main parameter of the Kerberos system which has the client name, realm, session key(temporary randomly generated character sequence) etc.

Attacks Against Kerberos Authentication in Active Directory

Although Kerberos protects your AD against a wide variety of threats there is always a risk factor involved. The main reason why breaching Kerberos is so lucrative is that it makes critical business data vulnerable. Moreover, almost every on-premise Active Directory uses some form of Kerberos so the potential target list is huge. Hackers can reuse the same attack pattern on many different targets. Some of the most common mechanics are:

Pass-the-Ticket (PtT): Hackers steal a valid Kerberos ticket and use it to do a replay attack to gain access.

Pass-the-Hash (PtH): Here a leaked hash value of the password key is used to obtain a TGT pass.

Kerberoasting: Attacks service accounts to request service tickets for SPNs associated with user accounts. These service tickets are encrypted with the service account’s password hash so the attacker can crack the hash offline.

Overpass-the-Hash: It is similar to a pass-the-hash attack with a slight change that it only targets the Kerberos

PAC Manipulation: Try to make changes to PAC value to escalate privileges.

Encryption Downgrade Attacks: Forced algorithmic level changes that reduce the encryption security (eg from AES to DES)

DC Shadow: A rogue/false domain controller to inject malicious code into the main server.

Conclusion

Kerberos authentication in Active Directory is vital for maintaining security. Its absence can lead to password leakages and other critical failures. Despite all its advantages Kerberos is not invulnerable and can fall victim to highly sophisticated attacks like Kerberoasting. However, with the guidelines provided here, admins can protect their environments from such threats. Additionally, if you require an AD migration anytime soon you can trust the best and most secure solution. Which is none other than SysTools Migrator for Active Directory Migration.

The post Simplifying Kerberos Authentication in Active Directory appeared first on SysTools Software.

So let us decipher the difference between the AD types starting with ADDS

Active Directory Domain Service Type

This is the classic on-premise directory service that has been part of AD since the beginning. Admins use it to perform all sorts of tasks including the management of user accounts, adding new computer devices, forming new groups, etc. All this forms the necessary foundation for organizations that keep a Windows Domain environment for their identity infrastructure.

Admins use it to perform all sorts of tasks including the management of user accounts, adding new computer devises, forming new groups and so on. Sometimes admins even have to migrate AD objects from one domain to another.

Some Key Features that Qualify AD DS as an Active Directory type are:

Centralized Management: Admins get access to a unified command and control center to perform their management duties through a single database.

Replication and Redundancy: More often than not organizations tend to use multiple domain controllers so that the service remains available during adverse events. This is an essential quality of a domain service that AD DS fulfills.

Security and Authentication: No organization wants its critical data to leak or get infiltrated with ransomware. This is prevented via direct integration with the Kerberos and LDAP to allow secure user logins and error-free access controls.

Some Use Cases of Active Directory Domain Service

One major area where ADDS makes a direct impact is the network resources. An admin can set up strict entry requirements for both entities and information coming in and out of a domain. As the starting point for all management activity AD DS contains provisions for policy, DNS integration, and much more. ADDS is not the only system there is a miniature version of this system let’s learn about it.

Type of AD Lightweight Directory Services

Many veteran admins may remember it being called AD Application Mode it was named as such because of the due to its lightweight structure which could serve as a standalone directory service for apps that require one. Microsoft later changed its name to ADLDS so that there is a better representation of its purpose as an independent LDAP‑compliant directory.

Some Key Features of AD LDS include:

Domain-free Existence: Organizations need not deploy a full domain infrastructure as the lightweight service allows independent existence with no domain requirement.

Scalability: Like its more feature-full counterpart the AD LDS also allows multiple instances on the same server.

App Integration: The biggest reason for organizations to choose this over the regular domain service is the ability to use directory-enabled applications.

The primary use case of an Active Directory of this type is when an organization needs a cost miniaturization directory service that works without the baggage of managing a custom domain.

Active Directory Federation Service

AD FS is not a full service in itself but rather can be thought of as a capacity extender to the more pronounced AD DS.

With federation Services enabled in any of the following types of Active Directory, it is able to use the SSO (Single Sign On) feature across organization boundaries.

It works by issuing account-specific security tokens. These tokens are made as per industry standards like SAML, OAuth, and OpenID Connect.

With these admins can be assured that their AD is secure enough to deliver a smooth user experience.

Here is a list of key features you need to watch out for if you want to ensure that your AD type is Active Directory Federation Service.

Federated Identity Management: This means users only have to login once all the resources and services they need become accessible no need to enter credentials multiple times.

Interoperability: ADFS can not only work with Microsoft services but extend beyond to include non-Microsoft apps as well.

Security Tokens: Tokens are unique and actively generated that expire after use to ensure security above all else.

A simple use case that highlights the importance of Active Directory Federation Service best is in organizations that collaborate with external partners. Admins can use AD FS and avoid the construction of a whole new credential set. Speaking of credentials they often require proprietary certificates dont worry as there is a type of Ad just for that.

Active Directory Certificate Services

AD CS is the component responsible for issuing and maintaining the Public Key Infrastructure (PKI) within an organization. So everything from issuing to revoking and all the management activities that take place in between are managed by these services. Moreover, admins need not worry about the security part as every time a new certificate request arises a corresponding security mechanism does the identity verification part automatically.

Like other types of Active Directory services, this too has its own set of features which are explained below:

Digital Certificate Management: Certificates can be issued to users, computers, groups, and other major AD components whenever required.

Works with Other ADs: This service works with AD DS to provide a secure email, file encryption, and VPN connection

Superior Security: Every certificate passes through industry-standard cryptographic protection so that no sensitive data is ever exposed.

Active Directory Digital services are applicable in scenarios where businesses have to conduct digitally signed communication.

AD Rights Management Services

The Active Directory RMS (no longer under active development) is designed to work as a protector for sensitive information. It does so by enforcing strict boundaries on who has what access and for how long. Essentially controlling the scope of organizational data access at the user level.

Information Protection: Applies encryption and usage restrictions to digital content.

Policy Enforcement: Allows IT admins to set granular rights for viewing, editing, or printing documents.

Integration: Works with AD DS and other services to secure information across the organization.

Use Cases for this Active Directory type.

Organizations handling confidential information use AD RMS to prevent unauthorized sharing or modification of sensitive data.

What Type of Active Directory is Purely Cloud Based?

Microsoft used to call it Azure Active Directory until 2023 when it was renamed to Entra ID. This is an entirely cloud-based identity and access management system. Organizations use it to conduct authentication of users and authorization for Microsoft 365, Dynamics 365, and other SAAS applications. If you want a cloud equivalent of Active Directory, Entra ID is the service for it. However, transitioning from an on-premises AD to Entra ID can be challenging, often requiring careful planning and the use of ADMT replacement tools.

What key features does Entra ID provide:

Modern Authentication: You can have passwordless, multifactor authentication for safe access.

Integrates with Ease: A universal sign-on feature allows seamless access to all cloud applications.

When to go for Entra ID instead of regular types of Active Directory

It is best utilized if you have an organization that operates across many different geographies. If your workforce is majorly remote use SaaS applications on multi-cloud environments and dont want to disrupt existing deployments.

Hybrid AD Environment

Organizations increasingly wish they could have a type of Active Directory in a hybrid state. So that their critical data is in a self-managed system. While still using the vast resources and services available on the cloud. This combines AD DS with Microsoft Entra ID and can be done using tools like Microsoft Entra Connect. However, the security of the data must not be forgotten so one must make sure to remove SID history after migration.

Benefits of a Two Type System

Flexibility: Admins can switch between the two environments whenever they like. for example, some legacy systems (it can be hardware that is tightly intertwined with local AD) that lack a direct cloud equivalent are often kept on-premise. While being used as a service via the Entra ID.

Unified Identity: Users can move across all environments freely without credential restrictions or other roadblocks.

Easier Full Migration: As Hybrid systems have a part of their infra on the cloud it becomes a lot easier to do a full cloud transiti

on. Moreover one must not forget to maintain a secure system so one must find disabled computers in the Active Directory. This is to keep an eye on the system.

Despite the many benefits of a Hybrid system, it is not for everyone. Building a hybrid system and maintaining it is expensive and if not planned carefully can go against any advantages an organization hopes to achieve.

Conclusion

Here we saw that Microsoft had made numerous changes and released many different types of Active Directory over the years. From the many on-premise solutions like AD DS, AD LDS, AD FS, AD CS, and AD RMS to cloud-based equivalents under the rebranded Microsoft Entra ID. Which is the flagship and the destination for all modern identity management. So if your organization needs help during this transition use SysTools Migrator for Active Directory to Entra ID migration. It is the best-in-class solution to move your on-premise setup to the cloud.

The post Active Directory: Simple Guide to Its Different Types appeared first on SysTools Software.

This is because computers, along with users, form the basic building blocks of all activity that goes on inside the AD. So after administrators find out what OU a user is in, the next natural question is locating the computer path. This is done to tally whether or not all resources are within the same group policy scope and perform any intra-AD computer relocation.

Table of Contents

• Prep for Location Retrieval (PowerShell)
• List Computers (OU/SubOU – Basic PS)
• Find Computer OU (Advanced PS)
• Alternative Tools for Admins
• Conclusion
• FAQs

Moreover, if administrators are planning to migrate AD objects from one domain to another, they must have a solid idea of where every object lies, including the computers.

Not to worry, there are quite a few ways in which administrators can achieve the result. Among them, PowerShell is the most popular. Therefore, with this writeup, we provide not only the scripts but also other alternatives for finding a computer object’s path.

Prerequisites to Use PowerShell List Computers in OU or Sub OU Script

Admins who wish to use PowerShell must get themselves familiar with the basic syntax and terminology.

Among the computer languages, PowerShell is on the simpler side so learning it won’t be that hard. Glance through a few tutorials and check out Microsoft’s official documentation; this should provide you with more than enough knowledge to understand what we are about to do here.

After the knowledge set, the most important task is to prepare your environment, Microsft makes it easier by preinstalling PowerShell on all machines. However, if you have not used PowerShell previously, then complete the following steps on your AD workstation.

• Install the Remote Server Admin tools.
• Add the ADDS (Active Directory Domain Services Role) role.
• Upgrade the Windows Management Framework to version 3.0 or later.
• Then, use the Active Directory Administrator account.
• At last, download the AD Module for PowerShell by typing the following inside a fresh module.

Install-Module -Name RSAT-AD-PowerShell

After this is done, we can start with our main objective.

Basic PowerShell to Get List of Computers in OU and Sub OU in AD

There are two ways in which administrators can make this type of report. The first is to list the OU and check what all computer objects are preset there. Another is to list down the computers one by one, along with their OU. Admins can select the PowerShell script as per their requirements.

First Scenario: Computer Objects in each OU.

Get-ADOrganizationalUnit -Filter * | ForEach-Object { 
Write-Host $_.DistinguishedName
Get-ADComputer -Filter * -SearchBase $_.DistinguishedName | ForEach-Object {
Write-Host (" " + $_.Name) 
}
}

• This script of PowerShell to Get a List of Computers in OU and Sub OU in AD retrieves all OUs.
• Loops through each OU.
• Displays OU’s Distinguished Name.
• Retrieves computers within that OU.
• Displays indented computer names.

Go for this approach of PowerShell list computers in OU when you want a detailed view of all OUs and their associated computers. It’s better for documentation purposes as it gives a complete picture of all OUs and their associated computer inventory.

Second Scenario: OU of each Computer Object.

Get-ADComputer -Filter * -Properties SAMAccountName, DistinguishedName | ForEach-Object {
# Split the DistinguishedName to get the OU part
$distinguishedNameParts = $_.DistinguishedName -split ','
$ouPath = $distinguishedNameParts[1..($distinguishedNameParts.Length - 2)] -join '/'
Write-Host $_.SAMAccountName " : " $ouPath
}

• The script loops through each computer object in AD.
• It extracts and stores the OU path from the DistinguishedName.
• Finally, it displays the computer’s SAMAccountName, and its constructed OU path.

This approach is suitable for administrators who need to quickly determine the OU hierarchy for each computer. Additionally, it helps troubleshoot access control as it maps each computer to its corresponding OU hierarchy.

However, both of these scripts have some limitations.

• Neither of them checks for any nested sub-OUs in AD.
• Both give a temporary, non-shareable, read-only output.
• Admin needs to run each of the “.ps1” cmdlets manually.

So to combat this, we have a better combination of scripts lined up for you.

Find Computer OU in Active Directory with Advanced PowerShell

Part 1. PowerShell script to make a CSV report of all OUs and Sub OUs a computer is in.

# Import the Active Directory module
Import-Module ActiveDirectory

function Get-OUTreeWithComputers {
param (
[Parameter(Mandatory=$true)]
[string]$OUPath,
[int]$Indent = 0
)

# Get all OUs under the given path
$ous = Get-ADOrganizationalUnit -Filter * -SearchBase $OUPath -SearchScope OneLevel

foreach ($ou in $ous) {
# Display the current OU
Write-Host (" " * $Indent + "|- " + $ou.Name)

# Get and display computers directly under the current OU
$computers = Get-ADComputer -Filter * -SearchBase $ou.DistinguishedName -SearchScope OneLevel -Properties Name
foreach ($computer in $computers) {
Write-Host (" " * ($Indent + 3) + "|- " + $computer.Name) -ForegroundColor Cyan
}

# Recursively process sub-OUs
Get-OUTreeWithComputers -OUPath $ou.DistinguishedName -Indent ($Indent + 3)
}
}

# Get the domain
$domain = Get-ADDomain

# Start the tree from the domain root
Write-Host "Active Directory Tree Structure:"
Write-Host "|- $($domain.Name)"

# Get computers directly under the domain root
$rootComputers = Get-ADComputer -Filter * -SearchScope OneLevel -Properties Name
foreach ($computer in $rootComputers) {
Write-Host " |- $($computer.Name)" -ForegroundColor Cyan
}

# Process all OUs
Get-OUTreeWithComputers -OUPath $domain.DistinguishedName -Indent 3

Save the script as Computer-Location-Reporter.ps1 on the path C:\Temp\AD-Computer-Reports\

• We import an instance of the AD module and create a custom function that recursively gets all sub-OUs of an object in the hierarchy.
• Then, we call all the computer objects using their DN and split the DN into its components.
• We filter out the OU part and use the custom function to see all that is in the overall hierarchy.
• Finally, we put the results into yet another custom object and export it into a CSV output.

Part 2. Deploy a PowerShell get all computers in OU script to set up continuous report generation via the Windows Task Scheduler app.

 $Time=New-ScheduledTaskTrigger -Weekly -WeeksInterval 2 -DaysOfWeek Monday -At 9am

 $Action=New-ScheduledTaskAction -Execute PowerShell.exe -WorkingDirectory C:/Scripts -Argument “C:\Temp\AD-Computer-Reports\Computer-Location-Reporter.ps1 -UserName <Admin> -Password <admin-pass>”

 Register-ScheduledTask -TaskName "Schedule Computer Location Status Report" -Trigger $Time -Action $Action -RunLevel Highest

We use PowerShell to create a scheduled task trigger that starts every Monday at 9 a.m.

The task is designed to start a PowerShell module on its own, set the directory to “C:\Temp\AD-Computer-Reports\” and then invoke the Computer-Location-Reporter.ps1 script.

The Register-ScheduledTask is to save the scheduled task on the admin workstation with the name “Schedule Computer Location Status Report”.

Both of these scripts combine to form a weekly report of all computer group changes that occur in an Active Directory environment. Admins can make changes in these scripts to better suit their own requirements.

However, truth be told, PowerShell in of itself is quite complex. Limiting the complexity of the script means losing out on functionality. So a better way would be to use an automated alternative.

Avoid PowerShell Get List of Computers in OU and Sub OU in AD With a Tool

If you want to retain the ability to pull CSV reports of computer OU data, then the SysTools AD Reporting Tool is the best possible choice. This tool combines countless lines of PowerShell scripts into a simple GUI-based interface.

Download Now Purchase Now

Users can apply special filters to their existing searches to check whether AD computers are disabled or not. On top of that, a duration picker allows admins to get access to historical data and it will present the information as per your AD settings.

With an on-screen preview area, administrators can check out the computer OU and export the results in CSV format for further sharing. All this can be done via a remote machine that does not host the AD itself. Which is a massive improvement over the traditional PowerShell scripts.

To export computers from Active Directory OU to CSV PowerShell free with this tool, administrators have to carry out the following set of steps.

Step 1. Install, open, and log in to the tool via default administrator credentials (these fill in on their own, and you can change them later).

Step 2. Click on the big blue “REGISTER DOMAIN CONTROLLER” button.

Step 3. Type the custom domain-friendly name you want to use and add the IP address of the AD.

Step 4. On the domain details page, fill out the info section with appropriate data and validate.

Step 5. Then, go to the Reports tab and choose the All Computers option present in the Computers category.

Step 6. Click on the Preview button to get a list of computers in OU and sub OU without PowerShell.

Step 7. Then, expand the Download option and choose CSV. Save, view, and share the results.

Conclusion

In this guide, the admin found the PowerShell to get a list of computers in OU and sub OU of an Active Directory. Here we gave a list of prerequisites that allow the PowerShell commands to function and taught how there is no single command to get the results.

Moreover, after revealing the scripts, readers themselves understood the complexity of PowerShell. Those who want a code-free computer path location can get it via the professional alternative.

Frequently Asked Questions on How to Find OU of a Computer using PowerShell

Can a computer belong to more than one OU simultaneously?
Think of OU as a physical storage container as you can’t keep one computer in two boxes at the same time the same logic applies here. As the OU acts as an address from where resource access, policy applicability, and other things are controlled Microsoft designed it in a manner that any object which includes a computer stays in one OU only.

If a computer is in an OU which itself is part of a second OU then does it mean that the Computer is in two OUs? Does it violate the single-point presence of a Computer object?
No, when the computer object is not directly under an OU but instead part of its Sub OU it is considered as the object of its most direct container. Every inherited policy and permission is still applied but when the path is traces or objects are listed you will see it under Sub Ou and not the parent. Therefore some modifications must be made to the default PowerShell get-adcomputer approach.

Can a Computer exist outside of an OU in Active Directory?
Although rare in certain circumstances it is possible. Sometimes the Computer may not be part of an OU but a container instead. Moreover, OU-free computers are a resource drain on the AD and the admin should either move them to an OU or disable and delete them from the Active Directory.

How can I get AD computer data in CSV format from PowerShell?
Append [Export-Csv -Path “C:\temp\computers.csv”] at the end of the script to replicate the results in a comma-separated variable file.

The post Get a List of Computers in AD OU and Its Sub-OUs Using PowerShell appeared first on SysTools Software.

Table of Content

• How to Find Disabled Users in Active Directory Using PowerShell?
• Using ADUC to Export List of Disabled Users from Active Directory
• Professional Way to Get Report of Disabled User Data from AD
• Conclusion
• FAQs

Exporting the list of disabled users from AD becomes crucial because anyone with admin privileges may enable the wrong account and thus allow it the resources that it was not supposed to use. This is especially true if your organization recently completed a project in partnership with external agents.

Apart from this, regular cleanup of an AD comes under every compliance model. It is during such procedures that administrators might need a way to find the users whose login has been revoked and find what OU a user is in. Luckily, there is more than one identification method available for use. So let us see how PowerShell commands and scripts handle this.

How to Find Disabled Users in Active Directory Using PowerShell?

Even within PowerShell, multiple variations exist; the first one we are about to tell you is a script. Run it to get the enable/disable data inside a PowerShell Module itself.

# Import the Active Directory module
Import-Module ActiveDirectory

# Get all disabled users
$disabledUsers = Get-ADUser -Filter { Enabled -eq $false } -Properties DisplayName, SamAccountName

# Display the properties of the disabled users
$disabledUsers | Select-Object DisplayName, SamAccountName

Explanation of the script

• Import-Module ActiveDirectory: Imports the Active Directory module to use its cmdlets.
• Get-ADUser -Filter { Enabled -eq $false } -Properties DisplayName, SamAccountName: Retrieves all users with the Enabled property set to False and fetches additional properties such as DisplayName and SamAccountName.
• Select-Object DisplayName, SamAccountName: Selects and displays the specified properties of the disabled users.

Finding out the exact date when disable took place may not be possible as there is no PowerShell command for that. A workaround is to run the tracker every day and compare the results from the previous day.

Apart from PowerShell, administrators can also get the list of all disabled user accounts in a domain from the command line

Hold the Windows + R key together and in the run module type cmd.

In the command line interface, paste the following query:

C:\Users\Administrator>dsquery user -o samid -disabled

This is a strict view-only result.

Active Directory offers some in-built GUI-based modules that can also be used to get the list of disabled accounts.

If PowerShell isn’t your forte, and you don’t want to deal with the command line then you can very well use the Active Directory Users and Computers (ADUC) module. This is a part of all Windows Active Directory (AD) environments.

Using ADUC to Export List of Disabled Users from Active Directory

As it is usually best practice to make a separate OU for holding disabled users, we start from there.

Step 1. Create Disabled Users OU

• Launch ADUC snap-in.
• Click on the New OU icon or right-click on the domain > New > Organizational Unit.
• Type a name (e.g., Disabled-Users) and click OK.

Step 2. Find and Put Disabled Users in the OU 

• Right-click on the Domain
• Select Find…
• Expand the Find Dropdown and Select Common Queries.

• Under the Users tab, mark the “Disabled accounts” filter > Click on Find Now.
• In the search, select the first account. Scroll down, hold the Shift key, and click on the last result.
• Right-click and select Move.
• From the dialog box, select the disabled-users OU > Press OK.

Step 3. Export the Disabled Users List in CSV format

• Go to disabled-users OU > Press Ctrl + A to select all
• Click on the Export list icon from the toolbar.
• Choose a location, Type a file name, and select the CSV option from the dropdown.
• Press Save.

You can find the resultant list in the pre-set location. Administrators also have a faster way to get a similar result via ADAC. Let us see how.

• Step 1. Open Active Directory Admin Center (ADAC)
• Step 2. Click on Global Filter
• Step 3. Toggle Convert to LDAP option.
• Step 4. Paste the query.

  (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

• Step 5. Click on Apply.
• Step 6. Select the Results > Press Ctrl + C > Paste in a Spreadsheet or Notepad.

Even with ADUC or ADAC administrators may face some problems, like being attached to the workstation on which the AD resides. This is quite cumbersome but don’t worry, as we have just the right fit.

Professional Way to Get Report of Disabled User Data from AD

The tool we have is none other than SysTools AD Reporter Software. It comes with an easy-to-learn and quick-to-deploy design. Its UI is simple, with which you can add your AD environment from any workstation. An in-depth filtering system allows you to bypass the PowerShell script to find user accounts disabled in the last 7 days. Additionally, using this tool you can also check the last password change in Active Directory. Check out this small list of steps to get all the disabled user data.

Download Now Purchase Now

Step 1. Launch the tool and use the temporary (administrator) credentials to log in.

Step 2. Click on the “REGISTER DOMAIN NAME” button on your screen.

Step 3. Add a name and enter the IP on which the AD resides. Press Save and Continue.

Step 4. On the Domain Details page, validate the admin credentials. After that, open the Report tab.

Step 5. In the Report Section, there are multiple options to choose from. To view the full range of available object categories you have to scroll. You can also generate an Active Directory group membership report.

Step 6. Choose the Disabled Users option under the User section. Apply the duration (either the premade timespans or a custom range).

Step 7. Click on Preview to see what the data is going to look like.

Step 8. If it is as per your requirement, press the Download button and select CSV.

Step 9. In the window select where you want to put this data.

Step 10. View and share the CSV report.

Conclusion

In this write-up, we taught you multiple ways to export list of disabled users from Active Directory. We saw that disabled users were present in the AD until manual removal. Moreover, to secure the environment, admins must have a user list in a shareable format. Among the multiple methods for it, the tool we suggested above is the most optimal choice.

Frequently Asked Questions Regarding User Account Disabling

Q. Which Event IDs are associated with the user account disabling process? 

Check the Event Viewer for the following IDs:

Event ID 531: This event is logged in the Security event log when a user attempts to log in, but the account they are trying to log in with is disabled in Active Directory.

Source: Security

Description: “Logon Failure – Account currently disabled.”

Logon Type: 3 (Network)

Reason: Indicates a logon failure due to an account being disabled.

Event ID 4725: This event is logged when a user account is disabled.

Source: Security

Description: “A user account was disabled.”

Reason: The account was manually disabled by an administrator.

Event ID 4738: This event is logged when a user account is changed. If a user account is disabled as part of this change, it will be noted in the event details.

Source: Security

Description: “A user account was changed.”

Reason: The account status was changed, possibly including disabling the account.

Q. Is there a way to visually distinguish between a disabled and active user account?

Disabled user accounts can be identified by a small black arrow pointing downward on top of the regular user icon. However, the icons are too small so it’s better to rely on the automated utility and directly get a list of disabled accounts.

Q. What is the difference between a disabled user and an expired user account?

Refer to the following table:

The post Export List of Disabled Users from Active Directory Find & Filter Users appeared first on SysTools Software.

Moreover, nowadays, password history viewing is not only a security check but a compliance requirement as well. Therefore, it’s even more important to have a list ready. Fret not, as we are here to help all admins with an easy-to-understand tutorial. Let us begin with the introduction to a manual auditing method that admins have at their disposal even without realizing it. And no, it is not ADUC.

Table of Content

• Password Change Date in AD with GPMC
• PowerShell Script to See Last AD Password Change
• How to Check Last Password Change Date in Active Directory with CMD?
• Problems with Scripts to Check Password History 
• Professionally Report Password Change in AD
• Steps to Use the Tool 
• Conclusion
• FAQs

How to Check Last Password Change Date in Active Directory?

Most organizations allow password updates at the user level. Moreover, admins can also make changes to user credentials on top of locating users in an AD. Both situations have a different event ID associated with them, viewable in the Group Policy Management Console. As this is an extra service, it may be absent from your AD installation. So admins first need to add it, otherwise, jump directly to stage 2.

Stage 1: Install GPME

• Use the Windows Search Bar to search for Server Manager and open it.
• Look for the roles and features option in the center section of Server Manager.
• Use the on-screen instructions till you are on the Features menu.
• Toggle the advanced features and choose gpme. Use the on-screen installation wizard for the next series of steps.
• Once it installs, go to the next stage.

Stage 2: Use the Group Policy Management Editor

Step 1. Setup Password Change Auditing

• Launch “GPME.msc”.
  
• Select Policy Object.
  
• Toggle Computer Configuration
• Choose Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
• Under Audit account management, right-click and choose Properties from the Context Menu.
  
• In the dialog box that opens, Toggle Define these policy settings and mark Success and Failure. Click on Apply then OK
  

Step 2. Configure the Event Viewer to reflect the changes made to passwords.
Follow Step 1 till Security Settings.

• Select Event Log:
• Keep security log’s maximum size  below 1 Gigabyte (1000000 kilobytes)
• Click on Apply, then OK.
  

Step 3. Check the security logs inside Event Viewer:

• Event ID 4724 means that it was the admin who reset the password.
• Event ID 4723 signifies a user attempt at password change.

If you feel navigating the GPMC portal is too cumbersome, don’t worry. For a more technical cursor-free code-based method, check out the following section.

How to Check Last Password Change in Active Directory with PowerShell?

This is probably the most sought-after method by technically savvy IT Admins. However, before you begin, ensure that your workstation is part of the AD environment. Once the checks are done, do the following.

Step 1. Press Windows Key + R on your keyboard.
Step 2. Type “PowerShell”.
Step 3. Use Import-Module Active Directory first.
Step 4. Then run the following cmdlet and check last password change in Active Directory:

Get-ADUser -Filter * -Properties pwdLastSet | Select-Object Name, @{Name="LastPasswordSet";Expression={[DateTime]::FromFileTime($_.pwdLastSet)}} | Sort-Object Name | Format-Table

Commands to See Password History in Active Directory

PowerShell is not the only way for admins to detect password updates in an AD. They can use the command line as well. Like the PowerShell method before admins need to fulfill a basic set of prerequisites here as well. This includes the workstation to be connected to the AD.

Step 1. Start by pushing Windows + R simultaneously.
Step 2. This time, type “cmd” in the space in front of Open:
Step 3. After that, you can use any one of the command line queries given below:

Query 1: To Get the Password change date in human-readable format.

> net user %username% | findstr “Password last set”

Query 2: To get the password set date of all users.

> dsquery * -filter "(objectClass=user)" -limit 0 -attr displayName pwdLastSet

Note: Directly pasting these commands is not recommended. Check your organization’s security policy and make changes to these commands before using them. Moreover, if you are unable to get the desired result then check out the limitations discussed ahead.

Problems with Scripts to and Commands for Viewing Credential History in AD

• PowerShell is highly technical. So much so that admins avoid using PowerShell to rename AD groups. Therefore, deploying any unknown external scripts may have unintended consequences that admins did not plan for. Although these can be limited by changing the scripts, admins may lack the technical know-how. Another issue is that more time is spent adjusting the script than using it. So for the small task of password change date retrieval, this seems unnecessary.
• Moreover, even the relatively simple cmd queries have quite a few drawbacks. The major one being that admins have to compromise with either the password change date of a single user or deal with a format that is not human-readable.
• Apart from this admins may skip the commands as their results can’t be directly exported into a shareable format like CSV. A clumsy workaround is sending a screenshot of the command line. But let’s be real such a practice is not acceptable in a professional setting.
• Not to mention that neither PowerShell nor CMD admins have any idea what their output is going to look like. So the only way to risk running the code on a live AD environment. However, there is one simple way to do away with the script-based methods. Let us see what it is.

Script Free Way to Check Last Password Change in Active Directory for All Users

In any Windows Active Directory, the best method to list the date of a user password change is the SysTools AD Reporting Software. With its simple yet intuitive way, any admin, no matter if they have a technical background or not, can list the historical credential updates. Just like this tool helped admins to avoid their reliance on PowerShell to get AD group members here too you get freedom from scripts.

Download Now Purchase Now

Moreover, tracking AD password changes may be a small task, but no admin can deny its significance in securing an Active Directory. Therefore, to get accurate, readable results, go through the procedure of using the tool.

Automated Instructions to Check Last Time Password Change in Active Directory

Step 1. Launch the software on your machine and put the word “administrator” in place of Username and Password.

Step 2. Once the tool is ready press the “REGISTER DOMAIN CONTROLLER” option. If you have a previous domain registered and want to add a new domain click on the building-like icon below the cross on the top-right part of your screen.

Step 3. Fill in the required details in the prompt box i.e. Domain Friendly Name and IP Address for the domain. Then hit Save & Continue.

Step 4. In the Domain Details screen enter the Admin User ID and Admin Password after that press the Save & Continue button below.

Step 5. After validation, change the screen to the Report tab. To check the last password change in Active Directory, select the Password Changed option under the Users category.

Step 6. You can also set an optional duration for the report. Either choose the premade time frame or make a custom date filter.

Step 7. Click on the Preview button to get an idea of what your report contains.

Step 8. Press Download and pick CSV from the Dropdown.

Step 9. Choose a location to save the report.

Step 10. View it on any external visualization software.

Conclusion

In this tutorial, we helped admins check last password change in Active Directory for all users. We found how this domain-wide credential history tracking forms a core component of security management in an AD. Moreover, we discussed multiple methods to see when the password update took place. Out of these, only the professional method helps in formulating a shareable CSV-style report. So it is in the best interest of admins to use the most optimal method.

Frequently Asked Questions

Q. What is the PowerShell command to check last password change in Active Directory?

The following cmdlet will show you the required data.

Get-ADUser -Filter * -Properties pwdLastSet

Q. How often can admins change user passwords in AD environments?

There is no strict intervals but regular updates to passwords are recommended. Organizations have freedom to choose their own policy.

Q. Does Active Directory maintains all the password change logs for all users?

Yes it does keep logs but not indefinitely. That’s why you need a dedicated solution that can provide you with clear cut reports of all thats happening inside your AD.

The post Check Last Password Change in Active Directory: Easy Guide appeared first on SysTools Software.

Table of Contents

• GUI Part 1 to Setup a DC
• GUI Part 2 Complete ADDS installation
• GUI Part 3 Use ADDS Configuration Wizard
• Apply PowerShell commands and Install DC
• After Installation Checks
• Conclusion

Part 1 of GUI-Based Setup of A Domain Controller Server 2012 R2

Step 1. Get to the Server Manager Portal and Open Roles and Features

Login to the workstation where you have to complete the setup and search for Server Manager.

On the right-hand side of the top menu ribbon, you will find the Manage option click on it to expand the hidden menu.

Choose the Roles and Features options from the list and wait for the installation agent to appear.

Step 2. Ensure that Roles and Features Prerequisites are Complete

Depending on your setup, you may or may not see a before you begin option. However, ensure that you complete the tasks mentioned here before proceeding.

Admin attempting the setup should have a strong password.

Static IPs and other network settings should be preconfigured.

The Windows machine should be on the latest security update.

If you do not want this screen to appear in future DC setups, toggle the checkbox. Then press Next.

Step 3. Choose an Installation Type

This is the first major junction in the answer for how to set up a domain controller server 2012 R2 environment. The options include either Role/Feature-Based Installation or Remote Desktop installation. Go with the default Role/Feature-Based option unless you have one or more of the following requirements.

• The company wants the user’s apps and their workstations to be on different servers.
• A fast but fixed-style setup is what your organization wants.
• There is no plan to expand the domain control functionality.
• Security considerations associated with remote access are acceptable.

Our steps continue with the default selections.

Part 2 in the GUI Style Setup of A DC Server 2012 R2

Step 4. Pick the Destination to Place the Server

Here also, admins have two options to choose from. The default pre-selected option is one where they have to choose a specific server from the available list. Here, the list should not display more than one server unless admins have added them manually.

Another way is to set up a virtual hard disk. The secondary requirement of a VHD is that the share should have both read and write permissions. You won’t be able to complete the setup with just the user-only access. Once done, click Next.

Step 5. Complete Server Role Selection

One of the most important steps in our progress toward how to set up a domain controller server 2012 R2 is role selection. This determines what you can and cannot do inside the new DC. Although the services can be installed later on many admins prefer to complete it alongside the installation itself.

So we suggest that you follow the same, mark the boxes next to the roles you would require. Read through the role description present in the wizard to make your section; after that, press Next.

Step 6. The Features page and ADDS page requires no changes so just press the Next button on both.

Step 7. In the Confirmation page too you need to press the Next Button. Moreover, it allows you to setup an automatic reboot of the system once the configuration is complete.

Step 8. ADDS should start installation once it is complete close this dialog box and go to the Server Manager portal. There, hit the Flag icon, click “Promote this server to Domain Controller” and move on to the next part.

Part 3 on How to Set up a Domain Controller Server 2012 R2

• Once the ADDS configuration wizard launches, select Add a new forest and fill in your root domain name. Not that it must be unique. After that, hit Next.
  
• On the Domain Controller Options Screen, don’t change the Forest functional level and Domain functional level as it is. Likewise, keep the check in the DNS box. Add a password for Directory Services Restore Mode and hit Next.
  
• The DSRM password is to ensure we can boot the DC in recovery mode.
• Skip the warning notification and hit the Next Button.
• Perform NetBIOS verification and Hit Next.
• Add the ADDS Database, Log Files, and SYSVOL folder path. The Wizard selects these paths on its own so don’t change unless required.
  
• Check your selections and press Next.
• Once the Wizard confirms the prerequisite checks hit the Install button.
• After Installation ends click on Close.
• Your machine needs to restart to reflect the changes.

Other than the GUI, users have the option to deploy PowerShell scripts too so let’s see how it’s done.

How to Set up a Domain Controller Server 2012 R2 PowerShell Cmdlets

The PowerShell method unlocks much more granular control over the installation process. However, we suggest that you stick with the GUI approach unless you have prior experience.

Step 1. Prepare the Server for Domain Controller setup.

Ensure that the OS is on the latest security patch.

To make a static IP via PowerShell use the following pair of cmdlets:

New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress "0.0.0.0" -PrefixLength 24 -DefaultGateway "0.0.0.0"

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "0.0.0.0"

Step 2. Install the ADDS (Active Directory Domain Service) Role using the following PowerShell command:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Step 3. Convert the default Server into the Domain Controller. For that import the ADDSDeployment module, then pick one of two scripts.

If deploying the DC in a new forest:

Install-ADDSForest -DomainName "example.com" -CreateDnsDelegation:$false -DatabasePath "C:\Windows\NTDS" -DomainMode "Win2012R2" -DomainNetbiosName "EXAMPLE" -ForestMode "Win2012R2" -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -SysvolPath "C:\Windows\SYSVOL" -Force -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force)

To add the DC in an existing domain:

Install-ADDSDomainController -DomainName "example.com" -InstallDns:$true -SiteName "Default-First-Site-Name" -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" -NoRebootOnCompletion:$false -Force -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force)

Step 4. DNS configuration settings and installation verification

Get-DnsServerZone

Get-DnsServerResourceRecord -ZoneName "example.com"

Get-ADDomain

Get-ADDomainController

Get-ADForest

Step 5. Post Installation configuration

Build OU’s:

New-ADOrganizationalUnit -Name "OU_Name" -Path "DC=example,DC=com"

Create Users:

New-ADUser -Name "FName LName" -GivenName "FName" -Surname "LName" -SamAccountName "user1" -UserPrincipalName "user1@example.com" -Path "OU=Users,DC=example,DC=com" -AccountPassword (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Enabled $true

Make Groups:

New-ADGroup -Name "Group_Name" -SamAccountName "Group_Name" -GroupCategory Security -GroupScope Global -Path "OU=Groups,DC=example,DC=com"

Add Policies:

New-GPO -Name "Policy_Name"

New-GPLink -Name "Policy_Name" -Target "OU=OU_Name,DC=example,DC=com"

Aftermath of Domain Controller Server 2012 r2 Installation

A key step that administrators need to complete is to make a report on the object behavior in the new DC. For that, they can use the SysTools Active Directory Reporting software.

Download Now Purchase Now

With it, admins can find what OU a user is in and also see if the AD user is locked or not. Moreover, it is recommended that administrators keep scheduled checks at regular intervals to check user login history in Active Directory. Apart from that, administrators may need the access to Microsoft’s official troubleshooting guide in case things go south.

Conclusion

Here in this write-up, we taught users how to set up a domain controller server 2012 r2 in an AD environment. We hope that admins are able to complete the installation by using either the GUI or PowerShell method. Other than that, once the configuration is done, we ask admins to complete the audit of their AD with the tool that is prescribed. Doing this allows the admin to double-check the object deployment and ensure that the setup happened correctly.

The post Set Up a Domain Controller on Server 2012 R2: Tips Guide appeared first on SysTools Software.