Tag Archives: Active Directory

Active Directory Integrated DNS Wildcard Search

So NSLOOKUP is the typical way one may query DNS.  Ever wanted to just grab the results as objects while using a wildcard filtered search?  If your DNS is Active Directory integrated, then it’s really pretty simple.  After all, each DNS entry is essentially an AD Object.  Why not query AD like we do for so many other things?  Basically, you just need the Distinguished name for the DNS zone and tell Get-ChildItem to look at Active Directory.  For example, if you wanted to find all host records ending in “-DC” in example.com:

Get-ChildItem "AD:DC=example.com,CN=MicrosoftDNS,CN=System,DC=example,DC=com" -Filter "name=*-dc"

By the way, if you get an error stating something similar to this:

Cannot find drive. A drive with the name 'ad' does not exist.

Then you may need to import the Active Directory module.

Import-Module ActiveDirectory

A quick test is to do a change directory to AD.

cd ad:

and the prompt should read “PS AD:\>”

Automatically Assign Licences to New Office 365 Accounts

Here’s the scenario: Users are created in Active Directory, on-premise.  The AD Sync Service then will sync up the user account to Office 365.  However, a license is not assigned.  The rule of thumb when assigning new licenses is that people in the call center get an E1 license and the rest of the employees get an E3 license.  The identifying characteristic for the call center users is that their email address is <someone>@mycallcenter.com and everyone else has a different domain for their email.  For your use case, you may have other specific identifiers to help determine the appropriate license.  If one size fits all, you can eliminate the the lines to change to an E1 license and leave the default.

I chose to use a security group to identify users that need a license assigned.  In this case it’s “ADGroup-UsersNeedingLicenses”  When the script runs it will iterate through all members of that security group  and check to see if the account has synchronized up with Office 365.  If the account is there, it will evaluate which license to assign and then assign it.  It will then get the user’s licenses from Office 365 and display them so you can validate that it was updated.  It then removes the user from the security group and we’re done.

If you like, you can set this on a scheduled task to automatically assign licenses to new users on an interval.  One would need to store credentials in a file in order for it to be automated.  I like it because it’s one less administrative task I need to deal with.  I can create the account in AD then go take care of other things.  I come back after a bit and then the user is synchronized and licensed.

<# Get credentials to connect to Office 365 using PowerShell#>
$Password = Get-Content j:\myscripts\ADCredentials.txt | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PsCredential("ServiceAccount@company.onmicrosoft.com",$password)

<# Connect to MSOL #>
Connect-MsolService -Credential $credential

<# Get AD Users designated for license assignment #>
$usersNeedingLicense = Get-ADGroupMember -Identity ADGroup-UsersNeedingLicenses

<# Iterate through the collection of AD users designated for license assignment #>
ForEach ($ADUser in $usersNeedingLicense){
 $ADUser = Get-ADUser -Identity $ADUser -Properties *
 "AD UPN: " + $ADUser.UserPrincipalName
 Try {
 $o365User = Get-MsolUser -UserPrincipalName $ADUser.UserPrincipalName -ErrorAction Stop
 $licenseType = "mycompany:ENTERPRISEPACK" <# set default to E3 #>
 If ( $ADUser.UserPrincipalName.Contains("@mycallcenter.com")){$licenseType="mycompany:STANDARDPACK"} <# Assign E1 #>

 "Assign: $licenseType"
 <# Locate and assign license using matching UPN #>
 Set-MsolUser -UserPrincipalName $ADUser.UserPrincipalName -UsageLocation "US" <# Set user licensing to Unites States #>
 Set-MsolUserLicense -UserPrincipalName $ADUser.UserPrincipalName -AddLicenses $licenseType
 <# view for validation #>
 Get-MsolUser -UserPrincipalName $ADUser.UserPrincipalName | fl UserPrincipalName, Licenses
 <# Remove AD user from ADGroup-UsersNeedingLicenses #>
 Remove-ADGroupMember -Identity ADGroup-UsersNeedingLicenses -Members $ADUser.SamAccountName -Confirm:$false

 Catch [System.Exception]{
 $ADUser.UserPrincipalName + " is not in Office 365 yet."
 Finally {$error.Clear() }

Creating home drive folders for users without one

Of course I know that one can use the “Home folder” option in the Profile of the user in Active Directory.  Due to certain constraints of a situation I inherited, that’s really not an option for now.

I need to do it in bulk, for a bunch of active user accounts within a specific OU.  Additionally, I don’t know if the user has a folder or not.  Nor do I feel like waiting for these users to login and then have the folder created.

Luckily for me, I have a ton of storage and a single location for user home folders.  I simply want to walk through all the users in a specific OU, like “…this\path\to\my\ou\…”  If the folder does not exist, then go ahead and create it.

$homePath = "Q:\UserHome\"
$userHome = get-aduser -filter {enabled -eq $true} -properties SamAccountName,CanonicalName
foreach ($ADUser in $userHome)
  if ($ADUser.CanonicalName -like '*/myOu/Path/*')
    $userHomePath = $homePath + $ADUser.SamAccountName
    if (-Not (Test-Path $userHomePath))
      New-Item $userHomePath -Type Directory

Remove home drive folders for inactivated users

I ran into an challenge where there were tons of home folders for users that may or may not be active.  The folders were named according to the User ID used to login to user workstations.  In Active Directory, this was known as SamAccountName.

Going through Active Directory to find each user’s SamAccountName and then see if there’s a corresponding home drive folder would be tedious at best.  So, there must be a better way!

Here’s a script that will iterate through all the user folders in the “E:\User” folder and then remove deactivated user folders to the “E:\DeletedHomeDirectories” folder to be dealt with later.

<# RemoveFoldersWithoutUsers.ps1
By Frank Contreras
Use at your own risk
$folders = Get-ChildItem "G:\UserShare\"
foreach ($folder in $folders) 
  $ADUser = Get-ADUser -Filter {Enabled -eq $true -and SamAccountName -eq $folder.Name}
  if ($ADUser -eq $null)
    "Removing " + $folder
    $source = "G:\UserShare\"+$folder
    $destination = "E:\DeletedHomeDirectories\" + $folder.Name
    Move-Item -Path $source -Destination $destination