
Active Directory (AD) Scripts

Note

These commands require the Active Directory PowerShell module:

    OS              Installation
    Windows Server  Install-WindowsFeature RSAT-AD-PowerShell
    Windows         Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

Domain Management

  • Retrieve domain information:

    Get-ADForest
    Get-ADDomain
  • List all domain controllers:

    Get-ADDomainController -Filter *

Replication Management

  • Force synchronization between all domain controllers:

    repadmin /syncall /AeP
  • Summarize replication health, showing the latency and failure count for each DC:

    repadmin /replsummary

Tip

If a secondary DC (e.g., KVM-DC02) has been offline for too long (typically more than a week) and fails authentication when it tries to sync, follow these steps to restore replication:

  1. On the secondary DC, open Registry Editor.

  2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

  3. Create a new DWORD (32-bit) Value:

     Field   Value
     Name    Replication Authenticator Compatibility
     Value   1
  4. Attempt the replication command again: repadmin /syncall /AeP.

  5. Once the sync succeeds, delete the registry value again to return to the standard security settings.
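The five steps above scripted end to end, as an added example that is not part of this repository's scripts. It assumes an elevated PowerShell session on the secondary DC; the registry path and value name are the ones from the steps above, the retry count and wait time are constructed choices, and try/finally makes sure the compatibility value is rolled back even if the sync fails.

```powershell
# Added example (not from the original page): temporary replication-compatibility
# value, retried repadmin sync, guaranteed rollback. Run elevated on the secondary DC.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$regName = 'Replication Authenticator Compatibility'

# Remember any pre-existing value so we restore it rather than blindly deleting it
$previous = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName

try {
    # Steps 1-3: set the DWORD value to 1 (New-/Set-ItemProperty both work; Set creates if missing)
    Set-ItemProperty -Path $regPath -Name $regName -Value 1 -Type DWord
    Write-Host "Enabled '$regName' temporarily"

    # Step 4: retry the sync a few times; repadmin exits non-zero on failure
    $maxAttempts = 3          # constructed choice
    $attempt = 0
    do {
        $attempt++
        $output = & repadmin.exe /syncall /AeP 2>&1
        $synced = ($LASTEXITCODE -eq 0)
        if (-not $synced -and $attempt -lt $maxAttempts) { Start-Sleep -Seconds 30 }
    } until ($synced -or $attempt -ge $maxAttempts)

    if (-not $synced) {
        throw "repadmin /syncall failed after $attempt attempts:`n$($output -join "`n")"
    }
    Write-Host "Replication sync succeeded on attempt $attempt"
}
finally {
    # Step 5: always return to standard security settings, even when the sync threw
    if ($null -eq $previous) {
        Remove-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
        Write-Host "Removed '$regName'"
    }
    else {
        Set-ItemProperty -Path $regPath -Name $regName -Value $previous -Type DWord
        Write-Host "Restored '$regName' to its previous value ($previous)"
    }
}

# Confirm health afterwards (latency and failure summary per DC)
& repadmin.exe /replsummary
```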

Computer Management

  • List all computers in the domain:

    Get-ADComputer -Filter * | Select-Object Name, Enabled, ObjectClass
  • Join a computer to a domain:

    Add-Computer -DomainName "khangvum.lab" -Server "<IP_ADDRESS>" -Credential "khangvum\<USERNAME>" -Restart -Verbose
  • Move a computer to an OU:

    Move-ADObject -Identity "CN=<HOSTNAME>,CN=Computers,DC=khangvum,DC=lab" -TargetPath "OU=<OU>,DC=khangvum,DC=lab"

User Management

  • Create a new user:

    New-ADUser -Name "<FULL_NAME>" `
        -GivenName "<FIRST_NAME>" `
        -Surname "<LAST_NAME>" `
        -DisplayName "<FULL_NAME>" `
        -SamAccountName "<USERNAME>" `
        -UserPrincipalName "<USERNAME>@<DOMAIN>" `
        -EmailAddress "<USERNAME>@<DOMAIN>" `
        -Path "CN=Users,DC=khangvum,DC=lab" `
        -AccountPassword (Read-Host -AsSecureString "Enter Password") `
        -Enabled $true
  • Reset user password:

    Set-ADAccountPassword -Identity "<USERNAME>" -Reset -NewPassword (Read-Host -AsSecureString "Enter New Password")
  • Enable/Disable a user:

    # Enable a user
    Enable-ADAccount -Identity "<USERNAME>"
    # Disable a user
    Disable-ADAccount -Identity "<USERNAME>"
  • Unlock a user:

    Unlock-ADAccount -Identity "<USERNAME>"

Password Management

  • View current password policy:

    Get-ADDefaultDomainPasswordPolicy
  • Modify domain password policy:

    # "00:00:00" for MaxPasswordAge means passwords never expire; MinPasswordAge "00:00:00" allows immediate changes
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
        -MaxPasswordAge "00:00:00" `
        -MinPasswordAge "00:00:00" `
        -PasswordHistoryCount 5