Scenario: You want to quickly install the AD tools (Active Directory Users and Computers and other AD utilities) via PowerShell.
Solution: Run PowerShell as Administrator (on a Windows Server, where Add-WindowsFeature is available) and run: Add-WindowsFeature RSAT-Role-Tools
Category: Active Directory
Your message wasn’t delivered to anyone because there are too many recipients.
Scenario: A user with an Exchange Online mailbox receives the following error: "Your message wasn't delivered to anyone because there are too many recipients. The limit is 0. Your message has 1 recipients."
Investigation:
In Exchange Online, check the RecipientLimits on the mailbox: Get-Mailbox steveman | Select RecipientLimits
Fix: If not set correctly, run the following: Set-Mailbox steveman -RecipientLimits 500
———————————————————–
If Hybrid, also check the remote mailbox in Exchange On-Premises: Get-RemoteMailbox steveman | Select RecipientLimits
Fix: If not set correctly, run the following (AD PowerShell):
Set-ADUser steveman -Replace @{msExchRecipLimit="500"}
Note: There is no Set-RemoteMailbox -RecipientLimits parameter, which is why you need to set the underlying msExchRecipLimit attribute with AD PowerShell.
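The hybrid fix above handles one user at a time. The following is an added example (not from the original post) that finds every on-premises user stamped with an explicit msExchRecipLimit of 0, the value behind the "The limit is 0" NDR, and optionally raises it with -WhatIf support. The function name, the -Fix switch and the default of 500 are assumptions chosen to match the post.

```powershell
# Added example: audit on-premises users whose explicit recipient limit is 0.
# Run in AD PowerShell on a hybrid server; the -Fix switch is an assumption, not a page command.
Import-Module ActiveDirectory

function Find-ZeroRecipientLimit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$NewLimit = 500,
        [switch]$Fix
    )

    # msExchRecipLimit is only populated when an explicit limit was stamped on the object;
    # "unlimited" mailboxes carry no value, so this filter returns only the broken ones.
    $users = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(msExchRecipLimit=0)' `
        -Properties msExchRecipLimit, targetAddress

    foreach ($u in $users) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            TargetAddress  = $u.targetAddress
            CurrentLimit   = $u.msExchRecipLimit
            Action         = if ($Fix) { "Set to $NewLimit" } else { 'Report only' }
        }
        if ($Fix -and $PSCmdlet.ShouldProcess($u.DistinguishedName, "Set msExchRecipLimit=$NewLimit")) {
            # Same attribute the post sets by hand; the string is converted to the integer attribute type.
            Set-ADUser -Identity $u -Replace @{ msExchRecipLimit = "$NewLimit" }
        }
    }
}

# Report first; then rerun with -Fix -WhatIf to preview, and -Fix to apply.
Find-ZeroRecipientLimit | Format-Table -AutoSize
```

Run it from a domain-joined machine with the RSAT AD module. After a fix, AD Connect has to sync before Exchange Online reflects the new limit, so verify with Get-Mailbox afterwards.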
Delegate Permissions to an AD Organizational Unit via PowerShell
Scenario: You want to give an AD group Full Control delegated access to a specific AD Organizational Unit and its sub-objects.
Scriptlet:
# Grant the group GenericAll (Full Control) on the OU and everything beneath it.
# Requires the ActiveDirectory module, which provides the AD: drive used below.
Import-Module ActiveDirectory
$ou    = "AD:\OU=New,DC=Domain,DC=Com"
$group = Get-ADGroup "Exchange Admins"
# Get-ADGroup already returns a SecurityIdentifier in .SID; cast it to the IdentityReference base type
$identity        = [System.Security.Principal.IdentityReference] $group.SID
$adRights        = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type            = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $inheritanceType
$acl = Get-Acl $ou
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl $ou
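GenericAll on an OU gives the group every right over every object beneath it, including password resets and ACL changes on any admin account that lands there. The following is an added example (not from the original post) that applies the same ACE mechanics to a narrower grant: only the Reset Password extended right, only on user objects. The OU and group names are placeholders; the two GUIDs are the well-known schema identifiers for the User-Force-Change-Password control access right and the user object class.

```powershell
# Added example: least-privilege delegation of password reset on user objects under an OU.
Import-Module ActiveDirectory

function Grant-ResetPasswordOnOU {
    param(
        [Parameter(Mandatory)] [string]$OuDn,      # e.g. "OU=New,DC=Domain,DC=Com" (placeholder)
        [Parameter(Mandatory)] [string]$GroupName  # e.g. "Helpdesk" (placeholder)
    )
    $resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
    $userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class

    $sid  = (Get-ADGroup $GroupName).SID
    $path = "AD:\$OuDn"
    $acl  = Get-Acl $path

    # Overload: (identity, rights, type, objectType, inheritance, inheritedObjectType).
    # ExtendedRight restricted to the reset-password GUID, inherited only by descendant user objects.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
    $acl.AddAccessRule($ace)
    Set-Acl -AclObject $acl $path

    # Read the ACL back and return the ACE that was written so the caller can verify it
    $ntName = $sid.Translate([System.Security.Principal.NTAccount]).Value
    (Get-Acl $path).Access | Where-Object {
        $_.IdentityReference.Value -eq $ntName -and $_.ObjectType -eq $resetPasswordRight
    }
}

Grant-ResetPasswordOnOU -OuDn 'OU=New,DC=Domain,DC=Com' -GroupName 'Helpdesk'
```

The returned ACE should show ActiveDirectoryRights of ExtendedRight, InheritanceType of Descendents and InheritedObjectType equal to the user class GUID. Other delegations (unlock account, write a specific attribute) follow the same pattern with a different right and GUID.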
Active Directory: Identify Delegated Permissions for AD Organizational Units
Scenario: You want to pull a report of all delegated permissions to AD Organizational Units.
Scriptlet:
Import-Module ActiveDirectory
$sourceOU = "OU=NEW,DC=Domain,DC=Com"
$OUs = Get-ADOrganizationalUnit -SearchBase $sourceOU -Filter * | Select -ExpandProperty DistinguishedName | Sort {$_.Length}
$output = "C:\temp\ace.csv"
$OUs | %{
    $ou = "AD:\" + $_
    "Checking $ou"
    $acl = Get-Acl $ou
    # Explicit (non-inherited) ACEs are the ones that were delegated on this OU itself
    $ace = $acl.Access | Where IsInherited -eq $false
    $ace | Select @{Name="OU";Expression={$ou}}, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType, ObjectFlags, AccessControlType, IdentityReference, IsInherited, InheritanceFlags, PropagationFlags | Export-Csv $output -Append -NoTypeInformation
}
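The CSV above lists every explicit ACE; the entries worth a reviewer's time are the ones that let a principal take over objects. The following is an added example (not from the original post) that walks the same explicit ACEs but emits only rights that confer control (GenericAll, WriteDacl, WriteOwner, GenericWrite) granted to principals outside an allow list. The allow list, the search base and the output path are assumptions to adjust for your forest.

```powershell
# Added example: flag control-granting explicit ACEs on OUs held by non-approved principals.
Import-Module ActiveDirectory

function Find-RiskyOuDelegations {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Assumed allow list: principals expected to hold broad rights on OUs
        [string[]]$AllowedPrincipals = @('Administrators', 'SYSTEM', 'Enterprise Admins', 'Domain Admins', 'CREATOR OWNER')
    )
    $riskyRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite'

    foreach ($ou in Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter *) {
        $path = "AD:\$($ou.DistinguishedName)"
        $aces = (Get-Acl $path).Access | Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' }
        foreach ($ace in $aces) {
            # ActiveDirectoryRights is a flags enum; its string form is "GenericAll" or "ReadProperty, WriteProperty"
            $rights  = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
            $matched = @($rights | Where-Object { $riskyRights -contains $_ })
            # Strip the domain prefix so "CONTOSO\Domain Admins" matches the allow list
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($matched.Count -gt 0 -and $AllowedPrincipals -notcontains $name) {
                [pscustomobject]@{
                    OU          = $ou.DistinguishedName
                    Principal   = $ace.IdentityReference.Value
                    RiskyRights = $matched -join ','
                    AppliesTo   = $ace.InheritanceType
                    ObjectType  = $ace.ObjectType   # all-zero GUID means the whole object, not a single attribute
                }
            }
        }
    }
}

Find-RiskyOuDelegations | Export-Csv C:\temp\risky-ou-aces.csv -NoTypeInformation
```

Review the output against change records: a GenericAll entry for a helpdesk or service group on an OU that contains privileged accounts is the finding this report is meant to surface.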
Active Directory: Copy OU hierarchy from one OU to another OU
Scenario: You want to copy the sub-OU structure/hierarchy from one parent OU to another parent OU.
Scriptlet:
# Create OUs: recreate the sub-OU tree of $sourceOU underneath $destinationOU
# Import module
Import-Module ActiveDirectory

# Variables
$sourceOU      = "OU=Old,DC=Domain,DC=com"
$destinationOU = "OU=New,DC=Domain,DC=com"

# DirectorySearcher rooted at the destination OU, used to test whether an OU already exists there
$adPath    = "LDAP://" + $destinationOU
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($adPath)
$objSearch = New-Object System.DirectoryServices.DirectorySearcher($objDomain)

# Query for source OUs, excluding any OU whose DN contains "Service" (adjust or drop the Where as needed).
# Sorting by DN length guarantees that parents are created before their children.
[array] $OUs = Get-ADOrganizationalUnit -SearchBase $sourceOU -Filter * |
    Where-Object DistinguishedName -notlike "*Service*" |
    Select-Object -ExpandProperty DistinguishedName |
    Sort-Object { $_.Length }

# Loop to build the OU structure
foreach ($sourceDN in $OUs) {
    # Rewrite the DN so it sits under the destination parent instead of the source parent
    $OUtoCreate = $sourceDN -replace [regex]::Escape($sourceOU), $destinationOU
    $objSearch.Filter = "(&(objectCategory=organizationalUnit)(distinguishedName=" + $OUtoCreate + "))"
    $allSearchResult = $objSearch.FindAll()
    if ($allSearchResult.Count -eq 1) {
        "No changes were done on = " + $OUtoCreate
    }
    else {
        dsadd ou $OUtoCreate
        "OU Creation = " + $OUtoCreate
    }
}
Run Get-ADUser by pulling the WindowsLiveID from the Exchange Online Mailbox
Scenario: You need to pull additional AD properties for users with Exchange Online mailboxes, properties that are only available through Get-ADUser because they are not included in the AD sync to Microsoft Online/Azure AD.
Scriptlet:
Declare variables (requires both the Exchange Online and ActiveDirectory modules):
$mbx = Get-Mailbox -ResultSize Unlimited
$ADUserData = @()
$c = 0 # Just for a counter
Run the loop:
$mbx | Where WindowsLiveID -ne "" | Sort WindowsLiveID | %{
    $c++ # Increase the counter
    $upn = $_.WindowsLiveID # The UPN is the WindowsLiveID
    $f = "UserPrincipalName -eq '$upn'" # Build a filter string for Get-ADUser
    "$c - $f" # Display progress on the PS screen
    $ADUserData += Get-ADUser -Filter $f -Properties * # Append the Get-ADUser result to $ADUserData
}
CMD: Determine the current Schema Versions before applying a Exchange CU
Scenario: You are going to install the latest CU for Exchange, but you want to check the AD schema levels to see if they need to be upgraded before the CU install.
Command Line: Using the CMD line, run the following (the organization name "Enterprise Exchange" and the dc=root,dc=domain,dc=com and DC=child,DC=root,DC=domain,DC=com paths need to be edited to reflect your Exchange organization and your domain):
dsquery * "cn=Enterprise Exchange,cn=Microsoft Exchange,cn=services,cn=configuration,dc=root,dc=domain,dc=com" -scope base -attr msExchProductID
dsquery * "cn=Enterprise Exchange,cn=Microsoft Exchange,cn=services,cn=configuration,dc=root,dc=domain,dc=com" -scope base -attr objectVersion
dsquery * "CN=Microsoft Exchange System Objects,DC=child,DC=root,DC=domain,DC=com" -scope base -attr objectVersion
dsquery * "cn=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=root,dc=domain,dc=com" -scope base -attr rangeUpper
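The four dsquery calls above require typing the naming contexts and organization name by hand. The following is an added example (not from the original post) that reads the same four attributes with the ActiveDirectory module, discovering the naming contexts from the RootDSE and the organization container by its object class, and compares them with the values you supply. The function names are assumptions, and the expected numbers passed at the end are placeholders, not real Exchange version values; take those from the CU's release notes.

```powershell
# Added example: read the Exchange schema/org/domain version attributes and compare to expected values.
Import-Module ActiveDirectory

function Get-ExchangeSchemaLevels {
    param([string]$Server)   # optional: point at a DC in a specific domain to read that domain's level
    $srv = @{}; if ($Server) { $srv.Server = $Server }

    $rootDse  = Get-ADRootDSE @srv
    $configNC = $rootDse.configurationNamingContext
    $schemaNC = $rootDse.schemaNamingContext
    $domainNC = $rootDse.defaultNamingContext

    # The organization container is one level under CN=Microsoft Exchange,CN=Services (name varies per org)
    $org = Get-ADObject @srv -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msExchOrganizationContainer)' -Properties objectVersion, msExchProductId

    $schema = Get-ADObject @srv -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" -Properties rangeUpper
    $domain = Get-ADObject @srv -Identity "CN=Microsoft Exchange System Objects,$domainNC" -Properties objectVersion

    [pscustomobject]@{
        Organization        = $org.Name
        OrgProductId        = $org.msExchProductId
        OrgObjectVersion    = $org.objectVersion      # level set by /PrepareAD
        SchemaRangeUpper    = $schema.rangeUpper      # level set by /PrepareSchema
        DomainObjectVersion = $domain.objectVersion   # level set by /PrepareDomain for this domain
    }
}

function Test-ExchangeSchemaLevels {
    param([Parameter(Mandatory)] [hashtable]$Expected, [string]$Server)
    $actual = Get-ExchangeSchemaLevels -Server $Server
    foreach ($k in 'OrgObjectVersion', 'SchemaRangeUpper', 'DomainObjectVersion') {
        [pscustomobject]@{
            Check    = $k
            Actual   = $actual.$k
            Expected = $Expected[$k]
            Status   = if ([int]$actual.$k -ge [int]$Expected[$k]) { 'OK' } else { 'PREPARE NEEDED' }
        }
    }
}

# Placeholder expected values: replace with the numbers published for the CU you are installing.
Test-ExchangeSchemaLevels -Expected @{ OrgObjectVersion = 0; SchemaRangeUpper = 0; DomainObjectVersion = 0 } |
    Format-Table -AutoSize
```

DomainObjectVersion is per domain, so in a multi-domain forest run the check once per domain with -Server pointing at a DC in each.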
Error "Get-adgroupmember : The size limit for this request was exceeded"
Scenario: You are trying to pull all members of a group into a variable and you receive this error:
Get-adgroupmember : The size limit for this request was exceeded
Solution: The AD group has so many members that the command hits a PowerShell/AD threshold. Instead, pull the members like this:
$group = [adsi]"LDAP://CN=ProdUsers,OU=Groups,DC=XYZ,DC=com"
$members = $group.psbase.Invoke("Members") | ForEach-Object { $_.GetType().InvokeMember("name", 'GetProperty', $null, $_, $null) }
To display the results:
$members
$members.Count
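The ADSI call above returns only names. The following is an added example (not from the original post) that enumerates a large group the other way round, by querying for objects whose memberOf back-link contains the group DN, which the AD cmdlets page automatically, so there is no oversized single result. The group DN is the post's sample, and the function name, page size and -Recurse handling are assumptions.

```powershell
# Added example: paged enumeration of a large group via the memberOf back-link.
Import-Module ActiveDirectory

function Get-LargeGroupMember {
    param(
        [Parameter(Mandatory)] [string]$GroupDn,
        [switch]$Recurse,
        [int]$PageSize = 1000
    )
    # (memberOf=<dn>) returns direct members; the 1.2.840.113556.1.4.1941 matching rule
    # (LDAP_MATCHING_RULE_IN_CHAIN) makes the server expand nested group membership.
    $filter = if ($Recurse) { "(memberOf:1.2.840.113556.1.4.1941:=$GroupDn)" } else { "(memberOf=$GroupDn)" }

    # Get-ADObject pages through results (ResultPageSize), which is what avoids the size-limit error
    Get-ADObject -LDAPFilter $filter -ResultPageSize $PageSize -Properties sAMAccountName |
        Select-Object Name, sAMAccountName, ObjectClass, DistinguishedName
}

$members = @(Get-LargeGroupMember -GroupDn 'CN=ProdUsers,OU=Groups,DC=XYZ,DC=com')
$members.Count
```

Two caveats: memberOf does not record primary-group membership (a user's primaryGroupID, Domain Users by default), so that one group cannot be enumerated this way; and a group DN containing LDAP-special characters such as parentheses must be escaped before it is placed in the filter.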
Get-ADUser to find Exchange Mailboxes
Scenario: You want to use Get-ADUser to find all Exchange mailboxes in your environment.
Scriptlet: Running the following will provide you with the detail:
# First, store the mailbox-enabled users in $mbxUsers: a user has a mailbox when HomeMDB is populated
$mbxUsers = Get-ADUser -Filter 'HomeMDB -like "*"' -Properties MailNickName, HomeMDB, DisplayName | Select MailNickName, HomeMDB, DisplayName
# Now it's time to play with your data
# Grab a count of mailboxes, excluding the HealthMailboxes
($mbxUsers | Where MailNickName -notlike "HealthMailbox*").Count
# Grab a count of mailboxes per DB, excluding the HealthMailboxes
$mbxUsers | Where MailNickName -notlike "HealthMailbox*" | Group HomeMDB | Sort Name
# Filter mailboxes on a specific database
$mbxUsers | Where HomeMDB -like "CN=DB01*"
Get a list of all users that have a target address of a specific domain
Scenario: You wish to see how many remote mailboxes have the correct email domain configured for their remote routing address (TargetAddress). You want to use an AD PowerShell query for speed.
Scriptlet (TargetAddress is not in the default property set, so it has to be requested):
Get-ADUser -Filter {TargetAddress -like "*.mail.onmicrosoft.com"} -Properties TargetAddress | Select Name, TargetAddress
OR, if you just want a count:
(Get-ADUser -Filter {TargetAddress -like "*.mail.onmicrosoft.com"}).Count
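The count above tells you how many are right; what you usually need is the list of those that are wrong. The following is an added example (not from the original post) that starts from every remote mailbox (identified by msExchRemoteRecipientType being set) and reports the ones whose TargetAddress is missing or points at a domain other than the tenant's routing domain. The routing domain and the function name are assumptions; replace the domain with your tenant's *.mail.onmicrosoft.com value.

```powershell
# Added example: report remote mailboxes whose TargetAddress does not match the expected routing domain.
Import-Module ActiveDirectory

function Find-BadRemoteRoutingAddress {
    param(
        [Parameter(Mandatory)] [string]$RoutingDomain,   # e.g. 'contoso.mail.onmicrosoft.com' (placeholder)
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # targetAddress is stored as "SMTP:alias@domain"; -like is case-insensitive, so "smtp:" also matches
    $good = "SMTP:*@$RoutingDomain"

    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(msExchRemoteRecipientType=*)' `
        -Properties targetAddress, msExchRemoteRecipientType |
        Where-Object { -not ($_.targetAddress -like $good) } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                TargetAddress  = $_.targetAddress
                Problem        = if (-not $_.targetAddress) { 'missing' } else { 'wrong domain' }
                RemoteType     = $_.msExchRemoteRecipientType
            }
        }
}

$bad = @(Find-BadRemoteRoutingAddress -RoutingDomain 'contoso.mail.onmicrosoft.com')
"$($bad.Count) remote mailbox(es) need attention"
$bad | Format-Table -AutoSize
```

A "missing" entry means mail to that user will not route to the cloud mailbox at all; a "wrong domain" entry usually means the object was stamped with the tenant's initial onmicrosoft.com address or an old routing domain and should be corrected with Set-RemoteMailbox -RemoteRoutingAddress.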