• Microsoft Active Directory Documentation Script Update Version 2.16

    December 4, 2017

    Active Directory, PowerShell

    I finally got around to implementing the most requested feature: making the script work for a child domain in a multi-domain Active Directory Forest. My PowerShell and AD mentor, Michael B. Smith, helped tremendously in making sure the stuff added to the script met his high standards. As usual, he also made a couple of other suggestions I implemented.

    #Version 2.16 released 4-Dec-2017

    • Add checking for users with home drive set in Active Directory Users and Computers (ADUC)
      • Added function OutputHDUserInfo
    • Add checking for users with RDS home drive set in ADUC
      • Added function from Jeff Hicks Get-RDUserSetting
      • Added function OutputRDSHDUserInfo
    • Add checking for users whose Primary Group is not Domain Users
      • Added function OutputPGUserInfo
    • Add “DC: ” in front of the domain controller name, in text output, for domain controller information
    • Add new parameter ADDomain to restrict report to a single domain in a multi-domain Forest
    • Add schema extension checking for the following items and add to Forest section:
      • ‘User-Account-Control’, #Flags that control the behavior of a user account
      • ‘msNPAllowDialin’, #RAS Server
      • ‘ms-Mcs-AdmPwd’, #LAPS
      • ‘ms-Mcs-AdmPwdExpirationTime’, #LAPS
      • ‘ms-SMS-Assignment-Site-Code’, #SCCM
      • ‘ms-SMS-Capabilities’, #SCCM
      • ‘msRTCSIP-UserRoutingGroupId’, #Lync/SfB
      • ‘msRTCSIP-MirrorBackEndServer’ #Lync/SfB
      • ‘ms-exch-schema-version-pt’ #Exchange
    • Add “Site: ” in front of Site name when listing Subnets, Servers, and Connection Objects
    • Remove several large blocks of code that had been commented out
    • Revise how $LinkedGPOs and $InheritedGPOs variables are set to work around invalid property name DisplayName when collection is empty
    • Sort Enabled Scopes in AD Optional Features
    • Text output changes to tabular data:
      • Domain Controllers (in Forest section)
      • AD Schema Items (in Forest section)
      • Services
      • Organizational Units
      • Domain Admins
      • Enterprise Admins
      • Schema Admins
      • Users with AdminCount=1
    • Updated Exchange schema versions
    • Updated help text
    • When reporting on the domain controllers in the Forest, if unable to get data from a domain controller, instead of reporting “Unknown”, use “Unable to retrieve status”
    • When run for a single domain in a multi-domain forest
      • Revise gathering list of domains
      • Revise testing for $ComputerName
      • Revise variable $ADContext in Function ProcessAllDCsInTheForest

    Many thanks to Choice Solutions for their support in getting this script updated and released.

    You can always find the most current script by going to https://carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

    Thanks

    Webster

    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


    1. Jeff Zenno Says:

      OK, on reading it more I get I was off on the membership; it is more the group is indicated as an AdminSdHolder is set on it. Thanks.

    2. Jeff Zenno Says:

      Carl, question on the “Users with AdminCount=1” and how the script is determining this. I have tried diving through the groups the users are in and found many in an admin group, but I have hundreds more that I cannot find a correlating group for. Even in the Admin group section I have one group singled out that I cannot find why it would be considered administrator level. I’m down to looking for a possible OU it might have been delegated to (or in some fashion elevated directly in ADUC). Any info appreciated. Thanks.

      • Carl Webster Says:

        Line 12920 in version 2.17:

        #http://www.shariqsheikh.com/blog/index.php/200908/use-powershell-to-look-up-admincount-from-adminsdholder-and-sdprop/
        Write-Verbose "$(Get-Date): `t`tListing users with AdminCount=1"
        $AdminCounts = Get-ADUser -LDAPFilter "(admincount=1)" -Server $Domain -EA 0

        • Jeff Zenno Says:

          Thanks Carl, that will come in handy. I get it now, that the report output is telling me that within that group is a privileged admin account. As always appreciate the help and scripts. Thanks.

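    The AdminCount=1 query discussed in the comments lists every account that carries the flag, and the flag is not cleared when an account later leaves a protected group. The following is an added example, not part of the post, the comments or the documentation script: it runs the same LDAP filter and then checks each flagged user for current direct, nested or primary-group membership in the default protected groups of the queried domain. The function name and the RID list of protected groups are assumptions of this example.

    ```powershell
    #Requires -Modules ActiveDirectory
    # Added example; Get-AdminCountUserReport is a hypothetical helper, not part of the script.
    function Get-AdminCountUserReport {
        [CmdletBinding()]
        param([Parameter(Mandatory)][string]$Domain)   # domain (or DC) to query, like $Domain in the quoted line

        # Escape a DN for use as an LDAP filter value (RFC 4515)
        $escape = { param($v) $v -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' }

        # Default protected groups by well-known RID (assumed list; 518/519 exist only in the forest root)
        $domainSid = (Get-ADDomain -Server $Domain).DomainSID.Value
        $sids = @(512, 516, 518, 519, 521 | ForEach-Object { "$domainSid-$_" }) +
                @(544, 548, 549, 550, 551, 552 | ForEach-Object { "S-1-5-32-$_" })

        # Map user DN -> protected groups reached directly or through nesting
        $reach = @{}
        foreach ($sid in $sids) {
            $group = Get-ADGroup -Filter "SID -eq '$sid'" -Server $Domain
            if (-not $group) { continue }
            $dn = & $escape $group.DistinguishedName
            # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (transitive memberOf)
            $members = @(Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" -Server $Domain)
            if ($sid.StartsWith($domainSid)) {
                # memberOf never lists the primary group, so match primaryGroupID separately
                $members += @(Get-ADUser -LDAPFilter "(primaryGroupID=$($sid.Split('-')[-1]))" -Server $Domain)
            }
            foreach ($m in $members) { $reach[$m.DistinguishedName] += @($group.Name) }
        }

        # Same LDAP filter as the quoted line from the script
        Get-ADUser -LDAPFilter '(admincount=1)' -Server $Domain -Properties whenChanged | ForEach-Object {
            $groups = if ($reach.ContainsKey($_.DistinguishedName)) {
                $reach[$_.DistinguishedName] | Sort-Object -Unique
            }
            $status = if ($groups) { 'Protected via group' }
                      elseif ($_.SID.Value -match '-502$') { 'Protected directly (krbtgt)' }
                      else { 'No current protected membership' }
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                Status          = $status
                ProtectedGroups = $groups -join '; '
                WhenChanged     = $_.whenChanged
            }
        }
    }
    ```

    Run it against one domain at a time. Memberships in groups that live in another domain of the forest (for example Enterprise Admins seen from a child domain) are not resolved, so confirm those accounts before treating the flag as stale.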
