pwsh..Set-ADUser

Modify PwdLastSet for testing. Update ExtensionAttribute 14 and Description. Overwrite and update the account description. With your DA account, set user account attributes. Same but with an extensionAttribute. Various other examples…

pwsh..Password Mgmt

Password Not Expire. Searching All. Only enabled users. Enable only, plus excluding HealthMailbox because it craps up the results. Expiry. Extend password expiration. Run the following command to reset the pwdlastset attribute to 0. Next, run the command to reset the pwdlastset attribute to -1. IMPORTANT: You need to run both commands; do not just …

pwsh..LAPS admPwd

Simple one-liner to retrieve the LAPS password. Replace Export-Csv with OGV or other as needed. Gathering LAPS info in human readable. Remove -filter and add the computerName if running against 1 system. Pulling from all servers.

pwsh..GPO Perms

Building a report. Don’t forget you need the GroupPolicy module installed. That will come from RSAT. Set a variable to capture all GPO info. Use this to get the access rights. Script from Easy365Manager – another most excellent site.

pwsh..AD-Groups

Checking AD group for users that are enabled. Checking AD group for users that are disabled. Copy users from one group to another. LazyAdmin.nl – Excellent site with, well, excellent information. And aren’t most admins lazy? That’s why scripting is so important to us.

pwsh..AD Account Searches

Attributes. Converting Manager attribute to show the manager’s email address. Contractors & Admins. Searching for contractors based on a list of users provided. Filtering on Surname, DisplayName having (Contr) in it, and making sure they are enabled. Disabled Accounts. Searching for accounts that have been disabled and left in an OU. LockedOut Accounts.

pwsh..AD Account Disable/Enable/Lock

Disable. Search for an account with name bobdob found only in a given OU and disable. Disable, but make sure it’s the correct account. From a CSV file. Inactive Users. NOTE: Active Directory synchronizes the LastLogOnDate attribute, results returned when specifying the –AccountInactive parameter with the Search-ADAccount cmdlet can be inaccurate by as much as …