Archive for the 'Active Directory' Category

PKI Management Console 1.5

Vadim's enterprise certificate management PowerPack has reached version 1.5 and been significantly enhanced. The new features include:

  • Native use of Quest AD Cmdlets (version 1.4.2), which gives better performance and code that is easier to understand.
  • Additional error handling.
  • Certification Authorities information includes CA CRL status.
  • New Active Directory PKI node that contains the most common AD PKI-related containers. You can review container contents and publish/unpublish certificates/CRLs by using new actions.
  • Now the PowerPack correctly retrieves all available Enterprise OCSP Responders even if they are not running the CA service.
  • The Certificates node now has two subcontainers: Certificates and CRLs. This allows you to browse both certificates and CRLs in the local certificate store. New basic actions have been added for CRLs.
  • Graphical dialog boxes for certificate export and import actions.

And of course it still has the great functionality from previous versions:

Here’s a very quick summary of some of the features his tool has:

  • Certificate Authorities management:
    • CRL Distribution Points (CDP)
    • Authority Information Access (AIA) settings
    • Review CRLs
    • Publish new CRLs
    • Change CRL publishing periods including overlap settings
    • Revoked Certificates
    • Issued Certificates
    • Pending requests
    • Failed requests
    • Issued certificate templates
    • Revoke/unrevoke certificates
    • Issue or deny pending requests for certificates
    • Add/remove certificate templates to issue
    • Change CRL/CRT/OCSP URL priorities
  • Local certificate store management:
    • Import/Export certificates using various certificate types (such as CER/pkcs12/pkcs7/SST)
    • Copy/move certificates between stores
    • Delete certificate from store
    • Validate certificates by passing them through the certificate chaining engine
    • Sign files
  • Online Certificate Status Protocol (OCSP) Responders management:
    • Review and change OCSP Responder settings
    • Change OCSP URL priorities

All of these support bulk operations, filtering, and reporting. All are available with their source PowerShell code for your reference and scripting.

Learn more about the Enterprise PKI PowerPack and download it here.


New PowerShell, AD, PowerGUI Training

LeadThem Consulting together with Quest Software developed and started offering professional classes covering:

This is a great hands-on training which you can order to help IT professionals in your company get up to speed with PowerShell and these popular PowerShell tools so they can get the most out of the technology available to them.

The training is available in North America, Europe and Asia, in English, Japanese, French and Spanish.

Go to the LeadThem Consulting PowerShell training page to learn the details on the topics covered, and sign up for the training. PowerShell skills you get from a training like that make a great return on investment!

Resolving external accounts in domain groups

You do not have to do anything to do that. If your group contains an account from a trusted domain, good old

Get-QADGroupMember MyGroup

will resolve foreign security principals and show them as regular users.

However, in some cases – for example for performance reasons – you might not want AD cmdlets to perform these look-ups in trusted domains. For that, you just need to use the KeepForeignSecurityPrincipals parameter that we added in AD cmdlets 1.4:

Get-QADGroupMember MyGroup -KeepForeignSecurityPrincipals

Resolving Foreign Security Principals

Starting with version 1.4 AD cmdlets can retrieve and provide detailed information on all properties for foreign security principals.

When you add a user from a trusted domain to a group in your domain, AD creates a local auxiliary object – a foreign security principal – to represent this external account. You can essentially think about this object as a pointer to the actual account in a trusted domain. You can read more about them in the Security Principals section of this TechNet article.

Now QAD cmdlets can resolve these “pointers” and show you real accounts to which they point.

For example, this command will retrieve all foreign security principals which you have in your domain (i.e. all foreign accounts ever granted any rights) and try to resolve them to external accounts from original domains:

Get-QADObject -ResolveForeignSecurityPrincipals -Type foreignSecurityPrincipal
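A foreign security principal lives under CN=ForeignSecurityPrincipals and is named after the SID of the external account, so resolving the "pointer" means translating that SID. The following is an added example, not code from the original post or from the QAD cmdlets: the function name Resolve-FspDn and the sample distinguished names are constructed, and it assumes Windows, where the .NET SecurityIdentifier.Translate call is available.

```powershell
# Added illustration: Resolve-FspDn is a hypothetical helper, not a QAD cmdlet.
function Resolve-FspDn {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string] $DistinguishedName
    )
    process {
        $out = [pscustomobject]@{
            DN = $DistinguishedName; Sid = $null; Account = $null; Status = 'NotAnFsp'
        }
        # The object's CN is the SID of the account in the trusted domain.
        if ($DistinguishedName -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            $out.Sid = $Matches[1]
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier $out.Sid
                $out.Account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $out.Status  = 'Resolved'
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                # No account answers for this SID (for example the account was
                # deleted or the trust is gone): a candidate for review.
                $out.Status = 'Unresolved'
            }
            catch {
                $out.Status = 'Error: ' + $_.Exception.Message
            }
        }
        $out
    }
}

# Constructed sample input: a well-known SID, a made-up domain SID, a normal user DN.
$sampleDns = @(
    'CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=corp,DC=example'
    'CN=S-1-5-21-1111111111-2222222222-3333333333-1105,CN=ForeignSecurityPrincipals,DC=corp,DC=example'
    'CN=jsmith,CN=Users,DC=corp,DC=example'
)
$sampleDns | Resolve-FspDn | Format-Table Sid, Account, Status -AutoSize
```

Entries that stay Unresolved are worth reviewing, since they still hold whatever group memberships and rights were granted to the original account.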

Remove disabled accounts from groups

Get-QADGroupMember now has Disabled and Enabled parameters which are very handy when it comes to tasks such as cleaning up a group from disabled accounts:

Get-QADGroupMember MyGroup -Disabled |
    Remove-QADGroupMember MyGroup

It also helps when you need to do something with group members and want to make sure that they are all valid, enabled accounts:

Get-QADGroupMember MyGroup -Enabled

Happy scripting! 🙂

Manage Email addresses without Exchange cmdlets

AD cmdlets 1.4 added new cmdlets and parameters which let you manage email addresses in your environment even if you do not have Exchange Management Shell. This is very handy if you are on Exchange 2003, do not have Exchange cmdlets installed, or just don’t want to switch between snapins.

Here’s the quick overview of what we have added:

Retrieving accounts by any proxy addresses:

Now Get-QADObject, Get-QADGroup, and Get-QADUser all have PrimaryProxyAddress, ProxyAddress and SecondaryProxyAddress parameters which can let you be more specific in your queries and thus retrieve objects much faster (compared to just supplying the address as identity parameter and relying on default resolution).

For example, you could do:

Get-QADUser -ProxyAddress 'x400:C=US;A= ;P=Quest Software;O=Aliso Viejo;S=Sotnikov;G=Dmitry;I=A;'


Get-QADUser -SecondaryProxyAddress '*'

Adding email addresses:

Just use Add-QADProxyAddress and specify various parameters for specifics (pair with Clear-QADProxyAddress to replace previous addresses):

Get-QADUser company\jsmith |
  Add-QADProxyAddress -Address '' |
  Add-QADProxyAddress -Type SMTP -Address '' -Primary |
  Add-QADProxyAddress -CustomType 'sip' -Address ''

Removing all addresses:

Did I mention Clear-QADProxyAddress?

Get-QADUser company\jsmith |
  Clear-QADProxyAddress |
  Add-QADProxyAddress -Address '' |
  Add-QADProxyAddress -Type SMTP -Address '' -Primary |
  Add-QADProxyAddress -CustomType 'sip' -Address ''

Removing individual addresses:

Use Remove-QADProxyAddress and its parameters to operate on a specific address or a set of addresses:

Get-QADUser |
  Remove-QADProxyAddress -Pattern '*'

Modifying addresses:

Set-QADProxyAddress lets you pick and replace specific addresses:

Get-QADUser |
  Set-QADProxyAddress -From '*' -MakePrimary


Get-QADUser |
  Set-QADProxyAddress -From '*' -To '*'

Enabling or disabling email address policy:

Enable-QADEmailAddressPolicy and Disable-QADEmailAddressPolicy are your respective friends and can be applied to individual objects. For example:

Get-QADUser DomainName\UserName | Disable-QADEmailAddressPolicy
Get-QADUser -City London | Enable-QADEmailAddressPolicy

Happy scripting!

Locating obsolete users and computers

Just got easier (and faster!) in AD cmdlets 1.4! Before this release you could still manually filter user or computer records by pwdLastSet or LastLogonTimestamp – now you can retrieve users and computers by a bunch of these attributes with an easy command like:

Get-QADUser -Inactive


Get-QADComputer -Inactive

This -Inactive parameter retrieves all accounts that have expired, have not been used for logon, or have not had their password changed for longer than the thresholds set by the Set-QADInactiveAccountsPolicy cmdlet. Like this:

Set-QADInactiveAccountsPolicy -AccountExpiredPeriod 0 -AccountNotLoggedOnPeriod 30 -PasswordNotChangedPeriod 120

You can get the current settings in your environment by executing Get-QADInactiveAccountsPolicy.

In addition to -Inactive, there are other related parameters, such as -InactiveFor – which lets you specify the number of days the account has been in the inactive state:

Get-QADComputer -InactiveFor 30

Or you can go more granular and just use:

NotLoggedOnFor – to specify the number of days since the account was last used to log on. Note that the LastLogonTimestamp attribute is used, which means that it is replicated between DCs and the retrieval is fast and works with any domain controller, but it requires 2003 or later AD schema and is only replicated every 9-14 days (so please don't specify values less than 14):

Get-QADUser -NotLoggedOnFor 60

Get-QADComputer -NotLoggedOnFor 60

PasswordNotChangedFor – days since the account last changed its password (computer accounts also have passwords, which they roll over automatically):

Get-QADUser -PasswordNotChangedFor 180

Get-QADComputer -PasswordNotChangedFor 90

ExpiredFor – just for Get-QADUser – the number of days since the account expired:

Get-QADUser -ExpiredFor 30

You can also use a combination of Inactive/InactiveFor and ExpiredFor/NotLoggedOnFor/PasswordNotChangedFor – in which case the more specific parameters override the default inactivity criteria you set.
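To make the criteria concrete, the following added example (not the QAD cmdlets' own code) applies the same three thresholds to raw directory timestamps. Test-InactiveAccount, the record shape and the sample accounts are constructed for illustration, and treating an account with no recorded logon as not logged on is an assumption.

```powershell
# Added illustration, not the QAD cmdlets' implementation. Test-InactiveAccount
# and the record shape are hypothetical; the sample records are constructed.
function Test-InactiveAccount {
    param(
        [Parameter(Mandatory = $true)] $Account,
        [int] $AccountExpiredPeriod     = 0,
        [int] $AccountNotLoggedOnPeriod = 30,
        [int] $PasswordNotChangedPeriod = 120,
        [datetime] $Now = [datetime]::UtcNow
    )
    # lastLogonTimestamp can lag the real logon by up to 14 days, so a shorter
    # threshold would flag accounts that are still in use.
    if ($AccountNotLoggedOnPeriod -lt 14) {
        throw 'AccountNotLoggedOnPeriod must be at least 14 days.'
    }
    # Days elapsed since a FILETIME value (100 ns ticks since 1601-01-01 UTC).
    $age = { param([long] $ft) ($Now - [datetime]::FromFileTimeUtc($ft)).TotalDays }
    $reasons = @()
    # accountExpires: 0 or 0x7FFFFFFFFFFFFFFF means "never expires".
    if ($Account.accountExpires -gt 0 -and $Account.accountExpires -lt [long]::MaxValue) {
        $days = & $age $Account.accountExpires
        if ($days -ge 0 -and $days -ge $AccountExpiredPeriod) { $reasons += 'Expired' }
    }
    # Assumption: an account with no recorded logon counts as not logged on.
    if ($Account.lastLogonTimestamp -le 0 -or
        (& $age $Account.lastLogonTimestamp) -ge $AccountNotLoggedOnPeriod) {
        $reasons += 'NotLoggedOn'
    }
    # pwdLastSet = 0 means "must change at next logon"; it is not counted here.
    if ($Account.pwdLastSet -gt 0 -and
        (& $age $Account.pwdLastSet) -ge $PasswordNotChangedPeriod) {
        $reasons += 'PasswordNotChanged'
    }
    [pscustomobject]@{ Name = $Account.Name; Inactive = ($reasons.Count -gt 0); Reasons = $reasons -join ',' }
}

$now = [datetime]::UtcNow
$ft  = { param($daysAgo) $now.AddDays(-$daysAgo).ToFileTimeUtc() }
$sample = @(   # constructed records: expiry, last logon, last password change
    [pscustomobject]@{ Name = 'svc-backup';  accountExpires = [long]::MaxValue; lastLogonTimestamp = (& $ft 3);  pwdLastSet = (& $ft 400) }
    [pscustomobject]@{ Name = 'jsmith';      accountExpires = 0;                lastLogonTimestamp = (& $ft 10); pwdLastSet = (& $ft 45) }
    [pscustomobject]@{ Name = 'contractor1'; accountExpires = (& $ft 5);        lastLogonTimestamp = (& $ft 60); pwdLastSet = (& $ft 90) }
)
$sample | ForEach-Object { Test-InactiveAccount -Account $_ -Now $now }
```

Any single criterion is enough to mark an account, which is why a service account that logs on daily but never rotates its password still shows up in the report.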

Read more about these cmdlets and their parameters in our online reference:

What’s New in AD cmdlets 1.4

Don’t get confused by the version number – this is a major update to the free QAD cmdlets adding significant new functionality and making Active Directory management from PowerShell easier than ever before.

Here is a quick list of what is new in this release.

You can read more about each cmdlet and parameter by following the corresponding links – or waiting till I blog about all the new functionality throughout the coming weeks.

32 new cmdlets!

Certificate and Public Key Infrastructure (PKI) management

Email address management

Auxiliary cmdlets for Progress Bar and Inactive Account Reporting

20 New Parameters

Parameters Added for Cmdlets

  • ResolveForeignSecurityPrincipals: Get-QADObject
  • Control: Add-QADGroupMember

SearchRoot parameter now accepting arrays

This lets you retrieve objects from multiple containers with one call. The change affects the following cmdlets:

  • Get-QADComputer
  • Get-QADGroup
  • Get-QADObject
  • Get-QADPasswordSettingsObject
  • Get-QADUser
  • Get-QARSAccessTemplate
  • Get-QARSAccessTemplateLink
  • Get-QARSWorkflowDefinition

Summary

To get the full list of all QAD cmdlets, please see the AD cmdlets online reference.

Download AD cmdlets 1.4 here and let us know what you think.

Security Webcast is Today

[UPDATE] Recording of this webcast is available here.

Today at 11:00 AM EDT Randy F. Smith from Ultimate Windows Security is holding a webinar on using PowerShell to ensure Active Directory and Windows Server security. The webcast is sponsored by Quest and free to attend.

Pre-registration is required and the space is limited so you might want to register right away here.

Learn more about the PowerShell AD/Windows security webinar here.

Check who can send email to a group

Today I wanted to get a list of people who had rights to send messages to a few distribution lists in our company. This information is not readily available in Outlook, but turned out to be very easy to retrieve using PowerShell – this is literally just a few attributes to retrieve from your Active Directory.

Here’s a sample output of my script:

PS:\> Get-DLRestriction "Worldwide Everyone"
Checking restrictions for Worldwide Everyone
The following users can send messages to this list:
Anne Smith
John Able
Members of this group can send messages to this list: Domain\Communicators) :
Susan Gallings
Terry Adams
Only authenticated users can send messages to this list.
External senders get blocked.

I’ve uploaded the script to poshcode, but for your convenience also posting it here:

function Get-DLRestriction {
  param([System.String] $DLName)
  "Checking restrictions for $DLName"
  # retrieve the group together with the attributes that hold sender restrictions
  $DL = Get-QADGroup $DLName `
      -IncludedProperties AuthOrig, UnauthOrig, dLMemRejectPerms,`
                      dLMemSubmitPerms, msExchRequireAuthToSendTo
  # we'll set this to true if we see a restriction
  $restricted = $false
  # if the group with such a name is found
  if ( $DL -ne $null ) {
    # explicit allow list of senders
    if ( $DL.AuthOrig -ne $null ) {
      $restricted = $true
      "`nThe following users can send messages to this list:"
      $DL.AuthOrig | Get-QADUser
    }
    # explicit deny list of senders
    if ( $DL.UnauthOrig -ne $null ) {
      $restricted = $true
      "`nAnyone BUT the following users can send messages to this list:"
      $DL.UnauthOrig | Get-QADUser
    }
    # group whose members are allowed to send
    if ( $DL.dLMemSubmitPerms -ne $null ) {
      $restricted = $true
      "`nMembers of this group can send messages to this list: $($DL.dLMemSubmitPerms | Get-QADGroup)) :"
      Get-QADGroupMember $DL.dLMemSubmitPerms
    }
    # group whose members are rejected
    if ( $DL.dLMemRejectPerms -ne $null ) {
      $restricted = $true
      "`nAnyone BUT members of this group can send messages to this list: $($DL.dLMemRejectPerms | Get-QADGroup)) :"
      Get-QADGroupMember $DL.dLMemRejectPerms
    }
    # senders must be authenticated, which blocks external mail
    if ( $DL.msExchRequireAuthToSendTo ) {
      $restricted = $true
      "`nOnly authenticated users can send messages to this list.`nExternal senders get blocked."
    }
    if ( -not $restricted ) {
      "`nThis list is not restricted. Anyone can email it."
    }
  } else {
    "`nDL $DLName not found."
  }
}

    The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

    © 2007-2014 Dmitry Sotnikov
