Table of Contents

Cheatsheet Active Directory

Summary: Active Directory hints, tips, oneliners and best practices.
Date: 8 December 2024

, ,

Active Directory Users

Count all users in all departments 
Get-ADUser -SearchBase "OU=Users,DC=GetShifting,DC=local" -filter * -Properties name,department,enabled  | where {$_.enabled -eq "true"} | group department | select name, count


All enabled users that have never logged in 
Get-ADUser -Filter {(lastlogondate -notlike "*" -AND enabled -eq "True")} -SearchBase "OU=Users,DC=GetShifting,DC=local"


All enabled users that have not logged on for more than 90 days 
$90Days = (get-date).adddays(-90)
Get-ADUser -Filter {(lastlogondate -le $90days -AND enabled -eq "True")} -SearchBase "OU=Users,DC=GetShifting,DC=local"


Get the most common reasons on a user for not being able to logon 
Get-ADUser User123 -Properties * | Select-Object enabled,passwordexpired,lockedout

Active Directory Groups

Get all groups in a specific OU 
Get-ADGroup -SearchBase "OU=Groups,DC=GetShifting,DC=local" -Filter * | Select-Object name


Get all groupmembers from a specific group 
Get-ADGroupMember "RDP Desktop Users" -recursive | Select-Object Name


Active Directory Servers

All servers 
Get-ADComputer -Filter {(operatingSystem -like "*windows*Server*")}

Note: Does not select Windows 2000 Servers.

Select servers on properties 
Get-ADComputer -filter {(description -like "*financial*" -AND name -like "SQL*")} -Properties * | select name, description

Active Directory DNS

Get all AD DNS zones with all properties 
Get-ChildItem "AD:CN=MicrosoftDNS,DC=DomainDNSZones,DC=getshifting,DC=local" | Select-Object *


Get all records in a DNS zone with all properties 
Get-ChildItem "AD:DC=getshifting.local,CN=MicrosoftDNS,DC=DomainDNSZones,DC=getshifting,DC=local" | Select-Object *


Get creation and modify date of AD DNS records 
Get-ChildItem "AD:DC=getshifting.local,CN=MicrosoftDNS,DC=DomainDNSZones,DC=getshifting,DC=local" | Where-Object {$_.name -like "build*"} | Get-ADObject -Properties Created,Modified | Select-Object Name,Created,Modified

Active Directory Policies

Get the max password age from the policy 
(Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).MaxPasswordAge.Days

Service Principal Names

Create a service principle name: 

setspn -A BOBJCentralMS/crystalsrv.company.local BOservice

Check: 

C:\Windows\system32>setspn -Q BOBJCentralMS/crystalsrv.company.local
CN=BusinessObjects Service,OU=ServiceAccounts,DC=company,DC=local
        BOBJCentralMS/crystalsrv.company.local
        BOBJCentralMS/crystal01srv.company.local

Existing SPN found!