Posted by Alex Verboon on 10th December 2009
As we move towards the end of the year I thought it’s a good time to do some housekeeping activities within the lab infrastructure in which we work on a daily basis. Throughout the year we often create test user and computer objects within Active Directory and of course sometimes we forget to delete them.
As I don’t want to reinvent the wheel, I searched the web and soon found a whole bunch of tools and scripts that would help me identify unused user accounts. I decided that I wanted to use a script. I first found the Last Logon Dates scripts from Richard L. Mueller, which are written in WSH. But then I found the Managing AD User Accounts with PowerShell article on WindowsITPro and decided to take the opportunity to use PowerShell to accomplish my task.
Unfortunately the administration console I use hasn’t been migrated to Windows 7 yet, so I installed PowerShell 2.0 onto that Windows Vista client and then installed the Quest AD cmdlets.
On PowerShell.com I found the following script that I modified a bit so that the output is written into an HTML file.
Get-QADUser -SizeLimit 0 | Where-Object {$_.lastLogonTimestamp -lt (Get-Date).AddDays(-30)} | Select-Object Name,Description,lastLogonTimestamp | ConvertTo-Html | Out-File c:\temp\adlastloggedon.htm
I wanted to do the same to find old computers, but it appears that the Get-QADComputer cmdlet has a bug, as it doesn’t return any LastLogonTimestamp values. I found various comments that this was identified as a bug which should have been fixed by now, but either the bug is still there or I might be doing something wrong. However, I found a “find old computer objects” script on the Microsoft TechNet Script Center Gallery; it just has a bit more lines of code.
Note that your Windows domain must be at Windows 2003 Domain Functional Level for updates to the lastLogonTimestamp to occur.
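As an added example (not part of the original post or of the scripts it links to), the function below classifies accounts from the raw lastLogonTimestamp value, handling accounts that never logged on and the attribute's replication lag. It assumes each input object carries Name, whenCreated and the raw 64-bit lastLogonTimestamp as stored in the directory; Get-StaleAccount, New-SampleAccount and the sample accounts are hypothetical names constructed for illustration.

```powershell
# Added example; the sample records are constructed, not real directory data.
function Get-StaleAccount {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Account,
        [int] $StaleDays = 30,
        [datetime] $Now = (Get-Date)
    )
    # With the default sync interval the replicated lastLogonTimestamp can lag
    # the real last logon by up to 14 days, so shorter thresholds misreport.
    if ($StaleDays -lt 15) { throw 'StaleDays must be at least 15.' }
    $cutoff = $Now.ToUniversalTime().AddDays(-$StaleDays)

    foreach ($a in $Account) {
        $raw  = [int64] $a.lastLogonTimestamp      # unset attribute ($null) becomes 0
        $last = $null
        if ($raw -gt 0) {
            # The raw value is a FILETIME: 100 ns intervals since 1601-01-01 UTC.
            $last  = [datetime]::FromFileTimeUtc($raw)
            $state = if ($last -lt $cutoff) { 'Stale' } else { 'Active' }
        }
        elseif ($a.whenCreated.ToUniversalTime() -lt $cutoff) {
            $state = 'NeverLoggedOn'               # old account that was never used
        }
        else {
            $state = 'NewUnused'                   # created recently, too early to judge
        }
        New-Object PSObject -Property @{ Name = $a.Name; LastLogonUtc = $last; State = $state } |
            Select-Object Name, LastLogonUtc, State
    }
}

# Constructed sample input with a fixed reference date so the result is repeatable.
function New-SampleAccount($Name, $LastLogon, $Created) {
    New-Object PSObject -Property @{ Name = $Name; lastLogonTimestamp = $LastLogon; whenCreated = $Created }
}
$ref = (Get-Date '2009-12-10T12:00:00').ToUniversalTime()
$sample = @(
    New-SampleAccount 'lab-user01' ($ref.AddDays(-90).ToFileTimeUtc()) ($ref.AddDays(-300))
    New-SampleAccount 'lab-user02' ($ref.AddDays(-5).ToFileTimeUtc())  ($ref.AddDays(-300))
    New-SampleAccount 'lab-user03' $null ($ref.AddDays(-200))
    New-SampleAccount 'lab-user04' $null ($ref.AddDays(-3))
)
Get-StaleAccount -Account $sample -StaleDays 30 -Now $ref |
    Where-Object { $_.State -ne 'Active' } | Format-Table -AutoSize
```

Review the NeverLoggedOn and NewUnused rows separately from the Stale ones before deleting anything, since an unset timestamp says nothing about how old the account is.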
If you are looking for a command-line tool to find Old Computers in your domain, I recommend the OldCmp tool from Joe.
Related content:
“The LastLogonTimeStamp Attribute – What it was designed for and how it works”
Posted by Alex Verboon on 1st May 2009
In the video below Brian Desmond and Laura talk about the new things that come with Windows Server 2008 R2 AD.
Posted by Alex Verboon on 20th April 2009
In preparation for doing some Group Policy related things, I decided to extend my home lab AD infrastructure running on Windows Server 2003 with Windows Server 2008 and Windows Server 2008 R2 domain controllers.
Because at some stage I want to get rid of the Windows 2003 Server I also moved the FSMO roles from the Windows 2003 domain controller to the Windows 2008 domain controller.
I used the steps described in the “Transferring FSMO roles” article. Additional information can also be found in the “How to view and transfer FSMO roles in Windows Server 2003” article.
While searching for documentation on how to move FSMO roles, I found the FSMO Roles utility from dovestones software, which simply shows you who owns the FSMO roles within your current AD infrastructure.
Those who prefer scripts can use the code described in “How to Find the FSMO Role Owners Using ADSI and WSH”.
Posted by Alex Verboon on 25th March 2009
Those interested in managing Active Directory with PowerShell, have a look at the Active Directory Power Shell Blog.

Posted by Alex Verboon on 19th January 2009
For those interested in Group Policy Preferences, I recommend reading the “Expanded Control with Group Policy Preferences” article published in the January 2009 issue of TechNet Magazine.
And as always the full January 2009 help file version can be downloaded here.
Posted by Alex Verboon on 11th December 2008
Interested in knowing how many objects you can create within AD? How deep your OU structure can be? Then read “Active Directory Maximum Limits”.
Posted by Alex Verboon on 2nd December 2008
I just connected to our freshly installed Windows 2008 server that we intend to use as a remote system management console. The server is a member of our Windows 2003 Active Directory domain, not a DC itself.
I wanted to launch the Active Directory Users and Computers console, but did not find it under Administrative Tools. Okay, I thought, this must be something similar to Windows Vista, where you install the RSAT tools, and yes it is: you must first enable that feature.
First, on the Windows 2008 system, open Server Manager. Then select Features, Add Features as shown in the picture below.

Then select Remote Server Administration Tools, Role Administration Tools, and then enable Active Directory Domain Services Tools. (Note: the screenshot below was taken after installation, which is why it is shown as installed.)
Confirm the following message boxes and after a while (including a system reboot) the tools are installed and ready to use. Enjoy AD administration!
Also note that if you want to access the Group Policy Management Console, you must follow the same path, just look out for the GPMC console in the available features list.
Posted by Alex Verboon on 17th November 2008
The Windows 2003 Resource Kit contains a nice extension for the Active Directory Users and Computers console showing additional User Account information.
The additional user account information can be enabled by registering the acctinfo.dll as described below.

Follow the steps below to enable the additional user account information.
- Download the Windows 2003 Resource Kit Tools.
- Unpack / install the Windows 2003 Resource Kit.
- Copy the acctinfo.dll to c:\windows\system32
- Register the DLL by running the following command:
regsvr32 C:\windows\system32\acctinfo.dll
- Launch the Active Directory Users and Computers management console, then select a user object and select the Additional Account Info tab.