PowerShell – Create Bulk Active Directory Accounts and Add Them to A Group

Recently I was tasked with helping a company build out a solution for remote training classes. We chose Microsoft’s Remote Desktop Services as the platform. I needed to develop a method to create bulk accounts for the students and place those accounts into the AD security group that granted access to the remote app.

Most admins have probably come across the New-AdUser cmdlet at some point. Combining it with a For-Each loop and a sequential digit was easy enough. The most difficult piece to figure out was adding each newly minted user to the security group that allowed access to the remote application.

The secret sauce is the passthru switch. Using it prevented me from having to code some elaborate process to find each account and add them separately. Make sure you update the variables to match your environment and the script will need to be run on a domain controller or system with the AD management tools installed.

If you want the script to be run by an end user to set up a new class, change the script's variables to use Read-Host, which prompts for the values; for example: $Password = Read-Host "Enter Password".

#Must be run from a DC or a domain-joined system with the AD admin tools installed
#Creates sequential bulk users with the same password
#Adds those users to the group specified in $ADGroup (use the group's DN)
#Change $OUPath to the OU you want the accounts to be created in
#Edit the ChangePasswordAtLogon switch as appropriate: $true forces users to update the password at first logon, $false does not
Import-Module ActiveDirectory

#Variables
$OUPath = "OU=Training,OU=Users,DC=Domain,DC=local"
$BaseUsername = "Training"
$Password = "NewStudent!"
$Number = 20
$ADGroup = "CN=RDS Training Class,OU=Training,DC=Domain,DC=local"
$Increment = 1..$Number
foreach ($i in $Increment){
	#Build the account name once so -Name and -SamAccountName agree
	$Username = "$BaseUsername$i"
	#-PassThru returns the new user object so it can be handed straight to Add-ADGroupMember
	#The backtick continues the command onto the next line
	$NewUser = New-ADUser -Name $Username -SamAccountName $Username -Path $OUPath -Enabled $True -ChangePasswordAtLogon $true `
		-AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -PassThru
	Add-ADGroupMember -Identity $ADGroup -Members $NewUser
}

PowerShell – Search All Domain Controller Event Logs for Keywords

Do you need to know the last time a user logged on, or who created an AD account? As long as you have audit logging enabled, the data you are after is in the event logs of your domain controllers. The problem is, if you have more than one domain controller (you should) the record that you need can be on any of them.

At my day job, we have quite a few DCs and I needed to know which admin created a particular AD account. There was no way I was going to logon to dozens of servers and search them one at a time. PowerShell to the rescue!

Import-Module ActiveDirectory

$keyword = Read-Host "Enter Keyword"
$eventid = Read-Host "Enter EventID"
$logname = Read-Host "Enter the name of the log you want to search (application, security, etc.)"

#Enumerate every DC in every domain of the forest
$domains = (Get-ADForest).Domains
$dcs = ForEach ($domain in $domains) {
     Get-ADDomainController -Filter * -Server $domain | Select-Object -ExpandProperty Name
}
#A DC can be listed more than once, so drop the duplicate names
$dcs = $dcs | Sort-Object | Get-Unique

#Query each DC for events with the requested ID whose message contains the keyword
$events = ForEach ($dc in $dcs) {
     Get-EventLog -ComputerName $dc -LogName $logname -InstanceId $eventid -Message "*$keyword*" | Select-Object -Property *
}
$events | Out-File "$env:USERPROFILE\Documents\dc_log_search.txt"

This short 'n sweet bit of code will scan your forest and find all the domain controllers. Occasionally DCs run more than one role and show up multiple times in the output of this cmdlet, so we drop the duplicate names.

Then it will prompt you for a keyword to search for. In the case of account data you'd enter the sAMAccountName. You could also enter the name of a workstation or server, for example. Next it will ask you for an Event ID number. Finally it will ask for the name of the log to search: application, security, system, etc.

The script will loop through each DC and find the events you've specified. Each matching record will be written to a text file named dc_log_search.txt in your Documents folder. It wouldn't take much effort to turn this data into an HTML report, email notification, or even an archival tool.
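As an added example that is not part of the original post, here is the "who created this account?" case carried through end to end: it queries Security event 4720 ("A user account was created") on every DC in the forest with Get-WinEvent, which filters server-side and is faster than Get-EventLog, and pulls the creator and target names out of the event XML rather than pattern-matching the message text. The lookback window and output file name are assumptions.

```powershell
# Added example (not from the original post): find which account created a given AD user
# by collecting Security event 4720 from every DC in the forest.
Import-Module ActiveDirectory

$TargetUser = Read-Host "Enter sAMAccountName of the created account"
$Days       = 30   # assumed lookback window; widen if the account is older

# Every DC in every domain of the forest, de-duplicated by host name
$dcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_ | Select-Object -ExpandProperty HostName
} | Sort-Object -Unique

# Server-side filter: Security log, event 4720 only, within the lookback window
$filter = @{
    LogName   = 'Security'
    Id        = 4720
    StartTime = (Get-Date).AddDays(-$Days)
}

$results = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Read the named EventData fields from the XML instead of parsing the message
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    DC          = $dc
                    CreatedBy   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    NewAccount  = $data['TargetUserName']
                }
            } | Where-Object { $_.NewAccount -eq $TargetUser }
    } catch {
        # Get-WinEvent raises an error when a DC has no matching events or is unreachable;
        # report it and keep going so one DC cannot abort the whole search
        Write-Warning "No 4720 events returned from $dc : $($_.Exception.Message)"
    }
}

# Assumed output location; the CSV keeps the audit trail, the table is for the console
$results | Sort-Object TimeCreated |
    Export-Csv -Path "$env:USERPROFILE\Documents\account_creation_audit.csv" -NoTypeInformation
$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

The same XML technique works for any other audited Security event (4726 for deletions, 4728/4732 for group membership changes) by changing the Id in the filter and the field names read from EventData.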