So when I was exploring the Azure Active directory some months ago I created some AD´s and then when I had done the labs I could not find the delete button, I read on a blog post that it was not possible at that time.
But now as of yesterdays releases of the new features on Azure the “Delete” button has appeared!
Sweet stuff isn’t it? So what happens when I press that precious button?
Thats kind of good that you actively have to go in and remove all users before being able to delete so that would make an extra safety barrier for accidentally removing a AAD
When that is done I can go ahead and delete the actual AAD
I will add more posts during the week about my findings so stay tuned
Of course I would rather have all my hosts in my System Center VMM 2012 SP1 but if I do not, or I just as an ITPro admin want to check if there are some new Hyper-V servers out there in my Active Directory and if they have VM´s on them I can use PowerShell.
I have looked at Ravikanth´s blog and done some modifications, also I am using the Win2012 and Powershell v3.
I can with the following powershell cmd get all hyper-v virtual machines in my Active Directory (of some reason the VMware machines do not get registered in the AD as virtual machines). With powershell version 3 it autoloads the Active Directory Module, this requires though that I have the feature RSAT-AD-PowerShell installed, easily done with Get-WindowsFeature RSAT-AD-PowerShell | Add-WindowsFeature.
I cannot do so much more with this information, what I want is to check a list of Hyper-V servers and also try to get the VM´s on them, sadly only win2012 servers can interact with the hyper-v powershell module and give that info, but hey whom has win 2008 r2 hyper-v servers 😉
This first query gives me all Hyper-V servers in the domain, 2008->2012
Then i created with help from Jeffery Hicks post a script with a menu to enable or disable accounts in the different OU´s. As i described in a earlier post it is quite powerful to use Active Directory cmdlets and i have tried to take care of that by checking that when i enable/disable accounts i check that i really have something in my searchbase. Below are two screenshots of the script running. Update I have now updated the script with a check for the searchbase that actually works and also an extra menu option with the ability to set password on the accounts i enable!
Here is the script that creates this, i have not yet come up with a better and more dynamic way to create the switch, maybe someone can give me some help there..
Yes powershell can be used to administer your Active Directory, but you could do some serious damage also. I will show you one particular case where things can go very wrong and how to recover from it.
To use cmdlets for AD you simply start your powershell console and type
You get quite a few cmdlets to help you automate your user administration, if you write the following in your console it will list all of them.
Well now to the problem, as a domain admin you do have some privileges and say that you want to disable some user accounts and you forget to add a searchbase or your filter does not do as you wish and in one line you have disabled all accounts in your domain, including admin. IF and i say IF you realize that misstake and quickly go in and enable the accounts again, you are safe, but if you log out of your session you wont be able to log in again with any account
Get-ADUser -Filter * | Set-ADUser -Enabled $False
try to log in as domain administrator and you will get this, on any DC (as long as your replication is working and if it is not you have other problems, trust me)
So how do we fix this then? luckily there is a way to do this and it is quite easy. You have to find a windows iso and as in this case a Win 2008 r2, start it in repair mode and start a CMD
when the command promt is started do this (i found it in another blog from Matheu the difference here is that i use net user administrator /active:yes to enable instead of change password)
Go to c:\windows\system32
Rename Utilman.exe to Utilman.exe.bak
Copy cmd.exe to Utilman.exe
Reboot on Windows
Do the keyboard shortcut Windows + U when on the logon screen
net user administrator /active:yes
log on with the domain admin account
Reboot on the DVD to put back the original Utilman.exe
Instead of panicking and try to restore your AD you can easily as i described log in again. This is of course a big security thing to consider in a virtual environment where users that have access to the virtual infrastructure but are not domain admins can manipulate virtual Domain controllers to get access to the administrator password “net user Administrator newpasswd123”. Here is a link to all net user commands.
So if i am going to do some account disabling i would include a searchbase in my Get-ADUser to not get the Administrator locked out by mistake and actually take the right OU to modify users on.
In my test environment i used two DC´s and both the lock and unlocking replicated quite fast. There is maybe a way with the Active Directory Domain Services Recovery without having to do a restore, i will look into that and do a follow up post if i find any easy ways!