About Terminal Server, Citrix, Delphi and other stuff
2 Dec
I needed to read out the Maximum Password age with a PowerShell script in a Windows 2003 domain.
Reading out the maxPwdAge attribute is a trivial task in PowerShell (I am re-using the function AdsLargeIntegerToInt64):
In my case this returns the value -78624000000000 but how do we interpret this?
1 Dec
Some Active Directory attributes return an 8 byte integer in the form of an IADsLargeInteger interface. An example is the pwdLastSet attribute from a user object.
Because the IADsLargeInteger object doesn’t provide type information, PowerShell cannot read the HighPart and LowPart properties.
So I wrote the function below to get the Int64 value of an IADsLargeInteger:
2 Sep
I am currently creating a PowerShell script that creates a user with all needed Active Directory attributes, Exchange mailbox, (TS) Home- and Profile directories and so on.
In such a script you can easily get failures because of Active Directory replication.
2 Sep
27 Jun
In my previous post I wrote about a problem I had with duplicate RID Allocation pools.
But how do we get more insight into these RID Allocation pools?
The DCDIAG tool can display this information per domain controller using the following syntax:
Example output:
But where in Active Directory is this information stored and can we display it for all Domain Controllers at once for larger environments?
27 Jun
I encountered another interesting error during Exchange 2010 installation today. During the Organization Preparation I got the following error:
The setup.log doesn’t give us much more detailed info:
[06-22-2011 11:16:29.0630] [2] [ERROR] The server cannot handle directory requests.
[06-22-2011 11:16:29.0630] [2] Ending processing initialize-ExchangeUniversalGroups
[06-22-2011 11:16:29.0630] [1] The following 1 error(s) occurred during task execution:
[06-22-2011 11:16:29.0630] [1] 0. ErrorRecord: Active Directory operation failed on dc001.zorg.local. This error is not retriable. Additional information: The requested object has a non-unique identifier and cannot be retrieved.
Active directory response: 0000219D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
[06-22-2011 11:16:29.0630] [1] 0. ErrorRecord: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on dc001.zorg.local. This error is not retriable. Additional information: The requested object has a non-unique identifier and cannot be retrieved.
Active directory response: 0000219D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
I remembered from a Tweet by Helge Klein recently that the Active Directory schema has no mechanism for enforcing uniqueness of an attribute.
24 Jun
Today I was testing the installation of Exchange 2010 in a VMware sandbox environment. We created the sandbox to test migration from a 2003 AD and Exchange environment to 2008 R2 with Exchange 2010.
We used a P2V to get real copies of the Active Directory and the AD upgrade to 2008 R2 was already tested.
But during the Exchange installation in the sandbox I got the following error:
24 Jun
I wanted to read the otherWellKnownObjects attribute from an Active Directory object.
In my case this was the Microsoft Exchange container in the Configuration partition:
The otherWellKnownObjects attribute is of type ADSTYPE_DN_WITH_BINARY which unfortunately cannot be viewed or edited with ADSI Edit:
25 Jan
In Exchange it’s possible to hide a Mailbox from the (Global) Address List. You can do that in the Exchange System Manager:
But after you have hidden a Mailbox you cannot create an Outlook profile for it (or add it as an extra mailbox).
When you click Check Name in the wizard you’ll get an error:
The common workaround is to remove the “Hide from Exchange address lists” setting, create the profile (or add the Mailbox) and afterwards set it again.
Once the profile is created it all keeps working.
There is an easier solution though!
18 Jan
In my previous post I explained how to get the recursive group membership with a very simple PowerShell script.
Commenter Michel thought that the script only tested one level deep but it doesn’t.
But let’s prove that!
Create 3 Global Groups in your Active Directory and name them Level1, 2 and 3:
Make Level3 a member of Level2, make Level2 a member of Level1, and finally add an account to the Level3 group: