Remko Weijnen's Blog (Remko's Blog) » Active Directory

Read Maximum Password Age with PowerShell

Remko — Fri, 02 Dec 2011 12:47:44 +0000

I needed to read out the Maximum Password age with a PowerShell script in a Windows 2003 domain.

Reading out the maxPwdAge attribute is a trivial task in PowerShell (I am re-using the function AdsLargeIntegerToInt64):

# Read Maximum Password Age (from Domain Policy)
# Read maxPwdAge attribute and convert to Int64
$maxPwdAge = AdsLargeIntegerToIn64 $Domain.maxPwdAge.Value(

In my case this returns the value -78624000000000 but how do we interpret this?

The value is expressed in 100 nanosecond units which is the same unit as a windows FILETIME structure uses.

Knowing that we can use the FromTicks method from the .NET TimeSpan structure to convert it to the number of days:

$maxPwdDays = [System.TimeSpan]::FromTicks([System.Math]::ABS($maxPwdAge)).Days

And $maxPwdDays is 91 in my case.

Note that I am using ABS to make the value positive since maxPwdAge is always negative.

Convert IADsLargeInteger to Int64 in PowerShell

Remko — Thu, 01 Dec 2011 15:03:46 +0000

Some Active Directory attributes return an 8 byte integer in the form of an IADsLargeInteger interface. An example is the pwdLastSet attribute from a user object.

Because the IADsLargeInteger object doesn’t provide type information PowerShell cannot read the HighPart and LowPart properties.

So I wrote the function below to get the Int64 value of an IADsLargeInteger:

function AdsLargeIntegerToIn64($adsLargeInteger)
{
[Int32]$highPart = $adsLargeInteger.GetType().InvokeMember("HighPart", [System.Reflection.BindingFlags]::GetProperty, $null, $adsLargeInteger, $null)
[Int32]$lowPart = $adsLargeInteger.GetType().InvokeMember("LowPart", [System.Reflection.BindingFlags]::GetProperty, $null, $adsLargeInteger, $null)
return [Int64]("0x{0:x8}{1:x8}" -f $highPart, $lowpart)
}

Settings NTFS Permissions by SID in PowerShell

Remko — Fri, 02 Sep 2011 15:21:42 +0000

I am currently creating a PowerShell script that creates a user with all needed Active Directory attributes, Exchange mailbox, (TS) Home- and Profile directories and so on.

In such a script you can easily get failures because of Active Directory replication.

Image that you create a new user account and later on you need set an additional attribute. What happens if the user was created while connected to Domain Controller A and you try to set an additional attribute while connected to Domain Controller B before replication has completed?

We can prevent this easily by performing all actions on the same domain controller. In my script I query for any Domain Controller that has the Global Catalog role:

# We will use a single domain controller for all operations to prevent
# replication issues
$DC = (Get-DomainController -GlobalCatalog )[0].DnsHostName

Insert the $DC variable in your ldap binding eg:

$User = [ADSI]("LDAP://{0}/CN=Administrator,CN=Users,DC=Contoso,DC=com" -f $DC)

Next problem is when you perform non ADSI operations such as setting NTFS permissions on a fileserver (eg homedirectory).

This server may not yet be able to resolve the username to it’s SID and thus the operation may fail!

We can solve this easily by giving permissions to the SID directory instead to the username. Example:

function SetNTFSPermissionsBySid([string]$directory, [System.DirectoryServices.DirectoryEntry]$objAD)
{
# Convert byte array sid to sid string
$sID = New-Object System.Security.Principal.SecurityIdentifier $objAD.objectsid[0],0

# Inheritance This Folder, Subfolders and Files)
$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"

# Retrieve the ACL
$aCL = Get-Acl $directory

# Create Ace
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($sID, "Modify", $inherit, $propagation, "Allow")

# Add Ace to Acl
$aCL.AddAccessRule($accessrule)

# Set Acl to the directory
Set-Acl -aclobject $aCL -path $directory
}

Check if a useraccount exists with PowerShell

Remko — Fri, 02 Sep 2011 09:51:37 +0000

Function below can be used to check if a given Username exists in Active Directory:

function UserExists([string]$Username)
{
$strFilter = "(&(objectCategory=person)(sAMAccountName=$Username))"

$objDomain = New-Object System.DirectoryServices.DirectoryEntry

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

$colResults = $objSearcher.FindAll()
return [bool]($colResults -ne $null)
}

AD Internals: Display RID Allocation Pools

Remko — Mon, 27 Jun 2011 13:37:04 +0000

In my previous post I wrote about a problem I had with duplicate RID Allocation pools.

But how do we get more insight into these RID Allocation pools?

The DCDIAG tool can display this information per domain controleler using the following syntax

dcdiag /s:server /v /test:ridmanager

Example output:

But where in Active Directory is this information stored and can we display it for all Domain Controllers at once for larger environments?

Let’s start with the Active Directory part, the System container has an object named RID Manager$:

The fSMORoleOwner attribute holds the RID Master FSMO role owner.

rIDAvailablePool is a Large Integer (an 8 byte value) where the lower 4 bytes are the From (Beginning of next RID pool to be allocated) and the higher 4 bytes are the To (Total number of RIDS that can be created in a domain) as displayed by dcdiag.

The Allocation Pools and the Next RID are kept by each server in a child object called RID Set. We can find the RID Set by querying the rIDSetReferences attribute which contains the LDAP path to the RID Set:

The RID Set contains the other values we are looking for where rIDAllocationpool (the pool currently in use) and rIDPreviousAllocationpool (the pool that will be used next when the current pool is exhausted) are again Large Integers with a Low and a High part:

Now that we know where the values are stored we can write a script, I have chosen PowerShell.

First we connect to the (Default) domain and obtain the distinguishedName of the domain (DC=MyDomain, DC=local).

# Bind to domain
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
Write-Host "Domain:" $objDomain.distinguishedName
Write-Host "Netbios name:" $objDomain.name

Now we can open RID Manager Object:

# Open the RID Manager Object
$strRidManager = [String]::Concat("LDAP://CN=RID Manager$,CN=System,", $objDomain.distinguishedName)
$objRidManager = New-Object System.DirectoryServices.DirectoryEntry($strRidManager)

And query for the FSMO Role Owner:

# Check FSMO Role Owner
$objRidMaster = New-Object System.DirectoryServices.DirectoryEntry("LDAP://" + $objRidManager.FsmoRoleOwner)
$objRidMaster = New-Object System.DirectoryServices.DirectoryEntry($objRidMaster.Parent)
Write-Host "RID Master:" $objRidMaster.name

From the RID Master we read the rIDAvailablePool attribute:

# Read Available RID Pool
$objAvailPool = GetInteger8 $objRidManager.rIDAvailablePool
Write-Host "RidAvailablePool: from" $objAvailPool.LowPart "to" $objAvailPool.Highpart

GetInteger8 is a helper function to read Integer8 (Large Integer) values from Active Directory:

# This functions read an Integer8 Value from Active Directory and returns an object
# with LowPart and Highpart properties
function GetInteger8([Object] $Integer8)
{
$gp = [Reflection.Bindingflags]::GetProperty
$objType = $Integer8.GetType()
$objValue = $objType.InvokeMember("Value", $gp, $null, $Integer8, $null)
$objType = $objValue.GetType()

$return = New-Object -TypeName System.Object

$return | Add-Member -MemberType NoteProperty -Name LowPart -Value $objType.InvokeMember("LowPart", $gp, $null, $objValue, $null)
$return | Add-Member -MemberType NoteProperty -Name HighPart -Value $objType.InvokeMember("HighPart", $gp, $null, $objValue, $null)

return $return
}

We are going to store all RID Data in an array so we can use the Format options from PowerShell:

# Create array to store RID Data
$RidDataSet = @()

I wrote a function to gather and return the RID Data for a Domain Controller object:

# Note that you need to bind to the domain controller you want data from
function GetRidData([System.DirectoryServices.DirectoryEntry] $RidSet)
{
$objParent = New-Object System.DirectoryServices.DirectoryEntry($RidSet.Parent)
[string]$dcName = $objParent.Name

$return = New-Object -TypeName System.Object
# Domain Controller (Netbios) name
$return | Add-Member -MemberType NoteProperty -Name DC -Value $dcName

# rIDAllocationPool is a 64 bit value, the lowpart being the From and the highpart the To
$AllocPool = GetInteger8 $RidSet.rIDAllocationPool
$return | Add-Member -MemberType NoteProperty -Name rIDAllocationPoolFrom -Value $AllocPool.LowPart
$return | Add-Member -MemberType NoteProperty -Name rIDAllocationPoolTo -Value $AllocPool.HighPart

# rIDPreviousPool is a 64 bit value, the lowpart being the From and the highpart the To
$PrevPool = GetInteger8 $RidSet.rIDPreviousAllocationPool
$return | Add-Member -MemberType NoteProperty -Name rIDPreviousAllocationPoolFrom -Value $PrevPool.LowPart
$return | Add-Member -MemberType NoteProperty -Name rIDPreviousAllocationPoolTo -Value $PrevPool.HighPart

# rIDPreviousPool is an array with a single value
$return | Add-Member -MemberType NoteProperty -Name rIDNextRID -Value $RidSet.rIDNextRID[0]

return $return
}

Now we can Bind to the Domain Controllers OU, enumerate all children and gather the RID Data for them:

# Bind to the Domain Controllers OU
$objDCOU = New-Object System.DirectoryServices.DirectoryEntry([string]::Concat("LDAP://OU=Domain Controllers,", $objDomain.distinguishedName))

# Loop through the Domain Controllers OU
foreach ($objDC in $objDCOU.Children)
{
# Bind to the RID Set, note that’s it’s essential to bind to the domain controller you want data from
$objRIDSet = New-Object System.DirectoryServices.DirectoryEntry([string]::Concat("LDAP://", $objDC.dNSHostName, "/", $objDC.rIDSetReferences))

# Add the Data to the array
$RidDataSet += GetRidData $objRIDSet
}

Last step is outputting the Data:

# Display RID Data in a nice table
$RidDataSet | Format-Table

This is the data for my environment:

The complete script can be downloaded below.

rIDump (54)

The case of the duplicate SID’s

Remko — Mon, 27 Jun 2011 08:04:01 +0000

I encountered another interesting error during Exchange 2010 installation today. During the Organization Preparation I got the following error:

The setup.log doesn’t give us much more detailed info:

[06-22-2011 11:16:29.0614] [2] [ERROR] Active Directory operation failed on dc001.zorg.local. This error is not retriable. Additional information: The requested object has a non-unique identifier and cannot be retrieved.
Active directory response: 0000219D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

[06-22-2011 11:16:29.0630] [2] [ERROR] The server cannot handle directory requests.
[06-22-2011 11:16:29.0630] [2] Ending processing initialize-ExchangeUniversalGroups
[06-22-2011 11:16:29.0630] [1] The following 1 error(s) occurred during task execution:
[06-22-2011 11:16:29.0630] [1] 0. ErrorRecord: Active Directory operation failed on dc001.zorg.local. This error is not retriable. Additional information: The requested object has a non-unique identifier and cannot be retrieved.
Active directory response: 0000219D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

[06-22-2011 11:16:29.0630] [1] 0. ErrorRecord: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on dc001.zorg.local. This error is not retriable. Additional information: The requested object has a non-unique identifier and cannot be retrieved.
Active directory response: 0000219D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

I remembered from a Tweet by Helge Klein recently that the Active Directory schema has no mechanism for enforcing uniqueness of an attribute.

My first assumption was a duplicate sAMAccountName but I couldn’t find any evidence for that.

Then I checked for duplicate SID‘s, you can do this via NTDSUtil:

NTDSUtil creates a log file in the current directory (dupsid.log) and indeed I was having duplicate SID’s:

The SAM database has encountered a duplicate SID. The SAM account names are:
Public Folder Management and khoogeveen

The SAM database has encountered a duplicate SID. The SAM account names are:
Recipient Management and azamboni

The SAM database has encountered a duplicate SID. The SAM account names are:
View-Only Organization Management and jresink

The SAM database has encountered a duplicate SID. The SAM account names are:
UM Management and bmelgers

The SAM database has encountered a duplicate SID. The SAM account names are:
Help Desk and hvanpareren

The SAM database has encountered a duplicate SID. The SAM account names are:
Records Management and gknetemann200

The SAM database has encountered a duplicate SID. The SAM account names are:
Discovery Management and gknetemann224

The SAM database has encountered a duplicate SID. The SAM account names are:
Server Management and gknetemann248

The SAM database has encountered a duplicate SID. The SAM account names are:
Delegated Setup and gknetemann222

The SAM database has encountered a duplicate SID. The SAM account names are:
Hygiene Management and gknetemann246

What made this very interesting is that the names listed here like Public Folder Management and Recipient Management are all created during Exchange 2010 installation.

This behaviour is described in Prepare Active Directory and Domains in a little note:

To verify that this step completed successfully, make sure that there is a new OU in the root domain called Microsoft Exchange Security Groups. This OU should contain the following new Exchange USGs:

Exchange Security Groups OU:
Exchange Organization Management
Exchange Recipient Management
Exchange Server Management
Exchange View-Only Organization Management
Exchange Public Folder Management
Exchange UM Management
Exchange Hygiene Management
Exchange Records Management
Exchange Discovery Management
Exchange Delegated Setup
ExchangeLegacyInterop

So what happened?

I did a P2V of 2 existing domain controller to test an AD upgrade in a Sandbox. After the AD upgrade I kept the sandbox and decided to test Exchange installation as well.

I first created a P2V of DC002, the least important domain controller, and put in online in the sandbox to test the P2V process.

Because the DC002 had the RID Master FSMO role it was possible to allocate a block (the same block) of relative ID’s in both the sandbox and the production environment.

A couple of days later I did the P2V of the other domain controller and placed it online as well. And this is where the duplicate block became a problem.

Because I am in a sandbox I could take the easy solution which is use the cleanup duplicate sid command in NTDSUtil:

Warning: the cleanup duplicate sid command will delete BOTH objects having the same sid!

Sidenote: It seems that the problem with the otherWellKnownObjects attribute I described earlier was actually caused by the Exchange Setup as well!

My recommendations for P2V of Domain Controllers:

P2V all Domain Controllers at the same time.
If you cannot p2v all Domain Controllers at the same time, do not bring a copy online before you finished all P2V’s.
Make sure the RID Master is brought online LAST

Exchange 2010 well-known object entry install error

Remko — Fri, 24 Jun 2011 10:52:30 +0000

Today I was testing the installation of Exchange 2010 in a VMWare sandbox environment. We created the sandbox to test migration from a 2003 AD and Exchange environment to 2008 R2 with Exchange 2010.

We used a P2V to get real copies of the Active Directory and the AD upgrade to 2008 R2 was already tested.

But during the Exchange installation in the sandbox I got the following error:

The setup log (located in C:\ExchangeSetupLogs) shows a little more detail:

[06-22-2011 11:28:58.0530] [2] [ERROR] Unexpected Error
[06-22-2011 11:28:58.0530] [2] [ERROR] The well-known object entry B:32:C262A929D691B74A9E068728F8F842EA:CN=Organization Management\0ADEL:c1b94668-b67b-4231-8e5a-b11ecf5b7838,CN=Deleted Objects,DC=zorg,DC=local on the otherWellKnownObjects attribute in the container object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=zorg,DC=local points to an invalid DN or a deleted object. Remove the entry, and then rerun the task.
[06-22-2011 11:28:58.0546] [2] Ending processing initialize-ExchangeUniversalGroups
[06-22-2011 11:28:58.0546] [1] The following 1 error(s) occurred during task execution:
[06-22-2011 11:28:58.0546] [1] 0. ErrorRecord: The well-known object entry B:32:C262A929D691B74A9E068728F8F842EA:CN=Organization Management\0ADEL:c1b94668-b67b-4231-8e5a-b11ecf5b7838,CN=Deleted Objects,DC=zorg,DC=local on the otherWellKnownObjects attribute in the container object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=zorg,DC=local points to an invalid DN or a deleted object. Remove the entry, and then rerun the task.
[06-22-2011 11:28:58.0546] [1] 0. ErrorRecord: Microsoft.Exchange.Management.Tasks.InvalidWKObjectException: The well-known object entry B:32:C262A929D691B74A9E068728F8F842EA:CN=Organization Management\0ADEL:c1b94668-b67b-4231-8e5a-b11ecf5b7838,CN=Deleted Objects,DC=zorg,DC=local on the otherWellKnownObjects attribute in the container object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=zorg,DC=local points to an invalid DN or a deleted object. Remove the entry, and then rerun the task.
[06-22-2011 11:28:58.0546] [1] [ERROR] The following error was generated when "$error.Clear();
initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions

" was run: "The well-known object entry B:32:C262A929D691B74A9E068728F8F842EA:CN=Organization Management\0ADEL:c1b94668-b67b-4231-8e5a-b11ecf5b7838,CN=Deleted Objects,DC=zorg,DC=local on the otherWellKnownObjects attribute in the container object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=zorg,DC=local points to an invalid DN or a deleted object. Remove the entry, and then rerun the task.".
[06-22-2011 11:28:58.0546] [1] [ERROR] The well-known object entry B:32:C262A929D691B74A9E068728F8F842EA:CN=Organization Management\0ADEL:c1b94668-b67b-4231-8e5a-b11ecf5b7838,CN=Deleted Objects,DC=zorg,DC=local on the otherWellKnownObjects attribute in the container object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=zorg,DC=local points to an invalid DN or a deleted object. Remove the entry, and then rerun the task.
[06-22-2011 11:28:58.0546] [1] [ERROR-REFERENCE] Id=443949901 Component=

The strange thing is that it’s referring to a deleted object (since it’s in the deleted objects container). So what’s going on?

I used the ldp.exe tool to connect to the deleted objects container and inspect the Organization Management object but I couldn’t find any invalid data in it. So I was looking at the wrong place

But if you break down the error message then it’s actually very clear where you need to look:

The attribute otherWellKnownObjects of the object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=zorg,DC=local (which is a multivalued object) has a value that refers to a deleted item (B:32:C262A929D691B74A9E068728F8F842EA:CN=Organization Management\0ADEL:c1b94668-b67b-4231-8e5a-b11ecf5b7838,CN=Deleted Objects,DC=zorg,DC=local).

So I opened ADSI Edit and navigated to the Microsoft Exchange container:

Then I looked at the properties of CN=Microsoft Exchange we can see the otherWellKnownObjects attribute:

But unfortunately ADSI Edit cannot view or modify this attribute:

My next attempt was ADExplorer from SysInternals (version 1.42). Once again I navigated to the Microsoft Exchange container:

AD Explorer has no problems showing the values:

I thought I was almost there: I right clicked the wellKnownObjects Attribute then Modify and after selecting the Deleted value I clicked Remove followed by OK:

And this made AD Explorer hang itsself:

Followed by Crash:

So I had to solve it myself with the help of a PowerShell script.

First I read the the otherWellKnownObjects attribute with PowerShell (I wrote about that earlier).

This returns a Collection that I walk backwards with a for loop, this is important when removing items in a collection during a loop (don’t shoot yourself in the foot).

For each item in the Collection I get the distinguishedName from the DNString property and if it contains “0ADEL” then I assume the object it refers to has been deleted so I remove this item from the Collection.

Finally I check if we have deleted at least one item and if so I call SetInfo() to commit the changes to Active Directory.

If you want to test the script, be sure to comment the SetInfo() call to prevent the actual deletion in your Active Directory!

# Get Microsoft Exchange Container
$objDE = New-Object System.DirectoryServices.DirectoryEntry
$ExchangeDN = [string]::Concat("LDAP://CN=Microsoft Exchange,CN=Services,CN=Configuration,", $objDE.distinguishedName)
$objCN = New-Object System.DirectoryServices.DirectoryEntry($ExchangeDN)

$gp = [Reflection.Bindingflags]::GetProperty

# get otherWellKnownObjects Collection
$objCol = $objCN.otherWellKnownObjects
$delCount = 0

# Walk though the Collection backwards (always do that when deleting items)
for ($i=$objCol.Count-1; $i -ge 0; $i–)
{
$objWKO = $objCol[$i]
$objType = $objWKO.GetType()
# Get the distinguishedName
$DNString = $objType.InvokeMember("DNString", $gp, $null, $objWKO, $null)

$BV = $objType.InvokeMember("BinaryValue", $gp, $null, $objWKO, $null)
$Guid = [GUID][System.BitConverter]::ToString($BV).Replace("-", "")

Write-Host "DNString: $DNString"
Write-Host "Guid: $Guid"

# Check if the item was deleted
if ($DNString.Contains("0ADEL"))
{
Write-Host "This is a Deleted Item" -foregroundcolor Red
# Remove the item (WARNING: No Confirmation asked)
$objCol.RemoveAt($i)
Write-Host "Object Removed" -foregroundcolor Red
$DelCount++
}
}

# Did we delete something?
if ($DelCount -gt 0)
{
Write-Host "Commiting Changes" -foregroundcolor Blue
# Commit changes, remove this line if you just want to test
# If you don’t commit you will not delete anything
$objCN.SetInfo()
}

Reading the otherWellKnownObjects attribute with PowerShell

Remko — Fri, 24 Jun 2011 09:19:25 +0000

I wanted to read the otherWellKnownObjects attribute from an Active Directory object.

In my case this was the Microsoft Exchange container in the Configuration partition:

The otherWellKnownObjects attribute is of type ADSTYPE_DN_WITH_BINARY which unfortunately cannot be viewed or edited with ADSI Edit:

So I wrote a script to read the values with PowerShell but it’s not very straightforward how to do this.

Reading the otherWellKnownObjects property returns a collection of IADsDNWithBinary interfaces but this interface is unknown in PowerShell.

Using reflection we can read the values:

$objCN = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=zorg,DC=local")
$gp = [Reflection.Bindingflags]::GetProperty

foreach ($objWKO in $objCN.otherWellKnownObjects)
{
$objType = $objWKO.GetType()
$DNString = $objType.InvokeMember("DNString", $gp, $null, $objWKO, $null)
$BV = $objType.InvokeMember("BinaryValue", $gp, $null, $objWKO, $null)
$Guid = [GUID][System.BitConverter]::ToString($BV).Replace("-", "")
Write-Host "DNString=$DNString" -foregroundcolor Blue
Write-Host "Guid=$Guid" -foregroundcolor Blue
}

Adding a hidden Exchange mailbox to Outlook

Remko — Tue, 25 Jan 2011 12:11:42 +0000

In Exchange it’s possible to hide a Mailbox from the (Global) Address List. You can do that in the Exchange System Manager:

But after you have hidden a Mailbox you cannot create an Outlook profile for it (or add it as an extra mailbox).

When you click Check Name in the wizard you’ll get an error:

The common workaround is to remove the “Hide from Exchange address lists” setting, create the profile (or add the Mailbox) and afterwards set it again.

Once the profile is created it all keeps working.

There is an easier solution though!

If you add the mailbox using the legacyExchangeDN attribute then Outlook happily accepts.

This works because Outlook really uses this value and not the user’s accountname to connect to a Mailbox.

The Error above occurs because Outlook cannot resolve the username to the legacyExchangeDN name using the Address List.

So how do we get the user’s legacyExchangeDN?

It can be read using ADSI Edit:

But I prefer to read it with a script since it means less clicking.

Using PowerShell it’s also a very simple script:

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain

$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ct, "MYDOMAIN\gtest01")
$user.GetUnderlyingObject().legacyExchangeDN

Now we take the result, in my case:

/O=My Organisation/OU=DMN-ORGANISATION/cn=Recipients/cn=gtest01

Now we copy & paste this into the User Name Edit:

And Outlook will resolve it to the username

The same procedure can be used if you want to Add a Hidden Mailbox as Additional Mailbox:

Recursive Groups #2

Remko — Tue, 18 Jan 2011 18:51:15 +0000

In my previous post I explained how to get the recursive group membership with a very simple Powershell Script.

Commenter Michel thought that the script only tested one level deep but it doesn’t.

But let’s prove that!

Create 3 Global Groups in your Active Directory and name them Level1, 2 and 3:

Make Level3 a Member of Level 2 and make Level a member of Level 1 and finally add an account to the Level 3 group:

Now run the script and the output should include all 3 groups:

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain

$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
$groups = $user.GetAuthorizationGroups() | where {$_ -like "G_LEVEL*"} | select SamAccountName
foreach ($group in $groups)
{
$group
}

And the Output: