July 10th, 2019 | Tags:

This how-to walks you through using Restricted Groups to put users in the local admin group on all PCs. It will also add them to the Remote Desktop Users group.
This is useful for keeping as many people as possible out of the domain admin group while still allowing the techs to work.
I see this in forums every once in a while, but since I am revamping some policies with 2008R2, I thought I would take the time to write down the steps for this handy little procedure.
I have created these instructions for 2008R2; it should work with 2003 just fine, but if you need more details on 2003, check my reference below.


July 10th, 2019 | Tags:

In Active Directory, the default container for user objects is the Users container and the default container for computer objects is the Computers container.

July 5th, 2019 | Tags:

AD Delegation allows you to give users/groups access to certain parts of your AD without giving them full admin access. A great example is allowing Help Desk users to reset user passwords; this is actually quite easy and is a default option when delegating permissions to an OU. However, you may want your Help Desk users to be able to join/remove computer accounts to your domain which is a bit more difficult. By default, a standard user account can join up to 10 workstations to your domain and more than likely you’ll want them to join more. Here are the necessary steps as well as my recommendations:

1 – Create New OU for your Computers

In this example, I created a top-level OU called Computer with several sub-OUs. I suggest using an OU because you can link a GPO at the topmost level to apply specific security settings to all of your computers.

2 – Redirect the Default Computers Container to the New Computer OU in AD

By default, computers joined to an AD domain are put in the Computers Container, which cannot have a GPO applied because it’s a container and not an OU.  You can redirect that container to our new Computer OU using Redircmp.exe (http://support.microsoft.com/kb/324949).  On your AD Domain Controller, run the following command (Replace DC=contoso,DC=local with your domain name):

3 – Create a Global Security Group to Join/Delete Computers

Create a new Global Security Group, which we will use to delegate who can Join/Delete computers from AD.  In my example, I’ll use a group called Join-Move-Delete Computer OU

4 – Delegate the Join and Delete Permissions

  • Right-Click the Computer OU and select Properties
  • Click the Security tab and click the Advanced button

  • Click the Add button, enter the name of the security group Join-Move-Delete Computer OU and click OK. You can now add any users you desire to this group.

  • Under Apply to, select This object and all descendant objects
  • Under the Allow column, select Create Computer Objects and Delete Computer Objects
  • Click OK on all of the screens to save the changes

All members of the Join-Move-Delete Computer OU group can now Add and Delete Computers in your domain.

5 – Delegate Moving Objects to Sub-OUs in the Computer OU (Optional)

You will likely also want your users to be able to move the computers they join to the proper OU. In that case, we need to add one more permission.

  • Right-Click the Computer OU and select Properties
  • Click the Security tab and click the Advanced button
  • Click the Add button, enter the name of the security group Join-Move-Delete Computer OU and click OK.
  • Under Apply to, select Descendant Computer objects
  • Under the Allow column, select Write all properties
  • Click OK on all of the screens to save the changes

All members of the Join-Move-Delete Computer OU group can now move computers between all of the sub-OUs in the Computer OU.
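
Steps 2 to 5 can also be scripted and the resulting ACL checked afterwards. The following is an added example, not part of the original post; it assumes the domain contoso.local with NetBIOS name CONTOSO, that the Computer OU from step 1 already exists, and it uses the documented `redircmp <container-dn>` and `dsacls` syntax.

```powershell
# Added example. Run from an elevated PowerShell session on a domain controller.
# Assumed names: contoso.local / CONTOSO; replace with your own domain.
Import-Module ActiveDirectory

$domainDn = "DC=contoso,DC=local"
$ouDn     = "OU=Computer,$domainDn"
$group    = "Join-Move-Delete Computer OU"
$trustee  = "CONTOSO\$group"

# Step 2: redirect the default Computers container to the new OU.
redircmp $ouDn

# Step 3: global security group that holds the delegated users
# (created in the default Users container because no -Path is given).
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security

# Step 4: Create (CC) and Delete (DC) Computer objects,
# applied to this object and all descendant objects (/I:T).
dsacls $ouDn /I:T /G "${trustee}:CCDC;computer"

# Step 5 (optional): Write all properties (WP) on descendant computer objects (/I:S).
dsacls $ouDn /I:S /G "${trustee}:WP;;computer"

# Verify: list the ACEs the group now holds on the OU and whether each
# one is scoped to the computer class (schemaIDGUID of "computer").
$computerClass = [guid]"bf967a86-0de6-11d0-a285-00aa003049e2"
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $trustee } |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType,
        @{ n = 'ComputerClassOnly'; e = {
            $_.ObjectType -eq $computerClass -or $_.InheritedObjectType -eq $computerClass } }
```

Any ACE in the output with ComputerClassOnly set to False grants the group more than the computer-object rights described in steps 4 and 5.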

 

July 1st, 2019 | Tags:

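We use the wmic command to place the virtual memory (page file) on drive D: with a minimum size of 8 GB and a maximum of 16 GB, and to delete the page file pagefile.sys on drive C:.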

wmic PageFileSet create name="D:\\pagefile.sys",InitialSize="8096",MaximumSize="16384"
wmic PageFileSet where "name='C:\\pagefile.sys'" delete

May 6th, 2019 | Tags:

Get all users with selected info and DL group membership using PowerShell.

Get-ADUser -Filter * -Properties * -SearchBase "OU=CPG,DC=ISNET,DC=CORP,DC=ORG" | Select-Object givenName,sn,displayName,physicalDeliveryOfficeName,streetAddress,l,st,postalCode,co,title,department,company,homeMDB,@{n='MemberOf'; e= { ( $_.memberof | % { (Get-ADObject $_).Name }) -join "," }} | Export-Csv -Path c:\temp\allusers.csv

April 30th, 2019 | Tags:

Remove a user account from the local Administrators group:

The following PowerShell commands remove the given AD user account from the local Administrators group.

$user = "DomainName/user1";
$group = "Administrators";
$groupObj =[ADSI]"WinNT://./$group,group" 
$userObj = [ADSI]"WinNT://$user,user"
$groupObj.Remove($userObj.Path)

If you want to remove a non-domain local user account, you just need to pass the username as shown below:

$user = "ComputerName/user1";

Remove multiple users from the local Administrators group:

Use the PowerShell script below to remove a set of Active Directory user accounts from the local Administrators group. First create the text file users.txt, which contains one user name on each line.

$group = "Administrators";
$groupObj =[ADSI]"WinNT://./$group,group" 
ForEach ($user in (Get-Content "C:\users.txt"))
{
   $userObj = [ADSI]"WinNT://$user,user"
   $groupObj.Remove($userObj.Path)
}

Remove a user from the local Administrators group on a remote computer:

We need to provide the remote computer name to remove a local Administrators group member on a remote computer.

$computer = "GEN8";
$domainUser = "DomainName/user1";
$groupObj =[ADSI]"WinNT://$computer/Administrators,group" 
$userObj = [ADSI]"WinNT://$domainUser,user"
$groupObj.Remove($userObj.Path)

April 30th, 2019 | Tags:

Add a user account to the local Administrators group:

The following PowerShell commands add the given user account to the local Administrators group.

$user = "ComputerName/user1";
$group = "Administrators";
$groupObj =[ADSI]"WinNT://./$group,group" 
$userObj = [ADSI]"WinNT://$user,user"
$groupObj.Add($userObj.Path)

Add an AD domain user account to the local Administrators group:

We can use the same commands as above to add a domain user account by just passing the domain user.

$domainUser = "DomainName/user1";
$group = "Administrators";
$groupObj =[ADSI]"WinNT://./$group,group" 
$userObj = [ADSI]"WinNT://$domainUser,user"
$groupObj.Add($userObj.Path)

Add a domain user account to the local Administrators group on a Remote computer:

We need to just pass the remote machine name to add an Active Directory user to the local Administrators group on a remote Windows computer with PowerShell.

$computer = "GEN8";
$domainUser = "DomainName/user1";
$group = "Administrators";
$groupObj =[ADSI]"WinNT://$computer/$group,group" 
$userObj = [ADSI]"WinNT://$domainUser,user"
$groupObj.Add($userObj.Path)
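
After adding or removing accounts as shown in the two posts above, the membership can be read back through the same WinNT provider. This is an added example, not part of the original posts; the function name, the CONTOSO domain and the "Workstation Techs" group are hypothetical, and it assumes the built-in local Administrator account has not been renamed.

```powershell
# Added example: list local Administrators members and flag unexpected ones.
function Get-LocalAdminMember {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$Allowed = @()          # accounts expected on every machine
    )
    foreach ($computer in $ComputerName) {
        try {
            $groupObj = [ADSI]"WinNT://$computer/Administrators,group"
            $members  = @($groupObj.psbase.Invoke("Members"))
        } catch {
            # Unreachable host or access denied: report it and move on.
            Write-Warning "${computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($member in $members) {
            $type    = $member.GetType()
            $adsPath = $type.InvokeMember("ADsPath", "GetProperty", $null, $member, $null)
            $class   = $type.InvokeMember("Class", "GetProperty", $null, $member, $null)
            # WinNT://DOMAIN/user or WinNT://WORKGROUP/PC/user -> DOMAIN\user or PC\user
            $parts   = ($adsPath -replace '^WinNT://', '') -split '/'
            $account = ($parts | Select-Object -Last 2) -join '\'
            [pscustomobject]@{
                Computer = $computer
                Account  = $account
                Class    = $class
                Expected = ($Allowed -contains $account) -or
                           ($account -eq "$computer\Administrator")
            }
        }
    }
}

# Constructed allow-list; GEN8 is the sample computer name used in the post.
$allowed = "CONTOSO\Domain Admins", "CONTOSO\Workstation Techs"
Get-LocalAdminMember -ComputerName "GEN8" -Allowed $allowed |
    Where-Object { -not $_.Expected }
```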

April 30th, 2019 | Tags:

Get Computer List from DC

Get-ADComputer -Filter * -SearchBase "CN=Workstations, DC=contoso, DC=com"

Remove the double quotes from the input file

... | ConvertTo-Csv -NoTypeInformation | % { $_ -replace '"' } | Out-File $csv

To remove the first line

... | select -Skip 1 | Out-File $csv

Complete example

Get-ADComputer -Filter * -SearchBase "OU=cpg computers,dc=isnet,DC=corp,DC=org" -Properties * |Select name| ConvertTo-Csv -NoTypeInformation | % { $_ -replace '"' } | select -Skip 1 |Out-File C:\Script\PingEnduser\RemoteComputers.txt

PING IP and Send email

############ping tEST############### 
Get-Content C:\Script\PingEnduser\RemoteComputers.txt | ForEach-Object{
$pingstatus = ""
IF (Test-Connection -BufferSize 32 -Count 1 -ComputerName $_ -Quiet) {
        $pingstatus = "Online"
} Else {
        $pingstatus = "Offline"
}

New-Object -TypeName PSObject -Property @{
      Computer = $_
      Status = $pingstatus }
} | Export-Csv C:\Script\PingEnduser\PingStatus_$(get-date -f dd_MMM).csv -NoTypeInformation -Encoding UTF8

###########Email Sending Part######## 

###########Define Variables######## 
 
$fromaddress = "[email protected]" 
$toaddress = "[email protected]" 
$CCaddress = "[email protected]"
#$bccaddress = "[email protected]" 
#$CCaddress = "[email protected]" 
$Subject = "Offline check for Enduser" 
$body = "PING Test for all CPG laptop and Desktop after office hour."
#$body = get-content .\content.htm 
$attachment = "C:\Script\PingEnduser\PingStatus_$(get-date -f dd_MMM).csv" 
$smtpserver = "[email protected]" 
 
#################################### 
 
$message = new-object System.Net.Mail.MailMessage 
$message.From = $fromaddress 
$message.To.Add($toaddress)
$message.CC.Add($CCaddress) 
#$message.Bcc.Add($bccaddress) 
$message.IsBodyHtml = $True 
$message.Subject = $Subject 
$attach = new-object Net.Mail.Attachment($attachment)
$message.Attachments.Add($attach)
$message.body = $body 
$smtp = new-object Net.Mail.SmtpClient($smtpserver)
$smtp.Send($message)
 
#################################################################################

April 12th, 2019 | Tags:

I came across this good article while reading up on related material, so I am reposting it here. Original article: Read more…

April 11th, 2019 | Tags:

Easy way is

Copy-Item "C:\Test_CopyItem" -Destination "\\DC01\C$" -Recurse

Advanced Version

$source='\\server1\folder'
$destination='\\PC1\c$\temp\folder'
Copy-Item -Recurse -Filter *.* -path $source -destination $destination -Force