Wednesday, January 26, 2011

Admin Group Policy fails to apply

Problem: 

  • Group Policy doesn't apply, but gpresult doesn't show any problem.
  • Some policies are working on the same computer.
  • The same policy is working on other computers.
  • The Windows event log has an error like this:
    • The client-side extension could not remove computer policy settings for ' ' because it failed with error code '0x8007000d The data is invalid.' See trace file for more details.

Solution:

  • Delete all files in this path: C:\ProgramData\Microsoft\Group Policy\History
  • In Windows XP the path is: D:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\History
  • In a command window run "gpupdate /force"



I ran into a problem where our administrator group policy was not applying for some reason, while other policies were applying. I could not find any information in gpresult or in any group policy settings or information. The policy is the same that is on all the other machines in the domain, and was working, except for one or two machines. 


I've spent several hours searching for a solution to this problem, and we've even re-imaged computers because of it; the actual solution will only take you 5 minutes. Other policies might not be applying either, such as the password reset, even though they show as applied in gpresult.


The problem is a corrupt file in this location: C:\ProgramData\Microsoft\Group Policy\History. The solution is to delete everything in that folder and let Group Policy re-create it with gpupdate /force.


To give credit, here's where I found the solution. It might have a better answer anyway.
http://tools4pros.blogspot.com/2009/05/group-policy-error-0x8007000d-data-is.html
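The check-and-fix described above, as an added PowerShell example that is not part of the original post: it looks for the 0x8007000d error in the System event log, and only if it is present clears the History folder and re-applies policy. It assumes Windows Vista/7 or later (the Microsoft-Windows-GroupPolicy event provider and the ProgramData path) and an elevated PowerShell session; the -WhatIf switch is a hypothetical dry-run parameter of this script.

```powershell
# Added example (not from the original post): detect the "data is invalid"
# client-side extension error and apply the fix from the post above.
# Assumes Windows Vista/7+ and an elevated (administrator) PowerShell session.
param([switch]$WhatIf)   # hypothetical dry-run switch: report only, delete nothing

$historyPath = Join-Path $env:ProgramData 'Microsoft\Group Policy\History'

# Group Policy engine errors whose message carries the 0x8007000d code.
$gpErrors = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Level        = 2          # 2 = Error
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x8007000d' })

if ($gpErrors.Count -eq 0) {
    Write-Output "No 0x8007000d Group Policy errors found; nothing to do."
    return
}
Write-Output ("Found {0} matching event(s); most recent: {1}" -f `
    $gpErrors.Count, $gpErrors[0].TimeCreated)

if (-not (Test-Path $historyPath)) {
    Write-Output "History folder $historyPath does not exist; nothing to clear."
    return
}

# Remove the contents of the History folder but keep the folder itself,
# exactly as the manual fix does; Group Policy re-creates the contents.
Get-ChildItem -Path $historyPath -Force | ForEach-Object {
    if ($WhatIf) {
        Write-Output "Would remove $($_.FullName)"
    } else {
        Remove-Item -Path $_.FullName -Recurse -Force
    }
}

if (-not $WhatIf) {
    # Re-apply policy; afterwards check the System log for a repeat of the error.
    gpupdate /force
    Write-Output "History cleared and gpupdate run; re-check the System log."
}
```

Run it once with -WhatIf to see which files would go, then without it to apply the fix.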

Wednesday, January 19, 2011

Export Domain Users to CSV with PowerShell

If you would like to create a list of all domain users in Excel with a PowerShell script, you are in luck. Quest Software has created some pretty awesome tools to manage Microsoft Active Directory. Here's how to do it:

1. You'll need to install the Quest ActiveRoles management shell v. 1.4 or later, located here: http://www.quest.com/powershell/activeroles-server.aspx

2. Create a PowerShell file with the following script. Basically, just copy this text into a text file and rename the extension to .ps1.



#This script requires the Quest ActiveRoles management shell v.1.4 or later and PowerShell to be installed. http://www.quest.com/powershell/activeroles-server.aspx
#The script may be run on any machine that is bound to the domain and actively connected. You do not have to be a domain administrator.
#Two files will be created: one CSV with the results and one TXT log file.

#Load the Quest snap-in so the script also works from a plain PowerShell window (a no-op inside the Quest shell, where it is already loaded)
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

#HH is the 24-hour clock; with hh, a 1 AM and a 1 PM run would get the same file name
$strTimestamp = [string](Get-Date -format "yyyy-MM-dd_HH-mm")
#start a log file to verify that the script did not have any errors
Start-Transcript "DomainScriptLog-$strTimestamp.txt"

Get-Date -format s

# $strFilePath = ($Home + "\My Documents\")
#$strFilePath is the profile path of the logged-in user. Uncomment it and prepend it to the file names in the Export-Csv and Out-File commands below if you want the output in My Documents; otherwise the files are saved in the current directory.

$strFileName = ("DomainUsers_" + $strTimestamp + ".csv")
Write-Output "Writing file to $strFileName. This may take some time..."

#set SizeLimit to 0 for the full list (the default returns only the first 1000 users)
#you can set the various attributes that you would like as columns here
Get-QADUser -SizeLimit 0 -ShowProgress -ProgressThreshold 0 | Select-Object Name, SAMAccountName, givenName, sn, title, manager, employeeID, employeeNumber, employeeType, defaultGroup, postalAddress, City, postalCode, PasswordNeverExpires, AccountIsDisabled, Description | Export-Csv $strFileName -NoTypeInformation

#this puts a completion timestamp at the end of the CSV if the export finished correctly
#note: it is a trailing non-CSV row; remove it (or write it to the transcript instead) before feeding the file to a parser
"Execution completed successfully, starting $strTimestamp ending: " + [string](Get-Date -format "yyyy-MM-dd_HH-mm") | Out-File $strFileName -Append
Write-Output "Execution Complete"
Get-Date -format s
Stop-Transcript



3. Open the Quest ActiveRoles Management Shell for Active Directory program that you installed in step 1 and find the ps1 file that you created. If you run it in a normal PowerShell window it won't work. Your computer should be logged in to a domain account and have an active connection. The process may take a while, but this script includes a progress bar as well as telling you which account it's working on.


[Screenshot: PowerShell script with progress bar]

4. You might get an error saying:

"File ....ps1 cannot be loaded. The file ....ps1 is not digitally signed. The script will not execute on the system. Please see "get-help about_signing" for more details.."

You can either figure out how to digitally sign the script by following these long instructions:
http://www.hanselman.com/blog/SigningPowerShellScripts.aspx

Or you can just turn off the check because you know what it's doing:
Set-ExecutionPolicy Unrestricted
http://technet.microsoft.com/en-us/library/dd347628.aspx

Note that Unrestricted lifts the check for every script on the machine. Set-ExecutionPolicy RemoteSigned (scripts you wrote locally run, downloaded ones still need a signature), or adding -Scope Process so the change lasts only for the current shell session, is the more conservative option.



If you want to query specific groups such as admins, there's a similar tutorial here:
http://www.yanzzee.com/2011/01/use-powershell-to-create-domain-admin.html

Wednesday, January 12, 2011

Export Domain Admins to CSV with Powershell

It would be nice to be able to run a PowerShell script to query certain domain groups in Microsoft Active Directory and write them to .CSV files for easy review in Excel. Here's one way to do it:

1. You'll need to install the Quest ActiveRoles management shell v. 1.4 or later, located here: http://www.quest.com/powershell/activeroles-server.aspx

2. Create a text file with a .ps1 extension and the following text. You can review the comments in the script to see what each part does, or just google the commands you don't know. Quest has some documentation, last time I checked.



#Load the Quest snap-in so the script also works from a plain PowerShell window (a no-op inside the Quest shell, where it is already loaded)
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

#the AD groups that will be queried. These are the groups that are considered domain admins
$aGroups = @("Administrators", "Domain Admins", "Server Operators", "Enterprise Admins", "Account Operators", "Backup Operators", "Group Policy Creator Owners", "Schema Admins", "Domain Controllers")

#where the results are saved. you will want to change this
$strOutputPath = "C:\Users\username\Desktop\"

#creates a zero-padded, 24-hour time-stamp for the file names (e.g. 2011-01-12_09-05)
$strTimestamp = [string](Get-Date -format "yyyy-MM-dd_HH-mm")

#query each group listed above (-Indirect follows nested group membership), keep the attributes listed here and export them to one CSV per group with the timestamp
#note: -Type 'user' returns user accounts only, so a group whose members are computer accounts (such as Domain Controllers) produces an empty file
foreach ($group in $aGroups) {
    Get-QADGroupMember $group -Indirect -Type 'user' | Select-Object Name, sAMAccountName, title, manager, employeeID, employeeNumber, employeeType, associatedDomain, ObjectClass, defaultGroup, postalAddress, City, postalCode, PasswordNeverExpires, AccountIsDisabled, Description | Export-Csv (Join-Path $strOutputPath ($strTimestamp + "_" + $group + ".csv")) -NoTypeInformation
}



3. Run the powershell script on a domain machine that is currently on the network. You will have to open the Quest ActiveRoles Management Shell that you installed in step one. You should get a CSV file for each group specified. You shouldn't have to be a domain admin to run the script successfully, but your user and computer should be on the domain.
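The same privileged-group export, as an added example that is not the author's script: it uses Microsoft's ActiveDirectory module (RSAT) instead of the Quest snap-in, so it runs in a normal PowerShell window, and it goes one step further by printing per-group counts of disabled and never-expiring accounts for review. It assumes PowerShell 3.0 or later, the ActiveDirectory module installed, an account that can read the domain, and the Desktop as the output folder.

```powershell
# Added example (not from the original posts): export the members of the
# privileged groups above with the ActiveDirectory module and summarise them.
# Assumes PowerShell 3.0+, RSAT/ActiveDirectory module, domain read access.
Import-Module ActiveDirectory

$groups = @("Administrators", "Domain Admins", "Server Operators", "Enterprise Admins",
            "Account Operators", "Backup Operators", "Group Policy Creator Owners",
            "Schema Admins", "Domain Controllers")
$outputPath = Join-Path $env:USERPROFILE 'Desktop'     # change as needed
$timestamp  = Get-Date -Format 'yyyy-MM-dd_HH-mm'

# Attributes to pull; Enabled replaces Quest's AccountIsDisabled.
$props = 'title', 'manager', 'employeeID', 'employeeNumber', 'employeeType',
         'Description', 'PasswordNeverExpires', 'Enabled', 'LastLogonDate'

$summary = foreach ($group in $groups) {
    # -Recursive expands nested groups, as -Indirect does for Get-QADGroupMember;
    # computer members (e.g. in Domain Controllers) are filtered out here.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    $rows = foreach ($m in $members) {
        Get-ADUser -Identity $m.distinguishedName -Properties $props |
            Select-Object @{n = 'Group'; e = { $group }}, Name, SamAccountName, title,
                manager, employeeID, employeeNumber, employeeType, Enabled,
                PasswordNeverExpires, LastLogonDate, Description
    }

    if ($rows) {
        $file = Join-Path $outputPath ("{0}_{1}.csv" -f $timestamp, $group)
        $rows | Export-Csv -Path $file -NoTypeInformation
    }

    # Review counters: disabled accounts and never-expiring passwords in privileged groups.
    [pscustomobject]@{
        Group                = $group
        Members              = @($rows).Count
        Disabled             = @($rows | Where-Object { -not $_.Enabled }).Count
        PasswordNeverExpires = @($rows | Where-Object { $_.PasswordNeverExpires }).Count
    }
}

$summary | Format-Table -AutoSize
$summary | Export-Csv -Path (Join-Path $outputPath ("{0}_privileged_summary.csv" -f $timestamp)) -NoTypeInformation
```

For the all-users export from the January 19 post, replace the Get-ADGroupMember loop with Get-ADUser -Filter * -Properties $props and the same Select-Object list.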

4. You might get an error saying:
"File ....ps1 cannot be loaded. The file ....ps1 is not digitally signed. The script will not execute on the system. Please see "get-help about_signing" for more details.."

You can either figure out how to digitally sign the script by following these long instructions:
http://www.hanselman.com/blog/SigningPowerShellScripts.aspx

Or you can just turn off the check because you know what it's doing:
Set-ExecutionPolicy Unrestricted
http://technet.microsoft.com/en-us/library/dd347628.aspx

Note that Unrestricted lifts the check for every script on the machine. Set-ExecutionPolicy RemoteSigned (scripts you wrote locally run, downloaded ones still need a signature), or adding -Scope Process so the change lasts only for the current shell session, is the more conservative option.