« Posts under Active Directory

Powershell: New-ADPasswordReminder

A single, self-extracting, self-scheduling, AD password change notice PowerShell script.

Exchange: Stop Email Exfiltration

When your users leave or get removed from the organization they may still be getting company confidential information. Here is how you can find out and stop this from happening.


Exchange 2013: Server Component State Script

Exchange 2013 includes some PowerShell commands which allow you to set and view several components in the messaging infrastructure. This is important to be aware of, as it means all Exchange-related services can appear to be running when you look at them in the service manager (services.msc) while not actually doing anything. I went ahead and put together a script to better gather this information for administrators.


Lync and UM Correlation with Powershell

I’ve been working on an Exchange/Lync voice deployment lately and have found a new level of frustration for the lack of connectivity between the several voice components involved in turning up such a solution. That being said it is not very difficult to validate your deployment with a bit of Powershell.

There are a few necessary results to gather where I believe it can be easy to ‘miss’ configuration steps when turning up or disabling users:

  • You enable a user for enterprise voice but forget to set their PIN.
  • You enable a user for enterprise voice but forget to UM enable their mailbox.
  • You disable a previously Lync enabled user (enterprise voice enabled or not) and forget to disable them in Lync.
  • You enable a user for Lync enterprise voice and UM enable their mailbox but use the wrong extension.

These are just a few areas which can go awry in your environment either during the initial deployment or simply occur over time.

Here is a pretty simple function which I’ve put together which gathers info about all lync enabled accounts and contacts in the environment. As I extrapolate the Exchange UM information from AD attributes this function needs only be run on a Lync server or remote session. Here are the important bits broken down for those who are interested. If you just want the function and do not care for my ramblings you can download it either at the technet gallery or at my new github repo.

First ensure that the lync modules are loaded and available (I use -Verbose:$false throughout the script as I only want my own verbose output to be shown, not verbose output from every lync cmdlet that runs). ‘Break’ is a nice way to simply exit the function. As it is very unlikely this function will be called in a non-standalone manner this kind of non-terminating non-error throwing exit is fine. I throw out a warning at least.

I also break out the properties I’m going to be snatching from users and contacts in AD. This is not at all necessary but it makes for easier script reading later on. Contacts and users are not the same so were I to try and use the user properties against a contact when querying AD I’d get errors.

I then go ahead and query AD for users which are lync enabled. I use an old school LDAP filter because I’m an old school type of guy (well that and opath filters do not always have the nuanced properties available for me to filter against).

If the user is Lync enabled then they also have a primary user address so I use that to gather even more information about the account. I have to do this in order to get the PIN information as that is not held in AD from what I could tell. In fact, if you remove the -Verbose:$false from the Get-CSClientPinInfo and run this whole function with the -Verbose parameter you will see the Lync cmdlet spit out primary frontend server names that are getting queried for PIN info.

At this point since I already have the Lync info I go ahead and use it to determine if the user is UM enabled or not. If it is UM enabled I look for any proxyAddress starting with eum: followed by some digits and that is very likely an extension for the voicemail for this user.

With the information we have collected I create another object and return it. I use a bit of regex trickery to extract the telephone number and extension from the full Lync URI while I’m at it.

As it is very possible to have enterprise voice enabled contacts (that is all an auto attendant is in AD) we should probably get that information as well. I use Get-ADObject with another LDAP filter to only look for contacts which are Lync enabled.

I then return everything pretty much the same way as I did for user accounts except skip the voicemail and pin checking (though now that I’m writing this and thinking about it a pin check against enterprise voice enabled contacts may not be a bad idea….).

With this function you can now create and export reports with some interesting information that may help in your deployment. Here are a few examples.

As always, I welcome feedback and improvements. You can download the function in its entirety from the technet gallery or at my new github repo.
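
The checks this post describes (the four misconfigurations listed at the start, the `eum:` proxy address match and the Line URI regex), as an added example that is not the author's function. It runs offline over constructed records; the function name `Get-VoiceConfigFinding`, the property names and every sample value are assumptions made for illustration.

```powershell
# Added example: function name, property names and sample records are constructed.
function Get-VoiceConfigFinding {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] [psobject]$Account)
    process {
        $number = $null; $lineExt = $null; $umExt = $null
        # Line URI form: tel:+15555550101;ext=0101 (the ;ext= part is optional)
        if ($Account.LineURI -match '^tel:(?<num>\+?\d+)(;ext=(?<ext>\d+))?') {
            $number  = $Matches['num']
            $lineExt = $Matches['ext']   # $null when no extension was present
        }
        # First proxy address of the form eum:<digits> is taken as the UM extension
        foreach ($addr in $Account.ProxyAddresses) {
            if ($addr -match '^eum:(?<ext>\d+)') { $umExt = $Matches['ext']; break }
        }
        $findings = @()
        if (-not $Account.AccountEnabled) {
            $findings += 'AD account disabled but still Lync enabled'
        }
        if ($Account.EnterpriseVoiceEnabled) {
            if (-not $Account.PinSet) { $findings += 'Enterprise voice without a PIN' }
            if (-not $Account.UMEnabled) {
                $findings += 'Enterprise voice without a UM enabled mailbox'
            } elseif ($lineExt -ne $umExt) {
                $findings += "Extension mismatch (Lync '$lineExt', UM '$umExt')"
            }
        }
        [pscustomobject]@{
            Name = $Account.Name; Number = $number; LineExt = $lineExt
            UMExt = $umExt; Findings = ($findings -join '; ')
        }
    }
}

# Constructed sample records standing in for the gathered AD / Lync data
$sample = @(
    [pscustomobject]@{ Name='alice'; AccountEnabled=$true; EnterpriseVoiceEnabled=$true
        LineURI='tel:+15555550101;ext=0101'; PinSet=$true; UMEnabled=$true
        ProxyAddresses=@('SMTP:alice@example.com','eum:0101;phone-context=DP.example.com') }
    [pscustomobject]@{ Name='bob'; AccountEnabled=$true; EnterpriseVoiceEnabled=$true
        LineURI='tel:+15555550102;ext=0102'; PinSet=$false; UMEnabled=$false
        ProxyAddresses=@('SMTP:bob@example.com') }
    [pscustomobject]@{ Name='carol'; AccountEnabled=$false; EnterpriseVoiceEnabled=$false
        LineURI=''; PinSet=$false; UMEnabled=$false; ProxyAddresses=@('SMTP:carol@example.com') }
    [pscustomobject]@{ Name='dave'; AccountEnabled=$true; EnterpriseVoiceEnabled=$true
        LineURI='tel:+15555550104;ext=0104'; PinSet=$true; UMEnabled=$true
        ProxyAddresses=@('SMTP:dave@example.com','eum:0140;phone-context=DP.example.com') }
)
# Show only the accounts that need attention
$sample | Get-VoiceConfigFinding | Where-Object { $_.Findings } | Format-Table -AutoSize
```

With the sample data, bob, carol and dave are listed and alice is not; carol is the case worth reviewing first, since a disabled account that keeps its Lync identity is one that offboarding missed.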


Exchange: Receive Connector Tango! – Part 1

Exchange receive connectors are often configured incorrectly or worse, insecurely. This is the first of a two part series about Exchange receive connectors and what to look out for when setting them up.

Powershell Tip – Connecting With ADSI to Another Forest

Using a bit of Powershell and ADSI it is pretty easy to connect to another forest. Finding out how to do so is not very clear though. Here is what I came up with to accomplish this task.

AD Audit Report with Powershell: Part 3

This is my third and final major update to my AD auditing script. This includes a handful of new useful sections such as domain published printers, NPS servers, DHCP servers, as well as SCCM sites and DPs. Other improvements include easier to use script parameters and bug fixes.


AD Audit Report With Powershell: Part 2

I’ve updated my AD auditing report. The forest level report now includes AD integrated zones, GPOs, and fixed code to conform to strict v2 Powershell. I’ve also included a new domain level report! This report provides some user/group stats, all privileged group membership, and more.


Active Directory Audit Report With Powershell

Not too long ago I wrote a quick post on how easy it is to gather information from AD. As a case in point example I provided a script to gather all the disabled user accounts which are still assigned Lync IDs. In this script I take it one step further and provide a full blown Active Directory reporting script which can be produced with any non-privileged domain user account.


Visualize Active Directory Site Connections

In this post I use powershell with graphviz to create an Active Directory diagram of all site connections between servers. Additionally, I’ve included some code which displays site connection options. You may be able to use this to find isolated DCs or just to see a pretty diagram.
