├── Chapter1.ps1
├── Chapter15.ps1
├── .other
    └── cover.png
├── Chapter3.ps1
├── Chapter2.ps1
├── Chapter13.ps1
├── Chapter10.ps1
├── Chapter20.ps1
├── Chapter5.ps1
├── LICENSE
├── Chapter9.ps1
├── Chapter19.ps1
├── Chapter14.ps1
├── Chapter11.ps1
├── README.md
├── Chapter4.ps1
├── Chapter12.ps1
├── Chapter6.ps1
├── Chapter8.ps1
├── Chapter16.ps1
├── Chapter7.ps1
├── Chapter18.ps1
└── Chapter17.ps1


/Chapter1.ps1:
--------------------------------------------------------------------------------
1 | # View SID Value of an User Object
2 | 
3 | Get-ADUser username
4 | 
5 | 
6 | 


--------------------------------------------------------------------------------
/Chapter15.ps1:
--------------------------------------------------------------------------------
1 | # Install ADRMS Role
2 | 
3 | Install-WindowsFeature ADRMS -IncludeManagementTools
4 | 


--------------------------------------------------------------------------------
/.other/cover.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PacktPublishing/Mastering-Active-Directory-Third-Edition/HEAD/.other/cover.png


--------------------------------------------------------------------------------
/Chapter3.ps1:
--------------------------------------------------------------------------------
1 | # Find Domain Functional Level
2 | 
3 | Get-ADDomain | fl Name,DomainMode
4 | 
5 | # Find Forest Functional Level
6 | 
7 | Get-ADForest | fl Name,ForestMode
8 | 
9 | 


--------------------------------------------------------------------------------
/Chapter2.ps1:
--------------------------------------------------------------------------------
 1 | # Find AD Forest Mode
 2 | 
 3 | Get-ADForest | fl Name,ForestMode
 4 | 
 5 | # Enable Privileged Access Maangment Feature
 6 | 
 7 | Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target rebeladmin.com
 8 | 
 9 | # Find Memebrs of Domain Admin Group
10 | 
11 | Get-ADGroupMember "Domain Admins"
12 | 
13 | # Time Based Group Membership
14 | 
15 | Add-ADGroupMember -Identity 'Domain Admins' -Members 'acurtiss' -MemberTimeToLive (New-TimeSpan -Minutes 60)
16 | 
17 | # Show TTL value
18 | 
19 | Get-ADGroup 'Domain Admins' -Property member -ShowMemberTimeToLive
20 | 
21 | 


--------------------------------------------------------------------------------
/Chapter13.ps1:
--------------------------------------------------------------------------------
 1 | # ADCS Role Install with MGMT Tools
 2 | 
 3 | Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
 4 | 
 5 | # Configre Standalone CA
 6 | 
 7 | Install-ADcsCertificationAuthority -CACommonName "REBELAdmin Root CA" -CAType StandaloneRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -HashAlgorithmName SHA256 -KeyLength 2048 -ValidityPeriod Years -ValidityPeriodUnits 20
 8 | 
 9 | # Install Web Server
10 | 
11 | Install-WindowsFeature Web-WebServer -IncludeManagementTools
12 | 
13 | # Setting up Issuing CA
14 | 
15 | Install-ADcsCertificationAuthority -CACommonName "REBELAdmin IssuingCA" -CAType EnterpriseSubordinateCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -HashAlgorithmName SHA256 -KeyLength 2048


--------------------------------------------------------------------------------
/Chapter10.ps1:
--------------------------------------------------------------------------------
 1 | # View GPO Details
 2 | 
 3 | Get-GPO -name "Test Users"
 4 | 
 5 | # Check Group Inheritance
 6 | 
 7 | Get-GPInheritance -Target "OU=Users,OU=Europe,DC=rebeladmin,DC=com"
 8 | 
 9 | # Block Inheritance
10 | 
11 | Set-GPInheritance -Target "OU=Users,OU=Europe,DC=rebeladmin,DC=com" -IsBlocked Yes
12 | 
13 | # Create New GPO
14 | 
15 | New-GPO -Name GPO-Test-A
16 | 
17 | # Create New GP Link
18 | 
19 | New-GPLink -Name GPO-Test-A -Target "OU=Users,OU=Europe,DC=rebeladmin,DC=com"
20 | 
21 | # New GPO and GP Link
22 | 
23 | New-GPO -Name GPO-Test-B | New-GPLink -Target "OU=Users,OU=Europe,DC=rebeladmin,DC=com"
24 | 
25 | # Disable GP Link
26 | 
27 | Set-GPLink -Name GPO-Test-B -Target "OU=Users,OU=Europe,DC=rebeladmin,DC=com" -LinkEnabled No
28 | 
29 | # Remove GP Link
30 | 
31 | Remove-GPLink -Name GPO-Test-B -Target "OU=Users,OU=Europe,DC=rebeladmin,DC=com"
32 | 
33 | # Remove GPO
34 | 
35 | Remove-GPO -Name GPO-Test-A


--------------------------------------------------------------------------------
/Chapter20.ps1:
--------------------------------------------------------------------------------
 1 | ## Replication Faliures ##
 2 | 
 3 | Get-ADReplicationFailure -Target REBEL-SRV01
 4 | 
 5 | ## Check Multiple Servers for replication faliures ##
 6 | 
 7 | Get-ADReplicationFailure -Target REBEL-SRV01,REBELNET-PDC01
 8 | 
 9 | ## Target all the domain controllers in domain ##
10 | 
11 | Get-ADReplicationFailure -Target "therebeladmin.com" -Scope Domain
12 | 
13 | ## Target all the domain controllers in forest ##
14 | 
15 | Get-ADReplicationFailure -Target " therebeladmin.com" -Scope Forest
16 | 
17 | ## List all the partner details ##
18 | 
19 | Get-ADReplicationConnection -Filter *
20 | 
21 | ## Filter replication connections ##
22 | 
23 | Get-ADReplicationConnection -Filter {ReplicateToDirectoryServer -eq "REBEL-SRV01"}
24 | 
25 | ## Force sync object ##
26 | 
27 | Sync-ADObject -object "adam" -source REBEL-SRV01 -destination REBELNET-PDC01
28 | 
29 | ## Check AD Connect tool connectivity ##
30 | 
31 | Invoke-WebRequest -Uri https://login.microsoftonline.com


--------------------------------------------------------------------------------
/Chapter5.ps1:
--------------------------------------------------------------------------------
 1 | # Schema Master Role Holder
 2 | 
 3 | Get-ADForest | select SchemaMaster
 4 | 
 5 | # Find DomainNamingMaster 
 6 | 
 7 | Get-ADForest | select DomainNamingMaster
 8 | 
 9 | # Find PDCEmulator
10 | 
11 | Get-ADDomain | select PDCEmulator
12 | 
13 | # Find RIDMaster
14 | 
15 | Get-ADDomain | select RIDMaster
16 | 
17 | # Find InfrastructureMaster
18 | 
19 | Get-ADDomain | select InfrastructureMaster
20 | 
21 | # Move Some FSMO roles
22 | 
23 | Move-ADDirectoryServerOperationMasterRole -Identity REBEL-SDC02 -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster
24 | 
25 | # Move All FSMO Roles
26 | 
27 | Move-ADDirectoryServerOperationMasterRole -Identity REBEL-SDC02 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
28 | 
29 | # Seize FSMO Roles
30 | 
31 | Move-ADDirectoryServerOperationMasterRole -Identity REBEL-PDC-01 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Force


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2021 Packt
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Chapter9.ps1:
--------------------------------------------------------------------------------
 1 | # View Syntax for New-ADOrganizationalUnit
 2 | 
 3 | Get-Command New-ADOrganizationalUnit -Syntax
 4 | 
 5 | # Create new OU
 6 | 
 7 | New-ADOrganizationalUnit -Name "Asia" -Description "Asia Branch"
 8 | 
 9 | # OU properties
10 | 
11 | Get-ADOrganizationalUnit -Identity "OU=Asia,DC=rebeladmin,DC=com"
12 | 
13 | # Change OU Attributes
14 | 
15 | Get-ADOrganizationalUnit -Identity "OU=Asia,DC=rebeladmin,DC=com" | Set-ADOrganizationalUnit -ManagedBy "Asia IT Team"
16 | 
17 | # Protect OU from accedental deletion
18 | 
19 | Get-ADOrganizationalUnit -Identity "OU=Asia,DC=rebeladmin,DC=com" | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
20 | 
21 | # Create Sub-OU
22 | 
23 | New-ADOrganizationalUnit -Name "Users" -Path "OU=Asia,DC=rebeladmin,DC=com" -Description "Users in Asia Branch"
24 | 
25 | # Move Object to OU
26 | 
27 | Get-ADUser "tuser3" | Move-ADObject -TargetPath "OU=Users,OU=Asia,DC=rebeladmin,DC=com"
28 | 
29 | # Move Multiple Object to OU
30 | 
31 | Get-ADUser -Filter 'Name -like "Test*"' -SearchBase "OU=Users,OU=Europe,DC=rebeladmin,DC=com" | Move-ADObject -TargetPath "OU=Users,OU=Asia,DC=rebeladmin,DC=com"
32 | 
33 | # Remove OU
34 | 
35 | Remove-ADOrganizationalUnit "OU=Laptops,OU=Europe,DC=rebeladmin,DC=com"


--------------------------------------------------------------------------------
/Chapter19.ps1:
--------------------------------------------------------------------------------
 1 | ## Add member to event log readers group ##
 2 | 
 3 | Add-ADGroupMember –identity 'Event Log Readers' –members REBELNET-PDC01$
 4 | 
 5 | ## will list the details about the log files in your local system, including the log file name, max log file size, and number of entries ##
 6 | 
 7 | Get-EventLog -List
 8 | 
 9 | ## List all the events under the Directory Service log file ##
10 | 
11 | Get-EventLog -LogName 'Directory Service' | fl
12 | 
13 | ## List latest 5 events ##
14 | 
15 | Get-EventLog -Newest 5 -LogName 'Directory Service'
16 | 
17 | ## List latest 5 events - Errors ##
18 | 
19 | Get-EventLog -Newest 5 -LogName 'Directory Service' -EntryType Error
20 | 
21 | ## List latest 5 events with in last 24 hours ##
22 | 
23 | Get-EventLog -Newest 5 -LogName 'Directory Service' -EntryType Error –After (Get-Date).AddDays(-1)
24 | 
25 | ## List latest 5 events from given source ##
26 | 
27 | Get-EventLog -Newest 5 -LogName 'Directory Service' -ComputerName 'REBEL-SRV01' | fl -Property *
28 | 
29 | ## List latest 5 events from multiple sources ##
30 | 
31 | Get-EventLog -Newest 5 -LogName 'Directory Service' -ComputerName “localhost”,“REBEL-SRV01”
32 | 
33 | ## list the events with the source NTDS KCC ##
34 | 
35 | Get-EventLog -LogName 'Directory Service' -Source "NTDS KCC"
36 | 
37 | ## list the events with eventID as 1000 ##
38 | 
39 | Get-EventLog -LogName 'Directory Service' | where {$_.eventID -eq 1000}
40 | 


--------------------------------------------------------------------------------
/Chapter14.ps1:
--------------------------------------------------------------------------------
 1 | # Install ADFS Role
 2 | 
 3 | Install-WindowsFeature ADFS-Federation -IncludeManagementTools
 4 | 
 5 | # Configre ADFS Role
 6 | 
 7 | Import-Module ADFS
 8 | $credentials = Get-Credential
 9 | Install-AdfsFarm `
10 | -CertificateThumbprint:"938E369FA88B2F884A5BBC495F2338BE9FA0E0BB" `
11 | -FederationServiceDisplayName:"REBELADMIN INC" `
12 | -FederationServiceName:"adfs.rebeladmin.com" `
13 | -ServiceAccountCredential $credentials
14 | 
15 | # Install Web Application Proxy Feature
16 | 
17 | Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
18 | 
19 | # Configure the proxy
20 | 
21 | $credentials = Get-Credential
22 | Install-WebApplicationProxy
23 | -FederationServiceName "adfs.rebeladmin.com"
24 | -FederationServiceTrustCredential $credentials
25 | -CertificateThumbprint "3E0ED21E43BEB1E44AD9C252A92AD5AFB8E5722E"
26 | 
27 | # Add Application to Proxy
28 | 
29 | Add-WebApplicationProxyApplication 
30 | -BackendServerUrl 'https://myapp.rebeladmin.com/myapp/' 
31 | -ExternalCertificateThumbprint '3E0ED21E43BEB1E44AD9C252A92AD5AFB8E5722E' 
32 | -ExternalUrl 'https://myapp.rebeladmin.com/myapp/' 
33 | -Name 'MyApp' 
34 | -ExternalPreAuthentication AD FS 
35 | -ADFSRelyingPartyName 'myapp.rebeladmin.com'
36 | 
37 | # Create Cert for Azure MFA configuration
38 | 
39 | $certbase64 = New-AdfsAzureMfaTenantCertificate -TenantID 05c6f80c-61d9-44df-bd2d-4414a983c1d4
40 | 
41 | # Connect to Microsoft Services
42 | 
43 | Connect-MsolService
44 | 
45 | # Configure Principle Cred
46 | 
47 | New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certbase64
48 | 
49 | # Enable Azure MFA for ADFS 
50 | 
51 | Set-AdfsAzureMfaTenant -TenantId 05c6f80c-61d9-44df-bd2d-4414a983c1d4 -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720


--------------------------------------------------------------------------------
/Chapter11.ps1:
--------------------------------------------------------------------------------
 1 | # Create User in LDS
 2 | 
 3 | New-ADUser -name "tidris" -Displayname "Talib Idris" -server 'localhost:389' -path "CN=webapp01,DC=rebeladmin,DC=com"
 4 | 
 5 | # List users in LDS
 6 | 
 7 | Get-ADUser -Filter * -SearchBase "CN=webapp01,DC=rebeladmin,DC=com" -server 'localhost:389'
 8 | 
 9 | # Review existing replication site configuration
10 | 
11 | Get-ADReplicationSite -Filter *
12 | 
13 | # Change Site Name
14 | 
15 | Rename-ADObject -Identity "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rebeladmin,DC=com" -NewName "LondonSite"
16 | 
17 | # Change site description
18 | 
19 | Get-ADReplicationSite -Identity LondonSite | Set-ADReplicationSite -Description "UK AD Site"
20 | 
21 | # Create New Site
22 | 
23 | New-ADReplicationSite -Name "CanadaSite" -Description "Canada AD Site"
24 | 
25 | # List Domaincontrollers
26 | 
27 | Get-ADDomainController -Filter * | select Name,ComputerObjectDN,Site | fl
28 | 
29 | # Move Dc to a Site
30 | 
31 | Move-ADDirectoryServer -Identity "REBEL-SDC-02" -Site "CanadaSite"
32 | 
33 | # Create New sitelink
34 | 
35 | New-ADReplicationSiteLink -Name "London-Canada" -SitesIncluded LondonSite,CanadaSite -Cost 205 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP
36 | 
37 | # New site link bridge
38 | 
39 | New-ADReplicationSiteLinkBridge -Name "London-Canada-Bridge" -SiteLinksIncluded "London-Canada","London-CanadaDRLink"
40 | 
41 | # Remove site link from site link bridge
42 | 
43 | Set-ADReplicationSiteLinkBridge -Identity "London-Canada-Bridge" -SiteLinksIncluded @{Remove='London-CanadaDRLink'}
44 | 
45 | # Add site link to site link bridge
46 | 
47 | Set-ADReplicationSiteLinkBridge -Identity "London-Canada-Bridge" -SiteLinksIncluded @{Add='London-CanadaDRLink'}
48 | 
49 | # Create subnet 
50 | 
51 | New-ADReplicationSubnet -Name "192.168.0.0/24" -Site LondonSite
52 | 
53 | # Change values of existing subnet
54 | 
55 | Set-ADReplicationSubnet -Identity "192.168.0.0/24" -Site CanadaSite
56 | 
57 | # View subnet data
58 | 
59 | Get-ADReplicationSubnet -Filter {Site -Eq "CanadaSite"}


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | 
 4 | # Mastering-Active-Directory-Third-Edition
 5 | Mastering Active Directory, Third Edition , Published by Packt
 6 | 
 7 | # Mastering Active Directory, Third Edition
 8 | [<img src="./.other/cover.png" width="248">](https://www.amazon.com/Mastering-Active-Directory-protect-Services/dp/1801070393/ref=sr_1_3?keywords=dishan+francis&qid=1638187369&sr=8-3)
 9 | 
10 | Become an expert at managing enterprise identity infrastructure with Active Directory Domain Services 2022
11 | ## Links
12 | 
13 | * [Amazon](https://www.amazon.com/Mastering-Active-Directory-protect-Services/dp/1801070393/ref=sr_1_3?keywords=dishan+francis&qid=1638187369&sr=8-3)
14 | * [Packt Publishing](https://www.packtpub.com/product/mastering-active-directory-third-edition/9781801070393)
15 | 
16 | ## Key Features
17 | Design and update your identity infrastructure by utilizing the latest Active Directory features and core capabilities.
18 | Overcome migration challenges as you update to Active Directory Domain Services 2022
19 | Establish a strong identity foundation in the cloud by consolidating secure access.
20 | 
21 | ## What you will learn
22 | - Install, protect, and manage Active Directory Domain Services (Windows Server 2022)
23 | - Design your hybrid identity by evaluating business and technology requirements
24 | - Automate administrative tasks in Active Directory using Windows PowerShell 7.x
25 | - Protect sensitive data in a hybrid environment using Azure Information Protection
26 | - Learn about Flexible Single Master Operation (FSMO) roles and their placement
27 | - Manage directory objects effectively using administrative tools and PowerShell
28 | - Centrally maintain the state of user and computer configuration by using Group Policies
29 | - Harden your Active Directory using security best practices
30 | 
31 | ## Who This Book Is For
32 | If you are an Active Directory administrator, system administrator, or IT professional who has basic knowledge of Active Directory and is looking to become an expert in this topic, this book is for you.
33 | You need to have some experience of working with Active Directory to make the most of this book.
34 | 
35 | 
36 | 
37 | ### Download a free PDF
38 | 
39 |  <i>If you have already purchased a print or Kindle version of this book, you can get a DRM-free PDF version at no cost.<br>Simply click on the link to claim your free PDF.</i>
40 | <p align="center"> <a href="https://packt.link/free-ebook/9781801070393">https://packt.link/free-ebook/9781801070393 </a> </p>


--------------------------------------------------------------------------------
/Chapter4.ps1:
--------------------------------------------------------------------------------
 1 | # List DNS Forwarders
 2 | 
 3 | Get-DnsServerForwarder
 4 | 
 5 | # List Root Servers
 6 | 
 7 | Get-DnsServerRootHint
 8 | 
 9 | # View SOA Record
10 | 
11 | Get-DnsServerResourceRecord -ZoneName "REBELADMIN.COM" -RRType "SOA" | Select-Object -ExpandProperty RecordData
12 | 
13 | # Create A Record
14 | 
15 | Add-DnsServerResourceRecordA -Name "blog" -ZoneName "REBELADMIN.COM" -IPv4Address "192.168.0.200"
16 | 
17 | # Remove A Record
18 | 
19 | Remove-DnsServerResourceRecord -ZoneName "REBELADMIN.COM" -RRType "A" -Name "blog"
20 | 
21 | # List A Records
22 | 
23 | Get-DnsServerResourceRecord -ZoneName "REBELADMIN.COM" -RRType "A"
24 | 
25 | # Find NS Records
26 | 
27 | Get-DnsServerResourceRecord -ZoneName "REBELADMIN.COM" -RRType "NS"
28 | 
29 | # List SRV Records
30 | 
31 | Get-DnsServerResourceRecord -ZoneName "REBELADMIN.COM" -RRType "SRV"
32 | 
33 | # Detailed output of SOA record
34 | 
35 | Get-DnsServerResourceRecord -ZoneName "REBELADMIN.COM" -RRType "SRV" | Select-Object -ExpandProperty RecordData
36 | 
37 | # Add Primary Zone
38 | 
39 | Add-DnsServerPrimaryZone -Name "rebeladmin.net" -ReplicationScope "Forest" -PassThru
40 | 
41 | # Allow Zone Transfer
42 | 
43 | Set-DnsServerPrimaryZone -Name "rebeladmin.net" -SecureSecondaries TransferToSecureServers -SecondaryServers 192.168.0.106
44 | 
45 | # Add Secondry Zone
46 | 
47 | Add-DnsServerSecondaryZone -Name "rebeladmin.net" -ZoneFile "rebeladmin.net.dns" -MasterServers 192.168.0.105
48 | 
49 | # Add Reverse Lookup Zone
50 | 
51 | Add-DnsServerPrimaryZone -NetworkID "10.10.10.0/24" -ReplicationScope "Domain"
52 | 
53 | # Create Condtional Forwarder
54 | 
55 | Add-DnsServerConditionalForwarderZone -Name "rebeladmin.net" -ReplicationScope "Forest" -MasterServers 10.0.0.5
56 | 
57 | # Add DNS server client subnet
58 | 
59 | Add-DnsServerClientSubnet -Name "blockA" -IPv4Subnet 10.0.0.6/32
60 | 
61 | # Add DNS Policy 
62 | 
63 | Add-DnsServerQueryResolutionPolicy -Name "blockApolicy" -Action IGNORE -ClientSubnet  "EQ,blockA"
64 | 
65 | # Add Primary Zone
66 | 
67 | Add-DnsServerPrimaryZone -Name "dev.rebeladmin.com" -ZoneFile "dev.rebeladmin.com.dns"
68 | 
69 | # Create A Record
70 | 
71 | Add-DnsServerResourceRecordA -Name "app1" -ZoneName "dev.rebeladmin.com" -AllowUpdateAny -IPv4Address "192.168.0.110"
72 | 
73 | # DNS Zone Deligation
74 | 
75 | Add-DnsServerZoneDelegation -Name "rebeladmin.com" -ChildZoneName "dev" -NameServer "REBEL-SDC-01.rebeladmin.com" -IPAddress 192.168.0.110
76 | 
77 | 
78 | 


--------------------------------------------------------------------------------
/Chapter12.ps1:
--------------------------------------------------------------------------------
 1 | # Create Conditional Forwarder
 2 | 
 3 | Add-DnsServerConditionalForwarderZone -Name "contoso.com" -ReplicationScope "Forest" -MasterServers 10.1.5.4
 4 | Add-DnsServerConditionalForwarderZone -Name "rebeladmin.com" -ReplicationScope "Forest" -MasterServers 10.1.0.4
 5 | 
 6 | # Search AD User
 7 | 
 8 | Get-ADUser -Server CON-DC01.contoso.com -Filter * -SearchBase "OU=Test,DC=CONTOSO,DC=COM"
 9 | Get-ADUser -Server DC01.rebeladmin.com -Filter * -SearchBase "OU=Sales,DC=rebeladmin,DC=com"
10 | 
11 | # Create RODC Computer Account
12 | 
13 | Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName REBEL-RODC-01 -DomainName rebeladmin.com -DelegatedAdministratorAccountName "rebeladmindfrancis" -SiteName LondonSite
14 | 
15 | # Install AD DS Role
16 | 
17 | Install-WindowsFeature –Name AD-Domain-Services -IncludeManagementTools
18 | 
19 | # Create RODC
20 | 
21 | Import-Module ADDSDeployment 
22 | Install-ADDSDomainController ` 
23 | -Credential (Get-Credential) ` 
24 | -CriticalReplicationOnly:$false ` 
25 | -DatabasePath "C:WindowsNTDS" ` 
26 | -DomainName "rebeladmin.com" ` 
27 | -LogPath "C:WindowsNTDS" `
28 | -ReplicationSourceDC "REBEL-PDC-01.rebeladmin.com" `
29 | -SYSVOLPath "C:WindowsSYSVOL" ` 
30 | -UseExistingAccount:$true ` 
31 | -Norebootoncompletion:$false 
32 | -Force:$true
33 | 
34 | # Review Password Replication Policy Allowed list
35 | 
36 | Get-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -Allowed
37 | 
38 | # Review Password Replication Policy Denied list
39 | 
40 | Get-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -Denied
41 | 
42 | # Add user to allowed list
43 | 
44 | Add-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -AllowedList "user1"
45 | 
46 | # Add user to deny list
47 | 
48 | Add-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -DeniedList "user2"
49 | 
50 | # Enable AD recycle bin
51 | 
52 | Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target rebeladmin.com
53 | 
54 | # List deleted objects
55 | 
56 | Get-ADObject -filter 'isdeleted -eq $true' -includeDeletedObjects
57 | 
58 | # Restore Object
59 | 
60 | Get-ADObject -Filter 'samaccountname -eq "dfrancis"' -IncludeDeletedObjects | Restore-ADObject
61 | 
62 | # Install Backup Feature
63 | 
64 | Install-WindowsFeature -Name Windows-Server-Backup –IncludeAllSubFeature
65 | 
66 | # Recover from Systemstate backup
67 | 
68 | $ADBackup = Get-WBBackupSet | select -Last 1
69 | Start-WBSystemStateRecovery -BackupSet $ADBackup
70 | 


--------------------------------------------------------------------------------
/Chapter6.ps1:
--------------------------------------------------------------------------------
 1 | # Install AD DS Feature
 2 | 
 3 | Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
 4 | 
 5 | # Configre First Domain Controller
 6 | 
 7 | Install-ADDSForest -DomainName "rebeladmin.com" -CreateDnsDelegation:$false -DatabasePath "C:\Windows\NTDS" -DomainMode "7" -DomainNetbiosName "REBELADMIN" -ForestMode "7" -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$True -SysvolPath "C:\Windows\SYSVOL" -Force:$true
 8 | 
 9 | # Check Service Status
10 | 
11 | Get-Service adws,kdc,netlogon,dns
12 | 
13 | # Domain Controller Details
14 | 
15 | Get-ADDomainController 
16 | 
17 | # Domain Properties
18 | 
19 | Get-ADDomain rebeladmin.com
20 | 
21 | # Sysvol Share details
22 | 
23 | Get-smbshare SYSVOL
24 | 
25 | # Setup Additional Domain Controller
26 | 
27 | Install-ADDSDomainController -CreateDnsDelegation:$false -NoGlobalCatalog:$true -InstallDns:$true -DomainName "rebeladmin.com" -SiteName "Default-First-Site-Name" -ReplicationSourceDC "REBEL-SDC01.rebeladmin.com" -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$true -SysvolPath "C:\Windows\SYSVOL" -Force:$true
28 | 
29 | # Domain Controller Details
30 | 
31 | Get-ADDomainController -Filter * |  Format-Table Name, IPv4Address, Site
32 | 
33 | # Confirm Global Catalog Status
34 | 
35 | Get-ADDomainController -Discover -Service "GlobalCatalog"
36 | 
37 | # Move FSMO Role
38 | 
39 | Move-ADDirectoryServerOperationMasterRole -Identity REBEL-SDC-02 -OperationMasterRole InfrastructureMaster
40 | 
41 | # List Installed Windows Features
42 | 
43 | Get-WindowsFeature -ComputerName DC01 | Where Installed
44 | 
45 | # Verify FSMO Role Holder
46 | 
47 | Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
48 | Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster  
49 | 
50 | # Move FSMO Roles
51 | 
52 | Move-ADDirectoryServerOperationMasterRole -Identity DC22 -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster
53 | 
54 | # Uninstall AD DS
55 | 
56 | Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition 
57 | 
58 | # Upgrade Domain Functional Level
59 | 
60 | Set-ADDomainMode -identity rebeladmin.net -DomainMode Windows2016Domain
61 | 
62 | # Upgrade Forest Functional Level
63 | 
64 | Set-ADForestMode -Identity rebeladmin.net -ForestMode Windows2016Forest
65 | 
66 | # Verify Domain Mode
67 | 
68 | Get-ADDomain | fl Name,DomainMode
69 | 
70 | # Verify Forest Mode
71 | 
72 | Get-ADForest | fl Name,ForestMode
73 | 
74 | # View Events
75 | 
76 | Get-EventLog -LogName 'Directory Service' | where {$_.eventID -eq 2039 -or $_.eventID -eq 2040} | Format-List
77 | Get-EventLog -LogName 'Directory Service' | where {$_.eventID -eq 1458} | Format-List
78 | 
79 | # Domain Controller Details
80 | 
81 | Get-ADDomainController -Filter * | Format-Table Name, IPv4Address
82 | 
83 | 
84 | 
85 | 


--------------------------------------------------------------------------------
/Chapter8.ps1:
--------------------------------------------------------------------------------
  1 | # Filter Custom Attribute Value
  2 | 
  3 | Get-ADuser "tuser4" -Properties nINumber | ft nINumber
  4 | 
  5 | # New User Template
  6 | 
  7 | New-ADUser -Name "_TechSupport_Template" -GivenName "_TechSupport" -Surname "_Template" -SamAccountName "techtemplate" -UserPrincipalName "techtemplate@rebeladmin.com" -Path "OU=Users,OU=Europe Office,DC=rebeladmin,DC=com" -AccountPassword(Read-Host -AsSecureString "Type Password for User") -Enabled $false
  8 | 
  9 | # Add Template to Group
 10 | 
 11 | Add-ADGroupMember "Technical Department" "techtemplate"
 12 | 
 13 | # Create Managed Service Account
 14 | 
 15 | New-ADServiceAccount -Name "MyAcc1" -RestrictToSingleComputer
 16 | 
 17 | # Associate MSA with Host
 18 | 
 19 | Add-ADComputerServiceAccount -Identity REBEL-SRV01 -ServiceAccount "MyAcc1"
 20 | 
 21 | # Install MSA
 22 | 
 23 | Install-ADServiceAccount -Identity "MyAcc1"
 24 | 
 25 | # Test MSA
 26 | 
 27 | Test-ADServiceAccount "MyAcc1"
 28 | 
 29 | # View MSA Account Properties
 30 | 
 31 | Get-ADServiceAccount "MyAcc1"
 32 | 
 33 | # KDS Root Key
 34 | 
 35 | Add-KdsRootKey –EffectiveImmediately
 36 | 
 37 | # Remove 10 Hours Replication Time
 38 | 
 39 | Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10))
 40 | 
 41 | # Create gMSA
 42 | 
 43 | New-ADServiceAccount "Mygmsa1" -DNSHostName "web.rebeladmin.com" –PrincipalsAllowedToRetrieveManagedPassword "IISFARM"
 44 | 
 45 | # View gMSA Properties 
 46 | 
 47 | Get-ADServiceAccount "Mygmsa1"
 48 | 
 49 | # Install gMSA
 50 | 
 51 | Install-ADServiceAccount -Identity "Mygmsa1"
 52 | 
 53 | # Test gMSA
 54 | 
 55 | Test-ADServiceAccount " Mygmsa1"
 56 | 
 57 | # Uninstall MSA
 58 | 
 59 | Remove-ADServiceAccount –identity "Mygmsa1"
 60 | 
 61 | # View Syntax for New-ADGroup Command
 62 | 
 63 | Get-Command New-ADGroup -Syntax
 64 | 
 65 | # Create New AD Group
 66 | 
 67 | New-ADGroup -Name "Sales Team" -GroupCategory Security -GroupScope Global -Path "OU=Users,OU=Europe,DC=rebeladmin,DC=com"
 68 | 
 69 | # Protect Group From Accedental Deletion 
 70 | 
 71 | Get-ADGroup "Sales Team" | Set-ADObject -ProtectedFromAccidentalDeletion:$true
 72 | 
 73 | # Add members to group
 74 | 
 75 | Add-ADGroupMember "Sales Team" tuser3,tuser4,tuser5
 76 | 
 77 | # Remove member from group
 78 | 
 79 | Remove-ADGroupMember "Sales Team" tuser4
 80 | 
 81 | # View group properties
 82 | 
 83 | Get-ADGroup "Sales Team"
 84 | 
 85 | # Filter data in group
 86 | 
 87 | Get-ADGroup "Sales Team" -Properties DistinguishedName,Members | fl DistinguishedName,Members
 88 | 
 89 | # Change group scope
 90 | 
 91 | Set-ADGroup "Sales Team" -GroupScope Universal
 92 | 
 93 | # Remove AD group
 94 | 
 95 | Remove-ADGroup "Sales Team"
 96 | 
 97 | # Create iNetOrgPerson object
 98 | 
 99 | New-ADUser -Name "Inet User1" -GivenName "Inet"
100 |  -Surname "User1" -SamAccountName "inetuser1"
101 |  -UserPrincipalName "isuer1@rebeladmin.com"
102 |  -AccountPassword (Read-Host -AsSecureString
103 |  "Type Password for User")
104 |  -Enabled $true -Path "OU=Users,OU=Europe,DC=rebeladmin,DC=com"
105 |  –Type iNetOrgPerson
106 | 
107 |  # Convert iNetOrgPerson object to user object
108 | 
109 |  Set-ADUser "inetuser1" -Remove @{objectClass='inetOrgPerson'}
110 | 
111 | 
112 | 
113 | 


--------------------------------------------------------------------------------
/Chapter16.ps1:
--------------------------------------------------------------------------------
 1 | # Find Memebers of a Group
 2 | 
 3 | Get-ADGroupMember "First Line Engineers"
 4 | 
 5 | # Create a new user
 6 | 
 7 | New-ADUser -Name "Dale" -Path "OU=Users,OU=Europe,DC=rebeladmin,DC=com"
 8 | 
 9 | # Remove user
10 | 
11 | Remove-ADUser -Identity "CN=Dishan Francis,OU=Users,OU=Europe,DC=rebeladmin,DC=com"
12 | 
13 | # Change Password
14 | 
15 | Set-ADAccountPassword -Identity difrancis
16 | 
17 | # Create a fine-grained password policy
18 | 
19 | New-ADFineGrainedPasswordPolicy -Name "Domain Admin Password Policy" -Precedence 1 `
20 | -MinPasswordLength 12 -MaxPasswordAge "30" -MinPasswordAge "7" `
21 | -PasswordHistoryCount 50 -ComplexityEnabled:$true `
22 | -LockoutDuration "8:00" `
23 | -LockoutObservationWindow "8:00" -LockoutThreshold 3 `
24 | -ReversibleEncryptionEnabled:$false
25 | 
26 | # List Properties of a fine-grained password policy
27 | 
28 | Get-ADFineGrainedPasswordPolicy –Identity "Domain Admin Password Policy"
29 | 
30 | # Assign a fine-grained password policy
31 | 
32 | Add-ADFineGrainedPasswordPolicySubject -Identity "Domain Admin Password Policy" -Subjects "Domain Admins"
33 | 
34 | # List where policy is applying to
35 | 
36 | Get-ADFineGrainedPasswordPolicy -Identity "Domain Admin Password Policy" | Format-Table AppliesTo –AutoSize
37 | 
38 | Get-ADFineGrainedPasswordPolicy -Filter * | Format-Table Name,Precedence,AppliesTo –AutoSize
39 | 
40 | # Add user to protected user group
41 | 
42 | Get-ADGroup -Identity "Protected Users" | Add-ADGroupMember –Members "CN=Adam,CN=Users,DC=rebeladmin,DC=com"
43 | 
44 | # Create an authentication policy
45 | 
46 | New-ADAuthenticationPolicy -Name "AP_1hr_TGT" -UserTGTLifetimeMins 60 -Enforce
47 | 
48 | # Create Policy Silo
49 | 
50 | New-ADAuthenticationPolicySilo -Name Restricted_REBEL_PC01 -UserAuthenticationPolicy AP_1hr_TGT -ComputerAuthenticationPolicy AP_1hr_TGT -ServiceAuthenticationPolicy AP_1hr_TGT -Enforce
51 | 
52 | # Add objects to policy silos
53 | 
54 | Grant-ADAuthenticationPolicySiloAccess -Identity Restricted_REBEL_PC01 -Account Peter
55 | 
56 | Get-ADComputer -Filter 'Name -like "REBEL-PC01"' | Grant-ADAuthenticationPolicySiloAccess -Identity Restricted_REBEL_PC01
57 | 
58 | # Define access control condition
59 | 
60 | Set-ADAuthenticationPolicy -Identity AP_1hr_TGT -UserAllowedToAuthenticateFrom "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"Restricted_REBEL_PC01`"))"
61 | 
62 | # Install RSAT tools
63 | 
64 | Install-WindowsFeature RSAT-AD-Tools -IncludeAllSubFeature -IncludeManagementTools
65 | 
66 | # Change Object permissions
67 | 
68 | Set-AdmPwdComputerSelfPermission -OrgUnit RAServers
69 | 
70 | # Add extended rights
71 | 
72 | Set-AdmPwdReadPasswordPermission -Identity "RAServers" -AllowedPrincipals "ITAdmins"
73 | 
74 | # Register proxy with Azure AD
75 | 
76 | Import-Module AzureADPasswordProtection
77 | Register-AzureADPasswordProtectionProxy -AccountUpn 'admin@rebeladm.onmicrosoft.com'
78 | 
79 | # Reigster AD forest
80 | 
81 | Import-Module AzureADPasswordProtection
82 | Register-AzureADPasswordProtectionForest -AccountUpn 'admin@rebeladm.onmicrosoft.com'
83 | 
84 | # Set user password 
85 | 
86 | Set-ADAccountPassword -Identity testuser -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "rebeladmin@A123" -Force)
87 | 
88 | 
89 | 
90 | 


--------------------------------------------------------------------------------
/Chapter7.ps1:
--------------------------------------------------------------------------------
  1 | # Syntax for New-ADUser
  2 | 
  3 | Get-Command New-ADUser -Syntax
  4 | 
  5 | # Create New User
  6 | 
  7 | New-ADUser -Name "Talib Idris" -GivenName "Talib" -Surname "Idris" -SamAccountName "tidris" -UserPrincipalName "tidris@rebeladmin.com" -Path "OU=Users,OU=Europe,DC=rebeladmin,DC=com" -AccountPassword(Read-Host -AsSecureString "Type Password for User") -Enabled $true
  8 | 
  9 | # Create Bulk Users
 10 | 
 11 | Import-Csv "C:\ADUsers.csv" | ForEach-Object {
 12 |     $upn = $_.SamAccountName + "@rebeladmin.com" 
 13 |     New-ADUser -Name $_.Name `
 14 |      -GivenName $_."GivenName" `
 15 |      -Surname $_."Surname" `
 16 |      -SamAccountName $_."samAccountName" `
 17 |      -UserPrincipalName $upn `
 18 |      -Path $_."Path" `
 19 |      -AccountPassword (ConvertTo-SecureString "Pa$$w0rd" -AsPlainText -force) -Enabled $true
 20 |     }
 21 | 
 22 | # Syntax for New-ADComputer
 23 | 
 24 | Get-Command New-ADComputer -Syntax
 25 | 
 26 | # Create Computer Object
 27 | 
 28 | New-ADComputer -Name "REBEL-PC-01" -SamAccountName "REBEL-PC-01" -Path "OU=Computers,OU=Europe,DC=rebeladmin,DC=com"
 29 | 
 30 | # Add Attibute Values
 31 | 
 32 | Set-ADUser tidris -OfficePhone "0912291120" -City "London"
 33 | 
 34 | # Update Exisiting Attibute Values
 35 | 
 36 | Set-ADUser tidris -OfficePhone "0112291120"
 37 | 
 38 | # Search AD Users
 39 | 
 40 | Get-ADUser -Filter * -SearchBase 'OU=Users,OU=Europe,DC=rebeladmin,DC=com' | Set-ADUser -City "London"
 41 | 
 42 | # Search and Update
 43 | 
 44 | Get-ADUser -Filter {City -like "London"} | Set-ADUser -City "Kingston"
 45 | 
 46 | # Update Computer Object
 47 | 
 48 | Set-ADComputer REBEL-PC-01 -Description "Sales Computer"
 49 | 
 50 | # Search and Update
 51 | 
 52 | Get-ADComputer -Filter {Name -like "REBEL-PC-*"} | Set-ADComputer -Location "M35 Building"
 53 | 
 54 | # Syntax for Remove-ADUser
 55 | 
 56 | Get-Command Remove-ADUser -Syntax
 57 | 
 58 | # Remove AD User
 59 | 
 60 | Remove-ADUser -Identity "dzhang"
 61 | 
 62 | # Search and Remove
 63 | 
 64 | Get-ADUser -Filter {Name -like "Test1*"} | Remove-ADUser
 65 | 
 66 | # Remove Computer Object
 67 | 
 68 | Remove-ADComputer -Identity "REBEL-PC-01"
 69 | 
 70 | # Search and Remove
 71 | 
 72 | Get-ADComputer -Filter * -SearchBase 'OU=Computers,OU=Europe,DC=rebeladmin,DC=com' | Remove-ADComputer
 73 | 
 74 | # View User Attributes
 75 | 
 76 | Get-ADUser -Identity user1 -Properties *
 77 | 
 78 | # Filter User based on attibutes
 79 | 
 80 | Get-ADUser -Filter * -Properties Name,UserPrincipalName,Modified | ft Name,UserPrincipalName,Modified
 81 | Get-ADUser -Filter {City -like "Kingston"} -Properties Name,UserPrincipalName,Modified | ft Name,UserPrincipalName,Modified 
 82 | 
 83 | # Export search results
 84 | 
 85 | Get-ADUser -Filter {City -like "Kingston"} -Properties Name,UserPrincipalName,Modified | select-object Name,UserPrincipalName,Modified | Export-csv -path C:\ADUSerList.csv
 86 | 
 87 | # Syntax for Search-ADAccount 
 88 | 
 89 | Get-Command Search-ADAccount -Syntax
 90 | 
 91 | # Search for lockedout accounts
 92 | 
 93 | Search-ADAccount -LockedOut | FT Name,UserPrincipalName
 94 | 
 95 | # Prevent accedental deletion
 96 | 
 97 | Set-ADObject -Identity ‘CN=Dishan Francis,DC=rebeladmin,DC=com’ -ProtectedFromAccidentalDeletion $true
 98 | 
 99 | # Enable RecycleBin
100 | 
101 | Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target rebeladmin.com
102 | 
103 | # Deleted Objects
104 | 
105 | Get-ADObject -filter 'isdeleted -eq $true' -includeDeletedObjects
106 | 
107 | # Restore Deleted Object
108 | 
109 | Get-ADObject -Filter 'samaccountname -eq "dfrancis"' -IncludeDeletedObjects | Restore-ADObject
110 | 
111 | 
112 | 
113 | 
114 | 
115 | 
116 | 


--------------------------------------------------------------------------------
/Chapter18.ps1:
--------------------------------------------------------------------------------
 1 | ## Enable TLs 1.2 ##
 2 | 
 3 | New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
 4 | 
 5 | 	New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
 6 | 
 7 | 	New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
 8 | 
 9 | 	New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
10 | 
11 | 	New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
12 | 
13 | 	New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
14 | 
15 | 	New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
16 | 	
17 | 	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
18 | 	
19 | 	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
20 | 	
21 | 	New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
22 | 	
23 | 	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
24 | 	
25 | 	New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
26 | 	Write-Host 'TLS 1.2 has been enabled.'
27 | 
28 | ## Sync NTLM Hash ##
29 | 
30 | $adConnector = "<CASE SENSITIVE AD CONNECTOR NAME>"
31 | $azureadConnector = "<CASE SENSITIVE AZURE AD CONNECTOR NAME>"
32 | Import-Module adsync
33 | $c = Get-ADSyncConnector -Name $adConnector
34 | $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParamter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
35 | $p.Value = 1
36 | $c.GlobalParameters.Remove($p.Name)
37 | $c.GlobalParameters.Add($p)
38 | $c = Add-ADSyncConnector -Connector $c
39 | Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $false
40 | Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $true
41 | 
42 | ## Create self-sign Certificate for secure LDAP ##
43 | 
44 | $domainname="rebeladmlive.onmicrosoft.com"
45 | $certlife=Get-Date
46 | New-SelfSignedCertificate -Subject *.$domainname -NotAfter $certlife.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -DnsName *.$domainname, $domainname
47 | 
48 | ## Enable NTLM hash sync for Azure AD DS ##
49 | 
50 | Login-AzAccount
51 | $DomainServicesResource = Get-AzResource -ResourceType "Microsoft.AAD/DomainServices"
52 | $securitySettings = @{"DomainSecuritySettings"=@{"NtlmV1"="Disabled";"SyncNtlmPasswords"="Enabled";"TlsV1"="Disabled"}}
53 | Set-AzResource -Id $DomainServicesResource.ResourceId -Properties $securitySettings -Verbose -Force
54 | 
55 | 
56 | ## Setup new resourse group ## 
57 | 
58 | New-AzResourceGroup -Name REBELDRRG1 -Location "West US"
59 | 
60 | ## Setup new virtual network ## 
61 | 
62 | $drvmsubnet = New-AzVirtualNetworkSubnetConfig -Name drvmsubnet -AddressPrefix "10.1.3.0/24"
63 | New-AzVirtualNetwork -Name REBELDRVN1 -ResourceGroupName REBELDRRG1 -Location "West US" -AddressPrefix "10.1.0.0/16" -Subnet $drvmsubnet
64 | 
65 | ## Create Global VNET peering from REBELVN1 to REBELDRVN1 ##
66 | 
67 | $vnet1 = Get-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1
68 | $vnet2 = Get-AzVirtualNetwork -Name REBELDRVN1 -ResourceGroupName REBELDRRG1
69 | Add-AzVirtualNetworkPeering -Name REBELVN1toEBELDRVN1 -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet2.Id
70 | 
71 | ## Create Global VNET peering from REBELDRVN1 to REBELVN1 ##
72 | 
73 | $vnet1 = Get-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1
74 | $vnet2 = Get-AzVirtualNetwork -Name REBELDRVN1 -ResourceGroupName REBELDRRG1
75 | Add-AzVirtualNetworkPeering -Name REBELDRVN1toREBELVN1 -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet1.Id


--------------------------------------------------------------------------------
/Chapter17.ps1:
--------------------------------------------------------------------------------
  1 | ## Install AD Role ##
  2 | 
  3 | Install-WindowsFeature –Name AD-Domain-Services -IncludeManagementTools
  4 | 
  5 | ## Install RSAT Tools ##
  6 | 
  7 | Add-WindowsFeature RSAT-AD-PowerShell
  8 | 
  9 | ## List all commands under module ##
 10 | 
 11 | Get-Command -Module ActiveDirectory
 12 | 
 13 | ## List command syntax ###
 14 | 
 15 | Get-Command New-ADUser -Syntax
 16 | 
 17 | ## Help for command ##
 18 | 
 19 | Get-Help New-ADUser
 20 | 
 21 | ## More information about the command ##
 22 | 
 23 | Get-Help New-ADUser -Detailed
 24 | 
 25 | ## Technical information about the command ##
 26 | 
 27 | Get-Help New-ADUser -Full
 28 | 
 29 | ## Online help ##
 30 | 
 31 | Get-Help New-ADUser -Online
 32 | 
 33 | ## Directory information ##
 34 | 
 35 | Get-ADRootDSE
 36 | 
 37 | ## List FSMO roles ##
 38 | 
 39 | Get-ADDomainController -Filter * | Select-Object Name,IPv4Address,IsGlobalCatalog,OperationMasterRoles
 40 | 
 41 | ## List domain controllers with name,IP and site info ##
 42 | 
 43 | Get-ADDomainController -Filter * | Select-Object Name,IPv4Address,Site
 44 | 
 45 | ## List forest,domain,domain controller ip and site details ##
 46 | 
 47 | $Forestwide = (Get-ADForest).Domains | %{ Get-ADDomainController -Filter * -Server $_ } write-output $Forestwide -Filter * | Select-Object Name,Forest,Domain,IPv4Address,Site
 48 | 
 49 | ## List rodc ##
 50 | 
 51 | $Domain = Read-Host 'What is your Domain Name ?'
 52 | Get-ADDomain -Identity $Domain | select ReplicaDirectoryServers,ReadOnlyReplicaDirectoryServer
 53 | 
 54 | ## List inbound replication partners for domain controller ##
 55 | 
 56 | Get-ADReplicationPartnerMetadata -Target REBEL-SRV01.rebeladmin.com
 57 | 
 58 | ## List inbound replication partners for domain ##
 59 | 
 60 | Get-ADReplicationPartnerMetadata -Target "rebeladmin.com" -Scope Domain
 61 | 
 62 | ## List replication faliures for a domain controller ##
 63 | 
 64 | Get-ADReplicationFailure -Target REBEL-SRV01.rebeladmin.com
 65 | 
 66 | ## List replication faliures for a domain ##
 67 | 
 68 | Get-ADReplicationFailure -Target rebeladmin.com -Scope Domain
 69 | 
 70 | ## List replication faliures for forest ##
 71 | 
 72 | Get-ADReplicationFailure -Target rebeladmin.com -Scope Forest
 73 | 
 74 | ## List replication faliures for a site ##
 75 | 
 76 | Get-ADReplicationFailure -Target LondonSite -Scope Site
 77 | 
 78 | ## Active Directory Domain Controller Replication Status##
 79 | 
 80 |  $domaincontroller = Read-Host 'What is your Domain Controller?'
 81 |  ## Define Objects ##
 82 |  $report = New-Object PSObject -Property @{
 83 |  ReplicationPartners = $null
 84 |  LastReplication = $null
 85 |  FailureCount = $null
 86 |  FailureType = $null
 87 |  FirstFailure = $null
 88 |  }
 89 | 
 90 | ## Replication Partners  Report ##
 91 | 
 92 |  $report.ReplicationPartners = (Get-ADReplicationPartnerMetadata -Target $domaincontroller).Partner
 93 |  $report.LastReplication = (Get-ADReplicationPartnerMetadata -Target $domaincontroller).LastReplicationSuccess
 94 | 
 95 | ## Replication Faliures ##
 96 | 
 97 |  $report.FailureCount = (Get-ADReplicationFailure -Target $domaincontroller).FailureCount
 98 |  $report.FailureType = (Get-ADReplicationFailure -Target $domaincontroller).FailureType
 99 |  $report.FirstFailure = (Get-ADReplicationFailure -Target $domaincontroller).FirstFailureTime
100 | 
101 | ## Format Output ##
102 | 
103 |  $report | select ReplicationPartners,LastReplication,FirstFailure,FailureCount,FailureType | Out-GridView
104 | 
105 | ## AD replication site objects ##
106 | 
107 | Get-ADReplicationSite -Filter *
108 | 
109 | ## List replication site links ##
110 | 
111 | Get-ADReplicationSiteLink -Filter {SitesIncluded -eq "CanadaSite"} | Format-Table Name,Cost,ReplicationFrequencyInMinutes -AutoSize
112 | 
113 | ## Site-link bridge information ##
114 | 
115 | Get-ADReplicationSiteLinkBridge -Filter *
116 | 
117 | ## Replication subnet details ##
118 | 
119 | Get-ADReplicationSubnet -Filter * | Format-Table Name,Site -AutoSize
120 | 
121 | ## List bridge head servers ##
122 | 
123 | $BHservers = ([adsi]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=rebeladmin,DC=com").bridgeheadServerListBL
124 | $BHservers | Out-GridView
125 | 
126 | ## Script to gather information about Replication Topology ##
127 | 
128 |  ## Define Objects ##
129 |  $replreport = New-Object PSObject -Property @{
130 |  Domain = $null
131 |  }
132 | 
133 | ## Find Domain Information ##
134 | 
135 |  $replreport.Domain = (Get-ADDomain).DNSroot
136 | 
137 | ## List down the AD sites in the Domain ##
138 | 
139 |  $a = (Get-ADReplicationSite -Filter *)
140 |  Write-Host "########" $replreport.Domain "Domain AD Sites" "########"
141 |  $a | Format-Table Description,Name -AutoSize
142 | 
143 |  ## ------------------------------------------------------------------------------ ##
144 | 
145 | ## List down Replication Site link Information ##
146 | 
147 |  $b = (Get-ADReplicationSiteLink -Filter *)
148 |  Write-Host "########" $replreport.Domain "Domain AD Replication SiteLink Information" "########"
149 |  $b | Format-Table Name,Cost,ReplicationFrequencyInMinutes -AutoSize
150 |  ## List down SiteLink Bridge Information ##
151 |  $c = (Get-ADReplicationSiteLinkBridge -Filter *)
152 |  Write-Host "########" $replreport.Domain "Domain AD SiteLink Bridge Information" "########"
153 |  $c | select Name,SiteLinksIncluded | Format-List
154 | 
155 |   ## ------------------------------------------------------------------------------ ##
156 | 
157 | ## List down Subnet Information ##
158 |  $d = (Get-ADReplicationSubnet -Filter * | select Name,Site)
159 |  Write-Host "########" $replreport.Domain "Domain Subnet Information" "########"
160 |  $d | Format-Table Name,Site -AutoSize
161 |  ## List down Prefered BridgeHead Servers ##
162 |  $e = ([adsi]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=rebeladmin,DC=com").bridgeheadServerListBL
163 |  Write-Host "########" $replreport.Domain "Domain Prefered BridgeHead Servers" "########"
164 |  $e
165 |  ## End of the Script ##
166 | 
167 |   ## ------------------------------------------------------------------------------ ##
168 | 
169 |   ## Replicate Object to From Domain Controller to Another ##
170 | 
171 | $myobject = Read-Host 'What is your AD Object Includes ?'
172 | $sourcedc = Read-Host 'What is the Source DC ?'
173 | $destinationdc = Read-Host 'What is the Destination DC ?'
174 | $passobject = (Get-ADObject -Filter {Name -Like $myobject})
175 | Sync-ADObject -object $passobject -source $sourcedc -destination $destinationdc
176 | Write-Host "Given Object Replicated to" $destinationdc
177 | 
178 |   ## ------------------------------------------------------------------------------ ##
179 | 
180 |   ## Last login time ##
181 | 
182 |   $username = Read-Host 'What is the User account you looking for ?'
183 |    $dcs = Get-ADDomainController -Filter {Name -like "*"}
184 |       foreach($dc in $dcs)
185 |    { 
186 |      $hostname = $dc.HostName
187 |      $user = Get-ADUser $userName -Server $hostname -Properties lastLogon
188 |      $lngexpires = $user.lastLogon
189 |      if (-not ($lngexpires)) {$lngexpires = 0 }
190 |      If (($lngexpires -eq 0) -or ($lngexpires -gt [DateTime]::MaxValue.Ticks))
191 |      {
192 |        $LastLogon = "User Never Logged In"
193 |      }
194 |       Else
195 |      {
196 |        $Date = [DateTime]$lngexpires
197 |        $LastLogon = $Date.AddYears(1600).ToLocalTime()
198 |      }
199 |   }
200 |   Write-Host $username "last logged on at:" $LastLogon
201 | 
202 |     ## ------------------------------------------------------------------------------ ##
203 | 
204 |     ## Script For Filter user with Last logon Time ##
205 | 
206 | $htmlformat = "<style>BODY{background-color:LightBlue;}</style>"
207 | Get-ADUser -Filter * -Properties "LastLogonDate" | sort-object -property lastlogondate -descending | Select-Object Name,LastLogonDate | ConvertTo-HTML -head $htmlformat -body "<H2>AD Accounts Last Login Date</H2>"| Out-File C:\lastlogon.html
208 | Invoke-Expression C:\lastlogon.html
209 | 
210 |     ## ------------------------------------------------------------------------------ ##
211 | 
212 |     ## Report for DC login Failures ##
213 | 
214 | $failedevent = $null
215 | $Date= Get-date 
216 | $dc = Read-Host 'What is the Domain Controller ?'
217 | $Report= "C:\auditreport.html"
218 | $HTML=@"
219 | <title>Failed Login Report for $dc</title>
220 | <style>
221 | BODY{background-color :LightBlue}
222 | </style>
223 | "@
224 |  $failedevent = Get-Eventlog security -Computer $dc -InstanceId 4625 -After (Get-Date).AddDays(-7) |
225 |  Select TimeGenerated,ReplacementStrings |
226 |  % {
227 |  New-Object PSObject -Property @{
228 |  SourceComputer = $_.ReplacementStrings[13]
229 |  UserName = $_.ReplacementStrings[5]
230 |  SourceIPAddress = $_.ReplacementStrings[19]
231 |  Date = $_.TimeGenerated
232 |  }
233 |  }
234 |  $failedevent | ConvertTo-Html -Property SourceComputer,UserName,SourceIPAddress,Date -head $HTML -body "<H2>Failed Login Report for $dc</H2>"|
235 |  Out-File $Report
236 |  Invoke-Expression C:\auditreport.html
237 | 
238 |      ## ------------------------------------------------------------------------------ ##
239 | 
240 | ## Locked Accounts ##
241 | 
242 | Search-ADAccount -Lockedout | Select name,samAccountName,Lockedout
243 | 
244 | ## Unlock user account ##
245 | 
246 | Unlock-ADAccount tuser4
247 | 
248 | ## Search and unlock ##
249 | 
250 | Search-ADAccount -Lockedout | Unlock-ADAccount
251 | 
252 |      ## ------------------------------------------------------------------------------ ##
253 | 
254 | ## Password Expire Report ##
255 | $passwordreport = $null
256 | $dc = (Get-ADDomain | Select DNSRoot).DNSRoot
257 | $Report= "C:\passwordreport.html"
258 | $HTML=@"
259 | <title>Password Expire Report For $dc</title>
260 | <style>
261 | BODY{background-color :LightBlue}
262 | </style>
263 | "@
264 | $passwordreport = Get-ADUser -filter * –Properties "SamAccountName","pwdLastSet","msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "SamAccountName",@{Name="Last Password Change";Expression={[datetime]::FromFileTime($_."pwdLastSet")}},@{Name="Next Password Change";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
265 | $passwordreport | ConvertTo-Html -Property "SamAccountName","Last Password Change","Next Password Change"-head $HTML -body "<H2>Password Expire Report For $dc</H2>"|
266 | Out-File $Report
267 | Invoke-Expression C:\passwordreport.html
268 | 
269 |      ## ------------------------------------------------------------------------------ ##
270 | 
271 | ## Sensative Group Report ##
272 | 
273 | $HTML=@"
274 | <title>Sensative Groups Memebrship Report</title>
275 | <style>
276 | BODY{background-color :LightBlue}
277 | </style>
278 | "@
279 | $enterpiseadmins = Get-ADGroupMember -Identity "Enterprise Admins" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate | select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>Enterprise Admins</h2>"
280 | $schemaadmins = Get-ADGroupMember -Identity "Schema Admins" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate | select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>Schema Admins</h2>"
281 | $domainadmins = Get-ADGroupMember -Identity "Domain Admins" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate | select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>Domain Admins</h2>" 
282 | $accountoperators = Get-ADGroupMember -Identity "Account Operators" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate | select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>Account Operators</h2>" 
283 | $serveroperators = Get-ADGroupMember -Identity "Server Operators" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate | select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>Server Operators</h2>"
284 | $printoperators = Get-ADGroupMember -Identity "Print Operators" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate | select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>Print Operators</h2>"
285 | $dnsadmins = Get-ADGroupMember -Identity "DnsAdmins" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate | select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>DNS Admins</h2>"
286 | $Reportvalues = ConvertTo-HTML -Body "$enterpiseadmins $schemaadmins $domainadmins $accountoperators $serveroperators $printoperators $dnsadmins" -Head $HTML
287 | $Reportvalues | Out-File "C:\sensativegroupreport.html"
288 | 
289 |      ## ------------------------------------------------------------------------------ ##
290 | 
291 | ## Sensative Group Members Inactive for 30 days ##
292 | 
293 | $30Days = (get-date).adddays(-30)
294 | $HTML=@"
295 | <title>Sensative Groups Memebrship Report : USers Inactive for 30 days</title>
296 | <style>
297 | BODY{background-color :LightBlue}
298 | </style>
299 | "@
300 | $enterpiseadmins = Get-ADGroupMember -Identity "Enterprise Admins" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate |Where {$_.LastLogonDate -le $30Days}| select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>Enterprise Admins</h2>"
301 | $schemaadmins = Get-ADGroupMember -Identity "Schema Admins" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate | Where {$_.LastLogonDate -le $30Days}| select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>Schema Admins</h2>"
302 | $domainadmins = Get-ADGroupMember -Identity "Domain Admins" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate | Where {$_.LastLogonDate -le $30Days}| select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>Domain Admins</h2>" 
303 | $accountoperators = Get-ADGroupMember -Identity "Account Operators" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate | Where {$_.LastLogonDate -le $30Days}| select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>Account Operators</h2>" 
304 | $serveroperators = Get-ADGroupMember -Identity "Server Operators" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate | Where {$_.LastLogonDate -le $30Days}| select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>Server Operators</h2>"
305 | $printoperators = Get-ADGroupMember -Identity "Print Operators" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate | Where {$_.LastLogonDate -le $30Days}| select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>Print Operators</h2>"
306 | $dnsadmins = Get-ADGroupMember -Identity "DnsAdmins" | where {$_.objectclass -eq 'user'} | Get-ADUser -Properties LastLogonDate | Where {$_.LastLogonDate -le $30Days}| select Name,LastLogonDate | ConvertTo-Html -Property "Name","LastLogonDate" -Fragment -PreContent "<h2>DNS Admins</h2>"
307 | $Reportvalues = ConvertTo-HTML -Body "$enterpiseadmins $schemaadmins $domainadmins $accountoperators $serveroperators $printoperators $dnsadmins" -Head $HTML
308 | $Reportvalues | Out-File "C:\inactiveusers.html"
309 | 
310 |      ## ------------------------------------------------------------------------------ ##
311 | 
312 | ## Dormant Accounts ##
313 | 
314 | $InactiveDate = (Get-Date).Adddays(-30)
315 | $HTML=@"
316 | <title>Dormant Accounts Report</title>
317 | <style>
318 | BODY{background-color :LightBlue}
319 | </style>
320 | "@
321 | $disabledaccounts = Get-ADUser -Filter {Enabled -eq $false} | select samAccountName,GivenName,Surname | ConvertTo-Html -Property "samAccountName","GivenName","Surname" -Fragment -PreContent "<h2>Disabled Account</h2>"
322 | $inactiveaccounts = Get-ADUser -Filter {LastLogonDate -lt $InactiveDate -and Enabled -eq $true} -Properties LastLogonDate | select samAccountName,GivenName,Surname,LastLogonDate | ConvertTo-Html -Property "samAccountName","GivenName","Surname","LastLogonDate" -Fragment -PreContent "<h2>Inactive Accounts</h2>"
323 | $Reportvalues = ConvertTo-HTML -Body "$disabledaccounts $inactiveaccounts" -Head $HTML
324 | $Reportvalues | Out-File "C:\dormantusers.html"
325 | 
326 | ## Users with Password Never Expires Setting ##
327 | 
328 | Get-ADUser -Filter  {passwordNeverExpires -eq $true -and Enabled -eq $true } -Properties * | Select samAccountName,GivenName,Surname
329 | 
330 | ## List down available commmand for module ###
331 | 
332 | Get-Command -module AzureAD
333 | 
334 | ## view syntax help for the command ##
335 | 
336 | Get-Help Get-AzureADUser
337 | 
338 | ## Get Azure domain info ##
339 | 
340 | Get-AzureADDomain | fl
341 | 
342 | ## List DNS records for domain verification ##
343 | 
344 | Get-AzureADDomainVerificationDnsRecord -Name M365x562652.onmicrosoft.com | fl
345 | 
346 | ## List tenant details ##
347 | 
348 | Get-AzureADTenantDetail | fl
349 | 
350 | ## Last sync time ##
351 | 
352 | Get-AzureADTenantDetail | select CompanyLastDirSyncTime
353 | 
354 | ## User details ##
355 | 
356 | Get-AzureADUser -ObjectId AdeleV@M365x562652.OnMicrosoft.com | fl
357 | 
358 | ## Search for the users ##
359 | 
360 | Get-AzureADUser -Filter "startswith(GivenName,'Adele')"
361 | 
362 | ## Search user ##
363 | 
364 | Get-AzureADUser -Filter "GivenName eq 'Adele'"
365 | 
366 | ## List of disbaled accounts ##
367 | 
368 | Get-AzureADUser -All $true -Filter 'accountEnabled eq false'
369 | 
370 | ## Filter data further for disabled accounts ##
371 | 
372 | Get-AzureADUser -All $true -Filter 'accountEnabled eq false' | select DisplayName,UserPrincipalName,Department
373 | 
374 | ## Synced users ##
375 | 
376 | Get-AzureADUser -All $true -Filter 'DirSyncEnabled eq true'
377 | 
378 | ## Last sync value ##
379 | 
380 | Get-AzureADUser  -All $true -Filter 'DirSyncEnabled eq true' | select DisplayName,UserPrincipalName,LastDirSyncTime
381 | 
382 | ## Export filtered data to CSV ##
383 | 
384 | Get-AzureADUser  -All $true -Filter 'DirSyncEnabled eq true' | select DisplayName,UserPrincipalName,LastDirSyncTime | Export-CSV -Path .\syncaccount.csv
385 | 
386 | ## immutableid value null ##
387 | 
388 | Get-AzureADUser -All $true | where-Object {$_.ImmutableId -eq $null}
389 | 
390 | ## Export filtered data to CSV ##
391 | 
392 | Get-AzureADUser -All $true | where-Object {$_.ImmutableId -eq $null} | select DisplayName,UserPrincipalName | Export-CSV -Path .\cloudaccount.csv
393 | 
394 | ## Licence associated with account ##
395 | 
396 | Get-AzureADUserLicenseDetail -ObjectId MeganB@M365x562652.OnMicrosoft.com | fl
397 | 
398 | ## Subscribed sku ##
399 | 
400 | Get-AzureADSubscribedSku | fl
401 | 
402 | ## SKU details ##
403 | 
404 | Get-AzureADSubscribedSku | select SkuPartNumber,ConsumedUnits -ExpandProperty PrepaidUnits
405 | 
406 | ## Licence status of a synced user ##
407 | 
408 | Get-AzureADUserLicenseDetail -ObjectId ADJellison@M365x562652.onmicrosoft.com | fl
409 | 
410 | ## Remove licences from a user ##
411 | 
412 | $licenseB = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
413 | $licenseB.RemoveLicenses =  (Get-AzureADSubscribedSku | Where-Object {$_.SkuPartNumber -eq 'ENTERPRISEPREMIUM'}).SkuId
414 | Set-AzureADUserLicense -ObjectId "ADJellison@M365x562652.onmicrosoft.com" -AssignedLicenses $licenseB
415 | 
416 |      ## ------------------------------------------------------------------------------ ##
417 | 
418 | #######Script to Assign Licences to Synced Users from On-Permises AD#############
419 | Import-Module AzureAD
420 | Connect-AzureAD
421 | ###Filter Synced Users who doesn't have licence assigned#######
422 | $ADusers = Get-AzureADUser -All $true -Filter 'DirSyncEnabled eq true'
423 | $notlicenced = Get-AzureADUser -All $true | Where-Object {$ADusers.AssignedLicenses -ne $null} | select ObjectId | Out-File -FilePath C:\users.txt
424 | #####Set UsageLocation value to sync users#########
425 | (Get-Content "C:\users.txt" | select-object -skip 3) | ForEach { Set-AzureADUser -ObjectId $_ -UsageLocation "US" }
426 | #####Set User Licecnes############
427 | $newlicence = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
428 | $newlicenceadd = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
429 | $newlicence.SkuId = (Get-
430 | AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value "ENTERPRISEPREMIUM" -EQ).SkuId
431 | $newlicenceadd.AddLicenses = $newlicence
432 | (Get-Content "C:\users.txt" | select-object -skip 3) | ForEach { Set-AzureADUserLicense -ObjectId $_ -AssignedLicenses $newlicenceadd }
433 | 
434 | ## Create new user ##
435 | 
436 | $Userpassword = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
437 | $Userpassword.Password = "London@1234"
438 | New-AzureADUser -DisplayName "Andrew Xavier" -PasswordProfile $Userpassword -UserPrincipalName "Andrew.Xavier@M365x562652.onmicrosoft.com" -AccountEnabled $true -MailNickName "AndrewXavier"
439 | 
440 | ## Create users from CSV ##
441 | 
442 | $Userpassword = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
443 | $Userpassword.Password = "London@1234"
444 | Import-Csv -Path C:\newuser.csv | foreach {New-AzureADUser -UserPrincipalName $_.UserPrincipalName -DisplayName $_.DisplayName -MailNickName $_.MailNickName -PasswordProfile $Userpassword -AccountEnabled $true}
445 | 
446 |      ## ------------------------------------------------------------------------------ ##
447 | 
448 | ########A Script to create new users and assign Azure AD licences#######
449 | Import-Module AzureAD
450 | Connect-AzureAD
451 | ###########Create New Users using CSV ###################
452 | $Userpassword = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
453 | $Userpassword.Password = "London@1234"
454 | Import-Csv -Path C:\newuser.csv | foreach {New-AzureADUser -UserPrincipalName $_.UserPrincipalName -DisplayName $_.DisplayName -MailNickName $_.MailNickName -PasswordProfile $Userpassword -UsageLocation "US" -AccountEnabled $true} | select ObjectId | Out-File -FilePath C:\users.txt
455 | ###########Assign Licences#################
456 | $newlicence = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
457 | $newlicenceadd = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
458 | $newlicence.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value "ENTERPRISEPREMIUM" -EQ).SkuId
459 | $newlicenceadd.AddLicenses = $newlicence
460 | (Get-Content "C:\users.txt" | select-object -skip 3) | ForEach { Set-AzureADUserLicense -ObjectId $_ -AssignedLicenses $newlicenceadd }
461 | 
462 | ## Remove Azure AD User ##
463 | 
464 | Remove-AzureADUser -ObjectId "JDAllen@M365x562652.onmicrosoft.com"
465 | 
466 | ## Search user and delete ##
467 | 
468 | Get-AzureADUser -Filter "startswith(DisplayName,'Dishan')" | Remove-AzureADUser
469 | 
470 | ## Search for group ##
471 | 
472 | Get-AzureADGroup -SearchString "sg"
473 | 
474 | ## Filter group based on object id ##
475 | 
476 | Get-AzureADGroup -ObjectId 93291438-be19-472e-a1d6-9b178b7ac619 | fl
477 | 
478 | ## Synced user groups ##
479 | 
480 | Get-AzureADGroup -Filter 'DirSyncEnabled eq true' | select ObjectId,DisplayName,LastDirSyncTime
481 | 
482 | ## Cloud only groups ##
483 | 
484 | Get-AzureADGroup -All $true | where-Object {$_.OnPremisesSecurityIdentifier -eq $null}
485 | 
486 | ## View group members ##
487 | 
488 | Get-AzureADGroupMember -ObjectId 2a11d5ee-8383-44d1-9fbd-85cb4dcc2d5a
489 | 
490 | ## Add member to group ##
491 | 
492 | Add-AzureADGroupMember -ObjectId 2a11d5ee-8383-44d1-9fbd-85cb4dcc2d5a -RefObjectId a6aeced9-909e-4684-8712-d0f242451338
493 | 
494 | ## Remove member from a group ##
495 | 
496 | Remove-AzureADGroupMember -ObjectId 2a11d5ee-8383-44d1-9fbd-85cb4dcc2d5a -MemberId a6aeced9-909e-4684-8712-d0f242451338
497 | 
498 |      ## ------------------------------------------------------------------------------ ##
499 | 
500 | #######Script to Add Multiple users to Security Group#############
501 | 
502 | Import-Module AzureAD
503 | Connect-AzureAD
504 | ##### Search for users in Marketing Department ##########
505 | Get-AzureADUser -All $true -Filter "Department eq 'Marketing'" | select ObjectId | Out-File -FilePath C:\salesusers.txt
506 | #####Add Users to Sales Group#########
507 | (Get-Content "C:\salesusers.txt" | select-object -skip 3) | ForEach { Add-AzureADGroupMember -ObjectId f9f51d29-e093-4e57-ad79-2fc5ae3517db -RefObjectId $_ }
508 | 
509 | ## Create Cloud only group ##
510 | 
511 | New-AzureADGroup -DisplayName "REBELADMIN Sales Team" -MailEnabled $false -MailNickName "salesteam" -SecurityEnabled $true
512 | 
513 | ## Remove a group ##
514 | 
515 | Remove-AzureADGroup -ObjectId 7592b555-343d-4f73-a6f1-2270d7cf014f
516 | 
517 | ## List administrative roles ##
518 | 
519 | Get-AzureADDirectoryRoleTemplate
520 | 
521 | ## List directory roles ##
522 | 
523 | Get-AzureADDirectoryRole
524 | 
525 | ## Enable administrative role ##
526 | 
527 | Enable-AzureADDirectoryRole -RoleTemplateId e6d1a23a-da11-4be4-9570-befc86d067a7
528 | 
529 | ## Assign administrative role to a user ##
530 | 
531 | Add-AzureADDirectoryRoleMember -ObjectId b63c1671-625a-4a80-8bae-6487423909ca -RefObjectId 581c7265-c8cc-493b-9686-771b2f10a77e
532 | 
533 | ## Remove role from a user ##
534 | 
535 | Remove-AzureADDirectoryRoleMember -ObjectId 36b9ac02-9dfc-402a-8d44-ba2d8995dc06 -MemberId 165ebcb7-f07d-42d2-a52e-90f44e71e4a1


--------------------------------------------------------------------------------