Active Directory

PowerShell: Mapping GPOs to their Linked Organizational Units

Posted on Updated on

As an Active Directory environment grows, keeping track of where specific Group Policy Objects (GPOs) are linked becomes a significant challenge. The “Group Policy Management Console” (GPMC) is great for looking at one GPO at a time, but if you need a bird’s-eye view of your entire inheritance structure, you need automation.

This PowerShell script sweeps through all Organizational Units (OUs), identifies the unique GUIDs of linked policies, resolves those GUIDs into human-readable GPO names, and exports the mapping to a CSV file.

The PowerShell Script

Before running, create a folder at C:\temp\GroupPolicyandLinkedOU\. This script requires the Active Directory and Group Policy modules (included with RSAT).

PowerShell
# Initialize the output file with headers
$Header = "GPO_Name;OU_Name;OU_DistinguishedName"
$Path = "C:\temp\GroupPolicyandLinkedOU\out.csv"
if (!(Test-Path "C:\temp\GroupPolicyandLinkedOU\")) { New-Item -ItemType Directory -Path "C:\temp\GroupPolicyandLinkedOU\" }
$Header | Out-File $Path
# Get all OUs with their linked GPO attributes
$policies = Get-ADOrganizationalUnit -Filter * -Properties LinkedGroupPolicyObjects
$policies | ForEach-Object { 
    $OUName = $_.Name
    $OUDN = $_.DistinguishedName
    $LinkedGPOs = $_.LinkedGroupPolicyObjects
    
    foreach($LinkedGPO in $LinkedGPOs) {
        # Extract the GUID from the DistinguishedName string
        # String format is usually: cn={GUID},cn=policies,cn=system,DC=domain...
        $GUID = $LinkedGPO.Split(",")[0].Replace("cn={","").Replace("}","").Replace("CN={","")
        
        try {
            # Resolve the GUID to a friendly Display Name
            $GPO = Get-GPO -Guid $GUID
            $msg = "$($GPO.DisplayName);$OUName;$OUDN"
            
            # Output to console and file
            Write-Host "Mapped: $($GPO.DisplayName) -> $OUName" -ForegroundColor Cyan
            $msg | Out-File $Path -Append
        }
        catch {
            Write-Warning "Could not resolve GPO GUID: $GUID linked at $OUName"
        }
    }
}

How it Works

  • LinkedGroupPolicyObjects Property: The script looks at the raw attribute on the OU object. In Active Directory, links aren’t stored as names; they are stored as the DistinguishedName of the GPO container, which includes the GUID.
  • String Manipulation: The script uses .Split and .Replace to strip away the LDAP syntax, leaving only the raw GUID string.
  • Get-GPO -Guid: This cmdlet takes that raw ID and queries the domain for the actual GPO metadata, allowing us to retrieve the DisplayName.
  • Semicolon Delimited: The output uses ; as a delimiter. When opening the file in Excel, you can easily use “Text to Columns” to separate the data into clean fields.

Why Use This Script?

  1. Inheritance Audits: Quickly see if a legacy GPO is linked to an OU it shouldn’t be.
  2. Troubleshooting: If a user is getting a strange setting, you can search the CSV for their OU and see every policy applied.
  3. Clean-up: Identify “ghost” links—SIDs/GUIDs that remain linked to an OU even though the GPO itself has been deleted.

#PowerShell #ActiveDirectory #GroupPolicy #SysAdmin #WindowsServer #ITAutomation #LazyAdmin #TechTips #ITPro #Infrastructure

This entry was posted in Active Directory, Scripts, Windows and tagged , , , , , , , , , .

PowerShell Script: Quickly Convert SIDs to Usernames

Posted on Updated on

Have you ever looked at a security log or a orphaned folder permission and seen a string like S-1-5-21-3623811015-3361044348-30300820-1013? Those are SIDs (Security Identifiers). While they are great for the Windows OS, they are nearly impossible for humans to read.

If you have a list of these SIDs from an audit or a log file, you don’t have to look them up one by one. This PowerShell script will take a bulk list of SIDs and “translate” them into readable Usernames (UIDs).

The PowerShell Script

Save this script as SIDtoUID.ps1. It uses the .NET SecurityIdentifier class to perform the translation locally or against your Active Directory domain.

PowerShell
# Create or clear the output file
Out-File UID.txt
# Loop through each SID in the source text file
foreach ($SID in (Get-Content SID.txt))
{
    # Create a SID object
    $objSID = New-Object System.Security.Principal.SecurityIdentifier ($SID)
    
    Try
    {
        # Attempt to translate the SID to an NT Account name
        $objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
        
        # Append the Username to the output file
        $objUser.Value >> UID.txt
        Write-Host "Translated: $SID -> $($objUser.Value)" -ForegroundColor Green
    }
    Catch
    {
        # If translation fails (e.g., deleted account), keep the original SID
        $SID >> UID.txt
        Write-Warning "Failed to translate: $SID"
    }
}

How to Use It

  1. Create your input: Create a file named SID.txt in the same folder as the script. Paste your SIDs there, one per line.
  2. Run the script: Open PowerShell and execute .\SIDtoUID.ps1.
  3. Check your results: A new file named UID.txt will appear, containing the translated usernames in the same order as your original list.

Why do SIDs sometimes fail to translate?

In the Catch block of the script, we tell PowerShell to just output the original SID if it can’t find a match. This usually happens for two reasons:

  • Deleted Accounts: The user or group no longer exists in Active Directory, leaving behind an “orphaned” SID.
  • Connectivity: Your machine cannot reach the Domain Controller to perform the lookup.

#PowerShell #ActiveDirectory #SysAdmin #ITPro #CyberSecurity #WindowsServer #Automation #LazyAdmin #TechTips #ITAudit

This entry was posted in Active Directory, Scripts, Windows and tagged , , , , , , , , .

PowerShell Script: Export User Group Memberships to CSV

Posted on Updated on

Auditing which users belong to which groups is one of the most frequent requests for a System Administrator. Whether it’s for a security audit, a helpdesk ticket, or a “copy permissions” request, digging through the Member Of tab in Active Directory is slow and prone to error.

This PowerShell script simplifies the process by generating a clean, object-based list of memberships that you can easily export to CSV, HTML, or plain text.

The PowerShell Script

Save the following code as Get-UserGroupMembership.ps1. It is designed to handle single users, lists from text files, or entire Organizational Units (OUs) via the pipeline.

PowerShell
Param (
    [Parameter(Mandatory=$true,ValueFromPipeLine=$true)]
    [Alias("ID","Users","Name")]
    [string[]]$User
)
Begin {
    Try { Import-Module ActiveDirectory -ErrorAction Stop }
    Catch { Write-Host "Unable to load Active Directory module. Is RSAT installed?"; Break }
}
Process {
    ForEach ($U in $User) {
        Try {
            $UN = Get-ADUser $U -Properties MemberOf
            $Groups = ForEach ($Group in ($UN.MemberOf)) {
                (Get-ADGroup $Group).Name
            }
            
            # Sort groups alphabetically for a cleaner report
            $Groups = $Groups | Sort
            
            ForEach ($Group in $Groups) {
                New-Object PSObject -Property @[ordered]@{
                    User  = $UN.Name
                    Group = $Group
                }
            }
        }
        Catch {
            Write-Warning "Could not find user: $U"
        }
    }
}

How to Use the Script

1. Single User Lookup

To quickly see the groups for one specific user:

PowerShell

.\Get-UserGroupMembership.ps1 -User "John.Doe"

2. Bulk Export from a Text File

If you have a list of usernames in users.txt, use this command to generate a full CSV report:

PowerShell

Get-Content C:\Temp\users.txt | .\Get-UserGroupMembership.ps1 | Export-CSV C:\Temp\UserMemberships.csv -NoTypeInformation

3. Audit an Entire OU

To see the memberships for every user within a specific department or location:

PowerShell

Get-ADUser -Filter * -SearchBase "OU=Users,DC=yourdomain,DC=local" | .\Get-UserGroupMembership.ps1 | Export-CSV C:\audit_output.csv -NoTypeInformation

Why This Method Beats the GUI

  • Alphabetical Sorting: Groups are presented A-Z, making it much easier to read than the random order in ADUC.
  • Pipeline Support: Because it outputs a PSObject, you can pipe it directly into ConvertTo-HTML for a report or Out-GridView for an interactive window.
  • Automation Ready: You can schedule this script to run weekly to maintain a “snapshot” of your environment’s security posture.

#PowerShell #ActiveDirectory #SysAdmin #WindowsServer #ITAdmin #CyberSecurity #Automation #LazyAdmin #TechTips #ITAudit

This entry was posted in Active Directory, Scripts, Windows and tagged , , , , , , , , .

Automating Active Directory: Export All AD Groups and Members to CSV

Posted on Updated on

Auditing Active Directory groups is a fundamental part of identity management. Whether you are performing a quarterly security review or preparing for a domain migration, knowing exactly who is in which group—and what the scope of those groups is—is essential.

This PowerShell script does more than just list group names; it iterates through every group in your domain, identifies the members (skipping disabled users to keep your data clean), and exports everything into a dated CSV file.

The PowerShell Script

Save this script as ADGroupsExport.ps1 in C:\Temp\ExportADgroups. Ensure you are running this from a machine with the RSAT (Remote Server Administration Tools) installed and logged in with a domain account that has read permissions.

PowerShell
# Get year and month for the filename
$DateTime = Get-Date -f "yyyy-MM"
# Set CSV file destination
$CSVFile = "C:\Temp\ExportADgroups\AD_Groups_"+$DateTime+".csv"
if (!(Test-Path "C:\Temp\ExportADgroups")) { New-Item -ItemType Directory -Path "C:\Temp\ExportADgroups" }
$CSVOutput = @()
# Fetch all AD groups
$ADGroups = Get-ADGroup -Filter *
$i = 0
$tot = $ADGroups.count
foreach ($ADGroup in $ADGroups) {
    $i++
    $status = "{0:N0}" -f ($i / $tot * 100)
    Write-Progress -Activity "Exporting AD Groups" -status "Processing Group $i of $tot : $status% Completed" -PercentComplete ($i / $tot * 100)
    $Members = ""
    # Fetch members and filter for enabled objects
    $MembersArr = Get-ADGroup $ADGroup.DistinguishedName -Properties Member | Select-Object -ExpandProperty Member
    if ($MembersArr) {
        foreach ($Member in $MembersArr) {  
            $ADObj = Get-ADObject -Filter "DistinguishedName -eq '$Member'" -Properties Enabled
            
            # Skip disabled users to keep the report relevant
            if ($ADObj.ObjectClass -eq "user" -and $ADObj.Enabled -eq $false) {
                continue
            }
            $Members = $Members + "," + $ADObj.Name  
        } 
        if ($Members) { 
            $Members = $Members.Substring(1) 
        } 
    }
    # Create ordered hash table for clean CSV columns
    $HashTab = [ordered]@{
        "Name"     = $ADGroup.Name
        "Category" = $ADGroup.GroupCategory
        "Scope"    = $ADGroup.GroupScope
        "Members"  = $Members
    }
    $CSVOutput += New-Object PSObject -Property $HashTab
}
# Sort by name and export
$CSVOutput | Sort-Object Name | Export-Csv $CSVFile -NoTypeInformation
Write-Host "Export Complete: $CSVFile" -ForegroundColor Green

Key Features of this Script

  • Progress Bar: Since large domains can take a long time to process, the Write-Progress bar gives you a real-time percentage of the completion.
  • Clean Membership Lists: The script concatenates all members into a single “Members” column, separated by commas, making it easy to read in Excel.
  • Disabled User Filtering: It intelligently checks the Enabled status of user objects. If a user is disabled, they are omitted from the report to focus on active security risks.
  • Scope & Category: Clearly identifies if a group is Security vs. Distribution and Global vs. Universal.

#ActiveDirectory #PowerShell #SysAdmin #ITAutomation #WindowsServer #IdentityManagement #LazyAdmin #TechTips #Reporting #CyberSecurity

This entry was posted in Active Directory, Scripts, Windows and tagged , , , , , , , , .

How to Export Folder and Share Permissions to CSV via PowerShell

Posted on Updated on

Auditing file share permissions is a critical task for security and compliance. While the Windows GUI allows you to view permissions one folder at a time, it is impossible to get a “big picture” view without automation.

By using the Get-Acl (Access Control List) cmdlet in PowerShell, you can recursively scan a directory and export every user and group permission to a clean CSV file for review in Excel.

The PowerShell Script

Save the following code as ExportFolderPermissions.ps1. Before running it, ensure you update the $FolderPath and the output path for the CSV file.

PowerShell
# Define the source path (Local folder or UNC Share)
$FolderPath = dir -Directory -Path "\\ServerName\SharePath" -Recurse -Force
$Report = @()
Foreach ($Folder in $FolderPath) {
    # Fetch the Access Control List for the current folder
    $Acl = Get-Acl -Path $Folder.FullName
    
    foreach ($Access in $acl.Access) {
        # Create an ordered object for each permission entry
        $Properties = [ordered]@{
            'FolderName'         = $Folder.FullName
            'AD Group or User'   = $Access.IdentityReference
            'Permissions'        = $Access.FileSystemRights
            'Inherited'          = $Access.IsInherited
        }
        $Report += New-Object -TypeName PSObject -Property $Properties
    }
}
# Export the final report to CSV
$Report | Export-Csv -Path "C:\Temp\FolderPermissions.csv" -NoTypeInformation

How the Script Works

  1. dir -Recurse: This command crawls through every subfolder within your target directory. The -Directory switch ensures we only look at folders, not individual files (which would make the report massive).
  2. Get-Acl: This retrieves the security descriptor for the folder, including who has access and what specific rights they have (Read, Write, Full Control, etc.).
  3. PSObject: We bundle the folder name, user identity, and rights into a custom object so that Export-Csv can easily format them into columns.
  4. IdentityReference: This shows you the exact AD Group or User name assigned to that folder.

💡 Lazy Admin Tips

  • Run as Admin: You must run PowerShell as an Administrator and have “Read Permissions” rights on the target folders, or the script will return “Access Denied” errors.
  • Performance: Scanning thousands of subfolders over a slow network link can take time. If you have a massive file server, run the script locally on the server itself rather than over a mapped drive.
  • Filter Results: Once you open the CSV in Excel, use Filters to quickly find “Everyone” or “Anonymous” permissions, or to see which folders have inheritance disabled.

#PowerShell #SysAdmin #ActiveDirectory #SecurityAudit #WindowsServer #ITPro #Coding #LazyAdmin #CyberSecurity #TechTips

This entry was posted in Scripts, Windows and tagged , , , , , , , , .

Mapping Your AD: VBScript to List OUs in Parent-Child Order | Lazy Admin Blog

Posted on Updated on

When you’re managing a complex Active Directory environment, getting a clear “birds-eye view” of your structure is essential. While the Active Directory Users & Computers (dsa.msc) snap-in is great for manual navigation, sometimes you need a flat text output that preserves the visual hierarchy of your Organizational Units (OUs).

The following VBScript crawls your LDAP directory and mirrors the parent-child nesting you see in your GUI tools.

📜 The Script: ListAllOUs_ParentChild.vbs

Copy the code below and save it as ListAllOUs_ParentChild.vbs.

VBScript
Option Explicit
Const ADS_SCOPE_SUBTREE = 2
Dim ObjConn, ObjRS, ObjRootDSE
Dim StrSQL, StrDomName, ObjOU
' Get the local domain name
Set ObjRootDSE = GetObject("LDAP://RootDSE")
StrDomName = Trim(ObjRootDSE.Get("DefaultNamingContext"))
Set ObjRootDSE = Nothing
' SQL Query to find OUs (Excluding Domain Controllers)
StrSQL = "Select Name, ADsPath From 'LDAP://" & StrDomName & "' Where ObjectCategory = 'OrganizationalUnit' And Name <> 'Domain Controllers'"
Set ObjConn = CreateObject("ADODB.Connection")
ObjConn.Provider = "ADsDSOObject"
ObjConn.Open "Active Directory Provider"
Set ObjRS = CreateObject("ADODB.Recordset")
ObjRS.Open StrSQL, ObjConn
If Not ObjRS.EOF Then
    ObjRS.MoveLast: ObjRS.MoveFirst
    WScript.Echo vbNullString
    WScript.Echo "Total OU: " & Trim(ObjRS.RecordCount)
    WScript.Echo "==================="
    WScript.Echo vbNullString
    
    While Not ObjRS.EOF
        Set ObjOU = GetObject(Trim(ObjRS.Fields("ADsPath").Value))
        ' Check if it's a top-level Parent OU
        If StrComp(Right(Trim(ObjOU.Parent), Len(Trim(ObjOU.Parent)) - 7), StrDomName, VbTextCompare) = 0 Then
            WScript.Echo "Parent OU: " & Trim(ObjRS.Fields("Name").Value)
            GetChild(ObjOU)
        End If      
        ObjRS.MoveNext
        Set ObjOU = Nothing
    Wend
End If
ObjRS.Close: Set ObjRS = Nothing
ObjConn.Close: Set ObjConn = Nothing
' Subroutine to find first-level children
Private Sub GetChild(ThisObject)
    Dim ObjChild
    For Each ObjChild In ThisObject
        If StrComp(Trim(ObjChild.Class), "OrganizationalUnit", VbTextCompare) = 0 Then
            WScript.Echo vbTab & ">> Child OU: " & Right(Trim(ObjChild.Name), Len(Trim(ObjChild.Name)) - 3)
            GetGrandChild (ObjChild.ADsPath)
        End If      
    Next
End Sub
' Recursive subroutine to find all nested children
Private Sub GetGrandChild (ThisADsPath)
    Dim ObjGrand, ObjItem
    Set ObjGrand = GetObject(ThisADsPath)
    For Each ObjItem In ObjGrand
        If StrComp(Trim(ObjItem.Class), "OrganizationalUnit", VbTextCompare) = 0 Then
            WScript.Echo vbTab & vbTab & ">> Child OU: " & Right(Trim(ObjItem.Name), Len(Trim(ObjItem.Name)) - 3)
            GetGrandChild Trim(ObjItem.ADsPath)
        End If
    Next    
    Set ObjGrand = Nothing
End Sub

🚀 How to Execute

To run this script correctly and avoid “Windows Script Host” popup boxes for every line, you must use the command-line engine (CScript).

Example Command: CScript /NoLogo ListAllOUs_ParentChild.vbs

Output Preview:

Parent OU: Sales

Child OU: North_Region

Child OU: South_Region

>> Child OU: Retail_Stores

#ActiveDirectory #SysAdmin #WindowsServer #Automation #VBScript #ITAdmin #LazyAdmin #LDAP #DirectoryServices #InfrastructureAsCode #Scripting #ADUC

This entry was posted in Active Directory, Scripts and tagged , , , , , , , , , .

Deep Audit: Listing Nested Active Directory Group Members via VBScript | Lazy Admin Blog

Posted on Updated on

Have you ever looked at a “Domain Admins” group and thought it looked suspiciously small? The culprit is usually nesting. Standard AD queries often fail to “recurse,” meaning they show you the subgroup but not the people inside it.

This script, ListGroupMembers_IncludingNested.vbs, uses a recursive function to dive into every sub-group and extract the actual users, ensuring your security audits are 100% accurate.

The Script: How it Works

The script utilizes a Dictionary Object to keep track of groups it has already scanned. This is a critical “Lazy Admin” safety feature—it prevents the script from getting stuck in an infinite loop if two groups are members of each other.

Usage Instructions

  1. Copy the code below into Notepad.
  2. Edit the StrGroupName variable to match your target group.
  3. Save the file as ListGroupMembers.vbs.
  4. Run it from the command prompt using cscript ListGroupMembers.vbs.
VBScript
' -- Save as ListGroupMembers_IncludingNested.vbs
Option Explicit
Dim ObjRootDSE, ObjConn, ObjRS, ObjCustom
Dim StrDomainName, StrGroupName, StrSQL, StrGroupDN, StrEmptySpace
Set ObjRootDSE = GetObject("LDAP://RootDSE")
StrDomainName = Trim(ObjRootDSE.Get("DefaultNamingContext"))
' -- Edit the line below with your Group Name
StrGroupName = "YourGroupNameHere" 
StrSQL = "Select ADsPath From 'LDAP://" & StrDomainName & "' Where ObjectCategory = 'Group' AND Name = '" & StrGroupName & "'"
Set ObjConn = CreateObject("ADODB.Connection")
ObjConn.Provider = "ADsDSOObject": ObjConn.Open "Active Directory Provider"
Set ObjRS = ObjConn.Execute(StrSQL)
If ObjRS.EOF Then
    WScript.Echo "Group not found: " & StrGroupName
Else
    StrGroupDN = Trim(ObjRS.Fields("ADsPath").Value)
    Set ObjCustom = CreateObject("Scripting.Dictionary")
    GetAllNestedMembers StrGroupDN, " ", ObjCustom
End If

Why VBScript in 2026?

While PowerShell is the modern standard, many legacy environments and automated scheduled tasks still rely on VBScript because it requires zero execution policy changes and runs natively on every Windows machine since Server 2000. It is the “Old Reliable” of the AD world.

Key Features of this Script

  • Recursive Discovery: It doesn’t just stop at the first layer.
  • Class Identification: Clearly marks if a member is a User, Computer, or another Group.
  • Loop Protection: Uses the Scripting.Dictionary to escape circular nesting traps.

#ActiveDirectory #WindowsServer #CyberSecurity #SysAdmin #ITAudit #VBScript #Automation #LazyAdmin #TechArchive

This entry was posted in Active Directory, Scripts and tagged , , , , , , , , .

Stop Hunting for Web Servers: How to Auto-Discover Every IIS Instance in Your Domain | Lazy Admin Blog

Posted on Updated on

IIS Discovery

Have you ever been asked for a list of every active web server in your environment, only to realize your documentation is six months out of date? You could check your DNS records manually, or you could let PowerShell do the detective work for you.

This script scans your Active Directory for Windows Servers, checks if the World Wide Web Publishing Service (W3SVC) is actually running, and then pulls a deep-profile of the hardware, OS, and network configuration for every active hit.

The Setup

  1. Create the workspace: Create a folder at C:\Temp\ServersRunningIIS.
  2. Prepare the list: The script will automatically generate a list of all Windows Servers from AD, but ensure you have the Active Directory PowerShell module installed.
  3. Run with Privileges: Since the script uses WMI to query remote system info (RAM, OS Version, etc.), run your PowerShell ISE or Console as a Domain Admin.

The PowerShell Script

PowerShell
# Script: IIS Server Discovery & Profiler
# Location: lazyadminblog.com
# Purpose: Identify active IIS nodes and collect hardware/OS specs
Import-Module ActiveDirectory
# 1. Harvest all Windows Servers from AD
Write-Host "Gathering server list from Active Directory..." -ForegroundColor Cyan
$servers = Get-ADComputer -Filter {operatingsystem -Like "Windows server*"} | Select-Object -ExpandProperty Name
$servers | Out-File "C:\Temp\ServersRunningIIS\serverlist.txt"
# 2. Load the list for processing
$serversall = Get-Content "C:\Temp\ServersRunningIIS\serverlist.txt" 
Start-Transcript -Path "C:\Temp\ServersRunningIIS\log_output.txt" -Append
foreach($vm in $serversall) {
    try {
        # Check if IIS Service (W3SVC) exists and is running
        $iis = Get-WmiObject Win32_Service -ComputerName $vm -Filter "name='W3SVC'" -ErrorAction SilentlyContinue
        
        if($iis.State -eq "Running") {
            Write-Host "FOUND: IIS is active on $vm" -BackgroundColor DarkBlue -ForegroundColor DarkYellow
            
            # Collect Network Info
            $ipinfo = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $vm | 
                      Where-Object {$_.IPEnabled -eq $true -and $_.IPAddress -like "1*"} | Select-Object -First 1
            
            # Collect Hardware Info
            $hwinfo = Get-WmiObject Win32_Computersystem -ComputerName $vm 
            
            # Collect OS Info
            $osinfo = Get-WmiObject Win32_OperatingSystem -ComputerName $vm 
            # Flattening data for CSV-style output
            $allinfo = "$($hwinfo.Name);$($hwinfo.Domain);$($ipinfo.IPAddress);$($ipinfo.IPSubnet);$($ipinfo.DefaultIPGateway);$($hwinfo.TotalPhysicalMemory);$($hwinfo.Manufacturer);$($hwinfo.Model);$($osinfo.Caption);$($osinfo.OSArchitecture);$($osinfo.ServicePackMajorVersion);$($osinfo.SystemDrive);$($osinfo.Version)"
            
            # Save results to our 'Running' list
            $allinfo | Out-File "C:\Temp\ServersRunningIIS\RunningWebServers.txt" -Append
        }
    }
    catch {
        Write-Host "Could not connect to $vm" -ForegroundColor Red
    }
}
Stop-Transcript
Write-Host "Audit Complete! Check C:\Temp\ServersRunningIIS\RunningWebServers.txt" -ForegroundColor Green

What’s inside the report?

The output file (RunningWebServers.txt) uses a semicolon (;) delimiter, making it easy to import into Excel. It captures:

  • Network: IP Address, Subnet, and Gateway.
  • Hardware: Manufacturer, Model, RAM, and Domain membership.
  • Software: OS Version, Architecture (x64/x86), and System Drive.

Lazy Admin Tip

If you want to open the results immediately in Excel, just rename the output file from .txt to .csv and use the “Text to Columns” feature in Excel with the semicolon as the separator!

This entry was posted in Active Directory, Scripts and tagged , , , , , , , , , , , .

Guide to ADFS Federation (Metadata Import Edition) | Lazy Admin Blog

Posted on Updated on

How to set up a Relying Party Trust in 5 minutes using XML metadata.

Setting up a manual federation trust is a recipe for typos. If a 3rd party sends you a URL or an XML file, use it. Importing metadata ensures that certificates, identifiers, and endpoints are configured perfectly without you having to manually paste long strings of thumbprints.

1. The Pre-Reqs (Don’t start without these!)

Before you open the ADFS console, make sure you have:

  • The Metadata: Either a file or a URL (e.g., https://adfs.xyz.com/federationmetadata/2007-06/federationmetadata.xml).
  • The Claim Mapping: Exactly which LDAP attribute they need (e.g., Employee-ID) and what it should be called on their end (e.g., Name ID).
  • Contact Info: Name, email, and phone for their admin. Put this in the Notes field so the next admin isn’t hunting for it during a certificate expiry.

2. Step-by-Step: Adding the Trust

  1. Open ADFS Management and go to Trust Relationships > Relying Party Trusts.
  2. Right-click and select Add Relying Party Trust.
  3. Select Data Source: Choose “Import data about the relying party from a file” and point it to their federationmetadata.xml.
  4. MFA: Select “I do not want to configure multi-factor authentication” (unless required by your security policy).
  5. Authorization: Select “Permit all users to access this relying party.”
  6. Finish: On the final screen, open the Notes tab and paste the 3rd party contact details.

3. Configuring the Claim Rules

This is the “handshake” where you translate your AD data into something they can read.

  1. Right-click your new trust and select Edit Claim Rules.
  2. Click Add Rule and choose “Send LDAP Attributes as Claims.”
  3. Claim Rule Name: “Send EmployeeID as NameID” (Be descriptive!).
  4. Attribute Store: Active Directory.
  5. Mapping:
    • LDAP Attribute: Employee-ID
    • Outgoing Claim Type: Name ID

4. The “Lazy” Testing Method

Don’t wait for them to tell you it’s broken. Test it yourself:

  1. Go to your ADFS sign-on page: https://your-adfs-url.com/adfs/ls/idpinitiatedsignon.htm.
  2. Select the new trust from the list and sign in.
  3. The Proof: Take a screenshot of the successful login page and send it to the 3rd party. If you can see the trust, you’ve done your part.

This entry was posted in Active Directory and tagged , , , , , , , , , .

Setting Up Microsoft Entra Connect (Step-by-Step) | Lazy Admin Blog

Posted on Updated on

Why do manual user management when you can let a sync engine do the heavy lifting?

If you’re still manually creating users in both on-premises Active Directory and the Microsoft 365 portal, stop. You’re working too hard. Microsoft Entra Connect (formerly Azure AD Connect) is the “bridge” that syncs your local identities to the cloud. Set it up once, and your users get one identity for everything.

1. The “Pre-Flight” Checklist (Don’t skip this!)

The biggest mistake admins make is running the installer before the environment is ready. To be truly “lazy,” do the prep work so the installation doesn’t fail midway.

  • Server: A domain-joined Windows Server 2016 or later (2022 is recommended).
  • Hardware: Minimum 4GB RAM and a 70GB hard drive.
  • Permissions: * Local: You need to be a Local Admin on the sync server.
    • On-Prem: An Enterprise Admin account for the initial setup.
    • Cloud: A Global Administrator or Hybrid Identity Administrator account in Entra ID.
  • Software: .NET Framework 4.7.2 or higher and TLS 1.2 enabled.

Pro Tip: Run the Microsoft IdFix tool first. It finds duplicate emails and weird characters in your AD that would otherwise break the sync.

2. Step-by-Step Installation

Download the latest version of the Entra Connect MSI here.

Step A: The Express Route

  1. Launch AzureADConnect.msi.
  2. Agree to the terms and click Use Express Settings. (Note: Use “Custom” only if you have multiple forests or need specific attribute filtering).
  3. Connect to Entra ID: Enter your Cloud Admin credentials.
  4. Connect to AD DS: Enter your Enterprise Admin credentials.
  5. Entra ID Sign-in: Ensure your UPN suffixes match. If your local domain is corp.local but your email is lazyadminblog.com, you need to add lazyadminblog.com as a UPN suffix in AD.

Step B: The “Staging Mode” Safety Net

Before you hit install, you’ll see a checkbox for “Start the synchronization process when configuration completes.” If you are replacing an old server or are nervous about what will happen to your 5,000 users, check the “Enable staging mode” box. This allows the server to calculate the sync results without actually exporting anything to the cloud. You can “peek” at the results before going live.

3. Post-Setup: The “Lazy” Health Check

Once installed, the sync runs every 30 minutes by default. You don’t need to babysit it, but you should know how to check it:

  • The Desktop Tool: Open the Synchronization Service Manager to see a green “Success” status for every run.
  • The PowerShell Way: To force a sync right now (because you’re too impatient for the 30-minute window), run:PowerShellStart-ADSyncSyncCycle -PolicyType Delta

4. Troubleshooting Common “Gotchas”

  • “Top-level domain not verified”: You forgot to add your domain (e.g., https://www.google.com/search?q=myblog.com) to the Entra ID portal.
  • “Object Synchronization Triggered Deletion”: By default, Entra Connect won’t delete more than 500 objects at once. This is a safety feature to stop you from accidentally wiping your cloud directory. If you intended to delete them, you’ll need to disable the export deletion threshold.

The “Lazy Admin” Sync Monitor Script

Copy and save this as Monitor-EntraSync.ps1 on your sync server.

# --- CONFIGURATION ---
$SMTPServer = "smtp.yourrelay.com"
$From = "EntraAlert@lazyadminblog.com"
$To = "you@yourcompany.com"
$Subject = "⚠️ ALERT: Entra ID Sync Failure on $(hostname)"
# --- THE LOGIC ---
# Import the AdSync module (usually already loaded on the server)
Import-Module ADSync
# Get the statistics of the very last sync run
$LastRun = Get-ADSyncRunProfileResult | Sort-Object StartDateTime -Descending | Select-Object -First 1
# Check if the result was NOT 'success'
if ($LastRun.Result -ne "success") {
    $Body = @"
    The last Entra ID Sync cycle failed!
    
    Server: $(hostname)
    Run Profile: $($LastRun.RunProfileName)
    End Time: $($LastRun.EndDateTime)
    Result: $($LastRun.Result)
    
    Please log in to the Synchronization Service Manager to investigate.
"@
    # Send the alert
    Send-MailMessage -SmtpServer $SMTPServer -From $From -To $To -Subject $Subject -Body $Body -Priority High
}

🛠️ How to set it up (The Lazy Way)

To make this fully automated, follow these steps:

  1. Create a Scheduled Task: Open Task Scheduler on your Entra Connect server.
  2. Trigger: Set it to run every hour (or every 30 minutes to match your sync cycle).
  3. Action: * Program/script:powershell.exe
    • Add arguments: -ExecutionPolicy Bypass -File "C:\Scripts\Monitor-EntraSync.ps1"
  4. Security Options: Run it as SYSTEM or a Service Account that has local admin rights so it can access the ADSync module.

Why this is better than “Default” monitoring:

  • No Noise: You only get an email if there is an actual problem.
  • Proactive: You’ll likely know the sync is broken before your users start complaining that their new passwords aren’t working.
  • Zero Cost: No need for expensive third-party monitoring tools for a single-server task.

References & Further Reading

This entry was posted in Azure and tagged , , , , , , , , , , , , , , .