Category Archives: Active Directory

Secure Your Wireless Network With WPA2-EAP

I have been reading a bit about wireless security over the past week, as it is part of the 70-642 MCTS exam “Configuring Windows 2008 Network Infrastructure” that I am currently studying for (I will be sitting the exam in the next week or two, so subscribe to my RSS feed so you don’t miss out on some inside tips!). We are currently running a wireless infrastructure with Cisco 1200 access points, a Windows 2003 RADIUS server, WEP 128-bit encryption (keys auto-rotated every hour) and auto-enrolled certificates from our Windows 2003 CA for authentication. This has been working pretty well, but WPA2, the updated version of WPA, comes in two flavours, WPA2-PSK and WPA2-EAP, and offers improved security and better protection from attacks. If all your clients can support WPA2-EAP then it should be your first choice.

To kick things off you first of all need a PKI infrastructure, with autoenrollment enabled so that all your wireless clients obtain the correct certificates for the authentication process.

1. Install the Active Directory Certificate Services (ADCS) role on the server, using the default settings.

2. Next, open the Group Policy Management Console and either edit an existing policy or create a new one to apply the wireless settings to your clients. The section we want is Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. In the details pane, right-click Certificate Services Client – Autoenrollment and select Properties. In the Properties dialog box select Enabled from the drop-down box and then tick the other boxes (optional).

How To Migrate User Home Directories with RoboCopy

Here is a task that most network administrators will face at one time or another: moving user home directories from one server to another. We are in the process of organising new servers for 2009; these will be Windows Server 2008, while the current servers are running Windows Server 2003 Standard Edition. Currently our home folders are individually shared as hidden shares, and I want to move to a convention of a single shared parent Users folder containing one folder per user, none of which is shared.

I wanted to explore the PowerShell option to copy from the source server to the destination server and keep the NTFS permissions intact after the copy, as I have previously used PowerShell to do a bulk import of users into Active Directory and that worked a treat. I was a bit disappointed with the PowerShell options using Get-Acl and Set-Acl because I could do individual folders one at a time, but that would take forever, and I couldn’t see an easy way to iterate through them...
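As an added example (not the post’s own command), here is the per-user Robocopy loop for a migration like this, with the NTFS-permission check you want afterwards: the server names and paths are assumptions.

```powershell
# Added example (not the post's own script): copy every user's home folder from the old
# server into one parent folder on the new server, preserving NTFS permissions, then verify
# that the permissions really arrived. Server names and paths below are assumptions.
$Source   = "\\OLDSERVER\D$\Home"   # assumed: old server, one hidden-shared subfolder per user
$Dest     = "D:\Users"              # assumed: new parent folder, shared once; subfolders unshared
$Log      = "C:\HomeMigration.log"
$Problems = @()

# Returns the explicit (non-inherited) ACEs of a folder as one sorted string, so two folders
# can be compared even though their inherited entries legitimately differ between servers.
function Get-ExplicitAceString($Path) {
    $aces = (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)" }
    return (($aces | Sort-Object) -join ';')
}

Get-ChildItem -Path $Source | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $user = $_.Name
    $from = Join-Path $Source $user
    $to   = Join-Path $Dest   $user

    # /E        subfolders, including empty ones   /COPYALL  data, attributes, timestamps,
    # /ZB       restartable, fall back to backup mode         security (DACL), owner, auditing
    # /XJ       do not follow junctions             /R:1 /W:1 do not hang on locked files
    robocopy $from $to /E /COPYALL /ZB /XJ /R:1 /W:1 /NP /NFL /NDL "/LOG+:$Log" | Out-Null

    # Exit codes 0-7 are informational; 8 and above mean at least one file failed to copy.
    if ($LASTEXITCODE -ge 8) { $Problems += "$user : robocopy exit code $LASTEXITCODE" }

    # Check owner and explicit ACEs on each migrated top-level folder.
    if ((Get-Acl $from).Owner -ne (Get-Acl $to).Owner) { $Problems += "$user : owner differs" }
    if ((Get-ExplicitAceString $from) -ne (Get-ExplicitAceString $to)) {
        $Problems += "$user : explicit permissions differ"
    }
}

$Problems | Out-File -FilePath "C:\HomeMigration-problems.txt"
if ($Problems.Count -gt 0) { Write-Warning "$($Problems.Count) folder(s) need attention; see the problems file" }
```

/COPYALL needs the Backup privilege on both sides, which is why the loop is meant to be run from an elevated session as an account that is an administrator on both servers.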


How To Use PowerShell to Bulk Import Users into Active Directory

Well, it is coming to that time of year again when we will be given a list of new students enrolled for the 2009 school year, and of course it is up to the IT department to create the hundreds of accounts. This year I thought I would have a crack at using PowerShell to do a bulk import into Active Directory.

The first thing I found was that PowerShell doesn’t have any specific Active Directory cmdlets, so I found these PowerShell cmdlets from Quest: a must-have if you are working with Active Directory and PowerShell. There are a few prerequisites before installing, so grab the associated PDF document and have a read. Once installed, the cmdlets are loaded into a PowerShell session with Add-PSSnapin Quest.ActiveRoles.ADManagement. Let’s build the script!

I want to be able to import users from a CSV file, so the cmdlet I am interested in is Import-CSV, which takes the file name as a parameter, like so:

Import-CSV C:\New.csv

The next step is to iterate through the file. This is done by piping the contents of the CSV file to the ForEach-Object cmdlet, which in turn calls the New-QADUser cmdlet for each row:

Import-CSV C:\New.csv | ForEach-Object {New-QADUser -ou domain.local/Students/2009 -name $_.Name -Description $_.Description -City $_.City -UserPassword $_.Password -SamAccountName $_.sAMAccountName -FirstName $_.FirstName -LastName $_.LastName -DisplayName $_.Name -UserPrincipalName $_.UPN}

If you type get-help New-QADUser you will see the syntax and all the parameters you can include. In the above script you will see $_.Name etc. Each $_.<column> reads the CSV column with that header, so the column headings must match the names used in the script. My CSV file had Name, Description, UserPassword, sAMAccountName, FirstName, LastName, DisplayName and UPN. You can see the connection above. It doesn’t even matter what order they are in in the CSV file!
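As an added example (not the post’s script), the same Quest-based import with the checks a school-year import needs: the CSV headers are validated against the column names the script reads, accounts that already exist are skipped, and each new user is forced to change the CSV password at first logon. The file paths, OU and column names are assumptions, and the target OU is given to New-QADUser as -ParentContainer.

```powershell
# Added example (not the post's script): Quest-based bulk import with validation and a log.
# File paths, OU and column names are assumptions.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$CsvPath  = "C:\New.csv"                    # assumed input file
$TargetOU = "domain.local/Students/2009"     # assumed target OU, canonical-name form
$LogPath  = "C:\New-Import.log"              # assumed log file
$Required = "Name","sAMAccountName","UPN","Password","FirstName","LastName"

$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0) { throw "No rows in $CsvPath" }

# Headers must match the $row.<column> names used below; fail early rather than create
# hundreds of accounts with blank attributes.
$headers = $rows[0].PSObject.Properties | ForEach-Object { $_.Name }
$missing = $Required | Where-Object { $headers -notcontains $_ }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

foreach ($row in $rows) {
    $sam = $row.sAMAccountName
    if ($sam.Length -gt 20) {                         # pre-Windows 2000 logon name limit
        Add-Content $LogPath "SKIP $sam : sAMAccountName longer than 20 characters"; continue
    }
    if (Get-QADUser -SamAccountName $sam -ErrorAction SilentlyContinue) {
        Add-Content $LogPath "SKIP $sam : account already exists"; continue
    }
    try {
        New-QADUser -ParentContainer $TargetOU -Name $row.Name -SamAccountName $sam `
            -UserPrincipalName $row.UPN -FirstName $row.FirstName -LastName $row.LastName `
            -DisplayName $row.Name -Description $row.Description -City $row.City `
            -UserPassword $row.Password -ErrorAction Stop | Out-Null
        # pwdLastSet = 0 sets "user must change password at next logon", so the password
        # that was sitting in the CSV does not stay valid after the first logon.
        Set-QADUser -Identity $sam -ObjectAttributes @{pwdLastSet = 0} -ErrorAction Stop | Out-Null
        Add-Content $LogPath "OK   $sam"
    } catch {
        Add-Content $LogPath "FAIL $sam : $($_.Exception.Message)"
    }
}
```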


Disable Inactive Active Directory User Accounts

Let me first start by saying that we have a pretty unorganised Active Directory structure at the moment, but that will change. Today I took the first step towards getting some order into our AD structure: disabling all accounts that have been inactive for a period of time. To do this I simply used DSQuery and piped the results to DSMod, and there we have it, all the accounts are disabled.

Here is the command I used (the -inactive value is in weeks):

dsquery user -inactive 40 -limit 0 | dsmod user -disabled yes

I know, I know, pretty simple, but something that is good to have in the toolkit. I then went on and did the same for the computer accounts. Then from the Active Directory Users and Computers snap-in I could create a query to look up all the disabled user and computer accounts and either delete them or move them to a temp OU before deleting.
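As an added example (not the post’s one-liner), the same dsquery/dsmod clean-up with a review step, an exclusion list and a log, followed by the move to a holding OU that the post describes doing by hand; the OU name, exclusion list and file paths are assumptions.

```powershell
# Added example (not the post's one-liner): inactive-account clean-up with a review pass.
# The holding OU, exclusion names and paths are assumptions.
$Weeks     = 40                                                # -inactive is measured in weeks
$HoldingOU = "OU=Disabled-Pending-Delete,DC=domain,DC=local"   # assumed; must already exist
$Exclude   = "Administrator","krbtgt","Guest"                  # assumed: never touch these
$Stamp     = Get-Date -Format "yyyyMMdd-HHmm"
$Log       = "C:\AD-Cleanup-$Stamp.log"
$ListOnly  = $true      # first run: only write the candidate list; set to $false to act

# 1. Query. dsquery prints one double-quoted DN per line; strip the quotes so PowerShell
#    can re-quote the DN itself when it is handed to dsmod/dsmove.
$users = @(dsquery user -inactive $Weeks -limit 0 | ForEach-Object { $_.Trim('"') })

# 2. Exclude by CN (the first RDN). A CN containing an escaped comma is not handled here.
$targets = @($users | Where-Object {
    $cn = (($_ -split ',')[0] -replace '^CN=', '')
    $Exclude -notcontains $cn
})

$targets | Out-File -FilePath "C:\AD-Cleanup-$Stamp-candidates.txt"
Write-Host "$($users.Count) inactive accounts found, $($targets.Count) after exclusions"
if ($ListOnly) { return }   # review the candidates file, then re-run with $ListOnly = $false

# 3. Disable, then move to the holding OU so the batch can be deleted later from one place.
foreach ($dn in $targets) {
    dsmod user $dn -disabled yes | Out-Null
    if ($LASTEXITCODE -ne 0) { Add-Content $Log "FAIL disable $dn"; continue }
    dsmove $dn -newparent $HoldingOU | Out-Null
    Add-Content $Log "DISABLED+MOVED $dn (dsmove exit $LASTEXITCODE)"
}
```

The same pattern works for computer accounts by swapping dsquery user/dsmod user for dsquery computer/dsmod computer.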

Daniel Anderson
Cleaning up my Active Directory.