Getting a list of users in your AD domain via Powershell

Get-ADUser -Filter * -Properties HomeDirectory,LastLogonDate | Select-Object Name, LastLogonDate, HomeDirectory

will cause the following to display

Name       LastLogonDate          HomeDirectory
----       -------------          -------------
CollinsP   11/12/2015 6:04:12 AM  \\HomeDrive\CollinsP
SprouleK   19/12/2015 2:08:12 PM  \\HomeDrive\SprouleK
ReithP     23/12/2015 8:45:54 PM  \\HomeDrive\ReithP

How to output to a file?
Get-ADUser -Filter * -Properties HomeDirectory,LastLogonDate | Select-Object Name, LastLogonDate, HomeDirectory | Export-CSV 'c:\temp\AllDomainUserNames.CSV'

This article seems familiar?  That will be because I wrote how to do this with Quest Active Server Roles Powershell Module, back in 2010.

The Microsoft page on Get-ADUser is here.

So where, oh where is “AGPM.ADM”?

Despite several Microsoft Advanced Group Policy Management pages saying

You can centrally configure optional logging and tracing for Advanced Group Policy Management (AGPM) using Administrative templates.

they don’t tell you where to find the Group Policy AGPM.ADM or AGPM.ADMX files.

After much searching, and time wasted; I can tell you that if you install the AGPM client, you will have a copy of AGPM.ADMX dropped into your local %windir%\PolicyDefinitions directory.

Configure Logging and Tracing
Ask the Directory Services Team – AGPM Production GPOs (under the hood)
Active Directory Infrastructure Self-Study Training Kit: Stanek & Associates Training Solutions

Network drives were dropping out

Network drives were dropping out.  We were also seeing 15+ minutes slow logon times at some remote sites.

We’d mostly see the slow logon times with Windows 7.  We’d see the “network drives dropping out” issue with Windows 8.

Looking at the OfflineFiles event log we saw several 1004 events logged.  Looking at the details of the event, we’d see details like:
Path \\Noddyland\CorpData$ transitioned to slow link with latency = 140 and bandwidth = 202123

Why was it happening?  The following table might help:

Operating system   Slow bandwidth limit    Slow latency threshold
----------------   --------------------    ----------------------
Windows XP         64Kbps                  n/a
Windows Vista      <nil> (opt-in policy)   n/a
Windows 7          64Kbps                  80ms
Windows 8          64Kbps                  35ms

From the event above, “transitioned to slow link with latency = 140 and bandwidth = 202123”, you can see we had plenty of bandwidth, but our network latency was too high at 140ms, which triggered the network share (\\Noddyland\CorpData$) to go Offline.

We fixed the issue by setting Latency=200 for \\Noddyland\CorpData$, in Group Policy Computer Configuration\Administrative Templates\Network\Offline Files\Configure slow-link mode.
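
An added example (not from the original post) that checks the text of an OfflineFiles 1004 event against the thresholds in the table above and against the Latency=200 setting. It assumes 64Kbps means 64000 bits per second, that the event reports bandwidth in bits per second, and that a link counts as slow when latency is above the threshold or bandwidth is below it; Get-SlowLinkVerdict is a hypothetical name.

```powershell
# Added example. Thresholds come from the table in this post; the bandwidth
# unit (bits per second) and 64Kbps = 64000 are assumptions.
$thresholds = [ordered]@{
    'Windows 7 default'  = @{ LatencyMs = 80;  BandwidthBps = 64000 }
    'Windows 8 default'  = @{ LatencyMs = 35;  BandwidthBps = 64000 }
    'Latency=200 policy' = @{ LatencyMs = 200; BandwidthBps = $null }  # only latency was configured
}

function Get-SlowLinkVerdict {
    param(
        [Parameter(Mandatory = $true)][string] $Message,
        [Parameter(Mandatory = $true)] $Thresholds
    )
    $pattern = 'Path (?<path>\S+) transitioned to slow link with ' +
               'latency = (?<lat>\d+) and bandwidth = (?<bw>\d+)'
    if ($Message -notmatch $pattern) { return }   # not a slow-link transition message
    $path = $Matches['path']
    $lat  = [int]$Matches['lat']
    $bw   = [long]$Matches['bw']

    foreach ($name in $Thresholds.Keys) {
        $t = $Thresholds[$name]
        $reasons = @()
        if ($lat -gt $t.LatencyMs) {
            $reasons += "latency $lat ms > $($t.LatencyMs) ms"
        }
        # A $null bandwidth threshold means that setting does not check bandwidth
        if ($null -ne $t.BandwidthBps -and $bw -lt $t.BandwidthBps) {
            $reasons += "bandwidth $bw < $($t.BandwidthBps)"
        }
        [pscustomobject]@{
            Path     = $path
            Setting  = $name
            SlowLink = ($reasons.Count -gt 0)
            Reason   = ($reasons -join '; ')
        }
    }
}

# The event text quoted in this post
$msg = 'Path \\Noddyland\CorpData$ transitioned to slow link with latency = 140 and bandwidth = 202123'
Get-SlowLinkVerdict -Message $msg -Thresholds $thresholds | Format-Table -AutoSize
```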

“Configure slow-link mode” policy on Vista for Offline Files
Configuring New Offline Files Features for Windows 7 Computers Step-by-Step Guide
Slow-Link with Windows 7 and DFS Namespaces
The “Configure slow-link mode” Policy is not taking effect

Getting a list of printers published in an Active Directory domain

So I need to get a list of print servers and printers in the domain.

Using Powershell.

Looking around the interwebs, I found a PowerShell commandline here which formed the basis of this commandline:
Get-ADObject -LDAPFilter "(objectCategory=printQueue)" -Properties cn, drivername, location, printername, portname, servername | select portname, cn, drivername, location, printername, servername | Format-Table -Property * -AutoSize | Out-String -Width 4096 | Out-File C:\wisefaq\printerlist.txt

Which outputs to a text file, like this:
portname cn              drivername               location                  printername servername
-------- --              ----------               --------                  ----------- ----------
{}       PRT001-LZR960-2 Dataproducts LZR 960 PS  US/UT/Boort/99 Anytown St LZR960-2
{}       PRT001-LZR960-1 Dataproducts LZR 960 PS  US/UT/Boort/99 Anytown St LZR960-1
{}       PRT001-LZR960-3 Dataproducts LZR 960 PCL US/UT/Boort/99 Anytown St LZR960-3
{}       PRT001-LZR960-4 Dataproducts LZR 960 PS  US/UT/Boort/99 Anytown St LZR960-4
{}       PRT001-LZR960-5 Dataproducts LZR 960 PCL US/UT/Boort/99 Anytown St LZR960-5

So why did I use Out-File instead of Export-CSV?
Export-CSV is refusing to output the {ip.addresses}. I don’t know why, and I’ve wasted an hour trying to work around the issue.

Update: December 2015
Adrian suggests that I could use Powershell Custom Objects to fix the issue of ip.addresses not outputting.
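
An added example (not code from the original post) of the custom-object approach mentioned in the update: Export-Csv writes each property value as a single string, so a multi-valued attribute such as portName has to be joined into one string before export. The function name ConvertTo-FlatPrinterRow and the sample printer values are assumptions made for illustration.

```powershell
# Added example. Builds one custom object per printQueue result with every
# attribute flattened to a plain string, so Export-Csv writes the values
# instead of the collection's type name.
function ConvertTo-FlatPrinterRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Printer,
        [string] $Separator = ';'
    )
    process {
        $row = [ordered]@{}
        foreach ($name in 'portName', 'cn', 'driverName', 'location', 'printerName', 'serverName') {
            # @() enumerates a collection and wraps a single value;
            # the filter drops $null so a missing attribute becomes ''
            $values = @($Printer.$name) |
                Where-Object { $null -ne $_ } |
                ForEach-Object { "$_" }
            $row[$name] = $values -join $Separator
        }
        [pscustomobject]$row
    }
}

# Constructed sample standing in for one Get-ADObject result (values are made up)
$sample = [pscustomobject]@{
    portName    = @('192.0.2.10', '192.0.2.11')
    cn          = 'PRT001-LZR960-2'
    driverName  = 'Dataproducts LZR 960 PS'
    location    = 'US/UT/Boort/99 Anytown St'
    printerName = 'LZR960-2'
    serverName  = $null
}
$sample | ConvertTo-FlatPrinterRow | ConvertTo-Csv -NoTypeInformation

# Against the directory (requires the ActiveDirectory module):
# Get-ADObject -LDAPFilter '(objectCategory=printQueue)' `
#     -Properties portName, cn, driverName, location, printerName, serverName |
#     ConvertTo-FlatPrinterRow |
#     Export-Csv 'C:\wisefaq\printerlist.csv' -NoTypeInformation
```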

PowerShell Quick Tip: Creating wide tables with PowerShell

Searching for Specific Printers in a Domain (Attributes for the printQueue Object)

Print-Queue class

PowerShell print server inventory script (looks very useful, but you need admin access to each of the printers)

Disabling Windows Update via Group Policy

You can do this via Group Policy via Computer Configuration –> Administrative Templates –> Windows Components –> Windows Update –> Configure Automatic Updates.


It seems that Windows Update will still deliver updates if it was previously configured to do so.  In other words, this policy only seems to work with freshly built PCs.

My current workaround is to stop the Windows Update service via Group Policy Preferences.

Saturday Link Roundup

Group Policy Search – powered by Windows Azure.

How to bring harmony to your mixed wired and wireless networks
The article discusses several different ways to cause your WiFi enabled Windows PCs to switch to a wired connection when it is available.  The one which impresses me is the use of DHCP Default Router Metric Base property.

Sandy Mackinnon’s unlikely voyage through the canals of Europe
In a Mirror Dinghy no less.

Getting a list of users in an AD Group, using Vbscript.

I much prefer using Quest to do this (see this post), but I needed to use Vbscript as I had to output the results into an Excel spreadsheet.

If you look around the internet, you’ll find plenty of examples of how to do that.

But when I ran the following code on my system, it failed:
For Each objUser in objGroup.Members
    Wscript.Echo "Name: " & objUser.DisplayName
    Wscript.Echo "Department: " & objUser.department
    Wscript.Echo "Street address: " & objUser.streetAddress
    Wscript.Echo "Title: " & objUser.title
    Wscript.Echo "Description: " & objUser.description
    ' Fails here when the member is a nested group rather than a user
    Wscript.Echo "Account Disabled?: " & objUser.AccountDisabled
Next

After much head scratching, I realised that another AD Group was a member of the current group, AND AD Groups do not have an AccountDisabled attribute.

The solution was to check the class attribute to see if the group member was a “user” or something else.
For Each objUser in objGroup.Members
    Wscript.Echo "Name: " & objUser.DisplayName
    Wscript.Echo "Department: " & objUser.department
    Wscript.Echo "Street address: " & objUser.streetAddress
    Wscript.Echo "Title: " & objUser.title
    Wscript.Echo "Description: " & objUser.description
    ' Only read AccountDisabled when the member is a user object
    If LCase(objUser.class) = "user" Then
        Wscript.Echo "Account Disabled?: " & objUser.AccountDisabled
    Else
        Wscript.Echo "I am a AD Group. "
    End If
Next

How Can I Return Information For Each Member in a Group? (Hey Scripting Guy! Blog)
User Attributes – Inside Active Directory by Sakari Kouti
Active Directory Explorer by Sysinternals

Configuring DNS Suffix Search List via Group Policy

It seemed like a good idea at the time, configure the DNS Suffix Search List centrally so everyone gets the same thing.

The wheels fell off when I went to configure the 15th domain suffix.  The DNS Suffix Search List Group Policy accepted the value, but the desktop client wasn’t reading it.

The reason I needed to add another prefix, was that an off-site internal website, http://Noddyhome, was not resolving.  It was working if the customer typed in the fully qualified domain name,

After much head scratching, it looks as if there is a 200 character limit to that policy.  ““ just wouldn’t fit.

The fix?  We used the GlobalNames Zone feature of Windows 2008.

Setting DNS Suffix Search List via GPO (Ryan Adams Blog)

Bypassing Internet Explorer Group Policy lockdowns.

We lock down Internet Explorer, to prevent our non IT-savvy staff from changing settings which will break their internet access.  We apply those same settings to ourselves, which isn’t as bad as it sounds.  It ensures that when we make a Group Policy change, we’re impacted in the same way if it goes wrong.

But there are times when we need to bypass those settings.  One way we do that is by deleting the Group Policy Registry keys which control Internet Explorer.  We put the following in a .reg file and execute it:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer]

[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]


It works quite well.

What happens if my Windows Domain time clock is fast …

… and I want to change it back?

It depends on the operating system.

The latest documentation from Microsoft states


Registry path

Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2

This entry specifies the maximum offset (in seconds) for which W32Time attempts to adjust the computer clock by using the clock rate. When the offset exceeds this rate, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1. …

The article goes on to show you, with a formula, how to calculate what will happen if you change your time clock.

How Windows 2000 did it