Getting a list of users in your AD domain.

Update 12/2015: A Powershell version of this article is here.

There are several ways to do this, but the method I prefer to use is GET-QADUser command from the Quest Active Server Roles PowerShell module, as it will dump the information I want with a minimum of fuss.

  1. Start the ‘ActiveRoles Management Shell for Active Directory’ console
  2. Enter the following command string
    Get-QADUser -sizelimit 0 | Select-Object sAMAccountName, DisplayName
  3. and then press Enter

    SamAccountName    DisplayName
    DaggF             Fred Dagg
    CollinsP          Paul Collins
    SprouleK          Ken Sproule
    ReithP            Peter Reith
    SmithC            Coach Smith
    RookeM            Mike Rooke

Or if I want to dump it out to a CSV file, so I can look at it in Excel:
Get-QADUser -sizelimit 0 | Select-Object sAMAccountName, DisplayName | Export-CSV 'c:\temp\AllDomainUserNames.CSV'

To dump all the user details out, you could do something like:
Get-QADUser -sizelimit 0 -IncludeAllProperties -SerializeValues | Export-CSV 'c:\temp\AllDomainUserDetails.csv'

Detecting broken or not installed SMS/SCCM clients.

You take all your computer accounts in Active Directory, filter out the old records (I use a cut-off of 30 days), and then compare it to your SMS or SCCM database.
(I showed you how to export the LastLogin date from Active Directory here).

An aside:
I love Active Directory, as you can use it as an “Authoritative Source”.  If the computer is not in Active Directory then it won’t be able to use AD resources, such as the corporate intranet, email or network printing (provided your sysadmin has been particularly clever about locking those down).

You’re going to have 3 cases where computers aren’t reporting into SMS/SCCM, but are in Active Directory.

1. SMS/SCCM client is not installed
This is the easy one to detect.  You can see it in Active Directory but it’s not in your SMS/SCCM database.  Simple fix: install the SMS/SCCM client.

2. SMS/SCCM client is installed but has never reported.
Investigate and resolve the issue.  If there are lots of clients not reporting, it might be a site boundary issue.

3. SMS/SCCM client is installed but has stopped reporting.
The client has become broken.  When I last had this problem, it was WMI based and I wrote a custom script to repair it.  With mixed results.

The way I tell if a client has stopped reporting?
I subtract the SMS last contact date from the Active Directory LastLogin date.  If the difference is greater than 14 days, it’s likely the SMS client has a problem.

You could fix these broken clients manually, but a better way is to have something in your users’ logon script that runs at logon and just detects and fixes common SMS/SCCM problems.  Someone has already done this.  You can find it here:
SMS 2003 Client Health Startup Script v4.19
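The three cases above and the 14-day rule are easy to turn into a script.  The following PowerShell is an added example, not part of the original post or the Client Health script linked above; it works on two constructed CSV extracts (an AD computer export with LastLogonTimeStamp, and an SMS/SCCM export whose column names ClientInstalled and LastHardwareScan are assumptions, since each site’s database export will differ), applies the 30-day AD cut-off first, and then classifies what is left into the three cases.

```powershell
# Added example (not from the original post): classify AD computer accounts
# against an SMS/SCCM client export using the rules described above.
# Both data sets are constructed inline; in practice you would Import-Csv the
# AD export (Get-QADComputer ... | Export-CSV) and an export from the SMS/SCCM
# database. The SMS column names are assumptions.

$adCutoffDays = 30   # ignore AD computer accounts not logged on in 30 days
$brokenDays   = 14   # AD logon more than 14 days newer than SMS contact => broken client
$now = Get-Date '2010-01-20'   # fixed "today" so the constructed data is reproducible

# Constructed AD export: Name + LastLogonTimeStamp
$adComputers = @'
Name,LastLogonTimeStamp
WS001,2010-01-19
WS002,2010-01-18
WS003,2009-11-01
WS004,2010-01-17
WS005,2010-01-19
'@ | ConvertFrom-Csv

# Constructed SMS/SCCM export: ClientInstalled (1/0), LastHardwareScan (blank = never reported)
$smsClients = @'
Name,ClientInstalled,LastHardwareScan
WS001,1,2010-01-19
WS002,1,
WS004,1,2009-12-20
'@ | ConvertFrom-Csv

# Index the SMS records by computer name (upper-cased so the lookup is case-insensitive)
$smsByName = @{}
foreach ($c in $smsClients) { $smsByName[$c.Name.ToUpper()] = $c }

$report = foreach ($pc in $adComputers) {
    $adLogon = [datetime]$pc.LastLogonTimeStamp
    # Skip stale AD records first (staff on holiday, machine switched off, etc.)
    if (($now - $adLogon).Days -gt $adCutoffDays) { continue }

    $sms = $smsByName[$pc.Name.ToUpper()]
    $state = if (-not $sms -or $sms.ClientInstalled -ne '1') {
        'Case 1: client not installed'
    } elseif ([string]::IsNullOrEmpty($sms.LastHardwareScan)) {
        'Case 2: installed, never reported'
    } elseif (($adLogon - [datetime]$sms.LastHardwareScan).Days -gt $brokenDays) {
        'Case 3: installed, stopped reporting'
    } else {
        'OK'
    }

    New-Object PSObject -Property @{
        Name        = $pc.Name
        ADLastLogon = $adLogon.ToString('yyyy-MM-dd')
        State       = $state
    }
}

# Select-Object fixes the column order; Export-CSV it instead if you want it in Excel
$report | Select-Object Name, ADLastLogon, State | Format-Table -AutoSize
```

Note the order of the tests: the AD cut-off is applied before anything else, so a computer that has not logged on to the domain in a month never shows up as a “broken client”, and the 14-day comparison is only made for machines the domain has actually seen recently.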


  • 30 days?  Well people go on holidays for 4 weeks, and their computer may be turned off…
  • Corey Hynes suggested at TechEd 2005 that you should automate repetitive tasks with scripts.  He was right you know.
    Microsoft Systems Management Server 2003
    Microsoft System Center Configuration Manager 2007


Detecting inactive computers in your AD domain.

Use the LastLogonTimeStamp or the LastLogin Active Directory attribute.

If you are on a Windows 2003 Functional Domain or later, use LastLogonTimeStamp.  If you are on a Windows 2000 Functional Domain, you’re stuck with LastLogon (and a bit more work).

This is how I got the LastLogonTimeStamp for all the computers in my domain, by using PowerShell and Quest’s Active Server Roles (free!) product.

  1. Start the ‘ActiveRoles Management Shell for Active Directory’ console
  2. Enter the following command string
    GET-QADCOMPUTER -SizeLimit 0 -IncludedProperties LastLogonTimeStamp | Select-Object Name, LastLogonTimeStamp, OSName, ParentContainerDN
  3. and then press Enter

Or if I want to dump it out to a CSV file, so I can look at it in Excel:
GET-QADCOMPUTER -SizeLimit 0 -IncludedProperties LastLogonTimeStamp | Select-Object Name, LastLogonTimeStamp, OSName, ParentContainerDN | Export-CSV 'c:\temp\Report.csv'

LastLogonTimeStamp isn’t available in a Windows 2000 Functional Domain, so you’re stuck with LastLogin, which does not replicate between domain controllers.  This means you need to connect to each domain controller and extract the information (sigh).

First we connect to a known domain controller, let’s say FRED01, by entering connect-QADService at the command line:
connect-QADService -service 'FRED01'

Next we get the list of domain controllers in the FRED domain:
get-QADComputer -computerRole 'DomainController'

Name             Type            DN
----             ----            --
FRED18           computer        CN=FRED18,OU=Domain Controllers,DC=xxx
FRED01           computer        CN=FRED01,OU=Domain Controllers,DC=xxx
FRED19           computer        CN=FRED19,OU=Domain Controllers,DC=xxx

Now that we have the list of domain controllers, we need to connect to each one in turn:
connect-QADService -service 'FRED18'

and run the command to do the export from this domain controller to a CSV file:
GET-QADCOMPUTER -SizeLimit 0 -IncludedProperties LastLogon | Select-Object Name, LastLogon, OSName, ParentContainerDN | Export-CSV 'c:\temp\FRED18.csv'


  • the Export-CSV Powershell cmdlet will overwrite your CSV if you re-run it.
    So change the report name for each different domain controller you connect to.
  • You need to connect to each domain controller to get all the LastLogin dates.
  • Yes, you could script this, and if I was doing it often, I would.
  • Yes, if you had Windows 2008 R2 or Windows 7 with RSAT, you could do this with the Active Directory Domain Services Cmdlets
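Since LastLogon has to be collected from every domain controller, here is the scripted version the bullets above allude to.  It is an added example, not code from the original post: it uses the same Quest cmdlets (Connect-QADService, Get-QADComputer with -ComputerRole and -IncludedProperties) to discover the DCs from a seed DC, writes one CSV per DC so Export-CSV never overwrites an earlier run, keeps the newest LastLogon seen for each computer, and finally lists anything older than the 30-day cut-off.  The seed DC name FRED01, the output folder, and the assumption that Get-QADComputer returns LastLogon as a DateTime (null where that DC never saw a logon) are this example’s own.

```powershell
# Added example, not from the original post: gather LastLogon from every DC
# (it does not replicate), keep the newest value per computer, and report the
# computers not seen for 30 days. Assumes the Quest ActiveRoles snap-in is
# installed and that Get-QADComputer returns LastLogon as a DateTime or $null.

$cutoffDays = 30
$seedDC     = 'FRED01'       # any known domain controller (assumed name)
$outDir     = 'c:\temp'      # one CSV per DC is written here

Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Step 1: discover the domain controllers from the seed DC
Connect-QADService -Service $seedDC | Out-Null
$dcs = Get-QADComputer -ComputerRole 'DomainController' | Select-Object -ExpandProperty Name

# Step 2: export LastLogon from each DC to its own file (Export-CSV overwrites,
# hence a different file name per DC) and merge the values as we go
$latest = @{}    # computer name -> newest LastLogon seen on any DC
foreach ($dc in $dcs) {
    Connect-QADService -Service $dc | Out-Null
    $rows = Get-QADComputer -SizeLimit 0 -IncludedProperties LastLogon |
            Select-Object Name, LastLogon, OSName, ParentContainerDN
    $rows | Export-CSV (Join-Path $outDir "$dc.csv") -NoTypeInformation

    foreach ($r in $rows) {
        if ($r.LastLogon -eq $null) { continue }      # this DC never saw this computer log on
        $when = [datetime]$r.LastLogon
        if (-not $latest.ContainsKey($r.Name) -or $when -gt $latest[$r.Name]) {
            $latest[$r.Name] = $when
        }
    }
}

# Step 3: anything older than the cut-off, or never seen on any DC, is a clean-up candidate
$cutoff   = (Get-Date).AddDays(-$cutoffDays)
$allNames = Get-QADComputer -SizeLimit 0 | Select-Object -ExpandProperty Name
$inactive = foreach ($n in $allNames) {
    $seen = $latest[$n]
    if ($seen -eq $null -or $seen -lt $cutoff) {
        New-Object PSObject -Property @{ Name = $n; LastLogon = $seen }
    }
}
$inactive | Select-Object Name, LastLogon | Sort-Object LastLogon |
    Export-CSV (Join-Path $outDir 'InactiveComputers.csv') -NoTypeInformation
```

Taking the maximum across DCs matters: a computer that always authenticates against FRED18 will have a blank LastLogon on FRED01 and FRED19, so looking at any single DC’s export would wrongly flag it as inactive.  On a 2003 functional level domain or later you can skip the loop and read LastLogonTimeStamp from any one DC, as in the first command above.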


Windows 2000 had Active Directory folders.

In Windows 2000 you could create a shortcut to an Active Directory resource and turn it into a Windows Explorer view.  One of my (now long gone) predecessors worked out it would make life easier for end users.

“Oh, you just want to see the security groups you have delegation rights to?  No problems.  I’ll create you a shortcut.”

The AD Folder shortcut would look like this on a Windows 2000 system:
[image: This is an Active Directory folder]

The user reported that since a Windows XP upgrade, the icon looked like this:
[image: This is a broken Active Directory folder]
(and the shortcut no longer worked.)

You can tell the Windows 2000 shortcut looks like a Folder shortcut.  The Windows XP shortcut, just looks broken.


Using %homeshare% seemed like a good idea at the time.

[image: AD User - Terminal Services Profile]

We used to hard-code a user’s home directory in a logon script, just like this:

net use H: \\NODDY22\%Username%$

Of course, it becomes a problem when you need to change some of the users to another server.  Say for load balancing.

So you think to yourself, “Oh, I’ll just use the %homeshare% variable!”
(%homeshare% contains the link to the user’s home directory, as stored in Active Directory).

net use H: %homeshare%

All goes fine, until someone logs onto a Citrix/Terminal Server.

“Wahhhh, I don’t have a home drive anymore”.

The cause? In the AD User Properties, you have a Profiles tab AND a Terminal Services Profile tab.

Guess which %homeshare% is loaded when you log on to a Terminal Server?  That’ll be the one in the Terminal Services Profile tab, Chucky.  And yes, it was different from the user’s normal home directory.


Semi-regular web-link clearance (3) – January 2010

How to Install GPMC on Server 2008, 2008 R2, and Windows 7 (via RSAT)

Can You See Me – Open Port Check Tool

Is a free utility for remotely verifying a port is open or closed. It will be useful for users who wish to check to see if a server is running or a firewall or ISP is blocking certain ports.

Setting up a Windows 7 Media Center

Windows XP Power Management and Group Policy Preferences

Windows XP only has one active power scheme for the entire computer and that scheme is based on the current or previously logged on user—that is to say Windows XP power schemes are only user-based. This means the power scheme can change as each user logs on. Also, it means that last logged on user’s power settings are the settings that remain once the user logs off. And yes, each user has its own power configuration; however, the entire operating system only has one active power scheme.

PHP and IE8 Web Slices

Internet Explorer 8 (IE8) shipped with a new feature for web users called Web Slices. … Essentially it lets you add enhanced links to your favorite bar that allow you to preview snippets of content from websites that you frequently visit without having to open up the page. It’s really useful to do little tasks like check on your web based Inbox, check the weather in cities you live or visit, traffic status, stock tickers, headlines, sports, the list goes on and on and you can check the IE add-on gallery for more examples of useful web slices and for inspiration.

How to customize default user profiles in Windows 7 (KB973289)

To customize a default user profile or a mandatory user profile, you must first customize the default user profile. Then, the default user profile can be copied to the appropriate shared folder to make that user profile either the default user profile or a mandatory user profile.


Semi-regular web-link clearance – January 2010


Today I learned a little bit about how to get to some of the data stored within special shell folders.  You can get a list of all of the easy-to-get-to special folders here.  I noticed one folder in particular that a bunch of systems administrators I know want to read, and that’s the Nearby Computers page.  Here’s a quick 23-line function that will go and get all of the computers from the Nearby Computers page, ping them, and return the Win32_PingStatus objects.

End-to-End WAN Optimization with BranchCache

Expanding a business into new regions of the world with branch offices is a great idea from a business perspective, but it often presents challenges to network architects and implementers. To connect each branch office to a central location requires some sort of physical or logical connection, with bandwidth that is typically orders of magnitude smaller than local area connections. Low bandwidth combined with the trend toward centralizing organization data often yields branch office links that are congested, resulting in poor performance for applications. Moreover, many types of wide area network (WAN) links are expensive and can incur substantial startup and monthly costs.

Understanding DFSR conflict algorithms (and doing something about conflicts)

I’m frequently asked to explain the DFSR conflict algorithm – i.e. what happens when files are created or modified on two servers before replication takes place. What we don’t document well is that there are actually three conflict algorithms and they all behave quite differently. I am breaking these out into scenarios for easier understanding.

The Configuration Manager Service Pack Install Guide

This document was created to help in troubleshooting Configuration Manager Service Pack 2 (SP2) install failures. This document is not entirely specific to Service Pack 2 and can apply to Service Pack 1 installs, upgrades from SMS 2003 to SCCM, and future service pack or Configuration Manager versions that rely on .mof file compilations, SQL SPNS, provider DLLs, etc.

PowerScripting Podcast with Ed Wilson

Some troubleshooting resources:


Seen @ W2K3 to W2K8 Active Directory Upgrade Considerations

W2K3 to W2K8 Active Directory Upgrade Considerations

I have collected some upgrade considerations from a couple of colleagues of mine and have been sharing them on our internal technical DLs as the question comes up.  I have gotten positive feedback on the notes and have been encouraged to post them.  So, here they are.  Though, the real thanks go out to my colleagues Tom and Arren.

Here are some of the problems customers run into when upgrading W2K3 DCs to W2K8

A very comprehensive list of solutions to problems people run into when upgrading from a Windows 2003 domain to a Windows 2008 domain.  Thank you Glenn LeCheminant.
