Apr 22

Run Active Directory Management Tools as Another User

There are quite a few situations where you may need to run Active Directory management tools such as Active Directory Users and Computers with different credentials. For example:

  • Computer is not joined to the domain
  • Need to connect to another domain/forest
  • Logged in as a standard domain user and need to supply different credentials
  • etc…

Step 1 – Install Remote Server Administration Tools (RSAT)

If you are using a Windows Server 2008 or 2012 member server, RSAT is a feature you must enable using the directions below:

RSAT Server 2008 or 2012

If you’re using Windows Vista, Windows 7, Windows 8, or Windows 10 you must download, install, and enable the RSAT feature. Here are the links to download RSAT:

RSAT Vista SP1

RSAT Windows 7 SP1

RSAT Windows 8

RSAT Windows 8.1

RSAT Windows 10 (By default all features are enabled)

Once you’ve installed RSAT you need to enable the feature (except on Windows 10). Open Control Panel, click Programs and Features, and click Turn Windows features on or off. Then enable the following:

[Image: Windows Features Enable RSAT]

Step 2 – Make Sure You’re on the Domain Network

Make sure you’re on the same network as the Domain Controller. This simply means connecting to the LAN the Domain Controllers are on, or connecting to a VPN if you’re remote.

Step 3 – Run As Commands for AD Management Tools

The key to running AD management tools is the runas command in Windows, which allows you to specify alternate credentials. However, there are a few gotchas with runas, such as needing to specify the /netonly switch when on a non-domain computer. Here are the commands you’ll need to run to successfully launch the AD management tools; all of them work whether or not the computer is joined to a domain:

  • C:\Windows\System32\runas.exe – default path to runas
  • /netonly – the credentials are used for remote (network) access only, while the process itself runs as the locally logged-on user; this is required for computers not joined to a domain but still works if the computer is on the domain
  • /user: – specify the username as a sAMAccountName (DOMAIN\user) or UPN (user@domain.local)
  • "mmc %SystemRoot%\system32\snapin.msc" – Microsoft Management Console with the path to the snap-in

C:\Windows\System32\runas.exe /netonly /user:user@domain.local "mmc %SystemRoot%\system32\adsiedit.msc"
C:\Windows\System32\runas.exe /netonly /user:user@domain.local "mmc %SystemRoot%\system32\domain.msc /server=pdc.domain.local"

Note: I’ve added an extra parameter to specify the PDC Emulator, otherwise you may receive the error “You cannot modify domain or trust information because a Primary Domain Controller (PDC) emulator cannot be contacted.”

C:\Windows\System32\runas.exe /netonly /user:user@domain.local "mmc %SystemRoot%\system32\dssite.msc /domain=domain.local"

Note: I’ve added an extra parameter to specify the domain, otherwise you may receive the error “Naming information cannot be located because: The specified domain either does not exist or could not be contacted.”

C:\Windows\System32\runas.exe /netonly /user:user@domain.local "mmc %SystemRoot%\system32\dsa.msc /domain=domain.local"

Note: I’ve added an extra parameter to specify the domain, otherwise you may receive the error “Naming information cannot be located because: The specified domain either does not exist or could not be contacted.”

Step 4 – Applying Run As Commands

Option 1: Run from an elevated command prompt

Right-click the command prompt (cmd.exe), select Run as Administrator, and enter one of the runas commands in the previous section.

[Image: CMD Runas RSAT]

Option 2: Create a shortcut and run as administrator

Right-click in Windows File Explorer, select New, click Shortcut, enter one of the runas commands from the previous section as the location, click Next, name the shortcut appropriately, and click Finish. Whenever you launch the shortcut, right-click it and select Run as Administrator.

[Image: Shortcut Runas RSAT]

Option 3: Modify the RSAT shortcuts

Under Administrative Tools on the Start menu, right-click each RSAT shortcut, click Properties, and modify the target using the appropriate runas command from the previous section. Whenever you launch the shortcut, right-click it and select Run as Administrator.

[Image: Modify RSAT Target]
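As an added example (not part of the original post), here is a PowerShell wrapper around the same runas.exe pattern: it checks that the RSAT console from Step 1 is actually present, appends the /server or /domain argument the notes in Step 3 call for, and lets runas prompt for the password so it never lands on a command line. The function name and the sample values at the bottom are assumptions; run it from an elevated PowerShell window as in Step 4.

```powershell
# Added example: launch an RSAT console with alternate credentials via runas /netonly.
function Start-RsatConsole {
    param(
        [Parameter(Mandatory)][ValidateSet('adsiedit.msc','domain.msc','dssite.msc','dsa.msc')]
        [string]$Snapin,
        [Parameter(Mandatory)][string]$User,   # DOMAIN\user or user@domain.local
        [string]$Domain,                       # needed by dsa.msc and dssite.msc
        [string]$Server                        # needed by domain.msc (PDC Emulator FQDN)
    )
    # Step 1 check: the console file only exists once RSAT is installed/enabled.
    $mscPath = Join-Path $env:SystemRoot "system32\$Snapin"
    if (-not (Test-Path $mscPath)) {
        throw "$Snapin not found under $env:SystemRoot\system32; install or enable RSAT first."
    }
    # Append the extra MMC argument from the notes in Step 3, and refuse to
    # launch without it rather than fail later with the "cannot be contacted" error.
    $mmcArgs = $mscPath
    switch ($Snapin) {
        'domain.msc' {
            if (-not $Server) { throw 'domain.msc needs -Server (the PDC Emulator).' }
            $mmcArgs += " /server=$Server"
        }
        { $_ -in 'dsa.msc','dssite.msc' } {
            if (-not $Domain) { throw "$Snapin needs -Domain." }
            $mmcArgs += " /domain=$Domain"
        }
    }
    # runas prompts for the password interactively; it never appears on the
    # command line, so it is not exposed in process listings or shell history.
    $runas = Join-Path $env:SystemRoot 'System32\runas.exe'
    & $runas /netonly "/user:$User" "mmc $mmcArgs"
}

# Constructed sample call; replace the account and domain with your own.
Start-RsatConsole -Snapin dsa.msc -User 'user@domain.local' -Domain 'domain.local'
```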
Jun 12

Delegate Add/Delete Computer Objects in AD

AD delegation allows you to give users or groups access to certain parts of your AD without giving them full admin access. A great example is allowing Help Desk users to reset user passwords; this is actually quite easy and is a default option when delegating permissions to an OU. However, you may also want your Help Desk users to be able to join computer accounts to your domain and remove them, which is a bit more difficult. By default, a standard user account can join up to 10 workstations to your domain, and more than likely you’ll want them to join more. Here are the necessary steps as well as my recommendations:

1 – Create New OU for your Computers

[Image: Computer OU]

In this example, I made the top OU called Computer and made several sub-OUs. I suggest using an OU because you can apply a GPO at the topmost level to apply specific security settings to all of your computers.

2 – Redirect the Default Computers Container to the New Computer OU in AD

By default, computers joined to an AD domain are put in the Computers container, which cannot have a GPO applied because it’s a container and not an OU. You can redirect that container to the new Computer OU using Redircmp.exe (http://support.microsoft.com/kb/324949). On your AD Domain Controller, run the following command (replace DC=contoso,DC=local with your domain name):

C:\windows\system32>redircmp OU=computer,DC=contoso,DC=local

3 – Create a Global Security Group to Join/Delete Computers

Create a new Global Security Group, which we will use to delegate who can join and delete computers in AD. In my example, I’ll use a group called Join-Move-Delete Computer OU.

4 – Delegate the Join and Delete Permissions

  • Right-Click the Computer OU and select Properties
  • Click the Security tab and click the Advanced button

[Image: ComputerOU Properties]

  • Click the Add button, enter the name of the security group Join-Move-Delete Computer OU and click OK. You can now add any users you desire to this group.

[Image: ComputerOU Advanced Security]

  • Under Apply to, select This object and all descendant objects
  • Under the Allow column, select Create Computer Objects and Delete Computer Objects
  • Click OK on all of the screens to save the changes

[Image: ComputerOU Create-Delete Permissions]

All members of the Join-Move-Delete Computer OU group can now add and delete computers in your domain.

5 – Delegate Moving Objects to Sub-OUs in the Computer OU (Optional)

Optionally, but quite likely, you may want your users to be able to move the computers they join to the proper OU. In that case, we need to add one more permission.

  • Right-Click the Computer OU and select Properties
  • Click the Security tab and click the Advanced button
  • Click the Add button, enter the name of the security group Join-Move-Delete Computer OU and click OK.
  • Under Apply to, select Descendant Computer objects
  • Under the Allow column, select Write all properties
  • Click OK on all of the screens to save the changes

All members of the Join-Move-Delete Computer OU group can now move computers between all of the sub-OUs in the Computer OU.
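The same two delegations (Step 4 and the optional Step 5), applied and then read back with the ActiveDirectory module, as an added example that is not part of the original post. The OU distinguished name and group name are the ones used in this post and are placeholders; the script looks up the schemaIDGUID of the computer class so the ACEs are scoped to computer objects, as the GUI steps above do.

```powershell
# Added example: delegate Create/Delete Computer objects on the Computer OU,
# plus Write all properties on descendant computers, then audit the result.
Import-Module ActiveDirectory

$ouDn  = 'OU=Computer,DC=contoso,DC=local'            # placeholder, from this post
$group = Get-ADGroup 'Join-Move-Delete Computer OU'   # placeholder, from this post

# Resolve the computer class GUID from the schema instead of hard-coding it.
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$computerCls  = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid = [Guid]$computerCls.schemaIDGUID

$acl = Get-Acl -Path "AD:\$ouDn"

# Step 4: Create Computer objects + Delete Computer objects,
# applied to "This object and all descendant objects".
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Step 5 (optional): Write all properties on "Descendant Computer objects".
# Note this is broader than a move strictly needs (every attribute of every
# computer in the OU becomes writable), so review it before granting.
$writeAll = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($writeAll)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Audit: list every explicit (non-inherited) ACE the group now holds on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*Join-Move-Delete*' -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType, InheritedObjectType
```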

Jan 24

Find Email Address in Active Directory

Did you ever try to create a new email address and receive an error message that it already exists? Or did you ever have someone ask who is using an email address? Here are some methods to find the email address:

1 – Active Directory Users and Computers Saved Queries (Server 2003 and up)

  • In Active Directory Users and Computers, right-click the Saved Queries container and click New->Query
  • Enter a name for the query then click the Define Query button
  • Click the Find drop-down menu and click Custom Search
  • Click the Advanced tab and enter the following query (replace jdoe@domain.com with the email you want to find):
    (proxyAddresses=SMTP:jdoe@domain.com)
  • Click OK

[Image: LDAP proxyAddresses Query]
2 – Exchange 2010/2007 Management Shell

To find a particular email address, use the following command (replace jdoe@domain.com with the email you want to find):

get-recipient | where {$_.emailaddresses -match "jdoe@domain.com"} | select name,emailaddresses

To find all email addresses for a particular domain, use the following command (replace domain.com with the domain you want to find):

get-recipient | where {$_.emailaddresses -match "domain.com"} | select name,emailaddresses

3 – Outlook

In Outlook, create a new message and type the email address into the To field. Click the Check Names button or press Ctrl+K to resolve the email address to the display name. Note: this will not work if the recipient is hidden from the GAL or address list.
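As an added example (not from the original post), the same proxyAddresses lookup from method 1 done from PowerShell with the ActiveDirectory module. Unlike the -match regex in method 2 (where the dot matches any character), this is an exact LDAP equality match, and the address is escaped before it goes into the filter so a value taken from a ticket or user input cannot change the filter's meaning. The function names and the sample address are assumptions.

```powershell
# Added example: find which AD object owns an e-mail address via an LDAP filter,
# escaping the value per RFC 4515 so it cannot alter the filter structure.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash must be escaped first, then the remaining filter metacharacters.
    $escaped = $Value.Replace('\', '\5c').Replace('*', '\2a')
    $escaped = $escaped.Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    return $escaped
}

function Find-AdEmailOwner {
    param(
        [Parameter(Mandatory)][string]$Address,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $safe = ConvertTo-LdapFilterValue $Address
    # proxyAddresses carries "SMTP:" (primary) and "smtp:" (secondary) entries;
    # the plain mail attribute is checked too for objects without Exchange data.
    $filter = "(|(proxyAddresses=SMTP:$safe)(proxyAddresses=smtp:$safe)(mail=$safe))"
    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -Properties mail, proxyAddresses |
        Select-Object Name, DistinguishedName, ObjectClass, mail,
            @{ n = 'MatchingProxyAddresses'
               e = { $_.proxyAddresses | Where-Object { $_ -like "*:$Address" } } }
}

# Constructed sample call; replace the address with the one you are looking for.
Find-AdEmailOwner -Address 'jdoe@domain.com'
```

More than one result means the address is duplicated across objects, which is the usual cause of the "already exists" error the post opens with.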