Lead, Follow, or Move » Active Directory

Moving and Renaming objects in Active Directory

Adam Bell — Tue, 04 Mar 2008 16:07:46 +0000

I went to move some AD objects with PowerShell recently, and realised that I didn’t have any examples to hand. Despite covering AD permission delegation and GPO operations, I’d somehow missed the fairly obvious task of moving and renaming objects!

So this seemed like a good time fix that …

We need to bind to some objects in AD, starting with the Users OU, and a fictional OU for our example, Service Accounts where we will move our objects to.



$root = [adsi]""

$users = [adsi]("LDAP://cn=users,"+$root.distinguishedName)

$sa = [adsi]("LDAP://ou=Service Accounts,"+$root.distinguishedName)

Now that we have bindings to the directory locations, we need to bind to an account we’d like to move.



$admin = [adsi]("LDAP://cn=Administrator,"+$users.distinguishedName)

The actually moving of an object isn’t made available through the PowerShell wrapper from what I could see. So to achieve this we need to expose the raw .Net methods using psbase.



$admin.psbase | get-member | where-object {$_.Name -eq "MoveTo"}

System.Void MoveTo(DirectoryEntry newParent), System.Void MoveTo(DirectoryEntry newParent, String newName)

I already knew the name of the method we’d need to use MoveTo(), so we used a where-object cmdlet to reduce our output to just what we needed. Looking at the above method, we can see that we can also rename the object by passing a second set of parameters.

Having bound to the Service Accounts OU, and the Administrator account, the only thing left to do is the actual move:



$admin.PSBase.MoveTo($sa)

Something to bear in mind if we want to rename an object, is that we could pass the same DirectoryEntry location as the object current exists in, or a new location. This method won’t update the sAMAccountName attribute.

If you want to change attributes on an object, it’s worth doing this before the move, and the binding becomes invalid. In our example of renaming the account, there’s a couple of attributes worth changing:



$admin.put("sAMAccountName", "zNobodyHere")

$admin.put("Description", "Nobody Service Account")

$admin.put("userPrincipalName", "zNobodyHere@leadfollowmove.com")

$admin.Setinfo()

Renaming, the Administrator account, and keeping it in the Users container:



$admin.PSBase.MoveTo($users, "cn=zNobodyHere")

Renaming the Administrator account, and moving it to our Service Accounts OU:



$admin.PSBase.MoveTo($sa, "cn=zNobodyHere")

Alternatively, you could use the Quest AD cmdlets to move or rename. Sometimes, however you don’t always have the tools available that you might like!

Windows 2003 DNS Server rights issue

Adam Bell — Wed, 27 Feb 2008 14:45:11 +0000

Apparently there is a permissions issue regarding hosting DNS zones in the ForestDNSZones, or DomainDNSZones partitions in Server 2003. I haven’t looked to see if this has been resolved in 2008. The issue and solution is detailed in Microsoft KB939090.

This issue occurs because of the permissions that are set in the Active Directory directory service….
The members of the DnsAdmins group do not have permissions on the following application partitions:
CN=MicrosoftDNS,DC=ForestDNSZones,DC=Domain…
CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain…

The documented solution is to edit your Active Directory with ADSIEdit and go in to fix the problem:

To resolve this issue, set permissions for the DnsAdmins group on the DomainDNSZones application partition and on the ForestDNSZones application partition.

We have taken a pretty close look at manipulating permissions in AD with PowerShell before, covering:
Standard Rights
Removing Rights in AD
Inheritance and Propagation
Extended Rights
and Controlling Access Rights in AD

We’re going to build a function similar to Add-DsAce.ps1 we used in the Standard Rights post, but this time we’re going to use a slightly different constructor, so that we can apply the correct inheritance. We want this to affect “This object and all Child Objects”, which means we need to use:



[System.DirectoryServices.ActiveDirectorySecurityInheritance]"SelfAndChildren"

So, our modified function looks like this:
Add-DsAce2.ps1



#----------------------------------------------------------------------------------------------------------

function Add-DsAce

#----------------------------------------------------------------------------------------------------------

{

Param (

  $DSobject,

  $Identifier,

  $DSrights,

  $AccessType = "Allow",

  $Inheritance

  )

  # GetAccessRules: Explicit ACE's, Inherited ACE's, TargetType

  $account = New-Object system.security.principal.ntaccount($Identifier)

 

  # Retrieve the SID - as a manual step you can check it's not empty :)

  $sid = $account.translate([system.security.principal.securityidentifier])

 

  $Inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]"SelfAndChildren"

  $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($account, $DSrights, $AccessType, $Inheritance)

  $DSobject.psbase.get_objectsecurity().AddAccessRule($ace)

  $DSobject.psbase.CommitChanges()

}

#----------------------------------------------------------------------------------------------------------

Now that we have the ability to modify the AD, and presuming we dot source the newly created function we could do the following:



$root = [adsi]""

$ForestDNSZones = [adsi]("LDAP://DC=ForestDNSZones,"+$root.distinguishedName)

$DomainDNSZones = [adsi]("LDAP://CN=MicrosoftDNS, DC=DomainDNSZones,"+$root.distinguishedName)

 

Add-DSace $ForestDNSZones "DNSAdmins" "GenericAll"

Add-DSAce $DomainDNSZones "DNSAdmins" "GenericAll"

Basically, we’ve bound to AD via ADSI so that we can dynamically provide the domain DN, and the two locations in AD we want to apply the ACE to. Then it’s just a matter of passing the created function the parameters needed.

Dynamically populating user properties in Active Directory

Adam Bell — Thu, 04 Oct 2007 11:19:51 +0000

Recently I was asked to help out with a small issue pertaining to rolling out MS Live Communications Server. Two SIP properties (msRTCSIP-LineServer & msRTCSIP-Line) on the user object in AD were set dependent on which office the user was located in, and their Direct Dial (DDI) number. These properties needed to be set on the users on 3 sites, and I was asked if PowerShell could assist.

Seeing as I don’t have the schema extensions in my test lab, we will step through a similar scenario, but we’ll update the users description property instead.

In this example we have two test users:

We’re interested in the two User properties: Office and Telephone number. These would make up part of the SIP information for LCS, but in our example we just want to add them to the description property for easier viewing in AD User’s and Computers.

Presuming, that we want to update the description field against a large selection of users we will take advantage of how PowerShell handles CSV’s:

set-usrdesc.ps1



# 

# NAME:     Set-UsrDesc.ps1

# 

# AUTHOR:   Adam Bell, http://www.leadfollowmove.com

# RELEASE:  Contractors Creed - All care taken, no responsibility admitted. Use at your own risk.

# VERSION:

# 1.0.1    25/09/2007  Adam Bell  Initial.

# 1.0.2    26/09/2007  Adam Bell  refined for live.

# 

# COMMENT: Best viewed using Notepad2

#   

# -----------------------------------------------------------

# Check command-line arguments

# -----------------------------------------------------------

  if ($args.count -ne 1)

  {

    write-host "Usage: "

    write-host "CSV requires a header line."

    write-host " UserName,OU is the only data needed. No DomainDN in the OU DN."

    write-host ""

    exit

  }

  $InFile = $args[0]

  If (-not(test-path $InFile))

  {

    write-host "Unable to locate" $InFile

    exit

  }

# -----------------------------------------------------------

# Globals

# -----------------------------------------------------------

# If there are any errors,we'll handle them in code.

$erroractionpreference = "SilentlyContinue" $root = [adsi]"" # ----------------------------------------------------------- function set-Desc # ----------------------------------------------------------- { # Inputs: 1) The CN UserName of the Account object # 2) The OU DN without the Domain DN portion included. # Objective: 1) Process each user, and update the description property based on Office and DDI info. # Returns: 1) Nothing. Updates the users props. Param ( $UserName, $OUname ) $error.clear() $user = [adsi]("LDAP://cn="+$UserName ` +","+$OUname+","+$root.distinguishedName) if (!$?) { write-warning "Unable to bind to $UserName" write-host "" continue } $office = $user.get("physicalDeliveryOfficeName") if (!$?) { write-warning "Unable to retrieve Office Location for $UserName" write-host "" continue } $ddi = $user.get("telephoneNumber") if (!$?) { write-warning "Unable to retrieve DDI number for $UserName" write-host "" continue } $user.put("description", "($office) $ddi") $user.setinfo() If (!$error[0]) { write-host "$username updated." -foregroundcolor "green" } else { write-warning "Updating $UserName failed!" } write-host "" } # ----------------------------------------------------------- function get-userlist # ----------------------------------------------------------- { # Inputs: 1) Path to CSV file containing Users to process. Needs a header line: UserName, OU # Objective: 1) Get the data from the CSV file and pass it to Set-Desc # Returns: 1) Nothing. # Depends: 1) Set-Desc Param ( $PathToCSV ) $accounts = Import-Csv $PathToCSV foreach ($account in $accounts) { $UserName = $account.UserCN If ($UserName.StartsWith("#") -eq $true) { } Else { "Processing ... "+$UserName set-Desc $UserName $account.OU } } } # ----------------------------------------------------------- # Main # ----------------------------------------------------------- get-userlist $InFile # -----------------------------------------------------------

A couple of points of interest, from the script above:
The Username is the CN (usually the displayName property), and is added with the ouName provided in the CSV, and the distinguishedName of the domain to build the ADSI binding to the user object.

The get(),put() and setinfo() methods are pretty self explanatory, especially if you’ve done any ADSI scripting before.

What’s nice about PowerShell is that you can user variables “inline”. It doesn’t work when constructing the ADSI binding, but it does when constructing strings (in this case for out put() method).

The (!$?) if block is a nice error checking step that check’s if the the last command wasn’t successful.

The !error[0] if block tests if we have had any errors in our process, and provides feedback to the console accordingly.

Running the script gives us the following output:

And if we check the user account, we can see that the description field has been updated for easy viewing , if we had a lot of users.

Control Access Rights in Active Directory

Adam Bell — Tue, 03 Apr 2007 20:41:55 +0000

Recently we looked at Extended-Rights in Active directory, and today we’ll complete our series of posts on permissions in AD with a post on Control Access Rights, also known as Specific Rights.

Control Access Rights are similar to Standard Rights in the permissions applied, however it is applied to a specific object, or property set. This property is also represented by a system.guid like we have previously seen with Extended Rights.

In this case however the GUID is the schemaIDGUID attribute on the object located in the Schema partition. Provided the Common Name (cn) is known of the object needed the function below will retrieve the GUID in question:
Get-SchemaGUID.ps1



$dse = [adsi]("LDAP://RootDSE")

 

#----------------------------------------------------------------------------------------------------------

function get-SchemaGUID

#----------------------------------------------------------------------------------------------------------

{

Param (

  $DSobject

  )

  $guid = $null

  $obj = [adsi]("LDAP://cn="+$DSobject+","+$dse.schemaNamingContext)

  [system.guid]$guid = $obj.schemaIDGUID[0]

  return $guid.ToString()

}

#----------------------------------------------------------------------------------------------------------

get-schemaguid "computer"

Once we have the GUID for the object or Property Set, we can then start thinking about our ACE. For Control Access Rights there are two types of scenarios, and hence two constructors available. We would use the following constructor when delegating the ability to create and delete computer objects in the computers container, for example.



Void .ctor(

Void .ctor(

  System.Security.Principal.IdentityReference, 

  System.DirectoryServices.ActiveDirectoryRights, 

  System.Security.AccessControl.AccessControlType, 

  System.Guid,

  System.DirectoryServices.ActiveDirectorySecurityInheritance)

The ACE can be further controlled by specificing the type of object that may inherit the ACE. In that scenario you would use the following constructor:



Void .ctor(

  System.Security.Principal.IdentityReference, 

  System.DirectoryServices.ActiveDirectoryRights, 

  System.Security.AccessControl.AccessControlType, 

  System.Guid, 

  System.DirectoryServices.ActiveDirectorySecurityInheritance, 

  System.Guid)

As you can see with two GUID’s in the syntax it becomes much easier to get things in the wrong order and in turn get an unexpected result.

MSDN has a clearer description of the constructors, and you can see that the GUID’s are for different objects.

So, armed with the GUID of the object, and the rest of the of our information we can go about setting the Control Access Right.
Set-CAR.ps1



$root    = [adsi]""

$test    = [adsi]("LDAP://ou=Test OU,"+$root.distinguishedName)

 

$account  = New-Object System.Security.Principal.NTAccount("bella")

$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]"All"

 

$rights    = "CreateChild, DeleteChild"

$gplink    = "f30e3bbe-9ff0-11d1-b603-0000f80367c1"

$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($acc, $rights, "Allow", $gplink, $Inherit)

 

$test.psbase.get_objectSecurity().AddAccessRule($ace)

$test.psbase.CommitChanges()

The above example gives the Bella account the rights to link Group Policy objects in the Test OU, and any sub OU’s (due to the inheritances flag).

Now we’ve covered the three types of permissions within the Active Directory, you should be able to apply any combination of permissions you need to organise the delegation model within your environment.

It makes me smile when I think back to the old NT4 days! ;)

[Updated:] The paragraph describing InheritedObjectTypes was rewritten to try and clarify the difference between the constructors.

Extended Rights in Active Directory

Adam Bell — Wed, 28 Mar 2007 20:16:42 +0000

Extended Rights are one of the mechanisms behind Active Directory permissions that allow for such granular control over the delegation of tasks in your environment. There’s a Technet article that explains delegation and touches on Extended Rights (near the bottom).

Extended Rights exists in AD as objects stored within the Extended-Rights container, which is located in the Configuration partition.

If you’re not sure about the different partitions within AD there is an excellent primer on TechNet about AD Architecture.

So how do we set an Extended Right permission? It’s actually very similiar to applying a Standard Rights ACE. The difference comes in the parameters we pass, and hence the constructor we use in the ActiveDirectoryAccessRule method.



Void .ctor(

  System.Security.Principal.IdentityReference, 

  System.DirectoryServices.ActiveDirectoryRights, 

  System.Security.AccessControl.AccessControlType, 

  System.Guid, 

  System.DirectoryServices.ActiveDirectorySecurityInheritance)

In this case the ActiveDirectoryRights value is the keyword “ExtendedRight“, and the system.Guid refers to an attribute of the Extended Rights object called the rightsGUID.

I’ve got a function that takes the CN of the right as input and returns the GUID.

Lookup Extended-Right GUID:
get-erGUID.ps1



$dse = [adsi]("LDAP://Rootdse")

 

#----------------------------------------------------------------------------------------------------------

function Get-RightsGUID

{

Param (

  $ExtendedRight

  )

  $ER = [adsi]("LDAP://cn=Extended-Rights,"+$dse.configurationNamingContext)

  $DSobject = [adsi]("LDAP://cn="+$ExtendedRight+","+$ER.distinguishedName)

  $ERguid = $DSobject.rightsGUID

  return $ERguid

}

#----------------------------------------------------------------------------------------------------------

Get-RightsGUID "Change-PDC"

If you don’t know the right you’re looking for you have a couple of options. TechNet have a reference that lists them, but we can also look them up.
RightsTbl.ps1



$dse  = [adsi]("LDAP://Rootdse")

 

# Build a Hashtable to translate the displayName (used by DSACL) to the objects CN.

$ERtbl  = @{}

$ext  = [adsi]("LDAP://cn=Extended-rights,"+$dse.configurationNamingContext)

$ext.psbase.children |% { $ERtbl.Add($_.displayName.toString(), $_.cn.toString()) }

The function above enumerates through the Extended-Rights container and loads the values for the displayName and cn into an associative array (hash table). Now we can look them up by either typing



$ERtbl

Which will list our complete hash table, or we can lookup specific translations



$ERtbl["Change PDC"]

So far so good. So putting it all together then. A code block to add the Change PDC right on the domain:
ChangeFSMORight.ps1



$root    = [adsi]""

 

$account  = New-Object System.Security.Principal.NTAccount("bella")

$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]"All"

$rights    = "ExtendedRight"

 

$changepdc  = "bae50096-4752-11d1-9052-00c04fc2d4cf"

$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($account, $rights, "Allow", $changpdc, $Inherit)

 

$root.psbase.get_objectSecurity().AddAccessRule($ace)

$root.psbase.CommitChanges()

Next time we’ll look at our last post in on the topic of Active Directory permissions when we look at Control Access Rights.

Inheritance and Propagation in Active Directory permissions

Adam Bell — Thu, 22 Mar 2007 17:58:10 +0000

Disclaimer:
As mentioned before I’m not a programmer, so the information in the next few posts may not be 100%. What I will pass on is what I have found in my experience, and any external links to valid sources that may help provide more detail. With this in mind if you find any inaccuracies, or just have more information to add please feel free to let me know …. :)

There are three types of permissions in regards to Active Directory security: Standard Rights, Extended Rights, and Control Access Rights. We’ve covered Standard Rights in a recent post, and in building up to the remaining two we’ll take a look at Inheritance and Propagation.

Now if we’re dealing with NTFs permissions, we use the System.Security.AccessControl namespace and the Inheritance and Propagation flags.

In AD we use a different method, but the concept is the same. There is only one flag used, and this is ActiveDirectorySecurityInheritance.

For example in NTFS you may have used:



$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit"

$propagation = [system.security.accesscontrol.PropagationFlags]"InheritOnly"

In Active Directory the same result would be achieved by:



$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]"descendents"

An article that explains this subject well can be found on MSDN here. In particular the paragraph on inheritance and figure 5.

If we want to stop permissions being inherited from the parent Organizational Unit or container, you can use the SetAccessRuleprotection method. The syntax for which is available here
And a simple example:
BlockInheritance.ps1



$root = [adsi]""

$test = [adsi]("LDAP://ou=Test ou,"+$root.distinguishedName)

 

# [bool]IsProtected, [bool]PreserveInheritance

# The second option decides whether the inherited ACE's are copied, or dropped.

$test.psbase.get_objectsecurity().SetAccessRuleProtection($true, $false)

 

$test.psbase.CommitChanges()

In the next post we’ll build a couple of useful functions for retrieving data needed for Extended and Access Control Rights.

Removing ACE’s from Active Directory with PowerShell

Adam Bell — Tue, 20 Mar 2007 22:14:24 +0000

Soon we’ll be looking into some pretty low level permission schemes that can be applied to Active Directory. For now however, following on from yesterdays post, we’ll take a look at how to remove Acccess Control Entries from the Security Descriptor in AD.

Below is our function:
remove-DSace.ps1



$root = [adsi]""

 

#----------------------------------------------------------------------------------------------------------

function remove-DSace

#----------------------------------------------------------------------------------------------------------

{

Param (

  $DSobject,

  $DSidentity

  )

  $sd = $DSobject.psbase.get_objectSecurity().getAccessRules($true, $false, [System.Security.Principal.NTAccount])

  $rar = $sd |? {$_.IdentityReference -eq $DSidentity}

  if ($rar -is [array])

  {

    foreach ($ace in $rar)

    {

      $DSobject.psbase.get_ObjectSecurity().RemoveAccessRule($ace)

      $DSobject.psbase.commitchanges()

    }

  }

  else

  {

    $DSobject.psbase.get_ObjectSecurity().RemoveAccessRule($rar)

    $DSobject.psbase.commitchanges()

  }

}

#----------------------------------------------------------------------------------------------------------

$ou = [adsi]("LDAP://ou="+$ARGS[0]+","+$root.distinguishedName)

remove-DSace $ou $ARGS[1]

Points of interest then:
Details on the parameters for GetAccessRules are here. We then filter our rules to those that match our Group/Account as defined by the IdentityReference attribute on the object, and store these in the $rar variable. By testing if this variable is an array or not we can determine if we have one ACE or several that need removing.

Using an If..Else code block we remove the ACE or ACEs as applicable and commit our changes back to the directory. If the ACE was configured to propagate down the directory this will have the effect of completely removing that permission from everywhere.

Tomorrow we really will look into Propagation and Inheritence ;)

Active Directory Permissions – Standard Rights

Adam Bell — Mon, 19 Mar 2007 20:46:21 +0000

We’ve previously covered manipulating NTFS permissions, and in this post we’ll take that basis and apply it to Active Directory.

Marc covered this topic on his old blog, while PowerShell was still in beta (Pre RC2). The approach is basically the same, but you need to utilise psbase in PowerShell 1.0.

So, we want to give our test user bella full control over the Test OU. I would suggest not making permission changes to your AD if you don’t know what you’re doing because things can get nasty very quickly. A bit of useful reading on the subject can be found here and here.

Below is our basic function:
function add-DSace.ps1



#----------------------------------------------------------------------------------------------------------

function Add-DSace

#----------------------------------------------------------------------------------------------------------

{

Param (

  $DSobject,

  $Identifier,

  $DSrights,

  $AccessType = "Allow"

  )

  # GetAccessRules: Explicit ACE's, Inherited ACE's, TargetType

  $account = New-Object system.security.principal.ntaccount($Identifier)

 

  # Retrieve the SID - as a manual step you can check it's not empty :)

  $sid = $acc.translate([system.security.principal.securityidentifier])

  #$sid.ToString()

 

  $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($account, $DSrights, $AccessType)

  $DSobject.psbase.get_objectsecurity().AddAccessRule($ace)

  $DSobject.psbase.CommitChanges()

}

#----------------------------------------------------------------------------------------------------------

$root = [adsi]""

$test = [adsi]("LDAP://ou=Test OU,"+$root.distinguishedName)

 

Add-DSace $Test "bella" "GenericAll"

Okay, so points of interest then:

Once we’ve created a variable for the OU we want to add an ACE to, we then define our Security Principal. This can be either a user or a group, and we can present this in either SID format or as the account name.

In this example we’re targeting a user. We could have validated the account by retrieving it’s SID, but for this we’re presuming that everything exists and no checking is performed.

There are several constructors available for the ActiveDirectoryAccessRule. You can see what’s available, by looking at the constructors:



# List the constuctors available to this method:

[System.DirectoryServices.ActiveDirectoryAccessRule].GetConstructors() |% {"$_"}

I’ve found this to be a really useful way of discovering the specific requirements for a method. Once you know what types the method is expecting you can then investigate what each element is. In this instance we are utilising the following constructor:



Void .ctor(

  System.Security.Principal.IdentityReference, 

  System.DirectoryServices.ActiveDirectoryRights, 

  System.Security.AccessControl.AccessControlType)

You can then either look them up on MSDN or feed in some false data, and see if the constructor will provide you with details on what it needs.

Once we have the ACE, the last two lines are where we add the ACE to the Security Descriptor and then commit our changes back to the directory.

As you can see we need to use psbase. This gives us the “raw” view of the object. I find using psbase very difficult. It’s almost a fall back, for when you can’t seem to make it work any other way. At the moment I just put it down as one of PowerShell’s little quirks ;)

Over the next few days we’ll take a closer look at Propagation, Inheritance and Active Directory Extended Rights.

Two day seminar on Active Directory – 14th & 15th March 2007 (London)

Adam Bell — Tue, 06 Mar 2007 11:58:56 +0000

A couple of years ago I attended a 5 day seminar on Active Directory at the NEC in Birmingham. It was a TechNet sponsored event presented by John Craddock and Sally Storey. Now John is regarded as one of the top AD guys in the UK, and with good reason.

Next week John and Sally have a two day seminar on in London. Here is the link on the UK TechNet Events website. I know it’s a little late, and there may not be any places left, but I can tell you without doubt it will be a great two days.

A few years ago I was working on an AD project for a large environment and at the time I was struggling to achieve some of the automation mile stones. After several weeks of scouring the web and news groups I completed all my tasks. Just after this I got a copy of John and Sally’s book. The pound to page ratio on this is quite high, but what I found within was all the obscure answers for the problems I’d spent weeks searching for.

Now before you ask, I’m not affiliated with these guys in any way, and am not being paid for this. These guys are just good, and well worth a look if AD is in any way your thing ;)

Searching Active Directory for Windows 2000 and Windows NT4 Domain Controllers with PowerShell

Adam Bell — Tue, 20 Feb 2007 13:45:46 +0000

When I posted the article on raising AD functionality levels recently David Saxon pointed out that more could be done in regards to confirming the Domain Controllers are at the required level, i.e. they are Windows 2003 Domain Controllers.

Since we’ve looked at searching the Directory yesterday, this seems like a good time to take a closer look into this.
Microsoft have a good article here on what features are available depending on you functionality level.

So we’d start with:



$query = new-object system.directoryservices.directorysearcher

$root = [adsi]""

And presuming our DC’s are located in the default location, we can narrow our search down:



$ou = [adsi]("LDAP://ou=Domain Controllers,"+$root.distinguishedName)

$query.SearchRoot = $ou

$query.SearchScope = "OneLevel"

The key to our search is going to be the filter() that we use. If you look around there’s a few different ways of identifying what we might want to search on.

In KB article 322692 there is a good filter for finding NT4 Domain Controllers:



$query.filter = "(&(objectCategory=computer)(operatingSystem Version=4*)(userAccountControl:1.2.840.113556.1.4.803:=8192))"

Here we’re filtering on the computer object, the OS version, and the UAC value. Let’s break this down a bit more. The first one is pretty obvious, the OS version is easy enough too. Anything with a 4 in the version relates to NT4. Windows 2000 is 5.0, and Windows 2003 is 5.2. So what’s with the UAC filter? The bitwise filter is an Object ID (OID) that means all the flags have to be set for a match. The value of 8192 specifies that the account is a Domain Controller.

We can search for Windows 2000 Domain Controllers using the following filter, as described in KB article 325379



$query.filter = "(&(objectCategory=computer)(primaryGroupID=516)(operatingSystemVersion=5.0*))"

Similar to the above example, we’re filtering on the computer object again. This time rather than use the UAC approach though we’ve used the PrimaryGroupID which we’ve touched on previously. The OS version corresponds to the versions discussed above.

It seems to me that our best approach would be to filter on any computer account, that’s not Windows 2003. As we’re only searching in the Domain Controllers OU we shouldn’t need to try and check the UAC or Primary Group information, but you could just to be sure if you felt that way inclined.



$query.filter = "(&(objectCategory=computer)(!operatingSystem Version=5.2*)(userAccountControl:1.2.840.113556.1.4.803:=8192))"

There’s a subtle difference between this filter and the first example. Basically we’re looking for OS version that’s not (!) equal to Windows 2003. In theory this should give us all the other Domain Controllers ;)

So to finish off then:



$result = $query.FindAll()

if ($result -eq $null)

{ 

  return $null

}

else

{

  foreach ($machine in $result)

  {

    $ADobject = $machine.GetDirectoryEntry()

    write-host $ADobject.distinguishedName

  }

}

Of course just because we have accounts in AD doesn’t actually mean that there are machines still out there. You could tie this into a function that then calls a ping test against the names that are retrieved. That’s still not gospel, but if it’s a DC, it’s more likely to be up if it’s still out there!

If you’re new to LDAP queries and would like more information Microsoft have a good primer here.