Apr 06 2017

Windows Managed Service Accounts

Published under Windows

Managed service accounts (MSAs) appeared with Windows Server 2008 R2. An MSA provides a dedicated account for each service without the hassle of managing password assignment or reset: less management, more security.
However, an account can only be used on one server.
Setting up a service account is done in two steps: create it on the Active Directory domain controller, then install it on the machine where the service will run.

On the domain controller, run the following two commands in PowerShell to create the account (this cannot be done through a graphical interface):

Import-Module ActiveDirectory
New-ADServiceAccount -Name Service_Account -Enabled $true

The account shows up under “Managed Service Accounts” in Active Directory Users and Computers (check Advanced Features in the View menu).
Then assign the account to the machine where the service will run:

Add-ADComputerServiceAccount -Identity Target_Server -ServiceAccount Service_Account

On the target machine, add the Active Directory module for PowerShell feature:

Add Feature:
Remote Server Administration Tools
   Role Administration Tools
     AD DS and AD LDS Tools
      Active Directory module for Windows PowerShell

Then install the service account in PowerShell:

Install-ADServiceAccount -Identity Service_Account

Launch the service with DOMAIN\Service_Account$, leaving the password blank. Don’t forget the $ in the account name!
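The whole procedure above as one script, added here as an example (it is not code from the original post). Service_Account, Target_Server and MySvc are placeholder names; the first part runs on the domain controller, the second on the target machine after the AD PowerShell feature is installed.

```powershell
# Added example, not from the original post. Placeholders: Service_Account,
# Target_Server, MySvc. Part 1 runs on a domain controller; Part 2 on the
# machine that will host the service (AD module for PowerShell installed).

# ---- Part 1: on the domain controller ----
Import-Module ActiveDirectory

$msaName  = 'Service_Account'   # placeholder MSA name
$hostName = 'Target_Server'     # placeholder computer that will run the service

# Create the account only if it does not already exist.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$msaName'")) {
    # With the Windows Server 2012 or later AD module, add -RestrictToSingleComputer
    # so a standalone MSA (as in this post) is created rather than a group MSA.
    New-ADServiceAccount -Name $msaName -Enabled $true
}

# Bind the account to the single computer allowed to retrieve its password.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# Verify the binding: HostComputers lists the computer(s) that may use it.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers |
    Select-Object Name, Enabled, HostComputers

# ---- Part 2: on Target_Server ----
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity $msaName

# Test-ADServiceAccount returns $true only if this host can retrieve the
# managed password; stop here rather than reconfiguring the service otherwise.
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA '$msaName' is not usable on $env:COMPUTERNAME"
}

# Point the service at the MSA. The trailing '$' is part of the logon name and
# the password stays empty: Windows retrieves it from AD. Unlike services.msc,
# sc.exe does not grant the 'Log on as a service' right, so assign that right
# separately (local policy or GPO) before restarting the service.
$domain = $env:USERDOMAIN
sc.exe config 'MySvc' obj= "$domain\$msaName`$" password= ""
Restart-Service -Name 'MySvc'

# Confirm the effective logon account and state.
Get-CimInstance Win32_Service -Filter "Name='MySvc'" |
    Select-Object Name, StartName, State
```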


Mar 21 2017

Count Results in PowerShell

Published under Windows

I was astonished to see PowerShell would display nothing when it should count 0 or 1.

Here’s a screenshot retrieving the number of AD accounts.

The reason is that a pipeline returning a single object yields a scalar rather than an array, so in older PowerShell versions .Count on it is empty (and so is .Count on the $null you get for zero results). Instead, use the Measure-Object cmdlet (alias measure) and read its Count property, which is always populated:

C:\>(Get-ADUser -filter {SamAccountName -like "dron*"} |
     select SamAccountName | measure).count
1


Another useful command:
The “tee” command (alias of Tee-Object) lets you store the result set into a variable and its number of elements into another:


C:\>$accountnb = (Get-ADUser -filter {SamAccountName -like "dr*"} |
                 select SamAccountName |
                 tee -Variable accounts | measure).count
C:\>$accountnb
3
C:\>$accounts

SamAccountName
--------------
draguene
drondy
droze



Mar 09 2017

Move RDS profiles to another volume/drive

Published under Windows

You’re in charge of a Remote Desktop Services (RDS) server, but unfortunately the C: drive is running out of space, and the RDS profiles sit on that same volume.
Luckily, plenty of space remains on the D: drive, but how shall I migrate?

You can run a GPO that creates new profiles on D:, like this:
Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Profiles -> Set path for Remote Desktop Services Roaming Profiles
It works for new profiles, but older ones need to be moved as follows:
– Migrate the user folder from C: to the new drive and assign the proper rights.
If users with older profiles get logged on with a temporary profile, you should also:
– Remove the entry in Control Panel -> User Accounts -> Configure advanced user profile properties.
– Remove the registry entry HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21… whose ProfileImagePath value matches the user profile path.
Advantage: all new profiles will be created in this new location.

or

Edit the path in the above registry key, move the profile folder to the new location and assign the user’s rights.
New profiles will still be created on C:, but you can migrate some to D: as you wish and spread the data over the two volumes.

The best approach is clearly to define the GPO right from the start, pointing at a dedicated volume other than C:.
