Managed Service Accounts in Active Directory

We have all heard that one of the many new features in Windows Server 2008 R2 is the Managed Service Account.

The prerequisite is that the domain functional level is raised to Windows Server 2008 R2.

The most common mistake is to try to create a managed service account with the Active Directory Users and Computers snap-in. You cannot.

Even if you create the account in the Managed Service Accounts container, it is still an ordinary user account. To make it work you would have to grant it the “Log on as a service” and “Log on as a batch job” user rights.

To create a Managed Service Account you must use PowerShell. Creating a service account is not complicated; a single command does it:

New-ADServiceAccount -Name <desired name of account>

Of course, before that you must “tell” PowerShell to use the Active Directory module. The syntax is:

Import-Module ActiveDirectory

And before that you must have installed the feature:

Active Directory module for Windows PowerShell


I have described this in reverse order on purpose.

The usual sequence is to first load the module into PowerShell and then start working with your managed service accounts.

When you have created the service account you need to install it on the server where you want to use it. The syntax is:

Install-ADServiceAccount -Identity "<name of service account>"

To install the account you must run PowerShell as administrator, or you will receive an error.


REMEMBER: you need ONE managed service account per server, because a managed service account can be installed on only one computer. This is the big difference between a managed service account and a virtual account.

Now you are ready to use the managed service account with specific services.


For more on this topic, follow this link.
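The whole sequence from the post in one script, as an added example (not the original post's code): the account name svc-web01 and the server name WEB01 are placeholders, the Active Directory module must be installed, and steps 1 and 2 run from any machine with the module while steps 3 and 4 must run in an elevated PowerShell on WEB01 itself.

```powershell
# Added example, not from the original post. Placeholders: MSA 'svc-web01',
# target computer 'WEB01'. Requires the Active Directory module feature.
Import-Module ActiveDirectory

$msaName  = 'svc-web01'
$computer = 'WEB01'

# 1. Create the managed service account in the domain. No password is
#    given: the domain generates and rotates it automatically.
New-ADServiceAccount -Name $msaName -Enabled $true

# 2. Bind the account to the one computer allowed to use it. An MSA can be
#    linked to a single computer, which is why each server needs its own.
Add-ADComputerServiceAccount -Identity $computer -ServiceAccount $msaName

# 3. On WEB01, in an elevated PowerShell: install the account locally so the
#    server can retrieve its password and start services with it. This is
#    the step that fails with an error if PowerShell is not run as administrator.
Install-ADServiceAccount -Identity $msaName

# 4. Verify. Test-ADServiceAccount returns $true only on the computer where
#    the account was installed; on any other machine it returns $false.
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName is not usable on $env:COMPUTERNAME"
}

# 5. Show the logon name and the computer the account is bound to. When a
#    service is pointed at the account, it is entered as DOMAIN\svc-web01$
#    with the password field left empty.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers |
    Select-Object Name, SamAccountName, HostComputers
```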

Deploying Windows XP SP3 without GPO and WSUS

If you manage a wide infrastructure in your organization, you may be unpleasantly surprised to find that Windows XP SP3 is not deployed to every Windows XP machine.

For some reason WSUS is not an option, and Group Policy is at the Windows Server 2008 R2 functional level. What do you do?

Using a GPO is not an option because of the amount of configuration and the number of modifications it would require.

Using a logon script could be the answer.

The requirement is to deploy and install Windows XP SP3 without disturbing the users.

First we must create a temporary user with administrative rights (its password will sit in clear text in the script, so delete this account as soon as the rollout is finished).

After that we must download the lsrunas tool. We will use it to pass the password. You can download it from here.

Then we put Windows XP SP3 (WindowsXP-KB936929-SP3-x86-ENU) on a network share accessible to domain users.

Check that every user can read it.

Create a .bat script with the following parameters:

lsrunas.exe /user:tempadmin /password:password /domain:domain /command:xpsp3.cmd /runpath:

Create a .cmd script with these commands:

net use x: /delete /y (where x: is the drive letter mapped to the network share where SP3 is)

net use x: \\server\share (reconnect the share)

x:

cd sp3 (where sp3 is the name of the directory containing the .exe file)

WindowsXP-KB936929-SP3-x86-ENU.exe /quiet /promptrestart

Job done.

You can use these switches:

[/help] [/quiet] [/passive] [/norestart] [/forcerestart] [/warnrestart] [/promptrestart] [/overwriteoem] [/nobackup] [/forceappsclose] [/integrate: ] [/d: ] [/log: ]

/help              Displays this message

SETUP MODES
/quiet             Quiet mode (no user interaction or display)
/passive           Unattended mode (progress bar only)

RESTART OPTIONS
/norestart         Do not restart when installation is complete
/forcerestart      Restart after installation
/warnrestart[: ]   Warn and restart automatically if required (default timeout 30 seconds)
/promptrestart     Prompt if restart is required

SPECIAL OPTIONS
/overwriteoem      Overwrite OEM files without prompting
/nobackup          Do not back up files needed for uninstall
/forceappsclose    Force other programs to close when the computer shuts down
/integrate:        Integrate this software update into
/d:                Back up files into
/log:              Create log file at

Querying Computers in Active Directory

If you need to produce reports from Active Directory, the best tool is DSQUERY, which is part of the Remote Server Administration Tools.

The first common query is how to list all computers spread across different OUs.

And here it is:

dsquery computer

dsquery shows only the first 100 results by default. The option for showing more is:

dsquery computer -limit 1000

This will show the first 1000 computers in your Active Directory. If you have more than 1000 computers, just change the number.

If you need this for a report you can redirect the results to a text file and later import it into Excel.

The syntax for this is:

dsquery computer -limit 1000 > computers.txt

If you need to know which computer is running which OS, the syntax is:

dsquery * domainroot -filter "(&(objectCategory=computer)(operatingSystem=Windows XP*))"

or

dsquery * domainroot -filter "(&(objectCategory=computer)(operatingSystem=Windows Server*))"

For those who want to know which service pack is installed on those systems:

dsquery * -scope subtree -attr "cn" "operatingSystem" "operatingSystemServicePack"  -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows XP*))" -limit 100000

The last two queries were published on sheenaustin.com.
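The same OS and service pack reports done with the Active Directory module from the first post, as an added example that is not from the original posts. It serves both the SP3 rollout (which XP machines still lack SP3) and the dsquery reports above; it assumes the AD module is installed and that operatingSystem and operatingSystemServicePack hold whatever each computer last wrote there, so a machine that has not booted since it was joined shows stale values.

```powershell
# Added example, not from the original posts. Requires the Active Directory
# module; the output file name is a placeholder.
Import-Module ActiveDirectory

# Same LDAP filter as the dsquery example: every Windows XP computer object.
$xp = Get-ADComputer -LDAPFilter '(&(objectCategory=computer)(operatingSystem=Windows XP*))' `
        -Properties operatingSystem, operatingSystemServicePack, lastLogonTimestamp

# Report 1: how many XP machines are on each service pack. A missing value
# (computer never reported one) is shown as "(none)".
$xp | Group-Object operatingSystemServicePack |
    Select-Object @{n='ServicePack'; e={ if ($_.Name) { $_.Name } else { '(none)' } }}, Count |
    Sort-Object Count -Descending

# Report 2: machines that still need SP3, i.e. the list the logon script
# deployment is meant to clear. lastLogonTimestamp helps spot dead objects
# that will never pick up the script; it is empty on some objects, hence the check.
$needSp3 = $xp | Where-Object { $_.operatingSystemServicePack -ne 'Service Pack 3' }
$needSp3 |
    Select-Object Name, DNSHostName, operatingSystem, operatingSystemServicePack,
        @{n='LastLogon'; e={ if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } }} |
    Export-Csv -Path .\xp-missing-sp3.csv -NoTypeInformation

# Report 3: OS and service pack inventory for every computer, the equivalent
# of "dsquery computer -limit 1000 > computers.txt" without the result cap.
Get-ADComputer -Filter * -Properties operatingSystem, operatingSystemServicePack |
    Group-Object operatingSystem, operatingSystemServicePack |
    Select-Object Name, Count |
    Sort-Object Name
```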