View the creation date for AD-integrated DNS records

Six months into my new job, and I’ve still got a big mess of old static DNS records to clean up from our Active Directory-integrated DNS.

The DNS management console doesn’t show any sort of date information, but I knew that because the data is stored in AD, there should be some sort of created/modified date on each record.

I had a look using ADSIEdit, and sure enough, there were the dates! Here’s a quick one-liner to pull out the records and their created/modified dates:

Get-ChildItem "AD:DC=contoso.com,CN=MicrosoftDNS,CN=System,DC=contoso,DC=com" | Get-ADObject -Properties Created,Modified | Select-Object Name,Created,Modified | Sort-Object -Property Created

Armed with the creation date of each record, I’m in a better position to determine which ones are no longer needed.
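Building on that one-liner, here is an added example (not code from the original post) that pulls the same Created/Modified dates for every dnsNode in a zone and flags host records that look stale: old, not tombstoned, and with no enabled computer account behind the name. The zone name, domain DN and age threshold are assumptions; it also checks the DomainDnsZones partition, where newer zones are usually stored.

```powershell
# Added example, not from the original post. Lists dnsNode objects in an AD-integrated zone with
# their AD Created/Modified timestamps and flags host records with no enabled computer account.
# Zone name, domain DN and age threshold are assumptions; requires the ActiveDirectory module.
param(
    [string]$Zone      = 'contoso.com',
    [string]$DomainDN  = 'DC=contoso,DC=com',
    [int]   $StaleDays = 180
)

# A zone can live in the domain partition (the legacy location used in the post)
# or in the DomainDnsZones application partition; check both so nothing is missed.
$zoneContainers = @(
    "DC=$Zone,CN=MicrosoftDNS,CN=System,$DomainDN",
    "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
)

# Host names of enabled computer accounts, lower-cased for a case-insensitive lookup
$enabledHosts = @{}
Get-ADComputer -Filter 'Enabled -eq $true' |
    ForEach-Object { $enabledHosts[$_.Name.ToLower()] = $true }

$cutoff  = (Get-Date).AddDays(-$StaleDays)
$results = foreach ($container in $zoneContainers) {
    # -Identity throws when the zone is not stored in this partition; skip it
    try { $null = Get-ADObject -Identity $container } catch { continue }

    $query = @{
        SearchBase = $container
        LDAPFilter = '(objectClass=dnsNode)'
        Properties = 'Created', 'Modified', 'dNSTombstoned'
    }
    Get-ADObject @query | ForEach-Object {
        $name = $_.Name.ToLower()
        # '@' is the zone apex and '_'-prefixed nodes hold SRV/service records;
        # neither is a cleanup candidate here.
        $isHostRecord = ($name -ne '@') -and (-not $name.StartsWith('_'))
        $hasComputer  = $enabledHosts.ContainsKey($name)
        [pscustomobject]@{
            Name            = $_.Name
            Created         = $_.Created
            Modified        = $_.Modified
            Tombstoned      = [bool]$_.dNSTombstoned
            EnabledComputer = $hasComputer
            # Review before deleting: static records for non-domain hosts also land here
            ReviewCandidate = $isHostRecord -and (-not $hasComputer) -and
                              (-not $_.dNSTombstoned) -and ($_.Modified -lt $cutoff)
        }
    }
}
$results | Sort-Object Created | Format-Table -AutoSize
```

Records marked ReviewCandidate are a worklist, not a delete list: a printer or appliance with a hand-entered A record will show up here just as an orphaned server does.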

Office 365/Azure AD: Find all users with an email address that matches a specific string

We have a lot of shared mailboxes in Office 365. Today, I needed to find a subset of those, change their UPN, and set the FirstName and LastName attributes.

I came across this lengthy PowerShell script that someone had created years ago to find users, but the simplest way to do this is via this one line of PowerShell, once you’ve connected to Azure AD:

Get-MsolUser -MaxResults 1000 | Where-Object {($_.ProxyAddresses -like '*texttomatch*')}

An alternative method, if you’re not connected to Azure PowerShell, but are connected to Exchange Online via PowerShell, is to use Get-Mailbox:

Get-Mailbox -ResultSize 1000 | ? {$_.EmailAddresses -like '*texttomatch*'}

Use PowerShell to remove home directories for users who no longer exist in AD

Today I had to migrate a home directory share to another server. I didn’t want to migrate folders for users who no longer existed in AD or were disabled, so I wrote a script to move those users’ folders into another location.

You could tweak this to be run as a scheduled task, thereby keeping your user home directory share clear of old users’ folders.

Note that this requires the ActiveDirectory PowerShell module in order to enumerate the list of users from AD. I started looking at a fallback method using [adsisearcher], but it wasn’t worth my time.

$homeDriveRoot = "\\server1\userfolders"
$leaversRoot = "\\server1\userfolders\oldusers"

# Get the list of folders in the home drive share
$folders = Get-ChildItem $homeDriveRoot | Select -ExpandProperty Name

# Get the list of active users from AD
$activeUsers = Get-ADUser -Filter {Enabled -eq $true} | Select -ExpandProperty SamAccountName

# Compare the list of users to the list of folders
$differences = Compare-Object -ReferenceObject $activeUsers -DifferenceObject $folders | ? {$_.SideIndicator -eq "=>"} | Select -ExpandProperty InputObject

# For each folder that shouldn't exist, move it
$differences | ForEach-Object {Move-Item -Path "$homeDriveRoot\$_" -Destination "$leaversRoot\$_" -Force}

Copy Active Directory Group Membership with PowerShell

If you need to copy AD group memberships from one user or computer account to another, you can do so with the following two lines of PowerShell.

This depends on the ActiveDirectory module being loaded, or auto-loaded in PS 3.0 or newer.

# Get the memberships from the source computer account
$memberships = Get-ADComputer source -Properties memberof | Select-Object -ExpandProperty memberof

# Apply the memberships to the destination computer account
Get-ADComputer destination | Add-ADPrincipalGroupMembership -MemberOf $memberships -Verbose -WhatIf