
Thursday, March 21, 2013

Bulk reset of passwords

Recently, I had to reset a whole bunch of passwords. This can be easily done via PowerShell.

# Accounts that must be left alone
$Excludes = @('user1', 'user2')
# Plain-text password turned into the SecureString the cmdlet expects
$Password = ConvertTo-SecureString -AsPlainText -Force 'mypassword'
$SearchBase = "OU=Some OU,DC=Some DC,DC=Some DC"

Import-Module ActiveDirectory

# -Reset performs an administrative reset, so no old password is needed for each user
Get-ADUser -Filter * -SearchBase $SearchBase | Where-Object {$Excludes -notcontains $_.SamAccountName} | Set-ADAccountPassword -Reset -NewPassword $Password


Then to check what was done:

Get-ADUser -Filter * -Properties SamAccountName, PasswordLastSet | Select-Object SamAccountName, PasswordLastSet | Sort-Object PasswordLastSet -Descending
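A hardened version of the same bulk reset, added here as an example rather than the post's own script: the password is prompted for instead of being stored in the script, each user is forced to change it at next logon, a dry-run switch is on by default, and the verification is scoped to the same OU. The OU, the excluded names and the 10-minute window are placeholder assumptions.

```powershell
# Added example, not the post's script. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SearchBase = 'OU=Some OU,DC=example,DC=com'   # placeholder OU
$Excludes   = @('user1', 'user2')               # placeholder exclusions
$DryRun     = $true                             # set to $false to actually reset

# Prompt once; the plaintext never lands on disk or in the console history
$Password = Read-Host -AsSecureString -Prompt 'Temporary password for all targeted users'

$Targets = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties PasswordLastSet |
    Where-Object { $Excludes -notcontains $_.SamAccountName }

Write-Host ("About to reset {0} account(s) under {1}" -f @($Targets).Count, $SearchBase)

foreach ($User in $Targets) {
    # Administrative reset; -Reset avoids the prompt for the old password
    Set-ADAccountPassword -Identity $User -Reset -NewPassword $Password -WhatIf:$DryRun
    # Force a change at next logon so the shared temporary value is short-lived
    Set-ADUser -Identity $User -ChangePasswordAtLogon $true -WhatIf:$DryRun
}

# Verification scoped to the OU: anything NOT reset in the last 10 minutes is listed,
# so an empty result means every targeted account was handled
$Cutoff = (Get-Date).AddMinutes(-10)
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties PasswordLastSet |
    Where-Object { $Excludes -notcontains $_.SamAccountName -and $_.PasswordLastSet -lt $Cutoff } |
    Select-Object SamAccountName, PasswordLastSet
```

Set-ADUser -ChangePasswordAtLogon fails for accounts flagged "Password never expires" or "User cannot change password", so those show up in the error stream rather than silently keeping the temporary password.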

Thursday, September 6, 2012

Server and AD trust relationships

Recently one of my servers started having trust issues. I would RDP to the server and it would appear to accept my domain login credentials fine, but then kick me back to the Windows server login screen with the following error:
The username or password is incorrect

I logged in as a local administrator and saw the following in the Security log:
Unknown user name or bad password
... with the following status codes: 0xc000006d 0xc000006a

I tried disconnecting from the domain and reconnecting, with the required reboots, and now I get this error:
The trust relationship between this workstation and the primary domain failed

I tried to disconnect, remove the computer account, reconnect, but this resulted in this error:
The security database on the server does not have a computer account for this workstation trust relationship

This is very frustrating, so finally I did the following:

  • Disconnect from the domain (with a reboot)
  • Remove the computer account from AD
  • Reboot both the primary and secondary DCs
  • Rejoin the domain (with a reboot)

That finally worked. So, when in doubt, reboot possibly everything.
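A less disruptive first step for the same "trust relationship ... failed" symptom, added as an example and not something the post tried: test the machine account's secure channel and let Windows reset the computer password in place, before disjoining or rebooting domain controllers. DOMAIN\admin is a placeholder; the Get-ADComputer lookup assumes the RSAT ActiveDirectory module is installed on the server.

```powershell
# Added example, not from the post. Run in an elevated PowerShell on the affected
# server while logged on as a local administrator (the domain logon is what fails).
$Computer = $env:COMPUTERNAME
$Cred     = Get-Credential 'DOMAIN\admin'   # placeholder: an account allowed to reset computer passwords

if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel for $Computer is healthy; the logon error has another cause."
} else {
    Write-Host "Secure channel broken; attempting repair"
    # -Repair resets the machine account password on both the member and a DC,
    # which is what a disjoin/rejoin achieves, but without leaving the domain.
    if (Test-ComputerSecureChannel -Repair -Credential $Cred) {
        Write-Host "Repair succeeded; domain logons should work again without a reboot."
    } else {
        # A failed repair usually means the computer object is missing or disabled,
        # matching the 'does not have a computer account' error the post hit.
        Import-Module ActiveDirectory
        $Acct = Get-ADComputer -Filter "Name -eq '$Computer'" -Credential $Cred -ErrorAction SilentlyContinue
        if (-not $Acct) {
            Write-Host "No computer account named $Computer in AD; a rejoin is required."
        } elseif (-not $Acct.Enabled) {
            Write-Host "Computer account is disabled; enable it, then run the repair again."
        } else {
            Write-Host "Account exists and is enabled; check DC replication before rejoining."
        }
    }
}
```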





Tuesday, June 5, 2012

Set-ADAccountPassword : Access is denied

I was trying to reset a bunch of passwords and was trying to do this in PowerShell:

Set-ADAccountPassword -Identity myuser -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'newpassword' -Force)

However, it was coming back with the following despite running the PowerShell console as Administrator:

Set-ADAccountPassword : Access is denied
At line:1 char:22
+ Set-ADAccountPassword <<<<  -Identity myuser -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'newpassword' -Force)
    + CategoryInfo          : PermissionDenied: (christys:ADAccount) [Set-ADAccountPassword], UnauthorizedAccessException
    + FullyQualifiedErrorId : Access is denied,Microsoft.ActiveDirectory.Management.Commands.SetADAccountPassword


I did a quick search and found this, which didn't help, but it did inspire me to try this:

# Build the SecureString first, then pass the variable instead of the inline expression
$newpassword = ConvertTo-SecureString -AsPlainText 'newpassword' -Force
Set-ADAccountPassword -Identity myuser -Reset -NewPassword $newpassword



This worked well.

Friday, May 13, 2011

Managed Service Accounts not supported by SQL Server

I have been setting up a new Active Directory Domain Services domain running at the Windows Server 2008 R2 functional level. According to the documentation What's New in Service Accounts in Windows Server 2008 and Windows 7: "The managed service account is designed to provide crucial applications such as SQL Server and IIS with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts." So I create an account to run the SQL services and install SQL Server. However, when I try to pick the service account, my SQL user will not show up in the picker at all. Searching around some more, I come across the Managed Service Accounts Frequently Asked Questions (FAQ). It states: "The use of managed service accounts with Microsoft SQL Server is not supported." Argh!

Thursday, February 17, 2011

Limiting the People Picker in SharePoint

We have multiple SharePoint environments that share the same Active Directory. However, there are cases where we need to keep the various groups of users separated. Normally the People Picker will return results from the entire Active Directory.

Doing some quick research, I found that there are some settings available through stsadm that control how the People Picker behaves. This is described in the Microsoft TechNet article on Configure the People Picker. In particular, we were interested in two properties:


  • peoplepicker-Peopleeditoronlyresolvewithinsitecollection - To force People Picker to only return users who have permissions in the site collection when the Check Names button is clicked
  • peoplepicker-onlysearchwithinsitecollection - To force People Picker to only return users who have permissions in the site collection when the Select People and Groups dialog box is used

It appears that the phrase "have permissions in the site collection" did not mean what I expected. I would have expected that this would include anybody who has security permissions to the site. Instead, it means that a permission is set. That is, the user is in the SPWeb.AllUsers collection (i.e. has accessed the system).

Furthermore, the Check Names button has more than one function. If you enter an exact match, then Check Names verifies the name you entered. If you enter a partial match, it actually does a search which is controlled by the peoplepicker-onlysearchwithinsitecollection property.

Clear as mud? 
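The two properties above set and then read back for one web application, added as an example (not the post's own commands): the web application URL and the stsadm path are placeholder assumptions, and the 14 hive corresponds to SharePoint 2010.

```powershell
# Added example, not from the post. Run in an elevated prompt on a SharePoint server
# as a farm administrator; stsadm.exe lives in the SharePoint hive's BIN folder.
$Stsadm = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe'
$Url    = 'http://sharepoint.example.com'   # placeholder web application

$Props = @(
    'peoplepicker-onlysearchwithinsitecollection',             # partial-name searches in the dialog
    'peoplepicker-peopleeditoronlyresolvewithinsitecollection' # exact-name resolution via Check Names
)

foreach ($P in $Props) {
    # Current value: blank or "no" means the whole directory is searched
    Write-Host "Before: $P"
    & $Stsadm -o getproperty -pn $P -url $Url

    # Restrict to users already in SPWeb.AllUsers for this site collection
    & $Stsadm -o setproperty -pn $P -pv yes -url $Url

    # Read it back to confirm the change took effect
    Write-Host "After: $P"
    & $Stsadm -o getproperty -pn $P -url $Url
}
```

Because both properties only look at SPWeb.AllUsers, a user who has a permission grant but has never visited the site will still not resolve; that is the behaviour the post describes, not a misconfiguration.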



Wednesday, December 22, 2010

Active Directory Primary Domain Controller went belly up

I was alerted to a login problem on one of our servers by a user. I found an Event 537 with status code 0xC000005E logged in the event viewer. Here is the corresponding KB article: http://support.microsoft.com/kb/908355

It turns out our primary Active Directory domain controller had died. I don't really have any experience with setting up AD servers, so I needed a little help with this. Luckily this was quite useful: Installing an Additional Domain Controller by Using the Graphical User Interface (GUI).

So, I started doing this, but then ran into a problem when running the Active Directory Domain Services Installation Wizard (dcpromo.exe): You will not be able to install a writable replica domain controller at this time because the RID master [my primary DC] is offline.
After clicking on No, the following popup was displayed: The transfer of the operations master role cannot be performed because: The requested FSM operation failed. The current FSMO holder could not be contacted.
Well, duh! As I was saying, the primary DC is down. Doing some more searching I found this: Seizing FSMO Roles.

So, I went back to my old backup DC, seized all FSMO roles, then made my new box the new backup DC as I originally started out doing. Now everything is okay again. I just have to update all my DNS search settings since the new box has a different IP address.
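The FSMO seizure step from the surviving DC, scripted and verified, added as an example and not the post's own commands. DC2 is a placeholder for the surviving domain controller; the seizure must be run as a member of Domain Admins, and seizing the schema and domain naming masters additionally needs Schema Admins and Enterprise Admins.

```powershell
# Added example, not from the post. Run in an elevated prompt on the surviving DC.
# Only do this when the old role holder is permanently gone: a seized role holder
# that later comes back online causes RID/schema conflicts.
$Survivor = 'DC2'   # placeholder name of the surviving domain controller

# Before: the dead DC is still listed as the holder of every role
netdom query fsmo

# ntdsutil accepts its interactive commands as quoted arguments, so the whole
# seizure can be scripted. Each "seize" first attempts a graceful transfer and
# falls back to seizing when the current holder cannot be contacted; a
# confirmation dialog still pops up for each role.
$Commands = @(
    'roles',
    'connections',
    "connect to server $Survivor",
    'quit',
    'seize schema master',
    'seize naming master',
    'seize RID master',
    'seize PDC',
    'seize infrastructure master',
    'quit',
    'quit'
)
& ntdsutil.exe @Commands

# After: all five roles should now name $Survivor
netdom query fsmo
```

Once the roles are seized, the dead DC's leftover objects should be removed with ntdsutil's metadata cleanup before promoting a replacement with dcpromo, so the new box does not try to replicate from a partner that no longer exists.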