Showing posts with label AD. Show all posts

Searching For Email Groups Without Members

This is a quick one for reference: searching for AD groups that have an email address set but no members, using an LDAP filter and PowerShell:
 Get-ADObject -LDAPFilter "(&(objectcategory=group)(!(member=*))(mail=*))" 

The same LDAP filter can be used in Active Directory Users and Computers:


Happy hunting :) 

Event ID 4769 Audit failure with Failure Code 0xC

In this case there was a two-way forest trust between two forests. Forest 1 contained a single domain, Domain1; Forest 2 contained several domain trees. There was also an external trust between Domain1 and Domain B.


Users from both forests were able to log on successfully to workstations in both forests. But when users from Domain B tried to access resources in Domain1 (the file share \\server1.domain1.local\fileshare), they got a credential prompt asking for a valid username and password. On the domain controllers in Domain1 an Audit Failure was logged with the following details:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Task Category: Kerberos Service Ticket Operations
Level:         Information
Keywords:      Audit Failure

Description:
A Kerberos service ticket was requested.

Account Information:
 Account Name:  user@domainB.local
 Account Domain:  domainB.local
 Logon GUID:  {00000000-0000-0000-0000-000000000000}

Service Information:
 Service Name:  cifs/server1.domain1.local
 Service ID:  NULL SID

Network Information:
 Client Address:  ::ffff:a.b.c.d
 Client Port:  49783

Additional Information:
 Ticket Options:  0x40810000
 Ticket Encryption Type: 0xffffffff
 Failure Code:  0xc
 Transited Services: -

According to https://technet.microsoft.com/en-us/library/bb463166.aspx, failure code 0xC is KDC_ERR_POLICY.

I have successfully resolved this issue by enabling the name suffix DomainB in the Trust properties, Name Suffix Routing tab, in Forest 1. After enabling DomainB in the Name Suffix Routing tab, users from DomainB were able to access resources in Domain1 using Kerberos without any credential prompt.
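As an added example (not part of the original post), the following PowerShell summarises 4769 audit failures from a DC's Security log by requesting domain, requested service and failure code, so a run of 0xC from one trusted domain against one SPN stands out from ordinary one-off failures. It assumes read access to the DC's Security log and the standard 4769 EventData field names (TargetUserName, TargetDomainName, ServiceName, IpAddress, Status).

```powershell
# Added example: triage Event ID 4769 audit failures on a domain controller by
# reading the named EventData fields from the event XML and grouping failures
# by account domain, requested service and Kerberos failure code.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # DC to query; needs read access to its Security log
    [int]$Hours = 24
)

# Kerberos error codes (RFC 4120) commonly seen in 4769 failures; 0xc is the one from the post
$kdcErrors = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN'
    '0xc'  = 'KDC_ERR_POLICY'
    '0xe'  = 'KDC_ERR_ETYPE_NOSUPP'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED'
    '0x25' = 'KRB_AP_ERR_SKEW'
}

$filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $status = ('' + $data['Status']).ToLower()
    if ($status -eq '0x0') { continue }        # successful ticket requests are not of interest here
    $meaning = if ($kdcErrors.ContainsKey($status)) { $kdcErrors[$status] } else { 'see RFC 4120' }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        AccountDomain = $data['TargetDomainName']
        Account       = $data['TargetUserName']
        Service       = $data['ServiceName']
        ClientAddress = ('' + $data['IpAddress']) -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        FailureCode   = $status
        Meaning       = $meaning
    }
}

# One row per (domain, service, code). Many 0xc rows from a single trusted domain against
# one SPN point at trust policy / name suffix routing rather than at individual users.
$failures | Group-Object AccountDomain, Service, FailureCode | Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Count         = $_.Count
            AccountDomain = $first.AccountDomain
            Service       = $first.Service
            FailureCode   = $first.FailureCode
            Meaning       = $first.Meaning
            Clients       = ($_.Group.ClientAddress | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize
```

Run it on the Domain1 DC (or point -ComputerName at it); a row with a high count, AccountDomain = domainB.local, Service = cifs/server1.domain1.local and FailureCode = 0xc is the pattern described in this post.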
 

Finding scripts in GPOs

For this case I wrote a simple, easy-to-read PowerShell script for finding GPOs that contain scripts, together with the OUs they are linked to. The script requires domain administrator credentials to enumerate the GPO machine startup folders. To populate the $dc and $dom variables it needs an online domain controller and the domain name. It then enumerates the Policies folders looking for files with the vbs, bat and vbe extensions, uses a regex to extract the GPO GUID found between the curly brackets "{}" in the full file path, resolves the GPO name from that GUID along with the OUs where the GPO is linked, and finally outputs the data.

# Requires the ActiveDirectory and GroupPolicy (RSAT) modules and rights to read SYSVOL
Import-Module ActiveDirectory, GroupPolicy

$dc = Read-Host "Online DC (example:dc1)"
$dom = Read-Host "Domain name (example:domain.com)"

# Find script files under the Policies share and pull the GPO GUID out of each full path
Get-ChildItem \\$dc\SYSVOL\$dom\Policies -Include *.vbs,*.bat,*.vbe -Recurse |
    Select-Object -ExpandProperty FullName |
    Select-String -Pattern "(?<=\{).*?(?=\})" |
    ForEach-Object {

    $id  = $_.Matches[0].Value
    $gpo = Get-GPO -Guid $id
    # OUs whose gPLink references this GPO (links at the domain root or on sites are not covered)
    $ou  = Get-ADOrganizationalUnit -LDAPFilter "(gPLink=*$id*)"

    Write-Host $_.Line
    Write-Host "GPOName=" -ForegroundColor Red -NoNewline
    Write-Host $gpo.DisplayName -NoNewline
    Write-Host "`tStatus=" -ForegroundColor Yellow -NoNewline
    Write-Host $gpo.GpoStatus
    Write-Host "OUlinks=" -ForegroundColor Green -NoNewline
    Write-Host ($ou.Name -join ', ')
    Write-Host " "

}


Feel free to customize or modify the script to satisfy your needs.
 

Object "computername" contains other objects

If you try to delete a computer object in AD, you might receive the warning "Object <computername> contains other objects". To see what that computer object contains, enable "Users, Contacts, Groups and Computers as containers" in the View menu of the Active Directory Users and Computers console; the child objects under the computer will then be visible.


In most cases, if the computer object is a client workstation, the child object will be a printer.

How to check EMBG (Unique Master Citizen Number) using regex

In this post, I will share my implementation of how to check if some number looks like EMBG or Unique Master Citizen Number. For those of yo...