Tag Archives: Active Directory

Get/Set Active Directory Photos by using PowerShell

Hello everyone. Today a colleague asked me if I know of a simple way to get user pictures from Active Directory. Of course I do and I will show you how you can get and set pictures in Active Directory by using PowerShell.

Important: The following scripts require Remote Server Administration Tools to be installed on your computer if you do not run them on a Domain Controller.

To get a user's picture from Active Directory, run the script below and provide a UserName and a Path (for example: C:\example.jpg) where the picture should be stored:

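Param([parameter(Mandatory=$true)][alias("User")]$UserName, [parameter(Mandatory=$true)][alias("Picture")]$PicturePath)

Import-Module ActiveDirectory

# thumbnailPhoto is not returned by default, so request it explicitly
$user = Get-ADUser $UserName -Properties thumbnailPhoto
# Write the raw bytes to disk (Windows PowerShell syntax; on PowerShell 6+ use -AsByteStream instead of -Encoding byte)
$user.thumbnailPhoto | Set-Content $PicturePath -Encoding byte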

To update a user's photo, run the script below and provide a UserName and the Path of the new picture:

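Param([parameter(Mandatory=$true)][alias("User")]$UserName, [parameter(Mandatory=$true)][alias("Picture")]$PicturePath)

Import-Module ActiveDirectory

# Read the picture as raw bytes (Windows PowerShell syntax; on PowerShell 6+ use -AsByteStream instead of -Encoding byte)
$photo = [byte[]](Get-Content $PicturePath -Encoding byte)
# Overwrite the user's thumbnailPhoto attribute with the new picture
Set-ADUser $UserName -Replace @{thumbnailPhoto=$photo}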

That's it. Getting and setting pictures in Active Directory is as simple as this.

As always you can download my scripts from here.
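
A stricter variant of the update script, as an added example that is not part of the original post: it rejects files larger than 100 KB (the upper limit of the thumbnailPhoto attribute) or files that do not start with the JPEG signature before anything is written to the directory, and it supports -WhatIf. The function name Set-ADUserPhotoChecked, the sample account jdoe and the assumption that photos are stored as JPEG are choices made for this example.

```powershell
# Added example (not from the original post). Function name and sample values are illustrative.
function Set-ADUserPhotoChecked {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][Alias('User')][string]$UserName,
        [Parameter(Mandatory = $true)][Alias('Picture')][string]$PicturePath
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Resolve the file first so the .NET file API below gets a full path
    $file = Get-Item -LiteralPath $PicturePath -ErrorAction Stop

    # thumbnailPhoto accepts at most 102400 bytes (100 KB); reject larger files up front
    $maxBytes = 102400
    if ($file.Length -gt $maxBytes) {
        throw "Picture is $($file.Length) bytes; thumbnailPhoto accepts at most $maxBytes bytes."
    }

    [byte[]]$photo = [System.IO.File]::ReadAllBytes($file.FullName)

    # Assumption: photos are JPEG. A JPEG file starts with the bytes FF D8 FF;
    # refuse anything else so arbitrary files do not end up in the directory.
    if ($photo.Length -lt 3 -or $photo[0] -ne 0xFF -or $photo[1] -ne 0xD8 -or $photo[2] -ne 0xFF) {
        throw "'$($file.FullName)' does not look like a JPEG file."
    }

    # Fail early with a clear error if the account does not exist
    $user = Get-ADUser -Identity $UserName -ErrorAction Stop

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Replace thumbnailPhoto')) {
        Set-ADUser -Identity $user -Replace @{ thumbnailPhoto = $photo }
    }
}

# Dry run first, then the real change (jdoe is a constructed account name):
# Set-ADUserPhotoChecked -User jdoe -Picture C:\example.jpg -WhatIf
# Set-ADUserPhotoChecked -User jdoe -Picture C:\example.jpg
```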

Sources:

http://241931348f64b1d1.wordpress.com/2011/05/12/how-to-put-and-retrive-active-directory-photo-attribute/

 


Group Policy – Use Regional Settings to change Date Format

Hello everyone. Today I want to share some knowledge with you which might be useful if you need to change the regional settings of your customers. Today I had the requirement to change the American Date format (MM/dd/yyyy) to the ISO8601 format (yyyy-MM-dd).

Configure Group Policy

First open Group Policy Management and go to User Configuration -> Preferences -> Control Panel Settings -> Regional Options.

Next right click on the area and choose New -> Regional Options.

Now go to Date and set the following values:

  • Short date format: yyyy-MM-dd
  • Date separator:

Now the important part: Go through all tabs and press F5. You will notice that all red lines will change into green lines.

Now go to the Common tab and click on OK.

It is important to go through all tabs and press F5; otherwise the settings will not apply. I do not know why, but I found this solution here.

Apply the settings to your Clients

To apply the settings simply do the following things:

  • Restart your Client machine

Or

Run cmd as Administrator and run the following command:

gpupdate /force

After the command has executed successfully, you need to log off and log on again on your client machine to apply the settings.

The result will look like this:

[Screenshot: date format on the client]

That's it. You have successfully changed the date format.

I wanted to share this information since I wasted quite some time searching for a solution why my settings would not apply. I hope this post is useful for you. See you next time.

Sources:

http://www.frickelsoft.net/blog/?p=126

http://technet.microsoft.com/en-us/library/cc754020.aspx

Restrict old Internet Explorer Versions

Hello everyone. Today I'm going to show you how to use AppLocker to block old versions of Internet Explorer from running. The requirement I had to fulfill was to make sure that Internet Explorer versions below 9 will not be able to run. Here is how you can do this:

Open up your Group Policy Management Editor.

Now go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services and look for the service Application Identity. AppLocker needs this service to identify applications; when it is not running, your Allow and Deny rules will not apply.

Select Automatic to start this service automatically when the system is started.

Next go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker -> Executable Rules.

Now click on Create New Rule…

This will open up a wizard. First choose Deny and leave Everyone in the text box, because we want to deny everyone the right to start old Internet Explorer versions.

Next choose Publisher.

Now click on Browse…, go to C:\Program Files\Internet Explorer and choose iexplore.exe. (By the way, you can also go to C:\Program Files (x86)\Internet Explorer and choose iexplore.exe. It does not matter: a Publisher rule matches the file's signature and version information rather than its path, so the rule we are defining blocks the 32-bit version as well as the 64-bit version from running.)

Next check Use custom values, go to File version, enter 9.0.0.0 into the text box and choose And below.

On the next page you can add Exceptions. We will add none and click on Next.

Now you can enter a Name and a Description for your Rule.

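Now your rule is finished. If you are asked whether you want to create the Default rules, click on Yes. Once a rule collection contains any rule, AppLocker only lets files run that an Allow rule permits, so without the default Allow rules every other executable would be blocked as well.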

If a user with an Internet Explorer version below 9 tries to start it, he/she will receive the following error message:

[Screenshot: error message shown when an old Internet Explorer version is blocked]

A user with a higher Internet Explorer version will see no difference at all as you can see:

[Screenshot: Internet Explorer 10 working as usual]

 

Well, that's it. Pretty simple, right? This way you can prevent security issues caused by old Internet Explorer versions. I hope my post was useful for you. See you next time.
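
To confirm on a client that the rule is really in force, the checks below can be run in an elevated PowerShell session. This is an added example, not part of the original post; it uses the built-in AppLocker cmdlets and assumes the Internet Explorer install paths mentioned above.

```powershell
# Added example (not from the original post): verify the AppLocker rule on a client.
Import-Module AppLocker

# 1. AppLocker only enforces rules while the Application Identity service (AppIDSvc) is running
Get-Service -Name AppIDSvc | Select-Object Name, Status

# 2. Collect the iexplore.exe binaries that exist on this machine (64-bit and 32-bit paths from the post)
$candidates = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe"
) | Where-Object { Test-Path -LiteralPath $_ }

# 3. Show the publisher information (including the file version) that a Publisher rule is matched against
Get-AppLockerFileInformation -Path $candidates | Format-List Path, Publisher

# 4. Evaluate the effective policy (local policy merged with GPOs) for Everyone.
#    Versions 9.0.0.0 and below should report Denied with the new rule as MatchingRule;
#    newer versions should report Allowed through one of the default rules.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $candidates -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Blocked launches are logged as event ID 8004 in the AppLocker "EXE and DLL" log
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8004
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*iexplore.exe*' } |
    Select-Object TimeCreated, Message
```

If step 4 reports Allowed for an old version, check step 1 first and make sure the GPO has been applied to the client with gpupdate /force.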

Sources:

http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Securing-Application-Execution-Microsoft-AppLocker.html

http://www.kodyaz.com/articles/windows-7-applocker-tool-step-by-step.aspx

http://www.grouppolicy.biz/2010/04/how-to-configure-applocker-group-policy-in-windows-7-to-block-third-party-browsers/

http://esihere.wordpress.com/2011/06/18/step-by-step-guide-on-configuring-applocker-in-the-domain/

http://4sysops.com/archives/applocker-tutorial-part-4-deployment/

Active Directory Search for Clients

Hello everyone. Today I discovered that there is a way to give non-admin users the possibility to search the Active Directory for information. It is pretty simple. All you need to do is to create this shortcut on your users' desktops:

%SystemRoot%\System32\rundll32.exe dsquery,OpenQueryWindow

That's it. That is all you need to do to make it work.

If you want to publish this Shortcut to a larger group of people you might consider using Group Policies.

The first step is to create a new Shortcut item. I called mine “Active Directory Search”.

Then I applied the following settings:

  • Target path: %SystemRoot%\System32\rundll32.exe
  • Arguments: dsquery,OpenQueryWindow
  • Location: Desktop

I would also recommend applying the setting “Remove this item when it is no longer applied” to make sure the shortcut will be removed when you want to retract this solution.

If you configured everything correctly, your shortcut will appear on your users' desktops.

Now every time your users use this shortcut, this window will open, allowing them to search your Active Directory.

[Screenshot: the Active Directory search window]

Here is a screenshot of an example search:

[Screenshot: example search result]

Info: Don't worry about users editing your Active Directory system. The search window runs with the permissions of the user who opens it, so users who do not have the appropriate permissions to change things will only be able to read information.

That's it for today. I hope my post was useful for you.

Sources:

http://anandthearchitect.com/2010/05/08/windows-7-how-to-search-active-directory/
