Archives for posts with tag: active directory

So What Brought This On?

Well, we are in the process of adding a new SAN to our network at one of our locations.  The path to the roaming profile folders will need to change as a result of this.  However, we only need to make this change for a group of users at a specific location whose roaming profiles currently point to the old server.

PowerShell to the Rescue!

Whenever I get the chance to write a PowerShell script, I get sorta excited about it.  Since we are still on Windows XP SP3 over here, I don’t get the chance to do a lot of cool stuff and all of our servers are not yet running Windows Server 2008 (even though we are getting there).

So I decided to write a handy script that will automate this process for me.  There are a few things to be aware of when running this script.

I ran into an issue when I attempted to run the script from a Domain Controller.  I was getting the message "Set-ADUser : Insufficient access rights to perform the operation."  There must be some type of security setting or something that disallows this Active Directory editing locally.

So I tried pointing it to a server running Windows Server 2003 by using the -Server parameter but got the following message: "Unable to contact the server.  This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running."  This would be because it's a Windows 2003 Server Domain Controller (duh).

So I pointed it to another domain controller running Windows Server 2008 and it worked just fine.

The Script



<#
.SYNOPSIS
Changes the roaming profile path of all Downtown user accounts in Active Directory to a new location.

.DESCRIPTION
Searches Active Directory for all users whose profiles reside on OLDNAS and changes their profile path to a share on NEWNAS.

.EXAMPLE
PS C:\>Change-ProfilePath-for-Downtown-Users
#>

# Import the AD Module
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# Get credentials
$AdminCredentials = Get-Credential

# Get users from Active Directory
$Users = Get-ADUser -Filter {ProfilePath -like "\\OLDNAS\profiles*"} -Properties ProfilePath | Sort-Object SamAccountName

# Loop through the users and change their profile paths
ForEach ($User in $Users) {
    Write-Host "Changing Profile for User:" $User.Name
    # Single quotes keep the $ of the hidden share name literal
    $ProfilePath = '\\NEWNAS\PROFILES$\' + $User.SamAccountName
    Set-ADUser $User -ProfilePath $ProfilePath -Credential $AdminCredentials -Server "lafayettedc2.citysecurities.local"
}
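
A more defensive variant of the same bulk change, as an added example (not the author's script): it previews with -WhatIf unless told otherwise, saves the old ProfilePath values to a CSV before writing anything, and re-queries afterwards to see what was missed. The -Apply switch and the $BackupFile, $NewShare and $Server parameter names are assumptions made for illustration; the server, share and filter values are the ones from the post.

```powershell
# Added example, not the original script. -Apply and $BackupFile are illustrative names.
param(
    [string]$Server     = 'lafayettedc2.citysecurities.local',  # DC used in the post
    [string]$NewShare   = '\\NEWNAS\PROFILES$',
    [string]$BackupFile = ".\ProfilePath-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv",
    [switch]$Apply      # without -Apply, Set-ADUser runs with -WhatIf and writes nothing
)

# Stop here if the module is missing instead of failing on every later cmdlet
Import-Module ActiveDirectory -ErrorAction Stop
$Cred = Get-Credential

# Same filter as the post; @() keeps .Count meaningful for zero or one result
$Users = @(Get-ADUser -Filter {ProfilePath -like "\\OLDNAS\profiles*"} `
    -Properties ProfilePath -Server $Server -Credential $Cred)

# Record the current values first so the change can be audited or reverted
$Users | Select-Object SamAccountName, DistinguishedName, ProfilePath |
    Export-Csv -Path $BackupFile -NoTypeInformation

$Failed = @()
foreach ($User in $Users) {
    $NewPath = '{0}\{1}' -f $NewShare, $User.SamAccountName
    try {
        Set-ADUser -Identity $User -ProfilePath $NewPath -Server $Server `
            -Credential $Cred -WhatIf:(-not $Apply) -ErrorAction Stop
    } catch {
        # e.g. "Insufficient access rights": keep going, but remember who was skipped
        $Failed += $User.SamAccountName
        Write-Warning ('{0}: {1}' -f $User.SamAccountName, $_.Exception.Message)
    }
}

if ($Apply) {
    # Re-query the same DC: anything still matching the old path was not changed
    $Left = @(Get-ADUser -Filter {ProfilePath -like "\\OLDNAS\profiles*"} `
        -Properties ProfilePath -Server $Server -Credential $Cred)
    $Summary = '{0} found, {1} failed, {2} still on OLDNAS; backup in {3}'
    Write-Host ($Summary -f $Users.Count, $Failed.Count, $Left.Count, $BackupFile)
}
```

To revert, read the CSV back with Import-Csv and pass each saved ProfilePath to Set-ADUser for the matching SamAccountName.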



Snow & Ice

Well, here in Indiana we were hit with a snow & ice storm a few days ago and many people in our firm were unable to make it into the office.  So we had a record number of users working from home over VPN.  Our HelpDesk person was able to make it in (thanks to public transportation) and was bombarded with calls about users being unable to log in to VPN.  I am not ashamed to admit that some things get overlooked during the account creation process (which is not my responsibility, mind you) and this is one of them.

Remote Access Permission (Dial-Up or VPN)


So the problem was that for some reason the Remote Access Permissions were set to Deny Access for a small minority of end users.  Not a big deal to fix but annoying nonetheless.  So this issue made me consider a long-term solution which would be to make changes to the account creation process and ensure that these settings are set correctly.  Furthermore, I wanted to know how to find out who in our Active Directory does not have Remote Access/VPN.