Change all users to an alternate domain suffix

  1. In Active Directory Users and Computers, right-click Saved Queries > New > Query. Give it a name and click “Define Query”. Stay on the “Users” tab.
  2. For Name, select “Is not” and type a name no account has, like testtesttest. Click OK, then OK again. The query returns every user whose name is <<not>> testtesttest, which is all of them.
  3. Select all the results, then right-click > Properties.
  4. Go to the Account tab, check “UPN Suffix” and change it to the appropriate suffix.

That’s it! There are PowerShell methods to do this too, but when handling hundreds of user accounts you have to be absolutely careful in PowerShell. There are solutions online that work fine that I am not going to post here. This is purely for the GUI. Good luck!

Exchange and AD Powershell Useful Commands

I’ve had a few odd issues & tasks with Exchange 2010 and AD recently and wanted to take a moment to document them as well as the command used to resolve the issue:

The following command was useful to resolve an issue where multiple copies of the same shared mailbox showed up in Outlook, only one of which would open while the other copies failed. Re-granting Full Access with -Automapping $false stops Exchange from adding the mailbox to Outlook automatically via Autodiscover, so the duplicates disappear and the user adds the mailbox once, manually.

Add-MailboxPermission -Identity <shared mailbox alias> -User <your mailbox alias> -AccessRights FullAccess -InheritanceType All -Automapping $false

The following finds all enabled user accounts whose Password Never Expires attribute is set to true, formatted in a table of username and the attribute value. The value is not really necessary because it should only ever be True, but everyone loves a sanity check, right?

Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } -Properties PasswordNeverExpires | Format-Table -Property Name, PasswordNeverExpires -AutoSize

Swap Domain Controller

I was tasked with moving the domain controller to another server so the license for the Server Essentials 2012 could be re-purposed for a specific software program. This also removed the 25 user restriction limit of Server Essentials. I had to first virtualize the environment which is another story altogether. So here’s what I had to do:

  1. Install the Server 2012 Standard
  2. Install the Active Directory Role — the process is pretty straightforward
  3. Point the DHCP scope’s DNS server option at the new server’s IP.
  4. Verify over the next few days that a few clients have picked up the new DNS server; it takes time for IP leases to renew. I didn’t uninstall the DNS role from the Essentials copy anyhow, so this wasn’t mandatory for me.
  5. Open Active Directory Users and Computers on the new DC
  6. Right-click the domain node and choose Operations Masters. Click Change on each of the three tabs (RID, PDC, Infrastructure).
  7. Open Active Directory Domains and Trusts, right-click the root node and click Operations Master. Click Change.
  8. Open cmd as admin and type regsvr32 schmmgmt.dll and push enter
  9. Type mmc and push enter
  10. File> Add/Remove snapin, Find Active Directory Schema snap-in and open it
  11. Right click the new snapin, click Change Active Directory Domain Controller…
  12. Click on your new DC and click OK. You’ll get a message, don’t worry about it.
  13. Right click again on the snapin and click Operations Master… Click Change
    1. Change grayed out? Make sure your account is a member of the Schema Admins group in Active Directory Users and Computers. Log off and back on.
  14. Run dcdiag /a to verify everything is OK, then proceed to demoting your old DC.
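The same role transfer (steps 5 through 14) done from the ActiveDirectory PowerShell module instead of the three MMC snap-ins, as an added example that is not part of the original post; it assumes the new DC’s hostname is NEWDC (a placeholder) and that you are logged on as a member of Schema Admins, Enterprise Admins and Domain Admins:

```powershell
# Added example, not from the original post. Transfers (does not seize) all five
# FSMO roles to the new DC and verifies the result. NEWDC is a placeholder.
Import-Module ActiveDirectory

$NewDC = 'NEWDC'   # placeholder: hostname of the new domain controller

# Record who holds each role before the move (forest roles vs. domain roles)
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# Transfer all five roles in one call. Without -Force this is a clean transfer
# that requires the current holder to be online; -Force would seize instead.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Verify: every role holder should now be the new DC (values come back as FQDNs)
$forest  = Get-ADForest
$domain  = Get-ADDomain
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
$elsewhere = $holders | Where-Object { $_ -ne $NewDC -and $_ -notlike "$NewDC.*" }

if ($elsewhere) {
    Write-Warning "Roles still held elsewhere: $($elsewhere -join ', ')"
} else {
    Write-Host "All five FSMO roles are now held by $NewDC"
}

# Health checks before demoting the old DC, as in step 14
repadmin /replsummary
dcdiag /a
```

This route skips the regsvr32 schmmgmt.dll and mmc steps entirely, since the module talks to the schema master directly.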


This is a great tutorial as well:

Transferring FSMO Roles

Allow Local Admin Privileges When Using Domain

Typically when you set up a domain on your network and create domain users, you might want to give them local admin access to do things like install programs on their own PC, without making them an administrator of the domain.

1. Right-Click Computer> Manage

2. Expand System Tools> Local Users & Groups> Groups

3. Right-Click Administrators and choose Properties

4. Go to Add… and then add the users you want to have local admin privileges to install software and make LOCAL changes. In my case, I add Domain Users. Note that adding Domain Users makes every account in the domain a local administrator of that PC, not only the people who sit at it; if only one or two people need it, add those accounts or a dedicated group instead.