If you ever wondered if there is a cooler or faster way to update a computer's group membership without having to reboot: well there is. If you delete or "purge" the kerberos tickets on the machine and then perform a gpupdate, the client is going to retrieve a new kerberos ticket with the new group membership.

Here are the two (well, if have never heard of gpupdate /force):

klist -lh 0 -li 0x3e7 purge

gpupdate /force

References:

https://www.shellandco.net/update-computer-membership-without-reboot/

In an Active Directory environment, it is best practice to enable DNS Aging and Scavenging. Aging and Scavenging will ensure that old DNS entries (such as decommissioned servers or computers) are deleted regularly. You will find this option by opening the properties in DNS Manager under the advanced tab or in the properties of a Forward Lookup Zone.

For detailed information, check out https://www.windowstechno.com/dns-aging-and-scavenging/.

On old Windows Active Directory environments, you might need to upgrade the Sysvol share from File Replication Service to Distributed File System Replication. This is very easy to do and it should be done asap in your environment.

Unfortunately I do not have screenshots to share with you, but here are the steps:

With dfsrmig /getmigrationstate you can see the status of the migration. Dfsrmig has 4 states starting from 0:

• State 0 - started
• State 1 - prepared
• State 2 - redirected
• State 3 - eliminated

Step 1:

dfsrmig /setglobalstate 0

Wait untill all Domain Controllers have the state "started". You can check the state with dfsrmig /getmigrationstate. Be very patient as it might take some time to replicate changes particularly if you have Domain Controllers on remote offices.

Step 2:

dfsrmig /setglobalstate 1

Wait until all Domain Controller have the state "prepared". You can check the state with dfsrmig /getmigrationstate. Once again, be very patient and double check the output.

Step 3:

dfsrmig /setglobalstate 2

Wait until all Domain Controller have the state "redirected". You can check the state with dfsrmig /getmigrationstate. Be very patient and double-check the output.

Step 3:

dfsrmig /setglobalstate 3

Wait until all Domain Controller have the state "eliminated". You can check the state with dfsrmig /getmigrationstate. Be very patient and double-check the output.

In addition to the last migration state, make sure the File Replication Service service is disabled on every Domain Controller.

References:

https://www.rebeladmin.com/2015/04/step-by-step-guide-for-upgrading-sysvol-replication-to-dfsr-distributed-file-system-replication/

With this awesome script, you can read Active Directory group membership and convert that information into a CSV file, which can be imported in Microsoft Excel.

The file will be saved inside C:\Temp. The result looks something like this (I'm no Excel wizard):

https://github.com/ajnik/AD-Group-Membership-to-Excel/blob/main/AD-Groups-To-CSV.ps1

Note: Not my script. Check credits.

You can easily run one or multiple programs at logon without messing with the Registry by using Group Policy Object (GPOs).

Under User (or Computer) configuration > Administrative Templates > System > Logon > Run these programs at user logon you can insert the path of the executable. Very clean and straight forward.