ADFS: Set Account Lockout Threshold and Duration

To protect domain user accounts against brute-force and password-spraying attempts that arrive through the Web Application Proxy, enable the ADFS extranet lockout (the threshold plus the observation window during which further extranet attempts for that account are refused). Run the following in an elevated PowerShell session on the primary ADFS server, changing any parameters as required. Two points to keep in mind: the ADFS threshold should be set below the domain's AD account lockout threshold, so that ADFS stops extranet attempts before AD locks the account outright, and the lockout only applies to requests that come in via the proxy, not to internal authentications. ADFS makes its decision from the user's badPwdCount on the PDC emulator; setting -ExtranetLockoutRequirePDC to $false lets it fall back to another domain controller if the PDC is unreachable.

Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutThreshold 15 `
    -ExtranetObservationWindow ( New-TimeSpan -Minutes 30 ) `
    -ExtranetLockoutRequirePDC $false
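To confirm the setting took effect and that it actually sits below the domain lockout policy, the following added example (not part of the original post) reads both policies back and then approximates the decision ADFS makes for one account. It assumes it is run on the primary ADFS server with the RSAT ActiveDirectory module installed; the account name at the end is a placeholder, and the Test-AdfsSoftLockout function is an illustration of the documented logic (badPwdCount on the PDC compared with the threshold inside the observation window), not an ADFS API.

```powershell
# Added example, not part of the original post. Compares the ADFS extranet
# soft-lockout settings with the domain's AD account lockout policy, then
# approximates the soft-lockout decision for a single account.
Import-Module ADFS
Import-Module ActiveDirectory

$adfs   = Get-AdfsProperties
$policy = Get-ADDefaultDomainPasswordPolicy
$pdc    = (Get-ADDomain).PDCEmulator   # ADFS reads badPwdCount from the PDC emulator

"ADFS extranet lockout enabled : $($adfs.EnableExtranetLockout)"
"ADFS threshold / window       : $($adfs.ExtranetLockoutThreshold) bad passwords within $($adfs.ExtranetObservationWindow)"
"AD   threshold / window       : $($policy.LockoutThreshold) bad passwords within $($policy.LockoutObservationWindow)"

if (-not $adfs.EnableExtranetLockout) {
    Write-Warning "Extranet lockout is off: password attempts through the proxy go straight to AD."
}
elseif ($policy.LockoutThreshold -gt 0 -and $adfs.ExtranetLockoutThreshold -ge $policy.LockoutThreshold) {
    Write-Warning "ADFS threshold $($adfs.ExtranetLockoutThreshold) is not below the AD threshold $($policy.LockoutThreshold): an attacker on the extranet can still lock the AD account."
}
else {
    "OK: ADFS rejects extranet attempts before AD locks the account."
}

# Assumed illustration of the soft-lockout decision: the account is refused on
# the extranet when badPwdCount has reached the threshold and the last bad
# password is still inside the observation window.
function Test-AdfsSoftLockout {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Server $pdc -Properties badPwdCount, badPasswordTime

    # badPasswordTime is stored as a Windows FILETIME (UTC).
    $lastBad = $null
    if ($user.badPasswordTime) { $lastBad = [DateTime]::FromFileTimeUtc($user.badPasswordTime) }

    $inWindow = $false
    if ($lastBad) { $inWindow = ((Get-Date).ToUniversalTime() - $lastBad) -lt $adfs.ExtranetObservationWindow }

    [PSCustomObject]@{
        Account         = $user.SamAccountName
        BadPwdCount     = $user.badPwdCount
        LastBadPassword = $lastBad
        SoftLocked      = [bool]($user.badPwdCount -ge $adfs.ExtranetLockoutThreshold -and $inWindow)
    }
}

Test-AdfsSoftLockout -SamAccountName 'TestUser1'   # placeholder account name
```

If the first warning fires, the extranet lockout was set on a server that is not the primary (the setting only takes effect there); if the second fires, lower -ExtranetLockoutThreshold or raise the domain lockout threshold so that the ADFS value is strictly smaller.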

Script to Batch Create Test User Accounts in Active Directory

Recently I have been working in my test labs and needed to create a large number of Test User Accounts in Active Directory. Rather than creating the users manually through the GUI (which would take forever), I wrote a script to automate the process. You’ll find the script below; it should be easy to modify for your own environment.

<#
# --------------------------------------------------------------------------------- #
.SYNOPSIS

Creates a batch of Test Users in Active Directory

.DESCRIPTION

Use this script to create a number of test user accounts within Active
Directory. Modify the following variables to customise this script for
your environment.

.PARAMETER

N/A

.NOTES

Version: 1.0
Author: Craig Bull
Creation Date: 10th September 2018

.EXAMPLE

N/A

# ---------------------------------------------------------------------------------#
#>

Import-Module ActiveDirectory

# DEFINE VARIABLES

$AdminCredentials = Get-Credential "YOURDOMAIN\Administrator"

# Use the following password for the User Accounts being created.
# This is a shared, well-known password for a throwaway lab only: never reuse it
# in a domain that matters, and remove the accounts once testing is finished.
$Password = "@Passw0rd" | ConvertTo-SecureString -AsPlainText -Force

# Change this variable to the hostname of one of the domain controllers.
$ServerName = "YOURDC.YOURDOMAIN.COM"

# Customise this variable for a custom description on user accounts.
$Description = "Test User"

# Change this variable to match the DN of the OU where you want to create the
# new user accounts.
$Path = "OU=Users,DC=YOURDOMAIN,DC=COM"

# Change this variable to match the UPN suffix of your domain.
$UPNSuffix = "@YOURDOMAIN.COM"

# Change this variable to equal the number of user accounts you wish to create
# (kept as an integer so the loop comparison below is numeric).
$NumberUsers = 100

$i = 0

Write-Host " "
Write-Host "Script: Create AD User Test Accounts" -ForegroundColor White
Write-Host " "

# START LOOP

While ($i -lt $NumberUsers)
{
    # INCREMENT COUNTER

    $i = $i + 1

    # DEFINE VARIABLES
    # The sAMAccountName matches the UPN prefix (and contains no space) so that
    # YOURDOMAIN\TestUser1 and TestUser1@YOURDOMAIN.COM name the same account.

    $Name = "Test User $i"
    $SamAccountName = "TestUser$i"
    $UserPrincipalName = "TestUser$i$UPNSuffix"

    Try
    {
        # TRY TO CREATE NEW TEST USER IN ACTIVE DIRECTORY

        New-ADUser -Credential $AdminCredentials `
            -Name $Name `
            -GivenName "Test" `
            -Surname "User" `
            -SamAccountName $SamAccountName `
            -Server $ServerName `
            -AccountPassword $Password `
            -Enabled $True `
            -ChangePasswordAtLogon $False `
            -PasswordNeverExpires $True `
            -UserPrincipalName $UserPrincipalName `
            -DisplayName $Name `
            -Description $Description `
            -Path $Path
    }

    Catch
    {
        # AN EXCEPTION WAS DETECTED: DISPLAY ERROR INFORMATION AND STOP THE SCRIPT
        # (Exit rather than Break, so the "completed successfully" message is not
        # printed and the caller gets a non-zero exit code.)

        $ErrorMessage = $_.Exception.Message
        Write-Host "An Error Occurred: $ErrorMessage" -ForegroundColor Red
        Write-Host " "
        Write-Host "Check Active Directory to confirm whether Test User accounts already exist." -ForegroundColor Yellow
        Exit 1
    }

    # DISPLAY USER CREATED MESSAGE

    Write-Host "Created User Account: $Name" -ForegroundColor Green
}

Write-Host " "
Write-Host "Script execution completed successfully. Tidying up." -ForegroundColor White
Write-Host " "

# CLEAR VARIABLES

$AdminCredentials = $Null
$ServerName = $Null
$Password = $Null
$Description = $Null
$Path = $Null
$UPNSuffix = $Null
$NumberUsers = $Null
$i = $Null
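As a companion to the script above, the following added example (not part of the original post) checks what was actually created and tears the accounts down again when the lab is finished. It assumes the same placeholder $ServerName, $Path and $Description values as the script, and selects the accounts by description and OU rather than by logon name so it works whatever naming scheme you chose.

```powershell
# Added example, not part of the original post: verify the batch of test
# accounts and remove them when no longer needed. Placeholder values match
# the creation script above.
Import-Module ActiveDirectory

$ServerName  = "YOURDC.YOURDOMAIN.COM"
$Path        = "OU=Users,DC=YOURDOMAIN,DC=COM"
$Description = "Test User"
$Expected    = 100   # the $NumberUsers value used when the accounts were created

# Select only direct children of the OU that carry the test-user description.
$users = @(Get-ADUser -Server $ServerName -SearchBase $Path -SearchScope OneLevel `
             -Filter 'Description -eq $Description' `
             -Properties Description, PasswordNeverExpires, LockedOut, badPwdCount)

"Found $($users.Count) of $Expected expected test accounts under $Path"
if ($users.Count -ne $Expected) {
    Write-Warning "Account count does not match: the creation script may have stopped early or been run twice."
}

# Surface anything that would confuse later testing (e.g. lockout experiments).
$users | Where-Object { -not $_.Enabled } |
    ForEach-Object { "Disabled  : $($_.SamAccountName)" }
$users | Where-Object { $_.LockedOut } |
    ForEach-Object { "Locked out: $($_.SamAccountName) (badPwdCount=$($_.badPwdCount))" }
$users | Where-Object { -not $_.PasswordNeverExpires } |
    ForEach-Object { "Will expire: $($_.SamAccountName)" }

# TEAR-DOWN. Run with -WhatIf first; once the listed accounts are the right
# ones, replace -WhatIf with -Confirm:$false to delete them for real.
$users | Remove-ADUser -Server $ServerName -WhatIf
```

The -Filter string uses single quotes deliberately: the ActiveDirectory provider resolves $Description inside the filter itself, so the value is not interpolated before it reaches the server. Keeping the lab accounts around after the test, with a shared password that never expires, is exactly the kind of foothold a later assessment will find, so the tear-down step is not optional.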