@1RedOne
Last active April 22, 2025 16:56
That time I destroyed Active Directory

Premature Optimization

Maybe once a month I would get a request to make a new user in a department. The format was always "make user A just like user B with all of the same groups she has".

I was just learning PowerShell and hated having to do this by hand and also not have any trail of my work. So I wrote a nice script that made User B a member of all of User A's groups, with some nice logging, and tested it over and over in -WhatIf mode.

Eventually I get a new ticket request and tell my coworker, "hey, check this out!" and run the script, and it outputs

```
PS>Now copying all groups from user A
Setting user A as member of Exchange Users
Setting user A as member of Building Physical Access
Setting user A as member of Parking deck access
Setting user A as member of Internet access enabled
```

Etc etc.

I was so proud, and then the phones started to ring like crazy.

Unscheduled Rapid Disassembly

File shares couldn't be accessed. People couldn't badge in, people couldn't enter the parking deck.

It was hard to conceive of the true problem, until I opened up Active Directory Users and Computers and opened one of the groups from the log just to sanity check things.

The group had a member alright...only one member. It was just User B.


It turns out the Set-AdGroupMember command sets the group's sole member. If you want to add this user to the group, you want to use the -append flag.

If you fail to add the append flag, results will be inconvenient.

Recovering

My logging did a lot of tracking of the user addition, but I never thought users would leave a group using this command. So I did not log what the membership was before the command.

We went to our backups to find that the tape system had been quietly failing for 30 days at least. So we had no records of membership or any sort of backup available. The single saving grace was that we had a remote office out in the boonies with a read-only domain controller that was just two weeks out of date and connected to us with a 14.4k connection. It took a Premier Support call to Microsoft and about 8 hours to do an Authoritative Domain Controller Restore, and it caused total havoc.
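An added example, not the gist author's script, of what the same "make User B like User A" task looks like when the change is strictly additive and the pre-change state of every touched group is recorded first. It uses only real ActiveDirectory module cmdlets (Get-ADPrincipalGroupMembership, Get-ADGroupMember, Add-ADGroupMember, which appends to the existing member list rather than replacing it) and honours -WhatIf; the function name Copy-GroupMembership, the sample account names and the snapshot file path are assumptions.

```powershell
# Added example (not the gist author's code). Copies a reference user's direct
# group memberships onto a target user additively, after writing a JSON snapshot
# of each group's current members so the change can be audited or reversed.
# Assumes the ActiveDirectory module is available; account names are samples.
function Copy-GroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SourceUser,   # reference account, e.g. 'userA'
        [Parameter(Mandatory)] [string] $TargetUser,   # new account, e.g. 'userB'
        [string] $SnapshotPath = (Join-Path $PWD "membership-before-$(Get-Date -Format 'yyyyMMdd-HHmmss').json")
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Direct memberships of the reference user (nested groups are not expanded).
    $groups = @(Get-ADPrincipalGroupMembership -Identity $SourceUser)

    # 1. Record what each group looked like BEFORE touching it. This is the record
    #    the story above lacked; without it there is nothing to restore from.
    $snapshot = foreach ($g in $groups) {
        [pscustomobject]@{
            Group   = $g.DistinguishedName
            Members = @(Get-ADGroupMember -Identity $g.DistinguishedName |
                        ForEach-Object { $_.DistinguishedName })
        }
    }
    $snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $SnapshotPath
    Write-Verbose "Pre-change membership of $($groups.Count) group(s) saved to $SnapshotPath"

    # 2. Add, never replace. Add-ADGroupMember only appends the named principal to
    #    the existing member list. ShouldProcess makes -WhatIf skip the call and
    #    print what would have happened instead.
    foreach ($g in $groups) {
        if ($PSCmdlet.ShouldProcess($g.Name, "Add member '$TargetUser'")) {
            Add-ADGroupMember -Identity $g.DistinguishedName -Members $TargetUser
            Write-Verbose "Added $TargetUser to $($g.Name)"
        }
    }

    # 3. Post-check: the reference user must still belong to every group it
    #    started in. Any group listed here means members were removed, not added.
    $after   = @(Get-ADPrincipalGroupMembership -Identity $SourceUser)
    $missing = Compare-Object -ReferenceObject @($groups.DistinguishedName) `
                              -DifferenceObject @($after.DistinguishedName) |
               Where-Object { $_.SideIndicator -eq '<=' }
    if ($missing) {
        Write-Warning "$SourceUser lost membership in: $($missing.InputObject -join ', ')"
    }

    # Return the snapshot so the caller can keep it with the ticket.
    return $snapshot
}

# Dry run first, then the real change, both with the snapshot written:
#   Copy-GroupMembership -SourceUser 'userA' -TargetUser 'userB' -WhatIf -Verbose
#   Copy-GroupMembership -SourceUser 'userA' -TargetUser 'userB' -Verbose
```

The snapshot file is the piece that matters for recovery: if a later step does wipe a group, each saved Members list can be fed back through Add-ADGroupMember to rebuild it without waiting on tapes or a stale domain controller. Running the dry run with -Verbose also shows which groups will be touched before anything changes.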

All to save about a minute of work, approximately once a month.

If you'd like to know how I kept my job, then keep on reading here.
