Getting GPO GUID, Name from Active Directory

You don’t have to rely on the Group Policy Module to resolve the display name of a GPO from the GUID, or the GUID from the display name. Here are two short functions that will get that information from Active Directory. The first will return the GPO displayName attribute from a GUID. The GUID (sometimes called the ID) can be entered with or without the surrounding curly brackets.

The second function does the reverse, returning the GUID from the DisplayName:

The domain parameter should be the DNS Domain root, not the NetBIOS or short name.
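The two lookups described above can be done with a plain LDAP search of the domain's Policies container. The following is an added example, not the functions from the original post; the function names are hypothetical and the search assumes the default `CN=Policies,CN=System` location.

```powershell
# Added example; function names are hypothetical, not the post's own code.
function Get-GpoSearcher {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Filter)
    # DNS domain root (corp.example.com) -> DC=corp,DC=example,DC=com
    $dn = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $root = [ADSI]"LDAP://$Domain/CN=Policies,CN=System,$dn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.Add('displayname')
    [void]$searcher.PropertiesToLoad.Add('name')
    $searcher
}

function Get-GpoDisplayNameFromGuid {
    param([Parameter(Mandatory)][string]$Guid, [Parameter(Mandatory)][string]$Domain)
    # The [guid] cast accepts the value with or without braces and rejects
    # anything else, so no free-form caller text reaches the LDAP filter.
    $id = ([guid]$Guid).ToString('B')
    $searcher = Get-GpoSearcher -Domain $Domain -Filter "(&(objectClass=groupPolicyContainer)(name=$id))"
    try {
        $hit = $searcher.FindOne()
        if ($hit) { [string]$hit.Properties['displayname'][0] }
    } finally { $searcher.Dispose() }
}

function Get-GpoGuidFromDisplayName {
    param([Parameter(Mandatory)][string]$DisplayName, [Parameter(Mandatory)][string]$Domain)
    # Escape the RFC 4515 filter metacharacters, backslash first, so a display
    # name containing * ( ) or \ cannot change the meaning of the filter.
    $safe = $DisplayName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    $searcher = Get-GpoSearcher -Domain $Domain -Filter "(&(objectClass=groupPolicyContainer)(displayName=$safe))"
    try {
        $results = $searcher.FindAll()
        # Display names are not unique, so more than one GUID can come back.
        foreach ($r in $results) { [string]$r.Properties['name'][0] }
        $results.Dispose()
    } finally { $searcher.Dispose() }
}
```

The GUID comes back in braces, as stored in the container's name attribute.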


Undelete-ADObject

Undelete-ADObject.ps1 is a GUI form based script for undeleting user, computer, group, print queue, and contact objects from Active Directory. You can display all of the objects of the selected type, or search by name. I use this script frequently. It has a test mode, plus logging.


Sort Clipboard Text with PowerShell

Sort-ClipText.ps1 reads the text in your clipboard, sorts it, and creates a new sorted item in your clipboard. Note that the split statement is a regular expression. The pipe character represents the logical OR. I also used StringSplitOptions to remove the empty lines after sorting.


Export to Textbox with Out-TextBox

Out-TextBox.ps1 is an advanced function which outputs objects to a resizable text box for display. Not much more I can say about it, except that you can copy the text in the box.


Get-ADSystemInfo – Wrapping the ADSystemInfo ComObject

When I was writing in VBScript, I often used the ADSystemInfo ComObject. It is a quick and easy way to get these properties: current user’s distinguished name, current computer’s distinguished name, the site name, the domain short (NetBIOS) name, the domain DNS name, the forest DNS name, the PDC role owner, the schema role owner, and whether the domain is running in native mode. The script on TechNet doesn’t “marshall” (clean up) after the COM object is used. My version, Get-ADSystemInfo.ps1, makes this an advanced function with the proper cleanup.


Not a Typewriter

Booting Linux in Safe Mode: “STDIn: Not a Typewriter”

Linux programmers have a sense of humor. If Microsoft programmers do, it is rarely seen.


Add-WindowsFeature Alternative for Client OS

Waiting for the add/remove features dialog to populate on my client OS computer is slow. Since I started using Add-WindowsFeature with Server 2008, and Install-WindowsFeature beginning with Server 2012, I was disappointed by the lack of a similar cmdlet for Windows 10. Unfortunately, Add/Install-WindowsFeature relies on ServerManager — which doesn’t exist on a workstation. The alternative command line method is DISM. The DISM command line is difficult to manage. I decided to use PowerShell to create the DISM command line on the fly. Edit-ClientFeatureList.ps1 provides this functionality with a quick and easy GUI. Highlighted choices will change state — enabled items will be disabled, and conversely, disabled items will be installed.

Select Features Screen Capture

Since you are changing features, the script must be run as an administrator. I test that state with this function:

version 1.1 9/17/17 Bugfix plus echo to console of DISM command.


Export and Import Delegated OU Permissions with PowerShell

There are some delegations of permissions within Active Directory which cannot be made without extra effort. Some properties are flagged as hidden in a file called Dssec.dat, in %windir%\System32 on computers with the Active Directory Users and Computers (ADUC) MMC. Dssec.dat is a hidden text file that can be viewed and modified with Notepad. When you open Dssec.dat, you’ll notice that it’s divided into headings based on object class. Be sure to go to the [User] heading to make changes. Otherwise, you won’t see any effect on the GUI display. For example, to show the PhysicalDeliveryOfficeName and other properties in the GUI, change the Dssec.dat value from 7 to 0 and save the changes. For more, see: https://mcpmag.com/articles/2003/11/01/finetuning-active-directory-access.aspx. Note too, that you can use delegwiz.inf for custom delegations.

If you need to copy the delegations to apply over many OUs within a domain, this can be cumbersome. You have to copy the modified dssec.dat or delegwiz.inf to each system running the ADUC. If you choose to simply go with a modified dssec.dat file, selecting the right combination of permissions can be difficult. Here is my solution:

1) Run the export script, Export-SelectedOUPermissions.ps1,  selecting domain and path which has the permissions you want to copy.
2) Optionally edit the permissions files to change the Identity Reference — the user or group to get the permissions.
3) Run the import script, Import-SelectedOUPermissions.ps1, select domain and destination(s).  You can use the graphical list to put checkboxes beside your selections.

If you are running the import script from within the ISE, the editor will be temporarily minimized to make sure you can see the menus.  You really should run the script in test mode first, and apply your delegation to a test OU before running in production.  Because Set-ACL often fails outside of the local domain with a “server refused” error, I used the .NET ObjectSecurity.SetSecurityDescriptorSddlForm method to apply the changes.

Recently an admin accidentally removed a complex delegation from an OU at 4:00 pm.  We were able to copy the delegation from another source and have the site back up and running within 10 minutes.
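The core of the copy step, applying a source OU's DACL to a target through `SetSecurityDescriptorSddlForm` rather than Set-ACL, can be sketched as follows. This is an added example, not the export or import script from the post: `Copy-OuDacl` is a hypothetical name, and it replaces the whole DACL in one step instead of going through an editable permissions file.

```powershell
# Added example; Copy-OuDacl is a hypothetical name, not one of the post's scripts.
function Copy-OuDacl {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$SourceDN,   # OU that holds the delegation
        [Parameter(Mandatory)][string]$TargetDN,   # OU that should receive it
        [Parameter(Mandatory)][string]$Domain      # DNS domain name
    )
    $access = [System.Security.AccessControl.AccessControlSections]::Access
    $source = [ADSI]"LDAP://$Domain/$SourceDN"
    $target = [ADSI]"LDAP://$Domain/$TargetDN"
    try {
        # Limit reads and writes on the target to the DACL, so owner, group
        # and SACL are never sent back to the directory.
        $target.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
        $newSddl = $source.psbase.ObjectSecurity.GetSecurityDescriptorSddlForm($access)
        $oldSddl = $target.psbase.ObjectSecurity.GetSecurityDescriptorSddlForm($access)
        $changed = $false
        # -WhatIf gives a test mode: both SDDL strings are returned, nothing is written.
        if ($PSCmdlet.ShouldProcess($TargetDN, "Replace DACL with the one from $SourceDN")) {
            $target.psbase.ObjectSecurity.SetSecurityDescriptorSddlForm($newSddl, $access)
            $target.psbase.CommitChanges()
            $changed = $true
        }
        # Keep PreviousSddl: it is what you need to put the target back.
        [pscustomobject]@{
            Target       = $TargetDN
            Changed      = $changed
            PreviousSddl = $oldSddl
            AppliedSddl  = $newSddl
        }
    } finally {
        $source.psbase.Dispose()
        $target.psbase.Dispose()
    }
}
```

Run it with `-WhatIf` against a test OU first and save the returned `PreviousSddl` before applying anything in production.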

 


Clear GPO Cache on Remote Computer with PowerShell

Clearing the GPO cache on a computer may be the only way to fix a persistent problem.  Doing this involves deleting files, registry entries, and rebuilding the security database.  Clear-GPOCache.ps1 works by creating a custom batch file on the remote computer, then scheduling a task running as System to run the process with the required rights.

There are some interesting code bits, such as getting the remote time for the scheduled task.  The task is logged in a text file and in the event log.


Get and Read RDP Certificate from a Remote Host with PowerShell

Sometimes, I get some interesting questions from other teams within my organization.  Read-RDPCert.ps1 addresses a request to read the SSL certificates from a list of remote hosts.  This is based on the code and following comments at https://blogs.technet.microsoft.com/parallel_universe_-_ms_tech_blog/2014/06/26/reading-a-certificate-off-a-remote-ssl-server-for-troubleshooting-with-powershell/.
