Passwords for Password Resets

I discovered that my script to generate passwords, RandomPW.vbs, isn’t popular with users because the passwords are random.  I have an even more complicated but unposted PowerShell version with the same issue.

I wanted to create something that was easier for the help desk and users.  Get-TempPW.ps1 is my answer to those objections.  The script is pretty well commented, so I won’t go into details about the code here.  What the script does is get a randomly selected word from the web, capitalize a random letter within the word, then append numbers and special characters to the end.  You can set the minimum word length and the number of numbers and special characters with variables within the code.  The default is an eight-character word plus one number and one special character.  The order of the numbers and special characters is randomized.  An example password is “hypeRimmunization4&”.  Bear in mind that a password built around a dictionary word has far less entropy than a random string of the same length, so treat these strictly as temporary passwords and force a change at next logon.
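The recipe above, as an added example that is not the page’s Get-TempPW.ps1: the word comes from a constructed inline list rather than a web lookup, and every random choice (word, letter position, digits, symbols, their order) is drawn from the OS cryptographic RNG with rejection sampling instead of Get-Random. The function names, the symbol set and the word list are this example’s own choices.

```powershell
# Added example; not the page's Get-TempPW.ps1. Same recipe as the post (dictionary
# word, one random letter capitalised, then digits and symbols in random order),
# with two changes: the word comes from an inline list instead of a web lookup, and
# every random choice comes from the OS cryptographic RNG instead of Get-Random.

function Get-CryptoRandomInt {
    # Uniform integer in [0, $Max). Draws 32 bits and rejects values above the largest
    # multiple of $Max so that "% $Max" does not skew toward small results.
    param([Parameter(Mandatory)][int]$Max)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $Max)
    try {
        do {
            $rng.GetBytes($bytes)
            $n = [System.BitConverter]::ToUInt32($bytes, 0)
        } while ($n -ge $limit)
    } finally { $rng.Dispose() }
    return [int]($n % $Max)
}

function Get-TempPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$WordList,
        [int]$MinWordLength = 8,
        [int]$NumberCount   = 1,
        [int]$SymbolCount   = 1,
        [string]$Symbols    = '!@#$%&*?'
    )
    $candidates = @($WordList | Where-Object { $_.Length -ge $MinWordLength -and $_ -match '^[a-z]+$' })
    if ($candidates.Count -eq 0) { throw "No word of at least $MinWordLength letters in the list" }
    $word = $candidates[(Get-CryptoRandomInt $candidates.Count)]

    # Capitalise one randomly chosen letter.
    $i    = Get-CryptoRandomInt $word.Length
    $word = $word.Substring(0, $i) + $word.Substring($i, 1).ToUpper() + $word.Substring($i + 1)

    # Draw the digits and symbols, then shuffle them (Fisher-Yates) so their order is random too.
    $suffix = @()
    for ($k = 0; $k -lt $NumberCount; $k++) { $suffix += (Get-CryptoRandomInt 10).ToString() }
    for ($k = 0; $k -lt $SymbolCount; $k++) { $suffix += $Symbols.Substring((Get-CryptoRandomInt $Symbols.Length), 1) }
    for ($k = $suffix.Count - 1; $k -gt 0; $k--) {
        $j = Get-CryptoRandomInt ($k + 1)
        $suffix[$k], $suffix[$j] = $suffix[$j], $suffix[$k]
    }
    return $word + (-join $suffix)
}

# Constructed word list; the post's script pulls a word from a web site instead.
$words = 'hyperimmunization', 'configuration', 'lighthouse', 'marmalade', 'tributary', 'watershed'
Get-TempPassword -WordList $words
```

With a 10,000-word list and the defaults the space is roughly 10,000 words × 10 letter positions × 10 digits × 8 symbols × 2 orderings, about 1.6 × 10^7 possibilities or 24 bits, which is why this belongs only on an account that has been flagged with Set-ADUser -ChangePasswordAtLogon $true.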

Get the Parent OU for an AD Object

I have mentioned before that the Charlotte PowerShell User group was frequented by Scripting Guy Ed Wilson, and his wife Teresa. I’m sad to say that they have moved away, but am happy that Brian Wilhite has been running the meetings since.  I mentioned to Brian that I had a cool way to get the parent container of an Active Directory object using ADSI:

The string method is, of course, faster, but if the parent object isn’t an OU, use the ADSI method (the first one); it always works.
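The two approaches above, as an added example that is not the post’s own code. The string method here splits the distinguishedName on its first unescaped comma, so unlike a naive “everything after ,OU=” it also works when the parent is a CN container or the domain head, and when the object’s own RDN contains an escaped comma. The ADSI function needs a domain-joined host; the sample DNs are constructed.

```powershell
# Added example, not the post's code. Two ways to get the parent container of an
# AD object from its distinguishedName.

function Get-ParentDNFromString {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Drop the first RDN. A comma inside an RDN value is escaped as "\," (for example
    # CN=Smith\, John), so the pattern treats "\<anything>" as a single unit and only
    # splits on the first unescaped comma. It does not care whether the parent is an
    # OU, a CN container such as CN=Users, or the DC= domain head.
    if ($DistinguishedName -match '^(?:[^,\\]|\\.)+,(.+)$') { return $Matches[1] }
    throw "'$DistinguishedName' has no parent container"
}

function Get-ParentDNFromAdsi {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Requires a domain-joined host. Binding through [ADSI] and asking the
    # DirectoryEntry for its Parent works for any object class because the
    # directory, not string parsing, decides what the parent is.
    $entry  = [ADSI]"LDAP://$DistinguishedName"
    $parent = $entry.psbase.Parent          # System.DirectoryServices.DirectoryEntry
    return [string]$parent.Properties['distinguishedName'].Value
}

# Constructed DNs; no domain is needed for the string method.
Get-ParentDNFromString 'CN=Smith\, John,OU=Users,OU=Corp,DC=example,DC=com'
Get-ParentDNFromString 'CN=Some Computer,CN=Computers,DC=example,DC=com'
Get-ParentDNFromString 'OU=Corp,DC=example,DC=com'
```

For the three constructed inputs the string method returns OU=Users,OU=Corp,DC=example,DC=com; CN=Computers,DC=example,DC=com; and DC=example,DC=com respectively. The regex still cannot see through an escaped comma written in hex form (\2C); for DNs you did not generate yourself, or when in doubt, use the ADSI function.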

Get IE Zone Information

Like most large enterprises, we use group policies to manage Internet Explorer settings.  We manage the security settings, and we enforce which sites are in Trusted Sites and the other internet zones.  The user cannot change the list, or even view it.  This creates a problem for troubleshooting when a user has opened a ticket reporting that a website needs to be added to Trusted Sites: IT staff want to know whether the site is already in the proper zone, and whether the GPO applied properly.

Get-IEZones.ps1 is a PowerShell script which lets you view the IE zone information from the local or a remote computer.  The script reads the data from the registry through WMI (the [wmiclass] type accelerator and the StdRegProv registry provider) instead of a registry cmdlet, so it only needs WMI to be reachable on the remote machine, not the Remote Registry service.  Out-GridView displays the results, which can be copied to your clipboard.
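An added example of the same technique (this is not the page’s Get-IEZones.ps1): it walks the Site to Zone Assignment List that the GPO writes under HKLM\Software\Policies through StdRegProv, reconstructs host names from the nested keys, and warns when the policy key is absent, which is the quickest sign that the GPO has not applied. The function name and the 'PC01' host in the comment are placeholders.

```powershell
# Added example; this is not the page's Get-IEZones.ps1. Reads the "Site to Zone
# Assignment List" the GPO writes under HKLM\Software\Policies through the StdRegProv
# WMI class, so it works remotely as long as WMI (DCOM) is reachable and you are an
# administrator on the target, even with the Remote Registry service stopped.
function Get-IEZoneAssignment {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Policy key written by the GPO. Point this at
        # 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
        # with -Hive 2147483649 (HKEY_CURRENT_USER) to see entries a user added by hand.
        [string]$DomainsKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        [uint32]$Hive = 2147483650   # HKEY_LOCAL_MACHINE
    )
    $zoneName = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $reg = [wmiclass]"\\$ComputerName\root\default:StdRegProv"

    if ($reg.EnumKey($Hive, $DomainsKey).ReturnValue -ne 0) {
        Write-Warning "$ComputerName has no key $DomainsKey; the site-to-zone GPO has not applied there"
        return
    }

    # Layout: Domains\example.com holds values named by scheme ('http', 'https', '*')
    # whose DWORD is the zone; a sub-key such as Domains\example.com\www is a host
    # prefix, so its values describe www.example.com.
    function Walk([string]$Key, [string]$Site) {
        if ($Site) {
            foreach ($valueName in @($reg.EnumValues($Hive, $Key).sNames)) {
                if ([string]::IsNullOrEmpty($valueName)) { continue }
                $zone = [int]$reg.GetDWORDValue($Hive, $Key, $valueName).uValue
                [pscustomobject]@{
                    ComputerName = $ComputerName
                    Site         = $Site
                    Scheme       = $valueName
                    ZoneId       = $zone
                    Zone         = $zoneName[$zone]
                }
            }
        }
        foreach ($sub in @($reg.EnumKey($Hive, $Key).sNames)) {
            if ([string]::IsNullOrEmpty($sub)) { continue }
            Walk "$Key\$sub" $(if ($Site) { "$sub.$Site" } else { $sub })
        }
    }
    Walk $DomainsKey ''
}

# Local machine by default; add -ComputerName 'PC01' (placeholder) for a remote one.
Get-IEZoneAssignment | Sort-Object Site, Scheme | Out-GridView
```

A site can appear in both the policy key and the user’s own ZoneMap; the policy key wins when the GPO is applied, so run the function against both hives when the user insists the site “used to work”.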


A Really Recursive Group Enumeration

Get-GroupHierarchy.ps1 gets a fully recursive listing of group membership.  The script is based on a script by the same name posted at  I made a large number of changes to the original code.  This script takes a group in Domain\SamAccountName form, such as Domain\MyGroupName, and gives you all the members of the group.  If a member is itself a group, the script indents and lists that group’s members in turn.  Loops (a group that ends up containing itself) throw a warning rather than recursing forever.

It writes out a text log to your desktop.  I used this code as the basis of a script which I used to fix a problem with a group used in SharePoint which had buried sub-groups that were not mail-enabled distribution groups.  I’ll post that soon.
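The behaviour described above (recursive expansion, indentation, loop warning, text log on the desktop), as an added example that is not the page’s Get-GroupHierarchy.ps1. It assumes the ActiveDirectory module; the group name 'CORP\SharePoint Owners' in the usage lines is a placeholder. The loop check keeps the distinguishedNames of the groups on the current branch, so a group reached twice by different paths (a diamond) is expanded twice, but a group that is its own ancestor is reported and skipped.

```powershell
# Added example, not the page's Get-GroupHierarchy.ps1. Requires the ActiveDirectory module.
function Get-GroupHierarchy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,   # 'DOMAIN\name', a samAccountName, or a DN
        [string]$Server,                            # DNS domain name; derived from DOMAIN\ or the DN if omitted
        [int]$Level = 0,
        [string[]]$Ancestors = @()                  # DNs of the groups above this one on the current branch
    )
    if ($Identity -match '^(?<dom>[^\\]+)\\(?<sam>.+)$') {
        $Identity = $Matches.sam
        if (-not $Server) { $Server = (Get-ADDomain -Identity $Matches.dom).DNSRoot }
    } elseif (-not $Server -and $Identity -match ',DC=') {
        # Build the DNS domain from the DC= components so cross-domain members resolve.
        $Server = (($Identity -split ',DC=') | Select-Object -Skip 1) -join '.'
    }
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    $group  = Get-ADGroup -Identity $Identity @ad
    $branch = $Ancestors + $group.DistinguishedName
    $pad    = '    ' * $Level

    foreach ($member in Get-ADGroupMember -Identity $group.DistinguishedName @ad) {
        [pscustomobject]@{
            Level  = $Level
            Group  = $group.SamAccountName
            Member = $member.SamAccountName
            Class  = $member.objectClass
            Line   = "$pad$($member.SamAccountName) ($($member.objectClass))"
        }
        if ($member.objectClass -ne 'group') { continue }
        if ($branch -contains $member.DistinguishedName) {
            Write-Warning "Loop: $($member.SamAccountName) contains itself via $($branch -join ' > ')"
            continue
        }
        Get-GroupHierarchy -Identity $member.DistinguishedName -Level ($Level + 1) -Ancestors $branch
    }
}

# Usage (group name is a placeholder): show the tree and write the indented log to the desktop.
$tree = Get-GroupHierarchy -Identity 'CORP\SharePoint Owners'
$tree.Line
$tree.Line | Set-Content -Path (Join-Path ([Environment]::GetFolderPath('Desktop')) 'GroupHierarchy.txt')
```

Get-ADGroupMember cannot expand members that are foreign security principals from another forest and refuses groups above the ADWS member limit (5000 by default); for those cases read the group’s member attribute with Get-ADGroup -Properties member and resolve each DN yourself.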

A tip of the hat to faithful reader Bill P.  He was really surprised when I called

Create Import file for Remote Desktop Connection Manager 2.7

Remote Desktop Connection Manager 2.7, “manages multiple remote desktop connections. It is useful for managing server labs or large server farms where you need regular access to each machine such as automated check-in systems and data centers. It is similar to the built-in MMC Remote Desktops snap-in, but more flexible.”  If you have been disappointed with Remote Desktops, then this bit of Microsoft freeware is what you want.

One of the nice things about the program is that it will import a list of server names.  My vbscript, RDPhistory.vbs, will export the list of recent connections you have made using the Remote Desktop Connection application.  Clean it up, and you have what you need to start.
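An added example of the export step, in PowerShell rather than the page’s RDPhistory.vbs: it reads both places where mstsc records history in the current user’s hive, the MRU list under Default and the per-host Servers keys (which also keep the last user name used), and writes a de-duplicated host list to the desktop. The function name and output file name are this example’s own.

```powershell
# Added example, not the page's RDPhistory.vbs. Reads the Remote Desktop Connection
# history mstsc keeps in the current user's registry.
function Get-RdpConnectionHistory {
    $base = 'HKCU:\Software\Microsoft\Terminal Server Client'

    # Default\MRU0..MRUn: the recent list shown in the mstsc drop-down (MRU0 is the newest).
    $default = Get-ItemProperty -Path "$base\Default" -ErrorAction SilentlyContinue
    if ($default) {
        $default.PSObject.Properties |
            Where-Object { $_.Name -match '^MRU\d+$' } |
            Sort-Object { [int]$_.Name.Substring(3) } |
            ForEach-Object { [pscustomobject]@{ Host = $_.Value; Source = $_.Name; UserHint = $null } }
    }

    # Servers\<host>: one key per host ever connected to, with the last user name used.
    Get-ChildItem -Path "$base\Servers" -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Host     = $_.PSChildName
            Source   = 'Servers'
            UserHint = (Get-ItemProperty -Path $_.PSPath).UsernameHint
        }
    }
}

$history = Get-RdpConnectionHistory
$history | Format-Table -AutoSize
# Host names only, de-duplicated, one per line: clean this up and feed it to the import.
$history.Host | Sort-Object -Unique |
    Set-Content -Path (Join-Path ([Environment]::GetFolderPath('Desktop')) 'rdp-servers.txt')
```

Entries can carry a port (host:3389), which is why the list still wants a look before import. The same two keys are a standard artifact for incident responders reconstructing which hosts an account has opened RDP sessions to, so be aware that whatever this exports is also what an investigator (or an attacker on the box) can read.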

Export DNS Server Records with PowerShell

I am frequently asked to export DNS records, such as, “Give me the list of A, MX and CNAME records in DNSZone1 and DNSZone2”. Server 2012 has some nice DNS cmdlets, but I wanted something more universal with a GUI. Export-DNSEntries.ps1 uses a combination of Out-GridView and a custom form to let you pick the DNS zones and the record types you want to export.

The script gets the list of zones by querying the WMI namespace Root\MicrosoftDNS for the class MicrosoftDNS_Zone.  It uses a custom form to dynamically get the record types, then queries WMI for each type in each zone.
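The same WMI queries without the custom form, as an added example that is not the page’s Export-DNSEntries.ps1: one function lists the zones from MicrosoftDNS_Zone, the other queries the per-type classes (MicrosoftDNS_AType, MicrosoftDNS_MXType, MicrosoftDNS_CNAMEType and so on) for each chosen zone and writes a CSV. It assumes Windows PowerShell with Get-WmiObject and WMI access to a Windows DNS server; the server name 'dns01' in the usage line is a placeholder.

```powershell
# Added example, not the page's Export-DNSEntries.ps1. Windows PowerShell (Get-WmiObject);
# on PowerShell 7 use Get-CimInstance with the same namespace, classes and filter.
function Get-DnsZoneWmi {
    param([string]$DnsServer = 'localhost')
    Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
        Where-Object { -not $_.Reverse } |      # drop this line to include in-addr.arpa zones
        Select-Object -ExpandProperty Name
}

function Export-DnsRecordWmi {
    [CmdletBinding()]
    param(
        [string]$DnsServer = 'localhost',
        [Parameter(Mandatory)][string[]]$Zone,
        [ValidateSet('A', 'AAAA', 'CNAME', 'MX', 'NS', 'PTR', 'SRV', 'TXT')]
        [string[]]$RecordType = @('A', 'MX', 'CNAME'),
        [Parameter(Mandatory)][string]$Path
    )
    $records = foreach ($z in $Zone) {
        # WQL strings are single-quoted; escape a quote in the zone name with a backslash
        # so the filter cannot be broken by (or smuggle anything through) an odd zone name.
        $filter = "ContainerName='{0}'" -f ($z -replace "'", "\'")
        foreach ($t in $RecordType) {
            # One WMI class per record type: MicrosoftDNS_AType, MicrosoftDNS_MXType, ...
            Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' `
                          -Class "MicrosoftDNS_${t}Type" -Filter $filter |
                ForEach-Object {
                    [pscustomobject]@{
                        Zone = $_.ContainerName
                        Type = $t
                        Name = $_.OwnerName
                        Data = $_.RecordData           # type-specific data as a string
                        TTL  = $_.TTL
                        Text = $_.TextRepresentation   # the record as it would appear in a zone file
                    }
                }
        }
    }
    $records | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    $records.Count
}

# Usage: pick the zones in a grid (Out-GridView -PassThru returns the selected rows),
# then export A, MX and CNAME records. 'dns01' is a placeholder server name.
$zones = Get-DnsZoneWmi -DnsServer 'dns01' | Out-GridView -Title 'Pick zones' -PassThru
Export-DnsRecordWmi -DnsServer 'dns01' -Zone $zones -RecordType A, MX, CNAME -Path "$env:TEMP\dns-export.csv"
```

Querying the per-type class with a ContainerName filter is what keeps this fast on a large server: asking the generic MicrosoftDNS_ResourceRecord class for everything and filtering afterwards pulls every record of every zone across the wire.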


Auditing Active Directory Permissions with PowerShell

Active Directory permissions aren’t easy to audit.  It is a lot easier to delegate permissions to a user or a group than it is to figure out later who has what rights on which containers and organizational units.  I have taken a few runs at it, including a VBScript version which was terrible.  That is why I was very happy when I found this script by Microsoft Premier Field Engineer Ashley McGlone.  His script gives you the choice of a full dump of the local domain, or a list of the assigned (not inherited) permissions.

Because I work in a larger multi-domain forest, I wanted a script that would allow me to choose which domain to audit, and to have more control over what data ends up in the filtered list.  The resulting script is Get-OUPermissions.ps1.  In my script the filtered list looks for assigned rights containing Create, Write, Delete or All, as those are the ones I find interesting.  Using Where-Object was terribly slow, so I switched to a regex solution from a Scripting Guy article.  I have commented the script pretty heavily to show where I changed things from the original script.  My version wraps the original script in an advanced function, so you can run it and use Get-Help to see all of the parameters and choices.  There are some pretty interesting things in here, but what stumped me for a while was how to use Get-ACL for an AD object outside the current domain.  What I came up with is something like this:
# $dnsdom holds the DNS name of the target domain; only the attribute we need is requested.
$a = Get-ADUser -Identity $env:USERNAME -Server $dnsdom -Properties nTSecurityDescriptor
$a.nTSecurityDescriptor |
    Select-Object -ExpandProperty Access |
    Select-Object *

Reading nTSecurityDescriptor through a Get-AD* cmdlet lets you choose the domain by passing its DNS name in the -Server parameter, so you get the ACL of an object in any domain of the forest without first mapping an AD: drive to that domain for Get-ACL.
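The audit described above, as an added example that is neither Ashley McGlone’s script nor the page’s Get-OUPermissions.ps1: it takes a DNS domain name, reads nTSecurityDescriptor on the domain head and every OU through -Server, keeps the explicitly assigned ACEs, and filters the rights with a -match on the rights string rather than a Where-Object per ACE. The rights pattern here adds ExtendedRight to the page’s Create/Write/Delete/All, because that is where rights such as password reset and directory replication live, and the default exclusion list is this example’s own choice. It assumes the ActiveDirectory module and read access to the target domain; 'child.example.com' is a placeholder.

```powershell
# Added example, not Ashley McGlone's script or the page's Get-OUPermissions.ps1.
# Requires the ActiveDirectory module.
function Get-OUPermissionReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,     # DNS name, e.g. child.example.com (placeholder)
        # Rights that can change objects: create/delete children, writes of any kind,
        # GenericAll, and ExtendedRight (Reset Password, replication rights, ...).
        [string]$RightsPattern = 'Create|Write|Delete|All|ExtendedRight',
        # Principals that hold these rights by design; pass '^$' to keep them.
        [string]$ExcludeIdentity = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|[^\\]+\\(Domain|Enterprise) Admins)$',
        [switch]$IncludeInherited
    )
    $targets = @((Get-ADDomain -Server $Domain).DistinguishedName) +
               @(Get-ADOrganizationalUnit -Filter * -Server $Domain | Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        # -Server with the DNS domain name is what makes this work outside the current domain.
        $obj = Get-ADObject -Identity $dn -Server $Domain -Properties nTSecurityDescriptor
        foreach ($ace in $obj.nTSecurityDescriptor.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            # A -match on the enum's string form is far cheaper than a Where-Object per ACE.
            if ([string]$ace.ActiveDirectoryRights -notmatch $RightsPattern) { continue }
            if ([string]$ace.IdentityReference -match $ExcludeIdentity) { continue }
            [pscustomobject]@{
                Domain     = $Domain
                Object     = $dn
                Identity   = $ace.IdentityReference
                Rights     = $ace.ActiveDirectoryRights
                Type       = $ace.AccessControlType
                ObjectType = $ace.ObjectType       # attribute/class/extended-right GUID; all zeros = everything
                Inherit    = $ace.InheritanceType
            }
        }
    }
}

# Usage ('child.example.com' is a placeholder): review in a grid, or export for the ticket.
Get-OUPermissionReport -Domain 'child.example.com' | Out-GridView
Get-OUPermissionReport -Domain 'child.example.com' -IncludeInherited |
    Export-Csv -Path "$env:TEMP\ou-permissions.csv" -NoTypeInformation
```

Read the output with an attacker’s eye: GenericAll, WriteDacl or WriteOwner granted on an OU to a group that is not a tier-0 admin group is a privilege-escalation path, since whoever controls the OU’s ACL can grant themselves rights over every object beneath it. ObjectType GUIDs can be turned into names by looking them up under the schema and the CN=Extended-Rights container of the configuration partition.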
