Alan's Blog

"Yeah. I wrote a script that will do that."

Get IE Zone Information

Posted on June 27th, 2015

Like most large enterprises, we use group policies to manage Internet Explorer settings. We manage the security settings, and we enforce which sites are in Trusted Sites and the other internet zones. The user cannot change the list, or even view the list. This creates a problem for troubleshooting when a user has opened a ticket reporting that the website needs to be added to trusted sites. IT staff wants to know whether the site is already in the proper zone, and whether the GPO applied properly.

Get-IEZones.ps1 is a PowerShell script which will let you view the IE zone information from the local or a remote computer.  The script uses the WMI accelerator instead of a registry cmdlet to read this data from the registry.   Out-GridView displays the results which can be copied to your clipboard.
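The following is an added example, not the code of Get-IEZones.ps1, showing the same approach of reading the policy-enforced zone list through the WMI StdRegProv class. It assumes the zones are deployed with the "Site to Zone Assignment List" policy (stored under the ZoneMapKey policy key); the function and parameter names are hypothetical.

```powershell
# Added illustration, not the code of Get-IEZones.ps1.
# Assumes zones are pushed with the "Site to Zone Assignment List" policy,
# which stores site = zone number under the ZoneMapKey policy key.
function Get-PolicyZoneMap {
    param([string]$ComputerName = $env:COMPUTERNAME)   # hypothetical parameter

    $HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE: computer policy
    $HKU  = [uint32]2147483651   # HKEY_USERS: loaded user hives
    $key  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $zone = @{ '0' = 'My Computer'; '1' = 'Local intranet'; '2' = 'Trusted sites'
               '3' = 'Internet';    '4' = 'Restricted sites' }

    $reg = [WMIClass]"\\$ComputerName\root\default:StdRegProv"

    # Computer policy first, then each loaded user hive. A remote HKCU would be
    # the hive of the account making the WMI call, not the logged-on user.
    $targets = @(@{ Hive = $HKLM; Path = $key; Scope = 'Computer' })
    foreach ($sid in $reg.EnumKey($HKU, '').sNames) {
        if ($sid -match '^S-1-5-21-[\d-]+$') {
            $targets += @{ Hive = $HKU; Path = "$sid\$key"; Scope = $sid }
        }
    }

    foreach ($t in $targets) {
        $values = $reg.EnumValues($t.Hive, $t.Path)
        # A non-zero return value means the key is absent: no policy in that scope.
        if ($values.ReturnValue -ne 0 -or -not $values.sNames) { continue }
        foreach ($site in $values.sNames) {
            $data = $reg.GetStringValue($t.Hive, $t.Path, $site).sValue
            [pscustomobject]@{
                Computer = $ComputerName
                Scope    = $t.Scope
                Site     = $site
                Zone     = $zone[[string]$data]
                ZoneId   = $data
            }
        }
    }
}

Get-PolicyZoneMap -ComputerName $env:COMPUTERNAME | Out-GridView -Title 'Policy zone map'
```

An empty result for a scope means the policy key does not exist there, which is the quickest sign that the GPO did not apply to that computer or user.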

Script Text

Filed under PowerShell, Windows Administration, WMI | No Comments »

A Really Recursive Group Enumeration

Posted on April 9th, 2015

Get-GroupHierarchy.ps1 gets a fully recursive listing of group membership.  The script is based on a script by the same name posted at  I made a large number of changes to the original code.  This script takes the SamAccountName of a group, such as Domain\MyGroupName, and then gives you all the members of the group.  If a group is a member, it indents and gets the list of members of that group.  Loops throw a warning.

It writes out a text log to your desktop.  I used this code as the basis of a script which I used to fix a problem with a group used in SharePoint which had buried sub groups which were not mail enabled distribution groups.  I’ll post that soon.

A tip of the hat to faithful reader, Bill P.  He was really surprised when I called

Filed under Active Directory, PowerShell, Scripting, Windows Administration | No Comments »

Create Import file for Remote Desktop Connection Manager 2.7

Posted on March 9th, 2015

Remote Desktop Connection Manager 2.7, “manages multiple remote desktop connections. It is useful for managing server labs or large server farms where you need regular access to each machine such as automated check-in systems and data centers. It is similar to the built-in MMC Remote Desktops snap-in, but more flexible.”  If you have been disappointed with Remote Desktops, then this bit of Microsoft freeware is what you want.

One of the nice things about the program is that it will import a list of server names.  My vbscript, RDPhistory.vbs, will export the list of recent connections you have made using the Remote Desktop Connection application.  Clean it up, and you have what you need to start.

Filed under Scripting, VbScript, Windows Administration | No Comments »

Export DNS Server Records with PowerShell

Posted on March 8th, 2015

I am frequently asked to export DNS records, such as, “Give me the list of A, MX and CName records in DNSZone1 and DNSZZone2”. Server 2012 has got some nice cmdlets, but I wanted something more universal with a GUI. Export-DNSEntries.ps1 uses a combination of Out-GridView and a custom form to allow you to pick DNS zones and the records you want to export. An excerpt of the script follows — note that I have word wrap enabled in the Crayon code display window:

As you can see in line 272, I get the list of zones by querying the WMI Namespace Root\MicrosoftDNS  and Class “MicrosoftDNS_Zone”.  I use a custom form to dynamically get the record types, then query WMI for each type in each zone.

Script Text

Filed under PowerShell, Scripting, Windows Administration | No Comments »

Auditing Active Directory Permissions with Powershell

Posted on November 22nd, 2014

Active Directory permissions aren’t easy to audit.  It is a lot easier to delegate permissions to a user or a group than it is to figure out later who has what rights on what containers and organizational units.  I have taken a few runs at it, including a vbscript version which was terrible.  That is why I was very happy when I found this script by Microsoft Premier Field Engineer Ashley McGlone.  His script gives you the choice of a full dump of the local domain, or a list of the assigned (not inherited) permissions.

Because I work in a larger multi-domain forest, I wanted a script that would allow me to choose what domain to audit, and to also have more control over what data would be in the filtered list. The resulting script is Get-OUPermissions.ps1. In my script the filtered list looks for assigned rights containing Create, Write, Delete or All, as those are the ones I find interesting. Using Where-Object was terribly slow, so I switched to a regex solution from a Scripting Guy article. I have commented the script pretty heavily to show where I changed things from the original script. My version wraps the original script in an advanced function, and so you can run it and use Get-Help to see all of the parameters and choices. There are some pretty interesting things in here, but what stumped me for a while was how to use Get-ACL for an AD object outside the current domain. What I came up with is something like this:
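# $dnsdom holds the DNS name of the domain to query
$a = Get-ADUser -Identity $env:username -Server $dnsdom -Properties *
# The security descriptor comes back with the object, so no AD: drive is needed
$a.nTSecurityDescriptor |
    Select-Object -ExpandProperty Access |
    Select-Object *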

By using the ntSecurityDescriptor you can specify the domain by using the DNS Domain Name in the Server parameter of the Get-AD* cmdlet.
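The same technique applied to the audit described above, as an added example that is not the code of Get-OUPermissions.ps1: it reads nTSecurityDescriptor for every OU in a chosen domain and keeps only assigned (not inherited) rights matching Create, Write, Delete or All. The function name, parameter names and output columns are hypothetical.

```powershell
# Added illustration, not the code of Get-OUPermissions.ps1.
Import-Module ActiveDirectory

function Get-AssignedOURight {
    param(
        [Parameter(Mandatory)][string]$DnsDomain,            # hypothetical parameter
        [string]$RightsPattern = 'Create|Write|Delete|All'   # rights of interest
    )

    # -Server takes the DNS domain name, so any domain in the forest can be
    # audited without mapping an AD: drive for Get-Acl.
    Get-ADOrganizationalUnit -Filter * -Server $DnsDomain -Properties nTSecurityDescriptor |
        ForEach-Object {
            $ou = $_
            foreach ($ace in $ou.nTSecurityDescriptor.Access) {
                # Skip inherited ACEs: only delegations made on this OU are wanted.
                if ($ace.IsInherited) { continue }
                # ActiveDirectoryRights is a flags enum; its string form is a
                # comma-separated list such as "CreateChild, DeleteChild".
                if ([string]$ace.ActiveDirectoryRights -notmatch $RightsPattern) { continue }

                [pscustomobject]@{
                    OU         = $ou.DistinguishedName
                    Identity   = $ace.IdentityReference
                    Type       = $ace.AccessControlType      # Allow or Deny
                    Rights     = $ace.ActiveDirectoryRights
                    AppliesTo  = $ace.InheritanceType
                    ObjectType = $ace.ObjectType             # schema GUID the right is scoped to
                }
            }
        }
}

# Audit the current user's own domain; pass another DNS domain name to audit it instead.
Get-AssignedOURight -DnsDomain $env:USERDNSDOMAIN |
    Sort-Object OU, Identity |
    Out-GridView -Title 'Assigned OU rights'
```

Identities from another domain can appear as raw SIDs when they cannot be resolved from the machine running the query; those rows are still valid findings.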

Script Text

Filed under Active Directory, Alan's Favorites, PowerShell, Scripting, Security, Windows Administration | No Comments »

Get List of Computers from Active Directory

Posted on November 22nd, 2014

Get-ADComputerList.ps1 is pretty simple.  It gets a list of all the computers in the domain you specify.  Reported are the DNS Name, IP v4 Address, Active Directory Path and OS.  A comma delimited log file is written to your desktop.
Script Text

Filed under Active Directory, PowerShell, Scripting, Windows Administration | No Comments »

Compare Group Policy Objects

Posted on September 14th, 2014

Our Active Directory lead recently complained to me that he didn’t have a good way to compare Group Policy Objects.  I had already written the Group Policy Reporter, which exports GPOs to HTML files, and it occurred to me that comparing two HTML files would be pretty easy.  But my experiments with Compare-Object led to some pretty ugly results.  I frequently compare documents using MS Word, and I decided to use Word to do the comparison of the files.

The new script, GPOCompare.ps1, makes a list of your GPOs and displays that list using Out-GridView. After you select two GPOs, you are asked which is the “original” (earlier) GPO for Word to use as the original document. The HTML reports are created, then a comparison is made using Word. This script requires PowerShell 3, the Group Policy Management Console, and Word installed.

The Word COM object is not fun to work with in PowerShell. In particular, you cannot use $Null for some of the unused parameters, and note that many must be explicit references, for example [REF]$True.

Script Text

Filed under Active Directory, PowerShell, Windows Administration | No Comments »

Upgrading from Server 2008 to Server 2012 R2 – Lessons Learned

Posted on August 16th, 2014

I am a member of a terrific IT User group, Carolina IT Professional Group.  This group is focused on educating its members, and giving back to the community.  But what really keeps people to the end are the terrific door prizes.  At the July meeting, I won a copy of Server 2012 R2.  I had been running Server 2008 on my home network and decided that it was time to upgrade.  The first lesson is this:  Server 2008 is the Vista codebase, and Server 2012 R2 is the Windows 8.1 codebase.  You can’t upgrade from Vista to 8.1, nor can you upgrade to 2012 R2 from 2008.

A fresh OS install on my old domain controller — and fresh drives – was appropriate.  I downloaded an evaluation copy of Server 2012 R2 and installed it on one of my more capable workstations.  I installed the appropriate roles, moving AD and DNS over to it.  No problem. After migrating the home directories onto a 2TB drive,  I went on and installed a boot disk to replace the aging mirrored 500GB drives in the old DC.

I then installed my licensed copy of 2012 R2, and went looking for my home directories.   To make a long story short,  lesson two is remembering about the necessity of importing “foreign drives” when you move a disk between Windows installs.  Somehow along the way the security for the home drive folders got hosed, and I took a significant amount of time resetting the ACLs.

I have installed AD and DNS on my permanent DC, and am waiting for things to calm down before I remove those roles from the temporary DC.

The last lesson is this:  Server 2012 R2 has the same idiot UI as 8 and 8.1.  I was happy to find that Classic Shell works just fine at restoring a traditional start menu to Server 2012 R2.  For my thoughts on 8.1 and Classic Shell, visit this blog post.

Update: I have installed the “Windows Server Essentials Experience” which allows me to remotely backup all my workstations.  For more information, visit

Filed under Active Directory, Computing, Windows Administration | No Comments »

PowerShell GUI for AD Recycle Bin

Posted on June 14th, 2014

This blog post has been replaced by my guest appearance in the Hey, Scripting Guy blog.  Please follow it to find my post and link to the script.

Filed under Active Directory, PowerShell, Scripting, Windows Administration | No Comments »

Remote Windows Update 3.1

Posted on March 5th, 2014

Looking for a script to run Windows Update remotely? WindowsUpdate.hta version 3.1 is an HTML application which allows you to connect to a remote machine, determine what patches it requires from Windows Update, and install the patches. You can schedule a reboot time. This version allows you to look at the Windows Update log, and the log created by the program itself. There is a button to allow you to change the update source to, which is helpful in places where WSUS or SUP is not working properly. You can install all security patches, or select patches individually.

HTA files are best run from your local drive. Version 3.0 was released in 2011, version 3.1 only changes the background color to blue.  The transition color method I had used for the background is no longer supported in IE, and the program appeared to be broken.

Change _hta.txt extension to .HTA.
Script Text

Filed under Alan's Favorites, Patching, Scripting, Security, Windows Administration | 2 Comments »

Please Note:

All the scripts are saved as .txt files. Newer files have a "View Script" button which will let you save or open a script in notepad. For earlier posts, the easiest way to download with IE is to right click on the link and use "Save Target As". Rename file from Name_ext.txt to Name.ext.

To see a full post after searching, please click on the title.

PowerShell Scripts were written with Version 3 or 4.

https connections are supported.

All new user accounts must be approved, as are comments. Please be patient. It is pretty easy to figure out my email address from the scripts, and you are welcome to contact me that way.

