Archive for the ‘Active Directory’ Category

Get All GPOs Linked to an OU

Wednesday, March 1st, 2017

Get-AllGPOsLinkedToOU.ps1 returns a unique list of all GPOs linked to an OU. You can also run a OneLevel or Subtree search to get a unique list of the GPOs linked at or below the selected OU. You are prompted for the domain and then navigate to the desired OU.

Reset GPO Cache

Wednesday, March 1st, 2017

This script deletes the locally stored copies of GPOs and forces a GPUpdate on a computer. Reset-GPOCache.ps1 works by connecting remotely to the registry provider to get the path to the Group Policy\History folder, then deleting the files beneath that path. This ensures a fresh application of group policies.

Get Resultant Set of Policy (RSOP) with User Selection

Wednesday, March 1st, 2017

The Get-GPResultantSetOfPolicy cmdlet in the GroupPolicy module of PowerShell has a parameter for a user name. Often I have no idea who has logged onto the computer. Get-RSOP.ps1 uses WMI to give you a pick list of the users on the remote computer and then passes your selection to the user parameter of Get-GPResultantSetOfPolicy.

Remove Active Directory Delegations

Saturday, February 25th, 2017

Over time, Active Directory delegations tend to accumulate and drift from the standards in the enterprise.  Removing the delegations for a user or group can be slow, especially if you do it manually.  Microsoft has a good article about this process, but none of the methods I found did what I needed.  I wanted a script which could look at all or selected OUs in AD for a delegation, and then delete them all.

Remove-DelegatedOUPermissions.ps1 is an advanced function which can be used to report on and remove delegated permissions assigned to OU objects and containers. You can choose the domain and search base, and you can search for full names or partial matches. For example, if you wanted to report on or delete the delegations for Site1PWAdmins and Site2PWAdmins, you could simply specify "PWAdmins". The search is case-insensitive, and you can search for more than one string by separating your search terms with a comma.

This function always creates a log file. The default name is derived from the domain name, and the default location is the desktop. The function requires the ActiveDirectory module, but unlike Set-Acl, it can be used to write permissions in another domain. It supports WhatIf, and a confirmation is required before you commit changes. Because it is an advanced function, you can use Get-Help for details about its use.
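
A report-first version of the same idea, written here as an added example rather than the blog's Remove-DelegatedOUPermissions.ps1: it walks the OUs under a search base, keeps only explicit (non-inherited) ACEs whose trustee matches any of the comma-separated partial terms, and removes them only with -Remove after ShouldProcess confirmation. It assumes the ActiveDirectory module and the AD: drive of the current domain (so, unlike the blog's script, it does not write to another domain); the search base and trustee names in the usage comments are hypothetical.

```powershell
# Added example (not the blog's Remove-DelegatedOUPermissions.ps1). Assumes the ActiveDirectory
# module and the AD: drive of the current domain; Get-Acl/Set-Acl on that drive are domain-local.
function Get-DelegatedOUPermission {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'OU=Sites,DC=corp,DC=example' (hypothetical)
        [Parameter(Mandatory)][string[]]$Trustee,    # partial, case-insensitive, e.g. 'PWAdmins','HelpDesk'
        [switch]$Remove                              # report only unless set; -WhatIf and -Confirm apply
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    # One regex from all search terms, so 'PWAdmins' hits Site1PWAdmins and Site2PWAdmins
    $pattern = ($Trustee | ForEach-Object { [regex]::Escape($_.Trim()) }) -join '|'
    $ous = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope Subtree
    foreach ($ou in $ous) {
        $path = "AD:\$($ou.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # Only explicit (non-inherited) ACEs are delegations made on this OU itself
        $hits = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -imatch $pattern })
        $changed = $false
        foreach ($ace in $hits) {
            $removed = $false
            if ($Remove -and $PSCmdlet.ShouldProcess($ou.DistinguishedName, "Remove ACE for $($ace.IdentityReference)")) {
                $null = $acl.RemoveAccessRule($ace)
                $removed = $true
                $changed = $true
            }
            [PSCustomObject]@{
                OU      = $ou.DistinguishedName
                Trustee = $ace.IdentityReference.Value
                Rights  = $ace.ActiveDirectoryRights
                Type    = $ace.AccessControlType
                Removed = $removed
            }
        }
        # Write the modified descriptor back once per OU, not once per ACE
        if ($changed) { Set-Acl -Path $path -AclObject $acl }
    }
}

# Report only: Get-DelegatedOUPermission -SearchBase 'OU=Sites,DC=corp,DC=example' -Trustee 'PWAdmins'
# Dry run of a removal: add -Remove -WhatIf; a real removal prompts because ConfirmImpact is High
```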

Adding Terminal Services Information to User Reports

Saturday, February 4th, 2017

Add-ADTSInfo.ps1 adds TerminalServicesHomeDrive, TerminalServicesHomeDirectory, TerminalServicesProfilePath and AllowLogon as additional members returned by a query of Active Directory user objects. As you may know, when looking at a user's properties in the Active Directory Users and Computers MMC there is a tab for these fields. However, if you look at the properties of a user object, these items simply aren't there. There are a few articles and scripts addressing this problem, and you will find that the only way to get the data is by binding to each individual user object and using a method like this: $ADSIUser.psbase.InvokeGet('TerminalServicesProfilePath').

My script differs from others in that you can pipe in an object containing user objects with any properties, and it will add the fields listed above to your results. I added sorting of the resulting properties so that the property names are in order. This is an advanced function with comment-based help.

Get the NetBIOS AD Domain Name from the FQDN

Monday, January 30th, 2017

I hate using NameTranslate, because it is a COM object, and because the output is often really hard to get into a clean, trimmed string. The NetBIOS name isn't a part of the AD domain object, but I suspected that the information could be obtained using an LDAP query. My searching led me to a post on StackFlow. It wasn't PowerShell, but it did give me an interesting hint: the filter's objectCategory was "crossRef". I used this to port the code to PowerShell:

This query is quick, and avoids the formatting problems with NameTranslate.  There is a large table of LDAP queries on TechNet, but this one isn’t in the list.

Convert System.DirectoryServices.SearchResult to a PSObject

Sunday, December 25th, 2016

The ADSI accelerator is fast, and built into PowerShell, unlike the Active Directory module. When you use it, or the ADSISearcher accelerator, you get results which look like this [image from the Microsoft page linked above]:

FindAll Results

Getting the properties out to a file can be tricky.  I wrote two little functions to make this easier:

Get-AllDNSServersInForest.ps1 demonstrates how to use these functions. It uses the ADSI accelerator to create the ADSI searcher, then sends a list of all DNS servers in the forest to Out-GridView, using the query "(servicePrincipalName=DNS*)".
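
The two pieces described above (the crossRef query for the NetBIOS name, and a SearchResult-to-PSObject converter), written here as one added example rather than the blog's own functions or Get-AllDNSServersInForest.ps1. It needs only the built-in [ADSI] and [ADSISearcher] accelerators; the function names are mine, and the converter decodes objectGUID and objectSid rather than leaving raw byte arrays.

```powershell
# Added example (not the blog's own scripts). Requires only the built-in ADSI accelerators.

# Flatten one System.DirectoryServices.SearchResult into a PSCustomObject with sorted property names.
function ConvertTo-PSObjectFromSearchResult {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.DirectoryServices.SearchResult]$SearchResult
    )
    process {
        $props = [ordered]@{}
        foreach ($name in ($SearchResult.Properties.PropertyNames | Sort-Object)) {
            $raw = $SearchResult.Properties[$name]      # ResultPropertyValueCollection, names are lower-case
            $values = @(for ($i = 0; $i -lt $raw.Count; $i++) {
                $v = $raw[$i]
                if ($v -is [byte[]]) {
                    # Binary attributes are only useful once decoded
                    switch ($name) {
                        'objectguid' { [guid]$v }
                        'objectsid'  { New-Object System.Security.Principal.SecurityIdentifier($v, 0) }
                        default      { [System.BitConverter]::ToString($v) }
                    }
                } else { $v }
            })
            # Single-valued attributes become scalars; multi-valued ones stay arrays
            $props[$name] = if ($values.Count -eq 1) { $values[0] } else { $values }
        }
        [PSCustomObject]$props
    }
}

# Resolve a domain's NetBIOS name from its DNS name via the crossRef objects in CN=Partitions.
function Get-NetBIOSDomainName {
    param([Parameter(Mandatory)][string]$DnsDomainName)
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    # Only domain crossRefs carry nETBIOSName; application partitions do not
    $searcher = [ADSISearcher]"(&(objectCategory=crossRef)(dnsRoot=$DnsDomainName)(nETBIOSName=*))"
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNC"
    $searcher.PropertiesToLoad.AddRange([string[]]@('nETBIOSName', 'dnsRoot', 'nCName'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "No crossRef found for $DnsDomainName" }
    ($result | ConvertTo-PSObjectFromSearchResult).netbiosname
}

# Usage (hypothetical domain): Get-NetBIOSDomainName -DnsDomainName 'corp.example.com'
# Any searcher's FindAll() output can be piped through ConvertTo-PSObjectFromSearchResult | Export-Csv
```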

Test Replication – A PowerShell Wrapper for RepAdmin

Saturday, December 10th, 2016

Repadmin is a standard tool in an AD admin's toolbox, and "showrepl" displays the status of replication in your domain. The results of this command are quite verbose, and can make your eyes glaze over in late-night troubleshooting. A number of people have noticed that you can pipe RepAdmin CSV output to the ConvertFrom-Csv cmdlet in PowerShell. I wanted a little more than what others had done. The script below is my effort. It (naturally) requires repadmin and the Out-GridView cmdlet.

Remove DNS Host Record and PTR with PowerShell

Saturday, December 10th, 2016

You have been asked, "Please remove the host record for these 15 computers, plus their associated PTR records". It isn't a difficult task, but it can be time consuming, especially if you have a large DNS database, and it can be annoying to do over and over again. When I first decided to automate this task, I went looking to see who had done something similar before, and found  My code, Remove-DNSRecord.ps1, is based on his, and extends it by searching all zones, and by creating an advanced function. The script relies on the PowerShell DNSServer module, which is available on Server 2008 and later.

Who Added this User to the Domain?

Saturday, December 10th, 2016

One of the questions that I am frequently asked is "who created that user?". In a small shop, the answer should be "me". But in a really large environment the answer may not be quite so clear. When an object is created in Active Directory, the owner of the object is the creator of the object. You will see the name of the account as the owner, unless that account is a member of Domain Admins or Enterprise Admins.

I wrote Get-WhoAddedUser.ps1 to quickly look up the owner of a user object. The script takes the distinguished name of the user object as input, because I began with a CSV file of distinguished names. It can be easily modified to take the SamAccountName.
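
The same lookup, written here as an added example rather than the blog's Get-WhoAddedUser.ps1: it takes either a distinguished name or a SamAccountName (Get-ADUser -Identity accepts both), reads the owner from the object's security descriptor on the AD: drive, and flags the case the post mentions where the owner is Domain Admins or Enterprise Admins rather than a person. It assumes the ActiveDirectory module; the users.txt path in the usage comment is hypothetical.

```powershell
# Added example (not the blog's Get-WhoAddedUser.ps1). Assumes the ActiveDirectory module and AD: drive.
function Get-ADUserOwner {
    [CmdletBinding()]
    param(
        # DN, SamAccountName, SID or GUID: Get-ADUser -Identity accepts all of them
        [Parameter(Mandatory, ValueFromPipeline)][string]$Identity
    )
    process {
        $user  = Get-ADUser -Identity $Identity -Properties whenCreated -ErrorAction Stop
        $owner = (Get-Acl -Path "AD:\$($user.DistinguishedName)").Owner
        [PSCustomObject]@{
            SamAccountName    = $user.SamAccountName
            WhenCreated       = $user.whenCreated
            Owner             = $owner
            # When the creator was a Domain/Enterprise Admin the owner is the group, not the person
            OwnerIsAdminGroup = [bool]($owner -match '\\(Domain Admins|Enterprise Admins)$')
        }
    }
}

# Usage: Get-Content .\users.txt | Get-ADUserOwner    (one DN or SamAccountName per line, hypothetical file)
```

When OwnerIsAdminGroup is true the descriptor cannot name the individual; the remaining record is event ID 4720 (a user account was created) in the Security log of the domain controller that created the account, whose Subject fields hold the creating account.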