Alan's Blog

"Yeah. I wrote a script that will do that."

Export and Import Delegated OU Permissions with PowerShell

Posted on August 13th, 2017

There are some delegations of permissions within Active Directory which cannot be made without extra effort. Some properties have been flagged as hidden in a file called Dssec.dat, located in %windir%\System32 on computers with the Active Directory Users and Computers (ADUC) MMC. Dssec.dat is a hidden text file that can be viewed and modified with Notepad. When you open Dssec.dat, you’ll notice that it’s divided into headings based on object class. Be sure to go to the [User] heading to make modifications. Otherwise, you won’t see any effect on the GUI display. For example, to show the PhysicalDeliveryOfficeName and other properties in the GUI, change the Dssec.dat value from 7 to 0 and save the changes. For more, see: https://mcpmag.com/articles/2003/11/01/finetuning-active-directory-access.aspx. Note too, that you can use delegwiz.inf for custom delegations.

If you need to copy the delegations to apply over many OUs within a domain this can be cumbersome.  You have to copy the modified dssec.dat or delegwiz.inf to each systems running the ADUC.  If you choose to simply go with a modified dssec.dat file select the right combination of permissions can be difficult.   Here is my solution:

1) Run the export script, Export-SelectedOUPermissions.ps1,  selecting domain and path which has the permissions you want to copy.
2) Optionally edit the permissions files to change the Identity Reference — the user or group to get the permissions.
3) Run the import script, Import-SelectedOUPermissions.ps1, select domain and destination(s).  You can use the graphical list to put checkboxes beside your selections.

If you are running the import script from within the ISE, the editor will be temporarily minimized to ensure you can see the menus.  You really should run the script in test mode first, and apply your delegation to a test OU before running in production.  Because Set-ACL often fails outside of the local domain with a “server refused” error, I used the .NET ObjectSecurity.SetSecurityDescriptorSddlForm method to apply the changes.

Recently an accidentally removed a complex delegation from an OU at 4:00 pm.  We were able to copy the delegation from another source and have the site back up and running within 10 minutes.

 

Tags: , ,
Filed under Active Directory, Alan's Favorites, My Best, PowerShell, Scripting, Security, Windows Administration | No Comments »

Clear GPO Cache on Remote Computer with PowerShell

Posted on August 13th, 2017

Clearing the GPO cache on a computer may be the only way to fix a persistent problem.  Doing this involves deleting files, registry entries, and rebuilding the security database.  Clear-GPOCache.ps1 works by creating a custom batch file on the remote computer, then scheduling a task running as System to run the process with the required rights.

There are some interesting code bits, such as getting the remote time for the scheduled task.  The task is logged in a text file and in the event log.

Script Text

Tags: ,
Filed under Active Directory, Batch, Group Policy Objects, PowerShell, Scripting, Windows Administration | No Comments »

Powershell Date LDAP filters

Posted on August 13th, 2017

This snippet can be used for easier date formatting when using an LDAP date filter with PowerShell.  This demonstrates how to get users created within the previous 30 days using LDAP:

 

Tags: ,
Filed under Active Directory, PowerShell, Scripting, Scriptlets | No Comments »

OU of Current PC from anywhere in the Forest

Posted on August 12th, 2017

There are a lot of ways to get the OU of the current computer, but most don’t work if you are outside your home domain. This code does, without requiring AD cmdlets:

Tags: ,
Filed under Active Directory, Scripting, Scriptlets | No Comments »

Create an AD Drive for Specified Domain

Posted on April 16th, 2017

When you load the Active Directory Module, you get, by default, an Active Directory PSDrive for the current domain.   You can avoid the drive from loading by setting $Env:ADPS_LoadDefaultDrive = 0. When writing scripts to export and import AD delegations, connecting to this remote drive became important to me. Here is an example of the code I used:

Tags: , ,
Filed under Active Directory, Functions, PowerShell, Scripting | No Comments »

Get All GPOs Linked to an OU

Posted on March 1st, 2017

Get-AllGPOsLinkedToOU.ps1 returns a unique list of all GPO’s linked to an OU. You can also run a onelevel or subtree search to get a unique list of linked OUs at or below the selected OU. You are prompted for the domain, and navigate to desired OU.
Script Text

Tags: ,
Filed under Active Directory, Group Policy Objects, PowerShell, Windows Administration | No Comments »

Reset GPO Cache

Posted on March 1st, 2017

This script deletes the locally stored copies of GPOs and forces a GPUPdate on a computer. Reset-GPOCache.ps1 works by a remote connection to the registry provider to get the path to the Group Policy\History folder, then deletes the files beneath that path. This ensures a fresh application of group polices.

Script Text

Tags: ,
Filed under Active Directory, Group Policy Objects, PowerShell, Windows Administration | No Comments »

Get Resultant Set of Polices (RSOP) with User Selection

Posted on March 1st, 2017

The Get-GPResultantSetOfPolicy cmdlet in the GroupPolicy module of PowerShell has a parameter for a user name.  Often I have no idea who has logged onto the computer.  Get-RSOP.ps1 uses WMI to give you a pick list of users on the remote computer and then passes that to the user parameter of Get-GPResultantSetOfPolicy.

Script Text

Tags: ,
Filed under Active Directory, Group Policy Objects, PowerShell, Scripting, Windows Administration | No Comments »

Remove Active Directory Delegations

Posted on February 25th, 2017

Over time, Active Directory delegations tend to accumulate and drift from the standards in the enterprise.  Removing the delegations for a user or group can be slow, especially if you do it manually.  Microsoft has a good article about this process, but none of the methods I found did what I needed.  I wanted a script which could look at all or selected OUs in AD for a delegation, and then delete them all.

Remove-DelegatedOUPermissions.ps1 is an advanced function which can be used to report and remove assigned delegated permissions from OU objects and containers.  You can choose the domain and searchbase, and you can search for full name or partial matches.  For example, if you wanted to report on or delete the delegations for Site1PWAdmins and Site2PWAdmins, you could simply specify “PWAdmins”.  The search is case-insensitive, and you can search for more than one string by separating your search terms with a comma.

This function always creates a log file.  The default name is derived from the domain name, and the default location is the desktop.  The function requires the ActiveDirectory module, but unlike Set-ACL, it can be used to write permissions in another domain.  It supports WhatIf, and a confirmation is required before you commit changes.  Because it is an advanced function, you can use Get-Help for details about use.

Script Text

Tags: , , ,
Filed under Active Directory, Alan's Favorites, Functions, My Best, PowerShell, Scripting, Security, Windows Administration | No Comments »

Adding Terminal Services Information to User Reports

Posted on February 4th, 2017

Add-ADTSInfo.ps1 adds TerminalServicesHomeDrive, TerminalServicesHomeDirectory, TerminalServicesProfilePath and AllowLogon as additional members returned by a query of Active Directory user objects.  As you may know, when looking at a user’s properties in the Active Directory Users and Computers MMC there is a tab for these fields.  However, if you look at the properties of a user object, these items simply aren’t there.  There are a few articles and scripts addressing this problem, and you will find that the only way to get the data is by binding to each individual user object and using the a method like this: $ADSIUser.psbase.InvokeGet(‘TerminalServicesProfilePath’).

My script differs from others in that you can pipe an object containing user objects with any properties, and it will add the fields listed above to your results.  I added sorting of the new resulting so that the property names are in order.  This is an advanced function with comment based help.

Script Text

Tags: , , ,
Filed under Active Directory, Functions, PowerShell, Scripting | No Comments »

Please Note

All the scripts are saved as .txt files. Newer files have a "View Script" button which will let you save or open a script in notepad. For earlier posts, the easiest way to download with IE is to right click on the link and use "Save Target As". Rename file from Name_ext.txt to Name.ext.

To see a full post after searching, please click on the title.

PowerShell Scripts were written with Version 3 or 4.

https connections are supported.

All new users accounts must be approved, as are comments. Please be patient. It is pretty easy to figure out my email address from the scripts, and you are welcome to contact me that way.

Site Search

Categories

Archives

SQL Site

Bad Behavior has blocked 262 access attempts in the last 7 days.