Alan's Blog

"Yeah. I wrote a script that will do that."

Export and Import Delegated OU Permissions with PowerShell

Posted on August 13th, 2017

There are some delegations of permissions within Active Directory which cannot be made without extra effort. Some properties have been flagged as hidden in a file called Dssec.dat, located in %windir%\System32 on computers with the Active Directory Users and Computers (ADUC) MMC. Dssec.dat is a hidden text file that can be viewed and modified with Notepad. When you open Dssec.dat, you’ll notice that it’s divided into headings based on object class. Be sure to go to the [User] heading to make modifications. Otherwise, you won’t see any effect on the GUI display. For example, to show the PhysicalDeliveryOfficeName and other properties in the GUI, change the Dssec.dat value from 7 to 0 and save the changes. For more, see: https://mcpmag.com/articles/2003/11/01/finetuning-active-directory-access.aspx. Note, too, that you can use delegwiz.inf for custom delegations.

If you need to copy the delegations to apply over many OUs within a domain, this can be cumbersome. You have to copy the modified dssec.dat or delegwiz.inf to each system running the ADUC. If you choose to simply go with a modified dssec.dat file, selecting the right combination of permissions can be difficult. Here is my solution:

1) Run the export script, Export-SelectedOUPermissions.ps1,  selecting domain and path which has the permissions you want to copy.
2) Optionally edit the permissions files to change the Identity Reference — the user or group to get the permissions.
3) Run the import script, Import-SelectedOUPermissions.ps1, select domain and destination(s).  You can use the graphical list to put checkboxes beside your selections.

If you are running the import script from within the ISE, the editor will be temporarily minimized to ensure you can see the menus.  You really should run the script in test mode first, and apply your delegation to a test OU before running in production.  Because Set-ACL often fails outside of the local domain with a “server refused” error, I used the .NET ObjectSecurity.SetSecurityDescriptorSddlForm method to apply the changes.
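The export/import round trip described above, as an added example that is not the post's Export-SelectedOUPermissions.ps1 or Import-SelectedOUPermissions.ps1: the source OU's explicit DACL is saved as SDDL, the delegated identity can be swapped (step 2), and the result is applied with SetSecurityDescriptorSddlForm rather than Set-Acl. Function names, file paths and the OU and group names are assumptions for the example.

```powershell
Import-Module ActiveDirectory

function Export-OUDelegation {
    param([Parameter(Mandatory)][string]$OUDistinguishedName,
          [Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"
    # Keep only explicit ACEs: inherited ones are recomputed on the target anyway
    $explicit = New-Object System.DirectoryServices.ActiveDirectorySecurity
    foreach ($rule in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $explicit.AddAccessRule($rule)
    }
    # 'Access' exports just the DACL (D:), so owner and SACL of the target stay untouched
    Set-Content -Path $Path -Value $explicit.GetSecurityDescriptorSddlForm('Access') -Encoding ASCII
}

function Import-OUDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string[]]$TargetOU,
          [string]$FromIdentity,   # optional swap, e.g. 'CONTOSO\Site1Admins' ...
          [string]$ToIdentity,     # ... becomes 'CONTOSO\Site2Admins'
          [string]$Server)         # a DC of the target domain when it is not the local one
    $sddl = (Get-Content -Path $Path -Raw).Trim()
    if ($FromIdentity -and $ToIdentity) {
        # SDDL stores SIDs, not names, so translate both accounts before replacing
        $sidType = [System.Security.Principal.SecurityIdentifier]
        $fromSid = ([System.Security.Principal.NTAccount]$FromIdentity).Translate($sidType).Value
        $toSid   = ([System.Security.Principal.NTAccount]$ToIdentity).Translate($sidType).Value
        $sddl = $sddl.Replace($fromSid, $toSid)
    }
    foreach ($ou in $TargetOU) {
        $entry = if ($Server) { [ADSI]"LDAP://$Server/$ou" } else { [ADSI]"LDAP://$ou" }
        if ($PSCmdlet.ShouldProcess($ou, "Replace explicit DACL from $Path")) {
            # ObjectSecurity is an ActiveDirectorySecurity; write only the DACL section
            $entry.ObjectSecurity.SetSecurityDescriptorSddlForm($sddl,
                [System.Security.AccessControl.AccessControlSections]::Access)
            $entry.CommitChanges()
        }
    }
}

# Usage: export from the source OU, then rehearse with -WhatIf against a test OU
Export-OUDelegation -OUDistinguishedName 'OU=Site1,DC=contoso,DC=com' -Path "$env:USERPROFILE\Desktop\Site1.sddl"
Import-OUDelegation -Path "$env:USERPROFILE\Desktop\Site1.sddl" -TargetOU 'OU=Test,DC=contoso,DC=com' -WhatIf
```

Note that the import replaces the target OU's explicit ACEs with the exported set; if the target already has delegations of its own to keep, merge the rules into its existing ACL instead.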

Recently I accidentally removed a complex delegation from an OU at 4:00 pm. We were able to copy the delegation from another source and have the site back up and running within 10 minutes.


Enable New User Mailboxes with PowerShell

Posted on August 13th, 2017

Mail enabling new users should be easy to do from within the Exchange management console. If you are in a really large organization, you soon discover that it is painfully slow. When we create new users it takes time to replicate to Exchange, so we don’t mail enable new users upon creation. Making matters worse, our mail alias isn’t the Exchange default, which is the UPN.

Enable-NewUserMailboxes.ps1 is a PowerShell script which bulk enables new user accounts, permitting a custom Exchange alias.  For publication I have set this to the SamAccountName, but with a little bit of coding, you can change it to your requirements.

The script runs interactively, and automatically checks for and loads the remote Exchange shell. If you have not specified a starting OU for the search at the top of the script, you will be prompted to select the OU to query for user accounts. Then a list of users is collected and displayed using Out-GridView:

Capturing output from Enable-Mailbox turned out to be a challenge.  I ended up doing this:

The script creates a logfile, which is placed by default on your desktop. The log folder can be edited.


Update GPOs with Newer Version

Posted on March 1st, 2017

If you use GPOs to enforce baselines, you may find that your enterprise is moving from version 1.1 to version 1.2 of a GPO. Unfortunately for you, version 1.1 is linked in a dozen places. Wouldn’t you rather just search for version 1.1 and replace it with version 1.2? Use Update-GPOLinks.ps1 to do just that. The script not only finds all the original links and updates them to the new version, it also keeps the link order.
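One way to do the find-and-replace of links while preserving order, Enforced and LinkEnabled, as an added example that is not the post's Update-GPOLinks.ps1: it searches the gPLink attribute for the old GPO's GUID, then relinks at the recorded position. It needs the GroupPolicy and ActiveDirectory RSAT modules; the GPO names are placeholders, and site links are not handled.

```powershell
Import-Module GroupPolicy, ActiveDirectory

function Update-GPOLink {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$OldName,
          [Parameter(Mandatory)][string]$NewName)
    $old = Get-GPO -Name $OldName
    $new = Get-GPO -Name $NewName      # fails early if the replacement does not exist
    # Links live in the gPLink attribute of OUs and the domain head: search it for the old GUID
    $root    = Get-ADRootDSE
    $filter  = "(gPLink=*{$($old.Id)}*)"
    $targets = Get-ADObject -SearchBase $root.defaultNamingContext -LDAPFilter $filter
    foreach ($t in $targets) {
        $links = (Get-GPInheritance -Target $t.DistinguishedName).GpoLinks
        $link  = $links | Where-Object { $_.GpoId -eq $old.Id }
        if (-not $link) { continue }
        if ($links | Where-Object { $_.GpoId -eq $new.Id }) {
            Write-Warning "$($t.DistinguishedName) already links $NewName; old link left in place"
            continue
        }
        $msg = "replace link '$OldName' with '$NewName' at order $($link.Order)"
        if ($PSCmdlet.ShouldProcess($t.DistinguishedName, $msg)) {
            # Remove first, then recreate at the same position with the same flags
            Remove-GPLink -Guid $old.Id -Target $t.DistinguishedName | Out-Null
            New-GPLink -Guid $new.Id -Target $t.DistinguishedName -Order $link.Order `
                -Enforced    $(if ($link.Enforced) { 'Yes' } else { 'No' }) `
                -LinkEnabled $(if ($link.Enabled)  { 'Yes' } else { 'No' }) | Out-Null
            [pscustomobject]@{ Target = $t.DistinguishedName; Order = $link.Order; Enforced = $link.Enforced }
        }
    }
}

# Usage: see what would change, then run again without -WhatIf
Update-GPOLink -OldName 'Server Baseline v1.1' -NewName 'Server Baseline v1.2' -WhatIf
```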


Remove Active Directory Delegations

Posted on February 25th, 2017

Over time, Active Directory delegations tend to accumulate and drift from the standards in the enterprise.  Removing the delegations for a user or group can be slow, especially if you do it manually.  Microsoft has a good article about this process, but none of the methods I found did what I needed.  I wanted a script which could look at all or selected OUs in AD for a delegation, and then delete them all.

Remove-DelegatedOUPermissions.ps1 is an advanced function which can be used to report and remove assigned delegated permissions from OU objects and containers.  You can choose the domain and searchbase, and you can search for full name or partial matches.  For example, if you wanted to report on or delete the delegations for Site1PWAdmins and Site2PWAdmins, you could simply specify “PWAdmins”.  The search is case-insensitive, and you can search for more than one string by separating your search terms with a comma.

This function always creates a log file.  The default name is derived from the domain name, and the default location is the desktop.  The function requires the ActiveDirectory module, but unlike Set-ACL, it can be used to write permissions in another domain.  It supports WhatIf, and a confirmation is required before you commit changes.  Because it is an advanced function, you can use Get-Help for details about use.
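The report-then-remove behaviour described above, as an added example that is not the post's Remove-DelegatedOUPermissions.ps1: it walks OUs and containers under a search base, logs every explicit ACE whose identity contains one of the search strings (case-insensitive, so 'PWAdmins' covers Site1PWAdmins and Site2PWAdmins), and removes the matches through ADSI so a DC in another domain can be targeted. Function, parameter and OU names are assumptions.

```powershell
Import-Module ActiveDirectory

function Remove-MatchingOUDelegation {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string[]]$Match,   # substrings, e.g. 'PWAdmins','HelpDesk'
        [string]$SearchBase,                       # defaults to the domain root
        [string]$Server = (Get-ADDomain).PDCEmulator,
        [string]$LogPath
    )
    $domain = Get-ADDomain -Server $Server
    if (-not $SearchBase) { $SearchBase = $domain.DistinguishedName }
    if (-not $LogPath)    { $LogPath = "$env:USERPROFILE\Desktop\$($domain.DNSRoot)-delegations.log" }
    # Containers (CN=Users, CN=Computers ...) carry delegations too, not just OUs
    $targets = Get-ADObject -Server $Server -SearchBase $SearchBase `
                   -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'
    foreach ($t in $targets) {
        # Bind with ADSI so the write works against a DC in another domain
        $entry = [ADSI]"LDAP://$Server/$($t.DistinguishedName)"
        $acl   = $entry.ObjectSecurity
        $hits  = foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }          # inherited ACEs belong to a parent
            foreach ($m in $Match) {
                if ($ace.IdentityReference.Value -like "*$m*") { $ace; break }   # -like ignores case
            }
        }
        $changed = $false
        foreach ($ace in $hits) {
            "{0}`t{1}`t{2}`t{3}" -f $t.DistinguishedName, $ace.IdentityReference,
                $ace.ActiveDirectoryRights, $ace.AccessControlType | Add-Content -Path $LogPath
            if ($PSCmdlet.ShouldProcess($t.DistinguishedName, "Remove ACE for $($ace.IdentityReference)")) {
                $acl.RemoveAccessRuleSpecific($ace)
                $changed = $true
            }
        }
        if ($changed) { $entry.CommitChanges() }
    }
    Write-Verbose "Log written to $LogPath"
}

# Usage: report only, then remove (a confirmation prompt appears per OU)
Remove-MatchingOUDelegation -Match 'PWAdmins' -WhatIf
Remove-MatchingOUDelegation -Match 'PWAdmins','HelpDesk' -SearchBase 'OU=Sites,DC=contoso,DC=com'
```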


Export to XLSX without Excel: Export-XLSX.ps1 Revisited and Tweaked

Posted on January 30th, 2017

I often look at the code of others with respect and admiration. Peter Kriegel (Germany) wrote Export-XLSX.ps1, an amazing script which lets you export data into a real XLSX file without Excel being installed. The script also enables you to directly append worksheets to XLSX files. His website, http://www.admin-source.de, hasn’t been updated in a while, and the automatic translate function is broken. It isn’t clear to me how to reach Peter. I typically don’t post the code of others with so few changes, so I want to be clear — this isn’t my work.

I converted the original script to an advanced function, and made sure the Help was functioning right.  The only limitation is with formatting, which means it will look pretty much like a file from Export-CSV.  Nonetheless, if you have scripts running on servers where you really don’t want to install Excel, this is an excellent function to use.  The script is heavily commented and has examples in the help.


Finding MTU for all Hops in a Trace Route

Posted on October 1st, 2016

I know, finding the “maximum” MTU is a redundancy, as MTU is an acronym for “Maximum Transmission Units”. However, my needs were to find all the MTUs to each hop of a tracert. Like many scripts, Find-MaxMTU.ps1 turned out to be a cut and paste exercise. I started with the Find-MTU script written by Robin CM. I added to it a function, written by Mathias R. Jessen, which converts tracert output to an object. Because I wanted to be able to run this from Windows Core, I avoided my usual graphical inputs and instead used a host read method written by Scripting Guy Ed Wilson. I added a new bit of code to keep the PowerShell command window from closing:

The resulting script will give you the MTU to a selected destination, optionally including the MTU for all the intermediate hops. This will let you see the maximum of the MTUs — hence the name. The code is commented with the code attribution, and notes about what I changed.
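The two pieces the post combines, as an added example that is not Find-MaxMTU.ps1 or the scripts it borrowed from: tracert output is parsed into hop objects, and each hop's MTU is found by binary-searching the largest ping payload that still gets a reply with the Don't Fragment bit set. It relies only on ping.exe and tracert.exe, so it runs on Windows Core; English-language tool output is assumed, as are the function names.

```powershell
function ConvertFrom-Tracert {
    param([Parameter(Mandatory)][string]$Destination)
    # Hop lines end in an address; the header and timed-out (*) lines do not match
    foreach ($line in tracert -d $Destination) {
        if ($line -match '^\s*(\d+)\s+.*\s(\d{1,3}(?:\.\d{1,3}){3})\s*$') {
            [pscustomobject]@{ Hop = [int]$Matches[1]; Address = $Matches[2] }
        }
    }
}

function Test-DFPing {
    param([string]$Address, [int]$Payload)
    # -f sets DF, -l is the ICMP payload size; only a real reply line carries TTL=
    $out = ping -n 1 -w 1000 -f -l $Payload $Address
    return [bool]($out -match 'TTL=')
}

function Find-HopMTU {
    param([Parameter(Mandatory)][string]$Address, [int]$Low = 0, [int]$High = 1472)
    # 1472 bytes of payload + 28 bytes of IP/ICMP headers = the 1500-byte Ethernet MTU
    if (-not (Test-DFPing -Address $Address -Payload $Low)) { return $null }   # hop does not answer pings
    while ($High - $Low -gt 1) {
        $mid = [int](($Low + $High) / 2)
        if (Test-DFPing -Address $Address -Payload $mid) { $Low = $mid } else { $High = $mid }
    }
    if (Test-DFPing -Address $Address -Payload $High) { $Low = $High }
    return $Low + 28
}

function Find-PathMTU {
    param([Parameter(Mandatory)][string]$Destination, [switch]$AllHops)
    $hops = ConvertFrom-Tracert -Destination $Destination
    if (-not $AllHops) { $hops = $hops | Select-Object -Last 1 }
    foreach ($h in $hops) {
        [pscustomobject]@{ Hop = $h.Hop; Address = $h.Address; MTU = Find-HopMTU -Address $h.Address }
    }
}

# Usage: MTU to the destination only, or per hop with -AllHops
Find-PathMTU -Destination 'www.example.com' -AllHops | Format-Table -AutoSize
```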

Quickly Check Domain Controller Health

Posted on September 5th, 2016

How can you tell whether an Active Directory domain controller is functioning properly? How do you know whether some over-zealous VLAN ACL is blocking necessary ports? Testing ICMP is easy: just ping it. Testing LDAP response isn’t hard; I wrote a vbScript to do that years ago. But to be complete, we want to check more. My list of things to check is this:

  • Ping
  • TCP Ports 53,88,135,389,445,464,636,3689
  • UDP Ports 53,389,464,636,3689
  • If you are running NetBIOS add 139 TCP and UDP ports 137,138
  • If the DNS port is open run NSLookup to check lookups
  • If LDAP port is open, do a test bind

Since a large enterprise may have a large number of DCs, I wanted to multi-thread the script.  For compatibility, I wanted to be able to run it on PowerShell 3 from a Windows 7 host without admin rights.

What I discovered is that testing TCP ports with PowerShell is pretty easy.  UDP connections, however, turned out to be more difficult.  After about 45 minutes of frustration, I found a great Test-Port function from PowerShell MVP Boe Prox.  It is contained inside the script.

In my view, WorkFlows, introduced in Version 3, are the easiest way to multi-thread in PowerShell, and they do not require special setup or rights on the remote systems. On my system, I see about 4 simultaneous queries using this method.

Test-DCs.ps1 can be edited to choose the testing of whatever ports you require and could easily be changed to test other systems such as web servers, Exchange or SharePoint servers.

Update 10-1-19: This version has many improvements, including multi-threading and dynamically determining whether querying the DNS or GC ports is required. Updated 4/16/2017 to fix some bugs, and to add a switch for optional scanning of secure ports.
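The checklist above run in parallel with a workflow, as an added example that is not the post's Test-DCs.ps1: per DC it pings, tries the TCP port list as given in the post, queries DNS through the DC only when its DNS port answered, and does an LDAP bind by reading RootDSE. UDP checks are left out (the post uses Boe Prox's Test-Port for those), and Resolve-DnsName needs Windows 8/2012 or later; workflows run on PowerShell 3 to 5.1.

```powershell
workflow Test-DCs {
    param([string[]]$DCs, [string]$Zone,
          [int[]]$Ports = @(53,88,135,389,445,464,636,3689))   # TCP list from the post
    foreach -parallel ($dc in $DCs) {
        InlineScript {
            $dc = $using:dc; $zone = $using:Zone
            $r = [ordered]@{ DC = $dc; Ping = Test-Connection -ComputerName $dc -Count 1 -Quiet }
            foreach ($p in $using:Ports) {
                # Bounded connect attempt so a filtered port does not stall the whole scan
                $c = New-Object System.Net.Sockets.TcpClient
                try     { $r["TCP$p"] = $c.ConnectAsync($dc, $p).Wait(2000) -and $c.Connected }
                catch   { $r["TCP$p"] = $false }
                finally { $c.Close() }
            }
            # Only query DNS through this DC if its DNS port answered
            $r.DNS = if ($r.TCP53) {
                try { [bool](Resolve-DnsName -Name $zone -Type SOA -Server $dc -ErrorAction Stop) } catch { $false }
            } else { 'skipped' }
            # Reading RootDSE performs an authenticated LDAP bind as the caller
            $r.LDAPBind = if ($r.TCP389) {
                try { [bool]([ADSI]"LDAP://$dc/RootDSE").Properties['defaultNamingContext'].Value } catch { $false }
            } else { 'skipped' }
            [pscustomobject]$r
        }
    }
}

# Usage: enumerate the DCs without the ActiveDirectory module or admin rights
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Test-DCs -DCs ($domain.DomainControllers | ForEach-Object Name) -Zone $domain.Name | Format-Table -AutoSize
```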


A GUI to Select Object Properties in Pipeline

Posted on May 14th, 2016

My first attempt at a GUI to select object properties demonstrated that I didn’t have a firm grasp on how to pipeline an object through an advanced function. The problem I had at the time was not understanding how to have the form only appear once. Why is that difficult? Because the Begin Block won’t accept a variable created as an argument to the function. If you put the form block into the Process Block, you get it popping up once for each item in the pipeline. The desired result is to run the form just once. The solution in my new version of Select-PropertyForm.ps1 is to create a variable to cause the form to be created only one time:

Note from above that $script:NewList is a list of the selected properties.  The selection form looks just like the previous version:

I have added a parameter to the function to set the title.  This has been changed to a full advanced function.  You must include it in your own code or “dot source” it to run.

An example:

This uses the Get-ADUser cmdlet to get all users with the last name of “Smith”, returning AD properties. I then pipe to Convert-ADValues to ensure that dates and other values export okay, and send the results to a CSV file. The output type for this is Selected.Microsoft.ActiveDirectory.Management.ADUser.
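The run-the-form-once pattern described above, as an added example that is not the post's Select-PropertyForm.ps1: the first object through the Process block triggers the picker and caches the selection in $script:NewList, and every later object is projected onto that cached list. Out-GridView stands in for the post's WinForms form; the function name and -Title parameter are assumptions.

```powershell
function Select-PropertyOnce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$InputObject,
        [string]$Title = 'Select properties to output'
    )
    begin {
        # Reset here so each new pipeline gets a fresh prompt rather than last run's list
        $script:NewList = $null
    }
    process {
        if (-not $script:NewList) {
            # First object only: offer its property names and remember the answer
            $names = $InputObject.PSObject.Properties.Name
            $script:NewList = @($names | Out-GridView -Title $Title -PassThru)
            if (-not $script:NewList) { throw 'No properties selected.' }
        }
        # Every object, including the first, is trimmed to the cached property list
        $InputObject | Select-Object -Property $script:NewList
    }
}

# Usage: the grid appears once, then each user is reduced to the chosen properties
Get-ADUser -Filter "Surname -eq 'Smith'" -Properties * |
    Select-PropertyOnce -Title 'Smith export' |
    Export-Csv -Path "$env:USERPROFILE\Desktop\Smith.csv" -NoTypeInformation
```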


Copy Distinguished Name of OU to Clipboard (OUADSPath2Clip Updated)

Posted on April 28th, 2016

OUADSPathToClip.ps1 is an updated version of OUADSPath2Clip.ps1 and is an example implementation of the new Select-OU.ps1 script. It provides fast navigation of the OU structure to copy the OU’s DistinguishedName into your clipboard. Version 1.1 allows control of form and button text.

Fast PowerShell Treeview OU Selection Form

Posted on April 28th, 2016

A large number of my scripts involve picking an Active Directory Organizational Unit (OU). I have been using Out-GridView for OU navigation. This is because I was unable to find a form based GUI OU picker that worked fast enough in my very large AD environment. The scripts I have seen tended to collect all objects at once, and are very slow to load. Now that I have been working with PowerShell for nearly three years, I decided it was time to give it another try. The result of my efforts is Select-ADOU.ps1.

This PowerShell script begins by finding the AD Forest, and enumerating all domains. The user’s current domain is set as the default, and the first level of the domain is automatically expanded and put into the TreeView. This expansion of the first level is done with any domain selected. Double click on a node to expand the list of OUs below the branch. The script uses the [adsisearcher] accelerator with a OneLevel query of “(ObjectCategory=OrganizationalUnit)” — the ActiveDirectory module does not need to be loaded for it to work. When the OU is selected, the function returns an object which contains the DNS domain name, the OU Name and distinguishedName attributes. This makes it easy to use the information in subsequent code. Version 1.1 allows control of form and button text. Updated 4/16/2017 to include optional check-boxes, selection of initial domain, showing containers, and locking domain selection to a single OU. Please note that some parameter names have changed, so this is not a drop-in replacement for the previous version.
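The lazy lookups behind such a tree, as an added example that is not the post's Select-ADOU.ps1: one function enumerates the forest's domains and marks the user's own, and the other fetches only the direct child OUs (optionally containers) of one node with a OneLevel [adsisearcher] query, which is what a double-click expand needs and why nothing is loaded up front. No ActiveDirectory module is required; the function names are assumptions.

```powershell
function Get-ForestDomainList {
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $current = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    foreach ($d in $forest.Domains) {
        [pscustomobject]@{
            DnsName           = $d.Name
            DistinguishedName = $d.GetDirectoryEntry().distinguishedName.Value
            IsCurrent         = ($d.Name -eq $current)   # pre-select the user's own domain
        }
    }
}

function Get-ChildOU {
    param([Parameter(Mandatory)][string]$ParentDN,
          [Parameter(Mandatory)][string]$DnsDomain,   # bind through this domain's DCs
          [switch]$IncludeContainers)
    $filter = if ($IncludeContainers) {
        '(|(objectCategory=organizationalUnit)(objectCategory=container))'
    } else { '(objectCategory=organizationalUnit)' }
    $searcher = [adsisearcher]$filter
    $searcher.SearchRoot  = [ADSI]"LDAP://$DnsDomain/$ParentDN"
    $searcher.SearchScope = 'OneLevel'       # direct children only, so each expand stays cheap
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('name', 'distinguishedName'))
    foreach ($res in $searcher.FindAll()) {
        # One object per node with what later code needs: domain, name and DN
        [pscustomobject]@{
            Domain            = $DnsDomain
            Name              = [string]$res.Properties['name'][0]
            DistinguishedName = [string]$res.Properties['distinguishedname'][0]
        }
    }
}

# Usage: expand the first level of the user's domain, then one branch of it
$cur = Get-ForestDomainList | Where-Object IsCurrent
$top = Get-ChildOU -ParentDN $cur.DistinguishedName -DnsDomain $cur.DnsName
Get-ChildOU -ParentDN $top[0].DistinguishedName -DnsDomain $cur.DnsName -IncludeContainers
```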

Please Note

All the scripts are saved as .txt files. Newer files have a "View Script" button which will let you save or open a script in notepad. For earlier posts, the easiest way to download with IE is to right click on the link and use "Save Target As". Rename file from Name_ext.txt to Name.ext.

To see a full post after searching, please click on the title.

PowerShell Scripts were written with Version 3 or 4.

https connections are supported.

All new users accounts must be approved, as are comments. Please be patient. It is pretty easy to figure out my email address from the scripts, and you are welcome to contact me that way.
