Alan's Blog

"Yeah. I wrote a script that will do that."

Update GPOs with Newer Version

Posted on March 1st, 2017

If you use GPOs to enforce baselines, you may find that your enterprise is moving from version 1.1 to version 1.2 of a GPO. Unfortunately for you, version 1.1 is linked in a dozen places. Wouldn't you rather just search for version 1.1 and replace it with version 1.2? Use Update-GPOLinks.ps1 to do just that. The script not only finds all the original links and updates them to the new version, it also keeps the link order.

Script Text

Filed under Alan's Favorites, My Best, PowerShell, Scripting, Windows Administration

Remove Active Directory Delegations

Posted on February 25th, 2017

Over time, Active Directory delegations tend to accumulate and drift from the standards in the enterprise.  Removing the delegations for a user or group can be slow, especially if you do it manually.  Microsoft has a good article about this process, but none of the methods I found did what I needed.  I wanted a script which could look at all or selected OUs in AD for a delegation, and then delete them all.

Remove-DelegatedOUPermissions.ps1 is an advanced function which can be used to report and remove assigned delegated permissions from OU objects and containers.  You can choose the domain and searchbase, and you can search for full name or partial matches.  For example, if you wanted to report on or delete the delegations for Site1PWAdmins and Site2PWAdmins, you could simply specify “PWAdmins”.  The search is case-insensitive, and you can search for more than one string by separating your search terms with a comma.

This function always creates a log file.  The default name is derived from the domain name, and the default location is the desktop.  The function requires the ActiveDirectory module, but unlike Set-ACL, it can be used to write permissions in another domain.  It supports WhatIf, and a confirmation is required before you commit changes.  Because it is an advanced function, you can use Get-Help for details about use.

Script Text

Filed under Active Directory, Alan's Favorites, Functions, My Best, PowerShell, Scripting, Security, Windows Administration

Export to XLSX without Excel: Export-XLSX.ps1 Revisited and Tweaked

Posted on January 30th, 2017

I often look at the code of others with respect and admiration. Peter Kriegel (Germany) wrote Export-XLSX.ps1, an amazing script which lets you export data into a real XLSX file without Excel being installed. The script also enables you to directly append worksheets to XLSX files. His website hasn’t been updated in a while, and the automatic translate function is broken. It isn’t clear to me how to reach Peter, as I typically don’t post the code of others with so few changes, so I want to be clear — this isn’t my work.

I converted the original script to an advanced function, and made sure the Help was functioning right.  The only limitation is with formatting, which means it will look pretty much like a file from Export-CSV.  Nonetheless, if you have scripts running on servers where you really don’t want to install Excel, this is an excellent function to use.  The script is heavily commented and has examples in the help.

Script Text

Filed under Alan's Favorites, Excel, Functions, PowerShell, Scripting

Finding MTU for all Hops in a Trace Route

Posted on October 1st, 2016

I know, finding the “maximum” MTU is a redundancy, as MTU is an acronym for “Maximum Transmission Units”. However, my needs were to find all the MTUs to each hop of a tracert. Like many scripts, Find-MaxMTU.ps1 turned out to be a cut and paste exercise. I started with the Find-MTU script written by Robin CM. I added to it a function, written by Mathias R. Jessen, which converts tracert output to an object. Because I wanted to be able to run this from Windows Core, I avoided my usual graphical inputs and instead used a host read method written by Scripting Guy Ed Wilson. I added a new bit of code to keep the PowerShell command window from closing:

The resulting script will give you the MTU to a selected destination, optionally including the MTUs for all the intermediate hops. This will let you see the maximum of the MTUs — hence the name. The code is commented with the code attribution, and notes about what I changed.
Script Text

Filed under Alan's Favorites, PowerShell, Scripting

Quickly Check Domain Controller Health

Posted on September 5th, 2016

How can you tell whether an Active Directory domain controller is functioning properly? How do you know whether some over-zealous VLAN ACL is blocking necessary ports? Testing ICMP is easy: just ping it. Testing LDAP response isn’t hard; I wrote a vbScript to do that years ago. But to be complete, we want to check more. My list of things to check is this:

  • Ping
  • TCP Ports 53,88,135,389,445,464,636,3689
  • UDP Ports 53,389,464,636,3689
  • If you are running NetBIOS add 139 TCP and UDP ports 137,138
  • If the DNS port is open run NSLookup to check lookups
  • If LDAP port is open, do a test bind

Since a large enterprise may have a large number of DCs, I wanted to multi-thread the script.  For compatibility, I wanted to be able to run it on PowerShell 3 from a Windows 7 host without admin rights.

What I discovered is that testing TCP ports with PowerShell is pretty easy.  UDP connections, however, turned out to be more difficult.  After about 45 minutes of frustration, I found a great Test-Port function from PowerShell MVP Boe Prox.  It is contained inside the script.
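A minimal TCP-only version of the port check, as an added example (not code from Test-DCs.ps1 or from Boe Prox's Test-Port). It uses the TCP port list from the post and reports a timeout separately from an active failure, since a silent drop is what a filtering ACL usually looks like. The function name, the default timeout and the host name `dc01.example.test` are assumptions. UDP is deliberately left out.

```powershell
# Added example: TCP reachability check for a domain controller.
# Works on PowerShell 3; needs no admin rights and no modules.
function Test-DcTcpPort {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # TCP list from the post; -IncludeNetBios adds 139.
        [int[]]$Port = @(53, 88, 135, 389, 445, 464, 636, 3689),
        [switch]$IncludeNetBios,
        [int]$TimeoutMs = 1000
    )
    if ($IncludeNetBios) { $Port += 139 }
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        $state  = 'Timeout'   # no answer at all: typically a filtering ACL or firewall
        try {
            $pending = $client.BeginConnect($ComputerName, $p, $null, $null)
            if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($pending)   # throws if the connection was refused
                $state = 'Open'
            }
        }
        catch   { $state = 'Failed' }   # refused, reset, or name did not resolve
        finally { $client.Close() }
        [pscustomobject]@{
            ComputerName = $ComputerName
            Port         = $p
            State        = $state
        }
    }
}

# dc01.example.test is a placeholder host name, not from the post.
Test-DcTcpPort -ComputerName 'dc01.example.test' |
    Where-Object { $_.State -ne 'Open' }
```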

In my view, WorkFlows, introduced in Version 3, are the easiest way to multi-thread in PowerShell, and are a way which does not require special setup or rights on the remote systems. On my system, I see about 4 simultaneous queries using this method.

Test-DCs.ps1 can be edited to choose the testing of whatever ports you require and could easily be changed to test other systems such as web servers, Exchange or SharePoint servers.

Update 10-1-19:  This version has many improvements, including multi-threading and dynamically determining whether query of DNS or GC ports is required. Updated 4/16/2017 to fix some bugs, and to add switch for optional scanning of secure ports.

Script Text

Filed under Active Directory, Alan's Favorites, My Best, PowerShell, Scripting, Windows Administration

A GUI to Select Object Properties in Pipeline

Posted on May 14th, 2016

My first attempt at a GUI to select object properties demonstrated that I didn’t have a firm grasp on how to pipeline an object through an advanced function. The problem I had at the time was not understanding how to have the form only appear once. Why is that difficult? Because the Begin Block won’t accept a variable created as an argument to the function. If you put the form block into the Process Block, you get it popping up once for each item in the pipeline. The desired result is to run the form just once. The solution in my new version of Select-PropertyForm.ps1 is to create a variable to cause the form to be created only one time:

Note from above that $script:NewList is a list of the selected properties.  The selection form looks just like the previous version:

I have added a parameter to the function to set the title.  This has been changed to a full advanced function.  You must include it in your own code or “dot source” it to run.

An example:

This uses the Get-User AD cmdlet to get all users with the last name of “Smith”, returning AD properties. I then pipe to Convert-ADValues to ensure that dates and other values export okay, and send the results to a CSV file. The output for this is Selected.Microsoft.ActiveDirectory.Management.ADUser

Script Text

Filed under Alan's Favorites, My Best, PowerShell, Scripting

Copy Distinguished Name of OU to Clipboard (OUADSPath2Clip Updated)

Posted on April 28th, 2016

OUADSPathToClip.ps1 is an updated version of OUADSPath2Clip.ps1 and is an example implementation of the new Select-OU.ps1 script. It gives fast navigation of the OU structure to copy the OU’s DistinguishedName into your clipboard. Version 1.1 allows control of form and button text.
Script Text

Filed under Active Directory, Alan's Favorites, PowerShell, Scripting

Fast PowerShell Treeview OU Selection Form

Posted on April 28th, 2016

A large number of my scripts involve picking an Active Directory Organizational Unit (OU). I have been using Out-Gridview for OU navigation. This is because I was unable to find a form based GUI OU picker that worked fast enough in my very large AD environment. The scripts I have seen tended to collect all objects at once, and are very slow to load. Now that I have been working with PowerShell for nearly three years, I decided it was time to give it another try. The result of my efforts is Select-ADOU.ps1.

This PowerShell script begins by finding the AD Forest, and enumerating all domains. The user’s current domain is set as the default, and the first level of the domain is automatically expanded and put into the TreeView. This expansion of the first level is done with any domain selected. Double click on a node to expand the list of OUs below the branch. The script uses the [adsisearcher] accelerator with a OneLevel query of “(ObjectCategory=OrganizationalUnit)” — the ActiveDirectory module does not need to be loaded for it to work. When the OU is selected, the function returns an object which contains the DNS domain name, the OU Name and distinguishedname attributes. This makes it easy to use the information in subsequent code. Version 1.1 allows control of form and button text. Updated 4/16/2017 to include optional check-boxes, selection of initial domain, showing containers, and locking domain selection to single OU. Please note that some parameter names have changed so this is not a drop in replacement for the previous version.
Script Text

Filed under Active Directory, Alan's Favorites, My Best, PowerShell, Scripting

Lync 2010 and Powershell – Toggle Mute, Export Participants

Posted on April 19th, 2015

I spent a lot of time in Lync conferences. There are two things about the Lync 2010 client which drive me nuts. The first is that there is no way to toggle your mute on and off without clicking on the microphone. The second is that there is no easy way to export the list of participants without using OneNote. Not until Lync 2013 can you toggle the mute button with Windows logo key+F4.

Being a scripting guy, I decided to try to solve both of these issues.  Some web searching led me to the Lync 2013 Software Developers Kit (SDK), which appears to have a method to mute and unmute.  I have Lync 2010, and so I downloaded the 2010 Lync SDK — which did not contain this method.  I was undeterred.  Why not try the 2013 SDK?  Well, it won’t install on your computer unless you have Lync 2013 (aka “Skype for Business”) installed on your computer.

I am a stubborn and determined man.  I watched the install steps using ProcMon, and found a setup file in a temp folder which I was able to launch.  With the 2013 SDK finally installed, I began looking at the interfaces for first the mute script, and then the participant script.  I was happy to see that the 2013 SDK works just fine with Lync 2010.

As far as I can tell no one else has been successful in scripting these two things with PowerShell.  I wrote Toggle-LyncMute.ps1, which toggles the Lync Mute on and off. Get-LyncParticipants.ps1 sends the participant list to your clipboard, including the phone numbers of dial in callers.  The updated (5/16/15) zip also includes Set-BRBAndLock.ps1, which sets your status to “Be Right Back” and locks your computer.  The files are in, which contains the necessary Microsoft SDK files from the Lync SDK and the scripts.

Extract the files in the “Files” folder to your computer so that the Lync-2013-SDK folder is found in the same location as the PowerShell PS1 files, example:

C:\MyUserName\My Documents\Scripts\

You may, but are not required to keep the files in the “Scripts” folder, so long as you keep the SDK files in the same folder as the script.

Then run the “Make Lync Shortcuts.vbs” script by double-clicking on it.  This will create shortcuts on your desktop to the PowerShell scripts.  Technical note: The shortcuts run with the -bypass parameter to ensure they run even if your executionpolicy is otherwise restricted.

Important note:  PowerShell uses the trusted locations from Internet Explorer. Some people have had problems running this when installing to a folder off the root of their local drive.  If you install to a restricted directory, you will get an error: HRESULT: 0x80131515.  I know that “..\My Documents\Scripts\” works.

As always, the scripts are commented.  The SDK files are signed by Microsoft.  You don’t have to understand PowerShell or vbScripts to make this work for you.

You may delete the “Make Lync Shortcuts.vbs” script after you are set up.

Script Zip

Filed under Alan's Favorites, Computing, PowerShell, Scripting, VbScript

Auditing Active Directory Permissions with Powershell

Posted on November 22nd, 2014

Active Directory permissions aren’t easy to audit.  It is a lot easier to delegate permissions to a user or a group than it is to figure out later who has what rights on what containers and organizational units.  I have taken a few runs at it, including a vbscript version which was terrible.  That is why I was very happy when I found this script by Microsoft Premier Field Engineer Ashley McGlone.  His script gives you the choice of a full dump of the local domain, or a list of the assigned (not inherited) permissions.

Because I work in a larger multi-domain forest, I wanted a script that would allow me to choose what domain to audit, and to also have more control over what data would be in the filtered list. The resulting script is Get-OUPermissions.ps1. In my script the filtered list looks for assigned rights containing Create, Write, Delete or All, as those are the ones I find interesting. Using Where-Object was terribly slow, so I switched to a regex solution from a Scripting Guy article. I have commented the script pretty heavily to show where I changed things from the original script. My version wraps the original script in an advanced function, and so you can run it and use Get-Help to see all of the parameters and choices. There are some pretty interesting things in here, but what stumped me for a while was how to use Get-ACL for an AD object outside the current domain. What I came up with is something like this:

# $dnsdom holds the DNS name of the domain to query
$a = Get-ADUser -Identity $env:username -Server $dnsdom -Properties *
# The Access property lists every ACE on the object's security descriptor
$a.nTSecurityDescriptor |
    Select-Object -ExpandProperty Access |
    Select-Object *

By using the ntSecurityDescriptor you can specify the domain by using the DNS Domain Name in the Server parameter of the Get-AD* cmdlet.
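The filtering step described above (assigned, not inherited, rights containing Create, Write, Delete or All, matched with a regex), as an added example that is not taken from Get-OUPermissions.ps1. The function name, the SDDL string, the SID and the OU path are constructed for illustration so that it runs without a domain. The commented lines at the end show how it would be fed from the nTSecurityDescriptor approach in the post.

```powershell
# Added example: report explicit (non-inherited) ACEs whose rights look risky.
Add-Type -AssemblyName System.DirectoryServices

function Get-AssignedRiskyAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectorySecurity]$SecurityDescriptor,
        # Same idea as the post: rights containing Create, Write, Delete or All.
        [string]$RightsPattern = 'Create|Write|Delete|All'
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # ($true, $false) = include explicit ACEs, leave out inherited ones.
    foreach ($ace in $SecurityDescriptor.GetAccessRules($true, $false, $sidType)) {
        if ("$($ace.ActiveDirectoryRights)" -match $RightsPattern) {
            [pscustomobject]@{
                Path       = $Path
                Identity   = $ace.IdentityReference.Value
                Type       = $ace.AccessControlType
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType        # all-zero GUID = applies to the whole object
                AppliesTo  = $ace.InheritanceType
            }
        }
    }
}

# Constructed security descriptor (sample data, not from a real domain):
$sddl = 'D:AI' +
    '(A;CI;CCDC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +  # explicit create/delete child
    '(A;CI;RPLC;;;AU)' +                                               # explicit, read-only
    '(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'                         # full control, but inherited
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($sddl)

# Only the first ACE is both explicit and matches the pattern.
Get-AssignedRiskyAce -Path 'OU=Constructed,DC=example,DC=test' -SecurityDescriptor $sd

# Against a real domain (needs the ActiveDirectory module; $dnsdom as in the post):
# Get-ADOrganizationalUnit -Filter * -Server $dnsdom -Properties nTSecurityDescriptor |
#     ForEach-Object { Get-AssignedRiskyAce -Path $_.DistinguishedName `
#                          -SecurityDescriptor $_.nTSecurityDescriptor }
```

Identities are returned as SIDs so that no name lookups are needed; translate them afterwards if you want account names in the report.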

Script Text

Filed under Active Directory, Alan's Favorites, PowerShell, Scripting, Security, Windows Administration

Please Note

All the scripts are saved as .txt files. Newer files have a "View Script" button which will let you save or open a script in notepad. For earlier posts, the easiest way to download with IE is to right click on the link and use "Save Target As". Rename file from Name_ext.txt to Name.ext.

To see a full post after searching, please click on the title.

PowerShell Scripts were written with Version 3 or 4.

https connections are supported.

All new user accounts must be approved, as are comments. Please be patient. It is pretty easy to figure out my email address from the scripts, and you are welcome to contact me that way.
