Alan's Blog

"Yeah. I wrote a script that will do that."

Export and Import Delegated OU Permissions with PowerShell

Posted on August 13th, 2017

There are some delegations of permissions within Active Directory which cannot be made without extra effort. Some properties have been flagged as hidden in a file called Dssec.dat, located in %windir%\System32 on computers with the Active Directory Users and Computers (ADUC) MMC. Dssec.dat is a hidden text file that can be viewed and modified with Notepad. When you open Dssec.dat, you’ll notice that it’s divided into headings based on object class. Be sure to go to the [User] heading to make modifications. Otherwise, you won’t see any effect on the GUI display. For example, to show the PhysicalDeliveryOfficeName and other properties in the GUI, change the Dssec.dat value from 7 to 0 and save the changes. For more, see: Note too, that you can use delegwiz.inf for custom delegations.

If you need to copy the delegations to apply over many OUs within a domain this can be cumbersome.  You have to copy the modified dssec.dat or delegwiz.inf to each systems running the ADUC.  If you choose to simply go with a modified dssec.dat file select the right combination of permissions can be difficult.   Here is my solution:

1) Run the export script, Export-SelectedOUPermissions.ps1,  selecting domain and path which has the permissions you want to copy.
2) Optionally edit the permissions files to change the Identity Reference — the user or group to get the permissions.
3) Run the import script, Import-SelectedOUPermissions.ps1, select domain and destination(s).  You can use the graphical list to put checkboxes beside your selections.

If you are running the import script from within the ISE, the editor will be temporarily minimized to ensure you can see the menus.  You really should run the script in test mode first, and apply your delegation to a test OU before running in production.  Because Set-ACL often fails outside of the local domain with a “server refused” error, I used the .NET ObjectSecurity.SetSecurityDescriptorSddlForm method to apply the changes.

Recently an accidentally removed a complex delegation from an OU at 4:00 pm.  We were able to copy the delegation from another source and have the site back up and running within 10 minutes.


Tags: , ,
Filed under Active Directory, Alan's Favorites, My Best, PowerShell, Scripting, Security, Windows Administration | No Comments »

Get and Read RDP Certificate from a Remote Host with PowerShell

Posted on August 13th, 2017

Sometimes, I get some interesting questions from other teams within my organization.  Read-RDPCert.ps1 addresses a request to read the SSL certificates from a list of remote hosts.  This is based on the code and following comments at

Script Text

Tags: ,
Filed under PowerShell, Scripting, Security | No Comments »

Remove Active Directory Delegations

Posted on February 25th, 2017

Over time, Active Directory delegations tend to accumulate and drift from the standards in the enterprise.  Removing the delegations for a user or group can be slow, especially if you do it manually.  Microsoft has a good article about this process, but none of the methods I found did what I needed.  I wanted a script which could look at all or selected OUs in AD for a delegation, and then delete them all.

Remove-DelegatedOUPermissions.ps1 is an advanced function which can be used to report and remove assigned delegated permissions from OU objects and containers.  You can choose the domain and searchbase, and you can search for full name or partial matches.  For example, if you wanted to report on or delete the delegations for Site1PWAdmins and Site2PWAdmins, you could simply specify “PWAdmins”.  The search is case-insensitive, and you can search for more than one string by separating your search terms with a comma.

This function always creates a log file.  The default name is derived from the domain name, and the default location is the desktop.  The function requires the ActiveDirectory module, but unlike Set-ACL, it can be used to write permissions in another domain.  It supports WhatIf, and a confirmation is required before you commit changes.  Because it is an advanced function, you can use Get-Help for details about use.

Script Text

Tags: , , ,
Filed under Active Directory, Alan's Favorites, Functions, My Best, PowerShell, Scripting, Security, Windows Administration | No Comments »

Fix User’s Home Directory Permissions with Take Ownership

Posted on February 15th, 2017

Fix-HomeDrivePerms.ps1 is a PowerShell script which attempts to reset folder security when the permissions are really hosed.  It uses a take ownership function, Set-Owner, by Boe Prox, instead of takeown.exe, but does shell out to iCacls.exe.  I wrote this to fix home directories where a user might be logged on with files open a the time, and so it doesn’t rip out the old permissions and replace.

This will require a some editing to run, and this code fragment is set up to do one user folder at a time.  But it might get you going in the right direction.

Script Text

Tags: ,
Filed under PowerShell, Scripting, Scriptlets, Security, Windows Administration | No Comments »

Another User Folder Security Reset Script

Posted on February 11th, 2017

This simple batch file resets the inheritance on users folders and then grants them “modify” using the builtin icacls.exe.   This script does not address issues which require you to take ownership — I will post one that does that soon.

I added the “echo” command so you can see what it is doing — remove “echo” when you are ready to run it.

Remember that the variable character for batch files is the percentage sign “%” which must be escaped with a second percentage sign inside a batch file. So if you intend to run this from a command line, you would need to use only a single percentage sign for each variable.

PushD does a temporary drive mapping and changes you to the folder. Popd is the undo for PushD. Both are available inside of PowerShell.

The “FOR” command reads like this: For each directory assign the variable %u.  Run iCacls  to reset security, traversing the folders and continuing  on errors.  The expression %~fu expands %u to a fully qualified path name. The semi-colon allows multiple commands to be stacked. The next iCacls command grants the user modify based on the assumption that the username and folder name are the same.  %~du expands %u to a drive letter only – here, the temporary drive you got from the pushd command.

Variable assignments in the batch for command are case sensitive. If you run “FOR /?” from a command line, you will see a long list of interesting things that the tilde modifier can do with a batch variable.

Tags: , ,
Filed under Batch, Scripting, Security, Windows Administration | No Comments »

Who Added this User to the Domain?

Posted on December 10th, 2016

On of the questions that I am frequently asked is “who created that user”.  In a small shop, the answer should be “me”.  But in a really large environment the answer may not be quite so clear. When an object is created in Active Directory, the owner of the object is the creator of the object. You will see the name of the account as the owner, unless that account is a member of Domain Admins or Enterprise Admins.

I wrote Get-WhoAddedUser.ps1 to quickly look up the owner of a user object. The script takes the distinguished name of the user object as input, because I began with a CSV file of distinguished names. It can be easily modified to take the SamAccountName.


Script Text

Filed under Active Directory, PowerShell, Scripting, Security, Windows Administration | No Comments »

Get Oldest Windows Event

Posted on February 13th, 2016

Get-OldestEvent.ps1 is a PowerShell advanced function which returns the oldest event from a Windows computer event log, and will help you determine the rollover time for an event log by also returning the age of the record as a time span with the time created. Optionally you can return the entire oldest record with the age as an added member. Age is calculated from the time the script collects the information.  You must, of course, have admin rights to query remote event logs. Running locally requires that PowerShell be run elevated. Because it is an advanced function, it must first be loaded with “dot sourcing”.

Example: Get the time created and age for the oldest event in the Security log of this computer.

Example: Get the time created and age for the oldest event in the Application log of this computer.
Get-OldestEvent -eLog Application

Example: Get the oldest event from the Security log on MyServerName, plus Age of event.
Get-OldestEvent -ComputerName MyServerName -eLog security -ReturnAll

Script Text

Tags: , ,
Filed under PowerShell, Scripting, Security, Windows Administration | No Comments »

Passwords for Password Resets

Posted on September 7th, 2015

I discovered that my script to generate passwords, RandomPW.vbs, isn’t popular with users because the passwords are random.  I have an even more complicated but unposted PowerShell version with the same issue.

I wanted to create something that was easier for the help desk and users.  Get-TempPW.ps1 is my answer to those objections.  This script is pretty well commented, so I won’t go into details about the code here.   What the script does is get a randomly selected word from the web, capitalizes a random letter within the word, then appends numbers and special characters to the end.  You can set the minimum word length and the number of numbers and special characters with variables within the code.  The default is and eight character word plus a number and special character.  The order of the numbers and special characters are randomized. An example password is “hypeRimmunization4&”.

Script Text


Tags: , , ,
Filed under PowerShell, Scripting, Security, Windows Administration | No Comments »

Auditing Active Directory Permissions with Powershell

Posted on November 22nd, 2014

Active Directory permissions aren’t easy to audit.  It is a lot easier to delegate permissions to a user or a group than it is to figure out later who has what rights on what containers and organizational units.  I have taken a few runs at it, including a vbscript version which was terrible.  That is why I was very happy when I found this script by Microsoft Premier Field Engineer Ashley McGlone.  His script gives you the choice of a full dump of the local domain, or a list of the assigned (not inherited) permissions.

Because I work in a larger multi-domain forest, I wanted a script that would allow me to choose what domain to audit, and to also have more control over what data would be in the filtered list.  The resulting script is Get-OUPermissions.ps1.  In my script the filtered list looks for assigned rights containing Create, Write, Delete or All, as those are the ones I find interesting.  Using Where-Object was terribly slow, so I switched to a regex solution from a Scripting Guy article.  I have commented the script pretty heavily to show where I changed things from the original script.  My version wraps the original script in an advanced function, and so you can run it and use Get-Help to see all of the parameters and choices.  There is some pretty interesting things in here, but what stumped me for a while was how to use Get-ACL for an AD object outside the current domain.  What I came up was is something like this:
$a = Get-ADUser -Identity $env:username -server $dnsdom -Properties * $a.nTSecurityDescriptor |
Select-Object -ExpandProperty Access |
Select-Object *

By using the ntSecurityDescriptor you can specify the domain by using the DNS Domain Name in the Server parameter of the Get-AD* cmdlet.

Script Text

Tags: ,
Filed under Active Directory, Alan's Favorites, PowerShell, Scripting, Security, Windows Administration | No Comments »

PowerShell and .Nessus File Revisited

Posted on October 11th, 2014

I previously wrote about processing .Nessus files using Posh-NVS.  I found my needs to be a little different from what that project provides, so I decided to take a crack at my own script for reading .Nessus files.  Unlike Posh-NVS, it has no modules to install and my Convert-Nessus.ps1 adds the host information onto the line with the vulnerability data.  Although it creates a larger file, it is nice to have the IP Address, OS, MAC addresses, and NETBIOS Name in the same line for the file. Update:  Convert-Nessus4.ps1 adds a GUI to select what properties you want in the output.

Script Text

Tags: ,
Filed under PowerShell, Scripting, Security | No Comments »

Please Note

All the scripts are saved as .txt files. Newer files have a "View Script" button which will let you save or open a script in notepad. For earlier posts, the easiest way to download with IE is to right click on the link and use "Save Target As". Rename file from Name_ext.txt to Name.ext.

To see a full post after searching, please click on the title.

PowerShell Scripts were written with Version 3 or 4.

https connections are supported.

All new users accounts must be approved, as are comments. Please be patient. It is pretty easy to figure out my email address from the scripts, and you are welcome to contact me that way.

Site Search



SQL Site

Bad Behavior has blocked 262 access attempts in the last 7 days.