Archive for the ‘Security’ Category

Remove Active Directory Delegations

Saturday, February 25th, 2017

Over time, Active Directory delegations tend to accumulate and drift from the standards in the enterprise.  Removing the delegations for a user or group can be slow, especially if you do it manually.  Microsoft has a good article about this process, but none of the methods I found did what I needed.  I wanted a script which could look at all or selected OUs in AD for a delegation, and then delete them all.

Remove-DelegatedOUPermissions.ps1 is an advanced function which can be used to report and remove assigned delegated permissions from OU objects and containers.  You can choose the domain and searchbase, and you can search for full name or partial matches.  For example, if you wanted to report on or delete the delegations for Site1PWAdmins and Site2PWAdmins, you could simply specify “PWAdmins”.  The search is case-insensitive, and you can search for more than one string by separating your search terms with a comma.

This function always creates a log file.  The default name is derived from the domain name, and the default location is the desktop.  The function requires the ActiveDirectory module, but unlike Set-ACL, it can be used to write permissions in another domain.  It supports WhatIf, and a confirmation is required before you commit changes.  Because it is an advanced function, you can use Get-Help for details about use.

Script Text
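The report-and-remove behaviour described above, as an added example written for this page rather than the post's own Remove-DelegatedOUPermissions.ps1. It assumes the ActiveDirectory module, takes the DNS domain name in -Server, matches trustee names by case-insensitive substring, and writes the changed descriptor back with Set-ADObject (my assumption for the cross-domain write the post mentions), honouring -WhatIf and -Confirm.

```powershell
# Added example: find (and optionally remove) explicitly assigned ACEs on OUs whose
# trustee name contains any of the given substrings, in the domain named by -Server.
function Search-DelegatedOUPermission {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string[]]$Match,   # e.g. -Match PWAdmins,HelpDesk
        [string]$Server = $env:USERDNSDOMAIN,     # DNS name of the domain to search
        [string]$SearchBase,                      # OU DN to start from; default is the whole domain
        [switch]$Remove
    )
    $ouParams = @{ Filter = '*'; Server = $Server; Properties = 'nTSecurityDescriptor' }
    if ($SearchBase) { $ouParams.SearchBase = $SearchBase }
    # Escape each term and combine them, so "PWAdmins" hits Site1PWAdmins and Site2PWAdmins
    $pattern = ($Match | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($ou in Get-ADOrganizationalUnit @ouParams) {
        $sd = $ou.nTSecurityDescriptor
        # Only explicitly assigned ACEs; inherited ones must be removed at their source
        $hits = @($sd.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -imatch $pattern })
        foreach ($ace in $hits) {
            [pscustomobject]@{
                OU       = $ou.DistinguishedName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.ActiveDirectoryRights
                Type     = $ace.AccessControlType
                Action   = if ($Remove) { 'Remove' } else { 'Report' }
            }
        }
        if ($Remove -and $hits.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($ou.DistinguishedName, "Remove $($hits.Count) ACE(s)")) {
            foreach ($ace in $hits) { [void]$sd.RemoveAccessRule($ace) }
            # Assumption: Set-ADObject -Replace writes the descriptor and honours -Server,
            # which Set-Acl on the AD: drive does not for another domain
            Set-ADObject -Identity $ou.DistinguishedName -Server $Server `
                -Replace @{ nTSecurityDescriptor = $sd }
        }
    }
}
# Report first, then remove with a confirmation prompt:
# Search-DelegatedOUPermission -Match PWAdmins -Server child.contoso.com
# Search-DelegatedOUPermission -Match PWAdmins -Server child.contoso.com -Remove
```

Pipe the report output to Export-Csv to keep the log the post's script writes to the desktop.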

Fix User’s Home Directory Permissions with Take Ownership

Wednesday, February 15th, 2017

Fix-HomeDrivePerms.ps1 is a PowerShell script which attempts to reset folder security when the permissions are really hosed. It uses a take ownership function, Set-Owner, by Boe Prox, instead of takeown.exe, but does shell out to iCacls.exe. I wrote this to fix home directories where a user might be logged on with files open at the time, so it doesn't rip out the old permissions and replace them.

This will require some editing to run, and this code fragment is set up to do one user folder at a time. But it might get you going in the right direction.

Script Text

Another User Folder Security Reset Script

Saturday, February 11th, 2017

This simple batch file resets the inheritance on users' folders and then grants them "modify" using the built-in icacls.exe. This script does not address issues which require you to take ownership — I will post one that does that soon.

I added the “echo” command so you can see what it is doing — remove “echo” when you are ready to run it.

Remember that the variable character for batch files is the percentage sign “%” which must be escaped with a second percentage sign inside a batch file. So if you intend to run this from a command line, you would need to use only a single percentage sign for each variable.

PushD does a temporary drive mapping and changes you to the folder. Popd is the undo for PushD. Both are available inside of PowerShell.

The "FOR" command reads like this: for each directory, assign the variable %u. Run iCacls to reset security, traversing the folders and continuing on errors. The expression %~fu expands %u to a fully qualified path name. The semi-colon allows multiple commands to be stacked. The next iCacls command grants the user modify based on the assumption that the username and folder name are the same. %~du expands %u to a drive letter only – here, the temporary drive you got from the pushd command.

Variable assignments in the batch for command are case sensitive. If you run “FOR /?” from a command line, you will see a long list of interesting things that the tilde modifier can do with a batch variable.
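The same reset-then-grant loop written in PowerShell, as an added example and not the post's batch file. It assumes one sub-folder per user named after the SamAccountName, takes the NetBIOS domain name in -Domain to qualify the account, and uses -WhatIf where the batch file used "echo".

```powershell
# Added example: PowerShell equivalent of the batch FOR loop described above.
function Reset-UserFolderAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Root,   # e.g. \\fileserver\home or D:\Home
        [string]$Domain = $env:USERDOMAIN      # NetBIOS domain to qualify the user name
    )
    Push-Location $Root                        # like pushd: work relative to the root
    try {
        foreach ($dir in Get-ChildItem -Directory) {
            $path = $dir.FullName              # fully qualified path, as %~fu gave
            $grant = "$Domain\$($dir.Name):(OI)(CI)M"
            if ($PSCmdlet.ShouldProcess($path, "icacls /reset /T /C, then /grant $grant")) {
                # /reset: drop explicit ACEs and re-apply inherited ones; /T: recurse; /C: continue on errors
                & icacls.exe $path /reset /T /C | Out-Null
                if ($LASTEXITCODE -ne 0) { Write-Warning "reset returned $LASTEXITCODE for $path" }
                # Modify for the matching user, inherited by sub-folders (CI) and files (OI)
                & icacls.exe $path /grant $grant | Out-Null
                if ($LASTEXITCODE -ne 0) { Write-Warning "grant returned $LASTEXITCODE for $path" }
            }
        }
    }
    finally { Pop-Location }                   # like popd
}
# Dry run first:  Reset-UserFolderAcl -Root \\fileserver\home -WhatIf
```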

Who Added this User to the Domain?

Saturday, December 10th, 2016

One of the questions that I am frequently asked is "who created that user?". In a small shop, the answer should be "me". But in a really large environment the answer may not be quite so clear. When an object is created in Active Directory, the owner of the object is the creator of the object. You will see the name of the account as the owner, unless that account is a member of Domain Admins or Enterprise Admins.

I wrote Get-WhoAddedUser.ps1 to quickly look up the owner of a user object. The script takes the distinguished name of the user object as input, because I began with a CSV file of distinguished names. It can be easily modified to take the SamAccountName.


Script Text
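An added example of the owner lookup, not the post's Get-WhoAddedUser.ps1: it accepts distinguished names or SamAccountNames from the pipeline (for example from Import-Csv), reads the owner from nTSecurityDescriptor, and flags the case the post warns about, where ownership by Domain Admins or Enterprise Admins hides the individual creator. -Server (DNS domain name) is assumed so it can query another domain.

```powershell
# Added example: report who owns (and therefore most likely created) user objects.
function Get-UserObjectOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('DistinguishedName', 'SamAccountName')][string]$Identity,
        [string]$Server = $env:USERDNSDOMAIN
    )
    process {
        try {
            # Get-ADUser -Identity accepts either a DN or a SamAccountName
            $u = Get-ADUser -Identity $Identity -Server $Server `
                -Properties nTSecurityDescriptor, whenCreated -ErrorAction Stop
        }
        catch { Write-Warning "Not found: $Identity ($_)"; return }
        # Owner as DOMAIN\name; GetOwner() is the .NET call behind the Owner property Get-Acl shows
        $owner = $u.nTSecurityDescriptor.GetOwner([System.Security.Principal.NTAccount]).Value
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            WhenCreated       = $u.whenCreated
            Owner             = $owner
            # True when the creator was an admin; the individual account is then not recorded here
            OwnerIsAdminGroup = $owner -match '\\(Domain Admins|Enterprise Admins)$'
        }
    }
}
# Example: Import-Csv .\users.csv | Get-UserObjectOwner | Export-Csv .\owners.csv -NoTypeInformation
```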

Get Oldest Windows Event

Saturday, February 13th, 2016

Get-OldestEvent.ps1 is a PowerShell advanced function which returns the oldest event from a Windows computer event log, and will help you determine the rollover time for an event log by also returning the age of the record as a time span along with the time created. Optionally you can return the entire oldest record with the age as an added member. Age is calculated from the time the script collects the information. You must, of course, have admin rights to query remote event logs. Running locally requires that PowerShell be run elevated. Because it is an advanced function, it must first be loaded with "dot sourcing".

Example: Get the time created and age for the oldest event in the Security log of this computer.

Example: Get the time created and age for the oldest event in the Application log of this computer.
Get-OldestEvent -eLog Application

Example: Get the oldest event from the Security log on MyServerName, plus Age of event.
Get-OldestEvent -ComputerName MyServerName -eLog security -ReturnAll

Script Text
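An added example of the function described above, written for this page and not the post's Get-OldestEvent.ps1. Parameter names follow the post's usage examples; the Age member name and the use of Get-WinEvent -Oldest are my assumptions.

```powershell
# Added example: oldest retained record of an event log, plus its age at query time.
function Get-OldestEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][Alias('LogName')][string]$eLog,
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$ReturnAll
    )
    # -Oldest reads the log from the beginning, so the first record is the oldest still retained.
    # Remote queries need admin rights on the target; the local Security log needs an elevated shell.
    $evt = Get-WinEvent -LogName $eLog -ComputerName $ComputerName -Oldest -MaxEvents 1 -ErrorAction Stop
    $age = (Get-Date) - $evt.TimeCreated       # TimeSpan, measured when the query runs
    if ($ReturnAll) {
        # Whole record with Age added as a member
        return $evt | Add-Member -NotePropertyName Age -NotePropertyValue $age -PassThru
    }
    [pscustomobject]@{
        ComputerName = $ComputerName
        Log          = $eLog
        RecordId     = $evt.RecordId
        TimeCreated  = $evt.TimeCreated
        Age          = $age
    }
}
# Get-OldestEvent -eLog Security
# Get-OldestEvent -ComputerName MyServerName -eLog Security -ReturnAll
```

A small Age on a busy Security log means the log wraps before anyone could review it; size the log or forward events accordingly.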

Passwords for Password Resets

Monday, September 7th, 2015

I discovered that my script to generate passwords, RandomPW.vbs, isn’t popular with users because the passwords are random.  I have an even more complicated but unposted PowerShell version with the same issue.

I wanted to create something that was easier for the help desk and users. Get-TempPW.ps1 is my answer to those objections. This script is pretty well commented, so I won't go into details about the code here. What the script does is get a randomly selected word from the web, capitalize a random letter within the word, then append numbers and special characters to the end. You can set the minimum word length and the number of numbers and special characters with variables within the code. The default is an eight-character word plus a number and a special character. The order of the numbers and special characters is randomized. An example password is "hypeRimmunization4&".

Script Text
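The word-plus-suffix scheme above as an added example, not the post's Get-TempPW.ps1. The post pulls its word from the web; here a short constructed word list stands in so it runs offline, and the random choices come from the .NET CSPRNG rather than Get-Random, which is not cryptographically strong.

```powershell
# Added example: temporary password built as "word with one capital" + shuffled digits/symbols.
function Get-SecureRandomInt {
    param([int]$Max)   # returns 0..Max-1 from the system CSPRNG
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $b = New-Object byte[] 4
    $rng.GetBytes($b)
    return [int]([BitConverter]::ToUInt32($b, 0) % [uint32]$Max)   # tiny modulo bias, acceptable here
}
function Get-TempPassword {
    param(
        [int]$MinWordLength = 8,
        [int]$NumberCount = 1,
        [int]$SpecialCount = 1,
        # Constructed stand-in for the web word source
        [string[]]$WordList = @('immunization', 'hypothesis', 'calendar', 'telescope', 'mountain')
    )
    $candidates = @($WordList | Where-Object { $_.Length -ge $MinWordLength })
    if ($candidates.Count -eq 0) { throw "No word of length >= $MinWordLength in the list" }
    $word = $candidates[(Get-SecureRandomInt $candidates.Count)]
    # Capitalize one randomly chosen letter
    $i = Get-SecureRandomInt $word.Length
    $word = $word.Substring(0, $i) + [char]::ToUpper($word[$i]) + $word.Substring($i + 1)
    # Collect the digits and symbols, then shuffle so their order is random
    $digits = '0123456789'; $specials = '!@#$%^&*?'
    $suffix = @()
    for ($n = 0; $n -lt $NumberCount;  $n++) { $suffix += $digits[(Get-SecureRandomInt $digits.Length)] }
    for ($n = 0; $n -lt $SpecialCount; $n++) { $suffix += $specials[(Get-SecureRandomInt $specials.Length)] }
    for ($j = $suffix.Count - 1; $j -gt 0; $j--) {        # Fisher-Yates shuffle
        $k = Get-SecureRandomInt ($j + 1)
        $tmp = $suffix[$j]; $suffix[$j] = $suffix[$k]; $suffix[$k] = $tmp
    }
    return $word + (-join $suffix)    # same shape as the post's "hypeRimmunization4&"
}
Get-TempPassword -NumberCount 2 -SpecialCount 1
```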


Auditing Active Directory Permissions with Powershell

Saturday, November 22nd, 2014

Active Directory permissions aren’t easy to audit.  It is a lot easier to delegate permissions to a user or a group than it is to figure out later who has what rights on what containers and organizational units.  I have taken a few runs at it, including a vbscript version which was terrible.  That is why I was very happy when I found this script by Microsoft Premier Field Engineer Ashley McGlone.  His script gives you the choice of a full dump of the local domain, or a list of the assigned (not inherited) permissions.

Because I work in a larger multi-domain forest, I wanted a script that would allow me to choose what domain to audit, and to also have more control over what data would be in the filtered list. The resulting script is Get-OUPermissions.ps1. In my script the filtered list looks for assigned rights containing Create, Write, Delete or All, as those are the ones I find interesting. Using Where-Object was terribly slow, so I switched to a regex solution from a Scripting Guy article. I have commented the script pretty heavily to show where I changed things from the original script. My version wraps the original script in an advanced function, and so you can run it and use Get-Help to see all of the parameters and choices. There are some pretty interesting things in here, but what stumped me for a while was how to use Get-ACL for an AD object outside the current domain. What I came up with is something like this:
$a = Get-ADUser -Identity $env:username -Server $dnsdom -Properties *
$a.nTSecurityDescriptor |
Select-Object -ExpandProperty Access |
Select-Object *

By using the ntSecurityDescriptor you can specify the domain by using the DNS Domain Name in the Server parameter of the Get-AD* cmdlet.

Script Text
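An added example of the filtered audit the post describes, written for this page and not the post's Get-OUPermissions.ps1 or Ashley McGlone's original: it reads nTSecurityDescriptor through the Get-AD* cmdlets so -Server can name another domain, keeps only assigned (non-inherited) ACEs, and filters rights with a compiled regex instead of Where-Object. The default pattern is the post's Create, Write, Delete or All.

```powershell
# Added example: assigned ACEs on the domain root and every OU of the chosen domain, filtered by rights.
function Get-OUAssignedPermission {
    [CmdletBinding()]
    param(
        [string]$Server = $env:USERDNSDOMAIN,                 # DNS name of the domain to audit
        [string]$RightsPattern = 'Create|Write|Delete|All',   # rights worth a second look
        [switch]$IncludeInherited
    )
    # One compiled regex, tested per ACE, is far faster than a Where-Object filter on thousands of ACEs
    $rx = [regex]::new($RightsPattern, 'IgnoreCase')
    $domainDn = (Get-ADDomain -Server $Server).DistinguishedName
    $objects = @(Get-ADObject -Identity $domainDn -Server $Server -Properties nTSecurityDescriptor) +
               @(Get-ADOrganizationalUnit -Filter * -Server $Server -Properties nTSecurityDescriptor)
    foreach ($obj in $objects) {
        foreach ($ace in $obj.nTSecurityDescriptor.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            $rights = $ace.ActiveDirectoryRights.ToString()   # e.g. "CreateChild, DeleteChild"
            if (-not $rx.IsMatch($rights)) { continue }
            [pscustomobject]@{
                Domain     = $Server
                Object     = $obj.DistinguishedName
                Identity   = $ace.IdentityReference.Value
                Type       = $ace.AccessControlType
                Rights     = $rights
                # GUID of the attribute or class the ACE is scoped to; all zeros means the whole object
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}
# Get-OUAssignedPermission -Server child.contoso.com | Export-Csv .\ou-perms.csv -NoTypeInformation
```

Review the Identity column against your delegation standard; a Deny ACE or a GenericAll grant to a non-admin group is the usual surprise.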

PowerShell and .Nessus File Revisited

Saturday, October 11th, 2014

I previously wrote about processing .Nessus files using Posh-NVS.  I found my needs to be a little different from what that project provides, so I decided to take a crack at my own script for reading .Nessus files.  Unlike Posh-NVS, it has no modules to install and my Convert-Nessus.ps1 adds the host information onto the line with the vulnerability data.  Although it creates a larger file, it is nice to have the IP Address, OS, MAC addresses, and NETBIOS Name in the same line for the file. Update:  Convert-Nessus4.ps1 adds a GUI to select what properties you want in the output.

Script Text

PowerShell and .Nessus files

Wednesday, October 1st, 2014

Tenable Nessus is a commonly used scanner in the enterprise.  The native (version 2) .nessus files which it creates are XML files which contain information about the scan settings, plus the data collected about the hosts.  Parsing these files is typically done with a Python script — a Google search yields over 140K results.  Looking for something in PowerShell will lead you to the Posh-NVS module written by Carlos Perez, at

You can get the Posh-NVS module from  Download the ZIP and extract it. Rename the folder to Posh-NVS. Before you copy or move the Posh-NVS folder under your modules folder, you should remove all streams from the files in the Posh-NVS folder. I used the command:
gci -Recurse | Remove-Item -Stream *

If you fail to do this you may get an “Operation is not supported” error importing the module.

There are many interesting cmdlets in the Posh-NVS module, but I was most interested in reading a .nessus file.  The cmdlet for this is Import-NessusV2Report.  When you use this cmdlet, the result is a hash table which needs to be expanded to be in a format we want.  Import-NessusReport.ps1 is an example script which prompts for a .nessus file and then converts the file and exports as CSV.  It could easily be modified to do a bulk insert into SQL.

I corresponded with Mr. Perez several times trying to get this to work.  I hope this helps spread the word and ease installation.

UPDATE:  I have written my own PowerShell .Nessus file converter which does not require a module.
Script Text
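The flattening that both Convert-Nessus.ps1 and the Import-NessusV2Report post describe, as an added example written for this page and not either script: each vulnerability row carries the host's IP, OS, MAC and NetBIOS name. Element and tag names are those of the NessusClientData_v2 format; the sample file is constructed.

```powershell
# Added example: flatten a .nessus v2 document into one object per host/finding pair.
function Convert-NessusV2 {
    param([Parameter(Mandatory)][xml]$Xml)
    foreach ($rh in $Xml.NessusClientData_v2.Report.ReportHost) {
        # HostProperties is a list of <tag name="...">value</tag>; turn it into a lookup
        $props = @{}
        foreach ($t in $rh.HostProperties.tag) { $props[$t.GetAttribute('name')] = $t.InnerText }
        foreach ($ri in $rh.ReportItem) {
            [pscustomobject]@{
                Host        = $rh.GetAttribute('name')
                IPAddress   = $props['host-ip']
                OS          = $props['operating-system']
                MAC         = $props['mac-address']
                NetBIOSName = $props['netbios-name']
                PluginID    = [int]$ri.pluginID
                PluginName  = $ri.pluginName
                Severity    = [int]$ri.severity     # 0 = info .. 4 = critical
                Port        = "$($ri.protocol)/$($ri.port)"
                RiskFactor  = $ri.risk_factor
            }
        }
    }
}
# Constructed sample in the v2 layout: one host, two findings (plugin IDs/names are made up)
[xml]$sample = @'
<NessusClientData_v2><Report name="demo">
 <ReportHost name="10.0.0.5"><HostProperties>
  <tag name="host-ip">10.0.0.5</tag><tag name="operating-system">Windows Server 2012 R2</tag>
  <tag name="mac-address">00:11:22:33:44:55</tag><tag name="netbios-name">FS01</tag>
 </HostProperties>
 <ReportItem port="445" protocol="tcp" severity="3" pluginID="10001" pluginName="Constructed finding A">
  <risk_factor>High</risk_factor></ReportItem>
 <ReportItem port="0" protocol="tcp" severity="0" pluginID="10002" pluginName="Constructed scan info">
  <risk_factor>None</risk_factor></ReportItem>
 </ReportHost></Report></NessusClientData_v2>
'@
Convert-NessusV2 -Xml $sample | Where-Object Severity -ge 1 | Format-Table -AutoSize
```

For a real scan, load the file with `[xml](Get-Content .\scan.nessus -Raw)` and pipe the output to Export-Csv, as the post does.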

Remote Windows Update 3.1

Wednesday, March 5th, 2014

Looking for a script to run Windows Update remotely? WindowsUpdate.hta version 3.1 is an HTML application which allows you to connect to a remote machine, determine what patches it requires from Windows Update, and install the patches. You can schedule a reboot time. This version allows you to look at the Windows Update log, and the log created by the program itself. There is a button to allow you to change the update source to, which is helpful in places where WSUS or SUP is not working properly. You can install all security patches, or select patches individually.

HTA files are best run from your local drive. Version 3.0 was released in 2011, version 3.1 only changes the background color to blue.  The transition color method I had used for the background is no longer supported in IE, and the program appeared to be broken.

Change the _hta.txt extension to .HTA.
Script Text