Alan's Blog

"Yeah. I wrote a script that will do that."

Remove Active Directory Delegations

Posted on February 25th, 2017

Over time, Active Directory delegations tend to accumulate and drift from the standards in the enterprise.  Removing the delegations for a user or group can be slow, especially if you do it manually.  Microsoft has a good article about this process, but none of the methods I found did what I needed.  I wanted a script which could look at all or selected OUs in AD for a delegation, and then delete them all.

Remove-DelegatedOUPermissions.ps1 is an advanced function which can be used to report and remove assigned delegated permissions from OU objects and containers.  You can choose the domain and searchbase, and you can search for full name or partial matches.  For example, if you wanted to report on or delete the delegations for Site1PWAdmins and Site2PWAdmins, you could simply specify “PWAdmins”.  The search is case-insensitive, and you can search for more than one string by separating your search terms with a comma.

This function always creates a log file.  The default name is derived from the domain name, and the default location is the desktop.  The function requires the ActiveDirectory module, but unlike Set-ACL, it can be used to write permissions in another domain.  It supports WhatIf, and a confirmation is required before you commit changes.  Because it is an advanced function, you can use Get-Help for details about use.

Script Text

Tags: , , ,
Filed under Active Directory, Alan's Favorites, Functions, My Best, PowerShell, Scripting, Security, Windows Administration | No Comments »

Get Downtime Using PowerShell

Posted on February 25th, 2017

I have been having problem with a computer with random reboots, and hanging on restart.  I wanted to know how long the computer had been unavailable.   I decided to use System Event ID 12 as the startup event for the purposes of my calculations.  The script takes these steps: 1) connect to the remote system and get the oldest event from the System Log.  Use this as the earliest start date for queries.  2) Collect all the startup events from user selected date.  3) For each startup event, collect the event immediately previous by record number.  4) Calculate the difference.

Get-DownTime.ps1 is the advanced function which gets the information.  It is the first function I have written which includes A Dot Source Reminder for Advanced Functions.

Script Text

Filed under Computing, Functions, PowerShell, Scripting, Windows Administration | No Comments »

Fix User’s Home Directory Permissions with Take Ownership

Posted on February 15th, 2017

Fix-HomeDrivePerms.ps1 is a PowerShell script which attempts to reset folder security when the permissions are really hosed.  It uses a take ownership function, Set-Owner, by Boe Prox, instead of takeown.exe, but does shell out to iCacls.exe.  I wrote this to fix home directories where a user might be logged on with files open a the time, and so it doesn’t rip out the old permissions and replace.

This will require a some editing to run, and this code fragment is set up to do one user folder at a time.  But it might get you going in the right direction.

Script Text

Tags: ,
Filed under PowerShell, Scripting, Scriptlets, Security, Windows Administration | No Comments »

Another User Folder Security Reset Script

Posted on February 11th, 2017

This simple batch file resets the inheritance on users folders and then grants them “modify” using the builtin icacls.exe.   This script does not address issues which require you to take ownership — I will post one that does that soon.

I added the “echo” command so you can see what it is doing — remove “echo” when you are ready to run it.

Remember that the variable character for batch files is the percentage sign “%” which must be escaped with a second percentage sign inside a batch file. So if you intend to run this from a command line, you would need to use only a single percentage sign for each variable.

PushD does a temporary drive mapping and changes you to the folder. Popd is the undo for PushD. Both are available inside of PowerShell.

The “FOR” command reads like this: For each directory assign the variable %u.  Run iCacls  to reset security, traversing the folders and continuing  on errors.  The expression %~fu expands %u to a fully qualified path name. The semi-colon allows multiple commands to be stacked. The next iCacls command grants the user modify based on the assumption that the username and folder name are the same.  %~du expands %u to a drive letter only – here, the temporary drive you got from the pushd command.

Variable assignments in the batch for command are case sensitive. If you run “FOR /?” from a command line, you will see a long list of interesting things that the tilde modifier can do with a batch variable.

Tags: , ,
Filed under Batch, Scripting, Security, Windows Administration | No Comments »

Set Share Folder Icon for Server 2012 and Windows 10

Posted on February 5th, 2017

I like to look at a folder and know whether or not it is shared. In earlier Windows OS there was a hand overlay which shows you this information. In Server 2012, this indicator has been omitted. Set-SharedFolderIcons.ps1 lets you use the icon of your choosing to restore this hint that a folder is shared.   There is a bit at the bottom of the script which you may edit:

The icon is generated with the Icon Extractor, and is used to preview your choice like this:

Confirm Icon Dialog

The script will enumerate shares, skipping admin shares, and, on a domain controller, it skips Sysvol and NetLogon shares.  The list goes to Out-Gridview, and selected shares get the new icon by editing the desktop.ini file.

Script Text

 

Tags: ,
Filed under PowerShell, Scripting, Windows 10, Windows Administration | No Comments »

Get the NetBIOS AD Domain Name from the FQDN

Posted on January 30th, 2017

I hate using NameTranslate, because it is a COM object, and because the output is often really hard to get into a clean, trimmed string.  The netBIOS name isn’t a part of the AD domain object, but I suspected that the information could be gotten using a LDAP query.  My searching lead me to a post on StackFlow.  It wasn’t PowerShell, but it did give me an interesting hint.  The filter’s objectcategory was “CrossRef”.  I used this to port the code to PowerShell:

This query is quick, and avoids the formatting problems with NameTranslate.  There is a large table of LDAP queries on TechNet, but this one isn’t in the list.

Tags: , ,
Filed under Active Directory, Functions, PowerShell, Scriptlets, Windows Administration | No Comments »

Test Replication – A PowerShell Wrapper for RepAdmin

Posted on December 10th, 2016

Repadmin is a standard tool in an AD admin’s toolbox, and “showrepl” displays the status of replication in your domain. The results of this command are quite verbose, and can make your eyes glaze over in late night troubleshooting.  A number of people have noticed that you can pipe RepAdmin CSV output to the ConvertFrom-CSV cmdlet in PowerShell. I wanted a little more than what others had done. The script below is my effort.  It (naturally) requires repadmin and the Out-Gridview cmdlet.

Tags: , ,
Filed under Active Directory, PowerShell, Scripting, Windows Administration | No Comments »

Remove DNS Host Record and PTR with PowerShell

Posted on December 10th, 2016

You have been asked, “Please remove the host record for these 15 computers, plus their associated PTR records”.  It isn’t a difficult task, but it can be time consuming, especially if you have a large DNS database.  The in-addr.arpa bit can be annoying to do over and over again.  When I first decided to automate this task, I went looking to see who had done something similar before, and found https://rcmtech.wordpress.com/2014/02/26/get-and-delete-dns-a-and-ptr-records-via-powershell/.  My code, Remove-DNSRecord.ps1,  is based on his, and extends it by searching all zones, and by creating an advanced function.  The script relies on the PowerShell DNSServer Module, which is available on Server 2008 and later.
Script Text

Tags: , ,
Filed under Active Directory, Windows Administration | No Comments »

Who Added this User to the Domain?

Posted on December 10th, 2016

On of the questions that I am frequently asked is “who created that user”.  In a small shop, the answer should be “me”.  But in a really large environment the answer may not be quite so clear. When an object is created in Active Directory, the owner of the object is the creator of the object. You will see the name of the account as the owner, unless that account is a member of Domain Admins or Enterprise Admins.

I wrote Get-WhoAddedUser.ps1 to quickly look up the owner of a user object. The script takes the distinguished name of the user object as input, because I began with a CSV file of distinguished names. It can be easily modified to take the SamAccountName.

 

Script Text

Filed under Active Directory, PowerShell, Scripting, Security, Windows Administration | No Comments »

Quickly Check Domain Controller Health

Posted on September 5th, 2016

How can you tell whether an Active Directory domain controller is functioning properly?  How do you know whether some over-zealous VLAN ACL is blocking necessary ports?  Testing ICMP, is easy, just ping it.  Testing LDAP response isn’t hard, I wrote a vbScript to do that years ago.  But to complete, we want to check more.  My list of things to check are this:

  • Ping
  • TCP Ports 53,88,135,389,445,464
  • UDP Ports 53,389,464
  • If you are running NetBIOS add 139 TCP and UDP ports 137,138
  • If the DNS port is open run NSLookup to check lookups
  • If LDAP port is open, do a test bind

Since a large enterprise may have a large number of DCs, I wanted to multi-thread the script.  For compatibility, I wanted to be able to run it on PowerShell 3 from a Windows 7 host without admin rights.

What I discovered is that testing TCP ports with PowerShell is pretty easy.  UDP connections, however, turned out to be more difficult.  After about 45 minutes of frustration, I found a great Test-Port function from PowerShell MVP Boe Prox.  It is contained inside the script.

In my view, WorkFlows, introduced in Version 3, are the easiest way to multi-thread in PowerShell, and is a way which does not require special setup or rights on the remote systems. On my system, I see about 4 simultaneous queries using this method.

Test-DCs.ps1 can be edited to choose the testing of whatever ports you require and could easily be changed to test other systems such as web servers, Exchange or SharePoint servers.

Update 10-1-19:  This version has many improvements, including multi-threading and dynamically determining whether query of DNS or GC ports is required.

Script Text

Filed under Active Directory, Alan's Favorites, My Best, PowerShell, Scripting, Windows Administration | No Comments »

Please Note:

All the scripts are saved as .txt files. Newer files have a "View Script" button which will let you save or open a script in notepad. For earlier posts, the easiest way to download with IE is to right click on the link and use "Save Target As". Rename file from Name_ext.txt to Name.ext.

To see a full post after searching, please click on the title.

PowerShell Scripts were written with Version 3 or 4.

https connections are supported.

All new users accounts must be approved, as are comments. Please be patient. It is pretty easy to figure out my email address from the scripts, and you are welcome to contact me that way.

Categories

Translate

Bad Behavior has blocked 138 access attempts in the last 7 days.