Alan's Blog

"Yeah. I wrote a script that will do that."

Create an AD Drive for Specified Domain

Posted on April 16th, 2017

When you load the Active Directory module, you get, by default, an Active Directory PSDrive (AD:) for the current domain. You can prevent the drive from loading by setting $Env:ADPS_LoadDefaultDrive = 0 before the module is imported. When writing scripts to export and import AD delegations, connecting to a drive for a different domain than the one I was logged on to became important to me. Here is an example of the code I used:
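The same idea, written out as an added example rather than the script linked from this post: a function that builds an ActiveDirectory provider drive for a named domain and a helper that dumps one OU's explicit ACEs through it (the use case the post mentions). The domain name, drive name and OU distinguished name in the usage lines are placeholders. Rooting the drive at "" mirrors the default AD: drive, so full distinguished names can be used as paths.

```powershell
Import-Module ActiveDirectory

function New-ADDomainDrive {
    <#
    .SYNOPSIS
    Creates an ActiveDirectory provider drive that talks to a specified domain,
    so Get-Acl/Set-Acl can be used on objects outside the current domain.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,   # DNS domain name, e.g. child.corp.example
        [string]$Name                            # drive name; defaults to the domain's NetBIOS name
    )
    # Let the target domain report its NetBIOS name rather than guessing it
    $dom = Get-ADDomain -Server $Domain -ErrorAction Stop
    if (-not $Name) { $Name = $dom.NetBIOSName }
    if (Get-PSDrive -Name $Name -ErrorAction SilentlyContinue) {
        Write-Verbose "Drive $Name already exists; reusing it"
        return Get-PSDrive -Name $Name
    }
    # -Root '' mirrors the default AD: drive, so full DNs work as paths.
    # -Server accepts a domain name; the DC locator picks a DC in that domain.
    New-PSDrive -Name $Name -PSProvider ActiveDirectory -Root '' -Server $Domain -Scope Global -ErrorAction Stop
}

function Export-OUDelegation {
    # Writes the explicit (non-inherited) ACEs of one OU to CSV through the domain drive
    param(
        [Parameter(Mandatory)][string]$DriveName,
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Path        # CSV file to write
    )
    $acl = Get-Acl -Path "$($DriveName):\$DistinguishedName"
    $acl.Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'OU'; e = { $DistinguishedName } }, IdentityReference, ActiveDirectoryRights,
                      AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
        Export-Csv -Path $Path -NoTypeInformation
}

# Usage (placeholder names):
# $drive = New-ADDomainDrive -Domain child.corp.example -Verbose
# Export-OUDelegation -DriveName $drive.Name `
#     -DistinguishedName 'OU=Servers,DC=child,DC=corp,DC=example' -Path .\servers-acl.csv
```

Only explicit ACEs are exported because inherited ones are re-derived from the parent on import; replaying them would duplicate rights.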

Filed under Active Directory, Functions, PowerShell, Scripting

Adding Terminal Services Information to User Reports

Posted on February 4th, 2017

Add-ADTSInfo.ps1 adds TerminalServicesHomeDrive, TerminalServicesHomeDirectory, TerminalServicesProfilePath and AllowLogon as additional members returned by a query of Active Directory user objects.  As you may know, when looking at a user’s properties in the Active Directory Users and Computers MMC there is a tab for these fields.  However, if you look at the properties of a user object, these items simply aren’t there: they are packed into the userParameters attribute, which the AD cmdlets return only as an opaque blob.  There are a few articles and scripts addressing this problem, and you will find that the only way to get the data is by binding to each individual user object and using a method like this: $ADSIUser.psbase.InvokeGet(‘TerminalServicesProfilePath’).

My script differs from others in that you can pipe an object containing user objects with any properties, and it will add the fields listed above to your results.  I added sorting of the resulting properties so that the property names are in order.  This is an advanced function with comment-based help.
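An added example of the technique described above, not the Add-ADTSInfo.ps1 script itself: a pipeline function that binds to each piped user with [ADSI], reads the four Terminal Services values through psbase.InvokeGet, and emits a copy of the object with the properties sorted by name. The optional -Server parameter is an assumption for cross-domain binds.

```powershell
function Add-ADTSInfo {
    <#
    .SYNOPSIS
    Adds the Terminal Services attributes to AD user objects passed down the pipeline.
    .DESCRIPTION
    The TS attributes are stored inside userParameters and are only exposed through the
    IADsTSUserEx interface, so each user is bound with [ADSI] and read via InvokeGet.
    .EXAMPLE
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Staff,DC=corp,DC=example' | Add-ADTSInfo
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$InputObject,  # anything with a DistinguishedName
        [string]$Server                                          # optional DC or domain to bind through
    )
    begin {
        $tsProps = 'TerminalServicesHomeDrive', 'TerminalServicesHomeDirectory',
                   'TerminalServicesProfilePath', 'AllowLogon'
    }
    process {
        $dn = $InputObject.DistinguishedName
        if (-not $dn) { throw "Input object has no DistinguishedName: $InputObject" }
        # A '/' inside a DN must be escaped in an ADsPath
        $dnPath = $dn -replace '/', '\/'
        $path = if ($Server) { "LDAP://$Server/$dnPath" } else { "LDAP://$dnPath" }
        $adsiUser = [ADSI]$path
        foreach ($p in $tsProps) {
            try   { $value = $adsiUser.psbase.InvokeGet($p) }   # AllowLogon comes back as 1 or 0
            catch { $value = $null }                             # value never set, or userParameters absent
            Add-Member -InputObject $InputObject -MemberType NoteProperty -Name $p -Value $value -Force
        }
        # Emit a copy with property names in alphabetical order, as the post describes
        $sorted = [ordered]@{}
        foreach ($m in ($InputObject.PSObject.Properties | Sort-Object Name)) { $sorted[$m.Name] = $m.Value }
        [PSCustomObject]$sorted
    }
}
```

Each user costs one LDAP bind, so this is inherently slow across thousands of accounts; filter at Get-ADUser rather than piping a whole domain through it.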


Filed under Active Directory, Functions, PowerShell, Scripting

Test Replication – A PowerShell Wrapper for RepAdmin

Posted on December 10th, 2016

Repadmin is a standard tool in an AD admin’s toolbox, and “showrepl” displays the status of replication in your domain. The results of this command are quite verbose and can make your eyes glaze over during late-night troubleshooting.  A number of people have noticed that you can pipe RepAdmin CSV output to the ConvertFrom-Csv cmdlet in PowerShell. I wanted a little more than what others had done. The script below is my effort.  It (naturally) requires repadmin and the Out-GridView cmdlet.
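The ConvertFrom-Csv approach as an added example (this is not the author's script): run repadmin with /csv, keep only the showrepl_ rows so stray error text does not break the parse, reshape the columns into typed properties, and optionally show just the links with failures. The column headers are those emitted by repadmin /showrepl /csv on Windows Server 2008 R2 and later; check them against your build if the object comes back empty.

```powershell
function Test-Replication {
    <#
    .SYNOPSIS
    Parses 'repadmin /showrepl <target> /csv' into objects, one per inbound replication link.
    .EXAMPLE
    Test-Replication -FailuresOnly
    .EXAMPLE
    Test-Replication -Target dc1.corp.example -GridView
    #>
    [CmdletBinding()]
    param(
        [string]$Target = '*',      # one DC, or * for every DC in the forest (repadmin syntax)
        [switch]$FailuresOnly,
        [switch]$GridView
    )
    $raw = & repadmin.exe /showrepl $Target /csv 2>&1
    # Header line starts with showrepl_COLUMNS, data lines with showrepl_INFO;
    # anything else (unreachable DC messages) is not CSV and would corrupt the parse.
    $csv = $raw | ForEach-Object { [string]$_ } | Where-Object { $_ -match '^showrepl_' }
    if (-not $csv) { throw "repadmin returned no CSV output (exit code $LASTEXITCODE)" }

    $result = foreach ($r in ($csv | ConvertFrom-Csv)) {
        [PSCustomObject]@{
            Destination       = $r.'Destination DSA'
            DestinationSite   = $r.'Destination DSA Site'
            Source            = $r.'Source DSA'
            SourceSite        = $r.'Source DSA Site'
            NamingContext     = $r.'Naming Context'
            Transport         = $r.'Transport Type'
            Failures          = [int]$r.'Number of Failures'
            LastFailure       = $r.'Last Failure Time'     # left as text: repadmin prints '0' when none
            LastSuccess       = $r.'Last Success Time'
            LastFailureStatus = [int]$r.'Last Failure Status'
        }
    }
    if ($FailuresOnly) { $result = $result | Where-Object { $_.Failures -gt 0 } }
    if ($GridView) { $result | Out-GridView -Title "Replication status for $Target" }
    else           { $result }
}
```

Sorting the output by Failures descending, or grouping by Source, is usually the fastest way to see whether one DC is the common factor in every broken link.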

Filed under Active Directory, PowerShell, Scripting, Windows Administration

Quickly Check Domain Controller Health

Posted on September 5th, 2016

How can you tell whether an Active Directory domain controller is functioning properly?  How do you know whether some over-zealous VLAN ACL is blocking necessary ports?  Testing ICMP is easy: just ping it.  Testing LDAP response isn’t hard; I wrote a vbScript to do that years ago.  But to be complete, we want to check more.  My list of things to check is this:

  • Ping
  • TCP ports 53, 88, 135, 389, 445, 464, 636, 3268 (Global Catalog) and 3269 (GC over SSL)
  • UDP ports 53, 88, 389 (CLDAP) and 464 (LDAPS 636 and the GC ports are TCP-only, so there is nothing to probe on UDP)
  • If you are running NetBIOS, add TCP 139 and UDP ports 137 and 138
  • If the DNS port is open, run NSLookup to check lookups
  • If the LDAP port is open, do a test bind

Since a large enterprise may have a large number of DCs, I wanted to multi-thread the script.  For compatibility, I wanted to be able to run it on PowerShell 3 from a Windows 7 host without admin rights.

What I discovered is that testing TCP ports with PowerShell is pretty easy.  UDP connections, however, turned out to be more difficult: UDP is connectionless, so a port only proves it is open by answering a datagram that the service behind it understands, and silence looks the same whether the port is filtered or simply ignoring junk.  After about 45 minutes of frustration, I found a great Test-Port function from PowerShell MVP Boe Prox.  It is contained inside the script.

In my view, workflows, introduced in version 3, are the easiest way to multi-thread in PowerShell, and they do not require special setup or rights on the remote systems. On my system, I see about 4 simultaneous queries using this method.

Test-DCs.ps1 can be edited to choose the testing of whatever ports you require and could easily be changed to test other systems such as web servers, Exchange or SharePoint servers.

Update 10-1-19:  This version has many improvements, including multi-threading and dynamically determining whether querying the DNS or GC ports is required. Updated 4/16/2017 to fix some bugs, and to add a switch for optional scanning of the secure ports.
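The checks from the list above, as an added example that is not the author's Test-DCs.ps1 and does not use Boe Prox's Test-Port. TCP ports are tested with a timed BeginConnect. The UDP problem is answered for DNS by sending a real query for the DC's own name and checking that the reply carries the same transaction ID with the QR bit set; a silent UDP port cannot be told apart from a filtered one, so the probe has to speak the protocol (Kerberos on UDP 88 could be probed the same way with a hand-built AS-REQ, which is left out here). LDAP is tested by reading RootDSE, which performs a bind with the caller's credentials. The default TCP list treats 3689 in the original as a typo for the Global Catalog port 3268 and adds 3269.

```powershell
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # dropped/filtered
        $client.EndConnect($ar)      # throws on RST (closed) or name resolution failure
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Test-DnsUdp {
    # Sends a minimal DNS A query over UDP 53 and validates the reply header
    param([string]$ComputerName, [string]$QueryName = $ComputerName, [int]$TimeoutMs = 2000)
    $id = Get-Random -Minimum 1 -Maximum 65535
    $q = New-Object System.Collections.Generic.List[byte]
    # Header: ID, flags 0x0100 (RD), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    $q.AddRange([byte[]]@(($id -shr 8), ($id -band 0xFF), 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0))
    foreach ($label in $QueryName.TrimEnd('.').Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $q.Add([byte]$bytes.Length); $q.AddRange($bytes)
    }
    $q.AddRange([byte[]]@(0, 0, 1, 0, 1))     # root label, QTYPE=A, QCLASS=IN
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($ComputerName, 53)
        [void]$udp.Send($q.ToArray(), $q.Count)
        $ep = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$ep)
        # A genuine answer echoes our transaction ID and has the QR (response) bit set
        return ($resp.Length -ge 12 -and $resp[0] -eq ($id -shr 8) -and
                $resp[1] -eq ($id -band 0xFF) -and ($resp[2] -band 0x80) -ne 0)
    } catch { return $false }   # timeout, or ICMP port-unreachable surfaced as SocketException
    finally { $udp.Close() }
}

function Test-LdapBind {
    param([string]$ComputerName, [int]$Port = 389)
    try {
        # Reading RootDSE binds as the current user; failures throw on the property read
        $root = [ADSI]"LDAP://$($ComputerName):$Port/RootDSE"
        return -not [string]::IsNullOrEmpty([string]$root.defaultNamingContext)
    } catch { return $false }
}

function Test-DC {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName,
        [int[]]$TcpPorts = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)
    )
    process {
        $r = [ordered]@{
            ComputerName = $ComputerName
            Ping         = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet
        }
        foreach ($p in $TcpPorts) { $r["TCP$p"] = Test-TcpPort -ComputerName $ComputerName -Port $p }
        # Protocol-level checks only make sense once the port itself answered
        $r['DnsUdp']   = if ($r['TCP53'])  { Test-DnsUdp   -ComputerName $ComputerName } else { $null }
        $r['LdapBind'] = if ($r['TCP389']) { Test-LdapBind -ComputerName $ComputerName } else { $null }
        [PSCustomObject]$r
    }
}

# Usage: Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName | Test-DC | Format-Table -AutoSize
```

None of this needs admin rights on the DCs, matching the post's Windows 7 / PowerShell 3 constraint. To parallelise, each Test-DC call can be wrapped in a workflow's foreach -parallel or a runspace pool; the functions themselves are stateless, so that is safe.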


Filed under Active Directory, Alan's Favorites, My Best, PowerShell, Scripting, Windows Administration

Copy Distinguished Name of OU to Clipboard (OUADSPath2Clip Updated)

Posted on April 28th, 2016

OUADSPathToClip.ps1 is an updated version of OUADSPath2Clip.ps1 and is an example implementation of the new Select-OU.ps1 script.  It gives fast navigation of the OU structure and copies the selected OU’s DistinguishedName into your clipboard. Version 1.1 allows control of form and button text.

Filed under Active Directory, Alan's Favorites, PowerShell, Scripting

Fast PowerShell Treeview OU Selection Form

Posted on April 28th, 2016

A large number of my scripts involve picking an Active Directory Organizational Unit (OU). I have been using Out-GridView for OU navigation, because I was unable to find a form-based GUI OU picker that worked fast enough in my very large AD environment.  The scripts I have seen tended to collect all objects at once, and are very slow to load.  Now that I have been working with PowerShell for nearly three years, I decided it was time to give it another try.  The result of my efforts is Select-ADOU.ps1.

This PowerShell script begins by finding the AD forest and enumerating all of its domains.  The user’s current domain is set as the default, and the first level of the domain is automatically expanded and put into the TreeView.  This expansion of the first level is done for whichever domain is selected.  Double-click on a node to expand the list of OUs below that branch.  The script uses the [adsisearcher] accelerator with a OneLevel query of “(ObjectCategory=OrganizationalUnit)”, so only the direct children of the clicked node are fetched, and the ActiveDirectory module does not need to be loaded for it to work.  When the OU is selected, the function returns an object which contains the DNS domain name, the OU Name and DistinguishedName attributes.  This makes it easy to use the information in subsequent code. Version 1.1 allows control of form and button text.  Updated 4/16/2017 to include optional check-boxes, selection of the initial domain, showing containers, and locking domain selection to a single OU. Please note that some parameter names have changed, so this is not a drop-in replacement for the previous version.
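The enumeration that makes the picker fast, as an added example (the TreeView form itself is not reproduced; this is not the Select-ADOU.ps1 code): one function lists the forest's domains without the ActiveDirectory module, and another returns only the direct child OUs (optionally containers too) of a given node with a OneLevel [adsisearcher] query. A TreeView node's double-click handler would call Get-ChildOU with that node's DistinguishedName and add the results as its children.

```powershell
function Get-ForestDomainName {
    # Every domain in the current forest, via System.DirectoryServices (no AD module required)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($d in $forest.Domains) { $d.Name }
}

function Get-ChildOU {
    <#
    .SYNOPSIS
    Returns the OUs (and optionally containers) directly beneath one DN in one domain.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,   # DNS domain name, e.g. corp.example
        [string]$ParentDN,                        # default: the domain root
        [switch]$IncludeContainers
    )
    if (-not $ParentDN) {
        # corp.example -> DC=corp,DC=example
        $ParentDN = 'DC=' + ($Domain -replace '\.', ',DC=')
    }
    $filter = if ($IncludeContainers) {
        '(|(objectCategory=organizationalUnit)(objectCategory=container))'
    } else {
        '(objectCategory=organizationalUnit)'
    }
    $searcher = [adsisearcher]$filter
    # Binding through the domain name lets the DC locator pick a DC in that domain
    $searcher.SearchRoot  = [ADSI]"LDAP://$Domain/$ParentDN"
    $searcher.SearchScope = 'OneLevel'          # direct children only: this is what keeps it fast
    $searcher.PageSize    = 1000                # paged results so large OUs do not truncate at 1000
    foreach ($attr in 'name', 'distinguishedName', 'objectCategory') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $results = foreach ($r in $searcher.FindAll()) {
        [PSCustomObject]@{
            Domain            = $Domain
            Name              = [string]$r.Properties['name'][0]
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            IsContainer       = ([string]$r.Properties['objectcategory'][0]) -match '^CN=Container,'
        }
    }
    $results | Sort-Object Name
}

# Usage:
# Get-ForestDomainName
# Get-ChildOU -Domain corp.example
# Get-ChildOU -Domain corp.example -ParentDN 'OU=Staff,DC=corp,DC=example' -IncludeContainers
```

Because each call fetches one level, the cost of opening the picker is a single query regardless of how many OUs the domain holds; the full walk only happens for branches the user actually expands.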

Filed under Active Directory, Alan's Favorites, My Best, PowerShell, Scripting

Passwords for Password Resets

Posted on September 7th, 2015

I discovered that my script to generate passwords, RandomPW.vbs, isn’t popular with users because the passwords are random.  I have an even more complicated but unposted PowerShell version with the same issue.

I wanted to create something that was easier for the help desk and users.  Get-TempPW.ps1 is my answer to those objections.  This script is pretty well commented, so I won’t go into details about the code here.   What the script does is get a randomly selected word from the web, capitalize a random letter within the word, then append numbers and special characters to the end.  You can set the minimum word length and the number of digits and special characters with variables within the code.  The default is an eight-character word plus one number and one special character.  The order of the numbers and special characters is randomized. An example password is “hypeRimmunization4&”.  A password built this way is only as strong as the word list it draws from, so it should be treated as a one-time value: set the account to require a password change at next logon and expire it if it goes unused.
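The same construction as an added example, not the Get-TempPW.ps1 script. Two things differ from the post on purpose: the word comes from a small embedded list (constructed here; the script fetches one from the web), and every random choice is drawn from the .NET cryptographic RNG with rejection sampling instead of Get-Random, which is not a CSPRNG. The shuffle of the suffix is a Fisher-Yates pass, so the digit/special ordering is uniform.

```powershell
# Constructed sample word list; a real deployment would load a large curated list
$script:SampleWords = 'immunization', 'hypertext', 'lighthouse', 'marathon', 'blueprint',
                      'telescope', 'riverbank', 'orchestra', 'fortnight', 'sandstone'

function Get-SecureRandomInt {
    # Uniform integer in 0..MaxExclusive-1 from the OS CSPRNG, rejecting values that would bias the modulo
    param([Parameter(Mandatory)][int]$MaxExclusive)
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$MaxExclusive)
    do {
        $rng.GetBytes($buf)
        $n = [BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    return [int]($n % $MaxExclusive)
}

function Get-TempPassword {
    <#
    .SYNOPSIS
    Word with one random capital letter, followed by a shuffled mix of digits and specials.
    #>
    [CmdletBinding()]
    param(
        [int]$MinWordLength = 8,
        [int]$DigitCount    = 1,
        [int]$SpecialCount  = 1,
        [string[]]$WordList = $script:SampleWords
    )
    $candidates = @($WordList | Where-Object { $_.Length -ge $MinWordLength })
    if ($candidates.Count -eq 0) { throw "No words of length >= $MinWordLength in the word list" }
    $word = $candidates[(Get-SecureRandomInt $candidates.Count)].ToLower()

    # Capitalise one randomly chosen letter
    $i = Get-SecureRandomInt $word.Length
    $word = $word.Substring(0, $i) + $word.Substring($i, 1).ToUpper() + $word.Substring($i + 1)

    $digits   = '0123456789'
    $specials = '!@#$%^&*'     # characters that survive copy/paste and most password filters
    $tail = @()
    for ($k = 0; $k -lt $DigitCount;   $k++) { $tail += $digits[(Get-SecureRandomInt $digits.Length)] }
    for ($k = 0; $k -lt $SpecialCount; $k++) { $tail += $specials[(Get-SecureRandomInt $specials.Length)] }

    # Fisher-Yates shuffle so the position of digits vs specials is not predictable
    for ($k = $tail.Count - 1; $k -gt 0; $k--) {
        $j = Get-SecureRandomInt ($k + 1)
        $t = $tail[$k]; $tail[$k] = $tail[$j]; $tail[$j] = $t
    }
    return $word + (-join $tail)
}

# Usage: reset as a one-time password and force a change at first logon (placeholder identity)
# $pw = Get-TempPassword -DigitCount 2
# Set-ADAccountPassword -Identity jdoe -Reset -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
# Set-ADUser -Identity jdoe -ChangePasswordAtLogon $true
```

With a ten-word list this is trivially guessable; the entropy is roughly log2(words) + log2(word length) + the suffix, so the word list size matters far more than the suffix length.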

Filed under PowerShell, Scripting, Security, Windows Administration

Get the Parent OU for an AD Object

Posted on September 7th, 2015

I have mentioned before that the Charlotte PowerShell User group was frequented by Scripting Guy Ed Wilson, and his wife Teresa. I’m sad to say that they have moved away, but am happy that Brian Wilhite has been running the meetings since.  I mentioned to Brian that I had a cool way to get the parent container of an Active Directory object using ADSI:

The string method is, of course, faster. But if the parent object isn’t an OU, try the first method. It always works.
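Both approaches as an added example (the snippet the post refers to is not on the page, so this is not the author's code): the ADSI route binds to the object and asks the directory for its Parent, which works for any container type; the string route strips the first RDN and is fast but purely lexical. The regex below skips escaped commas so a leaf like "CN=Doe\, John" does not truncate the result, which a naive IndexOf(',') would.

```powershell
function Get-ADObjectParent {
    <#
    .SYNOPSIS
    Returns the distinguished name of an object's parent container.
    .EXAMPLE
    Get-ADUser jdoe | Get-ADObjectParent
    .EXAMPLE
    Get-ADObjectParent -DistinguishedName 'CN=Doe\, John,OU=Staff,DC=corp,DC=example' -UseStringMethod
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName,
        [switch]$UseStringMethod
    )
    process {
        if ($UseStringMethod) {
            # First RDN = run of non-comma chars, with any "\x" escapes allowed inside, up to the
            # first unescaped comma. A DN with no parent (a naming-context root) is returned unchanged.
            return $DistinguishedName -replace '^[^,\\]+(?:\\.[^,\\]*)*,', ''
        }
        # Authoritative: the directory reports the parent, whatever its object class
        $obj    = [ADSI]"LDAP://$($DistinguishedName -replace '/', '\/')"
        $parent = [ADSI]$obj.psbase.Parent
        return [string]$parent.distinguishedName
    }
}
```

The string method costs nothing but tells you what the parent DN would be, not that it exists; the ADSI method costs one bind and fails loudly if the object is gone, which is usually what a script wants before it moves or re-ACLs something.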

Filed under Active Directory, PowerShell, Scripting, Windows Administration

Test Whether Organizational Unit or Account Exists

Posted on September 7th, 2015

Here are two quick functions which I have recently found useful. The first tests whether a user account exists. It takes the Domain and Identity as arguments. Using the “Stop” error action with Try/Catch keeps it from printing any errors. You can do this with any of the AD cmdlets, such as Get-ADOrganizationalUnit, Get-ADComputer and others. The first example tests for the existence of a user account:

This tests whether an OU exists:
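The two functions as an added example (not the author's code, which is not on the page), with one change a practitioner would want: only ADIdentityNotFoundException is caught, so an unreachable DC or a denied bind is re-thrown instead of being reported as "does not exist". A bare catch would silently turn an outage into a false negative, which in a provisioning script can lead to a duplicate account being created.

```powershell
Import-Module ActiveDirectory

function Test-ADUserExists {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,     # DNS domain name, passed to -Server
        [Parameter(Mandatory)][string]$Identity    # sAMAccountName, DN, SID or objectGUID
    )
    try {
        $null = Get-ADUser -Identity $Identity -Server $Domain -ErrorAction Stop
        $true
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # "not found" is the only condition that means $false; anything else propagates
        $false
    }
}

function Test-ADOUExists {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$DistinguishedName
    )
    try {
        $null = Get-ADOrganizationalUnit -Identity $DistinguishedName -Server $Domain -ErrorAction Stop
        $true
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $false
    }
}

# Usage (placeholder names):
# Test-ADUserExists -Domain corp.example -Identity jdoe
# Test-ADOUExists   -Domain corp.example -DistinguishedName 'OU=Staff,DC=corp,DC=example'
```

Get-ADOrganizationalUnit only matches objects of class organizationalUnit, so a built-in container such as CN=Users reports $false here; use Get-ADObject in the same pattern when the DN may be a container.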

Filed under Active Directory, PowerShell, Scripting

Auditing Active Directory Permissions with Powershell

Posted on November 22nd, 2014

Active Directory permissions aren’t easy to audit.  It is a lot easier to delegate permissions to a user or a group than it is to figure out later who has what rights on which containers and organizational units.  I have taken a few runs at it, including a vbScript version which was terrible.  That is why I was very happy when I found this script by Microsoft Premier Field Engineer Ashley McGlone.  His script gives you the choice of a full dump of the local domain, or a list of the assigned (not inherited) permissions.

Because I work in a larger multi-domain forest, I wanted a script that would allow me to choose which domain to audit, and to have more control over what data would be in the filtered list.  The resulting script is Get-OUPermissions.ps1.  In my script the filtered list looks for assigned rights containing Create, Write, Delete or All, as those are the ones I find interesting.  Using Where-Object was terribly slow, so I switched to a regex solution from a Scripting Guy article.  I have commented the script pretty heavily to show where I changed things from the original script.  My version wraps the original script in an advanced function, so you can run it and use Get-Help to see all of the parameters and choices.  There are some pretty interesting things in here, but what stumped me for a while was how to use Get-Acl for an AD object outside the current domain.  What I came up with is something like this:

$a = Get-ADUser -Identity $env:username -Server $dnsdom -Properties nTSecurityDescriptor   # only the attribute we need, not *
$a.nTSecurityDescriptor |
    Select-Object -ExpandProperty Access |
    Select-Object *

By reading the nTSecurityDescriptor attribute instead of calling Get-Acl, you can pick the domain simply by passing its DNS domain name to the Server parameter of the Get-AD* cmdlet; no AD: drive for that domain is needed.
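The audit built on that idea, as an added example (not Get-OUPermissions.ps1 or Ashley McGlone's script): enumerate every OU in a chosen domain with nTSecurityDescriptor loaded, drop inherited ACEs unless asked for them, and keep only ACEs whose rights match the post's regex. The default pattern is the author's; the -ExcludeIdentity list is an assumption added to hide the principals that hold rights everywhere by design.

```powershell
Import-Module ActiveDirectory

function Get-OUPermissions {
    <#
    .SYNOPSIS
    Lists explicit ACEs granting interesting rights on every OU of one domain.
    .EXAMPLE
    Get-OUPermissions -Domain child.corp.example | Export-Csv .\child-ou-acl.csv -NoTypeInformation
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,       # DNS domain name; becomes -Server
        [string]$SearchBase,                          # default: the domain root
        [string]$RightsPattern = 'Create|Write|Delete|All',
        [switch]$IncludeInherited,
        # Assumed default: principals that are expected to have rights on every OU
        [string[]]$ExcludeIdentity = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                       'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')
    )
    if (-not $SearchBase) { $SearchBase = (Get-ADDomain -Server $Domain).DistinguishedName }
    # Compile once; a [regex] IsMatch per ACE is far cheaper than a Where-Object pipeline per OU
    $rights = [regex]$RightsPattern

    $ous = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Server $Domain `
                                    -Properties nTSecurityDescriptor
    foreach ($ou in $ous) {
        foreach ($ace in $ou.nTSecurityDescriptor.Access) {
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            $who = $ace.IdentityReference.Value
            if ($ExcludeIdentity -contains $who) { continue }
            if (-not $rights.IsMatch($ace.ActiveDirectoryRights.ToString())) { continue }
            [PSCustomObject]@{
                Domain              = $Domain
                OU                  = $ou.DistinguishedName
                Identity            = $who
                Rights              = $ace.ActiveDirectoryRights.ToString()
                Type                = $ace.AccessControlType
                ObjectType          = $ace.ObjectType          # GUID of the attribute/class/extended right, or all-zero
                InheritedObjectType = $ace.InheritedObjectType
                Inherited           = $ace.IsInherited
            }
        }
    }
}
```

The post's pattern deliberately omits ExtendedRight, which is where rights such as password reset and directory replication live; add it to -RightsPattern and map ObjectType GUIDs against the schema's rightsGuid values when the audit is about privilege escalation rather than delegation hygiene. Identities from other domains may come back as raw SIDs when the auditing host cannot translate them.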


Filed under Active Directory, Alan's Favorites, PowerShell, Scripting, Security, Windows Administration

Please Note

All the scripts are saved as .txt files. Newer files have a "View Script" button which will let you save or open a script in notepad. For earlier posts, the easiest way to download with IE is to right click on the link and use "Save Target As". Rename file from Name_ext.txt to Name.ext.

To see a full post after searching, please click on the title.

PowerShell Scripts were written with Version 3 or 4.

https connections are supported.

All new users accounts must be approved, as are comments. Please be patient. It is pretty easy to figure out my email address from the scripts, and you are welcome to contact me that way.
