Posts Tagged ‘Active Directory’

Adding Terminal Services Information to User Reports

Saturday, February 4th, 2017

Add-ADTSInfo.ps1 adds TerminalServicesHomeDrive, TerminalServicesHomeDirectory, TerminalServicesProfilePath and AllowLogon as additional members returned by a query of Active Directory user objects. As you may know, when looking at a user’s properties in the Active Directory Users and Computers MMC there is a tab for these fields. However, if you look at the properties of a user object, these items simply aren’t there. There are a few articles and scripts addressing this problem, and you will find that the only way to get the data is by binding to each individual user object and using a method like this: $ADSIUser.psbase.InvokeGet('TerminalServicesProfilePath').

My script differs from others in that you can pipe in an object containing user objects with any properties, and it will add the fields listed above to your results. I added sorting of the resulting properties so that the property names are in order. This is an advanced function with comment-based help.
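An added example in the spirit of the script described above (not Add-ADTSInfo.ps1 itself): an advanced function that binds to each piped user, reads the four Terminal Services values with InvokeGet, and emits an object with sorted property names. It assumes each input object carries a DistinguishedName property, as Get-ADUser output does.

```powershell
# Added example, not the author's script. Input objects must expose DistinguishedName.
function Add-TSInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject
    )
    begin {
        $tsProps = 'TerminalServicesHomeDrive', 'TerminalServicesHomeDirectory',
                   'TerminalServicesProfilePath', 'AllowLogon'
    }
    process {
        # Bind to the single user object; a '/' inside a DN must be escaped in an ADsPath
        $path     = 'LDAP://' + ($InputObject.DistinguishedName -replace '/', '\/')
        $adsiUser = [ADSI]$path
        foreach ($prop in $tsProps) {
            try {
                $value = $adsiUser.psbase.InvokeGet($prop)
            } catch {
                # No TS profile data has ever been set, or it is unreadable: report it as empty
                $value = $null
            }
            $InputObject | Add-Member -NotePropertyName $prop -NotePropertyValue $value -Force
        }
        # Emit a new object whose property names are sorted, so the TS fields land
        # alphabetically among whatever properties the caller selected
        $sorted = [ordered]@{}
        foreach ($name in ($InputObject.PSObject.Properties.Name | Sort-Object)) {
            $sorted[$name] = $InputObject.$name
        }
        [pscustomobject]$sorted
    }
}

# Usage: pipe any user query and keep the properties you asked for
Get-ADUser -Filter 'Enabled -eq $true' -Properties Department |
    Add-TSInfo |
    Select-Object SamAccountName, Department, TerminalServices*, AllowLogon
```

Because every user requires a separate bind, narrow the Get-ADUser filter before piping a large domain through this function.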

Test Replication – A PowerShell Wrapper for RepAdmin

Saturday, December 10th, 2016

Repadmin is a standard tool in an AD admin’s toolbox, and “showrepl” displays the status of replication in your domain. The results of this command are quite verbose and can make your eyes glaze over in late-night troubleshooting. A number of people have noticed that you can pipe RepAdmin CSV output to the ConvertFrom-CSV cmdlet in PowerShell. I wanted a little more than what others had done. The script below is my effort. It (naturally) requires repadmin and the Out-Gridview cmdlet.
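An added example of the repadmin-to-objects approach described above (not the author's Test-Replication script): it runs repadmin /showrepl with CSV output, converts the rows to objects, optionally keeps only partner pairs reporting failures, and hands the result to Out-GridView. The column names used are the ones repadmin writes in its CSV header and are stated here as an assumption.

```powershell
# Added example, not the author's wrapper. Requires repadmin.exe on the path.
function Get-ReplicationStatus {
    [CmdletBinding()]
    param(
        # '*' queries every DC; pass a DC name to narrow the query
        [string]$Target = '*',
        # Return only partner pairs that currently report failures
        [switch]$FailuresOnly
    )
    # One CSV row per destination DC / naming context / source DC combination
    $raw  = & repadmin /showrepl $Target /csv
    $rows = $raw | ConvertFrom-Csv
    if (-not $rows) { throw "repadmin returned no rows (exit code $LASTEXITCODE)" }

    # Column names assumed from the repadmin CSV header
    $result = foreach ($r in $rows) {
        [pscustomobject]@{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            NamingContext = $r.'Naming Context'
            Failures      = [int]$r.'Number of Failures'
            LastFailure   = $r.'Last Failure Time'
            LastSuccess   = $r.'Last Success Time'
            Status        = $r.'Last Failure Status'
        }
    }
    if ($FailuresOnly) { $result = $result | Where-Object Failures -gt 0 }
    $result
}

# Failing pairs first, in a sortable/filterable grid
Get-ReplicationStatus -FailuresOnly |
    Sort-Object Failures -Descending |
    Out-GridView -Title 'AD replication failures'
```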

Copy Distinguished Name of OU to Clipboard (OUADSPath2Clip Updated)

Thursday, April 28th, 2016

OUADSPathToClip.ps1 is an updated version of OUADSPath2Clip.ps1 and is an example implementation of the new Select-OU.ps1 script. It provides fast navigation of the OU structure so you can copy an OU’s DistinguishedName to your clipboard. Version 1.1 allows control of form and button text.

Fast PowerShell Treeview OU Selection Form

Thursday, April 28th, 2016

A large number of my scripts involve picking an Active Directory Organizational Unit (OU). I have been using Out-Gridview for OU navigation, as in OUADSPath2Clip.ps1, because I have been unable to find a form-based GUI OU picker that worked fast enough in my very large AD environment. The ones I have seen tended to collect all objects at once and were very slow to load. Now that I have been working with PowerShell for nearly three years, I decided it was time to give it another try. The result of my efforts is Select-ADOU.ps1.

This PowerShell script begins by finding the AD forest and enumerating all of its domains. The user’s current domain is set as the default, and the first level of that domain is automatically expanded and put into the TreeView. This first-level expansion is done for whichever domain is selected. Double-click a node to expand the list of OUs below that branch. The script uses the [adsisearcher] accelerator with a OneLevel query of “(ObjectCategory=OrganizationalUnit)”, so the ActiveDirectory module does not need to be loaded for it to work. When an OU is selected, the function returns an object containing the DNS domain name and the OU’s distinguishedName attribute, which makes it easy to use the information in subsequent code. Version 1.1 allows control of form and button text.
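An added, stripped-down illustration of the design described above (not Select-ADOU.ps1 itself): one root node per forest domain, a OneLevel [adsisearcher] query that fetches a single level of OUs on double-click, and a result object holding the DNS domain name and the chosen OU’s distinguishedName. Form and button text are fixed here rather than parameterized.

```powershell
# Added example, not the author's script. Uses only .NET/ADSI, no ActiveDirectory module.
Add-Type -AssemblyName System.Windows.Forms

# OneLevel query under one container: only the children of that container are fetched
function Get-ChildOU {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$ParentDN)
    $searcher = [adsisearcher]'(objectCategory=organizationalUnit)'
    $searcher.SearchRoot  = [ADSI]"LDAP://$Domain/$ParentDN"   # domain-qualified path, so other forest domains work
    $searcher.SearchScope = 'OneLevel'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]('name', 'distinguishedName'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{ Name = [string]$r.Properties['name'][0]
                           DN   = [string]$r.Properties['distinguishedname'][0] }
    }
}

# Populate a node's children once; Tag carries the domain and DN the node represents
function Expand-Node {
    param([System.Windows.Forms.TreeNode]$Node)
    if ($Node.Tag.Expanded) { return }
    foreach ($ou in Get-ChildOU -Domain $Node.Tag.Domain -ParentDN $Node.Tag.DN) {
        $child = $Node.Nodes.Add($ou.Name)
        $child.Tag = @{ Domain = $Node.Tag.Domain; DN = $ou.DN; Expanded = $false }
    }
    $Node.Tag.Expanded = $true
}

$form = New-Object System.Windows.Forms.Form -Property @{ Text = 'Select OU'; Width = 420; Height = 520 }
$tree = New-Object System.Windows.Forms.TreeView -Property @{ Dock = 'Fill' }
$ok   = New-Object System.Windows.Forms.Button -Property @{ Text = 'OK'; Dock = 'Bottom'; DialogResult = 'OK' }
$form.Controls.AddRange(@($tree, $ok))
$form.AcceptButton = $ok

# One root node per forest domain; the current domain gets its first level expanded immediately
$current = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
foreach ($d in [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains) {
    $root = $tree.Nodes.Add($d.Name)
    $dn   = [string]$d.GetDirectoryEntry().Properties['distinguishedName'].Value
    $root.Tag = @{ Domain = $d.Name; DN = $dn; Expanded = $false }
    if ($d.Name -eq $current) { Expand-Node $root; $root.Expand(); $tree.SelectedNode = $root }
}
# Double-click fetches the next level on demand
$tree.Add_NodeMouseDoubleClick({ Expand-Node $_.Node })

if ($form.ShowDialog() -eq 'OK' -and $tree.SelectedNode) {
    [pscustomobject]@{ Domain = $tree.SelectedNode.Tag.Domain; DistinguishedName = $tree.SelectedNode.Tag.DN }
}
```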

Passwords for Password Resets

Monday, September 7th, 2015

I discovered that my script to generate passwords, RandomPW.vbs, isn’t popular with users because the passwords are random.  I have an even more complicated but unposted PowerShell version with the same issue.

I wanted to create something that was easier for the help desk and users. Get-TempPW.ps1 is my answer to those objections. This script is pretty well commented, so I won’t go into details about the code here. What the script does is get a randomly selected word from the web, capitalize a random letter within the word, then append numbers and special characters to the end. You can set the minimum word length and how many numbers and special characters are appended with variables within the code. The default is an eight-character word plus one number and one special character. The order of the numbers and special characters is randomized. An example password is “hypeRimmunization4&”.
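An added example modelled on the behaviour described above (not Get-TempPW.ps1 itself). The original fetches a random word from the web; this version draws from a small constructed word list so it runs offline, then capitalizes one letter and appends a shuffled digit/symbol suffix.

```powershell
# Added example, not the author's script. Word list is constructed for illustration.
function New-TempPassword {
    [CmdletBinding()]
    param(
        [int]$MinWordLength = 8,
        [int]$DigitCount    = 1,
        [int]$SpecialCount  = 1,
        [string[]]$WordList = @('immunization', 'blueberry', 'skyscraper',
                                'lighthouse', 'carpenter', 'telescope', 'cat')
    )
    # Only words at least $MinWordLength long are candidates
    $word = $WordList | Where-Object { $_.Length -ge $MinWordLength } | Get-Random
    if (-not $word) { throw "No word in the list is at least $MinWordLength characters long" }

    # Capitalize one randomly chosen letter inside the word
    $i    = Get-Random -Maximum $word.Length
    $word = $word.Substring(0, $i) + $word[$i].ToString().ToUpper() + $word.Substring($i + 1)

    # Collect the digits and symbols, then shuffle so their order is random too
    $specials = '!@#$%&*?'.ToCharArray()
    $suffix   = @()
    for ($n = 0; $n -lt $DigitCount;   $n++) { $suffix += Get-Random -Maximum 10 }
    for ($n = 0; $n -lt $SpecialCount; $n++) { $suffix += ($specials | Get-Random) }
    $suffix = @($suffix | Sort-Object { Get-Random })

    # Get-Random is not a cryptographic RNG; this suits a one-time temporary password
    # that the user must change at first logon, not a long-lived credential
    return $word + (-join $suffix)
}

New-TempPassword
```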

Get the Parent OU for an AD Object

Monday, September 7th, 2015

I have mentioned before that the Charlotte PowerShell User group was frequented by Scripting Guy Ed Wilson, and his wife Teresa. I’m sad to say that they have moved away, but am happy that Brian Wilhite has been running the meetings since.  I mentioned to Brian that I had a cool way to get the parent container of an Active Directory object using ADSI:

The string method is, of course, faster. But if the parent object isn’t an OU, try the first method; it always works.
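An added illustration of the two approaches contrasted above (the post’s own snippet is not reproduced on this page): an ADSI bind that asks the directory for the parent, and a string method that strips the first RDN. The string version steps over escaped commas so a name such as "Smith\, John" is not split at the wrong place.

```powershell
# Added example, not the author's code.
function Get-ADParentByAdsi {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Bind to the object and let the directory report its parent; valid for any container type
    $entry = [ADSI]('LDAP://' + ($DistinguishedName -replace '/', '\/'))
    [string]$entry.psbase.Parent.Properties['distinguishedName'].Value
}

function Get-ADParentByString {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Strip the first RDN. The pattern consumes escaped pairs such as "\," inside the
    # RDN value before stopping at the first unescaped comma
    $DistinguishedName -replace '^[^,\\]*(?:\\.[^,\\]*)*,', ''
}

# Constructed DN with an escaped comma in its RDN; the ADSI version needs a live domain
$dn = 'CN=Smith\, John,OU=Sales,DC=corp,DC=example,DC=com'
Get-ADParentByString -DistinguishedName $dn
```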

Test Whether Organizational Unit or Account Exists

Monday, September 7th, 2015

Here are two quick functions which I have recently found useful. The first tests whether a user account exists. It takes the Domain and Identity as arguments. Using the “Stop” error action with Try/Catch keeps it from showing any errors. You can do this with any of the AD cmdlets, such as Get-ADOrganizationalUnit, Get-ADComputer and others. The first example tests for the existence of a user account:

This tests whether an OU exists:

Auditing Active Directory Permissions with Powershell

Saturday, November 22nd, 2014

Active Directory permissions aren’t easy to audit.  It is a lot easier to delegate permissions to a user or a group than it is to figure out later who has what rights on what containers and organizational units.  I have taken a few runs at it, including a vbscript version which was terrible.  That is why I was very happy when I found this script by Microsoft Premier Field Engineer Ashley McGlone.  His script gives you the choice of a full dump of the local domain, or a list of the assigned (not inherited) permissions.

Because I work in a larger multi-domain forest, I wanted a script that would allow me to choose what domain to audit, and to also have more control over what data would be in the filtered list. The resulting script is Get-OUPermissions.ps1. In my script the filtered list looks for assigned rights containing Create, Write, Delete or All, as those are the ones I find interesting. Using Where-Object was terribly slow, so I switched to a regex solution from a Scripting Guy article. I have commented the script pretty heavily to show where I changed things from the original script. My version wraps the original script in an advanced function, so you can run it and use Get-Help to see all of the parameters and choices. There are some pretty interesting things in here, but what stumped me for a while was how to use Get-ACL for an AD object outside the current domain. What I came up with is something like this:

# $dnsdom holds the DNS name of the domain to query
$a = Get-ADUser -Identity $env:username -Server $dnsdom -Properties *
$a.nTSecurityDescriptor |
    Select-Object -ExpandProperty Access |
    Select-Object *

By reading the nTSecurityDescriptor property instead of calling Get-ACL, you can target another domain simply by passing its DNS name to the -Server parameter of the Get-AD* cmdlet.
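An added example applying the technique above to the filtered list the post describes (not Get-OUPermissions.ps1 itself): it reads nTSecurityDescriptor for every OU in a chosen domain, drops inherited ACEs, keeps rights matching Create, Write, Delete or All via a regex rather than a Where-Object string test, and writes a CSV to the desktop. The domain name is a constructed placeholder.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the author's script.
function Get-AssignedOUPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,   # DNS domain name, used for -Server
        [string]$SearchBase                      # optional OU DN to narrow the audit
    )
    # Regex over the rights string; also catches WriteDacl/WriteOwner, which matter for takeover risk
    $interesting = 'Create|Write|Delete|All'
    $params = @{ Filter = '*'; Server = $Domain; Properties = 'nTSecurityDescriptor' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    foreach ($ou in Get-ADOrganizationalUnit @params) {
        foreach ($ace in $ou.nTSecurityDescriptor.Access) {
            if ($ace.IsInherited) { continue }                          # assigned rights only
            if ($ace.ActiveDirectoryRights -notmatch $interesting) { continue }
            [pscustomobject]@{
                Domain      = $Domain
                OU          = $ou.DistinguishedName
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.ActiveDirectoryRights.ToString()
                Type        = $ace.AccessControlType
                ObjectType  = $ace.ObjectType      # attribute/class GUID the ACE is scoped to (all zeros = any)
                Inheritance = $ace.InheritanceType
            }
        }
    }
}

# Constructed domain name; output goes to a CSV on the desktop
Get-AssignedOUPermission -Domain 'child.corp.example.com' |
    Export-Csv -Path "$env:USERPROFILE\Desktop\OUPermissions.csv" -NoTypeInformation
```

Review the Identity column for non-admin principals holding Write or All on OUs that contain privileged accounts; those are the delegations that are easy to grant and hard to find later.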

Get List of Computers from Active Directory

Saturday, November 22nd, 2014

Get-ADComputerList.ps1 is pretty simple. It gets a list of all the computers in the domain you specify. Reported are the DNS name, IPv4 address, Active Directory path and OS. A comma-delimited log file is written to your desktop.

Delete a List of Computer Accounts from Active Directory

Saturday, January 18th, 2014

Although I have spent most of my time recently writing PowerShell code, I still get requests from the field for VBScripts. The security model differences make it more time-consuming to explain how to run a PowerShell script than VBScript’s “double click this”. DisablePCsFromList.vbs is an updated version of a 2006 VBScript which reads a text file containing a list of computer accounts and deletes those accounts. A log file is written to the user’s desktop.