Alan's Blog

"Yeah. I wrote a script that will do that."

Remove Active Directory Delegations

Posted on February 25th, 2017

Over time, Active Directory delegations tend to accumulate and drift from the standards in the enterprise.  Removing the delegations for a user or group can be slow, especially if you do it manually.  Microsoft has a good article about this process, but none of the methods I found did what I needed.  I wanted a script which could search all or selected OUs in AD for matching delegations, and then delete them all.

Remove-DelegatedOUPermissions.ps1 is an advanced function which can be used to report and remove assigned delegated permissions from OU objects and containers.  You can choose the domain and searchbase, and you can search for full name or partial matches.  For example, if you wanted to report on or delete the delegations for Site1PWAdmins and Site2PWAdmins, you could simply specify “PWAdmins”.  The search is case-insensitive, and you can search for more than one string by separating your search terms with a comma.

This function always creates a log file.  The default name is derived from the domain name, and the default location is the desktop.  The function requires the ActiveDirectory module, but unlike Set-ACL, it can be used to write permissions in another domain.  It supports WhatIf, and a confirmation is required before you commit changes.  Because it is an advanced function, you can use Get-Help for details about use.
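The reporting half of this workflow can be sketched as follows. This is an added example, not the text of Remove-DelegatedOUPermissions.ps1: it only reads ACLs and never writes them, and the function names, parameter names and the CONTOSO sample trustees are hypothetical.

```powershell
# Added example (report-only); function and parameter names are hypothetical.
function Select-DelegationMatch {
    # Keep ACEs whose trustee contains any search term (-like is case-insensitive).
    param([Parameter(ValueFromPipeline)]$Ace, [string[]]$Identity)
    process {
        foreach ($term in $Identity) {
            if ("$($Ace.IdentityReference)" -like "*$term*") { $Ace; break }
        }
    }
}

function Get-OUDelegationReport {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # DN of the OU to start from
        [Parameter(Mandatory)][string[]]$Identity    # full or partial trustee names
    )
    $searcher = [adsisearcher]'(objectCategory=organizationalUnit)'
    $searcher.SearchRoot  = [adsi]"LDAP://$SearchBase"
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500                      # enable paging for large directories
    foreach ($result in $searcher.FindAll()) {
        $ou = $result.GetDirectoryEntry()
        # Explicit ACEs only: inherited ones are reported on the OU that defines them.
        $ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
            Select-DelegationMatch -Identity $Identity |
            ForEach-Object {
                [pscustomobject]@{
                    OU         = [string]$result.Properties['distinguishedname'][0]
                    Identity   = $_.IdentityReference.Value
                    Type       = $_.AccessControlType
                    Rights     = $_.ActiveDirectoryRights
                    ObjectType = $_.ObjectType
                }
            }
    }
}

# Constructed sample ACEs exercise the filter without a domain connection.
$sample = 'CONTOSO\Site1PWAdmins', 'CONTOSO\Site2pwadmins', 'CONTOSO\HelpDesk' |
    ForEach-Object { [pscustomobject]@{ IdentityReference = $_ } }
$sample | Select-DelegationMatch -Identity 'PWAdmins', 'none'
```

Against a live domain, piping `Get-OUDelegationReport` to `Export-Csv` gives a record of what matched before any removal is attempted.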


Fast PowerShell Treeview OU Selection Form

Posted on April 28th, 2016

A large number of my scripts involve picking an Active Directory Organizational Unit (OU). I have been using Out-Gridview for OU navigation. This is because I was unable to find a form-based GUI OU picker that worked fast enough in my very large AD environment.  The scripts I have seen tend to collect all objects at once, and are very slow to load.  Now that I have been working with PowerShell for nearly three years, I decided it was time to give it another try.  The result of my efforts is Select-ADOU.ps1.

This PowerShell script begins by finding the AD Forest, and enumerating all domains.  The user’s current domain is set as the default, and the first level of the domain is automatically expanded and put into the TreeView.  This expansion of the first level is done with any domain selected.  Double-click on a node to expand the list of OUs below the branch.  The script uses the [adsisearcher] accelerator with a OneLevel query of “(ObjectCategory=OrganizationalUnit)”, so the ActiveDirectory module does not need to be loaded for it to work.  When the OU is selected, the function returns an object which contains the DNS domain name, the OU Name and distinguishedname attributes.  This makes it easy to use the information in subsequent code. Version 1.1 allows control of form and button text.  Updated 4/16/2017 to include optional check-boxes, selection of initial domain, showing containers, and locking domain selection to single OU. Please note that some parameter names have changed, so this is not a drop-in replacement for the previous version.

Please Note

All the scripts are saved as .txt files. Newer files have a "View Script" button which will let you save or open a script in notepad. For earlier posts, the easiest way to download with IE is to right click on the link and use "Save Target As". Rename file from Name_ext.txt to Name.ext.

To see a full post after searching, please click on the title.

PowerShell Scripts were written with Version 3 or 4.

https connections are supported.

All new user accounts must be approved, as are comments. Please be patient. It is pretty easy to figure out my email address from the scripts, and you are welcome to contact me that way.
