Export and Import Delegated OU Permissions with PowerShell

Posted on August 13th, 2017

There are some delegations of permissions within Active Directory which cannot be made without extra effort. Some properties have been flagged as hidden in a file called Dssec.dat, located in %windir%\System32 on computers with the Active Directory Users and Computers (ADUC) MMC. Dssec.dat is a hidden text file that can be viewed and modified with Notepad. When you open Dssec.dat, you’ll notice that it’s divided into headings based on object class. Be sure to go to the [User] heading to make modifications; otherwise, you won’t see any effect on the GUI display. For example, to show the PhysicalDeliveryOfficeName and other properties in the GUI, change the Dssec.dat value from 7 to 0 and save the changes. For more, see: Note too that you can use delegwiz.inf for custom delegations.

If you need to copy the delegations to apply over many OUs within a domain, this can be cumbersome. You have to copy the modified dssec.dat or delegwiz.inf to each system running ADUC. If you choose to simply go with a modified dssec.dat file, selecting the right combination of permissions can be difficult. Here is my solution:

1) Run the export script, Export-SelectedOUPermissions.ps1, selecting the domain and path which has the permissions you want to copy.
2) Optionally edit the permissions files to change the Identity Reference — the user or group to get the permissions.
3) Run the import script, Import-SelectedOUPermissions.ps1, and select the domain and destination(s). You can use the graphical list to put checkboxes beside your selections.

If you are running the import script from within the ISE, the editor will be temporarily minimized to ensure you can see the menus.  You really should run the script in test mode first, and apply your delegation to a test OU before running in production.  Because Set-ACL often fails outside of the local domain with a “server refused” error, I used the .NET ObjectSecurity.SetSecurityDescriptorSddlForm method to apply the changes.
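As an added example (not the author's Export/Import-SelectedOUPermissions.ps1), here is a minimal export/import pair for the three steps above. It writes only the OU's explicit ACEs to a CSV whose IdentityReference column can be edited as in step 2, and applies them through the DirectoryEntry's ObjectSecurity and CommitChanges() against a named DC, which, like the author's SDDL approach, avoids Set-ACL; OU and server names are placeholders.

```powershell
# Added example, not the author's Export/Import-SelectedOUPermissions.ps1.
# Assumes the caller has write access to nTSecurityDescriptor on the destination OU.
function Export-OUDelegation {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,  # source OU
        [Parameter(Mandatory)][string]$Server,             # a DC of the source domain
        [Parameter(Mandatory)][string]$Path                # CSV to write
    )
    $de = [ADSI]"LDAP://$Server/$DistinguishedName"
    # Explicit ACEs only (includeExplicit=$true, includeInherited=$false); inherited ACEs are
    # recomputed by the DC from the parent and would be wrong to copy to another OU
    $de.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType |
        Export-Csv -Path $Path -NoTypeInformation
}

function Import-OUDelegation {
    [CmdletBinding(SupportsShouldProcess)]   # -WhatIf gives the "test mode" run
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,  # destination OU
        [Parameter(Mandatory)][string]$Server,             # a DC of the destination domain
        [Parameter(Mandatory)][string]$Path                # CSV written by Export-OUDelegation
    )
    $rules = foreach ($row in Import-Csv -Path $Path) {
        # Rebuild each ACE; IdentityReference may have been edited to a different group
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            (New-Object System.Security.Principal.NTAccount($row.IdentityReference)),
            [System.DirectoryServices.ActiveDirectoryRights]$row.ActiveDirectoryRights,
            [System.Security.AccessControl.AccessControlType]$row.AccessControlType,
            [guid]$row.ObjectType,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]$row.InheritanceType,
            [guid]$row.InheritedObjectType)
    }
    $de = [ADSI]"LDAP://$Server/$DistinguishedName"
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "Add $(@($rules).Count) ACE(s) from $Path")) {
        foreach ($rule in $rules) { $de.ObjectSecurity.AddAccessRule($rule) }
        $de.CommitChanges()   # writes the DACL on $Server directly, no Set-ACL involved
    }
    $rules
}

# Usage (placeholder names): copy a delegation from one OU to another, test run first
# Export-OUDelegation -DistinguishedName 'OU=Site1,DC=corp,DC=example' -Server 'dc1.corp.example' -Path .\Site1-ACEs.csv
# Import-OUDelegation -DistinguishedName 'OU=Site2,DC=corp,DC=example' -Server 'dc1.corp.example' -Path .\Site1-ACEs.csv -WhatIf
```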

Recently a complex delegation was accidentally removed from an OU at 4:00 pm. We were able to copy the delegation from another source and have the site back up and running within 10 minutes.


Get and Read RDP Certificate from a Remote Host with PowerShell

Posted on August 13th, 2017

Sometimes, I get some interesting questions from other teams within my organization.  Read-RDPCert.ps1 addresses a request to read the SSL certificates from a list of remote hosts.  This is based on the code and following comments at
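As an added example (not the author's Read-RDPCert.ps1 or the code it was based on): an RDP listener only starts TLS after the client sends an X.224 connection request asking for it, so this function performs that negotiation first, then reads the certificate from the SslStream without trusting it. Host names in the usage line are placeholders.

```powershell
# Added example, not the author's Read-RDPCert.ps1. Reads the TLS certificate of an RDP listener.
function Read-RdpCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName,
        [int]$Port = 3389,
        [int]$TimeoutMs = 5000
    )
    process {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            if (-not $tcp.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)) {
                throw "Timeout connecting to ${ComputerName}:$Port"
            }
            $stream = $tcp.GetStream()
            # RDP does not begin with TLS: the client first sends an X.224 Connection Request
            # carrying RDP_NEG_REQ with requestedProtocols = PROTOCOL_SSL (1).
            # TPKT header (4) + X.224 CR (7) + RDP_NEG_REQ (8) = 19 bytes.
            [byte[]]$request = 0x03,0x00,0x00,0x13, 0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,
                               0x01,0x00,0x08,0x00, 0x01,0x00,0x00,0x00
            $stream.Write($request, 0, $request.Length)
            $reply = New-Object byte[] 19
            $read  = $stream.Read($reply, 0, $reply.Length)
            # Byte 11 of the Connection Confirm is the RDP_NEG_RSP type: 0x02 = TLS accepted,
            # 0x03 = RDP_NEG_FAILURE; a legacy server answers with an 11-byte CC and no response.
            if ($read -lt 19 -or $reply[11] -ne 0x02) {
                throw "$ComputerName did not agree to TLS (reply length $read, type 0x$('{0:x2}' -f $reply[11]))"
            }
            # The validation callback returns $true so an untrusted or self-signed cert is still read
            $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
            $ssl.AuthenticateAsClient($ComputerName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                ComputerName = $ComputerName
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                NotAfter     = $cert.NotAfter
                Thumbprint   = $cert.Thumbprint
                SelfSigned   = ($cert.Subject -eq $cert.Issuer)   # the RDP default certificate is self-signed
            }
        } finally { $tcp.Close() }
    }
}

# Usage (placeholder names): list hosts whose RDP cert is self-signed or expired
# 'rds01','rds02' | Read-RdpCert | Where-Object { $_.SelfSigned -or $_.NotAfter -lt (Get-Date) }
```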

Script Text

Enable New User Mailboxes with PowerShell

Posted on August 13th, 2017

Mail enabling new users should be easy to do from within the Exchange management console.  If you are in a really large organization, you soon discover that it is painfully slow.  When we create new users it takes time to replicate to Exchange, so we don’t mail enable new users upon creation.  Making matters worse is that our mail alias isn’t the default for Exchange, which is the UPN.

Enable-NewUserMailboxes.ps1 is a PowerShell script which bulk enables new user accounts, permitting a custom Exchange alias.  For publication I have set this to the SamAccountName, but with a little bit of coding, you can change it to your requirements.

The script runs interactively, and automatically checks for and loads the remote Exchange shell. If you have not specified a starting OU for the search at the top of the script, you will be prompted to select the OU to query for user accounts. Then a list of users is collected and displayed using Out-GridView:

Capturing output from Enable-Mailbox turned out to be a challenge.  I ended up doing this:

The script creates a logfile, which is placed by default on your desktop. The log folder can be edited.

Script Text

Drag and Drop Form for Powershell

Posted on August 13th, 2017

Get-DragAndDrop.ps1 is a drag and drop PowerShell form based on  All the interesting coding bits were written by Dan. I modified the script to make it an advanced function which has parameters for the form title, instructions, status and button title. The default form looks like this:

Screen Capture for Drop and Drag Function
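As an added example (not Dan's code or the author's Get-DragAndDrop.ps1), here is a minimal WinForms drag and drop form with the same four parameters that returns the dropped paths; the DragEnter/DragDrop pair is the part that does the work.

```powershell
# Added example, not the author's Get-DragAndDrop.ps1: a WinForms form that accepts
# Explorer file drops and returns the paths as a string array.
Add-Type -AssemblyName System.Windows.Forms

function Get-DragAndDrop {
    [CmdletBinding()]
    param(
        [string]$Title        = 'Drag and Drop',
        [string]$Instructions = 'Drop files or folders here',
        [string]$Status       = 'Nothing dropped yet',
        [string]$ButtonTitle  = 'OK'
    )
    $dropped = New-Object System.Collections.Generic.List[string]
    $form = New-Object System.Windows.Forms.Form
    $form.Text = $Title; $form.Size = '400,300'; $form.StartPosition = 'CenterScreen'
    $form.AllowDrop = $true   # without this neither drag event fires

    $label = New-Object System.Windows.Forms.Label
    $label.Text = $Instructions; $label.Dock = 'Top'; $label.Height = 40
    $statusBar = New-Object System.Windows.Forms.Label
    $statusBar.Text = $Status; $statusBar.Dock = 'Bottom'; $statusBar.Height = 30
    $button = New-Object System.Windows.Forms.Button
    $button.Text = $ButtonTitle; $button.Dock = 'Bottom'
    $button.DialogResult = 'OK'   # clicking closes ShowDialog() with OK
    $form.Controls.AddRange(@($label, $button, $statusBar))

    # DragEnter decides whether the drop is accepted: only file drops from Explorer (FileDrop)
    $form.Add_DragEnter({
        param($sender, $e)
        $e.Effect = if ($e.Data.GetDataPresent([System.Windows.Forms.DataFormats]::FileDrop)) { 'Copy' } else { 'None' }
    })
    # DragDrop delivers the paths as string[]; collect them and refresh the status line
    $form.Add_DragDrop({
        param($sender, $e)
        foreach ($p in $e.Data.GetData([System.Windows.Forms.DataFormats]::FileDrop)) { $dropped.Add($p) }
        $statusBar.Text = "$($dropped.Count) item(s) dropped"
    })

    if ($form.ShowDialog() -eq 'OK') { $dropped.ToArray() }
}

# Usage: $paths = Get-DragAndDrop -Title 'Collect logs' -Instructions 'Drop log files here' -ButtonTitle 'Done'
```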

Script Text

Create an AD Drive for Specified Domain

Posted on April 16th, 2017

When you load the Active Directory module, you get, by default, an Active Directory PSDrive for the current domain. You can prevent the drive from loading by setting $Env:ADPS_LoadDefaultDrive = 0. When writing scripts to export and import AD delegations, connecting to such a drive for a remote domain became important to me. Here is an example of the code I used:
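As an added example (not the author's code), a function that suppresses the default drive and builds an AD PSDrive bound to a writable DC of whichever domain you name; domain, DC and OU names are placeholders.

```powershell
# Added example, not the author's code: create an AD PSDrive for any domain, not just the one
# the module loaded for.
$Env:ADPS_LoadDefaultDrive = 0     # must be set before Import-Module to skip the default AD: drive
Import-Module ActiveDirectory

function New-ADDomainDrive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainName,   # e.g. 'child.corp.example' (placeholder)
        [string]$DriveName,                           # defaults to the first DNS label, upper-cased
        [pscredential]$Credential                     # alternate credentials for a trusted forest
    )
    if (-not $DriveName) { $DriveName = ($DomainName -split '\.')[0].ToUpper() }
    # Locate a writable DC in the target domain: delegation changes have to be written there,
    # and binding the drive to a named server makes every later Get-Acl/Set-Acl go to that DC
    $dc = (Get-ADDomainController -DomainName $DomainName -Discover -Writable).HostName |
          Select-Object -First 1
    if (Get-PSDrive -Name $DriveName -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $DriveName -Force      # replace a stale drive of the same name
    }
    $params = @{
        Name       = $DriveName
        PSProvider = 'ActiveDirectory'
        Root       = ''            # empty root = the domain's default naming context
        Server     = $dc
        Scope      = 'Global'      # outlive this function so the caller can use the drive
    }
    if ($Credential) { $params.Credential = $Credential }
    New-PSDrive @params | Out-Null
    "${DriveName}:"
}

# Usage (placeholders):
# $drive = New-ADDomainDrive -DomainName 'child.corp.example'
# (Get-Acl -Path "$drive\OU=Servers,DC=child,DC=corp,DC=example").Access | Where-Object { -not $_.IsInherited }
```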

Update to Dot Source Reminder with Search and Replace

Posted on April 2nd, 2017

“The pause doesn’t work for me”, said one of my team members about the pause function in my  Dot Source Reminder code.  We took some time to analyze why and found that his shell settings were different from mine.  Instead I decided to focus on whether the code executed inside the ISE.  Next was to update all the affected scripts.  Here is what I did:

A couple of notes. I used the “here string” option for the search and replace text. Next, I used the RegEx Escape method to make sure that the replacement code would be properly interpreted. The code above does a search and replace of all the scripts in z:\PowerShell, replacing the old text with the new.
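As an added example (not the author's code), here is the search and replace in that shape: here-strings for the old and new text, [regex]::Escape on the search text, and a recursive pass over a script folder. The reminder texts are assumptions, modelled on the fact that the ISE does not implement ReadKey(), so the new version checks $psISE first.

```powershell
# Added example, not the author's code. The two reminder blocks below are placeholders.
$oldText = @'
Write-Host 'Dot source this script: . .\Script.ps1'
$null = $host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')
'@
$newText = @'
Write-Host 'Dot source this script: . .\Script.ps1'
if (-not $psISE) { $null = $host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown') }
'@

function Update-ScriptText {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Old,
        [Parameter(Mandatory)][string]$New
    )
    # Escape the search text so '.', '(', '$' etc. in code are matched literally, then loosen the
    # escaped line breaks so a CRLF file still matches a here-string that ended up with LF
    $pattern = [regex]::Escape($Old) -replace '(\\r)?\\n', '\r?\n'
    # In a regex replacement '$' is special ($1, $&); doubling it keeps code like $host literal
    $replacement = $New.Replace('$', '$$')
    $changed = foreach ($file in Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File) {
        $content = Get-Content -Path $file.FullName -Raw
        if ($content -notmatch $pattern) { continue }
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Replace reminder block')) {
            # Set-Content writes its default encoding; add -Encoding if the scripts must keep theirs
            Set-Content -Path $file.FullName -Value ($content -replace $pattern, $replacement) -NoNewline
        }
        $file.FullName
    }
    $changed   # files that contained the old text
}

# Usage: Update-ScriptText -Path 'Z:\PowerShell' -Old $oldText -New $newText -WhatIf
```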

Get MAC Address from IP Address

Posted on March 18th, 2017

I got a call last week from a member of one of the other teams where I work. He asked, “Do you have a script which will resolve a list of IP Addresses to MAC Addresses?” My answer was, “not yet”. I did a search and found some very convoluted Pinvoke code. I wanted something easier.

When I automate a task, I begin with the manual steps for the task. To get a MAC address from an IP address, I ping the address, then look at the ARP cache. Get-MACFromIP.ps1 does the same thing, using the inline script method to make the process run in parallel for speed. It does not require any administrative rights to run, and is an advanced function. A usage example follows; others are in the code help:

I use the WMI ping method to enable name resolution and the return codes. The script outputs the IP address, DNS Name (if it can be resolved), MAC address, and the verbose level ping reply. Capture of the output of the ARP table is based on this post by Joe Keohan. Version 1.1 added support for the alternate MAC format ‘0000.1111.2222’.
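As an added example (not the author's Get-MACFromIP.ps1), the same ping-then-ARP sequence without the parallel inline script: a WMI ping with name resolution, the ARP cache read for that one address, and the optional dotted MAC format. The IP addresses in the usage line are constructed.

```powershell
# Added example, not the author's Get-MACFromIP.ps1. Needs no admin rights; a MAC address is only
# learned for hosts on a directly attached subnet, so off-subnet addresses return $null.
function Get-MacFromIP {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$IPAddress,
        [ValidateSet('Dashed', 'Cisco')][string]$MacFormat = 'Dashed'
    )
    process {
        foreach ($ip in $IPAddress) {
            # Validate before interpolating into WQL; bad input should fail here, not inside the query
            $parsed = $null
            if (-not [ipaddress]::TryParse($ip, [ref]$parsed)) { Write-Warning "Not an IP address: $ip"; continue }
            # ResolveAddressNames=TRUE makes WMI return the DNS name alongside the reply
            $ping = Get-WmiObject -Query "SELECT * FROM Win32_PingStatus WHERE Address='$ip' AND ResolveAddressNames=TRUE"
            # The ping primes the ARP cache; arp -a prints lines like "  10.0.0.5   00-11-22-33-44-55   dynamic"
            $mac  = $null
            $line = (arp -a) | Where-Object { $_ -match "^\s*$([regex]::Escape($ip))\s" } | Select-Object -First 1
            if ($line -and $line -match '([0-9a-f]{2}(?:-[0-9a-f]{2}){5})') {
                $mac = $Matches[1].ToUpper()
                if ($MacFormat -eq 'Cisco') {    # 0000.1111.2222 style, the alternate format from v1.1
                    $hex = $mac -replace '-', ''
                    $mac = ($hex.Substring(0, 4), $hex.Substring(4, 4), $hex.Substring(8, 4)) -join '.'
                }
            }
            [pscustomobject]@{
                IPAddress  = $ip
                DnsName    = $ping.ProtocolAddressResolved
                MacAddress = $mac                # $null: no reply, or host not on a local subnet
                StatusCode = $ping.StatusCode    # 0 = success, 11010 = request timed out
            }
        }
    }
}

# Usage (constructed addresses): '10.0.0.5', '10.0.0.6' | Get-MacFromIP -MacFormat Cisco
```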

Script Text

Open the PowerShell ISE (and other Programs) with Alternate Credentials

Posted on March 14th, 2017

RunAS for PowerShell is pretty easy. This opens the ISE:


Update GPOs with Newer Version

Posted on March 1st, 2017

If you use GPOs to enforce baselines, you may find that your enterprise is moving from version 1.1 to version 1.2 of a GPO. Unfortunately for you, version 1.1 is linked in a dozen places. Wouldn’t you rather just search for version 1.1 and replace it with version 1.2? Use Update-GPOLinks.ps1 to do just that. The script not only finds all the original links and updates them to the new version, it also keeps the link order.
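As an added example (not the author's Update-GPOLinks.ps1), a function that finds every container linking the old GPO through its gPLink attribute and swaps in the new GPO at the same link order, carrying the enforced and enabled flags across. GPO names are placeholders.

```powershell
# Added example, not the author's Update-GPOLinks.ps1: move every link from an old GPO to its
# successor, keeping link order, enforcement and enabled state.
Import-Module GroupPolicy, ActiveDirectory

function Update-GPOLinks {
    [CmdletBinding(SupportsShouldProcess)]   # run with -WhatIf first
    param(
        [Parameter(Mandatory)][string]$OldGpoName,   # e.g. 'Baseline v1.1' (placeholder)
        [Parameter(Mandatory)][string]$NewGpoName,   # e.g. 'Baseline v1.2' (placeholder)
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $old = Get-GPO -Name $OldGpoName -Domain $Domain
    $new = Get-GPO -Name $NewGpoName -Domain $Domain
    # gPLink holds "[LDAP://cn={GUID},cn=policies,...;flags]" per linked GPO, so one wildcard
    # query on the GUID finds every OU and the domain head. Site links live in the Configuration
    # partition and are not covered here.
    $targets = Get-ADObject -LDAPFilter "(gPLink=*$($old.Id)*)" -Server $Domain |
               Select-Object -ExpandProperty DistinguishedName
    foreach ($target in $targets) {
        $links   = (Get-GPInheritance -Target $target -Domain $Domain).GpoLinks
        $oldLink = $links | Where-Object { $_.GpoId -eq $old.Id }
        if (-not $oldLink) { continue }
        $action = "Replace link '$OldGpoName' with '$NewGpoName' at order $($oldLink.Order)"
        if (-not $PSCmdlet.ShouldProcess($target, $action)) { continue }
        if ($links.GpoId -contains $new.Id) {
            # New version already linked here: only drop the old link, never link a GPO twice
            Remove-GPLink -Guid $old.Id -Target $target -Domain $Domain | Out-Null
            continue
        }
        $enforced = if ($oldLink.Enforced) { 'Yes' } else { 'No' }
        $enabled  = if ($oldLink.Enabled)  { 'Yes' } else { 'No' }
        # Insert the new link at the old slot; the old link shifts to Order+1 and is then removed,
        # so the new GPO ends up exactly where the old one was in the processing order
        New-GPLink -Guid $new.Id -Target $target -Domain $Domain -Order $oldLink.Order `
                   -Enforced $enforced -LinkEnabled $enabled | Out-Null
        Remove-GPLink -Guid $old.Id -Target $target -Domain $Domain | Out-Null
        [pscustomobject]@{ Target = $target; Order = $oldLink.Order; Enforced = $oldLink.Enforced }
    }
}

# Usage (placeholders): Update-GPOLinks -OldGpoName 'Baseline v1.1' -NewGpoName 'Baseline v1.2' -WhatIf
```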

Script Text

Get All GPOs Linked to an OU

Posted on March 1st, 2017

Get-AllGPOsLinkedToOU.ps1 returns a unique list of all GPOs linked to an OU. You can also run a OneLevel or Subtree search to get a unique list of GPOs linked at or below the selected OU. You are prompted for the domain, and navigate to the desired OU.
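As an added example (not the author's Get-AllGPOsLinkedToOU.ps1), a function that collects the links at an OU and optionally one level or the whole subtree below it and collapses them to one row per GPO, showing where each is linked. OU and domain names are placeholders.

```powershell
# Added example, not the author's Get-AllGPOsLinkedToOU.ps1: unique GPOs linked at an OU,
# optionally including the OUs one level or all levels below it.
Import-Module GroupPolicy, ActiveDirectory

function Get-AllGPOsLinkedToOU {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OU,   # distinguished name of the starting OU
        [ValidateSet('Base', 'OneLevel', 'Subtree')][string]$SearchScope = 'Base',
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    # "At or below": Subtree already returns the base OU, OneLevel does not, so add it once here
    $ous = @(Get-ADOrganizationalUnit -Identity $OU -Server $Domain)
    if ($SearchScope -ne 'Base') {
        $ous += Get-ADOrganizationalUnit -Filter * -SearchBase $OU -SearchScope $SearchScope -Server $Domain |
                Where-Object { $_.DistinguishedName -ne $OU }
    }
    # Get-GPInheritance lists each container's links with their order and flags
    $links = foreach ($o in $ous) {
        (Get-GPInheritance -Target $o.DistinguishedName -Domain $Domain).GpoLinks |
            Select-Object GpoId, DisplayName, Enabled, Enforced, Order, Target
    }
    # One row per GPO with every container that links it, so a GPO linked in five places shows once
    $links | Group-Object GpoId | ForEach-Object {
        [pscustomobject]@{
            DisplayName   = $_.Group[0].DisplayName
            GpoId         = $_.Name
            LinkCount     = $_.Count
            LinkedTo      = ($_.Group.Target | Sort-Object -Unique) -join '; '
            DisabledLinks = @($_.Group | Where-Object { -not $_.Enabled }).Count   # links present but switched off
        }
    } | Sort-Object DisplayName
}

# Usage (placeholders): Get-AllGPOsLinkedToOU -OU 'OU=Workstations,DC=corp,DC=example' -SearchScope Subtree
```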

Script Text

