Posts RSS Comments RSS 253 Posts and 411 Comments till now

Archive for the 'HowTo' Category

BriForum rocked!

As I am sitting here on my way back to NJ from BrForum I am thinking about the week. All I can say is awesome. The content was only matched by the company. People often underestimate the value in conferences and often it is not the actual sessions. In the case of BriForum there is significant value in both. If you have never been to BriForum and you are in the SBC (server based computing) world you are missing out.

p.s. @ShawnBass, @JasonConger, @LauraWhalen, @JimMoyle. You guys rock and I had an absolute blast.

Get/Set-ADACL (ACL and SDDLs for Active Directory!)

A friend had a need to get/set Active Directory ACLs. So I wrote these.

They will use [System.DirectoryServices.ActiveDirectoryAccessRule] objects or SDDLs strings.

Note: I put the .NET classes and MS Spec for SDDLs at the bottom. Dont miss it!

Get-ADACL.ps1

# Get-ADACL.ps1
Param($DNPath,[switch]$SDDL,[switch]$help,[switch]$verbose)
function HelpMe{
    Write-Host
    Write-Host " Get-ADACL.ps1:" -fore Green
    Write-Host "   Gets ACL object or SDDL for AD Object"
    Write-Host
    Write-Host " Parameters:" -fore Green
    Write-Host "   -DNPath                : Parameter: DN of Object"
    Write-Host "   -sddl                  : [SWITCH]:  Output SDDL instead of ACL Object"
    Write-Host "   -Verbose               : [SWITCH]:  Enables Verbose Output"
    Write-Host "   -Help                  : [SWITCH]:  Displays This"
    Write-Host
    Write-Host " Examples:" -fore Green
    Write-Host "   Get ACL for ‘cn=users,dc=corp,dc=lab’" -fore White
    Write-Host "     .\Get-ADACL.ps1 ‘cn=users,dc=corp,dc=lab’" -fore Yellow
    Write-Host "   Get SDDL for ‘cn=users,dc=corp,dc=lab’" -fore White
    Write-Host "     .\Get-ADACL.ps1 ‘cn=users,dc=corp,dc=lab’ -sddl " -fore Yellow
    Write-Host
}

if(!$DNPath -or $help){HelpMe;return}

Write-Host
if($verbose){$verbosepreference="continue"}

Write-Verbose " + Processing Object [$DNPath]"
$DE = [ADSI]"LDAP://$DNPath"

Write-Verbose "   – Getting ACL"
$acl = $DE.psbase.ObjectSecurity
if($SDDL)
{
    Write-Verbose "   – Returning SDDL"
    $acl.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}
else
{
    Write-Verbose "   – Returning ACL Object [System.DirectoryServices.ActiveDirectoryAccessRule]"
    $acl.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
}

Set-ADACL.ps1

# Set-ADACL.ps1
Param($DNPath,$acl,$sddl,[switch]$verbose,[switch]$help)
function HelpMe{
    Write-Host
    Write-Host " Set-ADACL.ps1:" -fore Green
    Write-Host "   Sets the AD Object ACL to ‘ACL Object’ or ‘SDDL’ String"
    Write-Host
    Write-Host " Parameters:" -fore Green
    Write-Host "   -DNPath                : Parameter: DN of Object"
    Write-Host "   -ACL                   : Parameter: ACL Object"
    Write-Host "   -sddl                  : Parameter: SDDL String"
    Write-Host "   -Verbose               : [SWITCH]:  Enables Verbose Output"
    Write-Host "   -Help                  : [SWITCH]:  Displays This"
    Write-Host
    Write-Host " Examples:" -fore Green
    Write-Host "   Set ACL on ‘cn=users,dc=corp,dc=lab’ using ACL Object" -fore White
    Write-Host "     .\Set-ADACL.ps1 ‘cn=users,dc=corp,dc=lab’ -ACL $acl" -fore Yellow
    Write-Host "   Set ACL on ‘cn=users,dc=corp,dc=lab’ using SDDL" -fore White
    Write-Host "     .\Set-ADACL.ps1 ‘cn=users,dc=corp,dc=lab’ -sddl `$mysddl" -fore Yellow
    Write-Host
}

if(!$DNPath -or (!$acl -and !$sddl) -or $help){HelpMe;Return}

Write-Host
if($verbose){$verbosepreference="continue"}
Write-Verbose " + Processing Object [$DNPath]"

$DE = [ADSI]"LDAP://$DNPath"
if($sddl)
{
    Write-Verbose "   – Setting ACL using SDDL [$sddl]"
    $DE.psbase.ObjectSecurity.SetSecurityDescriptorSddlForm($sddl)
}
else
{
    foreach($ace in $acl)
    {
        Write-Verbose "   – Adding Permission [$($ace.ActiveDirectoryRights)] to [$($ace.IdentityReference)]"
        $DE.psbase.ObjectSecurity.SetAccessRule($ace)
    }
}
$DE.psbase.commitchanges()
Write-Host

More Info
I used the following .NET Classes
System.DirectoryServices.DirectoryEntry
http://msdn2.microsoft.com/en-us/library/system.directoryservices.directoryentry.aspx
System.DirectoryServices.ActiveDirectoryAccessRule
http://msdn2.microsoft.com/en-us/library/system.directoryservices.activedirectoryaccessrule.aspx
System.DirectoryServices.ActiveDirectorySecurity
http://msdn2.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurity.aspx
System.Security.AccessControl.AccessControlSections
http://msdn2.microsoft.com/en-us/library/system.security.accesscontrol.accesscontrolsections(vs.80).aspx

SDDL Info
MS: http://msdn2.microsoft.com/en-us/library/aa379567.aspx

More userAccountControl Flag Fun (Convert-ToUACFlag.ps1)

A question on the NG made me think about this. While I personally prefer the decimal that comes from userAccountControl, others may prefer to actually see the FLAGS that are set.

Here is the script I came up with. It will output and array by default, but -toString will output a “,” delimited string.

It has a great -help function with -verbose output that explains each UAC Flag

Convert-ToUACFlag.ps1

# Convert-ToUACFlag.ps1
Param([int]$uac,[switch]$ToString,[switch]$help,[switch]$verbose)
function HelpMe{
    Write-Host
    Write-Host " Convert-ToUACFlag.ps1:" -fore Green
    Write-Host "   Converts UAC from Decimal or Hex to User Account Control Flags (described verbose help)"
    Write-Host
    Write-Host " Parameters:" -fore Green
    Write-Host "   -UAC                   : Parameter User Account Control Value"
    Write-Host "   -toString              : [SWITCH]  Output to String instead of Array"
    Write-Host "   -Help                  : [SWITCH]  Displays This"
    Write-Host "   -Verbose               : [SWITCH]  Displays This and User Account Control Definitions"
    Write-Host
    Write-Host " Examples:" -fore Green
    Write-Host "   Convert to Flag getting back array" -fore White
    Write-Host "     .\Convert-ToUACFlag.ps1 69649" -fore Yellow
    Write-Host "   Convert to Flag getting back string" -fore White
    Write-Host "     .\Convert-ToUACFlag.ps1 69649 -toString" -fore Yellow
    Write-Host
    if($verbose)
    {
        Write-Host " User Account Control Flags and Definition" -fore Green
        Write-Host "  + SCRIPT" -fore Yellow
        Write-Host "    – The logon script will be run."
        Write-Host
        Write-Host "  + ACCOUNTDISABLE" -fore Yellow
        Write-Host "    – The user account is disabled."
        Write-Host
        Write-Host "  + HOMEDIR_REQUIRED" -fore Yellow
        Write-Host "    – The home folder is required."
        Write-Host
        Write-Host "  + PASSWD_NOTREQD" -fore Yellow
        Write-Host "    – No password is required."
        Write-Host
        Write-Host "  + PASSWD_CANT_CHANGE" -fore Yellow
        Write-Host "    – The user cannot change the password."
        Write-Host "    – This is a permission on the user’s object."
        Write-Host
        Write-Host "  + ENCRYPTED_TEXT_PASSWORD_ALLOWED" -fore Yellow
        Write-Host "    – The user can send an encrypted password."
        Write-Host
        Write-Host "  + TEMP_DUPLICATE_ACCOUNT" -fore Yellow
        Write-Host "    – This is an account for users whose primary account is in another domain."
        Write-Host "    – This account provides user access to this domain,"
        Write-Host "      but not to any domain that trusts this domain."
        Write-Host "    – This is sometimes referred to as a local user account."
        Write-Host
        Write-Host "  + NORMAL_ACCOUNT" -fore Yellow
        Write-Host "    – This is a default account type that represents a typical user."
        Write-Host
        Write-Host "  + INTERDOMAIN_TRUST_ACCOUNT" -fore Yellow
        Write-Host "    – This is a permit to trust an account for a system domain that trusts other domains."
        Write-Host
        Write-Host "  + WORKSTATION_TRUST_ACCOUNT" -fore Yellow
        Write-Host "    – This is a computer account for a computer that is running"
        Write-Host "    – Microsoft Windows NT 4.0 and above and is a member of this domain."
        Write-Host
        Write-Host "  + SERVER_TRUST_ACCOUNT" -fore Yellow
        Write-Host "    – This is a computer account for a domain controller that is a member of this domain."
        Write-Host
        Write-Host "  + DONT_EXPIRE_PASSWD" -fore Yellow
        Write-Host "    – Represents the password, which should never expire on the account."
        Write-Host
        Write-Host "  + MNS_LOGON_ACCOUNT" -fore Yellow
        Write-Host "    – This is an MNS logon account."
        Write-Host
        Write-Host "  + SMARTCARD_REQUIRED" -fore Yellow
        Write-Host "    – When this flag is set, it forces the user to log on by using a smart card."
        Write-Host
        Write-Host "  + TRUSTED_FOR_DELEGATION" -fore Yellow
        Write-Host "    – When this flag is set, the service account (the user or computer account)"
        Write-Host "      under which a service runs is trusted for Kerberos delegation."
        Write-Host "    – Any such service can impersonate a client requesting the service."
        Write-Host "    – To enable a service for Kerberos delegation, you must set this flag on the"
        Write-Host "      userAccountControl property of the service account."
        Write-Host
        Write-Host "  + NOT_DELEGATED" -fore Yellow
        Write-Host "    – When this flag is set, the security context of the user is not delegated to"
        Write-Host "      a service even if the service account is set as trusted for Kerberos delegation."
        Write-Host
        Write-Host "  + USE_DES_KEY_ONLY" -fore Yellow
        Write-Host "    – (Windows 2000/Windows Server 2003) Restrict this principal to use only"
        Write-Host "      Data Encryption Standard (DES) encryption types for keys."
        Write-Host
        Write-Host "  + DONT_REQUIRE_PREAUTH" -fore Yellow
        Write-Host "    – (Windows 2000/Windows Server 2003) This account does not require"
        Write-Host "      Kerberos pre+authentication for logging on."
        Write-Host
        Write-Host "  + PASSWORD_EXPIRED" -fore Yellow
        Write-Host "    – (Windows 2000/Windows Server 2003) The user’s password has expired."
        Write-Host
        Write-Host "  + TRUSTED_TO_AUTH_FOR_DELEGATION" -fore Yellow
        Write-Host "    – (Windows 2000/Windows Server 2003) The account is enabled for delegation."
        Write-Host "    – This is a security-sensitive setting."
        Write-Host "    – Accounts with this option enabled should be tightly controlled."
        Write-Host "    – This setting allows a service that runs under the account to assume a client’s"
        Write-Host "      identity and authenticate as that user to other remote servers on the network."
    }
    Write-Host
}

if(!$uac -or $help){HelpMe;Return}
$flags = @()
switch ($uac)
{
    {($uac -bor 0x0002) -eq $uac}    {$flags += "ACCOUNTDISABLE"}
    {($uac -bor 0x0008) -eq $uac}    {$flags += "HOMEDIR_REQUIRED"}
    {($uac -bor 0x0010) -eq $uac}    {$flags += "LOCKOUT"}
    {($uac -bor 0x0020) -eq $uac}    {$flags += "PASSWD_NOTREQD"}
    {($uac -bor 0x0040) -eq $uac}    {$flags += "PASSWD_CANT_CHANGE"}
    {($uac -bor 0x0080) -eq $uac}    {$flags += "ENCRYPTED_TEXT_PWD_ALLOWED"}
    {($uac -bor 0x0100) -eq $uac}    {$flags += "TEMP_DUPLICATE_ACCOUNT"}
    {($uac -bor 0x0200) -eq $uac}    {$flags += "NORMAL_ACCOUNT"}
    {($uac -bor 0x0800) -eq $uac}    {$flags += "INTERDOMAIN_TRUST_ACCOUNT"}
    {($uac -bor 0x1000) -eq $uac}    {$flags += "WORKSTATION_TRUST_ACCOUNT"}
    {($uac -bor 0x2000) -eq $uac}    {$flags += "SERVER_TRUST_ACCOUNT"}
    {($uac -bor 0x10000) -eq $uac}   {$flags += "DONT_EXPIRE_PASSWORD"}
    {($uac -bor 0x20000) -eq $uac}   {$flags += "MNS_LOGON_ACCOUNT"}
    {($uac -bor 0x40000) -eq $uac}   {$flags += "SMARTCARD_REQUIRED"}
    {($uac -bor 0x80000) -eq $uac}   {$flags += "TRUSTED_FOR_DELEGATION"}
    {($uac -bor 0x100000) -eq $uac}  {$flags += "NOT_DELEGATED"}
    {($uac -bor 0x200000) -eq $uac}  {$flags += "USE_DES_KEY_ONLY"}
    {($uac -bor 0x400000) -eq $uac}  {$flags += "DONT_REQ_PREAUTH"}
    {($uac -bor 0x800000) -eq $uac}  {$flags += "PASSWORD_EXPIRED"}
    {($uac -bor 0x1000000) -eq $uac} {$flags += "TRUSTED_TO_AUTH_FOR_DELEGATION"}
}
if($toString){$flags | %{if($mystring){$mystring += ",$_"}else{$mystring = $_}};$mystring}else{$flags}

Oisin the “obsessive programmer” sent me this as another option

param
([int]$value)
$flags = @("","ACCOUNTDISABLE","", "HOMEDIR_REQUIRED",
"LOCKOUT", "PASSWD_NOTREQD","PASSWD_CANT_CHANGE", "ENCRYPTED_TEXT_PWD_ALLOWED",
"TEMP_DUPLICATE_ACCOUNT", "NORMAL_ACCOUNT", "","INTERDOMAIN_TRUST_ACCOUNT", "WORKSTATION_TRUST_ACCOUNT",
"SERVER_TRUST_ACCOUNT", "", "", "DONT_EXPIRE_PASSWORD", "MNS_LOGON_ACCOUNT", "SMARTCARD_REQUIRED",
"TRUSTED_FOR_DELEGATION", "NOT_DELEGATED","USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
"PASSWORD_EXPIRED", "TRUSTED_TO_AUTH_FOR_DELEGATION")
1..($flags.length) | ? {$value -band [math]::Pow(2,$_)} | % { $flags[$_] }

A collection of LDAP Filter Info

I often find myself googling for LDAP filter info. This time I decided to post the resulting set of websites I hit for this info.

NOTE: MS release the Specs for Active Directory’s LDAP Compliance here. GREAT DOC!
http://download.microsoft.com/download/d/c/8/dc83e0b8-fc2c-4af4-bd27-45b5963ad98d/AD%20LDAP%20Compliance.doc

Blog Entry on LDAP Filters
————————-
http://bsonposh.com/modules/wordpress/?p=78

LDAP Filter Articles
——————-
query Active Directory by using a bitwise filter
http://support.microsoft.com/kb/269181

Search Filter Syntax
http://msdn2.microsoft.com/en-us/library/aa746475.aspx

Mastering the LDAP search filter
http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1191071,00.html

userAccountControl
——————-
UserAccountControl flags
http://support.microsoft.com/kb/305144

User-Account-Control Attribute (Windows)
http://msdn2.microsoft.com/en-us/library/ms680832.aspx

Citrix Policies and Powershell (Double the Pleasure!)

I notice there was entry on Brian Madden forums about creating Citrix Policies. http://www.brianmadden.com/Forum/Topic/97139

I decided to spend a little time looking at this from a script perspective and here are some examples of dealing with Citrix Policies that I came up with.

Just a FYI
I hear tell there will be some Citrix CMDLets coming very soon that will make working with Citrix amazingly simple (which will include an import/export Citrix policy cmdlets.) I cannot tell you how revolutionary this will be for your typical Citrix Admin.

You can find the Citrix Enums here
http://bsonposh.com/modules/wordpress/?p=62

Script To Get Citrix Policy

# Get-CitrixPolicy.ps1
Param($Server,$PolicyName = ".*")

# Enums in Use
$MetaFrameUnknownObject = 0
$MetaFrameWinFarmObject = 1

# Getting Farm Object
$type = [System.Type]::GetTypeFromProgID("MetaframeCOM.MetaframeFarm",$Server)
$mfarm = [system.Activator]::CreateInstance($type)
$mfarm.Initialize($MetaFrameWinFarmObject)

# Getting Policies that Match Name and Loading Data
$pol = $mfarm.policies($MetaFrameUnknownObject) | ?{$_.Name -match $PolicyName}
$pol | %{$_.LoadData($true)}
$pol

Script To Create a New Citrix Policy

# New-CitrixPolicy.ps1
Param($Server,$PolicyName,$PolicyDescription)
if(!$PolicyDescription){$PolicyDescription=$PolicyName)
$type = [System.Type]::GetTypeFromProgID("MetaframeCOM.MetaframeFarm",$Server)
$mfarm = [system.Activator]::CreateInstance($type)
$mfarm.Initialize(1)
$NewPolicy = $mfarm.CreatePolicy(19,$PolicyName,$PolicyDescription)

Script To Remove a Citrix Policy

# Remove-CitrixPolicy.ps1
Param($Server,$PolicyName = $(throw ‘$PolicyName is Required’),[switch]$whatif)

# Enums in Use
$MetaFrameUnknownObject = 0
$MetaFrameWinFarmObject = 1

# Getting Farm Object
$type = [System.Type]::GetTypeFromProgID("MetaframeCOM.MetaframeFarm",$Server)
$mfarm = [system.Activator]::CreateInstance($type)
$mfarm.Initialize($MetaFrameWinFarmObject)

# Getting Policies that Match Name and Loading Data
$policies = $mfarm.policies($MetaFrameUnknownObject) | ?{$_.Name -eq $PolicyName}
foreach($pol in $policies)
{
    if($whatif){Write-Host " What if: Performing operation `"Delete`" on Target `"$($pol.Name)`". " -foreground yellow}
    else{Write-Host " – Deleting $($pol.Name)";$pol.Delete()}
}

Check Active Directory Latency

The other day I had a need to see how long it took for an object to be replicated to all the Domain Controllers in my Environment.

Here is the script I came up with. It does the following:
– Finds all Domain Controllers in the Domain (using .NET)
– Creates a contact object in a specified OU (Default is users container for the Domain)
– Gets the start Time
– Loops and Checks each DC for the object.
– Once all DCs have the object it gets End Time
– Outputs the results

Some extra features
– re-writes screen using $host.UI.RawUI.CursorPosition. No scrolling text 🙂
– Outputs a custom object with Name and Time to Replicate (-table)

Parameters/Switches
-target: DC to create object on. (Default: it will find one for you)
-fqdn: Used to Find Domain Controllers (Default: Use current Domain)
-ou: DN of the path to create contact objects (Default Users Container)
-remove: If $true it removes the temp object (default is $true)
-table: switch that will return a table with the DC and Time it took to replicate (as output)

Here is the code:

Param($target = (([ADSI]"LDAP://rootDSE").dnshostname),
      $fqdn = (([ADSI]"").distinguishedname -replace "DC=","" -replace ",","."),
      $ou = ("cn=users," + ([ADSI]"").distinguishedname),
      $remove = $true,
      [switch]$table
      )

$context = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$fqdn)
$dclist = [System.DirectoryServices.ActiveDirectory.DomainController]::findall($context)
if($table)
{
    $DCTable = @()
    $myobj = "" | select Name,Time
    $myobj.Name = ("$target [SOURCE]").ToUpper()
    $myobj.Time = 0.00
    $DCTable += $myobj
}

$name = "rTest" + (Get-Date -f MMddyyHHmmss)
Write-Host "`n  Creating Temp Contact Object [$name] on [$target]"
$contact = ([ADSI]"LDAP://$target/$ou").Create("contact","cn=$Name")
$contact.SetInfo()
$dn = $contact.distinguishedname
Write-Host "  Temp Contact Object [$dn] Created! `n"

$start = Get-Date

$i = 0

Write-Host "  Found [$($dclist.count)] Domain Controllers"
$cont = $true

While($cont)
{
    $i++
    $oldpos = $host.UI.RawUI.CursorPosition
    Write-Host "  =========== Check $i ===========" -fore white
    start-Sleep 1
    $replicated = $true
    foreach($dc in $dclist)
    {
        if($target -match $dc.Name){continue}
        $object = [ADSI]"LDAP://$($dc.Name)/$dn"
        if($object.name)
        {
            Write-Host "  – $($dc.Name.ToUpper()) Has Object [$dn]" (" "*5) -fore Green
            if($table -and !($dctable | ?{$_.Name -match $dc.Name}))
            {
                $myobj = "" | Select-Object Name,Time
                $myobj.Name = ($dc.Name).ToUpper()
                $myobj.Time = ("{0:n2}" -f ((Get-Date)$start).TotalSeconds)
                $dctable += $myobj
            }
        }
        else{Write-Host "  ! $($dc.Name.ToUpper()) Missing Object [$dn]" -fore Red;$replicated  = $false}
    }
    if($replicated){$cont = $false}else{$host.UI.RawUI.CursorPosition = $oldpos}
}

$end = Get-Date
$duration = "{0:n2}" -f ($end.Subtract($start).TotalSeconds)
Write-Host "`n    Took $duration Seconds `n" -fore Yellow

if($remove)
{
    Write-Host "  Removing Test Object `n"
    ([ADSI]"LDAP://$target/$ou").Delete("contact","cn=$Name")
}
if($table){$dctable | Sort-Object Time | Format-Table -auto}

Lab Build w/ Quest tools (coming soon!)

A user (valdezdj) pointed out that my build script would be much shorter if I had used the Quest tools.

I agree and have always planned on releasing a Quest version. I just haven’t had time 🙁

I love the Quest tools, but there are tons of people at there that don’t have the ability to use them. This is why usually only post “Powershell Only” examples. In this case I planned on posting both to show the power of the Quest CMDLets.

To Download Quest AD CMDLets: http://www.quest.com/powershell/

p.s. This is challenge… you guys and post code to 🙂

Build Lab (v1 w/out Quest Tools)

This script worked for me… just took a few days 🙂

To Recap. This does the following. In my final revision I am removing the last two steps… it TAKES FOREVER!!! and its not the useful.

# A TestOU OU
# A TestComputers OU
# A TestUsers OU
# A TestGroups OU
# 10K OU’s Under TestOU
## Each of the 10k OUs will have 4 Child OUs
### Each OU should have 5 users Accounts and 5 Machines Accounts
# Create 500 Group Policies.
# Link 100 policies on the 10k Base OUs
# Create 2000 Users in the TestUser OU
# Create 2000 Computers in the TestComputer OU
# Find all the Users
# Create 2K Groups
## Add Even Numbered Users to Even Groups
## Add Odd Numbered Users to Odd Groups

function New-ADOU{
    Param($Name,$OU,$DC)
    # Get Root Path for OU
    if($dc -and $ou){$root = "LDAP://$dc/$ou"}
    if($dc -and !$ou){$root = "LDAP://{0}" -f $dc,(([ADSI]"LDAP://$dc/rootDSE").DefaultNamingContext)}
    if(!$dc -and $ou){$root = "LDAP://$OU"}
    if(!$dc -and !$ou){$root = "LDAP://{0}" -f (([ADSI]"LDAP://rootDSE").DefaultNamingContext)}

    #Write-Host ("Creating OU [{0}] Using Path [{1}]" -f $Name,$Root)

    # Creating Account in OU
    $BaseOU = [ADSI]"$root"
    $NewOU = $BaseOU.Create("organizationalUnit","OU=$Name")
    $NewOU.Setinfo()
    $NewOU.distinguishedName
}
function New-ADUSer{
    Param($user,$password="P@ssw0rd",$dc,$ou)

    # Get Root Path for OU
    if($dc -and $ou){$root = "LDAP://$dc/$ou"}
    if($dc -and !$ou)
    {$root = "LDAP://{0}/CN=Users,{1}" -f $dc,(([ADSI]"LDAP://$dc/rootDSE").DefaultNamingContext)}
    if(!$dc -and $ou)
    {$root = "LDAP://$OU"}
    if(!$dc -and !$ou)
    {$root = "LDAP://CN=Users,{0}" -f (([ADSI]"LDAP://rootDSE").DefaultNamingContext)}

    #Write-Host ("Creating user [{0}] Using Path [{1}]" -f $user,$Root)

    # Creating Account in OU
    $UserOU = [ADSI]"$root"
    $userObj = $UserOU.Create("User","CN=$user")

    # Set samAccountName
    $userObj.put("samAccountName","$user")
    $userObj.Setinfo()

    # Set Password
    $userObj.psbase.invoke("setpassword",$password)
    $userObj.Setinfo()

    # Enable Account
    $userObj.psbase.invokeset(‘accountdisabled’, $false)
    $userObj.Setinfo()
    $userObj.distinguishedName
}
function New-ADComputer{
    Param($Name,$OU,$DC)
    # Get Root Path for OU
    if($dc -and $ou){$root = "LDAP://$dc/$ou"}
    if($dc -and !$ou)
    {$root = "LDAP://{0}/CN=Users,{1}" -f $dc,(([ADSI]"LDAP://$dc/rootDSE").DefaultNamingContext)}
    if(!$dc -and $ou)
    {$root = "LDAP://$OU"}
    if(!$dc -and !$ou)
    {$root = "LDAP://CN=Computers,{0}" -f (([ADSI]"LDAP://rootDSE").DefaultNamingContext)}

    #Write-Host ("Creating user [{0}] Using Path [{1}]" -f $user,$Root)

    # Creating Account in OU
    $CompOU = [ADSI]"$root"
    $CompObj = $CompOU.Create("Computer","CN=$Name")

    # Set samAccountName
    $CompObj.put("samAccountName","$Name`$")
    $CompObj.Setinfo()

    # Enable Account
    $CompObj.psbase.invokeset(‘accountdisabled’, $false)
    $CompObj.Setinfo()
    $CompObj.distinguishedName
}
function New-ADGroup{
    Param($OU,$Grp,$dc)
    Write-Host " + Creating Group [$Grp] in OU [$OU]"

    # Get Root Path of OU
    if($dc){$GroupOU  = [ADSI]"LDAP://$dc/$ou"}
    else{$GroupOU  = [ADSI]"LDAP://$ou"}

    # Create Group
    $GroupObj = $GroupOU.Create("Group","CN=$Grp")
    $Groupobj.SetInfo()
    $Groupobj.distinguishedName
}
function Add-UsertoGroup{
    Param($User,$Grp,$DC)
    if($DC){$myGroup = [ADSI]"LDAP://$DC/$Grp"}
    else{$myGroup = [ADSI]"LDAP://$Grp"}
    #Write-Host "     – Processing User [$User] in Group [$Grp]"
    $myGroup.Add("LDAP://$user")
    $myGroup.SetInfo()
}

#A TestOU OU
Write-Host " + Creating TestOU"
$TestOU = New-ADOU -name TestOU

#A TestComputers OU
Write-Host " + Creating TestComputers OU"
$TestComp = New-ADOU -name TestComputers

#A TestUsers OU
Write-Host " + Creating TestUsers OU"
$TestUsers = New-ADOU -name TestUsers

#A TestGroups OU
Write-Host " + Creating TestGroups OU"
$TestGroups = New-ADOU -name TestGroups

#10K OU’s Under TestOU
foreach($n in 1..10000)
{
    Write-Host " + Creating Level1 OU [Level1OU$N]"
    $Level1 = New-ADOU -name "Level1OU$N" -ou $TestOU
    # Each of the 10k OUs will have 4 Child OUs
    foreach($i in 1..4)
    {
        Write-Host "   + Creating Level2 OU [Level2OU$i]"
        $Level2 = New-ADOU -name "Level2OU$i" -ou $Level1
        #Each OU should have 5 users Accounts and 5 Machines Accounts
        foreach($x in 1..5)
        {
            Write-Host "     – Creating User [Lvl2User$n$i$x] in [$Level2]"
            New-ADUSer -user "Lvl2User$n$i$x" -OU $Level2 | out-Null
            Write-Host "     – Creating Computer [Lvl2Comp$n$i$x] in [$Level2]"
            New-ADComputer -name "Lvl2Comp$n$i$x" -OU $Level2 | out-Null
        }
    }
}

#Create 500 Group Policies.
1..500 | %{New-SDMgpo "TestGPO$_"}

#Link 100 policies on the 10k Base OUs
1..100 | %{Add-SDMgplink -name "TestGPO$_" -Scope "OU=Level1OU$_,$TestOU" -Location -1}

#Create 2000 Users in the TestUser OU
1..2000 | %{New-ADUSer -user "TestUser$_" -OU $TestUsers}

#Create 2000 Computers in the TestComputer OU
1..2000 | %{New-ADComputer -user "TestComputer$_" -OU $TestComputers}

# Find all the Users
$props = @("sAMAccountName","distinguishedName")
$ds = new-Object System.DirectoryServices.DirectorySearcher([ADSI]"","(objectcategory=user)",$props)
$ds.pagesize = 100
$users = $ds.Findall()
$eUsers = $users | ?{ $_.properties.item("sAMAccountName") -match ‘(2|4|6|8|0)$’ } | `
              select-Object @{n="Name";e={$_.properties.item("distinguishedName")}}
$oUsers = $users | ?{ $_.properties.item("sAMAccountName") -match ‘(1|3|5|7|9)$’ } | `
              Select-Object @{n="Name";e={$_.properties.item("distinguishedName")}}

#Create 2K Groups
foreach($i in 1..2000)
{
    $NewGrp = New-ADGroup -Grp "TestGrp$i" -OU $TestGroups
    if($i%2 -eq 0)
    {
        Write-Host "   + Adding Even Users to Group [$NewGrp]"
        $eUsers | Select-Object | %{ Add-UsertoGroup -user $_.name -Grp $NewGrp }
    }
    else
    {
        Write-Host "   + Adding Odd Users to Group [$NewGrp]"
        $oUsers | Select-Object |%{ Add-UsertoGroup -user $_.name -Grp $NewGrp }
    }
}

Interpreting > Parsing (who knew!)

I found out some interesting information yesterday. I thought I would share it.

Back Story:
A question was asked on how to include $env:ComputerName to a string. I quickly piped up “HA! That is easy just wrap $() around the variable and it will work.” While this indeed works and is what I have been doing for the last couple of years… There was a better way!

It turns out that Jim Truher was watching this particular thread discussion and quickly informed me that this was “quite inefficient” and I should use ${} instead. So of course, I had to know why. Luckily Bruce Payette was also watching this thread and explained the following.

I hope he doesn’t mind if I quote him.

“The big difference is whether the parser gets involved or not. In the ${foo} case, the interpreter simply extracts the string, looks up the variable and inserts the result. In the $($var) case, the string is extracted, parsed and then executed which is more overhead.”

More Info (provided by Keith Hill):
$() is used within strings to evaluate statements (potentially multiple statements) and the results are converted into a string (Using OFS.)

${} is simply used to prevent the interpreter from “interpreting” the name of the variable instead it is treated as the literal name of the variable

Moral of the Story?
From now on I am using ${} when no evaluating is needed.

Jims Blog
http://jtruher.spaces.live.com/

Keith Hill has an awesome Series called Effective Powershell
http://keithhill.spaces.live.com/

Bruce hangs out on the Powershell Forum
http://blogs.msdn.com/PowerShell/

Bruce also wrote Windows Powershell in Action
http://www.manning.com/payette/

p.s. I tested this with this code

# with ${}
( Measure-Command {1..10000 | %{ "${env:path}" } } ).TotalMilliseconds
# vs with $()
( Measure-Command {1..10000 | %{ "$($env:path)" } } ).TotalMilliseconds

SpecOps and Group Policies… What a match!

Special Operations Software has created an Incredible marriage of Powershell and Group Policy. Please take some time to watch these Demos. AWESOME!

Specops Command done by Darren Mar-Elia:

Specops Deploy done by Derek Melber:

Next »