BSonPoSH

Rick Sheikh asked me about the Windows 2008 R2 GP cmdlets on blog post Build Lab w/ Quest AD CMDLets.

Here is a list (you have to add it via features.) and how to find them

tshell :: Sep.22.2009 :: All :: 1 Comment »

The other day a friend asked me how I would get Active Directory Schema information using Powershell. I knew of the schema property on the DirectoryServices.ActiveDirectory.Forest class and that is where I started.

Initially I just called the static method GetCurrentForest on the Forest class and then accessed the schema using the property like this.

$Forest = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$Forest.Schema

This worked find and gave me the Schema object I was after but information I got back was minimal. It only returned Schema Role Owner and the Distinguished Name. I found that if you want to get real data like the classes and properties you needed to call methods on object (DirectoryServices.ActiveDirectory.ActiveDirectorySchema) returned from Schema property.

At this point it is not all that complicated but I thought it would be nice to have functions that would abstract all this.

Below is a couple of functions you may find useful. They work both V1 and V2 of Powershell.

Get-Forest : Gets the Forest Object
- DomainController [optional] - DNS Name of the Host to connect to
- Credential [optional] - Network credentials to use.

Get-ADSchema : Gets the Schema
- DomainController [optional] - DNS Name of the Host to connect to
- Credential [optional] - Network credentials to use.

Get-ADSchemaClass : Gets a specific Schema Class
- Class [optional] - Class Object to get (Default is all)
- DomainController [optional] - DNS Name of the Host to connect to
- Credential [optional] - Network credentials to use.

Get-ADSchemaProperty : Gets a specific Schema Property
- Property [optional] - Property to get (Default is all)
- DomainController [optional] - DNS Name of the Host to connect to
- Credential [optional] - Network credentials to use.

NOTE: These will be included in my "Soon to be available" BSONPOSH module (v2 only.)

function Get-Forest
{
    Param($DomainController,[Management.Automation.PSCredential]$Credential)
 
    if(!$DomainController)
    {
        [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        return
    }
 
    if($Creds)
    {
        $Context = new-object DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer",$DomainController,$Creds.UserName,$Creds.GetNetworkCredential().Password)
    }
    else
    {
        $Context = new-object DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer",$DomainController)
    }
    [DirectoryServices.ActiveDirectory.Forest]::GetForest($Context)
}

function Get-ADSchema
{
    Param($DomainController,[Management.Automation.PSCredential]$Credential)
    if($DomainController -and !$Credential)
    {
        $Forest = Get-Forest -DNSName $DomainController
    }
    elseif($DomainController -and $Credential)
    {
        $Forest = Get-Forest -DNSName $DomainController -Credential $Credential
    }
    else
    {
        $Forest = Get-Forest
    }
    $Forest.Schema
}

function Get-ADSchemaClass
{
    Param($Class = ".*",$DomainController,[Management.Automation.PSCredential]$Credential)
 
    if($DomainController -and !$Credential)
    {
        $Forest = Get-Forest -DNSName $DomainController
    }
    elseif($DomainController -and $Credential)
    {
        $Forest = Get-Forest -DNSName $DomainController -Credential $Credential
    }
    else
    {
        $Forest = Get-Forest
    }
 
    $Forest.Schema.FindAllClasses() | ?{$_.Name -match "^$Class`$"}
}

function Get-ADSchemaProperty
{
    Param($Property = ".*",$DomainController,[Management.Automation.PSCredential]$Credential)
 
    if($DomainController -and !$Credential)
    {
        $Forest = Get-Forest -DNSName $DomainController
    }
    elseif($DomainController -and $Credential)
    {
        $Forest = Get-Forest -DNSName $DomainController -Credential $Credential
    }
    else
    {
        $Forest = Get-Forest
    }
 
    $Forest.Schema.FindAllProperties() | ?{$_.Name -match "^$Property`$"}
 
}

tshell :: Aug.25.2009 :: Active Directory, All :: No Comments »

Last week I talked about how to "discover" information using the built in .NET classes for ActiveDirectory. This week I would like to show how you can do similar things with the ActiveDirectory cmdlets that ship with Win7 and R2.

The first task we discussed was getting Forest information like Domains, Sites, ForestMode, RootDomain, and Forest masters.

With .NET we do this

$Forest = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

With the cmdlets we do this

$Forest = Get-ADForest

Next we discussed getting Domain information like Domain Controllers, DomainMode, Domain Masters, and Forest Root.

$Domain = [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

With the cmdlets we do this

$Domain = Get-ADDomain

Now the object we get back is slightly different so lets take a look

First lets look at what $Forest has to offer

PS C:UsersAdministrator> $Forest
 
ApplicationPartitions : {}
CrossForestReferences : {}
DomainNamingMaster    : Win2K8R2DC1.R2.Dev.Lab
Domains               : {R2.Dev.Lab}
ForestMode            : Windows2008R2Forest
GlobalCatalogs        : {Win2K8R2DC1.R2.Dev.Lab}
Name                  : R2.Dev.Lab
PartitionsContainer   : CN=Partitions,CN=Configuration,DC=R2,DC=Dev,DC=Lab
PSShowComputerName    : {}
RootDomain            : R2.Dev.Lab
SchemaMaster          : Win2K8R2DC1.R2.Dev.Lab
Sites                 : {Default-First-Site-Name}
SPNSuffixes           : {}
UPNSuffixes           : {}
WriteErrorStream      : {}

Finally, Lets look at $Domain

PS C:UsersAdministrator> $domain
 
AllowedDNSSuffixes                 : {}
ChildDomains                       : {}
ComputersContainer                 : CN=Computers,DC=R2,DC=Dev,DC=Lab
DeletedObjectsContainer            : CN=Deleted Objects,DC=R2,DC=Dev,DC=Lab
DistinguishedName                  : DC=R2,DC=Dev,DC=Lab
DNSRoot                            : R2.Dev.Lab
DomainControllersContainer         : OU=Domain Controllers,DC=R2,DC=Dev,DC=Lab
DomainMode                         : Windows2008R2Domain
DomainSID                          : S-1-5-21-4244231903-4101880959-1987002231
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=R2,DC=Dev,DC=Lab
Forest                             : R2.Dev.Lab
InfrastructureMaster               : Win2K8R2DC1.R2.Dev.Lab
LastLogonReplicationInterval       :
LinkedGroupPolicyObjects           : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=R2,DC=Dev,DC=Lab}
LostAndFoundContainer              : CN=LostAndFound,DC=R2,DC=Dev,DC=Lab
ManagedBy                          :
Name                               : R2
NetBIOSName                        : R2
ObjectClass                        : domainDNS
ObjectGUID                         : c2d8e67d-2a49-4352-a795-de2b6508b1dc
ParentDomain                       :
PDCEmulator                        : Win2K8R2DC1.R2.Dev.Lab
QuotasContainer                    : CN=NTDS Quotas,DC=R2,DC=Dev,DC=Lab
ReadOnlyReplicaDirectoryServers    : {}
ReplicaDirectoryServers            : {Win2K8R2DC1.R2.Dev.Lab}
RIDMaster                          : Win2K8R2DC1.R2.Dev.Lab
SubordinateReferences              : {CN=Configuration,DC=R2,DC=Dev,DC=Lab}
SystemsContainer                   : CN=System,DC=R2,DC=Dev,DC=Lab
UsersContainer                     : CN=Users,DC=R2,DC=Dev,DC=Lab

Here are some more specific examples on how to use these variables:

To see the forest roles

$forest | select SchemaMaster,DomainNamingMaster

To see the domain roles

$domain | select PDCEmulator,RIDMaster,InfrastructureMaster

To see what application partitions your forest has

$forest.ApplicationPartitions

NOTE: you can use this command to see all the AD Cmdlets have to offer

get-command -Module ActiveDirectory

tshell :: Jun.22.2009 :: Active Directory, All :: No Comments »

I often to get asked what I mean by "Select-Object changes the object type." I believe this one of those things that is easier to illustrate than just explain. First let me show the object type Change

PS> ($dir = Get-item C:\temp).Gettype()
 
IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     DirectoryInfo                            System.IO.FileSystemInfo
 
PS> ($dir = Get-item C:\temp | select-Object Fullname,Name,Parent).Gettype()
 
IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     False    PSCustomObject                           System.Object
 
Even if you specifiy PSBASE you have new object type.
 
PS> ($dir = Get-item C:\temp).psbase.Gettype()
 
IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     DirectoryInfo                            System.IO.FileSystemInfo
 
PS> ($dir = Get-item C:\temp | select-Object Fullname,Name,Parent).psbase.Gettype()
 
IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     False    PSCustomObject                           System.Object

Now look at what you lose using this method.

First you will notice you have 21 items returned from Get-Member (I only included Properties for simplicity, but methods work the same way.)

PS> get-item C:\temp | Get-Member -MemberType Properties | ft Name
 
Name
----
PSChildName
PSDrive
PSIsContainer
PSParentPath
PSPath
PSProvider
Attributes
CreationTime
CreationTimeUtc
Exists
Extension
FullName
LastAccessTime
LastAccessTimeUtc
LastWriteTime
LastWriteTimeUtc
Name
Parent
Root
Mode
ReparsePoint
 
## After piping to Select-Object you now only have 3
 
PS> Get-Item C:\temp | Select-Object Name,Fullname,Parent | Get-Member -MemberType Properties | ft name
 
Name
----
FullName
Name
Parent
 
## Now.. methods before "Conversion"
 
PS>  Get-item C:\temp | Get-Member -MemberType Methods | ft name
 
Name
----
Create
CreateObjRef
CreateSubdirectory
Delete
Equals
GetAccessControl
GetDirectories
GetFiles
GetFileSystemInfos
GetHashCode
GetLifetimeService
GetObjectData
GetType
get_Attributes
get_CreationTime
get_CreationTimeUtc
get_Exists
get_Extension
get_FullName
get_LastAccessTime
get_LastAccessTimeUtc
get_LastWriteTime
get_LastWriteTimeUtc
get_Name
get_Parent
get_Root
InitializeLifetimeService
MoveTo
Refresh
SetAccessControl
set_Attributes
set_CreationTime
set_CreationTimeUtc
set_LastAccessTime
set_LastAccessTimeUtc
set_LastWriteTime
set_LastWriteTimeUtc
ToString
 
## After
 
PS>  Get-item C:\temp | select-object FullName,Name,Parent | Get-Member -MemberType Methods | ft name
 
Name
----
Equals
GetHashCode
GetType
ToString

As you can see... Effectively they are all gone on the new object. When I first experienced this.. I thought maybe the methods were just hidden... but try to access them

PS> $dir = Get-Item C:\temp
PS> $dir.GetDirectories()
 
Mode           LastWriteTime       Length Name
----           -------------       ------ ----
d----     5/22/2007  1:58 PM              Console
d----     5/10/2007  4:36 PM              test32
 
PS> $dir = Get-Item C:\temp | Select-Object FullName,Name,Parent
PS>  $dir.GetDirectories()
Method invocation failed because [System.Management.Automation.PSCustomObject] doesn't contain a method named 'GetDirectories'.
At line:1 char:20

I want to be clear... This is not a bug. Its not even a bad idea. I find it useful, but I think it confuses a lot of people. Like most people I didn't read the help before I used it or I would have seen this excerpt from get-help Select-Object:

If you use Select-Object to select specified properties, it copies the values of those properties from the input objects and creates new objects that have the specified properties and copied values.

So, the moral of the story is don't be shocked when your object changes after using Select-Object. Embrace the change :)

tshell :: Jun.10.2009 :: Active Directory, All :: No Comments »

Once you grab a hold of the "Object" concept in Powershell it brings a whole new light to scripting. The power that is at your finger tips is basically limitless, but to harness this power you not only need to know how to use objects but also create them as well.

Here is my way of creating objects.

$myobj = ""| select-Object Server,Result

IMO this is the simplest way to create custom objects.

Effectively what happens is you set your $myobj to a empty string and pipe to select-object. While this may seem odd, its actually quite useful because what select-object returns is a PSCustomObject with the properties that you specify. This allows you to create you object with defined properties that you can fill out later in one line.

The "proper" way to create a custom object is to do this.

$myobj = new-object System.Object
$myobj | add-member -membertype noteproperty -name Server -value $sname
$myobj | add-member -membertype noteproperty -name Result -value $sResult

While this isn't that much more work... I think its harder to read (and more typing) so I go with this shortcut

$myobj = "" | select-Object Server,Result
$myobj.Server = $sname
$myobj.Result = $sResult

I will give you one warning about select-object (not related, but while I'm on this subject.) select-object does Change the object type and therefore you lose methods and properties you may expect to be there. I have seen numerous post on the news groups that have this exact problem.

If you pipe Get-ChildItem to Get-member you get tons of methods and properties for both System.IO.FileInfo and System.IO.DirectoryInfo

PS> get-childitem | gm

Now pipe it to select-object and do a Get-Member

PS> (get-childitem | select-object Fullname,length) | gm
 
TypeName: System.Management.Automation.PSCustomObject
 
Name MemberType Definition
---- ---------- ----------
Equals Method System.Boolean Equals(Object obj)
GetHashCode Method System.Int32 GetHashCode()
GetType Method System.Type GetType()
ToString Method System.String ToString()
FullName NoteProperty System.String FullName=C:WindowsSystem32409
length NoteProperty length=null

Just be careful to remember this. I actually avoid using select-object to filter objects simply because of this. Instead... I just use the properties.

tshell :: Jun.04.2009 :: Active Directory, All :: No Comments »

I manage a large number of servers and this management involves a ton of WMI queries. A long time back I got sick of waiting and waiting for my WMI queries so I developed a little script called Test-Port that would do a WMI ping or would test a specific port (for firewalls) and pass the object on if connectivity passed.

You can see more details about that script here: Test-Port (kinda like portqry without verbose output)

With v2 just on the horizon I wanted to see what I could improve using Powershell v2 and decided to re-write the code (found below.)

Some of the new features are:
- Rename to Test-Host
- Built in Help and examples (biggy)
- Parameter Binding
- Added more logging with -verbose switch

This can be very useful if you ever have the need to do a task on a number of Computers (specifically WMI.) For example, If I needed to get all the machines running x64 in my domain I could something like this:

$computers = Get-QADComputer -search $OU | %{$_.dnshostname} | Test-Host -tcp 135
$query = "SELECT * FROM win32_processor WHERE addresswidth='64'"
Get-WMIObject -query $query -comp $computers -asJob

Here is the code for Test-Host
Can download here: Test-Host.ps1 (from Poshcode.org)

function Test-Host
{
 
    [CmdletBinding()]
 
    Param(
        [Parameter(ValueFromPipeline=$true,Mandatory=$True)]
        [string]$Server,
        [Parameter()]
        [int]$TCPPort,
        [Parameter()]
        [int]$timeout=1000,
        [Parameter()]
        [string]$property
        )
    Begin
    {
        function TestPort {
            Param($srv,$tport,$tmOut)
            Write-Verbose " [TestPort] :: Start"
            Write-Verbose " [TestPort] :: Setting Error state = 0"
            $Error\3ActionPreference = "SilentlyContinue"
 
            Write-Verbose " [TestPort] :: Creating [system.Net.Sockets.TcpClient] instance"
            $tcpclient = New-Object system.Net.Sockets.TcpClient
 
            Write-Verbose " [TestPort] :: Calling BeginConnect($srv,$tport,$null,$null)"
            $iar = $tcpclient.BeginConnect($srv,$tport,$null,$null)
 
            Write-Verbose " [TestPort] :: Waiting for timeout [$timeout]"
            $wait = $iar.AsyncWaitHandle.WaitOne($tmOut,$false)
            # Traps     
            trap 
            {
                Write-Verbose " [TestPort] :: General Exception"
                Write-Verbose " [TestPort] :: End"
                return $false
            }
            trap [System.Net.Sockets.SocketException]
            {
                Write-Verbose " [TestPort] :: Exception: $($_.exception.message)"
                Write-Verbose " [TestPort] :: End"
                return $false
            }
            if(!$wait)
            {
                $tcpclient.Close()
                Write-Verbose " [TestPort] :: Connection Timeout"
                Write-Verbose " [TestPort] :: End"
                return $false
            }
            else
            {
                Write-Verbose " [TestPort] :: Closing TCP Sockett"
                $tcpclient.EndConnect($iar) | out-Null
                $tcpclient.Close()
            }
            if($?){Write-Verbose " [TestPort] :: End";return $true}
        }
        function PingServer {
            Param($MyHost)
            Write-Verbose " [PingServer] :: Pinging $MyHost"
            $pingresult = Get-WmiObject win32_pingstatus -f "address='$MyHost'"
            Write-Verbose " [PingServer] :: Ping returned $($pingresult.statuscode)"
            if($pingresult.statuscode -eq 0) {$true} else {$false}
        }
    }
    Process
    {
        Write-Verbose ""
        Write-Verbose " Server   : $Server"
        if($TCPPort)
        {
            Write-Verbose " Timeout  : $timeout"
            Write-Verbose " Port     : $TCPPort"
            if($property)
            {
                Write-Verbose " Property : $Property"
                if(TestPort $Server.$property -tport $TCPPort -tmOut $timeout){$Server}
            }
            else
            {
                if(TestPort $Server -tport $TCPPort -tmOut $timeout){$Server} 
            }
        }
        else
        {
            if($property)
            {
                Write-Verbose " Property : $Property"
                if(PingServer $Server.$property){$Server} 
            }
            else
            {
                Write-Verbose " Simple Ping"
                if(PingServer $Server){$Server}
            }
        }
        Write-Verbose ""
    }
}

tshell :: May.26.2009 :: Active Directory, All :: No Comments »

A common problem when dealing with Active Directory is the end user trying to parse the results themselves.

Let take this example

$selector = New-Object DirectoryServices.DirectorySearcher
$selector.SearchRoot = [ADSI]""
$selector.pagesize = 1000
$adobj= $selector.findall() | where {$_.properties.objectcategory -match "CN=Person"}
foreach ($person in $adobj) {
   $date120DaysAgo = [DateTime]::Now.AddDays(-120).ToFileTime()
   $LL1 = $person.properties.lastlogontimestamp
   if(($LL1 -le $date120DaysAgo) -and ($person.GetDirectoryEntry().psbase.invokeget('AccountDisabled'))){$person}
}

Instead of doing the parsing on results side... we should let the server do the work. How do we do that?

With LDAP filters. Here is an example.

$filter = "(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(lastlogontimestamp>=$date))"
$ds = New-Object DirectoryServices.DirectorySearcher([ADSI]"",$filter)
$ds.PageSize = 1000
$users = $ds.FindAll()
$users

Or with Quest tools... even easier!

$date = (Get-Date).AddDays(-120).ToFileTime()
$filter = "(lastlogontimestamp>=$date)"
Get-QADUser -LdapFilter $filter -disabled

I think you will find with an LDAP filter you can save a TON of time.

Here is the output of measure-command for the two examples above (this was a very small sample.)

Without Filter
--------------
Days : 0
Hours : 0
Minutes : 0
Seconds : 3
Milliseconds : 477
Ticks : 34776670

With Filter
-----------
Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 34
Ticks : 340740

If you were to do this on a large AD the difference in time would be HUGE! Here is an example with 600K users...

With Filter
------------
Days : 0
Hours : 0
Minutes : 0
Seconds : 17
Milliseconds : 353
Ticks : 173535605

I can't post one with out filter... because it has been hours and it is still not done :)

tshell :: May.22.2009 :: Active Directory, All :: No Comments »

If there is one functionality that has been requested from myself and Citrix it is the ability to import/export applications.

With the XenApp cmdlets this is super trivial.

This is the SUPER COMPLEX Script

Not at all complex is it? Great stuff.

Here is a demo that shows how to do it.
Download XenAppExport Demo

tshell :: May.15.2009 :: Active Directory, All :: No Comments »