Advanced Windows PowerShell Scripting Video Training

Advanced Windows PowerShell Scripting Video Training
Advanced Windows PowerShell Scripting Video Training

Wednesday, January 27, 2010

How to change a Description on the Boot menu in Windows 7

Let's say for some odd reason, you need to have more then one installation of Windows 7 on your PC. When you do this, the boot menu has two entries. Each one says "Windows 7". How do you know which one to choose?

The default boot will be on the copy you just installed. To make life a little bit easier for you, and anyone else in your organization that needs to duel boot, you can change the description with BDCEdit.

  • Open a command prompt as an Administrator.
  • Type BCDEdit to get a list of available partitions.
  • To Change the current discription type: Bcdedit /set {current} description “New Win 7 Installation”
  • Over course you can name it anything you want.
Once you reboot the computer, you will see the new description listed.

Tuesday, January 26, 2010

How to turn on Active Directory Recycle Bin in 2008 R2

A new feature of Active Directory in Server 2008 R2 is the Recycle Bin. The Recycle bin allow you to recover objects that have been deleted. Unlike an Authorative restore, the properties of the object are also restored. The recycle bin is not turned on by default. Once on, it cannot be turned off. To turn it on:

1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:

For this example, my domain is

Enable-ADOptionalFeature –Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=MCTNet,DC=COM’ –Scope ForestOrConfigurationSet –Target ‘’

This process does not put a nice recycle bin for you to use. Next Tuesday's blog will provide a PowerShell Script to help out.


Monday, January 25, 2010

DFS: If a folder gets sent to Conflict and delete will there be an event log?

After evaluating the DFS Replication log, I only found event 4104. This event reported the successful initial replication of our DFS Namespace to the other replication partners. It also said that if there were any pre-existing content, it was moved to a new folder inside the replicated folder called \DfsrPrivate\PreExisting. To access this file simply type the full path in windows Explorer. For example, if the path was C:\YearEndData, you would need to type C:\YearEndData\DfsrPrivate\PreExisting. You can now move this data back into the replicate folder. The moved data will be replicated to the other members of the DFS replication group.

Wednesday, January 20, 2010

Does running GPUpdate /Force cause the computer to reboot?

Running GPUpdate with the /Boot switch will reboot your computer if a change has been made that requires a reboot. Otherwise it will not reboot the system. Items that will require a reboot are those client side extensions that cannot update in the background. Software installations that are assigned to a computer would be an example.

Tuesday, January 19, 2010

How to add a PowerShell Snapin

Powershell is integrated into almost off of Microsoft's latest software. This is one of the reasons why PowerShell is expandable. One way that Powershell is expanded is through the use of Snapins. When you install software, say Exchange 2007, you also install the Exchange PowerShell Snapins for that product. For this demonstration, we will be using Exchange 2007 as our example software.
Before we install the Snapins, lets to a little test. Execute the following commands.
$a = Get-Command
This will list the number of cmdlets currently on your computer. On my test computer, I have 180 cmdlets.
If you have not installed Exchange yet (or what ever Microsoft product you want to install), do so now. If this is a workstation, you may only need to installed the support tools for the product. Read the product documentation to determine what you need to do.
This commmand should list the currently installed snapins on your computer.
Get-PSSnappi -registered
This will list the snapins that have registered with PowerShell, but have not yet installed. Below is what I received.
Name: Microsoft.Exchange.Mamangement.PowerShell.Admin
PSVersion: 1.0
Description: Admin Tasks for the Exchange Server
Name: Microsoft.Exchange.Management.PowerShell.Supprt
PSVersion: 1.0
Description: Support Tasks for the Exchange Server
At this point, we need to add the snapings to PowerShell with the following commands:
Add-PSSanpin Microsoft.Exchange.Management.PowerShell.admin
Add-PSSanpin Microsoft.Exchange.Management.PowerShell.Support
Now to continue on with our little experiment type this:
$b = Get-Command
This will list the number of new cmdlets added to PowerShell. My number came out to be 525. By adding the Exchange 2007 PowerShell Snapins, we extended PowerShell's capabilties by 345 cmdlets. Go ahead and type Get-Command to see them all.

Monday, January 18, 2010

Minimum Service pack level for Windows XP to utilize GPO preferences.

The following is from a blog at TechNet that answers what is the minimum server pack level for windows XP to be able to utilized GPO preferences. (

Windows Vista RTM and Service Pack 1

Windows Server 2003 Service Pack 1

Windows XP Service Pack 2

Wednesday, January 13, 2010

How to change the default location for a new computer account.

By default, new computers are placed in the on a container called "Computers" as opposed to being placed in an Organizational Unit. OUs have the advantage of having Group Policy supplied to them. Take this example:
You have Windows Software Update Services servers located in each of your geographically dispersed offices. Using Organization Units, you have divided up the client by site and used Group Policy to direct them to their local WSUS server. You add a new computer to your domain. Will it be told where to find its WSUS server? Most likely not. You must first move it to an OU that had a GPO assigned. Then end result could be security configurations that are not applied to the client. By redirecting where the new computer accounts are created in Active Directory, you can make sure that the new client is brought online in the most secure fashion possible.
Below is the step by step procedure copied from the reference link at the end of this article. The redircmp command is part of windows and does not need to be downloaded.
Redirecting CN=Computers to an administrator-specified organizational unit
1. Log on with Domain Administrator credentials in the domain where the CN=computers container is being redirected.
2. Transition the domain to the Windows Server 2003 domain in the Active Directory Users and Computers snap-in (Dsa.msc) or in the Domains and Trusts (Domains.msc) snap-in. For more information about increasing the domain functional level, click the following article number to view the article in the Microsoft Knowledge Base:
322692 ( ) How to raise domain and forest functional levels in Windows Server 2003
3. Create the organizational unit container where you want computers that are created with earlier-version APIs to be located, if the desired organizational unit container does not already exist.
4. Run the Redircmp.exe file at a command prompt by using the following syntax, where container-dn is the distinguished name of the organizational unit that will become the default location for newly created computer objects that are created by down-level APIs:
redircmp container-dn container-dn
Redircmp.exe is installed in the %Systemroot%\System32 folder on Windows Server 2003-based or newer computers. For example, to change the default location for a computer that is created with earlier-version APIs such as Net User to the OU=mycomputers container in the CONTOSO.COM domain, use the following syntax:
C:\windows\system32>redircmp ou=mycomputers,DC=contoso,dc=com
Note When Redircmp.exe is run to redirect the CN=Computers container to an organizational unit that is specified by an administrator, the CN=Computers container will no longer be a protected object. This means that the Computers container can now be moved, deleted, or renamed. If you use ADSIEDIT to view attributes on the CN=Computers container, you will see that the systemflags attribute was changed from -1946157056 to 0. This is by design.

Tuesday, January 12, 2010

Query AD for Operating system with PowerShell.

The following script is a modification of the one written by The Scripting Guy: You will find a detailed explanation of the steps below at the link above.

It will also return the OS version to you. I put my modifications in green

$strCategory = "computer"

$objDomain = New-Object System.DirectoryServices.DirectoryEntry

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher

$objSearcher.SearchRoot = $objDomain

$objSearcher.Filter = ("(objectCategory=$strCategory)")

$colProplist = "name", “operatingsystem”

foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)

{$objComputer = $objResult.Properties



Write-host “ “


Monday, January 11, 2010

What is the error message when a disable computer tries to log in?

In our test environment, we determined that the user was able to log on and access network recourses. We discovered that the computer was not able to authenticate itself and therefore was not able to take advantage of active directory. For example, we were not able to to update the computer portion of group policy

Another problem is that if the user did not have a cached profile on the client, the user will recieve the following error at login:

The trust relationship between this workstation and the primary domain failed.

Once logged in with a user account that had cached credentials (or a local account) an examination of the System log revealed

Level: Error


Event ID: 5721


The Session setup in Windows NT or Windows 2000 Domain Controller %\\Server\domain% for the domain %domain% failed because the Domain Controller did not have an account %Client% needed to set up the session by this computer %Client%.


If this computer is a member of or a Domain Controller in the specified domain, the aforementioned account is a copmuter account for this computer in the specified domain. Otherwise, the account is an interdomain trust account with the specified domain.

Level: Warning

Source: Time-Service

Event ID: 130


NtpClient was unable to set a domain peer to use as a time source because of failure in establishing a trust relationship between this copmuter and the '%domain%' domain in order to securely sycronize time. NtpClient will try again in 15 minutes and double the reattempted interval therafter. The error was: then trust relationship between this workstation and the primary domain failed. (0x800706FD)

Level: Error

Source: GroupPolicy

Event ID: 1129


The processing fo Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connect to the domain controller and Group Policy has succesfully processed. if you do not see a secure message for several hours, then contact your administrator.

Wednesday, January 6, 2010

Are the encryption levels in TS 2008 the same as TS 2003?

After reviewing the specs on RDP 5.4 and 5.3, they do contain the same encryption levels as RDP 6. These levels are:
  • Low: All data sent from the client to the server is protected by encryption based on the maximum key strength supported by the client.
  • Client Compatible: All data sent between the client and the server is protected by encryption based on the maximum key strength supported by the client.
  • High: All data sent between the client and server is protected by encryption based on the server's maximum key strength. Clients that do not support this level of encryption cannot connect.
  • FIPS: All data sent between the client and server is protected using Federal Information Processing Standard 140-1 validated encryption methods. Clients that do not support this level of encryption cannot connect.

Tuesday, January 5, 2010

How do you call functions from different code?

PowerShell Allows you to call up functions that are stored in other scripts. A few things that you need to consider before you do this.

1 – Your calling script must always have access to the script that it is including in its code.

2 – Troubleshooting. You now must consider multiple scripts with looking into bugs.

3- It will be harder to read your script because you will have to open multiple scripts.

We are going to first look at the calling script.

  1. . d:\PowerShell\functionlib.ps1
  2. $Name = Read-Host "What is your name: "
  3. WriteName($Name)
  4. StaggerName($Name)

Line 1 is telling our script the file path to another script to include. In this case, . d:\PowerShell\FunctionLib.ps1.

Line 2 is asking for the user to input data.

Lines 3 and 4 call 2 different functions from the same external script.

Now let us look at the external script being called.

  1. Function WriteName($strName)
  2. {
  3. Write-Host $Name
  4. }

  1. Function StaggerName($strName)
  2. {
  3. $RevName = ""
  4. For($i=0; $i -le $strName.length-1; $i++)
  5. {
    1. $RevName = $strName.Remove($i)
    2. $RevName
  6. }
  7. }

There are two functions listed here, WriteName and StaggerName. We are also sending data to each of these functions.

This can be advantageous so you do not need to rewrite code or do a Copy-Paste between source files. Just remember if that code is being used by multiple scripts before you modify it.

Monday, January 4, 2010

How to delegate Admin on an RODC.

Read Only Domain Controllers are a great option for sites with less then desierable security. When deploying RODCs, one thing to consider is a local administrator. Unlike traditional Domain Controllers, RODCs areable to have a local administrator. These local administrators do not have Domain Administrator rights. They can only work on their RODC. Some of the tasks they can perform are:
· Install hardware devices, such as network adapters and disk drives
· Manage disk drives and other devices
· Install software updates and drivers
· Stop and start Active Directory Domain Services (AD DS)
· Install and remove other server roles and features
· View logs in Event Viewer
Manage shares and other applications and services

How do you delegate the local administrator role for an RODC? If you are using the wizard, you can delegate this role to a user or group on the Delegation of RODC installation and Administration page. (See below)

You can also delegate after installation in one of two ways. By opening the RODC account property, you can specify the local administrator in the Managed by tab. Click Change and select the user or group you want to delegate to.

You can also do it using the commands ntdsutil local roles or dsmgmt local roles command. Delgation via command line is not recommended because it is stored locally, not in Active Directory.