Advanced Windows PowerShell Scripting Video Training

Advanced Windows PowerShell Scripting Video Training
Advanced Windows PowerShell Scripting Video Training

Friday, December 31, 2010

Happy New Year!!!


Thank you to all my clients who have made 2010 such a good year.  I’m looking forward to spending 2011 with all of you.

How to mount a VHD in Disk Management

To complete this you will need a Windows 7 or Windows Server 2008 R2 client available.

Click Start and type Disk Management.

In the menu, click Create and format hard disk partitions.  This will open up Disk Manager

Click Action \ Attach VHD


Next, enter the location of your VHD file and click OK


Notice that you can check the box to mount the VHD in Read-only mode.


The drive will be loaded and you can open it just like it was an actual hard drive.

Wednesday, December 29, 2010

Using SConfig to set IP address on Server Core 2008 R2

Microsoft gave us a nice tool to use with the release of Windows Server 2008 R2 when working with server core. To set the IP address on Server Core 2008 R1, you would have to follow this procedure:

· Type netsh interface ipv4 show interfaces
· Press Enter
· Record the name of the interface you want to set a static IP address for. Sample output is below.

Idx Met MTU State Name
--- --- ----- ----------- -------------------
3 5 1500 Connected Local Area Connection

· Type netsh interface ipv4 set address name=3 source=static address= mask=
· Optionally, you can add a gateway address by appending gateway=address to the end of the command.
· In the Name parameter, we used the Idx value. We could have also typed “Local Area Network”.

The above method still works if you need to batch file something. Now with the R2 version, you can use a menu based system thanks to SConfig.

On you Server Core 2008 R2, log in and type sconfig.


Press 8 for Network Settings.


Select the index number for the network adapter that you want to configure. In this case, it will be 0.


Press 1 to Set Network Adapter IP Address


We can set this server core for DHCP by pressing D. It will only take a few seconds for the change to take effect. Had this adapter already been set to DHCP, we could click S for Static address.


You will need to enter data for the IP Address, Subnet Mask, and Default Gateway.

Once completed, you can set the DNS server if necessary by selecting 2


You will be given a chance to configure both a primary, and a secondary DNS server if you need to.

Once you are finished, press 4 to exit to the main menu and then 13, to exit SConfig.

Monday, December 27, 2010

RSAT (Remote Server Administration Tools)

For Windows Server 2000 and 2003, the installation media contained a support tools folder that allowed us to install the server management software on our clients. From Windows Server 2008, you need to download them. Below are the links to RSAT for both Vista and Windows 7. Remember to down load the correct version for both OS and processor. Below are the installation instructions from Microsoft.

1. On a computer that is running Windows 7, download the Remote Server Administration Tools for Windows 7 package from the Microsoft Download Center.

2. Open the folder into which the package downloaded, and double-click the package to unpack it, and then start the Remote Server Administration Tools for Windows 7 Setup Wizard.

Important: You must accept the License Terms and Limited Warranty to start to install the Administration Tools pack.

3. Complete all the steps that you must follow by the wizard, and then click Finish to exit the wizard when installation is completed.

4. Click Start, click Control Panel, and then click Programs.

5. In the Programs and Features area, click Turn Windows features on or off.

6. If you are prompted by User Account Control to enable the Windows Features dialog box to open, click Continue.

7. In the Windows Features dialog box, expand Remote Server Administration Tools.

8. Select the remote management tools that you want to install.

9. Click OK.

10. Configure the Start menu to display the Administration Tools shortcut, if it is not already there.

• Right-click Start, and then click Properties.

• On the Start Menu tab, click Customize.

• In the Customize Start Menu dialog box, scroll down to System Administrative Tools, and then select Display on the All Programs menu and the Start menu. Click OK. Shortcuts for snap-ins installed by Remote Server Administration Tools for Windows 7 are added to the Administrative Tools list on the Start menu.



Friday, December 24, 2010

Change Server Core 2008 R2 Windows Update Settings

In Server Core 2008 R1, this was a bit of a mess.  Microsoft provided us with a script.  We had to type:

Cscript c:\Windows\system32\scregedit.wsf /AU 4 to turn Automatic updates on.

To turn them back off we had to type Cscript c:\Windows\system32\scregedit.wsf /AU 0.

With R2, we have an easier method.  Type sconfig and press Enter

Press 5 for Windows Update Settings.


Press A for Automatic or M for Manual.


You will receive the prompt above to let you know that you disabled Automatic updates or, you will see the one below if you turned them on.


Wednesday, December 22, 2010

How to tell how long it has been since a computer logged in with PowerShell

This is an easy one liner in PowerShell.

Open PowerShell V2.

Once open, we need to access the Active Directory objects by typing Import-Module ActiveDirectory.

Now Type Get-adcomputer –filter * -properties lastlogondate | Where {$_.LastLogonDate –le [DateTime]::Now.AddDays(-7)}

We first use the Get-ADCopmuter cmdlet to access the computer objects in Active Directory. Setting –filter * allows us to work with all the computer objects. Next we added the –properties LastLogonDate. This is done because that attribute is normally now returned with the object. Second, we piped the output of the first command to the Where cmdlet. The $_.LastLogonDate variable looks at each input one at a time and grabs the LastLogonDate attribute for analysis. We then compare it to [DateTime]::Now.AddDays(-7) This command gets the current date/time from the host and subtracts 7 days from it. We then use the –le comparision operator (Less than or equal to) to determine if the date in Active Directory for the computer object is more than 7 days old.

Friday, December 17, 2010

Will a file screen look inside a .ZIP file?

From my testing, it does not. I set up a file screen to prevent .TXT files from being copied into a folder. In another folder that was not screened, I created two text files and then sent them to a compressed (.zip) file. I was able to copy the .zip file to the screen folder. To help prevent blocked files from being saved to restricted locations, you may want to consider also blocking .ZIP files.

Wednesday, December 15, 2010

Making sure your OUs have Deletion Protection

Deletion Protection is a feature that prevents an OU from being accidently deleted.  This is a feature of Windows Server 2008.  For those servers upgraded from Windows Server 2003, Deletion Protection is not turned on.  Until now the only way to turn on the Deletion Protection is manually.  Well, now you can use PowerShell V2 to take care of this for you.

Windows PowerShell V2 comes installed on Windows 7 and Windows Server 2008 R2. For previous versions of Windows, you can download PowerShell V2 from here:

You will also need to make sure the Active Directory Module for Windows PowerShell is installed.  This can be found as a feature in the Remote Server Administrator Tools.

The First step is to launch the PowerShell environment.  If you do not have an icon on the screen, you will find it is  Start \ All Programs \ Accessories \ Windows PowerShell \ Windows PowerShell

Once the Shell loads, you need to add the Active Directory module by typing Import-Module ActiveDirectory and pressing Enter.

First off, look for OUs that do not have Deletion Protection turned on:

Get-ADOrganizationalUnit – Filter * -Properties ProtectedFromAccidentalDeletion | Where {$_.ProtectedFromAccidentalDeletion –eq $False} | FT DistinguishedName

If any OUs are listed, you may want to enable the Deletion Protection.  To do this:

Get-ADOrganizationalUnit – Filter * -Properties ProtectedFromAccidentalDeletion | Where {$_.ProtectedFromAccidentialDeletion –eq $False} | Set-ADOrganizationalUnit –ProtectedFromAccidentalDeletion $True

Running the first command will verify that the protection is turned on.

Monday, December 13, 2010

How to prevent users from shutting down the PC

There may be situations in which you do not want to allow a user to shut down a client. This is an easy one to fix.

In Group Policy expand User Configuration \ Policies \ Administrative Templates \ Start Menu and Taskbar. Enable the policy for Remove and Prevent access to the Shut Down , Restart, Sleep, and Hibernate commands.

Or you can set it in the local policies on the client. User Configuration \ Administrative Templates \ Templates \ Start Menu and Taskbar. Enable the policy for Remove and Prevent access to the Shut Down , Restart, Sleep, and Hibernate commands.

Friday, December 10, 2010

Rename a Server Core 2008 R2 Server

This is now a very easy task over the R1 version.  The R1 method involed using the NETDOM command.  It went something like this:

netdom RenameCOmputer Old-Name /NewName:New-Name

you then had to manually reboot the machine by typing Shutdown /r /t 0.

In Server Core 2008 R2, you can use the sconfig command.

Log into your server core server.

Type sconfig and press enter.

Type 2 for Computer Name: and the press Enter.

Enter the computer name and press Enter.

You will then be asked for the username of a user who has the rights to change this servers name and then press Enter..


A new window will open up asking for that users password.  Enter it and press Enter.


You will need to click Yes to reboot the server.

Wednesday, December 8, 2010

How to clear the print queue when the user logs off (Domain Version)

A common problem with using a client that multiple users log into is that a sensitive document could be stuck in the local print queue. With law suit heavy lawyers running around, you do not want to put your organization at risk. The below procedure will help to mitigate this issue. (Note: The following procedure is performed and tested on Windows 7) This procedure will set up your clients to clear their print queues when a user logs off. This prevents the printer from coming online and printing sensitive information when another user logs on.

On your Windows 7 client, click image , type Notepad and press Enter.

Copy and past the following code:

net stop spooler
del %systemroot%\system32\spool\printers\*.shd
del %systemroot%\system32\spool\printers\*.spl
net start spooler

Click File \ Save As

In the Save as Type: dropdown box, select All FIles.

In the File name: box, type C:\DeletePrinJobs.cmd.

In a production environment, you may want to put this somewhere other then the C: drive. The above batch file will clear out any stuck printouts in the print queue on the local client when it the batch file is ran. To test this, I created two fictitious printers. One is the default printer, the other is not.


I sent test pages to both. Right now we have documents pending in both queues. When the batch file was ran, both queues emptied. To get this to happen each time a user logs off, you need to place it in a log off script.

You need to save the script in a location that all users will have access to. Also, you want this script replicated to all domain controllers. to do this, save it in the following location on a domain controller


Now, we need to modify a Group Policy to deliver this instruction to your clients.

On a Domain Controller, click Start \ Administrative tools \ Group Policy Management

Expand Forest:<YourDomainName>\Domains\<YourDomainName>\Group Policy Objects

Right click Group Policy Objects and click New

Give the GPO a name.

Click OK

Right click the GPO you just created and select Edit

Expand User Configuration \ Policies \ Windows Settings

Click Scripts (Logon/Logoff)


Click Double click Logoff

Click Add

Click Browse

You need to access the script through the namespace of your network. This ensures that any client requesting the script will get it from their local Domain Controller. For example, if your domain is, you would look in the location \\\SysVol\\scripts

Click the script that you created and then click Open

Click OK

Close the policy.

From here you will have to apply the GPO according to your company policies.

Once the GPO is applied, each time you users log off the client, any printouts in the local print queue will be deleted.

Friday, December 3, 2010

Can you use a file screen to prevent files from being redirected?

Yes you can. The scenario here is we have set up our clients, through Group Policy, to redirect the desktop to a server. I have also set up a files screen on the shared folder that will host the data. This file screen is configured to block .TXT files. When the user tries to create a .TXT file on their desktop, they are prevented from doing so. Below is the setup procedure to do this.

Step 1: configure the folder to hold the user data.

I created a folder on my server

Next I shared it by right clicking the folder and selecting Properties.



Click Advanced Sharing.

Click Permissions.

Click Add

In the Enter the object names to select box, type Authenticated Users and click Check Names.

Click OK


Click Authenticated Users

Check Full Control.

Click OK

Click OK

Click Close

The folder is not set up for your users to have their desktops redirected to this location.


Step 2

We now need to create the Group Policy that will redirect the users desktop to this location.

On your Domain Controller, click Start / Administrator Tools / Group Policy Management

Expand the tree until you expand Group Policy Objects.

Right click Group Policy Objects and click New.


Give the GPO a name.  In this example, we will call it DesktopRedirection.  Click OK

Under Group Policy Objects, right click DesktopRedirection and then click Edit.

Expand User Configuration / Windows Settings / Folder Redirection.

Right click Desktop and select Properties.

In the Settings drop down box, select Basic – Redirect everyone’s folder to the same location.

In Target folder location select Create a folder for each user under the root path.

IN Root Path, enter the UNC path to the folder we created earlier.  In this example, it is \\MCT-1\Desktop.


Click the Settings tab.

By default, Grant the user exclusive rights to Desktop.  For this example, I unchecked it.

Click OK


Close Group Policy Management Editor

In the Group Policy Management window, drag and drop the GPO onto the Organizational Unit that holds your user accounts.  Remember, you cannot link a GPO to the default users container.

This policy is now being applied to your users.


Step 3 Install FSRM

On the server that holders the Desktop folder, clickStart \ Administrator Tools \ Server Manager

You need to add the File Server Resource Manager Role service to this server.  If File Services are not installed, click Add Roles and add the File Services role to this computer.

In Server Manager click Roles.

Scroll down until you get to the Role Services section and click Add Role Services


Check File Server Resource Manager and then click Next.

Select the drive that you have the Desktop folder on.

Click Next

Click install.

Close the window when completed.


Step 4 Set up the file screen

Click Start / Administrator Tools / File Server Resource Manager

Expand File Screen Management

Right click File Screens and select Create File Screen.

In the File screen path, choose the Desktop folder that you created.

In Derive properties from this file screen template (recommended), choose the file screen you want to use.  For our example, we are using a custom file screen.  This screen blocks .TXT files.


We are now ready to test the screen

Log into your client as a user who has the Group Policy applied to them.

Attempted to create a .TXT file.  You should receive an error like the one below:


If not, make sure your group policies have replicated and this client has downloaded the policy.