Advanced Windows PowerShell Scripting Video Training


Monday, December 12, 2011

How to let users see websites that do not have a rating

Content Advisor uses a rating system known as Recreational Software Advisory Council on the Internet (RSACi) to determine if the content in a web site is suitable for the user based on the user's preferences.  The rating levels are shown below:

Level | Language | Nudity | Sex | Violence
4 | Explicit or crude language | Provocative frontal nudity | Explicit sexual activity | Wanton and gratuitous violence
3 | Obscene gestures | Frontal nudity | Non-explicit sexual touching | Killing with blood and gore
2 | Moderate expletives | Partial nudity | Clothed sexual touching | Killing
1 | Mild expletives | Revealing attire | Passionate kissing | Fighting
0 | Inoffensive slang | No nudity | No sexual acts | No violence

If Content Advisor is turned on and a website does not include an RSACi rating, that content is blocked.  To override this, open Internet Explorer's Properties.

Click the Content tab.

Click Settings

In the Content Advisor window, click the General tab.

Check Users can see websites that have no rating and then click OK twice


Friday, December 9, 2011

How to control the installation of Add-Ons in Internet Explorer.

For many organizations, controlling what can be added to clients helps to reduce the Total Cost of Ownership (TCO) of a network.  Controlling what extensions can be added to Internet Explorer is part of the TCO reduction effort because it spares the IT staff from support issues caused by non-approved add-ons.


The first thing we need to do is to discover the GUID of an Add-On that we want to prevent from being installed.  For this reason, you first need to install it on a test client.


Once installed, open Internet Explorer.


Click Tools / Manage Add-ons.


Browse to the Add-on that you want to prevent the installation of.


Right mouse click the Add-on and select More Information.


Record the GUID ( curly braces as well ) and the Name.



Close the window.


Open a Group Policy that is scoped to the computers that you want to prevent add-ons from being installed on.


Browse to Computer Configuration / Policies / Administrative Templates / Windows Components / Internet Explorer / Security Features / Add-on Management.


Enable the policy for Add-on List.


Click Show  and enter the Name in the Value Name field and the Class ID/GUID in the Value field. Click OK when done.


Click OK again.


Enable the policy for Deny all add-ons unless specifically allowed in the Add-on List.


Now, only the Add-on that you listed can be installed once this GPO is applied to your clients.

Thursday, December 8, 2011

Case sensitive “Contains” operator in PowerShell

In PowerShell, we can use the -contains operator to determine if a collection contains the value that we are looking for.  Here is an example:


$collection = "One","Two","Three"
$collection -contains "One"

In this example, True would be returned. In the next example, True would also be returned.

$collection -contains "one"

The difference is that the 'O' is lower case.  This may not serve your needs if case sensitivity is a requirement.  The code below will provide a case sensitive test.


$collection -ccontains "one"


Now the result will be False.

Thursday, December 1, 2011

How to Disable the clients from removing the IE Menu Bar with Group Policy.

This is a simple fix utilizing Group Policy.  Make sure you are doing this in a GPO that is properly scoped to the Users that you want affected by this policy.

In your GPO, browse to User Configuration \ Policy \ Administrative Templates \ Windows Components \ Internet Explorer \ Toolbars.
Enable the following policies:
  • Disable customizing browser toolbar buttons.
  • Disable customizing browser toolbars.


Tuesday, November 29, 2011

MCTExpert is now on the Android Market!

Today MCTExpert is proud to announce our first step in the exciting world of mobile apps.  After a month of research and development, our first demo app is on the Android Marketplace.  “American Road Trip” was inspired by a game played with 12x12 inch cards on family road trips a long time ago with my brothers in the back seat of the car.   This version is more dynamic.

This demo app served as our test bed for developing our first code library for the Android platform.  It also allowed us to work on the procedures that are needed to get an application from the design board to the Android Marketplace.  I invite you to download this app and give your kids a video game that will keep their eyes more on the world around them.

Plans are on the table to take on more challenging projects as we continue to build our code library and bring some great ideas to the Android Market.

Monday, November 28, 2011

Prevent a specific type of device from installing on a client.

This process can be completed in either local or Group Policy.


Plug in the device that you wish to restrict.


Open Device Manager and then open the properties of the device.



Click the Details tab.

From the Property drop down box, select Device class guid.

Record the Value.



Close Device Manager


Open either local policy or the GPO that you will use to manage this restriction.


Expand Computer Configuration / Administrative Templates / System / Device Installation / Device Installation Restrictions.


Double click Prevent installation of devices using drivers that match these device setup classes.



Click Enable and then click Show.




Enter the GUID you recorded earlier.  Include both the open and close curly braces on each end of the GUID. Click OK.



Click OK. Close the policy editor.
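
Before adding a class GUID to the policy, it helps to see which devices on the client share that setup class. The following is an added example, not part of the original post: the function names are hypothetical, the registry path for the policy's deny list is an assumption to verify on your build, and the DiskDrive GUID in the usage line is only a sample.

```powershell
# Added example: preview what a device setup class deny entry would affect.
# Assumption: the policy stores its GUID list under this key (verify on your build).
$DenyClassesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses'
# A class GUID must include both curly braces, as the steps above require.
$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-DeniedDeviceClass {
    # Return the GUIDs already listed in the policy, or nothing if it is not configured.
    if (-not (Test-Path $DenyClassesKey)) { return @() }
    $item = Get-ItemProperty -Path $DenyClassesKey
    if (-not $item) { return @() }
    # Skip the PSPath/PSProvider properties that the registry provider adds.
    @($item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [string]$_.Value })
}

function Get-DeviceClassImpact {
    param([Parameter(Mandatory = $true)][string]$ClassGuid)

    if ($ClassGuid -notmatch $GuidPattern) {
        throw "Expected a GUID with both curly braces, got '$ClassGuid'"
    }

    # Devices currently known to the client that belong to this setup class.
    # -eq and -contains compare strings case-insensitively, which suits GUIDs.
    $present = @(Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq $ClassGuid } |
        Select-Object Name, PNPDeviceID)

    [pscustomobject]@{
        ClassGuid      = $ClassGuid
        AlreadyDenied  = (Get-DeniedDeviceClass) -contains $ClassGuid
        PresentDevices = $present.Count
        Devices        = $present
    }
}

# Sample call with the DiskDrive setup class (sample value, not from the post):
Get-DeviceClassImpact -ClassGuid '{4d36e967-e325-11ce-bfc1-08002be10318}'
```

A class with many present devices is a sign that the restriction is broader than the single device you plugged in.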

Friday, November 25, 2011

Password Change prompt in Windows 7

You can set the number of days in advance that a user receives a warning about their password expiring using Group Policy.


You will find this setting at: Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options \ Interactive Logon: Prompt user to change password before expiration.


Just enable this policy and set the number of days that you want the warnings to begin.  This will appear as a pop up balloon.  If you are preventing balloon pop ups, the user will not receive notification.


If you do not want to enable balloon notifications, try the logon script located at this site.  Make sure you test it before using it in a production environment.

Thursday, November 24, 2011

What does the -b switch do in the OSCDIMG command?

In class, we used the OSCDIMG command to create a Windows PE image, and a question came up as to what the -b switch does. According to Microsoft, the -b option specifies the location of the El Torito boot sector file.
From Wikipedia, the El Torito Bootable CD Specification is an extension to the ISO 9660 CD-ROM specification. It is designed to allow a computer to boot from a CD-ROM.  In short, this helps us create a bootable image.

Wednesday, November 23, 2011

Change the number of cached credentials

Many years ago, Microsoft allowed users to log on to Windows clients utilizing a set of cached credentials.  These were credentials from a previous authentication with a domain controller.  This allowed for two things.


1) The user could log on to a mobile computer without contacting a domain controller and,

2) The user could logon to the client before the network connection initialized.  This gave the appearance of Windows booting faster.  It is also why the hard drive is still going strong on the I/O operations after you log in.

By default, Windows 7 stores the credentials of the last 10 logged-on users and Windows Server 2008 stores the previous 25.  You can change these values to better suit your organization's needs.

Click Start.

Type Regedit and press Enter.

Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

Change the value of CachedLogonsCount to any value between 0 and 50.


Giving the value of zero will disable cached credentials.  Any value above 50 will be treated as 50.
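
The same setting can be checked from PowerShell instead of Regedit. This is an added example, not part of the original post: it reads the Winlogon value CachedLogonsCount (stored as a string), applies the 0 to 50 rule described above, and compares the result with a baseline. The function names and the baseline of 2 are assumptions chosen for illustration.

```powershell
# Added example: audit the cached-logon setting without opening Regedit.
# The baseline of 2 is an assumed value for illustration, not one from the post.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function ConvertTo-EffectiveCachedLogons {
    # Turn the raw registry string into the number Windows will actually use.
    param([string]$RawValue)

    if ([string]::IsNullOrEmpty($RawValue)) { return $null }   # value is not set
    $parsed = 0
    if (-not [int]::TryParse($RawValue.Trim(), [ref]$parsed)) {
        throw "CachedLogonsCount is not numeric: '$RawValue'"
    }
    if ($parsed -lt 0) { throw "CachedLogonsCount is negative: $parsed" }
    # Any value above 50 is treated as 50; zero disables cached credentials.
    return [Math]::Min($parsed, 50)
}

function Test-CachedLogonsBaseline {
    param([int]$MaxAllowed = 2)

    $item = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    $raw = if ($item) { [string]$item.CachedLogonsCount } else { $null }
    $effective = ConvertTo-EffectiveCachedLogons $raw

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        RawValue   = $raw
        Effective  = $effective
        MaxAllowed = $MaxAllowed
        # If the value is not set the OS default applies, so report it as non-compliant.
        Compliant  = ($null -ne $effective) -and ($effective -le $MaxAllowed)
    }
}

function Set-CachedLogons {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][ValidateRange(0, 50)][int]$Count)

    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set CachedLogonsCount to $Count")) {
        # The value is a string (REG_SZ), so write it as one.
        Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value ([string]$Count) -Type String
    }
}

Test-CachedLogonsBaseline
# Set-CachedLogons -Count 2 -WhatIf   # preview the change from an elevated prompt
```

Mobile computers that must log on away from the domain need a value of at least 1, so a baseline of 0 is only suitable for machines that always reach a domain controller.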

Tuesday, November 22, 2011

How to turn off Windows 7 System Restore with Group Policy


Click Start / Administrative Tools / Group Policy Management

Create or use an existing GPO that is scoped to the clients you want to make this change to.



Edit your GPO

Browse to Computer Configuration / Policies / Administrative Templates / System / System Restore

Double click Turn off Configuration.

Set this policy to Enable and click OK.

Close the Group Policy Management Editor.

Scope the GPO to deploy the GPO to the target computers.


Remember, it may take a few reboots for the GPO to take effect.

Monday, November 21, 2011

How to prevent new USB devices from being installed on a client.

In local (or Group) policy, expand Computer Configuration / Administrative Templates / System / Device Installation / Device Installation Restrictions.


Double click Prevent installation of Removable Devices.


Select Enable and click OK.

Close local (or Group) policy.

Friday, November 18, 2011

How to list all the WMI namespaces and their classes in PowerShell

Get ready for a real long list, but here is how you do it.

Get-WMIObject -Namespace root -List -Recurse
Simple, yet effective.  Be prepared though. My Windows 7 Ultimate returned 4,608 classes.

Get-WMIObject -Namespace root -List -Recurse | Get-Member
I receive 60251 classes. There is a lot of information in WMI.

Thursday, November 17, 2011

How to Delete a DNS Zone

When it is time to remove a DNS zone for a server, log on with an account that has local administrative rights to the server. We are going to delete a zone called

Type the following line.

dnscmd nyc-dc1 /zonedelete

Press Y to confirm the delete.

Wednesday, November 16, 2011

How to sort an object with one property descending and another property ascending with PowerShell?

I'll admit, I did not come up with the answer to this one.  I pulled it from the help file for Sort-Object.  It was a good question though.

get-service | sort-object -property @{Expression="Status";Descending=$true}, @{Expression="DisplayName";Descending=$false}

The above command is all on the same line.

First we used Get-Service to get some objects to work with.  We then piped it to Sort-Object and we used the -Property parameter to tell PowerShell what values we are interested in sorting.


Next we switch to creating a hash table to specify that we first want to sort the Status property in descending order.  We do this by setting the Descending flag to Boolean True.  In PowerShell, Boolean true is $true and Boolean false is $false.  We then specify the next value that we want to sort by, which is DisplayName, and we set the Descending flag to Boolean $false.


The end result is a list of all services that is sorted in descending order by Status and then in ascending order by DisplayName.

Tuesday, November 15, 2011

Windows 8 app History

Note: Information provided from Windows 8 Developer Preview


Windows 8 has a new tab in the task manager called App History.  This tab allows you to monitor the usage of Metro apps.


With Windows 8 being designed for a more mobile workforce, I can see this tab being very useful.  You can identify how much CPU time but, more importantly, how much network bandwidth is being consumed.  With our more mobile society, one network hogging app can really degrade the user's experience.

Monday, November 14, 2011

Windows 7 Installation does not see my hard drive.

It is possible that on some very advanced systems, the Windows 7 installer may not have the drivers for your hard drive.  Follow this simple set of instructions to load your drivers into Windows 7 during installation.


Boot from the Installation DVD.


Choose your language and click Next.



Click Install Now.



Check I accept the license agreement and click Next.



Click Custom.



Click Load Driver.



Browse to the media that contains your drivers.  Once loaded, you may need to click Refresh to see your hard drive.

Friday, November 11, 2011

List all properties of a user object with PowerShell

Enumerating a user account's properties in PowerShell using the command Get-ADUser -Filter 'name -like "username"' only gets you a small subset of the data.


If you want to see it all, try this:

Get-ADUser -Filter 'name -like "username"' -Properties *


You will see all the attributes of the user object.

Thursday, November 10, 2011

How to join a client to a domain via command line

Windows 7/2008 R2 have a feature that allows you to join a client to the domain without actually having access to the client.  It is called Offline Domain Join.  This process involves creating a file on the domain controller and then using that file on the client to join it to the domain.  Let’s take a look at how to make that happen.


We are going to perform this on the server.  The idea is to join a client, NYC-CL1, to the domain in an Organizational Unit called Clients.  The default container for joining clients to the domain is Computers, but this exercise will allow you to join the client to the OU that you want the computer object to be stored in.

On the Domain Controller, click Start.


Type CMD.


Right click the CMD.exe that appears in the search list and then click Run as Administrator.


Type djoin /provision /domain /machine nyc-cl1 /savefile nyc-cl1_File /MachineOU "OU=Clients,DC=contoso,dc=com"


Once this is done, we can see the computer object has been created in the Clients OU.




You now need to copy that file to the machine to be joined.


On the client computer, open an elevated command prompt as you did earlier on the server.


Make sure the nyc-cl1_File is accessible in the file structure where you are typing this command line.


Type djoin /requestODJ /loadfile NYC-CL1_File /windowspath %SystemRoot% /localos


You should see a message similar to the one below.


Reboot the client.


Below is Microsoft's information on some of the switches used in this demo.


/provision Creates a computer account in AD DS.
/domain Specifies the name of the domain to join.
/machine Specifies the name of the computer that you want to join to the domain
/savefile Saves provisioning data to a file.
/machineou Specifies the name of the organizational unit (OU) in which you want the computer account to be created. By default, the computer account is created in the Computers container.
/requestodj Requests an offline domain join at the next start.
/Loadfile Specifies the output from a previous provisioning command.
/windowspath Specifies the path to the Windows directory of the offline image. If you are using the /localos parameter, specify %systemroot% or %windir% as the value of the /windowspath parameter.
/localos Targets the local operating system installation, instead of an offline image, with the domain join information. If you use this parameter, the value that you specify for /windowspath should be %systemroot% or %windir%. Run this parameter only on a destination computer that you want to join to the domain. This parameter is blocked from being run on a domain controller. Because this parameter injects the blob data into the locally running operating system image, you must restart the computer to complete the domain join operation, as you must also do for an online domain join.

Wednesday, November 9, 2011

Rename all the files in a directory to lowercase with PowerShell

Here is a case where I was thinking too much.  While I was naming about 500 image files for an app that I was working on, I named them in all uppercase lettering.  Well, lowercase was required.  I then started writing a small PowerShell function to go through the folder and rename every image file to lowercase.  Way too much work.  It ended up being a one liner.

Get-ChildItem *.txt | ForEach {$_ | Rename-Item -NewName $_.Name.ToLower()}

Seriously, it is that easy.

Tuesday, November 8, 2011

List installed roles and features in Server Core 8

Tested on Windows Server 8 Developer Preview.

On the 2008 R1 and R2 versions of Server Core, we could list all the roles and features using the OCList command.  This gave us a large and messy list.  We can use PowerShell to give us a list of what is installed, and separately what is not.
At the command prompt, type PowerShell and press Enter.

We need to expand the normal cmdlet set for PowerShell by importing the ServerManager module.

Import-Module ServerManager

To get a list of all installed components:

Get-WindowsFeature | Where {$_.Installed -eq $True}

Conversely, we can also get the list of roles and features that are not installed.

Get-WindowsFeature | Where {$_.Installed -eq $False}

Monday, November 7, 2011

Reliability Monitor is Empty in Server 2008

On some installations of Server 2008, the Reliability Monitor does not record data.  The instructions below are from Microsoft and I've tested them out.  They do work.


  1. Click Start, type Task Scheduler in the Search box, and then click Task Scheduler.
  2. Enable the trigger that regularly starts the RacTask task.
    1. In Task Scheduler, expand Task Scheduler Library, expand Microsoft, and then expand Windows.
    2. Right-click RAC, click View, and then click to select the Show Hidden Tasks command.
      Note If the Show Hidden Tasks command is already selected, go to step 2c.
    3. Double-click RacTask.
    4. In the RacTask Properties dialog box, click the Triggers tab.
    5. On the Triggers tab, double-click the One time trigger.
    6. In the Edit Trigger dialog box, click to select the Enabled option, and then click OK.
    7. In the RacTask Properties dialog box, click OK.
    8. Close Task Scheduler.
  3. Update a registry setting.
    1. Click Start, type Regedit in the Search box, and then click Regedit.
    2. In Registry Editor, set the value of the following registry entry to 1:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\WMI\WMIEnable

  4. Restart the computer.

Friday, November 4, 2011

PowerShell 3 on the Horizon

This is just an "I told you so."  For those of you who have taken my classes over the past 2 years you know that I've been encouraging all network administrators to learn PowerShell.  I'm now looking at Windows Server 8 DP.  PowerShell v3 is on it and WOW!  The additional functionality.  The help files are not fully in place, but I can see hundreds of new functions and cmdlets to support the virtual/cloud environment.

My next PowerShell class is in Portland, Maine on December 12th at VTEC.  I also will be providing another one in Fort Wayne, IN in early 2012 at ENS.  Please contact these training centers and book your seat.

Thursday, November 3, 2011

How to shut down Windows 8

This was one of my big frustrations.  For years the Shut Down option has been in the Start menu.  If you are working with Windows 8 with the touch based interface turned off, the shut down procedure has not changed.  With Metro turned on, it is different.


Just move your finger to the lower left corner of the screen or press your finger on the right side and move it left.  A menu similar to the one below appears.


Touch Settings

Touch the Power icon (highlighted in blue)


Now touch Shut Down



Wednesday, November 2, 2011

How long can a GPO name be?

This was a unique one.  I created a GPO with the longest name possible.  Instead of counting I switched to PowerShell.


Open PowerShell on the Domain Controller.

Type Import-Module GroupPolicy

The name I used was a repeating 0123456789 to help make locating it easier.  I then used the following PowerShell line to count the characters of the name for me.

((Get-GPO -All | Where {$_.DisplayName -like "01234*"}).DisplayName).Length

The returned value was 255.

Tuesday, November 1, 2011

What is the DUID found with IPv6 DHCP?

Below is a screen shot of an IPConfig /all command:


The question from class is “What is the DUID?”


According to section 9 of RFC3315, DHCP servers use DUIDs to identify clients for the selection of configuration parameters and in the association of IAs with clients.  An IA (Identity Association) is a collection of addresses assigned to a client.  The DUID must be both unique in the environment and dynamically created.  This is because some devices cannot store this information.  For this reason, a DUID is generated in one of 3 ways.  The link above contains more detailed information.

  • Link-layer Address Plus Time
  • Vendor-assigned unique ID based on Enterprise Number
  • Link-Layer address
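
The three DUID forms can be told apart from the first two bytes of the value that IPConfig /all prints. The following is an added example, not part of the original post, that decodes a DUID using the RFC 3315 layouts; the function names are hypothetical and the sample DUID is constructed.

```powershell
# Added example: decode a DHCPv6 DUID as shown by ipconfig /all (RFC 3315, section 9).
function Read-BigEndian {
    param([byte[]]$Bytes, [int]$Offset, [int]$Count)
    [long]$value = 0
    for ($i = 0; $i -lt $Count; $i++) { $value = ($value * 256) + $Bytes[$Offset + $i] }
    return $value
}

function Join-HexBytes {
    # Format the bytes from $Start to the end as XX-XX-...; caller checks the length.
    param([byte[]]$Bytes, [int]$Start)
    ($Bytes[$Start..($Bytes.Length - 1)] | ForEach-Object { $_.ToString('X2') }) -join '-'
}

function ConvertFrom-Duid {
    param([Parameter(Mandatory = $true)][string]$Duid)

    $text = $Duid.Trim()
    if ($text -notmatch '^[0-9A-Fa-f]{2}([-:][0-9A-Fa-f]{2})+$') {
        throw "Not a hex DUID: '$Duid'"
    }
    $bytes = [byte[]]@($text -split '[-:]' | ForEach-Object { [Convert]::ToByte($_, 16) })
    # A 2-byte type code followed by at most 128 octets of DUID content.
    if ($bytes.Length -lt 3 -or $bytes.Length -gt 130) {
        throw "Invalid DUID length: $($bytes.Length) bytes"
    }

    $type = [int](Read-BigEndian $bytes 0 2)
    $out = [ordered]@{
        Type = $type; TypeName = 'Unknown'; HardwareType = $null
        GeneratedUtc = $null; EnterpriseNumber = $null; Identifier = $null
    }

    switch ($type) {
        1 {   # Link-layer address plus time: hardware type (2), time (4), address
            if ($bytes.Length -lt 9) { throw 'DUID-LLT is truncated' }
            # Time is counted in seconds since midnight UTC, January 1, 2000.
            $epoch = New-Object DateTime -ArgumentList 2000, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
            $out.TypeName     = 'Link-layer Address Plus Time'
            $out.HardwareType = [int](Read-BigEndian $bytes 2 2)
            $out.GeneratedUtc = $epoch.AddSeconds((Read-BigEndian $bytes 4 4))
            $out.Identifier   = Join-HexBytes $bytes 8
        }
        2 {   # Vendor-assigned: enterprise number (4), then a vendor-defined identifier
            if ($bytes.Length -lt 7) { throw 'DUID-EN is truncated' }
            $out.TypeName         = 'Vendor-assigned unique ID based on Enterprise Number'
            $out.EnterpriseNumber = Read-BigEndian $bytes 2 4
            $out.Identifier       = Join-HexBytes $bytes 6
        }
        3 {   # Link-layer address only: hardware type (2), address
            if ($bytes.Length -lt 5) { throw 'DUID-LL is truncated' }
            $out.TypeName     = 'Link-Layer address'
            $out.HardwareType = [int](Read-BigEndian $bytes 2 2)
            $out.Identifier   = Join-HexBytes $bytes 4
        }
        default { $out.Identifier = Join-HexBytes $bytes 2 }
    }
    [pscustomobject]$out
}

# Constructed sample value, not taken from the screen shot in the post.
ConvertFrom-Duid '00-01-00-01-16-3E-9A-80-00-15-5D-01-02-03'
```

Because the first form embeds a MAC address and a creation time, clients deployed from one cloned image can present the same DUID, which is worth checking when DHCPv6 leases collide.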

Monday, October 31, 2011

Use GPO Preferences to populate built–in groups on your clients.

If you need to add users or domain groups to the built-in groups on your clients, you have 2 choices.  You can use restricted groups.  The problem with restricted groups is that they will remove any existing members of that group and prevent you from adding any more without using Group Policy.  Another option is to use GPO preferences.

Create a GPO to hold this GPO preference.

Edit the policy and expand Computer Configuration / Preferences / Control Panel Settings.

Click Local Users and Groups and then right mouse click it.

Select New –> Local Group

In the Action drop down list, ensure Update is selected.  The Update action will not remove the group if it already exists.  If it does not exist, the group will be created.

In the Group Name field, type the name of the group that you want to add members to.

Under Members, click Add.

Click OK when completed.


Apply this policy to the appropriate portion of Active Directory.

Refresh the GPOs on your client and examine the local built-in group.  Your users should now be members of that group.

Friday, October 28, 2011

DFSR Migration for RODC is stuck

During a DFSR sysvol migration on Windows Server 2008, problems can occur with the migration of Read Only Domain Controllers.

See the image below.


The RODC is stuck trying to move to the Prepared state.  First go to the RODC and type Repadmin /SyncAll /AeD.


On the PDC Emulator, run dfsrmig /GetMigrationState.

If the migration completed, continue on.  If not, type dfsrmig /CreateGlobalObjects. This will manually create the global objects for DFS replication.

On the PDC Emulator, run dfsrmig /GetMigrationState. You should be ready to move on to the next step in the migration process.

Thursday, October 27, 2011

Delete a DNS zone with PowerShell

When it comes time to remove a zone from a DNS server, you can accomplish this task with PowerShell


We are going to remove a zone called


Log into your DNS server with an account that has the permissions to delete the zone.


Open PowerShell and type the following command.


Get-WMIObject -NameSpace "Root\MicrosoftDNS" -Class MicrosoftDNS_Zone | Where-Object {$_.Name -eq "Test.Contoso.Com"} | Remove-WMIObject


You may need to close and then reopen the DNS console to see the zone completely removed.

Wednesday, October 26, 2011

Utilizing Windows Server 2008 R2 Bare Metal Recovery

A new feature of Server 2008 R2 allows you to recover a server from a completely failed hard drive.  The Image restore capability is a combination of using Windows Server Backup and Windows Recovery Environment (WinRE).

Windows Server Backup is utilized to create the image, while WinRE is used to apply the image.

To create the image, first install Windows Server Backup feature on your server.
Open Server Manager
Click Features.
Click Add Features
Scroll down the list and click Windows Server Backup Features and then click Install/Next until the installation completes.

Next, create a bare metal recovery image
Open Windows Server Backup
Create a backup.  In this example, we are clicking Backup Once.
Make sure Different options is selected and then click Next.

For this demonstration, we are going to select Custom. Full Server will also work.  By using Custom, we can select Bare Metal recovery and take the minimum data required.

In the Select Items for Backup window, click Add Items.

Check Bare metal recovery.  The rest of the required items will auto-check.  Click OK.

At the Select Items for Backup window, click Next.

At the Select Destination Type window, select what is appropriate for your environment.  I am selecting Remote Shared Folder.

On the Specify Remote Folder window, provide a UNC path to the share where this data will be stored.
In the Access control area, select what is appropriate for your environment.
Click Next.

If prompted, provide appropriate credentials.

On the Confirmation window, click Backup.
Wait for the backup to complete.

Once the backup was completed, I rebooted this server using Windows PE.  Utilizing the Diskpart command, I formatted the C: drive to simulate a new hard drive to replace the existing one.

Use the installation media for Server 2008 R2 to boot the server.
At the first screen, select the language that you want to use and click Next.

Click Repair your computer.

At the System Recovery Options window, select Restore your computer using a system image that you created and click Next.

At the Re-image Your Computer warning, click Cancel.

In the Select a system image backup, click Next.

In the Select the location of the backup for the computer you want to restore, click Advanced.

At the next prompt, click Search for a system image on the network.

At the Are you sure you want to connect to the network prompt, click Yes.

Provide the UNC path to the share where the backup image is stored and click OK.

Provide credentials in the form of domain\useraccount that has access to this backup. Click OK.

Select the image that you want to use and click Next.

If you have problems reading the above image, click Refresh and try again.

Select the Date/Time of the image and click Next.

On the Choose additional restore options window, click Next.
Click Finish.
Click Yes at the warning.

The restore will now begin.

Once completed, the default options reboot the server.  At this point, the restore is completed.