Advanced Windows PowerShell Scripting Video Training


Monday, July 30, 2012

How to get the FSMO roles in PowerShell

Even though our domains are multimaster domains, not all functionality can be handled by each machine independently. For example, let’s take a look at the RID Master role.

A RID is what uniquely identifies all security objects in a domain. A security object is a user, computer, group, or inetOrgPerson. Each of these objects has a Security Identifier (SID). A SID looks like this:


To break this down:

  • The string is a SID
  • The revision level
  • The identifier authority value. Possible identifier authority values are:
      0 – Null Authority
      1 – World Authority
      2 – Local Authority
      3 – Creator Authority
      4 – Non-unique Authority
      5 – NT Authority
      9 – Resource Manager Authority
  • Domain or local computer identifier
  • Relative Identifier (RID). This is unique in the domain.



Active Directory uses the SID to identify an object that can have security access assigned to it. You and I use the user name; the user name maps to a SID whose RID portion is unique in the domain. If two domain controllers were handing out RIDs to new objects, there would be a chance that two objects could get the same SID, and the two different users would then have the same access as each other. With the RID Master being a single domain controller, this cannot happen.
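To make the breakdown above concrete, here is an added example (not code from the original post) that splits a SID string into the components listed, names the identifier authority from the table, and flags objects that share a SID, which is exactly the situation a single RID Master exists to prevent. The names and SIDs in the sample data are constructed for the demo.

```powershell
# Added example, not from the original post. Sample data is constructed.

function ConvertFrom-SidString {
    param([Parameter(Mandatory)][string]$Sid)

    # Identifier authority values from the table above
    $authorityNames = @{
        0 = 'Null Authority';    1 = 'World Authority';      2 = 'Local Authority'
        3 = 'Creator Authority'; 4 = 'Non-unique Authority'; 5 = 'NT Authority'
        9 = 'Resource Manager Authority'
    }

    # Layout: S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
    if ($Sid -notmatch '^S-(?<rev>\d+)-(?<auth>\d+)(?<subs>(?:-\d+)+)$') {
        throw "Not a valid SID string: $Sid"
    }
    [uint32[]]$subAuthorities = $Matches.subs.TrimStart('-') -split '-'
    $auth = [int]$Matches.auth
    $authName = if ($authorityNames.ContainsKey($auth)) { $authorityNames[$auth] } else { 'Unknown' }

    # The last sub-authority is the RID; everything before it identifies the
    # domain (or local computer) that issued the SID. Well-known SIDs such as
    # S-1-1-0 have a single sub-authority and therefore no domain part.
    $domainPart = if ($subAuthorities.Count -gt 1) {
        $subAuthorities[0..($subAuthorities.Count - 2)] -join '-'
    } else { '' }

    [pscustomobject]@{
        Sid                 = $Sid
        Revision            = [int]$Matches.rev
        IdentifierAuthority = $auth
        AuthorityName       = $authName
        DomainIdentifier    = $domainPart
        RelativeId          = $subAuthorities[-1]
    }
}

function Find-DuplicateSid {
    # $Objects: items with Name and Sid properties, e.g. built from
    # Get-ADObject -Filter 'objectSid -like "*"' -Properties objectSid
    param([Parameter(Mandatory)][object[]]$Objects)

    $Objects | Group-Object -Property Sid | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $parsed = ConvertFrom-SidString $_.Name
            [pscustomobject]@{
                Sid     = $_.Name
                Domain  = $parsed.DomainIdentifier
                Rid     = $parsed.RelativeId
                Objects = ($_.Group.Name -join ', ')
            }
        }
}

# Constructed sample input: alice and carol carry the same SID
$sample = @(
    [pscustomobject]@{ Name = 'alice';    Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
    [pscustomobject]@{ Name = 'bob';      Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1106' }
    [pscustomobject]@{ Name = 'carol';    Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105' }
    [pscustomobject]@{ Name = 'Everyone'; Sid = 'S-1-1-0' }
)

ConvertFrom-SidString $sample[0].Sid | Format-List
Find-DuplicateSid $sample | Format-Table -AutoSize
```

On a real domain, feed Find-DuplicateSid the objects returned by Get-ADObject instead of the constructed list; any output row means two different objects resolved to the same SID and therefore the same access.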

The easiest way to discover the FSMO (Flexible Single Master Operation) roles was to use NETDOM Query FSMO.


If you need to discover these roles in a PowerShell script, this is difficult because the information is returned as a string of text. To execute the PowerShell commands below, you must run them on a client or server with the ActiveDirectory module installed.

Import-Module ActiveDirectory

$FSMOObj = New-Object PSObject
# Retrieve the Schema Master (forest-wide role)
$FSMOObj | Add-Member -MemberType NoteProperty -Name "Schema" -Value (Get-ADForest).SchemaMaster
# Retrieve the Domain Naming Master (forest-wide role)
$FSMOObj | Add-Member -MemberType NoteProperty -Name "DomainNaming" -Value (Get-ADForest).DomainNamingMaster
# Retrieve the PDC Emulator (domain role)
$FSMOObj | Add-Member -MemberType NoteProperty -Name "PDC" -Value (Get-ADDomain).PDCEmulator
# Retrieve the Infrastructure Master (domain role)
$FSMOObj | Add-Member -MemberType NoteProperty -Name "Infrastructure" -Value (Get-ADDomain).InfrastructureMaster
# Retrieve the RID pool manager (domain role)
$FSMOObj | Add-Member -MemberType NoteProperty -Name "RID" -Value (Get-ADDomain).RIDMaster

# Send the object to the pipeline.
Write-Output $FSMOObj

This will send objects into the PowerShell pipeline that you can use in your code.
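For machines that do not have the ActiveDirectory module, here is an added example (not code from the original post) that does the parsing the post calls difficult: it turns the text that netdom query fsmo prints into an object with the same property names as $FSMOObj above, and refuses to return a partial object if a role line is missing. The netdom output below is a constructed sample; on a real domain controller replace it with the output of netdom query fsmo.

```powershell
# Added example, not from the original post. The sample output is constructed.

function ConvertFrom-NetdomFsmo {
    param([Parameter(Mandatory)][string[]]$Lines)

    # netdom role labels -> property names used in the $FSMOObj script above
    $roleMap = @{
        'Schema master'         = 'Schema'
        'Domain naming master'  = 'DomainNaming'
        'PDC'                   = 'PDC'
        'RID pool manager'      = 'RID'
        'Infrastructure master' = 'Infrastructure'
    }

    $result = [ordered]@{}
    foreach ($line in $Lines) {
        # Each role line is "<label>   <holder FQDN>", separated by two or more spaces
        if ($line -match '^(?<role>\S.*?\S)\s{2,}(?<holder>\S+)\s*$' -and
            $roleMap.ContainsKey($Matches.role)) {
            $result[$roleMap[$Matches.role]] = $Matches.holder
        }
    }

    # Fail loudly if a role was not found rather than returning a partial object
    $missing = $roleMap.Values | Where-Object { -not $result.Contains($_) }
    if ($missing) {
        throw "FSMO role(s) not found in netdom output: $($missing -join ', ')"
    }
    [pscustomobject]$result
}

# Constructed sample of what "netdom query fsmo" prints
$sampleOutput = @(
    'Schema master               DC1.contoso.com'
    'Domain naming master        DC1.contoso.com'
    'PDC                         DC2.contoso.com'
    'RID pool manager            DC2.contoso.com'
    'Infrastructure master       DC2.contoso.com'
    'The command completed successfully.'
)

# On a real DC: $fsmo = ConvertFrom-NetdomFsmo (netdom query fsmo)
$fsmo = ConvertFrom-NetdomFsmo $sampleOutput
$fsmo | Format-List

# Because the result is an object, it can be used in code, for example to see
# which domain controllers carry roles and so need care during maintenance
$fsmo.PSObject.Properties |
    Group-Object -Property Value |
    Select-Object @{ n = 'DomainController'; e = { $_.Name } },
                  @{ n = 'Roles'; e = { $_.Group.Name -join ', ' } }
```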

Friday, July 27, 2012

Easily open a Remote PowerShell Session on Server 2012

The GUI is good, but PowerShell is better. Many IT pros in my classes are confused about why we are moving more and more to text-based administration. All I can say is "everything old is new again."

Remember back in the day when we had the expensive mainframe that was larger than most people's living rooms? End users accessed it via terminals. We moved on to the client/server model when hardware began to shrink and became cheaper. Now we are moving to virtualized desktops and are accessing them from terminals. Well, the same thing is happening on the administrative side.

We used to do everything in text when it came to network administration. With Windows NT 3.5, we started doing it graphically, which made management very intuitive. There are some limitations though. Suppose I need to find all users whose SIDs end in 4, who are in the Newark OU and also in both the Finance and HR security groups; when I find them, I need to change their address, add them to another group, and repeat this search and change every week. The GUI cannot do that, so we need to know PowerShell to handle things like this.

Server 2012 is designed to allow you to manage multiple servers from one.  Let’s say that I need to open a remote PowerShell session on another server.  This is one way to do it:

  • Open PowerShell
  • Type Enter-PSSession -ComputerName Indy-SVR1


Notice that the command prompt has changed to let me know that I am now executing commands on Indy-SVR1.

Now try this.

  • Open Server Manager.
  • Right click the server that you want to open the remote PowerShell session on.


  • Click Windows PowerShell.


Take a look at the command prompt. You are remotely administering the remote server via PowerShell. If you selected multiple servers in Server Manager and then followed this procedure, you would open a remote PowerShell session on each one in a separate shell.
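When the job is the same on every server, one interactive session per server is more than you need. The following is an added example (not code from the original post) that checks which servers answer on WinRM, runs one command on all of them with Invoke-Command, and tags each result with the server it came from. The server names are assumptions.

```powershell
# Added example, not from the original post. Server names are assumptions.
$servers = 'Indy-SVR1', 'Indy-SVR2', 'Indy-SVR3'

# Only target servers whose WinRM listener answers; warn about the rest
$reachable = foreach ($server in $servers) {
    try {
        Test-WSMan -ComputerName $server -ErrorAction Stop | Out-Null
        $server
    }
    catch {
        Write-Warning "WinRM not reachable on $server : $($_.Exception.Message)"
    }
}

if (-not $reachable) {
    throw 'None of the servers answered on WinRM; nothing to do.'
}

# One round trip instead of one session per server. PSComputerName on each
# result tells you which server produced it.
Invoke-Command -ComputerName $reachable -ScriptBlock {
    Get-Service -Name WinRM, W32Time | Select-Object Name, Status
} | Select-Object PSComputerName, Name, Status |
    Sort-Object PSComputerName, Name |
    Format-Table -AutoSize
```

Enter-PSSession remains the right tool when you want to poke around interactively; Invoke-Command is for the repeatable case the post closes with.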

Wednesday, July 25, 2012

Create a New Password Setting Object in Windows Server 2012

Password Settings Object (PSO) is another name for a Fine-Grained Password Policy. PSOs allow us to set up a different password policy based on security group membership. For example, an employee who is working on a multi-billion-dollar drug might need to have more characters in their password and more frequent password changes than someone who does not handle critical company data. PSOs allow us to do that.


Up until now, PSOs were created with the ADSI Edit application or PowerShell.  Now, we can use the Active Directory Administrative Center.

  • Open the Active Directory Administrative Center.
  • Change to Tree View.
  • Expand System
  • Click Password Settings Container


  • Right click Password Settings Container and then select New -> Password Settings.



Here you can see all the settings that go into a PSO. A few items to point out:

  • Precedence: If a user is a member of more than one group with different PSOs assigned to each group, the PSO with the lower Precedence number will be the effective PSO.
  • Directly Applies To: If you do not add any users or groups to the PSO, it will not apply to anybody.

Another nice feature of the AD Administrative Center is that you can easily see the precedence values that have been used and which PSO is using them.
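The post mentions that PSOs can also be created with PowerShell. Here is an added example (not code from the original post) that builds two PSOs with the ActiveDirectory module, applies each to a group, and then shows how Precedence decides which one wins for a user who is in both groups, plus the same list of used precedence values the Administrative Center displays. The PSO names, group names and user name are assumptions for the demo.

```powershell
# Added example, not from the original post. Names are assumptions.
Import-Module ActiveDirectory

# Stricter policy for staff handling critical data. Lower Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-CriticalData' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 30) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false -Description 'Research staff'

# Baseline policy for everyone else
New-ADFineGrainedPasswordPolicy -Name 'PSO-Standard' -Precedence 100 `
    -MinPasswordLength 10 -PasswordHistoryCount 12 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -ReversibleEncryptionEnabled $false -Description 'All employees'

# "Directly Applies To": without subjects a PSO applies to nobody.
# Subjects must be users or global security groups (assumed to exist here).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-CriticalData' -Subjects 'Research-Staff'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Standard'     -Subjects 'All-Employees'

# A user who is in both groups gets the PSO with the lower Precedence
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge

# Which precedence values are already taken, and by which PSO
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Precedence, Name, AppliesTo
```

Keep precedence values unique; if two PSOs with the same precedence apply to a user, the tie is broken by object GUID, which is not something you want to rely on.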


Monday, July 23, 2012

Enable Active Directory Recycle Bin in Server 2012

In Windows Server 2008 R2, we had a new and very welcome feature added to our administrative tool bag. The Active Directory Recycle Bin allowed us to bring back deleted objects from Active Directory without losing any property of that object. Turning it on was an issue. Below is how you turn on the AD Recycle Bin in a 2008 R2 forest with a domain named.

1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:

For this example, my domain is

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=MCTNet,DC=COM' -Scope ForestOrConfigurationSet -Target ''

With Server 2012, you can now turn on the AD Recycle Bin in the GUI.

  • On a 2012 Domain Controller, open Server Manager.
  • Click Tools
  • Click Active Directory Administrative Center.
  • Right click the name of your domain (Contoso in this case) and select Enable Recycle Bin…


Notice that this is a one way operation just like in Server 2008 R2.

  • Click Yes.


Your AD Recycle bin will be fully active once all the Domain Controllers have been notified.
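Whichever way you enable it, you will want to confirm the feature is on before relying on it, and know how a restore looks from PowerShell. Here is an added example (not code from the original post) that checks the feature's enabled scopes, enables it by name if needed (the same one-way operation as the GUI dialog), lists deleted objects with the attributes they kept, and restores one user. The user name is an assumption.

```powershell
# Added example, not from the original post. User name is an assumption.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # EnabledScopes stays empty until Enable-ADOptionalFeature has been run
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    return ($feature.EnabledScopes.Count -gt 0)
}

if (-not (Test-ADRecycleBinEnabled)) {
    # One-way operation, just like the dialog above. -Target is the forest root.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target (Get-ADForest).RootDomain -Confirm:$false
}

# Deleted objects keep their attributes, including where they lived...
Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# ...and can be restored into their last known parent with memberships intact
Get-ADObject -Filter { samAccountName -eq 'jdoe' -and isDeleted -eq $true } `
    -IncludeDeletedObjects | Restore-ADObject
```

Objects deleted before the feature was enabled are not recoverable this way; only deletions made after the domain controllers have picked up the change keep their attributes.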



Friday, July 20, 2012

Join Windows Server 2012 to a Domain from Server Manager

When you first install Windows Server 2012, you will notice you are not asked for the name of the server during the installation. This is because a random name is generated. Take a look at the section of Server Manager below. Make sure you click Local Server.


Notice the name.  In this exercise we are going to change the name and join this server to the domain.  In reality, this process has not changed much since Windows 2000. 

Click on either the Computer name or the WORKGROUP name.


The System Properties window that we are familiar with appears.

Click the Change button.


Provide the new name for this server and the name of the domain.  Click OK.


Provide the appropriate credentials to add a client to this domain.


Once you get the welcome message, click OK.

Click Close and then Restart Now.

That is it for the GUI method of adding a server to your domain.
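The same rename-and-join can be scripted, which matters once you are building several servers. Here is an added example (not code from the original post) that checks the domain name resolves before asking for credentials, then renames the server and joins it in one step with Add-Computer. The server name, domain and OU path are assumptions.

```powershell
# Added example, not from the original post. Names and OU path are assumptions.
$domain  = 'contoso.com'
$newName = 'SRV-APP01'

# Resolve the domain first so a typo fails here, not half way through the join
Resolve-DnsName -Name $domain -Type A -ErrorAction Stop | Out-Null

# Prompt for an account that is allowed to join computers to the domain
$cred = Get-Credential -Message "Account allowed to join computers to $domain"

# Rename and join in one operation; -OUPath places the account where you want
# it rather than in the default Computers container, then restart as the GUI does
Add-Computer -DomainName $domain -NewName $newName -Credential $cred `
    -OUPath 'OU=Servers,DC=contoso,DC=com' -Restart
```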

Wednesday, July 18, 2012

Running PowerShell as an Administrator from Server Core

Here is one that I had not thought of. I'm exploring some AD DS installation options for Server Core. While looking around, I discovered that I needed to update my Help files. No problem, except you need to open PowerShell as an administrator. Starting it that way from the command prompt was something that I had not done. After some exploring I came up with this.

Type PowerShell to enter a PowerShell session.

Type Start-Process PowerShell -Verb RunAs and press Enter.

No problems updating help now.
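The same trick works inside a script. Here is an added example (not code from the original post) to put at the top of any script that must run elevated, such as one that calls Update-Help: it checks whether the current token holds the Administrators role and, if not, relaunches the script with Start-Process -Verb RunAs and exits the unelevated copy. It assumes the script has been saved to a file, since $PSCommandPath is empty in an interactive session.

```powershell
# Added example, not from the original post. Assumes this is saved as a .ps1 file.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isAdmin) {
    if (-not $PSCommandPath) {
        throw 'Save this as a script file; self-elevation needs a path to relaunch.'
    }
    # Relaunch this script in a new elevated PowerShell, then leave this one
    $psArgs = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $PSCommandPath)
    Start-Process PowerShell -Verb RunAs -ArgumentList $psArgs
    exit
}

# From here on we are elevated; Update-Help can write to the module folders
Update-Help -ErrorAction Continue
```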

Monday, July 16, 2012

Shutting Down Windows 8 on a PC


As we continue our march to Microsoft’s biggest redesign of the Windows user interface in over a decade, Windows 8, we need to be on the lookout for a few interface changes that may frustrate our users.  Here is one.  How to shut down Windows 8.

To shut down Windows 8, you need to access the Charm Bar. You can do this by moving your mouse to the upper or lower right. I've noticed that this is especially difficult in an RDP connection. Your other option is to press Windows key + C.


Click Settings.


Inside the Settings charm, click Power and then Shut Down.

This may be something to include in your initial end user training for Windows 8. Users will more than likely be frustrated with this interface at first. Taking the time to demonstrate it to your end users will greatly help end user acceptance of Windows 8.

Wednesday, July 11, 2012

Server 2012 makes sure you see when updates are available.


As I continue my transition of my physical servers from Windows Server 2008 R2 to Windows 2012, I’m taking note of the changes.  Below is a screen shot of the message you get when Windows 2012 has a pending update.


The rest works like Server 2008.