Advanced Windows PowerShell Scripting Video Training


Friday, February 10, 2012

Get the number of days since a local account password was changed.

This method utilizes PowerShell to discover the number of days since a local account password has been changed.  For this process, we are going to take a look at the local Administrator account.

First, open PowerShell.
$admin = [ADSI]"WinNT://./Administrator,user"

This collected the Administrator object and placed it in a variable called $admin.


This will list some of the properties of this account.

The PasswordAge property reports the password age in seconds.  To convert this to days, we will need to divide it by 86400 (60 seconds in a minute X 60 minutes in an hour X 24 hours in a day).


First the command evaluates the content in the parentheses. This will be the value of the PasswordAge property as an integer value. Then we divide by 86400 seconds to get the result in days.
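The same PasswordAge conversion applied to every local user account, as an added example that is not code from the original post. It goes beyond the single Administrator account discussed above; the function name Get-LocalPasswordAge and the 90-day threshold are assumptions made for illustration.

```powershell
# Added example: password age in days for every local user account,
# read through the same WinNT ADSI provider used above.
$MaxAgeDays = 90   # Assumed review threshold; substitute your own policy value.

function Get-LocalPasswordAge {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $computer = [ADSI]"WinNT://$ComputerName,computer"
    foreach ($child in $computer.Children) {
        # The computer object also contains groups and services; keep users only.
        if ($child.SchemaClassName -ne 'user') { continue }

        $seconds = $child.PasswordAge.Value
        if ($null -eq $seconds) { continue }   # Property not populated for this entry.

        $days = [math]::Round($seconds / 86400, 1)
        [pscustomobject]@{
            Name            = $child.Name.Value
            PasswordAgeDays = $days
            PasswordLastSet = (Get-Date).AddSeconds(-$seconds)
            OverThreshold   = $days -gt $MaxAgeDays
        }
    }
}

# Oldest passwords first, so stale local accounts are at the top of the list.
Get-LocalPasswordAge |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table Name, PasswordAgeDays, PasswordLastSet, OverThreshold -AutoSize
```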

Wednesday, February 8, 2012

Phonetic attributes in Active Directory

Sometimes you come across a user account or maybe a resource that is named in a way that is not common to your native language.  When users search for this resource they may have some difficulty.  In Active Directory there are now several phonetic attributes to help your users out.

Contains the phonetic given name or first name of the person.

Contains the phonetic last name of the person.

Contains the phonetic department name where the person works.

Contains the phonetic company name where the person works.

The phonetic display name of an object. In the absence of a phonetic display name the existing display name is used.


To test this I manually populated the ms-DS-Phonetic-First-Name attribute with Bbrraadd for the user named Brad.  In Active Directory Users and Computers, I did a search for the name Bbrr.  It returned the correct users.

I tested this in PowerShell with the following command.

Get-ADUser -Filter 'Name -like "Brad"'

I received several user objects with the first name of brad.  I then tried the phonetic name.

Get-ADUser -Filter 'Name -like "Bbrr*"'


I received nothing.  I then changed the attribute for the search.

Get-ADUser -Filter 'msDs-PhoneticFirstName -like "Bbrr*"'

I then received only the Brad account with the Phonetic name.  With PowerShell, you must still specify the exact property you are looking for when searching for users with the Phonetic attributes.

Monday, February 6, 2012

Expire and Un-Expire User Accounts with PowerShell

In class we had a project that required us to read in a text file that started with a user's email address and then was followed by dates on the same line.  The data file appeared as below:

,1/12/2012,1/13/2012,1/14,2012,2/3/2012,3/4/2012

The requirement was for this script to run every morning and expire any accounts that had a date that matched the current date.  Also, any accounts whose expiration date was the previous day needed to be un-expired.  Below is the code to do it.


# Function: Test-File
# Verifies that a file exists.
#
# Returns True if the file is present.

Function Test-File
{
    Param ($FilePath, $FileName)

    # Build the full path and test for the file.
    $TestPath = $FilePath + "\" + $FileName
    $FileReady = Test-Path -Path $TestPath
    Write-Output $FileReady
}
#End: Test File


<#
.SYNOPSIS
Confirms if a module is available.

.DESCRIPTION
Confirms if the provided parameter is available on
the local client.

.PARAMETER ModuleName
The name of the module whose presence is being checked.

.EXAMPLE
Confirm-Module ActiveDirectory

Checks to see if the ActiveDirectory module is
present on the local machine.

Returns True if present and False if not.
#>
Function Confirm-Module
{
    Param ($ModuleName = $(Throw "You need to provide a module name."))

    # Place the name of the module from Get-Module into
    # the variable $Data
    $Data = (Get-Module -ListAvailable -Name $ModuleName).Name

    # If the contents of $Data is equal to the variable
    # $ModuleName, the module is present, return
    # True. If not, return $False.
    If ($Data -eq $ModuleName) { Return $True }
    Else { Return $False }
}


<#
.SYNOPSIS
Examines a list of users and dates and expires a user's account should the date match the present date.
Also will un-expire any user account that had an expiration date of the previous date.

.DESCRIPTION
Examines a list of users and dates and expires a user's account should the date match the present date.
Also will un-expire any user account that had an expiration date of the previous date.

The data file is in the format

Any number of dates can be to the right of the email address as long as the dates are separated by commas and in the short date format (i.e. 1/20/2012)

Designed to run as a scheduled task in the morning.

.PARAMETER FilePath
Folder location of the data file.
ex: c:\data

.PARAMETER FileName
Name of the data file.
ex: VacationDates.txt

.EXAMPLE
Expire-User C:\Data VacationDates.txt

Parses a list of user email addresses and dates and determines which user accounts should be expired.
#>
Function Expire-User
{
    Param (
        $FilePath = "C:\Users\Administrator\Documents",
        $FileName = "vacationData.txt"
    )

    # Verify that the file exists.
    # Return TRUE if it does.
    # Leave the function if FALSE.
    $Result = Test-File $FilePath $FileName
    If (-not $Result)
    {
        Write-Host "Data File not found" -ForegroundColor White -BackgroundColor DarkRed
        Return
    }

    # Verify that the Active Directory module is available.
    If (-not (Confirm-Module ActiveDirectory))
    {
        Write-Host "Active Directory Module not available" -ForegroundColor White -BackgroundColor DarkRed
        Return
    }
    Import-Module ActiveDirectory

    # Read the data file.
    $UserList = Get-Content ($FilePath + "\" + $FileName)

    # Get today's date - Use the .NET Framework date format:
    # d - Short date
    $Date = Get-Date -Format d

    # Loop through each string in the data file and find
    # user data that contains today's date.
    ForEach ($UserData in $UserList)
    {
        # Compare whole date fields. A plain -match on the line would also
        # find 1/1/2012 inside 11/1/2012.
        If (($UserData.Split(",") | Select-Object -Skip 1) -contains $Date)
        {
            # The first field on the line is the email address.
            $UserObject = $UserData.Split(",")[0]
            #Get-ADUser -filter 'EmailAddress -eq $UserObject' |
            #Set-ADUser -AccountExpirationDate $date
        }
    }
    # End: ForEach ($UserData in $UserList)

    # Check for accounts that need to reset the expiration.
    $Yesterday = ((Get-Date).AddDays(-1)).ToShortDateString()

    # Create the date object to store the AD un-expired time
    # of January 1, 1970
    $NewDate = Get-Date 1/1/1970

    # Get any user object that was expired on the previous
    # day and unexpire the account.
    Get-ADUser -Filter * -Properties AccountExpirationDate |
        Where-Object {$_.AccountExpirationDate -eq $Yesterday} |
        Set-ADUser -AccountExpirationDate $NewDate

    Write-Host "End"
}
# End: Function Expire-User
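Because a scheduled task changes account expiration based on whatever is in the data file, it helps to validate each line before acting on it. The following is an added example, not part of the original script: ConvertFrom-VacationLine is a hypothetical helper, the address user@example.com is a constructed placeholder, and the en-US M/d/yyyy date format is an assumption taken from the sample dates in the post.

```powershell
# Added example: validate one line of the vacation data file before acting on it.
function ConvertFrom-VacationLine {
    param([Parameter(Mandatory = $true)][string]$Line)

    $culture = [System.Globalization.CultureInfo]::GetCultureInfo('en-US')
    $style   = [System.Globalization.DateTimeStyles]::None
    $fields  = @($Line.Split(',') | ForEach-Object { $_.Trim() })

    $dates    = @()
    $rejected = @()
    # Every field after the first must be a complete M/d/yyyy date.
    foreach ($field in ($fields | Select-Object -Skip 1)) {
        $parsed = [datetime]::MinValue
        if ([datetime]::TryParseExact($field, 'M/d/yyyy', $culture, $style, [ref]$parsed)) {
            $dates += $parsed
        }
        else {
            $rejected += $field
        }
    }

    [pscustomobject]@{
        Email    = $fields[0]
        EmailOk  = $fields[0] -match '^[^@\s,]+@[^@\s,]+\.[^@\s,]+$'
        Dates    = $dates
        Rejected = $rejected
    }
}

# Constructed sample: placeholder address plus the date list shown in the post,
# including its "1/14,2012" entry, which splits into two invalid fields.
$sample = 'user@example.com,1/12/2012,1/13/2012,1/14,2012,2/3/2012,3/4/2012'
$row = ConvertFrom-VacationLine -Line $sample

if (-not $row.EmailOk -or $row.Rejected.Count -gt 0) {
    # Refuse to touch the account when any field on the line is malformed.
    Write-Warning ("Skipping {0}: unparseable fields: {1}" -f $row.Email, ($row.Rejected -join ', '))
}
else {
    $row.Dates | ForEach-Object { $_.ToString('yyyy-MM-dd') }
}
```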


Friday, February 3, 2012

How to extract the file permissions of every file and folder, and subfolder, inside of a share.

The objective of this one liner is to allow you to enumerate all the shares on a client. Then recurse through the files and folders to get the NTFS permissions on each.

Get-WmiObject Win32_Share | Select-Object -Property Path | Get-ChildItem -Recurse | Get-Acl

To get only directories:

Get-WmiObject Win32_Share | Select-Object -Property Path | Get-ChildItem -Recurse | Where-Object {$_.Mode -match "d"} | Get-Acl

To only get information on files:

Get-WmiObject Win32_Share | Select-Object -Property Path | Get-ChildItem -Recurse | Where-Object {$_.Mode -notmatch "d"} | Get-Acl
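For an access review, the Get-Acl output is easier to work with when each access rule becomes its own row. The following is an added example, not code from the original post: the function name Get-ShareAclReport, the list of broad groups (English-language names) and the output file name are assumptions.

```powershell
# Added example: one row per access rule for every folder under each share,
# with a flag for Allow rules that give broad groups write access.
$BroadGroups = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'   # assumed list
# WriteData (0x2), AppendData (0x4), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000)
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-ShareAclReport {
    # Shares such as IPC$ have no file system path, so skip them.
    $shares = Get-WmiObject Win32_Share | Where-Object { $_.Path }

    foreach ($share in $shares) {
        $folders = @(Get-Item -LiteralPath $share.Path -ErrorAction SilentlyContinue)
        $folders += @(Get-ChildItem -LiteralPath $share.Path -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer })

        foreach ($folder in $folders) {
            if (-not $folder) { continue }
            $acl = $folder | Get-Acl -ErrorAction SilentlyContinue
            if (-not $acl) { continue }   # Access denied or path vanished.

            foreach ($rule in $acl.Access) {
                $identity = $rule.IdentityReference.Value
                $canWrite = ([int]$rule.FileSystemRights -band $WriteMask) -ne 0
                [pscustomobject]@{
                    Share      = $share.Name
                    Path       = $folder.FullName
                    Identity   = $identity
                    Rights     = $rule.FileSystemRights
                    Type       = $rule.AccessControlType
                    Inherited  = $rule.IsInherited
                    BroadWrite = ($rule.AccessControlType -eq 'Allow') -and $canWrite -and
                                 ($BroadGroups -contains $identity)
                }
            }
        }
    }
}

# Full report to CSV, then the rows that deserve a closer look.
$report = @(Get-ShareAclReport)
$report | Export-Csv -Path .\share-acl-report.csv -NoTypeInformation
$report | Where-Object { $_.BroadWrite } | Format-Table Share, Path, Identity, Rights -AutoSize
```

This reports NTFS permissions only, as the one-liners above do; share-level permissions are stored separately and are not returned by Get-Acl on the folder path.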

Wednesday, February 1, 2012

Case Sensitive PowerShell–Contains Comparison Operator

In PowerShell, you can test to see if a variable or array contains a specific piece of data.  Take the following example:

$Arr1 = "PowerShell","Rocks","The","Windows","World"

If I was interested in knowing if this array contained the string “rocks”, I would execute this command:

$Arr1 -contains "rocks"

The response would be True.  Notice that in the array, the data is spelled with a capital letter.  The query used a lower case letter.  PowerShell has a case sensitive contains operator called -ccontains.  When the same query is executed, but this time with -ccontains, the answer returned is False.  If the query was changed to

$Arr1 -ccontains "Rocks"

then the response would be True.