Advanced Windows PowerShell Scripting Video Training


Wednesday, July 31, 2013

How to Turn off Chinese Input Method in Windows 8

Recently while delivering a PowerShell class, I received a real shock from Windows 8.  Take a look at the image below.


It was also interfering with PowerShell's Autocomplete feature.  I automatically assumed that I had accidentally triggered a Windows 8 keyboard shortcut that I was not aware of.  To enable or disable this feature, press Ctrl + Space.

Monday, July 29, 2013

How to Get a User's UserAccountControl Setting from Active Directory Without Using the ActiveDirectory PowerShell Module

While delivering a PowerShell class, it came to light that the users of PowerShell were not going to have access to the ActiveDirectory module.  This changes a lot.  The AD module is full of useful cmdlets to help make a Network Administrator's life easier.  As a matter of fact, I did not move to PowerShell from AD administration until PowerShell V2 and the ActiveDirectory module were available to me.

One of the more cryptic properties that can be pulled from the user account object is the UserAccountControl property.  Here is a description of the flags that can be set with this property. (Source: http://support.microsoft.com/kb/305144)

  • SCRIPT - The logon script will be run.
  • ACCOUNTDISABLE - The user account is disabled.
  • HOMEDIR_REQUIRED - The home folder is required.
  • PASSWD_NOTREQD - No password is required.
  • PASSWD_CANT_CHANGE - The user cannot change the password. This is a permission on the user's object. For information about how to programmatically set this permission, visit the following Web site:

    http://msdn2.microsoft.com/en-us/library/aa746398.aspx

  • ENCRYPTED_TEXT_PASSWORD_ALLOWED - The user can send an encrypted password.
  • TEMP_DUPLICATE_ACCOUNT - This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
  • NORMAL_ACCOUNT - This is a default account type that represents a typical user.
  • INTERDOMAIN_TRUST_ACCOUNT - This is a permit to trust an account for a system domain that trusts other domains.
  • WORKSTATION_TRUST_ACCOUNT - This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
  • SERVER_TRUST_ACCOUNT - This is a computer account for a domain controller that is a member of this domain.
  • DONT_EXPIRE_PASSWD - Represents the password, which should never expire on the account.
  • MNS_LOGON_ACCOUNT - This is an MNS logon account.
  • SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card.
  • TRUSTED_FOR_DELEGATION - When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
  • NOT_DELEGATED - When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
  • USE_DES_KEY_ONLY - (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
  • DONT_REQUIRE_PREAUTH - (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.
  • PASSWORD_EXPIRED - (Windows 2000/Windows Server 2003) The user's password has expired.
  • TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network. 
  • PARTIAL_SECRETS_ACCOUNT - (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server.

Here is the kicker.  This property is a single value that can represent multiple flags.  The value is stored as a decimal integer; written out in binary, each bit position tells you whether one flag is set.  Each flag is therefore a power of 2:

Power (n)   n in binary   2^n (decimal)   Flag
0           0             1               SCRIPT
1           1             2               ACCOUNTDISABLE
2           10            4               N/A
3           11            8               HOMEDIR_REQUIRED
4           100           16              LOCKOUT
5           101           32              PASSWD_NOTREQD
6           110           64              PASSWD_CANT_CHANGE
7           111           128             ENCRYPTED_TEXT_PASSWORD_ALLOWED
8           1000          256             TEMP_DUPLICATE_ACCOUNT
9           1001          512             NORMAL_ACCOUNT
10          1010          1024            N/A
11          1011          2048            INTERDOMAIN_TRUST_ACCOUNT
12          1100          4096            WORKSTATION_TRUST_ACCOUNT
13          1101          8192            SERVER_TRUST_ACCOUNT
14          1110          16384           N/A
15          1111          32768           N/A
16          10000         65536           DONT_EXPIRE_PASSWD
17          10001         131072          MNS_LOGON_ACCOUNT
18          10010         262144          SMARTCARD_REQUIRED
19          10011         524288          TRUSTED_FOR_DELEGATION
20          10100         1048576         NOT_DELEGATED
21          10101         2097152         USE_DES_KEY_ONLY
22          10110         4194304         DONT_REQUIRE_PREAUTH
23          10111         8388608         PASSWORD_EXPIRED
24          11000         16777216        TRUSTED_TO_AUTH_FOR_DELEGATION
25          11001         33554432        N/A
26          11010         67108864        PARTIAL_SECRETS_ACCOUNT

The formula to figure out which flags are set is a bit complicated.  Let's say the value of UserAccountControl is 546.  Starting at the bottom of the chart and moving up, we look for the first decimal value that, when subtracted from 546, leaves a result greater than or equal to 0.  That number is 512, so the NORMAL_ACCOUNT flag is set.  We then take the remaining value (546 - 512 = 34).  Continuing up the list, the next number that we can subtract from 34 without the result dropping below zero is 32, so the PASSWD_NOTREQD flag is set.  This leaves us with 2, so the ACCOUNTDISABLE flag is set.

Here is some code to help you out with this.  This method uses the Active Directory Services Interface [ADSI] as opposed to using the ActiveDirectory PowerShell module.

# Get the User Account Control number through ADSI (no ActiveDirectory module needed).
$ObjUser = [ADSI]"LDAP://CN=User Name,DC=Domain,DC=Com"
$UAC = $ObjUser.userAccountControl
# The property comes back as a property collection; pull it out as a single integer.
$Num = [int]"$($UAC)"

# Walk the powers of two from the largest flag (2^26) down to 2^0, subtracting
# each value that fits, exactly as in the worked example above.
$Power = 26
Do
{
    $Test = [Math]::Pow(2,$Power)
    If (($Num - $Test) -ge 0)
    {
        Switch ($Power)
        {
            26 {Write-Host "ADS_UF_PARTIAL_SECRETS_ACCOUNT"}
            24 {Write-Host "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION"}
            23 {Write-Host "ADS_UF_PASSWORD_EXPIRED"}
            22 {Write-Host "ADS_UF_DONT_REQUIRE_PREAUTH"}
            21 {Write-Host "ADS_UF_USE_DES_KEY_ONLY"}
            20 {Write-Host "ADS_UF_NOT_DELEGATED"}
            19 {Write-Host "ADS_UF_TRUSTED_FOR_DELEGATION"}
            18 {Write-Host "ADS_UF_SMARTCARD_REQUIRED"}
            17 {Write-Host "ADS_UF_MNS_LOGON_ACCOUNT"}
            16 {Write-Host "ADS_UF_DONT_EXPIRE_PASSWD"}
            13 {Write-Host "ADS_UF_SERVER_TRUST_ACCOUNT"}
            12 {Write-Host "ADS_UF_WORKSTATION_TRUST_ACCOUNT"}
            11 {Write-Host "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT"}
            9  {Write-Host "ADS_UF_NORMAL_ACCOUNT"}
            8  {Write-Host "ADS_UF_TEMP_DUPLICATE_ACCOUNT"}
            7  {Write-Host "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED"}
            6  {Write-Host "ADS_UF_PASSWD_CANT_CHANGE"}
            5  {Write-Host "ADS_UF_PASSWD_NOTREQD"}
            4  {Write-Host "ADS_UF_LOCKOUT"}            # LOCKOUT is 2^4 = 16
            3  {Write-Host "ADS_UF_HOMEDIR_REQUIRED"}   # HOMEDIR_REQUIRED is 2^3 = 8
            1  {Write-Host "ADS_UF_ACCOUNTDISABLE"}
            0  {Write-Host "ADS_UF_SCRIPT"}
        }
        $Num = $Num - $Test
    }
    $Power--
} While ($Power -ge 0)
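Testing the bits directly is the shorter way to read the same property, and the same lookup extends into a domain-wide check for the flags the KB article marks as security-sensitive.  This is an added example, not code from the post; it assumes a domain-joined machine with read access to user objects, and the `ConvertFrom-UserAccountControl` name and the `$Sensitive` list are my own choices (flag values follow KB 305144, where HOMEDIR_REQUIRED is 8 and LOCKOUT is 16).

```powershell
# Added example (not from the original post); flag values follow KB 305144.
$UacFlags = [ordered]@{
    SCRIPT                          = 0x0000001
    ACCOUNTDISABLE                  = 0x0000002
    HOMEDIR_REQUIRED                = 0x0000008
    LOCKOUT                         = 0x0000010
    PASSWD_NOTREQD                  = 0x0000020
    PASSWD_CANT_CHANGE              = 0x0000040
    ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0000080
    TEMP_DUPLICATE_ACCOUNT          = 0x0000100
    NORMAL_ACCOUNT                  = 0x0000200
    INTERDOMAIN_TRUST_ACCOUNT       = 0x0000800
    WORKSTATION_TRUST_ACCOUNT       = 0x0001000
    SERVER_TRUST_ACCOUNT            = 0x0002000
    DONT_EXPIRE_PASSWD              = 0x0010000
    MNS_LOGON_ACCOUNT               = 0x0020000
    SMARTCARD_REQUIRED              = 0x0040000
    TRUSTED_FOR_DELEGATION          = 0x0080000
    NOT_DELEGATED                   = 0x0100000
    USE_DES_KEY_ONLY                = 0x0200000
    DONT_REQUIRE_PREAUTH            = 0x0400000
    PASSWORD_EXPIRED                = 0x0800000
    TRUSTED_TO_AUTH_FOR_DELEGATION  = 0x1000000
    PARTIAL_SECRETS_ACCOUNT         = 0x4000000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # A flag is set when its bit survives a bitwise AND with the value.
    $UacFlags.Keys | Where-Object { ($Value -band $UacFlags[$_]) -ne 0 }
}

# The post's worked example, 546, decoded with the bit test instead of subtraction.
ConvertFrom-UserAccountControl -Value 546
# Audit pass: enabled users carrying the flags KB 305144 marks as security-sensitive.
$Sensitive = 'PASSWD_NOTREQD', 'DONT_REQUIRE_PREAUTH', 'USE_DES_KEY_ONLY',
             'TRUSTED_FOR_DELEGATION', 'TRUSTED_TO_AUTH_FOR_DELEGATION'
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; 2 = ACCOUNTDISABLE.
$Searcher.Filter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$Searcher.PageSize = 1000
$Searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'userAccountControl'))
foreach ($Result in $Searcher.FindAll()) {
    $Uac  = [int]$Result.Properties['useraccountcontrol'][0]
    $Hits = ConvertFrom-UserAccountControl -Value $Uac | Where-Object { $Sensitive -contains $_ }
    if ($Hits) {
        [pscustomobject]@{ Account = $Result.Properties['samaccountname'][0]; Flags = $Hits -join ',' }
    }
}
```

The PageSize setting makes the searcher page through results, so the audit is not cut off at the directory's default result limit.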

Wednesday, July 24, 2013

What Snap-ins are required to access the Exchange Cmdlets?

PowerShell utilizes both snap-ins and modules to expand its functionality.  For those of you needing to do some Exchange scripting, you will need access to the Exchange snap-ins.  These snap-ins are installed on your Exchange server.  If you would like to work from a client, then use the Exchange installation media to install the Exchange Management Tools on your client.

These snap-ins are for Exchange 2010.

Microsoft.Exchange.Management.PowerShell.E2010

Microsoft.Exchange.Management.PowerShell.Setup

Microsoft.Exchange.Management.PowerShell.Support


To register these snap-ins quickly in the ISE, type this command in the Command window:

Get-PSSnapin -Registered | ForEach-Object {Add-PSSnapin -Name $_.Name}

Monday, July 22, 2013

How to Exceed the Maximum Number of Allowed Objects from Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup cmdlets

One of the reasons why the cmdlets in the ActiveDirectory module limit the properties or the number of objects returned is that you may accidentally ask for 2 billion objects if you are not careful.  A recent question on one of my posts asked how to exceed the threshold for Get-ADGroupMember.

The error that the user received was:

Get-ADGroupMember : The size limit for this request was exceeded

The default limit is 5000 objects.  This is a limitation imposed by the Active Directory Web Service (ADWS).  ADWS is a requirement for using the ActiveDirectory module for PowerShell.  If you have multiple instances of ADWS on multiple Domain Controllers, you will need to perform this procedure on each one.  Since you do not know for sure which DC your client will bind to, changing this setting on all of the ADWS services will prevent random issues from happening in the future.

In the file c:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config, after the <appSettings> tag, place this entry:

<add key="MaxGroupOrMemberEntries" value="10000"/>

This assumes that you need to return up to 10000 objects from these cmdlets.  Also take note that you will still have a 5 minute timeout imposed on all your requests.  If you cannot retrieve the information in 5 minutes, the request will fail.  Filter your request to contain only the information that you need to work with.

Your next step is to stop and then restart the ADWS service on the Domain Controller.

Wednesday, July 17, 2013

How to Stop Background Windows from Popping Up in Windows 8

Recently I purchased a Windows 8 laptop as part of my normal 3 year hardware refresh.  Love it.  It is nice and fast.  I installed Office Professional Plus 2013 without any issues.  When I was asked to deliver a virtual class using Lync, I had an issue.  A quick fix was to uninstall Lync 2013 and just use the web based client.  That is when it all started.

Out of the blue, windows in the background, or even minimized, would pop up and take focus. It was very embarrassing to have to deliver a class when I could barely maintain control of my own system.  Here is how I fixed it.

Open Programs and Features.

Select Microsoft Office Professional Plus 2013 and then click Change.

Select to Repair your installation.

I am happy to say, no more issues.

Monday, July 15, 2013

What to do if the Shift Key Gets Stuck in a Hyper-V Session

It happened again.  I was doing a demonstration in a class and my shift key got stuck inside of the Virtual Machine Connection window for Hyper-V.  Normally this leads to a reboot of the VM.  Fortunately, one of my students found a much better workaround.  Simply Pause the VM and then Resume it.  The Pause and Resume buttons are in the same place on the menu bar.

This quick and effective workaround should make this random issue a bit easier to work with.

Monday, July 8, 2013

Search a PowerShell Module’s Help Files for Key Words

This past week I have been working on a project in Windows Azure and PowerShell.  As I’m learning the Azure platform, I’m coming across the need to be able to find key words in the help files to help me discover the cmdlets that I need.  Here is the command line that I am using.

Get-Command -Module Azure | ForEach-Object -Process {Get-Help $_.Name -Detailed} | Select-Object -Property Name, Description | Where-Object Description -like "*blob*" | Select-Object -Property Name

The -Module parameter is used to ensure the Get-Command cmdlet only returns objects from the Azure module.

The ForEach-Object cmdlet will cycle through each cmdlet and call the detailed help file for each one.

We can filter some of our data at this point and ask for only the cmdlet's name and description.

Finally, the Where-Object cmdlet is used to look for a pattern.  In this case, I am looking for any help file from the Azure module that has the word “blob” in it.

Optionally, I added one more Select-Object filter to give me only the name of the cmdlet.

PS C:\> Get-Command -Module Azure |
ForEach-object -process {Get-help $_.name -Detailed} |
Select-Object -Property Name, Description |
Where-Object Description -like "*blob*" |
Select-Object -Property Name

Name
----
Start-AzureStorageBlobCopy
Stop-AzureStorageBlobCopy
Add-AzureDataDisk
Add-AzureVhd
Get-AzureStorageBlob
Get-AzureStorageBlobContent
Get-AzureStorageBlobCopyState
New-AzureStorageAccount
Remove-AzureDataDisk
Remove-AzureDisk
Remove-AzureStorageBlob
Remove-AzureVMImage
Save-AzureVhd
Set-AzureStorageBlobContent
Start-AzureStorageBlobCopy
Stop-AzureStorageBlobCopy

At this point, I can now look for a verb/noun combination that looks good and investigate the individual help file.

Wednesday, July 3, 2013

Getting Around the Word 2013 not posting to Blogger issue.

This is a problem that seems to have vexed a lot of people.  Windows Live Writer worked just fine.  Word 2013 will not register with Blogger nor allow you to install Windows Live Writer.

Here is how you get around that little issue.  Download Windows Essentials.  I know that it is not the best, but it works fine for me.  I de-selected everything but Windows Live Writer and I am now able to post to my Blogger account.

I have read many postings starting with Word 2007 about this issue.  Hopefully this will help a bit.

Monday, July 1, 2013

Getting the NMCI Webmail to work on Windows 8

Here is a simple solution for my Shipmates moving to Windows 8. When you access the NMCI Webmail client, you may not be able to see any emails and the menu bar may look like this:


To correct this, we need to make sure that the NMCI web client loads in Internet Explorer Compatibility mode.  What is IE Compatibility mode?  Since IE version 8, not all websites render correctly.  Compatibility mode makes Internet Explorer render a web page as if you were using IE 7.  To be honest, I have all Navy websites do this.  Here is how to set this up.

Go to the Windows 8 desktop and open Internet Explorer from there. Do not do it from the touch interface.

If you do not see the Menu Bar in IE, right click the top of the window and check Menu bar.

Click Tools > Compatibility View Settings.

Add Navy.mil and then click Add.  Click Close when finished.

Let the browser reload and you will get to your NMCI email.