PowerShell to the rescue

Sunday, March 7, 2010

A member of my team came in this morning with a scripting request: "If we ran a full backup on all of our servers (fixed disks), how much disk space would they all consume altogether? We need to give the boss a ‘ball-park number’ by the end of the day!" So, how can we get that number? Here’s a quick & dirty version. 1. Get all computer objects (names only). We keep our servers in a dedicated OU in Active Directory. ...

Modifying multivalued Active Directory attributes

Thursday, February 4, 2010

Updating an attribute value in Active Directory is usually not a big deal. Most of the attributes are single valued and you can easily modify them. However, dealing with multivalued attributes is another game. With Quest AD cmdlets you don’t have to pull your hair out: there is a special syntax for working with multivalued attributes, which you use via the ObjectAttributes parameter. The syntax is as follows (nested hashtable):

    Set-QADUser -Identity <Identity> -ObjectAttributes @{AttributeName=@{KeyName=@('value1','value2'…)}}

AttributeName – The LDAP name of the attribute.
KeyName – The action you want to perform on the attribute value(s).
The values @('value1','value2'…) – An...

Protecting OU from accidental deletion

Sunday, September 13, 2009

When you create new Organizational Units in Active Directory Users and Computers (ADUC) in Server 2008 (or with RSAT on 2003 domains), ADUC gives you the option to protect the OU from accidental deletion. When this option is selected, ADUC updates the security descriptor of the object and, potentially, its parent, with a Deny ACE for the Everyone domain group, which denies all administrators or users of this domain and domain controller the ability to delete this object. Note: This setting does not provide protection against accidental deletion of a subtree that contains the protected object. Therefore, it is recommend...

Mailbox Users Storage limit

Sunday, August 30, 2009

My morning task today includes the following: get all mailboxes (Exchange 2003) larger than X megs where the associated user mailbox storage limits are overriding the settings of the Mailbox store. Storage limit information for user accounts is available in Active Directory Users and Computers on the user's ‘Exchange General’ tab (click on ‘Storage Limits’ at the bottom). The ‘Storage Limits’ dialog box specifies the mailbox storage limits for warning or prohibiting a mailbox-enabled user from sending or receiving email. You can also use this dialog box to specify the number of days a deleted item is stored in the...

How to inform users that their password is about to expire

Sunday, August 2, 2009

I got several requests to publish the latest version of a script I wrote once to retrieve all mail-enabled user accounts that have the password configured to never expire. Once the accounts are retrieved, based on the DaysToExpire variable value, a mail message is sent to the users stating that their password will expire in X days. Notice that the script requires the latest version of Quest AD cmdlets and is also compatible with PowerShell version 1 or 2. $ReqVersion = "" ...

List of Exchange 2003 Administrators

Thursday, July 23, 2009

The following script lists all the groups or users that have been delegated as Exchange admins at the organizational level. There are three types of administrative roles: Exchange Full Administrator, Exchange Administrator, and Exchange View Only Administrator.

    $cnc = (Get-QADObject (Get-QADRootDSE).ConfigurationNamingContext).DN
    $DN = "CN=Microsoft Exchange,CN=Services,$cnc"
    Get-QADPermission $DN -Inherited -SchemaDefault | `
    Where-Object...

How to audit AD groups in one line of PowerShell

Monday, July 20, 2009

I was tasked this morning with the following: Get all groups from Active Directory and produce a report that includes each group's Name, distinguishedName, the type of the group, its scope, mail address, description and group membership count. Armed with Quest's AD cmdlets I wrote the following. It took 3 minutes to write the code and send it to my manager with the PowerShell v2 Send-MailMessage cmdlet:

    Get-QADGroup -SizeLimit 0 |
        Select-Object Name,DN,GroupType,GroupScope,@{Name="MemberCount";Expression={ @(Get-QADGroupMember -SizeLimit 0 -Identity $_).Count }},Mail,Description |
        Sort-Object MemberCount -Descending |
        Export-Csv .\ADGroupsReport.csv

    #This section requires PowerShell v2
    $PSEmailServer= "EmailServerName"
    Send-MailMessage -From "Me@domain.com" -To "Manager@domain.com" -Attachments .\ADGroupsReport.csv -Subject  "AD Groups...

Mapping WMI mailbox object to its AD user account

Thursday, July 16, 2009

A few days ago I got a request from a reader of my blog: "I found the WMI commands to get info from Exchange 2003 servers and the following gets me the displayname, servername, storagegroupname, and storename but am I able to get the SamAccountName? Do you know any way?"

    Get-WmiObject -Class Exchange_Mailbox -NameSpace root\microsoftexchangev2 -ComputerName ExchangeServer | Sort-Object MailboxDisplayName | Format-Table MailboxDisplayName, ServerName, StorageGroupName, StoreName, Size -auto

First, let's see what a sample mailbox output looks like when we issue the above WMI command (without piping to sort and format-table):

    (...)
    AssocContentCount : 159
    Caption ...

Get all users that cannot change their password

Monday, July 6, 2009

Earlier today a colleague of mine asked me for a script solution: "I want to get all users that cannot change their password from Active Directory but I can't find any attribute on the user account with that info." Correct, there is no such attribute. When a user account is set with the 'User cannot change password' account option, two (Deny) Access Control Entries (ACEs) are added to the account in question:

1. Deny for the user account (SELF)
2. Deny for everyone else (Everyone built-in group)

To see the ACEs go to the 'Security' tab and then click the...