28 November 2013

Insufficient access rights when modifying useraccountcontrol attribute

Set-ADAccountControl : Insufficient access rights to perform the operation

This error appears only when the command is run on a domain controller.

To work around it, add the "-Server" parameter and specify an alternate domain controller:

Set-ADAccountControl $_ -PasswordNotRequired $false -Server dcname
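The one-liner above expects accounts on the pipeline. As an added example (not part of the original post), the script below finds every user with the "password not required" flag and clears it through another domain controller. It assumes the ActiveDirectory module is available and that the domain has a second DC; the variable names are illustrative. The filter uses bit 32 of userAccountControl (PASSWD_NOTREQD).

```powershell
#Requires -Modules ActiveDirectory

# Pick a domain controller other than the machine this session runs on,
# since the error above only shows up when the local DC is targeted.
$dc = Get-ADDomainController -Filter * |
    Where-Object { $_.Name -ne $env:COMPUTERNAME } |
    Select-Object -First 1

if (-not $dc) {
    throw 'No alternate domain controller found; nothing was changed.'
}

# userAccountControl bit 32 = PASSWD_NOTREQD, tested with the bitwise AND matching rule.
$flagged = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=32)' `
    -Properties PasswordNotRequired -Server $dc.HostName

# Review the list before changing anything.
$flagged | Select-Object SamAccountName, Enabled, PasswordNotRequired |
    Format-Table -AutoSize

# Clear the flag through the alternate DC. Remove -WhatIf once the list looks right.
$flagged | ForEach-Object {
    Set-ADAccountControl -Identity $_ -PasswordNotRequired $false `
        -Server $dc.HostName -WhatIf
}
```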

27 November 2013

Get current logonserver

[System.Environment]::GetEnvironmentVariable("logonserver")

15 November 2013

Find vmware ESX version and build number

Find the VMware ESX version and build number from the vSphere client: select the host and go to the Summary tab.



07 November 2013

30 October 2013

Register Schema Console

If you need to use the schema console, you first need to register it.

Run in an elevated command prompt:

regsvr32 C:\Windows\System32\schmmgmt.dll

After that you can launch the mmc, then from the File menu click Add / Remove Snap-in, select Active Directory Schema in the right window and click Add and then OK.

18 October 2013

Script prerequisites

If you need to make sure your script runs only with a minimum PowerShell version, a loaded module or a PSSnapin, you can use the #Requires statement:

#Requires -Version 3.0
#Requires -Modules ActiveDirectory


08 October 2013

Find method details


'a' | Get-Member Split | Format-List



Send mail message from powershell


Send-MailMessage -From "user@domain.com" -To "user@domain.com" -Subject "subject" -Body "Message" -SmtpServer servername.local


or by using splatting:


$body = "body message"

$email = @{
From = "user@domain.com"
To = "user@domain.com"
Subject = "subject"
SMTPServer = "servername.local"
Body = $body
}

Send-MailMessage @email

26 September 2013

Windows 2008 R2 - close open files


Open the Share and Storage Management console and on the right panel click on "Manage open files...".




07 September 2013

Windows update client name - wuauclt.exe

I always find it hard to remember the name of the Windows Update client file so I can launch it and force an update check, so I searched the internet to find more detail about its name;
from what I managed to find, wuauclt stands for Windows Update / Automatic Updates CLienT

I also found more options to use with this application:

/DetectNow – force a search for updates
/ReportNow – forces a Report to the WSUS server
/UpdateNow – Triggers a forced update event

06 September 2013

Disable IE enhanced security on windows server 2012

Disabling Internet Explorer enhanced security is not recommended in a production environment;

disable it only in testing and development environments.

Go to "Server Manager" - "Local Server" and on the right tab you will find the option.



18 July 2013

Different colors on the same line

In order to have different font colors or different background colors in your console output you can use Write-Host cmdlet with the -NoNewline parameter:


Write-Host '1' -ForegroundColor Red -NoNewline
Write-Host '2' -ForegroundColor Green -NoNewline
Write-Host '3' -ForegroundColor Yellow -NoNewline


will output:

123

08 July 2013

Hide user from GAL / Global Address List



Set-Mailbox -HiddenFromAddressListsEnabled $true -Identity $user.UserPrincipalName

04 July 2013

Full error Exception details

If you need the full error name for your catch block, or for any other reason, the only way to obtain it is by piping the $Error automatic variable to one of the Format cmdlets and using the -Force parameter.
The Exception property of the $Error variable will contain the information:

$Error[0] | Format-Table * -Force

Exception  : Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException:  Cannot find an object with identity: 'kajdhlkasd' under: 'DC=home,DC=net'.
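Once the full type name is known it can go straight into a typed catch. As an added example (not from the original post), the function below uses the exception type shown in the output above so that "account not found" is handled separately from any other failure. The function name is illustrative, and ADServerDownException is a second type from the same module, assumed here as the "directory unreachable" case.

```powershell
#Requires -Modules ActiveDirectory

function Test-ADUserExists {
    param([Parameter(Mandatory)][string]$Identity)

    try {
        $null = Get-ADUser -Identity $Identity -ErrorAction Stop
        return $true
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The directory answered and the account is not there.
        return $false
    }
    catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
        # The directory could not be reached: this is not the same as
        # "account does not exist", so pass the error on to the caller.
        throw
    }
    catch {
        # Anything unexpected: dump every property of the error record,
        # the same way the Format cmdlet with -Force is used above.
        $_ | Format-List * -Force | Out-String | Write-Warning
        throw
    }
}

# Constructed sample identity, the same one as in the error text above.
Test-ADUserExists -Identity 'kajdhlkasd'
```

The #Requires line loads the module before the script runs, which the typed catch needs in order to resolve the exception types.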

07 June 2013

OWA - blind and low vision experience

You can enable or disable the blind and low vision experience on OWA for all users by modifying the "OWALightEnabled" attribute:

Set-OwaVirtualDirectory -Identity 'server_name\owa (Default Web Site)' -OWALightEnabled $false


05 June 2013

Protect OU from accidental deletion

Verify whether all organizational units in your Active Directory domain are protected from accidental deletion:

Get-ADOrganizationalUnit -Filter * -Properties * | Select-Object name , ProtectedFromAccidentalDeletion

to protect all your organizational unit objects use:

Get-ADOrganizationalUnit -filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

users can also be protected using:

Get-ADObject -filter {(ObjectClass -eq "user")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

17 May 2013

User's picture in active directory



To import the picture:

Import-RecipientDataProperty -Identity marius.dumitru -Picture -FileData ([Byte[]]$(Get-Content -Path "C:\tmp\user.jpg" -Encoding Byte -ReadCount 0))


To remove the picture:

Set-Mailbox samAccountName -RemovePicture

16 May 2013

Compare 2 text files


fc.exe can be used to compare 2 files; it can compare files in binary or ASCII mode;

C:\>fc /?
Compares two files or sets of files and displays the differences between them

Ex: fc file1.txt file2.txt


10 May 2013

Search for inactive active directory accounts

I found a neat cmdlet that can retrieve inactive, disabled, expired or expiring Active Directory accounts;

full details about the command can be found on TechNet;

pay attention to the "-TimeSpan" argument - if you do not use the correct / accepted formatting the search will return wrong objects;



Search-ADAccount -AccountInactive -UsersOnly -SearchBase 'OU=Users,DC=domain,DC=intra' -TimeSpan 90.00:00:00.0 | Select-Object name, lastlogondate

26 April 2013

Sharing multiple folders


net share command can be used to share folders and grant permissions

for ($i=1; $i -le 100; $i++){
    $share = 'T' +$i
    $user= 'ST_Samba.T' + $i
    net share $share=E:\Software\$share "/grant:$user,full"
}


16 April 2013

Remove spaces from distribution group alias


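# Credential of an account allowed to modify the groups
$cred = Get-Credential

# Keep only groups whose alias contains a space; groups without a mailNickname are skipped
$groups = Get-ADGroup -Filter * -Properties mailNickname | Where-Object { $_.mailNickname -match ' ' }
foreach ($grup in $groups){
       Set-ADGroup -Identity $grup -Replace @{mailNickname=($grup.mailNickname.Replace(' ',''))} -Credential $cred -PassThru
       }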

08 April 2013

Query active directory with dsquery


dsquery can be used to retrieve any Active Directory attribute, or to filter on any Active Directory attribute using an LDAP filter;

Ex: find user with employeeid=1234

dsquery * -filter "(employeeid=1234)" -attr attribute_name

to retrieve all Active Directory attributes use star (-attr *);

03 April 2013

Find all domain controllers in domain


Using powershell one can find all domain controllers in domain using:

1. an LDAP filter:

Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"


2. the "Domain Controllers" group, retrieving its members:

Get-ADGroupMember 'Domain Controllers'


3. Get-ADDomainController cmdlet:

Get-ADDomainController -Filter * | Select-Object name

27 March 2013

Enable fully qualified domain names in DFS


1.     If the DFS server hosts a DFS root or replica, remove it from the server. (If you accidentally activated the DfsDnsConfig parameter without removing configuration information, you can clear it by typing dfsutil /clean:computername.)


2.     Start Registry Editor and open the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs

3.     If you find a DfsDnsConfig value, click Edit Value on the Edit menu, and then change the value to 1. If there is no DfsDnsConfig value, click Add Value on the Edit menu, and then add the following information value:
Value Name: DfsDnsConfig
Data Type: REG_DWORD
Value Data: 0 or 1


If you set the data value to 1, all roots added to the DFS tree use a fully qualified domain name. 0 specifies the default behavior.

Note: This registry key takes effect only after the DFS service is restarted.

04 March 2013

LAN Manager - Windows 7

In Windows 7 you may encounter problems accessing network resources because of the default "LAN Manager authentication level" group policy setting.

To modify this setting navigate to:
Local Computer Policy - Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options - LAN Manager authentication level



08 January 2013

Retrieve computer manufacturer and model

WMI class Win32_ComputerSystem has information about computer hardware manufacturer and computer model:

Get-WmiObject -Class Win32_ComputerSystem


Manufacturer : Dell Inc.
Model        : OptiPlex 740 Enhanced

Get-WmiObject can also be used to retrieve this information from remote computers:

Get-WmiObject -Class Win32_ComputerSystem -ComputerName computer_name

03 January 2013

LDAP syntax

The LDAPFilter parameter of the Get-ADUser cmdlet is much easier to use and type;

Each LDAPFilter condition is enclosed in parentheses, and an operator precedes the two conditions it combines:

Eg. ( & (condition one) (condition two) ) - translates as condition one AND condition two

( | (condition one) (condition two) ) - translates as condition one OR condition two

 Logical conditions are formed using Active Directory attributes names like objectClass, objectCategory, name.

Eg.: to search for all users whose name start with "z" we will use:
(&(objectcategory=person)(name=z*))


Get-ADUser -LDAPFilter '(&(objectCategory=person)(name=z*))'

It is recommended to use objectCategory instead of objectClass whenever possible, because the objectClass attribute can have multiple values, while objectCategory is an indexed attribute in Active Directory and will speed up the search.
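When the search text comes from a user or from a file instead of being typed by hand, parentheses, asterisks and backslashes in it change the meaning of the filter. As an added example (not part of the original post), the functions below escape those characters as RFC 4515 describes before building the AND / OR filters shown above. The function names and sample inputs are constructed for illustration.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape the characters that are reserved inside an LDAP filter value.
    # The backslash goes first so the escapes added afterwards are not escaped again.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace '\x00', '\00'
}

function New-PersonNameFilter {
    # AND of two conditions: objectCategory=person and name starts with $Prefix.
    # The trailing * is added here, after escaping, so it stays a real wildcard.
    param([Parameter(Mandatory)][string]$Prefix)

    '(&(objectCategory=person)(name={0}*))' -f (ConvertTo-LdapFilterValue $Prefix)
}

function New-PersonLookupFilter {
    # AND wrapping an OR: a person whose sAMAccountName or mail equals $Term.
    param([Parameter(Mandatory)][string]$Term)

    $t = ConvertTo-LdapFilterValue $Term
    "(&(objectCategory=person)(|(sAMAccountName=$t)(mail=$t)))"
}

# Constructed inputs: a plain prefix and one that contains filter metacharacters.
foreach ($text in 'z', 'Smith (contractor)*') {
    New-PersonNameFilter -Prefix $text
}
New-PersonLookupFilter -Term 'j.doe@domain.com'

# With the ActiveDirectory module loaded, pass the result to the cmdlet:
# Get-ADUser -LDAPFilter (New-PersonNameFilter -Prefix 'z')
```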


02 January 2013

Powershell 3 help files

PowerShell 3 (or Windows Management Framework 3) does not contain help files, so if you need local help about cmdlets you will need to update your help files;

Update-Help is the cmdlet that will update your help files; you need to run your powershell with elevated rights (Run As Administrator).

Keep in mind that your user interface language setting will be used when help files are updated and the content of the files will be in your locale language;

You can also use the "-UICulture" parameter to specify for what language to download or update help files;