Advanced Windows PowerShell Scripting Video Training


Monday, October 31, 2011

Use GPO Preferences to populate built-in groups on your clients.

If you need to add users or domain groups to the built-in groups on your clients, you have 2 choices.  You can use restricted groups.  The problem with restricted groups is that they will remove any existing members of that group and prevent you from adding any more without using Group Policy.  Another option is to use GPO Preferences.

Create a GPO to hold this GPO preference.

Edit the policy and expand Computer Configuration / Preferences / Control Panel Settings.

Click Local Users and Groups and then right-click it.

Select New -> Local Group

In the Action drop down list, ensure Update is selected.  The Update action will not remove the group if it already exists.  If it does not exist, the group will be created.

In the Group Name field, type the name of the group that you want to add members to.

Under Members, click Add.

Click OK when completed.


Apply this policy to the appropriate portion of Active Directory.

Refresh the GPOs on your client and examine the local built-in group.  Your users should now be members of that group.

Friday, October 28, 2011

DFSR Migration for RODC is stuck

During a DFSR sysvol migration on Windows Server 2008, problems can occur with the migration of Read Only Domain Controllers.

See the image below.


The RODC is stuck trying to move to the Prepared state.  First go to the RODC and type Repadmin /SyncAll /AeD.


On the PDC Emulator, run dfsrmig /GetMigrationState.

If the migration completed, continue on.  If not, type dfsrmig /CreateGlobalObjects. This will manually create the global objects for DFS replication.

On the PDC Emulator, run dfsrmig /GetMigrationState. You should be ready to move on to the next step in the migration process.

Thursday, October 27, 2011

Delete a DNS zone with PowerShell

When it comes time to remove a zone from a DNS server, you can accomplish this task with PowerShell.


We are going to remove a zone called


Log into your DNS server with an account that has the permissions to delete the zone.


Open PowerShell and type the following command.


Get-WMIObject -NameSpace "Root\MicrosoftDNS" -Class MicrosoftDNS_Zone | Where-Object {$_.Name -eq "Test.Contoso.Com"} | Remove-WMIObject


You may need to close and then reopen the DNS console to see the zone completely removed.

Wednesday, October 26, 2011

Utilizing Windows Server 2008 R2 Bare Metal Recovery

A new feature of Server 2008 R2 allows you to recover a server from a completely failed hard drive.  The Image restore capability is a combination of using Windows Server Backup and Windows Recovery Environment (WinRE).

Windows Server Backup is used to create the image, while WinRE is used to apply the image.

To create the image, first install the Windows Server Backup feature on your server.
Open Server Manager
Click Features.
Click Add Features
Scroll down the list and click Windows Server Backup Features and then click Install/Next until the installation completes.

Next, create a bare metal recovery image
Open Windows Server Backup
Create a backup.  In this example, we are clicking Backup Once.
Make sure Different options is selected and then click Next.

For this demonstration, we are going to select Custom. Full Server will also work.  By using Custom, we can select Bare Metal recovery and take the minimum data required.

In the Select Items for Backup window, click Add Items.

Check Bare metal recovery.  The rest of the required items will auto-check.  Click OK.

At the Select Items for Backup window, click Next.

At the Select Destination Type window, select what is appropriate for your environment.  I am selecting Remote Shared Folder.

On the Specify Remote Folder window, provide a UNC path to the share where this data will be stored.
In the Access control area, select what is appropriate for your environment.
Click Next.

If prompted, provide appropriate credentials.

On the Confirmation window, click Backup.
Wait for the backup to complete.

Once the backup was completed, I rebooted this server using Windows PE.  Utilizing the Diskpart command, I formatted the C: drive to simulate a new hard drive to replace the existing one.

Use the installation media for Server 2008 R2 to boot the server.
At the first screen, select the language that you want to use and click Next.

Click Repair your computer.

At the System Recovery Options window, select Restore your computer using a system image that you created and click Next.

At the Re-image Your Computer warning, click Cancel.

In the Select a system image backup, click Next.

In the Select the location of the backup for the computer you want to restore, click Advanced.

At the next prompt, click Search for a system image on the network.

At the Are you sure you want to connect to the network prompt, click Yes.

Provide the UNC path to the share where the backup image is stored and click OK.

Provide credentials in the form of domain\useraccount that has access to this backup. Click OK.

Select the image that you want to use and click Next.

If you have problems reading the above image, click Refresh and try again.

Select the Date/Time of the image and click Next.

On the Choose additional restore options window, click Next.
Click Finish.
Click Yes at the warning.

The restore will now begin.

Once completed, the default options reboot the server.  At this point, the restore is completed.

Tuesday, October 25, 2011

How to handle attributes with hyphens in PowerShell

Some attributes that you can pull from Active Directory may have a hyphen in them.  That makes them a bit difficult to work with in PowerShell.  When PowerShell sees the hyphen, it assumes that you just put a cmdlet in the wrong place.  To handle a hyphenated attribute, you need to rename that property.  For this example, I am going to use the msDS-ResultantPSO attribute.  Take a look at the code below.

$UserList = Get-AdUser -filter * -property msDS-ResultantPSO | Select name, @{Name="ResultantPSO";Expression={$_."msDS-ResultantPSO"}}

The @ symbol tells us we are about to rename a property.  In the Name portion, inside double quotes, we declare the new name of the property.  In the Expression portion, we tell PowerShell what attribute we want to rename.  Notice we use the $_. to tell PowerShell to look at the current object passed to it for this attribute, and that the hyphenated name is wrapped in quotes.  From here on out, this property is referred to as ResultantPSO.  This is now an attribute that PowerShell can use.
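An added example, not part of the original post: the same quoting and renaming applied to constructed sample objects, so it runs without a domain, and extended to count users per PSO. The sample users, their distinguished names and the Get-PsoSummary function name are assumptions made for illustration.

```powershell
# Constructed sample objects standing in for Get-ADUser output; the user
# names and distinguished names are made up for this example.
$SampleUsers = @(
    New-Object PSObject -Property @{ Name = 'Alice'; 'msDS-ResultantPSO' = 'CN=IT PSO,CN=Password Settings Container,CN=System,DC=example,DC=com' }
    New-Object PSObject -Property @{ Name = 'Bob';   'msDS-ResultantPSO' = 'CN=IT PSO,CN=Password Settings Container,CN=System,DC=example,DC=com' }
    New-Object PSObject -Property @{ Name = 'Carol'; 'msDS-ResultantPSO' = $null }
)

# Hypothetical helper: counts how many users each resultant PSO applies to.
function Get-PsoSummary {
    param([Parameter(Mandatory = $true)] [object[]] $User)

    $User |
        # Unquoted, $_.msDS-ResultantPSO is read as $_.msDS followed by a '-'
        # operator. Quoting the name makes the parser treat it as one member.
        Select-Object Name, @{ Name = 'ResultantPSO'; Expression = { $_.'msDS-ResultantPSO' } } |
        ForEach-Object {
            # An empty value means no PSO applies, so the domain password
            # policy is the one in effect for that account.
            if (-not $_.ResultantPSO) { $_.ResultantPSO = '(no PSO: domain password policy applies)' }
            $_
        } |
        Group-Object ResultantPSO |
        Select-Object Count, Name
}

# Direct access to one object also needs the quotes.
$SampleUsers[0].'msDS-ResultantPSO'

Get-PsoSummary -User $SampleUsers | Format-Table -AutoSize
```

With the sample data, the summary shows two users under the IT PSO and one account left on the domain password policy.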

Monday, October 24, 2011

Commands for Server Core

Below is a list of commands that I picked up from TechNet Magazine.  Remember that SCONFIG now replaces some of these in Server Core 2008 R2.

Here are links to more information on SCONFIG

How to open the firewall

How to add users to the Local Administrators group

How to move a Server Core 2008 R2 from a domain to a workgroup

Add Server Core to a domain

Setting IP Addresses

Change Windows Update settings

Rename Server Core

Enable Remote Desktop on Server Core



Control desk.cpl - View or set display settings.
Control intl.cpl - View or set regional and language options, including formats and the keyboard layout.
Control sysdm.cpl - View or set system properties.
Control timedate.cpl - View or set the date, time, and time zone.
Cscript slmgr.vbs -ato - Activate the operating system.
DiskRaid.exe - Configure software RAID.
ipconfig /all - List information about the computer’s IP address configuration.
NetDom RenameComputer - Set the server’s name and domain membership.
OCList.exe - List roles, role services, and features.
OCSetup.exe - Add or remove roles, role services, and features.
PNPUtil.exe - Install or update hardware device drivers.
Sc query type=driver - List installed device drivers.
Scregedit.wsf - Configure the operating system. Use the /cli parameter to list available configuration areas.
ServerWerOptin.exe - Configure Windows Error Reporting.
SystemInfo - List the system configuration details.
WEVUtil.exe - View and search event logs.
Wmic datafile where name="FullFilePath" get version - List a file's version.
Wmic nicconfig index=9 call enabledhcp - Set the computer to use dynamic IP addressing rather than static IP addressing.
Wmic nicconfig index=9 call enablestatic("IPAddress"), ("SubnetMask") - Set a computer's static IP address and network mask.
Wmic nicconfig index=9 call setgateways("GatewayIPAddress") - Set or change the default gateway.
Wmic product get name /value - List installed MSI applications by name.
Wmic product where name="Name" call uninstall - Uninstall an MSI application.
Wmic qfe list - List installed updates and hotfixes.
Wusa.exe PatchName.msu /quiet - Apply an update or hotfix to the operating system.

Friday, October 21, 2011

What happens to the FSMO roles on a DC if it is demoted to a member server?

To test this out, I used NETDOM QUERY FSMO to make sure that all the FSMO roles were on the server that I was about to demote to a member server.


When DCPromo was executed, the FSMO roles were transferred to another DC.


Thursday, October 20, 2011

How to prioritize which Domain Controller clients attempt to bind to first.

When a client boots on your network, it needs to bind to a domain controller for authentication and to receive Group Policy.  It is always a best practice to have at least DCs per AD site.  Both DCs will allow for a client to bind to them.  If you want one DC to be preferred over the other, you simply need to change one property in DNS.


On one of your DCs, open the DNS console.

Expand Forward Lookup Zones

Expand <Domain name>.  In this case

Expand _Sites

Expand <Site name>.  In this case Default-First-Site-Name.

Expand _TCP

Double click the resource record of the server that you do not want as the primary domain controller for this site.



Change the priority to something other than zero.  Zero is the highest priority.  This will tell clients to attempt to bind to the other DC before attempting to bind to this one.
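An added example, not part of the original post, showing how SRV priority and weight decide which domain controllers a client tries first. The record values and the Get-SrvPreference function name are constructed for illustration.

```powershell
# Constructed sample records (not from the post). The property names match
# what Resolve-DnsName -Type SRV returns, so real results can be passed in.
$SampleSrv = @(
    New-Object PSObject -Property @{ NameTarget = 'dc1.example.com'; Priority = 0;  Weight = 100; Port = 389 }
    New-Object PSObject -Property @{ NameTarget = 'dc2.example.com'; Priority = 10; Weight = 100; Port = 389 }
    New-Object PSObject -Property @{ NameTarget = 'dc3.example.com'; Priority = 10; Weight = 50;  Port = 389 }
)

# Hypothetical helper: groups SRV records into the tiers a client works through.
function Get-SrvPreference {
    param([Parameter(Mandatory = $true)] [object[]] $Record)

    $tier = 0
    # The lowest priority number forms the first tier that clients try.
    $Record | Group-Object Priority | Sort-Object { [int]$_.Name } | ForEach-Object {
        $tier++
        $members = @($_.Group)
        $total = ($members | Measure-Object -Property Weight -Sum).Sum
        foreach ($r in $members) {
            # Within a tier, weight sets each server's share of the selections.
            if ($total -gt 0) { $share = [math]::Round(100 * $r.Weight / $total) }
            else              { $share = [math]::Round(100 / $members.Count) }
            New-Object PSObject -Property @{
                Tier = $tier; Target = $r.NameTarget; Priority = $r.Priority; SharePercent = $share
            } | Select-Object Tier, Target, Priority, SharePercent
        }
    }
}

Get-SrvPreference -Record $SampleSrv | Format-Table -AutoSize
```

With the sample data, dc1 is alone in tier 1 and is tried first; dc2 and dc3 share tier 2 at roughly 67 and 33 percent and are used only when dc1 cannot be reached.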



Wednesday, October 19, 2011

Determine what is stored in the Global Catalog with DSQuery

It is rare these days that I use a DS command, but in this case it worked out well.  Use the command below to return the attributes that are currently stored in the Global Catalog in your domain.  This command was executed with administrative level permissions on a Domain Controller.  Replace YourDomain with the correct LDAP information.

dsquery * "cn=Schema,cn=Configuration,dc=YourDomain,dc=com" -filter "(&(objectCategory=AttributeSchema)(IsMemberOfPartialAttributeSet=TRUE))" -attr LDAPDisplayName -limit 0
The resulting list contains the attributes in Active Directory that are also in the Global Catalog.

Tuesday, October 18, 2011

List the PSO associated with a user account with PowerShell



PSOs (Password Settings Objects) are another name for Fine-Grained Password Policy.  A PSO allows an organization to have different password policies based on a security group.  That means that unlike in a Windows 2003 domain where all passwords meet the same rules, in a 2008 domain you can have multiple rules for your passwords.


The code below allows you to obtain a list of all user accounts that have a PSO assigned and what that PSO is.  It is designed to be used as a function or dot sourced into PowerShell.


function Get-PSOUsers
{
    <#
    .SYNOPSIS
    Returns a list of user names and their PSO.

    .DESCRIPTION
    Returns a list of user names and the Resultant
    PSO that is currently in effect on that user.

    .OUTPUTS
    Returns a list to the pipeline of the username and the
    PSO currently in effect on the user account.

    .EXAMPLE
    Get-PSOUsers | Sort-Object PSO

    Returns a list of users with assigned PSO's, sorted
    by the PSO.

    Name            PSO
    ----            ---
    John Yokim      CN=IT PSO,CN=Password Settings C...
    Ofer Daliot     CN=IT PSO,CN=Password Settings C...
    Dave Barnett    CN=IT PSO,CN=Password Settings C...
    Neville Burdan  CN=IT PSO,CN=Password Settings C...
    #>

    Import-Module ActiveDirectory -Cmdlet Get-ADUser

    # Get a list of user accounts and also pull the
    # attribute msDs-ResultantPSO. Also, rename the
    # msDs-ResultantPSO so it can be processed.
    $UserList = Get-AdUser -filter * -property msDS-ResultantPSO | Select name, @{Name="ResultantPSO";Expression={$_."msDS-ResultantPSO"}}

    # Create the object to hold the output of this function.
    $UserObj = @()

    # Loop through each user object and filter
    # out those that do not have a value in the
    # msDs-ResultantPSO field.
    foreach ($User in $UserList)
    {
        if ($User.ResultantPSO -Like "*Password*")
        {
            # If there is a value in the msDS-ResultantPSO
            # then add it to the output.
            $UObj = New-Object PSObject
            $UObj | Add-Member NoteProperty -Name Name -Value $User.Name
            $UObj | Add-Member NoteProperty -Name PSO -Value $User.ResultantPSO
            $UserObj += $UObj
        }
    }

    # Send the collected results to the pipeline.
    Write-Output $UserObj
}


Monday, October 17, 2011

How to create a new VM from a snapshot

In Hyper-V R1, we had the option to export out a VM and then later import it back in again.  For many in testing environments, this created large export files when only the VM with a specific snapshot was needed.  With Hyper-V R2 we can now create a new VM from a snapshot of another one.  This is advantageous because now you can create an entire new VM without all the extra files from other snapshots that you may not want.  Take a look at my screen shot below of my snapshot tree.

Let’s say that I want to create a new VM from this one. Apply the snapshot that you want to use as the base for the new VM. Right click the VM and select Export.  Give it a location and click Export.

One thing that I do not like about this process is that you will not see any progress bars or other indicators to let you know when the export is finished.  Your VMs will not be able to start until the export is completed.  If you look in the destination that you specified, you will see a new folder containing the name of the VM that you are exporting.  Open this folder.
When the Config.xml file is created, the export is completed.

In Hyper-V Manager, click Import Virtual Machine.
Select the folder and click Import.
You will now have a new VM that does not have any snapshots, but it will boot to the snapshot image you exported.  This is now the base for this VM.

Friday, October 14, 2011

Add Roles and Features to Windows 8 Server Core

This demo is tested on Windows 8 Server Developer Preview
Server Core has been something that many Network Administrators shy away from due to the text-based interface. Windows gained much of its market share through the graphical interface and pulled market share from Novell and Unix in the 90s. Why did Microsoft go back? Well, look at it from my perspective:
  • Fewer updates mean fewer reboots.
  • Without the extra code needed to generate the GUI, you have fewer vulnerabilities.
  • Best of all, fewer resources required for the OS means more resources available to the applications.
In Windows Server Core 2008 R1, we had to execute many command lines and scripts to do basic tasks. With the R2 version, the sconfig menu-driven interface relieved us of much of the memorization of NETSH and scripts. We still needed to manually install roles and features through the text environment. We had the ability to manage those roles and features from a full installation of Windows Server or a Vista/Win7 client with RSAT installed, but still had to do the installation at the command prompt.
With Windows Server 8 Developer Preview, we no longer have to do this. Once you join the Server Core to the domain, go to your DC or the server that you are using for server management.
Step 1: Configure Server Core for remote management.
On the server core, type sconfig and press Enter.
Select option 4) Configure Remote Management
Select option 1) Enable Remote Management
Confirm your selection.
Step 2: Add the server to a full Windows 8 installation’s Server Manager.
Click Manage and then select Add Servers

Type part of the server's name in the blank field under All Machines.

Click the Search image icon.
Select the name of the server and then click the image to add the server to the list.

Click Finish.

Step 3: Add Roles and Features.

On the Server Manager Dashboard, click Add Roles.


Click Next twice.

Select the Server Core from the list of available servers and click Next.

Select the Roles that you want to install and click Next

Select the Features that you want and click Next.

You will now need to do the initial configuration of the roles and features that you selected and tell the Server Manager to Install.

If you receive a failure of the installation, it may mean that Server Core needs to reboot.
Once the installation has completed and, if necessary, a reboot finishes, click Finish.

Click All Servers, select the server core and scroll to the bottom on the page.

You can now see the installed role.

Thursday, October 13, 2011

Installing Windows 8 Server


This procedure is tested on the Developer Preview.

Windows 8 Developer Preview has now been out for a few weeks.  I’ve given it a try on a touch device and thought that it worked well.  I let my class try it out and they gave it positive comments.  Windows 8 Server Developer Preview is also out, but it is only available for MSDN subscribers.  Well, this week we did an extra server installation exercise using Windows 8.  Following are a few of the screen shots from the installation.


This installation is from a CD onto a virtual machine.

First up came the “What language do you speak” screen.


So far nothing different from Windows 2008 R2.  Click Install.



Here is a hint at what is to come. Notice the Full and Server Core is still present.  The new one is Features On Demand.  Full Installation is selected for this demo.


The usual license agreement.


Since this is a fresh installation, we are going to select Custom.


Still nothing new (except the color).  Click Drive options and format the drive.



Once formatted, you can see Windows carved a little bit out for itself.

Click Next


This installation does not take too long.


Let Windows restart. (It may reboot twice)


Provide the local Administrator password for the server.



The new logon screen.


Provide your credentials


Finally, you arrive at the Dashboard of the Server Manager.



Not a whole lot to relearn at this point.  Testing will continue as I try to look at the management of this first look at the future of Windows.