Active Directory Friday: Find empty Organizational Unit

As an Active Directory administrator there are moments, few and far between, where you might have some time to yourself. In this article I will give you a short line of code so you can use this moment to find out if you have any empty Organizational Units in your domain. The definition of empty is an OU that does not contain any child objects. By this definition an OU containing another OU would not be considered empty. Because there is no LDAP filter for this, we will take a look at how to do this using the cmdlets and the [adsisearcher] type accelerator.

In the following example I will use Get-ADOrganizationalUnit in combination with an if-statement and Get-ADObject to gather empty OUs:

Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    if (-not (Get-ADObject -SearchBase $_ -SearchScope OneLevel -Filter *)) {
        $_
    }
}

So let's have a look at what this code does. The first portion is straightforward: gather all OUs using the Get-ADOrganizationalUnit cmdlet and pipe them into the ForEach-Object cmdlet. The if-statement is the interesting part here. I am using the Get-ADObject cmdlet to establish whether this OU contains any child objects, by setting the SearchBase to that OU and setting the SearchScope to OneLevel. Setting the SearchScope to OneLevel will only return direct child objects of the parent, the OU, without returning the OU itself. Because of this, Get-ADObject will not return any objects if the OU is empty.

For more information about the SearchScope parameter and the possible arguments have a look at the following link: Specifying the Search Scope

Because you might not have the ActiveDirectory module loaded in your current PowerShell session it can be useful to know the [adsisearcher] alternative:

([adsisearcher]'(objectcategory=organizationalunit)').FindAll() | Where-Object {
    -not (-join $_.GetDirectoryEntry().psbase.children)
}

This is a slightly different approach to illustrate a different method of gathering empty OUs. Here we check the Children property of the base object that is retrieved. The -join operator turns the children into a single string, which is empty when the OU has no children; without it, the empty System.DirectoryServices.DirectoryEntries object itself would evaluate as true and the -not would never match.

Using the logic in this post it is also possible to filter for other specific objects contained in the OUs. For example display OUs that only have user objects, display OUs with both user and computer objects and so on.
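An added example, not part of the original post: one way to apply that logic with the ActiveDirectory module, reporting for each OU which object classes its direct children have. The function name Get-OUChildSummary and its output property names are hypothetical.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-OUChildSummary {
    [CmdletBinding()]
    param(
        # Optional subtree to limit the scan; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        # OneLevel returns only direct children, never the OU itself.
        $children = @(Get-ADObject -SearchBase $_.DistinguishedName `
                                   -SearchScope OneLevel -Filter *)

        # Distinct object classes found directly under this OU,
        # for example 'computer', 'group', 'organizationalUnit', 'user'.
        $classes = @($children |
            Select-Object -ExpandProperty ObjectClass |
            Sort-Object -Unique)

        [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            ChildCount        = $children.Count
            ChildClasses      = $classes -join ','
            # Same definition of empty as above: no child objects at all.
            IsEmpty           = $children.Count -eq 0
            # Every direct child is a user object.
            OnlyUsers         = ($classes.Count -eq 1) -and ($classes[0] -eq 'user')
            # At least one user and at least one computer directly in the OU.
            UsersAndComputers = ($classes -contains 'user') -and
                                ($classes -contains 'computer')
        }
    }
}

# Usage: each filter is a simple property test on the summary objects.
$summary = Get-OUChildSummary
$summary | Where-Object { $_.IsEmpty }           | Select-Object DistinguishedName
$summary | Where-Object { $_.OnlyUsers }         | Select-Object DistinguishedName
$summary | Where-Object { $_.UsersAndComputers } | Select-Object DistinguishedName, ChildCount
```

The summary is built once and filtered several times, so each OU is queried only once regardless of how many views are needed.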

For more information on this subject please refer to the following links:

Additional resources
Specifying the Search Scope
Get-ADObject
Get-ADOrganizationalUnit

New article on PowerShell Magazine: Connect to Azure Virtual Machines without being prompted for credentials

The mstsc tool unfortunately does not support credentials. Because of this I have written a short function that uses mstsc in combination with an input of username and password or a PowerShell credential object. In the tip on PowerShell Magazine I show how to use this function to connect to Azure virtual machines. The full article is available on PowerShell Magazine: Connect to Azure Virtual Machines without being prompted for credentials

Connect-Mstsc -ComputerName cloudservice.cloudapp.net:58142 -U jaapbrasser -P secretpw1

For more articles like this, have a look at the External Articles section of my blog. It contains all the articles I have posted on external sources such as PowerShell Magazine.

Links in this Article
PSTip: Connect to Azure Virtual Machines without being prompted for credentials
PowerShell Magazine
External Articles
Connect-Mstsc
My entries in TechNet Script Gallery

New article on PowerShell Magazine: Change a drive letter using Win32_Volume class

In PowerShell there are a lot of neat little tricks available. Today I will show how to change a drive letter using the Win32_Volume WMI class. The full article is available on PowerShell Magazine: Change a drive letter using Win32_Volume class

$DvdDrive = Get-CimInstance -Class Win32_Volume -Filter "driveletter='F:'"
Set-CimInstance -InputObject $DvdDrive -Arguments @{DriveLetter="Z:"}

For more articles like this, have a look at the External Articles section of my blog. It contains all the articles I have posted on external sources such as PowerShell Magazine.

Links in this Article
PSTip: Change a drive letter using Win32_Volume class
PowerShell Magazine
External Articles

QuickTip: Automate variable creation using New-Variable

Occasionally I get the question: “But what if I want to create fifty variables, how do I do that in PowerShell?”. My initial thought usually is: “Why?”, but there might be some scenarios in which it can be useful to batch create a large number of variables. Aside from that it is also just interesting to see how to do things like this in PowerShell.

For example, if we would like to create the variables GroupA through GroupZ as empty arrays, the following code can be used:

65..90 | ForEach-Object {
    New-Variable "Group$([char]$_)" -Value @()
}

Personally I would prefer creating a hash table which contains all these arrays as it is easier to work with. If you would like to automatically create a hash table that can be done in a similar manner using the following code:

65..90 | ForEach-Object -Begin {
    $HashTable = @{}
} -Process {
    $HashTable."Group$([char]$_)" = @()
}

Storing the arrays in a hash table has the advantage of having a single point of access, for example by accessing the GetEnumerator() method to display the key – value pairs that are contained in the hash table:

$HashTable.GetEnumerator()

Connect-Mstsc – New version in TechNet Script Gallery

My Connect-Mstsc function was overdue for an update and I took the opportunity to add some additional features to Connect-Mstsc as well. The purpose of this function is to start an RDP session with the specified user name and password. This functionality is not included in the mstsc.exe tool, which is why I wrote this script. The script is available for download in the TechNet script library: Connect-Mstsc.

This script accepts many parameters but two things need to be present, the ComputerName and either the combination of a User and a Password or a Credential object which will be used to authenticate the user against the remote system.

A simple example of how to use this function is as follows:

.EXAMPLE
Connect-Mstsc -ComputerName server01 -User contoso\jaapbrasser -Password supersecretpw

Description
-----------
A remote desktop session to server01 will be created using the credentials of contoso\jaapbrasser

Alternatively the -Credential parameter can be used to connect to a remote host:

.EXAMPLE
Connect-Mstsc -ComputerName 192.168.1.10 -Credential $Cred

Description
-----------
An RDP session to the system at 192.168.1.10 will be created using the credentials in the $cred variable

The complete function is available in the TechNet Script Library. To view this script or to participate in the discussions about this script either comment here or in the TechNet Script Gallery. Because of some of the new functionality, specifically the parameter sets and support for common parameters, the latest version of Connect-Mstsc is not compatible with PowerShell 2.0. To remedy this problem I have uploaded a PowerShell 2.0 compatible version as well.

TechNet Script Library
My entries in TechNet Script Gallery
Connect-Mstsc
Connect-Mstsc (PowerShell 2.0)