Monthly Archives: April 2015

QuickTip: Update Windows Defender definitions using Update-MPSignature

Since protecting your computer is as important as anything it might be nice to know that there is also a PowerShell cmdlet available to manually update your virus and malware definitions:


So for example if you would like your Windows Defender definitions to be updated every time a new PowerShell window is opened the following code could be added to your PowerShell profile:

Update-MPSignature -AsJob

I added in the -AsJob so the updating will take place in the background and PowerShell is immediately available to use. To add this to your current PowerShell profile you could execute the following code:

Add-Content -Path $Profile -Value "`r`nUpdate-MPSignature -AsJob`r`n"

The next time you launch PowerShell it will automatically update your definitions:


Active Directory Friday: Find empty Organizational Unit

As an Active Directory Administrator there are some moments, few and far in between where you might have a moment to yourself. In this article I will give you a short line of code so you can use this moment to find out if you have any empty Organizational Units in your domain. The definition of empty is an OU that does not contain any child objects. By this definition an OU containing another OU would not be considered empty. Because there is no LDAP filter for this we will take a look at how to do this using the Cmdlets and the [adsisearcher] type accelerator.

In the following example I will use Get-ADOrganizationalUnit in combination with an if-statement and Get-ADObject to gather empty OUs:

Get-ADOrganizationalUnit -Filter * | ForEach-Object {
	   if (-not (Get-ADObject -SearchBase $_ -SearchScope OneLevel -Filter * )) {

So lets have a look at what this code does, the first portion is straight forward, gather all OUs using the Get-ADOrganizationalUnit cmdlet and pipe it into the ForEach-Object cmdlet. The if-statement is the interesting part here, I am using the Get-ADObject cmdlet to establish if this OU contains any child object, by setting the SearchBase to that OU and setting the SearchScope to OneLevel. Setting the SearchScope to OneLevel will only return direct child objects of the parent, the OU, without returning the OU itself. Because of this Get-ADObject will not return any objects if the OU is empty.

For more information about the SearchScope parameter and the possible arguments have a look at the following link: Specifying the Search Scope

Because you might not have the ActiveDirectory module loaded in your current PowerShell session it can be useful to know the [adsisearcher] alternative:

([adsisearcher]'(objectcategory=organizationalunit)').FindAll() | Where-Object {
   -not (-join $_.GetDirectoryEntry().psbase.children) }

This is a slightly different approach to illustrate a different method of gathering empty OUs, here we check the Children property part of the base object that is retrieved. The -join operator is used to ensure the -not does not evaluate the empty System.DirectoryServices.DirectoryEntries object as true.

Using the logic in this post it is also possible to filter for other specific objects contained in the OUs. For example display OUs that only have user objects, display OUs with both user and computer objects and so on.

For more information on this subject please refer to the following links:

Additional resources
Specifying the Search Scope

New article on PowerShell Magazine: Connect to Azure Virtual Machines without being prompted for credentials

The mstsc tool unfortunately does not support credentials, because of this I have written a short function that uses mstsc in combination a input of username and password or a PowerShell credential object. In the tip on PowerShell Magazine I show how to use this function to connect to Azure virtual machines. The full article  is available on PowerShell Magazine : Connect to Azure Virtual Machines without being prompted for credentials

Connect-Mstsc –ComputerName –U jaapbrasser -P secretpw1

For more articles like this, have a look at the External Articles section of my blog, it contains all the articles I have posted on external sources such as PowerShell Magazine.

Links in this Article
PSTip: Connect to Azure Virtual Machines without being prompted for credentials
PowerShell Magazine
External Articles
My entries in TechNet Script Gallery

New article on PowerShell Magazine: Change a drive letter using Win32_Volume class

In Powershell there are a lot of neat little tricks available, today I will show how to change a drive letter using the Win32_Volume WMI class. The full article  is available on PowerShell Magazine : Change a drive letter using Win32_Volume class

$DvdDrive = Get-CimInstance -Class Win32_Volume -Filter "driveletter='F:'"
Set-CimInstance -InputObject $DvdDrive -Arguments @{DriveLetter="Z:"}

For more articles like this, have a look at the External Articles section of my blog, it contains all the articles I have posted on external sources such as PowerShell Magazine.

Links in this Article
PSTip: Change a drive letter using Win32_Volume class
PowerShell Magazine
External Articles

QuickTip: Automate variable creation using New-Variable

Occasionally I get the question: “But what if I want to create fifty variables, how do I do that in PowerShell?”. My initial thought usually is: “Why?”, but seeing as there might be some scenarios in which it can be useful to batch create a large number of variables. Aside from that it is also just interesting to see how to do things like this in PowerShell.

For example if we would like to create group A-Z as empty arrays the following code can be used:

65..90 | ForEach-Object {
 New-Variable "Group$([char]$_)" -Value @()

Personally I would prefer creating a hash table which contains all these arrays as it is easier to work with. If you would like to automatically create a hash table that can be done in a similar manner using the following code:

65..90 | ForEach-Object -Begin {
 $HashTable = @{}
} -Process {
 $HashTable."Group$([char]$_)" = @()

Storing the arrays in a hash table has the advantage of having a single point of access, for example by accessing the GetEnumerator() method to display the key – value pairs that are contained in the hash table:


Connect-Mstsc – New version in TechNet Script Gallery

My Connect-Mstsc function was overdue for an update and I took the opportunity to add some additional feature to Connect-Mstsc as well. The purpose of this function is to start an RDP session with the specified user name and password. This functionality is not included in the mstsc.exe tool, which is why I wrote this script. The script is available for download in the TechNet script library: Connect-Mstsc.

This script accepts many parameters but two things need to be present, the ComputerName and either the combination of a User and a Password or a Credential object which will be used to authenticate the user against the remote system.

A simple example of how to use this function is as follows:

Connect-Mstsc -ComputerName server01 -User contoso\jaapbrasser -Password supersecretpw

A remote desktop session to server01 will be created using the credentials of  contoso\jaapbrasser

Alternatively the -Credential parameter can be used to connect to a remote host:

Connect-Mstsc -ComputerName -Credential $Cred

A RDP session to the system at will be created using the credentials in   the $cred variable

The complete function is available in the TechNet Script Library. To view this script or to participate in the discussions about this script either comment here or in the TechNet Script Gallery. Because some of the new functionality, specifically the parameter sets and support for common parameter, the latest version of Connect-Mstsc is not compatible with PowerShell 2.0. To remedy this problem I have uploaded a PowerShell 2.0 compatible version as well.

TechNet Script Library
My entries in TechNet Script Gallery
Connect-Mstsc (PowerShell 2.0)

Active Directory Friday: Use the ANR filter for LDAP Queries

ANR or Ambiguous Name Resolution is used to query for objects in Active Directory if the exact identity of an object is not known. A query containing Ambigious Name Resolution will query for all the attributes for example, Given Name, Sur Name, Display Name and samaccountname. For Windows Server 2008 and later versions this is the full list of ANR Attributes included in the search results:

For a full list of all the attributes that are queried please refer to the following TechNet article: ANR Attributes.

  • Display-Name
  • Given-Name
  • Physical-Delivery-Office-Name
  • Proxy-Addresses
  • RDN
  • SAM-Account-Name
  • Surname
  • Legacy-Exchange-DN
  • ms-DS-Additional-Sam-Account-Name
  • ms-DS-Phonetic-Company-Name
  • ms-DS-Phonetic-Department
  • ms-DS-Phonetic-Display-Name
  • ms-DS-Phonetic-First-Name
  • ms-DS-Phonetic-Last-Name

For a full list of all the attributes that are queried please refer to the following TechNet article: ANR Attributes.

An ANR query is useful in a number of scenarios, for example when relying on user input in your script. In this case querying against a samaccountname might fail if the spelling does not match the samaccountname. Similarly an export from a different department or database might be close to what is stored in Active Directory but not an exact match, again this is somewhere where an ANR query might be useful. Something that should be kept in mind is that this is a relatively expensive query and therefore should be avoided when it is not required. In this article we will discuss how to create an ANR filter and what happens exactly in such a query.

In the next example we will be using Get-ADUser cmdlet, which is part of the ActiveDirectory module, in combination with the LDAPFilter parameter in order to execute our query:

Get-ADUser -LDAPFilter '(anr=Jaap Brasser)'

This will query against all the attributes in the list as ‘Jaap Brasser*’ and two additionally queries: ‘GivenName=Jaap*’ and ‘SurName=Brasser*’ as well as ‘GivenName=Brasser*’ and ‘SurName=Jaap*’. As a result more than one result might be returned, as different attributes of a user account might overlap or are not unique to a single user account. This is the downside of this method of querying.

In the following example I will use the [adsisearcher] type accelerator to execute the same query:

([adsisearcher]'(anr=Jaap Brasser)').FindAll()

Alternatively the DirectorySearcher object can be manually created to execute a query:

$ADSearcher = New-Object DirectoryServices.DirectorySearcher -Property @{
 Filter = '(anr=Jaap Brasser)'
 PageSize = 100

For more information on this Ambiguous Name Resolution (ANR) have a look at the following resources:

Ambiguous Name Resolution
MSDN Ambiguous Name Resolution
ANR Attributes
KB Ambiguous Name Resolution for LDAP in Windows 2000