Tag Archives: ADSI

Working with type accelerators in PowerShell

Type accelerators are a great way in PowerShell to access .Net classes without having to write their full names. In essence they are aliases for .Net classes. If you have worked with PowerShell then you probably have used a type accelerator without knowing.

To get the list of available type accelerators the following command can be executed:

# Retrieve the internal dictionary that maps accelerator names to their .Net types
[psobject].Assembly.GetType("System.Management.Automation.TypeAccelerators")::Get

Depending on your version of PowerShell this will generate a list of accelerator names together with the full .Net type each one maps to.

The Get-TypeAccelerator function can also be used to display the available Type Accelerators in an easier to read format.

Type accelerators are useful for quickly defining objects without writing out the complete class name; compare the following two lines, which produce the same object:

[System.Management.Automation.PSObject]@{'Property'='PowerShell Object'}
[pscustomobject]@{'Property'='PowerShell Object'}

Two type accelerators I use a lot are [adsi] and [adsisearcher]; they allow me to access and manipulate Active Directory objects without relying on additional PowerShell modules. Here are some examples of querying Active Directory:

# Search the current domain for the account with this samaccountname
([adsisearcher]'samaccountname=jaap').FindOne()
# Bind directly to an object by its distinguished name
[adsi]'LDAP://CN=Jaap,OU=AdminUsers,DC=JaapBrasser,DC=Com'

This allows for very short lines of code and, used appropriately, improves the readability of your code. A few more examples of type accelerators:

[ipaddress]'8.8.8.8'                            # System.Net.IPAddress
[version]'1.0.2.123'                            # System.Version, compares as a version
[regex]::Replace('Type','e','e Accelerator')    # static method on System.Text.RegularExpressions.Regex
[void] (Get-Process)                            # discard the output of a command

For more information on the different types and how to use them to define objects, run queries or access data, you can view the corresponding article on MSDN, for example by executing the following code:

Start-Process -FilePath "http://social.msdn.microsoft.com/Search/en-US?query=$([psobject].Assembly.GetType("System.Management.Automation.TypeAccelerators")::Get.wmisearcher.ToString())"

There are a number of ways to use Type Accelerators in PowerShell. Do you already use them and, if so, what are some of your favorite uses? Feel free to discuss them below in the comments section.

New article on PowerShell Magazine: Get last login date for local account


Two weeks ago I wrote Get-LocalLastLogonTime and blogged about it. In this script I use the [adsi] type accelerator in combination with the WinNT provider to retrieve the LastLogin property of a user account. I wrote a short article on this for PowerShell Magazine: Get last login date for local account

# Bind to a local account through the WinNT provider; 'computer' stands for the computer name
([ADSI]"WinNT://computer/jaapbrasser").lastlogin

For more articles like this, have a look at the External Articles section of my blog, it contains all the articles I have posted on external sources such as PowerShell Magazine.

Links in this Article
PSTip: Get last login date for local account
PowerShell Magazine
External Articles
My entries in TechNet Script Gallery
Get-LocalLastLogonTime

Free ebook – Active Directory Friday All Articles


The Active Directory Friday articles have proven to be quite popular among my readers and as a thank you to all of them I decided to publish the series as an ebook. The reason for publishing this series as an ebook is to make the content more easily accessible. The ebook is available in PDF, EPUB and MOBI formats to allow for complete portability and the freedom to read these articles on any device. I have placed this ebook in the Books section of my blog and the download links are available below.

Download PDF | Download EPUB | Download MOBI

The ebook covers the following topics:

  • Creating Active Directory groups using PowerShell
  • Determine the forest functional level
  • Find empty Organizational Unit
  • Use the ANR filter for LDAP Queries
  • Find users with password never expires
  • Change a user’s password
  • Create new OU
  • Determine tombstone lifetime
  • Search for computers accounts
  • List password information for Domain Administrators
  • Get DistinguishedName of current domain
  • Query Group Policy Objects in Active Directory
  • Find user accounts that have not changed password in 90 days

This resource will be updated on a regular basis as new articles are published, to keep the content up-to-date with the latest articles. If you have any requests or feedback for topics to be included in this ebook or the Active Directory Friday series, please leave a comment below.

Active Directory Friday All Articles
Books
Active Directory Friday
Download PDF
Download EPUB
Download MOBI

Manage SCOM Report Operators role using PowerShell

Sharing SCOM reports with other users can be facilitated by adding those users to the SCOM Report Operator role. To view the users and groups that are a member of this role the following can be executed:

Get-SCOMUserRole -Name 'Operations Manager Report Operators'

The best practice is to add an AD group to the User Role and then place the user in that AD group. If the User Role already contains an AD group then the user can be added to that group directly. Otherwise an AD group can be created and added to the SCOM User Role as follows:

# Create Domain Local Security Group
$TargetOU = [adsi]'LDAP://OU=SCOM,OU=Groups,DC=jaapbrasser,DC=com'
$Group = $TargetOU.Create('group','cn=SCOM_Report_Operators')
# 0x80000004 = GROUP_TYPE_RESOURCE_GROUP (domain local) combined with GROUP_TYPE_SECURITY_ENABLED
$Group.put('grouptype',0x80000004)
$Group.put('samaccountname','SCOM_Report_Operators')
# Nothing is written to Active Directory until SetInfo() is called
$Group.SetInfo()
 
# Add the newly created group to the SCOM User Role, keeping the existing members
Get-SCOMUserRole -Name 'Operations Manager Report Operators' | ForEach-Object {
    Set-SCOMUserRole -UserRole $_ -User ($_.Users+'jaapbrasser\SCOM_Report_Operators')
}

Since the Set-SCOMUserRole cmdlet does not support adding a single group or user account to the existing members, ForEach-Object is used to include the current User Role members in the call. By concatenating the existing users with the new user, domain\jaapbrasser, the new user is added to the User Role Members.
Now that the Active Directory group has been created and added to the User Role, the user account can be added to the AD group:

# Bind to the group and look up the user's ADsPath
$ADGroup = [adsi]([adsisearcher]'samaccountname=SCOM_Report_Operators').findone().path
$User = ([adsisearcher]'samaccountname=jaapbrasser').findone().path
# Add the user to the group by ADsPath and commit the change
$ADGroup.add($User)
$ADGroup.psbase.commitchanges()

Now that the AD Group has been added as a User Role member and the user has been added to the correct Active Directory group the user has the appropriate permissions to be able to view the reports created by SCOM.
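The steps above, wrapped in a function that only writes to the User Role when the member is not already present and reads the membership back afterwards. This is an added example, not code from the original post; it assumes the Operations Manager module is loaded and connected to a management group, and the function name Add-SCOMUserRoleMember is my own.

```powershell
# Added example: idempotent addition of a user or group to a SCOM User Role.
# Assumes the Operations Manager module is loaded and a management group connection exists.
function Add-SCOMUserRoleMember {
    param(
        [Parameter(Mandatory)][string]$Member,   # 'DOMAIN\user' or 'DOMAIN\group'
        [string]$RoleName = 'Operations Manager Report Operators'
    )
    $Role = Get-SCOMUserRole -Name $RoleName
    if (-not $Role) { throw "User Role '$RoleName' was not found" }

    # Set-SCOMUserRole -User replaces the whole member list, so the existing members are
    # always passed along with the new one; skip the write when the member is already there
    if ($Role.Users -contains $Member) {
        Write-Verbose "$Member is already a member of '$RoleName'"
    } else {
        Set-SCOMUserRole -UserRole $Role -User (@($Role.Users) + $Member)
    }

    # Read the role back so the caller can verify the resulting membership
    (Get-SCOMUserRole -Name $RoleName).Users
}

# Group name taken from the example above
Add-SCOMUserRoleMember -Member 'jaapbrasser\SCOM_Report_Operators' -Verbose
```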

SCOM Report Operators User Role
Implementing User Roles
Get-SCOMUserRole
Set-SCOMUserRole

Active Directory Friday: Distribution group membership for AD User

To get a list of the distribution groups an Active Directory user account is a member of we can query Active Directory, for example by combining the Get-ADUser and Get-ADGroup cmdlets. To generate this list the following code can be used:

Get-ADUser -Identity JaapBrasser -property memberof |
Select-Object -ExpandProperty memberof | Get-ADGroup |
Where-Object {$_.groupcategory -eq 'Distribution'}

The Get-ADUser cmdlet gets all the groups Jaap Brasser is a member of, the Select-Object cmdlet expands the MemberOf attribute which is then piped into the Get-ADGroup cmdlet. The last step is using the Where-Object cmdlet to filter out only the Distribution groups to get the desired results.

Alternatively the DirectoryServices DirectorySearcher object can be used. This object does not require the Active Directory module to be installed and can run on any version of PowerShell. The following code can be used:

$ADSearcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter = "(samaccountname=JaapBrasser)"
}
# Walk every group the user is a direct member of and keep only the distribution groups
$ADSearcher.FindOne().Properties.memberof | ForEach-Object {
    $CurrentGroup = [adsi]"LDAP://$_"
    # Bit 0x80000000 (GROUP_TYPE_SECURITY_ENABLED) is clear for distribution groups
    if (-not ([int](-join $CurrentGroup.Properties.grouptype) -band 0x80000000)) {
        $CurrentGroup.Properties.name
    }
}

This sample works by querying Active Directory for the samaccountname JaapBrasser. For this user account the distinguishedname of each group it is a member of is retrieved and the group object is bound to. The group type is explained in last week's post as well, in which I explained the hex codes that define whether a group is a Security Group or a Distribution group. The article is available here: Creating Active Directory groups using PowerShell

For more information on this subject please refer to the following links:

Distribution group membership
Get-ADGroup
Get-ADUser
Understanding Groups
2.2.12 Group Type Flags
Creating Active Directory groups using PowerShell

Active Directory Friday: Creating Active Directory groups using PowerShell

Creating a group in Active Directory using PowerShell is relatively simple when using the Active Directory module. To create a Global Distribution Group the following code can be executed:

New-ADGroup -Name NewGlobalDG_1 -GroupScope Global -GroupCategory Distribution

When creating a Domain Local Security Group the GroupScope can be changed to DomainLocal and GroupCategory can be omitted since the default is a Security Group:

New-ADGroup -Name NewDLSG_1 -GroupScope DomainLocal

Creating groups using the [adsi] type accelerator is a three-step process. First we bind to the OU in which the group should be created. Secondly we set the name and the properties of the group that should be created. Finally we call the SetInfo() method to create the group. The following code will create a group:

# Bind to the OU that will contain the new group
$TargetOU = [adsi]'LDAP://OU=Groups,DC=jaapbrasser,DC=com'
$Group = $TargetOU.Create('group','cn=System_Operators')
# 0x80000004 = GROUP_TYPE_RESOURCE_GROUP (domain local) combined with GROUP_TYPE_SECURITY_ENABLED
$Group.put('grouptype',0x80000004)
$Group.put('samaccountname','System_Operators')
# Nothing is written to Active Directory until SetInfo() is called
$Group.SetInfo()

To specify the Group Type a hexadecimal value is required as specified in the following MSDN article: 2.2.12 Group Type Flags. The following table lists all the possible values:

Symbolic name                    Value
GROUP_TYPE_BUILTIN_LOCAL_GROUP   0x00000001
GROUP_TYPE_ACCOUNT_GROUP         0x00000002
GROUP_TYPE_RESOURCE_GROUP        0x00000004
GROUP_TYPE_UNIVERSAL_GROUP       0x00000008
GROUP_TYPE_APP_BASIC_GROUP       0x00000010
GROUP_TYPE_APP_QUERY_GROUP       0x00000020
GROUP_TYPE_SECURITY_ENABLED      0x80000000

It is important to note that only four of these values are relevant when creating Active Directory groups:

  • GROUP_TYPE_ACCOUNT_GROUP – 0x00000002
  • GROUP_TYPE_RESOURCE_GROUP – 0x00000004
  • GROUP_TYPE_UNIVERSAL_GROUP – 0x00000008
  • GROUP_TYPE_SECURITY_ENABLED – 0x80000000

To simplify the creation of groups these values can be placed in a hashtable:

$GroupType = @{
    Global      = 0x00000002
    DomainLocal = 0x00000004
    Universal   = 0x00000008
    Security    = 0x80000000
}

Using the values stored in the hash table it is now possible to create any of the three group scopes as either a distribution group or security group. The following example uses the -bor operator to combine the values to create a Universal Security Group:

$TargetOU = [adsi]'LDAP://OU=Groups,DC=jaapbrasser,DC=com'
$Group = $TargetOU.Create('group','cn=Universal_Operators')
$Group.put('grouptype',($GroupType.Universal -bor $GroupType.Security))
$Group.put('samaccountname','Universal_Operators')
$Group.SetInfo()

That is all there is to it, using this methodology it is possible to create any type of Active Directory group using either the Active Directory module or the [adsi] type accelerator. Below I have included some links in regards to this topic.
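The flag arithmetic from this post and the grouptype test from the distribution group membership post above, worked through in both directions: building a grouptype value from a scope and category, decoding the signed Int32 that ADSI returns back into scope and category, and auditing every group under an OU with it. This is an added example, not code from the original articles; the function names and the OU path are my own placeholders, and the flag values are the MS-SAMR 2.2.12 values listed above.

```powershell
# Added example: flag values from MS-SAMR 2.2.12, as in the $GroupType hashtable above
$GroupType = @{
    Global      = 0x00000002
    DomainLocal = 0x00000004
    Universal   = 0x00000008
    Security    = 0x80000000   # PowerShell parses this as the Int32 -2147483648
}

# Build the grouptype value for a given scope and category
function ConvertTo-GroupType {
    param(
        [Parameter(Mandatory)][ValidateSet('Global','DomainLocal','Universal')][string]$Scope,
        [ValidateSet('Security','Distribution')][string]$Category = 'Security'
    )
    $Value = $GroupType[$Scope]
    if ($Category -eq 'Security') { $Value = $Value -bor $GroupType.Security }
    # Security groups come out negative, which is how ADSI and Get-ADGroup expose grouptype
    [int]$Value
}

# Decode a grouptype value (signed Int32 as returned by ADSI) into scope and category
function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int]$Value)
    $Scope = foreach ($Name in 'Global','DomainLocal','Universal') {
        if ($Value -band $GroupType[$Name]) { $Name }
    }
    [pscustomobject]@{
        Scope    = $Scope
        Category = if ($Value -band $GroupType.Security) { 'Security' } else { 'Distribution' }
    }
}

# Audit every group under an OU; the default OU path is the placeholder used in the examples above
function Get-GroupTypeReport {
    param([string]$SearchBase = 'LDAP://OU=Groups,DC=jaapbrasser,DC=com')
    $Searcher = New-Object DirectoryServices.DirectorySearcher
    $Searcher.SearchRoot = [adsi]$SearchBase
    $Searcher.Filter = '(objectCategory=group)'
    foreach ($Result in $Searcher.FindAll()) {
        $Info = ConvertFrom-GroupType -Value ([int]$Result.Properties['grouptype'][0])
        [pscustomobject]@{
            Name     = [string]$Result.Properties['name'][0]
            Scope    = $Info.Scope
            Category = $Info.Category
        }
    }
}

ConvertTo-GroupType -Scope Universal -Category Security
ConvertFrom-GroupType -Value (ConvertTo-GroupType -Scope DomainLocal)
```

Get-GroupTypeReport needs a domain-joined session; the two Convert functions run anywhere and show the round trip, including the negative value that the Security flag produces.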

Creating Active Directory Groups
New-ADGroup
Understanding Groups
2.2.12 Group Type Flags