The updated release is available on MSDN as version 0.2.0.

code.msdn.microsoft.com/dnsshell

Basic help is available for each of the new CmdLets.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

# The current Domain

$DomainNC = ([ADSI]"LDAP://RootDSE").DefaultNamingContext

# The Primary Group Token for Domain Users and Guests will always be
# the same value (no matter the forest). Used as a demonstration of
# how the value can be retrieved

$OldGroup = [ADSI]"LDAP://CN=Domain Users,CN=Users,$DomainNC"
$OldGroup.GetInfoEx(@("primaryGroupToken"), 0)
$OldGroupToken = $OldGroup.Get("primaryGroupToken")

$NewGroup = [ADSI]"LDAP://CN=Domain Guests,CN=Users,$DomainNC"
$NewGroup.GetInfoEx(@("primaryGroupToken"), 0)
$NewGroupToken = $NewGroup.Get("primaryGroupToken")

# Determine which accounts will be effected by the change

$BaseOU = [ADSI]"LDAP://OU=SomeWhere,$DomainNC"
$LdapFilter = "(&(objectClass=user)(objectCategory=person)" + `
  "(primaryGroupId=$OldGroupToken))"

# Find the users

$Searcher = New-Object DirectoryServices.DirectorySearcher($BaseOU, $LdapFilter)
$Searcher.PageSize = 1000

$Searcher.FindAll() | %{
  $User = $_.GetDirectoryEntry()

  # The user must be a member of the group first

  $NewGroup.Add($User.AdsPath)

  # Change the Primary Group

  $User.Put("primaryGroupId", $NewGroupToken)
  $User.SetInfo()

  # Then the old group can be removed

  $OldGroup.Remove($User.AdsPath)
}

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Properties

Usage examples

Standard output (reporting on organizational units in the current domain):

Get-DsAcl

Format Table:

Get-DsAcl | Format-Table

Store in a variable:

ACLs = Get-DsAcl

Export to CSV:

Get-DsAcl | Export-CSV "Rights.csv"

Reporting on User objects:

Get-DsAcl -ObjectType "user"

Reporting on a sub-OU:

Get-DsAcl "OU=Test,DC=domain,DC=com"
# Or
Get-DsAcl -SearchRoot "OU=Test,DC=domain,DC=com"

Reporting on contacts in a sub-OU:

Get-DsAcl "OU=Test,DC=domain,DC=com" -ObjectType "contact"

Using a custom LDAP filter:

Get-DsAcl -LdapFilter "(objectClass=*)"

Including Inherited entries:

Get-DsAcl -LdapFilter "(name=Chris Dent)" -Inherited | Format-Table

Get-DsAcl

Function Get-DSACL {
  # Function to list permissions assigned to objects in Active Directory
  # This function reports on organizationalUnits within the domain by default.

  Param(
    $SearchRoot = ([ADSI]"LDAP://RootDSE").Get("defaultNamingContext"),
    $ObjectType = "organizationalUnit",
    $LdapFilter = "(&(objectClass=$ObjectType)(objectCategory=$ObjectType))",
    [Switch]$Inherited = $False
  )

  # Set the output field separator (default is " ")
  $OFS = "\"

  # Connect to RootDSE
  $RootDSE = [ADSI]"LDAP://RootDSE"
  # Connect to the Schema
  $Schema = [ADSI]"LDAP://$($RootDSE.Get('schemaNamingContext'))"
  # Connect to the Extended Rights container
  $Configuration = $RootDSE.Get("configurationNamingContext")
  $ExtendedRights = [ADSI]"LDAP://CN=Extended-Rights,$Configuration"

  # Find objects based on $SearchRoot and $ObjectType
  $Searcher = New-Object DirectoryServices.DirectorySearcher(`
    [ADSI]"LDAP://$SearchRoot", `
    $LdapFilter)

  $Searcher.FindAll() | %{
    $Object = $_.GetDirectoryEntry()

    # Retrieve all Access Control Entries from the AD Object
    $ACL = $Object.PsBase.ObjectSecurity.GetAccessRules(`
      $True, `
      $Inherited, `
      [Security.Principal.NTAccount])

    # Get interesting values
    $ACL | Select-Object @{n='Name';e={ $Object.Get("name") }}, `
      @{n='DN';e={ $Object.Get("distinguishedName") }}, `
      @{n='ObjectClass';e={ $Object.Class }}, `
      @{n='SecurityPrincipal';e={ $_.IdentityReference.ToString() }}, `
      @{n='AccessType';e={ $_.AccessControlType }}, `
      @{n='Permissions';e={ $_.ActiveDirectoryRights }}, `
      @{n='AppliesTo';e={
        #
        # Change the values for InheritanceType to friendly names
        #
        Switch ($_.InheritanceType) {
          "None"            { "This object only" }
          "Descendents"     { "All child objects" }
          "SelfAndChildren" { "This object and one level Of child objects" }
          "Children"        { "One level of child objects" }
          "All"             { "This object and all child objects" }
        } }}, `
      @{n='AppliesToObjectType';e={
        If ($_.InheritedObjectType.ToString() -NotMatch "0{8}.*") {
          #
          # Search for the Object Type in the Schema
          #
          $LdapFilter = `
            "(SchemaIDGUID=\$($_.InheritedObjectType.ToByteArray() | `
            %{ '{0:X2}' -f $_ }))"
          $Result = (New-Object DirectoryServices.DirectorySearcher(`
            $Schema, $LdapFilter)).FindOne()
          $Result.Properties["ldapdisplayname"]
        } Else { "All" } }}, `
      @{n='AppliesToProperty';e={
        If ($_.ObjectType.ToString() -NotMatch "0{8}.*") {
          #
          # Search for a possible Extended-Right or Property Set
          #
          $LdapFilter = "(rightsGuid=$($_.ObjectType.ToString()))"
          $Result = (New-Object DirectoryServices.DirectorySearcher(`
            $ExtendedRights, $LdapFilter)).FindOne()
          If ($Result) {
            $Result.Properties["displayname"]
          } Else {
            #
            # Search for the attribute name in the Schema
            #
            $LdapFilter = "(SchemaIDGUID=\$($_.ObjectType.ToByteArray() | `
              %{ '{0:X2}' -f $_ }))"
            $Result = (New-Object DirectoryServices.DirectorySearcher(`
              $Schema, $LdapFilter)).FindOne()
            $Result.Properties["ldapdisplayname"]
          }
        } Else { "All" } }}, `
      @{n='Inherited';e={ $_.IsInherited }}
  }
}

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Function Get-SendToPermissions {
  Param(
    [String]$Identity,
    [String]$SearchRoot = $Null,
    [String]$LDAPFilter = "(objectCategory=group)",
    [Switch]$GC
  )

  If ($GC) { $Port = "GC" } else { $Port = "LDAP" }
  If ($SearchRoot) { $SearchRoot = [ADSI]"$Port://$SearchRoot" }

  $Properties = @("name", "distinguishedName", "dLMemSubmitPerms", `
    "dLMemRejectPerms", "authOrig", "unauthOrig", "msExchRequireAuthToSendTo")

  $Searcher = New-Object `
    DirectoryServices.DirectorySearcher($SearchRoot, $LDAPFilter)
  $Searcher.PageSize = 1000
  $Searcher.PropertiesToLoad.AddRange($Properties)

  $Searcher.FindAll() | %{
    $_ | Select-Object `
      @{n='Name';e={ $_.Properties['name'] }}, `
      @{n='DN';e={ $_.Properties['distinguishedname'] }}, `
      @{n='RequireAuthToSendTo';e={
        If ($_.Properties['msexchrequireauthtosendto']) {
          $True
        } Else {
          $False
        } }}, `
      @{n='AcceptFromMembersOfGroup';e={ $_.Properties['dlmemsubmitperms'] }}, `
      @{n='RejectFromMembersOfGroup';e={ $_.Properties['dlmemrejectperms'] }}, `
      @{n='AcceptFromUsers';e={ $_.Properties['authorig'] }}, `
      @{n='RejectFromUsers';e={ $_.Properties['unauthorig'] }}
  }
End Function

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Date attributes

This LDAP Filter format can be used for the following attributes:

• createTimeStamp
• dsCorePropagationData
• expirationTime
• modifyTimeStamp
• whenChanged
• whenCreated

VbScript

' The date the filter is supposed to find
dtmDate = Now() - 1

arrDateParts = Array("yyyy", "m", "d", "h", "n", "s")

For Each strInterval in arrDateParts
  intDatePart = DatePart(strInterval, dtmDate)
  If intDatePart < 10 Then
    strDateTime = strDateTime & "0" & intDatePart
  Else
    strDateTime = strDateTime & intDatePart
  End If
Next
strDateTime = strDateTime & ".0Z"

' WhenCreated is after strDateTime. i.e. objects created since strDateTime.
WScript.Echo "(whenCreated>=" & strDateTime & ")"

This will produce a filter like “(whenCreated>=20090826110816.0Z)”. Accuracy is based on the source date, using Date() instead of Now() would result in accuracy to a day (e.g. “(whenCreated>=20090826000000.0Z)”).

PowerShell

# Convert yesterday to a Universal date-time string
$DateString = (Get-Date).AddDays(-1).ToString("u") -Replace "-|:|\s"
$DateString = $DateString -Replace "Z", ".0Z"

Write-Host "(whenCreated>=$DateString)"

As with the VbScript version this returns a string accurate to seconds. Accuracy can be modified by using (Get-Date).Date.AddDays(-1).

Interger8 attributes

An Interger8 date is represented by the number of 100-nanosecond intervals since the Microsoft epoch (01/01/1601 00:00:00). This format applies to the following attributes:

• accountExpires
• badPasswordTime
• lastLogon
• lastLogonTimeStamp
• lockoutTime
• pwdLastSet

Note that lastLogoff also uses this format but the value for the attribute is not maintained by Active Directory.

VbScript

' The number of days to remove from the current date
Const DAYS_TO_REMOVE = 1

dblInt8 = CDbl(DateDiff("s", CDate("01/01/1601 00:00:00"), Now - DAYS_TO_REMOVE))
' Earlier than the current date. i.e. Passwords set before the generated date
WScript.Echo "(&(pwdLastSet<=" & CStr(dblInt8) & "0000000)(!pwdLastSet=0))"

This produces a filter like “(&(pwdLastSet<=128957595350000000)(!pwdLastSet=0))". As with the previous filter this is accurate to seconds, that can be modified by changing the source date in the same way as before.

PowerShell

$DaysToRemove = 1
$Int8Date = [Math]::Round(( `
  New-TimeSpan $(Get-Date("01/01/1601 00:00:00")) `
  ((Get-Date).AddDays(-$DaysToRemove))).TotalSeconds, 0)

$Int8Date = "$($Int8Date.ToString())0000000"

$LdapFilter = "(&(pwdLastSet<=$Int8Date)(!pwdLastSet=0))"

accountExpires

Certain attributes, such as accountExpires, have default values that can make filtering using a date string difficult.

The following LDAP filter can be used to return all accounts that are set to expire.

"(accountExpires<=9223372032559810000)(!accountExpires=0))"

Where 9223372032559810000 is the default attribute value in most cases, and 0 is the default in the rest.

accountExpires exhibits inconsistent behaviour depending on how it is accessed. If using iADSUser.AccountExpirationDate an account that does not expire is denoted by the date “01/01/1970 00:00:00″. This epoch date differs from the epoch used with the underlying attribute, “01/01/1601 00:00:00″.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Const ADS_SCOPE_SUBTREE = 2

' Trust Type
' http://msdn.microsoft.com/en-us/library/cc223771(PROT.10).aspx
Dim objTrustTypes
Set objTrustTypes = CreateObject("Scripting.Dictionary")
objTrustTypes.Add 4, "DCE"
objTrustTypes.Add 3, "MIT"
objTrustTypes.Add 2, "UpLevel"
objTrustTypes.Add 1, "DownLevel"

' Trust Attributes
' http://msdn.microsoft.com/en-us/library/cc223779(PROT.10).aspx
Dim objTrustAttributes
Set objTrustAttributes = CreateObject("Scripting.Dictionary")
objTrustAttributes.Add 128, "UsesRC4Encryption"
objTrustAttributes.Add 64, "TreatAsExternal"
objTrustAttributes.Add 32, "WithinForest"
objTrustAttributes.Add 16, "CrossOrganisation"
objTrustAttributes.Add 8, "ForestTransitive"
objTrustAttributes.Add 4, "QuarantinedDomain"
objTrustAttributes.Add 2, "UpLevelOnly"
objTrustAttributes.Add 1, "NonTransitive"

' Trust Direction
' http://msdn.microsoft.com/en-us/library/cc223768(PROT.10).aspx
Dim objTrustDirection
Set objTrustDirection = CreateObject("Scripting.Dictionary")
objTrustDirection.Add 3, "BiDirectional"
objTrustDirection.Add 2, "Outbound"
objTrustDirection.Add 1, "Inbound"
objTrustDirection.Add 0, "Disabled"

Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Dim objCommand : Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

Dim objRootDSE : Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = "SELECT distinguishedName, name, trustType, " & _
  "trustAttributes, trustDirection, trustPartner, whenCreated " & _
  "FROM 'GC://" & objRootDSE.Get("rootDomainNamingContext") & _
  "' WHERE objectClass='trustedDomain'"

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Dim objRecordSet : Set objRecordSet = objCommand.Execute

While Not objRecordSet.EOF
  WScript.Echo "Trusted Domain: " & objRecordSet.Fields("name").Value
  WScript.Echo "Trust Type: " & _
    objTrustTypes(objRecordSet.Fields("trustType").Value)

  Dim dblFlag
  Dim strFlags : strFlags = ""
  For Each dblFlag in objTrustAttributes
    If objRecordSet.Fields("trustAttributes").Value And dblFlag Then
      strFlags = strFlags & objTrustAttributes(dblFlag) & " "
    End If
  Next
  WScript.Echo "Trust Attributes: " & strFlags

  WScript.Echo "Trust Direction: " & _
    objTrustDirection(objRecordSet.Fields("trustDirection").Value)
  WScript.Echo "Trust Partner: " & objRecordSet.Fields("trustPartner").Value
  WScript.Echo "Distinguished Name: " & _
    objRecordSet.Fields("distinguishedName").Value
  WScript.Echo "Created: " & objRecordSet.Fields("whenCreated").Value

  objRecordSet.MoveNext
Wend

objConnection.Close

Usage example

In the past I have used the script above to monitor trust settings across a forest. The following script uses the trust information to build a text file storing trust configuration sends an e-mail if that configuration changes.

Option Explicit

' Script to get trusts, compare with stored configuration and notify if changed

Sub ShowUsage
  Dim strUsage
  strUsage = "Usage:" & vbCrLf & vbCrLf & _
    WScript.ScriptName & _
    " /Command:[Update | Notify] [/MailServer:<serverName>] " & _
    "[/Recipient:<address>]" & vbCrLf & vbCrLf & _
    "Arguments:" & vbCrLf & vbCrLf & _
    "    Command      Update - Updates the contents of the text " & _
    "file with data from the global catalog" & vbCrLf & _
    "                 Notify - Notifies the recipient using mailserver " & _
    "if the trust data changes" & vbCrLf & _
    "    MailServer   Server used to send mail. Default: localhost" & vbCrLf & _
    "    Recipient    Email address of person or group to notify" & vbCrLf

  WScript.Echo strUsage
  WScript.Quit
End Sub

Function GetTrusts
  ' Returns a Scripting.Dictionary object containing details of the Trust
  ' Format:
  ' Key: DistinguishedName
  ' Data: Array(
  '           Trusted Domain,
  '           Type,
  '           Attributes,
  '           Direction,
  '           Partner,
  '           Created,
  '           Changed )

  Const ADS_SCOPE_SUBTREE = 2

  ' Trust Type
  ' http://msdn.microsoft.com/en-us/library/cc223771(PROT.10).aspx
  Dim objTrustTypes
  Set objTrustTypes = CreateObject("Scripting.Dictionary")
  objTrustTypes.Add 4, "DCE"
  objTrustTypes.Add 3, "MIT"
  objTrustTypes.Add 2, "UpLevel"
  objTrustTypes.Add 1, "DownLevel"

  ' Trust Attributes
  ' http://msdn.microsoft.com/en-us/library/cc223779(PROT.10).aspx
  Dim objTrustAttributes
  Set objTrustAttributes = CreateObject("Scripting.Dictionary")
  objTrustAttributes.Add 128, "UsesRC4Encryption"
  objTrustAttributes.Add 64, "TreatAsExternal"
  objTrustAttributes.Add 32, "WithinForest"
  objTrustAttributes.Add 16, "CrossOrganisation"
  objTrustAttributes.Add 8, "ForestTransitive"
  objTrustAttributes.Add 4, "QuarantinedDomain"
  objTrustAttributes.Add 2, "UpLevelOnly"
  objTrustAttributes.Add 1, "NonTransitive"

  ' Trust Direction
  ' http://msdn.microsoft.com/en-us/library/cc223768(PROT.10).aspx
  Dim objTrustDirection
  Set objTrustDirection = CreateObject("Scripting.Dictionary")
  objTrustDirection.Add 3, "BiDirectional"
  objTrustDirection.Add 2, "Outbound"
  objTrustDirection.Add 1, "Inbound"
  objTrustDirection.Add 0, "Disabled"

  Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")
  objConnection.Provider = "ADsDSOObject"
  objConnection.Open "Active Directory Provider"

  Dim objCommand : Set objCommand = CreateObject("ADODB.Command")
  objCommand.ActiveConnection = objConnection

  Dim objRootDSE : Set objRootDSE = GetObject("LDAP://RootDSE")
  objCommand.CommandText = "SELECT distinguishedName, name, " & _
    "trustType, trustAttributes, trustDirection, trustPartner, " & _
    "whenCreated, whenChanged " & _
    "FROM 'GC://" & objRootDSE.Get("rootDomainNamingContext") & _
    "' WHERE objectClass='trustedDomain'"

  objCommand.Properties("Page Size") = 1000
  objCommand.Properties("Timeout") = 600
  objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
  objCommand.Properties("Cache Results") = False

  Dim objRecordSet : Set objRecordSet = objCommand.Execute

  Dim objTrusts : Set objTrusts = CreateObject("Scripting.Dictionary")

  While Not objRecordSet.EOF
    Dim dblFlag
    Dim strAttributes : strAttributes = ""
    For Each dblFlag in objTrustAttributes
      If objRecordSet.Fields("trustAttributes").Value And dblFlag Then
        strAttributes = strAttributes & objTrustAttributes(dblFlag) & " "
      End If
    Next

    objTrusts.Add objRecordSet.Fields("distinguishedName").Valuem, Array( _
      objRecordSet.Fields("name").Value, _
      objTrustTypes(objRecordSet.Fields("trustType").Value), _
      strAttributes, _
      objTrustDirection(objRecordSet.Fields("trustDirection").Value), _
      objRecordSet.Fields("trustPartner").Value, _
      objRecordSet.Fields("whenCreated").Value, _
      objRecordSet.Fields("whenChanged").Value)

    objRecordSet.MoveNext
  Wend

  objConnection.Close

  Set objRecordSet = Nothing
  Set objCommand = Nothing
  Set objConnection = Nothing

  Set GetTrusts = objTrusts
End Function

Sub SendMail(strRecipient, strBody, strMailServer)

  Set objMail = CreateObject("CDO.Message")
  objMail.Subject = "Trust monitor"

  objMail.From = strRecipient
  objMail.To = strRecipient

  objMail.TextBody = strBody

  objMail.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
  objMail.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = _
    strMailServer
  objMail.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25

  objMail.Configuration.Fields.Update
  objMail.Send
End Sub

'
' Main Code
'

Dim objFileSystem
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Dim objFile

Dim objTrusts : Set objTrusts = GetTrusts

If LCase(WScript.Arguments.Named("command")) = "update" Then
  Set objFile = objFileSystem.OpenTextFile("Trusts.txt", 2, True, 0)

  Dim strDN
  For Each strDN in objTrusts
    objFile.WriteLine strDN & vbTab & Join(objTrusts(strDN), vbTab)
  Next

ElseIf LCase(WScript.Arguments.Named("command")) = "notify" Then

  strRecipient = WScript.Arguments.Named("recipient")

  If strRecipient = "" Then
    WScript.Echo "ERROR: No recipient defined"
    ShowUsage
  End If

  strMailServer = WScript.Arguments.Named("mailserver")

  If strMailServer = "" Then
    strMailServer = "localhost"
  End If

  If objFileSystem.FileExists("Trusts.txt") Then
    Set objFile = objFileSystem.OpenTextFile("Trusts.txt", 1, False, 0)

    Dim objTrustsInFile
    Set objTrustsInFile = CreateObject("Scripting.Dictionary")

    Dim arrTrustData()
    Do While Not objFile.AtEndOfStream
      Dim arrTrustInFile : arrTrustInFile = Split(objFile.ReadLine, vbTab)

      ReDim arrTrustData(0)
      Dim i
      For i = 1 to UBound(arrTrustInFile)
        ReDim Preserve arrTrustData(i - 1)
        arrTrustData(i - 1) = arrTrustInFile(i)
      Next

      objTrustsInFile.Add arrTrustInFile(0), arrTrustData
    Loop
  End If

  Dim strTrust

  ' Comparison - Check for new Trusts

  Dim objNewTrusts : Set objNewTrusts = CreateObject("Scripting.Dictionary")

  For Each strTrust in objTrusts
    If Not objTrustsInFile.Exists(strTrust) Then
      objNewTrusts.Add strTrust, objTrusts(strTrust)
    End If
  Next

  ' Comparison - Check for removed Trusts

  Dim objRemovedTrusts
  Set objRemovedTrusts = CreateObject("Scripting.Dictionary")

  For Each strTrust in objTrustsInFile
    If Not objTrusts.Exists(strTrust) Then
      objRemovedTrusts.Add strTrust, objTrustsInFile(strTrust)
    End If
  Next

  ' Data: Array(
  '           Trusted Domain,
  '           Type,
  '           Attributes,
  '           Direction,
  '           Partner,
  '           Created,
  '           Changed )

  Dim strMessageBody
  Dim booNotify : booNotify = False
  If objNewTrusts.Count > 0 Then
    booNotify = True
    strMessageBody = "New Trusts:" & vbCrLf & vbCrLf
    For Each strTrust in objNewTrusts
      strMessageBody = strMessageBody & "DN: " & strTrust & vbCrLf & _
        "Trusted Domain: " & objNewTrusts(strTrust)(0) & vbCrLf & _
        "Type: " & objNewTrusts(strTrust)(1) & vbCrLf & _
        "Attributes: " & objNewTrusts(strTrust)(2) & vbCrLf & _
        "Direction: " & objNewTrusts(strTrust)(3) & vbCrLf & _
        "Partner: " & objNewTrusts(strTrust)(4) & vbCrLf & _
        "Created: " & objNewTrusts(strTrust)(5) & vbCrLf & _
        "Changed: " & objNewTrusts(strTrust)(6) & vbCrLf & vbCrLf
    Next
  End If
  If objRemovedTrusts.Count > 0 Then
    booNotify = True
    For Each strTrust in objRemovedTrusts
      strMessageBody = strMessageBody & "DN: " & strTrust & vbCrLf & _
        "Trusted Domain: " & objRemovedTrusts(strTrust)(0) & vbCrLf & _
        "Type: " & objRemovedTrusts(strTrust)(1) & vbCrLf & _
        "Attributes: " & objRemovedTrusts(strTrust)(2) & vbCrLf & _
        "Direction: " & objRemovedTrusts(strTrust)(3) & vbCrLf & _
        "Partner: " & objRemovedTrusts(strTrust)(4) & vbCrLf & _
        "Created: " & objRemovedTrusts(strTrust)(5) & vbCrLf & _
        "Changed: " & objRemovedTrusts(strTrust)(6) & vbCrLf & vbCrLf
    Next
  End If
  If booNotify = True Then
    strMessageBody = strMessageBody & _
      "If these trusts are correct please run " & _
      WScript.ScriptName & " /Command:Update"

    SendMail strRecipient, strMessageBody, strMailServer
  End If
Else

  ShowUsage

End If

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Michael Smith has a very pretty PowerShell script which uses the structures below, and a few more, to convert the DnsRecord attribute into a human readable format on his blog, Michael’s meanderings….

Update 02/02/2010: In December 2009, Microsoft released a (not entirely accurate) protocol specification including details of dnsRecord and dnsProperty: MS-DNSP.pdf

About the mapped structure

The map created below for DNSRecord is incomplete, the remaining values seem to defy testing. While the map below is probably accurate I reserve the right to be wrong. Despite that, the structures can be used to manually construct or decode DNSRecords via LDAP rather than using the GUI, dnscmd or WMI. Edit: The map is now complete.

About DNSRecord

The dnsRecord attribute appears on dnsNode objects. The dnsRecord attribute is multi-valued. This means that each node can contain more than one record. This is most obvious for the node representing “same as parent folder” which will hold the NS records and SOA records as a minimum.

Structures: DNSRecord

The DNSRecord attribute is composed of the fields described in the table below.

These values produce the following binary array.

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                 RDATA LENGTH                  |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      TYPE                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                  UNKNOWN (1)                  |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                 UPDATEDATSERIAL               |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      TTL                      |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                  UNKNOWN (2)                  |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                   TIMESTAMP                   |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
    /                     RDATA                     /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Unknown 1 is a difficult value to interpret. It may contain several separate fields, however as none appear easy to decipher they were left as a single block in the map. Testing shows that “unknown 1″ has the following values:

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |           5           |     AdvRecordType     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |           0           |           0           |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Edit: The structure of Unknown 1 is as follows.

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |        VERSION        |     AdvRecordType     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     FLAGS                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Modifying the first byte to any (decimal) value other than 5 will cause the record to vanish from the DNS system. It will remain in the directory, but appears to render it useless. Edit: 5 is the Version number and is a static value.

The second byte, termed AdvRecordType, appears to have a number of possible values. Experimentation shows that Root Hints have the value set to decimal 8, out-of-zone records (normally Glue for NS Records) have 128, delegations within a zone have 130 and everything else has 240. A larger data set than I have available is required to draw conclusions other than those.

Edit: The values for AdvRecordType, referred to as Rank in the documentation above are represented by this Enumeration.

public enum RankFlag : uint
{
  // The record came from the cache.
  CacheBit = 1,
  // The record is a preconfigured root hint.
  RootHint = 8,
  // This value is not used.
  OutsideGlue = 32,
  // The record was cached from the additional section of a
  // nonauthoritative response.
  CacheNAAdditional = 49,
  // The record was cached from the authority section of a
  // nonauthoritative response.
  CacheNAAuthority = 65,
  // The record was cached from the additional section of an
  // authoritative response.
  CacheAAdditional = 81,
  // The record was cached from the answer section of a
  // nonauthoritative response.
  CacheNAAnswer = 97,
  // The record was cached from the authority section of an
  // authoritative response.
  CacheAAuthority = 113,
  // The record is a glue record in an authoritative zone.
  Glue = 128,
  // The record is a delegation (type NS) record in an
  // authoritative zone.
  NSGlue = 130,
  // The record was cached from the answer section of an
  // authoritative response.
  CacheAAnswer = 193,
  // The record comes from an authoritative zone.
  Zone = 240
 }

The final two bytes appear to be set to 0 in all instances. Edit: Referred to as Flags, the value must be 0.

Edit: Unknown 2 is reserved for future use and should be set to 0 in all cases.

Structures: RDATA

Each of the structures below is a minimal representation of the record data, the structures show single-label names. In each case the “Label Length” and “Data” structures repeat where multiple labels are used, this also applies to “Responsible Person” in the SOA record.

A

The RDATA block for the A record is a static 4 byte (32 bit) field. Each byte represents an octet in the IP address.

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     DATA                      |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

CNAME and NS

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |         LENGTH        |   NUMBER OF LABELS    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |      LABEL LENGTH     |                       |
    |--+--+--+--+--+--+--+--+                       |
    /                     DATA                      /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

MX

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    PRIORITY                   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |         LENGTH        |   NUMBER OF LABELS    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |      LABEL LENGTH     |                       |
    |--+--+--+--+--+--+--+--+                       |
    /                     DATA                      /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

SOA

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     SERIAL                    |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    REFRESH                    |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     RETRY                     |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    EXPIRE                     |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                  MINIMUM TTL                  |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |         LENGTH        |   NUMBER OF LABELS    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |      LABEL LENGTH     |                       |
    +--+--+--+--+--+--+--+--+                       |
    /                     DATA                      /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |         LENGTH        |   NUMBER OF LABELS    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |      LABEL LENGTH     |                       |
    |--+--+--+--+--+--+--+--+                       |
    /               RESPONSIBLE PERSON              /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

SRV

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    PRIORITY                   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     WEIGHT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      PORT                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |         LENGTH        |   NUMBER OF LABELS    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |      LABEL LENGTH     |                       |
    |--+--+--+--+--+--+--+--+                       |
    /                     DATA                      /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

TXT

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |      LENGTH           |                       |
    |--+--+--+--+--+--+--+--+                       |
    /                     DATA                      /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

The differences

The following table notes the differences in property names between Exchange 2003 and Exchange 2007.

In addition to these the MailboxGuid attribute is formatted slightly differently. The MailboxGuid is enclosed in curly braces, {}, these are stripped in the code (or added when a search is being performed using a GUID)

No formatting is applied to the output. The output from this function can be made to look like the Exchange 2007 version of Get-MailboxStatistics by using Format-Table.

Get-2003MailboxStatistics | Format-Table MailboxDisplayName, TotalItems, `
  StorageLimitStatus, LastLogonTime

This is the code for the function, it is not as flexible as the Exchange 2007 version with regard to pipelines, but it should accept simple input and work in much the same way otherwise.

Usage examples

# With a Mailbox Display Name
Get-2003MailboxStatistics "Chris Dent"
# With a Legacy Exchange DN ("-Identity" itself is optional)
Get-2003MailboxStatistics -Identity "/O=SomeOrg/OU=AdminGroup/CN=RECIPIENTS/CN=Someone"
# For a single Mailbox Database
Get-2003MailboxStatistics -Database "Mailbox Database"
# For a different server
Get-2003MailboxStatistics -Server "ExchangeServer02"

Get-MailboxStatistics for Exchange 2003

Function Get-2003MailboxStatistics {
  Param(
     [String]$Identity = "",
     [String]$Server = $Env:ComputerName,
     [String]$Database = ""
  )

  $Filter = "ServerName='$Server'"
  if ($Database -ne "" ) {
    $Filter = "$Filter AND StoreName='$Database'"
  }
  if ($Identity -ne "") {
    $Filter = "$Filter AND (MailboxGuid='{$Identity}' OR LegacyDN='$Identity'"
    $Filter = "$Filter OR MailboxDisplayName='$Identity')"
  }

  Get-WMIObject -ComputerName $Server `
    -Namespace "root/MicrosoftExchangeV2" -Class "Exchange_Mailbox" `
    -Filter $Filter | `
  Select-Object `
    AssocContentCount, `
    @{n='DateDiscoveredAbsentInDs';e={
      If ($_.DateDiscoveredAbsentInDs -ne $Null) {
        [Management.ManagementDateTimeConverter]::ToDateTime(`
          $_.DateDiscoveredAbsentInDs)
      }} }, `
    MailboxDisplayName, TotalItems, LastLoggedOnUserAccount, `
    @{n='LastLogonTime';e={ if ($_.LastLogonTime -ne $Null) { `
      [Management.ManagementDateTimeConverter]::ToDateTime($_.LastLogonTime)}}
    }, `
    @{n='LastLogoffTime';e={ if ($_.LastLogoffTime -ne $Null) { `
      [Management.ManagementDateTimeConverter]::ToDateTime($_.LastLogoffTime)}}
    }, `
    LegacyDN, `
    @{n='MailboxGuid';e={
      ([String]$_.MailboxGuid).ToLower() -Replace "\{|\}" }}, `
    @{n='ObjectClass';e={ "Mailbox" }}, `
    @{n='StorageLimitStatus';e={ `
      Switch ($_.StorageLimitInfo) {
        1 { "BelowLimit" }
        2 { "IssueWarning" }
        4 { "ProhibitSend" }
        8 { "NoChecking" }
        16 { "MailboxDisabled" } }} }, `
    DeletedMessageSize, Size, `
    @{n='Database';e={
      "$($_.ServerName)\$($_.StorageGroupName)\$($_.StoreName)" }}, `
    ServerName, StorageGroupName, StoreName, `
    @{n='Identity';e={ ([String]$_.MailboxGuid).ToLower() -Replace "\{|\}" }}
}

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Custom Group Policy Template

The first thing to note about the custom policy is that it is an Unmanaged Policy. That means that any setting change will not revert if the policy is set to Disabled or Not Configured. The setting would have to be manually reversed or removed.

The second thing to note is that Unmanaged Policies are not displayed by default. After adding this template select the Administrative Templates folder under User Configuration, then View and Filtering. Remove the tick from “Show only policy settings that can be fully managed”. The policy will appear with a red icon instead of the regular blue icon.

This is a template that can be used to set the wallpaper on a client. It must be saved as a Administrative Template (.adm) file and manually added into a policy.

CLASS USER

CATEGORY "Desktop"
  CATEGORY "Custom Policies"

    KEYNAME "Control Panel\Desktop"

    POLICY "Desktop Wallpaper"

      EXPLAIN !!ExplainText

      PART !!WallpaperPathText EDITTEXT REQUIRED
        VALUENAME "Wallpaper"
      END PART

      PART !!WallpaperStyleText DROPDOWNLIST
        VALUENAME "WallpaperStyle"

        ITEMLIST
          NAME "Centre" VALUE NUMERIC 0 DEFAULT
          NAME "Stretch" VALUE NUMERIC 2
        END ITEMLIST
      END PART

      PART !!TileWallpaperText DROPDOWNLIST
        VALUENAME "TileWallpaper"

        ITEMLIST
          NAME "No" VALUE NUMERIC 0 DEFAULT
          NAME "Yes" VALUE NUMERIC 1
        END ITEMLIST
      END PART

    END POLICY

  END CATEGORY
END CATEGORY

[Strings]
ExplainText="Specifies the desktop background (wallpaper) displayed on all users' desktops.\n\nThe wallpaper image must be in bitmap (bmp) format.\n\nTo use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.bmp or a UNC path, such as \\Server\Share\Corp.bmp. If the specified file is not available when the user logs on, no wallpaper is displayed. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched.\n\nTo set wallpaper to Centre Tile must be disabled. To set wallpaper to Tiled both Centre and Tiled must be selected."
WallpaperPathText="Full UNC or path to Bitmap (bmp) file:"
WallpaperStyleText="Centre or Stretch Wallpaper:"
TileWallpaperText="Tile Wallpaper (if centre is selected):"

VbScript

Alternatively, the same registry entries can be set using VbScript. This has the potential to be more flexible depending on the environment. It will run under a standard user, no need to grant extra rights on the PC.

Option Explicit

' Network and local locations for the wallpaper file.
' Must be BMP for the screen refresh to work
Const WALLPAPER_SOURCE = "\\server01\netlogon\Wallpaper.bmp"

Sub SetWallpaper
  ' Copies and sets the client wallpaper

  Const REG_HKCU = &H80000001

  Dim objShell, objFileSystem, objFile, objRegistry
  Dim strWallpaperDestination, strKeyPath, strCommand

  ' Get the current user profile so we can copy the wallpaper there.
  Set objShell = CreateObject("WScript.Shell")
  strWallpaperDestination = objShell.ExpandEnvironmentStrings("%USERPROFILE%")

  ' Get the wallpaper file from the source
  Set objFileSystem = CreateObject("Scripting.FileSystemObject")
  Set objFile = objFileSystem.GetFile(WALLPAPER_SOURCE)

  ' Update the destination path to include the file name
  strWallpaperDestination = strWallpaperDestination & "\" & objFile.Name
  objFile.Copy strWallpaperDestination, True
  Set objFileSystem = Nothing

  ' Connect to the Registry on the local machine
  Set objRegistry = GetObject("winmgmts:\\.\root\default:StdRegProv")

  ' Set the values for the Wallpaper
  strKeyPath = "Control Panel\Desktop"
  objRegistry.SetStringValue REG_HKCU, strKeyPath, "Wallpaper", _
    strWallpaperDestination

  ' Set the Position to Stretch
  objRegistry.SetStringValue REG_HKCU, strKeyPath, "TileWallpaper", "0"
  objRegistry.SetStringValue REG_HKCU, strKeyPath, "WallpaperStyle", "2"
  Set objRegistry = Nothing

  ' Update the system settings (refresh)
  strCommand = "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"
  objShell.Run strCommand, 1, True
  Set objShell = Nothing
End Sub

SetWallpaper

Random wallpaper with VbScript

I once had to deploy one of a selection of wallpapers to client computers on a network. It had to change (or at least attempt to change) each time the user logged on. This snippet uses the Randomize function in VbScript to generate a random number and pick a random file.

Option Explicit

Sub SetWallpaper
  ' Copies and sets the client wallpaper

  Const REG_HKCU = &H80000001

  Dim objShell, objFileSystem, objFile, objRegistry
  Dim strWallpaperSource, strWallpaperDestination, strKeyPath, strCommand

  ' Get the current user profile so we can copy the wallpaper there.
  Set objShell = CreateObject("WScript.Shell")
  strWallpaperDestination = objShell.ExpandEnvironmentStrings("%USERPROFILE%")

  ' Get the source path
  strWallpaperSource = RandomizeWallpaper

  ' Get the wallpaper file from the source
  Set objFileSystem = CreateObject("Scripting.FileSystemObject")
  Set objFile = objFileSystem.GetFile(strWallpaperSource)

  ' Update the destination path to include the file name
  strWallpaperDestination = strWallpaperDestination & "\" & objFile.Name
  objFile.Copy strWallpaperDestination, True
  Set objFileSystem = Nothing

  ' Connect to the Registry on the local machine
  Set objRegistry = GetObject("winmgmts:\\.\root\default:StdRegProv")

  ' Set the values for the Wallpaper
  strKeyPath = "Control Panel\Desktop"
  objRegistry.SetStringValue REG_HKCU, strKeyPath, "Wallpaper", strWallpaperDestination

  ' Set the Position to Stretch
  objRegistry.SetStringValue REG_HKCU, strKeyPath, "TileWallpaper", "0"
  objRegistry.SetStringValue REG_HKCU, strKeyPath, "WallpaperStyle", "2"
  Set objRegistry = Nothing

  ' Update the system settings (refresh)
  strCommand = "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"
  objShell.Run strCommand, 1, True
  Set objShell = Nothing
End Sub

Function RandomizeWallpaper
  Dim objShell, objFolder, objSubFolder, objFile
  Dim  strLogonServer
  Dim arrWallpaper()
  Dim i

  ' Get the current user profile so we can copy the wallpaper there.
  Set objShell = CreateObject("WScript.Shell")
  strLogonServer = objShell.ExpandEnvironmentStrings("%LOGONSERVER%")
  Set objShell = Nothing

  Set objFolder = objFileSystem.GetFolder(strLogonServer & "\NetLogon\Wallpaper")
  i = 0

  ' Get all the files beneath the folder
  For Each objFile in objFolder.Files
    ReDim Preserve arrWallpaper(i)
    arrWallpaper(i) = objFile.Path
    i = i + 1
  Next
  Randomize()

  ' Choose a random file
  i = Int(UBound(arrWallpaper) * Rnd())
  RandomizeWallpaper = arrWallpaper(i)
End Function

SetWallpaper

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

VbScript: Getting the OU for a user

Set objUser = GetObject( _
  "LDAP://CN=Chris Dent,OU=Somewhere,DC=internal,DC=highorbit,DC=co,DC=uk")
strParent = objUser.Parent

WScript.Echo strParent

In VbScript the value returned is a string, to get the name of the OU either connect to the object then get the name attribute or parse the name out of the string (Split, or Mid, etc). The example below shows connecting to the parent object and echoing the name.

Set objParent = GetObject(strParent)
WScript.Echo objParent.Get("name")

PowerShell: Getting the OU for a user

$DN = "CN=Chris Dent,OU=Somewhere,DC=internal,DC=highorbit,DC=co,DC=uk"
$User = [ADSI]"LDAP://$DN"
$Parent = $User.PSBase.Parent

PowerShell is a little different, the returned value is a DirectoryEntry, that means we can directly access any other property or attribute without connecting again.

$DN = "CN=Chris Dent,OU=Somewhere,DC=internal,DC=highorbit,DC=co,DC=uk"
$User = [ADSI]"LDAP://$DN"
$Name = ($User.PSBase.Parent).Name

Example: Getting the OU for all members of a group

These examples assume that the group path is known, no searches are involved.

VbScript

Set objGroup = GetObject( _
  "LDAP://CN=Domain Admins,CN=Users,DC=internal,DC=highorbit,DC=co,DC=uk")

Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.OpenTextFile( _
  objGroup.Get("name") & " - Members.txt", 2, True, 0)

For Each objMember in objGroup.Members
  objFile.WriteLine objMember.Get("sAMAccountName") & VbTab & _
    objMember.Get("cn") & VbTab & _
    objMember.Parent
Next

Set objFile = Nothing
Set objFileSystem = Nothing

Set objGroup = Nothing

PowerShell

The note above about Parent returning a DirectoryEntry does not apply if using the Members method in PowerShell. The object returned is a COM Object and will not work in quite the same way. This is the equivalent of the VbScript above.

$DN = "CN=Domain Admins,CN=Users,DC=internal,DC=highorbit,DC=co,DC=uk"
$Group = [ADSI]"LDAP://$DN"
$Group.PSBase.Invoke("Members") `
  | Select-Object `
    @{n="sAMAccountName";e={
      $_.GetType().InvokeMember("sAMAccountName", "GetProperty", `
        $Null, $_, $Null)}}, `
    @{n="CN";e={
      $_.GetType().InvokeMember("cn", "GetProperty", `
        $Null, $_, $Null)}}, `
    @{n="Parent";e={
      $_.GetType().InvokeMember("parent", "GetProperty", `
        $Null, $_, $Null)}}

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.