Archive | PowerShell

I wanted to run a command on all machines in an OU. I know this documented all over the place, but this is the syntax I like:

foreach ($COMPUTER in $(Get-ADComputer -Filter * -Searchbase 'OU=SubOU,OU=TopLevelOU,DC=DOMAIN,DC=LOCAL')){
  write-host "Connecting to $($COMPUTER.Name)"
  Invoke-Command $COMPUTER.Name {ipconfig /renew}
}

I am interested in using Active Setup more throughout our environment. The thing I like about Active Setup is that if I screw up, it will only run once and not over and over! Kidding, but the “run one” nature of Active Setup is nice. I wanted a PowerShell function to create Active Setup registry entries, so I can script the updates on multiple machine. Here is that function:

Function JBMURPHY-AddToActiveSetup {
  Param([parameter(Mandatory = $true)]$ActiveSetupUniqueName,
	[parameter(Mandatory = $true)]$ActiveSetupStubPath,
	[parameter(Mandatory = $true)]$ActiveSetupVersion)
  $ParentKey="HKLM:Software\Microsoft\Active Setup\Installed Components"
  $Key=$ParentKey + "\" + $ActiveSetupUniqueName
  # Check for key
  if (!(Test-Path $Key)){
    New-Item -type Directory $($ParentKey + "\" + $ActiveSetupUniqueName)
  }
  else {
    write-host "Key exists"
  }
  Set-ItemProperty $($Key) -name "StubPath" -value $ActiveSetupStubPath
  Set-ItemProperty $($Key) -name "Version" -value $ActiveSetupVersion
}

I made an error. More like an incorrect assumption in this post, specifically this code.:

Function JBMURPHY-AD-GetHomeSite {
Param($username=$(cat env:username))
foreach ($group in "OfficeGroup1","OfficeGroup2","OfficeGroup3") {
    foreach ($user in $(Get-ADGroupMember $group)){
    if ($user.SamAccountName -eq $username) {return $group}
    }
}
}

My incorrect assumption was that the AD PowerShell components were installed on every machine (they are only my machine). I needed to rewire this code above to use ADSI, since Get-ADGroupMember is not on everyone’s machine. Below is that code:

Function JBMURPHY-AD-GetHomeSite {
Param($username=$($env:USERNAME))
$groups=([AdsiSearcher]"samaccountname=$username").Findone().properties.memberof | % {([adsi]"LDAP://$_").cn}
foreach ($officegroup in "OfficeGroup2","OfficeGroup2","OfficeGroup3") {
    foreach ($group in $groups){
    if ($group -eq $officegroup) {return $group}
    }
}
}

I wanted a function that I could pass some text, and it would put that text in a dialog box for the user to click okay. Simple, but I will reuse it I am sure.

Function JBMURPHY-DisplayWindowsForm(){
Param([parameter(Mandatory = $true)]$TextToDisplay,
$Title="DefaultTitle")
		[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing") 
		[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
		$objForm = New-Object System.Windows.Forms.Form 
		$objForm.Text = $Title
		$objForm.Size = New-Object System.Drawing.Size(600,500) 
		$objForm.StartPosition = "CenterScreen"
		$OKButton = New-Object System.Windows.Forms.Button
		$OKButton.Location = New-Object System.Drawing.Size(250,400)
		$OKButton.Size = New-Object System.Drawing.Size(75,23)
		$OKButton.Text = "OK"
		$OKButton.Add_Click({$x=$objTextBox.Text;$objForm.Close()})
		$objForm.Controls.Add($OKButton)
		$objLabel = New-Object System.Windows.Forms.Label
		$objLabel.Location = New-Object System.Drawing.Size(10,20) 
		$objLabel.Size = New-Object System.Drawing.Size(500,400) 
		$objLabel.Text = $TextToDisplay
		$objForm.Controls.Add($objLabel) 
		$objForm.Topmost = $True
		$objForm.Add_Shown({$objForm.Activate()})
		[void] $objForm.ShowDialog()
}

If you have users in distribution groups associated with each site in your organization, it should be easy to tell if a user is visiting from another office (more on why I want to do this later). First function returns the current site that the user is logging into:

Function JBMURPHY-AD-GetCurrentSite {
return [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().name
}

The second function loops through all “office groups” and if a user is in that office, it returns the group name

Function JBMURPHY-AD-GetHomeSite {
Param($username=$(cat env:username))
foreach ($group in "OfficeGroup1","OfficeGroup2","OfficeGroup3") {
	foreach ($user in $(Get-ADGroupMember $group)){
	if ($user.SamAccountName -eq $username) {return $group}
	}
}
}

Simple I know, but I want to put these together to do some custom startup activity (maybe via “Active Startup”)

In my previous post, I showed how to create a new ACL and apply it to a folder. Why apply it to the folder if the folder is already set correctly? I wrote the following function to compare the ACLs of a folder to a desired set of ACLs (either created by hand (lines 3-12) or copied from an existing folder (lines 12-15).

function JBMURPHY-PERMS-ArePermsCorrect {
        Param([parameter(Mandatory = $true)]$Path,
              [parameter(Mandatory = $true)]$CorrectACL,
              [switch]$ShowCorrect)

    $folderACLs=get-acl(get-item $Path)
    if ((compare-object $($folderACLs.access) $($CorrectACL.access) -property FileSystemRights,IdentityReference,InheritanceFlags,PropagationFlags).count -gt 0) {
    Write-host "$PATH is INCORRECT"
    return $false
    }
    else {
    if ($ShowCorrect.IsPresent){write-host "$PATH is correct"}
    return $true
    }
}

If the compare-object command returns nothing, then they are the same, if they are not the same then the items returned will be greater than 0, and the first part of the conditional will be used.

In my previous post, I used PowerShell to change the permissions of a top level folder. In that script, I took the folder in question and copied the inherited permissions to it, and then I tinkered it to be what I wanted. I wanted to do something similar, but I wanted a set of permission that differed from the parent. Basically I wanted the folder to have unique permissions. Below is the function to do that:

function JBMURPHY-PERMS-ClientsFolderReBase {
    Param([parameter(Mandatory = $true)]$Path)
    $correctACLs = New-Object System.Security.AccessControl.DirectorySecurity
    $correctACLs.SetAccessRuleProtection($true,$true)
    $Rule_Admin = New-Object Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators",@("FullControl"),"ContainerInherit, ObjectInherit","None","Allow")
    $Rule_System = New-Object Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM",@("FullControl"),"ContainerInherit, ObjectInherit","None","Allow")
    $Rule_Users1 = New-Object Security.AccessControl.FileSystemAccessRule("BUILTIN\Users",@("ReadAndExecute", "Synchronize"),"None","None","Allow")
    $Rule_Users2 = New-Object Security.AccessControl.FileSystemAccessRule("BUILTIN\Users",@("Modify, Synchronize"),"ContainerInherit, ObjectInherit","InheritOnly","Allow")
    $correctACLs.AddAccessRule($Rule_Admin)
    $correctACLs.AddAccessRule($Rule_System)
    $correctACLs.AddAccessRule($Rule_Users1)
    $correctACLs.AddAccessRule($Rule_Users2)
    write-host "Changing $Path"
    set-acl $path $correctACLs
}

In line 3 I create a new ACl, and in line 4, I set the cal to not inherit parent permissions.

Lines 4-8 are the specific permissions I want to apply (they are addressing the same issue I described here)

Lines 9-12 add the new perms to the new ACL, and line 14 set the ACL of the folder to the new ACL.

A little different want o go about this, as I created an ACL from the start.

I just figured this out late last night. I was pulling my hair out. If you look at the following PowerShell code

($MyArray=1,2,3,4,5) | foreach-object {
write-host $_
if ($_ -eq 3 ){return}
}

You get a result of:
1
2
3
4
5

Next, if you look at this code (the only real difference being the lack of a pipe.)

foreach ($item in ($MyArray=1,2,3,4,5)) {
write-host $item
if ($item -eq 3 ){return}
}

You get:
1
2
3

That stumped me. Why would they not produce the same thing? Then I ran across this thread. The replier said

I think because ForEach-Object processes each item in the pipeline, but the foreach statement processes the collection as a whole.

This led me to this page, and specifically this quote clears it up for me (kinda):

 . . . [the object] it is sent into the pipeline and execution continues in the next section of the pipeline.  . . . the foreach alias gets executed and the object is run through the process script block of ForEach-Object.  Once the process script block completes, the object is discarded and the next object is [sent] . . .

In summary, last night I learned that when using a pipeline, the first item is passed to the script block, the script block is run, and then the next item is passed to the script block, and so on.

That sound correct? Can you come up with a better description?