PowerShell for Windows Admins

December 14, 2016  5:38 AM

Active Directory Schema Versions

Richard Siddaway
Active Directory, Powershell

With the release of Windows Server 2016 it's time to update my schema versions script:

# Bind to the schema of the current forest
$sch = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
$de = $sch.GetDirectoryEntry()
# Map the schema container's ObjectVersion to the Windows Server release
switch ($de.ObjectVersion) {
    13{"{0,25} " -f "Schema Version $($de.ObjectVersion) = Windows 2000"; break}
    30{"{0,25} " -f "Schema Version $($de.ObjectVersion) = Windows 2003"; break}
    31{"{0,25} " -f "Schema Version $($de.ObjectVersion) = Windows 2003 R2"; break}
    44{"{0,25} " -f "Schema Version $($de.ObjectVersion) = Windows 2008"; break}
    47{"{0,25} " -f "Schema Version $($de.ObjectVersion) = Windows 2008 R2"; break}
    56{"{0,25} " -f "Schema Version $($de.ObjectVersion) = Windows 2012"; break}
    69{"{0,25} " -f "Schema Version $($de.ObjectVersion) = Windows 2012 R2"; break}
    87{"{0,25} " -f "Schema Version $($de.ObjectVersion) = Windows 2016"; break}
    default{"{0,25} {1,2} " -f "Unknown Schema Version", $($de.ObjectVersion); break}
}

The script calls the static GetCurrentSchema method on System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema, derives a directory entry from the result, and uses its ObjectVersion property to determine the corresponding Windows Server version.

November 30, 2016  3:52 PM

Conference–time to book


Registration is open for the PowerShell Summit (USA) and PowerShell Conference (Europe). Now is an excellent time to decide which one you’re going to attend next year. If you’re serious about PowerShell you should be at one of these events.

PowerShell Summit – https://eventloom.com/event/home/summit2017

PowerShell Conference – http://www.psconf.eu/

November 18, 2016  6:55 AM

PowerShell finally the de facto shell

Powershell, Windows 10

After 10 years PowerShell has become the de facto shell for Windows!

Windows Insider Preview build 14971 released yesterday uses PowerShell instead of cmd.exe as the default shell in Start Menu or File Explorer.

See https://blogs.windows.com/windowsexperience/2016/11/17/announcing-windows-10-insider-preview-build-14971-for-pc/#66Smq5KicvsTBzld.97 for this and other new features.

November 18, 2016  5:14 AM

Changing the samAccountName

Active Directory, Powershell

I was recently asked how the samAccountName – also referred to as the login id – could be changed.

First let's look at an account:
PS C:\Scripts> Get-ADUser -Identity 'FredFox'

DistinguishedName : CN=FOX Fred,OU=UserAccounts,DC=Manticore,DC=org
Enabled           : True
GivenName         :
Name              : FOX Fred
ObjectClass       : user
ObjectGUID        : db5a3975-980d-4749-b9c0-48aff9217b2a
SamAccountName    : FredFox
SID               : S-1-5-21-759617655-3516038109-1479587680-1314
Surname           :
UserPrincipalName : FredFox@manticore.org

Once you’ve confirmed you have the correct account, pipe it into Set-ADUser and use the -SamAccountName parameter:

PS C:\Scripts> Get-ADUser -Identity 'FredFox' | Set-ADUser -SamAccountName 'foxfred' -PassThru
DistinguishedName : CN=FOX Fred,OU=UserAccounts,DC=Manticore,DC=org
Enabled           : True
GivenName         :
Name              : FOX Fred
ObjectClass       : user
ObjectGUID        : db5a3975-980d-4749-b9c0-48aff9217b2a
SamAccountName    : foxfred
SID               : S-1-5-21-759617655-3516038109-1479587680-1314
Surname           :
UserPrincipalName : FredFox@manticore.org

I used the -PassThru parameter so the new account details are shown. Note that the User Principal Name (UPN) isn’t changed. Use the -UserPrincipalName parameter as well if you need to change the UPN at the same time.
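The rename above wrapped in a function that checks for a name collision first and can move the UPN prefix in the same call. This is an added example, not code from the original post; the function name Rename-ADLogonName, its parameters and the allowed character set are assumptions.

```powershell
# Added example, not from the original post; needs the ActiveDirectory module.
# Rename-ADLogonName and its parameters are hypothetical names.
function Rename-ADLogonName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        # Conservative character set (an assumption of this example); the
        # 20-character cap is the samAccountName limit for user objects.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
        [string] $NewSamAccountName,
        [switch] $UpdateUpn
    )

    $user = Get-ADUser -Identity $Identity -ErrorAction Stop

    # samAccountName must be unique in the domain, so check before writing.
    $clash = Get-ADUser -Filter "SamAccountName -eq '$NewSamAccountName'"
    if ($clash -and $clash.ObjectGUID -ne $user.ObjectGUID) {
        throw "samAccountName '$NewSamAccountName' already belongs to $($clash.DistinguishedName)"
    }

    $change = @{ SamAccountName = $NewSamAccountName }
    if ($UpdateUpn) {
        if (-not $user.UserPrincipalName) { throw "$Identity has no UPN to update" }
        # Keep the existing UPN suffix and replace only the prefix.
        $suffix = ($user.UserPrincipalName -split '@')[-1]
        $newUpn = "$NewSamAccountName@$suffix"
        $upnClash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'"
        if ($upnClash -and $upnClash.ObjectGUID -ne $user.ObjectGUID) {
            throw "UPN '$newUpn' is already in use"
        }
        $change.UserPrincipalName = $newUpn
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set logon name to $NewSamAccountName")) {
        # Pipe the object fetched above so the change lands on that exact account.
        $user | Set-ADUser @change -PassThru
    }
}

# Preview the change from the post (FredFox -> foxfred) without writing to AD:
Rename-ADLogonName -Identity 'FredFox' -NewSamAccountName 'foxfred' -UpdateUpn -WhatIf
```

The SID and ObjectGUID stay the same across the rename, as the two outputs above show, so group memberships and ACLs that reference the account are unaffected.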

November 17, 2016  10:16 AM

New PowerShell console on Server Core

Powershell, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Server Core is great for reducing the footprint of your VMs – Nano Server is smaller but it can’t be a domain controller.

One drawback to Server Core is that you only get a single console. If you hang that for any reason you have to either try and open another one (Hyper-V console greys out CTRL-DEL-ALT) or open a few when you log on to the machine.

You still get a cmd.exe console instead of PowerShell – that should be changed. It's 10 years since PowerShell came along! So run powershell to open PowerShell in the default console.

"Start-Process -FilePath powershell.exe -Verb RunAs" > new-powershell.ps1

This creates a simple script that opens a new elevated PowerShell console.

Run it as many times as you want. Perform your work in the new PowerShell console and if it hangs – just shut it down. Keep the default console for just opening new PowerShell consoles and then you’ll always be able to keep working.

November 17, 2016  8:18 AM

Creating test accounts in Active Directory

Active Directory, Powershell

There’s often a need to create test accounts in AD. You may want to create a set of test accounts or if you have a demo/test lab you may need accounts in that. Creating the names for the accounts is a pain unless you go down the test1, test2 etc route.

One way to get real-looking names is to use a couple of loops like this:

# First names (the list is not shown on the page; add your own)
$fnames = @()

# Last names (the list is not shown on the page; add your own)
$lnames = @()

$secpass = Read-Host -Prompt 'Password' -AsSecureString
$ou = "OU=UserAccounts,DC=Manticore,DC=org"

# Join every first name with every last name
foreach ($fname in $fnames){
  foreach ($lname in $lnames){
    $name = $lname.ToUpper() + " $fname"
    $sam = "$fname$lname"
    $upn = "$sam@manticore.org"

    New-ADUser -Name $name -SamAccountName $sam -UserPrincipalName $upn -AccountPassword $secpass -Path $ou -Enabled $true
  }
}

First create an array of first names and another array of last names.

Get a secure string for the password – I’m using the same password for all as it's my demo/test environment.

Set the OU you want the accounts in.

Iterate over the set of first names and in that loop iterate over the last names. Within the inner loop create the name, samAccountName and UPN and call New-ADUser.

You end up with a set of new accounts where every first name is joined with every last name to create accounts. Names look a bit samey but for a demo environment it works. Also, it saves you having to think up individual names.

I’ve used 10 names in each of the first and last name arrays so end up with 100 new accounts.
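A variant of the loop that can be re-run safely: it builds the list of accounts first, enforces the 20-character samAccountName limit for user objects, stops if truncation produces duplicates, and skips accounts that already exist. This is an added example, not the author's script; the name lists are constructed sample data and New-TestAccountPlan is a hypothetical helper.

```powershell
# Added example, not from the original post; needs the ActiveDirectory module.
# The names are constructed sample data, not the author's lists.
$fnames  = 'Alice', 'Bob', 'Carol'
$lnames  = 'Green', 'Brown', 'Featherstonehaugh'
$ou      = 'OU=UserAccounts,DC=Manticore,DC=org'   # OU and domain from the post
$secpass = Read-Host -Prompt 'Password' -AsSecureString

# Hypothetical helper: build the account list without touching AD.
function New-TestAccountPlan {
    param([string[]]$First, [string[]]$Last, [string]$UpnSuffix)
    foreach ($f in $First) {
        foreach ($l in $Last) {
            # Strip anything but letters and digits, then apply the 20-character cap.
            $sam = "$f$l" -replace '[^A-Za-z0-9]', ''
            if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }
            [pscustomobject]@{
                Name = "$($l.ToUpper()) $f"
                Sam  = $sam
                Upn  = "$sam@$UpnSuffix"
            }
        }
    }
}

$plan = New-TestAccountPlan -First $fnames -Last $lnames -UpnSuffix 'manticore.org'

# Truncation can make two names collide; fail before creating anything.
$dupes = $plan | Group-Object -Property Sam | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate samAccountName after truncation: $($dupes.Name -join ', ')" }

foreach ($acct in $plan) {
    # Skip accounts left over from an earlier run instead of erroring out.
    if (Get-ADUser -Filter "SamAccountName -eq '$($acct.Sam)'") {
        Write-Warning "Skipping $($acct.Sam): account already exists"
        continue
    }
    # -WhatIf previews each creation; remove it to create the accounts.
    New-ADUser -Name $acct.Name -SamAccountName $acct.Sam -UserPrincipalName $acct.Upn `
        -AccountPassword $secpass -Path $ou -Enabled $true -WhatIf
}
```

Because every account shares one known password and is enabled on creation, keep this to an isolated lab domain, which is the setting the post describes.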

November 16, 2016  11:22 AM

Exploring PowerShell automation

Books, Powershell

My PowerShell books have all been published by Manning. A while back they asked me to put together a selection of extracts that show the depth and breadth of PowerShell. It's now available – for free – https://www.manning.com/books/exploring-powershell-automation

The book highlights PowerShell remoting and administering SQL Server, IIS and Active Directory through PowerShell. These are core skills these days and the book will give you a good introduction to these areas.

November 15, 2016  12:48 PM

PowerShell 10 year anniversary videos


Yesterday was the PowerShell 10 year anniversary event – broadcast live on Channel 9.

The session recordings are available


November 11, 2016  11:29 AM

Hyper-V book

book, Hyper-V

I’ve been working with Andy Syrewicze on Learn Hyper-V in a Month of Lunches.

It's now available in Manning’s Early Access program (MEAP) https://www.manning.com/books/learn-hyper-v-in-a-month-of-lunches

Until 14 November 2016 you can get the MEAP for half price using code mlsyrewicze

November 5, 2016  10:59 AM

Creating a new AD forest

Active Directory, Powershell, Windows Server 2016

As I’ve completely rebuilt my demo/lab machine I need to re-create the Active Directory.

This is now so simple, even on a Server Core machine.

First install the roles and features needed:

Add-WindowsFeature -Name AD-Domain-Services, RSAT-AD-PowerShell, DNS, RSAT-DNS-Server, DHCP, RSAT-DHCP

This adds AD, DNS, DHCP and the appropriate admin tools – as it's Server Core we’re really talking about the relevant PowerShell modules.

Installing AD just gets you ready – it doesn’t create the forest.

You get the ADDSDeployment module:

PS C:\Scripts> Get-Command -Module ADDSDeployment


To create the forest and the first domain controller:

PS C:\Scripts> Install-ADDSForest -DomainName 'Manticore.org' -ForestMode Default -DomainMode Default -InstallDns
SafeModeAdministratorPassword: ********

You’ll be asked to confirm the safe mode password.

Default for forest and domain mode matches the Windows version:

PS C:\Users\Administrator> Get-ADForest
ApplicationPartitions : {}
CrossForestReferences : {}
DomainNamingMaster    : W16DC01.Manticore.org
Domains               : {Manticore.org}
ForestMode            : Windows2016Forest
GlobalCatalogs        : {W16DC01.Manticore.org}
Name                  : Manticore.org
PartitionsContainer   : CN=Partitions,CN=Configuration,DC=Manticore,DC=org
RootDomain            : Manticore.org
SchemaMaster          : W16DC01.Manticore.org
Sites                 : {Default-First-Site-Name}
SPNSuffixes           : {}
UPNSuffixes           : {}


PS C:\Users\Administrator> Get-ADDomain
AllowedDNSSuffixes                 : {}
ChildDomains                       : {}
ComputersContainer                 : CN=Computers,DC=Manticore,DC=org
DeletedObjectsContainer            : CN=Deleted Objects,DC=Manticore,DC=org
DistinguishedName                  : DC=Manticore,DC=org
DNSRoot                            : Manticore.org
DomainControllersContainer         : OU=Domain Controllers,DC=Manticore,DC=org
DomainMode                         : Windows2016Domain
DomainSID                          : S-1-5-21-759617655-3516038109-1479587680
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=Manticore,DC=org
Forest                             : Manticore.org
InfrastructureMaster               : W16DC01.Manticore.org
LastLogonReplicationInterval       :
LinkedGroupPolicyObjects           : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Manticore,DC=o
LostAndFoundContainer              : CN=LostAndFound,DC=Manticore,DC=org
ManagedBy                          :
Name                               : Manticore
NetBIOSName                        : MANTICORE
ObjectClass                        : domainDNS
ObjectGUID                         : 05d9aa61-d422-4728-9595-77754934b948
ParentDomain                       :
PDCEmulator                        : W16DC01.Manticore.org
PublicKeyRequiredPasswordRolling   : True
QuotasContainer                    : CN=NTDS Quotas,DC=Manticore,DC=org
ReadOnlyReplicaDirectoryServers    : {}
ReplicaDirectoryServers            : {W16DC01.Manticore.org}
RIDMaster                          : W16DC01.Manticore.org
SubordinateReferences              : {CN=Configuration,DC=Manticore,DC=org}
SystemsContainer                   : CN=System,DC=Manticore,DC=org
UsersContainer                     : CN=Users,DC=Manticore,DC=org
