PowerShell for Windows Admins

August 26, 2013  2:37 PM

Get-ADUser and -Properties

Richard Siddaway

The Get-ADUser cmdlet returns a small subset of properties by default:

PS> Get-ADUser -Identity Richard

DistinguishedName : CN=Richard,CN=Users,DC=Manticore,DC=org
Enabled : True
GivenName : Richard
Name : Richard
ObjectClass : user
ObjectGUID : b94a5255-28d0-4f91-ae0f-4c853ab92520
SamAccountName : Richard
SID : S-1-5-21-3881460461-1879668979-35955009-1104
Surname :
UserPrincipalName : Richard@Manticore.org

You can use the -Properties parameter to return more properties:

Get-ADUser -Identity Richard -Properties *

returns all properties.

You can select a subset of properties by specifying their names:

Get-ADUser -Identity Richard -Properties MemberOf, Country

If you want to use wildcards you need to use select:

Get-ADUser -Identity Richard -Properties * | select last*

August 26, 2013  1:40 PM

String Concatenation revisited

Richard Siddaway

There are a few ways to concatenate (join together) strings in PowerShell.

The obvious way is to use the concatenation operator +

£> $a = "Hello"
£> $b = "World"
£> $a + " " + $b
Hello World

You can use string substitution:

£> $a = "Hello"
£> $b = "World"
£> "$a $b"
Hello World

but remember that only works when you are using double quotes. Single quotes give you

£> '$a $b'
$a $b

You can also use the format operator -f

£> $a = "Hello"
£> $b = "World"
£> "{0} {1}" -f $a, $b
Hello World

One final method is to put your strings into the elements of an array and use the -join operator

£> $d = @()
£> $d += "Hello"
£> $d += "World"
£> $d
£> $d -join " "
Hello World

Which one should you use? Simple: whatever works best to solve your problem.

PowerShell often supplies multiple options to solve a problem. Use whichever you are most comfortable with and is the easiest to use in the context of the problem you are trying to solve.

August 14, 2013  1:17 PM

PowerShell 4 available in October

Richard Siddaway

Microsoft has announced that Windows 2012 R2, System Center 2012 R2 and Windows 8.1 will be generally available on October 18. The important point is that Windows 2012 R2 & Windows 8.1 bring PowerShell v4.


If the pattern of previous releases is followed they will be available earlier through MSDN.

Pity it couldn’t have been 8 days earlier – would have made a nice birthday present.

August 13, 2013  2:41 PM

PowerShell Jump start pt 2

Richard Siddaway

The second part of the PowerShell jump start – Tools and Scripting – was broadcast on 1 August.

The recordings are now available from


The first set of recordings are still available at


I even get a mention.

August 13, 2013  2:35 PM

AD Management in a Month of Lunches–chapter 16 MEAP

Richard Siddaway

The next chapter of AD Management in a Month of Lunches has been released to MEAP.


Chapter 16 deals with Sites and Subnets.


August 13, 2013  2:30 PM

Finding the typo

Richard Siddaway

A project I’m working on involves 1000s of lines of code, across numerous modules and folders. When I make changes, like everyone else, I sometimes mistype a command. When your system throws an error and it’s nested several levels deep in your code and you’re not sure where it is – who you going to call?

Unfortunately, Ghostbusters can’t help you. But PowerShell can help. I’d typed [swtch] instead of [switch]. There is a nice easy way to find the spelling mistake. Open a PowerShell prompt in the top folder and run

Get-ChildItem -Recurse -File | Select-String -Pattern "[swtch]" -SimpleMatch

You will get the file and line number containing the typo. Simple. The -SimpleMatch switch makes Select-String treat the pattern as literal text; without it, [swtch] would be interpreted as a regular expression character class that matches any single one of those letters.

August 12, 2013  3:38 PM

More prompts

Richard Siddaway

In this post http://msmvps.com/blogs/richardsiddaway/archive/2013/07/21/fun-with-prompts.aspx I showed some of the things you can do to change the prompt in PowerShell. I now use £> as my prompt.

What I hadn’t realised is that there is a PowerShell help file:

get-help about_Prompts

It builds on the information in my post, including information on how the prompt changes when you enter a remote session.

August 12, 2013  1:48 PM

Active Directory Cookbook 4th Ed

Richard Siddaway

The Active Directory Cookbook (O’Reilly ISBN: 978-1-449-36142-6) has been a constant resource for me since the first edition covering Windows 2003. I plundered the book for a lot of my early forays in scripting AD. The cookbook supplied answers using as many as possible of the GUI tools, command line tools and scripts.

In those days VBScript was the language we had to use, though a couple of scripts in other languages crept into the book. The third edition, covering Windows 2008, finally brought PowerShell into the book. VBScript was still the predominant scripting language. The GUI and command line tools are still present. The PowerShell scripts were written using either the Quest AD cmdlets or by scripting using the .NET classes and the [adsi] & [adsisearcher] accelerators.

The fourth edition covers Windows 2012. PowerShell is now the standard scripting language – using the Microsoft cmdlets where possible and the appropriate .NET classes to fill in the gaps. VBScript is more or less removed. The command line tools and the GUI options still remain.

The book runs to 830 pages, which is a decrease from the third edition, but it appears that is mainly due to the removal of the wordy VBScript examples.

The book covers the whole range of AD activity – users, groups, OUs, domain & forests, trusts, domain controllers, computers, GPO, schema, sites, replication, DNS (the new DNS cmdlets in Windows 2012 are showcased), security, logging, backup, AD LDS, ADFS, Exchange 2013 and FIM.

With over 465 recipes in the cookbook it covers most of the situations you are likely to meet.

A few minor cautions are needed. Firstly, the individual recipes are just that: individual. If you want to create a user – you get an example. If you want to add a user to a group – you get an example. If you want to create a user and add it to a group, you need to work out how to combine the two scripts.

Secondly, the PowerShell examples aren’t always as good as they could be. They work and will get the job done but don’t always conform to best practice.

Thirdly, you need to learn PowerShell somewhere else. This book won’t teach you and to be fair it doesn’t and shouldn’t try. The cookbook is a domain specific resource.

For the next edition I would recommend dropping the command line tools where there is a PowerShell option. Those tools will eventually disappear. Use PowerShell so you can integrate all of your Windows automation work.

This is a book that I still refer to – even if it’s just to check some odd AD related fact – and expect to continue to refer to as long as I’m automating AD administration tasks. I can’t recommend this book enough. Get yourself a copy – you won’t regret it.

August 11, 2013  3:33 PM

Time Spans

Richard Siddaway

I’ve been using Search-ADAccount a lot recently. One of the options is to input a timespan to determine how far back in time to search, e.g. for accounts that have been inactive for 90 days.

The cmdlet takes a string that can be turned into a timespan. If you look at the documentation the data type is a Timespan.

To search for accounts that have been inactive for 90 days:

Search-ADAccount -AccountInactive -TimeSpan "90:00:00:00"

Alternatively, if you can’t remember the timespan structure:

Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90)
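
The inactive-account search above, combined with the named -Properties list from the Get-ADUser post, makes a stale-account report for access reviews. This is an added example, not code from the original posts; the function name Get-StaleUserReport and its parameters are hypothetical, and it assumes the ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the original post).
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-StaleUserReport {
    [CmdletBinding()]
    param(
        # Inactivity threshold in days; 90 mirrors the post
        [ValidateRange(1, 3650)]
        [int]$Days = 90,

        # Optional OU distinguished name to limit the search (hypothetical parameter)
        [string]$SearchBase
    )

    $searchArgs = @{
        AccountInactive = $true
        TimeSpan        = New-TimeSpan -Days $Days
        UsersOnly       = $true
    }
    if ($SearchBase) { $searchArgs.SearchBase = $SearchBase }

    # Enabled accounts that nobody uses are the ones worth reviewing first
    Search-ADAccount @searchArgs |
        Where-Object Enabled |
        ForEach-Object {
            # Request only the extra properties the report needs instead of -Properties *
            $user = Get-ADUser -Identity $_.DistinguishedName `
                -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, MemberOf

            [pscustomobject]@{
                SamAccountName       = $user.SamAccountName
                LastLogonDate        = $user.LastLogonDate      # may be empty if never set
                PasswordLastSet      = $user.PasswordLastSet
                PasswordNeverExpires = $user.PasswordNeverExpires
                GroupCount           = $user.MemberOf.Count     # direct memberships only
                DistinguishedName    = $user.DistinguishedName
            }
        } |
        Sort-Object LastLogonDate
}

# LastLogonDate is the converted lastLogonTimestamp attribute, which by default
# replicates with a lag of up to about 14 days, so results near the threshold are approximate.
Get-StaleUserReport -Days 90 | Format-Table -AutoSize
```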

August 11, 2013  1:56 PM

WMI and Trusts

Richard Siddaway

When you install AD on a machine you get the MicrosoftActiveDirectory WMI namespace as well. This namespace was deprecated in Windows 2012 but while it is still available there are a few useful things we can do with it. Even with my fondness for WMI I’m not suggesting moving to using WMI wholesale for AD admin, but one of the more useful things is testing a trust’s status.

PS> Get-CimInstance -ClassName Microsoft_DomainTrustStatus -Namespace root\MicrosoftActiveDirectory |
select Flatname, Trust*

Flatname : SPHINX
TrustAttributes : 8
TrustDirection : 3
TrustedDCName :
TrustedDomain : sphinx.org
TrustIsOk : False
TrustStatus : 1355
TrustStatusString : The specified domain either does not exist or could not be contacted.
TrustType : 2

The error messages are because the VM hosting the remote domain is switched off. If you want a quick test of your trust status this is a good way.
