
Posts

Showing posts with the label powershell

Exchange DAG Failover Report - CollectOverMetrics.ps1

Below is my quick command that requires no customization to run on any installation:

    Get-DatabaseAvailabilityGroup |%{ .\CollectOverMetrics.ps1 -DatabaseAvailabilityGroup "$($_.name)" -StartTime ((get-date).AddDays(-365)) -EndTime ((get-date)) -MergeCSVFiles}

Note that this script is located in the "Scripts" directory of your Exchange v15 installation.

Who broke my GPO's? User GPOs no longer applying.

I stumbled on this gem today. Basically, if you use Security Filtering on a User GPO, it may not work any more due to Microsoft patch MS16-072, which was released on June 14, 2016. See https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/ This is an excellent article and explains it very well.

This Microsoft patch changes the way that GPOs are processed. In summary: After applying the appropriate patch to your systems, User group policies are retrieved from SYSVOL differently than before. Prior to the update, domain joined computers used the user’s security context to make the connection and retrieve the policies. After the update is applied, domain joined computers will now retrieve all policies using the computer security context.

What this means is that if you have used Security Filtering on a GPO with User scope, and you do not have "Authenticated Users" in the list of delegates with Read permissions, you need to add "...
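
A read-only audit for the condition described above, as an added example that is not from the original post or the linked article: it lists GPOs with user settings enabled that have no permission entry at all for Authenticated Users. The function name `Get-GpoWithoutAuthUsersRead` is hypothetical, and the GroupPolicy module (RSAT) is assumed to be installed.

```powershell
Import-Module GroupPolicy

$authUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users

function Get-GpoWithoutAuthUsersRead {
    foreach ($gpo in Get-GPO -All) {
        # Skip GPOs whose user half is switched off; they cannot carry user policy.
        if ($gpo.GpoStatus -in 'UserSettingsDisabled', 'AllSettingsDisabled') { continue }

        # Every delegation entry on the GPO, whatever its permission level.
        $perms = Get-GPPermission -Guid $gpo.Id -All
        $sids  = $perms | ForEach-Object { $_.Trustee.Sid.Value }

        # Any entry for Authenticated Users (Read or Apply) includes Read.
        if ($sids -contains $authUsersSid) { continue }

        # Candidate: security filtered, and Authenticated Users was removed.
        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            AppliesTo   = ($perms |
                              Where-Object { $_.Permission -eq 'GpoApply' } |
                              ForEach-Object { $_.Trustee.Name }) -join '; '
        }
    }
}

Get-GpoWithoutAuthUsersRead | Sort-Object DisplayName | Format-Table -AutoSize
```

The output is a list of candidates to review: a GPO that holds only computer settings but has both halves enabled will also appear.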

Use Splatting, Proxy, and Metadata in Powershell

Splatting is the ability to use a dictionary or a list to supply parameters to a command. Example:

    $MailMessage = @{
        To = "me@mycompany.com"
        From = "me@mycompany.com"
        Subject = "Hi"
        Body = "Hello"
        Smtpserver = "smtphost"
        ErrorAction = "SilentlyContinue"
    }
    Send-MailMessage @MailMessage

Proxy commands are wrappers of existing commands in Windows PowerShell, and to make this possible, a number of different things had to be enabled in the language that can have interesting other uses.

Metadata provides information about the command and parameters of different commands, and provides a structure that you can use to "write" a command without typing out the whole script.

https://blogs.technet.microsoft.com/heyscriptingguy/2010/10/18/use-splatting-to-simplify-your-powershell-scripts/

Active Directory Last Logon. Lots of confusion

I am sure that everyone who administers AD runs into this problem at some point. Here is an article that thoroughly lays it all out: http://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

The summary of this article is that if you want to find out the TRUE last logon activity for a user, it is best to use the command:

    Search-ADAccount -AccountInactive -DateTime ((get-date).adddays(-90)) -UsersOnly

If you are ONLY interested in dates that are more than 14 days ago, then you can safely use the "LASTLOGONDATE" attribute. For anything more recent than 14 days, you cannot trust this attribute. You must get fancy and query all of the DCs individually.

Fix Trust Relationship if a simple Computer password reset is required

http://blog.blksthl.com/2013/03/18/fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/

This is dead simple, but if you were not aware, you do not necessarily need to rejoin the domain if the trust relationship with AD is broken. Resetting the computer password is all that is needed.

Steps using PowerShell:

1) Log in locally to the server
2) Run the PowerShell command (the values in angle brackets are placeholders):
    Reset-ComputerMachinePassword -Server <DomainController> -Credential <Domain\AdminUser>
3) Restart-Computer

Migrating Public Folders Exchange 2007 to 2013

There are lots of great blogs out there on how to do the overall migration of Public folders from previous versions of Exchange to 2013, but few of them detailed how to deal with a few choice issues that I encountered in a recent migration that I performed.

For a good, detailed checklist of how to do the migration, see any of the following:

    http://exchangeserverpro.com/exchange-server-2010-2013-migration-moving-public-folders/
    http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-4-step-by-step-exchange-2007-to-2013-migration.aspx
    http://www.msexchange.org/articles-tutorials/exchange-server-2013/migration-deployment/migrating-public-folders-exchange-2013-part1.html

My migration was for 50,000 folders, and about 130GB of data. The issues that I ran into were (but not limited to):

    Needing a System Attendant mailbox on each server hosting Public Folders
    Spaces at the end of the names of fold...

Export/Import OU's from Active Directory to LAB

This is quick and dirty, but it works. Here is a simple script to export and then import the OU structure from one AD to another, such as when you want to create a lab from a production AD.

To export the Prod OUs to a CSV, enter the following command:

    Get-ADOrganizationalUnit -Filter *|select name,@{n="Path";E={($_.DistinguishedName).replace("OU="+$_.name+",","") }} | ConvertTo-Csv -NoTypeInformation |out-file -FilePath Prod-OUS-4-Import.csv

Next, edit the domain name in the CSV to change it to the new domain. Also, clean up the file to remove any OUs that are out of scope.

Third, run the following script using the CSV to import the names and Path of the OUs:

    # Command Line Parameters
    Param(
        [Parameter(Mandatory=$false,HelpMessage='CSV File')][string]$Inputfile=".\Prod-OUS-4-Import.csv"
    )
    import-module activedirectory
    # Read in data
    $OUS = import-csv $InputFile
    $ous |ft -a  #validate data on screen
    # get current ...

Examining GPO Health

I was recently asked to evaluate an Active Directory environment to determine its health, specifically relating to GPOs and how they were being used. I discovered that the number and configuration of the OUs, GPOs, and contents were a clear indication that the administration of GPOs was not well understood by the committee of people who were managing them, and that there were clearly problems being self-inflicted due to these issues.

The question, however, was how can we quickly assess whether the management of GPOs was in trouble, and also how can we quantify the issue? The first thing to understand is that there are Recommended Best Practices from Microsoft for how to manage GPOs. See https://technet.microsoft.com/en-us/library/cc785903(v=ws.10).aspx

But how to quantify these subjective suggestions? First, "Minimize the Use of the Block Policy Inheritance Feature". You can determine the number of OU's that have Blocked Policy Inhe...

Querying Event Logs using XML

I have been working for a little while on creating tools for an administrator to be able to manage an Active Directory for Least Privileges Principles, and to secure AD Access. Specifically here, I will be talking about configuring Monitoring and Alerts for suspicious behavior in the administration of Active Directory.

The first activity to monitor and to generate an alert is a logon by a member of the Microsoft Privileged Groups. It is assumed that you have read and are following the Microsoft Best Practice of normally having ZERO members of the Privileged Groups (Domain Admins, Enterprise Admins, etc). Membership in these groups is only granted temporarily in order to perform a specific task. The Intruder Attack Surface of your AD is minimized by reducing the time that this elevation of privileges exists.

But what about abuse of privilege, or unauthorized role elevation? By monitoring and alerting on every logon and logoff on any computer of anyone with this group me...

Using activedirectory powershell module with 2003 domain controllers

See the following for a step-by-step guide on how to use Active Directory PowerShell cmdlets against 2003 domain controllers: http://blogs.technet.com/b/ashleymcglone/archive/2011/03/17/step-by-step-how-to-use-active-directory-powershell-cmdlets-against-2003-domain-controllers.aspx

Also, in order to run RSAT on Windows 7, with 2003 or 2008 DCs: This is still untested, but it looks like the author has figured out how to add the Active Directory PowerShell modules to Windows 7. Why would you want to do this? Well, I am writing PowerShell scripts to document AD, and I would like to be able to run them in an older AD environment, such as an upgrade candidate, etc. With a Win 7 workstation, I am hoping that I can load it up and run the script against an old 2003 server.

System Requirements: Windows 2003 SP2 server, with Active Directory Management Gateway Services (Active Directory Web Services for Windows Server 2003 and 2008) installed. ( http://www.microsoft.com/en-us/download/details.aspx?id=2...

PowerShell Tips #2 - Working with Multi-Instance or Nested Properties

The objective here is to create reports of objects that contain properties with multiple instances, or nested properties. An example is Get-DNSServer.

Get-DNSServer by itself, with no parameters, produces a very detailed, multiple-heading report with a ton of detail. The internal code to produce this report will be the subject of another technote. For this exercise though, see the output from the command:

    PS C:\ > Get-DnsServer |gm -MemberType Property

    Name                       MemberType Definition
    ----                       ---------- ----------
    PSComputerName             Property   string PSComputerName {get;}
    ServerCache           ...

Powershell Tricks and Notes

How to expand parameterizedProperty

Note if you issue the following command:

    Get-ADComputer -Filter * |Get-Member

You will get the following result:

       TypeName: Microsoft.ActiveDirectory.Management.ADComputer

    Name              MemberType            Definition
    ----              ----------            ----------
    Contains          Method                bool Contains(string propertyName)
    Equals            Method                bool Equals(System.Object obj)
    GetEnumerator     Method...

Reg Update to add Powershell to Pluggable Protocol Handlers.

With the following registry additions, you can create a new URL protocol handler for PowerShell. This allows me to do the following:

    Start -> Run: ps:3+5
    Start -> Run: ps:get-process
    Start -> Run: ps:

A new PowerShell window opens, parses and executes the command, and leaves the window open.

Import the following to set it up:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS]
    @="URL:Powershell Protocol"
    "URL Protocol"=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS\DefaultIcon]
    @="\"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\",1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS\shell]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS\shell\open]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS\shell\open\command]
    @="\"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoExit -command $ExecutionContext.InvokeCommand.InvokeScript('%1'.Substring(3))"

Special thanks ...

Exchange 2010 Mailbox Sizes, formatted output

Here is the command to output a formatted table with the Mailbox size formatted to be human readable.

    [PS] C:\Users\adminpds>get-mailboxstatistics -server ex-002 |Sort-Object TotalItemSize -Descending |Select-Object Displayname,  itemcount, TotalItemSize, database |ft Displayname,itemcount,@{n="Total Size (MB)";e={"{0:N0}" -f $_.TotalItemSize.Value.ToMB()};a="right"}, database

Installing .NET Framework on Win2012

A "bug" in Windows 2012 is that the source files for .NET Framework are not installed with the default GUI install of Windows 2012. A quick review of Get-WindowsFeature in PowerShell will show that

    [ ] .NET Framework 3.5 (NET-Framework-Core)

has a status of "Removed". Documentation on the net indicates that this will "install on demand" from the source media or from Windows Update. Not true. Even though this is on the Win2012 Certification Exam, it actually does not work.

The way to get past this little "bug" is to run DISM. The command to install this feature is:

    DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:d:\sources\sxs

You're welcome. For reference, see http://msdn.microsoft.com/en-ca/library/hh506443.aspx

Powershell - Query AD for Servers

The following script stub will query AD for all active Windows 2008 Servers (can be tweaked) and create a collection of those servers.

    # ######################################################################
    # - Section for gathering Windows Server Information ...
    # -- Define Global Variables --
    $strCategory = "computer"
    $strOS = "*2008*"

    # -- Get AD information --
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry

    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.Filter = "(&(objectCategory=$strCategory)(operatingSystem=$strOS)(name=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

    # - define Attributes to find -
    $colProplist = "name"
    foreach ($i in $colPropList){$return=$objSearcher.PropertiesToLoad.Add($i)}

    # - Find all Computers that fit the Search profile
    $colResults = $objSearcher.F...

Powershell Arrays

1) How do I create a dynamic array

    $a = @()

2) How do I append an element to array

    $a += "a"
    $a += "b"

3) How do I do a UBOUND on an array

.NET array indexes are zero-based, so ubound is length-1:

    $a.length - 1