25 May 2018

Find filesystem blocksize on windows with powershell

Get-WmiObject -Class Win32_Volume | Select-Object Name, Label, BlockSize

Get-CimInstance -ClassName Win32_Volume | Select-Object Name, Label, BlockSize

22 May 2018

Find exception full name

$Error[0] | Select-Object *

Exception  : Microsoft.ActiveDirectory.Management.ADIdentityAlreadyExistsException: The specified account already exists


14 March 2018

Exchange 2016 cmdlet help

help is broken in Exchange 2016 PowerShell console - the only way to make it work i found to be this:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchangeservername/PowerShell/?SerializationLevel=None

Invoke-Command –Session $Session –ScriptBlock {Get-Help Get-Mailbox}

but you will not be abble to import the exchange cmdles through this pssession because it will throw an error.

to import the cmdlest you need to have a different pssession without "SerializationLevel=None"

$Session2 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exton.office.orange.intra/PowerShell
Import-PSSession $Session2

02 March 2018

Get-WmiObject hangs

for some reason Get-WmiObject hangs on some of the computers that is queryes and the powershell console must be restarted.

in order to overcome this problem a used "-AsJob" parameter

$Job = Get-WmiObject -Class win32_computersystem -AsJob -ComputerName ServerName | Wait-Job -Timeout 30
$Result = $Job | Receive-Job

27 January 2018

Protect OU (Organizational Unit) in AD from accidental deletion

to verify if your OUs are protected from accidental deletion use:

Get-ADOrganizationalUnit -Filter * -Properties * |Select-Object DistinguishedName, ProtectedFromAccidentalDeletion

to protect all OUs in AD from accidental deletion use:

Get-ADOrganizationalUnit -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Find FSMO roles from powershell

Get-ADDomainController -Filter * | Select-Object Name, Site,  OperatingSystem, OperationMasterRoles

21 January 2018

Search eventlogs with xml filter

# 4625 bad password in client log
# 4771 bad password in DC log
# 4740 lockout in DC log
# <Select Path="Security">*[System[(EventID=4740 or EventID=4771)]]</Select>

[xml]$XMLFilter = @"
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4740)]]</Select>

$AllDomainControllers = Get-ADDomainController -Filter *

$AllEvents = @()

foreach($DC in $AllDomainControllers){
    $Events = @()
    $Events += Get-WinEvent -FilterXml $XMLFilter -ComputerName $DC.HostName -ErrorAction SilentlyContinue
    $AllEvents += $Events
    $DC.HostName + ' ' + $Events.Length

foreach($Event in $AllEvents){
    $EventXMLData = [xml]$Event.ToXml()
    for($i=0; $i -lt $EventXMLData.Event.EventData.Data.Count; $i++){
        $Name = $EventXMLData.Event.EventData.Data[$i].Name
        $Value = $EventXMLData.Event.EventData.Data[$i].'#text'
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $Name -Value $Value

$AllEvents |
Select-Object TargetUsername, MachineName, TimeCreated,IpAddress, ID |

Active directory domain user last logon date and time

"lastLogon" attribute is per domain controller - is not replicated to other domain controllers in the domain and each domain cotroller has his own information.

"lastLogonTimeStamp" is replicated in the domain (all domain controllers have the same updated information).

the date is stored in 100 miliseconds interval since 01.01.1601 (Juanuary 1, 1601)

to convert from System.Int64 we can use "FromFileTime" static method of DateTime class:



Active Directory Technical Specification

search the web for "MS-ADTS"


List active directory group membership changes

$ADGroup = Get-ADGroup -Identity 'Domain Admins'
Get-ADReplicationAttributeMetadata -Object $ADGroup.DistinguishedName -Server dc1 -ShowAllLinkedValues

in the output the "AttributeName" is the attribute that was changed - we should search for the "member" attribute.

"AttributeValue" is the value assigned to the attribute.
"FirstOriginatingCreateTime" is the time the value was added.
"LastOriginatingDeleteTime" is the time the value was deleted - but only if is different from "1/1/1601 2:00:00 AM"