Remko Weijnen's Blog (Remko's Blog) » PowerShell

Take ownership of a registry key in PowerShell

Remko — Mon, 16 Jan 2012 15:39:36 +0000

After reading Andy Morgan’s (excellent) blog post about Removing Screen Resolution and Personalize shell extensions from a users desktop session I couldn’t help it.

I had to write a PowerShell script to take ownership of the mentioned registry keys. So here goes:

The code is only quick to show we can do it (after all PowerShell has no limits) and could be improved error handling and so on. But it works!

$definition = @"
using System;
using System.Runtime.InteropServices;

namespace Win32Api
{

public class NtDll
{
[DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
}
}
"@

Add-Type -TypeDefinition $definition -PassThru

$bEnabled = $false

# Enable SeTakeOwnershipPrivilege
$res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)

$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("DesktopBackground\Shell\Display", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
$acl = $key.GetAccessControl()
$acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")
$key.SetAccessControl($acl)

Read Maximum Password Age with PowerShell

Remko — Fri, 02 Dec 2011 12:47:44 +0000

I needed to read out the Maximum Password age with a PowerShell script in a Windows 2003 domain.

Reading out the maxPwdAge attribute is a trivial task in PowerShell (I am re-using the function AdsLargeIntegerToInt64):

# Read Maximum Password Age (from Domain Policy)
# Read maxPwdAge attribute and convert to Int64
$maxPwdAge = AdsLargeIntegerToIn64 $Domain.maxPwdAge.Value(

In my case this returns the value -78624000000000 but how do we interpret this?

The value is expressed in 100 nanosecond units which is the same unit as a windows FILETIME structure uses.

Knowing that we can use the FromTicks method from the .NET TimeSpan structure to convert it to the number of days:

$maxPwdDays = [System.TimeSpan]::FromTicks([System.Math]::ABS($maxPwdAge)).Days

And $maxPwdDays is 91 in my case.

Note that I am using ABS to make the value positive since maxPwdAge is always negative.

Embedding images in HTML

Remko — Fri, 02 Dec 2011 12:09:43 +0000

I was creating a small dialog in an .hta file and to make a little prettier for the user I included a company logo:

But I wanted to deploy the .hta as a single file.

And this can be done using data: followed by a base64 encoded png:

The Base64 encoding can easily be done with PowerShell:

function ConvertTo-Base64($path)
{
return [Convert]::ToBase64String((Get-Content $path -Encoding byte))
}

ConvertTo-Base64 "Picture.png"

Example:

Convert IADsLargeInteger to Int64 in PowerShell

Remko — Thu, 01 Dec 2011 15:03:46 +0000

Some Active Directory attributes return an 8 byte integer in the form of an IADsLargeInteger interface. An example is the pwdLastSet attribute from a user object.

Because the IADsLargeInteger object doesn’t provide type information PowerShell cannot read the HighPart and LowPart properties.

So I wrote the function below to get the Int64 value of an IADsLargeInteger:

function AdsLargeIntegerToIn64($adsLargeInteger)
{
[Int32]$highPart = $adsLargeInteger.GetType().InvokeMember("HighPart", [System.Reflection.BindingFlags]::GetProperty, $null, $adsLargeInteger, $null)
[Int32]$lowPart = $adsLargeInteger.GetType().InvokeMember("LowPart", [System.Reflection.BindingFlags]::GetProperty, $null, $adsLargeInteger, $null)
return [Int64]("0x{0:x8}{1:x8}" -f $highPart, $lowpart)
}

Set homefolder permissions with PowerShell

Remko — Tue, 08 Nov 2011 20:05:19 +0000

Today one of my collegues asked me to write a script that performs two actions for all users of a certain Organizational Unit:

Ensure that each user has modify permissions on their homefolder
Make each user visible in the Exchange Address List.

Sounds like a PowerShell job right?

I reused my function to set NTFS Permissions by SID:

# Inheritance This Folder, Subfolders and Files)
$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"

# Retrieve the ACL
$aCL = Get-Acl $directory

# Create Ace
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($sID, "Modify", $inherit, $propagation, "Allow")

# Add Ace to Acl
$aCL.AddAccessRule($accessrule)

# Set Acl to the directory
Set-Acl -aclobject $aCL -path $directory
}

And then I only needed to get the OU and do a foreach loop on it’s children:

$OU = [ADSI]"LDAP://OU=TheOU,OU=Employees,DC=contoso,DC=com"
foreach ($User in $OU.Children)
{
# Grant Modify Permissions to the user on his homedirectory as specified in AD
SetNTFSPermissionsBySid $User.HomeDirectory $User

# Unhide the user from the Exchange Address List
$User.msExchHideFromAddressLists = $false
$User.CommitChanges()
}

Construct AQS date range with PowerShell

Remko — Fri, 04 Nov 2011 15:05:25 +0000

For a script I needed to create an AQS (Advanced Query Syntax) Query that contained a date range.

An example of such is a range is: date:11/05/04..11/10/04

However we need to account for regional settings where for example the data seperator and the order of day and month may be different.

In my example I wanted to match any data that is 30 days or older so let’s do this in PowerShell:

First we define a variable for the minimum age:

# Minimum Age in Days
$MinAge = 30

Then we use the MinValue property to get the a minimum date value (1/1/0001). This is the From date:

# DateFrom is MinValue to catch all
$DateFrom = [System.DateTime]::MinValue.ToShortDateString()

And we use the ToShortDateString method to format the date in the current regional settings.

Now we can calculate the To Date:

# DateTo is the current date – $MinAge
$DateTo = [System.DateTime]::Now.Subtract([System.TimeSpan]::FromDays($MinAge)).ToShortDateString()

And the last step is to format the AQS Query String:

# Now Construct the AQL Query
$AQL = ‘date:{0}..{1}’ -f $DateFrom, $DateTo

In my case the result at the time of writing is:

date:1-1-0001..4-10-2011

Exchange Move Mailbox Experiences Part 3

Remko — Wed, 28 Sep 2011 09:08:21 +0000

In Part 2 I showed some details about Mailbox Rule corruptions that can disturb Mailbox Moves.

For this part the topic is Mailbox size, which can be an important factor in deciding which mailboxes you want to move first.

In my case the mailbox size was important because we agreed to move smaller mailboxes during the day but larger mailboxes only outside working hours.

For Exchange 2010 mailboxes it’s very easy to obtain the size using PowerShell.

Example:

Get-Mailbox "rweijnen" | Get-MailboxStatistics | select DisplayName, ItemCount, TotalItemSize

DisplayName	ItemCount	TotalItemSize
Remko Weijnen	313	34.87 MB (36,564,183 bytes

But how can we get the Mailbox Size for Exchange 2003 mailboxes?

Using OutlookSpy we can see where this information can be read programmatically.

Select the Inbox and click IMAPIFolder, then inspect the PR_MESSAGE_SIZE property:

There is one problem however, the type of this property is PT_LONG which is a 4 byte Integer. The maximum value it can hold is 2147483647 (2 GigaByte) after which it will overflow to -1.

With Outlook 2003 SP1 and higher we can use the PR_MESSAGE_SIZE_EXTENDED property which is a 64 bit Integer.

I wrote a PowerShell function (requires Redemption) that creates a dynamic MAPI profile, logs on to the desired Mailbox and returns the Mailbox Size:

function GetMailboxSize{
param(
[Parameter(
Position=0,
Mandatory=$true,
ValueFromPipeline=$true,
ValueFromPipelineByPropertyName=$true)
]
[Alias(‘User or Mailbox object’)]
[Object]$Mbx
)

# -1 means Unknown
$result = -1

# Create RDOSession Object
if (!($rDOSession)) { $rDOSession = New-Object -ComObject "Redemption.RDOSession" }
try
{
   if ($rDOSession.LoggedOn) { $rDOSession.Logoff() }
   $rDOSession.LogonExchangeMailbox($Mbx.LegacyExchangeDn, $Mbx.Server)

   if ($rDOSession.LoggedOn)
   {
      # Get Mailbox Size, note that PR_MESSAGE_SIZE is max 2 GB therefore we
      # user PR_MESSAGE_SIZE_EXTENDED
      $result = ($rDOSession.Stores.DefaultStore.Fields($PR_MESSAGE_SIZE_EXTENDED))
      $rDOSession.Logoff()
   }
}
catch
{
   # Add your Exception handling code here
   # [system.exception]
   # "exception"
}
finally
{
   return $result
}
}

Inline arrays in PowerShell

Remko — Wed, 28 Sep 2011 08:34:18 +0000

Sometimes I want to process a list of “things” easily in PowerShell where the list is not in an external file but in the script itself.

Ideally this list would not be separated by e.g. a comma so it can be easily copy/pasted from external data sources.

Something like this:

$List = @("
John Doe
Jane Doe
James Bond
And so the list goes on
")

With a little trickery we can!

$List = @("
John Doe
Jane Doe
James Bond
And so the list goes on
") -split "`n" | where {[byte]$_[1] -ne 0×0}

foreach ($Entry in $List)
{
"Performing surgery on $Entry"
}

Settings NTFS Permissions by SID in PowerShell

Remko — Fri, 02 Sep 2011 15:21:42 +0000

I am currently creating a PowerShell script that creates a user with all needed Active Directory attributes, Exchange mailbox, (TS) Home- and Profile directories and so on.

In such a script you can easily get failures because of Active Directory replication.

Image that you create a new user account and later on you need set an additional attribute. What happens if the user was created while connected to Domain Controller A and you try to set an additional attribute while connected to Domain Controller B before replication has completed?

We can prevent this easily by performing all actions on the same domain controller. In my script I query for any Domain Controller that has the Global Catalog role:

# We will use a single domain controller for all operations to prevent
# replication issues
$DC = (Get-DomainController -GlobalCatalog )[0].DnsHostName

Insert the $DC variable in your ldap binding eg:

$User = [ADSI]("LDAP://{0}/CN=Administrator,CN=Users,DC=Contoso,DC=com" -f $DC)

Next problem is when you perform non ADSI operations such as setting NTFS permissions on a fileserver (eg homedirectory).

This server may not yet be able to resolve the username to it’s SID and thus the operation may fail!

We can solve this easily by giving permissions to the SID directory instead to the username. Example:

function SetNTFSPermissionsBySid([string]$directory, [System.DirectoryServices.DirectoryEntry]$objAD)
{
# Convert byte array sid to sid string
$sID = New-Object System.Security.Principal.SecurityIdentifier $objAD.objectsid[0],0

# Inheritance This Folder, Subfolders and Files)
$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"

# Retrieve the ACL
$aCL = Get-Acl $directory

# Create Ace
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($sID, "Modify", $inherit, $propagation, "Allow")

# Add Ace to Acl
$aCL.AddAccessRule($accessrule)

# Set Acl to the directory
Set-Acl -aclobject $aCL -path $directory
}

Check if a useraccount exists with PowerShell

Remko — Fri, 02 Sep 2011 09:51:37 +0000

Function below can be used to check if a given Username exists in Active Directory:

function UserExists([string]$Username)
{
$strFilter = "(&(objectCategory=person)(sAMAccountName=$Username))"

$objDomain = New-Object System.DirectoryServices.DirectoryEntry

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

$colResults = $objSearcher.FindAll()
return [bool]($colResults -ne $null)
}