Query a remote computer registry key

Hello,

In PowerShell there are usually several ways to do the same thing. Here is one way to query a registry key on a remote computer:

# Open HKEY_LOCAL_MACHINE on the remote computer (needs the Remote Registry service and admin rights there)
$PSExecutionPolicy=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine","Computer1")
# Open the key where PowerShell stores the machine-wide execution policy
$PSExecutionPolicyKey=$PSExecutionPolicy.OpenSubKey("SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell")
# Read the value; returns $null if the value has never been set
$PSExecutionPolicyKey.GetValue("ExecutionPolicy")

This example retrieves the PowerShell execution policy of the computer "Computer1". OpenRemoteBaseKey talks to the Remote Registry service on the target, so that service must be running there (and reachable through the firewall) and your account needs read access to the key; otherwise you get an "RPC server is unavailable" or "access denied" exception.
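The three lines above work for one machine and stop at the first error. The function below is an added example (not code from the original post): it reads the same key from a list of computers, reports failures per machine instead of aborting, and closes the registry handles it opens. The computer names are placeholders, and the same prerequisites apply (Remote Registry service running, administrative rights on the target).

```powershell
# Added example: collect the machine-wide PowerShell execution policy from several
# remote computers through the Remote Registry API.
# Assumes: the Remote Registry service runs on each target and the caller is an admin there.
function Get-RemoteExecutionPolicy {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    $subKey = 'SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    foreach ($computer in $ComputerName) {
        $base = $null
        $key  = $null
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $key  = $base.OpenSubKey($subKey)      # read-only handle, $null if the key is missing
            if ($null -eq $key) {
                # No key at all: no machine-wide policy has ever been written to the registry
                $policy = 'Undefined'
            } else {
                # Second argument is the default returned when the value does not exist
                $policy = $key.GetValue('ExecutionPolicy', 'Undefined')
            }
            [pscustomobject]@{ ComputerName = $computer; ExecutionPolicy = $policy; Error = $null }
        } catch {
            # Typical causes: Remote Registry service stopped, firewall, or access denied
            [pscustomobject]@{ ComputerName = $computer; ExecutionPolicy = $null; Error = $_.Exception.Message }
        } finally {
            # Always release the remote handles, even after an exception
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }
    }
}

# Placeholder computer names
Get-RemoteExecutionPolicy -ComputerName 'Computer1', 'Computer2' | Format-Table -AutoSize
```

Keep in mind that this key only reflects the LocalMachine scope of the policy. A policy pushed by Group Policy lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell and takes precedence, so a machine can report "Undefined" here and still have a restrictive policy enforced by GPO; the effective policy is what Get-ExecutionPolicy -List shows when run on the machine itself.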

Here is the technical documentation of that class (Microsoft.Win32.RegistryKey).

Convert System.Byte[] SID to readable SID

Hello,

Today, I'll show you a nice trick for those who don't have the pleasure of Active Directory Web Services and the Active Directory PowerShell module.

To query AD without the module, you use the [ADSI] or [ADSISearcher] type accelerators, like this:

[adsi]"LDAP://CN=Administrator,CN=Users,DC=D2K12R2,DC=local"

Now, imagine you need to retrieve the SID of that user, by reading its objectsid property:

[screenshot: the objectsid property displayed as a byte array rather than a SID string]

It isn't a readable SID. If you pipe that property into "Get-Member", you'll find out why: its type is System.Byte[], the raw binary form of the SID as stored in the directory.

[screenshot: Get-Member output for objectsid]

To get a usable, readable SID, wrap the byte array in a System.Security.Principal.SecurityIdentifier object. The second constructor argument, 0, is the offset at which the SID starts in the array:

(New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $(([adsi]"LDAP://CN=Administrator,CN=Users,DC=D2K12R2,DC=local").objectsid), 0).value
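The one-liner above converts in one direction only. The block below is an added example (not code from the original post) that wraps the conversion in a function, and also goes the other way: it turns a SID string back into the escaped byte form that an LDAP filter needs, so you can look up an object by SID with [ADSISearcher] and still no ActiveDirectory module. The distinguished name is the post's own placeholder domain; the function names are mine.

```powershell
# Added example: objectSid byte[] -> SID string, and SID string -> LDAP filter, without the AD module.
# Assumes a reachable domain; the DN below is a placeholder from the post.
function ConvertFrom-ObjectSid {
    param([Parameter(Mandatory)][byte[]]$ObjectSid)
    # The array is the raw SID structure (revision, sub-authority count, authority, sub-authorities);
    # offset 0 tells the constructor where the SID starts.
    (New-Object System.Security.Principal.SecurityIdentifier($ObjectSid, 0)).Value
}

function ConvertTo-LdapSidFilter {
    # An LDAP filter cannot carry raw bytes: each byte of the binary SID is escaped as \XX.
    param([Parameter(Mandatory)][string]$Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $bytes  = New-Object byte[] $sidObj.BinaryLength
    $sidObj.GetBinaryForm($bytes, 0)          # fills $bytes with the binary SID
    ($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
}

# Forward: DirectoryEntry -> readable SID.
# .objectSid on a DirectoryEntry is a PropertyValueCollection; .Value unwraps it to the byte[].
$user = [adsi]"LDAP://CN=Administrator,CN=Users,DC=D2K12R2,DC=local"
$sid  = ConvertFrom-ObjectSid -ObjectSid $user.objectSid.Value
$sid                                         # e.g. S-1-5-21-...-500 for the built-in Administrator

# Reverse: find the object that owns this SID.
$searcher = [adsisearcher]"(objectSid=$(ConvertTo-LdapSidFilter -Sid $sid))"
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName'))
$hit = $searcher.FindOne()
# Keys of the Properties collection on a search result are lower-case
$hit.Properties['distinguishedname'][0]
$hit.Properties['samaccountname'][0]
```

The reverse lookup is the one you need most often in an investigation: event logs and ACLs give you SIDs, not names, and searching on objectSid resolves them directly in the directory even when the account has been renamed.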

Here is the technical documentation for that type of object.

Write Eventlog with PowerShell

Hello,

Today we are talking about creating events in the event log with PowerShell. You can use the built-in cmdlet "Write-EventLog" like this:

Write-EventLog -LogName System -Source Ntfs -EntryType Information -EventId 1234 -Message "Created by powerShell Write-EventLog"

[screenshot: the event written by Write-EventLog, shown in Event Viewer]

But, as the help says, it requires a registered source, and the event is not as clean as we could expect: because the Ntfs source's message file has no template for event ID 1234, Event Viewer prefixes the message with "The description for Event ID 1234 from source Ntfs cannot be found". Borrowing a system source like this also pollutes the System log with events that look like they come from the file system driver, which is exactly what monitoring rules key on.

Note: to list the registered sources of an event log:

(Get-WmiObject win32_NTEventlogfile -Filter "LogFileName='System'").sources

Here is another method, using the .NET System.Diagnostics.EventLog class directly:

# Bind to the System log on the local machine
$EventLog = New-Object System.Diagnostics.EventLog('System')
$EventLog.MachineName = "$env:COMPUTERNAME"
# The source does not need to be registered beforehand (see the note below)
$EventLog.Source = "It For Dummies"
# WriteEntry(message, entry type, event ID, category)
$EventLog.WriteEntry("Event created by PowerShell, using a System.Diagnostics.EventLog object.",'Information',1234,2)


You’ll find a lot of details about that type of object here.

The event is clean, and you can use any source name you like. The reason it works is that the .NET class registers an unknown source on the fly, with a generic message file that simply displays the text you pass in. That registration is a one-time write under HKLM\SYSTEM\CurrentControlSet\Services\EventLog, so the first call for a new source needs administrative rights, and a given source name can belong to only one log.

This can be useful if you put that code in all your scripts and use a monitoring solution to keep track of those events: you can track your scripts' usage, and prove to your boss that investing in script development makes your coworkers more efficient.
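Putting that idea into a reusable function, as an added example rather than code from the original post: it writes to the Application log under a dedicated source, checks whether the source is registered before creating it, records who ran which script from which host, and disposes the EventLog object. The source name, log name and event IDs are placeholders; the first call that creates the source must run elevated.

```powershell
# Added example: write script-usage events under a dedicated, registered source.
# Assumes: the first call (which registers the source) runs as administrator.
function Write-ScriptEvent {
    param(
        [Parameter(Mandatory)][string]$Message,
        [ValidateSet('Information', 'Warning', 'Error')][string]$EntryType = 'Information',
        [int]$EventId = 1000,
        [string]$LogName = 'Application',
        [string]$Source  = 'It For Dummies Scripts'   # placeholder source name
    )
    # SourceExists scans every log's registration, including Security, and throws
    # SecurityException for a non-admin when the source is unknown; treat that as "missing".
    try { $exists = [System.Diagnostics.EventLog]::SourceExists($Source) } catch { $exists = $false }
    if (-not $exists) {
        # One-time administrative registration of the source under the chosen log
        [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
    }
    $log = New-Object System.Diagnostics.EventLog($LogName)
    $log.Source = $Source
    try {
        # WriteEntry(message, entry type, event ID); the string is cast to EventLogEntryType
        $log.WriteEntry($Message, [System.Diagnostics.EventLogEntryType]$EntryType, $EventId)
    } finally {
        $log.Dispose()
    }
}

# Record which script ran, as which user, on which host (values come from the running session)
$who    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$script = if ($PSCommandPath) { Split-Path -Leaf $PSCommandPath } else { 'interactive session' }
Write-ScriptEvent -Message "Script '$script' started by $who on $env:COMPUTERNAME" -EventId 1001

# ... script body ...

Write-ScriptEvent -Message "Script '$script' finished by $who on $env:COMPUTERNAME" -EventId 1002
```

Using your own source and a fixed pair of event IDs (started/finished) is what makes the events usable by a monitoring tool: it can filter on Source and EventID instead of parsing message text, and nothing you write can be confused with a real Ntfs or Kernel event in the System log. Microsoft documents a short delay between CreateEventSource and the source being usable, so on a brand-new source the very first WriteEntry can occasionally fail; registering the source once during deployment avoids that.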

Check password replication on a RODC

Hello,

How can I check whether a user account's password is really cached on an RODC? (In most cases, we do that to make sure the user can still log on through the RODC if the link to the writable domain controllers goes down.)

You can use the GUI, "DSA.MSC": open the properties of the RODC computer object, go to the "Password Replication Policy" tab, click "Advanced", and check whether your user is in the list of accounts whose passwords are stored on the RODC. That's a lot of clicks, so here is a PowerShell version:

try {
    # Find the RODC computer object; the filter is the standard LDAP form
    $obj = [adsisearcher]"(cn=RODC-Name)"
    # msDS-RevealedList holds the accounts whose secrets the RODC has cached
    $obj.PropertiesToLoad.Add('msDS-RevealedList') | Out-Null
    $comp = $obj.FindOne()
}
catch {"KO - ADSISearcher"}

# Each entry has the form S:<length>:<attribute>:<DN>; "unicodePwd" is the cached password
$comp.Properties.'msds-revealedlist' | Where-Object {$_ -like "S:10:unicodePwd:CN=SamAccountNameOfYourUser*"}

Please note the "*" after the name of the user: the part after "unicodePwd:" is the user's full distinguished name, so the wildcard matches the rest of the DN. Note also that the DN starts with the user's CN, which is usually, but not always, the same as its SamAccountName; if your naming convention differs, match on the CN.
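The wildcard match above keys on the CN prefix of the DN. The following function is an added example (not part of the original post): it resolves the user's full distinguished name from its sAMAccountName first, then compares that DN with every entry in the RODC's msDS-RevealedList, still without the ActiveDirectory module. It also reports which secret attributes were revealed, not only unicodePwd. The user and RODC names are placeholders.

```powershell
# Added example: is this user's password cached on this RODC? Matches on the full DN.
# Assumes a reachable domain; 'jdoe' and '2K12R2RODC' are placeholders.
function Test-RodcPasswordCached {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$RodcName
    )
    # 1. Resolve the user's DN: the revealed list stores DNs, not sAMAccountNames
    $userSearch = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $userSearch.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $user = $userSearch.FindOne()
    if (-not $user) { throw "User '$SamAccountName' not found" }
    $userDn = $user.Properties['distinguishedname'][0]

    # 2. Fetch the RODC computer object's msDS-RevealedList
    $rodcSearch = [adsisearcher]"(&(objectCategory=computer)(cn=$RodcName))"
    $rodcSearch.PropertiesToLoad.Add('msDS-RevealedList') | Out-Null
    $rodc = $rodcSearch.FindOne()
    if (-not $rodc) { throw "RODC '$RodcName' not found" }

    # 3. Each entry is 'S:<length>:<attribute>:<DN>'; keep the attributes revealed for our DN.
    #    -eq on strings is case-insensitive in PowerShell, which matches how AD compares DNs.
    $revealed = @($rodc.Properties['msds-revealedlist'])
    $hits = @(foreach ($entry in $revealed) {
        if ($entry -match '^S:\d+:(?<attr>[^:]+):(?<dn>.+)$' -and $Matches.dn -eq $userDn) {
            $Matches.attr
        }
    })

    [pscustomobject]@{
        SamAccountName     = $SamAccountName
        DistinguishedName  = $userDn
        RODC               = $RodcName
        PasswordCached     = ($hits -contains 'unicodePwd')   # the secret needed for logon
        RevealedAttributes = $hits
    }
}

Test-RodcPasswordCached -SamAccountName 'jdoe' -RodcName '2K12R2RODC'
```

If the name you pass contains LDAP filter metacharacters (parentheses, "*", "\"), escape them before building the filter; for ordinary account names this is not an issue. A PasswordCached value of $false for a user who is in the allowed list simply means nobody has logged on through that RODC yet with that account (or the password was never prefetched), which is worth knowing before you rely on it for site resilience.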

Example:

[screenshot: the matching msDS-RevealedList entry for the user]

Please also note that we don't use the "ActiveDirectory" PowerShell module here, but if you do have the module available, check this cmdlet: Get-ADDomainControllerPasswordReplicationPolicyUsage

Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 2K12R2RODC -RevealedAccounts


Disk view in Task Manager

Hello,

A quick trick here to enable the disk performance view in the new Task Manager that ships since Windows Server 2012. In Windows 8/8.1, by default, you can see the disks' performance, with useful information such as read/write speeds.

In Windows Server 2012, by default you get:

[screenshot: Task Manager Performance tab without the Disk section]

To get the disk view, you have to enable it with that command :

Diskperf -y

Note: you need administrator permissions.

Once enabled:

[screenshot: Task Manager Performance tab with the Disk section]

You only need to do this once; the setting persists across reboots.