powershell - how to set a property - powershell

I'm working with an AD domain where I want to change the password policy remotely via PowerShell.
I'm here:
$domain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://test.com")
$domain |get-member
...
masteredBy Property System.DirectoryServices.PropertyValueCollection masteredBy {get;set;}
maxPwdAge Property System.DirectoryServices.PropertyValueCollection maxPwdAge {get;set;}
minPwdAge Property System.DirectoryServices.PropertyValueCollection minPwdAge {get;set;}
.....
--> At this point I see that there is {get;set;} in definition of these properties.
The question is: Does it mean that you can set maxPwdAge in a way like:
$domain |set-property -name maxPwdAge -value XX
Please bear in mind that I can't use any cmdlet from active directory module because the remote domain doesn't have the Active Directory Web Services running.
This question is to understand the meaning of {get;set;} for properties and to find a PS way to set these values ;-)

In this case, those are read-only properties. You would need to edit the Group Policy or call legacy Net* APIs to programmatically change this.

Found it!!! ... in the easiest way :D
after defining $domain with:
$domain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://test.com")
I can READ:
$domain.maxPwdAge
I can SET:
$domain.maxPwdAge = 10
$domain.setinfo()
I only missed 'setinfo()' method.....after that it finally works!
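A read-back check for the value written above, as an added example that is not part of the original posts. AD stores interval attributes such as maxPwdAge and minPwdAge as Int64 counts of 100-nanosecond ticks, negative for a duration, so the raw number needs converting before it can be compared with the intended policy. The function names are hypothetical and the sample values are constructed.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Interval attributes (maxPwdAge, minPwdAge) are Int64 counts of
# 100-nanosecond ticks, stored as negative numbers.
function Format-AdInterval {
    param([Parameter(Mandatory)][long]$Ticks)
    # Int64.MinValue is the "never" sentinel. Test for it before negating,
    # because negating Int64.MinValue overflows.
    if ($Ticks -eq [long]::MinValue) { return 'never' }
    # A positive number is not a duration in this encoding; report it as-is.
    if ($Ticks -gt 0) { return "unexpected positive value $Ticks" }
    $span = [TimeSpan]::FromTicks(-$Ticks)
    '{0:N2} days' -f $span.TotalDays
}

function Get-DomainPasswordAge {
    # $Domain is a DirectoryEntry such as $domain in the post above.
    param([Parameter(Mandatory)]$Domain)
    # Re-read from the domain controller instead of trusting the local cache.
    $Domain.psbase.RefreshCache()
    foreach ($name in 'maxPwdAge', 'minPwdAge') {
        # Large integers come back as COM objects; the ADSI adapter converts them.
        $raw   = $Domain.psbase.Properties[$name].Value
        $ticks = $Domain.ConvertLargeIntegerToInt64($raw)
        [pscustomobject]@{
            Attribute = $name
            Ticks     = $ticks
            Meaning   = Format-AdInterval $ticks
        }
    }
}

# Constructed sample values, so the conversion can be checked without a domain.
foreach ($sample in -36288000000000, -864000000000, [long]::MinValue) {
    '{0,22} -> {1}' -f $sample, (Format-AdInterval $sample)
}
```

After SetInfo(), running Get-DomainPasswordAge $domain shows what the domain controller actually stored.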

Related

Is there a way to find out the date a user was disabled in Active Directory?

I'm currently working on Active Directory and I need to know when certain accounts have been disabled. There is the last_modified (a date) property but I'm not sure if enabling/disabling an account on AD triggers a change on last_modified. If yes, are there other properties that change it too when they are modified (which is probably the case...)?
Is there a way to know for sure when an account has been disabled, either by checking a property or executing a cmd/powershell script ?
Thank you
Kind of. But it won't be 100% reliable.
To disable an account, the userAccountControl attribute is updated.
Yes, updating userAccountControl will trigger an update to the whenChanged attribute (the "last modified" date).
There is also a computed attribute called msDS-ReplAttributeMetaData that will tell you when attributes were changed, as long as that feature is enabled on your domain. With the help from this article, I put some code together to pull out the last time the userAccountControl attribute was changed (set $username to the name of the account you want to look at):
$username = "whatever"
$metaData = "<root>" + (Get-ADUser $username -Properties "msDS-ReplAttributeMetaData")."msDS-ReplAttributeMetaData".Replace([char]0," ") + "</root>"
$xmlmetaData = [XML]$metaData
$userAccountControlModified = ($xmlmetaData.root.DS_REPL_ATTR_META_DATA |
Where {$_.pszAttributeName -eq "userAccountControl" } |
Sort -Property ftimeLastOriginatingChange -Descending |
Select -First 1).ftimeLastOriginatingChange
However, as the documentation for userAccountControl shows, that attribute is a bit flag that turns on and off several options for the account, not just enabled/disabled.
So while you can get the date the last time userAccountControl was updated, you cannot guarantee that's the time the account was disabled. It's possible that any other of those options were set after it was disabled.
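The caveat above, worked through as an added example that is not part of the original answer: it parses msDS-ReplAttributeMetaData, decodes the userAccountControl bit flags, and reports what can and cannot be concluded about the disable time. The function name is hypothetical and the sample metadata and flag value are constructed; in practice both come from the Get-ADUser call shown above.

```powershell
# Added example. Constructed sample data shaped like what AD returns:
# one XML fragment per attribute, each terminated by a NUL character.
$sampleMetaData = @(
    "<DS_REPL_ATTR_META_DATA><pszAttributeName>userAccountControl</pszAttributeName><dwVersion>5</dwVersion><ftimeLastOriginatingChange>2024-03-11T08:42:10Z</ftimeLastOriginatingChange></DS_REPL_ATTR_META_DATA>`0",
    "<DS_REPL_ATTR_META_DATA><pszAttributeName>pwdLastSet</pszAttributeName><dwVersion>3</dwVersion><ftimeLastOriginatingChange>2024-01-20T16:05:33Z</ftimeLastOriginatingChange></DS_REPL_ATTR_META_DATA>`0"
)
$sampleUac = 66050   # constructed: NORMAL_ACCOUNT + ACCOUNTDISABLE + DONT_EXPIRE_PASSWORD

# Documented userAccountControl bits (subset).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE = 0x2; LOCKOUT = 0x10; PASSWD_NOTREQD = 0x20
    NORMAL_ACCOUNT = 0x200; DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED = 0x40000; TRUSTED_FOR_DELEGATION = 0x80000
    DONT_REQ_PREAUTH = 0x400000; PASSWORD_EXPIRED = 0x800000
}

function Get-UacChangeSummary {   # hypothetical helper name
    param([string[]]$MetaData, [int]$UserAccountControl)
    # Strip the NUL terminators and wrap the fragments in a single root element.
    $xml = [xml]("<root>" + ($MetaData -join "").Replace("`0", "") + "</root>")
    $uac = @($xml.root.DS_REPL_ATTR_META_DATA) |
        Where-Object { $_.pszAttributeName -eq "userAccountControl" } |
        Sort-Object { [datetime]$_.ftimeLastOriginatingChange } -Descending |
        Select-Object -First 1
    if (-not $uac) { throw "No userAccountControl metadata found" }

    $disabled = [bool]($UserAccountControl -band $UacFlags.ACCOUNTDISABLE)
    $lastUtc  = ([datetime]$uac.ftimeLastOriginatingChange).ToUniversalTime()
    [pscustomobject]@{
        CurrentlyDisabled = $disabled
        LastUacChangeUtc  = $lastUtc
        UacWriteCount     = [int]$uac.dwVersion   # originating writes to the attribute
        FlagsSet          = @($UacFlags.Keys |
            Where-Object { $UserAccountControl -band $UacFlags[$_] })
        Conclusion        = if ($disabled) {
            # The disable bit was set by some write at or before the last one.
            "Disabled no later than $($lastUtc.ToString('u')); another flag may have changed since"
        } else {
            "Enabled now; the last userAccountControl change is not a standing disable"
        }
    }
}

Get-UacChangeSummary -MetaData $sampleMetaData -UserAccountControl $sampleUac | Format-List
```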

Get-IISAppPool Property "Status" is always empty

When I type in Get-IISAppPool the Status property is always empty.
Get-IISAppPool | Select-Object Status
The application pools are running, and the names are correct.
Does anyone know why?
I'm not the creator of the application pools, could that be the reason?
Status is not a property of the returned objects. This is a calculated property for the default table output. If you run this command:
Get-IISAppPool | Get-Member
You will see there is no Status property. There is, however, a State property, which, I guess, is where the default view gets its value:
State Property Microsoft.Web.Administration.ObjectState State {get;}
In fact, if you look at the member information, apart from Name, none of the items in the default view appear as properties - well, they do, but under different names.
If you want to know the status of a particular application pool using a PowerShell command:
Open PowerShell as administrator.
Run below command:
Get-WebAppPoolState -Name sample1
Note:
Check whether the name of the application pool you used in the command is available or not.
Regards,
Jalpa

How to add value to description property of a powershell function?

I would like to populate the Description property of Powershell functions I create in my $PROFILE. I would like to add a value to the Description property such as "Created in personal PROFILE". Is this possible?
Currently if I examine the Description of my Functions I find none are populated, for example:
Get-Command -Type Function -Name get-* | Select-Object -Property Name, Description -First 10
Name Description
---- -----------
Get-AlertLog
Get-AllColors
Get-AppBackgroundTask
Get-AppvVirtualProcess
Get-AppxLastError
Get-AppxLog
Get-AssignedAccess
Get-AutologgerConfig
Get-BCClientConfiguration
Get-BCContentServerConfiguration
Having the value populated would allow me to search for and quickly see where my functions were created, or what they do, etc.
Thank You.
+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~
Note:
I do not want to retrieve the information via Get-Help, but rather populate some of the properties of Type: System.Management.Automation.FunctionInfo:
Get-Command -Type Function -Name Get-AllColors | Get-Member
TypeName: System.Management.Automation.FunctionInfo
Name MemberType Definition
---- ---------- ----------
Equals Method bool Equals(System.Object obj)
GetHashCode Method int GetHashCode()
GetType Method type GetType()
ResolveParameter Method System.Management.Automation.ParameterMetadata ResolveParameter(string name)
ToString Method string ToString()
CmdletBinding Property bool CmdletBinding {get;}
CommandType Property System.Management.Automation.CommandTypes CommandType {get;}
DefaultParameterSet Property string DefaultParameterSet {get;}
Definition Property string Definition {get;}
Description Property string Description {get;set;}
HelpFile Property string HelpFile {get;}
Module Property psmoduleinfo Module {get;}
ModuleName Property string ModuleName {get;}
Name Property string Name {get;}
Noun Property string Noun {get;}
Options Property System.Management.Automation.ScopedItemOptions Options {get;set;}
OutputType Property System.Collections.ObjectModel.ReadOnlyCollection[System.Management.Automation.PS...
Parameters Property System.Collections.Generic.Dictionary[string,System.Management.Automation.Paramet...
ParameterSets Property System.Collections.ObjectModel.ReadOnlyCollection[System.Management.Automation.Co...
RemotingCapability Property System.Management.Automation.RemotingCapability RemotingCapability {get;}
ScriptBlock Property scriptblock ScriptBlock {get;}
Source Property string Source {get;}
Verb Property string Verb {get;}
Version Property version Version {get;}
Visibility Property System.Management.Automation.SessionStateEntryVisibility Visibility {get;set;}
HelpUri ScriptProperty System.Object HelpUri {get=$oldProgressPreference = $ProgressPreference...
Another way to ask is "Why is there such a Type if there is no way to populate the Properties with values and retrieve them via Select-Object -Property?"
Thank You.
You should use comment-based help instead of usage functions. Comment-based help will allow you to work with the built-in help system of PowerShell. It isn't hard to write and you don't even need to use all the sections.
Here is the TechNet on about_Comment_Based_Help, with some examples:
The syntax for comment-based Help is as follows:
# .< help keyword>
# <help content>
-or -
<#
.< help keyword>
< help content>
#>
You do have to make sure the categories are spelled correctly, otherwise the whole help on your function won't show up and you won't get an error message. A simple example that just has a synopsis and a description:
.SYNOPSIS
A brief description of the function or script. This keyword can be used
only once in each topic.
.DESCRIPTION
A detailed description of the function or script. This keyword can be
used only once in each topic.
Read the linked article for all the keywords and their descriptions. Similar information can be found by running get-help about_comment_based_help
So far the responses do not answer the actual question as asked, and it is a good question as is, even though adding Help is a good and useful idea, whether it is Comment Based or full XML Help.
The problem is that Comment Based Help only provides the "Description" for the function's HELP, and not its properties as shown when you run Get-Command.
Getting the Description with Get-Command is a very useful and separate idea.
However, only some properties of a function are (directly) settable and we can discover this with Get-Member -membertype Property as shown in the original question and whose output includes (part of) the answer:
Description Property string Description {get;set;}
Member property 'Description' is directly SETTABLE, as shown at the end of the definition for the property: {get;set;}
ANSWER: So we can easily set the function's actual Definition property with a direct assignment:
(Get-Command -Type Function -Name Get-AllColors).Description = 'Defined in $Profile'
# or
(Get-Command -Type Function -Name Get-AllColors).Description = "Defined in the $Profile"
We can find all properties which are directly settable quite easily.
gcm mypshost | get-member | findstr "set;"
# Typically only shows 3 properties unless the function was defined in a module
Description
Options
Visibility
Or perhaps even better would be setting the "Source" property which is now included in the default output from Get-Command (though that is not so trivially set with direct assignment.)
Creating the function within a Module with a proper "Module Manifest" does allow for setting most/all of these properties that are typically blank on functions defined directly.
The Source will be the "module" that defines the function and the version will be set as well if it is set in the module.
Unfortunately, the "Set-ItemProperty" command is not supported by the "Function" PSProvider (as it is by the Registry Provider and many others). The following fails (on Version 2.0 and 5.1):
Set-ItemProperty function:mypshost -Name Description -Value 'only testing'
While it works with similar syntax for a file:
Set-ItemProperty (dir ic.ps1) -Name LastWriteTime -Value (get-date)
Another example is the "OutputType" which can be set by using one of the options in the [CmdletBinding()] attribute of an advanced function parameter block:
You can use Comment-Based Help to add a description (and lots of other information) to your functions:
SYNTAX FOR COMMENT-BASED HELP
The syntax for comment-based help is as follows:
# .< help keyword>
# <help content>
-or -
<#
.< help keyword>
< help content>
#>
Example:
function Add-Extension
{
    param ([string]$Name,[string]$Extension = "txt")
    $name = $name + "." + $extension
    $name
    <#
    .SYNOPSIS
    Adds a file name extension to a supplied name.
    .DESCRIPTION
    Adds a file name extension to a supplied name.
    Takes any strings for the file name or extension.
    #>
}
I think what HerbM is looking for is a quick reminder what a function does, not a replacement for help. There is a good case for both. For example, I have a function that displays a list of commands and then executes them. If I enter:
EXAMPLE
gcm na|select -property name,description,DisplayName
Name Description DisplayName
---- ----------- -----------
NA RB Do a command with no arguments. NA -> Do_Noarg
GCM lists a short description that I included when I created the alias NA.
It would be useful if GCM would also list the description on functions instead of blanks as follows:
EXAMPLE
gcm do_noarg|select -property name,description,Definition
Name Description Definition
---- ----------- ----------
Do_Noarg dr ~\PS1\No_Arg\*.ps1 Invoke-Expression
I believe HerbM isn’t looking for gcm or any other tool to replace help but just wants a quick single line description of a function.
If Description is just a placeholder for future releases of “function”, then please let everyone know.

Powershell ADSI ntSecurityDescriptor

Hi, I'm having some trouble getting the information on who joined the computer to the domain.
I can use this code but this is to be used by some non-administrative users that don't have access to the PowerShell ActiveDirectory module.
Get-ADComputer myComputer -Properties ntSecurityDescriptor | Select ntSecurityDescriptor -ExpandProperty ntSecurityDescriptor
It's the owner property I am interested in here.
But now to the real deal
I need to make it work with ADSI
$Computer = [ADSI](([ADSISearcher]"(name=myComputer)").FindOne().Path)
$Computer.nTSecurityDescriptor
System.__ComObject
How do I "expand" the properties of the nTSecurityDescriptor using ADSI?
PowerShell is smart enough that it will try to show you the best representation of an object with the most common properties it thinks you will need. Sometimes though you need to get the raw object underneath which you can do by using the PSBase property. Here's a link to Jeffrey Snover talking about it. Try this:
$Computer = [ADSI](([ADSISearcher]"(name=myComputer)").FindOne().Path)
$Computer.PsBase.ObjectSecurity.Owner

How to query for members of an LDAP group using Powershell not in MS Active Directory

All I am trying to accomplish is to return if an LDAP group has any members in it. So, I have a list of groups, and I want to query each one for a list of members to ensure there is at least 1 member in every group.
I am using powershell and this is NOT Active Directory.
This is currently what I am trying
$user = "username"
$pwd = "password"
$de = "LDAP://[SERVERNAME]/cn=user,ou=people,o=company"
$deObject = New-Object -TypeName System.DirectoryServices.DirectoryEntry($de,$user,$pwd,'FastBind')
This returns a DirectoryEntry object (at least as far as I can tell). I can't really see any attributes or anything except for if I do the following:
$deObject.Name
This returns the cn of "user" and that's it. Any suggestions?
I've tried:
$deObject.Properties
$deObject.Properties['member']
$deObject.Properties.Values['member']
Thanks in advance!
This will show you all the properties there are:
$deObject | Format-List * -force
And this will return you the number of members in a group:
$deObject.member.Count