Getting Last Logon Times For Members of A Group – ADSI Edition

This handy little script will pull all of the users from the specified AD group and then grab the LastLogon time from each specified DC (or you could use [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers to get all of them in the current domain) as well as grabbing the LastLogonTimeStamp for good measure. You can also specify which attribute you want to sort the results on; I recommend samaccountname because it’s usually the most useful. Obviously it’s much quicker and simpler to do this with the ActiveDirectory cmdlets, but sometimes you’re stuck working with a bunch of 2003 DCs and have to make do with ADSI....

2012-08-20 · 3 min · Adam

Disable NTFS Permissions Inheritance

The following is the Powershell equivalent of unticking the box below for the folder “C:\temp”:

    $acl = get-acl "C:\temp"
    $acl.SetAccessRuleProtection($true,$true)
    $acl | set-acl

Note that SetAccessRuleProtection takes two boolean arguments; the first turns inheritance on ($False) or off ($True) and the second determines whether the previously inherited permissions are retained ($True) or removed ($False).

2012-03-30 · 1 min · Adam

Changing Printer Drivers En Masse

If you need to change the drivers for a large number of printers, such as on a print server, then you can use the following Powershell to do it. Set $driver to the name of the driver you wish to set and $pattern to match for the printers you wish to affect (so you don’t change the driver on printers you don’t want to). Note: This script will run pretty quickly, but depending on the number of printers it may take upwards of 10 minutes for Windows to do all the background processing associated with the driver changes....

2012-03-01 · 1 min · Adam

Am I an Administrator?

Powershell. Returns True or False. Simple.

    (New-Object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

2012-02-16 · 1 min · Adam

Decode UserAccountControl Values With Powershell

One of the most annoying things when working with Powershell and AD accounts is the UserAccountControl value. This value determines settings such as whether or not the account is locked out, disabled, requires a smartcard for authentication, uses reversible encryption for its password, etc. The default is 512 (NORMAL_ACCOUNT), but all kinds of weird and wonderful combinations can turn up depending on how the account is configured. When you’re trying to (for example) find all the accounts that are set to USE_DES_KEY_ONLY, having so many different possible values (any number that could have 2097152 as part of its makeup) makes it a pain to work out....

2012-01-25 · 2 min · Adam

Sophos Safeguard Enterprise Auto-Sync Script

Those of you who have used Safeguard will know that for reasons known only to the Germans, Utimaco decided not to provide any way to automatically sync Safeguard with your AD domain(s) without resorting to a rather buggy API. They provide some example code for VBScript and Sophos are rumoured to be adding an automatic sync function in 5.60, but if you’d rather do it in Powershell and have some decent error handling and reporting then look no further....

2010-12-05 · 3 min · Adam

Sophos/Utimaco Safeguard Enterprise User Addition/Removal Script

The following script will allow you to add or remove registered user accounts to/from Sophos Safeguard Enterprise clients on a large scale (OU, domain or even org-wide). Needs to be run from a machine with Safeguard Server installed (or have the authentication method changed, of course). Obviously you can’t add Local accounts, but you can remove them – it hasn’t been tested with Workgroups. Important bits are as follows; Vars to set are:...

2010-12-02 · 3 min · Adam