Archive for August, 2010

Resolving external accounts in domain groups

You do not have to do anything to do that. If your group contains an account from a trusted domain, good old

Get-QADGroupMember MyGroup

will resolve foreign security principals and show them as regular users.

However, in some cases – for example for performance reasons – you might not want AD cmdlets to perform these look-ups in trusted domains. For that, you just need to use the KeepForeignSecurityPrincipals parameter that we added in AD cmdlets 1.4:

Get-QADGroupMember MyGroup -KeepForeignSecurityPrincipals

Resolving Foreign Security Principals

Starting with version 1.4, AD cmdlets can retrieve and provide detailed information on all properties for foreign security principals.

When you add a user from a trusted domain to a group in your domain, AD creates a local auxiliary object – a foreign security principal – to represent this external account. You can essentially think of this object as a pointer to the actual account in a trusted domain. You can read more about them in the Security Principals section of this TechNet article.

Now QAD cmdlets can resolve these “pointers” and show you real accounts to which they point.

For example, this command will retrieve all foreign security principals which you have in your domain (i.e. all foreign accounts ever granted any rights) and try to resolve them to external accounts from original domains:

Get-QADObject -ResolveForeignSecurityPrincipals -Type foreignSecurityPrincipal
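When look-ups in trusted domains are switched off with KeepForeignSecurityPrincipals, the unresolved "pointers" can still be reviewed locally, because each one is named after the SID it points to. The sketch below is an added example, not code from the original posts or from AD cmdlets: the function name Get-ForeignMemberSummary is hypothetical, it assumes member objects expose a DN property, and the sample DNs and SIDs are constructed.

```powershell
# Hypothetical helper: summarize the foreign security principals (FSPs)
# among a group's members by the domain SID each one points to.
function Get-ForeignMemberSummary {
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Member   # assumption: exposes a DN property holding the distinguished name
    )
    process {
        # An FSP lives in CN=ForeignSecurityPrincipals and its CN is the foreign SID
        if ($Member.DN -notmatch '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            return   # ordinary local member, nothing to report
        }
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Matches[1]
        # AccountDomainSid is $null for well-known SIDs (e.g. S-1-5-11,
        # Authenticated Users), which are also stored as FSPs
        $domainSid = $sid.AccountDomainSid
        $domainValue = $null
        if ($domainSid) { $domainValue = $domainSid.Value }
        New-Object PSObject -Property @{
            Sid       = $sid.Value
            DomainSid = $domainValue
            WellKnown = ($null -eq $domainSid)
            DN        = $Member.DN
        }
    }
}

# Constructed sample members (made-up DNs and SIDs). Against a live domain, pipe in:
#   Get-QADGroupMember MyGroup -KeepForeignSecurityPrincipals
$fspContainer = 'CN=ForeignSecurityPrincipals,DC=corp,DC=example'
$sample = @(
    (New-Object PSObject -Property @{ DN = 'CN=John Smith,OU=Staff,DC=corp,DC=example' }),
    (New-Object PSObject -Property @{ DN = "CN=S-1-5-21-1111111111-2222222222-3333333333-1104,$fspContainer" }),
    (New-Object PSObject -Property @{ DN = "CN=S-1-5-21-1111111111-2222222222-3333333333-1250,$fspContainer" }),
    (New-Object PSObject -Property @{ DN = "CN=S-1-5-21-4444444-5555555-6666666-2001,$fspContainer" }),
    (New-Object PSObject -Property @{ DN = "CN=S-1-5-11,$fspContainer" })
)

# One row per foreign member, sorted so accounts from the same domain sit together
$sample | Get-ForeignMemberSummary |
    Sort-Object DomainSid |
    Format-Table Sid, DomainSid, WellKnown -AutoSize
```

Rows sharing a DomainSid come from the same trusted domain, so a domain SID you do not recognize in a sensitive group stands out without any query leaving your own domain.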

Remove disabled accounts from groups

Get-QADGroupMember now has Disabled and Enabled parameters, which are very handy for tasks such as cleaning disabled accounts out of a group:

Get-QADGroupMember MyGroup -Disabled |
    Remove-QADGroupMember MyGroup

They also help when you need to do something with group members and need to make sure that they are all valid, enabled accounts:

Get-QADGroupMember MyGroup -Enabled

Happy scripting! 🙂

Manage Email addresses without Exchange cmdlets

AD cmdlets 1.4 added new cmdlets and parameters which let you manage email addresses in your environment even if you do not have Exchange Management Shell. This is very handy if you are on Exchange 2003, do not have Exchange cmdlets installed, or just don’t want to switch between snapins.

Here’s a quick overview of what we have added:

Retrieving accounts by any proxy addresses:

Now Get-QADObject, Get-QADGroup, and Get-QADUser all have PrimaryProxyAddress, ProxyAddress and SecondaryProxyAddress parameters which can let you be more specific in your queries and thus retrieve objects much faster (compared to just supplying the address as identity parameter and relying on default resolution).

For example, you could do:

Get-QADUser -ProxyAddress 'x400:C=US;A= ;P=Quest Software;O=Aliso Viejo;S=Sotnikov;G=Dmitry;I=A;'


Get-QADUser -SecondaryProxyAddress '*'

Adding email addresses:

Just use Add-QADProxyAddress and specify various parameters for specifics (pair with Clear-QADProxyAddress to replace previous addresses):

Get-QADUser company\jsmith |
  Add-QADProxyAddress -Address '' |
  Add-QADProxyAddress -Type SMTP -Address '' -Primary |
  Add-QADProxyAddress -CustomType 'sip' -Address ''

Removing all addresses:

Did I mention Clear-QADProxyAddress?

Get-QADUser company\jsmith |
  Clear-QADProxyAddress |
  Add-QADProxyAddress -Address '' |
  Add-QADProxyAddress -Type SMTP -Address '' -Primary |
  Add-QADProxyAddress -CustomType 'sip' -Address ''

Removing individual addresses:

Use Remove-QADProxyAddress and its parameters to operate on a specific address or a set of addresses:

Get-QADUser |
  Remove-QADProxyAddress -Pattern '*'

Modifying addresses:

Set-QADProxyAddress lets you pick and replace specific addresses:

Get-QADUser |
  Set-QADProxyAddress -From '*' -MakePrimary


Get-QADUser |
  Set-QADProxyAddress -From '*' -To '*'

Enabling or disabling email address policy:

Enable-QADEmailAddressPolicy and Disable-QADEmailAddressPolicy are your respective friends and can be applied to individual objects. For example:

Get-QADUser DomainName\UserName | Disable-QADEmailAddressPolicy
Get-QADUser -City London | Enable-QADEmailAddressPolicy

Happy scripting!

Best PowerShell Editor & Debugger

PowerGUI seems to be it if I read Don’s recent roundup right. 🙂 Let me explain why I think so.

With any product comparisons, teams of the products being compared have bias and feeling that they are not being treated justly, that the criteria are not fair, that some of the features they are really proud of were not considered and so on. This is just the reality. We are passionate about what we are doing and everyone thinks that their However, independent comparisons are very important because they provide some common ground on which you can compare the solutions.

Don Jones reviewed 3 PowerShell script editors and debuggers: PrimalScript, PowerShell Plus, and PowerGUI Script Editor, and found PowerGUI Script Editor and PrimalScript to be the best.

Obviously, considering that this does not take into account PowerGUI Admin Console and MobileShell (in-browser mobile PowerShell command-line to your environment), and that most of PowerGUI Script Editor functionality (except for source control) is available for free (whereas being a for-money thing with competition) – sharing number one spot is a great honor and achievement!

However, if you start looking at details on how the scores were granted you would see that a lot of the features for which we did not get scores are actually present for PowerGUI Script Editor in forms of free add-ons easily available from (Add-ons among other things were out of scope of the review.)

So if you take the review and add the points for these features available as add-ons – PowerGUI ratings will absolutely sky rocket:

A few quotes which I could not help having here:

I was really taken with the maturity and sophistication of PowerGUI… PowerGUI’s snippets feature, in particular, is just seamless and awesome…

PowerGUI, frankly, is pretty complete – and almost everything I wrote about in my review of it comes in the free version. Given the availability of Quest- and community-developed add-ons, I suspect there’s very little you won’t be able to do in PowerGUI. And it’s free. It’s also being very actively developed, and I’ve seen bugs squashed pretty quickly… Frankly, that add-on architecture – and the price tag – has really put PowerGUI on my radar. Unless you need to work on VBScript or other languages, which would definitely push you to PrimalScript, I’m having a tough time seeing why you wouldn’t at least give PowerGUI a shot. In fact, I believe the other commercial editors need to not compete with the Microsoft ISE as much as they need to compete with PowerGUI, especially given the fact that you get such a rich editor for free. Again, I have to admit that PowerGUI hasn’t been on my radar much, but it’s going to be a lot more, now.

I am obviously taking just the quotes I like. 🙂 For full reviews, go to Don’s posts here.

For the record, we love what other companies are doing in the space. Competition is good for all of us and for the common mission we all have on making PowerShell the automation platform in the enterprise. But we love being the best too. 😉

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov
