Archive for the 'cmdlets' Category

Group Membership Unions and Intersections

A friend of mine recently asked for one-liners for Active Directory group membership union and intersection.

These are the one-liners which I sent him:

Group Union – users present in either of the groups (he needed a list of DNs of direct members of two groups):

(Get-QADGroupMember GroupA -Type user) + (Get-QADGroupMember GroupB -Type user) |
  Select-Object -ExpandProperty DN |
  Sort-Object -Unique

Group Intersection – users present in both groups at the same time:

Compare-Object (Get-QADGroupMember GroupA -Type user) `
  (Get-QADGroupMember GroupB -Type user) `
  -ExcludeDifferent -IncludeEqual | Select-Object -ExpandProperty InputObject

You can obviously tweak them to include indirect members (with the -Indirect parameter) or enabled accounts only (-Enabled), etc. – see Get-QADGroupMember help for all options.

I am pretty sure that there are multiple ways to skin these cats – so if you have better alternatives – please post these in the comments.
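As an added example (not from the original post), here is the same union and intersection keyed on each member's DN, which generalizes to any number of groups and does not depend on how Compare-Object happens to compare QAD objects. It assumes the Quest AD cmdlets are loaded; the group names are placeholders.

```powershell
# Added example: union / intersection of group memberships keyed on DN.
# Assumes Get-QADGroupMember (Quest AD cmdlets) is available; group names are placeholders.
function Get-GroupMemberSets {
    param(
        [Parameter(Mandatory=$true)] [string[]] $Group,
        [switch] $Indirect    # expand nested groups, as the post mentions
    )
    $cmp  = [StringComparer]::OrdinalIgnoreCase   # DNs are case-insensitive
    $sets = New-Object System.Collections.ArrayList
    foreach ($g in $Group) {
        $set = New-Object 'System.Collections.Generic.HashSet[string]' ($cmp)
        Get-QADGroupMember $g -Type user -Indirect:$Indirect |
            Select-Object -ExpandProperty DN |
            ForEach-Object { [void] $set.Add($_) }
        [void] $sets.Add($set)
    }
    # Union: everyone who is in at least one group
    $union = New-Object 'System.Collections.Generic.HashSet[string]' ($cmp)
    foreach ($s in $sets) { $union.UnionWith($s) }
    # Intersection: start from the first set and keep only DNs present in every other set
    $intersection = New-Object 'System.Collections.Generic.HashSet[string]' ($cmp)
    $intersection.UnionWith($sets[0])
    foreach ($s in $sets) { $intersection.IntersectWith($s) }
    New-Object PSObject -Property @{
        Union        = @($union)        | Sort-Object
        Intersection = @($intersection) | Sort-Object
    }
}

# usage: placeholder group names
$result = Get-GroupMemberSets -Group 'GroupA','GroupB','GroupC'
$result.Intersection
```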


PowerShell for Multi-Factor Authentication solution updated

Another plug to my fellow Questees who have gone PowerShell (that’s the deal we have here at Quest – you add PowerShell to your product and get a special blog mention and lots of happy customers!). Quest’s Defender (Two-Factor/Multi-Factor Authentication solution) team has just updated their PowerShell module, and there are quite a few useful cmdlets for user provisioning, de-provisioning and general Defender auditing / administration.

For example, for user provisioning, there is the ability to batch-assign tokens to users and either provide unique Personal Identification Numbers (PINs) or set a known PIN to expire on first use so that end users can then create their own:

To assist with the de-provisioning of user accounts from Active Directory when a user has left the company, simple commands such as Remove-AllTokensFromUser can be used to ensure all tokens that have been assigned to a user are removed.

For auditing and general administration a number of cmdlets are available; for example, it may be useful for auditing purposes to know which users have authenticated using Defender at any time or during a given period:

Here’s the full list of what we’ve got in this release:

As you can see this is a lot more than what we could previously provide with the AD cmdlets integration that we had.

You can get a free trial of Defender here.

Find everyone rolling up to me

Yesterday someone asked me to help create a distribution list for everyone reporting to a particular manager (directly or indirectly). Needless to say, PowerShell makes getting a list of such user accounts a piece of cake!

Here’s the quick script (using AD cmdlets) which I emailed back:

function Get-QADIndirectReport {
  param ($Identity)
  # Find all direct reports
  Get-QADUser -Manager $Identity | ForEach-Object {
    # Output direct report
    $_
    # Then recursively call this function for all
    # reports of this report
    Get-QADIndirectReport -Identity $_
  }
}


# usage example
Get-QADIndirectReport 'Dmitry Sotnikov'

Basically, AD cmdlets natively can retrieve all direct reports, and I have created a function which keeps going deeper level-by-level getting everyone reporting indirectly as well.
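One caveat worth handling: the recursion above trusts the Manager attribute, so a loop in the directory data (A's manager is B, B's manager is A) or an unexpectedly deep tree would recurse without end. The following is an added example, not the original post's code, with a visited set and a depth cap; it assumes the Quest AD cmdlets (Get-QADUser) are loaded and uses a placeholder manager name.

```powershell
# Added example: same walk of the Manager attribute, but loop-safe.
# Assumes Get-QADUser (Quest AD cmdlets) is available; the manager name is a placeholder.
function Get-QADIndirectReportSafe {
    param(
        [Parameter(Mandatory=$true)] $Identity,
        [int] $MaxDepth = 20,   # stop runaway recursion on bad data
        $Visited = $null,       # HashSet of DNs already emitted (shared across recursion)
        [int] $Depth = 0
    )
    if ($null -eq $Visited) {
        $Visited = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
    }
    if ($Depth -ge $MaxDepth) {
        Write-Warning "Depth limit $MaxDepth reached under '$Identity'; stopping this branch"
        return
    }
    Get-QADUser -Manager $Identity | ForEach-Object {
        # HashSet.Add returns $false if the DN was already seen: a manager loop or duplicate
        if ($Visited.Add($_.DN)) {
            $_                                   # output this report
            Get-QADIndirectReportSafe -Identity $_ -MaxDepth $MaxDepth `
                -Visited $Visited -Depth ($Depth + 1)
        } else {
            Write-Warning "Skipping '$($_.DN)': already visited (possible manager loop)"
        }
    }
}

# usage: same shape as the original function, plus a count of what came back
$reports = Get-QADIndirectReportSafe 'Dmitry Sotnikov'
"{0} reports found (direct and indirect)" -f @($reports).Count
```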

You can then take this a few steps further. For example, say you want a list of users you could then just copy/paste into Outlook. Simply select the Email property from the user objects and ask PowerShell to put a semicolon between the addresses:

# get a list of addresses for an email message
(Get-QADIndirectReport 'Dmitry Sotnikov' | 
  Select-Object -ExpandProperty Email) -join '; '

Or you could indeed use the list to populate a group:

# add everyone to a group
Get-QADIndirectReport 'Dmitry Sotnikov' |
  Add-QADGroupMember DmitrysReports

Or you could further restrict the list by City, Department and so on by simply tweaking Get-QADUser parameters in the code above. PowerShell is super-flexible!

VDI and PowerShell

Here at Quest we strive to PowerShell-enable pretty much everything we see. 🙂 The newest Quest team to have gone PowerShell are our desktop virtualization folks – vWorkspace. They recently released a PowerShell module for vWorkspace that – as you could probably guess – adds great automation capabilities to the product.

(vWorkspace is a commercial product – so if you are not into desktop virtualization feel free to just consider this a commercial break – we will return to the free stuff in the next blog post. ;))

vWorkspace cmdlets include functionality such as:

  • Managing vWorkspace administrative accounts,
  • Turning on and off computers,
  • Remotely installing MSI’s, and
  • Setting a wide range of properties on the virtual machines and computers hosted by vWorkspace.

Additionally, vWorkspace offers a dynamic filtering syntax, much like Where-Object, that runs server-side rather than locally to speed up queries over large sets of objects. (As Don Jones put it in a session I once attended: “in PowerShell, keep your formatting as far to the right, and your filtering as far to the left as possible.”)

Get-QVWAdministrator -Filter { $QVWAdministrator.Name -like "mdivdi\*" -and $QVWAdministrator.IsGroup -eq $true }

If you’re a vWorkspace customer, definitely check out the new module on the Quest Community site. They regularly make new versions available, adding more and more functionality each time. Often there’s also a beta of the upcoming version of the vWorkspace PowerShell module available for anyone to test. In addition, there are some cool examples of how the vWorkspace PowerShell module can be used to ease day-to-day administration of vWorkspace. Look for this kind of information in the PowerShell section of the vWorkspace Community as well. I know the vWorkspace guys would love to hear some feedback on the module, so please feel free to comment on their current release.

P.S. Thanks to Adam Driscoll from the vWorkspace team for helping me write this post. Also, if you have not checked out his interview at the recent PowerScripting podcast – you should. He is one of the smartest software engineers I know!

Clear AD attribute

Just yesterday a colleague of mine asked me how to undo an Active Directory object property change from the value he erroneously put back to <not set>. It turned out that I never actually blogged about that – so here you go. 🙂

Clearing AD attributes is actually as easy as setting the value to $null. For example, here’s how you do it for properties which we have exposed as Set- cmdlet parameters:

Set-QADUser 'Amy Hardy' -City $null

Or for more internal attributes:

Set-QADUser 'Amy Hardy' -ObjectAttributes @{adminDescription=$null}

Hope that helps!

PowerShell Highlights of 2010

What were your key events of last year? Here’s my list:

PowerGUI Highlights

  • Reached 1,000,000 downloads (frankly, I still cannot fully comprehend that),
  • Released MobileShell – PowerShell server which gives you PowerShell command line (and scripts) to manage your IT in any computer browser or even mobile device: iPad, iPhone, Android, Blackberry, Windows Phone…
  • Script Editor is now extensible and has a rich set of add-ons adding almost any feature you could think of.

PowerShell for developers

PowerShell Projects

PowerShell Training



New cmdlets

A lot of companies and Microsoft product teams released cmdlets, modules, PowerPacks, etc.:


Oh, and NASA started to use PowerShell to control their spacecraft. Almost. OK, not really… This was an April 1 joke. But wouldn’t it be cool if they did?

I know that the list seems a bit biased including a lot of PowerShell projects in which I was involved one way or another. This is not by intent and is a simple consequence of how memory works. 🙂 This has been an amazing PowerShell year! Please add your PowerShell events of the year in the comments below!

Merry Christmas, Happy Holidays and a great New Year to all of you!

Managing Certificate Revocation Lists and Certificate Stores

Vadims has published a couple of articles with great examples of how to use PowerShell to manage CRLs (Certificate Revocation Lists) and local certificate stores.

CRL tasks include:

  • Importing CRL:
$crl = Import-QADCertificateRevocationList -File C:\pica-1.crl
  • Reviewing CRL details:
$crl | format-list *
  • Adding CRL to local certificate store:
Add-QADCertificateRevocationList -CRL $crl -Store $store
  • CRL removal:
Get-QADCertificateRevocationList -Store $store |
  where-object {$_.IssuedBy -like "sysadmins*"} |
  Remove-QADCertificateRevocationList -Store $store
  • CRL export:
Export-QADCertificateRevocationList -CRL $crl -File c:\customcrl.crl
  • Publishing CRL:
Publish-QADCertificateRevocationList -CRL $crl -CAName CustomCAName
  • Unpublishing CRL:
Get-QADPKIObject CDP |
  Get-QADCertificateRevocationList |
  where-object {$_.IssuedBy -like "sysadmins*"} |
  Unpublish-QADCertificateRevocationList -CAName "CustomCAName"

For certificate store management, Vadims goes through:

  • Exploring certificate stores:
Get-QADLocalCertificateStore -StoreLocation LocalMachine -StoreName My |
  • Adding certificate stores:
New-QADLocalCertificateStore -StoreLocation CurrentUser -StoreName CustomStoreNameToAdd
  • Removing certificate stores:
Remove-QADLocalCertificateStore -StoreLocation LocalMachine -StoreName CustomStoreToDelete

For all of these, Vadims provides tons of details, so I highly recommend checking those out:

Managing Certificate Revocation Lists (CRL) with PowerShell

Managing Certificate Stores with PowerShell

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov
