Quick way to stand up a lab domain controller

The following is a quick way to stand up a domain controller.
I use this to create lab environments.

Rename-Computer DC1
# Install the AD DS role and its management tools
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
# Forest settings, splatted into Install-ADDSForest below
$param = @{'CreateDnsDelegation'=$false;
           'DatabasePath'="C:\Windows\NTDS";
           'DomainName'='company.pri';
           'DomainNetbiosName'='company';
           'ForestMode'='win2012r2';
           'InstallDns'=$true;
           'LogPath'="C:\Windows\NTDS";
           'NoRebootOnCompletion'=$true;
           'Confirm'=$false
          }

# Lab only: the DSRM (safe mode) password is hard-coded in plain text here
Install-ADDSForest @param -SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force)
Restart-Computer

Example of how to break an email address into first name and last name

<#
.SYNOPSIS
   This script breaks an email address into firstname lastname
.DESCRIPTION
   This script breaks an email address into firstname lastname

   If an emailaddress is in the form firstname.lastname@company.com
   This script will break it up into firstname lastname.
   The script is intended to illustrate a technique for doing this.
   It would need to be modified to serve an actual purpose.
.EXAMPLE
   Convert-EmailAddressToFirstnameLastName -EmailAddress company.user@company.pri

    The firstname is company
    The lastname is user
#>
Function Convert-EmailAddressToFirstnameLastName {
    [cmdletbinding()]
    param(
        [string]$EmailAddress
    )
    $Firstname = $EmailAddress.split(".")[0]
    $lastnameA = $EmailAddress.split(".")[1]
    $lastname = $lastnameA.Split("@")[0]
    Write-Output "The firstname is $Firstname"
    Write-Output "The lastname is $lastname"
}

Convert-EmailAddressToFirstnameLastName -EmailAddress company.user@company.pri

Script for reporting directory permissions

This script lists the ACEs for a given UNC path or drive letter.
<#
.SYNOPSIS
   This script lists the ACEs for a given UNC path or drive letter.
.DESCRIPTION
   This script lists the Access Control Entries for a given UNC path or drive letter.

   When you provide the script a file location, it recurses through that file structure finding directories.
   It then displays the permissions granted to each directory.
   This information is captured in a text document called c:\temp\permissions.txt

   You can specify a depth. By default the depth is 1, which is the folders under the folders in the specified directory.
   A depth of zero is the folders on the current level.
.EXAMPLE
   Get-PDTFolderPermission -UNCPath "\\internal\Users\Central\" -Depth 0

   This writes the permissions of the directories below central to c:\temp\permissions.txt
.EXAMPLE
   Get-PDTFolderPermission -UNCPath c:\temp -TargetDirectoryOnly

   This displays only the permissions to the temp directory to the shell.
#>
Function Get-PDTFolderPermission {
    [CmdLetbinding()]
    param(
        [parameter(mandatory=$true)]
        [string]$UNCPath,
        [int]$Depth = 1,
        $Directory,
        $Directories,
        [switch]$TargetDirectoryOnly
    )

    if($TargetDirectoryOnly){
        $UNCPath
        (get-acl $UNCPath ).Access | Format-Table IdentityReference,FileSystemRights
    }Else{
        if(Test-Path c:\temp\Permissions.txt){
            Remove-Item c:\temp\Permissions.txt -Force -Confirm:$false -Verbose
        }
        New-Item -Path c:\temp\Permissions.txt -ItemType File
        Write-Verbose "Collecting a list of directories"
        $Directories = (Get-ChildItem $UNCPath -Depth $Depth -Directory -ErrorAction SilentlyContinue -Verbose).FullName
        Write-Verbose "Processing each Directory in Directories"
        foreach($Directory in $Directories){
            Write-Verbose "Working on Directory $Directory"
            $Directory | Out-File c:\temp\Permissions.txt -Append
            (Get-Acl $Directory -ErrorAction SilentlyContinue -Verbose).Access | Format-Table IdentityReference,FileSystemRights -ErrorAction SilentlyContinue | Out-File c:\temp\Permissions.txt -Append
        }
    }#End else

}

Get-PDTFolderPermission -UNCPath "S:\Workgroup\Core_Infrastructure\Operations"  -Verbose
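
The same ACL walk as an added example (not the original author's code): it emits one object per ACE and flags Allow entries that give write access to broad groups, so the result can be filtered or exported to CSV instead of read from a text file. The function name Get-FolderAceReport, its parameters and the default list of broad principals are assumptions made for this example.

```powershell
# Added example; Get-FolderAceReport and its parameters are hypothetical names.
function Get-FolderAceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,
        [int]$Depth = 1,
        # Assumption: the principals treated as "broad" in this report
        [string[]]$BroadPrincipals = @('Everyone',
                                       'NT AUTHORITY\Authenticated Users',
                                       'BUILTIN\Users')
    )

    # The target folder itself plus its subfolders down to $Depth
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Depth $Depth -ErrorAction SilentlyContinue)

    $writeData = [int][System.Security.AccessControl.FileSystemRights]::WriteData

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        }
        catch {
            # Report folders whose ACL cannot be read instead of skipping them silently
            Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)"
            continue
        }
        foreach ($ace in $acl.Access) {
            # WriteData is part of Write, Modify and FullControl
            $canWrite = ([int]$ace.FileSystemRights -band $writeData) -ne 0
            $isBroad  = $BroadPrincipals -contains $ace.IdentityReference.Value
            [pscustomobject]@{
                Folder     = $folder.FullName
                Identity   = $ace.IdentityReference.Value
                Type       = $ace.AccessControlType
                Rights     = $ace.FileSystemRights
                Inherited  = $ace.IsInherited
                BroadWrite = ($ace.AccessControlType -eq 'Allow') -and $canWrite -and $isBroad
            }
        }
    }
}

# Full report to CSV, then only the entries worth reviewing first
$report = Get-FolderAceReport -Path 'C:\temp' -Depth 1
$report | Export-Csv -Path 'C:\temp\permissions.csv' -NoTypeInformation
$report | Where-Object BroadWrite | Format-Table Folder, Identity, Rights, Inherited
```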

Function to find Enabled users and export them to a CSV

The Function can be used to report on the Enabled users you have in your company.

The script assumes that users have a user principal name that matches the pattern Firstname.Lastname. This helps to keep service accounts out of the results.

 

<#
.SYNOPSIS
   This script finds users that are enabled
.DESCRIPTION
   This script finds users that are enabled
   and have a user principal name that matches first name dot last name @ domain name.
   This should exclude disabled users, service accounts and built-in security principals.
.EXAMPLE
   Get-PDTEnabledUsers
.EXAMPLE
   Get-PDTEnabledUsers -limit 10

   Returns first 10 enabled users
.EXAMPLE
   (Get-PDTEnabledUsers -limit 10).UserPrincipalName

   Returns just the UserPrincipalNames of the first 10 users.
#>
Function Get-PDTEnabledUsers {
    [cmdletbinding()]
    param(
        $limit = 1000000,
        $server = "DC1.company.pri"
    )
    Write-Verbose "Creating C:\temp if it does not already exist"
    if(Test-Path c:\Temp){
        Write-verbose "C:\temp exists"
    }
    else{Mkdir c:\Temp}
    Write-Verbose "Finding users who have a upn that is in the format name.name@ who are enabled."
    # Query the domain controller given in -server
    Get-ADUser -Filter {enabled -eq $true -and UserPrincipalName -like "*.*@*"} -ResultSetSize $limit -Server $server
}

Get-PDTEnabledUsers -Verbose | Export-csv c:\temp\EnabledUsers.csv  -NoTypeInformation

Script to add an Office 365 license with custom licensing options

<#
.SYNOPSIS
   Adds Office 365 Licenses to selected users
.DESCRIPTION
   Adds Office 365 Licenses to selected users

   This script can be executed on any machine that has the MSOnline module installed.
.EXAMPLE
   Add-DOJO365License -EmailAddress Joe.User@company.com -licenses PDT:STANDARDPACK
.EXAMPLE
   Add-DOJO365License -EmailAddress Joe.User@company.com -licenses PDT:ATP_ENTERPRISE,PDT:FLOW_FREE
#>
Function Add-DOJO365License {

    [cmdletbinding()]
    param(
        [Parameter(mandatory=$true)]
        [string]$emailaddress,
        [string]$licenses = "PDT:STANDARDPACK"
        
    )

    Begin{
        Import-Module MSOnline
    }
    Process{
        Write-Verbose "$licenses"
        Write-Verbose $emailaddress
        # If the user is already licensed, remove the requested license first
        if((Get-MsolUser -UserPrincipalName $emailaddress).IsLicensed){
            Set-MsolUserLicense -UserPrincipalName $emailaddress -RemoveLicenses $licenses
        }
        # Standard pack: add the license with selected service plans disabled
        if($licenses -eq "PDT:STANDARDPACK"){
            $LO = New-MsolLicenseOptions -AccountSkuId $licenses -DisabledPlans "YAMMER_ENTERPRISE", "MCOSTANDARD", "SHAREPOINTSTANDARD", "SHAREPOINTWAC"
            Set-MsolUser -UsageLocation 'AU' -UserPrincipalName $emailaddress
            Set-MsolUserLicense -UserPrincipalName $emailaddress -LicenseOptions $LO -AddLicenses $licenses -Verbose
        }
        else{
            Set-MsolUser -UsageLocation 'AU' -UserPrincipalName $emailaddress
            Set-MsolUserLicense -UserPrincipalName $emailaddress -AddLicenses $licenses -Verbose
        }
    }
    End{}
}
$EmailAddress = "sample.user@company.com"
Connect-MsolService
Add-DOJO365License -EmailAddress $emailaddress 

Add Clear and Replace in Active directory with PowerShell

A lot of the common account attributes can be set with the syntax:

Set-ADUser -attributename <value>

However, there are a lot of attributes in Active Directory that are not in one of the parameter sets. For these you need to use -Add to add a new value, -Clear to remove any value that is set, and -Replace to swap the current value with a new one.

In the first example, the account cuser has extensionAttribute4 set to A.

Set-ADUser -Identity CUser -Add @{extensionAttribute4="A"}

In the next example, this attribute is changed from A to B.

Set-ADUser -Identity cuser -Replace @{extensionAttribute4="B"}

In the final example there is no value set for this attribute. It is now blank.

Set-ADUser -Identity cuser -clear extensionAttribute4