PowerShell: List everything in an OU in one line

To list all users in an OU, use the Get-ADUser cmdlet, as in the example below. (Replace the OU path, in LDAP format, with your own, and run “Import-Module ActiveDirectory” before you run it.)

Get-ADUser -Filter * -SearchBase "cn=Users,dc=company,dc=com" -Properties title, department | Select-Object name, title, department

Now, what if you want everything (users, groups, contacts, etc.) from an OU? To get everything from an OU, use the Get-ADObject cmdlet. See the example below.

Get-ADObject -Filter * -SearchBase "cn=Users,dc=company,dc=com" -Properties description | Select-Object name, objectclass, description


PowerShell: How to return multiple values from a Function?

If you would like to return multiple values from a function, simply populate a hashtable variable in the function and return that variable. See my example below. Feel free to use my example function, and enjoy.


Function Get-UserInfo($username)
{
    #Create a hashtable variable
    [hashtable]$Return = @{}
    Import-Module ActiveDirectory
    $ADUser = Get-ADUser -Identity $username -Properties Department, employeeNumber, l, Manager
    #Assign all return values to the hashtable
    $Return.Name = $ADUser.name
    $Return.EmployeeNo = $ADUser.employeeNumber
    $Return.Location = $ADUser.l
    $Return.Department = $ADUser.department
    $Return.Manager = ( Get-ADUser $ADUser.manager ).Name
    #Return the hashtable
    Return $Return
}

# Example usage of the Get-UserInfo function
# to show how to return multiple values

$User = Get-UserInfo "JohnDoe"

"Name: " + $User.Name
"Manager: " + $User.Manager
"Location: " + $User.Location
"Department: " + $User.Department
"Employee Number: " + $User.EmployeeNo

PowerShell: Search User Accounts in Active Directory

The Active Directory module has many cmdlets for AD-related tasks, BUT it doesn’t have a simple search cmdlet.

I had a requirement to check a list of users in AD to see if they exist or not. Get-ADUser doesn’t cut it for my requirement. If a user doesn’t exist, Get-ADUser errors out. So I wrote my own function. It can be used in a script, or you can pipe the user names (SAM Account Name) to it. This function searches Active Directory and returns the AD User object if it exists. Otherwise it returns a null value.

Download the script here: http://1drv.ms/1fSd9PH

Feel free to use it for your purposes.

# Function: Search-User
# Parameter: user's SAM Account Name
# Description: Search Active Directory with given
# SAM Account Name. Return the AD User object if
# user exists, or return null value
# Written by: Anand Venkatachalapathy
Function Search-User
{
    param([Parameter(ValueFromPipeline)] $User)

    BEGIN { Import-Module ActiveDirectory }

    PROCESS
    {
        # Look the account up by SAM Account Name
        $filter = "(&(ObjectClass=User)(sAMAccountName=$User))"
        $userobject = Get-ADObject -LDAPFilter $filter

        if ($userobject -eq $null)
        {
            return $null
        }

        return (Get-ADUser $userobject)
    }
}



To use this function, call the function with a user’s SAM Account Name. E.g.,

$user = "JDoe"
$userobject = Search-User $user
If ($userobject -eq $null)
{ "$user doesn't exist in Active Directory" }
Else
{ $userobject }
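
Search-User places the name directly into the LDAP filter, so a name containing *, (, ) or \ changes what the filter matches (a * acts as a wildcard and can return several objects). The following is an added example, not part of the original script: it escapes the value as RFC 4515 requires before building the filter and returns a user only on exactly one match. ConvertTo-LdapFilterValue and Search-UserExact are hypothetical names.

```powershell
# Added example, not the original author's code.
# ConvertTo-LdapFilterValue and Search-UserExact are hypothetical names.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # RFC 4515: write \ * ( ) and NUL as a backslash plus two hex digits
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function Search-UserExact {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$User)

    begin { Import-Module ActiveDirectory }

    process {
        $safe  = ConvertTo-LdapFilterValue -Value $User
        # Get-ADUser with -LDAPFilter returns nothing (no error) when no account matches
        $found = @(Get-ADUser -LDAPFilter "(sAMAccountName=$safe)")
        if ($found.Count -eq 1) { $found[0] }
    }
}

# Constructed sample names; this part runs without a domain and shows
# how each value would appear inside the filter
'JDoe', 'J*', 'svc(test)', 'a\b' | ForEach-Object {
    [pscustomobject]@{
        Input  = $_
        Filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue -Value $_))"
    }
}
```

Because Search-UserExact emits nothing for a missing account, the caller can keep the same "-eq $null" check used above.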

Active Directory: Bulk User Password Reset by PowerShell

If you need to reset the password for a large number of user accounts, the following PowerShell scripts are for you.

The first script requires a file with usernames listed one per line. Check the UserList.txt file location in the script. Set the password of your choice in the ConvertTo-SecureString cmdlet in the script. Then you are good to go.

# Script: ResetPwd.ps1
# Description: Reset the password for bulk number of users, and
# set the property to change password required at next logon
# Written by: Anand Venkatachalapathy

Import-Module ActiveDirectory

# Set the default password
$password = ConvertTo-SecureString -AsPlainText "AwesomeP@ssw0rd" -Force
# Get the list of accounts from the file
# List the user names one per line
$users = Get-Content -Path c:\MyScripts\UserList.txt
ForEach ($user in $users)
{
    # Set the default password for the current account
    Get-ADUser $user | Set-ADAccountPassword -NewPassword $password -Reset
    #If you need to set the property "Change password at next logon",
    #leave the next line alone. If not, comment the next line
    Get-ADUser $user | Set-AdUser -ChangePasswordAtLogon $true
    Write-Host "Password has been reset for the user: $user"
}

# ------------- End -----------

This second script does bulk password changes for similarly named user accounts, e.g., TestUser001 to TestUser100. Set your own password and user account name in the filter.

# Script: ResetPwd.ps1
# Description: Reset the password for bulk number of users, and 
# set the property to change password required at next logon
# Written by: Anand Venkatachalapathy

Import-Module ActiveDirectory

# Set the default password
$password = ConvertTo-SecureString -AsPlainText "AwesomeP@ssw0rd" -Force
# Set the default password for all users named TestUserXX
# e.g.,TestUser001 to TestUser100
Get-ADUser -Filter { SAMAccountName -like "*TestUser*"} `
| Set-ADAccountPassword -NewPassword $password -Reset
#If you need to set the property "Change password at next logon", 
#leave the next alone. If not, comment the next line
Get-ADUser -Filter { SAMAccountName -like "*TestUser*"} `
| Set-AdUser -ChangePasswordAtLogon $true

# ------------- End -----------
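
Both scripts above give every account the same temporary password, and that password sits in the script file. The following added example (not from the original post) gives each account in UserList.txt its own random temporary password drawn from the system's cryptographic random number generator. New-RandomPassword is a hypothetical helper, and how $results reaches the users is left to your own process.

```powershell
# Added example, not the original author's script.
Import-Module ActiveDirectory

# Hypothetical helper: random password drawn from the OS cryptographic RNG
function New-RandomPassword {
    param([ValidateRange(12, 128)][int]$Length = 16)
    # Character sets without look-alike characters (0/O, 1/l/I)
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%&*+-=?@'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 1
    # Reject bytes at or above the largest multiple of the set size (no modulo bias)
    $limit = 256 - (256 % $all.Length)
    try {
        do {
            $chars = for ($i = 0; $i -lt $Length; $i++) {
                do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
                $all[$buf[0] % $all.Length]
            }
            $pw = -join $chars
            # Retry until every character set is represented
            $missing = $sets | Where-Object { $pw.IndexOfAny($_.ToCharArray()) -lt 0 }
        } while ($missing)
        $pw
    }
    finally { $rng.Dispose() }
}

$users = Get-Content -Path c:\MyScripts\UserList.txt
$results = foreach ($user in $users) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -AsPlainText $plain -Force
    try {
        # Flag first, reset second: if either call fails, the new password was never set
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        Set-ADAccountPassword -Identity $user -NewPassword $secure -Reset -ErrorAction Stop
        [pscustomobject]@{ User = $user; TempPassword = $plain; Status = 'Reset' }
    }
    catch {
        [pscustomobject]@{ User = $user; TempPassword = $null; Status = "Failed: $($_.Exception.Message)" }
    }
}

# The temporary passwords stay in $results in memory; only the status is shown
$results | Select-Object User, Status
```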

LastLogonTimeStamp: How to parse the 18 digit number in PowerShell?

This command generates the following results:

PS H:\> Get-ADUser JohnD -Properties LastLogonTimeStamp | select Name,LastLogonTimeStamp | fl

Name               : John Doe
LastLogonTimeStamp : 130364862459391289

You may be wondering how to parse the 18-digit number in the LastLogonTimeStamp property value. LastLogonTimeStamp is expressed as a Windows file time.

A Windows file time is a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 midnight, January 1, 1601 A.D. (C.E.) Coordinated Universal Time (UTC). Windows uses a file time to record when an application creates, accesses, or writes to a file.

To convert it to a human-readable date, use the .NET method FromFileTime, which returns the value as a [DateTime].


$u = Get-ADUser JohnD -Properties LastLogonTimeStamp

[DateTime]::FromFileTime([Int64] $u.LastLogonTimeStamp)

Displayed output: 02/09/2014 22:10:45

I wrote the following script to list all of my domain computers with OS and LastLogonTimeStamp value. This script also creates a TAB delimited output in a text file.


Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter * -Properties name,operatingsystem,lastlogontimestamp -ResultPageSize 0
"Computer Name`tOperating System`tLast Logon Date/Time" | Out-File -FilePath .\DomainComputers.txt
foreach ($computer in $computers)
{
    # Show the line on screen
    $computer.name + "`t" + $computer.OperatingSystem + "`t" + [DateTime]::FromFileTime([Int64] $computer.lastlogontimestamp)
    # Append the same line to the output file
    $computer.name + "`t" + $computer.OperatingSystem + "`t" + [DateTime]::FromFileTime([Int64] $computer.lastlogontimestamp) | Out-File -FilePath .\DomainComputers.txt -Append
}

PowerShell 4.0: “Get-ADUser : One or more properties are invalid”

This applies to the Get-ADComputer cmdlet too. When I try to get all properties of an AD account, like Get-ADUser JohnDoe -Properties *, it gives the following error.

Get-ADUser : One or more properties are invalid.
Parameter name: msDS-AssignedAuthNPolicy

It used to work in older PowerShell versions (Windows 8 or Windows 7). Now all my scripts have stopped working.

Well, I believe it is a bug in the ActiveDirectory PowerShell module. But on the other hand, we should NOT be using -Properties * in a script. That is bad scripting practice; it obviously takes more time to process. The right way is to use it like -Properties <propertyname1>,<propertyname2>.

What if I don’t know the properties I want? What if I have to figure out the correct property name? Do NOT worry, there is a workaround. Pipe Get-ADUser or Get-ADComputer to the Get-ADObject cmdlet, like below.

Get-ADUser JohnDoe | Get-ADObject -Properties *

Hopefully it will be fixed in the next updates, or MS doesn’t want us to use * in the Properties parameter. Enjoy.

Citrix/RDS: Publish Internet Explorer without Address Bar

Publishing IE for a web application without the address bar is easier than you think. Simply publish the following VBScript or PowerShell script to launch IE without the address bar and go to a specific intranet website.

Copy either one of the scripts into Notepad and save it as LaunchIE.vbs for VBScript OR LaunchIE.PS1 for PowerShell. Change the website address in the script. Run the script to make sure it works as you expect. Publish the script in Citrix or RDS.

Here is the VBScript code. You can download this script from here: http://sdrv.ms/1cijdke

' Script: LaunchIE.vbs
' Purpose: Launch IE without Address bar with the given website
' Written by: Anand Venkatachalapathy

' Note: Replace the placeholder address on the objIE.Navigate line with your own website

Dim objIE
Set objIE = WScript.CreateObject ("InternetExplorer.Application")
objIE.Toolbar = false    'Turning off the tool/address bar
objIE.Navigate "http://<your-intranet-site>/"    'Placeholder address
objIE.Visible = true

' End of Script

Here is the PowerShell Code. Download the script from here: http://sdrv.ms/1cijnYN

#    __                           __       __________
#   / /   ____ ___  ______  _____/ /_     /  _/ ____/
#  / /   / __ `/ / / / __ \/ ___/ __ \    / // __/
# / /___/ /_/ / /_/ / / / / /__/ / / /  _/ // /___
#/_____/\__,_/\__,_/_/ /_/\___/_/ /_/  /___/_____/
# Launch IE without Tool bar and Address bar
# Written by: Anand the Awesome Venkatachalapathy
# Replace the placeholder on the next line with your website
$site = "http://<your-intranet-site>/"

#Get IE Application object
$ie = New-Object -ComObject "InternetExplorer.Application"

#Hide Address Bar and Tool Bar
$ie.AddressBar = $false
$ie.ToolBar = $false

#Launch the IE with the specified website address
$ie.Navigate($site)
$ie.Visible = $true

#-*-*-*-*-*-*-*-*-*-*- The End *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

Windows Script: “WScript.CreateObject: Could not locate automation class named "WScript.Network"”

When I run my VBScript, the Windows Script ActiveX libraries are not loading. I was getting “WScript.CreateObject: Could not locate automation class named "WScript.Network"”.


for 32bit OS:

  1. Open command prompt
  2. Type regsvr32 c:\windows\system32\wshom.ocx
  3. Type regsvr32 c:\windows\system32\scrrun.dll

for 64bit OS:

  1. Open command prompt
  2. Type regsvr32 c:\windows\SysWOW64\wshom.ocx
  3. Type regsvr32 c:\windows\SysWow64\scrrun.dll

That’s all. Your script should now work.

PowerShell: List Active Computers from Active Directory

I had a requirement to get a list of active computers from Active Directory, with some properties stored in the computer account such as OS, OS version and the OU where the computer account exists. I have defined a computer as active if its LastLogonDate is less than 60 days old. Here is the script.

P.S. Your computer should have the PowerShell ActiveDirectory module installed.

# Name : ListActiveComputers.ps1
# Purpose: Get active computer accounts from active directory by 
# checking the last logon date. Get the properties of computer
# account (name,OS,OSversion,lastlogondate and CanonicalName)
# and save it to ActiveComputers.csv file.
# Written by Anand Venkatachalapathy
# Date written: 03/28/2012

Import-Module ActiveDirectory

# get today's date
$today = Get-Date

#Get today - 60 days (2 months old)
$cutoffdate = $today.AddDays(-60)

#Get the computer accounts filtered by lastlogondate.
# Request and select only the required properties of the computer
# account (instead of -Properties *) and export them to a file
Get-ADComputer -Properties OperatingSystem,OperatingSystemVersion,LastLogonDate,CanonicalName `
-Filter {LastLogonDate -gt $cutoffdate} `
| Select Name,OperatingSystem,OperatingSystemVersion, `
LastLogonDate,CanonicalName | Export-Csv ./ActiveComputers.csv

Download the script here: ListActiveComputers.ps1

PowerShell Grid view is “sooo” much better than Exchange 2010 Tracking Log viewer in browser

The Exchange 2010 tracking log viewer is great, but you can’t copy/export the results or even sort the results for different needs. So far, Exchange admins run Get-MessageTrackingLog in PowerShell and export to a CSV file using the Export-Csv cmdlet. It’s great, but a greater idea is the grid view.

I found the PowerShell grid view is a fantastic tool to view the tracking log results. The grid view results are sortable, filterable and copy/paste-able (to Excel).


To use the grid view, simply pipe the Get-MessageTrackingLog results to Out-GridView, like this:

Get-MessageTrackingLog -Recipient:xxx@company.com -Server "Exchange-HubTransport-Server" -Start "3/1/2012 7:40:00 PM" -End "3/4/2012 7:50:00 PM" | Out-GridView

Try it, you may end up liking it.