Thursday, October 25, 2018

How to retrieve DN of AD parent object in Powershell

Stumbling over I thought about how to do it correct AND fast:

$U = Get-ADUser $env:username -Properties cn
$uParent =$u.DistinguishedName.Substring( ( $ ).Length + 4 )

This way we can use the fast string method and we will always remove up to the correct position. Regardless of the parent object container type (OU, Container, whatever...)

Tuesday, July 25, 2017

Mirroring AD OU trees including GPOs - the PoSh way

Hello all.

In your AD, there might be an OU tree for production purposes. There might be a second tree for testing purposes. Now you need a third tree for evaluation purposes. That means copying all OUs from one of the existing trees and re-linking all GPOs linked to the source.

I recently had this requirement for an OU structure 6 levels deep with more than 100 linked GPOs. Hard to believe I would do this manually, so I fired up my ISE and came out with this module:


Since the description in the gallery is somewhat crispy, here's the full help:

Friday, June 23, 2017

Windows 10 Settings App - how to hide pages for user groups

Hi Readers :-)

With Win 10 1703, the settings app can be configured to hide or allow only certain pages. This is configured with But there's a drawback: This is a computer setting, so it will affect ALL users - even local administrators. Hey, MS - what did you think about when implementing this?

How can we configure the settings app differently for different groups of users?

The solution for this - as often - is "Group Policy Preferences" (GPP). With GPP Registry, we can write HKLM in the user part of a policy. Lets try - we create a GPP Registry to write the value we found at gpsearch:

And voila - it turns out that this value is not evaluated at boot time or at logon, but each time you open the settings app.

This enables us to configure the settings app based on users, although "officially" it is a computer setting :-)

Be aware that results might be unexpected if you use fast user switching. Consider the following scenario:

Admin logs on, gets unrestricted settings app. Switch user, default user logs on, gets restricted settings app. If you now switch back to Admin, he also will have restricted settings app because switching users does not trigger gpupdate. You can circumvent this if you create a scheduled task that runs "gpupdate /target:user" and triggers on Session reconnect.

Note: The IDs for the pages (about, privacy and so on) are not listed in the policy help. They can be found at or at

Saturday, December 10, 2016

LegalNoticeCaption and LegalNoticeText - the new way...


Have you ever been using the following settings?

These are designed to present a message to the user after he presses C-A-D. This message could be some legal stuff, some helpful hints or whatever you need.

But there's a drawback: If these settings are enabled, AutoAdminLogon will not work anymore. This would prevent automated software installations by scripts, running in the context of an admin user that logs on automatically.

How can we solve this?

Monday, November 07, 2016

Updating Gallery Modules - with a module, of course!

...after I dealt with module updates last week, I finally converted the stuff to a module and published it:

Have fun! :-)

Wednesday, November 02, 2016

Speed-updating powershell modules from the gallery

Hi all.

TL;DR: Update all your PoSH modules from within your ISE profile - and with lightning speed!

I recently received a IseSteroids License due to being an MVP - many thanks to Tobias Weltner for this valuable gift!

I then started to think about "how do I keep IseSteroids" up to date? It receives minor updates quite frequently, so I tried this simple command in my personal ISE profile:

Update-Module -Name IseSteroids

This was a "no brainer" - update-module is a slow running thing. So ok, lets go - google/bing/whatever. I finally came up with a solution that has "history":

Thursday, May 12, 2016

Configuring the recycle bin for redirected folders

Hi all.

Recently, we had the need to disable the recycle bin for all redirected folders. This was due to the fact that the recycle bin - by default - takes a percentage of the volume it is located on, and we redirect to really large volumes, which results in undesirable sizes of these bins... Especially because we charge the users the amount of space they use :-)

Lucky me found a AskDS post that explains the basic steps of managing the recycle bin:

What the AskDS post lacks:
a) What are the folder IDs?
b) How do I deploy the required values?