Getting all possible classes / attributes for an AD object

So in the world of AD everything is built from classes. Classes are stored in the Schema partition of the AD.

So what does this mean?

The fast basics

  • Each AD object has an objectClass which matches a class in the schema.
  • Each class has a parent (subClassOf).
  • One class has itself as its parent (top).
  • Each class has available attributes which may or must be set on an AD object.
  • An AD object can use all attributes of its class and of all the classes above it.

There are 4 attributes defined for each class that say which attributes it carries:

  • mayContain
  • mustContain
  • systemMayContain
  • systemMustContain

Let's get all classes that are assigned to an AD object.
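As an added example (not code from the original post), the function below walks the subClassOf chain from an object's class up to top and reports the four attribute lists of each class along the way. It assumes the ActiveDirectory module and a reachable domain controller; the function name and the distinguished name in the usage line are placeholders of mine.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and a domain controller that can be reached. Walks from the object's class up
# the subClassOf chain to 'top' and reports the attributes each class carries.
Import-Module ActiveDirectory

function Get-ADObjectClassChain {
    param([Parameter(Mandatory)][string]$Identity)

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # The AD module exposes ObjectClass as the most derived class name
    $className = (Get-ADObject -Identity $Identity).ObjectClass
    $visited = @{}

    while ($className -and -not $visited.ContainsKey($className)) {
        $visited[$className] = $true
        $class = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$className)" `
            -Properties subClassOf, mayContain, mustContain, systemMayContain, systemMustContain
        if (-not $class) { break }    # class not found in the schema, stop here

        [pscustomobject]@{
            Class       = $className
            Parent      = $class.subClassOf
            MustContain = @(@($class.mustContain) + @($class.systemMustContain) | Where-Object { $_ })
            MayContain  = @(@($class.mayContain) + @($class.systemMayContain) | Where-Object { $_ })
        }

        # 'top' is its own parent, so it ends the walk
        if ($className -eq 'top') { break }
        $className = $class.subClassOf
    }
    # Note: auxiliary classes (auxiliaryClass/systemAuxiliaryClass) also add
    # attributes to a class; they are not followed in this walk.
}

# Usage (placeholder DN, replace with a real object):
# Get-ADObjectClassChain -Identity 'CN=Administrator,CN=Users,DC=example,DC=com'
```

The output is one object per class in the chain, so piping it to Format-List shows which class contributes which attributes.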

[Read more...]

Possible source fields for Azure Active Directory Sync Services transformations

So Microsoft has released the latest version of the directory sync tool between your on-premises directory and Microsoft Azure AD. There is a load of information about it on MSDN, but the information I was looking for I couldn't find.

With the new AAD Sync you can apply transformations: if a field is in the wrong place in your Active Directory you can let the sync tool take the data from another attribute in the AD. This is done by storing the data in the AAD Sync metaverse. The in rules populate the metaverse and the out rules populate the services.

Edit Outbound synchronization rule

And there is a big list of attributes to select from, which gives the illusion that you can select just about any attribute. But no, there are some attributes missing. So I have compiled a list of all attributes that are available under the source selection box.

Source Attributes

Default attributes in the DirSync Metaverse. [Read more...]

Upgrading DFS 2000 to DFS 2008 mode

So you have just been asked to enable ABE on the DFS. But you can't enable it because your namespace is in 2000 mode. So how do we upgrade it? The boring answer is that you don't; Microsoft doesn't have an upgrade. But it is quite simple anyway.

Backup your current DFS-Namespace

First let's make sure that we have a copy of your current namespace, so we don't have to rebuild it by hand. This is a simple XML file that holds the entire configuration, both root servers and all links. Just replace \\<domain.fqdn>\<Namespace> with your DFS namespace information; the file name doesn't really matter. When it is complete just look into the file and see what you got.

Remove the old namespace

This part is usually quite simple: just start with one DFS namespace server and remove them one after another. If you get stuck because a server is no longer alive, don't worry, just remove it by force. Once you delete the last namespace server, the namespace is no more.

Setting up the new environment

Well, this is a good time to think about doing it right. For instance, were you using FQDNs for your namespace servers? I say enable FQDN and let's go.

Now just create a new namespace with the same name as before. Since we are talking about a namespace, which is a bunch of NTFS junction points, I see no point in moving the DFS share from the default of %Systemroot%\DFSRoots\NamespaceName. Just remember that everyone should have Read Only access only.

Then add the other namespace servers one after another.

Restore the namespace

So where are my hundreds of links? I can't remember them all. Well, importing is as easy as the export we did earlier. You didn't skip that step, right?

Now for the boring part. You should really test it to make sure it works. Remember that domain-based DFS is carried in the AD, with all the replication delays that can occur.


This entry has been on my waiting list for a long time, but since it was a good match for my solution for a question on social I completed it.

Standardize your verbose/debug messages

So my default verbose and debug messages might not really look good, so I needed to standardize how I wrote them. I wanted the time, function name and message to be printed in a standard way. So I came up with this invoke approach.

How do I execute a script block from a variable?

Well, first we need to save the standard to a variable and then execute it when needed. That is easy in PowerShell.

That command first saves the script block to be run in the $command variable and then runs it using the invoke operator (&). If you run the latter command again you will notice that Get-Date is executed anew, because the block runs at invoke time.

Building it from scratch

But we wanted to add the function name too. So let's look into that. I wrote an article before that talked about good constants in PowerShell. These aren't really constants but variables that PowerShell itself populates. Tada: if you look in $MyInvocation.MyCommand.Name you will find the current function name. So let's try that on the command line:

Well, I didn't get any output. Well, I'm not running in a function, am I? So let's build a function and then throw it in.

Okay, so that works. But remember that we will do another invoke later and that will get a new $MyInvocation. So let's add a message instead. That feels just like building a function: add a param and a variable name.

A pot hole

Hey, why did I not get the correct output? Well, you did, in a way. MyInvocation does provide information about the current invocation, but you are invoking the script block, right? So how do we get the MyInvocation of the function? We have to dig a little into PowerShell scoping. I can access the MyInvocation of the function by calling Get-Variable -Scope 1 MyInvocation -ValueOnly. So what is that scope 1? That tells the cmdlet to walk up 1 level in the scope stack and get the variable there, in this case from the calling function.
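Putting the pieces above together, as an added example rather than the post's own code: the message template lives in a script block, the function invokes it with &, and the script block reaches the function's $MyInvocation with Get-Variable -Scope 1. The names $LogMessage and Test-Standard are mine, not from the original.

```powershell
# Added example, not the original post's code. A reusable verbose/debug message
# template kept in a script block and invoked with '&' from inside a function.
# Inside the script block $MyInvocation describes the block itself, so the
# caller's $MyInvocation is fetched one scope up with Get-Variable -Scope 1.
$LogMessage = {
    param(
        [string]$Message,
        [ValidateSet('Verbose', 'Debug')][string]$Level = 'Verbose'
    )
    $caller = (Get-Variable -Scope 1 -Name MyInvocation -ValueOnly).MyCommand.Name
    $text = '{0:HH:mm:ss} [{1}] {2}' -f (Get-Date), $caller, $Message
    if ($Level -eq 'Debug') { Write-Debug $text } else { Write-Verbose $text }
}

function Test-Standard {
    [CmdletBinding()]
    param([string]$Name = 'world')

    # -Verbose/-Debug on the function set the preference variables in its scope,
    # and the invoked script block runs in a child scope, so they are honored.
    & $LogMessage "Hello, $Name"
    & $LogMessage -Message 'About to finish' -Level Debug
    & $LogMessage 'Done'
}

Test-Standard -Verbose
# VERBOSE: 12:34:56 [Test-Standard] Hello, world
# VERBOSE: 12:34:56 [Test-Standard] Done
```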

Now all at once

[Read more...]

Useful PowerShell “variables”

Sometimes when I code PowerShell I find small trinkets I wish to remember, so I'm gonna save them here.

This is a small PS variable list for me, with links to articles about them.

Variable and description:

  • $PSVersionTable.PSVersion: PowerShell version; if it is missing, then PS = 1.0
  • $PSCmdlet.ParameterSetName: when using parameter sets with a function, this holds which set was used.
  • $MyInvocation.MyCommand.Name: returns the current function's name.
  • $PSBoundParameters['Verbose']: true if the function is called with -Verbose
  • $PSBoundParameters['Debug']: true if the function is called with -Debug

Useful functions from .NET

Function and description:

  • [io.path]::GetTempFileName(): returns a temporary file name in the temp directory of the current user

Get random element of an array using PowerShell

I needed to return a random element of an array using PowerShell. I have used this method while building simple wireless passwords for a company. This is a simplified version; first let's create the array with Blue and Green in it.

How do I access the array then? Simple, just do $array[$x] where $x is random. So how do we get a valid integer for $x?

Let's just make sure that we are working with an array and not just a string: cast the variable as an array, [array]$array.

The end result

Why complicate with [array]

Q: I simplified the command by removing the ([array]), and it still works. So why did you add that extra?

A: If you or your friends are running an older PowerShell version (2 or less), then you can't run .Count on a string. If you try it, it will return nothing.


Move all FSMO roles to the local domain controller using PowerShell

I upgraded one domain controller in my home Active Directory and needed to move all the FSMO roles to the new domain controller. Since I'm really lazy and like quick solutions, I checked what PowerShell could help me with. And since I know it should live in the ActiveDirectory module, I decided to list all Move commands in that module.

[Read more...]

Tablet hardware keys cheatcard

So since I have a few tablets now I realized there are some differences in how you enter the BIOS and such. So this is a list of mine and others I have played with.

Dell Venue Pro 8


  1. Power on the device
  2. Press and hold the volume up (+) button


  1. Power on the device
  2. Press and hold the volume down (-) button

Boot menu:

  1. Power on the device
  2. Press the volume up (+) button quickly and release

Surface Pro 2 (Probably most Microsoft Surfaces)

UEFI settings:

  1. Turn the machine off
  2. Press and hold the volume up (+) button
  3. Power on the device
  4. Just before the Surface logo appears release the volume up button

Boot from USB:

  1. Turn the machine off
  2. Insert the USB memory into the computer, make sure it is UEFI bootable.
  3. Press and hold the volume down (-) button
  4. Power on the device
  5. Release the volume up button when the Surface logo appears

Screen capture:

  1. Press and hold the Windows button (the button that takes you to the start menu).
  2. Press the volume down key on the left side of the Surface.
  3. The screen should flash dark for a second to show that it is done.

Getting a FSMO DC to start without replication

So you have just restored your domain controller so that you can do a recovery test or a real recovery. And you notice that the domain controller isn't working. First off, you might even need to log on using Directory Services Restore Mode, because you just don't get in. Then you notice all of those Event ID 2092 entries in the Active Directory log.



This is a security measure implemented by Microsoft, to make sure that a domain controller that hosts a FSMO role won't start that role without checking whether another domain controller has seized the role while the server was down. Consider the following:

  • We lose the current RID master (dc01)
  • We promote (seize) dc02 to RID master
  • We fix the server dc01

If the check wasn't done we could have two RID masters until the first replication with dc01 completed. Having more than one holder of a FSMO role online at the same time is BAD, so this check is good and works most of the time.

So now you are thinking: well, my domain only has one domain controller, and it starts just fine, so? Well, Microsoft checks if there are any replication partners; if there aren't, there is no need to check for replication.

[Read more...]

Adding RSAT without all features enabled (in Specops)

So knowing that we can add features to an install, we decided to go and install the Remote Server Administration Tools (RSAT). Well, funny thing here. I did as I described in my article A language is a language is a patch?. But Microsoft seems to have made a change with Windows 8. In Windows 7 you needed to manually enable all the roles after you installed the update package; in Windows 8 everything is enabled. But that's not what I wanted.

I wanted everything installed, but not more than that. So let's use the knowledge from another of my late entries about removing features during the install. So let's build a good image now. [Read more...]