Now on AskDS!

It is my sincere honor to inform you that you may now also find me waxing poetic on the AskDS blog, Microsoft's official enterprise support blog for AD DS and more. Special thanks to the superstars (*cough*Ned*cough*) that came before me and inspired me to get to where I've always wanted to be.

Check me out!

AD Is Full of Bitmasks, Decipher Them with Powershell

Active Directory uses bit masks, or bit fields, or bit flags or bit maps or whatever you want to call them.  Anyway, AD uses them, a lot.  Let's say you're digging deep into Active Directory internals, and you want to see all the attributes in your schema that are eligible for being made confidential.  We know that something called "base schema attributes" cannot be made confidential, and that we know whether an attribute is a base schema attribute or not based on a certain bit that is set in that attribute's systemFlags attribute.

Get-ADObject -LDAPFilter "(objectClass=attributeSchema)" `
             -SearchBase (Get-ADRootDSE).schemaNamingContext `
             -Properties SystemFlags

That'll give us all attributes (regardless to what type of object they apply) in the schema, including their systemFlags property.  Problem is, the systemFlags property is all condensed into an integer, and unless you're Rain Man and have no problems doing it all in your head, you might like it if that systemFlags property were translated into something more meaningful.

This is where the magic of enumerations comes in.

Add-Type -TypeDefinition @'
    public enum SystemFlagsAttr : uint
        FLAG_ATTR_NOT_REPLICATED         = 0x00000001,
        FLAG_ATTR_REQ_PARTIAL_SET_MEMBER = 0x00000002,
        FLAG_ATTR_IS_CONSTRUCTED         = 0x00000004,
        FLAG_ATTR_IS_OPERATIONAL         = 0x00000008,
        FLAG_SCHEMA_BASE_OBJECT          = 0x00000010,
        FLAG_ATTR_IS_RDN                 = 0x00000020,
        FLAG_DISALLOW_MOVE_ON_DELETE     = 0x02000000,
        FLAG_DOMAIN_DISALLOW_MOVE        = 0x04000000,
        FLAG_DOMAIN_DISALLOW_RENAME      = 0x08000000,
        FLAG_CONFIG_ALLOW_LIMITED_MOVE   = 0x10000000,
        FLAG_CONFIG_ALLOW_MOVE           = 0x20000000,
        FLAG_CONFIG_ALLOW_RENAME         = 0x40000000,
        FLAG_DISALLOW_DELETE             = 0x80000000

So a smart reader already knows that since we are looking for "base schema objects," which in the enum above equates to 0x10 hex, which is 16 decimal which is the fourth bit... then it becomes pretty easy to spot all the attributes that have a SystemFlags of 16 in our above Powershell command. But what about when bit 4 and bit 2 and bit 26 are all turned on?  This is why enums are our friends.  Let's retry our Powershell command using the enum now:

Get-ADObject -LDAPFilter "(objectClass=attributeSchema)" `
             -SearchBase (Get-ADRootDSE).schemaNamingContext `
             -Properties SystemFlags | `
             Select Name, `
             @{n='SystemFlags'; e={[Enum]::Parse('SystemFlagsAttr', $_.SystemFlags)}}

Now it's a lot more readable:

ms-DS-Assigned-AuthN-Policy      FLAG_SCHEMA_BASE_OBJECT

Pretty easy to filter those results and see which attributes are base schema attributes, and which are not.

Lastly, as an exercise I will leave to the reader, you can also use the SearchFlags (not SystemFlags) property of an attribute to determine whether the attribute is already set as confidential or not.

    public enum SearchFlags
        fATTINDEX              = 0x0001,
        fPDNTATTINDEX          = 0x0002,
        fANR                   = 0x0004,
        fPRESERVEONDELETE      = 0x0008,
        fCOPY                  = 0x0010,
        fTUPLEINDEX            = 0x0020,
        fSUBTREEATTINDEX       = 0x0040,
        fCONFIDENTIAL          = 0x0080,
        fNEVERVALUEAUDIT       = 0x0100,
        fRODCFilteredAttribute = 0x0200,
        fEXTENDEDLINKTRACKING  = 0x0400,
        fBASEONLY              = 0x0800,
        fPARTITIONSECRET       = 0x1000


Just a little Powershell I wrote when I had nothing better to do.  It's kinda' reminiscent of procdump's ability to wait until a certain threshold is crossed before it takes action.  That's what this Cmdlet does.  It just watches a performance counter (any performance counter, also works against remote computers,) and when the specified threshold is crossed, it executes whatever file you specified in the "Action" parameter.  I wrote it because it helps solve performance-related cases where a repro is hard to catch.

Watches a Windows performance counter, and executes the specified file
once the specified counter threshold is crossed.
Watches a Windows performance counter, and executes the specified file
once the specified counter threshold is crossed. You must know the 
name and path of the performance counter you're after. Use Get-Counter
if you want to explore the syntax of performance counter paths. You
may monitor performance counters on a remote machine as well. The
specified Action can be any executable file, an exe, a vbs, a bat file,
etc. You can also specify the PollFrequency, in seconds. Default is 5.
Use the Verbose switch for extra detail.
.PARAMETER CounterName
This is the full path of the performance counter that you want to monitor.
It may be from the local machine or from a remote machine.
.PARAMETER Threshold
When the performance counter crosses this threshold, the specified action will be triggered. 
It could be an absolute value or it could be a percentage, depending on the perf counter.
This can be any file that exists and is accessible - it will be executed when the performance
counter threshold is crossed.
.PARAMETER PollFrequency
The frequency, in seconds, that the performance counter will be polled. Default is 5 seconds.
C:\PS> Watch-PerfCounter -CounterName '\processor(_total)\% processor time' -Threshold 90 -Action 'C:\MyFile.bat' -PollFrequency 10 -Verbose
Polls the processer time performance counter every 10 seconds, and executes MyFile.bat once the CPU is over 90%. Outputs Verbose information.
C:\PS> Watch-PerfCounter -CounterName '\\host02\memory\% committed bytes in use' -Threshold 25 -Action 'C:\Compress.exe'
Polls the memory perf counter on remote computer HOST02, and executes a program once it crosses 25%.
Powershell written by Joseph Ryan Ries, but it was Justin Turner's idea.
Function Watch-PerfCounter
    #Version: 01.00 - September 17 2015 - Initial release.
    #Version: 01.01 - September 17 2015 - Added the word "seconds" to the sentence "Polling ever x seconds."
          [ValidateScript({Test-Path $_ -PathType Leaf})]
            [Int]$PollFrequency = 5)
        Set-StrictMode -Version Latest
        [Diagnostics.Stopwatch]$Stopwatch = [Diagnostics.Stopwatch]::StartNew()

        Write-Verbose "$($PSCmdlet.CommandRuntime) beginning on $(Get-Date)."

            Get-Counter $CounterName -ErrorAction Stop | Out-Null
            Write-Verbose "Performance counter $CounterName was found."
            Write-Error "Perfermance counter was not found or could not be read! `n`n $($_.Exception.Message)"

        Write-Verbose "Polling every $PollFrequency seconds."
        Write-Verbose "Use Ctrl+C to abort."

        [Bool]$ThresholdCrossed = $False

        While (-Not($ThresholdCrossed))
                $CookedValue = (Get-Counter $CounterName -ErrorAction Stop).CounterSamples.CookedValue

                Write-Verbose "$CounterName = $CookedValue"

                If ($CookedValue -GT $Threshold)
                    Write-Verbose "Performance counter $CounterName has crossed the threshold of $Threshold!"
                    $ThresholdCrossed = $True
                Write-Error "Error reading performance counter. This error may be transient. `n`n $($_.Exception.Message)"

            If (-Not($ThresholdCrossed))
                Start-Sleep -Seconds $PollFrequency

        Invoke-Expression $Action

        # Reminder: This code block still executes even if we return prematurely from the BEGIN block.
        Write-Verbose "$($PSCmdlet.CommandRuntime) completed in $([Math]::Round($Stopwatch.Elapsed.TotalSeconds, 2)) seconds."

Some DFS Diagnostics and How to Make Dfsutil.exe Portable

There was a question recently about whether DFS was setup and working properly.

Well, let me back up.  There was a problem where an application dumped a file into a file share, but for some reason, the users were unable to see that file for up to an hour after it had supposedly been dumped into the file share.  And that file share was part of a DFS replication group.  So maybe the users were having to wait on DFS replication for some reason.  DFS was suspected, but we were short on evidence and facts.

So the users were in another geographical location, in another Active Directory site.  I wanted to see which DFS replication partner was the active target from the perspective of those clients in the other site.  For example, think of when you look at the following dialog box:

All well and good, but I needed to do this through the command line... via remote administration.

And the client was Windows 7, and it did not have Powershell remoting enabled, nor did it have RSAT (Remote Server Admin Tools) installed.

So if I wanted to check this DFS information on my own machine, which does have RSAT installed, I'd simply type:

C:\> dfsutil /PktInfo

And that will dump out lots of historical DFS target info like so:

C:\> dfsutil /PktInfo
12 entries...
Entry: \Server01\SiteB\Files
ShortEntry: \Server01\SiteB\Files
Expires in 89 seconds
UseCount: 0 Type:0x1 ( DFS )
   0:[\Server02\Legacy] AccessStatus: 0 ( ACTIVE TARGETSET )
   1:[\Server03\DFSRoot\Accounting\SiteB\Files] ( TARGETSET )
Entry: \Server01\SiteB\Files ShortEntry: \Server01\SiteB\Files Expires in 97 seconds UseCount: 0 Type:0x1 ( DFS ) 0:[\Server02\Files] AccessStatus: 0 ( ACTIVE TARGETSET ) 1:[\Server03\DFSRoot\Accounting\SiteB\Files] ( TARGETSET )

And so on... but I need to see things from the perspective of a client at that other site.

So the first thing I will do is... use psexec to enable Powershell Remoting on one of the remote clients!

psexec \\pc01 powershell.exe -Command "Enable-PSRemoting -Force"

Why? Because I will bootstrap you into the new decade kicking and screaming if I have to, that's why!

Secondly, I need to transfer dfsutil.exe (and dependencies) to the destination PC.  I don't want to install the entire RSAT on the remote client just to run this single test. The only hitch here is that you must use the version of dfsutil.exe that comes from the Remote Server Administration Tools that was meant for that version of Windows. So for instance, I couldn't transfer my version of dfsutil.exe to the destination PC, because the destination PC was Windows 7 and my workstation was Windows 8.1. I had to find a Windows 7 workstation with RSAT already installed as the source.  Also, you need to transfer the language file, dfsutil.exe.mui, into System32\en-US\.  So:

dfsutil.exe     -> \\pc01\c$\windows\system32\dfsutil.exe
dfsutil.exe.mui -> \\pc01\c$\windows\system32\en-US\dfsutil.exe.mui

Now I was ready to use Enter-PSSession to start a remote session on the PC and use dfsutil to run the diagnostic test.


I'm back, and I brought along with me my newest creation: BausButton. (Pronounced Boss Button.)

This little Windows app sits innocuously in your notification tray.  When you hit the hotkey, whatever window has focus at that moment disappears.  The window disappears and the task bar icon (if any) also disappears. Hit the hotkey again and the window reappears.  See... a boss button... for when the boss walks in and you need to quickly hide whatever you were looking at.

But there's more. It's got password protection. If you have set a password previously, then BausButton will challenge you before it un-hides the hidden window.  Passwords are salted and then hashed with SHA256. (A new random salt is generated upon each new "installation" of the app.)

By default, the "boss button" is mapped to the "Scroll Lock" key, but you may customize the hotkey by editing the BausButton registry key.


The "HideKey" value corresponds to the virtual key-codes defined by Microsoft, which you can find right here. So for instance, if you wanted to change the hotkey to the space bar, you'd change the HideKey registry value to 0x20 (decimal 32.)

If you ever just want to reset everything, just close the app, delete the whole BausButton registry key, then restart the app.

Some screenshots:

When no window is hidden, the BausButton icon is colored in.

When a window is hidden, the BausButton icon is transparent.

If you click the icon, you get a very simple menu. If you exit the app, any hidden window will automatically be unhidden before the app exits, and if a password is set, you will be challenged for that password before the app exits, and if you get the password wrong, the app just won't exit.

Here's the signed binary. Let me know what you think.

(Update 8/14/2015: v1.0.1 - Fixed password dialog focus problem.) (144 KB)