Tag: PowerShell

Disable Windows Firewall with PowerShell

Covers when you legitimately need to turn the host firewall off (debugging, lab, migration window) and how to do it cleanly with PowerShell. Get-NetFirewallProfile reads the per-profile state; Set-NetFirewallProfile -Enabled False flips them off; the same cmdlet with True flips them back. Includes the targeted-single-rule alternative (Disable-NetFirewallRule), a try/finally cleanup pattern, the schedule-a-forcing-function-to-re-enable pattern, and the common pitfalls (forgot to re-enable, wrong profile, GPO override, trusted-the-wrong-tool).

Enable Windows Firewall with PowerShell

Re-enable Windows Defender Firewall on a Windows Server with one cmdlet per profile. Get-NetFirewallProfile reads the per-profile state (Domain / Private / Public); Set-NetFirewallProfile -Enabled True flips them all on at once. Covers the three profiles, the read-then-set-then-verify pattern, the rest of the per-profile properties (default actions, logging, notifications), per-rule operations (New-NetFirewallRule, Get-NetFirewallRule, Enable/Disable), and the common pitfalls (turned off for testing, disabled only one profile, GPO override, block-all-outbound footgun).

Active Directory Security Assessment with Purple Knight

Run Semperis Purple Knight Community against an Active Directory forest to surface Indicators of Exposure (weak crypto, print spooler on DCs, AdminSDHolder drift, kerberoastable accounts, etc.) and produce a graded HTML/PDF report. Walks the download, MotW Unblock-File pre-flight, the wizard's six indicator categories (AD Delegation, Account Security, AD Infra, Group Policy, Kerberos, Hybrid), the Zerologon-skip nuance, the score-grade scale, the remediation-then-rescan loop, and the common pitfalls (running as DA, running on a DC, skipping updates, mass-fixing without reading).

Configure FSRM Quota

How to install File Server Resource Manager, build a reusable quota template (e.g. 500 MB hard quota with an 85% warning threshold), apply it to a folder, and test that hard enforcement returns the same not-enough-space error a full disk would. Includes the New-FsrmQuotaTemplate / New-FsrmQuota PowerShell equivalents for scripting many folders, the NTFS-quotas-vs-FSRM-quotas trade-off, and 6 common pitfalls (auto-apply at the wrong root, hard quota on an already-over folder, missing SMTP, edited-quota-not-matching-template, permission errors masquerading as quota issues, SrmSvc stopped).

Universal Group Membership Caching

How to enable Universal Group Membership Caching (UGMC) on a remote AD site so user logons no longer have to traverse a slow WAN to a Global Catalog. Walks the GUI three-click path (Sites and Services > site > NTDS Site Settings > Properties > Enable UGMC) with the actual screenshots, the Set-ADObject PowerShell equivalent (one bit on the NTDS Site Settings options attribute, 0x20), the design choice between UGMC and a local Global Catalog, the 8-hour cache refresh behaviour, and the common pitfalls (right-clicking the wrong node, first-logon needs the GC, stale cache after Universal Group changes).

Configure a Domain Controller as a Global Catalog Server

How to add the Global Catalog flag to an existing Domain Controller in Active Directory Sites and Services, and the PowerShell equivalent (one bit on the NTDS Settings options attribute via Set-ADObject). Walks the GUI three-click path, the Set-ADObject cmdlet, post-change verification with Get-ADDomainController IsGlobalCatalog / dsquery server -isgc / repadmin /options / Test-NetConnection on port 3268, the partial-attribute-set replication timing caveat, and the common pitfalls (right-clicking the wrong tree node, leaving only one GC, demoting accidentally).

Active Directory Health Check with PowerShell

One PowerShell script that wraps dcdiag, Test-Connection, Resolve-DnsName, w32tm, Get-Service, and CIM into a single colored HTML report — one row per Domain Controller, 35 columns of pass/warn/fail per cell. Includes the full Get-ADHealth.ps1 source, what each dcdiag test actually catches (Connectivity, SysVolCheck, KccEvent, FSMOCheck, NCSecDesc, etc.), how to schedule a daily SMTP-emailed run, the MotW / Unblock-File / ExecutionPolicy gotchas, and the green-DNS-red-everything-else fingerprint that means a DC is offline.

Check Active Directory Forest and Domain Functional Level

How to read the current Active Directory forest functional level (FFL) and domain functional level (DFL), what each level unlocks, the pre-flight checklist before raising, and how to actually raise it with Set-ADForestMode / Set-ADDomainMode. Includes the schema-version-to-OS table, a decision flow for whether to raise, and the common pitfalls (forgotten DCs, Server 2019/2022 reporting Windows2016Forest, irreversibility).

Export Active Directory Users to CSV with PowerShell

Export AD users to CSV using the three-cmdlet pipeline (Get-ADUser, Select-Object, Export-Csv). Covers scope selection (-Filter, -SearchBase, -SearchScope), the computed-property pattern for columns like Manager-DN-to-name and clean OU paths, a reusable function with parameters, and common variations (disabled accounts, stale logons, group membership exports).

How to Install Windows Updates with PowerShell

Drive Windows Update from a single PowerShell window using the PSWindowsUpdate module. Covers installing the module from the PowerShell Gallery, querying and installing updates on local and remote machines, looping over a hard-coded computer list, and patching every member of an Active Directory OU dynamically with Get-ADComputer -SearchBase.

Get Active Directory Information with a PowerShell Script

Get-ADInfo.ps1 is a single PowerShell script that prints ten Active Directory facts in one output: computer/workstation/server/user/group counts, forest and domain functional levels, schema version translated to a Windows Server release name, and all five FSMO role owners. The right script to run before a migration, an audit, or a tier-zero handover.