Sunday, July 2, 2017

AD: Simple way to remove all members of a group

No loops required, use the -clear parameter in set-aduser.

Set-adgroup -identity "name of group" -clear member

The time required to execute will vary depending on number of people in the group.

Saturday, May 6, 2017

Some of my coding on Github

1) From Columbia AI course assignment for search algorithms, n-puzzle solver in python 3.  My first attempt at python programming.
2) From Columbia AI course assignment in CSP's, suduko solver using AC3 and backtracking, written in Python3.
3) Arabic typing website code.  (Live site at:

Wednesday, April 19, 2017

Download all enterprise CA crl's from active directory

This script will look for all published crl's in the configuration partition, download them, and write them to binary files.  To further examine the files, you can open them up in windows (standard certificate viewing tools), or use the PSPKI module to dig into the data.

$debase = new-object directoryservices.directoryentry("LDAP://RootDSE")
$configpartition = $debase.configurationNamingContext[0]
$de = new-object directoryservices.directoryentry(` "LDAP://CN=CDP,CN=Public Key Services,CN=Services," + $configpartition)
$ds = new-object directoryservices.directorysearcher($de)
$ds.filter = "(objectclass=cRLDistributionPoint)"
$crls = $ds.findall()
foreach ($crl in $crls) {
$CAcert = $crl.path.replace("LDAP://CN=","")
$CAcert = $CAcert.substring(0,$CAcert.indexof(","))
$file = $CACert + ".crl"
set-content $file  ([byte[]]($[0])) ` -encoding Byte

Download all files from IIS web directory listing (non-recursive)

This simple code should be able to dig out all file names from inside the A HREF tags where the file name consists of letters, numbers, a few special characters, spaces, file path forward slashes and periods; and ends with an extension of 2-4 characters.  Each entry will be downloaded, however, take note that the A HREF data will contain a relative path to the item, including the directory structure.  The webclient downloadfile method's second parameter wants a path name, including file name, for the destination.  If the full path doesn't exist, the file may just get put in the current directory.

$wc = new-object net.webclient

$sitename = "http://somesite/somedirectory"

$weblisting = $wc.downloadstring($sitename)

$items = select-string '"[a-zA-Z0-9/._-() ]*\.[a-zA-Z0-9]{2,4}"' `
   -input $weblisting -allmatches|
   foreach {$_.matches.value.replace('"','')}

foreach ($item in $items) {

 $wc.downloadfile($sitename + $item, ".\" + $item)


Wednesday, March 29, 2017

Password change failed: Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied

This error was recently brought to my attention when a user was trying to change password after the expiration notice at logon. This was the first time I had seen it so I thought it was a bit odd. Based on the text of the error message alone, you would expect that the domain controller can't be contacted at all, there is some secure trust issue, or some weird issue on the domain controller. Typically when domain connectivity problems occur, you will get messages like domain controller unavailable or trust relation type problems. Searching around google comes up with some answers that don't seem to relevant, such as unjoin/rejoin the machine. One thing to look at is multi domain environments. Is the machine they are accessing on a different domain that the domain where the account exists? Is the trust one way or two way? Is the connectivity restricted between the two domains (dmz's)? In my particular case, the password change was being attempted on a trusting domain (one way) with limited access. Check this article to help determine possible connectivity requirements.