Bookmark and Share

In this post:

I Think You Guys Made a Mistake in This Article I Found

Hey, Scripting Guy! Question

Hey, Scripting Guy!

In reference to the Windows PowerShell Tip of the Week article, The String's the Thing, please note that there is a mistake in the fifth paragraph of the section, "Comparing Two String Values." The line should be, "The CompareTo method always does a case-sensitive comparison. To do a case-insensitive comparison, use this command instead:"

-- LK

 

Hey, Scripting Guy! AnswerHello LK,

Microsoft Scripting Guy Ed Wilson here. I appreciate your attentive reading of our article on comparing two strings. I have double-checked the article, and looked it up on MSDN, and as far as I can tell the article is actually correct. Note on MSDN in the remarks section it says: “This method performs a word (case-sensitive and culture-sensitive) comparison using the current culture.”

When I run the code, I obtain the same results as the article:

PS C:\> $a = "Scripting Guys"

PS C:\> $b = "scripting guys"

PS C:\> $a.CompareTo($b)

1

PS C:\>

 

The 1 indicates that $a will follow $b in the sort order.

The compare static method from the [string] class can be used to perform a case-insensitive comparison by specifying a Boolean third parameter. The compare static method is documented on MSDN. This is illustrated here:

PS C:\> $a = "Scripting Guys"

PS C:\> $b = "scripting guys"

PS C:\> [string]::compare($a,$b)

1

PS C:\> [string]::compare($a,$b,$true)

0

PS C:\>

 

Keep in mind the compare static method of the system.string .NET Framework class is heavily overloaded, and you need to read it very closely to figure out what each overload does. For example, we are using the overload that has <string, string, Boolean>. There is another overload that also accepts three parameters, but the third position is a stringcomparison enumeration value, and not a Boolean value.

Hope this helps.


Using Windows PowerShell to Set the "Managed By"
 Field

Hey, Scripting Guy! Question

Hey, Scripting Guy!

I have been working for a few weeks on creating a Windows PowerShell script for setting the "Managed By" field and the "Managers can update members list". I know the Managers must be granted WriteMembers Allow, but I cannot figure out how to do that. Setting WriteProperties Allow does not work because of the following:

1.) "Managers can update members list" does not get checked.

2.) They are granted too much access.

My script has been very lengthy (as this is only one small part of the script) and this is the only thing keeping me from saving my team literally hundreds of hours a month in creating and securing folders. Please help.

-- JB

 

Hey, Scripting Guy! AnswerHello JB,

I had Microsoft PowerShell MVP Brandon take a swipe at this one. Here is his answer:

Writing this script even spawned a blog entry. This should do the trick. This adds an ACE to the ACL for the Managing User. 

################################################################

function New-ADACE {
    Param([System.Security.Principal.IdentityReference]$identity,
        [System.DirectoryServices.ActiveDirectoryRights]$adRights,
        [System.Security.AccessControl.AccessControlType]$type,
        $Guid)
   
   
    $help = @"
    $identity
        System.Security.Principal.IdentityReference
       
http://msdn.microsoft.com/en-us/library/system.security.principal.ntaccount.aspx
   
    $adRights
        System.DirectoryServices.ActiveDirectoryRights
       
http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights.aspx
   
    $type
        System.Security.AccessControl.AccessControlType
       
http://msdn.microsoft.com/en-us/library/w4ds5h86(VS.80).aspx
   
    $Guid
        Object Type of the property
        The schema GUID of the object to which the access rule applies.
"@
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,$adRights,$type,$guid)
    $ACE
}

 

# Some example code on how to use the New-ADACE function

# Create ACE to add to object

$myGuid = "bf9679c0-0de6-11d0-a285-00aa003049e2" #GUID for the Members property
$ID = Get-NTID "sAMAccountName of the user to give rights to"

$newAce = New-ADACE $ID "WriteProperty" "Allow" $myGuid

 

# Get Object
$DN = "<DN of the User object to be managed>"
$ADObject = [ADSI]"LDAP://$DN"

 

# Set Access Entry on Object
$ADObject.psbase.ObjectSecurity.SetAccessRule($newAce)

 

# DN for the Managed By Property
$MangedByDN = "<Manager DN Here>"

 

# Set the manageBy property
$ADObject.Put("managedBy",$MangedByDN)

 

# Commit changes to the backend

$ADObject.psbase.commitchanges()

###############################################################


 

How Can I Name Folders with Owners' User Names?

Hey, Scripting Guy! Question

Hey, Scripting Guy!

My company turned on My Documents redirection a long time ago. More than 6,000 users have their My Documents folders redirected to a single share. An old (now fired) administrator moved the entire directory to a new server. In doing so, he made the Administrators group the owner of every subdirectory. The permissions were also reset for whatever reason. As it currently stands, the "Everyone" group has Full Access to EVERY user's My Docs folder. Yeah, bad, I know.

My question is this: Is there a way to script changing the owner of every folder in this share (and subfolders) to the user name that each folder is named after? I need something to go through the whole /home directory and assign the name of each folder as the user account that owns said folder.

The amount of appreciation I would feel for you folks is unfathomable, if you can assist in any way!

-- LS

 

Hey, Scripting Guy! AnswerHello LS,

You can do this by using either Subinacl or Icacls. The latter is the preferred tool to do this. You can use either VBScript or Windows PowerShell or possibly even batch to read the folder names. Using Windows PowerShell, it would not be a horrible thing to try to accomplish.

Here is some documentation for icacls. Here is a short example of using it in a Windows PowerShell script:

ModifySecurityOfFoldersUsingIcacls.ps1

#ModifySecurityOfFoldersUsingIcacls.ps1

#ed wilson, msft, 11/23/2009

# uses icalcls and Get-ChildItem

# http://bit.ly/7FVysn

#

Get-ChildItem -Path C:\share |

Where-Object { $_.psiscontainer } |

ForEach-Object {

icacls $_.fullname /Grant Users:`(F`)

}


 

How Can I Tell If I Am Running Windows PowerShell 2.0? 

Hey, Scripting Guy! Question

Hey, Scripting Guy!

How do I know if I am running Windows PowerShell 2.0? The directory name still has 1.0 in it.

-- DS

 

Hey, Scripting Guy! AnswerHello DS,

The directory name was kept for application compatibility reasons with Windows PowerShell 1.0. If in doubt, you can use a new variable, $PSVersionTable, to check on the version of Windows PowerShell you are using:

Image of using $PSVersionTable

 

Is Windows PowerShell 2.0 Available for Windows 7 and Windows Server 2008 R2? 

Hey, Scripting Guy! Question

Hey, Scripting Guy!

I went to the Windows PowerShell 2.0 download page, and I see versions for Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP. When are you going to come out with a version of Windows PowerShell 2.0 for Windows 7 and for Windows Server 2008 R2?

-- AC

 

Hey, Scripting Guy! AnswerHello AC,

Windows PowerShell 2.0 ships with Windows 7 and with Windows Server 2008 R2. On Windows 7, you will find Windows PowerShell 2.0 in the Accessories folder: 

Image of location of Windows PowerShell 2.0 


 

Well, this concludes another edition of Quick-Hits Friday. It also concludes another exciting week on the Script Center. Join us this weekend and next week as we delve into the mysteries of…well, let’s leave a mystery for now.

If you want to know exactly what we will be looking at this weekend and next week, follow us on Twitter or Facebook. If you have any questions, send e-mail to us at scripter@microsoft.com or post your questions on the Official Scripting Guys Forum. See you tomorrow for the Weekend Scripter. Until then, have an awesome day.

 

Ed Wilson and Craig Liebendorfer, Scripting Guys