Active Directory Integrated DNS Wildcard Search

So NSLOOKUP is the typical way one may query DNS.  Ever wanted to just grab the results as objects while using a wildcard filtered search?  If your DNS is Active Directory integrated, then it’s really pretty simple.  After all, each DNS entry is essentially an AD Object.  Why not query AD like we do for so many other things?  Basically, you just need the Distinguished name for the DNS zone and tell Get-ChildItem to look at Active Directory.  For example, if you wanted to find all host records ending in “-DC” in

Get-ChildItem ",CN=MicrosoftDNS,CN=System,DC=example,DC=com" -Filter "name=*-dc"

By the way, if you get an error stating something similar to this:

Cannot find drive. A drive with the name 'ad' does not exist.

Then you may need to import the Active Directory module.

Import-Module ActiveDirectory

A quick test is to do a change directory to AD.

cd ad:

and the prompt should read “PS AD:\>”
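The same wildcard search as a reusable function, returning objects you can sort and filter. This is an added example, not code from the original post: the function name `Find-AdDnsRecord`, its parameters and the zone name `example.com` are assumptions, and it checks the three containers an AD-integrated zone can be stored in.

```powershell
Import-Module ActiveDirectory

function Find-AdDnsRecord {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ZoneName,    # e.g. 'example.com'
        [Parameter(Mandatory)] [string] $NameFilter,  # LDAP wildcard, e.g. '*-dc'
        [string] $DomainDn = (Get-ADDomain).DistinguishedName
    )
    # Escape LDAP filter metacharacters but keep '*' so wildcards still work.
    $safe = $NameFilter.Replace('\', '\5c').Replace('(', '\28').Replace(')', '\29')

    # An AD-integrated zone lives in one of these containers, depending on its
    # replication scope (domain partition, DomainDnsZones or ForestDnsZones).
    $forestDn = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName
    $candidates = @(
        "DC=$ZoneName,CN=MicrosoftDNS,CN=System,$DomainDn",
        "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn",
        "DC=$ZoneName,CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"
    )
    foreach ($zoneDn in $candidates) {
        try {
            Get-ADObject -SearchBase $zoneDn -SearchScope OneLevel `
                -LDAPFilter "(&(objectClass=dnsNode)(name=$safe))" `
                -Properties whenCreated, whenChanged, dNSTombstoned -ErrorAction Stop |
                Select-Object Name, whenCreated, whenChanged,
                    @{Name='Tombstoned'; Expression={[bool]$_.dNSTombstoned}},
                    @{Name='ZoneContainer'; Expression={$zoneDn}}
        } catch {
            # The zone is not stored in this container; try the next one.
            continue
        }
    }
}

# Newest matching records first, so recent additions stand out.
Find-AdDnsRecord -ZoneName 'example.com' -NameFilter '*-dc' |
    Sort-Object whenCreated -Descending | Format-Table -AutoSize
```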

PowerShell timestamp for Excel

I needed PowerShell to plug in a single value to a .csv file that Excel would naturally convert to a Date and Time.  Here’s the bit to create that value:

# Native PowerShell date and time

# Capture the time once so the date and time parts come from the same instant
$now = Get-Date
# Excel serial dates count from 12/31/1899 and include a nonexistent 2/29/1900, hence the extra day
$excelDate = ($now.AddDays(1) - (Get-Date "12/31/1899")).Days
$excelTime = ($now.Hour/24)+($now.Minute/1440)+($now.Second/86400)
$excelTimeStamp = $excelDate + $excelTime


Disable TLS on Windows 2012 R2 (IIS 8)

A handy GUI tool to make this an easy one-off thing is IIS Crypto.

Here’s the actual registry change that is made if you need to script it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]

A reboot is required for the change to apply.

Multiple KMS keys confusion

If you have access to a VLSC and can get KMS licenses, you may see keys for different Operating systems.  Intuitively, that suggests you would register each key to be able to activate a corresponding operating system.  Not so.  Get the highest level operating system KMS and subsequent operating systems are covered by the one key.  For example, Windows 2016 covers 2012, 2008, 10, and so on…

Check out this article for more detail: Windows Server 2016 Activation

Office 2016 KMS license in Windows 2012 is a bit goofy.  Intuitively, you’d think you would use the Volume Activation Tools to plug in your key.  Nope.

Download and run the Microsoft Office 2016 Volume License Pack.  It will launch the VAT GUI and then you can plug in your KMS license.

Why is it done that way?  I honestly don’t know.  I’m sure there’s a Microsoft explanation why but I don’t feel like digging through the Internet to find an obscure article with an unofficial explanation.  I’m just glad I finally got the KMS license thing set up.

Throttle PowerShell scripts to not kill CPU or RAM

Having fun deploying gobs of parallel processes when suddenly things start to slow as CPU and RAM are getting clobbered.  I came up with a way to help scripts be a little more polite to clear up the logjam.  Look for the top of loops or iterative processes to inject checking utilization before proceeding.  If thresholds are exceeded, then the script can pause a bit and check back to see if thresholds came down.  Essentially, it’s a call to a function to check utilization and a small loop to hang out in until utilization comes down.   I have CPU and RAM threshold dialed in at 80%.  One can change to suit.

The function:

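function highCpuRam {
 # Returns $true when CPU or RAM utilization is above 80%
 $highCpuRam = $false
 # LoadPercentage is reported per processor, so average across sockets
 $cpuUsed = [int]((Get-CimInstance Win32_Processor | Measure-Object -Property LoadPercentage -Average).Average)
 $os = Get-CimInstance Win32_OperatingSystem
 # Free / total is the free percentage; subtract from 100 to get the used percentage
 $memUsed = [int](100 - (($os.FreePhysicalMemory / $os.TotalVisibleMemorySize) * 100))
 if ($cpuUsed -gt 80) {$highCpuRam = $true}
 if ($memUsed -gt 80) {$highCpuRam = $true}
 return $highCpuRam
}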

The check:

 do {
 $busy = highCpuRam
 if ($busy) {
 "Throttling down. CPU/RAM busy."
 # Wait half a second before checking again
 Start-Sleep -Milliseconds 500
 }
 } while ($busy)

Find the largest files modified today

If you’re not using fancy file auditing software to track things, it may be challenging to find out who just filled up your drive with a bunch of data.  Here’s a PowerShell script that does it the brute-force way, crawling through your network shared drive to find the largest files that were modified today.  It can take a while to run if you have many folders and files to crawl through.  Now you can have a list of your top 100 largest files and who owns them.

# Largest X files modified today
$searchPath = "\\server\share"   # placeholder: root of the share to crawl
$limit = 100
$filesToday = Get-ChildItem -Path $searchPath -Recurse -File -ErrorAction SilentlyContinue |
 Where-Object {$_.LastWriteTime -gt (Get-Date).Date}
# Path is the folder that contains the file; Owner is read from the file's ACL
$largestFiles = $filesToday | Sort-Object -Property Length -Descending |
 Select-Object Name, @{Name="SizeInMB";Expression={$_.Length / 1MB}}, @{Name="Path";Expression={$_.DirectoryName}}, @{Name="Owner";Expression={(Get-Acl $_.FullName).Owner}} -First $limit
# HH gives a 24-hour timestamp so morning and afternoon runs do not collide
$largestFiles | Export-Csv (".\largestFilesToday_" + (Get-Date -Format "yyyy_MM_dd_HHmm") + ".csv") -NoTypeInformation

JSON vs XML for PowerShell

It felt like XML was a bit dated for data transport.  It is/has been a bit cumbersome to parse and manage from PowerShell.  I’ve been seeing a lot more JSON everywhere and was curious to know if support for it was implemented in PowerShell.  It is.  As it turns out, it’s much easier to use.  Now to go back and update all my scripts to start using it.  Sigh…

Here’s an awesome article by June Blender on how to transition to start using it:


Get-WinEvent vs. Get-EventLog

So, these two appear to be very similar at first glance.  However, depending on the data one wants to filter in on, one is significantly better than the other.  For me, the bottom line is using Get-Eventlog for filtering the Security Event Log is much faster.  That’s what I needed to know.

An article by Mark Berry was very helpful:

PowerShell: Get-WinEvent vs. Get-EventLog


  1. If you’re writing a PowerShell script to handle events from Vista or Server 2008, avoid the Get-WinEvent –FilterHashtable parameter; use –FilterXML instead.
  2. Even on Vista and beyond, consider using Get-EventLog if you need to filter the Security log for Audit Failures.
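Both approaches side by side for the case named in point 2, Audit Failures in the Security log over the last 24 hours, with each query timed. This is an added example, not code from either article: the 24-hour window and variable names are assumptions, and it needs an elevated Windows PowerShell session (Get-EventLog is not available in PowerShell 7).

```powershell
$since = (Get-Date).AddHours(-24)

# 1. Get-EventLog: filter directly on the entry type.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$viaEventLog = @(Get-EventLog -LogName Security -EntryType FailureAudit `
    -After $since -ErrorAction SilentlyContinue)
$eventLogMs = $sw.ElapsedMilliseconds

# 2. Get-WinEvent -FilterXml: Audit Failure is keyword bit 0x10000000000000
#    (4503599627370496); 86400000 ms = 24 hours. '<' must be escaped in XML.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[band(Keywords,4503599627370496) and
        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
'@
$sw.Restart()
# Get-WinEvent raises an error when nothing matches, so suppress it and wrap in @().
$viaWinEvent = @(Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue)
$winEventMs = $sw.ElapsedMilliseconds

# Event counts and elapsed time for each cmdlet.
@(
    [pscustomobject]@{ Cmdlet = 'Get-EventLog'; Events = $viaEventLog.Count; Milliseconds = $eventLogMs }
    [pscustomobject]@{ Cmdlet = 'Get-WinEvent -FilterXml'; Events = $viaWinEvent.Count; Milliseconds = $winEventMs }
) | Format-Table -AutoSize

# Most frequent failure event IDs in the window, for a quick triage view.
$viaWinEvent | Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 Count, @{Name='EventId'; Expression={$_.Name}} |
    Format-Table -AutoSize
```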
