There have been several occasions while scripting in PowerShell that the script is dependent on a specific service in the running state. A good example is the need to wait for the WMI Service to startup prior to making a WMI call, or SQL Server where when you restart the services, you have to wait for the services to be in a running state before you can execute commands.

The following function solves this issue. It also displays the proper implementation of a PowerShell wait timer to wait for a service to become operational before continuing in the script.

PowerShell Code Waiting for Service

Download Code

   1: # This Function Will Query A Dependancy Service and wait until the timer expires OR for the service to start.

   2: function QueryService { param($Service,$timer1)

   3:     $success = ""

   4:     write-host "Waiting on $Service Service..."

   5:     

   6:     # Create a for loop to INC a timer Every Second

   7:     for ($b=1; $b -lt $timer1; $b++) {

   8:             $servicestat = get-service $Service

   9:             $status = $servicestat.status

  10:             $b2 = $timer1 - $b

  11:  

  12:             # Determine the Percent Complete for the seconds.

  13:             $percent = $b * (100 / $timer1)

  14:             

  15:             # Display the progress on the Screen

  16:             Write-Progress -Activity "Waiting on $Service Service..." -PercentComplete $percent -CurrentOperation "$b2 Seconds Remaining" -Status "Current WMI Status: $status"

  17:             

  18:             # Determine if the Process is Running. If not, reloop. If so exit loop.

  19:             if ($status -eq "Running") {

  20:                 write-host "$Service Service Started Successfully: $status in $b Seconds"

  21:                 [int]$b = $timer1    

  22:                     $success = "yes"

  23:                 

  24:                 # Tells the Loop to Stop Incrementing as the Service is running

  25:                 Write-Progress -Activity "Completed" -Status "Current $Service Status: $status in $b Seconds" -Completed 

  26:                 

  27:             }

  28:         

  29:         # Start-Sleep is available for the write-progress. Its value is in seconds.

  30:         start-sleep 1

  31:  

  32:     }

  33:     # The script will now stop as the above loop has meet its time criteria and the success is not set to yes.time has expired.

  34:     if ($success -ne "yes") { 

  35:         write-host "ERROR in Script: $Service Service Did Not Start In $timer1 Seconds. Status: $status"

  36:         # Stop the Script

  37:        BREAK

  38:     } 

  39: }

  40:  

  41: # The service must be the actual executible name, not the friendly name

  42: # The Below Examples are Querying SQL Services for startup waiting 120 seconds for a timeout.

  43: QueryService "SQLServerAgent" "120"

  44: QueryService "MSSQLSERVER" "120"

The implementation of the QueryService is pretty straight forward. The syntax is

QueryServices “EXENAME” “TIMEOUT_IN_SECONDS”

The exe name is what is found in the Services Management Console listed under the "Service Name”. Using the “Display Name” will not work with this function.

Please note: If a service is running, there will be approximately a second delay in the script while the system is verifying if the service is running. This is a small sacrifice for error handling in the instance that the service may not be running.

Happy Coding!

Thinking about transitioning your 3G service to Verizon Wireless’s 4G LTE bandwagon? Read the article below! It could save you a lot of money.

On December 5th, 2010, Verizon Wireless officially offered 4G LTE services for their customers. This new IP based technology, is noted to offer 10 times the speed from the 3G technology and be the most advanced 4G network yet. With new devices in the store to prove the speed, and truly a noticeable difference in the speeds, it would make any techy guy curious to upgrade to this new technology. Both devices released by Verizon Wireless run around $99.00 online and $149.00 with $50.00 mail-in rebate in the store. The cost is not significant enough to be afraid of and sparked my interest enough to purchase a device.

I had been using a Novatel Wireless USB760 3G device for VPN into my office and listening to Pandora. It did everything I needed including hosting Citrix sessions to DOORS (Dynamic Object-Oriented Requirements), submitting code changes to Rational Clear Case, and Remote Desktop Connections, all with VERY little lag. For businesses purposes, the 3G device works just fine in good coverage. I especially appreciated Verizon Wireless’s (almost) seamless network and traveling between the states, I almost never have an issue with coverage. I have been (and still very much am) a very happy customer with Verizon Wireless.

Since I recently moved to a place located in Eden Prairie, MN, and started work in Minneapolis, MN, it became an immediate no brainer to switch to the 4G service. That way I would completely avoid having to wait for Qwest or Comcast to deliver a cable modem to setup my new place with internet. I could really capitalize on my use of my broadband card since I barely hit the limit every month with the 3G services. After all, I was in the market for broadband service for my new place, and FiOS was not available in this market. I found my way into purchasing a Pantech UML 290 featuring Verizon’s 4G service. Through a bit of upgrading of my account, and keeping my 5GB data plan for $59.99, I became a proud father of the 4G device and services.

The second I got home, I whipped out the card, ignoring the “big red warning on the box”  (telling me to install the updated VZ Access Manager) and plugged in into my laptop to find a frustrating point. The Pantech UML 290, does not include in the driver updates on the device like my Novatel Wireless Device did. In the past, I would just plug the Novatel device into a computer and there was a sector on the Novatel device that had a version of the VZ Access Manager. With the Pantech device I had to install it from a CD; I can’t imagine if were to lose this CD. I’d say I’m most disappointed because the VZ Access Manager did not receive and update to have these drivers included by default, therefore, I had to install the updated software on two of my laptops and my workstation — I am NOT a fan of this.

After getting past the 2 minute installation – not that much of a pain point – I immediately logged into my NetFlix account and browsed for movies to test video streaming capabilities. This had been a pain point of my 3G card where steaming video could be challenging. Looking to unpack stuff and watch a movie I settled on the Bourne Identity and hit play. The video quality was great and there were absolutely NO hiccups with the service. To test the buffering, I decided to pause the video, fast forward it and resume play. Within a second or two, the video started to play again. From there I let the 119minute video play to the credits. After the Bourne Identity, I went on Hulu and found my guilty pleasure of Hells Kitchen, a 45 minute video stream. Again, a flawless stream. From that point, I was extremely excited to brag to all my co-workers about the new 4G toy that I got, certain all of them would transition their services over.

Where The Dollars Don’t Make Sense

Curious to see what type of bandwidth I was using streaming the video from NetFlix and Hulu, I took a look at my data usage keeping in mind, I already used 600MB of bandwidth. This is about where Verizon Wireless lost my interest to continue the 4G services.

In their “Your Guide” booklet shown above, the video streaming is rated at 260MB/hour standard definition (Bourne Identity is not available in HD streaming on NetFlix / and I can’t imagine Hells Kitchen is streamed in HD to a standard user). Since I was watching movies for about 164 minutes, or 2.73 hours, according to Verizon’s specifications, I would have racked up 780 MB of data usage. Instead, I found that my 600MB use that I already used got bumped up to 2,300MB. This means that 2.73 hours of video cost me 1700 MB which is a rate of 622.7MB/HR!!! Verizon Wireless missed their estimated use by almost 3 times their printed data rate.

Why such a difference from my 3G? Well, video sites such as Hulu, NetFlix, and YouTube have new bandwidth specific buffering technologies. In essence, if you have a slow connection, it will lower the quality of the video you see. This equates to a lower bandwidth requirement. So technically, the documentation is correct for 3G broadband cards. Likewise, for 4G Broadband Cards that can support higher bandwidth rates, the requirement will be greater. This also applies to audio streaming sites such as Pandora. The audio quality gets lowered and increased depending on what type of connection you have.

Warning! DO NOT WATCH VIDEO ON THE 4G NETWORK!! (until data plans change)

For any user that unchecked viewing the data usage, and would watch at least 2.73 hours of TV a night, they would reach their daily limit of 5GB in 3 days and 10GB in 6 days. Now, for 10GB customers that continue at that data usage rate for the whole month (lets say its February) for 28 days, they would use 47.6GB of data. The overage per GB / month rate is $10/GB, the unsuspecting Verizon Wireless Customer will rack up $380 access overage charges in addition to their $80.00 plan. One month of minor video use on the plan will run $460.00 for a month! I can’t even imagine if I were to fall asleep one night streaming Hulu or watching the notoriously long Lord of the Rings Video series, and 8 hours later have all my data plan used. It would cost more than 90% of the hotels I’ve been in for a night. Ouch.

This is a major oversight by the Verizon Wireless sales and marketing team. It goes in line of the age old saying of what Intel “Give-ith”, Microsoft “Take-ith”. Giving your customers more through-put will promote higher data utilization. I would personally be willing to pay $120/month for unlimited data usage on a 4G network with the ability to go to use the 3G markets where 4G is not supported (all the Verizon Wireless Cards are backwards compatible with 3G). It is, however, not the case, and I wrote this article to gain support from my community to ask Verizon Wireless to bump up their data usage.

The Final Verdict of 4G LTE

The Verizon Wireless 4G LTE service is amazing in both Eden Prairie, MN and Minneapolis, MN. When streaming video, the video buffer was almost immediately full and browsing from site to site was equally as impressive. This completely destroys the 3G technologies and the 4G LTE want-to-be companies like Sprint and US Cellular. I want to be clear that I LOVE the new Verizon Wireless 4G technology and what it has to offer, but I strongly dislike the 4G pricing structure. I see Verizon Wireless as the Mercedes and BMW of the cellular networks, and I am willing to pay for every feature as long as it provides value and isn’t insanely priced. I currently pay $249.00/ month in smart phone, and broadband charges. I’m having a really difficult time justifying the benefit of 4G over a DSL / Cable / FiOS network with its pricing structure and how much I am paying right now. I am a premium home user.

Why not stick with the 4G device? Well the problem is, you don’t get real time data usage notifications. You only get notified at the beginning of the data session of what your usage is. This means that if you are in a heavy data session, like getting carried away on YouTube, watching clips like Charlie Bite me, you might get a surprise in the mail at months end. Likewise if you’re a technician downloading an ISO, like to download music on iTunes, or need to restore your iTunes downloads; all data intensive items that would go quickly and would just as quickly take your money.

Final Verdict – After using the device for less than 24 hours and a $35.00 “restocking” fee, I am back to my 3G Novatell Wireless Card. While I may be out $35.00, it could have been much, much more than that! Qwest internet installation has been scheduled and I am back posting blog articles using my Verizon Wireless Novatel 3G device.

I strongly encourage comments.

Systems Administrators around the world have been baffled by security changes with SQL Server 2005/2008 and Active Directory Authentication. Even more so the issues with traversing through layers of security groups for Windows permissions within SQL Server 2008. For example, in the initial releases of SQL Server 2008, there was a frustrating bug in which adding new domain users or groups to SQL Server 2008, you MUST add these domain users and groups as the user that installed SQL Server 2008; be it a domain or a local user. Below are two SQL Server Windows Security caveats that we found were necessary to address to provide some level of sanity to our readers.

User Security Identifiers Now in the Sys.SysLogins

One item that Microsoft snuck into SQL Server 2005 and SQL Server 2008 are the use of Security Identifiers (SIDs) in the authentication model. In the typical model of SQL User Authentication, this becomes a non issue, however, with a Windows based authentication, this can cause HUGE headaches if not planned for properly.

Security Identifiers are identification GUIDs that are tied to users and groups in local security and active directory. These values are created to ensure that if a hacker tries to hijack a username such as “Brenton” in the “Geeks” group, it rejects the hijacked username as the security identifier is required in addition to the login name. This works as an excellent method to prevent hijacking attempts, however, if an administrator accidently deletes a User or Group, a new SID is created.

SIDs are secure but also are the key to the headache. Lets say a network consists of 1050 independent SQL Servers at a branch of retails stores, like American Eagle Outfitters (they really do have databases at each breach; and they really do have 1050+ stores). If the authentication credential on all 1050 stores is “Geek_User” and a systems administrator accidently deletes this user from Active Directory, all functionality under the “Geek_User” stops. When the systems administrator realizes that he deleted this user, he will add the user “Geek_User” back into Active Directory. The issue is that the ‘”Geek_User”, while named the same, has a new SID, and the authentication into SQL Server 2008 will still fail.

Further, this issue will be extremely difficult to figure out because the User will exists within active director/local security and SQL Server. However, the authentication into SQL Server will fail to work and the services assigned to the authentication will fail to start.

*NOTE: SQL Server 2008 will not allow a User to start its services  (E.G. SQL Server Agent), if the user does not have privileges within SQL Server 2008. The User or Group has to be added prior to the services starting.

One may experience an error message when starting the SQL Server Agent (being that the “Geeks_User” starts the service) :

“Windows Could not start the SQL Server Agent (MSSQLSERVER) service on the Local Computer.

Error 1069: The Service did not start due to a logon failure.”

In a panic, the Systems Administrator now goes into services and re-configures the SQL server credentials of the “Geek_User”. The system now provides the misleading message of granting the logon privilege to the “Geek_user”. Now that the Service Authentication has the correct SID the error message changes. When the systems administrator starts SQL Server Agent Service, the following message is splayed:

“The SQL Server Agent (MSSQLSERVER) service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.”

When the systems administrator checks the Windows Event Log it displays:

"Login failed for user ‘%’. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors"

Correcting SID Issues

All of the above error messages are examples of broken SID error messages. The only way to correct this issue is to remove and re-add the users and groups that have been accidently deleted in SQL Server 2008. This can be done in two different ways, one, a network script on all of the servers, that utilizes SQL Server Authentication or two, a remote Powershell script.

The way to prevent a global outage due to this issue on a global scale for the “large retailer” example, is to create individual Windows User credentials for each of their 1050 stores and place them within their respective SQL Server 2008 instance. This will provide the security of Active Directory (disabling a user account if the server is stolen), and the centralized management utilizing Active Directory. While adding a Group may seem like a more efficient methodology, and it is recommended by Microsoft, it still provides a single point of failure if the credentials are accidently deleted.

The following command can be executed to drop the “Geek_User” from SQL and re-creating the “Geek_User” with ‘sysadmin’ privileges:

   1:  

   2: DROP LOGIN [Geek_User]

   3: CREATE LOGIN [Geek_User] FROM WINDOWS WITH DEFAULT_DATABASE=[MASTER], DEFAULT_LANGUAGE=[us_english]

   4: EXEC sys.sp_addsrvrolemember @loginame = N'Geek_User', @rolename = N'sysadmin'

   5:  

   6:  

If Powershell is your flavor of scripting, assuming you know the computer names of each store, the Powershell Code below can be added the “Powershell Script to Determine NetBIOS – Powershell to Add SQL Server 2008 Users or Groups” code (below). Execute these commands on all of the servers affected by the issue.

Feel free to contact me if you would like me to create a looping mechanism with a CSV import.

   1: # Add the user into SQL. Be sure to change the SQL User of sa and password of my password.

   2: [string]$err = sqlcmd -Usa -Pmypassword -d 'master' -Q "DROP LOGON `[$user`]"

   3:  

   4: # This variable will become populated if an error occurred; else it will remain blank.

   5: if ($err) { write-host "ERROR! The following error occurred while Dropping SQL User from Master Database: $err " }

NetBIOS Based Windows Authentication Only

One of the issues that we worked with Microsoft to resolve is the authentication mechanisms for users and groups in SQL Server 2008. As of October 4th, 2010, Microsoft only supports NETBIOS based Windows authentication. This means that the credentials of “domain.root\Username” are NOT supported by the SQL Server 2008 authentication protocol stack. Further, in order to use complex domain structures such as “WinXPDevGrp.US.Microsoft.com”, it is required that an administrator resolves the NetBIOS name value of the domain prior to the addition of the User or Group.

Taking the above example, trying to resolve a group named “Geeks”, in the United States Windows XP Development Group at Microsoft, would fail if the administrator utilized the logon name of “WinXPDevGrp.US.Microsoft.com\Geeks”. The following error would appear:

“ Create Failed for Login ‘WINXPDEVGRP.US.MICROSOFT.COM\Geeks’. (Microsoft.SqlServer.Smo)

Additional Information:

|–> An Exception occurred while executing a Transact-SQL statement or Batch. (Microsoft.SqlServer.ConnectionInfo)

|———–> Windows NT user or group ‘WINXPDEVGRP.US.MICROSOFT.COM\Geeks’ not found. Check the name again. (Microsoft SQL Server, Error:15401)

Given the conversations with Microsoft, it unfortunately is the character of ‘period’ in the authentication string that is causing the error above. After research, I found that Microsoft addressed the ‘period’ issue in the column names as found in this knowledge base article: KB972856. SQL Server 2008 does not like the use of Periods. Even when using brackets around the name shown like “[WinXPDevGrp.US.Microsoft.com\Geeks]” or “[WinXPDevGrp.US.Microsoft.com]\[Geeks]”, SQL Server 2008 will still produce the above error message.

Workarounds for Domain Authentication

No worries my friends, there are workarounds to this issue. At this point, you typically go to your Systems Administrator asking how to convert domain names to NetBIOS names. Or perhaps ask do all domains have NetBIOS Names? – The simple answer is No. NetBIOS Names are NOT required to create a domain on certain domain controllers. In fact, some organizations disable the use of NetBIOS.

Do all Microsoft Domains have NetBIOS Names? This is a little bit more of a complicated answer. When configuring Active Directory on a Windows Server 2008 Domain Controller, in order to support domain trusts, and forest trusts, Domain NetBIOS names are required. This is our speculation, but we assume this is why SQL Server 2008 utilizes NetBIOS Names for authentication. If the Domain NetBIOS Name cannot be resolved, it assumes either the NetBIOS resolution is disabled or the domain / forest trusts are not configured correctly.  

Workaround #1 – Using the Login Name: “Search…” Feature

SQL Server provides a mechanism for searching the domain for users. There are a few prerequisites that are required on both the SQL Server 2008 system. The following services are required for network browsing on Windows Server 2008 that has SQL Server 2008 on it:

• Computer Browser Service – Service Name: “Browser”
• Function Discovery Provider Host – Service Name: “fdPHost”
• SSDP Discovery Service – Service Name: “SSDPSRV”
• UPnP Device Host Service – Service Name: “UPNPhost”
• The firewall rule for network discovery must be configured to enabled utilizing the following command:
  • netsh advfirewall firewall set rule group=”Network Discovery” new enable=yes

From there, you can search the Active Directory Structure to find the appropriate user or group using the SQL Server 2008 GUI.

Workaround #2 – Utilizing NBTSTAT to resolve Domain NetBIOS Names

The tool of choice for system administrators is NBTSTAT. Typing the following command will allow for Domain NetBIOS name Resolution of the current domain you are connected to on a system:

• nbtstat –n

Command Result:

NetBIOS Local Name Table

NAME…………………TYPE …………………STATUS

XPDEVGRP12…………UNIQUE …………………Registered

The NetBIOS name of “XPDEVGRP12\Geeks” would then be required to be manually entered into the “Login Name:” field of the SQL Server GUI, or manually placed into the CREATE LOGON command.

Workaround #3 – Automated Powershell Domain NetBIOS Name Resolution and User Creation

We couldn’t help with my utter (moo) frustration with not being able to come up with a command within a SQL Query to resolve the Domain NetBIOS name without using “sp_configure XP_cmdshell”; a major NO NO for the Department of Defense regulatory security requirements.

Instead we developed a Powershell script to perform the following:

• Resolve the Domain NetBIOS Name
• Create the User Syntax For the SQL CREATE LOGON Command
• Issue SQLCMD commands to create the logon

Powershell Script to Determine NetBIOS – Powershell to Add SQL Server 2008 Users or Groups

Download PS1 Code Here

   1: # This script will resolve the NetBios Name of a Domain then add a user with the netbios name.

   2: # Don't forget to execute: set-executionpolicy RemoteSigned

   3: # in powershell prior to the use of this script

   4: # Step 1: Import The Active Directory Module

   5: import-module activedirectory

   6:  

   7: # Step 2: Save the Current Directory Identity into a variable (Replace Domain.root with your domain)

   8: $ident = get-addomain -identity domain.root -ErrorVariable Err -ErrorAction SilentlyContinue

   9:  

  10: # If there is an Error Stop and Report it > Else Continue

  11: if ($err) { Write-Host "ERROR! The following error occurred while obtaining NetBIOS Name: $err" }

  12:  

  13: # Select the netbios name and put it into a string

  14: [string[$netbiosname = $ident.netbiosname

  15:  

  16: # Setup User Variable for the add. Change Geeks to the user or Group you'd desire.

  17: $user = $netbiosname + "\Geeks"

  18:  

  19: # Add the user into SQL. Be sure to change the SQL User of sa and password of my password.

  20: [string]$err = sqlcmd -Usa -Pmypassword -d 'master' -Q "CREATE LOGIN `[$user`] FROM WINDOWS WITH DEFAULT_DATABASE=`[MASTER`], DEFAULT_LANGUAGE=`[us_english`]"

  21:  

  22: # This variable will become populated if an error occurred; else it will remain blank.

  23: if ($err) { write-host "ERROR! The following error occurred while creating SQL User: $err " }

  24:  

  25: # The permission addition will execute if the above command was successful.

  26: Else {

  27:     # Add the credential of Sysadmin to the users. This can be changed to any role. 

  28:     [string]$err = sqlcmd -Usa -Pmypassword -d 'master' -Q "EXEC sys.sp_addsrvrolemember @loginame = N'$user', @rolename = N'sysadmin'"

  29:     if ($err) {

  30:         write-host "Error Assigning Permisssions to $user: $err"

  31:     }

  32: }

While Microsoft did document how to do resolve NetBIOS in the Microsoft Library, they forgot a major line of code; which you see in line 5. You have to Import the Active Directory Module into Powershell, or else the command will not be recognized. I thought I would repost this code and provide it to my readers.

This should be a very simple, but useful gem of knowledge.

Happy coding!

“Broken By Design”

UPDATED! After hours of conference calls with Microsoft, and multiple tiers of support, we come to the conclusion that Nested Local Groups in Built-in Groups are “broken by design”. What does this really mean? When you nest a Local Group into a Built-in Local Group, the effective permission set for the Users within that Local Group is reduced to Guest. This remains true unless the Users are specifically added into the Built-in Local Groups, which will result in proper permissions being passed to the Users.

Nesting Issue Explained

Lets take the above graphic, where we created a new local group called ‘Geeks’ which contains users named “Brenton B” and “Jason P”. From there, we added the ‘Geeks’ local to the Built-in ‘Administrators’ local group. From that hierarchy, we should assume any users in the ‘Geeks’ Local Group, should obtain Administrative privileges by traversing through the security pathway. Unfortunately, this is not the case.

Note: This issue is for all of the Built-in Groups on the system including, but not limited to, Administrators, Backup Operators, Power Users, and Users. I used the Administrators Group, as it’s easiest to work with.

The issue has to do with second level security traversing with Built-in Groups. While the first level traversing is a trusted security relationship in the operating system, the second security relationship is not trusted. This means that the ’Geeks’ Local Group object is effectively a member of the ‘Administrators’ Group and it also means that Brenton B. and Jason P. are members of the ‘Geeks’ Local Group. It will not, however, traverse to the second level and grant Brenton B. and Jason P. group membership to Administrators.

What About Restricted Groups in Group Policies?

This issue unfortunately is also present when you have Restricted Groups. Restricted Groups within Group Policies force group associations to the local groups in the Operating System. While you mandate the ‘TestAdmin’ Group as part of the Built-in Administrators Local Group, the permission lookup occurs on the Windows Operating System; thus the Nested Groups do not traverse.

Can You Still Add Groups To Built-in Groups?

Yes, as shown above! While the GUI of Windows does not provide a method to directly add Groups within Built-in Groups, you can execute two commands that would provide for adding Groups in Groups.

Method 1 – Powershell

   1: # Obtain the Current Computer Name

   2: $cmpName = [System.Net.DNS]::GetHostName()

   3:  

   4: # Make the ADSI Call into the Computer

   5: $adsiCall = [ADSI] ("WinNT://$cmpName,computer")

   6:  

   7: # Create the worker variable

   8: $objworker = $adsiCall.Create("group","Geeks")

   9: $objworker.put("description","Geeks Local Group")

  10:  

  11: # Create Object from worker variable

  12: $objworker.setinfo()

  13:  

  14: # Create the Group Association

  15: $adsistring = "$cmpName/Administrators,group"

  16:  

  17: # Create the worker variable

  18: $group = [adsi] ("WinNT://$adsistring")

  19:  

  20: # Add the group

  21: $group.add("WinNT://$cmpName/Geeks")

Method 2 – NET Commands in BAT File

   1: net localgroup "Geeks" /Add

   2: net localgroup "Administrators" "Geeks" /Add

* The above Methods add the ‘Geeks’ local Group, then add the ‘Geeks’ Local Group to the ‘Administrators’ Group

Resolution to the Issue

The following can be performed to resolve the issue:

#1 Add the Users of the Geeks Group directly to the Built-in Administrators Group.

#2 Create a Domain Global Group named ‘Geeks’ and place the Domain Global Group ‘Geeks’ in the Local Administrators Restricted Group.

Supporting documents: According to Microsoft’s knowledge Base articles

http://technet.microsoft.com/en-us/library/ee681621(WS.10).aspx … “This is the expected behavior of the Computer Management snap-in.”

and

http://support.microsoft.com/kb/974815 … where we can quote directly “This behavior is by design. Windows does not support the nesting of local groups on domain clients or on workgroup clients.”

UPDATED! Let me explain this one a bit more – I received an email From Microsoft that explained the nesting functionality as follows:

“The process of determining the security-groups a user belongs to is called group expansion, which is an integral part of user authentication. It is necessary that the group expansion accurately generates a list containing the groups that the user is a member of (directly or indirectly) in order to allow the user accesses to various resources. It is by design that group membership does not expand nested local groups.

Microsoft’s intention was to disallow nesting groups in group authoring experience (as in the case of the UI) to accurately reflect group expansion constraints. As your examples point out, there are several ways of nesting local groups, contrary to our intention. Our suggestion is to never nest local groups even when it is allowed by a group authoring tool like “net local group” because such nesting doesn’t reflect the group expansion constraints and the end results would be different from the expected results.”

What Microsoft is saying in a formal way – Their design for group expansion model does not include the ability to look through multiple levels of local Nested Groups. It only provides the ability to look one level deep due to the way it was developed by Microsoft. By not knowing how large of an impact it would be to add the ability to nest local groups, I can only assume that Microsoft does not think it is advantageous to add this functionality due to the number of users that will be using the system in this way – which makes sense.

We were able to get the Local Groups to Accept “Global” and “Domain Local”* active directory groups. While this doesn’t help a stand alone system for nesting of groups, it does provide a work around for authentication. This means that if you were to make the ‘Geeks’ Group, from the first example above, a Active Directory Group, the local system will pass the authentication query to Active Directory which then has the mechanisms to traverse through nested groups.

** Be cautious when adding Domain Local Groups to the system as if you have any forests, or trusts, the security will not traverse through the forest or any trusts. **

A special thanks to Jim Tan, Richard Leung, and Sunil Naik from Microsoft with their help on my issue!

This article is to aid those who are receiving the “Data is Invalid” error message in Powershell on Windows Server 2008 R2. This issue occurs while trying to import policies from one domain into their a different domain using a migration table. This issue has to do with the migration table editor referring to the “Pre-Windows 2000 Username” to migrate users instead of their Standard Username.

Syntax of Command Used for Error:

Import-GPO –BackupID {GUIDGOESHERE} –TargetName “Default_AccountingPolicy” –path “c:\scriptloc\” –MigrationTable “C:\scriptloc\DefaultMig.migtable” –CreateIfNeeded | Out-Null

Error:

“ Import-GPO : The Data is invalid. (Exception from HRESULT: 0x8007000D) “

Solution:

The issue has to do with creating Users and User Groups without the ‘SAMACCOUNTNAME’ field while coding with Powershell. Windows Server 2008 R2 generates a unique Pre-2000 username starting with ‘$’ and a series of numbers following. When using the ‘-migrationtable’ trigger, it causes import-gpo cmdlet to validate the “destination users” PRIOR to importing the group policy. If it cannot resolve the User or User group, it will cause the ‘’HRESULT error’.

The following lines were added to the Powershell Script for creating a User Group, which corrected this issue:

   1: # Where $objworker was the AD method and $ADobjname was the name of the user / group

   2: $objworker.put("sAMAccountName", "$ADobjname")

   3: $objworker.SetInfo()

Depending on your network, the fix can be done in two ways:

1. Ensure the “Pre-Windows 2000 name” is the same as the “Standard Windows Name”
2. Correct the Migration Table to Use the Pre-Windows 2000 Names for the ‘Destination’

Simple fix – just wish that the error would be more like “Errors in Migration Table”. The error message of “The Data Is Invalid “ is useless in my opinion.

Happy Coding!

The encryption and decryption of strings is essential when creating an enterprise product that has clear text passwords. This function displays how to encrypt and decrypt a string using Powershell using Richard’s code located at http://poshcode.org/116. While I found his code very useful, he didn’t explain the syntax and is why I am reposting this with the proper information.

I also decided to make this into an endless loop for an administrator to use to encrypt multiple passwords in a row. I found this to be useful as I never had to encrypt just one password.

Important for your security!!

In order to ensure your application is safe from an attacker be certain to perform each of the following:

1.  Change the $salt variable and $init variables. These variables should be at least 8 characters long but should be changed or your application is subject to a brute force attack if someone determines you are using my code!

   1: function Encrypt-String($String, $Passphrase, $salt="SaltCrypto", $init="IV_Password", [switch]$arrayOutput)

2.  Change the Passphrase that is passed into the function. I suggest a 12-18 character Passphrase to prevent the above brute force attack.

   1: $encrypted = Encrypt-String $string "MyStrongPassword"

3.  Be sure to pass the right Passphrase into the function for decryption. If you pass the wrong key into the function, you will not get the correct password returned from the function.

Function for Encrypting / Decrypting A String in PowerShell

Download PS1 Here

   1: #################

   2: # Powershell Allows The Loading of .NET Assemblies

   3: # Load the Security assembly to use with this script 

   4: #################

   5: [Reflection.Assembly]::LoadWithPartialName("System.Security")

   6:  

   7: #################

   8: # This function is to Encrypt A String.

   9: # $string is the string to encrypt, $passphrase is a second security "password" that has to be passed to decrypt.

  10: # $salt is used during the generation of the crypto password to prevent password guessing.

  11: # $init is used to compute the crypto hash -- a checksum of the encryption

  12: #################

  13: function Encrypt-String($String, $Passphrase, $salt="SaltCrypto", $init="IV_Password", [switch]$arrayOutput)

  14: {

  15:     # Create a COM Object for RijndaelManaged Cryptography

  16:     $r = new-Object System.Security.Cryptography.RijndaelManaged

  17:     # Convert the Passphrase to UTF8 Bytes

  18:     $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)

  19:     # Convert the Salt to UTF Bytes

  20:     $salt = [Text.Encoding]::UTF8.GetBytes($salt)

  21:  

  22:     # Create the Encryption Key using the passphrase, salt and SHA1 algorithm at 256 bits

  23:     $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8

  24:     # Create the Intersecting Vector Cryptology Hash with the init

  25:     $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )[0..15]

  26:     

  27:     # Starts the New Encryption using the Key and IV   

  28:     $c = $r.CreateEncryptor()

  29:     # Creates a MemoryStream to do the encryption in

  30:     $ms = new-Object IO.MemoryStream

  31:     # Creates the new Cryptology Stream --> Outputs to $MS or Memory Stream

  32:     $cs = new-Object Security.Cryptography.CryptoStream $ms,$c,"Write"

  33:     # Starts the new Cryptology Stream

  34:     $sw = new-Object IO.StreamWriter $cs

  35:     # Writes the string in the Cryptology Stream

  36:     $sw.Write($String)

  37:     # Stops the stream writer

  38:     $sw.Close()

  39:     # Stops the Cryptology Stream

  40:     $cs.Close()

  41:     # Stops writing to Memory

  42:     $ms.Close()

  43:     # Clears the IV and HASH from memory to prevent memory read attacks

  44:     $r.Clear()

  45:     # Takes the MemoryStream and puts it to an array

  46:     [byte[]]$result = $ms.ToArray()

  47:     # Converts the array from Base 64 to a string and returns

  48:     return [Convert]::ToBase64String($result)

  49: }

  50:  

  51: function Decrypt-String($Encrypted, $Passphrase, $salt="SaltCrypto", $init="IV_Password")

  52: {

  53:     # If the value in the Encrypted is a string, convert it to Base64

  54:     if($Encrypted -is [string]){

  55:         $Encrypted = [Convert]::FromBase64String($Encrypted)

  56:        }

  57:  

  58:     # Create a COM Object for RijndaelManaged Cryptography

  59:     $r = new-Object System.Security.Cryptography.RijndaelManaged

  60:     # Convert the Passphrase to UTF8 Bytes

  61:     $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)

  62:     # Convert the Salt to UTF Bytes

  63:     $salt = [Text.Encoding]::UTF8.GetBytes($salt)

  64:  

  65:     # Create the Encryption Key using the passphrase, salt and SHA1 algorithm at 256 bits

  66:     $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8

  67:     # Create the Intersecting Vector Cryptology Hash with the init

  68:     $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )[0..15]

  69:  

  70:  

  71:     # Create a new Decryptor

  72:     $d = $r.CreateDecryptor()

  73:     # Create a New memory stream with the encrypted value.

  74:     $ms = new-Object IO.MemoryStream @(,$Encrypted)

  75:     # Read the new memory stream and read it in the cryptology stream

  76:     $cs = new-Object Security.Cryptography.CryptoStream $ms,$d,"Read"

  77:     # Read the new decrypted stream

  78:     $sr = new-Object IO.StreamReader $cs

  79:     # Return from the function the stream

  80:     Write-Output $sr.ReadToEnd()

  81:     # Stops the stream    

  82:     $sr.Close()

  83:     # Stops the crypology stream

  84:     $cs.Close()

  85:     # Stops the memory stream

  86:     $ms.Close()

  87:     # Clears the RijndaelManaged Cryptology IV and Key

  88:     $r.Clear()

  89: }

  90:  

  91: # This clears the screen of the output from the loading of the assembly.

  92: cls

  93:  

  94: # $me will never = 1, so It will run indefinately

  95: $me = 0

  96:     write-host "To End This Application, Close the Window"    

  97:     Write-host ""

  98: do

  99: {

 100:     # Prompt the user for the password    

 101:     $string = read-host "Please Enter User Password"

 102:     # Encrypt the string and store it into the $encrypted variable

 103:     $encrypted = Encrypt-String $string "MyStrongPassword"

 104:     # Write result to the screen

 105:     write-host "Encrypted Password is: $encrypted"

 106:     write-host ""

 107:  

 108:     write-host "Testing Decryption of Password..."

 109:     

 110:     # Decrypts the string and stores the decrypted value in $decrypted

 111:     $decrypted = Decrypt-String $encrypted "MyStrongPassword"

 112:     # Writes the decrpted value to the screen

 113:     write-host "Decrypted Password is: $decrypted"

 114:     write-host ""

 115: }

 116:  

 117: while ($me -ne 1)

To use this Function:

Start > Run > Type powershell.exe –noexit c:\location\EncryptDecryptString.ps1

** When you are done close the window.

Function for Encrypting Username and Passwords in PowerShell

Download PS1 Here

You will notice that I changed the Passphrase for both the username and the password. This is not necessary, however, it adds another layer of security. Try not to encrypt everything with the same passphrase. If one item gets compromised, everything encrypted under that passphrase is compromised.

   1: #################

   2: # Powershell Allows The Loading of .NET Assemblies

   3: # Load the Security assembly to use with this script 

   4: #################

   5: [Reflection.Assembly]::LoadWithPartialName("System.Security")

   6:  

   7: #################

   8: # This function is to Encrypt A String.

   9: # $string is the string to encrypt, $passphrase is a second security "password" that has to be passed to decrypt.

  10: # $salt is used during the generation of the crypto password to prevent password guessing.

  11: # $init is used to compute the crypto hash -- a checksum of the encryption

  12: #################

  13: function Encrypt-String($String, $Passphrase, $salt="SaltCrypto", $init="IV_Password", [switch]$arrayOutput)

  14: {

  15:     # Create a COM Object for RijndaelManaged Cryptography

  16:     $r = new-Object System.Security.Cryptography.RijndaelManaged

  17:     # Convert the Passphrase to UTF8 Bytes

  18:     $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)

  19:     # Convert the Salt to UTF Bytes

  20:     $salt = [Text.Encoding]::UTF8.GetBytes($salt)

  21:  

  22:     # Create the Encryption Key using the passphrase, salt and SHA1 algorithm at 256 bits

  23:     $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8

  24:     # Create the Intersecting Vector Cryptology Hash with the init

  25:     $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )[0..15]

  26:     

  27:     # Starts the New Encryption using the Key and IV   

  28:     $c = $r.CreateEncryptor()

  29:     # Creates a MemoryStream to do the encryption in

  30:     $ms = new-Object IO.MemoryStream

  31:     # Creates the new Cryptology Stream --> Outputs to $MS or Memory Stream

  32:     $cs = new-Object Security.Cryptography.CryptoStream $ms,$c,"Write"

  33:     # Starts the new Cryptology Stream

  34:     $sw = new-Object IO.StreamWriter $cs

  35:     # Writes the string in the Cryptology Stream

  36:     $sw.Write($String)

  37:     # Stops the stream writer

  38:     $sw.Close()

  39:     # Stops the Cryptology Stream

  40:     $cs.Close()

  41:     # Stops writing to Memory

  42:     $ms.Close()

  43:     # Clears the IV and HASH from memory to prevent memory read attacks

  44:     $r.Clear()

  45:     # Takes the MemoryStream and puts it to an array

  46:     [byte[]]$result = $ms.ToArray()

  47:     # Converts the array from Base 64 to a string and returns

  48:     return [Convert]::ToBase64String($result)

  49: }

  50:  

  51: function Decrypt-String($Encrypted, $Passphrase, $salt="SaltCrypto", $init="IV_Password")

  52: {

  53:     # If the value in the Encrypted is a string, convert it to Base64

  54:     if($Encrypted -is [string]){

  55:         $Encrypted = [Convert]::FromBase64String($Encrypted)

  56:        }

  57:  

  58:     # Create a COM Object for RijndaelManaged Cryptography

  59:     $r = new-Object System.Security.Cryptography.RijndaelManaged

  60:     # Convert the Passphrase to UTF8 Bytes

  61:     $pass = [Text.Encoding]::UTF8.GetBytes($Passphrase)

  62:     # Convert the Salt to UTF Bytes

  63:     $salt = [Text.Encoding]::UTF8.GetBytes($salt)

  64:  

  65:     # Create the Encryption Key using the passphrase, salt and SHA1 algorithm at 256 bits

  66:     $r.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8

  67:     # Create the Intersecting Vector Cryptology Hash with the init

  68:     $r.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($init) )[0..15]

  69:  

  70:  

  71:     # Create a new Decryptor

  72:     $d = $r.CreateDecryptor()

  73:     # Create a New memory stream with the encrypted value.

  74:     $ms = new-Object IO.MemoryStream @(,$Encrypted)

  75:     # Read the new memory stream and read it in the cryptology stream

  76:     $cs = new-Object Security.Cryptography.CryptoStream $ms,$d,"Read"

  77:     # Read the new decrypted stream

  78:     $sr = new-Object IO.StreamReader $cs

  79:     # Return from the function the stream

  80:     Write-Output $sr.ReadToEnd()

  81:     # Stops the stream    

  82:     $sr.Close()

  83:     # Stops the crypology stream

  84:     $cs.Close()

  85:     # Stops the memory stream

  86:     $ms.Close()

  87:     # Clears the RijndaelManaged Cryptology IV and Key

  88:     $r.Clear()

  89: }

  90:  

  91: # This clears the screen of the output from the loading of the assembly.

  92: cls

  93:  

  94: # $me will never = 1, so It will run indefinately

  95: $me = 0

  96:     write-host "To End This Application, Close the Window"    

  97:     Write-host ""

  98: do

  99: {

 100:     # Prompt the user for the password    

 101:  

 102:     $ustring = read-host "(Case Sensitive) Please Enter Username"

 103:     $pstring = read-host "(Case Sensitive) Please Enter User Password"

 104:     # Encrypt the string and store it into the $encrypted variable

 105:     $uencrypted = Encrypt-String $ustring "U_MyStrongPassword"

 106:     $pencrypted = Encrypt-String $pstring "P_MyStrongPassword"

 107:  

 108:     # Write result to the screen

 109:     write-host "Encrypted Username is: $uencrypted"

 110:     write-host ""

 111:     write-host "Encrypted Password is: $pencrypted"

 112:     write-host ""

 113:  

 114:     write-host "Testing Decryption of Username / Password..."

 115:     write-host ""    

 116:     # Decrypts the string and stores the decrypted value in $decrypted

 117:     $udecrypted = Decrypt-String $uencrypted "U_MyStrongPassword"

 118:     $pdecrypted = Decrypt-String $pencrypted "P_MyStrongPassword"

 119:     

 120:     # Writes the decrpted value to the screen

 121:     write-host "Decrypted Password is: $udecrypted"

 122:     write-host ""

 123:     write-host "Decrypted Password is: $pdecrypted"

 124:  

 125: }

 126:  

 127: while ($me -ne 1)

To use this Function:

Start > Run > Type powershell.exe –noexit c:\location\EncryptDecryptStringUP.ps1

** When you are done close the window.

This article explains the the method by which one would be able to Search Active Directory for the distinguished name of a User or Group. This is helpful when trying to add an object to Active Directory or adding Users to Groups.

Function Find-DN Finding Distinguished Name: Download PS1 Here

   1: # Function Find Distinguished Name

   2: function find-dn { param([string]$adfindtype, [string]$cName)

   3:     # Create A New ADSI Call

   4:     $root = [ADSI]''

   5:     # Create a New DirectorySearcher Object

   6:     $searcher = new-object System.DirectoryServices.DirectorySearcher($root)

   7:     # Set the filter to search for a specific CNAME

   8:     $searcher.filter = "(&(objectClass=$adfindtype) (CN=$cName))"

   9:     # Set results in $adfind variable

  10:     $adfind = $searcher.findall()

  11:     

  12:     # If Search has Multiple Answers 

  13:     if ($adfind.count -gt 1) {

  14:         $count = 0 

  15:         foreach($i in $adfind)

  16:         {

  17:             # Write Answers On Screen

  18:             write-host $count ": " $i.path

  19:             $count += 1

  20:         }

  21:         # Prompt User For Selection

  22:         $selection = Read-Host "Please select item: "

  23:         # Return the Selection

  24:         return $adfind[$selection].path

  25:     }

  26:     # Return The Answer

  27:     return $adfind[0].path

  28: }

Using this Function:

   1: # To use the function to find a User:

   2: find-dn "user" "Blawat"

   3:  

   4: # To use the function to find a Group:

   5: find-dn "group" "IT Help Desk"

Originally Posted – February 23, 2010

UPDATED 9/21/2010 - OK… I was a bit harsh on my review, and honestly I was my first bitter impression of the vehicle when it was first released. I’ve had comments of “did you really drive this vehicle” and “worst car reviews that I have ever seen”. Well for starters, I did really drive 2 CC’s at Fox Valley Volkswagen, in Schaumburg, IL and another one at Hall Mazda and Volkswagen, in Brookfield, WI. Both dealerships are wonderful dealerships with very knowledgeable staff. My grip is directly with the Volkswagen CC. I’ve updated the entire article to display WHY I bashed the 2010 Volkswagen CC. So here we go again

——————–

This article is the first of many car reviews for 2009/2010 vehicles. I chose the Volkswagen CC as the first review as it was the most intriguing to write about out of the 20 or so vehicles I was able to test drive.

2010 Volkswagen CC 

In an effort to raise the ‘class’ bar for VW, the Volkswagen created the Passat CC to replace standard VW Passat. At a first glance, you see a Mercedes CLS-class but after closer inspection, you realize the branding on the front is Volkswagen. This immediately intrigued me, and a test drive was in the works for the vehicle. After the test drive(s), I thought, with such sleek exterior styling, how did Volkswagen get it SO wrong?!!

Interior – Is it really that Luxurious?

Can anyone tell me which vehicle is the CC and which is the Passat?

With interior reminiscent of its Passat sister, I was really hoping for more. The dashboard gauges and steering wheels are exactly the same, while the shifter and the seats are slightly different. To answer my question above, the image on the [left] is the Passat CC and the Image on the [right] is the Standard Passat. Scary how close the interiors are. If the CC is supposed to be a ‘luxury sedan’, above it’s sister Passat, can’t they do something different other than the fake wood trim? – That’s about all they changed.

Why is this such a big deal? The Washington Times raved the Passat CC as having “classy-looking interior”. The new slogan speaks of luxury – but is it really? The Touch Screen radio is more of a gadget than a luxury option like the i-Drive on the BMW. The stereo is good but is known for cutting off at the top end when you are blasting the stereo – not so cool. I also do not like the fact that navigation is such a costly upgrade ($2,640) for such a small component to add to the stereo.

The ride is what I would expect from a German car with low road noise and it passes the door closing test. The door closing test is one where when you shut your door it is a solid thud. It shouldn’t have any radiating vibrations or rattles coming from inside the door or in the cabin. While the frame and chassis of the vehicle are solid, the interior still needs some major work to make you feel like you are in a luxury car.

I still don’t like the cylindrical shifter. It really forces me to stay away from playing in manual sport mode. When I am driving a ‘luxury sedan’ that has 280hp, I’d like to be able to feel like I can play. I just feel like the sliding the shifter to and from the manual sport mode just doesn’t have the same effect; much like having a shifter on the tree.

While I can admit that the CC’s seats are comfortable, I get very close to the same support in the Passat. The rear seat has a cup holder as part of the seat making the vehicle a true four seat vehicle. There will be no cramming three kids in the back and any person with young children that requires a child seat, be disappointed with cleaning the grooves in the cup holder and its cover. What about putting a child seat in the center like most parents do to keep their children in rear view? Yet another WHAT?!? Volkswagen moment. My second concern with this center console is hauling any items in the back seat such as a large cooler (one which wouldn’t fit in the opening of the trunk). I would be afraid of cracking the plastic on the cover of this cup holder. Good thing there are talks by Volkswagen to have a five seat option; but why not on the first release?!

The second gripe I have with the Volkswagen CC has to do with the headroom – more appropriately the panoramic sunroof. Such a fancy name for a vent and obviously a mistake to not design it to retract. It comes off as an after thought of “Do you think people would like this feature? Crap!”. The sunroof doesn’t retract it only pops open to provide added cabin sunlight and ventilation. If you get a VW without the sunroof, your headroom is decreased by several inches and any six foot man would start to get a claustrophobic feeling inside the cabin. Also to mention, during the test drive, I was fortunate to have a friend with me, and she confirmed (with her being 5’9”) she felt as if the roof was collapsing on her as well. This is because we transitioned from a Passat to the CC which has one inch less head clearance. It seems anyone over 5’8” requires the panoramic sunroof which was only available on the luxury package – (at the time of posting) – another “really??” moment. Thank god they now offer this panoramic sun roof for the standard model. Talk about being out of touch with your market.

Engine Performance

Performance? Nothing new… nothing real exciting. They still have the same 2.0T and VR6 engines.

The first gripe I have with the Volkswagen CC has to do with the 2.0 liter turbocharged automatic. The dual clutch system (DCS) (or direct shift gearbox (DSG); same thing) in the vehicle gives the feeling that you are consistently missing the gear at take-off, and during mid-gear acceleration (like the Lancer Rally Sport). While the salesman insisted it was the turbo lag – any seasoned turbo driver (such as myself) – knows that it’s the gear not engaging smoothly in the vehicle. To know the difference — turbo lag dips the RPM prior to an explosive take-off. The feeling you will get is that you are riding the clutch before it engages. The result is feeling like you are going to break the transmission when driving it. The throttle response is thus affected, and takes the fun out of driving the vehicle. When switching to the VR6 version of the VW CC, you’re immediately engaged and the engine grunt makes you feel – this is cool. The numerous reported issues with the VR6 engines require a second thought which purchasing the vehicle for engine longevity over 90k. JD Power and associates rated the VR6 engine the LOWEST in it’s class.

Midsized Sedan Performance Comparison

Summary – If it’s a performance midsize sedan you’re looking for, the Passat CC doesn’t line up. In fact, the Pontiac G8 GT starts at $31,000 and has been compared to a reasonable BMW 5 series at Motor Trend. For starting $35,000, you can get into a 2010 Ford Taurus SHO which has 365hp/250tq at 1500 RPM to put you to 60mph in 5.5 seconds; or the Charger SRT8. I was being fair to leave these out of the above specs even though the VR6 is the fastest engine selection for the Volkswagens. So when you get yourself into an on ramp race to the top, be assured you can beat a Ford Taurus SE and a Honda Accord Ex.

Midsized Luxury Sedan Performance Comparison

Please note for this comparison I decided to increase the bottom line price of the CC to that of the VR6 Sport Package.

Summary – With all things considered, it doesn’t look like the Passat CC can keep up with these vehicles either from a performance standpoint. In this section, the BMW 3 series is known as the hands down segment leader by Motor Trend. I guess it’s not that impressive of a luxury sedan.

How did they miss the mark?

Well lets see what others are saying:

“In its highest trims, however, the CC is more expensive than some editions of the BMW 3-Series or Infiniti G37 – cars that run circles around VW’s effort on the track and carry luxury car cachet.“
http://usnews.rankingsandreviews.com/cars-trucks/Volkswagen_CC/

“We must conclude that despite its similarity to the far pricier CLS, the $42,630 CC is too expensive to be considered a value-even against a Benz.” — Car and Driver

“Volkswagen blurs the semantic distinction between coupe and sedan, but at $42,650 (almost) fully equipped, we call it overpriced…For the kind of money you could spend on a V6-powered CC, you could haggle your way into a pretty decent BMW, for instance, or drive off in a platinum-plated, mink-upholstered Cadillac CTS with enough left over to buy a Vespa.” — Los Angeles Times

“Not only one expensive Volkswagen, but an expensive sedan among its peers. The 6-cylinder model is priced well above a comparably equipped Mazda 6 or Nissan Maxima, and within sight of rear- or all-wheel-drive competitors from the market’s most highfalutin brands.” — New York Times

“Nevertheless, if a serious sport sedan is what you seek, the Subaru WRX will clobber the CC every time at roughly the same price point.” MotorTrend

 

My Final Thoughts:

I still firmly believe that the Volkswagen missed the mark with the Passat CC in many ways. If it were a two door vehicle the rear seat configuration might make a little more sense, but it’s not. If it had a retractable sunroof it would make the headroom issue go away, but it doesn’t. If it was priced like other midsized sedans I would have given it serious consideration, and it wasn’t. If it has an impressive supercharged VR6 engine like the S4, I would have paid $40,000+ to get it, but it didn’t.

I can’t begin to tell you how awesome the exterior looks on this vehicle, but its extremely disappointing on the inside. If I were Volkswagen, I would take a serious look at their placement in the market and realize that they need to stick to either a mid-size sedan or a luxury midsize sedan.

Midsize Market Failures:

- Lower the cost of the vehicle

- Add that fifth seat that is rumored

- Add the Panoramic Sunroof as a standard feature (done)

- Reduce the cost of the tech navigation package.

- Offer a STANDARD 100,000 mile Power Train Warranty

- Offer a STANDARD 50,000 mile Bumper to Bumper Warranty

Luxury Market Failures:

- Performance is needed to keep up with the 300+ HP engines. It would make this car competitive with the Ford Taurus SHO and other Performance Luxury Sedans.

- Increase top speed stability over 130MPH.

- Chrome everything should be Standard.

- Rear side airbag should be Standard.

- Bi-Xenon Headlamps should be Standard.

- Run flat tires should be Standard.

- Front and rear park distance Standard.

- Better Voice Command System.

- Motorized side-mirrors.

- Upgrade the interior with different shifting mechanism, leather dash, electronic rear temperature controls, rear media upgrades, cooled seats, etc etc (its this kind of stuff that someone with money and wants a luxury sedan likes. Its the features we can show our friends like look at what my car can do that yours can’t).

End Result: EPIC FAILURE.

Updated End Result: Still Fails all of my points.

While there are many posts that describe the code to do this function, there aren’t many posts that provide variables with meaning or actually describe the syntax. This post describes the method by which you can retrieve a Distinguished Name from a Fully Qualified Domain Name.

Quick Reference:

Fully Qualified Domain Name (FQDN): division.domain.root

Distinguished Name (DC): DC=division,DC=Domain,DC=root

Canonical Name(CN): division.domain.root/OrganizationalUnit/

If you are looking for a quick way to obtain a Distinguished Name or Fully Qualified Domain Name See this article.

Mr. Weaver’s Code

Mark A. Weaver’s post Powershell – Recursive Group Membership, he describes the methods by which you can convert to and from multiple variables. Here is how Mr. Weaver performs the conversion operation:

   1: function Convert-DNStoDN ($DNSName)

   2: {

   3:    #  Create an array of each item in the string separated by "."

   4:    $DNSArray = $DNSName.Split(".")

   5:   # Let's go through our new array and do something with each item

   6:    for ($x = 0; $x -lt $DNSArray.Length ; $x++)

   7:       {

   8:         #I don't want a comma after my last item, so check to see if I am on my last one and set

   9:         # $Separator equal to nothing.

  10:         # Remember that we need to go to Length-1 because arrays are "0 based indexes"

  11:          if ($x -eq ($DNSArray.Length - 1)){$Separator = ""}else{$Separator =","}

  12:          [string]$DN += "DC=" + $DNSArray[$x] + $Separator

  13:       }

  14:    return $DN

  15: }

My Code – Explained

While my code is almost identical to Mr. Weaver’s Code, my only criticism is not providing useful variables and describing the functions. I can state, however, Mr. Weaver’s code provided a platform for a function that I use in a large production environment. I took the liberty to optimize the code (slightly) to meet my needs (Thank you sir!).

My Function looks like: Download PS1 Here

   1: function Get-Domain {

   2:     

   3:     #Retrieve the Fully Qualified Domain Name if one is not supplied

   4:     # division.domain.root

   5:  

   6:     if ($FQDN -eq "") {

   7:         [String]$fqdn = [System.DirectoryServices.ActiveDirectory.Domain]::getcurrentdomain()

   8:     }

   9:  

  10:     # Create a New Array 'Item' for each item in between the '.' characters

  11:     # Arrayitem1 division

  12:     # Arrayitem2 domain

  13:     # Arrayitem3 root

  14:     $FQDNArray = $FQDN.split(".")

  15:     

  16:     # Add A Separator of ','

  17:     $Separator = ","

  18:  

  19:     # For Each Item in the Array

  20:     # for (CreateVar; Condition; RepeatAction)

  21:     # for ($x is now equal to 0; while $x is less than total array length; add 1 to X

  22:     for ($x = 0; $x -lt $FQDNArray.Length ; $x++)

  23:         { 

  24:  

  25:         #If it's the last item in the array don't append a ','

  26:         if ($x -eq ($FQDNArray.Length - 1)) { $Separator = "" }

  27:         

  28:         # Append to $DN DC= plus the array item with a separator after

  29:         [string]$DN += "DC=" + $FQDNArray[$x] + $Separator

  30:         

  31:         # continue to next item in the array

  32:         }

  33:     

  34:     #return the Distinguished Name

  35:     return $DN

  36: }

To use the Function to get the Distinguished Name of the Domain:

   1: # Store the distinguished name in a variable named $objCrntDN.

   2: $objCrntDN = Get-Domain

To use the function to get the Distinguished Name From a Fully Qualified Domain Name:

   1: # Store the distinguished name in a variable named $objCrntDN

   2: # Pass the Fully Qualified Domain Name with call

   3: $objCrntDN = Get-Domain division.domain.root 

Note: This function also works if you place the division.domain.root in parentheses with quotations:

Get-Domain(“division.domain.root”)

What’s Different??

While the output is basically the same, I’ve made a few changes in the code:

1. “DNSname” is technically inaccurate, while I understand what he is meaning. He is referring to is the FQDN – a point of confusion for the readers.
2. I made the passing of a FQDN (optional) – as sometimes we don’t need to determine the FQDN (outside the function) before we get the Distinguished Name.
3. I named my function ‘Get-Domain’ . DNS-DN is a very specific function. Your will see that Marc has to call three different functions to convert between each of these. I chose to make a single function, and establish what the ultimate output will be. Name the function what you are getting or creating with the function. Get-Domain –> You already know what the output will be — the Domain.
4. I removed the Else { $separator } out of the loop. In batch processing such as PowerShell, the interpreter will replace the $separator variable each time it passes through the loop for the items in the array. To make the code more efficient, I set the variable outside the loop as it only gets changed for the last array evaluation.

By: Brenton Blawat

This article is designed to be short and sweet. This article displays the method by which one would retrieve the FQDN or Distinguished Name of the Domain. This is code is very useful for any operations in Active Directory. A must know for any scripter that needs to call the domain on a system without hard coding the value in the script.

Lets take a theoretical network that consists of ‘division’ subdomain, ‘domain’ as the domain, and ‘root’ as the domain root.

Root Distinguished name – Easy Method in PowerShell

   1: # Instantiate The ADSI Provider

   2: $root = [ADSI]''

   3: $CurrentDN = $root.DistinguishedName

Result:

The variable $CurrentDN will contain:

DN=division,DN=domain,DN=root

E.G. DN=bittangents,DN=com

Root Fully Qualified Domain Name (FQDN) – Easy Method In PowerShell

   1: # Retrieve the Fully Qualified Domain Name and store it in $FQDN Variable

   2: [String]$FQDN =  [System.DirectoryServices.ActiveDirectory.Domain]::getCurrentDomain()

   3:  

Result:

The variable $FQDN will contain:

division.domain.root

E.G. bittangents.com