PowerShell Function: make a Parameter dependent of the Value of another Parameter

I had the case where I needed to make sure that one switch parameter of a PowerShell function can only be used, if another parameter had a certain value.
For example: the switch parameter -MYSWITCH can only be used if the value of the parameter -Selection is set to “POSSIBLE”.

The following PowerShell function is written to do exactly that.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
function myFunction() {
 
    [cmdletbinding(
        DefaultParameterSetName='Default'
    )]
    Param
    (
        [Parameter()]
        [String]$Selection,
 
        [Parameter(ParameterSetName='Selection')]
        [ValidateScript({ $Selection -eq 'POSSIBLE' })]
        [Switch]$MYSWITCH
    )
 
    # Print out current ParameterSet Selection
    $PSCmdlet.ParameterSetName
}
 
# Selection is POSSIBLE and therefore, the -MYSWITCH switch is allowed
myFunction -Selection POSSIBLE -MYSWITCH 
 
# Selection is IMPOSSIBLE and therefore, the -MYSWITCH switch is NOT allowed => throws an error
myFunction -Selection IMPOSSIBLE -MYSWITCH
 
# Selection is IMPOSSIBLE and therefore, the -MYSWITCH switch is NOT allowed => works well because -MYSWITCH is not used
myFunction -Selection IMPOSSIBLE

If the -Selection is set to anything different then “POSSIBLE”, using the switch -MYSWITCH just throws an error. This is the expected behavior in that case.

Active Directory PowerShell Delegate Permission to Reset User Passwords for a specific Organizational Unit

Is there an easy solution to allow Helpdesk Users to reset passwords for user accounts for a specific Active Directory Organizational Unit (OU) with PowerShell?

Yes, there is! Just use the script/function below to set the necessary Active Directory Delegation.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
function Set-ResetPasswordDelegation(){
    param(
    [string]$OrganizationalUnit,
    [string]$DelegationGroupName
    )
 
    # Configuration Parameters
    $confADRight = "ExtendedRight"
    $confDelegatedObjectType = "bf967aba-0de6-11d0-a285-00aa003049e2" # User Object Type GUID
    $confExtendedRight = "00299570-246d-11d0-a768-00aa006e0529" # Extended Right PasswordReset GUID
 
    # Collect and prepare Objects
    $delegationGroup = Get-ADGroup -Identity $DelegationGroupName
    $delegationGroupSID = [System.Security.Principal.SecurityIdentifier] $delegationGroup.SID
    $delegationGroupACL = Get-Acl -Path "AD:\$OrganizationalUnit"
 
    # Build Access Control Entry (ACE)
    $aceIdentity = [System.Security.Principal.IdentityReference] $delegationGroupSID
    $aceADRight = [System.DirectoryServices.ActiveDirectoryRights] $confADRight
    $aceType = [System.Security.AccessControl.AccessControlType] "Allow"
    $aceInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceIdentity, $aceADRight, $aceType, $confExtendedRight, $aceInheritanceType,$confDelegatedObjectType)
 
    # Apply ACL
    $delegationGroupACL.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OrganizationalUnit" -AclObject $delegationGroupACL
}
 
# Calling the function
Set-ResetPasswordDelegation -OrganizationalUnit "OU=Users,DC=pwsh,DC=ch" -DelegationGroupName "ServiceDesk-PasswordReset-Allow"

Get-ADUser not returning all user attributes [solution]

Using the Active Directory PowerShell command Get-ADUser with the –properties * (asterisk) switch does not return all available user attributes.

Properties like “msDS-UserPasswordExpiryTimeComputed” will not show up like that and have to be explicitly specified to be returned:

1
Get-ADUser –Properties msDS-UserPasswordExpiryTimeComputed

The following code returns all values of the user object:

1
2
$properties = Get-ADObject -SearchBase (Get-ADRootDSE).SchemanamingContext -Filter {name -eq "User"} -Properties MayContain,SystemMayContain | Select-Object @{name="Properties";expression={$_.maycontain+$_.systemmaycontain}} | Select-Object -ExpandProperty Properties
Get-ADUser -Identity username -Properties $properties | fl $properties

In the above example, all available properties of the Active Directory ObjectClass “user” are retrieved and stored in an array, which is then used to specify the wanted properties using the Get-ADUser cmdlet.