Marc Lognoul's IT Infrastructure Blog

Cloudy with a Chance of On-Prem

PowerShell: Testing if the Logged On User is Really Admin


Since the introduction of User Account Control (UAC) with Windows Vista/Server 2008, scripter have to deal with detecting if the user executing commands or scripts is effectively granted the necessary privileges, ie. is running with elevated privileges.

While you can find plenty of snippets and functions on the Internet to achieve this goal. The reasons why I use this one hereunder are the following:

  • It is compatible with all (decently recent) Windows versions
  • It works with all languages since no names are used
  • It is fairly fast: the speed directly depends on the user’s token size

Function IsCurrentUserElevated()
[bool]$IsElevated = $False
If ([System.Environment]::OSVersion.Version.Major -lt 6)
{$IsElevated = [bool]((whoami /groups /SID) -match “S-1-5-32-544”)}
{$IsElevated = [bool]((whoami /groups) -match “S-1-5-32-544”) -and [bool]((whoami /groups) -match “S-1-16-12288”)}
Return $IsElevated

Note:  If someone has a native PowerShell replacement for fetching a user token please let me know ;).

Additional information’s:

Leave a comment

SharePoint: PAL from the Field


Performance Analysis of Logs (PAL) is a free tool designed to analyze Windows Perfmon-based logs against predefined thresholds. The thresholds are defined in configuration files usually mapped to an MS technology (.Net, IIS…) or product (SQL Server, SharePoint. It produces reports in HTML or XML formats, the first one also including eye-candy charts.

In a nutshell, PAL almost completely removes the hassle of reading and interpreting performance logs.

However, making sense of PAL reports in real life may also require time for experimenting and unfortunately, very few guidance can be found on the web. Therefore I wanted to close the gap a little.

This post assumes you are minimally familiar with PAL. If this was not the case, there are many other blogs detailing the installing and the usage basics. The CodePlex project also includes useful introduction:

What to Expect from PAL

PAL is the perfect tool to be used when you investigate mostly infrastructure-related performance problems impacting Microsoft product and technologies.

It helps translating Perfmon logs into humanly readable reports with added value brought by charts, recommended thresholds and generic guidance. A report is roughly made of 2 sections: chronologically ordered alerts and statistical figures enhanced with their matching charts.

In my opinion, PAL is not designed to help you trending or building up your capacity planning in the long run. for this purpose, product such as SCOM should be preferred. Likewise, PAL should not be used as a performance monitoring tool. Finally, PAL will not help drilling down into the code and will not cover end-to-end performance monitoring or troubleshooting. For this purpose, a real APM or tracing tool should be preferred.


Make sure your performance counters are healthy, I can’t remember the number of times I had to fix broken counter before anything else could take place:

Practice a little with Perfmon capture and PAL in a test environment. It seems obvious but many organizations I worked for were directly in their production environment with a full counter set, a high capture frequency and this during abnormally long periods. This leads to loss of time for generating reports and lots of frustrations and confusions since the reports contains too many information’s to actually be helpful.

Decide if you will generate PAL report on a computer dedicated to this purpose or if you prefer to do it on the monitored server during off-peak hours. Keep in mind that while capturing counter has very little to no effect on performance, performing PAL analysis is extremely CPU and disk I/O intensive.

Although PAL does it for you, make sure you understand what each counter really means and what it means in your own environment.  Avg. Disk Queue Length/Current Disk Queue Length being a good example of misleading/misinterpreted counter.

Correctly identify your environment: what are the processes running (at least, the ones making sense), what are the physical/logical disks and their purpose, what are the memory sizing (physical and virtual) and of course the CPU characteristics.

In Perfmon/Perflogs, preferably identify processes by their PID instead of their instance ID. This is particularly useful with SharePoint and IIS where you can have multiple IIS Worker Processes (W3WP.exe)running, even in the most basic implementations

While some SharePoint counter will directly refer to SharePoint applications, others won’t. Therefore, it is always useful to have scripts at hand doing the job for you.

On Server 2003/IIS6 using a command-prompt:

cd %windir%System32
cscript.exe iisapp.vbs

From Server 2008/IIS7using a command-prompt:

cd %windir%System32inetsrv
appcmd list wp

Using PowerShell:

gwmi win32_process -filter “name=’w3wp.exe'”|Select ProcessId, CommandLine

Be watchful with process ID’s: they may evolve during the time of the capture since when a process crashes, a new one with its own ID is usually restarted. The same happens to a worker process if it recycles.

Take also time to benchmark PAL:

  • Estimate the storage used by captures
  • Estimate the time take for PAL to produce reports
  • Estimate the storage used by PAL report

While a 2-hours capture using the default SharePoint 2010 will generate from 30 to 50 MB of BLG file and take about 10 minutes for processing, things will start counting in larger amount.

Some counters (like the ones related to processes and SharePoint’s publishing cache) can boost the size and time to generate reports because they are multiplied by the number of running processes or existing Site Collections

And finally, download and install PAL on the computer you selected for this purpose. Remember, PAL will only be used to generate reports, not capture and reading reports. Therefore there is no strict requirement to install it on every SharePoint server.

Planning Performance Captures

To ease you life, generate the Perfmon configuration files directly from PAL: Start PAL, go to the tab Threshold File then select the Threshold file corresponding to the work load and finally click on the button Export to Perform Template File.

Select the format according to the operating system version captures will be taken from. LOGMAN format is the best choice if your goal is superior automation of the capture process.

Carefully plan the capture period. Usually, warm-up of ASP.Net/SharePoint application generate a lot of noise not really relevant to you performance troubleshooting, therefore, it is preferable to start capturing when your application is already in cruise mode. Unless of course if the performance problem occur at compilation time. The same applies to crawl performance troubleshooting: preferably start capturing when the crawl is effectively started, not when it is starting.

Keep the sampling interval between 5 and 15 seconds. While less than 5 does not help because it tends to make things look worse than what they actually are (very short CPU peak or intensive disk I/O…), more than 15 may make the capture inaccurate because some missing numbers. In most cases, 15 seconds will do fine.

Keep the format to binary (BLG): although not humanly readable, It’s way more compact and directly usable by PAL. Note: some tools can convert Perfmon logs whenever needed, I will discuss that at later time.

Finally, and if you run a multi-server farm (remote SQL for example), decide if you prefer to put capture from various servers into the same log file or if you which to use separate logs. Remember that in most cases, the footprint of Perform is usually negligible. if you chose for per-server capture, make sure you sufficient in control to run them simultaneously.

Happy performance troubleshooting!


Active Directory: Schema Versions and How to Retrieve it

Windows Logo


Since Windows Server 2012 RTM is publicly available, you might be busy upgrading your forest (or at least, planning to do so). I actually did the same in my lab environments and wanted, at the same time, to revisit the AD Schema’s possible version numbers and ways to retrieve it.

You will find all details in the article I just posted: Active Directory Schema Versions.


SharePoint 2010: The local farm is not accessible cmdlets with feature dependency are not registered Revisited

While this error has been around for a while, I recently discovered a new possible cause. An opportunity to pack up this post with all causes identified until now (Therefore a feeling of déjà may be experienced by the reader).

Incorrect Windows PowerShell Version


You recently upgrade to Powershell V3.0 as part of the Windows Management Framework 3.0, it’s likely you see the error message hereunder when starting the SharePoint 2010 Management Shell.

microsoft sharepoint is not supported with version 4.0.30319 of the microsoft .net runtime
the local farm is not accessible cmdlets with feature dependency are not registered


Powershell V3.0 makes use of the .Net Framework 4.0. This combination prevents SharePoint’s Management Shell from working.


Locate the SharePoint 2010 Management Shell shortcut from the Windows Start Menu then edit it

For the parameter Target, add the parameter -version and value 2 as described hereunder:

C:WindowsSystem32WindowsPowerShellv1.0PowerShell.exe –version 2 -NoExit  ” & ‘ C:Program FilesCommon FilesMicrosoft SharedWeb Server Extensions14CONFIGPOWERSHELLRegistrationsharepoint.ps1 ‘ “

This will instruct PowerShell to behave like it would do with version 2.0 instead of 3.0.

Additional Information’s

To get the effective version of the PowerShell host running, simply use the $Host object:

The logged on user is not granted SharePoint_Shell_Access


Assuming you’re not granted high privileges on the SQL Server Instance hosting your SharePoint databases such as SYSADMIN role, using SharePoint 2010 Management Shell requires the logged on user to be granted SharePoint_Shell_Access on the Configuration database.


Use the command Add-SPShellAdmin cmdlet to grant the user the necessary role.

Additional Information’s

  • To retrieve the list of user granted SharePoint_Shell_Access, use the cmldet Get-SPShellAdmin
  • To remove a user from the SharePoint_Shell_Access role, use Remove-SPShellAdmin

The logged on user is not administrator of the SharePoint server or server has UAC enabled


Using the SharePoint 2010 Management Shell requires the logged on use to be effective administrator of the SharePoint server where it runs.

Therefore there are 2 possible causes:

  • The user is not member of the local administrators group at all
  • The User Account Control is on and the logged on user did not chose to start SharePoint 2010 Management Shell as Administrator


Always start SharePoint 2010 Management Shell with a domain user, logged on as administrator and chose the option “Run as Administrator” when right-clicking on the shortcut.

To make your life simpler,  you can also edit the shortcut of the SharePoint 2010 Management Shell, then click on the button Advanced and finally select the check bow corresponding to the option “Run as administrator”. This will not prevent the UAC prompt from popping up but at least, the shell will always start as admin.

Season’s greetings!


Leave a comment

Validating Domain, Local or AD LDS Credentials using PowerShell


Hi there. When automating installation and configuration using PowerShell, you may have to push configuration containing credentials. It can therefore be useful to make sure they are correct before actually setting them.

PowerShell 2.0 and .Net 3.5 to the rescue: The assembly System.DirectoryServices.AccountManagement hopefully exposes this functionality. Here is how to do:

Load the assembly:

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

Create a context type. It can be a domain, a machine (local or remote) or an AD LDS (aka ADAM) instance:

$MyContextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain

Create a principal context. A context is actually the name of the context type you will validate credentials against. In this case, an AD domain:

$MyPrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($MyContextType, “massivedynamic.local”)

An finally, execute the ValidateCredentials method providing username and password. Note: in the case of domain credentials as as long you have the appropriate trust in place, you can validate credentials from a user belonging to domain A against domain B, you name it, B must trust A. In return you get a Boolean:

$ValidCredentials = $MyPrincipalContext.ValidateCredentials(”MASSIVEDYNAMICWBELL”, “Azerty1”)

Sure it also works with UPN’s:

$ValidCredentials = $MyPrincipalContext.ValidateCredentials(”william.bell@massivedynamic.local”, “Azerty1”)

A warning though: validating credentials is actually performed thanks to a network logon. If a user account is valid while it’s password is wrong, the bad password count at AD or local SAM DB will be incremented. You guess, if an account lockout policy is applicable, too many attempts will lock out the account…

My colleague Bert VL (kind of PoSh scripting goldsmith, check his blog) has tracked this using the good old Account Lockout Tools from the Windows Server 2003 Resource Kit

Bad Password Count

More info:


Leave a comment

PowerShell: Now in Native x64: Reading an Excel sheet using PowerShell and ADO.Net

Long ago I blogged about using PowerShell to read out an XLS(X) file using ADO.Net. Until recently, only the x86 version of the ODBC driver was available.

Fortunately, Microsoft recently release a x64 version of the drivers as part of the Microsoft Access Database Engine 2010 Redistributable Package. Download link:

Interestingly, while this package is labeled “Office 2010”, the provider’s names references “Office 12” (2007) –> this should have be released earlier 🙂


Leave a comment

SharePoint: Management PowerShell Scripts on CodePlex

I recently started contributing to the project lead by the SharePoint doctor MVP Fabrice Romelard on CodePlex: SharePoint Management PowerShell scripts.

I recommend the User Management section in particular, which includes comprehensive resources to manage users in SharePoint through the whole lifecycle (add, retire, detect orphans, update properties…):

I’ll try as much as I can to keep the script library on my own site in sync with the one on CodePlex.

And Cut!

Leave a comment

SharePoint: Extracting all Solutions from a Live SharePoint Farm

Lately this contribution from Barto Molina caught my attention in the TechNet Forums: His C# code iterates through the solutions stored in the local farm and saves them to the file system under the form of a standard WSP file.

You’ll find a “PowerShellized” version of it over here: I hope you’ll find it useful.

And cut!

Leave a comment

SharePoint: Yet another warm-up script

Slow start-up of ASP.Net applications after application pool recycle in general and SharePoint in particular, is a recurring issue reported by customers. Keeping the application “warm” thanks to a background job performing regular page processing is a quick and simple solution. While there are already a few scripts available on the Internet, I wanted to share my own, which is fully implemented in PowerShell. A few comment though:

  • This script, like (all or most of?) others, do not take care of having multiple WFE. when it resolves  the name of a web application, it will do it using DNS and therefore might point to another server… 8I’ll shortly publish another script that solves that limitation
  • To ease IIS log parsing for analytics, the script passes a specific user-agent string which eases exclusion of those requests in reports
  • The script triggers only the execution of default pages (default.aspx) which are located under the final / of the URL. Next version of the script will also solve that limitation

Feel free to download it from this location:

Have you seen Client Eastwood’s latest (and probably best?) movie Gran Torino? A perfect Drama/Comedy mix with great though less known actors.

Gran Torino poster

And cut!