Greetings!
I have been writing scripts for a while, but I haven't been too concerned about what the scripts do since I'm only gathering information and not changing anything. Then I started creating scripts that create and update Active Directory accounts. I want to make sure that the scripts don't create havoc within AD or any other part of the server. To do this I looked to Execution Policies.
Execution policies set the rules for which PowerShell script files may run on a computer, server or workstation. They are a safety feature rather than a security boundary: they help keep you from running a script unintentionally, but they do not limit what a script can do once it is running, and anyone who can open a console can override them for their own session. There are six policies. The sixth, Undefined, only means that no policy has been set in a given scope; the five you actually choose between are:
Restricted
This is the default policy on Windows client computers. With Restricted you can run individual commands at the prompt but not script files. It also blocks module files (.psm1), formatting and configuration files (.ps1xml), and profile scripts (.ps1).
AllSigned
Scripts can run, but every script and configuration file, including the ones you write yourself, must carry a digital signature from a trusted publisher, that is, a code-signing certificate that chains to a root your computer trusts, whether issued by a commercial CA such as Verisign or by your own enterprise CA. The first time you run a script from a publisher you have not yet classified as trusted or untrusted, you are prompted to decide whether to trust that publisher (not for credentials). This is the strictest setting, but a signature only tells you who signed the script, not that it is harmless: a bad script can be signed too.
RemoteSigned
This is the default policy on Windows Server 2012 R2. A script downloaded from the Internet must be signed by a trusted publisher; a script created on the local computer does not need a signature. "Downloaded" here means the file carries the Zone.Identifier stream (the mark of the web) that browsers and mail clients attach to saved files, and Unblock-File removes that mark, so RemoteSigned is only as good as your review of a script before you unblock it. As with AllSigned, a dangerous script can still be signed.
Unrestricted
Unsigned scripts can run (this can be dangerous). You are warned before an unsigned script downloaded from the Internet runs.
Bypass
Nothing is blocked and there are no warnings or prompts. Bypass is useful when a script is launched from a command line or from Task Scheduler, where a prompt would hang the job, typically as powershell.exe -ExecutionPolicy Bypass -File script.ps1. Do not use Bypass to run an unverified script. Bad things can happen.
Personally, I try never to use Unrestricted or Bypass. However, you may find a need for one of these settings. Just make sure you know the risks of each one.
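The checks behind the policies above, as an added example that is not part of the original post. The script name New-ADAccount.ps1, the code-signing certificate in the current user's personal store and the test user are placeholders; it assumes Windows PowerShell on Windows and, for the last line, the ActiveDirectory module.

```powershell
# Added example, not from the original post. Placeholders: .\New-ADAccount.ps1, the code-signing
# certificate in Cert:\CurrentUser\My, and the 'testuser' account.

# Every scope and its value. The first scope that is not Undefined, in the order shown
# (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine), is the effective policy.
Get-ExecutionPolicy -List

# Set the policy for the narrowest scope that does the job. CurrentUser needs no admin rights and
# leaves other users and scheduled tasks alone; Process lasts only for this session.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# What RemoteSigned actually checks before running a file: does it carry the Zone.Identifier
# stream (the "mark of the web" added by browsers and mail clients), and is it signed?
function Test-ScriptTrust {
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path            = $Path
        FromInternet    = ($zone -contains 'ZoneId=3')   # ZoneId 3 = Internet zone
        SignatureStatus = $sig.Status                     # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer          = $sig.SignerCertificate.Subject
    }
}

$script = '.\New-ADAccount.ps1'
Test-ScriptTrust -Path $script

# Unblock-File deletes the Zone.Identifier stream, which is exactly what turns a "remote" file into a
# "local" one for RemoteSigned. Do this only after you have read the script.
Unblock-File -Path $script

# Sign the script so it also runs under AllSigned. Timestamping keeps the signature valid after the
# certificate expires; any edit to the file afterwards changes its hash and the status becomes HashMismatch.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -TimestampServer 'http://timestamp.digicert.com'
Test-ScriptTrust -Path $script

# None of the above limits what the script does once it runs. For a script that writes to AD,
# least-privilege credentials and a -WhatIf dry run are the controls that prevent havoc.
# (Requires the ActiveDirectory module; the account name is a placeholder.)
New-ADUser -Name 'Test User' -SamAccountName 'testuser' -WhatIf
```

Run Test-ScriptTrust on any script you received before you unblock or sign it: FromInternet tells you whether RemoteSigned would have refused it, and SignatureStatus tells you whether AllSigned would.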
Monday, March 26, 2018
Monday, March 19, 2018
"Can you see if my account is locked out?"
Greetings!
Have you ever gotten a call, email or trouble ticket asking for help with a user whose AD account keeps getting locked out? At my current company, we had a rash of this happening. We found it occurred when people changed their Active Directory password: a phone or other device still holding the old password keeps retrying it in the background, and those failed attempts trip the lockout threshold. In these days of people reading work email or work Instant Messaging on personal devices, it is important to make sure these folks are changing the saved passwords on those devices as well.
In some cases, we can look to the domain controllers to find out where the lock is coming from. Every lockout in the domain is reported to the PDC emulator, which records it in its Security log as event ID 4740 together with the name of the computer the bad passwords came from, so that is the one log to query. I found this handy script on Mike F Robbins's blog site (http://mikefrobbins.com/):
#Requires -Version 3.0
<#
.SYNOPSIS
    Get-LockedOutUser.ps1 returns a list of users who were locked out in Active Directory.
.DESCRIPTION
    Get-LockedOutUser.ps1 is an advanced script that returns a list of users who were locked out in Active Directory
    by querying the event logs on the PDC emulator in the domain.
.PARAMETER DomainName
    The NetBIOS name of the domain whose PDC emulator is queried. The default is the domain of the current user.
.PARAMETER UserName
    The userid of the specific user you are looking for lockouts for. The default is all locked out users.
.PARAMETER StartTime
    The datetime to start searching from. The default is three days ago.
.EXAMPLE
    Get-LockedOutUser.ps1
.EXAMPLE
    Get-LockedOutUser.ps1 -UserName 'mikefrobbins'
.EXAMPLE
    Get-LockedOutUser.ps1 -StartTime (Get-Date).AddDays(-1)
.EXAMPLE
    Get-LockedOutUser.ps1 -UserName 'mikefrobbins' -StartTime (Get-Date).AddDays(-1)
#>
[CmdletBinding()]
param (
    [ValidateNotNullOrEmpty()]
    [string]$DomainName = $env:USERDOMAIN,

    [ValidateNotNullOrEmpty()]
    [string]$UserName = "*",

    [ValidateNotNullOrEmpty()]
    [datetime]$StartTime = (Get-Date).AddDays(-3)
)

# Run the query on the PDC emulator itself: every lockout in the domain is reported there as event ID 4740.
Invoke-Command -ComputerName (
    [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain((
        New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName))
    ).PdcRoleOwner.Name
) {
    Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740;StartTime=$Using:StartTime} |
    Where-Object {$_.Properties[0].Value -like "$Using:UserName"} |
    Select-Object -Property TimeCreated,
        @{Label='UserName';Expression={$_.Properties[0].Value}},
        @{Label='ClientName';Expression={$_.Properties[1].Value}}   # in a 4740 event this field is the caller computer name
} -Credential (Get-Credential) |
Select-Object -Property TimeCreated, UserName, ClientName
When you run this script, you are prompted for a user name and password (the Get-Credential call). That account must be able to read the Security log on the PDC emulator, which by default means membership in Domain Admins or the Event Log Readers group, and PowerShell remoting (WinRM) must be enabled on that domain controller, because the query runs there through Invoke-Command.
.\Get-LockedOutUser.ps1 -UserName 'mike1'
Not only does this script look for an individual account with the -UserName parameter, you can also leave off all the parameters and get every lockout event in the domain from the last three days (the StartTime default). Note that this is a history of lockouts, not a list of accounts that are locked right now: an account that has since been unlocked still appears.
.\Get-LockedOutUser.ps1
I want to thank Mike F Robbins for writing a terrific script that has helped me many times. I hope it can help you all, as well.
Mike
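A follow-up to the script above, added here and not part of the original post or of Mike F Robbins's script: it checks the account's current lockout state, groups the 4740 events by caller computer, and then, for the case where the caller turns out to be a gateway such as an Exchange or VPN server, pulls the underlying Kerberos failures from every domain controller to get a source IP. It assumes the ActiveDirectory module, an account that can read the Security log on the domain controllers, and the Remote Event Log Management firewall rules being open (Get-WinEvent -ComputerName uses RPC, not WinRM). The user name 'mike1' and the 24-hour window are placeholders.

```powershell
# Added example, not from the original post. Placeholders: the user 'mike1' and the 24-hour window.
Import-Module ActiveDirectory

# Flatten an event's named EventData fields into one object, so fields are read by name
# (TargetUserName, IpAddress, ...) instead of by Properties[] index.
function ConvertFrom-EventData {
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id; LoggedOn = $Event.MachineName }
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]$data
    }
}

$user  = 'mike1'
$since = (Get-Date).AddHours(-24)
$pdc   = (Get-ADDomain).PDCEmulator

# 1. Is the account locked *now*? 4740 events record history, not current state. badPwdCount and
#    lastBadPasswordAttempt are not replicated, so ask the PDC emulator, which sees every bad
#    password because the other DCs forward them to it.
Get-ADUser -Identity $user -Server $pdc -Properties LockedOut, AccountLockoutTime, BadPwdCount, LastBadPasswordAttempt |
    Select-Object SamAccountName, LockedOut, AccountLockoutTime, BadPwdCount, LastBadPasswordAttempt

# 2. Lockouts (4740) are all reported to the PDC emulator. In this event the field named
#    TargetDomainName holds the *caller computer name*, the machine the bad passwords came from.
#    -ErrorAction SilentlyContinue: Get-WinEvent reports "no events found" as an error.
$filter   = @{ LogName = 'Security'; Id = 4740; StartTime = $since }
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ConvertFrom-EventData | Where-Object TargetUserName -eq $user
$lockouts | Group-Object TargetDomainName | Sort-Object Count -Descending |
    Select-Object Count, @{Name = 'CallerComputer'; Expression = { $_.Name }}

# 3. When the caller is a gateway (Exchange, RDS, VPN) rather than the user's own device, look at the
#    failed attempts themselves. 4771 (Kerberos pre-authentication failed) with Status 0x18 is a bad
#    password; it is logged on whichever DC handled the attempt, not only the PDC, so ask every DC.
#    The XPath filter runs on the DC, so only matching events cross the network; the user name is
#    compared client-side because XPath string comparison is case-sensitive.
$xpath = "*[System[EventID=4771 and TimeCreated[timediff(@SystemTime) <= 86400000]]" +
         " and EventData[Data[@Name='Status']='0x18']]"
$failures = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ConvertFrom-EventData | Where-Object TargetUserName -eq $user
}
$failures | Group-Object IpAddress | Sort-Object Count -Descending |
    Select-Object Count, @{Name = 'SourceIP'; Expression = { $_.Name }}
```

The source IP from step 3 is usually what finally identifies the device holding the old password; NTLM failures show up as event 4776 on the same DCs and can be pulled the same way, though 4776 carries a workstation name rather than an IP.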
Monday, March 12, 2018
What Version of Windows Server Am I Using?
Greetings!
I have had occasions where I wanted to inventory all my servers and what version of Windows Server is running on those servers. Larger companies can use System Center Operations Manager (SCOM) to get that information. However System Center can be expensive and overkill for small to medium businesses.
In order to get the list I wanted, I used the following PowerShell script:
Import-Module ActiveDirectory
Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion | Where-Object {$_.OperatingSystem -like '*server*'} |
Select-Object -Property Name, OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion
Import-Module is included for clarity. On PowerShell 3.0 and later, a module is loaded automatically the first time you call one of its cmdlets, but the ActiveDirectory module only exists where the RSAT Active Directory PowerShell tools are installed; if Get-ADComputer is reported as not recognized, install those first.
The output from the script will look like the following:
Name    OperatingSystem                   OperatingSystemServicePack OperatingSystemVersion
----    ---------------                   -------------------------- ----------------------
Server1 Windows Server 2008 R2 Enterprise Service Pack 1             6.1 (7601)
Server2 Windows Server 2008 R2 Enterprise Service Pack 1             6.1 (7601)
Server3 Windows Server 2008 R2 Enterprise Service Pack 1             6.1 (7601)
This script shows how easy PowerShell makes this: with just a couple of commands you can pull the information you want. Keep in mind that these attributes are written to the computer object by the server itself (at domain join and at boot), so a decommissioned server whose account was never deleted keeps reporting the last version it ran.
I hope you find this script helpful. Good luck and happy scripting.
Mike
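A variation on the inventory above, added here and not part of the original post: it filters on the server side instead of pulling every computer object, weeds out stale and disabled computer accounts so the counts reflect what is actually running, summarises per operating system, and saves a dated CSV for diffing against the next run. It assumes the ActiveDirectory module and read access to computer objects; the 90-day staleness threshold is an assumption.

```powershell
# Added example, not from the original post. The 90-day threshold is an assumption.
Import-Module ActiveDirectory

$staleAfter = (Get-Date).AddDays(-90)

# Filter on the server side: the LDAP query returns only server objects instead of every computer.
# LastLogonDate comes from lastLogonTimestamp, which replicates but is only updated about every
# 14 days, so treat it as "last seen, roughly" rather than an exact timestamp.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, LastLogonDate, Enabled |
    Select-Object Name, Enabled, OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, LastLogonDate,
        @{Name = 'Stale'; Expression = { (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $staleAfter) }}

# 1. Counts per OS version for the servers that are actually alive: the list you take to the
#    patching or lifecycle conversation.
$servers | Where-Object { $_.Enabled -and -not $_.Stale } |
    Group-Object OperatingSystem | Sort-Object Count -Descending |
    Select-Object Count, Name

# 2. Stale or disabled computer accounts still carrying an OS value: cleanup candidates, and the
#    reason the raw count overstates what is running. A stale enabled account is also something an
#    attacker can reuse, since its password never changes again.
$servers | Where-Object { $_.Stale -or -not $_.Enabled } |
    Sort-Object LastLogonDate |
    Format-Table Name, Enabled, OperatingSystem, LastLogonDate -AutoSize

# 3. Keep a dated snapshot so the next run can be compared against it.
$servers | Export-Csv -Path ".\ServerInventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Compare two snapshots with Compare-Object on the Name and OperatingSystemVersion columns to see what was upgraded, added or retired between runs.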
Monday, March 5, 2018
Powershell Notes For Professionals
Greetings!
As a person who really enjoys scripting in Powershell, I am always looking for resources that focus on Powershell. The other day I got an email from GoalKicker.com offering a free document called "PowerShell Notes for Professionals." This is a great reference that contains explanation and examples on everything from getting started with Powershell to how to use hashtables to signing scripts...and much more.
Also, GoalKicker has many such documents on different programming languages. Like I said, this is a tremendous resource for the scripter/programmer. I highly recommend them.
That's what I have for this week. Have fun!
Mike