Monday, March 26, 2018

What are these Execution Policies? And, how can they help me?

Greetings!

I have been writing scripts for a while but I haven't been too concerned about what the scripts do since I'm only gathering information and not changing anything.  Then, I started creating scripts that create and update Active Directory accounts.  I want to make sure that the scripts don't create havoc within AD or any other part of the server.  To do this I looked to Execution Policies.

Execution policies are used to set the rules for PowerShell scripts on a server.  These policies help keep scripts from violating the rules.  There are six different policies:

Restricted
     This policy is the default policy set when PowerShell is activated.  With Restricted, you cannot run an entire script but can run individual commands.  This policy also blocks the execution of module files (.psm1), configuration files (.ps1xml), and profile scripts (.ps1).

AllSigned
     This policy allows scripts to run on a server.  However, all scripts and configuration files need to be signed by a trusted publisher, like Verisign.  If you run a script that hasn't been classified as trusted or untrusted, you will be prompted for credentials.  This is more secure, but a badly written script can still be signed.

RemoteSigned
     This is the default policy in Windows Server 2012 R2.  If you download a script from the Internet, you will need a digital signature from a trusted source.  The benefit of RemoteSigned is that scripts created on local computers do not need a digital signature.  Similar to AllSigned, dangerous scripts can still be signed.

Unrestricted
     Unsigned scripts can run (this can be dangerous).  You will be warned when you start an unsigned script from the Internet.

Bypass
     This policy lets any script run, and there are no warnings or prompts.  Bypass is helpful if you are calling a script from a command line or from Task Scheduler.  Do not use Bypass when you are running an unverified script.  Bad things can happen.


Personally, I try to never use Unrestricted or Bypass.  However, you may find a need to use one of these settings.  Just make sure you know the risks of each one.
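
The example below is added here and is not part of the original post. It reports which policy is set at each scope, then checks the two properties the policies above decide on for a given file: whether it carries a valid signature and whether it is marked as downloaded. Test-ScriptAgainstPolicy is a hypothetical helper name; the example assumes Windows PowerShell 3.0 or later on an NTFS volume and models only the signature and download-zone checks, not Group Policy or trusted-publisher prompts.

```powershell
# Added example. Test-ScriptAgainstPolicy is a hypothetical helper, not a built-in cmdlet.
function Test-ScriptAgainstPolicy {
    [CmdletBinding()]
    param ([Parameter(Mandatory)][string]$Path)

    # 'Valid' means the signature verifies and the certificate chains to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $isSigned = $sig.Status -eq 'Valid'

    # Downloaded files carry a Zone.Identifier alternate data stream (NTFS only).
    # ZoneId 3 (Internet) or 4 (Restricted sites) makes the file "remote".
    $zone = Get-Content -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_ -match '^ZoneId=(\d+)') { [int]$Matches[1] } } |
        Select-Object -First 1
    $isRemote = ($null -ne $zone) -and ($zone -ge 3)

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        ZoneId          = $zone
        Restricted      = $false                        # no script files run
        AllSigned       = $isSigned                     # every script must be signed
        RemoteSigned    = $isSigned -or -not $isRemote  # only downloaded scripts must be signed
        Unrestricted    = $true                         # runs, with a warning if downloaded
        Bypass          = $true                         # runs, no warning or prompt
    }
}

# Policy configured at each scope, then the effective policy for this session.
Get-ExecutionPolicy -List
Get-ExecutionPolicy

# Constructed sample: an unsigned one-line script marked as downloaded from the Internet.
$sample = Join-Path $env:TEMP 'policy-demo.ps1'
Set-Content -Path $sample -Value 'Get-Date'
Set-Content -Path $sample -Stream 'Zone.Identifier' -Value '[ZoneTransfer]', 'ZoneId=3'

Test-ScriptAgainstPolicy -Path $sample
Remove-Item -Path $sample
```

Each policy column in the output is True when that policy would let the file run.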

Monday, March 19, 2018

"Can you see if my account is locked out?"

Greetings!

Have you ever gotten a call or email or trouble ticket asking for help with a user whose AD account keeps getting locked out?  At my current company, we had a rash of this happening.  We found this occurred when people changed their Active Directory password.  In these days of people being able to access work email or work Instant Messaging, it is important to make sure these folks are changing the passwords on their personal devices.

In some cases, we can look to the domain controllers to find out where the lock is occurring.  I found this handy script on Mike F Robbins' blog site (http://mikefrobbins.com/):


#Requires -Version 3.0

<#
.SYNOPSIS
    Get-LockedOutUser.ps1 returns a list of users who were locked out in Active Directory.
.DESCRIPTION
    Get-LockedOutUser.ps1 is an advanced script that returns a list of users who were locked out in Active Directory
    by querying the event logs on the PDC emulator in the domain.
.PARAMETER DomainName
    The domain whose PDC emulator is queried. The default is the current user's domain.
.PARAMETER UserName
    The userid of the specific user you are looking for lockouts for. The default is all locked out users.
.PARAMETER StartTime
    The datetime to start searching from. The default is three days before the current time.
.EXAMPLE
    Get-LockedOutUser.ps1
.EXAMPLE
    Get-LockedOutUser.ps1 -UserName 'mikefrobbins'
.EXAMPLE
    Get-LockedOutUser.ps1 -StartTime (Get-Date).AddDays(-1)
.EXAMPLE
    Get-LockedOutUser.ps1 -UserName 'mikefrobbins' -StartTime (Get-Date).AddDays(-1)
#>

[CmdletBinding()]
param (
    [ValidateNotNullOrEmpty()]
    [string]$DomainName = $env:USERDOMAIN,

    [ValidateNotNullOrEmpty()]
    [string]$UserName = "*",

    [ValidateNotNullOrEmpty()]
    [datetime]$StartTime = (Get-Date).AddDays(-3)
)

# Look up the PDC emulator for the domain and query its Security log remotely.
Invoke-Command -ComputerName (
    [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain((
        New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName))
    ).PdcRoleOwner.name
) {
    # Event ID 4740 is logged when a user account is locked out.
    Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740;StartTime=$Using:StartTime} |
    Where-Object {$_.Properties[0].Value -like "$Using:UserName"} |
    Select-Object -Property TimeCreated,
        @{Label='UserName';Expression={$_.Properties[0].Value}},
        @{Label='ClientName';Expression={$_.Properties[1].Value}}
} -Credential (Get-Credential) |
Select-Object -Property TimeCreated, UserName, ClientName


When you run this script, you will be prompted for a user name and password.  This user name must have access to the domain controllers.

.\Get-LockedOutUser.ps1 -UserName 'mike1'

Not only does this script look for individual accounts using the -UserName parameter, but you can leave off all the parameters and you will get a list of all the accounts on the domain that are currently locked out.

.\Get-LockedOutUser.ps1

I want to thank Mike F Robbins for writing a terrific script that has helped me many times.  I hope it can help you all, as well.

Mike

Monday, March 12, 2018

What Version of Windows Server Am I Using?

Greetings!

I have had occasions where I wanted to inventory all my servers and what version of Windows Server is running on those servers.  Larger companies can use System Center Operations Manager (SCOM) to get that information.  However System Center can be expensive and overkill for small to medium businesses.

In order to get the list I wanted, I used the following PowerShell script:

Import-Module ActiveDirectory

Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion |
Where-Object {$_.OperatingSystem -like '*server*'} |
Select-Object -Property Name, OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion



It is important to include the Import-Module command.  If the command is missing, the Get-ADComputer command will not work and you will get an error.

The output from the script will look like the following:



Name      OperatingSystem                     OperatingSystemServicePack   OperatingSystemVersion
----      ---------------                     --------------------------   ----------------------
Server1   Windows Server 2008 R2 Enterprise   Service Pack 1               6.1 (7601)
Server2   Windows Server 2008 R2 Enterprise   Service Pack 1               6.1 (7601)
Server3   Windows Server 2008 R2 Enterprise   Service Pack 1               6.1 (7601)




This script displays the ease of using PowerShell.  By using just a couple of commands, you can pull the information you want.

I hope you find this script helpful.  Good luck and happy scripting.

Mike

Monday, March 5, 2018

Powershell Notes For Professionals

Greetings!

As a person who really enjoys scripting in PowerShell, I am always looking for resources that focus on PowerShell.  The other day I got an email from GoalKicker.com offering a free document called "PowerShell Notes for Professionals."  This is a great reference that contains explanations and examples on everything from getting started with PowerShell to how to use hashtables to signing scripts...and much more.

Also, GoalKicker has many such documents on different programming languages.  Like I said, this is a tremendous resource for the scripter/programmer.  I highly recommend them.

That's what I have for this week.  Have fun!

Mike