Thursday, 1 September 2016

Importing, looping and looping some more..

I've had some issues deploying PowerShell scripts recently via SCCM because some of our clients remain on old versions of the Windows Management Framework and PS2.0. To get around the issue I wrote a short script that makes the required changes from my own machine - or some other, logged on with the appropriate rights.

The example script imports the contents of a specified CSV file, loops through each computer, loops through each user profile on that computer and manipulates an ini file, if found, within any user profile on the device.

       


$Computers = Get-Content "\\server\some\share\computers.csv"

# Loop through computers

foreach ($computer in $computers)
{
 Write-Host "Connecting to $computer"
 $CheckComp = Test-Path "\\$computer\C$"
 
 #If computer is offline
 if ($CheckComp -eq $False)
 {
  Write-Host -fore Red "Can't contact $computer - is it online?"
  sleep 1
  #exit
 }
 
 #If computer is online
 if ($CheckComp -eq $True)
 {
  # Grab the remote contents of C:\Users
  $users = get-childitem "\\$computer\C$\Users\"
  
  # Loop through the remote users and manipulate the .ini file
  foreach ($user in $users)
  {
   $Path = "\\$computer\C$\Users\$user\AppData\Roaming\SomeApplication\LicenseDetails.ini"
   $PathExists = Test-Path $path
   if ($PathExists -eq $true)
   {
    (Get-Content $Path).replace('proxyUse=-1', 'proxyUse=-0') | set-content $Path
    (Get-Content $Path).replace('proxyHost=proxy.some.company.com', 'proxyHost=') | set-content $Path
    (Get-Content $Path).replace('proxyPort=8080', 'proxyPort=') | set-content $Path
    write-host "$user's license file changed"
   }
  }
  
  }
 }

       
 

Friday, 1 July 2016

PowerShell Disk Monitor

Added V1 of my PowerShell Disk Monitor to the TechNet Gallery today.

This is a script written in PowerShell to deliver HTML disk reports via email, based on customisable, per-disk thresholds. It is designed to work in conjunction with a scheduled task.

You can find it with usage notes here - https://gallery.technet.microsoft.com/PowerShell-Disk-Monitor-08b6d759

Monday, 27 June 2016

Lansweeper: Add 'Uptime' to your reports

Found a really useful post here on how to add system uptime to your Lansweeper reports. Add the following to your query to add an additional 'Uptime' column
       

Cast(DateDiff(d, 0, DateAdd(second, DateDiff(s, tblAssets.Lastseen, GetDate()) + 
tblAssets.Uptime, 0)) As VARCHAR(15)) + ' day(s) ' + Convert(VARCHAR(8),DateAdd(second, 
DateDiff(s, tblAssets.Lastseen, GetDate()) + tblAssets.Uptime, 0),108) As Uptime

       
 

Monday, 9 May 2016

Automated Report of Domain Admins using PowerShell

This is a short and simple PowerShell script to output all direct and indirect members of the default Active Directory, Domain Admins group to a CSV. 

To setup the process, take the code below, adjust accordingly and save to a computer with access to the Active Directory PowerShell module.

In the format below, the script will output the Name, Date account was created, Date password was last set, whether the user can change the password, if the account is enabled and finally, the SID.

The above information is outputted to the folder $Path and the default file name is DomainAdmins_dd-MM-yyyy.csv

Items in bold should be correctly configured.

       

Import-Module ActiveDirectory

$Today = Get-Date -Format dd-MM-yyyy
$Path = "\\some\path"
$File = "DomainAdmins" + "_" + $Today + ".csv"

Get-ADGroupMember "Domain Admins" -Recursive | Get-ADUser -Properties PasswordLastSet,CannotChangePassword,Enabled,SID,Created | Select-Object Name,Created,PasswordLastSet,CannotChangePassword,Enabled,SID | export-csv -path "$Path\$File.csv" -NoTypeInformation

       
 


To automate this task, save it to a machine where the AD PowerShell module is available and build a scheduled task suited to your requirements.


General
- Name: Domain Admins Report
- When running the task, use the following user account: domain\service-account
- Run whether user is logged on or not


Triggers
Begin the task: On a schedule
Settings - Weekly
Start *SomeDate* 22:00:00
   - Recur every: 1 weeks on Friday
Stop task if it runs longer than 1 hour (or 30mins for a small environment)
Enabled

Actions
Action: Start a program

Settings
Program/script: powershell.exe
Add arguments (optional): -nologo -File "C:\Scripts\ReportDomainAdmins.ps1"


Right click your newly created task and select 'Run' to test.


Tuesday, 3 May 2016

Account Lockout Notifications using PowerShell


This is a short and simple PowerShell script to alert an administrative mailbox, group mailbox or even the account in question that its account has locked out.

To setup the process, take the code below, adjust accordingly and save to your PDC, the DC your lockouts will always hit.

In the format below the script will send an email to $MailTo, from $MailFrom with a subject of $MailSubject via mail server $SMTPServer on port $SMTPPort.
The content of the email is held within $MailBody.

Items in bold should be correctly configured.

       

Import-Module ActiveDirectory

$AccountLockOutEvent=Get-EventLog -LogName "Security" -InstanceID 4740 -Newest 1
$LockedAccount = $($AccountLockOutEvent.ReplacementStrings[0])
$AccountLockOutEventTime = $AccountLockOutEvent.TimeGenerated
$AccountLockOutEventMessage = $AccountLockOutEvent.Message

$ADUserDisplayName = (Get-ADUser $LockedAccount -Properties DisplayName).DisplayName

$MailFrom = "AccountLockout@company.co"
$MailTo = "SomeUser@company.co"
$SMTPServer = "mailserver.company.local"
$SMTPPort = "25"
$MailSubject = "User Account Locked Out: $LockedAccount / $ADUserDisplayName" 
$MailBody = "Account $LockedAccount was locked out on $AccountLockOutEventTime.`n`nEvent Details:`n`n$AccountLockOutEventMessage`n`nUser: $ADUserDisplayName"

$EmailMessage = New-Object System.Net.Mail.MailMessage($MailFrom , $MailTo)
$emailMessage.Subject = $Mailsubject
$emailMessage.Body = $Mailbody

$SmtpClient = New-Object System.Net.Mail.SmtpClient($SMTPServer, $SMTPPort)
$SmtpClient.Send($emailMessage)

       
 


The second and final step is to configure a scheduled task to run when a 4740 error (Account Locked Out) is logged to the security event log.

The parameters for my scheduled task are as follows:


General
- Name: Account Lockout Email
- Run whether user is logged on or not

Triggers
Begin the task: On an event
Settings - Basic
Log: Security 
Source: Microsoft Windows security audting.
Event ID: 4740
Enabled: True

Actions
Action: Start a program

Settings
Program/script: powershell.exe
Add arguments (optional): -nologo -File "C:\Scripts\EmailOnLockout.ps1"




Tuesday, 15 March 2016

Comparison of VMXNet3 vs. E1000E


I'm a big fan of VMWare and we utilise their products heavily day to day. I found the following post whilst looking for some detailed information on the various virtual network adapters available.

The results are fascinating and have prompted me to rethink existing adapter selection, as well as future.

Credit to Rickard Nobel for the post - 

http://rickardnobel.se/vmxnet3-vs-e1000e-and-e1000-part-1/

Pushing Lync phone updates to a test device


As we look to move away from SHA-1 internally, there is a need to once again update our Lync Phone edition devices, this time with the December 2015 phone edition cumulative update that provides support for SHA-2 based certificates ( https://support.microsoft.com/en-us/kb/3108721 )


The process is very simple to implement, though you'll need some patience...



First of all, you'll need to bring your updates into your Lync environment. You can't do this via the GUI so you'll need to jump into the Lync Management Shell.


The cmdlet you want is Import-CsDeviceUpdate (Technet page here)


The parameters you'll want to use are -identity , used to point the cmdlet to your pool and -FileName to point to your extracted UCUpdates.cab


Something like...


       

            Import-CsDeviceUpdate -Identity service:WebServer:lync.dshu.local -FileName C:\Updates\UCUpdates.cab

       
 
The cmdlet will take a few seconds to complete but once done, the updates should be visible within the Lync Server Control Panel > Clients > Device Update. Devices should now show a Pending Version


You can also confirm the import was successful by accessing the Lync File Share and looking inside the Device Update Store -


\\localhost\lyncshare\1-WebServices-1\DeviceUpdateStore\UCPhone\POLYCOM\CX600\Rev-6\ENU\4.0.7577.4487\CPE


Now that your updates are imported, you can configure your test device..




  1. Open the Lync Server Control Panel
  2. Go to Clients > Test Device
  3. New > Global / Site Test Device
  4. Give the device a name that makes sense and then add the phone’s MAC address or serial number in the "Unique identifier" field
  5. Now wait...or...
The theory goes that the device will check to see if there are updates available within a minute of going idle. Once this timer is hit, the device will wait for a further 10minutes before beginning the installation - the idea being that the device is truly idle and can be updated without impacting upon a user. However, if you reboot the phone it will sign itself back in (assuming it was signed in), lock and immediately start your inactivity timer.

Logs can be found in C:\inetpub\logs\LogFiles\W3SVC and will give you an idea as to what is going on throughout the process. 


The key to having your device update as quickly as possible is to leave it alone - resist the temptation to touch it!


FYI - Updates do not need to be approved to be installed by test devices

Tuesday, 1 March 2016

Deploying a Powershell script via SCCM 2012


Create your package as normal, in my example I created a package that will house all of my PS scripts. Make sure it's distributed to all of your DPs / Dist groups.

Once created, setup your package with the following program for each script - 

       

            powershell.exe -executionpolicy Bypass -nologo -noninteractive -file .\SomeScript.ps1

       
 

Et voilĂ !

Wednesday, 17 February 2016

Lync/SfB Federation Finder

This is a simple PowerShell script I wrote to assist in locating a 3rd party federated edge server.

The script takes user input to then use DNS to attempt to resolve _sipfederationtls._tcp.somedomain 

       
$Domain = Read-Host "Domain to find SIP Federation SRV record for?
$SRVRecord = Resolve-DnsName -Name ("_sipfederationtls._tcp." + $Domain) -Type SRV
$SRVRecord
       
 

PerfC Vaccination for ExPetr/Petya/NotPetya Wiper

This is a script I've written to 'vaccinate' our domain against the ExPetr/Petya/NotPetya Wiper. In short, it finds all comput...