Category Archives: PowerShell

How To: Powershell Get Local Administrators and Active Directory Nested Groups – SOX

For the past few years, I’ve been tasked with ensuring that our in-scope servers for Sarbanes-Oxley (SOX) have the correct users and groups in them. Before, we would have to screenshot the members of the local Administrators group and every group that is nested inside it. I decided to take the time to create a script that gets the local admins of the server and writes the output to a transcript file.

Script to get Server Local Administrators:

I named the script Get-ServerLocalAdministrators:

The steps the PowerShell script goes through are:

  • Get domain and server
  • Import PowerShell Modules
  • Get Date and Time
  • Get the working directory
  • Convert the domain and computername to upper and lower for pattern matches
  • Start the transcript in the current directory and use some variables for naming the transcript
  • Get the server’s local Administrators group object using Get-WmiObject and a Where clause on the group component
  • Get the members of the local admins and determine whether each is a user or a group
  • If user, put it in the transcript and tag the entry as a user
  • If group, put the group in a variable to loop through later
  • In the transcript, I’m doing a Write-Host to tag each group. If the group has a sub group (nested group), then put that in another variable to loop through that as well

Since we have group members that are cross-domain, I had to include the -Server parameter: get the object’s distinguished name and use that for -Server.
The only line you have to change in this script (because I was lazy) is line 32, which you set to your domain. So, if your server FQDN is server.subdomain.domain.com you would call this “Domain.com”; if it was simply “server.domain.com” then you would call this “com”.

Limitations: This script only loops through two levels of Active Directory groups on the server. So, if you have nested groups deeper than that, it won’t continue further. I’m going to rewrite this to do full recursion in a function, so you can look for that post in the future.
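The post’s own script was not preserved with the page, so here is an added example (not the author’s Get-ServerLocalAdministrators) that does the same walk: Win32_GroupUser to find the local Administrators members, then a recursive AD expansion. It goes beyond the two-level limit described above by recursing to any depth and keeping a “seen” table so a circular nesting cannot loop forever, and it derives each member’s domain from its distinguished name instead of a hard-coded domain. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read group membership in every domain it encounters.

```powershell
# Added example, not the original post's script.
# Assumes: ActiveDirectory module present; the caller can read group
# membership in each domain that the nested groups live in.
Import-Module ActiveDirectory

$Computer = $env:COMPUTERNAME
$Stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
Start-Transcript -Path (Join-Path (Get-Location) "$Computer-LocalAdmins-$Stamp.txt")

function Expand-AdGroup {
    param(
        [string]$Identity,         # sAMAccountName or DN of the group
        [string]$Server,           # domain (or DC) that owns the group
        [int]$Depth = 0,
        [hashtable]$Seen = @{}     # DNs already expanded: stops circular nesting
    )
    $indent = '  ' * $Depth
    $group  = Get-ADGroup -Identity $Identity -Server $Server
    if ($Seen.ContainsKey($group.DistinguishedName)) {
        Write-Output "${indent}[GROUP] $($group.Name) (already listed above)"
        return
    }
    $Seen[$group.DistinguishedName] = $true
    Write-Output "${indent}[GROUP] $($group.DistinguishedName)"

    foreach ($m in (Get-ADGroupMember -Identity $group.DistinguishedName -Server $Server)) {
        # Derive the member's own domain from its DN so cross-domain members resolve
        $memberDomain = (($m.DistinguishedName -split ',DC=') | Select-Object -Skip 1) -join '.'
        if ($m.objectClass -eq 'group') {
            Expand-AdGroup -Identity $m.DistinguishedName -Server $memberDomain -Depth ($Depth + 1) -Seen $Seen
        } else {
            Write-Output "${indent}  [USER] $memberDomain\$($m.SamAccountName)"
        }
    }
}

# Win32_GroupUser links every local group to its members; keep only the rows
# whose GroupComponent is this machine's Administrators group.
$pattern = 'Domain="' + [regex]::Escape($Computer) + '",Name="Administrators"'
$links = Get-WmiObject -Class Win32_GroupUser -ComputerName $Computer |
    Where-Object { $_.GroupComponent -match $pattern }

foreach ($link in $links) {
    # PartComponent looks like \\HOST\root\cimv2:Win32_UserAccount.Domain="CORP",Name="jdoe"
    if ($link.PartComponent -match 'Win32_(\w+)\.Domain="([^"]+)",Name="([^"]+)"') {
        $class, $dom, $name = $Matches[1], $Matches[2], $Matches[3]
        if ($class -eq 'Group' -and $dom -ne $Computer) {
            Expand-AdGroup -Identity $name -Server $dom
        } else {
            Write-Output "[USER] $dom\$name"
        }
    }
}

Stop-Transcript
```

Get-ADGroupMember stops at the default result-size limit (5000 members) and cannot expand foreign security principals from another forest, so a very large group or a cross-forest trust still needs a manual check in the transcript.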


Adding Folder Permissions to IIS_IUSRS via Powershell

For you scripting guys who want to automate everything: for website deployments, you can modify your permissions using the NTFSSecurity module. This is a simple way to modify ACLs with PowerShell, and it is much easier than doing it by hand…

First download the module from here: https://ntfssecurity.codeplex.com/

I would put it in your modules directory on the server. Then check that it is visible with Get-Module -ListAvailable and load it with Import-Module NTFSSecurity.

Now, on to the simple and easy code:

You can also use the following AccessRights values. You should be able to pass any access-right name as the parameter, but these are the most common:
  • Modify
  • Read

Also, as a note, IIS_IUSRS is a special internal group that you shouldn’t/can’t prefix with the computer or domain name.

For the Network Service or IUSR identities, you have to use “NT AUTHORITY\NETWORK SERVICE” or “NT AUTHORITY\IUSR”.
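The post’s code block did not survive extraction, so the following is an added example (not the author’s) of the NTFSSecurity calls described above. It assumes the module is already imported, and the site path and upload folder are constructed sample values. It grants the worker-process group only what each folder needs: read-and-execute on the site content and Modify only on the one folder the application writes to.

```powershell
# Added example; paths below are constructed, not from the original post.
Import-Module NTFSSecurity

$site    = 'D:\Sites\Contoso'                 # constructed sample path
$uploads = Join-Path $site 'App_Data\Uploads'  # the only folder the app writes to

# Least privilege: the worker process reads and runs the site content...
Add-NTFSAccess -Path $site    -Account 'IIS_IUSRS' -AccessRights ReadAndExecute

# ...and gets Modify only where it genuinely has to write.
Add-NTFSAccess -Path $uploads -Account 'IIS_IUSRS' -AccessRights Modify

# Built-in identities carry the NT AUTHORITY prefix; IIS_IUSRS takes none.
Add-NTFSAccess -Path $site -Account 'NT AUTHORITY\IUSR' -AccessRights Read

# Verify what was actually written to the ACL (explicit entries only).
Get-NTFSAccess -Path $site, $uploads |
    Where-Object { -not $_.IsInherited } |
    Format-Table Account, AccessRights, AccessControlType, IsInherited -AutoSize
```

If you later need to take a right away, Remove-NTFSAccess takes the same -Path, -Account and -AccessRights parameters, which makes the deployment script symmetric.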


How To: Modify Trusted Hosts to connect via Powershell

We have to connect to untrusted machines via PowerShell. To do this, you have to add the machines to the WinRM TrustedHosts list.

First, if you have settings in there run this command to get a backup:

Then to get them to modify:

Copy that out, add your hosts to it comma-delimited, and set it with PowerShell:

To use it in code (so it doesn’t ask you if you’re sure), you can force it by using the -Force switch.

Then check again:
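The individual commands were stripped from the post, so here is an added example (not the author’s) that carries out the four steps in one go: back up the current value, merge in the new hosts without duplicates, write it with -Force, and read it back. The host names are constructed samples, and the script must run in an elevated PowerShell because the WSMan client configuration is machine-wide.

```powershell
# Added example; host names are constructed. Run elevated.
$path = 'WSMan:\localhost\Client\TrustedHosts'

# 1. Back up what is there (an empty string when nothing is configured)
$current = (Get-Item $path).Value
$backup  = "$env:USERPROFILE\TrustedHosts-backup-$(Get-Date -Format yyyyMMdd-HHmmss).txt"
$current | Out-File -FilePath $backup
"Current value: '$current' (saved to $backup)"

# 2. Merge the new hosts in, keeping the existing entries and dropping duplicates
$toAdd  = 'srv-dmz-01.example.net', '10.20.30.40'
$list   = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$merged = (@($list) + $toAdd | Select-Object -Unique) -join ','

# 3. Write it; -Force suppresses the confirmation prompt so this can run unattended
Set-Item -Path $path -Value $merged -Force

# 4. Check
(Get-Item $path).Value
```

Set-Item on this path also accepts a -Concatenate switch that appends to the existing value, which is a shorter way to do step 2 when you do not need the duplicate check. Keep the list to specific names or addresses: a host in TrustedHosts is one the client will send NTLM credentials to without verifying its identity, which is exactly why “*” is a bad entry.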


PowerShell How To: Find all users where account is inactive

I was recently asked to find all the users in Active Directory whose account was inactive.

There is a PowerShell cmdlet called Search-ADAccount that you can use to find inactive accounts by using the parameter -AccountInactive.

This is kind of crude but works well. I couldn’t figure out how to get the headers into the CSV, so I simply did a Write-Output for the first section.
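The author’s script is missing from the page, so this is an added example (not the author’s) of the same Search-ADAccount -AccountInactive query, written so that Export-Csv produces the header row that the post had to emulate with Write-Output. It assumes the ActiveDirectory module and a 90-day inactivity window, which is a common choice rather than anything the post states.

```powershell
# Added example; not the original post's script.
Import-Module ActiveDirectory

function Get-InactiveUserReport {
    param(
        [int]$Days = 90,                          # inactivity window (assumption)
        [string]$OutFile = '.\inactive-users.csv'
    )
    $span = New-TimeSpan -Days $Days

    Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
        Where-Object { $_.Enabled } |             # still-enabled inactive accounts are the access-review finding
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated, Description
        } |
        Select-Object SamAccountName, Name, Enabled, LastLogonDate, whenCreated, Description, DistinguishedName |
        Sort-Object LastLogonDate |
        Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8   # Export-Csv writes the header row itself

    Import-Csv -Path $OutFile | Measure-Object | Select-Object -ExpandProperty Count
}

$count = Get-InactiveUserReport -Days 90
"Wrote $count enabled-but-inactive user accounts"
```

LastLogonDate comes from the lastLogonTimestamp attribute, which domain controllers only replicate when it is more than about 14 days stale, so the report is accurate to roughly two weeks; an account that has never logged on shows an empty LastLogonDate, which is why whenCreated is included.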


How to change the Friendly Name on a certificate -Windows

I ran into the situation where someone created and applied a certificate in IIS and the friendlyName was wrong. During automatic deployments of the software, they would call into the cert store and select the certificate to use for their 443 bindings based on the friendly name. The certificate was named wrong and wouldn’t get applied during deployment or it would apply the wrong one.

Here is how to fix this using PowerShell without re-issuing the certificate.

Open up PowerShell with administrative rights and change your location to the certificate store.

We will change the friendly name of the certificate from wrong_internal_wildcard to right_internal_wildcard.

In the above example, I have done the following:

    1. Opened PowerShell
    2. Set-Location to the certificate store by typing Set-Location cert:
    3. Listed out the certs by typing Get-ChildItem
    4. Located the cert I wanted to change the friendly name of
    5. Put that cert in a variable so I could view its properties
    6. Verified that the cert is the right one by typing $cert.FriendlyName
    7. Then changed the friendly name by typing $cert.FriendlyName = “right_internal_wildcard”
    8. Lastly, I verified the cert friendly name by typing $cert.FriendlyName
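The session transcript the post refers to is not on the page, so here is an added example (not the author’s) that performs the same steps as a script, with two checks a deployment engineer would want: it refuses to continue unless exactly one certificate matches, and it re-reads the certificate from the store afterwards to confirm the new name persisted. It assumes the LocalMachine\My store (the one IIS binds from) and therefore an elevated PowerShell.

```powershell
# Added example; not the original post's session. Run elevated.
Set-Location Cert:\LocalMachine\My

# Step 3: list what is in the store so the right one can be picked
Get-ChildItem | Select-Object Thumbprint, FriendlyName, Subject, NotAfter | Format-Table -AutoSize

# Steps 4-5: locate the mis-named cert and put it in a variable
$wrongName = 'wrong_internal_wildcard'
$rightName = 'right_internal_wildcard'
$matches   = @(Get-ChildItem | Where-Object { $_.FriendlyName -eq $wrongName })

if ($matches.Count -eq 0) { throw "No certificate with friendly name '$wrongName' in LocalMachine\My" }
if ($matches.Count -gt 1) { throw "$($matches.Count) certificates share the name '$wrongName'; pick one by thumbprint instead" }
$cert = $matches[0]

# Step 6: confirm it really is the certificate you mean before renaming it
"Before: $($cert.FriendlyName)  Subject=$($cert.Subject)  Thumbprint=$($cert.Thumbprint)"

# Step 7: the friendly name is a store property, not part of the signed X.509
# certificate, so changing it neither breaks the signature nor needs a re-issue
$cert.FriendlyName = $rightName

# Step 8: re-read from the store rather than trusting the in-memory object
$check = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
"After:  $($check.FriendlyName)"
```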

Disable SSLv2, SSLv3 and Enable TLS 1.2 and pass the Qualys SSL Test

I was tasked with securing one of our internet-facing web servers against the POODLE SSL vulnerability and weaker old SSL technologies. After doing many searches online, I finally wrote a script to run against our Windows 2008 R2 server to disable the protocols in IIS via the registry. The following is a simple script that you can run to change the SCHANNEL settings to make your server secure.

FIRST and most important, back up the registry hive that you will be changing. << You have been warned! Do this by going to the following hive, right-clicking it and exporting the hive:

HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

Then simply run this script and reboot your server:
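The script itself was lost from the page, so the following is an added example (not the author’s) that does what the post describes: it exports the Protocols hive first and stops if that export failed, then sets Enabled and DisabledByDefault under both the Server and Client subkeys for each protocol. The protocol list mirrors the post (SSL 2.0 and SSL 3.0 off, TLS 1.2 on); adding other protocols to either list is the only change needed to extend it.

```powershell
# Added example; not the original post's script. Run elevated, then reboot.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$backup = "$env:SystemDrive\SCHANNEL-Protocols-$(Get-Date -Format yyyyMMdd-HHmmss).reg"

# Backup first; refuse to touch anything if the export did not land on disk
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $backup /y | Out-Null
if (-not (Test-Path $backup)) { throw 'Registry backup failed; no changes made' }
"Backup written to $backup"

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$Name\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 switches the protocol off; DisabledByDefault=1 additionally
        # stops applications that ask for "system defaults" from negotiating it.
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Force `
            -Value $(if ($Enabled) { 1 } else { 0 }) | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Force `
            -Value $(if ($Enabled) { 0 } else { 1 }) | Out-Null
    }
}

'SSL 2.0', 'SSL 3.0' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $false }
'TLS 1.2'            | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $true }

# Show the resulting values; SCHANNEL only reads them at boot, hence the reboot
Get-ChildItem -Path $base -Recurse |
    Get-ItemProperty |
    Select-Object PSPath, Enabled, DisabledByDefault |
    Format-Table -AutoSize
```

On Windows Server 2008 R2 TLS 1.2 is present but off until these keys enable it, which is why the post turns it on explicitly rather than only removing the SSL entries.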


SSH with Powershell: Backup multiple Cisco devices

Today, I was asked to write a script to connect to all our Cisco devices and back up the configs to our fileserver. After a few hours of figuring it out, this is what I came up with.

You ONLY need a READ ONLY account on the Cisco devices.

We run this every day at 2:00 AM and backup many Cisco devices.

I downloaded and use this SSH.NET Library: SSH With Powershell

You have to move it to your PowerShell modules directory and then run Import-Module.
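The post’s script is not on the page and it does not name the cmdlets of the module it links, so this added example (not the author’s) uses the Posh-SSH module, which is also built on SSH.NET; that choice, the device names and the backup share are all assumptions. It reads the read-only account’s credential from a DPAPI-protected file saved once with Get-Credential | Export-Clixml instead of embedding a password in the scheduled script, and it writes one file per device per day.

```powershell
# Added example; assumes the Posh-SSH module (SSH.NET based). Names are constructed.
Import-Module Posh-SSH

$devices  = 'sw-core-01.example.net', 'rtr-edge-01.example.net'   # constructed device names
$dest     = '\\fileserver\backups\cisco'                          # constructed share
$credFile = Join-Path $env:USERPROFILE 'cisco-readonly.cred'      # made once: Get-Credential | Export-Clixml $credFile
$cred     = Import-Clixml -Path $credFile                          # readable only by this user on this machine
$stamp    = Get-Date -Format 'yyyyMMdd'

foreach ($d in $devices) {
    $session = $null
    try {
        # -AcceptKey trusts the host key the device presents on first contact, so compare the
        # fingerprint Posh-SSH stores (Get-SSHTrustedHost) with the device's own before relying on it.
        $session = New-SSHSession -ComputerName $d -Credential $cred -AcceptKey -ErrorAction Stop
        $result  = Invoke-SSHCommand -SessionId $session.SessionId -Command 'show running-config' -TimeOut 60

        if (-not $result.Output) { throw 'device returned no configuration text' }

        $file = Join-Path $dest "$d-$stamp.cfg"
        $result.Output | Out-File -FilePath $file -Encoding ASCII
        Write-Output "$d : saved $(@($result.Output).Count) lines to $file"
    } catch {
        Write-Warning "$d : $($_.Exception.Message)"
    } finally {
        if ($session) { Remove-SSHSession -SessionId $session.SessionId | Out-Null }
    }
}
```

Because the output goes to a date-stamped file, a diff between two days’ files is a quick way to spot an unreviewed configuration change on a device.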


How To: Import AD Users from .csv file

I had a project that required me to make over 40 domain accounts. I decided that it was time to create all the domain accounts with a PowerShell script. The script I came up with uses an import CSV file with all the accounts and info I needed in it. Make sure you take the time to plan a naming convention for your AD accounts. In this case, they were a type of service account for many different environments. To keep it quick, I decided not to auto-generate the passwords, so I simply put them in the CSV file and removed them when I was done. Well, it took me a day or so to figure out my script to create AD accounts because I had problems…

My troubleshooting was a bit flawed, but I didn’t know it until the very end (after running for all the users). I was having problems with the script ending in an error. This is a very generic error. I knew that my accounts had spaces in them for $GivenName, $Surname and $Name. So, I went through the trouble of making sure that my variable properties with spaces had “” around them. Yes, that’s a pair of double quotes. The display name I wanted to use had GivenName and Surname in it with a space. So it looks like this: Displayname = ($User.”GivenName”+” “+$User.”Surname”). The quotes around “GivenName” allowed me to use two names in the GivenName column of the .csv file, and the same for “Surname”. This way I can create an account that looks like: First Second Third Fourth. In other words, my “GivenName” in my CSV was First Second, so I had to put “” around it in the script so it would read it as one word. What I missed is that after everything was put together, the fields were over 20 characters. Well, the limit on Windows 2008 account “Names” is 20 characters. When I ran my script and found that it didn’t create about half of them, I started analyzing the .csv file to figure out why it didn’t work. I found out that the ones that didn’t get created were the ones that were over 20 characters.

Here is the script. You will notice that I’ve got a comment in the script for the .csv file’s header fields. You can add to them or remove as needed. I think it’s easier to view the powershell references on Microsoft’s site. Here is the link to Set-ADUser cmdlet: http://technet.microsoft.com/en-us/library/ee617215.aspx. For each property, you need it in the script and in the .csv file. If there are special characters or spaces. Remember to use the “” around it in the script. Also, make sure you are not exceeding the field length in AD for each property. The sAMAccountName (pre-Windows 2000 logon name) is limited to 20 characters for user objects. This is what got me a few times 🙁

Let me know if you need anything below explained! I’ll answer all comments on this the same day if I can.
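The post’s own script is missing from the page, so this added example (not the author’s) shows the CSV-driven New-ADUser loop the text describes, with the one check the author learned the hard way: it measures sAMAccountName against the 20-character limit before calling New-ADUser and reports the skipped rows instead of failing silently. The CSV is constructed inline as a here-string so the block runs as-is; in practice you would Import-Csv the file. The column names, OU and passwords are sample values, and the target domain is read from Get-ADDomain.

```powershell
# Added example; not the original post's script. CSV content below is constructed.
Import-Module ActiveDirectory

$csv = @'
GivenName,Surname,SamAccountName,Password,OU,Description
"First Second","Third Fourth",svc-build-dev,P@ssw0rd-replace-me,"OU=Service Accounts,DC=corp,DC=example,DC=com",Build service - DEV
"Alex","Example",svc-report-qa-environment-too-long,P@ssw0rd-replace-me,"OU=Service Accounts,DC=corp,DC=example,DC=com",Report service - QA
'@
$users = $csv | ConvertFrom-Csv        # real run: $users = Import-Csv -Path .\accounts.csv

$domainDns = (Get-ADDomain).DNSRoot    # used for the UPN suffix

foreach ($u in $users) {
    # Pre-flight the limit that cost the author half of his accounts:
    # sAMAccountName (pre-Windows 2000 logon name) is capped at 20 characters.
    if ($u.SamAccountName.Length -gt 20) {
        Write-Warning "$($u.SamAccountName): sAMAccountName is $($u.SamAccountName.Length) chars (max 20); skipped"
        continue
    }

    # Column names with spaces or odd characters must be quoted, e.g. $u."Given Name"
    $name = "$($u.'GivenName') $($u.'Surname')"

    $params = @{
        Name                  = $name
        DisplayName           = $name
        GivenName             = $u.GivenName
        Surname               = $u.Surname
        SamAccountName        = $u.SamAccountName
        UserPrincipalName     = "$($u.SamAccountName)@$domainDns"
        Path                  = $u.OU
        Description           = $u.Description
        AccountPassword       = (ConvertTo-SecureString -String $u.Password -AsPlainText -Force)
        Enabled               = $true
        ChangePasswordAtLogon = $false   # a service account cannot answer a change-password prompt
    }

    try {
        New-ADUser @params -ErrorAction Stop
        Write-Output "Created $($u.SamAccountName) ($name)"
    } catch {
        # Surface the real reason per row instead of one generic failure at the end
        Write-Warning "$($u.SamAccountName): $($_.Exception.Message)"
    }
}
```

As the post notes, a CSV that carries passwords must be deleted (or the passwords rotated) as soon as the run is finished; the per-row try/catch also means one bad row no longer stops the rest of the import.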

I’m a seasoned Systems Administrator with experience starting in the early 90s, when 286 computers with 20 and 30 MHz processors ran Windows 3.1, which was the newest operating system.

…and that’s the way Ed does it 🙂 — Thanks Scott J. for that 🙂


Connect remotely to a computer with powershell and get ipconfig /all from it

Are you looking to connect remotely to a computer and run PowerShell commands? Below is a simple one-liner that will connect to a computer, run ipconfig /all, and display the result on your computer.

If it doesn’t work, you may have to enable WinRM on the remote computer. This can be done with Group Policy or simply by typing winrm quickconfig at the command prompt on the computer you want to connect to. This has to be done beforehand, so there may be some prep involved, but once you have WinRM enabled on all your computers, you can connect with PowerShell and run all sorts of commands.

Here is
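The one-liner itself is missing from the page; as an added example (not the author’s), here it is wrapped in a small function that first checks whether WinRM answers on each host, so the “enable WinRM first” case described above produces a clear warning rather than a cryptic error. The computer names are constructed, and the optional -Credential is an assumption for when the remote machine is in another domain.

```powershell
# Added example; computer names are constructed.
function Get-RemoteIpConfig {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential            # optional, e.g. for a machine in another domain
    )
    foreach ($c in $ComputerName) {
        # Pre-flight: is the WinRM listener up and answering on this host?
        if (-not (Test-WSMan -ComputerName $c -ErrorAction SilentlyContinue)) {
            Write-Warning "$c : WinRM not reachable (run 'winrm quickconfig' or Enable-PSRemoting on it first)"
            continue
        }

        # The one-liner from the post, parameterised: run ipconfig /all on the remote box
        $params = @{ ComputerName = $c; ScriptBlock = { ipconfig /all } }
        if ($Credential) { $params.Credential = $Credential }

        Invoke-Command @params | ForEach-Object { "[$c] $_" }   # prefix each line with its source host
    }
}

Get-RemoteIpConfig -ComputerName 'SRV01', 'SRV02'
```

The bare one-liner is just the Invoke-Command line: Invoke-Command -ComputerName SRV01 -ScriptBlock { ipconfig /all }.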


How to Get The Logged On User on a Remote Windows Machine

This one is super cool and you will amaze your boss. Many times, I’m asked if I can find who is logged into a machine.

As long as you have PSRemoting enabled across your network you can run this:

Also, replace IP or name with the IP address or computer name of the computer.

Or you can do a | select * and it will give you more info.
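The command the post ran is not on the page; the UserName property of Win32_ComputerSystem, read over PSRemoting, is the usual way to answer this question and matches the “| select *” hint above, so that is what this added example (not the author’s) uses. The computer name is constructed. It wraps the query in a function that handles the two cases a help-desk script meets: nobody is logged on at the console, and the host cannot be reached.

```powershell
# Added example; computer name is constructed.
function Get-LoggedOnUser {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            # Runs over PSRemoting (WinRM), so the same prerequisite as the post
            $cs = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                Get-WmiObject -Class Win32_ComputerSystem
            }
            [pscustomobject]@{
                Computer = $c
                UserName = $(if ($cs.UserName) { $cs.UserName } else { '(no interactive console user)' })
                Model    = $cs.Model
            }
        } catch {
            Write-Warning "$c : $($_.Exception.Message)"
        }
    }
}

Get-LoggedOnUser -ComputerName 'WS-0142'

# Everything the class exposes, as the post suggests:
# Invoke-Command -ComputerName WS-0142 -ScriptBlock { Get-WmiObject Win32_ComputerSystem } | Select-Object *
```

UserName only reports the user at the interactive console, so on a server with several RDP sessions it can be empty while people are still connected; quser run through the same Invoke-Command lists every session.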
