Tag Archives: Powershell

How To: Powershell Get Local Administrators and Active Directory Nested Groups – SOX

For the past few years, I’ve been tasked with ensuring that our in-scope servers for Sarbanes-Oxley (SOX) have the correct users and groups in them. Before we would have to screen shot the members of the local admins and all the groups that are in the local admins. I decided to take the time to create a script that gets the local admins of the server and write the output to a transcript file.

Script to get Server Local Administrators:

I named the script Get-ServerLocalAdministrators:

The steps the PowerShell script goes through are:

  • Get domain and server
  • Import PowerShell Modules
  • Get Date and Time
  • Get the working directory
  • Convert the domain and computername to upper and lower for pattern matches
  • Start the transcript in the current directory and use some variables for naming the transcript
  • Get the server’s local administrators object using Get-WmiObject and a where cause for the group component
  • Get the members of the local admins and determine if it’s a user or group.
  • If user, put it in the transcript and tag the user as uer
  • If Group, put the group in a variable to loop through later
  • In the transcript, I’m doing a Write-Host to tag each group. If the group has a sub group, (nested group), then put that in another variable to loop through that as well

Since we have Group Memebers that are cross domain, I had to include the -Server paramater get the object’s distinguished Name and use that for -Server.
The only line you have to change in this script (because I was lazy) is to change line 32 to your domain. So, if your server FQDN is server.subdomain.domain.com you would call this “Domain.com” if it was simply “server.domain.com” then you would call this “com”.

Limitations: This script only loops through to levels of Active Directory groups on the server. So, if you have nested groups more than that, it won’t continue deeper. I’m going to rewrite this to do full recursion in a function so you can look for that post in the future.

Adding Folder Permissions to IIS_IUSRS via Powershell

For you scripting guys that want to automate everything, For website deployments, you can modify your permissions using the NTFSSecurity Module. This is a simple way to modify ACL’s with powershell. Much easier to use the NTFSSecurity module…

First download the module from here: https://ntfssecurity.codeplex.com/

I would put it in your modules directory on the server. Then import the module with Get-Module -ListAvailable and Import-Module NTFSSecurity.

Now, on to the simple and easy code:

You can also use the following AccessRights. Actually, you should be able to get any name as the parameter but these are the most common:

Also, as a note, IIS_IUSRS is a special internal group that you shouldn’t/can’t prefix with the computer or domain name.

For the Network Service or IUSR, you have to use “NT AUTHORITY\NETWORK SERVICE” OR “NT AUTHORITY\IUSR”

Install / Setup Docker on Windows Server 2016

I’ve been working on installing Docker on Server 2016. Here are the steps I’ve followed and some issues I ran into:

First, you have to have Windows Server 2016.

Run Powershell as Administrator (Right click on PowerShell and RunAs Administrator) – yes, you also have to be a local administrator of the box.

Commands in order:

Then you want to see what operating system container images are available:

This step wasn’t in the instructions I was following but is necessary and was raised on the GitHub site as well. The server will reboot after the below command is executed. After it reboots, you need to run the command again. Ugh. I thought it was done and tried to install Windows Server Core and it failed after about 30 minutes.

This is installing and then enabling the Docker Container feature on Windows

As stated above, run the command again. Once done, it will actually tell you that it’s Online and True:

Install Windows Server Core Container Image

Install the WindowsServerCore Container Image by typing the following command below. This does take a while as it downloads Windows Server Core Container Image:

I went to have a bite to eat, took a nap, Surfed Reddit for a while, went to the bathroom and then it was done!

You can check if the image was downloaded by running looking in the directory:

The output should look like this:


Now we’re going to install Docker in Windows Server 2016

First, you want to download the Update-ContainerHost.ps1 powershell script. Here is the command:

Run the command. I actually ran this to download the script while the above install of the Windows Server Core was running:

To be continued…


How To: Modify Trusted Hosts to connect via Powershell

We have to connect to untrusted machines via PowerShell. To do this, you have to add the machines,

First, if you have settings in there run this command to get a backup:

Then to get them to modify:

copy that out, add your hosts to it with comma delimited and add it with powershell:

To use it in code (so it doesn’t ask you if you’re sure), you can force it by using the -Force switch

then check again:

PowerShell How To: Find all users where account is inactive

I was recently asked asked to find all the users in Active Directory where their account was inactive.

There is a PowerShell commandlet called Search-ADAccount that you can use to find if the account is inactive by using the parameter -AccountInactive.

This is kind of crude but works well. I couldn’t figure out how to get the headers into the csv so I simply did a write-output for the first section.

How to change the Friendly Name on a certificate -Windows

I ran into the situation where someone created and applied a certificate in IIS and the friendlyName was wrong. During automatic deployments of the software, they would call into the cert store and select the certificate to use for their 443 bindings based on the friendly name. The certificate was named wrong and wouldn’t get applied during deployment or it would apply the wrong one.

Here is how to fix this using PowerShell without re-issuing the certificate.

Open up PowerShell with administrative rights and change your location to the certificate store.

We will change the certificate with the thumbprint named wrong_internal_wildcard to right_internal_wildcard

In the above example, I have done the following:

    1. Opened Powershell


    1. Set-Location to the certificate store by typing Set-Location cert:


    1. Listed out the certs by typing Get-ChildItem


    1. Located the cert I wanted to change the friendly name of


    1. Put that cert in a variable so I could view it’s properties


    1. Verified that the cert is the right one by typing $cert.friendlyname


    1. Then changed the friendlyname by typing $cert.FriendlyName = “right_internal_wildcard”


    lastly, I verifed the cert friendlyname by typing $cert.FriendlyName

SSH with Powershell: Backup multiple Cisco devices

Today, I was asked to write a script to connect to all our Cisco devices and backup the configs to our fileserver. After a few hours of figuring it out, this is what I came up with

You ONLY need a READ ONLY account on the Cisco devices.

We run this every day at 2:00 AM and backup many Cisco devices.

I downloaded and use this SSH.NET Library: SSH With Powershell

You have to move it to your powershell modules directory and then import-module

How To: Import AD Users from .csv file

I had a project that required me to make over 40 domain accounts. I decided that it was time to create all the domain accounts with a Powershell script. The script I came up with uses an import csv file with all the accounts and info I needed in it. Make sure you take the time to plan a naming convention for your AD accounts. In this case, they were a type of service account for many different environments. To keep it quick, I decided to not auto-gen the passwords so I simply put them in the csv file and removed them when I was done. Well, it took me a day or so to figure out my script to create ad accounts because I had problems…

My troubleshooting was a bit flawed but I didn’t know it until the very end (After running for all the users). I was having problems with the script ending in error . This is a very generic error. I knew that my accounts had spaces in them for $GivenName $Surname and $Name. So, I went through the trouble making sure that my variable properties with spaces had “” around them. Yes, that’s a pair of double quotes. My Display name I wanted to use had GivenName and Surname in it with a space. So it looks like this: Displayname = ($User.”GivenName”+” “+$User.”Surname”). The quotes around “GivenName” allowed me to use two names in the GivenName column of the .csv file and the same for “Surname”. This way I can create an account that looks like: First Second Third Forth. In other words, my “GivenName” in my CSV was First Second so I had to put “” around it in the script so it would read it as one word. What I missed is after everything was put together, the fields were over 20 characters. Well, the limit on Windows 2008 Account “Names” is 20 characters. Until I ran my script and found that it didn’t create about 1/2 of them, I started analyzing the .csv file to figure out why it didn’t work. I found out that the ones that didn’t get created are the ones that were over 20 characters.

Here is the script. You will notice that I’ve got a comment in the script for the .csv file’s header fields. You can add to them or remove as needed. I think it’s easier to view the powershell references on Microsoft’s site. Here is the link to Set-ADUser cmdlet: http://technet.microsoft.com/en-us/library/ee617215.aspx. For each property, you need it in the script and in the .csv file. If there are special characters or spaces. Remember to use the “” around it in the script. Also, make sure you are not exceeding the field length in AD for each property. The sAMAccountName (pre-Windows 2000 logon name) is limited to 20 characters for user objects. This is what got me a few times 🙁

Let me know if you need anything below explained! I’ll answer all comments on this the same day if I can.

I’m a seasoned Systems Administrator with experience starting in the early 90’s when 286 computers with 20 and 30 Mhz processors running Windows 3.1 which was the newest operating system.

…and that’s the way Ed does it 🙂 — Thanks Scott J. for that 🙂

Connect remotely to a computer with powershell and get ipconfig /all from it

Are you looking to connect remotely to a computer and run powershell commands. Below is a simple one liner that will connect to a computer and get the ipconfig /all and display it on your computer.

If it doesn’t work, you may have to enable WinRM on the remote computer. This can be done with group policy or simply typing Winrm quickconfig at the command prompt on the computer you want to connect to. This has to be done before hand so there may be some prep involved but when you have Winrm enabled on all your computers, you can connect with powershell and run all sorts of commands.

Here is

Script to get a distribution list membership easily

Throughout my years as a System Administrator, I’ve been asked repeatedly to produce a list for someone of the contents of a distribution list. I searched and found some scripts out there and ended up modifying one that now fits my needs.