Thursday, December 3, 2015

Powershell modify active directory user account data

Hi mates,
a customer asked me to do a quick operation on his Active Directory.
Practically the needs were :

1. add into a specific group a list of users retrieved from a TXT file
2. retrieve active directory users members from this group
3. for each user modify the description field for future usage, maintaining the old value in case it exists

Thursday, November 26, 2015

Sophos destination NAT

Hi mates,
I had, a few days ago, a particular request : a customer asked me to NAT RDP connections to a custom/specific/non-standard port.
This customer has a very good product named Sophos UTM Firewall (version 9.3XX).
I worked with Sophos when it was Astaro....for several years, and my 20-25 customers were fully satisfied.
Anyway......it's easy as you can imagine but I would like to share the steps....maybe tomorrow you have to replicate this and you are too tired to think....you want only to follow (someday it could happen).
In particular the customer's IT Dept. decided to change the default RDP port (and also SSH) from 3389 to 33389.

Tuesday, November 3, 2015

Powershell manage local users and group, nest domain users with domain group and local computer admins

Hi mates,
a few months ago one of my customers told me :
"I need to clean a lot of servers in terms of local administrators group. At the same time I would like to change the method to manage local administrators.....is it possible to create one group for each single server so I can manage members from AD ?
And what can we do for the current situation ? Is it possible to clean without creating issues ?"
Effectively there were a lot of external partners' accounts inside these local groups; additionally there were a lot of internal application guys' usernames.
Anyway, what I needed to do is well explained inside the script.....so enjoy :

Friday, October 23, 2015

Powershell delete files older than......

Hi mates,
how many times have you asked yourself : how can I delete files older than a specified date ? How can I clean a specific directory that preserves, for example, backup files from several sources ?
Quick and easy, skinny and essential.
Here below the script .....you can customize the number of days that you want to preserve : older items will be deleted.
Obviously you have to customize the path too.

Wednesday, October 21, 2015

Powershell report user list and their expiring date

Hi mates,
how many times have you asked yourself : how can I generate a report regarding active directory expiring users ?
I had, a few months ago, the need to search, in a specific OU, which users were active or not and which users have the expiration date configured.
This report was used for several purposes : check the status of interim users, consultants, partners and so on.
This report gives you a good visibility of the status of a specific set of users :

Thursday, October 15, 2015

Powershell quick clean to resigned users

Hi mates,
how many times have you asked yourself : how can I clean active directory from the group membership perspective ?
How can I clean resigned users ? A few months ago we were discussing the importance of group membership.
Sometimes the group membership could determine how many licenses I'm using for a specific product, how many sessions (Citrix for example) I'm potentially delivering to the end users.
Anyway, independently of your usage and purpose, we were also discussing keeping the resigned users "alive" (or zombified) in a specific OU.

Powershell compare file contents

Hi mates,
how many times have you asked yourself : how can I compare file contents ?
I had some needs during the previous days....I know you too, maybe :-)
Anyway my last one was related to a complex script that should evaluate the password change of active directory users : if the user didn't change the password during the last 90 days we send him a first email. The week later another time : if the user of the first week didn't change the password yet we send him a second email, different from the first one, informing him that the week later we will disable his account. The last week another time : if the user is still persisting we lock the account.
The logic behind this script is complex enough, at least for me....I'm not a programmer.
I needed to compare several text files reporting the result of the queries done during the three weeks examined before.
I'll post this script later, during the next weeks, but in the meantime I would like to share some brief considerations regarding the file comparison.

Monday, September 7, 2015

Powershell delete active directory user account...a little bit better

Hi mates,
how many times have you asked yourself : how can I delete active directory users ?
How can I do it storing administrative credentials and converting the result in JSON format ?
A friend of mine asked me for a simple script that should be executed in a mixed environment : Linux/PHP and Windows.
He has to delete an active directory user account, getting back as a result a JSON converted string.
Additionally he asked me to capture any errors.
Let's see what I've done....quickly :


Friday, September 4, 2015

Import wildcard certificates on Citrix Netscaler VPX (from IIS)

Hi mates,
how many times have you asked yourself : how can I import wildcard certificates on my Citrix Netscaler ?
I had to add, to a friend's Netscaler, a wildcard certificate. The certificate request was done from an IIS (Windows 2008 R2) and then it was installed on it including the Intermediate Cert.
My Netscaler version is 10.1.
So let's try to describe briefly the steps to reach this goal :


Export the main wildcard certificates from Windows server


1. Open MMC --> Add/Remove Snap-in...--> Certificates --> Computer Account. Here below you can see the certificate inside the Personal storage

Tuesday, September 1, 2015

Powershell verify and create a registry item


Hi mates,
how many times have you asked yourself : how can I create or check registry keys ?
I had the need to automate the check of a registry key for a customer's SCCM clients.
This key was important for roadwarrior users as for internal ones.
If the key exists we have to overwrite it, if the key does not exist we have to inform our administrator about the exception triggered.

Friday, July 10, 2015

Outbound NAT on PFSense 2.2.X

Hi mates,
how many times have you asked yourself : how can I Outbound NAT internal hosts with PFSense ?
I had the need to create an Outbound NAT for a friend of mine.
The official documentation is quite clear but I would like to add some screenshots to make it easier and, for this specific article, only for a specific situation : map an internal IP to a fixed external public IP (i.e. for the mail system or other internal services that you want to be known with a different address).
Here you have the link

In my specific situation I needed to Source NAT/Outbound NAT an internal Squid Proxy.

Wednesday, July 8, 2015

Powershell change local administrator account password for all computers in the domain

Hi mates,
how many times have you asked yourself : how can I change all PCs' local administrator password ?
I had the need to change it for all computers in one of my customers' domains.
The password was compromised and the old Microsoft GPO was no longer working (a patch disabled it for security reasons - MS14-025: Vulnerability in Group Policy Preferences could ... - https://support.microsoft.com/en-us/kb/2962486).
So what to do ?

Thursday, July 2, 2015

Powershell move computer account to a specific destination Organizational Unit

Hi mates,
how many times have you asked yourself : how can I move a computer account to a specific OU ?
I had this need in our Active Directory test environment.
Since we were applying a particular Group Policy we needed to schedule, in a specific time window, the move of these computers.
Here below something that is simple to customize (only the OU where to find the computer accounts to move and the destination container need to be set).

Wednesday, July 1, 2015

Hamlet question : can everything be "Natted" ?

Hi mates,
a few days ago, with some friends of mine, we started a discussion about services or applications that could be behind a firewall (so "Natted") and services that can't.
First of all what's a NAT ? You can find tons of articles on the internet about Network Address Translation (RFC 1631).
Anyway the primary purpose of it is to avoid the unconscionable usage of public internet IPs.
So NAT permits mapping IPs between different address realms, in particular when one of these is not routable (e.g. private IP addresses).
As the same private ranges (RFC 1918) can be used by several companies/users, they become, by their intrinsic nature, not routable in a public/common infrastructure where ranges are unique and duplicates are not admissible.
Here you have NAT !
The devices that come into play to make this communication possible usually sit at the firewall level, on the frontier.
In this way, when an external customer/packet sender wants to communicate with a service that resides in a private area, it comes in touch with a NAT device that makes the communication possible, keeping the "sender" unaware of the trick.

Wednesday, June 24, 2015

Powershell disable users that don't login to domain for XX days

Hi mates,
I had the need to disable old/zombie users since my friend's active directory was not maintained in a clean state. Something easy : query AD with some exclusion, an email with an attachment to recap everything. More explanations later....in the meantime customize and enjoy.

Powershell retrieve info about SQL instances on our network

Hi mates,
for a big migration (from a server room to a new one) someone asked me to retrieve all info about all SQL instances.
Since we had to backup and restore everything from tape we must know the most important details about every DB.
I found some good info about assembly on the internet and I've created a custom script for my needs.

Tuesday, June 23, 2015

Powershell backup Fortinet configuration through SSH with Powershell

Hi mate, I had the need to back up some firewall configurations. I know that there are several ways to do it, last but not least FortiManager, but.......... I had to do it periodically and for several devices. I used one of the several external modules that you can find on the web

(http://www.powershellmagazine.com/2014/07/03/posh-ssh-open-source-ssh-powershell-module/)

Monday, June 15, 2015

Powershell move computer account to specific OU....a little bit complex

Hi, I had the need to move a list of computer accounts to specific OU(s). The situation became complicated when you could have different OUs based on the type of computer : notebook, desktop, server and so on. It feeds 3 different arrays and based on the result of the AD query (searching the destination OU) you can move their content to the destination container that you prefer.

Wednesday, June 10, 2015

Powershell verify service status restart it

Hi, some days you receive several requests and you notice that some of them (maybe the 100%) are caused by an old server that is no longer working fine or by some custom application that causes service hangs. Anyway every day the same actions to restart a service or reboot a server are wearisome so I decided to automate these checks. Added some email item to receive a notification......added also some logging to check, rarely if you are lucky, what happened, when and if the script did its job.

Monday, June 8, 2015

Powershell automate file or directory copy

Hi,
I had the need to automate the copy of some directories during a specific time window. On the other side of the world my colleagues were not working and we had to align the content of specific directories. Instead of configuring DFS and so on I would like to face this need with Powershell.

Friday, June 5, 2015

Powershell monitor event log and in case of specific error restart the related service

Hi,
I had to monitor some services on some specific servers. In particular when a specific event appears on the event log I had to restart a service. Obviously before deciding how many events to analyze before undertaking any action you have to check your event viewer and know how frequently it changes.

Tuesday, May 26, 2015

Active Directory automation : copy users from a group to another and modify attributes

I didn't know Powershell and someone asked me to copy users from a group to another. We are talking of about 300 users.......Impossible to do it manually.
They asked also to modify (I remember this was the wrong day for me), for those users, the "Dial-in tab" in Active Directory (for Radius authentication).
After some searching I found dsmod, dsget and an interesting VBScript that I've adapted to my environment.
This is what I've done :

Exchange 2003 & mailbox queries.....no powershell

We needed to query AD from Exchange 2003. We know that this version is not fully "queriable" by powershell.
I had to understand how to retrieve some important information. We had for example an archiving system that uses the group membership to "understand" if your mailbox is "storable" or not.
I took the opportunity also to grab other useful info .....let's see
Why not use an AD query tool ?

So let's do some queries to understand the structure.

Powershell associate users to pcs for the entire domain

Let's start by saying that when I write a script I try not only to achieve the goal but I also try to test some specific cmdlets, even if in this specific script using this cmdlet is not the best way to do a task.
So for sure the series "Complex, improvable, optimizable" doesn't want to be the BEST SCRIPT ever written for the purpose, but something to do a task and, for sure, improvable.
This was a sort of introduction....let's go ahead with it.

We didn't have a software that makes this association....I mean a software with an agent that communicates periodically all info about every single pc on the status, software or accounts.
We need to know, more or less, in real time which user is logged on to a pc.
This is a time expensive operation to do with Powershell : for each single pc we need to wait for the WMI connection. Let's imagine for hundreds of them.
So since the users don't change pc every day (this could be a real hell) I decided to create an excel file that could periodically be refreshed, but till the refresh it will be available to be queried.

So the script asks you if you want to refresh the file. Obviously if the file doesn't exist you have to reply YES to create it the first time.
This is the long part of the task : the script will search in the entire directory and "scan" every single pc to retrieve computername and username.

If you don't want to scan and refresh, the script asks you another question : if you want to search on the local file or a targeted search. The targeted search was something that I wrote because the Sites in our AD correspond to a dedicated OU. So I can launch a search in a restricted environment and abbreviate the response time (and additionally make the search in "live mode" instead of querying the "static" file)

Monday, May 25, 2015

Powershell discover who's connected to a specific pc

Hi mate,
several times I needed to associate a username to a pc because having this info, especially in a small company, you can understand/remember the specific needs of this user and act consequently.
Here you have a quick response to your needs

Powershell search and unlock AD accounts

Hello,
sometimes during the week-end, in the factory, a user can be locked out. Maybe this is a big problem because they have to go ahead quickly (i.e. trucks are waiting for a document and they cannot print it due to this situation).
You are in the middle of the mountain without your mobile phone or maybe you are sleeping because last night ....... anyway I had the need to unlock the account automatically and keep track of this.