Advanced Windows PowerShell Scripting Video Training


Wednesday, December 30, 2009

How to audit changes in AD Objects


Windows Server 2008 offers the ability to record changes to AD objects: both what the value of the object was and what it is now. It also records who made the change. Below is the procedure to set it up.
- Open Group Policy Manager.
- Expand your forest until you get to the Default Domain Policy.
- Right click the Default Domain Policy and click Edit.
- Expand Computer Configuration --> Windows Settings --> Security Settings --> Local Policies and click Audit Policy.
- Set Audit directory service access to log both success and failures.
- Close Group Policy Manager.
- Open a command prompt.
- Type auditpol /set /subcategory:"directory service changes" /success:enable
You can verify the current settings by using the following command: auditpol /get /category:"DS Access"
In the lab, the next step was to create and modify a user account. What the lab did not do is tell us to enable auditing for the account being used.
- Open Active Directory Users and Computers.
- Click View and click Advanced Features.
- Right click the OU containing the objects that you want to audit and click Properties.
- Click the Security tab.
- Click Advanced.
- Click the Auditing tab.
- Now add the user or group whose directory changes you want to audit inside this OU.
- To audit for account creation (Event 5137) or the movement (Event 5139) of an object into this OU, audit for success on: Create User Objects.
- To audit for modification (Event 5136), audit for success on: Write All Properties. In practice, two 5136 events will appear: the first carries the old value and the second the new value.
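Once the policy and the OU auditing entries above are in place, the events land in the Security log of the domain controller that processed the change. The following function is an added example, not part of the original post: it reads the 5136/5137/5139 events and folds the two 5136 records that one attribute change produces into a single old-value/new-value row. The EventData field names (ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType, OpCorrelationID, OldObjectDN, NewObjectDN, SubjectUserName) follow the event schema; Windows marks the old value with OperationType %%14675 (Value Deleted) and the new value with %%14674 (Value Added). DC01 is a placeholder host name.

```powershell
# Added example, not part of the original post. Reads Directory Service
# Changes events (5136 modify, 5137 create, 5139 move) from a DC's Security
# log and pairs the two 5136 records of one attribute change.
function Get-AdObjectChange {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # DC that holds the events
        [int]$MaxEvents = 1000
    )

    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5139 } `
        -ErrorAction SilentlyContinue

    # Flatten each event's EventData into a hashtable keyed by field name.
    $records = foreach ($e in $events) {
        $r = @{ Id = $e.Id; Time = $e.TimeCreated }
        $xml = [xml]$e.ToXml()
        foreach ($field in $xml.Event.EventData.Data) { $r[$field.Name] = $field.'#text' }
        $r
    }

    $rows = @()

    # Creations (5137) and moves (5139) are single events: report them directly.
    foreach ($r in $records | Where-Object { $_.Id -ne 5136 }) {
        if ($r.Id -eq 5137) { $action = 'Created'; $obj = $r.ObjectDN;    $old = '' }
        else                { $action = 'Moved';   $obj = $r.NewObjectDN; $old = $r.OldObjectDN }
        $rows += New-Object PSObject -Property @{
            Time = $r.Time; Who = $r.SubjectUserName; Action = $action
            Object = $obj; Attribute = ''; OldValue = $old; NewValue = ''
        }
    }

    # A single-valued attribute change writes two 5136 events that share an
    # OpCorrelationID (first the old value deleted, then the new value added).
    # Multi-valued attributes such as group membership log each added or
    # removed value alone, so one side of the pair may legitimately stay empty.
    $groups = $records | Where-Object { $_.Id -eq 5136 } |
        Group-Object { '{0}|{1}|{2}' -f $_.OpCorrelationID, $_.ObjectDN, $_.AttributeLDAPDisplayName }
    foreach ($g in $groups) {
        $first = $g.Group[0]
        $old = ($g.Group | Where-Object { $_.OperationType -eq '%%14675' } | Select-Object -First 1).AttributeValue
        $new = ($g.Group | Where-Object { $_.OperationType -eq '%%14674' } | Select-Object -First 1).AttributeValue
        $rows += New-Object PSObject -Property @{
            Time = $first.Time; Who = $first.SubjectUserName; Action = 'Modified'
            Object = $first.ObjectDN; Attribute = $first.AttributeLDAPDisplayName
            OldValue = $old; NewValue = $new
        }
    }

    $rows | Sort-Object Time | Select-Object Time, Who, Action, Object, Attribute, OldValue, NewValue
}

# Usage (DC01 is a placeholder): Get-AdObjectChange -ComputerName DC01 | Format-Table -AutoSize
```

Because the auditing entry is per OU, an object that is moved out of an audited OU stops producing events; the report therefore shows the move (5139) as the last thing you see for that object unless the destination OU is audited as well.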

Tuesday, December 29, 2009

Can you mark a variable as global and have it available in multiple shells?

After testing this, I am going to say no. My test was run on Windows Vista with PowerShell V2 CTP 2. I first created a global variable in one shell.

$Global:Var123 = "Hello World"

I then verified it by typing Get-Variable.

I opened a second PowerShell shell and typed $Var123... nothing. I then executed Get-Variable and confirmed that the variable was not present in the second shell.

Monday, December 28, 2009

How much does Server 2008 R2 cost?

Like all software, you need to purchase the product and pay for the licensing. Below is a link to help you determine what R2 will cost your organization. Talk with your Microsoft Licensing Specialist to iron out the details.

www.microsoft.com/windowsserver2008/en/us/pricing.aspx

Wednesday, December 23, 2009

Find the FSMO role holders with DCDiag

DCDiag.exe is the Domain Controller diagnostic tool, designed to assist you in troubleshooting. You can use it to discover the current FSMO role holders by executing the command DCDiag /test:KnowsOfRoleHolders /v. The output of this command is below; the role holders are the five "Role ... Owner" lines under the KnowsOfRoleHolders test.

Directory Server Diagnosis

Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine MCT-1, is a Directory Server.
   Home Server = MCT-1

   * Connecting to directory service on server MCT-1.

   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=MCTNet,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MCTNet,DC=com
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=MCTNet,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=MCT-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MCTNet,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 1 DC(s). Testing 1 of them.

   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MCT-1

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... MCT-1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MCT-1

      Test omitted by user request: Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Test omitted by user request: FrsEvent
      Test omitted by user request: DFSREvent
      Test omitted by user request: SysVolCheck
      Test omitted by user request: KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=MCT-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MCTNet,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=MCT-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MCTNet,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=MCT-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MCTNet,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=MCT-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MCTNet,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=MCT-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MCTNet,DC=com
         ......................... MCT-1 passed test KnowsOfRoleHolders

      Test omitted by user request: MachineAccount
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: Replications
      Test omitted by user request: RidManager
      Test omitted by user request: Services
      Test omitted by user request: SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : DomainDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : Schema
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : Configuration
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : MCTNet
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running enterprise tests on : MCTNet.com
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Test omitted by user request: LocatorCheck
      Test omitted by user request: Intersite
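The verbose output is long and the role lines are easy to miss, so here is an added example (not part of the original post) that pulls the five role holders out of the dcdiag text into a role/server/site table. It deals with the 80-column wrapping dcdiag applies to long distinguished names, which in the raw output splits a DN across two lines. The sample text is constructed from the output above; the function and its name are assumptions of this example.

```powershell
# Added example, not from the original post. Parses the KnowsOfRoleHolders
# section of "dcdiag /test:KnowsOfRoleHolders /v" into role -> DC rows.
function Get-FsmoHolderFromDcdiag {
    param([Parameter(Mandatory=$true)][string[]]$Lines)

    $owners  = @{}     # role name -> NTDS Settings DN, wrapped pieces glued back
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match '^Role (.+?) Owner = (.*)$') {
            $current = $Matches[1]
            $owners[$current] = $Matches[2]
        }
        elseif ($current -and -not $line.StartsWith('.')) {
            # Continuation of a DN that dcdiag wrapped onto the next line.
            $owners[$current] += $line
        }
        else {
            $current = $null   # the "... passed test" line ends the section
        }
    }

    # The owner DN reads CN=NTDS Settings,CN=<DC name>,CN=Servers,CN=<site>,...
    # so the DC name is the second RDN and the site the fourth.
    foreach ($role in $owners.Keys) {
        $rdn = $owners[$role] -split ','
        New-Object PSObject -Property @{
            Role   = $role
            Server = $rdn[1] -replace '^CN=', ''
            Site   = $rdn[3] -replace '^CN=', ''
        }
    }
}

# Constructed sample reproducing the wrapped lines from the output above.
$text = @'
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=MCT-1,CN=Servers,CN=Default-Fir
         st-Site-Name,CN=Sites,CN=Configuration,DC=MCTNet,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=MCT-1,CN=Servers,CN=Default-First-
         Site-Name,CN=Sites,CN=Configuration,DC=MCTNet,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=MCT-1,CN=Servers
         ,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MCTNet,DC=com
         ......................... MCT-1 passed test KnowsOfRoleHolders
'@
$sample = $text -split "`n"
Get-FsmoHolderFromDcdiag -Lines $sample | Select-Object Role, Server, Site

# Against a live domain controller:
# Get-FsmoHolderFromDcdiag -Lines (dcdiag /test:KnowsOfRoleHolders /v) | Select-Object Role, Server, Site
```

On Windows Server 2008 R2 with the ActiveDirectory module loaded, Get-ADForest (SchemaMaster, DomainNamingMaster) and Get-ADDomain (PDCEmulator, RIDMaster, InfrastructureMaster) give the same answer without parsing text; the dcdiag route still works on a 2008 DC that has no module.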

Tuesday, December 22, 2009

How to Use Date/Time Information From Custom Logs in PowerShell. Part 2 of 2.

Last Tuesday in part I of this series, we looked at how to use the built-in Date/Time methods to find how long ago an event was written in a Windows event log. But what about date/time information that we cannot receive in the correct format because it came from a third party product? No problem. We will work with whatever data is provided.

The Get-Date cmdlet returns a System.DateTime object. Fortunately, using the New-Object cmdlet, we can create a new System.DateTime object from the information in our logs. Your first task will be to parse the data so you can extract as much date/time information as possible.

Once you have done that, you need to create a DateTime object.

$MyDate = New-Object System.DateTime

Now take a look at the contents of this object.

$MyDate


To view the information that we need to plug into this object, type $MyDate | FL.


By changing just one property of this object, we will get it to reflect our date. Type $MyDate | GM -MemberType ScriptProperty


The DateTime constructor accepts arguments in the order Year, Month, Day, Hour, Minute, Second. The hour must be in 24-hour format and the month is an integer value. To set our date:

$MyDate = New-Object System.DateTime 2009, 3, 24, 15, 24, 00

Now type $MyDate


OK, we now have our object with the correct date/time from our log. We can now find the difference between these two dates.

(The $Today is left over from last week. To generate it, first type $Today = Get-Date)

$Today.Subtract($MyDate)


To Get the individual properties, assign this to a variable.

$DateDiff = $Today.Subtract($MyDate)

$DateDiff.Days

The only part that I cannot help you with is the extraction of the date/time info from your log. You need to come up with the code for that. I would suggest reading each line of the log into a variable and using the Split method to extract what you need.

Monday, December 21, 2009

Does 2008 have ABE turned on by default?

Yes, it does. Access Based Enumeration allows Windows Server to hide folders in shares that a user does not have permission to open. For example, let's say that we have a share named Public. Both Jack and Jill have Change permission on the share. There are two folders inside the Public folder. Jack has Read permission on both folder 1 and folder 2. Jill only has Write permission on folder 2. Without Access Based Enumeration, when Jill accessed the Public share she would see both folders. With Access Based Enumeration, Jill would see only folder 2, while Jack would see both folder 1 and folder 2. This is because Jill does not have any NTFS permissions on folder 1.

In Server 2008, Access Based Enumeration is turned on by default on network shares. For it to work, the users must access the data through a share. It will not function for locally logged on users accessing the data directly.

To manually enable/disable ABE:

- Click Start --> Administrative Tools --> Share and Storage Management.
- Right click the share and select Properties.
- Click the Advanced button.
- By default, the Enable access-based enumeration check box should be checked.
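Checking the setting by hand on every share does not scale, so here is an added example (not part of the original post) for the scripted route. It assumes the SmbShare module, which ships with Windows Server 2012 and later; on Server 2008 the Share and Storage Management steps above are the only option. The module exposes the same check box as the share's FolderEnumerationMode property.

```powershell
# Added example, not from the original post. Lists shares whose folder
# listing is not access-based and, with -Fix, turns ABE on for them.
# Requires the SmbShare module (Windows Server 2012 and later).
function Test-AbeShare {
    param([switch]$Fix)

    # Skip the administrative shares (C$, ADMIN$, IPC$); only user-facing
    # shares are of interest for enumeration hiding.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }

    foreach ($s in $shares) {
        $accessBased = ($s.FolderEnumerationMode -eq 'AccessBased')
        if (-not $accessBased -and $Fix) {
            Set-SmbShare -Name $s.Name -FolderEnumerationMode AccessBased -Force
            $accessBased = $true
        }
        New-Object PSObject -Property @{ Share = $s.Name; Path = $s.Path; AccessBased = $accessBased }
    }
}

# Report only:    Test-AbeShare | Format-Table Share, Path, AccessBased -AutoSize
# Enable on all:  Test-AbeShare -Fix
```

Keep in mind what the Jack and Jill example shows: ABE only changes what the directory listing shows. The NTFS permissions on folder 1 are what actually keep Jill out, and they have to be right whether the folder is listed or not.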

Wednesday, December 16, 2009

Lab Launcher Does not Display

A problem that I've seen with the new lab launcher is that sometimes when a student starts it, the lab launcher appears in the task bar but not on the screen. Clicking the task bar does not work. Right clicking the lab launcher and selecting Restore does not help either. Try this:

- Right click the Lab Launcher in the task bar.
- Click Move.
- Press the left arrow key.
- Now move the mouse.

The lab launcher app should appear on the screen.

Tuesday, December 15, 2009

How to Use Date/Time Information From Custom Logs in PowerShell. Part 1 of 2.

PowerShell offers us some neat tools to help reduce our coding. In Part I, we are going to look at how to extract date/time information from the Windows event logs and do date/time math. In Part II, we will look at how to use date/time information from a third party log and apply the same date/time methods that PowerShell gives us for the Windows logs.

Let’s look at the format that time is given to us in PowerShell.

Get-Date


Now, let’s look at how date/time data is represented from using the Get-EventLog cmdlet. We will be gathering data from the Application log for the demonstration.


Notice that we are given the month in a three character format. The day is present but not the year. The hour and minutes are in 24-hour format. Let's put the output of the event log into a variable.

$A = Get-EventLog "Application"

Note, this may take a few minutes. Once completed, we are going to determine the last event in the log. Since the objects of the event log are now stored in the array $A we can use the Count property to determine the upper limit of the array.

$a.Count


This array has 45,948 records from the application log (remember, arrays start at zero while Count starts at 1, so the last record is at index 45947). Since these are objects, they have properties that we can work with.

$A[45947] | GM -MemberType Property


Now take a look at the TimeGenerated Property.

$A[45947].TimeGenerated


It is already in the same format as the output of the Get-Date cmdlet. Now the question is, how do we find the difference between the two dates? Easy: we use the built-in methods of PowerShell. Execute this line:

$Today = Get-Date

Now that the current date/time information is stored in a variable, we can take a look at the methods available to us.

$Today | GM -MemberType Methods


Of interest to us is the Subtract method. Since the TimeGenerated property of the log entry is already in the correct format, we can simply execute the following line of code:

$Today.Subtract($A[45947].TimeGenerated)


We can see the Date/Time difference. This is telling us how long ago this log entry was generated.

Next Tuesday, we are going to take a look at how to do this when your date/time information is coming from a third party log.
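The following is an added example, not from either of the two posts, that ties Part I (the Subtract math on a Windows event log record) together with Part II (building a System.DateTime from a third party log line, found earlier on this page). The parser gives each custom log line the same TimeGenerated property that Get-EventLog records carry, so one age calculation works on either source. The line format "YYYY-MM-DD HH:MM:SS LEVEL message", the sample lines, and the function names are constructed for the example.

```powershell
# Added example, not from the original posts. Parses a constructed third-party
# log line into an object with a TimeGenerated DateTime, then computes the
# entry's age with the same Subtract call the posts use.
function ConvertFrom-CustomLogLine {
    param([Parameter(Mandatory=$true)][string]$Line)

    # Split on whitespace into date, time, level and the rest of the message.
    $parts = $Line -split '\s+', 4
    if ($parts.Count -lt 4) { return }    # continuation or junk line: skip it

    $d = $parts[0].Split('-')   # year, month, day
    $t = $parts[1].Split(':')   # hour, minute, second (24-hour clock)
    if ($d.Count -ne 3 -or $t.Count -ne 3) { return }

    # Same constructor the Part II post uses: Year, Month, Day, Hour, Minute, Second.
    $ctorArgs = @([int]$d[0], [int]$d[1], [int]$d[2], [int]$t[0], [int]$t[1], [int]$t[2])
    $stamp = New-Object System.DateTime -ArgumentList $ctorArgs

    New-Object PSObject -Property @{
        TimeGenerated = $stamp
        EntryType     = $parts[2]
        Message       = $parts[3]
    }
}

function Get-LogEntryAge {
    # Works on Get-EventLog output and on ConvertFrom-CustomLogLine output alike,
    # because both carry a TimeGenerated property.
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]$Entry,
        [datetime]$Now = (Get-Date)
    )
    process {
        $age = $Now.Subtract($Entry.TimeGenerated)
        $Entry | Add-Member -MemberType NoteProperty -Name Age -Value $age -PassThru
    }
}

# Constructed sample lines from an imaginary third-party log.
$sampleLog = @(
    '2009-03-24 15:24:00 WARN  Backup job finished with warnings',
    '2009-03-25 02:10:13 ERROR Replication partner unreachable',
    '    at Replicator.Connect()'             # continuation line, no timestamp
)
$ref = [datetime]'2009-03-26 00:00:00'        # fixed "now" so the output is repeatable

# Entries written in the 24 hours before $ref (only the ERROR line qualifies).
$sampleLog | ForEach-Object { ConvertFrom-CustomLogLine $_ } |
    Get-LogEntryAge -Now $ref |
    Where-Object { $_.Age.TotalHours -le 24 } |
    Format-Table TimeGenerated, Age, EntryType, Message -AutoSize

# The same pipeline over the Windows Application log from Part I:
# Get-EventLog Application -Newest 100 | Get-LogEntryAge | Select-Object TimeGenerated, Age, Source
```

The continuation line is dropped rather than thrown on, which is the usual failure mode with stack traces and multi-line messages in third party logs; the `-split` with a maximum of four pieces keeps the message intact even when it contains further spaces.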



Monday, December 14, 2009

Can you stop Server Core from rebooting with Auto Updates turned on?

Server Core can be configured via group policy to use your Windows Server Update Services (WSUS) environment. The problem is this: Server Core will reboot. Unlike the GUI versions of Windows, you do not get the little popup windows asking you to reboot the computer to complete the update installation; Server Core simply reboots. To get around this, you will have to update the server manually. To do this, download the .MSU files for the patches and install them using the Windows Update Stand-alone Installer (Wusa.exe). In particular, add the /quiet and /norestart switches to the command line. This will prevent Server Core from rebooting until you have installed all your updates and performed the reboot yourself. Instructions for this procedure are in the link below.

http://Support.microsoft.com/kb/934307
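Here is an added example, not from the original post, of the manual procedure scripted end to end: every .msu in a folder is installed with the /quiet and /norestart switches the post recommends, and the single reboot happens only after the last one. It assumes PowerShell is present on the box (an optional feature on Server Core 2008 R2) and uses C:\Updates as a placeholder path. Exit code 3010 is the standard Windows ERROR_SUCCESS_REBOOT_REQUIRED value; 2359302 (0x240006) is the Windows Update "already installed" result code.

```powershell
# Added example, not from the original post. Installs all .msu files in a
# folder without letting any of them reboot the server, then reboots once.
function Install-MsuBatch {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [switch]$RebootWhenDone
    )

    $rebootNeeded = $false
    $wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'

    foreach ($msu in Get-ChildItem -Path $Path -Filter *.msu | Sort-Object Name) {
        # /quiet suppresses the UI, /norestart stops wusa from rebooting on its own.
        $p = Start-Process -FilePath $wusa -Wait -PassThru `
                -ArgumentList "`"$($msu.FullName)`"", '/quiet', '/norestart'

        switch ($p.ExitCode) {
            0       { $status = 'installed' }
            3010    { $status = 'installed, reboot pending'; $rebootNeeded = $true }
            2359302 { $status = 'already installed' }
            default { $status = "failed (exit code $($p.ExitCode))" }
        }
        New-Object PSObject -Property @{ Update = $msu.Name; ExitCode = $p.ExitCode; Status = $status }
    }

    if ($rebootNeeded) {
        if ($RebootWhenDone) { Restart-Computer -Force }
        else { Write-Warning 'One or more updates need a reboot; run shutdown /r when ready.' }
    }
}

# Usage (C:\Updates is a placeholder): Install-MsuBatch -Path C:\Updates -RebootWhenDone
```

Keep the returned rows: an update that reports a failure exit code is still missing after the reboot, and the list is what you compare against the WSUS report afterwards.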

Wednesday, December 9, 2009

Does BitLocker allow alphanumeric PINs?


With Windows Server 2008 R2 and Windows 7, you can allow alphanumeric characters in the PIN for your operating system drives. The Group Policies in Windows Server 2008 R2 have expanded from the R1 version. In the R2 version, you have the option of configuring BitLocker for fixed drives, operating system drives, and removable data drives.


Expand Operating System Drives and open Allow enhanced PINs for startup. Setting this policy will allow your BitLocker PINs to have both upper and lower case letters, symbols, and spaces.

Reference: http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx

Tuesday, December 8, 2009

Can you do ODBC connections in PowerShell?

Databases are not exactly in my realm of knowledge, but this was a good question. Below is a link to Michael Smith's blog. He appears to have more knowledge in this area than I do.

Wednesday, December 2, 2009

What do you do if you type Exit in Server Core?

As we found out in class, if you type Exit in Server Core and press Enter, the command shell disappears. OK, so... now what? Press Ctrl-Alt-Del and click Task Manager. Click File --> New Task (Run...). Now type CMD and press Enter. You should have your command prompt back.

Tuesday, December 1, 2009

Does PowerShell have CHR$() and STR$()?

Yes, PowerShell does.

$a = [char]34

34 is the ASCII code for a double quote. Type $a to retrieve the character.

To do the opposite and to retrieve the ASCII codes for a character, type this:

$b = [int][char]'A'

$b

You should have received the number 65.

Monday, November 30, 2009

How to configure TS Gateway and AD in a DMZ?

Remember from class that there are scenarios when the Remote Desktop Gateway server needs to be a member of the Active Directory environment:

- If you configure a TS Gateway authorization policy that requires that users be domain members to connect to the TS Gateway server.
- If you configure a TS Gateway authorization policy that requires that client computers be domain members to connect to the TS Gateway server.
- If you are deploying a load-balanced TS Gateway server farm.

The article below gives detailed information on which DMZ scenarios will work with Active Directory and Remote Desktop Gateway.

http://blogs.msdn.com/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

Wednesday, November 25, 2009

Shutdown switches for Server Core.

Below is a copy of the help file for the Shutdown Command.

Usage: shutdown [/i | /l | /s | /r | /g | /a | /p | /h | /e] [/f]
    [/m \\computer][/t xxx][/d [p|u:]xx:yy [/c "comment"]]

    No args         Display help. This is the same as typing /?.
    /?              Display help. This is the same as not typing any options.
    /i              Display the graphical user interface (GUI).
                    This must be the first option.
    /l              Log off. This cannot be used with /m or /d options.
    /s              Shutdown the computer.
    /r              Shutdown and restart the computer.
    /g              Shutdown and restart the computer. After the system is
                    rebooted, restart any registered applications.
    /a              Abort a system shutdown.
                    This can only be used during the time-out period.
    /p              Turn off the local computer with no time-out or warning.
                    Can be used with /d and /f options.
    /h              Hibernate the local computer.
                    Can be used with the /f option.
    /e              Document the reason for an unexpected shutdown of a computer.
    /m \\computer   Specify the target computer.
    /t xxx          Set the time-out period before shutdown to xxx seconds.
                    The valid range is 0-600, with a default of 30.
                    Using /t xxx implies the /f option.
    /c "comment"    Comment on the reason for the restart or shutdown.
                    Maximum of 512 characters allowed.
    /f              Force running applications to close without forewarning users.
                    /f is automatically set when used in conjunction with /t xxx.
    /d [p|u:]xx:yy  Provide the reason for the restart or shutdown.
                    p indicates that the restart or shutdown is planned.
                    u indicates that the reason is user defined.
                    if neither p nor u is specified the restart or shutdown is unplanned.
                    xx is the major reason number (positive integer less than 256).
                    yy is the minor reason number (positive integer less than 65536).

Reasons on this computer:
(E = Expected U = Unexpected P = planned, C = customer defined)
Type    Major   Minor   Title

 U      0       0       Other (Unplanned)
 E      0       0       Other (Unplanned)
E P     0       0       Other (Planned)
 U      0       5       Other Failure: System Unresponsive
 E      1       1       Hardware: Maintenance (Unplanned)
E P     1       1       Hardware: Maintenance (Planned)
 E      1       2       Hardware: Installation (Unplanned)
E P     1       2       Hardware: Installation (Planned)
  P     2       3       Operating System: Upgrade (Planned)
 E      2       4       Operating System: Reconfiguration (Unplanned)
E P     2       4       Operating System: Reconfiguration (Planned)
  P     2       16      Operating System: Service pack (Planned)
        2       17      Operating System: Hot fix (Unplanned)
  P     2       17      Operating System: Hot fix (Planned)
        2       18      Operating System: Security fix (Unplanned)
  P     2       18      Operating System: Security fix (Planned)
 E      4       1       Application: Maintenance (Unplanned)
E P     4       1       Application: Maintenance (Planned)
E P     4       2       Application: Installation (Planned)
 E      4       5       Application: Unresponsive
 E      4       6       Application: Unstable
 U      5       15      System Failure: Stop error
 E      5       19      Security issue
 U      5       19      Security issue
E P     5       19      Security issue
 E      5       20      Loss of network connectivity (Unplanned)
 U      6       11      Power Failure: Cord Unplugged
 U      6       12      Power Failure: Environment
  P     7       0       Legacy API shutdown

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/shutdown.mspx?mfr=true

Tuesday, November 24, 2009

Is there an ESCAPE key in Powershell?

Yes, there is. In other programming languages, you may have encountered the backslash ( \ ) as the start of an escape sequence. It is a little different in PowerShell: we use the backtick character ( ` ). It is usually found on the key to the left of the number ( 1 ) key and shares the key with the tilde ( ~ ). Here are a few examples:

Character         Escape Code
Null              `0
Alert             `a
Backspace         `b
Form Feed         `f
New Line          `n
Carriage Return   `r
Tab               `t
Vertical Tab      `v

Below is a script that will demonstrate a few of these.

# ======================================
# Script Name: EscapeCodeDemo.PS1
# Author: Jason A.Yoder, MCT
# Company: MCTExpert, Inc.
# Website: www.MCTExpert.com
# Blog: www.MCTExpert.blogspot.com
# Version: 1.0
# Created: September 14, 2009
# Purpose: To demonstrate the different
# escape sequences in PowerShell.
# ======================================

# ======================================
# Script Body
# --------------------------------------
Clear-Host

# A backtick at the end of a line continues the command on the next line.
Write-Host " Each of the following" `
"lines will demonstrate a different" `
"Escape Code"
Write-Host " "

Write-Host "Demonstration of TAB and Form Feed"

# `t inserts a tab, `n a new line and `f a form feed. The escape must sit
# inside the double-quoted string; outside the quotes it is not interpreted.
Write-Host "Name `t IPAddress `t Location `n"
Write-Host "Apple `t 1.1.1.1 `t Indianapolis `n"
Write-Host "Orange `t 2.2.2.2 `t Tampa"
Write-Host "Banana `t 3.3.3.3 `t Anchorage"
Write-Host "Pear `t 4.4.4.4 `t London `f"
Write-Host "Peach `t 5.5.5.5 `t Paris"
# ======================================
# End of Script Body
# ======================================


Should you need to use the backtick for something else, I suggest you read the following article from Lee Desmond.

http://www.leedesmond.com/weblog/?p=35

Monday, November 23, 2009

Can you specify the connection to reconnect to in Terminal Server?

You can use the TSCON command to connect to an active or disconnected session.

Reference: http://support.microsoft.com/kb/321703

I did find a warning about consoles being unlocked from this command so you may also want to look at this article: http://support.microsoft.com/kb/302801

I did notice in testing that this transfers the connection to your console and ends the connection with the client that the user is logged in on.

Wednesday, November 18, 2009

Do MCP Certifications Expire?

Microsoft certifications do not expire. They simply lose value with time. For example, an MCSE on Windows NT 4 was all the rage in 1998. In 2009, that certification will not go far in a job interview. Microsoft publishes "upgrade" exams to help keep your certification up to date. The upgrade exams test you thoroughly on the new features of the OS. If you are starting from scratch or with a very outdated MCSE, you will have to take all the exams. These test not only your knowledge of the new features but also the basics that the certification requires.

Here is a little Q and A I pulled from a Microsoft site:

Q. How long will the certification be valid?

A. For our newest credentials, such as Microsoft Certified Technical Specialist (MCTS), Microsoft Certified IT Professional (MCITP), and Microsoft Certified Professional Developer (MCPD), the credential retires along with the product support for the technology being tested. The credential will still appear on your transcript but will be listed as retired. In most cases, an upgrade path (usually one exam) will be available for individuals who have that credential so that they can demonstrate their skills on the newest version of the technology without completing all exams associated with the new credential.

The legacy Microsoft credentials, such as Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Systems Administrator (MCSA) do not expire, but as Microsoft releases new versions of the associated technology, these credentials are likely to be valued less by the industry.

Q. Do hiring managers really value certification?

A. During a recent poll of IT hiring managers, 55 percent said that they consider employee certification as a criterion for hiring, and 63 percent of hiring managers said that they believe certified employees are more productive than noncertified employees.

http://www.microsoft.com/learning/en/us/certification/cert-get-started.aspx