Advanced Windows PowerShell Scripting Video Training


Wednesday, September 29, 2010

How to backup and restore WSUS



WSUS is a key technology in maintaining any Windows network. From servers to clients to major Microsoft software packages, WSUS will make life easier on you. The following instructions were taken from http://technet.microsoft.com/en-us/library/cc708546(WS.10).aspx.

To back up the update file storage folder

1. On your WSUS server, click Start, and then click Run.

2. In the Open box, type %systemdrive%\%windir%\system32\ntbackup.exe and then click OK.

3. In the Backup or Restore Wizard, click Next.

4. Verify that Back up files and settings is selected, and then click Next.

5. Click Let me choose what to back up, and then click Next.

6. Select the WSUSContent folder (under %systemdrive%\WSUS\), and then click Next.

7. Use the Browse button to choose a place to save your backup, type a name for the backup, and then click Next.

8. If you want to set additional specifications for your backup, including whether it will be an incremental backup, whether you want to verify the backup, set a recurring schedule for the backup, or other options, click Advanced, and then follow the instructions in the wizard.

9. When the wizard is finished, click Finish.

10. When the message appears that informs you that the backup is complete, click Close.

To back up the WSUS database

1. On your WSUS server, click Start, and then click Run.

2. In the Open box, type %systemdrive%\%windir%\system32\ntbackup.exe and then click OK.

3. In the Backup or Restore Wizard, click Next.

4. Verify that Back up files and settings is selected, and then click Next.

5. Click Let me choose what to back up, and then click Next.

6. Under %systemdrive%\WSUS\MSSQL$WSUS\, select the Data and LOG folders, and then click Next.

7. Use the Browse button to choose a place to save your backup, type a name for the backup, and then click Next.

8. If you want to set additional specifications for your backup, including whether it will be an incremental backup, whether you want to verify the backup, set a recurring schedule for the backup, or other options, click Advanced, and then follow the prompts that appear in the wizard.

9. When the wizard is finished, click Finish.

10. When the message appears that informs you that the backup is complete, click Close.

To restore the update file storage folder

1. On your WSUS server, click Start, and then click Run.

2. In the Open box, type %systemdrive%\%windir%\system32\ntbackup.exe and then click OK.

3. In the Backup or Restore Wizard, click Next.

4. Click Restore files and settings, and then click Next.

5. In the What to restore dialog box, under Items to restore, expand the file that contains the WSUSContent folder (under %systemdrive%\WSUS\), and then click Next.

Alternatively, you can select a subset of the %systemdrive%\WSUS\WSUSContent folder to restore. Within the %systemdrive%\WSUS\WSUSContent folder, you can restore one, all, or a combination of its subfolders and files.

6. If you want to set additional specifications for your restore, including whether you want to restore the files or folders to a different location, replace existing files, restore security settings, or specify other options, click Advanced, and then follow the instructions in the wizard.

7. When the wizard is finished, click Finish.

8. When the message appears that informs you that restoring is complete, click Close.

To restore the WSUS database

1. On your WSUS server, click Start, and then click Run.

2. In the Open box, type %systemdrive%\%windir%\system32\ntbackup.exe and then click OK.

3. In the Backup or Restore Wizard, click Next.

4. Click Restore files and settings, and then click Next.

5. In the What to restore dialog box, under Items to restore, expand the file that contains the Data and LOG folders (under %systemdrive%\WSUS\MSSQL$WSUS), and then click Next.

Alternatively, you can select a subset of the %systemdrive%\WSUS\MSSQL$WSUS\Data or %systemdrive%\WSUS\MSSQL$WSUS\LOG folders to restore. Within the %systemdrive%\WSUS\MSSQL$WSUS\Data and %systemdrive%\WSUS\MSSQL$WSUS\LOG folders, you can restore one, all, or a combination of their subfolders and files.

6. If you want to set additional specifications for your restore, including whether you want to restore the files or folders to a different location, replace existing files, restore security settings, or specify other options, click Advanced, and then follow the instructions in the wizard.
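A scripted equivalent of the ntbackup steps above, added here as an example (it is not part of the TechNet procedure or this post): it stops the WSUS and database services so the database files are consistent on disk, mirrors the WSUSContent and database Data/LOG folders with robocopy, and writes a SHA-256 manifest so a backup set can be verified before it is restored. The service names and the destination path are assumptions; adjust them to your installation.

```powershell
# Added example, not part of the TechNet procedure or this post.
# Service names and the destination path are assumptions for your install.
param(
    [string]   $WsusRoot    = "$env:SystemDrive\WSUS",
    [string]   $Destination = 'D:\Backups\WSUS',              # assumed
    [string[]] $Services    = @('WsusService', 'MSSQL$WSUS')  # assumed names
)

$target  = Join-Path $Destination (Get-Date -Format 'yyyyMMdd-HHmmss')
$sources = 'WSUSContent', 'MSSQL$WSUS\Data', 'MSSQL$WSUS\LOG'   # folders named in the procedure
New-Item -ItemType Directory -Path $target -Force | Out-Null

function Get-Sha256Hex([string]$Path) {
    # .NET hashing keeps this working on PowerShell 2.0 (no Get-FileHash there).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

try {
    # Stop WSUS first, then the database instance, so the Data/LOG files are quiescent.
    foreach ($svc in $Services) { Stop-Service -Name $svc -Force -ErrorAction Stop }

    foreach ($rel in $sources) {
        $src = Join-Path $WsusRoot $rel
        $dst = Join-Path $target   $rel
        # /MIR mirrors the tree, /R and /W keep retries short, /NP drops progress output.
        robocopy.exe $src $dst /MIR /R:2 /W:5 /NP /LOG+:"$target\robocopy.log" | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures for $src (exit code $LASTEXITCODE)" }
    }

    # Manifest of every copied file: compare against it after a restore, or
    # periodically, to detect a backup set that was altered after the fact.
    Get-ChildItem -Path $target -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'robocopy.log' } |
        ForEach-Object { '{0}  {1}' -f (Get-Sha256Hex $_.FullName), $_.FullName.Substring($target.Length + 1) } |
        Set-Content -Path (Join-Path $target 'SHA256SUMS.txt')
}
finally {
    # Always bring the services back, database instance first.
    [array]::Reverse($Services)
    foreach ($svc in $Services) { Start-Service -Name $svc }
}
```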

Monday, September 27, 2010

How to prevent a client from updating from Windows Update

I did some casual testing on a Windows Vista machine for this one.
Create and edit a group policy.
Expand User Configuration / Policies / Administrative Templates / Start Menu and Taskbar.
Double click Remove links and access to Windows Update.
Enabling this policy will remove the Windows Update links from your clients. In my test, I was not able to browse to the website.

Friday, September 24, 2010

Set default printers with Powershell

The original question from class is how to set the default printer for your users. I’ve been working through different types of PowerShell remoting with no success. The SetDefaultPrinter method of the WMI class Win32_Printer will not let you set the default printer from a remote client. I attempted to use both remote sessions and the Invoke-Command cmdlet.

I finally decided to do it via group policy. The code for the script dropped significantly when I went to this approach.

There are a few requirements for this process. You need a Windows Server 2008 R2 domain controller, and the script can only be applied to your Windows 7 clients. Below is the script:

<#
=============================================
Script Name: DefaultPrinter.ps1
Author: Jason A. Yoder, MCT
MCTExpert, Inc.
Website: www.MCTExpert.com
Blog: www.MCTExpert.blogspot.com
Date: 2010AUG22

Script Purpose:
Set the default printer on clients.

Requirements:
This script is designed to be used as a logon
script in group policy.
You must have a Windows Server 2008 R2 DC.
This will only work on domain joined Windows 7
clients.
#>

# Global Variables ==========================
# Enter the name of the printer to be set as
# the default printer here.
$TargetPrinter = "Microsoft XPS Document Writer"

# Main Code =================================
# Set error handling to allow for a client without the
# target printer installed.
$ErrorActionPreference = "SilentlyContinue"

# Look the printer up by its display name; $LocalPrinter is $null
# when the client does not have it installed.
$LocalPrinter = Get-WmiObject -Class Win32_Printer |
    Where-Object { $_.Name -eq $TargetPrinter }

# Only call the WMI method when the printer was actually found.
if ($LocalPrinter -ne $null) {
    $LocalPrinter.SetDefaultPrinter() | Out-Null
}

# Return error handling to stop if an error is detected.
$ErrorActionPreference = "Stop"
# End of Script ===============================

By setting $TargetPrinter to the display name of the printer you want as the default, you can apply this to your Windows 7 clients. The $ErrorActionPreference setting prevents clients that do not have the targeted printer installed from displaying an error message to the user.

Here is how to do it.

Copy this code over to Notepad. The colors will disappear; they are used by the PowerShell ISE and do not change the behavior of the script. In order for this script to be available to all clients and users, you need to save it in a special location: the SYSVOL folder of one of your Domain Controllers. You can find this location on a Domain Controller at C:\Windows\SYSVOL\SYSVOL\YourDomainName\Scripts. Make sure the extension on this script is .ps1.

Next you need to create a Group Policy on your Domain controller.

Click Start \ Administrative Tools \ Group Policy Management.

Expand Domains \ YourDomainName \ Group Policy Objects.

Right click Group Policy Objects and click New.

Give the GPO a name and click OK.

Right click the new GPO you just created and click Edit.

You need to decide if you want to apply this by computer, or user. For the rest of this instruction, we are going to apply this to a user.

Expand User Configuration \ Policies \ Windows Settings \ Scripts (Logon/Logoff)

Double click Logon.

Click the PowerShell Scripts tab.

Click Add.

Click Browse and navigate to the location of the script that you saved in SYSVOL.

Click OK.

Click OK.

Close the Group Policy Management Editor window.

You now need to link this GPO to the OU that contains the user accounts that you want it to apply to. Remember, you cannot link a GPO to the default USERS container in Active Directory. You must move your user accounts to an OU and apply this policy to that OU. You can use Security Filtering to only apply the policy to a select group of users in an OU without affecting all of them.
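The linking and Security Filtering steps above, done with the GroupPolicy module that ships with Windows Server 2008 R2, as an added example that is not from the original post. The GPO name, OU distinguished name and group are placeholders; attaching DefaultPrinter.ps1 to the Logon item is still done in the Group Policy Management Editor as described.

```powershell
# Added example, not from the original post. Names below are placeholders.
param(
    [string] $GpoName    = 'Default Printer Logon Script',
    [string] $TargetOu   = 'OU=Staff,DC=yourdomain,DC=com',   # placeholder OU
    [string] $ApplyGroup = 'GG-DefaultPrinter-Users'           # placeholder group
)
Import-Module GroupPolicy

# GPOs cannot be linked to the default Users container, only to OUs.
if ($TargetOu -notmatch '^OU=') {
    throw "Target '$TargetOu' is not an OU; move the accounts into an OU and link there."
}

# Create the GPO once, then link it to the OU if no link exists yet.
$gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Runs DefaultPrinter.ps1 from SYSVOL at logon'
}
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Security Filtering: only members of $ApplyGroup apply the policy. Authenticated
# Users keeps Read (needed to process the GPO) but loses Apply; -Replace is
# required because the cmdlet will not lower an existing permission level otherwise.
Set-GPPermissions -Name $GpoName -TargetName $ApplyGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Show who can read, apply or edit the GPO so the scope can be reviewed.
Get-GPPermissions -Name $GpoName -All |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission
```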

Wednesday, September 22, 2010

How to prevent users from doing a Copy and Paste in AD RMS protected content.

AD RMS allows your users to establish rules that determine who in an organization can do what with the content the user generates. This in no way takes away the administrator's control of network security. It simply allows the user to determine the appropriate level of access for other users without the intervention of the IT staff. When dealing with compliance or confidential material, AD RMS can help you meet stringent guidelines.

There are many different rights that can be assigned to content. Different applications may interpret the rights differently so testing is advisable prior to deploying to your organization. The AD RMS right that controls the copy / paste functionality is Extract. The list below summarizes the AD RMS rights.

  • Full Control - If granted, this right allows a user to exercise all rights in the license, whether or not the rights are specifically granted to that user.
  • View - If this right is granted, the AD RMS client allows protected content to be decrypted. Typically, when this right is granted, the application will allow the user to view protected content.
  • Edit - If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Save right.
  • Save - If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Edit right.
  • Export (Save As) - If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to use the “Save As” feature to save protected content to a new file.
  • Print - Typically, when this right is granted, the application will allow the user to print protected content.
  • Forward - Typically, when this right is granted, the application will allow an e-mail recipient to forward a protected message.
  • Reply - Typically, when this right is granted, the application will allow an e-mail recipient to reply to a protected message and include a copy of the original message.
  • Reply All - Typically, when this right is granted, the application will allow an e-mail recipient to reply to all recipients of a protected message and include a copy of the original message.
  • Extract - Typically, when this right is granted, the application will allow the user to copy and paste information from protected content.
  • Allow Macros - Typically, when this right is granted, the application will allow the user to run macros in the document or use an editor to modify macros in the document.
  • View Rights - If this right is granted, the AD RMS client allows a user to create a new publishing license from the existing license, but the content key is not preserved.
  • Edit Rights - If this right is granted, the AD RMS client allows a user to edit the user rights that are assigned by the license while keeping the same content key.

http://technet.microsoft.com/en-us/library/dd996658(WS.10).aspx

Monday, September 20, 2010

Can you have different Active Directory passwords on different Domain Controllers in the same domain?

To test this one out, I created two domain controllers in the same domain. Both originally had the same DSRM password. I used the following procedure to change the DSRM password on DC2:
· Logged on to DC2 as the domain administrator.
· Opened a command prompt.
· Typed ntdsutil and pressed Enter.
· Typed set dsrm password and pressed Enter.
· Typed reset password on server null and pressed Enter.
· Entered and confirmed the password of password123.
· Typed Q and pressed Enter twice.
· Closed the command prompt.
My next step was to see whether DC1 was using the new or the old DSRM password.
· When the server reboots, press F8 to enter the Windows Advanced Options.
· Select Directory Services Restore Mode.
· Once the server boots, log in with the local administrator account, using the DSRM password.
On DC1, the original password worked.
On DC2, the password worked.
So the answer to this question is yes, you can have multiple DSRM passwords. They are simply the local administrator password for each domain controller in Directory Services Restore Mode.

Friday, September 17, 2010

What is the Hostmaster.woodgrovebank.com in the DNS SOA record?

We had a question about an entry in the SOA (Start of Authority) record of the DNS zone on our VMs. In the properties of the SOA record, you will notice an entry in the Responsible Person field. It is also visible in the Forward Lookup Zone in the Data field of the SOA record. It is the e-mail address of the person to whom problems should be reported. The “@” symbol is not used because “@” is already used in the zone file, so the address appears as hostmaster.domain.com.

Wednesday, September 15, 2010

What functional level does your network need to be at to allow for a GlobalNames zone?

The GlobalNames zone is used on Windows Server 2008 DNS servers to provide single-label name support for static resources that cannot utilize DNS. It is an upgrade mitigation strategy designed to help organizations move away from WINS. For the GlobalNames zone to be functional, all authoritative DNS servers must be running Windows Server 2008. Your domain controllers do not need to be running Windows Server 2008, only the DNS servers. For that reason, a functional level of 2003 will allow the GlobalNames zone to be functional.

http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/8953820a-3f2f-4929-9a3e-2b0731b80e04

Monday, September 13, 2010

How to create a custom Windows PE Disk

Windows PE allows you to boot a PC into an operating system that is resident on a RAM disk. This means you can do whatever you need to the hard drive, including formatting, partitioning, and imaging the disk. In class I demonstrated using a Windows PE disk that resided on a USB memory stick. With a large enough USB flash drive and volume licensing, you can actually use this setup to deploy an image of Windows Vista, Windows 7, or Windows Server 2008 should a network-based image deployment not be an option.
The following link will guide you in creating a Windows PE image suitable for your needs. You will need to download and install the Windows Automated Installation Kit prior to proceeding.

Friday, September 10, 2010

How to determine the maximum page file usage in Windows 7?

In Windows XP, we could use the Task Manager to discover this. On the Performance tab, look under Commit Charge (K) and look at the Peak attribute.

On Vista and Windows 7, this information is no longer part of the Task Manager.

To discover the value of this attribute, I utilized PowerShell and WMI. On your client with Powershell installed:

- Click Start / All Programs / Accessories / Windows Powershell / Windows PowerShell ISE

- In the code pane at the top, enter this code:

$Computer = "LocalHost"
$Namespace = "Root\CIMv2"
Get-WmiObject -Class Win32_PageFileUsage -ComputerName $Computer -Namespace $Namespace | Select-Object PeakUsage

The value returned is in MB and represents the largest amount of data the page file has held since the client was last started.

Wednesday, September 8, 2010

How to control how long an object is recoverable in the AD Recycle Bin.

The Active Directory Recycle Bin is your tool to recover a deleted object and all of its associated properties. An object is only recoverable for a certain length of time, and you can configure this period to meet your organization's needs. First you need to turn on the AD Recycle Bin. The command below will do this:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<your forest root domain>' -Scope ForestOrConfigurationSet -Target '<your forest root domain>'

Once you have turned it on, any object deleted after this point can be recovered. By default, the retention period is 180 days. To control the amount of time you have to perform the recovery, set the lifetime (in days):

Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<your forest root domain>" -Partition "CN=Configuration,DC=<your forest root domain>" -Replace:@{"msDS-DeletedObjectLifetime" = <days>}

On a final note, remember that this is a Windows Server 2008 R2 feature.
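A check that reports whether the Recycle Bin is enabled in the forest, how many days a deleted object stays recoverable, and whether that meets the retention you require, added here as an example (not from the original post). It needs the ActiveDirectory module from Windows Server 2008 R2 or RSAT; the required number of days is a placeholder.

```powershell
# Added example, not from the original post. $RequiredDays is a placeholder.
param([int] $RequiredDays = 180)
Import-Module ActiveDirectory

function Get-RecycleBinRetention {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                             -Partition $configNc `
                             -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
    $feature  = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }

    # When the attributes are absent the directory uses built-in defaults:
    # tombstoneLifetime falls back to 60 days, and msDS-DeletedObjectLifetime
    # falls back to whatever tombstoneLifetime is.
    $tombstone = if ($dsConfig.tombstoneLifetime) { $dsConfig.tombstoneLifetime } else { 60 }
    $deleted   = if ($dsConfig.'msDS-DeletedObjectLifetime') { $dsConfig.'msDS-DeletedObjectLifetime' } else { $tombstone }

    New-Object PSObject -Property @{
        RecycleBinEnabled         = ($feature.EnabledScopes.Count -gt 0)
        DeletedObjectLifetimeDays = [int]$deleted
        TombstoneLifetimeDays     = [int]$tombstone
        LifetimeExplicitlySet     = ($dsConfig.'msDS-DeletedObjectLifetime' -ne $null)
        MeetsRequirement          = ([int]$deleted -ge $RequiredDays)
    }
}

$report = Get-RecycleBinRetention
$report | Format-List
if (-not $report.RecycleBinEnabled) {
    Write-Warning 'Recycle Bin is off: deleted objects become tombstones and lose most attributes.'
}
```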

http://blogs.technet.com/b/askds/archive/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting.aspx

Monday, September 6, 2010

Can a user read data if they have NTFS Write and not NTFS Read?

In class we had some confusion between some NTFS permissions. Here is the official word from Microsoft on the ones in question.

Modify - Users can view and modify files and file properties, including deleting and adding files to a directory or file properties to a file.

Write - Users can write to a file.

Read & Execute - Users can run executable files, including scripts.

Read - Users can view files and file properties.

After testing this: yes, the user with only Write access to the folder and its files can also read them.

Another part of this question is what happens to a high level permission when you explicitly remove some of the lower level permissions.

With the Modify permission set, you are also given Read & Execute, List folder contents, Read, and Write. By removing Read permission, you also lose Modify and Read & Execute. If you remove Write you only lose Modify.

Pay close attention to what rights you are giving, and removing from your users.
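An audit of the explicit (non-inherited) ACEs on every folder under a root, flagging Allow entries that grant a Write-type right without ReadData, which is the Write-without-Read combination discussed above. This is an added example, not from the original post; the root path is a placeholder.

```powershell
# Added example, not from the original post. $Root is a placeholder path.
param([string] $Root = 'D:\Shares\Projects')

function Get-ExplicitFolderAce([string] $Path) {
    $rights = [System.Security.AccessControl.FileSystemRights]
    # Bits that change data or its metadata, and the single bit needed to read data.
    $writeBits = $rights::WriteData -bor $rights::AppendData -bor $rights::WriteAttributes -bor
                 $rights::WriteExtendedAttributes -bor $rights::Delete -bor $rights::DeleteSubdirectoriesAndFiles
    $readBits  = $rights::ReadData   # the same bit as ListDirectory on folders

    # The root itself plus every folder beneath it.
    $folders = @(Get-Item -Path $Path) +
               @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        $aces = (Get-Acl -Path $folder.FullName).Access | Where-Object { -not $_.IsInherited }
        foreach ($ace in $aces) {
            # Some ACEs carry generic bits that the enum does not name, so compare the raw integer.
            $r = [int]$ace.FileSystemRights
            New-Object PSObject -Property @{
                Path        = $folder.FullName
                Identity    = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType
                Rights      = $ace.FileSystemRights
                WriteNoRead = ($ace.AccessControlType -eq 'Allow') -and
                              (($r -band [int]$writeBits) -ne 0) -and
                              (($r -band [int]$readBits) -eq 0)
            }
        }
    }
}

Get-ExplicitFolderAce -Path $Root |
    Sort-Object WriteNoRead -Descending |
    Format-Table Path, Identity, Type, Rights, WriteNoRead -AutoSize
```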

http://technet.microsoft.com/en-us/library/bb742461.aspx