Advanced Windows PowerShell Scripting Video Training

Advanced Windows PowerShell Scripting Video Training
Advanced Windows PowerShell Scripting Video Training

Friday, October 29, 2010

How to recover and object from the AD Recycle Bin

Once you have activated your AD Recycle Bin, you can recover any deleted object from that point forward.

To recover a deleted object, open the PowerShell Console with the AD modules. To do this on Server 2008 R2, Click Start \ Active Directory MOdule for Windows PowerShell.

image

First we need to verify that the object is still in the AD Recycle bin. The account we are looking for in this example is User3. Type the following line in the Windows PowerShell console:

Get_ADObject – Filter {DisplayName –like “User*”} – IncludeDeletedObjects

image

We can see the full name of the object that we need to recover, User3.

Now type:

Get_ADObject – Filter {DisplayName –eq “User3”} – IncludeDeletedObjects | Restore-ADObject

A quick check of Active Directory Users and Computers will show the restored object and all of its properties.

image

Wednesday, October 27, 2010

In a get-help –full, what does the Position parameter mean?

In PowerShell, you can get a wealth of information from using the Get-Help parameter. For example, if you type Get-Help Get-Command, you receive basic help information for the cmdlet Get-Command. For detailed information, type Get-Help Get-Command –full.

The first section of this expanded help file is the basic information for the cmdlet. It includes the syntax, a description, and in some cases, related commands. The next section list the parameters and the third examples. We will focus on the parameters section.

Below is the parameter Name from Get-Command.

-Name

Gets information only about the cmdlets or command elements with the specified name. represents all or part of the name of the cmdlet or command element. Wildcards are permitted.

To list commands with the same name in execution order, type the command name without wildcard characters. For more information, see the Notes section.

Required? false

Position? 1

Default value

Accept pipeline input? true (ByValue, ByPropertyName)

Accept wildcard characters? false

The Position value tells you if there is a specific order in which this parameter needs to be listed. In this case, it should be the first parameter for this cmdlet. Others that say Named can be placed anywhere after any required parameters.

http://wiki.poshcode.org/Cmdlet_Help/Microsoft.PowerShell.Core/Get-Help

Monday, October 25, 2010

What are the drive types enumerated by Win32_LogicalDrive

IN PowerShell, we can leverage the power of the WMI interface to enumerate the properties of the hardware inside of our clients. A simple PowerShell script to do that is:


$computer = "LocalHost"
$namespace = "root\CIMV2"
Get-WmiObject -class Win32_LogicalDisk -computername $computer -namespace $namespace

The information below is an example of the returned data. Remember, this script will return this set of data of all drives connected to the client at the time it was executed.

__GENUS : 2
__CLASS : Win32_LogicalDisk
__SUPERCLASS : CIM_LogicalDisk
__DYNASTY : CIM_ManagedSystemElement
__RELPATH : Win32_LogicalDisk.DeviceID="E:"
__PROPERTY_COUNT : 40
__DERIVATION : {CIM_LogicalDisk, CIM_StorageExtent, CIM_Logical
Device, CIM_LogicalElement...}
__SERVER : FERRARI5X64
__NAMESPACE : root\CIMV2
__PATH : \\FERRARI5X64\root\CIMV2:Win32_LogicalDisk.Devic
eID="E:"
Access :
Availability :
BlockSize :
Caption : E:
Compressed :
ConfigManagerErrorCode :
ConfigManagerUserConfig :
CreationClassName : Win32_LogicalDisk
Description : CD-ROM Disc
DeviceID : E:
DriveType : 5
ErrorCleared :
ErrorDescription :
ErrorMethodology :
FileSystem :
FreeSpace :
InstallDate :
LastErrorCode :
MaximumComponentLength :
MediaType : 11
Name : E:
NumberOfBlocks :
PNPDeviceID :
PowerManagementCapabilities :
PowerManagementSupported :
ProviderName :
Purpose :
QuotasDisabled :
QuotasIncomplete :
QuotasRebuilding :
Size :
Status :
StatusInfo :
SupportsDiskQuotas :
SupportsFileBasedCompression :
SystemCreationClassName : Win32_ComputerSystem
SystemName : FERRARI5X64
VolumeDirty :
VolumeName :
VolumeSerialNumber :

IN the above example, the Drive Type is 5. We can utilize the drive type to filter the results to only include the drives that we want to work with. The valid drive types are:
1 - Drive could not be determined
2 - Removable drive
3 - Local hard disk
4 - Network disk
5 - Compact disk (CD)
6 - RAM disk


If you wanted to only returned the data for the local hard drives, the code can be modified as such:

$computer = "LocalHost"
$namespace = "root\CIMV2"
Get-WmiObject -class Win32_LogicalDisk -computername $computer -namespace $namespace | Where {$_.DriveType -eq 3}




Friday, October 22, 2010

How To Decrypt many files in AD RMS When You Do Not Have Access to Them

Active Directory Right Management Service (AD RMS) is a security tool that you can deploy to your users that allow them to determine what kind of access users or groups have to the content that a user generates. A very good question from class is how do you decrypt the data if you need to get access to it when you were not given AD RMS rights. The answer is with the AD RMS Bulk Protection Tool. You can download it from here (http://www.microsoft.com/downloads/details.aspx?FamilyID=F9FBE58F-C175-41D0-AFDC-6F160AB809CD&displaylang=ru&displaylang=en)

Once you download the .msi file, double click it to allow it to install.

img1

img2

Click Next

img3

Check I accept the terms in the License Agreement and click Next.

Click Next

Click Install

Click Finish when the installation completes.

To start using the AD RMS Bulk Protection Tool:

Click Start / All Programs / AD RMS Bulk Protection Tool / AD RMS Bulk Protection Tool

A special command prompt windows will open. Give it a few seconds to finish loading. We need to know the location where the files are that need to be decrypted. The syntax for this operation is:

RMSBulk.exe /decrypt \\ServerName\ShareName

Be aware that I was able to decrypt documents using a standard user account that did not have any AD RMS access rights on the documents to begin with. This is a very powerful tool.

One more note, This has to be ran on a Windows Vista, Windows 7, or Windows Serer 2008 R2 machine.

Wednesday, October 20, 2010

Use Group Policy to configure clients for Network Access Protection

Network Access Protection is another tool in your arsenal to protect your networks. With it, you have the ability to make sure your defenses are on, stay on, and are up to date. NAP also provides you the tools to help make remediation of any problems automatic.

Your clients needs to have several configuration changes made to the in order to respond to NAP. They are:

- Security Center must be turned on.

- The NAP Service must be running.

- The proper NAP Enforcement Client must be enabled.

You can achieve this using group policy. Just make sure this GPO is applied to all your clients.

Security Center: Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Security Center \ Turn on Security Center (Domain PCs Only). Set this object to Enabled.

NAP Service: Computer Configuration \ Policies \ Windows Settings \ System Services \ Network Access Protection Agent. Check Define the Policy and then select Automatic.

NAP Enforcement Client: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Network Access Protection \ NAP Configuration \ Enforcement Clients. Double Client the Enforcement Client you will be setting up and Enable it.

Monday, October 18, 2010

How to set up a security group to be email enabled

In an Exchange environment, only Universal Groups can be emailed enabled. To convert a Global or Domain Local group to a Universal Group:

- Open the properties of the group.

- In the Group Scope box, click Universal.

- Click OK.

To mail enable the group:

- Click Start à All Programs à Microsoft Exchange Server 2010 à Exchange Management Console

- Expand Microsoft Exchange à Microsoft Exchange On-Premises à Recipient Configuration

- Click Distribution Group.

- Click New Distribution Group in the Action pane.

- Select Existing Group and click Browse.

- Click the group and then click OK.

- Click Next

- Provide an Alias for the group and click Next

- Click New

- Click Finish

The group is now email enabled.

To email enable an existing universal group with powershell:

- Click Start à All Programs à Microsoft Exchange Server 2010 à Exchange Management Shell

- We will assume the name of the group is Group1 with an SMTP address of Contoso.com.

- Type Enable-DistributionGroup –Identity “Group1” –Alias “Group 1” –DisplayName “Group1” –PrimarySMTPAddress Group1@Contoso.com

Friday, October 15, 2010

DHCPv6 installation guide for Windows Server 2008 R2

This guide is intended to help network administrators deploy IPv6 using DHCPv6 server in Windows server 2008 R2.
This lab procedure is being produced on a Windows Server 2008 R2 Hyper-V server running two virtual machines. One is a Windows 2008 R2 server and the second is a Windows 7 Professional client. The server is a domain controller with DHCP service installed and the client is a member of the domain.
The DHCP server needs to be set up for IPv6 Stateful configuration.
Open Server Manager
Click Roles
Click Add Roles
Click Next
Check DHCP Server and click Next
Click Next
In the Select Network Connection Bindings window, select which network adapters that you would like to use for DHCP and then click Next.
In the Specify IPv4 DNS Server Settings, enter the correct information for your network and click Next
In the Specify IPv4 WINS Server Settings, give the information appropriate for your environment and click Next
In the Add or Edit DHCP Scopes window, click Next
In the Configure DHCPv6 Stateless Mode window, select Disable DHCPv6 Stateless mode for this server and click Next
In the Authorize DHCP Server windows, click Next
Click Install
Click Close when the installation completes.
Set the static IP address of the domain controller to FC00:0:0:1:: and the DNS server to FC00:0:0:1::. For the sake of this exercise, set the Default gateway to FC00:0:0:2::


Let’s start off by configuring the DHCP server to issue IPv6 address.
Click Start / Administrative Tools / DHCP.
Expand your network and then expand IPv6.


Right click IPv6 and then click New Scope
Click Next
Give this scope a distinctive name and a description.
Click Next.
In the Scope Prefix window, give the prefix of FC00:0:0:1:: and click Next
In the Add Exclusions window, provide an Exclusion range so you can set your static devices with IPv6 addresses that will not be issued by this DHCP server.
Start IPv6 Address: 0:0:0:1
End IPv6 Address: 0:0:0:2
Click Add and then Next


On the Scope Lease window, click Next
On the Completing the New Scope Wizard window, Select Activate Scope Now and then click Finish


The next step is to configure our Windows 7 client to receive IPv6 addresses from a DHCPv6 server.
Click Start / Control Panel / Network and Internet / Network and Sharing Center.
Click Change adapter settings in the upper left corner.
Right click your adapter and click Properties
Click Internet protocol version 4 (TCP/IPv4) and then Properties
Select Obtain an IP address automatically
Select Obtain DNS server address automatically
Click OK



Click Internet Protocol Version 6 (TCP/IPv6) and then Properties.
Select Obtain an IPv6 address automatically and Obtain DNS Server address automatically and then click OK.



Local Area Connection Properties dialog box.
Click Start, type CMD and press Enter.
This next step will enumerate the network interfaces installed on this client. We need to get the index number of the interface card we are going to configure to obtain IPv6 addresses automatically.
Type netsh int ipv6 show int and press Enter



From the results, we can see that we are using the interface on Idx 11. Of the two local area connections listed, only the NIC on index 11 is currently “connected.”
For these next several steps, when you are instructed to type a command with [index] as an instruction, type the Idx number. In this case, 11.
We now need to disable to default mode for IPv6, which is router discovery.
Type netsh int ipv6 set int [index] routerdiscovery=disable and press Enter.
Next we need to tell the interface that we are going to manage the IPv6 address.
Type Netsh int ipv6 set int [index] managedaddress=enable and press Enter.
We can confirm our settings by typing netsh int ipv6 show int [index] and press Enter.



In the above image, we can see that Router Discovery is disabled and Managed Address Configuration is enabled.
Now, type IPConfig /all to see that you have an IPv6 address from the DHCP server.

Wednesday, October 13, 2010

Comptia Network+ Now Availible

I thought that it is time to start using my Comptia certifications so I am now offering Network+ classes to all my clients. I am utilizing the Element K text for these classes. Please let me know if you are interested.

Monday, October 11, 2010

How to use Group Policy to Populate Remote Desktop Group on Clients

For many organizations, Group Policy is the option of choice for one-to-many administration. In particular, we are going to be looking at the GPO for Restricted Groups.

For this to work you need to make sure this policy setting applies only to the organizational unit that contains the clients the you want to set group membership on

Open Group Policy Management

Create a GPO and give it the name of your choice.

Edit the policy.

Expand Computer Configuration \ Windows Settings \ Security Settings \ Restricted Groups.

Right mouse click Restricted Groups and select New Group.

Click Browse.

Type Remote and click Check Names.

Click OK

Click OK. You should see the window below.



In the Members of this Group section, click Add.

Add the users or groups that you want to ensure they are a member of the Remote Desktop Users Group. Click Browse if you need help finding the users or groups.

This will also ensure that only these users and groups are the only accounts listed in this group. To add others later or to remove them, you will have to edit the list in this Group Policy.

Make sure you link the group policy to the OUs that hold the computer accounts of the clients that you want to populate with this data.

Friday, October 8, 2010

RDC client upgrade for Windows XP

The following link will take you to the Microsoft article concerning upgrading your XP RDC clients to the Windows 7/Server 2008 R2 compatible version. Take note of the known issues section.

Upgrading your RDC clients will allow you to take advantage of the following, should your OS support these options:

Web Single Sign-On (SSO) and Web forms-based authentication

Remote Desktop (RD) Web Access now uses forms-based authentication to improve the user experience. Web SSO makes sure that after a user is logged on, no additional passwords are required for RD Gateway, RD Session Host servers and RemoteApp programs.

For security, Web SSO requires remote applications to be signed using a certificate from a trusted issuer.

Access to personal virtual desktops by using RD Connection Broker

Users can access personal virtual desktops when they use the new Remote Desktop Virtualization Host in Windows Server 2008 R2. Personal desktops are assigned to users on a one-to-one basis and maintain state over time.

Access to virtual desktop pools by using RD Connection Broker

Users can access virtual desktop pools when they use the new Remote Desktop Virtualization Host in Windows Server 2008 R2. Pooled desktops are shared between multiple users, and all changes a user makes are typically rolled back when the user logs off.

Status & disconnect system tray icon

A single system tray icon enables users to see all of their remote connections. The user can disconnect all or individual connections that use this icon. The icon appears only when opening RDP connections which are associated with a RemoteApp and Desktop Connection feed.

RD Gateway-based device redirection enforcement

In Windows Server 2008, it was possible for non-Microsoft Remote Desktop clients to override the gateway device redirection controls. In Windows Server 2008 R2, device redirection settings are defined in RD Gateway and can be configured not to be overridden.

RD Gateway system and logon messages

System and logon messages can be added to RD Gateway and displayed to the remote desktop user. System messages can be used to inform users of server maintenance issues such as shutdowns and restarts. Logon messages can be used to display a logon notice to users before they gain access to remote resources.

RD Gateway background authorization & authentication

Background authentication and authorization requests are performed after a configured session timeout is reached. Sessions for users whose property information has not changed are not affected, and authentication and authorization requests are sent in the background.

RD Gateway idle & session time-outs

Configurable idle and session time-outs with RD Gateway provide better control of users who connect through RD Gateway. An idle time-out lets the user reclaim resources that are used by inactive user sessions without affecting the user's session or data. This helps free up resources on the RD Gateway server.

NAP remediation with RD Gateway

NAP remediation allows you to manage remote clients by updating them with the latest software updates and settings. This helps keep remote clients in compliance with network security policies.

Windows Media Player redirection

Windows Media Player Redirection enables content hosted in Windows Media Player to be redirected to the client for decoding on users’ computers. This improves the quality of the video and makes sure that video and audio are always in sync. This works for both full Windows Media Player and Windows Media Player controls hosted in Web pages.

Bidirectional audio

You can redirect audio recording devices such as microphones on the client computer. This is ideal for applications such as Windows 7 voice recognition, and applications that record audio.

Multiple monitor support

In Windows Vista and in Windows Server 2008, Terminal Services supported only monitor spanning. Remote Desktop Services now includes multiple monitor support for up to 16 monitors, and works for both Remote Desktop and RemoteApp programs.

Note For connections with multiple monitor support enabled, AeroGlass support is currently not supported and will be turned off.

Enhanced video playback

Bitmap acceleration improves the remote display of graphics-intensive applications such as PowerPoint, Flash, and Silverlight.

The download link for each version is at the bottom. As always, make sure you test before deploying to your clients.

http://support.microsoft.com/kb/969084

Wednesday, October 6, 2010

How to get Windows XP applications compatible with Windows 7

The simple truth is not all applications will be compatible with Windows 7. Since Windows Vista, parts of the OS and registry are not longer accessible to applications to modify. There are several methods to mitigate application compatibility issues. One of them is with Windows XP Mode for Windows 7. You must be running Window 7 Professional, Business, or Ultimate editions to be able to utilize Windows XP mode. You will also need to install virtual PC on Windows 7. Below are the links to download your copy of Windows XP Mode and the installation instructions.

Once you have Windows XP Mode installed, install you application in the XP mode and give it a try.

Windows XP Mode download: http://www.microsoft.com/windows/virtual-pc/download.aspx

Installation instructions: http://windows.microsoft.com/en-us/windows7/install-and-use-windows-xp-mode-in-windows-7

Monday, October 4, 2010

What is the maximum number of domains a forest can contain?

The answer to this question depends on the operating system of your forest.

- Windows 2000: 800 domains

- Windows 2003/2008: 1200 domains

These are Microsoft’s recommendations.

Another interesting note is that your domain controllers can only create 2,147,483,393 before they can no longer create any more new objects. I think it is safe to say that most organizations will not hit this limit in a domain controllers lifetime.

http://support.microsoft.com/kb/909264

http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(WS.10).aspx#BKMK_Forest

Friday, October 1, 2010

How to import the Active Directory modules into PowerShell.

In PowerShell V1, I was a bit disapointed with the lack of Active Directory support built into PowerShell. With V2 and the RSAT (Remote Server Administration Tools), you have much greater management capability of your AD environment with PowerShell.

The first step is to get your PowerShell configured for AD. On a Windows Server 2008 R2 domain controller, this is easy. Just click Start / Windows PowerShell Modules. That will bring up a PowerShell console with all the new goodies loaded up. Now, what about the ISE?

To load the AD Modules up in the ISE, I have a small script that I use. I just run it and I'm ready to go. You can also include this as a function in your own scripts to avoid having to run a supporting script.

<#

===========================================
Script Name: ImportAD.ps1
Author: Jason A. Yoder, MCT
Company: MCTExpert, Inc.
Website: www.MCTExpert.com
Blogsite: www.MCTExpert.blogspot.com

Date: 2010AUG24

Script Purpose:
install the Active Directory components of PowerShell.

Requirements:
- PowerShell V2
- Remote Server Administration Tools
- A Windows domain
#>

# Main Code ===================================

Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory

# End Script ===================================