Advanced Windows PowerShell Scripting Video Training


Monday, May 28, 2012

Problems when modifying the Default User Profile in Windows 7


When a user logs on to Windows 7 for the first time, there are some tasks that need to run.  By modifying the default profile, you may inhibit those actions from running.  Below is a list of potential problems.

  • Their list of most frequently run programs is not cleared
  • Whether the user has been introduced to the Start menu (will be set to TRUE for the source account, but should be FALSE for new users). Windows Explorer does some special things the first time you log on to introduce you to the Start menu and other new features.
  • Whether the user is an administrator (and should therefore see the Administrative Tools, etc).
  • The personalized name for “My Documents” will be incorrect. All users' Documents folders will be called “Administrator's Documents”.  This is documented in the Knowledge Base article “The Desktop.ini File Does Not Work Correctly When You Create a Custom Default Profile” (http://support.microsoft.com/?id=321281).
  • The default download directory for IE will be set to the Administrator's Desktop folder.
  • The default Save and Open locations for some applications will point to the Administrator's Documents folder.
  • Windows 7 Libraries are broken.

By manually modifying the default profile (or via a script) you are placing your Windows deployment into an unsupported state.  Not good.  Go to this article and take a look at option B.  Note, that there are drawbacks to Option B.  I support option F, Group Policy.

Friday, May 25, 2012

How to Prevent Users from Seeing the Security Key for a Wireless Access Point.

There are two ways of doing this.  First, leave UAC turned on and do not give the user local administrative privileges.  In the image below, the blue and yellow shield icon marks an action for which UAC will ask for elevation of privilege before continuing.


In environments that have to turn off UAC or provide end users with administrative rights, we can use Group Policy. 

  • Create a GPO and scope it to the logged-on user, not the computer.
  • Expand User Configuration / Policies / Administrative Templates / Network / Network Connections
  • Enable the policy called Prohibit access to properties of a LAN connection.

This will prevent the user from seeing the above screen.

Thursday, May 24, 2012

How to prevent Domain Users from Authenticating to a WDS Share

By default, authenticated users can connect to a WDS share and read the .wim files.  When a user performs a PXE boot using the boot image provided by WDS, their domain credentials can be used for authentication.  This is the default behavior for the share.


If this is not desirable in your environment, create a new security group that contains the users that you want to be able to access the share. Grant this group the ability (at minimum) to Read & Execute,  List Folder Contents, and Read. Then remove the Authenticated Users group.

Once this is completed, if a user attempts to authenticate to the WDS server, this is what they see:


The user will not be presented with any images.


If the user is in the correct security group, they will get a listing of the available images to select from.
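An added check (not from the original post) that reads the NTFS ACL on the WDS image folder and reports whether Authenticated Users still holds an Allow entry and whether the replacement group has at least Read & Execute (which already covers List Folder Contents and Read). The folder path and group name are placeholders you would replace with your own.

```powershell
function Test-WdsImageFolderAccess
{
    Param
    (
        [string]$Path = 'D:\RemoteInstall',                 # assumed path to the WDS folder
        [string]$AllowedGroup = 'CONTOSO\WDS Image Readers' # assumed replacement group
    )

    $Acl = Get-Acl -Path $Path
    $AllowRules = $Acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }

    # After the change, Authenticated Users should hold no Allow entry at all.
    $AuthUsers = $AllowRules |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' }

    # The custom group needs ReadAndExecute at minimum; that flag set
    # includes ListDirectory and Read, so a single -band test covers all three.
    $ReadExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $GroupHasRead = $false
    ForEach ($Rule in ($AllowRules | Where-Object { $_.IdentityReference.Value -eq $AllowedGroup }))
    {
        If (($Rule.FileSystemRights -band $ReadExec) -eq $ReadExec)
        {
            $GroupHasRead = $true
        }
    }

    New-Object PSObject -Property @{
        Path                      = $Path
        AuthenticatedUsersAllowed = [bool]$AuthUsers
        AllowedGroupHasRead       = $GroupHasRead
        Compliant                 = ((-not $AuthUsers) -and $GroupHasRead)
    }
}

Test-WdsImageFolderAccess
```

Run it on the WDS server after editing the folder permissions; Compliant is True only when Authenticated Users is gone and the group has the minimum rights.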


Tuesday, May 22, 2012

How do I update the PowerShell V3 Help files for Servers that are not Connected to the Internet?

With the updateable help files in PowerShell V3, this can be a challenge.  Many servers are not made to be on the internet.  For one reason or another, they are isolated.  This is common practice in highly secured networks.  So the question still remains.  How do I update the PowerShell V3 help files?  We use the Save-Help cmdlet.


Save-Help will allow you to save the update files on media and then manually install them in PowerShell.

Save-Help -DestinationPath Destination

In this case, Destination is where you want to save the file to.

To install the help file, go to the server and type:

Update-Help -SourcePath Source

In this case, Source is where the update file is located at.

Monday, May 21, 2012

PowerShell V3 Help Files

As we continue our journey to Windows 2012, the beta version of PowerShell V3 is out.  You can download it from here.   Remember, the files marked WINDOWS6.1 are the installation files for Windows 7.  One thing that I noticed is that the help files are not fully populated.  PowerShell V3 has updateable help files.  Here is how you update them.


Open PowerShell as an Administrator.


Now type Update-Help and press Enter

After a few minutes, Windows will need to restart.  After the restart, go ahead and ask for a help file and you will see the contents that you are interested in.

Thursday, May 17, 2012

Use PowerShell to see how much file space on the hard drive is unusable because of the block size.

Modern hard drives are divided into blocks.  These blocks can be of various sizes, such as 512K or 1024K.  The issue that can develop is that once a block contains the data of a file, the unused portion of that block cannot store any other data.  So for example, if you save a 768K file onto a hard drive containing 512K blocks, your file will consume 1024K, and 256K will be unusable space.  This script will show you how much space is being wasted.


This script is a quick demo based on a question that popped up in class.  Utilizing FSRM quotas, I set a folder with a hard quota of 6 KB.  I then copied a 2 KB file into the folder.  When I copied the same file in again, Windows stated that I had exceeded my quota.  Well, logically 2 KB + 2 KB = 4 KB.  My quota was 6 KB.

Upon further analysis, we discovered that the file size was actually a few kilobytes larger than 2.5 K.  That means that on my hard drive with block sizes of 512K, we were using 6 blocks, or 3 KB.  The second file pushed us past the limit and we received an error.


This script is designed to be dot sourced into the shell environment of PowerShell.


<#
.SYNOPSIS
Returns the amount of space that is unused in the files' blocks.

.DESCRIPTION
Returns the amount of space that is not available to be
used on the hard drive due to the block size on the hard drives.
If a file only uses part of a block, the rest of the block cannot
be used for another file.

.PARAMETER Recurse
Performs a recursive search using the current location
in the file system as the root.

.EXAMPLE
Get-WastedDriveSpace -Recurse

Returns the wasted space on the hard drive based on the
current location in the file system as the root of the search.
#>

function Get-WastedDriveSpace
{
    Param
    (
        [Switch]$Recurse
    )

    # Get the allocation unit (block) size of every volume that has a drive
    # letter. Win32_Volume.BlockSize is the size a file is actually allocated
    # in, and DriveLetter lets each volume be matched to a file's PSDrive
    # without relying on the order in which WMI happens to return partitions.
    $Volumes = Get-WmiObject Win32_Volume |
        Where-Object { $_.DriveLetter } |
        Select-Object -Property DriveLetter, BlockSize

    # Get the files. Directories have no Length and are skipped.
    If ($Recurse)
    {
        $Files = Get-ChildItem -Recurse |
            Where-Object { -not $_.PSIsContainer } |
            Select-Object -Property Length, PSDrive
    }
    Else
    {
        $Files = Get-ChildItem |
            Where-Object { -not $_.PSIsContainer } |
            Select-Object -Property Length, PSDrive
    }

    # Build one accumulator object per drive letter.
    $DriveObj = @()
    ForEach ($Volume in $Volumes)
    {
        $DriveInfo = New-Object PSObject
        $DriveInfo | Add-Member NoteProperty -Name Name -Value ($Volume.DriveLetter).Replace(":","")
        $DriveInfo | Add-Member NoteProperty -Name BlockSize -Value $Volume.BlockSize
        $DriveInfo | Add-Member NoteProperty -Name TotalFileSize -Value 0
        $DriveInfo | Add-Member NoteProperty -Name TotalBlocksUsed -Value 0
        $DriveInfo | Add-Member NoteProperty -Name SizeOfBlocks -Value 0
        $DriveInfo | Add-Member NoteProperty -Name WastedSpaceMB -Value 0

        $DriveObj += $DriveInfo
    }
    # End: ForEach ($Volume in $Volumes)

    ForEach ($File in $Files)
    {
        ForEach ($Drive in $DriveObj)
        {
            If ($File.PSDrive.Name -eq $Drive.Name)
            {
                # A partially filled block still costs a whole block, so the
                # block count is rounded up rather than truncated or rounded
                # to the nearest integer.
                $Blocks = [math]::Ceiling($File.Length / $Drive.BlockSize)

                $Drive.TotalFileSize   += $File.Length
                $Drive.TotalBlocksUsed += $Blocks
                # Add only this file's blocks, not the running total.
                $Drive.SizeOfBlocks    += ($Blocks * $Drive.BlockSize)
            }
        }
        # End: ForEach ($Drive in $DriveObj)
    }
    # End: ForEach ($File in $Files)

    # Calculate the Wasted Space.
    ForEach ($Drive in $DriveObj)
    {
        $Drive.WastedSpaceMB = ($Drive.SizeOfBlocks - $Drive.TotalFileSize) / 1mb
    }
    # End: ForEach ($Drive in $DriveObj)

    # Write the object to the pipeline
    Write-Output $DriveObj
}
# End: Get-WastedDriveSpace

Wednesday, May 16, 2012

Switching between Server 2012 Full Installation and Server Core

Over the past several years that I have been instructing Windows classes, I have seen a lot of raised eyebrows when it comes to the topic of Server Core.  Although my classes agree with the principles of a smaller attack footprint and less management, the text-based interface does not sit well with them.  With the release of Server Core 2008 R2, we were given the sconfig tool to make configuration of Server Core a bit easier.  It also made it easier to configure the firewall so that the core can be managed from a GUI machine.

With Windows Server 2012, we have another option.  We can install either Server Core or the Full installation and simply switch between the two of them.  The GUI is now an installable feature that can also be removed.  This will result in a reboot when making the switch and some delay while Windows reboots.  In this scenario, you can run Server Core for daily operations.  If you need to do some work that you would rather do in a GUI, you can add the GUI feature.  Once you have finished with the GUI, remove the GUI feature and reboot.  

Here is the process to convert from a GUI to Server Core.

Log in to Server 2012 as an Administrator.

In Server Manager, click Manage –> Remove Roles and Features


On the Before you Begin window, click Next.


Select the server that you want to change to a server core and click Next.

At the Remove servers roles window, click Next.

On the Remove Features window, clear the User Interfaces and Infrastructure check box and click Next.

Check the Restart the destination server automatically if required check box if you want to implement this change immediately.


Click Yes and then Next.


At the confirmation screen, you may notice that other roles and features are also removed.  For example, Windows Deployment Services cannot be installed on Server Core.  If you have WDS installed on this GUI installation, it will be removed if you switch to the core installation.


During the shutdown and boot up, you will have to wait for the configuration changes to be made.


Once the reboot completes, you will be running Server Core.  So, what do you do if you need the GUI back?

Type PowerShell and press Enter.

Type Add-WindowsFeature server-gui-shell and press Enter.


Next you need to reboot the server.  Type shutdown -t 0 -r and press Enter.

This process will cause down time of several minutes for the server.  Also, remember that it may remove functionality from the server when converting to server core if that functionality is only available in the GUI installation.

Monday, May 7, 2012

Policy to Restrict USB Ports

You can restrict the types of USB devices that are allowed on your clients by using group policy. I would like to give a word of caution when implementing this. You should consider having a “Supported Device List.” This will allow your organization to formally declare what can and cannot be plugged into your USB ports. Without such a list, a constant flow of requests will come in to add more and more devices. It is best to draw the line early and have a formal review process to make sure that the number of supported devices does not become unmanageable.

Settings to control USB Device Access:

Policy Location

Computer Configuration \ Administrative Templates \ System \ Device Installation \ Device Installation Restriction

Policy Name

Prevent installation of devices not described by other policy settings

Setting

Enable

Configuration

 

Description

Prevents other USB devices from being installed unless they are specifically allowed in a policy.

Procedure to get Plug and Play device IDs to allow devices to be used on the clients.

· Plug the device into a client that does not have a policy restricting devices.

· Click Start

· Type Device

· Click Device Manager from the list.

· Expand the category for the device you plugged in and then double click the device


· Click the Details tab.


From here, you need to decide if you are going to allow a class of devices to work on the client. An example of this would be for mice and keyboards. You can also specify a specific device like the USB hard Drive that we will be deploying images on.

For a specific device:

· In the drop down list, select Hardware IDs.

· Copy the information from the first entry. This is the exact hardware ID for this device.


· Browse to the section of the Local Policy below and enter that value in the Configuration of the policy.

· A reboot is required.

The policy below will specify a specific hardware device.

Policy Location

Computer Configuration \ Administrative Templates \ System \ Device Installation \ Device Installation Restriction

Policy Name

Allow installation of devices that match any of these device IDs

Setting

Enable

Configuration

USBSTOR\DiskWD_____My_Passport_07401003

Description

The configuration is the Hardware ID of the USB Device that you want to allow to connect to the client.

Note: This setting can be omitted. To use a USB device, log in as a local administrator and set the policy below labeled Allow administrators to override Device Installation Restriction Policies.

To allow a class of devices like mice and keyboards


· In the drop down list select Device Class Guid

· Record the guid (curly braces and all).

· Browse to the section of the Local Policy below and enter that value in the Configuration of the policy.

· A reboot is required.

The policy below will specify a device setup class.

Policy Location

Computer Configuration \ Administrative Templates \ System \ Device Installation \ Device Installation Restriction

Policy Name

Allow installation of devices that match these device setup classes

Setting

Enable

Configuration

{4d36e96f-e325-11ce-bfc1-08002be10318}

Description

The configuration is the device setup class GUID of the devices that you want to allow to connect to the client.

GUID ID for Mouse and Keyboard: {4d36e96f-e325-11ce-bfc1-08002be10318}

Policy Location

Computer Configuration \ Administrative Templates \ System \ Device Installation \ Device Installation Restriction

Policy Name

Allow administrators to override Device Installation Restriction Policies.

Setting

Enable

Configuration

 

Description

This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings.

If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
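Two added helpers (not from the original post) for the procedure above. The first pulls the same Hardware ID and device setup class GUID that Device Manager shows on the Details tab, so you do not have to copy them by hand; the second reads back what the three policies actually applied on a client. The registry path under HKLM\SOFTWARE\Policies is my assumption of where the Device Installation Restriction templates write their values; confirm it against gpresult on your own clients.

```powershell
function Get-PnpAllowListCandidate
{
    # Win32_PnPEntity exposes HardwareID (an array, most specific first) and
    # ClassGuid for each present device. Filtering on DeviceID 'USB*' keeps
    # both USB\VID_... entries and USBSTOR\Disk... entries.
    Get-WmiObject Win32_PnPEntity |
        Where-Object { $_.HardwareID -and $_.DeviceID -like 'USB*' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name       = $_.Name
                HardwareID = $_.HardwareID[0]
                ClassGuid  = $_.ClassGuid
            }
        }
}

function Get-DeviceInstallRestrictionPolicy
{
    # Assumed registry location of the applied policy values.
    $Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    If (-not (Test-Path $Base))
    {
        Write-Warning 'No Device Installation Restriction policy has applied.'
        return
    }
    $Root = Get-ItemProperty -Path $Base

    # The allow lists are stored as numbered string values (1, 2, 3, ...)
    # under a subkey; collect them in numeric order.
    function Read-NumberedValues ($Key)
    {
        If (-not (Test-Path $Key)) { return @() }
        (Get-ItemProperty -Path $Key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            Sort-Object { [int]$_.Name } |
            ForEach-Object { $_.Value }
    }

    New-Object PSObject -Property @{
        DenyUnspecified   = [bool]$Root.DenyUnspecified
        AllowAdminInstall = [bool]$Root.AllowAdminInstall
        AllowedDeviceIDs  = @(Read-NumberedValues "$Base\AllowDeviceIDs")
        AllowedClasses    = @(Read-NumberedValues "$Base\AllowDeviceClasses")
    }
}

Get-PnpAllowListCandidate | Format-Table -AutoSize
Get-DeviceInstallRestrictionPolicy
```

Run the first function on an unrestricted client, as the procedure describes, and the second on a restricted client after a reboot to confirm the expected IDs and GUIDs are present.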

Tuesday, May 1, 2012

How Many KMS Servers can a single KMS license activate?

Here is the official word from Microsoft.  In particular, this paragraph:

What is Key Management Service (KMS) and how does it work?

KMS is a lightweight service that does not require a dedicated system and can easily be co-hosted on a system that provides other services. With KMS, you can complete activations on your local network, eliminating the need for individual computers to connect to Microsoft for product activation.

A KMS host key is used only to activate the KMS host with a Microsoft activation server. A KMS host key can activate six KMS hosts with 10 activations per host. Each host can activate an unlimited number of computers. If you have an existing machine configured as Windows KMS* host, you will need to enter and activate the Office 2010 KMS host key before the KMS host can activate Office 2010, Project 2010, and Visio 2010. If you need additional KMS activations so you may activate more than 6 KMS hosts, find the telephone number for your Microsoft Activation Center to activate your KMS host.

KMS requires a minimum number of either physical or virtual computers in a network environment. These minimums, called activation thresholds, are set so that they are easily met by enterprise customers. For computers running:

  • Windows Server 2008 and Windows Server 2008 R2 you must have at least five (5) computers to activate.

  • Windows Vista or Windows 7 you must have at least twenty-five (25) computers to activate. These thresholds can be a mix of server and client machines to make up the threshold number.

  • Office 2010, Project 2010 and Visio 2010 you must have at least five (5) computers to activate. If you have deployed Microsoft Office 2010 products, including Project 2010 and Visio 2010, you must have at least five (5) computers running Office 2010, Project 2010 or Visio 2010.

Here are some more reference materials to assist you:

*Only Windows Server 2003, Windows 7 volume editions, and Windows Server 2008 R2 are supported as Office KMS hosts.


This one is a bit confusing.  Is it 6 KMS servers or 60?  Here are a few more details from Sean Metcalf:


A KMS key is used to activate only the KMS host with a Microsoft activation server. A KMS key can activate up to six KMS hosts with 10 activations per host. Each host can activate an unlimited number of computers. If you need to activate more than six KMS hosts, contact your Volume Licensing Service Center (http://go.microsoft.com/fwlink/p/?LinkId=184280), and state why you must increase the activation limit.

In other words, the answer is 6.