Wednesday, 6 November 2013

Find the NTP time source - where is my machine getting the time from?

 
To find out where your machine/server is sourcing its time from, use one or more of the following commands.
 
Open up the cmd prompt as Admin

w32tm /query /configuration
This command will give you the current time configuration you have set up on the network/for the machine

w32tm /query /status
This will give you information such as stratum, leap indicator, precision, last sync, NTP server, poll interval.

Time /T
This will simply output the current system time.

Wednesday, 23 October 2013

Upgrade Password Manager Pro

Upgrading PMP is fairly straightforward. The upgrade packs are applied through a tool named UpdateManager which is handily bundled within the PasswordManager Pro directory. To install the upgrade packs on an installation which doesn't have a full MS SQL Server backend just following the following steps:

1] In Windows, right-click the PMP tray icon and then click "Exit"

2] Shutdown the PasswordManager Pro Server service, if running. Check if mysql process is running. If it is, terminate that process

IMPORTANT: Take a copy of the entire Password Manager Pro installation folder before applying the upgrade pack and keep it in some other location. If something goes wrong with the PMP upgrade, you can rely on the copy. All your settings will remain intact.

3] Log onto the server as the Local Administrator (domain admin won't work for some reason). Open up an elevated cmd prompt, navigate to <PMP_Installation_Folder>/bin directory and execute UpdateManager.bat to start the Update Manager.

4] If you are applying multiple upgrade packs one-by-one, exit the Update Manager tool after applying one upgrade pack and make sure that the database process is not running. Then proceed with running the Update Manager tool to apply the next upgrade pack and so on

5] Click Browse and select .ppm file that you downloaded. Click Install to install the upgrade pack. Wait until the upgrade pack is fully installed. [Normally, it takes a few minutes for PPM installation]

6] Click Close and then click Exit to exit the Update Manager tool. If you are applying more than one upgradepack, apply them one-by-one and follow this step after applying each upgradepack 
 
7] After applying the upgrade pack, check if database process is running. If it is running, terminate that process

8] Start the PasswordManager Pro server / service

9] Once you upgrade to the latest version, the High Availability set up has to be reconfigured again. The old HA set up will not work. In addition, the existing secondary server has to be uninstalled and a new secondary server has to be installed. You may download a fresh, full build and install it as SECONDARY

Thursday, 29 August 2013

Manually Remove the SCCM Client

There is only one recommended way to uninstall the SCCM client and it's a pretty straight forward exercise. The only thing to watch out for is the location of the ccmsetup file varies depending on which o/s you're using....

1] From the CMD Prompt (32bit)

Open a cmd prompt as admin
Change (cd) to the directory where ccmsetup.exe can be found (chances are this'll be %windir%\system32\ccmsetup).
Then enter ccmsetup.exe /uninstall

2] From the CMD Prompt (64bit)

Open a cmd prompt as admin
Change (cd) to the directory where ccmsetup.exe can be found (chances are this'll be %windir%\Windows\ccmsetup).
Then enter ccmsetup.exe /uninstall

Wednesday, 28 August 2013

VBS Script to Discover Last Reboot Time of Multiple Machines/Servers

On occassion you may wish to find the last reboot time of any given number of machines/servers on your network (for example if you need to check how many have rebooted following a patch update). The following script, cribbed from a technet article, works well and spits out a text file listing all the servers, their last reboot time and how many hours the system has been up for.
 
1]
create a text file listing all the servers/computers you want info on and name it servers.txt
 
2]
copy the below text into notepad and save it as ServerReboot.vbs. Be sure to save it into the same folder as the servers.txt file.

    ' =====================================================================
Set objTextFile = objFSO.OpenTextFile("c:\scripts\servers.txt", ForReading)
Set outfile = objFSO.CreateTextFile("Report.txt")
Do Until objTextFile.AtEndOfStream
    strComputer = objTextFile.Readline
    ' ===============================================================================
    ' Code to get the Last Boot Time using LastBootupTime from Win32_Operating System
    ' ===============================================================================
Set objWMIService = GetObject _
    ("winmgmts:\\" & strComputer & "\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery _
    ("Select * from Win32_OperatingSystem")
For Each objOS in colOperatingSystems
    dtmBootup = objOS.LastBootUpTime
    dtmLastBootupTime = WMIDateStringToDate(dtmBootup)
    'OutFile.WriteLine "=========================================="
    OutFile.WriteLine "Computer: " & strComputer
    OutFile.WriteLine "Last Reboot: " & dtmLastBootupTime
    dtmSystemUptime = DateDiff("h", dtmLastBootUpTime, Now)  
    OutFile.WriteLine "System is online since " & dtmSystemUptime & " hours"
    OutFile.WriteLine "=========================================="
   
   
Next
    ' =====================================================================
    ' End
    ' =====================================================================
Loop
objTextFile.Close
 ' ===============================================================================
 ' Displaying to the user that the script execution is completed
 ' ===============================================================================
MsgBox "Script Execution Completed. The Report is saved as Report.txt in the current directory"
 ' ===============================================================================
 ' Function to convert UNC time to readable format
 ' ===============================================================================
Function WMIDateStringToDate(dtmBootup)
    WMIDateStringToDate = CDate(Mid(dtmBootup, 5, 2) & "/" & _
         Mid(dtmBootup, 7, 2) & "/" & Left(dtmBootup, 4) _
         & " " & Mid (dtmBootup, 9, 2) & ":" & _
         Mid(dtmBootup, 11, 2) & ":" & Mid(dtmBootup, _
         13, 2))
End Function

3]
open up the cmd prompt and execute the vbs file.
 
4]
wait for the script to chug along and then spit out a report.txt file.

Low and behold a list of servers/computers has been generated along with their last reboot times.


For further info see the following page: http://blogs.technet.com/b/manojnair/archive/2010/03/30/vbscript-to-find-out-last-reboot-time-of-multiple-computers.aspx

Monday, 19 August 2013

Windows 7 and 2008R2 - Webpage displaying text only, no images in Internet Explorer

In cases such as this you may find that although text is generally present, things such as backgrounds, active buttons, text-entry boxes and animations are all missing. There are a number of possible reasons that this may be happenening and, as such, a number of different troubleshooting approaches you can utilise:

Possible Cause A:
The machine has the High Contrast setting enabled which is causing the webpage(s) to be only partially rendered.

1. Click on the Start button > Control Panel > Ease of Access > Ease of Access Center > Make the computer easier to see.

2. Under High Contrast, uncheck all the options listed under “High contrast”.



Possible Cause B:
IE is set to use No Style to view webpages, this may cause the browser to display the text only format.
 
1. Open IE. Go to View > Style > select Default Style


Possible Cause C:
Compatability mode isn't turned on and so the site isn't being processed correctly by IE. Although this feature should be turned on automatically, it's always worth double checking that it's actually on.
  1. See if the Compatibility View button Compatibility View button appears in the Address bar. (If you don't see the button, there's no need to turn on Compatibility View.)
  2. Tap or click the Compatibility View button Compatibility View button to display the site in Compatibility View.


Possible Cause D:
Some setting within Internet Explorer has either been changed or become corrupt. Try to restore IE to it's original state.

1. Open IE. Select Tools > Internet Options > Advanced > click on both Restore advance Settings and Reset

Thursday, 8 August 2013

Block Size on Disk

After a disk has been formatted with NTFS it can be slightly tricky to figure out what block size it has been formatted with. Although there are several ways to find this info, the most straightforward way is to use cmd line.
Enter the following command:
fsutil fsinfo ntfsinfo c:

 
 
This illustrates that the block size on the c: drive is currently set to 4K.
 
 
 
If you ever need to change the block size, the best way to do this is to open up Computer Management > Storage > Disk Management
Right click on the volume and choose Format
From the drop down list choose the block size you need
Tick the box for Quick Format and click OK
 
The disk should now be formatted with the block size that you require
 


Monday, 5 August 2013

Handy LDAP Queries - Active Directory and Quest Active Roles


                 Every now and again, you may need to use LDAP to query Active Directory or Quest in order to pull out some information. Below i've listed a couple of simple LDAP queries which can be used to source out various things:

all user accounts which currently have an Expired Password:
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(|(userAccountControl:1.2.840.113556.1.4.803:=8388608)(pwdLastSet<=130123548000000000))(!pwdLastSet=0))

all user accounts which have a password set to Never Expire:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

all user accounts which have not logged on for 60 days:
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(lastLogonTimestamp<=130149468000000000)(!lastLogonTimestamp=*)))

all user accounts which are enabled but locked out:
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(lockoutTime>=1))

all user accounts which are disabled:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

all user accounts which have a city set as London:
(l=London*)

all user accounts in which the last name starts with 'robot':
(sn=robot*)

          If you ever find yourself trying to convert an Active Directory Query into a LDAP Query, it's well worth opening the Active Directory Administrative Center. Here you can do a Global Search and choose all the categories/filters you're interested in and then, when you've got it working as you want it to, simply click on the 'Convert to LDAP' button and ADAC will convert your query into LDAP.

Tuesday, 30 July 2013

Fully Disable UAC in Windows 7 via Group Policy GPO


GPO can be a tricky beast. Even when you think you've disabled by moving the slider in the GUI down to zero, turns out it still runs. Although it's not best practice by any means, it is possible to totally disable UAC through the application of a Group Policy Preference to the Computer Configuration. It's worth noting that you best have a rock solid need to do this since fuilly disabling UAC can leave you much more open to malicious mischief.
 
>Open GPO
 
>Create a new GPO or Edit an exisiting one
 
>Drill down to
Computer Configuration > Preferences > Windows Settings > Registry
 
>RC on the Registry and choose New > Registry Item
 
>The New Registry Properties window will pop up

>Select the browse button next to the Key Path section (the small box with "...." in it)

>Drill down to the following locaiton:
HKLM\Software\Microsoft\Windows\Current Version\Policies\System
Select the EnableLUA key
Then set the Value Data to 0 (default setting is 1)
 
>OK the New Registry Properties dialogue box and then exit the Group Policy Editor
 
Your new/amended policy can then be linked to the OU containing the clients. If you only need to apply it to certain machines then you can add those machine names under the Security Filtering window by clicking on Add...

Monday, 29 July 2013

Windows Setup could not configure Windows on this computer’s hardware - Windows 7 Build Fail

When building a windows 7 machine you may encounter the following error message mid way through the execution of the Task Sequence:

"Windows Setup could not configure Windows on this computer’s hardware"

According to the good folk over at Microsoft, this error is a result of: "an issue with the Intel storage controller driver that's included in the released versions of Windows 7 and of Windows Server 2008 R2."

The most straight forward way to resolve this issue is to do the following:

A]
  • Change the BIOS hard disk drive setting to AHCI or IDE

If, for whatever reason, you are unable to change the BIOS setting, you can also download the actual driver for the hard disk and then incorporate it as part of the build process. The below steps were cribbed from the MS website:

B]
  • Go to another computer with an internet connection and click the following link to locate the driver for your hard disk drive (either 32-bit or 64-bit): http://www.intel.com/support/chipsets/imsm/sb/CS-031502.htm
  • Once downloaded, put the file onto a DVD or USB flash drive or an external hard drive that can be taken to the PC that you're installing Windows to.
  • Then start the installation of Windows 7 or Windows Server 2008 R2 and watch for the Load Driver option. You will see this option on the Where do you want to install Windows? screen in the lower right corner.
  • Connect the USB flash or external drive to the computerthat you're installing Windows or take the Windows DVD out of the drive and put the driver DVD into the drive. (You will put the Windows DVD back into that drive after the driver is loaded)
  • Click Load Driver, (clicking this option checks removable media for storage controller drivers)
  • Once the driver is loaded, continue with the Windows setup.

Tuesday, 23 July 2013

Cookies in Windows 7

In windows 7 Microsoft helpfully opted to stash cookies in a bit of an out-the-way location which can make hunting them all down rather tricky. The best places to look are as follows:

Quick Access
Type shell:cookies into start/search and hit Enter

File Path Approach
C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Cookies

You'll need to enable 'view hidden folders' in the Control Panel in order to access the AppData folder.

Friday, 19 July 2013

Bulk import Users into AD from csv file

If you ever need to import a number of users into Active Directory, often the quickest and easiest way to do this is by using a csv file. If you can compile all the user's information into a csv file then importing that info into Active Directory is fairly straightforward if you use a bit of Powershell. This is a pretty basic example but it can always be tweaked to include more elements.

Part1:
Create a basic csv file which contains the info you need. In this example all we know about the users is their first and last name and what we want to set their password to. Thus our csv file looks like this:

name,firstname,Password
user1,robot,Passw0rd
user2,robot,Passw0rd
user3,robot,Passw0rd
user4,robot,Passw0rd
user5,robot,Passw0rd
user6,robot,Passw0rd
user7,robot,Passw0rd
user8,robot,Passw0rd
user9,robot,Passw0rd
user10,robot,Passw0rd

Be sure to save it as csv file and call it something simple, such as newusers.csv. Save it somewhere that is easy to access (C:\temp for example)

Part 2:
open notepad and paste the below info in.

Import-Module ActiveDirectory
$Users = Import-Csv -Delimiter "," -Path ".\newusers.csv"
foreach ($User in $Users)
{
$OU = "OU=RobotWorkers,OU=All Users,DC=rob,DC=local"
$Description = "Standard Robot User Account"
$Office = "Robotopolis City"
$Password = $User.password
$Detailedname = $User.name + "," + $User.firstname
$UserFirstname = $User.Firstname
$FirstLetterFirstname = $UserFirstname.substring(0,1)
$SAM = $FirstLetterFirstname + $User.name

New-ADUser -Name $Detailedname -SamAccountName $SAM -UserPrincipalName $SAM -DisplayName $Detailedname -Office $Office -Description $Description -GivenName $user.firstname -Surname $user.name -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -Enabled $true -Path $OU
}

You need to check three things before you save the file,
1:that the delimiter is correct (open the csv file in notepad, are the words separated by commas?)
2:that the name of the .csv file is correct
3:that the OU it will create the user accounts in is correct

Once you've confirmed all of the above, click save. In the Save window navigate to the same folder as you saved the newusers.csv file (in this example that would be c:\temp), change the file type to All Files and call it something simple like newusersscript.ps1. Be sure to give it a PS1 extension!

Then open up Powershell, navgiate to the folder containing the files,

[PS] C:\users\adminbot> cd c:\temp <hit return>

Next you need to execute the script file but make sure to prefix it with .\

[PS] c:\temp> .\newusersscript.ps1 <hit return>

The powershell script should then run and populate AD with the new user accounts. With a bit of luck some new accounts will pop up in AD:




Monday, 15 July 2013

Change how long reports are kept for in NetBackup

Issue:
In Net Backup you need to change the retention period for reports in Net Backup. By default the logs are kept for 28 days but you can increase the based on your requirement.

Resolution:
GUI--> Host properties---> Master server ---> clean up
 
From the clean up dialogue box you can choose how long you want the retention period to be for the reports in Net Backup

Obviously it is worth noting that the longer you keep logs for the more potential there is for performance to be impacted. There is always the option of doing one of the following in the event that you find performance to be unacceptably slow:

1) archive the logs from master and restore and generate reports when ever required.

2) use a reporting tool

Friday, 5 July 2013

Remote Connection/Ping to Hyper-V Machines Keeps Dropping Out

Problem: a new virtual machine had been created in our virtual environment. After a day or so it suddenly stops accepting RDP connections. It cannot be pinged and the only way to log on is to log on as Local Admin via the Virtual Machine Manager console. To all intensive purposes it appears to be off the network. At the same time a much older VM also started experiencing the same issue.

Temporary Solution: Rebooting the machine apparently fixes\resolves the issue....for a while

Permanent Solution: Check the ip address/MAC address for conflicts with other VM machines. If there is a conflict in one of these areas, rebooting will work for a bit but as soon as the network detects that there is a conflict between two ip addresses or MAC address it will take down one of the machines.

After further investigation it turned out that both machines were built from the same template which in spite of having been set to Dynamically generate a MAC address had resulted in two machines getting the exact same MAC address. A small gotcha but one which can be a bit of a pain to troubleshoot.

Wednesday, 3 July 2013

Quick ways to Clear Up Space on Desktops/Servers

Running out of space is a fairly common problem, especially if the machine in question is running space intensive applications like Net Backup or SQL. If you ever need a quick way of freeing up some space, it's worth giving these a shot:

Delete Old MS Patch Ghost Files
Enable View Hidden Folders in Folder Options in Control Panel
Go to c:\windows
If you see a large number of ghost folders with names like $NTUninstallKB32451345$ then you can delete these folder to free up some space

Clear Down the Event Logs
Events Logs can fill up pretty quick since they're being written to almost non-stop. Each log can take up a couple of hundred MBs if it starts getting full so regularly clearing them down can help save space.
To clear down a log simply right click on it and select Clear Log...
You should be met with a message suggesting you save the log somewhere before clearing it out. This can be useful if you think you'll ever need to refer back to it in the future
Move the Page File
This is the area of space the machine will use if the RAM is full. If you need to free up some space on your C: drive moving it to another drive (if there's one avaiable) or simply setting it to "No Paging File" (though this can be risky). You can find the Page File info at the following locaiton:

My Computer à RC à Properties Ã  Advanced à Performance à Advanced à Virtual Memory:Change
 
Other Basic Things to Check
Empty Recycle Bin
Run a Disk Cleanup on the drive
Check the temp folder on C: drive
 
If none of this helps, it might be worth downloading a directory space analyist such as Treesize (http://www.jam-software.com/freeware/) which will trundle off and find out what files/folders are taking up what amount of space on the drive. 
 

 

Friday, 21 June 2013

Powershell Command to Extract ACL Information and Continue on Error

Sometimes it can be handy to have a drill down through a foldr structure and check who can access what. The following scripts will dig out the name of the owner and the type of Access available to them.

Powershell command to extract the Account Control List information from all the objects in a particular folder:

get-childitem "C:\robotfolders" | %{ get-acl $_.FullName }

Powershell command to extract the Account Control List information from all the objects in a particular folder and all the child items of that folder:

get-childitem "C:\robotfolders" -recurse | %{ get-acl $_.FullName }

Powershell command to extract the Account Control List information from all the objects in a particular folder and all the child items of that folder and then output the information into a CSV file:

get-childitem "C:\robotfolders" -recurse | %{ get-acl $_.FullName }| export-csv "C:\acl_p.csv"

Thursday, 20 June 2013

Powershell Script to Ping Machines or Servers and Email Out the Results

If you need to run a script to determine whether a particular server or set of servers are awake and repsonding to pings, then email out the results you can create a powershell script using the following code:

####Define the servers that need pinging####

$ServerName = "MS-Robot1","MS-Robot2","MS-DC2"

####Start the Script####

$body = @()
$body += "Attention Robots, best check these servers be running!"
$body += "................................................................................................"
$body +=  foreach ($Server in $ServerName) {
                    if (test-Connection -ComputerName $Server -Count 2 -Quiet ) { 
                        $body += write-output "$Server is alive and responding to ping `n" 

                            } else { $body += Write-output "$Server unresponsive and not responding to ping `n" 

                            }    
        
}


$body = $body | out-string

$email = @{
 From = "
systems@robot.com
"
 To =
helpdesk@robot.com
 Subject = "Robot Server Status - Morning Check"
 SMTPServer = "exchangehubexample.robot.com"
 Body = $body
 }

send-mailmessage @email



Assuming all is well, the good folks who monitor the helpdesk inbox should recieve an email which looks like this:


Attention Robots, best check these servers be running!
................................................................................................

na-robot1 is alive and responding to ping

na-robot2 is alive and responding to ping

ms-dc2 is alive and responding to ping

 

Wednesday, 19 June 2013

Remote Desktop Users cannot Connect to Machines even though they are in the Remote Desktop Users Group

If you've added a user/group into the remote desktop user group on a particular machine you may find that the user/group is still unable to log into it through RDP - they'll get an error message along the lines of "Access Denied. To log on to this remote computer, you must be granted the Allow log on through Terminal Services Right....". The fix for this can be applied in two ways:

On a specific machine/server
 
Log on to the machine/server using an account which has admin right
¬ Start , Run , type secpol.msc
¬ In the left side pane of the mmc, navigate to Security Settings>Local Policies>User Rights Assignment
¬ In the right side pane double-click on Allow log on through Remote Desktop Services
¬ Click on add users or groups
¬ Enter Remote Desktop Users
¬ Finally, click OK to save

Now any user who is a member of the Remote Desktop Users group will be able to successfully remote into the server/machine
 
 
On a number of machines via Group Policy
 
 
The above mentioned setting is one which can also be applied through Group Policy if there are multiple machines/servers you wish to allow certain users/security groups to RDP into. The setting which needs to be changed in the group policy is found here:
 
Computer Configuration>Policies>Windows Settings>Local Policies>User Rights Assignment>Allow Log on through Terminal Services
 
Double click on the Allow Log on through Terminal Services policy and then user the "Add User or Group..." button to add the Remote Desktop User group into the policy. Click Apply and then OK to save your settings.
 
Now any user/security group that is a member of the Remote Desktop Users group will be able to successfully remote into any of the servers/machines the group policy applies to

Allow a User/Security Group to access a Machine via Remote Desktop (RDP)

This is a pretty standard request but it can be useful to remember that there are two simple ways of doing this in the GPMC:

via Group Policies

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services

Double click on "Allow log on through Remote Desktop Services" and the utilise the Add User or Group... option.

 
via Group Preferences
 

Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
> Within this setting, right-click in the empty white area on the right and select "All Tasks" > "Add".
> Select Update from the "Action:" drop-down menu
> Select Remote Desktop Users (built-in) from the "Group name:" drop down list
> Under the Members select the "Add..." button.
> Add the user/security group to the Name field and select "Add to this group" from the "Action:" field


Both of these approaches should then add user/security group to the Remote Desktop Users group for any computer you apply the policy to. As a sidenote, there is also a third way of achieving this goal (detailed below) but it's preferable to try the above two first since this way can only be used with Groups and Built-in Security Principles.
 
via Restircted Groups

Navigate to: Computer Configuration > Windows Settings > Security Settings > Restricted Groups.

Right click in the white space, then choose add group, then click browse to find the security group, click ok, click add under This group is a member of... ,type in Remote Desktop Users, once this has been added click OK

Tuesday, 18 June 2013

Prevent a Group Policy from Applying to a Specific Group/User

In order to prevent a particular group policy from applying to a given user or security group, you'll need to make use of "Security Filtering" for the Group Policy.
  • In this case, a deny filter is needed.
  • Open up Group Policy Management Console
  • Drill down to where the Group Policy and highlight it
  • Switch to the Delegation tab of the GPO in the details window on the right hand side
  • Click on the Advanced button
  • Add the user account or security group you wish to be excluded from having the policy applied and, in the Permissions area, choose "Deny" for the permission "Apply Group Policy"
  • This user/group will now be excluded from this group policy

As a sidenote, if you want this change to take instant effect, you will need to either reboot the user's machine or open up the command prompt and enter "GPUpdate /Force" (without the quotation marks). Otherwise you will need to wait for the group policy to update of it's own valition which usually takes around 15 mins.

Thursday, 13 June 2013

Tips for Navigating Round Powershell

When using Powershell there are a few keys which can be used to help navigate around inside the powershell window. This is pretty basic stuff but can save a few uneccessary key presses on the keyboard.

  • Page Up – Skips to the first command stored in the history buffer.

  • Page Down – Skips to the last command stored in the history buffer.

  • Up Arrow – moves back one command in the history buffer.

  • Down Arrow – moves forward one command in the history buffer.

  • Home – Jumps to the beginning of the command line.

  • End – Jumps to the end of the command line.

  • Ctrl+LeftArrow – goes to the left, one word at a time.

  • Ctrl+RightArrow – goes to the right, one word at a time.

  • Tab – AutoCompletes input  (in the console type get-s and press tab, press tab again etc…).

  • F7 – Shows history buffer, i.e. the list of the commands you have entered in that session (use the up and down arrow keys to navigate the buffer).
  • Friday, 7 June 2013

    Powershell Command: Find the Password Expiration Date for a User and Email the results

    Requirement:

    Find out when specific user's passwords are expiring and then email the details out to a mailbox/user.

    Solution: 

    First: download the Quest ActiveRoles Managemnet Snap in and install it on whichever machine you're using for the job (http://www.quest.com/powershell/activeroles-server.aspx)

    Second: create a powershell script to poll Active Directory to find out when the specified user's passwords expire and then email the results to the specificed email addresses. This powershell script is shown below:


    #Region Requires QAD cmdlets

    if ((Get-PSSnapin "Quest.ActiveRoles.ADManagement" -ErrorAction SilentlyContinue) -eq $null)
    {
    Add-PSSnapin "Quest.ActiveRoles.ADManagement"
    }

    #EndRegion

    $body = @()

     $body += Get-QADUser "Adverb, Jon" |select Name,PasswordExpires
     $body += Get-QADUser "Beast, James" |select Name,PasswordExpires
     $body += Get-QADUser "Creeper, Rachel" |select Name,PasswordExpires
     $body += Get-QADUser "Death, Alan" |select Name,PasswordExpires
     $body += Get-QADUser "Danger, Steve" |select Name,PasswordExpires

    $body = $body | out-string

     $email = @{
     From = "big.robot@robot.com"
     To = "fat.robot@robot.com"
     CC = "bad.robot@robot.com"
     Subject = "Password Expiration Dates of Problem Robots"
     SMTPServer = "rb-exchhub.robot.loca"
     Body = $body
     }

    send-mailmessage @email



    How does it work?
     
    This script has three key parts. The first part loads the Quest ActiveRoles Snap In into power shell:


    #Region Requires QAD cmdlets
    if ((Get-PSSnapin "Quest.ActiveRoles.ADManagement" -ErrorAction SilentlyContinue) -eq $null)
    {
    Add-PSSnapin "Quest.ActiveRoles.ADManagement"
    }
    #EndRegion 
    The second part polls Active Directory to find out when the specified User's accounts expire:

     Get-QADUser "Adverb, Jon" |select Name,PasswordExpires
     Get-QADUser "Beast, James" |select Name,PasswordExpires
     Get-QADUser "Creeper, Rachel" |select Name,PasswordExpires
     Get-QADUser "Death, Alan" |select Name,PasswordExpires
     Get-QADUser "Danger, Steve" |select Name,PasswordExpires

    The third part involves creating the email and mailing it out:

    $body = @()

    $body +=
    $body +=
    $body +=
    $body +=
    $body +=

    $body = $body | out-string

    $email = @{
    From = "big.robot@robot.com"
    To = "fat.robot@robot.com"
    CC = "bad.robot@robot.com"
    Subject = "Password Expiration Dates of Problem Robots"
    SMTPServer = "rb-exchhub.robot.loca"
    Body = $body
    }

     

    Wednesday, 5 June 2013

    Why is the machine waking up?

    Use the command line to find what causes the PC to wake up

     
    Sometimes a machine will apparently decide to wake up for no reason, other than the fact it's had enough of being in sleep mode. Although not a big problem, this can be frustrating for users. The first port of call when looking into a wake up issue is to crack open the cmd line. Using elevated privilidges, open up the cmd prompt and enter:

    powercfg –lastwake
    This will return a result which will show which device, if any, was responsible for causing the last wake up.

    If you need to view the list of those devices capable of waking up a machine, enter the following:

    powercfg -devicequery wake_armed
    This will return a list of all those devices which currently have the power to wake up your machine.

    The powercfg line can be useful for troubleshooting other power related issues:

    powercfg /list
    This will show all the power policies which are currently being applied to your machine.

    For a complete list of commands which can be used see the MS list here - http://technet.microsoft.com/en-us/library/hh824902.aspx
     

    Prevent a particular device from waking your PC

    There are two easy ways to do this, either via the command line or through Device Manager.
     
    CMD Line
     
    powercfg /devicedisabledwake "Microsoft USB IntelliMouse Optical"This will prevent the device in quotation marks from waking up the machine.
     
    Device Manager
     
    
    Assuming it's not one of the peripheral devices which is somehow waking it up from sleep/power off mode, then the most likely suspect will be the Network card.
    1. Open Device Manager. A quick way to do this is to type “device” (without quotes) in the Start menu search bar and then click on “Device Manager”
    2. Expand the "Mice and other Pointing Devices" list
    3. Right-click the Microsoft USB InelliMouse optical and choose “Properties”.
    4. In the dialog that opens, click the tab “Power Management”
    5. Remove the tick next to “Allow this device to wake the computer”
    6. Click “OK” and exit Device Manager

     

    Wednesday, 29 May 2013

    Task Sequence Fail on Computer Rebuild

    The following instructions can be used when you are trying, and failing, to rebuild a machine by booting it from a cd/usb stick and then pushing a Task Sequence down from SCCM. In this case the machine is refusing to acknowledge the existence of said Task Sequence.

    Although this very rarely solves any major issues you may be having, it can be worth a shot once you've exhausted all the usual routes.

    If the machine is refusing to find the Task Sequence on the network and kicking back a Task Sequence Not Found/Located message, there's an outside chance it could be because some remnant of the old system is screwing things up. As such we need to wipe the hard drive of the machine.

    At the point where the failure message pops up, do the following:
     
    Press F8

    Type Diskpart at the dos prompt 

    Then type Select Disk 0

    Then type Clean

    Then type Exit
     
    Once this is done you can restart. Congratulations, you now stand a slightly improved chance of the machine picking up the Task Sequence from SCCM.

    Tuesday, 28 May 2013

    Batch File to Reboot Multiple Computers

    Part 1 - the command line:


    This is a pretty simple but can be quite handy. This is the basic command line:

    shutdown -r -m \\Computer_Name -t 30 -c "This computer is shutting down in 30 seconds. Best log off now"

    The above command, if entered into the cmd line utility, will:
    shutdown (shutdown),
    then restart (-r),
    a specific machine (-m \\ComputerName), 
    with a 30 second delay after the command is sent before shutdown command is initialised (-t 30),
    And it will also display a comment to whoever happens to be logged on (-c "I am now sentient and have decided to switch myself off in 30 seconds"). 


     
    Part 2 - creating the batch file:

    Open notepad and then paste the above command line in as many times as needed, tweaking the computer name each time

    shutdown -r -m \\ComputerNameA -t 30 -c "This computer is shutting down in 30 seconds. Best log off now"
    shutdown -r -m \\ComputerNameB -t 30 -c "This computer is shutting down in 30 seconds. Best log off now"
    shutdown -r -m \\ComputerNameC -t 30 -c "This computer is shutting down in 30 seconds. Best log off now"
    shutdown -r -m \\ComputerNameD -t 30 -c "This computer is shutting down in 30 seconds. Best log off now"

    Then if you Save As..., change the File Type to All Files and name it something useful like Multiple-reboot.bat, you'll have a shiny new batch file which can be run whenever you need or included as part of a scheduled task.

    Monday, 27 May 2013

    Cleaning Up Active Directory

    The following command line will trundle through Active Directory and pull out a list of any machine/computer accounts which have been inactive for more than 12 weeks:
     
    Dsquery computer “OU=Example Standard Computers,OU=Desktops,OU=All Workstations,DC=web,DC=local” –inactive 12

     If you want the command to then disable the accounts you can pipe the dsmod command onto the end of the line:
     


    Dsquery computer “OU=Example Standard Computers,OU=Desktops,OU=All Workstations,DC=web,DC=local” –inactive 12 | dsmod computer –disabled yes

     
    If you inadvertently disabled too many accounts or need to undo what you've done, you can run the above command but change the end from dsmod computer –disabled yes to dsmod computer –disabled no.

    Alternatively if you want the command to then delete the accounts you can change the end of the command to the following:

    Dsquery computer “OU=Example Standard Computers,OU=Desktops,OU=All Workstations,DC=web,DC=local” –inactive 12 | dsrm -c -noprompt

    NB: the Delete command should be used with caution. Since the last logon times (which inform the -inactive part of the query) are not replicated between Domain Controllers, it is always a good idea to first disable all the machine accounts, leave them for a few weeks and then delete them.

    You can paste any of these commands into notepad and save it as a batch file (add the suffix .bat onto the filename when you Save As...). The batch file can then be used as part of a Scheduled Task to automate the process and keep Active Directory tidy. You can also run these commands as Powershell commands.