Sometimes it can be handy to drill down through a folder structure and check who can access what. The following scripts will dig out the name of the owner and the type of access available to them.
Powershell command to extract the Access Control List (ACL) information from all the objects in a particular folder:
get-childitem "C:\robotfolders" | %{ get-acl $_.FullName }
Powershell command to extract the Access Control List information from all the objects in a particular folder and all the child items of that folder:
get-childitem "C:\robotfolders" -recurse | %{ get-acl $_.FullName }
Powershell command to extract the Access Control List information from all the objects in a particular folder and all the child items of that folder, and then output the information into a CSV file:
get-childitem "C:\robotfolders" -recurse | %{ get-acl $_.FullName }| export-csv "C:\acl_p.csv"
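As an added example (not part of the original post), the following expands each ACL into one row per access rule, so the CSV shows the owner, the identity, the rights and whether the rule is inherited, rather than the unexpanded Access collection that export-csv writes out. The folder path is the one used above; the output file name and the review filter at the end are assumptions.

```powershell
# Added example: one CSV row per access rule instead of one row per object.
$Root    = "C:\robotfolders"
$OutFile = "C:\acl_expanded.csv"   # assumed output path

Get-ChildItem -Path $Root -Recurse | ForEach-Object {
    $item = $_
    $acl  = Get-Acl -Path $item.FullName
    foreach ($rule in $acl.Access) {
        [PSCustomObject]@{
            Path      = $item.FullName
            Owner     = $acl.Owner
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights.ToString()
            Type      = $rule.AccessControlType          # Allow or Deny
            Inherited = $rule.IsInherited                # False = set explicitly on this object
            AppliesTo = "$($rule.InheritanceFlags) / $($rule.PropagationFlags)"
        }
    }
} | Export-Csv -Path $OutFile -NoTypeInformation

# Review: explicit (non-inherited) rules are the ones somebody set by hand, and broad
# FullControl grants to Everyone or BUILTIN\Users are the usual thing to question.
Import-Csv $OutFile |
    Where-Object {
        $_.Inherited -eq 'False' -or
        ($_.Rights -match 'FullControl' -and $_.Identity -match 'Everyone|BUILTIN\\Users')
    } |
    Format-Table Path, Identity, Rights, Type, Inherited -AutoSize
```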
Friday, 21 June 2013
Thursday, 20 June 2013
Powershell Script to Ping Machines or Servers and Email Out the Results
If you need to run a script to determine whether a particular server or set of servers is awake and responding to pings, and then email out the results, you can create a powershell script using the following code:
####Define the servers that need pinging####
$ServerName = "MS-Robot1","MS-Robot2","MS-DC2"
####Start the Script####
$body = @()
$body += "Attention Robots, best check these servers be running!"
$body += "................................................................................................"
# Ping each server twice; -Quiet makes Test-Connection return $true/$false instead of reply objects
foreach ($Server in $ServerName) {
    if (Test-Connection -ComputerName $Server -Count 2 -Quiet) {
        $body += "$Server is alive and responding to ping `n"
    } else {
        $body += "$Server unresponsive and not responding to ping `n"
    }
}
$body = $body | Out-String
# Splat the email parameters into Send-MailMessage
$email = @{
    From       = "systems@robot.com"
    To         = "helpdesk@robot.com"
    Subject    = "Robot Server Status - Morning Check"
    SMTPServer = "exchangehubexample.robot.com"
    Body       = $body
}
Send-MailMessage @email
Assuming all is well, the good folks who monitor the helpdesk inbox should receive an email which looks like this:
Attention Robots, best check these servers be running!
................................................................................................
na-robot1 is alive and responding to ping
na-robot2 is alive and responding to ping
ms-dc2 is alive and responding to ping
Wednesday, 19 June 2013
Remote Desktop Users cannot Connect to Machines even though they are in the Remote Desktop Users Group
If you've added a user/group into the remote desktop user group on a particular machine you may find that the user/group is still unable to log into it through RDP - they'll get an error message along the lines of "Access Denied. To log on to this remote computer, you must be granted the Allow log on through Terminal Services Right....". The fix for this can be applied in two ways:
On a specific machine/server
Log on to the machine/server using an account which has admin rights, then:
- Start, Run, type secpol.msc.
- In the left-hand pane of the MMC, navigate to Security Settings > Local Policies > User Rights Assignment
- In the right-hand pane double-click on Allow log on through Remote Desktop Services
- Click on Add User or Group
- Enter Remote Desktop Users
- Finally, click OK to save
Now any user who is a member of the Remote Desktop Users group will be able to successfully remote into the server/machine
On a number of machines via Group Policy
The above mentioned setting is one which can also be applied through Group Policy if there are multiple machines/servers you wish to allow certain users/security groups to RDP into. The setting which needs to be changed in the group policy is found here:
Computer Configuration>Policies>Windows Settings>Local Policies>User Rights Assignment>Allow Log on through Terminal Services
Double click on the Allow Log on through Terminal Services policy and then use the "Add User or Group..." button to add the Remote Desktop Users group into the policy. Click Apply and then OK to save your settings.
Now any user/security group that is a member of the Remote Desktop Users group will be able to successfully remote into any of the servers/machines the group policy applies to
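As an added check (not part of the original post), this script confirms on a machine whether the "Allow log on through Remote Desktop Services" right (internally SeRemoteInteractiveLogonRight) actually includes the Remote Desktop Users group, which is the cause of the Access Denied error above, and lists who is in that group. It assumes an elevated prompt and a temporary export file path of its own choosing.

```powershell
# Added example: verify the user right and group membership behind the "Access Denied" RDP error.
# Run from an elevated PowerShell prompt on the machine in question.
$inf = Join-Path $env:TEMP "secpol-export.inf"   # assumed temp file
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The export lists each right as:  SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
$line = Select-String -Path $inf -Pattern '^SeRemoteInteractiveLogonRight' | Select-Object -First 1
if (-not $line) {
    "SeRemoteInteractiveLogonRight is not set by local policy on this machine."
} else {
    $sids = ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    # Translate SIDs to names where possible; entries that are already names fall through unchanged
    $names = foreach ($sid in $sids) {
        try { (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }
    }
    "Granted 'Allow log on through Remote Desktop Services': " + ($names -join ', ')
    # S-1-5-32-555 is the well-known SID of BUILTIN\Remote Desktop Users
    if ($sids -contains 'S-1-5-32-555') {
        "Remote Desktop Users holds the right, so group members should be able to RDP in."
    } else {
        "Remote Desktop Users is MISSING the right - this matches the Access Denied symptom; apply the fix above."
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Who is actually in the group on this machine (works on every Windows version)
net localgroup "Remote Desktop Users"
```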
Allow a User/Security Group to access a Machine via Remote Desktop (RDP)
This is a pretty standard request but it can be useful to remember that there are two simple ways of doing this in the GPMC:
via Group Policies
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services
Double click on "Allow log on through Remote Desktop Services" and then utilise the Add User or Group... option.
via Group Preferences
Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
> Within this setting, right-click in the empty white area on the right and select "All Tasks" > "Add".
> Select Update from the "Action:" drop-down menu
> Select Remote Desktop Users (built-in) from the "Group name:" drop down list
> Under the Members select the "Add..." button.
> Add the user/security group to the Name field and select "Add to this group" from the "Action:" field
Both of these approaches should then add the user/security group to the Remote Desktop Users group for any computer you apply the policy to. As a side note, there is also a third way of achieving this goal (detailed below), but it's preferable to try the above two first since this way can only be used with groups and built-in security principals.
via Restricted Groups
Navigate to: Computer Configuration > Windows Settings > Security Settings > Restricted Groups.
Right click in the white space, then choose Add Group, then click Browse to find the security group and click OK. Click Add under "This group is a member of...", type in Remote Desktop Users and, once this has been added, click OK.
Tuesday, 18 June 2013
Prevent a Group Policy from Applying to a Specific Group/User
In order to prevent a particular group policy from applying to a given user or security group, you'll need to make use of "Security Filtering" for the Group Policy.
- In this case, a deny filter is needed.
- Open up Group Policy Management Console
- Drill down to where the Group Policy is and highlight it
- Switch to the Delegation tab of the GPO in the details window on the right hand side
- Click on the Advanced button
- Add the user account or security group you wish to be excluded from having the policy applied and, in the Permissions area, choose "Deny" for the permission "Apply Group Policy"
- This user/group will now be excluded from this group policy
As a side note, if you want this change to take instant effect, you will need to either reboot the user's machine or open up the command prompt and enter "GPUpdate /Force" (without the quotation marks). Otherwise you will need to wait for the group policy to update of its own volition, which usually takes around 15 mins.
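As an added check (not part of the original post), this lists the security filtering on a GPO from PowerShell with the GroupPolicy module (part of RSAT), so you can confirm the Deny on Apply Group Policy landed on the right account, and then confirms from the client side. The GPO name is a placeholder. Note that Set-GPPermission only writes Allow entries, so the Deny itself is still set through the GPMC as described above.

```powershell
# Added example: confirm the deny filter and its effect. GPO name is a placeholder.
Import-Module GroupPolicy
$gpoName = "Robot Desktop Lockdown"   # placeholder - use your GPO's display name

# Every trustee on the GPO; rows with Permission = GpoApply and Denied = True are the ones
# excluded by the filter, which is exactly what the steps above create.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission, Denied |
    Sort-Object Denied -Descending |
    Format-Table -AutoSize

# Then, on the affected machine as the affected user, force a refresh and check that the GPO
# now appears under "filtered out" (reason: Access Denied (Security Filtering)):
gpupdate /force
gpresult /r /scope user
```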
Thursday, 13 June 2013
Tips for Navigating Round Powershell
When using Powershell there are a few keys which can be used to help navigate around inside the powershell window. This is pretty basic stuff but can save a few unnecessary key presses on the keyboard.
Page Up – Skips to the first command stored in the history buffer.
Page Down – Skips to the last command stored in the history buffer.
Up Arrow – moves back one command in the history buffer.
Down Arrow – moves forward one command in the history buffer.
Home – Jumps to the beginning of the command line.
End – Jumps to the end of the command line.
Ctrl+LeftArrow – goes to the left, one word at a time.
Ctrl+RightArrow – goes to the right, one word at a time.
Tab – AutoCompletes input (in the console type get-s and press tab, press tab again etc…).
F7 – Shows history buffer, i.e. the list of the commands you have entered in that session (use the up and down arrow keys to navigate the buffer).
Friday, 7 June 2013
Powershell Command: Find the Password Expiration Date for a User and Email the results
Requirement:
Find out when specific user's passwords are expiring and then email the details out to a mailbox/user.
Solution:
First: download the Quest ActiveRoles Management snap-in and install it on whichever machine you're using for the job (http://www.quest.com/powershell/activeroles-server.aspx)
Second: create a powershell script to poll Active Directory to find out when the specified users' passwords expire and then email the results to the specified email addresses. This powershell script is shown below:
#Region Requires QAD cmdlets
# Load the Quest snap-in if it is not already loaded in this session
if ((Get-PSSnapin "Quest.ActiveRoles.ADManagement" -ErrorAction SilentlyContinue) -eq $null)
{
    Add-PSSnapin "Quest.ActiveRoles.ADManagement"
}
#EndRegion
# Collect the name and password expiry date of each user
$body = @()
$body += Get-QADUser "Adverb, Jon" | select Name,PasswordExpires
$body += Get-QADUser "Beast, James" | select Name,PasswordExpires
$body += Get-QADUser "Creeper, Rachel" | select Name,PasswordExpires
$body += Get-QADUser "Death, Alan" | select Name,PasswordExpires
$body += Get-QADUser "Danger, Steve" | select Name,PasswordExpires
$body = $body | out-string
# Build the email and send it
$email = @{
From = "big.robot@robot.com"
To = "fat.robot@robot.com"
CC = "bad.robot@robot.com"
Subject = "Password Expiration Dates of Problem Robots"
SMTPServer = "rb-exchhub.robot.loca"
Body = $body
}
send-mailmessage @email
How does it work?
The first part checks whether the Quest ActiveRoles snap-in is loaded in the session and adds it if it is not:
#Region Requires QAD cmdlets
if ((Get-PSSnapin "Quest.ActiveRoles.ADManagement" -ErrorAction SilentlyContinue) -eq $null)
{
Add-PSSnapin "Quest.ActiveRoles.ADManagement"
}
#EndRegion
The second part polls Active Directory to find out when the specified users' passwords expire:
Get-QADUser "Adverb, Jon" |select Name,PasswordExpires
Get-QADUser "Beast, James" |select Name,PasswordExpires
Get-QADUser "Creeper, Rachel" |select Name,PasswordExpires
Get-QADUser "Death, Alan" |select Name,PasswordExpires
Get-QADUser "Danger, Steve" |select Name,PasswordExpires
The third part involves creating the email and mailing it out:
$body = $body | out-string
$email = @{
From = "big.robot@robot.com"
To = "fat.robot@robot.com"
CC = "bad.robot@robot.com"
Subject = "Password Expiration Dates of Problem Robots"
SMTPServer = "rb-exchhub.robot.loca"
Body = $body
}
send-mailmessage @email
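As an added example (not part of the original post), here is the same report built with the ActiveDirectory module that ships with RSAT instead of the Quest snap-in, which is no longer distributed. It reads msDS-UserPasswordExpiryTimeComputed, which the domain controller calculates from the password policy actually in effect for each account; the user names and mail settings are the post's own placeholders, and the "not found" and "never" handling is added.

```powershell
# Added example: password expiry report without the Quest snap-in.
Import-Module ActiveDirectory

$users = "Adverb, Jon", "Beast, James", "Creeper, Rachel", "Death, Alan", "Danger, Steve"

$report = foreach ($name in $users) {
    $u = Get-ADUser -Filter "Name -eq '$name'" -Properties msDS-UserPasswordExpiryTimeComputed, PasswordNeverExpires
    if (-not $u) {
        [PSCustomObject]@{ Name = $name; PasswordExpires = "not found" }
        continue
    }
    # FILETIME value; 0 or Int64.MaxValue means the password does not expire
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($u.PasswordNeverExpires -or $raw -eq 0 -or $raw -eq [long]::MaxValue) {
        "never"
    } else {
        [DateTime]::FromFileTime($raw)
    }
    [PSCustomObject]@{ Name = $u.Name; PasswordExpires = $expires }
}

$body = $report | Out-String
$email = @{
    From       = "big.robot@robot.com"
    To         = "fat.robot@robot.com"
    CC         = "bad.robot@robot.com"
    Subject    = "Password Expiration Dates of Problem Robots"
    SMTPServer = "rb-exchhub.robot.loca"
    Body       = $body
}
Send-MailMessage @email
```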
Wednesday, 5 June 2013
Why is the machine waking up?
Use the command line to find what causes the PC to wake up
powercfg -lastwake
This will return a result which will show which device, if any, was responsible for causing the last wake up.
If you need to view the list of those devices capable of waking up a machine, enter the following:
powercfg -devicequery wake_armed
This will return a list of all those devices which currently have the power to wake up your machine.
The powercfg line can be useful for troubleshooting other power related issues:
powercfg /list
This will show all the power policies which are currently being applied to your machine.
For a complete list of commands which can be used see the MS list here - http://technet.microsoft.com/en-us/library/hh824902.aspx
Prevent a particular device from waking your PC
There are two easy ways to do this, either via the command line or through Device Manager.
CMD Line
powercfg /devicedisabledwake "Microsoft USB IntelliMouse Optical"
This will prevent the device in quotation marks from waking up the machine.
Device Manager
Assuming it's not one of the peripheral devices which is somehow waking it up from sleep/power off mode, then the most likely suspect will be the network card.
- Open Device Manager. A quick way to do this is to type “device” (without quotes) in the Start menu search bar and then click on “Device Manager”
- Expand the "Mice and other Pointing Devices" list
- Right-click the Microsoft USB IntelliMouse Optical and choose “Properties”.
- In the dialog that opens, click the tab “Power Management”
- Remove the tick next to “Allow this device to wake the computer”
- Click “OK” and exit Device Manager