Set-GPPermission correctly in a script - powershell

I started to write a script for my domain but not sure how to finish it.
I got a GPO to turn off Windows firewall without an option to turn it on for endpoint computers in the domain.
I want the new computers to be added to this GPO with the permission "deny all". I'm just not sure how to finish it; this is what I've got so far:
$Limit=(Get-Date).AddDays(-7)
$NewPC=Get-ADComputer -Filter {whenCreated -gt $limit} -Properties whenCreated
$NewPC | ForEach-Object Set-GPPermission -Name <GPO_Name> -TargetType Group -PermissionLevel PermissionLevel
The first two lines just get the list of computers, which is working well, but I'm having some kind of trouble with the last line: actually getting the computers into the GPO and setting the permissions right. I tried a few methods but can't get it to work. What am I doing wrong here?

After several tries, I managed to figure out a solution to make it work. Just keep in mind that in my environment the PCs are redirected from the Computers container to a different OU, and the principal name is no longer in use, so I used the name only.
# $_ is the current computer object; -TargetName takes one account name, so pass $_.Name rather than the whole $NewPC array
$NewPC | ForEach-Object { Set-GPPermission -Name <GPO> -TargetType Computer -TargetName $_.Name -PermissionLevel GpoApply }
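The procedure above as a complete script, added here as an example and not part of the original post. It assumes the ActiveDirectory and GroupPolicy modules are installed and uses a placeholder GPO name; Set-GPPermission's -PermissionLevel accepts None, GpoRead, GpoApply, GpoEdit and GpoEditDeleteModifySecurity, and GpoApply is what lets the policy apply to a computer. The run is a dry run until $DryRun is set to $false, and the result is read back with Get-GPPermission.

```powershell
# Added example (not from the original post): apply a GPO to computer accounts
# created in the last 7 days, then verify the resulting GPO permissions.
# Assumes the ActiveDirectory and GroupPolicy modules; the GPO name is a placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName = 'Firewall-Off'           # placeholder GPO name
$DryRun  = $true                    # set to $false to actually change the GPO ACL
$Limit   = (Get-Date).AddDays(-7)

# Computer objects created in the last week
$NewPC = Get-ADComputer -Filter { whenCreated -gt $Limit } -Properties whenCreated

foreach ($pc in $NewPC) {
    # -TargetName takes a single account name, so use the current object's Name.
    # -Replace overwrites any existing entry for that computer instead of merging.
    Set-GPPermission -Name $GpoName -TargetType Computer -TargetName $pc.Name `
        -PermissionLevel GpoApply -Replace -WhatIf:$DryRun
}

if (-not $DryRun) {
    # Read back what the GPO's security filtering now says for each new computer
    foreach ($pc in $NewPC) {
        Get-GPPermission -Name $GpoName -TargetType Computer -TargetName $pc.Name |
            Select-Object @{ N = 'Computer'; E = { $pc.Name } }, Permission
    }
}
```

Get-GPPermission throws if the trustee has no entry yet, which is why the verification only runs after a real (non dry-run) pass.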

PowerShell script to compile a csv file of all machines and last logged on users

I am in the process of writing a PowerShell script that should check every machine on my domain and export the last logged on user to a csv file. I seem to be getting multiple errors and cannot figure out why.
Get-WinEvent : There are no more endpoints available from the endpoint mapper
Get-WinEvent : The RPC server is unavailable
So far I have written this:
$computers=get-adcomputer -filter {operatingsystem -like '*server*'}|select -exp Name
$data=ForEach($computer in $computers)
{
#Who-loggedinLast -computer $computer -maxresults 2
Get-WinEvent -Computer $computer -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1|
select @{N='User';E={$_.Properties[1].Value}}
}
$data |export-csv c:\path.csv -notype
First, I think that because you are running Get-WinEvent on each computer in $computers, perhaps the first computer it checks isn't online, hence it can't reach it and fails.
Second, as you were told in a comment, maybe the inbound RPC firewall rule is disabled.
I did a similar script not too long ago, but to check a specific user on all DC machines. There I did a check with Test-Connection first to see whether the machines are up, and then looped over each online machine. Maybe you can do something with that too.
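The answer's suggestion (reachability check first, then per-machine collection) as a worked example. This is added code, not the answer's own script; it assumes the ActiveDirectory module and an account allowed to read the Security log remotely, and records a status per machine instead of letting one RPC failure abort the run.

```powershell
# Added example (not the answer's own code): collect the last logon-related
# event per server, skipping hosts that do not respond and recording errors
# instead of stopping. Assumes the ActiveDirectory module; the output path is a placeholder.
Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter { operatingSystem -like '*server*' } |
    Select-Object -ExpandProperty Name

$data = foreach ($computer in $computers) {
    # Skip hosts that do not answer a ping. RPC/WinRM may still be blocked
    # even when ping works, so the try/catch below stays necessary.
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $computer; User = $null; Status = 'Offline' }
        continue
    }
    try {
        # 4672 = "special privileges assigned to new logon"; Properties[1] is
        # SubjectUserName. Note this often reflects SYSTEM or a service account,
        # so 4624 with an interactive logon type is a better "last user" signal.
        $ev = Get-WinEvent -ComputerName $computer `
                -FilterHashtable @{ LogName = 'Security'; Id = 4672 } `
                -MaxEvents 1 -ErrorAction Stop
        [pscustomobject]@{
            Computer = $computer
            User     = $ev.Properties[1].Value
            Status   = 'OK'
        }
    } catch {
        # Typical failures: RPC server unavailable, endpoint mapper, access denied
        [pscustomobject]@{ Computer = $computer; User = $null; Status = $_.Exception.Message }
    }
}

$data | Export-Csv -Path 'C:\reports\lastlogon.csv' -NoTypeInformation
```

Keeping the Status column in the CSV makes it obvious which rows are missing because a host was offline versus because event log access was refused, which is the distinction the two error messages in the question point at.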

Generate a list of App Pool Virtual Path authentication settings using PowerShell?

I have been looking at all the PowerShell commands like Select-WebConfiguration, Get-WmiObject, Get-IISAppPool to generate a list of the enabled App Pool authentication settings for all the app pools on my servers. We have like 10 servers and a dozen+ app pools on each and want to find a quick way to check settings. Checked a lot on the web and haven't been able to find a command to generate a nice neat listing.
If you want to get the IIS application pool identity then you could try the below command:
Import-Module WebAdministration;Get-ChildItem -Path IIS:\AppPools\ |
Select-Object name, @{e={$_.processModel.username};l="username"}, <# @{e={$_.processModel.password};l="password"}, #> @{e={$_.processModel.identityType};l="identityType"} |
format-table -AutoSize
I was able to piece this together below and it seemed to work. One last thing I am trying to figure out is how to use this same command to query remote servers.
Get-WebConfiguration system.webServer/security/authentication/* -Recurse | where {$_.enabled -eq $true} | Sort-Object location,itemxpath | Select location,itemxpath,enabled | format-table -AutoSize
I found out that to run this command on another machine you use the command enter-pssession and the server name. It does not provide any switches that allow you to run them on another server.
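Enter-PSSession is interactive; for a dozen servers the same query can be fanned out with Invoke-Command, which runs the script block remotely and tags each result with the server it came from. This is an added example, not the poster's code; it assumes WinRM is enabled on the IIS servers and the WebAdministration module is present there, and the server names and output path are placeholders.

```powershell
# Added example (not the poster's code): run the IIS authentication query on
# several servers over WinRM and collect one CSV. Server names are placeholders.
$servers = 'web01', 'web02'

$report = Invoke-Command -ComputerName $servers -ScriptBlock {
    Import-Module WebAdministration
    Get-WebConfiguration 'system.webServer/security/authentication/*' -Recurse |
        Where-Object { $_.enabled -eq $true } |
        Select-Object @{ N = 'Server'; E = { $env:COMPUTERNAME } },
                      location, ItemXPath, enabled
}

# Invoke-Command adds PSComputerName/RunspaceId; keep only the report columns
$report |
    Select-Object Server, location, ItemXPath, enabled |
    Sort-Object Server, location, ItemXPath |
    Export-Csv -Path 'C:\reports\iis-auth.csv' -NoTypeInformation

# Quick review: where is anonymous authentication enabled?
$report |
    Where-Object { $_.ItemXPath -like '*anonymousAuthentication*' } |
    Format-Table Server, location -AutoSize
```

Because the script block runs on the remote host, $env:COMPUTERNAME inside it is the remote server's name, which is what makes the combined CSV readable.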

Powershell filter computers with no LAPS password set

I have recently deployed LAPS (Local admin password service) on our domain, and would now like to create a script I can run to find machines that have not yet communicated with AD to install the group policy extension and update their local admin password.
I can see that if I run:
Get-AdComputer -Identity Computer_Name -Properties *
I am presented with a computer that has updated its password, and shows the two properties:
ms-Mcs-AdmPwd
ms-Mcs-AdmPwdExpirationTime
My PowerShell is not great, so I may have the syntax wrong, but when trying to run:
Get-AdComputer -Filter {ms-Mcs-AdmPwd -ne ''}
I get an error that says:
The search filter cannot be recognised
Can anyone advise how I can filter on these two properties? Do I have to pipe into a Where-Object or perhaps even use LDAP filters?
The most appropriate way to do this is with an LDAP filter rather than a PowerShell filter. LDAP filters can test for existence, rather than comparing to a value that could be there (even if it's only remotely possible).
To get a list of computers WITH a password:
Get-ADComputer -LDAPFilter "(ms-mcs-AdmPwd=*)"
And to find computers without one:
Get-ADComputer -LDAPFilter "(!(ms-mcs-AdmPwd=*))"
You can combine that with other parameters to Get-ADComputer if you want to search a specific OU etc.
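The LDAP existence filter from the answer, extended into a small LAPS health check that also flags computers whose stored password has passed its expiration time (the client-side extension stopped rotating it). This is added code, not the answer's own; it assumes the ActiveDirectory module, a placeholder OU, and that the running account has been granted read access to ms-Mcs-AdmPwd, since the attribute is confidential and the filter matches nothing for accounts that cannot read it. The password value itself is never retrieved, only its presence and expiration time.

```powershell
# Added example (not the answer's code): find computers with no LAPS password
# stored, and computers whose stored password is past its expiration time.
# Assumes the ActiveDirectory module; the OU and output paths are placeholders.
# Caveat: ms-Mcs-AdmPwd is a confidential attribute; if the running account
# cannot read it, (ms-Mcs-AdmPwd=*) matches nothing and every computer looks "missing".
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU

# Computers that have never stored a LAPS password (attribute absent)
$missing = Get-ADComputer -LDAPFilter '(!(ms-Mcs-AdmPwd=*))' -SearchBase $searchBase |
    Select-Object Name, DistinguishedName

# Computers that have a password but whose expiration time has already passed
$expired = Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwd=*)' -SearchBase $searchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime' |
    ForEach-Object {
        # The expiration attribute is a Windows FILETIME (Int64, 100ns ticks since 1601 UTC)
        $exp = [DateTime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime')
        [pscustomobject]@{ Name = $_.Name; ExpiresUtc = $exp }
    } |
    Where-Object { $_.ExpiresUtc -lt (Get-Date).ToUniversalTime() }

$missing | Export-Csv -Path 'C:\reports\laps-missing.csv' -NoTypeInformation
$expired | Export-Csv -Path 'C:\reports\laps-expired.csv' -NoTypeInformation
```

Running the check under an account with read rights to the attribute but no other privileges is enough; the two lists are what the question asked for (machines that have not yet checked in), plus the stale ones that would otherwise look healthy.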
Ok so I think my issue was to do with me looking for attributes that had not yet been set.
I suspect there may be an ever so slightly more elegant way to filter, but the below works just fine for me:
Get-ADComputer -Filter {ms-Mcs-AdmPwd -notlike "*"}
If I run the command
Get-ADComputer -Filter {ms-Mcs-AdmPwd -notlike '<not set>'}
on my 2016 DC I get a list with all the computers with a password set.

exporting Powershell Script to CSV

We are getting ready to merge our AD with another. We have about 300 computers that I'm trying to match up with who uses them so the accounts and home folders migrate correctly, and I'm trying to think of the most efficient way to get this information.
We have everyone in an inventory system (Filemaker) (and will be implementing SCCM once we migrate (thank god)) but we had a few errors when we did our first test batch. I'm looking for something I can push out through group policy (possibly?) that will give me the computer name, logged in account, and then email it to me.
So far this is what I have.
[System.Environment]::UserName
[System.Environment]::UserDomainName
[System.Environment]::MachineName
Out-File T:\TEST.txt
But the output is blank. Any idea what I'm doing wrong here? Also is there a way to have this run on multiple computers but write to the same file?
"$env:USERNAME,$env:USERDOMAIN,$env:COMPUTERNAME" | Out-File 'T:\test.txt'
will write the name and domain of the currently logged-in user as well as the hostname of the local computer to the file T:\test.txt.
Using a single file may cause conflicts due to concurrent write attempts, though. It's better to use one file per computer, like this:
"$env:USERDOMAIN\$env:USERNAME" | Out-File "T:\$env:COMPUTERNAME.txt"
Run it as a logon script (or from a logon script), e.g. like this:
powershell -ExecutionPolicy Bypass -File "\\%USERDNSDOMAIN%\netlogon\your.ps1"
# -NoTypeInformation belongs to Export-Csv, not Out-File; -ExpandProperty writes bare names, one per line, which Get-Content below expects
Get-ADComputer -Filter * | Select-Object -ExpandProperty Name | Out-File C:\outdir\machinelist.txt -Encoding UTF8
will get you all machine names, unless you have them already. Either way, use your list of machines in
$MachineList = Get-Content -Path c:\outdir\machinelist.txt;
foreach ($Machine in $MachineList){
($Machine + ": " + @(Get-WmiObject -ComputerName $Machine -Namespace root\cimv2 -Class Win32_ComputerSystem)[0].UserName) | Out-File "C:\outdir\result.txt" -Append
}
If you change the destination directory to somewhere that all computers have access to, it can run on multiple computers. It won't email it to you but you can just grab it.
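The collection loop from the answer above, reworked as an added example (not the answer's own code) that emits one object per machine, records unreachable hosts instead of dropping them, writes a proper CSV and mails it, which covers the emailing part of the question. It assumes the machine list file produced above, WinRM on the targets (Get-CimInstance uses WinRM by default; Get-WmiObject uses DCOM if only that is open), and placeholder mail addresses and SMTP server.

```powershell
# Added example (not the answer's code): map each computer to its console user,
# keep unreachable hosts in the output, export to CSV and email the file.
# Assumes WinRM access to the targets; mail settings are placeholders.
$MachineList = Get-Content -Path 'C:\outdir\machinelist.txt' |
    Where-Object { $_.Trim() -ne '' }

$results = foreach ($Machine in $MachineList) {
    try {
        # Win32_ComputerSystem.UserName is the interactively logged-on (console)
        # user, or $null when nobody is logged on at the console
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $Machine -ErrorAction Stop
        [pscustomobject]@{
            Computer = $Machine
            User     = $cs.UserName
            Status   = if ($cs.UserName) { 'LoggedOn' } else { 'NoConsoleUser' }
        }
    } catch {
        # Offline, firewalled, or access denied: keep the row so the gap is visible
        [pscustomobject]@{ Computer = $Machine; User = $null; Status = "Unreachable: $($_.Exception.Message)" }
    }
}

# One row per machine; Export-Csv quotes fields, so no hand-built "a: b" lines
$results | Export-Csv -Path 'C:\outdir\result.csv' -NoTypeInformation

# Mail the CSV to yourself (placeholder addresses and SMTP relay)
Send-MailMessage -From 'inventory@example.com' -To 'admin@example.com' `
    -Subject 'Computer to user mapping' -Body 'See attached CSV.' `
    -Attachments 'C:\outdir\result.csv' -SmtpServer 'smtp.example.com'
```

Running this once from an admin workstation avoids the concurrent-write problem of the per-client logon script approach entirely, since only one process writes the output file.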
You'll need to pipe those properties into the file, like:
[System.Environment]::UserName, [System.Environment]::UserDomainName, [System.Environment]::MachineName | Out-File T:\Test.txt

Active Directory referral chasing issue

Maybe someone who has more experience with Active Directory can help me.
I need to get info such as OS, name, FQDN from a computer in a different domain.
I will explain what I mean.
I have a root domain, example.com, with 2 subdomains: xxx.example.com and yyy.xxx.example.com.
Each domain contains 1 computer. Both of them are in one group, for example groupfoo; they are also in different OUs.
I can get info about the members of the group; I tried PowerShell and dsquery. Both of them return the right list of computers in the group. But I can get info only from the computer in the same domain where I run the PowerShell script and dsquery.
To be clear, I have one more computer that is not in groupfoo, and this computer is used for administering Active Directory.
As I understand it, in Active Directory we have a thing called "referral chasing".
I read a lot, and as far as I know PowerShell doesn't have an option such as "enable referral chasing". For dsquery I found the option -r for recursive requests.
What I have already tried:
PS> dsquery group -name groupfoo | dsget group -members
"CN=member01,OU=Domain Controllers,DC=xxx,DC=example,DC=com"
"CN=member02,OU=XXX,OU=Domain Controllers,DC=yyy,DC=xxx,DC=example,DC=com"
My computer is in DC=yyy,DC=xxx,DC=example,DC=com; I can get info from CN=member02,OU=XXX,OU=Domain Controllers,DC=yyy,DC=xxx,DC=example,DC=com:
PS > dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer)(sAMAccountName=member02$))" -attr sAMAccountName operatingSystem
sAMAccountName operatingSystem
member02$ Windows Server 2008 R2 Standard
Running the same command for member01 yielded no results:
PS > dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer)(sAMAccountName=member01$))" -attr sAMAccountName operatingSystem
PS >
I tried different variations of dsquery; I tried the -r key for recursive, but it doesn't work.
Maybe an important thing: in the settings of "DC=yyy,DC=xxx,DC=example,DC=com" I saw that "DC=xxx,DC=example,DC=com" is a trusted parent for "DC=yyy,DC=xxx,DC=example,DC=com". Maybe I can get info by doing the same from the parent domain?
I get the same with PowerShell Get-ADGroup, Get-ADMember etc. I tried using all the options, credentials, server etc.; it always returns info only from the one computer in the same domain as I am.
Try using a DirectorySearcher object:
# $computername is a placeholder for the account name you are looking for (a computer's sAMAccountName ends with '$')
$filter = "(&(objectCategory=Computer)(sAMAccountName=$computername))"
$properties = 'distinguishedName', 'sAMAccountName', ...
$search = New-Object DirectoryServices.DirectorySearcher
# A DirectoryEntry with no path binds to the default naming context of the current domain
$search.SearchRoot = New-Object DirectoryServices.DirectoryEntry
$search.Filter = $filter
$search.SearchScope = 'Subtree'
# Follow referrals returned by the DC instead of stopping at this domain's partition
$search.ReferralChasing = [DirectoryServices.ReferralChasingOption]::All
$properties | % { $search.PropertiesToLoad.Add($_) } | Out-Null
$search.FindAll()
I don't know if ActiveDirectory module cmdlets actually support referral chasing.
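The DirectorySearcher approach from the answer, wrapped in a function as an added example (not the answer's own code). Subordinate referrals lead from a parent partition down to its child domains, so the search root here is the forest root domain (a placeholder DN), which matches the question's idea of querying from the parent; from there the search follows referrals into xxx.example.com and yyy.xxx.example.com. The function name and parameters are assumptions for this example.

```powershell
# Added example (not the answer's own code): search the whole forest for a
# computer account by following LDAP referrals from the root domain.
# The root DN is a placeholder; replace it with your forest root.
function Find-ForestComputer {
    param(
        [Parameter(Mandatory)] [string] $Name,        # computer name without the trailing '$'
        [string] $RootDn = 'DC=example,DC=com'        # placeholder forest root DN
    )
    # Escape LDAP filter metacharacters in the supplied name
    $safe = $Name -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $root   = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$RootDn"
    $search = New-Object System.DirectoryServices.DirectorySearcher $root
    # The sAMAccountName of a computer account is the name plus '$'
    $search.Filter      = "(&(objectCategory=computer)(sAMAccountName=$safe`$))"
    $search.SearchScope = 'Subtree'
    # Follow referrals into child domains instead of stopping at the root partition
    $search.ReferralChasing = [System.DirectoryServices.ReferralChasingOption]::All
    foreach ($p in 'distinguishedName', 'sAMAccountName', 'dNSHostName', 'operatingSystem') {
        [void] $search.PropertiesToLoad.Add($p)
    }

    foreach ($r in $search.FindAll()) {
        # SearchResult property names are lower-cased; Select -First avoids
        # indexing an empty collection when an attribute is not set
        [pscustomobject]@{
            Name = [string] ($r.Properties['samaccountname']   | Select-Object -First 1)
            FQDN = [string] ($r.Properties['dnshostname']      | Select-Object -First 1)
            OS   = [string] ($r.Properties['operatingsystem']  | Select-Object -First 1)
            DN   = [string] ($r.Properties['distinguishedname'] | Select-Object -First 1)
        }
    }
}

# Usage: Find-ForestComputer -Name 'member01'
```

The referral chase means the client connects to a DC of each child domain in turn, so the account running it needs read access in those domains and network access to their DCs; querying a global catalog (port 3268) instead needs no referrals but only returns the partial attribute set replicated to the GC.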