I'm trying to create bulk localusers with xml source file with all details in it using powershell scripting. Below is my sample xml file with code I'm using for creating the users. Can anyone help me out getting this to work?
# To run this script use: & "C:\Users\rLisdonk\Desktop\ToServer\Test.ps1"
$computerName = "USSECAVDSPDWK27"
$serviceAccountWebName = "saAsaWeb"
$serviceAccountWebPassword = "MyPassword123"
"Get computer info"
$computer = [ADSI]("WinNT://" + $computerName + ",computer")
"Determine if user [saAsaWeb] exists"
$serviceAccount = [ADSI]("WinNT://" + $computerName + "/$serviceAccountWebName" + ",user")
if(!$serviceAccount.Name)
{
"Create user [saAsaWeb]"
$user = $computer.Create("user", $serviceAccountWebName)
"Set password"
$user.SetPassword($serviceAccountWebPassword)
$user.SetInfo()
"Disable [User must change password at next logon]"
$user.PasswordExpired = 0
$user.SetInfo()
"Enable [Password never expires]"
$wmiuser = Get-WmiObject -class "Win32_UserAccount" -filter "name=’$serviceAccountWebName’"
$wmiuser.PasswordExpires = $false
$wmiuser.Put()
}
Powershell will only substitute the variable with the value inside double quotes, single quotes will return the literal value. You will want to escape the single quotes with a ` backtick character, so it would be:
$wmiuser = Get-WmiObject Win32_UserAccount -filter "LocalAccount=True AND name=`'$serviceAccountWebName`'"
When you run it, it needs to be ran with elevated permissions. If you are looking to do this on a remote machine, you need to do so via Remoting, or use WMI entirely. Without a specified error I assume it is this WMI query is most likely what is holding you up.
Related
I have created a user creation script using powershell and everything works except the attribute "ipPhone"
Can anyone tell my why i Can't add the following line?:
$Mobile = Read-Host " xxxx "
$ipPhone = Read-Host " xxx"
New-ADUser -ipPhone "$ipPhone"
It works for
-Mobile "$Mobile"
But it dosent work for ipPhone? Do I need to use Set-ADuser instead?
Help with Attribute
Cmdlet New-ADUser does not have a parameter called ipPhone.
You can set it, but then use
-OtherAttributes #{'ipPhone' = $ipPhone}
If you use Set-ADUSer, you will need to do
-replace #{'ipPhone' = $ipPhone}
I am trying to create local user on all servers and I want to schedule this as a scheduled task so that it can run continually capturing all new servers that are created.
I want to be able to check for the existence of an account and if true, skip; if false, create account.
I have imported a module called getlocalAccount.psm1 which allows me to return all local accounts on the server and another function called Add-LocaluserAccount
which allows me to add local accounts these work with no problems
when I try and run the script I have created the script runs but does not add accounts
Import-Module "H:\powershell scripts\GetLocalAccount.psm1"
Function Add-LocalUserAccount{
[CmdletBinding()]
param (
[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
[string[]]$ComputerName=$env:computername,
[parameter(Mandatory=$true)]
[string]$UserName,
[parameter(Mandatory=$true)]
[string]$Password,
[switch]$PasswordNeverExpires,
[string]$Description
)
foreach ($comp in $ComputerName){
[ADSI]$server="WinNT://$comp"
$user=$server.Create("User",$UserName)
$user.SetPassword($Password)
if ($Description){
$user.Put("Description",$Description)
}
if ($PasswordNeverExpires){
$flag=$User.UserFlags.value -bor 0x10000
$user.put("userflags",$flag)
}
$user.SetInfo()
}
}
$usr = "icec"
$rand = New-Object System.Random
$computers = "ServerA.","ServerB","Serverc","ServerD","ServerE"
Foreach ($Comp in $Computers){
if (Test-Connection -CN $comp -Count 1 -BufferSize 16 -Quiet){
$admin = $usr + [char]$rand.next(97,122) + [char]$rand.next(97,122) + [char]$rand.next(97,122) + [char]$rand.next(97,122)
Get-OSCLocalAccount -ComputerName $comp | select-Object {$_.name -like "icec*"}
if ($_.name -eq $false) {
Add-LocalUserAccount -ComputerName $comp -username $admin -Password "password" -PasswordNeverExpires
}
Write-Output "$comp online $admin"
} Else {
Write-Output "$comp Offline"
}
}
Why bother checking? You can't create an account that already exists; you will receive an error. And with the ubiquitous -ErrorAction parameter, you can determine how that ought to be dealt with, such as having the script Continue. Going beyond that, you can use a try-catch block to gracefully handle those exceptions and provide better output/logging options.
Regarding your specific script, please provide the actual error you receive. If it returns no error but performs no action check the following:
Event Logs on the target computer
Results of -Verbose or -Debug output from the cmdlets you employ in your script
ProcMon or so to see what system calls, if any, happen.
On a sidenote, please do not tag your post with v2 and v3. If you need a v2 compatible answer, then tag it with v2. Piling on all the tags with the word "powershell" in them will not get the question answered faster or more effectively.
You can do a quick check for a local account like so:
Get-WmiObject Win32_UserAccount -Filter "LocalAccount='true' and Name='Administrator'"
If they already exist, you can either output an error (Write-Error "User $UserName Already exists"), write a warning (Write-Warning "User $UserName Already exists"), or simply silently skip the option.
Please don't use -ErrorAction SilentlyContinue. Ever. It will hide future bugs and frustrate you when you go looking for them.
This can very easily be done in one line:
Get-LocalUser 'username'
Therefore, to do it as an if statement:
if((Get-LocalUser 'username').Enabled) { # do something }
If you're not sure what the local users are, you can list all of them:
Get-LocalUser *
If the user is not in that list, then the user is not a local user and you probably need to look somewhere else (e.g. Local Groups / AD Users / AD Groups
There are similar commands for looking those up, but I will not outline them here
I am trying to create a Web application/VirtualDirectory under a specific subfolder of a IIS 6 website using Powershell as show below:
IIS WebSite Structure <<<>>> Physical Directory Structure
Test (website) ----------------> c:\InetPub
SubDirectory ------------------> ..\Subdirectory
gadgets (Web App) -----------------> ..\Gadgets
Script
$WebSiteName = “Test”
$virtualDirName = “subdirectory\gadgets”
$appPoolName = “DefaultAppPool”
$VirtalDirHomePath = "c:\InetPub\Subdirectory\Gadgets"
$iisWebSite = Get-WmiObject "IISWebServerSetting" `
-Namespace "root\MicrosoftIISv2" `
-filter "ServerComment like '%$WebSiteName%'"
$virtualDirSettings = [wmiclass] "root\MicrosoftIISv2:IIsWebVirtualDirSetting"
$newVDir = $virtualDirSettings.CreateInstance()
$newVDir.Name = ($iisWebSite.Name + '/ROOT/' + $virtualDirName)
$newVDir.Path = $VirtalDirHomePath
$newVDir.Put();
$nvdir = $iisWebSite.Name + '/ROOT/' + $virtualDirName
$nvdir = $nvdir.Replace("\", "/")
$v = Get-WmiObject -Class IIsWebVirtualDir -Namespace root\microsoftiisv2 `
-filter "Name='$nvdir'"
#Create WebAppliction
$v.AppCreate3(2, $appPoolName, 1)
If I specify the $virtualDirName with forward slash path separator (subdirectory/gadgets) , $newVDir.Put() call throws following exception
Exception calling "Put" with "0"
argument(s): "Win32: The system cannot
find the path specified.
If I change the $virtualDirName with backslash path separator (subdirectory\gadgets) $newVDir.Put() call returns successfully.
I am not sure whether this is the right way.
Is there any better way to create Web Application/VirtualDirectory under a specific subfolder and How can I list VirtualDirectory/WebApplication created under a subfolder.
An alternative solution to create a virtual directory in IIS 6.0 through scripting, which doesn't involve PowerShell, is to use the iisvdir.vbs script:
SET webSiteName=Test
SET virtualDirName=subdirectory/gadgets
SET virtualDirHomePath=C:\InetPub\Subdirectory\Gadgets
cscript %SystemRoot%\system32\iisvdir.vbs /create %webSiteName% %virtualDirName% %virtualDirHomePath%
Note that the virtual directory path in virtualDirName is specified using forward slashes.
You can also list the virtual directories in a specific path using the same iisvdir.vbs script:
cscript %SystemRoot%\system32\iisvdir.vbs /query %webSiteName%/%virtualDirName%
Give this a try. It connects to the root of website 1 (Default Website). Creates a IIsWebDirectory object for the gadgets folder and assigns it an application pool.
$root = [adsi] "IIS://localhost/W3SVC/1/ROOT"
$vDir = $root.Create("IIsWebDirectory", "SubDirectory\Gadgets")
$vDir.AppCreate3(2, "DefaultAppPool", $false)
$vDir.AppFriendlyName = "Andy Test"
$vDir.SetInfo()
If you need to connect to a website other than the default web site you can get the ID of the website with this command:
([adsi] "IIS://localhost/W3SVC").psbase.Children | ? {$_.psbase.schemaclassname -eq "IIsWebServer" } | select Path, ServerComment
Output:
Path ServerComment
---- -------------
IIS://localhost/W3SVC/1 {Default Web Site}
IIS://localhost/W3SVC/2 {WHS site}
In Powershell, how do you set the Read/Write Service Principal Name AD user permissions?
Normally during my build process, I use ADSIedit to navigate to that object, and then go through all the security tabs to get down to put a checkmark next to:
Read Service Principal Name
Write Service Principal Name
But navigating through ADSIedit can take a long time so I'm trying to script the process. If I have a PowerShell LDAP bind with a new user created, how can I use PowerShell to set both of these properties for this user account?
The following is a hacked out code-snippet of the possible pertinent portions of my install script:
$strDomain = "dc=my,dc=com"
$objDomain = [ADSI] "LDAP://" + strDomain
$strSCCMSQLPW = Read-Host -assecurestring "Please enter a password for the " + $strSCCMSQL + " account: "
New-ADUser -SamAccountName $strSCCMSQL + -Name $strSCCMSQL -AccountPassword $strSCCMSQLPW -Enabled $true -Path $strUsersOU + "," + $strDomain -PasswordNeverExpires $true
You need to add an ActiveDirectoryAccessRule object to the ACL of the target object. For setting property specific rigths the trick is to pass in the schemaIDGUID to the attribute. So first we need to find the schemaIDGUID from the Service-Principal-Name schema entry. In the sample code i statically refer to the Service-Principal-Name, better yet would have been to search for the ldapDisplayname to find the entry but I'm sure you can sort that out. In any case this code should do the job:
Function Set-SpnPermission {
param(
[adsi]$TargetObject,
[Security.Principal.IdentityReference]$Identity,
[switch]$Write,
[switch]$Read
)
if(!$write -and !$read){
throw "Missing either -read or -write"
}
$rootDSE = [adsi]"LDAP://RootDSE"
$schemaDN = $rootDSE.psbase.properties["schemaNamingContext"][0]
$spnDN = "LDAP://CN=Service-Principal-Name,$schemaDN"
$spnEntry = [adsi]$spnDN
$guidArg=#("")
$guidArg[0]=$spnEntry.psbase.Properties["schemaIDGUID"][0]
$spnSecGuid = new-object GUID $guidArg
if($read ){$adRight=[DirectoryServices.ActiveDirectoryRights]"ReadProperty" }
if($write){$adRight=[DirectoryServices.ActiveDirectoryRights]"WriteProperty"}
if($write -and $read){$adRight=[DirectoryServices.ActiveDirectoryRights]"readproperty,writeproperty"}
$accessRuleArgs = $identity,$adRight,"Allow",$spnSecGuid,"None"
$spnAce = new-object DirectoryServices.ActiveDirectoryAccessRule $accessRuleArgs
$TargetObject.psbase.ObjectSecurity.AddAccessRule($spnAce)
$TargetObject.psbase.CommitChanges()
return $spnAce
}
Sample lines for calling the function...
$TargetObject = "LDAP://CN=User,OU=My User Org,DC=domain,DC=net"
$Identity = [security.principal.ntaccount]"domain\user"
Set-SpnPermission -TargetObject $TargetObject -Identity $Identity -write -read
Here is an example using Quest to set the permissions on the service principal name attributes.
First, add Quest:
Add-PSSnapin Quest.ActiveRoles.ADManagement;
Set the permission (using Add-QADPermission):
Get-QADUser UserName | Add-QADPermission -Account 'SELF' -Rights 'ReadProperty,WriteProperty' -Property 'servicePrincipalName' -ApplyTo 'ThisObjectOnly';
You can use Quest AD cmdlets. It makes AD permission stuff very easy in PowerShell.
Read this blog for some examples on how to add AD permissions or even copy the AD permissions.
Just lookup Add-QADPermission and it should do your job.
Recently, I made a script to list all the installed applications in local & remote machine & give the output in a structured manner in an excelsheet.
It looks like this:
$a = Read-Host "Enter machine name" | Out-File -filepath C:\machine.txt
$computerName = Get-Content C:\machine.txt
$a = New-Object -comobject Excel.Application
$a.visible = $True
$b = $a.Workbooks.Add()
$c = $b.Worksheets.Item(1)
$c.Cells.Item(1,1) = "Name"
$c.Cells.Item(1,2) = "Publisher"
$c.Cells.Item(1,3) = "InstalledDate"
$c.Cells.Item(1,4) = "Version"
$c.Cells.Item(1,5) = "UninstallString"
$d = $c.UsedRange
$d.Interior.ColorIndex = 19
$d.Font.ColorIndex = 11
$d.Font.Bold = $True
$i = 2
function Get-InstalledAppReg ([string]$ComputerName) {
$RegPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
$BaseKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $ComputerName)
$OpenSubKey = $BaseKey.OpenSubKey($RegPath)
$i =2
$OpenSubKey.GetSubKeyNames() | ForEach {
$Path = "$RegPath\$_"
$BaseKey.OpenSubKey($Path).GetValue("DisplayName")
$BaseKey.OpenSubKey($Path).GetValue("Publisher")
$BaseKey.OpenSubKey($Path).GetValue("InstalledDate")
$BaseKey.OpenSubKey($Path).GetValue("Version")
$BaseKey.OpenSubKey($Path).GetValue("UninstallString")
$c.Cells.Item($i,1) = $BaseKey.OpenSubKey($Path).GetValue("DisplayName")
$c.Cells.Item($i,2) = $BaseKey.OpenSubKey($Path).GetValue("Publisher")
$c.Cells.Item($i,3) = $BaseKey.OpenSubKey($Path).GetValue("InstalledDate")
$c.Cells.Item($i,4) = $BaseKey.OpenSubKey($Path).GetValue("Version")
$c.Cells.Item($i,5) = $BaseKey.OpenSubKey($Path).GetValue("UninstallString")
$i ++
}
}
Get-InstalledAppReg($computerName)
$d.EntireColumn.AutoFit()
$b.SaveAs("c:\softhive.xlsx")
$b.Close()
$a.Quit()
Get-Process | Where { $_.Name -Eq "Excel" } | Kill
This script ran perfectly for all remote machines which has XP as a OS.
Problem started when I started running it in windows & machines remotely.
Initially it gave wrong path error, when I realized that for windows 7, I probably have to use
"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" instead of
"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall".
With this different path, when I run the same script again, I get an error:
Exception calling "OpenRemoteBaseKey" with "2" argument(s): "The network path was not found.
"
At :line:24 char:62
$BaseKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey( <<<< "LocalMachine", $ComputerName)
Probably, I need to change other things too in the script?
My machine, from where I run the script, is a windows XP SP3 machine.
Unfortunately the WMI Win32_Product class does not report all apps found in Control Panel's "Add or Remove Programs"...
The registry walk seems to be unavoidable, see:
http://powergui.org/thread.jspa?threadID=17068
http://learningpcs.blogspot.fr/2011/10/powershell-get-installed-software.html
Rather than comb the registry, I would use WMI for this. See Win32_Product and friends e.g.:
Get-WmiObject Win32_Product
Note that if I run this on my Windows 7 x64 system in a 64bit PowerShell prompt it shows all installed apps (32-bit and 64-bit):
Get-WmiObject Win32_Product| sort Vendor | Format-Table Name,InstallDate,Vendor
To see all the properties available execute:
Get-WmiObject Win32_Product | Select -First 1 | Format-List *
I remember a while back I did something like this at an IT firm and we simply searched the C: directory for the names of all programs ending in .exe, in order to optimize we would hone in on specific apps that we were looking for. We set up a batch that would pass or fail based on if what we wanted. Keep in mind this is a batch file, however the idea is similar.
echo ================= >>Software_Scan.txt
echo Below is a list of all wireless networks. Saved networks will be found in the Wireless Profiles folder
set filePath=
for /R "C:\Program Files (x86)" /D %%a in (*) do if exist "%%a\YahooMessenger.exe" set filePath=%%a& goto continue
:continue
if defined filePath echo %COMPUTERNAME% FAIL Yahoo Messenger >> Software_Scan.txt
if NOT defined filePath echo %COMPUTERNAME% PASS Yahoo Messenger >> Software_Scan.txt