PowerShell for Windows Admins


June 2, 2015  7:44 AM

International module revisited

Richard Siddaway
Powershell

A couple of years ago I wrote about the International module

https://richardspowershellblog.wordpress.com/2013/08/28/international-module/

I was recently asked about the availability of this module on Windows Server 2012 R2. I’ve found the module on all flavours of Windows 2012 R2 – Server Core and full GUI, with and without the Desktop Experience.

May 31, 2015  10:29 AM

Multiple expands

Richard Siddaway
Powershell

PowerShell outputs objects but sometimes you need just the values. The -ExpandProperty parameter of Select-Object can pull the values from a property. Compare:

£> Get-VM | select Name

Name
----
Arista
SphinxLx01
W12R2DSC
W12R2OD01
W12R2SCDC01
W12R2SUS
W12R2TGT
W12R2Web01
W12R2Web02

with

£> Get-VM | select -ExpandProperty Name
Arista
SphinxLx01
W12R2DSC
W12R2OD01
W12R2SCDC01
W12R2SUS
W12R2TGT
W12R2Web01
W12R2Web02

In the first you get an object with just a name property.  In the second you get just the name.

This is good BUT you can only expand a single property in one pipeline. If you need to expand multiple properties you need to do them individually and combine the results into a new object. For instance, to drill down into a 2012 R2 Hyper-V VM and get the IP addresses and the disk size:

Get-VM |
foreach {
    $props = [ordered]@{
        Name = $($psitem.Name)
        IPAddresses = $psitem | select -ExpandProperty NetworkAdapters | select -ExpandProperty IPAddresses
        DiskSize = [math]::Round((Get-ChildItem -Path ($psitem | select -ExpandProperty HardDrives | select -ExpandProperty path) | select -ExpandProperty Length) / 1GB, 2)
    }
    New-Object -TypeName PSObject -Property $props
}

The IP addresses are a simple double expansion. For the disk size you have to expand the hard drives, then the path, get the file length and convert the size to GB.

NOTE – I know all my VMs only have a single disk. If you have multiple disks you’ll need to build a loop to get all the sizes


May 31, 2015  8:23 AM

Finding users that can change their password

Richard Siddaway
Active Directory, Powershell

Way back in this post

https://richardspowershellblog.wordpress.com/2012/02/10/finding-users-who-cannot-change-password/

I showed how to discover those users who can’t change their passwords. I was recently asked how to find those users that can change their password.

Active Directory doesn’t store this information directly, but the CannotChangePassword attribute is false for those users that can change their password:

£> Get-ADUser -Identity richard -Properties CannotChangePassword
CannotChangePassword : False
DistinguishedName    : CN=Richard,CN=Users,DC=Manticore,DC=org
Enabled              : True
GivenName            :
Name                 : Richard
ObjectClass          : user
ObjectGUID           : 7c42be70-c6b2-401f-8296-46de9ee7446c
SamAccountName       : Richard
SID                  : S-1-5-21-195014076-723736408-1406369008-1104
Surname              :
UserPrincipalName    : Richard@Manticore.org

So if you don’t mind using double negative logic you can find users that can change passwords like this:

Get-ADUser -Filter * -Properties CannotChangePassword |
where {-not $_.CannotChangePassword } |
Format-Table Name, DistinguishedName

I’ve restricted the properties brought back to the default ones plus CannotChangePassword

Use

-not $_.CannotChangePassword

as a filter to determine the users that have the attribute set to false

You could also use

! $_.CannotChangePassword

but I prefer using -not as it’s easier to read.


May 29, 2015  10:42 AM

IPAM: 2 Reading data

Richard Siddaway
Powershell

Once you have your IPAM server configured you can start to read the data it’s collected.

If you are working against a remote IPAM server then you need to create a CIM session to that machine before doing anything else.

$cs = New-CimSession -ComputerName W12R2SUS

You can discover the domain you’re working against

£> Get-IpamDiscoveryDomain -CimSession $cs | fl
Name           : manticore.org
DiscoverDc     : True
DiscoverDns    : True
DiscoverDhcp   : True
PSComputerName : W12R2SUS

The IPAM server configuration

£> Get-IpamConfiguration -CimSession $cs | fl
Version            : 6.3.0.1
Port               : 48885
ProvisioningMethod : Manual
GpoPrefix          :
HMACKey            : System.Security.SecureString
PSComputerName     : W12R2SUS

The servers – DHCP, DNS and DCs that IPAM is aware of:

£> Get-IpamServerInventory -CimSession $cs
RecommendedAction   : IPAM Access Unblocked
ManageabilityStatus : Managed
IPAMAccessStatus    : Unblocked
ServerType          : {DC, DNS, DHCP}
ServerName          : server02
Name                : server02.Manticore.org
DnsSuffix           : Manticore.org
DomainName          : manticore.org
ServerStatus        : NoChange
DataRetrievalStatus : Completed
IPv4Address         : {10.10.54.201}
IPv6Address         :
PSComputerName      : W12R2SUS

The address space

£> Get-IpamAddressSpace -CimSession $cs
Name                           : Default
Type                           : ProviderAddressSpace
Owner                          :
Description                    : Default Provider IP Address Space
AssociatedProviderAddressSpace :
Tenant                         :
VMNetwork                      :
IsolationMethod                :
Ipv4PercentageUtilized         : 3.44827586206896
Ipv6PercentageUtilized         : 0
CustomConfiguration            :
PSComputerName                 : W12R2SUS

Individual subnets

£> Get-IpamSubnet -CimSession $cs -AddressFamily IPv4
Name                 : 10.10.54.0/24
NetworkId            : 10.10.54.0/24
NetworkType          : NonVirtualized
Overlapping          : False
NetworkSite          :
VmmLogicalNetwork    :
ProviderAddressSpace : Default
CustomerAddressSpace :
VlanId               :
Owner                :
PSComputerName       : W12R2SUS

and the address ranges for those subnets

£> Get-IpamRange -CimSession $cs -AddressFamily IPv4
Overlapping      : False
NetworkID        : 10.10.54.0/24
StartIPAddress   : 10.10.54.2
EndIPAddress     : 10.10.54.30
ManagedByService : MS DHCP
ServiceInstance  : server02.Manticore.org
NetworkType      : NonVirtualized
Owner            :
PSComputerName   : W12R2SUS

 

 


May 28, 2015  1:39 PM

Copy files over PS remoting sessions

Richard Siddaway
Powershell

One neat feature of the April 2015 WMF 5.0 preview is that you can copy files over a remoting session.

First create a session to a remote machine

$cs = New-PSSession -ComputerName W12R2SUS

 

Define the source and destination for the copy. Use -ToSession to specify the remoting session, and therefore the remote machine, that the file is copied to.

Copy-Item -Path C:\Source\test.csv -Destination C:\Source\test.csv -ToSession $cs

 

You use -FromSession to copy from a remote machine.

Copy-Item -Path C:\Source\srv.csv -Destination C:\Source\srv.csv -FromSession $cs

 

What you can’t do is copy from one session to another

$cs2 = New-PSSession -ComputerName server02

£> Copy-Item -Path C:\Source\*.csv -Destination C:\Source\ -FromSession $cs2 -ToSession $cs
Copy-Item : ‘-FromSession’ and ‘-ToSession’ are mutually exclusive and cannot be specified at the same time.


May 27, 2015  12:30 PM

PowerShell Summit Europe 2015 – sold out

Richard Siddaway
Powershell

The PowerShell Summit Europe 2015 is sold out.  Please be aware that we don’t maintain a waiting list as the Summit is a benefit of  PowerShell Association membership


May 21, 2015  1:30 PM

IPAM: 1 Installation and configuration

Richard Siddaway

IPAM stands for IP Address Management. It’s a feature in Windows Server 2012 R2 that enables you to manage your DHCP and DNS servers as a whole rather than at the individual service or server level.

Installation of IPAM follows the standard approach for any Windows feature. Note that you can install IPAM on a Domain Controller but it won’t configure. IPAM is designed to be installed on a member server.

Full details on deploying IPAM server are available from here https://technet.microsoft.com/en-us/library/hh831353.aspx

I’m not going to run through the full deployment and configuration – just point out some issues and where you can use PowerShell to make things easier.

Once the IPAM feature is installed you have to provision the IPAM server. There isn’t a separate MMC for IPAM admin – you use Server Manager. Provisioning an IPAM server can be done manually or by GPO. Manual seemed best for lab/experiment/initial set up as you can’t swap from GPO to manual. You can use Windows Internal Database (WID) or SQL Server – I used WID.

You then need to configure your DHCP servers, DNS servers and domain controllers. This involves a number of group membership changes, firewall rule changes and a registry setting.

Create a group called IPAMUG and add the IPAM server into it.

New-ADGroup -Name IPAMUG -DisplayName IPAMUG -SamAccountName IPAMUG -Description 'IPAM management group' -GroupCategory Security -GroupScope Universal

Add-ADGroupMember -Identity IPAMUG -Members (Get-ADComputer -Identity W12R2SUS)

Add IPAMUG to a number of groups

Add-ADGroupMember -Identity 'Event Log Readers' -Members (Get-ADGroup -Identity IPAMUG)

Add-ADGroupMember -Identity 'DHCP Users' -Members (Get-ADGroup -Identity IPAMUG)

Add-ADGroupMember -Identity 'DNSAdmins' -Members (Get-ADGroup -Identity IPAMUG)

I also found I had to add the IPAM server to the domain Administrators group to get the DNS data to come through.

Modify some firewall rules

$cs = New-CimSession -ComputerName W12R2SCDC01

Enable-NetFirewallRule -DisplayName 'Remote Service Management (RPC)' -CimSession $cs -PassThru
Enable-NetFirewallRule -DisplayName 'Remote Service Management (NP-In)' -CimSession $cs -PassThru
Enable-NetFirewallRule -DisplayName 'Remote Service Management (RPC-EPMAP)' -CimSession $cs -PassThru

Get-NetFirewallRule -DisplayGroup 'Remote Service Management' -CimSession $cs |
ft DisplayName, Enabled, Direction, Profile -AutoSize

There are a bunch of firewall rules that need setting. You can find the full list in the TechNet documentation.

For DHCP servers create an audit share

New-SmbShare -Name dhcpaudit -Path 'C:\Windows\System32\dhcp' -ReadAccess 'manticore\IPAMUG'
Set-SmbShare -Name dhcpaudit -Description 'DHCP audit share for IPAM' -Force

## restart DHCP service
Get-Service -Name DHCPServer | Restart-Service -PassThru

Enable event log monitoring on the DNS servers

$csd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server' -Name CustomSD |
    select -ExpandProperty CustomSD
$ipamsid = (Get-ADComputer -Identity W12R2SUS | select -ExpandProperty SID).value
$csd = $csd + "(A;;0x1;;;$ipamsid)"
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server' -Name CustomSD -Value $csd -PassThru
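
The CustomSD change above appends an ACE by string concatenation, so a second run stacks a duplicate ACE and a malformed value is written back unchecked. The following is an added example, not code from the original post: the function name Add-EventLogReadAce is hypothetical, and the sample SDDL string and SID are constructed values, not read from a real server.

```powershell
# Added example: grant event log read (0x1) to a SID only if it is not already granted.
function Add-EventLogReadAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Sid
    )
    # Parsing throws on malformed SDDL, so a damaged value is never handed back for writing.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $id = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
    $acl = $sd.DiscretionaryAcl
    if ($null -eq $acl) { throw 'Security descriptor has no DACL (D:) section.' }

    # If an allow ACE for this SID already includes the read bit, return the input unchanged.
    foreach ($ace in $acl) {
        if ($ace.AceType -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier.Value -eq $id.Value -and
            ($ace.AccessMask -band 0x1)) {
            return $Sddl
        }
    }

    # Build the equivalent of (A;;0x1;;;<SID>) and add it to the end of the DACL,
    # so it lands in the DACL even when the descriptor also carries a SACL (S:) section.
    $newAce = New-Object System.Security.AccessControl.CommonAce -ArgumentList (
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        0x1, $id, $false, $null)
    $acl.InsertAce($acl.Count, $newAce)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Constructed sample values (assumptions for illustration only).
$sampleSd  = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;SO)'
$sampleSid = 'S-1-5-21-1111111111-2222222222-3333333333-1601'

$once  = Add-EventLogReadAce -Sddl $sampleSd -Sid $sampleSid
$twice = Add-EventLogReadAce -Sddl $once -Sid $sampleSid   # second call finds the ACE and returns its input

$once
"Second run changed the descriptor: $($once -ne $twice)"
```

GetSddlForm re-serialises the whole descriptor, so the returned string can differ textually from the input while describing the same ACL. Keep a copy of the original CustomSD value before writing the new one with Set-ItemProperty.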

I also had to manually add the IPAMUG group into the security permissions for the DNS servers. Didn’t seem to be a way to automate that bit.

IPAM has a PowerShell module – IpamServer – which contains lots of cmdlets:

Add-IpamAddress
Add-IpamAddressSpace
Add-IpamBlock
Add-IpamCustomField
Add-IpamCustomFieldAssociation
Add-IpamCustomValue
Add-IpamDiscoveryDomain
Add-IpamRange
Add-IpamServerInventory
Add-IpamSubnet
Disable-IpamCapability
Enable-IpamCapability
Export-IpamAddress
Export-IpamRange
Export-IpamSubnet
Find-IpamFreeAddress
Get-IpamAddress
Get-IpamAddressSpace
Get-IpamAddressUtilizationThreshold
Get-IpamBlock
Get-IpamCapability
Get-IpamConfiguration
Get-IpamConfigurationEvent
Get-IpamCustomField
Get-IpamCustomFieldAssociation
Get-IpamDatabase
Get-IpamDhcpConfigurationEvent
Get-IpamDiscoveryDomain
Get-IpamIpAddressAuditEvent
Get-IpamRange
Get-IpamServerInventory
Get-IpamSubnet
Import-IpamAddress
Import-IpamRange
Import-IpamSubnet
Invoke-IpamGpoProvisioning
Invoke-IpamServerProvisioning
Move-IpamDatabase
Remove-IpamAddress
Remove-IpamAddressSpace
Remove-IpamBlock
Remove-IpamConfigurationEvent
Remove-IpamCustomField
Remove-IpamCustomFieldAssociation
Remove-IpamCustomValue
Remove-IpamDhcpConfigurationEvent
Remove-IpamDiscoveryDomain
Remove-IpamIpAddressAuditEvent
Remove-IpamRange
Remove-IpamServerInventory
Remove-IpamSubnet
Rename-IpamCustomField
Rename-IpamCustomValue
Set-IpamAddress
Set-IpamAddressSpace
Set-IpamAddressUtilizationThreshold
Set-IpamBlock
Set-IpamConfiguration
Set-IpamCustomFieldAssociation
Set-IpamDatabase
Set-IpamDiscoveryDomain
Set-IpamRange
Set-IpamServerInventory
Set-IpamSubnet
Update-IpamServer

Now I’ve got my IPAM server up and running it’s time to see what I can do with it.

 

 


May 18, 2015  7:58 AM

PowerShell Summit Europe 2015 – nearly sold out

Richard Siddaway
Powershell

There are a handful of places left for the PowerShell Summit Europe 2015. If you want to secure a place I recommend that you book very soon as we can’t extend capacity any further.


May 15, 2015  11:56 AM

Playing with the range operator

Richard Siddaway
Powershell

The range operator allows you to reference a range of numbers

1..10

is equivalent to

1,2,3,4,5,6,7,8,9,10

If you want anything other than numbers you’re stuck as the range operator only works with integers

though you can have a decrementing list

10..1

65..74 | foreach {[char]$psitem}

would be A – J

If you want A-Z

65..90 | foreach {[char]$psitem}

For lowercase letters (a – z)  use

97..122 | foreach {[char]$psitem}

You can even work from an array of values

$data = 'value1','value2','value3','value4','value5','value6','value7','value8','value9','value10'

$data[3..6]
$data[6..3]


May 7, 2015  3:35 AM

PowerShell DSC for Linux

Richard Siddaway
CIM, Powershell

PowerShell DSC for Linux has moved out of CTP and v1 is available for download from http://www.microsoft.com/en-us/download/details.aspx?id=46919

You will find more details at http://blogs.msdn.com/b/powershell/archive/2015/05/06/powershell-dsc-for-linux-is-now-available.aspx

You will need to download OMI version 1.0.8-1 which is available from https://collaboration.opengroup.org/omi/documents.php?action=show&dcat=&gdid=32721

OMI has to be installed on the Linux box before the DSC package

A useful getting started guide is available https://technet.microsoft.com/en-us/library/mt126211.aspx

I demonstrated DSC for Linux at the recent PowerShell Summit NA 2015

https://www.youtube.com/watch?v=X5igUenOJiU&index=30&list=PLfeA8kIs7CochwcgX9zOWxh4IL3GoG05P

though things have changed a bit since I built that demo environment using the DSC for Linux CTP. I’m going to rebuild my Linux box with the new bits and give it a whirl.

Being able to manage Windows and Linux environments through the same techniques, and in some cases the same DSC configurations, is a big step forward.

