Technical posts about IT

Monthly archives for March, 2011

Powershell Code: Inventory Computers

Mar24
2011 Leave a Comment Written by Sean Metcalf

Recently I had to pull together a quick inventory of active workstations on the net, so after a quick google search pulled up Inventorying Computers with AD Powershell, I got a great start on the task.

Here’s what I pulled together:

import-module ActiveDirectory

# Get Domain Info
$ADInfo = Get-ADDomain
$ADDomainDNSRoot = $ADInfo.DNSRoot

Write-host “Configuring script options …” `r
[int] $ComputerAge = 90
$ComputerStaleDate = $DateTime.AddDays(-$ComputerAge)

# Set the ComputerAge to 90.  This defines the oldest date that a computer can be considered “active”
# Since Windows computers automatically update their AD account password every 30 days (by default), this should cover computers that were offline for a short while.

# Gather a list of all active workstations in AD including necessary attributes
Write-host “Discovering active workstations in $ADDomainDNSRoot …” `r
$AllActiveWorkstations = Get-ADComputer -filter {(OperatingSystem -notlike “*Server*”) -and (Enabled -eq $TRUE) -and (passwordLastSet -ge $ComputerStaleDate)} -property * | `
Select-Object Name,CanonicalName,Location,OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,Modified,PasswordLastSet

# Set the filter to only return workstations (notlike Server) that are enabled (not disabled), and active (password changed in the last 90 days).
# Get the entire list of computer properties and then select which ones to show in the CSV file.  These properties can be identified after -property instead of “*” which reduces the amount of data gathered, but this method makes it easier to add more properties to the CSV by adding them after Select-Object

$AllActiveWorkstationsCount = $AllActiveWorkstations.Count
Write-host “”`r
Write-host “There were $AllActiveWorkstationsCount active workstations discovered in $ADDomainDNSRoot …” `r
Write-host “”`r
# Count number of workstations discovered and display.

# Do the same again for servers

# Gather a list of all active servers in AD including necessary attributes
Write-host “Discovering active servers in $ADDomainDNSRoot …” `r
$AllActiveServers = Get-ADComputer -filter {(OperatingSystem -like “*Server*”)    -and (Enabled -eq $TRUE) -and (passwordLastSet -ge $ComputerStaleDate)} -property * | `
Select-Object Name,CanonicalName,Location,OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,Modified,PasswordLastSet
$AllActiveServersCount = $AllActiveServers.Count
Write-host “”`r
Write-host “There were $AllActiveServersCount active servers discovered in $ADDomainDNSRoot …” `r
Write-host “”`r

Write-Host “Finished gathering workstation & server data…” `r
Write-host “”`r
Write-host “Writing data to files…”`r
$AllActiveWorkstations | Export-CSV c:\temp\ActiveWorkstations.csv -NoTypeInformation -Encoding UTF8
$AllActiveServers | Export-CSV c:\temp\ActiveServers.csv -NoTypeInformation -Encoding UTF8
Write-host “”`r
Write-host “Operations completed…”`r
Write-host “”`r

This works really well and is fairly lightweight since it only queries AD.  Combine this with WMI calls to get computer system data.

Cheers,
Sean

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Powershell Code, Tech - Tagged , , ,

PowerShell Code: Determine if a Computer is a Domain Controller

Mar22
2011 6 Comments Written by Sean Metcalf

Here is a quick way to determine if a computer is a Domain Controller for the AD Domain.

$Computer = “computerhostname”
Import-Module ActiveDirectory

$ComputerProperties = get-ADComputer $Computer -properties *
IF ($ComputerProperties.PrimaryGroupID -eq “516″)
{Write-Host “$Computer is a Domain Controller”`r ; $ISDC = $TRUE }

IF ($ISDC -eq $TRUE)
{ ## OPEN IF the Computer target is a DC
$DCInfo= Get-ADDomainController -identity $Computer
$DCInfoHN= $DCInfo.Hostname
$DCInfoIP= $DCInfo.IPv4Address
} ## CLOSE IF the Computer target is a DC

Testing for the Primary Group ID is a surefire way to determine if the computer is a Domain Controller.
All Domain Controllers are members of  the “Domain Controllers” group & that group is the primary group for the DC.
Computers that are not Domain Controllers are members of the “Domain Computers” group (PrimaryGroupID 515).

After setting the variable $ISDC to $True, we get additional information about the DC from the commandlet Get-ADDomainController.

Cheers,
Sean

Google+FacebookEmailPrintShare
Posted in Deployment, Microsoft Products, Powershell Code

Powershell Filter Operators

Mar16
2011 Leave a Comment Written by Sean Metcalf

Once you get used to Powershell, you will want to do more and more with it.  One of the keys to leveraging the power of PowerShell is filters.
PowerShell commandlets all support filters (well, most of them anyway).  This means you can drill down to resulting data subsets.
If you run into commandlets that don’t support the native -filter you can always pipe to where-object (aka “where”).

In other words you can do this: get-service | Where {$_.Status -eq “Running”}
This takes the results of a generic get-service request which returns a full list of system services and pares it down to only the running services.
Change “Running” to “Stopped” and you get, obviously a list of services that are stopped.

You can also pipe the service name into the get-service commandlet: “W32Time” | get-service

Here’s a great chart I found on the MSDN Blogs that describes what each filter operator does:

Logical Operator Description Equivalent LDAP operator/expression
-eq Equal to. This will not support wild card search. =
-ne Not equal to. This will not support wild card search. ! x = y
-like Similar to -eq and supports wildcard comparison. The only wildcard character supported is: * =
-notlike Not like. Supports wild card comparison. ! x = y
-approx Approximately equal to ~=
-le Lexicographically less than or equal to <=
-lt Lexicographically less than ! x >= y
-ge Lexicographically greater than or equal to >=
-gt Lexicographically greater than ! x <= y
-and AND &
-or OR |
-not NOT !
-bor Bitwise OR :1.2.840.113556.1.4.804:=
-band Bitwise AND :1.2.840.113556.1.4.803:=
-recursivematch Uses LDAP_MATCHING_RULE_IN_CHAIN (Win2k3 SP2 and above) :1.2.840.113556.1.4.1941:=

Using filters is extremely helpful is narrowing down the scope to fine-tune the data you need to work with and this chart is one I frequently reference.

Cheers,
Sean

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Powershell Code, Tech - Tagged , , ,

PowerShell Code: Active Directory Domain Controller Discovery

Mar15
2011 Leave a Comment Written by Sean Metcalf

Earlier I posted about discovering Domain Controllers in the domain and the site.  I have since updated my DC discovery Powershell code.  Now it also discovers the “closest” 2008 R2 DC and displays the DC name.

A recent customer had an issue when a 2008 R2 server is promoted to be a DC the other 2003 DC(s) in the site are resource starved and become non-responsive causing Exchange to fail.  This happened twice out of many, many promotions.  So, I wanted to add in the capability for someone to specify an explicit replication source DC versus having DCPromo select one in the site.  The result?  This blog post.

Basically, I added one more prompt toward the end of my DCBuild script “do you want to specify a replication source DC?”,  If yes, then I automatically discover the closest 2008 DC and when I prompt for the source DC name I default to the one that was discovered.  The user can change it or press enter to select the default.  Then I check the entered source DC name and display the DC version with a warning if they selected a 2003 DC.

Here’s the code from the DCBuild script that performs the autodiscover.

#########################################
# Specify DCPRomo Replication Source DC #
#########################################
# This enables override capability in the standard DCPromo process of replicting with a local DC
Write-Host “You can specify the replication source DC for use during DCPromo.”
Write-Host “This DC has to be available during the DCPromo process or DC promotion will fail.”
write-host “”

################################################
# Import Active Directory Powershell Elements  #
################################################
write-host “Configuring Powershell environment…” `r
import-module ActiveDirectory

# Prompt to specify explicit replication source DC
$Response = Read-Host -Prompt “Specify the replication source DC for use during DCPromo? <Yes / No> [Default: No]”
Switch ($Response)
{  ## OPEN Switch Response
Y   {$ExplicitSourceDC = “Yes”}
Yes {$ExplicitSourceDC = “Yes”}
DEFAULT   {$ExplicitSourceDC = “No”}
}  ## CLOSE Switch Response

IF ($ExplicitSourceDC -eq “Yes”)
{  ## OPEN IF ExplicitSourceDC Yes
Write-Host “By default, the script will autodiscover a 2008 R2 DC in the site.” `r
Write-Host “You can specify a different replication source DC by entering the DC’s FQDN.” `r
# Discover 2008 DC
$DiscoveredSourceDC = Get-ADDomainController -discover -forcediscover -nextclosestsite -service ADWS
$DefaultSourceDC = $DiscoveredSourceDC.HostName
$SourceDC = Get-ADDomainController -identity “$DefaultSourceDC”
$SourceDCOS = $SourceDC.OperatingSystem
$SourceDCRO = $SourceDC.IsReadOnly

IF ($SourceDCOS -like “*2003*”)
{  ## OPEN IF The discovered DC is running Windows Server 2003 *
Write-host “Native autodiscover found a 2003 DC: $DefaultSourceDC” `r
Write-host “Please manually specify a 2008 R2 DC.” `r
}  ## CLOSE IF The discovered DC is running Windows Server 2003 *

IF  ($SourceDCOS -like “*2008 R2*”)
{  ## OPEN IF The discovered DC is running Windows Server 2008 R2
Write-host “Native autodiscover found the 2008 R2 DC: $DefaultSourceDC” `r
}  ## CLOSE IF The discovered DC is running Windows Server 2008 R2

IF ($SourceDCRO -eq “True”)
{  ## OPEN IF The discovered DC is running Windows Server 2003 *
Write-host “Native autodiscover found a Read Only DC: $DefaultSourceDC” `r
Write-host “Please manually specify a 2008 R2 DC.” `r
}  ## CLOSE IF The discovered DC is running Windows Server 2003 *

# Specify explicit replication source DC
$RequestSN = “Please enter the hostname of the DC you want to use as the DCPromo replication source DC [Default: $DefaultSourceDC]”
$ReplSourceDC = read-host $RequestSN
$ReplSourceDC = $ReplSourceDC.Replace(” “, “”)
IF (!$ReplSourceDC ) {$ReplSourceDC = $DefaultSourceDC}

$ReplSourceDCInfo = Get-ADDomainController -identity “$ReplSourceDC”
$ReplSourceDCOS = $ReplSourceDCInfo.OperatingSystem

IF ($ReplSourceDCOS -like “*2003*”)
{  ## OPEN IF The discovered DC is running Windows Server 2003 *
Write-host “You have selected the DC $ReplSourceDC which is running Windows Server 2003.” `r
Write-host “This DC is now set as the replication source DC.” `r
}  ## CLOSE IF The discovered DC is running Windows Server 2003 *

IF  ($ReplSourceDCOS -like “*2008 R2*”)
{  ## OPEN IF The discovered DC is running Windows Server 2008 R2
Write-host “$ReplSourceDC is a 2008 R2 DC.  This DC is now set as the replication source DC. Continuing…” `r
}  ## CLOSE IF The discovered DC is running Windows Server 2008 R2

## Check for RODC?

}  ## CLOSE IF ExplicitSourceDC Yes

The discover a 2008 DC was tricky since the Get-ADDomainController powershell comandlet doesn’t allow one to use the discover options with a filter option which would have looked like this:
Get-ADDomainController -discover -forcediscover -nextclosestsite -filter {(OperatingSystem -like “*2008 R2*”)

That doesn’t work, so I finally figured out I can do this:
Get-ADDomainController -discover -forcediscover -nextclosestsite -service ADWS

The ADWS is a new service starting with Windows Server 2008 R2, therefore, only 2008 r2 DCs should be running it.  Remove “-service ADWS” from the end of the line to return any DC OS.
Problem solved.

My next mission is to figure out how to filter RODCs from this result.

# Get the current computer name, domain name, username, and some other variables I may use.
# Duplicated variables to ensure the correct one is set.
write-host “Gathering system information…” `r
write-host “” `r
$Computer = $env:ComputerName
$CurrentUserName = $env:UserName
$DomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$ComputerInfo = get-wmiobject -class “Win32_NTDomain” -namespace “root\CIMV2″
$Domain = $ComputerInfo[1].DomainName
$ClientSite = $ComputerInfo[1].ClientSiteName
$DCSite = $ComputerInfo[1].DcSiteName
$ADSite = $ClientSite

################################################
# Import Active Directory Powershell Elements  #
################################################
write-host “Configuring Powershell environment…” `r
import-module ActiveDirectory

### DOMAIN DC DISCOVERY ###
write-host “” `r
Write-Host “Discovering all DCs in the domain $DomainDNS …” `r
$DomainControllers = Get-ADDomainController -Filter  { isGlobalCatalog -eq $true -or isGlobalCatalog -eq $false}
ForEach ($DC in $DomainControllers)
{
[array] $DomainDCs += $DC.HostName
}
$DCCount = $DomainDCs.Count
$DomainDCs = $DomainDCs | sort
IF (!$DCCount) {$DCCount = “0″}
Write-Host “Found $DCCount DCs in $DomainDNS. ” `r

write-host “” `r
Write-Host “Discovering all 2008 R2 DCs in the domain $DomainDNS …” `r
$2008Dcs = Get-ADDomainController -Filter  { OperatingSystem -eq “Windows Server 2008 R2 Enterprise”}
ForEach ($DC in $2008Dcs)
{
[array] $Domain2008DCs += $DC.HostName
}
$2008DCCount = $Domain2008DCs.Count
$Domain2008DCs = $Domain2008DCs | sort
IF (!$2008DCCount) {$2008DCCount = “0″}
Write-Host “Found $2008DCCount DCs in $DomainDNS.” `r

write-host “” `r
Write-Host “Discovering all NON 2008 R2 DCs in the domain $DomainDNS …” `r
$2003DCsInSiteArray = Get-ADDomainController -Filter  { OperatingSystem -eq “Windows Server 2003″}
ForEach ($DC in $2003DCsInSiteArray)
{
[array] $Domain2003DCs += $DC.HostName
}
$2003DcCount = $Domain2003DCs.Count
$Domain2003DCs = $Domain2003DCs | sort
IF (!$2003DcCount) {$2003DcCount = “0″}
Write-Host “Found $2003DcCount DCs in $DomainDNS. ” `r
write-host “” `r
write-host “Out of the $DCCount DCs in $DomainDNS, $2008DCCount are running 2008 R2, and $2003DcCount are running Windows Server 2003″ `r

### SITE DC DISCOVERY ###
write-host “” `r
Write-Host “Discovering DCs in the site $ADSite in Domain $DomainDNS …” `r
$DCsInSiteArray = Get-ADDomainController -Filter  { Site -eq “$ADSite”}
$DCsInsiteCount = $DCsInSiteArray.Count
ForEach ($DC in $DCsInSiteArray)
{
[array] $DCsInSite += $DC.HostName
}
$DCsInSite = $DCsInSite | sort
IF (!$DCsInsiteCount) {$DCsInsiteCount = “0″}
Write-Host “There are $DCsInsiteCount DCs in the site $ADSite” `r

write-host “” `r
Write-Host “Discovering DCs running Windows Server 2008 R2 in the site $ADSite …” `r
$2008DCsInSiteArray = Get-ADDomainController -Filter  { Site -eq “$ADSite” -and OperatingSystem -eq “Windows Server 2008 R2 Enterprise”}
$2008DCsInsiteCount = $2008DCsInSiteArray.Count
ForEach ($DC in $2008DCsInSiteArray)
{
[array] $2008DCsInSite += $DC.HostName
}
$2008DCsInSite = $2008DCsInSite | sort
IF (!$DCsInsiteCount) {$DCsInsiteCount = “0″}
Write-Host “There are $DCsInsiteCount DCs running Windows Server 2008 R2 in the site $ADSite” `r

# Discover 2008 R2 DC
$DiscoveredSourceDC= Get-ADDomainController -discover -forcediscover -nextclosestsite -service ADWS
$DefaultSourceDC = $DiscoveredSourceDC.HostName
$SourceDC = Get-ADDomainController -identity “$DefaultSourceDC”
$SourceDCOS = $SourceDC.OperatingSystem
$SourceDCRO = $SourceDC.IsReadOnly

IF ($SourceDCOS -like “*2003*”)
{  ## OPEN IF The discovered DC is running Windows Server 2003 *
Write-host “Native autodiscover found a 2003 DC: $DefaultSourceDC” `r
}  ## CLOSE IF The discovered DC is running Windows Server 2003 *

IF  ($SourceDCOS -like “*2008 R2*”)
{  ## OPEN IF The discovered DC is running Windows Server 2008 R2
Write-host “Native autodiscover found the 2008 R2 DC: $DefaultSourceDC” `r
}  ## CLOSE IF The discovered DC is running Windows Server 2008 R2

IF ($SourceDCRO -eq “True”)
{  ## OPEN IF The discovered DC is running Windows Server 2003 *
Write-host “Native autodiscover found a Read Only DC: $DefaultSourceDC” `r
}  ## CLOSE IF The discovered DC is running Windows Server 2003 *

ADWS Note from Microsoft:
What does Active Directory Web Services do?

Active Directory Web Services (ADWS) in Windows Server 2008 R2 is a new Windows service that provides a Web service interface to Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) instances, and Active Directory Database Mounting Tool instances that are running on the same Windows Server 2008 R2 server as ADWS. If the ADWS service on a Windows Server 2008 R2 server is stopped or disabled, client applications, such as the Active Directory module for Windows PowerShell or the Active Directory Administrative Center will not be able to access or manage any directory service instances that are running on this server.

ADWS is installed automatically when you add the AD DS or AD LDS server roles to your Windows Server 2008 R2 server. ADWS is configured to run if you make this Windows Server 2008 R2 server a domain controller by running Dcpromo.exe or if you create an AD LDS instance on this Windows Server 2008 R2 server.

I’ll cover more from the DCBuild script later on…

Cheers,
Sean

Google+FacebookEmailPrintShare
Posted in Uncategorized

Powershell, A New Way to Manage Windows

Mar14
2011 Leave a Comment Written by Sean Metcalf

Powershell version 2.0 provides a number of compelling new features including:

  • Powershell remoting – send Powershell code to a remote host for processing with the results returned to the local Powershell console.
  • Improved management of remote systems – without using remoting, most commands now have the capability to connect to remote systems while running in the local console.
  • Native Active Directory Commandlets – AD commandlets make it far easier to get data from AD.
  • Background Jobs – send work to the background within Powershell scripts.
  • Script Debugging via breakpoints
  • More Efficient Network File Transfer leveraging BITS.
  • Exception Handling using Try Catch
  • Support for Block Comments.

Powershell is one of the simplest scripting environments to learn due to the verb-noun command structure and common options across most Powershell commands.

Example Powershell Command:  Get-Service

Starting with Windows Server 2008, a Powershell console shortcut is visible at the bottom of the desktop.  Ensure the Powershell console is run as Administrator or some commands will not be successful.

Running the command Get-Help Get-Service returns the following syntax:

Get-Service [[-Name] <string[]>] [-ComputerName <string[]>] [-DependentServices] [-Exclude <string[]>] [-Include <string[]>] [-RequiredServices] [<Com
monParameters>]

Running Get-Service returns a list of all Windows services running on the local system.  This is useful, but is far more useful in a list.  The great thing about Powershell is that Powershell treats all data as objects.  The benefit to this is that when propagating a variable with command result data, it is accessed at an object level for easy parsing.

The following command will populate the $Services variable with a list of all running services on the local system.

$Services = Get-Service

The benefit is obvious when working with the data in the $Services variable.  For example, displaying the first item in the list is as easy as entering the variable name with the item number in brackets (the first item in the list is #0).

PS C:\> $Services[0]

Status          Name                         DisplayName
——             —-                              ———–
Running     AeLookupSvc        Application Experience

Appending .Status to the end of the variable name and list item number displays the status of the first service.

PS C:\> $Services[0].Status

Running

How does this help?  Well, if it is necessary to display all the running services on a computer, it is simple to run the following command against the variable $Services.

PS C:\> $Services | where {$_.Status -eq “Running”}

Status        Name               DisplayName
——           —-                    ———–
Running  AeLookupSvc        Application Experience
Running  AudioEndpointBu… Windows Audio Endpoint Builder
Running  Audiosrv           Windows Audio
Running  BFE                Base Filtering Engine
Running  BITS               Background Intelligent Transfer Ser…
Running  Browser            Computer Browser
Running  CryptSvc           Cryptographic Services
Running  CscService         Offline Files
Running  DcomLaunch         DCOM Server Process Launcher
Running  Dhcp               DHCP Client
Running  Dnscache           DNS Client

Getting started with PowerShell?
Try using the free, included PowerShell ISE (installable in Windows 7 & Windows 2008 R2).

An even better option is the free Quest program called PowerGUI.  PowerGUI compares very well the much more expensive PrimalScript ($300) for Powershell scripting.  Obviously if you are doing more than just PowerShell coding, PrimalScript or VisualStudio may be a better option.  But, you can’t beat free!

Cheers,
Sean


Google+FacebookEmailPrintShare
Posted in Microsoft Products, Tech - Tagged ,
Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog do not represent the views of Metcorp Consulting, LLC or its partners. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2012