Technical posts about IT

Posts tagged Powershell Module

Powershell Code: Get Active Directory User Information

Oct22
2011 Leave a Comment Written by Sean Metcalf

I have had several requests from customers for AD User Counts, so I decided I would condense all this information into a single User Inventory script.

This includes the following information (leveraging AD Commandlets):

  • Number of Users in the AD Domain
  • Number of Enabled Users in the AD Domain
  • Number of Disabled Users in the AD Domain
  • Number of Inactive Users in the AD Domain (haven’t logged on in the last 180 days).
  • Number of Admin Accounts in the AD Domain
  • Number of Enabled Admin Accounts in the AD Domain
  • Number of Service Accounts in the AD Domain
  • Number of Accounts with an Exchange Mailbox in the AD Domain
  • Number of User Accounts that have logged on in the last 30 days
  • Number of User Accounts in the AD Domain that have never logged on
  • Number of User Accounts in the AD Domain that are currently locked out

Get Active Directory User Statistics (Inventory):

import-module ActiveDirectory
[int]$LastLoggedOnInDays = 365
[int]$PasswordLastSetInDays = 180

Write-Verbose "Generating AD User Statistics `r "
$LastLoggedOnDate = $DateTime - (New-TimeSpan -days $LastLoggedOnInDays)
$PasswordStaleDate = $DateTime - (New-TimeSpan -days $PasswordLastSetInDays)
$DateTime = Get-Date #Get date/time
$UserStaleDate = $DateTime.AddDays(-$Age)
$NeverLoggedOnDate = $DateTime.AddDays(-365) 
$Yesterday = $DateTime.AddDays(-1) 
$Yesterday = $Yesterday.ToShortDateString()
[string]$Yesterday = $Yesterday
$Today = $DateTime.ToShortDateString()
[string]$Today = $Today

[array] $AllUserInventory = @()
$1Days = $DateTime.AddDays(-1)
$2Days = $DateTime.AddDays(-2)
$3Days = $DateTime.AddDays(-3)
$4Days = $DateTime.AddDays(-4)
$5Days = $DateTime.AddDays(-5)
$6Days = $DateTime.AddDays(-6)
$7Days = $DateTime.AddDays(-7)
$30Days = $DateTime.AddDays(-30)
$45Days = $DateTime.AddDays(-45)
$60Days = $DateTime.AddDays(-60)
$90Days = $DateTime.AddDays(-90)
$120Days = $DateTime.AddDays(-120)
$180Days = $DateTime.AddDays(-180)

###################
# User Statistics # 20110919-13
###################
Write-Verbose "Generating AD User Statistics `r "
$LastLoggedOnDate = $DateTime - (New-TimeSpan -days $LastLoggedOnInDays)
$PasswordStaleDate = $DateTime - (New-TimeSpan -days $PasswordLastSetInDays)
$DateTime = Get-Date #Get date/time
$UserStaleDate = $DateTime.AddDays(-$Age)
$NeverLoggedOnDate = $DateTime.AddDays(-365) 
$Yesterday = $DateTime.AddDays(-1) 
$Yesterday = $Yesterday.ToShortDateString()
[string]$Yesterday = $Yesterday
$Today = $DateTime.ToShortDateString()
[string]$Today = $Today

Write-Output "Discovering all users in $ADDomainDNSRoot ... `r "
# Gather a list of all users in AD including necessary attributes
[array]$AllUsers = Get-ADUser -filter * -properties Name,DistinguishedName,Enabled,LastLogonDate,LastLogonTimeStamp,LockedOut,msExchHomeServerName,SAMAccountName
$AllUsersCount = $AllUsers.Count
Write-Output "There were $AllUsersCount stale user objects discovered in $ADDomainDNSRoot ... `r "
Write-Output " `r "

Write-Verbose "Count Disabled Users `r "
[array] $DisabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $False }
$DisabledUsersCount = $DisabledUsers.Count
[array] $EnabledUsers = $AllUsers | Where-Object { $_.Enabled -eq $True }
$EnabledUsersCount = $EnabledUsers.Count
Write-Output "There are $EnabledUsersCount Enabled users and there are $DisabledUsersCount Disabled users in $DomainDNS `r "

Write-Verbose "Count Inactive Users that are Enabled `r "
[array] $InactiveUsers = $AllUsers | Where-Object { ($_.PasswordLastSet -lt $UserStaleDate) -and ($_.Enabled -eq $True) }
$InactiveUsersCount = $InactiveUsers.Count
Write-Output "There are $InactiveUsersCount users identified as Inactive (with passwords older than $Age days in $DomainDNS `r "

Write-Verbose "Count Admin Accounts (accounts with _ad in the name) `r "
[array] $AllAdminAccounts = $AllUsers | Where-Object { ($_.SAMAccountName -like "*admin") -or ($_.Name -like "*_ad*") }
$AllAdminAccountsCount = $AllAdminAccounts.Count
#
[array] $EnabledAdminAccounts = $AllAdminAccounts | Where-Object { $_.Enabled -eq $True }
$EnabledAdminAccountsCount = $EnabledAdminAccounts.Count
Write-Output "There are $EnabledAdminAccountsCount Enabled Admin accounts in $DomainDNS (out of a total of $AllAdminAccountsCount Admin accounts) `r "
#
[array] $ActiveAdminAccounts = $EnabledAdminAccounts | Where-Object { ($_.LastLogonDate -ge $180Days) -and ($_.PasswordLastSet -gt $NeverLoggedOnDate) } 
$ActiveAdminAccountsCount = $ActiveAdminAccounts.Count
Write-Output "There are $ActiveAdminAccountsCount Active Admin accounts in $DomainDNS (Active accounts have logged on in the past 6 months and have current passwords) `r "

Write-Verbose "Count Service Accounts (accounts with SVC in the name) `r "
[array] $AllServiceAccounts = $AllUsers | Where-Object { $_.SAMAccountName -like "*SVC*" }
$AllServiceAccountsCount = $AllServiceAccounts.Count
[array] $EnabledServiceAccounts = $AllServiceAccounts | Where-Object { $_.Enabled -eq $True }
$EnabledServiceAccountsCount = $EnabledServiceAccounts.Count
Write-Output "There are $EnabledServiceAccountsCount Enabled Service accounts in $DomainDNS (out of a total $AllServiceAccountsCount Service accounts) `r "

Write-Verbose "Count users with an Exchange Mailbox `r "
[array] $MailboxUsers = $AllUsers | Where-Object { $_.msExchHomeServerName -notlike $NULL }
$MailboxUsersCount = $MailboxUsers.Count
[array] $MailboxEnabledUsers = $MailboxUsers | Where-Object { $_.msExchHomeServerName -notlike $NULL }
$MailboxEnabledUsersCount = $MailboxEnabledUsers.Count
Write-Output "There are $MailboxUsersCount users in $DomainDNS with an Exchange Mailbox. `r "
Write-Output "There are $MailboxEnabledUsersCount Enabled users in $DomainDNS with an Exchange Mailbox. `r "

Write-Verbose "Count Enabled users who have logged on in the last 30 days `r "
[array] $LastLogon30 = $EnabledUsers | Where-Object { $_.LastLogonDate -ge $30Days }
$LastLogon30Count = $LastLogon30.Count
Write-Output "Out of $EnabledUsersCount Enabled users in $DomainDNS only $LastLogon30Count have logged on in the last 30 days (there may be up to a 14 day margin of error for this count) `r "

Write-Verbose "Count Enabled users who have logged on in the last 45 days `r "
[array] $LastLogon45 = $EnabledUsers | Where-Object { $_.LastLogonDate -ge $45Days }
$LastLogon45Count = $LastLogon45.Count
Write-Output "Out of $EnabledUsersCount Enabled users in $DomainDNS only $LastLogon45Count have logged on in the last 45 days `r"

Write-Verbose "Count Enabled users who have logged on in the last 60 days `r "
[array] $LastLogon60 = $EnabledUsers | Where-Object { $_.LastLogonDate -ge $60Days }
$LastLogon60Count = $LastLogon60.Count
Write-Output "Out of $EnabledUsersCount Enabled users in $DomainDNS only $LastLogon60Count have logged on in the last 60 days `r"

Write-Verbose "Count Enabled users who have logged on in the last 90 days `r"
[array] $LastLogon90 = $EnabledUsers | Where-Object { $_.LastLogonDate -ge $90Days }
$LastLogon90Count = $LastLogon90.Count
Write-Output "Out of $EnabledUsersCount Enabled users in $DomainDNS only $LastLogon90Count have logged on in the last 90 days `r"

Write-Verbose "Count Enabled users who have logged on in the last 120 days `r"
[array] $LastLogon120 = $EnabledUsers | Where-Object { $_.LastLogonDate -ge $120Days }
$LastLogon120Count = $LastLogon120.Count
Write-Output "Out of $EnabledUsersCount Enabled users in $DomainDNS only $LastLogon120Count have logged on in the last 120 days `r"

Write-Verbose "Count Enabled users who have logged on in the last 180 days `r"
[array] $LastLogon180 = $EnabledUsers | Where-Object { $_.LastLogonDate -ge $180Days }
$LastLogon180Count = $LastLogon180.Count
Write-Output "Out of $EnabledUsersCount Enabled users in $DomainDNS only $LastLogon180Count have logged on in the last 180 days `r"

Write-Verbose "Count All users who have NEVER logged on `r"
[array] $LastLogonNever = $AllUsers | Where-Object { ($_.LastLogonDate -eq $NULL) -and ($_.PasswordLastSet -gt $NeverLoggedOnDate) }
$LastLogonNeverCount = $LastLogonNever.Count
Write-Output "Out of All $AllUsersCount users in $DomainDNS $LastLogonNeverCount have NEVER logged on (no logon date associated with account) `r"

Write-Verbose "Count users who logged in during the last week (Only useful if LastLogonTimeStamp replicates every <7 days) `r"
[array] $LastLogon1 = $EnabledUsers | Where-Object { $_.LastLogonDate -le $7days }
$LastLogon1Count = $LastLogon1.Count
Write-Output "$LastLogon1Count Enabled users logged in within the last week `r"

Write-Verbose "Count users who logged in yesterday (Only useful if LastLogonTimeStamp replicates every 1 day) `r" [array] $LastLogonYesterday = $EnabledUsers | Where-Object { $_.LastLogonDate -like "*$Yesterday*" }
$LastLogonYesterdayCount = $LastLogonYesterday.Count
Write-Output "$LastLogonYesterdayCount Enabled users logged in yesterday `r"

Write-Verbose "Count users who logged in today (Only useful if LastLogonTimeStamp replicates every 1 day -combine with yesterday logons to get semi-accurate count of recent logons) `r"
[array] $LastLogontoday = $EnabledUsers | Where-Object { $_.LastLogonDate -like "*$Today*" }
$LastLogontodayCount = $LastLogontoday.Count
Write-Output "$LastLogontodayCount Enabled users logged in today (so far) `r"

Write-Verbose "Count enabled users who have accounts locked out `r"
[array] $EnabledLockedUsers = $EnabledUsers | Where-Object { $_.LockedOut -eq $True }
$EnabledLockedUsersCount = $EnabledLockedUsers.Count
Write-Output "$EnabledLockedUsersCount Enabled users are currently locked out `r"

 

 

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Powershell Code, Tech - Tagged , , , , , , , ,

PowerShell Implicit Remoting over the Internet

Oct13
2011 Leave a Comment Written by Sean Metcalf

Mike Pfeiffer has a great post on implicit remoting of Exchange modules across the Internet via ISA/TMG publishing.

From the start of his post:

This post is inspired by a question asked during my presentation at the last Arizona PowerShell User Group (AZPOSH) meeting. After I demonstrated Exchange management via PowerShell implicit remoting, one of our members said, “Ok, so how do I do that over the internet?”. Due to time constraints, I didn’t go into it the process in great detail, so I’ve decided to do that here, in this post. To demonstrate this configuration, I’ll use a basic topology with a single Exchange 2010 server running the core roles (hub, cas, mailbox). I will be publishing the PowerShell virtual directory to the internet via HTTPS using Forefront Threat Management Gateway (TMG), as shown in the diagram below.

The key to this is configuring /powershell/ publishing via TMG…

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Security, Tech - Tagged , , ,

Installing Powershell v3

Oct12
2011 Leave a Comment Written by Sean Metcalf

With the betas of Windows Client & Server “8″, also comes the beta of Powershell version 3.0. I posted some of the benefits of Powershell 3.0 earlier.

Here are the steps to installing the Powershell 3 beta:

  1. Download the Microsoft .Net Framework 4 & install on the system before installing the Powershell 3 beta.
  2. Download the Powershell 3 beta to the c:\temp folder on a TEST Windows 7 SP1 or Windows Server 2008 R2 SP1 machine.
  3. Extract the cab files by running the following command:
    expand c:\temp\WMF3-CTP1-x64.cab  c:\temp\Powershell3Beta -F:*
    NOTE: Ensure the destination folder exists by creating it (Powershell3Beta in this example).
  4.  Run the c:\temp\Powershell3Beta\WINDOWS6.1-KB2506143 MSU file, select OK for the installer and then the system will reboot.
  5. Open a powershell command window and run”$host.version“. This should show the following:
    Major      Minor
    ——–     ———
    3                0

Note: Not all modules are updated with this install (there are still only 76 Active Directory commandlets).

Google+FacebookEmailPrintShare
Posted in Deployment, Microsoft Products, Tech - Tagged , , ,

Powershell Version 3.0

Oct07
2011 1 Comment Written by Sean Metcalf

Now that Microsoft has made Windows 8 (client & server) available for download via MSDN, information about Powershell v3.0 has flooded the net.

Here’s the direct download link for Powershell 3.0.

Some of the benefits of Powershell 3.0:

  • Automatic module importing when running commands interactively in the Powershell console (not via a script).
  • New & improved commandlets for getting data from the web (similar to wget).
  • Tons of new commandlets for managing just about every Windows component.
  • Sessions now can gracefully recover from network disconnects and delays.
  • Powershell ISE now includes IntelliSense (intelligent autocomplete)
  • Powershell Web Service
  • Workflow
  • Scheduled Jobs
  • and lots more!

I will be investigating Powershell 3.0 more over the coming months – especially all the new Active Directory commandlets!

Google+FacebookEmailPrintShare
Posted in Deployment, Microsoft Products, Tech - Tagged , , ,

Powershell Code: Using Exchange Powershell Modules from the CAS server in a script

Oct01
2011 Leave a Comment Written by Sean Metcalf

I have mostly written scripts that leverage the Active Directory commandlets by importing the ActiveDirectory powershell module. My customer requirements now have me branching out into Exchange territory which requires the use of the Exchange Powershell module and associated commandlets. I have learned that there is no simple way to “install” the Exchange Powershell module on a system without installing the Exchange Management Tools

There is no simple “import-module” method to get the Exchange commandlets from a Powershell remote session.  The following describes a method to discover an Exchange server and use that for Exchange Powershell commandlets in a script. First the script discovers all Exchange CAS Servers by finding servers that registered the “exchangeRFR” SPN and then attempts a Powershell connection to any Exchange server running Windows Server 2008. This ensures that the script connects to an Exchange 2007 or 2010 server.

NOTE: This may attempt a remote Exchange Powershell connection to Exchange servers that are not running Exchange 2007/2010.

UPDATED CODE:

Write-Verbose “Find Exchange servers `r ”
$SessionSuccess = $False
[array] $ExchangeCASServers = Get-ADComputer -filter { (operatingsystem -like “*Server*”) -and (ServicePrincipalNames -like “*exchangeRFR*”) } -properties *
$ExchangeCASServersCount = $ExchangeCASServers.Count
Write-Verbose “Found $ExchangeCASServersCount Exchange servers `r”
[array] $ExchangeServerList = @()

ForEach ($Server in $ExchangeCASServers)
{  ## OPEN ForEach Server in ExchangeCASServers
[array] $ExchangeServerList += $Server.Name
} ## OPEN ForEach Server in ExchangeCASServers

ForEach ($Server in $ExchangeServerList)
{  ## OPEN ForEach Server in ExchangeCASServers
$ServerInfo = Get-ADComputer -Identity $Server -Properties *
IF ( $ServerInfo.OperatingSystem -like “*2008*”)
{  ## OPEN IF Server OS is 2008
Write-Verbose “$Server is running 2008. Now checking for Exchange Powershell Remoting… `r ”
TRY
{  ## OPEN TRY Powershell Remote Session
Write-Verbose “Create a Powershell remote session to a server with the commandlets installed. `r ”
$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$Server/PowerShell/ -Authentication Kerberos
Write-Verbose “Use the newly created remote Powershell session to send a command to that session `r ”
Import-PSSession $ExchangeSession
IF ($ExchangeSession.Availability -eq “Available”) {Write-Host “Exchange connection to $Server successful. `r ” ; $SessionSuccess = $True  ; break }
}  ## CLOSE TRY Powershell Remote Session

CATCH
{  Write-Verbose “The Exchange server $ServerHostName does not accept a remote Powershell session with currrent credentials. `r “  }
}  ## CLOSE IF Server OS is 2008
ELSE { Write-Output “$Server is Not running Windows Server 2008. Skipping… `r ” }
}  ## CLOSE ForEach Server in ExchangeCASServers

Here is the isolated script block code that pulls in the Exchange commandlets remotely.

Write-Verbose “Create a Powershell remote session to a server with the commandlets installed. `r “
                        $ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$ExchangeCASServers[0]/PowerShell/ -Authentication Kerberos
                        Write-Verbose “Use the newly created remote Powershell session to send a command to that session `r “
                        Import-PSSession $ExchangeSession

This pulls in Exchange Powershell modules from a CAS server and makes them available to the local machine.

Microsoft includes a Powershell script on machines that the Exchange Management Tools are installed on. This script is automaticaly run when clicking on “Exchange Management Shell” since this is only a shortcut to the command:

“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command “. ‘C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1‘; Connect-ExchangeServer -auto”

Note in the command above the script name I bolded named “RemoteExchange.ps1″. This script discovers an appropriate Exchange server, connects to it, and “imports” the Exchange powershell commandlets. It may be possible to copy this Powershell script to another machine and use it as part of a pseudo-Exchange Management Shell (though I haven’t tested this yet).

That was easy!

Isn’t Powershell fun?

 

Google+FacebookEmailPrintShare
Posted in Microsoft Products, Powershell Code, Tech - Tagged , , , , , ,
Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog do not represent the views of Metcorp Consulting, LLC or its partners. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2012