I have a (at least what I think) tricky problem with a Server 2008 R2 domain. I wrote a cleanup script for AD computer accounts. Beside the account in AD I want to delete SCCM and DNS accounts. But with DNS I have a problem. I need to log everything as my script will run timed as a job each day.
With the normal AD module cmdlets all work great by using something like this:
Remove-ADComputer -Identity $account -confirm:$false
if($?){
Write-Log -LogContent "Delete-OldADaccount: successfully deleted account `"$($account.name)`" with LastLogondate `"$($account.LastLogondate)`", full path `"$($account.distinguishedname)`"" -LogPath $logFile
} else {
Write-Log -LogContent "Delete-OldADaccount: failed to delete account `"$($account.name)`": $($error[0].Exception.Message)" -LogPath $logFile -Level 'Warn'
}
For deleting old DNS entries I found two solutions for Server 2008 R2 (I can't use those cool new Server 2012 DNS modules for ps):
dnscmd $DNSServer /RecordDelete $ZoneName $Computer A /f
and
Get-WmiObject -ComputerName $dnsserver -Namespace 'Root\MicrosoftDNS' -class MicrosoftDNS_AType -Filter "domainname = '$computer'" | Remove-WmiObject
But both commands (dnscmd and Remove-WmiObject) always return true, even if there were no records in DNS matching my computer account's name. So I cant use a similar construct as above.
So I tried something like this:
try{
[System.Net.DNS]::GetHostEntry($computer)
Get-WmiObject -ComputerName $dns -Namespace 'Root\MicrosoftDNS' -class MicrosoftDNS_AType -Filter "domainname = '$computer'" | Remove-WmiObject -whatif
Get-WmiObject -ComputerName $dns -Namespace 'Root\MicrosoftDNS' -class MicrosoftDNS_AAAAType -Filter "domainname = '$computer'" | Remove-WmiObject -whatif
Write-Log -LogContent "Delete-OldADaccount: successfully deleted DNS entry for `"$($computer)`"" -LogPath $logFile
}
catch {
Write-Log -LogContent "Delete-OldADaccount: failed to delete DNS entry for `"$($computer)`": $($error[0].Exception.Message)" -LogPath $logFile -Level 'Warn'
}
With the static function [System.Net.DNS]::GetHostEntry($computer) I test if there is at least an ipv4 entry (as ipv6 is deactivated on my system I would get an exception if there is only an ipv6 entry. If both ipv4 and ipv6 exist it works). If there is an entry it proceeds with the Remove-WmiObject cmdlet for ipv4 and ipv6.
If there is no such entry in DNS I get an exception and directly jump into the catch-block where I log the error.
But even with this method I have no clue later if the Remove-WmiObject was successful. I would have to do a ipconfig /flushdns and re-run the command [System.Net.DNS]::GetHostEntry($computer) to see if it now fails and interpret this as "entries deleted".
Please, is there another cmdlet or way for Server 2008 R2 to delete an entry from DNS and validate if the deletion was successful? Help ;)
I can't use those cool new Server 2012 DNS modules for ps
Yes you can, as long as you have at least one machine new enough to run them. They work just fine against a 2008 R2 domain controller. This would simplify things a lot!
Otherwise, you can still use CIM/WMI calls to retrieve the value of the record like you're already doing instead of using GetHostEntry.
Example, courtesy of Jon Dechiro
if (Get-WmiObject -ComputerName $dnsserver -Namespace 'Root\MicrosoftDNS' -class MicrosoftDNS_AType -Filter "domainname = '$computer'") {
Write-Log -LogContent "Delete-OldADaccount: failed to delete DNS entry for "$($computer)": Entry still exists on $dnsserver" -LogPath $logFile -Level 'Warn'
} else {
Write-Log -LogContent "Delete-OldADaccount: successfully deleted DNS entry for "$($computer)"" -LogPath $logFile
}
Related
I got a client who asked me to find all of his Dhcp and DNS servers with some additional info like DC servers and operationsystem
so i decided to try sharpen my powershell skills but im still new to this so i wrote this script but i guess something is still missing because it doesnt work
EDIT: i managed to find a way to get the info i want which is the OS but it gets me back ALL the servers in the company
$servers = get-dhcpserverindc
foreach($server in $Servers){
get-adcomputer -filter {Operatinsytem -like "*windows server*"} -properties
Operatingsystem | sort name | format-table name,Operatinsytem
}
This is not too tricky. First off, you connect to a machine with the RSAT Tools installed, like an admin server, jump box, or Domain Controller, and get a list of all DHCP Servers.
$DHCPServers = Get-DhcpServerInDC
Then we use PowerShell's built in looping logic to step through each server, and check for the OS info you need.
ForEach ($DHCPServer in $DHCPServers){
$OSInfo = Get-CIMInstance -ComputerName $DHCPServer.DnsName -ClassName Win32_OperatingSystem
}
Finally, we'll modify this above to return the info you're looking for, namely the IP Address, Name, and OS Version
ForEach ($DHCPServer in $DHCPServers){
$OSInfo = Get-CIMInstance -ComputerName $DHCPServer.DnsName -ClassName Win32_OperatingSystem
[pscustomobject]#{
ServerName = $DHCPServer.DnsName;
IPAddress=$DHCPServer.IpAddress;
OS=$OSInfo.Caption
}
}
ServerName IPAddress OS
---------- --------- --
dc2016 192.168.10.1 Microsoft Windows Server 2016 Standard
From there, you can store it in a variable, make it a spreadsheet, do whatever you need to do.
Hope this helps.
If this isn't working, make sure you have enabled PowerShell Remoting first.
After I clone an instance from an image, a few manual steps need to be carried out to get the report server working correctly. Among them is the deletion of all encrypted data, including symmetric key instances on the report server database.
This step requires me to RDP to the server in question, open the Reporting Services Configuration Manager and delete the encrypted data manually.
Without carrying out this step, I get the following error when I try to load up the report server interface of the new server:
The report server cannot open a connection to the report server
database. A connection to the database is required for all requests
and processing. (rsReportServerDatabaseUnavailable)
I'm trying to automate this step, so that it runs as part of a PowerShell script to remotely delete the encrypted data.
I am aware of 'rskeymgmt -d' but this prompts the user for input when run and has no force flag available to circumvent this additional input, rendering it unusable for running remotely as far as I can see:
C:\>rskeymgmt -d
All data will be lost. Are you sure you want to delete all encrypted data from
the report server database (Y/N)?
I've found a solutions to solving this problem. Calling RSKeyMgmt -d through a remote PowerShell session and piping the Y string to the call passes the parameter that RSKeyMgmt prompts the user for. This method is based on Som DT's post on backing up report server encryption keys
I've attached the full script I am using as part of my environment cloning process.
<#
.SYNOPSIS
Deletes encrypted content from a report server
.PARAMETER MachineName
The name of the machine that the report server resides on
.EXAMPLE
./Delete-EncryptedSsrsContent.ps1 -MachineName 'dev41pc123'
Deletes encrypted content from the 'dev41pc123' report server
#>
param([string]$MachineName = $(throw "MachineName parameter required, for command line usage of this script, type: 'get-help ./Delete-EncryptedSSRS.ps1 -examples'"))
trap [SystemException]{Write-Output "`n`nERROR: $_";exit 1}
Set-StrictMode -Version Latest
try
{
Write-Output "`nCreating remote session to the '$machineName' machine now..."
$session = New-PSsession -Computername $machineName
Invoke-Command -Session $Session -ScriptBlock {"Y" | RSKeyMgmt -d}
}
catch
{
Write-Output "`n`nERROR: $_"
}
finally
{
if ($Session)
{
Remove-PSSession $Session
}
}
This is a generalisation of ShaneC's solution, to support deletion of encrypted content on non default instances:
<#
.SYNOPSIS
Deletes encrypted content from a report server
.PARAMETER MachineName
The name of the machine that the report server resides on
.EXAMPLE
./Delete-EncryptedSsrsContent.ps1 -MachineName 'dev41pc123'
Deletes encrypted content from the default instance (MSSQLSERVER) of the 'dev41pc123' report server
.EXAMPLE
./Delete-EncryptedSsrsContent.ps1 -MachineName 'dev41pc123' -InstanceName 'NonDefault'
Deletes encrypted content from the specified non-default instance (e.g. NonDefault) of the 'dev41pc123' report server
#>
param(
[Parameter(Mandatory=$true)]
[string]$MachineName = $(throw "MachineName parameter required, for command line usage of this script, type: 'get-help ./Delete-EncryptedSSRS.ps1 -examples'"),
[Parameter(Mandatory=$false)]
[string]$InstanceName)
trap [SystemException]{Write-Output "`n`nERROR: $_";exit 1}
Set-StrictMode -Version Latest
try
{
Write-Output "`nCreating remote session to the '$MachineName' machine now..."
$session = New-PSsession -Computername $MachineName
if ([string]::IsNullOrEmpty($instanceName))
{
Invoke-Command -Session $Session -ScriptBlock {"Y" | RSKeyMgmt.exe -d}
}
else
{
Write-Output "`nDeleting all encrypted content from the $InstanceName instance on the $MachineName machine now...`n"
$command = """Y""| RSKeyMgmt.exe -d -i""" + $InstanceName + """"
Invoke-Command -Session $Session -ScriptBlock { Invoke-Expression $args[0] } -ArgumentList $command
Write-Output "`n"
}
}
catch
{
Write-Output "`n`nERROR: $_"
}
finally
{
if ($Session)
{
Remove-PSSession $Session
}
}
I'm trying to write a script that requires turning off the Internet entirely and then turning it back on. I'd like it to work in as many cases as possible...
support for Window 7 and up
if multiple Internet connections are on (like WiFi and LAN)
regardless of how these connections are named
limited user account, UAC?
ipconfig /release and ipconfig /renew, as suggested in this answer, do not work with 2 internet connections. /release disables the active connection (say WLAN) but the computer falls back on the LAN connection and you're still online.
$connectedAdapters = Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetConnectionStatus = 2"
$connectedAdapters | Invoke-WmiMethod -Name disable
My questions are:
Is NetConnectionStatus = 2 a reliable proxy for internet access, and is it available on Windows 7 and up, regardless of the brand of your NIC?
Is this compatible with a limited user account with UAC on? I think so...
On my machine this query also catches VirtualBox Host-Only Ethernet Adapter. Is it a problem if I disable/enable it too?
Are Get-WmiObject and Invoke-WmiMethod are available on Windows 7 and up, right?
The questions are not entirely settled, but I've developed a script that works:
PowerShell Internet Connection helper functions: Go-Offline, Go-Online, Test-InternetAccess
#Requires -Version 2.0
function Test-InternetAccess {
<#
.SYNOPSIS
Tests connectivity by pinging Google DNS servers once
.DESCRIPTION
Uses Test-Connection to ping a host, with -Quiet for returning a boolean. The default is a highly available Google DNS server (8.8.4.4)
.EXAMPLE
Test-InternetAccess
.EXAMPLE
Test-InternetAccess example.com
.INPUTS
None.
.OUTPUTS
Boolean
#>
param (
[String]
$RemoteHost = "google-public-dns-b.google.com"
)
Test-Connection -Computer $RemoteHost -BufferSize 16 -Count 1 -Quiet
}
function Go-Offline {
<#
.SYNOPSIS
Disables your internet connection
.DESCRIPTION
Finds all network adapters that appear connected and disables them, taking you offline. Later on you can re-enable just those adapters, because they've been stored in an XML file. Connected adapters are detected through WMI. A NetConnectionStatus value of 2 means Connected. 7 means Media Disconnected.
.EXAMPLE
Go-Offline
.INPUTS
None.
.OUTPUTS
None.
.LINK
https://blogs.technet.microsoft.com/heyscriptingguy/2011/10/07/use-powershell-to-identify-your-real-network-adapter/
.LINK
https://msdn.microsoft.com/en-us/library/aa394216(v=vs.85).aspx
#>
[CmdletBinding(SupportsShouldProcess=$True)]
param()
$XMLLocation = "$env:TEMP\Disabled-NICs.xml"
if (Test-InternetAccess) {
$connectedAdapters = Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetConnectionStatus = 2"
# Go offline
$connectedAdapters | Invoke-WMIMethod -Name disable 1>$null
# Save which adapters were connected at the time
$connectedAdapters | Select Name, DeviceID | Export-Clixml -Path $XMLLocation -Force
Write-Output "You've been taken offline!"
Sleep 1
} else {
Write-Output "Connection already down..."
Sleep 1
}
}
function Go-Online {
<#
.SYNOPSIS
Re-enables your internet connection
.DESCRIPTION
Finds all network adapters that were previously disabled by Go-Offline and enables them. This information is persisted in a temp file.
.EXAMPLE
Go-Online
.INPUTS
None.
.OUTPUTS
None.
.LINK
https://blogs.technet.microsoft.com/heyscriptingguy/2011/10/07/use-powershell-to-identify-your-real-network-adapter/
#>
[CmdletBinding(SupportsShouldProcess=$True)]
param()
$XMLLocation = "$env:TEMP\Disabled-NICs.xml"
if (!(Test-InternetAccess)) {
# Get the NICs that have been previously disabled
$connectedAdapters = Import-Clixml "$env:TEMP\Disabled-NICs.xml" | Select -ExpandProperty DeviceID | ForEach {Get-WMIObject -Class Win32_NetworkAdapter -Filter "DeviceID = $_"}
# Get back online
$connectedAdapters | Invoke-WMIMethod -Name enable | Out-Null
Write-Output "Internet access restored!" # Triggers early, before actual re-connection
Sleep 1
}
}
Tested on Windows 7.
To run powershell commands on a machine from a remote machine we have to add the remote machine to the trusted hosts list of the host machine.
I am adding machine A to machine B's trusted hosts using the following command :
winrm set winrm/config/client ‘#{TrustedHosts="machineA"}’
How to add more machines say machine C, machine D to trusted hosts list of machine B?
I prefer to work with the PSDrive WSMan:\.
Get TrustedHosts
Get-Item WSMan:\localhost\Client\TrustedHosts
Set TrustedHosts
provide a single, comma-separated, string of computer names
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'machineA,machineB'
or (dangerous) a wild-card
Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*'
to append to the list, the -Concatenate parameter can be used
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'machineC' -Concatenate
winrm set winrm/config/client '#{TrustedHosts="machineA,machineB"}'
The suggested answer by Loïc MICHEL blindly writes a new value to the TrustedHosts entry.
I believe, a better way would be to first query TrustedHosts.
As Jeffery Hicks posted in 2010, first query the TrustedHosts entry:
PS C:\> $current=(get-item WSMan:\localhost\Client\TrustedHosts).value
PS C:\> $current+=",testdsk23,alpha123"
PS C:\> set-item WSMan:\localhost\Client\TrustedHosts –value $current
I created a module to make dealing with trusted hosts slightly easier, psTrustedHosts. You can find the repo here on GitHub. It provides four functions that make working with trusted hosts easy: Add-TrustedHost, Clear-TrustedHost, Get-TrustedHost, and Remove-TrustedHost. You can install the module from PowerShell Gallery with the following command:
Install-Module psTrustedHosts -Force
In your example, if you wanted to append hosts 'machineC' and 'machineD' you would simply use the following command:
Add-TrustedHost 'machineC','machineD'
To be clear, this adds hosts 'machineC' and 'machineD' to any hosts that already exist, it does not overwrite existing hosts.
The Add-TrustedHost command supports pipeline processing as well (so does the Remove-TrustedHost command) so you could also do the following:
'machineC','machineD' | Add-TrustedHost
Same as #Altered-Ego but with txt.file:
Get-Content "C:\ServerList.txt"
machineA,machineB,machineC,machineD
$ServerList = Get-Content "C:\ServerList.txt"
$currentTrustHost=(get-item WSMan:\localhost\Client\TrustedHosts).value
if ( ($currentTrustHost).Length -gt "0" ) {
$currentTrustHost+= ,$ServerList
set-item WSMan:\localhost\Client\TrustedHosts –value $currentTrustHost -Force -ErrorAction SilentlyContinue
}
else {
$currentTrustHost+= $ServerList
set-item WSMan:\localhost\Client\TrustedHosts –value $currentTrustHost -Force -ErrorAction SilentlyContinue
}
The "-ErrorAction SilentlyContinue" is required in old PS version to avoid fake error message:
PS C:\Windows\system32> get-item WSMan:\localhost\Client\TrustedHosts
WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client
Type Name SourceOfValue Value
---- ---- ------------- -----
System.String TrustedHosts machineA,machineB,machineC,machineD
winrm set winrm/config/client '#{TrustedHosts="ServerA"}'
Generates this error:
Syntax Error: input must be of the form {KEY="VALUE"[;KEY="VALUE"]}
This worked for me (Server 2016):
winrm set winrm/config/client #{TrustedHosts="ServerA"}
I am trying to check computer group membership through Powershell. I want to be able to specify a certain computer name and find which groups that computer is in but from a Powershell script. I am planning on running the script on a computer, grabbing the hostname, and then printing out what AD groups that computer is in. Is there an easy way to do this?
EDIT:
So the plan here is to have a computer check to see what groups it is in, then assign a printer based on which group it is in. We have many printers that only 3 to 4 people use but due to the spread out nature of the users cannot downsize the amount of printers. I was looking at group policy but did not want to create 20 different GPOs. I wanted to do this with a logon/startup script. I'm not sure if this is doable or feasible.
Edit #2:
This edit it really late to the party but I figured if anyone found this it could help. We ended up using item level targeting on User>Preferences>Control Panel>Printers objects. We made an account in AD for each group of users needing access to the printers. This worked although it did create a long logon process for the first logon of the computer. We also enabled Point-to-Print restrictions so the drivers were loaded from the servers quietly.
This will give you the group membership (group names) of the local computer (requires powershell 2.0):
([adsisearcher]"(&(objectCategory=computer)(cn=$env:COMPUTERNAME))").FindOne().Properties.memberof -replace '^CN=([^,]+).+$','$1'
Apologies if I'm a bit late to the party on this but I needed to find a computer's group membership as well. After a lot of trial and error, this worked for me.
Get-ADComputer "mycomp" -Properties MemberOf | %{if ($_.MemberOf -like "*group name*") {Write-Host "found"} }
I noticed that if the string comparison is on a separate line, I needed to do the following
$g=Get-ADGroupMember -Identity "CN=myADgroup,OU=myOU,DC=corp,DC=com" -server corp.com
foreach($mbr in $g) {if($name.MemberOf -like "*mycomp*" -eq $true) {Write-Host "found"}}
Not sure but I imagine that testing the computer might be faster and easier than testing the group depending on the number of members.
the gpresult method seems to be the only way I can find that is accurate. Querying AD is not accurate since the computer may have been added to groups but not rebooted. I am sure someone could condense this but it worked well enough for what I needed to see.
# Get all active domain servers
$staledate = (Get-Date).AddDays(-90)
$computers = Get-ADComputer -Filter {(OperatingSystem -Like "*Server*") -and (Enabled -eq $True) -and (LastLogonDate -ge $staledate) -and (Modified -ge $staledate) -and (PasswordLastSet -ge $staledate) -and (whenChanged -ge $staledate) -and (Name -notlike "PHXVSSA101A")} | Select name -expandproperty name
$computers = $computers | Where {(Resolve-DNSName $_.name -ea 0) -and (Test-Connection -ComputerName $_.Name -Count 1 -ea 0)} | Sort
# Loop through all active domain servers
Foreach ($computer in $computers)
{
# Pull the gpresult for the current server
$Lines = gpresult /s $computer /v /SCOPE COMPUTER
# Initialize arrays
$cgroups = #()
$dgroups = #()
# Out equals false by default
$Out = $False
# Define start and end lines for the section we want
$start = "The computer is a part of the following security groups"
$end = "Resultant Set Of Policies for Computer"
# Loop through the gpresult output looking for the computer security group section
ForEach ($Line In $Lines)
{
If ($Line -match $start) {$Out = $True}
If ($Out -eq $True) {$cgroups += $Line}
If ($Line -match $end) {Break}
}
# Loop through all the gathered groups and check for Active Directory groups
ForEach ($group in $cgroups)
{
Try {
$check = Get-ADgroup $group -ErrorAction Stop
If ($check) {
$dgroups += $group
}
}
Catch {}
}
# Output server name and any Active Directory groups it is in
$computer
$dgroups
# End of computers loop
}
try running gpresult /V and check under "security GROUPS"
You can also try gpresult /scope computer /v under a command prompt (elevated to admin) for more specific results
Heres an LDAP query to find if a computer is in a group recursively:
(((objectClass=computer)(sAMAccountName=COMPUTERNAME$))(memberof:1.2.840.113556.1.4.1941:=DistinguishedNameOfGroup))
More info: http://justanotheritblog.co.uk/2016/01/27/recursively-check-if-a-usercomputer-is-a-member-of-an-ad-group-with-powershell-2-0/
To check the computer's own view of group membership, you can run:
(New-Object System.Security.Principal.WindowsPrincipal("$env:computername$")).IsInRole('Example Group')
True
Taking the computer out of Example Group doesn't affect the output of the above until the computer is rebooted.
Try this DOS Command, this will return all the local groups this computer belong to :
net localgroup