Retrieving computers where specified user is in local admin group? - windows

I have windows domain network, i have about 3000 hosts in there. I would like to just check the info which of those hosts having specified technical user account in their local admin groups. I am not that great at power shell, though I know the base things.
I belive that I have to make a list of all hosts across several subnets I have and then run a script that will try to log on those hosts with looking account credentials.
What could be the best solution?

There is a very detailed post on TechNet about listing all computers in domain.
And here's the WMI query part (PowerShell, $aComputerList is a list of computer names):
foreach ($sComputerName in $aComputerList) {
$sUserPattern = 'Win32_UserAccount.Domain="domainname",Name="username"'
$sGroupPattern = 'Win32_Group.Domain="{0}",Name="Administrators"' -f $sComputerName
$oResult = Get-WmiObject -ComputerName $sComputerName -Class Win32_GroupUser | `
Where-Object {
($_.groupcomponent -match $sGroupPattern) -and `
($_.partcomponent -match $sUserPattern)
}
[Bool]$oResult
}
The hard part is that some computers probably won't be reachable (if they're turned off for instance). So you'll need to run your script several times and remove computers from the list as you get responses from them.

Related

Powershell - Checking # of files in a folder across a domain

So I'm trying to count the number of font files (that have different extensions) inside the local font folder of every computer in my domain at work to verify which computers have an up to date font installation using powershell.
So far I have
Write-Host ( Get-ChildItem c:\MyFolder | Measure-Object ).Count;
as a means of counting the files, I'm just at a loss on how exactly to replicate this and get a output that indicates the file count for the path for every computer on my domain (the file path is all the same for each)
How should I best proceed?
You will have to run the command against every computer. Assuming you have some sort of domain admin privelege and can access admin shares on all computers, you can use the c$ share.
The code below takes a list of computers in a single column CSV with no headers and runs the command against the admin share on each
$computers = Import-Csv -Path C:\computers.csv -Header Computer;
foreach($c in $computers)
{
Write-Host (Get-ChildItem "\\$($c.Computer)\c$\MyFolder" | Measure-Object).Count;
};

Preserve Active Directory trust relationships securely in AWS between VM's that start and stop

Developing Active Directory for a scalable and hackable student environment and I cannot manage to preserve the Domain Trust Relationship after the VM's restart. On first launch everything works, but after stopping/starting the AD Set, the trust relationship is broken.
Configuration Basics.
Three machines built and running in AWS (Windows Server 2012)
Domain Controller (Pre-Built Forest, Domains, Users, Computers, GPO's, etc)
Two "Targets" with varying permissions.
AMIs are built and domian joined before imaging.
Prior to imaging, Target Boxes are REMOVED from the domain, leaving a single DC and two un-joined Windows Server 2012 boxes.
Boxes are stopped without SysPrep to preserve SIDs and other variables like admin passwords, and an image is taken. User data is enabled
At this point, I can relaunch these boxes from AMI, re-join the domain, and I have no issues after restarting.
Here are the next steps.
The AMI's are run through a code pipeline that applies user data to the boxes to Domain Join and set the DNS to the IP of the DC.
Code exists to prevent the targets from crating until the DC is listening so they can join the domain.
On creation, things work flawlessly again.
After stopping and restarting, however, I start getting "NO_LOGON_SERVER" errors with tools, and cannot login with a domain user.
There are obvious solutions, but nearly all of them manual, and this must be automated. Furthermore, I must configure this in a way that no passwords are exposed on the box or retained as tickets or hashes in lsass that could ruin the exploint path.
If it helps, here is the User-Data that domain joins the targets.
<powershell>
# Checking for response from DC
do {
Start-Sleep 30
} until(Test-NetConnection -InformationLevel Quiet '{DC_IP_ADDR}')
# "true" if Domain Joined
$dCheck = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
# Join domain if not already, skip if joined.
if ($dCheck -eq 'True') {
echo "I was domain joined after restarting." >> C:\Windows\Temp\log.txt
}
else {
# Allows 'rdesktop' by disabling NLA as a requirement
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 0
# Set DNS to DC IP address via custom variable
$adapterIndex = Get-NetAdapter | % { Process { If ( $_.Status -eq "up" ) { $_.ifIndex } }}
Set-DNSClientServerAddress –interfaceIndex $adapterIndex –ServerAddresses ('{DC_IP_ADDR}','8.8.8.8')
#Set DA Credential object and join domain
$username = 'MYDOMAIN\ADMINISTRATOR'; $password = ConvertTo-SecureString -AsPlainText 'NotTheActualPasswordButReallySecure' -Force; $Credentials = New-Object System.Management.Automation.PSCredential $Username,$Password
Add-Computer -Domain 'MYDOMAIN.LOCAL' -Credential $Credentials -Force -Restart
}
</powershell>
<persist>true</persist>
And here is the Domain Controller. It is scheduled to change it's DA Password after 4 minutes so that the password exposed in the user data above is no longer valid
<powershell>
# Enable Network Discovery
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
# Allows 'rdesktop' by disabling NLA as a requirement
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 0
Start-Sleep -Seconds 240
# Recycle DA Password
powershell.exe -C "C:\Windows\Temp\recycle.ps1"
echo "Done" > "C:\Users\Administrator\Desktop\done.txt"
</powershell>

Trying to back up my Bitlocker Key to ADDS Through Script

I'm trying to automatize the process of storing BitLocker Keys to ADDS.
I wanna be able to run the following script at logon, in order to do that, as the OS is deployed through WDS which already encrypts the drive:
$BitVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryKey = $BitVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryKey.KeyProtectorID
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryKey.KeyProtectorID
I always get access denied as this has to run as admin...
Is there any command I can use prior the code to run it as admin?
I've googled but I found no useful info to actually do this...
As for the access denied part... as was already sated, you need to start your PowerShell session as an admin. However, as a point of note about your code, you are only targeting the system/os volume... which may not be the only volume that's encrypted. If you want to programmatically backup all of the encrypted volumes, may I suggest one of the two following options...
One-liner:
Get-BitLockerVolume | where {$_.VolumeStatus -like "FullyEncrypted"} | foreach {foreach($Key in $_.KeyProtector){if($Key -like "RecoveryPassword"){Backup-BitLockerKeyProtector -MountPoint $_.mountpoint -KeyProtectorId $key.KeyProtectorId}}}
Or, if you prefer something a little bit easier to read...
Script Block:
foreach ($BLV in Get-BitLockerVolume){
if ($BLV.VolumeStatus -like "FullyEncrypted"){
foreach ($Key in $BLV.KeyProtector) {
if ($Key -like "RecoveryPassword") {
Backup-BitLockerKeyProtector -MountPoint $BLV.MountPoint -KeyProtectorId $Key.KeyProtectorId
}#if
}#foreach
}#if
}#foreach
Neither is super eloquent... but, with this method it will grab all of the encrypted volumes on the system and add them to AD. You would need to modify the code slightly to add the AAD backup option you cited of course.
P.S. I'm only responding because I recently had to solve this problem of multi-volume backups as a one-liner solution and figured I would share it since your post was a top search result when I looked for a pre-canned solution. Cheers! :)

How can i find the DHCP server? [duplicate]

I got a client who asked me to find all of his Dhcp and DNS servers with some additional info like DC servers and operationsystem
so i decided to try sharpen my powershell skills but im still new to this so i wrote this script but i guess something is still missing because it doesnt work
EDIT: i managed to find a way to get the info i want which is the OS but it gets me back ALL the servers in the company
$servers = get-dhcpserverindc
foreach($server in $Servers){
get-adcomputer -filter {Operatinsytem -like "*windows server*"} -properties
Operatingsystem | sort name | format-table name,Operatinsytem
}
This is not too tricky. First off, you connect to a machine with the RSAT Tools installed, like an admin server, jump box, or Domain Controller, and get a list of all DHCP Servers.
$DHCPServers = Get-DhcpServerInDC
Then we use PowerShell's built in looping logic to step through each server, and check for the OS info you need.
ForEach ($DHCPServer in $DHCPServers){
$OSInfo = Get-CIMInstance -ComputerName $DHCPServer.DnsName -ClassName Win32_OperatingSystem
}
Finally, we'll modify this above to return the info you're looking for, namely the IP Address, Name, and OS Version
ForEach ($DHCPServer in $DHCPServers){
$OSInfo = Get-CIMInstance -ComputerName $DHCPServer.DnsName -ClassName Win32_OperatingSystem
[pscustomobject]#{
ServerName = $DHCPServer.DnsName;
IPAddress=$DHCPServer.IpAddress;
OS=$OSInfo.Caption
}
}
ServerName IPAddress OS
---------- --------- --
dc2016 192.168.10.1 Microsoft Windows Server 2016 Standard
From there, you can store it in a variable, make it a spreadsheet, do whatever you need to do.
Hope this helps.
If this isn't working, make sure you have enabled PowerShell Remoting first.

Powershell Win32_ServerConnection on TS Server 2012 no result

I'm trying to execute a simple command on one of a TS part of a RDS farm and I get no result. I just want to see every connection on the TS using:
Get-WmiObject Win32_ServerConnection -ComputerName MYTSSERVER
and I get no result at all. Any idea what could be the cause?
Thank you
Win32_ServerConnection shows active connections to network shares on the machine. If you do not have active network shares or connections to them there will be no results.
I assume since they're terminal servers in an RDS farm that you're looking for remote sessions in which case you want Win32_LoggedOnUser. That said, Win32_LoggedOnUser doesn't clear sessions that have been disconnected or even closed. It shows all sessions since the last computer reboot whether that information is still valid or not.
It's incredibly annoying but the best way to list real and active sessions is to list all copies of explorer.exe running on the machine and who they belong to or use the cmd application query.exe. There are ways in PowerShell to turn the output of query.exe into objects:
$Users = query user /server:TERMSERV01 2>&1
$Users = $Users | ForEach-Object { (($_.trim() -replace ">" -replace "(?m)^([A-Za-z0-9]{3,})\s+(\d{1,2}\s+\w+)", '$1 none $2' -replace "\s{2,}", "," -replace "none", $null)) } | ConvertFrom-Csv
$Users

Resources