Monday, November 23, 2015

PowerShell script to list all members of an Active Directory group.

Here's a script to finds all members that belong to a specific group within Active Directory. This example will be the Domain Admins Group.

PS >Get-ADGroupMember -identity "Domain Admins" -Recursive | Get-ADUser -Property DisplayName | Select Name,SAMAccountName,DisplayName
Posted by at No comments:

PowerShell Script to find all systems that have not logged on in the past 90 days. Not users but Workstations or servers.

$domain = "mydomain.com" 
$DaysInactive = 90 
$time = (Get-Date).Adddays(-($DaysInactive))
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp |
select-object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | export-csv -path c:\LastLogon_90_Days.csv -notypeinformation
Posted by at No comments:

Friday, November 13, 2015

PowerShell script to collect Windows 2008 Servers from AD

Get-ADComputer

The cmdlet of choice for inventorying computers through AD is Get-ADComputer. This command automatically searches for computer objects throughout a domain, returning all sorts of info.

Import the ActiveDirectory module:

image

Then if I want to see all the details about using this cmdlet, I run:

Get-Help Get-ADComputer -Full


As you get comfortable with AD PowerShell, I highly recommend that you start tuning for less data to be returned - the "filter left, format right" model described here by Ned Pyle.

Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap –Auto

image

This command is filtering all computers for all their properties. It then feeds the data (using that pipe symbol) into a formatted table. The only attributes that the table contains are the computer name, operating system description, service pack, and OS version. It also automatically sizes and wraps the data. When run, you see:

image

One Windows Server 2003 computer needs Service Pack 2 installed and there are still Windows 2000 servers running.

Server Filtering
Now break down the results with filters:

Get-ADComputer -Filter {OperatingSystem -Like "Windows Server*"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto
 You can change the filter to find all the computers that are running “Windows Server something”, using the –like filter. 

image

Now only servers are listed. Where did the Windows 2000 server go? Microsoft didn’t start calling OS’s “Windows Server” until 2003. Before that it was “Windows 2000 Server”. We need to change the filter a bit:

Get-ADComputer -Filter {OperatingSystem -Like "Windows *Server*"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto
 Just added an extra asterisk to Server (*Server*).

image
 
As you can see, this environment has a variety of Windows server versions running. We are interested only in the ones that are running Windows Server 2008 or Windows Server 2008 R2. Once we get that, I might just want to see the R2 servers – We run these two sets of commands:

Get-ADComputer -Filter {OperatingSystem -Like "Windows Server*2008*"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto

Get-ADComputer -Filter {OperatingSystem -Like "Windows Server*r2*"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto
image

Only R2 Servers:

image


Workstation Filtering
Simply switch from -Like to -Notlike from my previous server query:

Get-ADComputer -Filter {OperatingSystem -NotLike "*server*"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto

image
Family filtering
If you want to filter by the “family” of operating systems. This can be useful when trying to identify computers that started having a special capability in one OS release and all subsequent releases, or we don’t care about it being server or workstation. Example would be BitLocker – it only works on Windows Vista, Windows Server 2008, and later. run:

Get-ADComputer -Filter {OperatingSystemVersion -ge "6"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemVersion -Wrap -Auto
Filtering on operating system version needs to be equal to or greater than 6. This means that computers that have a kernel version of 6 (Vista and 2008) or higher will be returned:

image

For Windows Server 2008 R2 and Windows 7 family of computers, we change the filter slightly:

Get-ADComputer -Filter {OperatingSystemVersion -ge "6.1"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemVersion -Wrap -Auto

image

Getting it all into a file

This is where Export-CSV comes in. With the chaining of an additional pipeline I can find all the computers, select the attributes I find valuable for them, then send them into a comma-separated text file.

Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion | Export-CSV AllWindows.csv -NoTypeInformation -Encoding UTF8
image
 
Open AllWindows.CSV file in Excel and:

image

Posted by at No comments:

Configure IE11 settings via Group Policy

I've recently upgraded IE from IE9 to IE11. Although the installation itself was simple, configuring the settings via group policy wasn't as straightforward...

I assumed that our existing GPO created for IE9 would continue to work, but quickly found out this was not the case. Proxy settings and security zone settings were some of the things that were now not working in IE11.

The first thing I did was download the IE11 Administration Templates (ADM file) from Microsoft. http://www.microsoft.com/en-gb/download/details.aspx?id=40905
I then created a new GPO specifically for Internet Explorer 11 settings. I added the ADM file by expanding User Configuration > right clicking on Administrative Templates > selecting 'Add/Remove Templates' > and selecting the ADM file to import it into the GPO. 
Picture
Configuring Internet SettingsTo configure Internet settings such as home page and security zone settings, in the GPO I expanded User Configuration > Control Panel Settings > Internet Settings.I right clicked in the main pane > New > and selected the version of IE I wished to manage. IE11 was not listed, but chose IE10 which works.
Picture
Here, I went through the tabs (same tabs as you would see if you went to IE's tools and options) and set as desired. However I found out that two things in particular would not work... 1) Proxy settings and also 2) when setting security zones, the 'Sites' option is greyed out, so you are unable to manually enter site addresses that should belong to a particular zone. These need to be configured elsewhere.

Proxy settingsSo, as tried above, I was unable to set the proxy server using the 'Internet Settings' GPO options. I also tried without success using the 'Internet Explorer Maintenance' settings, which is what I had always used in IE9 and previous versions.
I therefore had to set the proxy settings using the registry and Group Policy Preferences (GPP).

In the GPO, I expanded User Configuration > Preferences > Registry. I then created three new registry items for the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ProxyEnable To enable, set the REG_DWORD to 00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ProxyServer Set the REG_SZ to your proxy server’s IP or hostname:8080 (i.e proxy:8080 or 192.168.1.10:8080)
HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ProxyOverride
Set the REG_SZ to list all the sites which should bypass the proxy, separated by a semi-colon ‘;’. If  you need to enable the option ‘Do not use proxy server for local (Intranet) addresses’ then you will need to add ‘;<local> at the end of the ProxyOverride key. There is no separate key for this setting.
Picture
Adding sites to Security ZonesAs I earlier found out, although I could set security zone levels, the options for specifying sites was greyed out. To populate the sites for the different zones, I had to go somewhere else within the GPO. User Configuration > Policies > Administration Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.In here, I enabled 'Site to Zone Assignment list' and in the Value Name, entered the website address, and for Value, I entered the corresponding number for the zone I wanted to add the site into.

Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone.
Picture
That's the main settings for IE11 configured! I linked the GPO to an OU containing the users and at the next group policy refresh they received the new settings. At first, I applied this to just myself, then to a small group of users. Once all problems are ironed out (normally with security zone settings) I could safely deploy to all other users.

To Change the HomePage or Startup Page:

HKCU\Software\Microsoft\Internet Explorer\Main

Home Page = Start Page = REG_SZ, Value, http://www.google.co.uk
So in the box that appears select :
Action : Update
Hive : HKEY_CURRENT_USER
Key Path: Software\Microsoft\Internet Explorer\Main
Value name (default unticked) : Start Page
Value type : REG_SZ
Value data : http://www.google.co.uk
So for this example it would look like
ie7

If you want more than one tab to open at once then you can use the key Secondary Start Pages.
Action : Update
Hive : HKEY_CURRENT_USER
Key Path: Software\Microsoft\Internet Explorer\Main
Value name (default un ticked) : Secondary Start Pages
Value type : REG_MULTI_SZ
Value data : http://www.bbc.co.uk
Secondary
Posted by at No comments:

Wednesday, October 28, 2015

Inventorying Active Directory Computers with PowerShell

Get-ADComputer

The cmdlet of choice for inventorying computers through AD is Get-ADComputer. This command automatically searches for computer objects throughout a domain, returning all sorts of info.
The first step is to fire up PowerShell and import the ActiveDirectory module:

image

Then if I want to see all the details about using this cmdlet, I run:

Get-Help Get-ADComputer -Full

Getting OS information

Basics
Get-ADComputer -Filter * -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion -Wrap –Auto

image

This command is filtering all computers for all their properties. It then feeds the data (using that pipe symbol) into a formatted table. The only attributes that the table contains are the "computer name, operating system description, service pack, and OS version". It also automatically sizes and wraps the data. When run, I see:

image

A Windows Server 2003 computer needs Service Pack 2 installed and I still have a Windows 2000 server.

Server Filtering
Now we can start breaking down the results with filters. run:

Get-ADComputer -Filter {OperatingSystem -Like "Windows Server*"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto

I changed the filter to find all the computers that are running “Windows Server something”, using the –like filter.

image

Cool, now only servers are listed! But wait… where’d my Windows 2000 server go? Ahhhh… sneaky. We didn’t start calling OS’s “Windows Server” until 2003. Before that it was “Windows 2000 Server”. I need to massage my filter a bit:

Get-ADComputer -Filter {OperatingSystem -Like "Windows *Server*"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto

See the difference? I just added an extra asterisk to surround “Server”.

image

This environment has a variety of Windows server versions running. I’m interested in the ones that are running Windows Server 2008 or Windows Server 2008 R2. And once I have that, I might just want to see the R2 servers.

I run these two sets of commands:

Get-ADComputer -Filter {OperatingSystem -Like "Windows Server*2008*"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto

Get-ADComputer -Filter {OperatingSystem -Like "Windows Server*r2*"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto

image
image


Workstation Filtering
Now, for all the workstations? I simply switch from -Like to -Notlike with my previous server query:

Get-ADComputer -Filter {OperatingSystem -NotLike "*server*"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto


image
Family filtering
Let’s say we want to filter by the “family” of OS's. This can be useful when trying to identify computers that started having a special capability in one OS release and all subsequent releases, and I don’t care about server or workstation platforms. An example of that would be BitLocker – it only works on Windows Vista, Windows Server 2008, and later. I run:

Get-ADComputer -Filter {OperatingSystemVersion -ge "6"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemVersion -Wrap -Auto

Now I'm filtering on operating system version, to be equal to or greater than 6. This means that any computers that have a kernel version of 6 (Vista and 2008) or higher will be returned:

image

For Windows Server 2008 R2 and Windows 7 family of computers only, I can change my filter slightly:

Get-ADComputer -Filter {OperatingSystemVersion -ge "6.1"} -Property * | Format-Table Name,OperatingSystem,OperatingSystemVersion -Wrap -Auto

image

Getting it all into a file

So what we’ve done ‘til now was just use PowerShell to send goo out to the screen and stare. In all but the smallest domains, though, this will soon get unreadable. I need a way to send all this out to a text file for easier sorting, filtering, and analysis.
This is where Export-CSV comes in. With the chaining of an additional pipeline I can find all the computers, select the attributes I find valuable for them, then send them into a comma-separated text file.

Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion | Export-CSV AllWindows.csv -NoTypeInformation -Encoding UTF8

image

Then I just crack open the AllWindows.CSV file in Excel and:

image
Posted by at No comments:

Thursday, June 18, 2015

Windows KMS and MAK Volume License Activation

Introduction

If you have to administer a large number of PCs running Windows, you will end up creating an automated deployment platform for your Windows clients. You may implement something like Windows Deployment Services.
I used WDS to create a fully automated installation of PCs. WDS can also be used for creating images, but using images doesn't scale as you need too much manual intervention with the devices themselves and you need to update images constantly.
With WDS and some driver packs I can support as many different computer brands and models as I want with a single vanilla Windows 7 base image. All customization and automation is done with answer files using the Windows Automated Installation Kit.
When creating an automated deployment environment, one thing you definitely don't want to be doing is having to enter each individual Windows product key as found on the sticker somewhere on the chasis. You want a single key, embedded in the deployment image or script and run with that, or some other solution. Your goal must be to do away with manual product key input and activation.
This is not a problem, but here we have to introduce the topic of licences, especially client licences such as Windows 7. There are only two flavors of Windows:
  1. Retail - this licence is most expensive but allows you to transfer it from one computer to the other one.
  2. OEM - this licence cost you less but is tied to that particular computer.
The important thing for a system administrator to know is this: when buying OEM, you do not have rights to create disk images or do something similar with these computers. You cannot use Windows Deployment Services, You cannot use cloning tools or other solutions.

Volume licensing

Now it is time to talk about volume licensing. A volume licence is an upgrade of a Retail or OEM license. So one thing is sure: you must order every computer with an OEM Windows licence, regardless of your plans. In addition, the volume licence, you have to buy separately, you gain 'reimaging rights'.
Now comes the fun part. You only need one (1) Volume Licence for a specific product to be eligible to image or automatically deploy all PCs running that particular operating system (32 bit or 64 bit doesn't matter).

KMS or MAK activation

With a volume licence, client's don't need to activate with Microsoft through the internet. For larger organisations, that would cause too much internet traffic. Instead, you use a local activation service within your network. You can either deploy a KMS (Key Management Service) or use the Volume Actication Management Tool (VAMT).
Most people may want the KMS service. But a KMS service only starts to validate clients with 25 or more PCs. If you have less than that number of clients, you may resort to MAK validation.
When choosing KMS activation, you install a KMS service on one of your Windows servers and that host will then act as an activation server within your organisation. Systems activated through the KMS must periodically revalidate themselves (as like every 6 months / 180 days). but how do the clients know that they should validate against your KMS? And which product key do you use?
If you buy a volume licence, you will get access to a special ISO image of Windows 7, Vista Business or XP Professional. You also gain access to a special product key, a KMS product key. (Please note that you must by a volume licence for each operating system product version).
You use this special KMS product key to activate the KMS server. This happens only once. So this one time, you activate the KMS server with Microsoft, after that, no communication occurs with clients or the KMS service with Microsoft.
That special ISO image you got contains a special Windows version that does not require a product key. Once a client is installed, it just searches your network for a KMS server through DNS and tries to activate against it. Once validated, clients stay validated as long as they get in contact twice a year (180 days) with your KMS service.
If you have less than 25 PCs, you will use the MAK activation and the VAMT tool. Clients can either activate through Microsoft directly or through the VAMT tool. The VAMT tool collects activation requests within your network like a KMS, however, it does contact Microsoft to validate those activations. And there is a limited number of activations you are entitled to. This VAMT tool can cache activation requests so you can redeploy or re-image systems and reactivate them without seeing your activation limit getting reached.
Posted by at No comments:
Subscribe to: Comments (Atom)