PowerShell GPO Reporter

Over the past few months I have been spending more and more time working with PowerShell.  I have gone to Windows 8 on my personal laptop, and am impressed by PowerShell 3.0.  I have joined the Charlotte PowerShell User’s Group which meets monthly at the Charlotte Microsoft Campus.  The Scripting Guy, Ed Wilson, together with his Teresa are regular attendees of the meetings,  and at last month’s meeting I won a signed copy of Ed’s latest book, PowerShell 3.0 Step by Step.  I shared some struggles I was having with PowerShell, and Ed gave me some practical advice about how to proceed.  It was something I already knew — focus on a real world problem and don’t be concerned about writing elegant code.

For some time, I have been getting traffic for my GPO Reporter HTA.  Unfortunately, this requires a component that was last available in Windows XP.  I quit using XP (even VMs) last month, and the loss of the GPO Reporter soon became a problem.  Fortunately, this month’s POSH meeting was led by Microsoft PFE Jason Walker who covered Active Directory and PowerShell.  I decided to take another look at a PowerShell GPO Reporter.

I think I have done some interesting things in the coding of the new script, GPOReports.ps1, but it is hard to tell as I am still a PowerShell beginner.  I have commented the code to make things easier to understand.  Note that you will need to install the Remote Server Administration Tools (RSAT) to get this to work, as it provides the ActiveDirectory PowerShell Module.  It is available for Windows 7 and Windows 8.  This is unsigned code; if you are a PowerShell noob, take a look at execution policy explanations about how to get it to run.

 

IT Lessons I Learned Last Weekend

When ordering a case fan, do not rely on the picture.  There are some case fans which are 4 inches square.

When ordering a CPU, note that an AMD 3+ CPU motherboard accepts AMD 3 and 3+ CPUs, but an AMD 3 motherboard only accepts AMD 3 sockets.

When re-using an HP Pentium 4 case for your new AMD motherboard, note that HP may not have followed conventions with wiring colors.  In particular, note that you cannot turn a computer on and off with the red and black power switch wires connected to the speaker pins on these systems.  Taking the time to look at the switch could save hours in troubleshooting.

The local administrator account password can become corrupted, making the entire system look hosed when it is not.  Symptoms may include not being able to launch anything due to IE Security Zone restrictions, and yyyy appearing in the time field.  Trying to fix the entire system when the problem is just a messed up profile is not a productive use of time.

If the secure channel is broken and the local administrator account is hosed, try logging in with cached administrative credentials.   You only need to disconnect the system from the network to get past the warning of no account in AD.  You can then delete the local administrator account profile, or create and elevate another local account.

Windows 8 changed the registry key for AHCI from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msahci to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\storahci\.  This is important to know if you are testing a script which automates the switch from IDE to AHCI for Windows 7 computers.

Finally, be humble.  Even if you are an expert, remember that you, too, can make wrong assumptions and do some pretty stupid things.

Another User Export Script

I have already written a script to dump user information into a spreadsheet here, so why do it again?  User AD Export.vbs is different in that it uses the modern LDAP interface (instead of the lame WinNT interface I used earlier), and is therefore much faster.  It was written for a user audit, so it does not export things like phone numbers and addresses, but you do get the user’s name, display name, description, mail address, whether a smart card is required, SamAccount name, UPN, whether the account is disabled,  the date created, date password last set, last logon, password age, expiration date, and AD path.

It will allow you to navigate to the starting OU in any domain in your forest.  It does not require elevated rights to run, and exports the data to Excel.

Get User Information

NTUserInfo.vbs is a script based on Ralph Montgomery’s NTUser.wsf file. It gives a good summary about a user account, including user name, description, password status, and more.   I have made a number of changes, including the ability to copy the results to the clipboard using IE.  Rename from .txt to .vbs. New version 10/23/2009 allows entry of user name by samaccount name or UPN.   This entry was originally posted on March 23, 2009.  The new (3/3/13) alternative version, NTUserInfo_IE.vbs outputs to IE instead of a MSGBox.  This way you can copy the information to your clipboard.

 

PowerShell: Start RDP After Reboot

A lot of folks have been asking me why I haven’t written any PowerShell scripts.  The answer is that I am pretty good at vbscript, and I couldn’t find anything that I wanted to do that I couldn’t do with vbscript.

Last week I spent some time waiting for a computer to reboot.  I used ping -t to watch the replies,  and then waited until I could use the Remote Desktop Connection (RDC) to connect using RDP.  I thought to myself, “self — you sure have spent a lot of time waiting for systems to come up”.  RDP2.ps1 is a PowerShell script that does the tedious watching for you.  It will wait for both the system and the remote access interface to come up, and then will launch the RDC to the computer.  You can run it interactively, or with the command line:

./rdp2.ps1 computername[:port] -WaitForReboot
									

The port is an option for nonstandard ports.  -WaitForReboot does just that.  If the system is still up when you launch the script, it will wait for it to reboot.

Like many first scripts, this is largely based on someone else’s work, see: http://poshtips.com/2013/02/12/check-rdp-availability-using-watch-rebootstatus-script/.  I made a large number of changes in addition to launching the RDC.   For those of you who have spent a lot of time with PowerShell, I am open to suggestions on how to make the code more elegant.

If you haven’t ever run a PowerShell script, you will find PowerShell is already installed on your Vista or later machine, and on Windows 2008/R2 servers.  You must set the execution policy:

Set-ExecutionPolicy unrestricted
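
Run without -Scope, the command above changes the LocalMachine policy (which needs an elevated prompt) and stays in effect for every later session.  The following is an added example, not part of RDP2.ps1 or GPOReports.ps1, of running one of these unsigned scripts with the policy relaxed for the current session only; it assumes PowerShell 3.0 or later and a hypothetical download path.

```powershell
# Added example: run one unsigned, downloaded script without a machine-wide
# policy change. $script is a hypothetical path; adjust to where you saved it.
$script = Join-Path $env:USERPROFILE 'Downloads\rdp2.ps1'

# 1. Show the policy at every scope. The first scope in the list that is not
#    'Undefined' is the one that takes effect.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Inspect the file before trusting it.
#    The Zone.Identifier stream is present when the file was downloaded.
Get-Content -Path $script -Stream Zone.Identifier -ErrorAction SilentlyContinue
#    Status is 'NotSigned' for unsigned code such as these scripts.
(Get-AuthenticodeSignature -FilePath $script).Status

# 3. After reading the script, clear the download mark for this one file so
#    RemoteSigned treats it as a local script.
Unblock-File -Path $script

# 4. Relax the policy for this PowerShell process only. No elevation is
#    needed and the setting is gone when the window closes.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# 5. Run it with the command line from the post.
& $script computername -WaitForReboot
```

With RemoteSigned, any other downloaded script that has not been unblocked or signed is still refused.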
									

Revision note 3/4/2012:  I have updated the script to make the MsgBox SystemModal — which is required for it to have focus.

LDAP Ping

There are a lot of ways a Windows Domain Controller can act weird.  Recently I had some which replied to a ping, replied to DNS requests, but failed to reply to LDAP.  Since LDAP services are pretty high on my list of expectations for a Directory Service, I wanted a lightweight way to monitor LDAP.  DC LDAP Ping.vbs is a script which enumerates the list of domain controllers in a domain, then binds to each in turn, measuring the time it takes to do so.  You can set audible alarms, and run continuously if you like.
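
The same check sketched in PowerShell, as an added example that is not the code of DC LDAP Ping.vbs: it enumerates the domain controllers of the current domain and times an LDAP bind to each.  The function name Test-LdapBind and the 500 ms warning threshold are assumptions made for the illustration; it must be run from a domain-joined machine.

```powershell
# Added example: time an LDAP bind against every DC in the current domain.
Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {            # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 389,
        [int]$TimeoutSeconds = 5
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.Timeout = New-TimeSpan -Seconds $TimeoutSeconds
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $conn.Bind()                # binds as the logged-on user
        $status = 'OK'
    } catch {
        # A DC that answers ping and DNS but not LDAP ends up here.
        $status = $_.Exception.Message
    } finally {
        $timer.Stop()
        $conn.Dispose()
    }
    New-Object PSObject -Property @{
        Server       = $Server
        Status       = $status
        Milliseconds = $timer.ElapsedMilliseconds
    }
}

$WarnMs = 500                       # hypothetical alert threshold
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
foreach ($dc in $dcs) {
    $r = Test-LdapBind -Server $dc.Name
    if ($r.Status -ne 'OK' -or $r.Milliseconds -gt $WarnMs) {
        Write-Warning ("{0}: {1} after {2} ms" -f $r.Server, $r.Status, $r.Milliseconds)
    } else {
        Write-Output ("{0}: bind OK in {1} ms" -f $r.Server, $r.Milliseconds)
    }
}
```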

Laptop Return Reminder

We love our users, yes we do!  Especially the ones who walk out the door with a laptop that they refuse to return.  Having a computer off the corporate network for an extended period of time can create problems with Active Directory,  some management software and some encryption software.  MakeLaptopWarning.vbs is a script which the admin runs before the laptop goes out the door.  It creates a reminder script on the laptop in the StartUp folder.  The user gets a countdown in days for when the laptop needs to be returned.