All posts by steven

Storingen

Users being disconnected randomly

Some users reported that their sessions where being disconnected. The warning that was stated was that the peer disconnected. On the The XenApp servers reported error 4105. The Terminal Server License server was member of the group Terminal Server License Server. There’s a KB article for this problem.

If you want to export the users that could expierence this problem you can run the script below. In order to export the right group you need to have the default SID for this built in group. This SID is: “S-1-5-32-561″. The right value that the user must have is:”5805bc62-bdc9-4428-a5e2-856a0f4c185e”.

 

Import-module ActiveDirectory
$List2 =@()
$File = ".\Export.csv"
$Header = "DN;ActiveDirectoryRights;InheritanceType;ObjectType;InheritedObjectType;ObjectFlags;AccessControlType;IdentityReference;IsInherited;InheritanceFlags;PropagationFlags"
Add-Content -Value $Header -path $file
$list = get-aduser -Filter * | select DistinguishedName
foreach ($item in $list){$list2 +=$item.DistinguishedName}
foreach ($item in $list2){
$ACLs =@((get-Acl "AD:\$item")| ForEach-Object {$_.Access} | Where {$_.Identityreference -eq "S-1-5-32-561"})
IF ($ACLs.count -gt "0"){
[int]$Count = 0
Foreach ($ACL in $ACLS){IF ($ACL.Objecttype -match "5805bc62-bdc9-4428-a5e2-856a0f4c185e"){$count++}}
IF ($Count -eq "0"){
Foreach ($ACL in $ACLs){
$OutInfo = $item  + ";" + $ACL.ActiveDirectoryRights  + ";" + $ACL.InheritanceType + ";" + $ACL.ObjectType + ";" + $ACL.InheritedObjectType + ";" + $ACL.ObjectFlags + ";" + $ACL.AccessControlType  + ";" + $ACL.IdentityReference   + ";" + $ACL.IsInherited   + ";" + $ACL.InheritanceFlags   + ";" + $ACL.PropagationFlags
Add-content -Value $outinfo -path $File}}}}
Overige

Back-up Databases in Plesk remotely

Some databases are more important then others. In some cases you want to back-up just a couple database more often. I have a Synology Diskstation DS413J at home. To have an off-site back-up for my most important databases is extremely important.  Some database must be retained for seven years for tax services here in the Netherlands. That is why I made a little shell script which exports databases and then, ftp explicit SSL, transfer it to the NAS device. First get the server ready transfer files over FTP(e)S.

sudo apt-get install lftp

The above code installs a lftp client on the in this case Ubuntu machine.

Next create a dir in which you want to dump the sql files in. I consider that you use Plesk 9+. In my case the folder is called /dumps. Create two .sh files with the corresponding code:

run.sh

	date=$(date +%x)
	exportdir="/dumps"
	while read database; do
	  filename="$exportdir/$database-$date.sql"
	  mysqldump -uadmin -p`cat /etc/psa/.psa.shadow` $database > $filename
	done </root/databases.txt
	lftp -f /root/ftps.sh

ftps.sh

debug 10
set ftp:ssl-auth TLS
set ssl:verify-certificate no
set ftp:ssl-protect-data yes
open USER:PASSWORD@SERVER.TLD:21/DATADIRECTORY
mput /dumps/*
close

In databases.txt you list the databases that will be back-upped. The FTPS script copies any file in the Dump directory.

Then make a cron job which runs this task.

Powershell

Sign your scripts

In some high security environments is it required to sign you scripts. To do so you need a code sign certificate. One of the cheapest around is the one of StartSSL costing you only $ 59,99 or roughly € 40 ~ € 45.

I requested a code sign certificate via their site. The advantage of signing scripts with a public certificate is obviously that the script is trusted and you won’t be prompted to approve the script.

To sign a script you need to have the code signing certificate installed and also you need the function Set-AuthenticodeSignature. It is highly recommended that you use a timestamp server. This will ensure that the code is signed when the certificate was valid. So if you certificate expired you won’t have to sign all you code again. StartSSL has a Timestamp Server, but you can use any timestamp server that you prefer. I were at the moment not able to sign my scripts using the StartSSL timestamp server. I use Globalsign at the moment. The certificate from this timestamp server is valid until 2024. If anyone uses your scripts by then, you’d done your job very well ;-).

$Cert=(dir cert:currentuser\my\ -CodeSigningCert)
Set-AuthenticodeSignature ".\Script.ps1" $Cert -IncludeChain All -TimestampServer "http://timestamp.globalsign.com/scripts/timstamp.dll"

Including the chain will ensure that any intermediate certificate authority will be trusted. Be sure to save you code in ANSI format and not the default Unicode:BigEndian that Powershell ISE uses. Notepad(++) will save in ANSI by default. You can use the regular Unicode if you have any diacritic stated.

Your script will be appended with some additional code with certificate information. Note that Powershell v3 will need SHA256 algorithm. Powershell v2 (if anyone still usses that) accepts scripts which are sign with anything up to SHA1. You can specify the algorithm you want to use by entering -HashAlgorithm SHA512. By default in v3 and up it is SHA256.

Microsoft, Powershell

Manage websites from local server

$list =@(Get-WmiObject -Namespace "root/Webadministration" -Query 'Select * from Site')
Foreach ($item in $list){write-host $item.name}

IIS6 compatiblity uses a different namespace root/MicrosoftIISv2

All you need to do is get cred en authenticate to a different server using either -ComputerName $Hostname or  -Authentication “6”.

Next you can create a remote job using the earlier cached credentials and create a script with the listed names like this:

Import-Module WebAdministration
Stop-Website "$name" 
$State = Get-website |Where {$_.Name -eq "$Name"} | Select State
If ($State -notmatch "Stopped"){Stop-Website $Name }

Of course you can also you the schtasks /create command (in Powershell) to add a job that deletes itself or enable-psremoting.

An entire different approach would be to connect using the servermanager via Powershell. You can load the servermanager and connect to a server. The advantage would be that one server is responsible. You do need access to that server. Some high secure environments block this kind of traffic. You can load any dll for IIS Web Administration

[System.Reflection.Assembly]::LoadFrom( "C:\windows\system32\inetsrv\Microsoft.Web.Administration.dll" )
$computer = "COMPUTERNAME"
$ServerManager = [Microsoft.Web.Administration.ServerManager]::OpenRemote($computer.ToLower())
[int]$ID="1"
Foreach ($item in $ServerManager.sites){
Write-host "$ID $item"
$ID++
}

while ($ID -gt $Servermanager.sites.count){
     $ID = read-host "Voer de site die u wilt stoppen"
      $ID--}


$ServerManager.Sites.Item($ID).stop()
Configuratie, Microsoft

Windows 8 and Windows 8.1 install dotnet Frameworks 3.5

To install dotnet framework 3.5 you’ll will have to do a couple of things. First of all you need to disable a task as soons as you have completed setup. Well this is actually optional. It is necessary to do this step if you want to deploy that image to other PC’s. Windows 8(.1) deletes install media to save disk space. Run the following command immediately after setup completed:

schtasks.exe /change /disable /tn "\Microsoft\Windows\AppxDeploymentclient\Pre-Staged App CleanUp"

To install the DotNet Framework 3.5 feature in Windows 8(.1) run the following command. Where D: is the installtion media

DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:d:\sources\sxs

All of the above of course in an elevated Powershell window