Category Archives: Microsoft

Artikels die een relatie hebben met Microsoft producten

Storingen

Registry permissions of users by mistake overwritten

An administrator applied an GPO which overwrites the permissions on the registry of users by mistake.  This results in users who cannot login after they lost permissions on their ntuser.dat registry hive.

We had an immediate problem with the users so decided to restore the entire terminal profiles share. However you can choose to solve the problem. I’ve written a script really quite to at least know how big the problem really is.

We have PSremoting enabled on all terminal servers. Which gave us the posibility to run the script on the entire environment.

Import-Module ActiveDirectory
$Computers = Get-ADComputer -Filter * | Where {$_.Name -match "TERMINALSERVERPREFIX"}

Foreach ($Computer in $Computers){

Enter-Pssession $Computer
 
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
 Set-Location HKU:
 $list = GCI
 $Hostname = Hostname
 $Export = "C:\Permissions"+"_"+"$Hostname"+".csv"
 Foreach ($item in $list){$ACLs = Get-ACL $Item.PSChildName | Foreach-Object { $_.Access }
 Foreach ($ACL in $ACLs){
 If ($ACL.IdentityReference -match "ADGROUP Or User"){$Value = $Item.Name + ";" + $ACL.IdentityReference + ";" + $ACL.AccessControlType + ";" + $ACL.IsInherited + ";" + $ACL.InheritanceFlags + ";" + $ACL.PropagationFlags + ";" + $ACL.FileSystemRights
 Add-Content -Value $Value -Path $Export}}}
 Set-Location C:
 Copy-Item -Path $Export -Destination "\\Shared Location"

}

This writes back the SID on which an Active Directory Group had permissions on. You can of course use the information given but you have the compare the SID’s with your Active Directory SID.

Exporting the SID’s of your AD can be done by running the following code:

Import-Module ActiveDirectory
$Export = "C:\SIDS.csv"
$List = Get-ADUser -filter * | Select Name,SID
$Header = "Name;SID"
Add-Content -Value $Header -Path $Export
Foreach ($Item in $list){
$Outinfo = $item.Name + ";" + $Item.SID
Add-Content -Value $Outinfo -Path $Export}

Or

Import-Module ActiveDirectory
$Export = "C:\SIDS.csv"
$List = Get-ADUser -filter * | Select Name,SID
$list | Export-CSV -Path $Export -Delimiter ";" -NoTypeInformation
Storingen

Users being disconnected randomly

Some users reported that their sessions where being disconnected. The warning that was stated was that the peer disconnected. On the The XenApp servers reported error 4105. The Terminal Server License server was member of the group Terminal Server License Server. There’s a KB article for this problem.

If you want to export the users that could expierence this problem you can run the script below. In order to export the right group you need to have the default SID for this built in group. This SID is: “S-1-5-32-561″. The right value that the user must have is:”5805bc62-bdc9-4428-a5e2-856a0f4c185e”.

 

Import-module ActiveDirectory
$List2 =@()
$File = ".\Export.csv"
$Header = "DN;ActiveDirectoryRights;InheritanceType;ObjectType;InheritedObjectType;ObjectFlags;AccessControlType;IdentityReference;IsInherited;InheritanceFlags;PropagationFlags"
Add-Content -Value $Header -path $file
$list = get-aduser -Filter * | select DistinguishedName
foreach ($item in $list){$list2 +=$item.DistinguishedName}
foreach ($item in $list2){
$ACLs =@((get-Acl "AD:\$item")| ForEach-Object {$_.Access} | Where {$_.Identityreference -eq "S-1-5-32-561"})
IF ($ACLs.count -gt "0"){
[int]$Count = 0
Foreach ($ACL in $ACLS){IF ($ACL.Objecttype -match "5805bc62-bdc9-4428-a5e2-856a0f4c185e"){$count++}}
IF ($Count -eq "0"){
Foreach ($ACL in $ACLs){
$OutInfo = $item  + ";" + $ACL.ActiveDirectoryRights  + ";" + $ACL.InheritanceType + ";" + $ACL.ObjectType + ";" + $ACL.InheritedObjectType + ";" + $ACL.ObjectFlags + ";" + $ACL.AccessControlType  + ";" + $ACL.IdentityReference   + ";" + $ACL.IsInherited   + ";" + $ACL.InheritanceFlags   + ";" + $ACL.PropagationFlags
Add-content -Value $outinfo -path $File}}}}
Powershell

Sign your scripts

In some high security environments is it required to sign you scripts. To do so you need a code sign certificate. One of the cheapest around is the one of StartSSL costing you only $ 59,99 or roughly € 40 ~ € 45.

I requested a code sign certificate via their site. The advantage of signing scripts with a public certificate is obviously that the script is trusted and you won’t be prompted to approve the script.

To sign a script you need to have the code signing certificate installed and also you need the function Set-AuthenticodeSignature. It is highly recommended that you use a timestamp server. This will ensure that the code is signed when the certificate was valid. So if you certificate expired you won’t have to sign all you code again. StartSSL has a Timestamp Server, but you can use any timestamp server that you prefer. I were at the moment not able to sign my scripts using the StartSSL timestamp server. I use Globalsign at the moment. The certificate from this timestamp server is valid until 2024. If anyone uses your scripts by then, you’d done your job very well ;-).

$Cert=(dir cert:currentuser\my\ -CodeSigningCert)
Set-AuthenticodeSignature ".\Script.ps1" $Cert -IncludeChain All -TimestampServer "http://timestamp.globalsign.com/scripts/timstamp.dll"

Including the chain will ensure that any intermediate certificate authority will be trusted. Be sure to save you code in ANSI format and not the default Unicode:BigEndian that Powershell ISE uses. Notepad(++) will save in ANSI by default. You can use the regular Unicode if you have any diacritic stated.

Your script will be appended with some additional code with certificate information. Note that Powershell v3 will need SHA256 algorithm. Powershell v2 (if anyone still usses that) accepts scripts which are sign with anything up to SHA1. You can specify the algorithm you want to use by entering -HashAlgorithm SHA512. By default in v3 and up it is SHA256.

Microsoft, Powershell

Manage websites from local server

$list =@(Get-WmiObject -Namespace "root/Webadministration" -Query 'Select * from Site')
Foreach ($item in $list){write-host $item.name}

IIS6 compatiblity uses a different namespace root/MicrosoftIISv2

All you need to do is get cred en authenticate to a different server using either -ComputerName $Hostname or  -Authentication “6”.

Next you can create a remote job using the earlier cached credentials and create a script with the listed names like this:

Import-Module WebAdministration
Stop-Website "$name" 
$State = Get-website |Where {$_.Name -eq "$Name"} | Select State
If ($State -notmatch "Stopped"){Stop-Website $Name }

Of course you can also you the schtasks /create command (in Powershell) to add a job that deletes itself or enable-psremoting.

An entire different approach would be to connect using the servermanager via Powershell. You can load the servermanager and connect to a server. The advantage would be that one server is responsible. You do need access to that server. Some high secure environments block this kind of traffic. You can load any dll for IIS Web Administration

[System.Reflection.Assembly]::LoadFrom( "C:\windows\system32\inetsrv\Microsoft.Web.Administration.dll" )
$computer = "COMPUTERNAME"
$ServerManager = [Microsoft.Web.Administration.ServerManager]::OpenRemote($computer.ToLower())
[int]$ID="1"
Foreach ($item in $ServerManager.sites){
Write-host "$ID $item"
$ID++
}

while ($ID -gt $Servermanager.sites.count){
     $ID = read-host "Voer de site die u wilt stoppen"
      $ID--}


$ServerManager.Sites.Item($ID).stop()
Configuratie, Microsoft

Windows 8 and Windows 8.1 install dotnet Frameworks 3.5

To install dotnet framework 3.5 you’ll will have to do a couple of things. First of all you need to disable a task as soons as you have completed setup. Well this is actually optional. It is necessary to do this step if you want to deploy that image to other PC’s. Windows 8(.1) deletes install media to save disk space. Run the following command immediately after setup completed:

schtasks.exe /change /disable /tn "\Microsoft\Windows\AppxDeploymentclient\Pre-Staged App CleanUp"

To install the DotNet Framework 3.5 feature in Windows 8(.1) run the following command. Where D: is the installtion media

DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:d:\sources\sxs

All of the above of course in an elevated Powershell window

Microsoft, Powershell

Using filters to find groups with mail address

You can export a list of all groups with the field mail enabled by running the following code:

$list = Get-ADGroup -Filter * -Properties * | Where {$_.mail -ne $null -and $_.GroupScope -match "Global"}
$list | export-csv -Path Globalmetmail.csv -Delimiter ";"

To find groups inside a certain OU for example if you have a distribution OU you may want to export certain Grouptypes:

$list2 = Get-ADGroup -Filter * -Properties * | Where {$_.CanonicalName -match "Distribution" -and $_.GroupScope -match "Global"}
$list2 |export-csv -Path GlobalEnInDistributionOU.csv -Delimiter ";"