Monday, April 10, 2017

SCCM Compliance Item Bitlocker Status

We recently implemented Health Attestation in SCCM 1610, which took care of the reporting requirements for our Windows 10 clients. However, to completely eliminate MBAM from our environment we still needed to report on legacy clients. So here is how to create a compliance item that queries BitLocker status.

Side note: some troubleshooting notes for the Windows 10 portion with Health Attestation.

The script:

  1. Verify that BitLocker protection is on (ProtectionStatus = 1) and the encryption method is AES-256 (EncryptionMethod = 4)
  2. Return Compliant or Non-Compliant

#Discovery script for the compliance item. The WMI namespace only exists where the BitLocker
#feature is present, so a failure to query it is reported as Non-Compliant rather than as a script error.
try {
  $BitlockerStatus = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" -Class Win32_EncryptableVolume -ErrorAction Stop | ?{$_.DriveLetter -eq "C:"} | select EncryptionMethod,ProtectionStatus
}
catch {
  Write-Output "Non-Compliant"
  return
}
  #ProtectionStatus (0 = off, 1 = on, 2 = unknown)
  #EncryptionMethod {0 = none, 1 = AES-128 with diffuser, 2 = AES-256 with diffuser, 3 = AES-128 (Win7/8 default), 4 = AES-256 (desired)}
  #Windows 10 1511 and later default to XTS-AES (6 = XTS-AES-128, 7 = XTS-AES-256) and will show as Non-Compliant here;
  #this check is meant for the legacy clients.
  #Verify that BitLocker is enabled and AES-256 is used
  if($BitlockerStatus.ProtectionStatus -eq 1 -and $BitlockerStatus.EncryptionMethod -eq 4)
  {Write-Output "Compliant"}
  else
  {Write-Output "Non-Compliant"}
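A broader discovery script, added here as an example and not part of the original post: it evaluates every fixed volume BitLocker knows about (not only C:), accepts AES-256 (4) or XTS-AES-256 (7) so Windows 10 1511+ clients pass as well, and additionally requires the OS volume to carry a TPM-based key protector rather than only a password or recovery key. It stays on Win32_EncryptableVolume and PowerShell 2.0 syntax so it runs on the legacy clients the post is about; nothing in it is site-specific.

```powershell
# Added example, not from the original post. Discovery script: prints exactly one
# value, Compliant or Non-Compliant, for the compliance item to compare against.
$Namespace     = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$GoodMethods   = 4, 7         # EncryptionMethod: 4 = AES-256, 7 = XTS-AES-256
$TpmProtectors = 1, 4, 5, 6   # KeyProtectorType: TPM, TPM+PIN, TPM+StartupKey, TPM+PIN+StartupKey

function Get-VolumeFinding {
    param([Parameter(Mandatory=$true)]$Volume)
    # GetKeyProtectors(0) lists every protector on the volume; for the OS volume at
    # least one of them must be bound to the TPM, otherwise the key is only as good
    # as a passphrase or a recovery password lying around.
    $protectorTypes = @()
    $ids = $Volume.GetKeyProtectors(0).VolumeKeyProtectorID
    foreach ($id in $ids) { $protectorTypes += $Volume.GetKeyProtectorType($id).KeyProtectorType }

    $isOs     = ($Volume.DriveLetter -eq $env:SystemDrive)
    $problems = @()
    if ($Volume.ProtectionStatus -ne 1)                     { $problems += 'protection off' }
    if ($GoodMethods -notcontains $Volume.EncryptionMethod) { $problems += "method $($Volume.EncryptionMethod)" }
    if ($isOs -and -not ($protectorTypes | Where-Object { $TpmProtectors -contains $_ })) {
        $problems += 'no TPM protector'
    }
    New-Object PSObject -Property @{ Drive = $Volume.DriveLetter; OsVolume = $isOs; Problems = $problems }
}

function Test-BitLockerCompliance {
    try {
        # VolumeType: 0 = OS, 1 = fixed data, 2 = removable (left out of the check)
        $volumes = Get-WmiObject -Namespace $Namespace -Class Win32_EncryptableVolume -ErrorAction Stop |
            Where-Object { $_.VolumeType -ne 2 }
    } catch {
        return 'Non-Compliant'   # namespace missing: BitLocker feature not installed on this client
    }
    $findings = foreach ($v in $volumes) { Get-VolumeFinding -Volume $v }
    if (-not ($findings | Where-Object { $_.OsVolume })) { return 'Non-Compliant' }   # OS volume not reported
    if ($findings | Where-Object { $_.Problems.Count -gt 0 }) { return 'Non-Compliant' }
    return 'Compliant'
}

Test-BitLockerCompliance
```

When troubleshooting a client, run `Get-VolumeFinding` on one volume interactively; the `Problems` list tells you which of the three checks failed instead of a bare Non-Compliant.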

The compliance item;

 View the deployment status under monitoring

Viewing the individual client report

Friday, February 17, 2017

Find Expiring Certificates in Local Computer Personal Store

I originally wrote this as a monitor for SolarWinds. I'm posting it here as it could also be used to do a foreach against an OU, csv, etc. Basically, search through the computer personal certificate store and return the certs that expire in X days.


#The Cert: drive is built in, so no module import is needed.
$Certificates = Get-ChildItem Cert:\LocalMachine\My
$today = Get-Date
$days = 60                 #report certificates that expire within this many days (or have already expired)
$expirationcounter = 0

foreach ($cert in $Certificates)
{
    if ($cert.NotAfter -lt $today.AddDays($days))
    {
        $expiresin = $cert.NotAfter - $today   #negative once the certificate has already expired
        $expirationcounter++
        #Statistic:/Message: pairs are the output format the SolarWinds script monitor expects
        Write-Host "Statistic:" $expiresin.Days
        Write-Host "Message:" $cert.Subject "(thumbprint" $cert.Thumbprint "expires" $cert.NotAfter ")"
    }
}

if ($expirationcounter -eq 0)
{
    Write-Host "Statistic: 0"
    Write-Host "Message: No Certificates Found"
}
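The "foreach against an OU" case, as an added example that is not from the original post: a function that reads the LocalMachine\My store on one or more computers over WinRM and returns objects instead of monitor text, so the result can be sorted, filtered, or exported. It assumes WinRM is enabled on the targets and that the caller is a local administrator there; the OU distinguished name in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Requires WinRM on the targets.
function Get-ExpiringComputerCert {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline=$true)][string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 60
    )
    process {
        # The store is read on the remote machine; only certificate metadata comes back.
        Invoke-Command -ComputerName $ComputerName -ArgumentList $Days -ScriptBlock {
            param([int]$Days)
            $now = Get-Date
            Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.NotAfter -lt $now.AddDays($Days) } |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer      = $env:COMPUTERNAME
                        Subject       = $_.Subject
                        Issuer        = $_.Issuer
                        Thumbprint    = $_.Thumbprint
                        NotAfter      = $_.NotAfter
                        DaysRemaining = [int]($_.NotAfter - $now).TotalDays   # negative = already expired
                        HasPrivateKey = $_.HasPrivateKey                       # a cert a service can actually present
                        SigAlgorithm  = $_.SignatureAlgorithm.FriendlyName     # flags leftover SHA1 certs too
                    }
                }
        }
    }
}

# Usage: every enabled computer in an OU (placeholder DN), 30-day horizon, exported to CSV
# Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase 'OU=Servers,DC=mydomain,DC=local' |
#     Select-Object -ExpandProperty Name |
#     Get-ExpiringComputerCert -Days 30 |
#     Sort-Object DaysRemaining |
#     Export-Csv C:\temp\expiring-certs.csv -NoTypeInformation
```

`HasPrivateKey` separates the certificates that matter (a web or RDP listener will break when they expire) from imported CA chains that merely sit in the store.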

Wednesday, May 11, 2016

Find Orphaned Home Drives for Deleted AD Accounts

This script lists all home drive folders and, for each one, tests whether the AD user still exists. If it doesn't, it gathers the folder size and writes it with the user ID to a text file. Good one for general housekeeping.


#Compare all H drive folders to AD user accounts.
#If no match is found output a file with the user name and folder size in MB.
#Add all folders found and output total at the end

Import-Module ActiveDirectory

$HomeDriveRoot = "H:\Users"
$Report = "H:\usercomparisonexport.txt"
$HomeDriveFolders = Get-ChildItem -Path $HomeDriveRoot -Directory | Select-Object -ExpandProperty Name

$totalsize = 0

foreach ($folder in $HomeDriveFolders)
{
    #Get-ADUser throws when the identity does not exist, so an error means "no such user"
    $user = $(try { Get-ADUser -Identity $folder | Select-Object -ExpandProperty SamAccountName } catch { $null })
    if ($user -ne $folder)
    {
        #-Recurse is needed; GetFiles() on the folder only counts files in the top level
        $foldersize = Get-ChildItem -Path (Join-Path $HomeDriveRoot $folder) -Recurse -File -Force -ErrorAction SilentlyContinue | Measure-Object -Sum Length
        $foldersize = [math]::Round($foldersize.Sum / 1MB)
        $totalsize = $totalsize + $foldersize
        "$folder,$foldersize" | Out-File $Report -Append
    }
}

"---------------------((TOTAL)),$totalsize" | Out-File $Report -Append

Thursday, February 4, 2016

Disk Cleanup Missing Server 2008 and Later

There is plenty of info out there about how to go about getting to Disk Cleanup (cleanmgr.exe). This is just a quick little batch file to restore it. You do have the option of installing the Desktop Experience features through Server Manager. I personally don't like that option because of the junk that comes with it. Try this out instead...

Copy and paste into Notepad, save as "AddDiskCleanup.bat" and run it from an elevated prompt:

@echo off
REM The WinSxS folder names below are for Server 2008 R2 RTM (6.1.7600.16385); the version
REM portion differs between builds. Find yours with:  dir /s /b %windir%\winsxs\cleanmgr.exe
REM /Y suppresses the overwrite prompt so the batch runs unattended.
xcopy /Y "C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_c9392808773cd7da\cleanmgr.exe" "%systemroot%\System32\"

xcopy /Y "C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9cb6194b257cc63\cleanmgr.exe.mui" "%systemroot%\System32\en-US\"


From this point on you can simply go to start > run > cleanmgr.exe

Wednesday, November 4, 2015

Active Directory: Find All Users with Specific UPN Suffix

#Adjust $suffix to the suffix you are looking for. The comparison runs server-side in the filter,
#so only matching users come back (a filter of "*" would return every user in the OU).
$ou = "OU=Users,DC=mydomain,DC=local"
$suffix = "@mydomain.local"
Get-ADUser -Filter "UserPrincipalName -like '*$suffix'" -SearchBase $ou | Select-Object SamAccountName,UserPrincipalName,DistinguishedName | Export-Csv C:\temp\UPN.csv -NoTypeInformation

Thursday, October 22, 2015

Active Directory: Bulk Update User UPNs

#Bulk Update UPNs

Import-Module ActiveDirectory

$newSuffix = ''   #e.g. '@contoso.com'; must be a UPN suffix registered in the forest or users cannot log on with it
$ou = "OU=Users,DC=mydomain,DC=local"

if ([string]::IsNullOrEmpty($newSuffix)) { throw "Set `$newSuffix before running" }

Get-ADUser -Filter * -SearchBase $ou | ForEach-Object {
    $newUpn = $_.SamAccountName + $newSuffix
    Set-ADUser -Identity $_ -UserPrincipalName $newUpn
}
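A safer version of the two UPN posts above (finding users on a suffix, then changing it), added here as an example and not taken from the original posts: it refuses to run unless the new suffix is a domain name or a registered UPN suffix in the forest, only touches users still on the old suffix so it can be re-run, keeps each user's existing UPN prefix instead of rebuilding it from sAMAccountName, and supports -WhatIf for a dry run. The OU and suffixes in the usage line are placeholders.

```powershell
# Added example, not from the original posts.
function Set-BulkUpnSuffix {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$SearchBase,
        [Parameter(Mandatory=$true)][string]$OldSuffix,   # e.g. 'mydomain.local'
        [Parameter(Mandatory=$true)][string]$NewSuffix    # e.g. 'contoso.com'
    )
    $forest = Get-ADForest
    $known  = @($forest.UPNSuffixes) + @($forest.Domains)
    if ($known -notcontains $NewSuffix) {
        throw "'$NewSuffix' is neither a domain nor a registered UPN suffix in forest $($forest.Name); logons with the new UPN would fail"
    }

    # Server-side filter: only users still on the old suffix, so re-running changes nothing twice
    Get-ADUser -SearchBase $SearchBase -Filter "UserPrincipalName -like '*@$OldSuffix'" |
        ForEach-Object {
            $prefix = $_.UserPrincipalName.Split('@')[0]
            $newUpn = "$prefix@$NewSuffix"
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName, "UPN $($_.UserPrincipalName) -> $newUpn")) {
                Set-ADUser -Identity $_ -UserPrincipalName $newUpn
            }
            [pscustomobject]@{ SamAccountName = $_.SamAccountName; OldUpn = $_.UserPrincipalName; NewUpn = $newUpn }
        }
}

# Dry run first (-WhatIf lists every change without making it), then run without it:
# Set-BulkUpnSuffix -SearchBase 'OU=Users,DC=mydomain,DC=local' -OldSuffix 'mydomain.local' -NewSuffix 'contoso.com' -WhatIf
```

Pipe the output to Export-Csv to keep a record of old and new values; that file is what you need if a batch has to be rolled back.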

Wednesday, October 21, 2015

Find All Windows Servers Not in a Group in Active Directory

(&(objectCategory=computer)(operatingSystem=*Windows Server*)(!memberof:1.2.840.113556.1.4.1941:=CN=ServerHardening,OU=Groups,DC=mydomain,DC=local))

& = AND the conditions that follow together
objectCategory = the kind of object (user, computer, etc.)
operatingSystem = what is found in the computer object's Operating System tab, "Name" field
! = NOT; the condition that follows must be false
memberOf = the object's group memberships (the attribute that holds the DNs of the groups it belongs to)
1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN; tells the lookup to follow nested membership, so a server that is in a group which is itself a member of ServerHardening also counts as a member

You must use the full distinguished name of the group in question; the group's name alone will not match. The filter can be pasted into a custom search in Active Directory Users and Computers or passed to Get-ADComputer -LDAPFilter in PowerShell.

Of course you can adjust this to specific OS versions or group names or even extend it to include additional references to more groups.
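The same query run from PowerShell, as an added example that is not from the original post: the group DN is resolved by name instead of typed by hand, and it is escaped before being placed in the filter, because a DN containing `(`, `)`, `*` or `\` would otherwise change the meaning of the filter. The group and domain names come from the post and are placeholders.

```powershell
# Added example, not from the original post.
function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value embedded in an LDAP filter (backslash first, so
    # the escapes it produces are not escaped again)
    param([Parameter(Mandatory=$true)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-ServerNotInGroup {
    param(
        [Parameter(Mandatory=$true)][string]$GroupName,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop   # fails loudly if the group does not exist
    $dn    = ConvertTo-LdapFilterValue $group.DistinguishedName
    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: membership through nested groups counts
    $filter = "(&(objectCategory=computer)(operatingSystem=*Windows Server*)(!(memberOf:1.2.840.113556.1.4.1941:=$dn)))"
    Get-ADComputer -LDAPFilter $filter -SearchBase $SearchBase -Properties operatingSystem |
        Select-Object Name, operatingSystem, DistinguishedName
}

# Get-ServerNotInGroup -GroupName 'ServerHardening' -SearchBase 'DC=mydomain,DC=local'
```

Active Directory accepts the post's `(!memberof:...)` form without the inner parentheses; the function uses the strictly RFC-conformant `(!(...))` so the filter also works against other directories.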

Find Inactive Systems to Clean UP Active Directory

Shows all computers that haven't contacted the domain in 8 weeks or more. The check is based on lastLogonTimestamp, which is only replicated when it is more than 9 to 14 days stale, so treat the result as approximate. The same switch works for user objects (dsquery user -inactive). Run it in PowerShell with sort-object to sort by the DN, which starts with the name of the system, so it helps if you have a computer naming convention.

dsquery computer -inactive 8 | sort-object

Wednesday, September 9, 2015

Get Useful Mailbox Information from Exchange Shell

Just a quick one-liner for exporting usable info about all mailboxes. Be sure to adjust your domain controller (or leave it out if in a single domain environment).

get-mailbox -ResultSize unlimited -DomainController ADC1 | Select-Object DisplayName,PrimarySmtpAddress,ExchangeUserAccountControl,RecipientTypeDetails,ServerName,Database,ProhibitSendQuota,ProhibitSendReceiveQuota,UseDatabaseQuotaDefaults,IssueWarningQuota,MaxSendSize,MaxReceiveSize,DeliverToMailboxAndForward,HiddenFromAddressListsEnabled,WhenChanged  | Export-CSV C:\mailboxes.csv

Returns some good info about mailbox size quotas, send/receive limits, mailbox type, forwarding and address book status.

Friday, June 19, 2015

Active Directory: Bulk Update Logon Script

Modification of my bulk update home drive script.

Import-Module ActiveDirectory
#ScriptPath is relative to the NETLOGON share of the domain
Get-ADUser -Filter * -SearchBase "OU=Users,DC=contoso,DC=com" | ForEach-Object {
    Set-ADUser -Identity $_ -ScriptPath "LOGON-NEW.bat"
}

Active Directory: Bulk Update Home Folder Path

Can't take any credit for this one. Just happened to stumble on it in a forum post. Just putting it here for future reference. Added a couple of checks for good measure.



Import-Module ActiveDirectory

$SearchOU = "OU=Users,DC=contoso,DC=com"   #adjust

#Search for all users in the OU that are enabled and already have a home directory set.
#HomeDirectory is not in Get-ADUser's default property set, so it has to be requested with
#-Properties; without that, $_.HomeDirectory is always empty and the check passes every user.
Get-ADUser -Filter * -SearchBase $SearchOU -Properties HomeDirectory | Where-Object { $_.Enabled -eq $true -and -not [string]::IsNullOrEmpty($_.HomeDirectory) } | ForEach-Object {
    $sam = $_.SamAccountName
    Set-ADUser -Identity $_ -HomeDrive "H:" -HomeDirectory "\\SERVER02\Users\$sam"
}

Tuesday, March 24, 2015

SBS + DirSync for Office365

Learned today that SBS still doesn't support DirSync. You can install it on a domain controller, which wasn't the case before. So the requirement remains 2008/2012, including DCs. No SBS 2011 (what I was trying in this case).

I haven't seen any information to suggest anyone has gotten it to work. Feel free to share your experience if you have. My assumption is that SBS being a different beast with its extra SQL Express and such just can't do it.

Wednesday, August 27, 2014

Cisco RADIUS Authentication w/ Active Directory and Network Policy Server

I'll try to keep this short and sweet. It took me a bit to find the exact commands I used. The configuration below has been validated to work on Cisco routers, switches, and voice gateways.

Part 1. RADIUS Server Configuration

Assuming you already have a Network Policy Server installed on a DC somewhere...

RADIUS Clients and Servers > RADIUS Clients > Right Click > New RADIUS Client
  • Add Friendly Name
  • IP
  • Vendor = Cisco
  • Shared Secret
    • Manual
    • Enter a key (same as used on the cisco device)
Policies > Network Policies > Right Click > New (use defaults unless specified)
  • Policy Name (I just called this the same as the client friendly name)
  • Conditions
    • Windows Groups: AD Group with network administrator accounts
    • Client Friendly Name: same as friendly from "RADIUS Clients" (prevents policies from inadvertently being applied to the wrong devices. Optional precaution)
  • Authentication Methods > Check "Unencrypted authentication (PAP)". IOS login authentication only does PAP against RADIUS; the password is hidden on the wire solely by the RADIUS shared secret, so make that secret long and random.
  • "Configure Settings"
    • RADIUS Attributes
      • Standard > Remove Framed-Protocol PPP
      • Vendor Specific > Add (allows user to launch in to enable mode by default)
        • Vendor = Cisco
        • Attribute Name = Cisco-AV-Pair
        • Value = shell:priv-lvl=15

Part 2: SSH to Cisco Switch/Router

You'll need...
  • VLAN/IP that authentication will originate from
  • IP of your RADIUS Server
  • RADIUS Secret used in part 1.
Run the following from the command line:

conf t
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
ip radius source-interface <<interface the RADIUS traffic originates from, e.g. Vlan1 or GigabitEthernet0/0>>
radius-server host <<IP of RADIUS Server>> auth-port 1645 acct-port 1646
radius-server key <<RADIUS SECRET>>
service password-encryption

Two things to know about these lines. The "local" at the end of the aaa commands is a fallback that is used only when no RADIUS server answers; a rejection from RADIUS does not fall through to the local database, which is what steps 3 and 4 below verify. And service password-encryption only obfuscates the key in the configuration (type 7, trivially reversible), so treat "show run" output as sensitive. Newer IOS releases replace the radius-server host/key pair with a "radius server <name>" block containing "address ipv4" and "key".

Part 3: Testing

  1. Ensure your admin account can log in and lands in enable mode (priv-lvl 15).
  2. Ensure that other accounts cannot log in. Especially if you have other RADIUS auth policies like we did.
  3. Validate that your local account no longer works while the RADIUS server is reachable (group radius local only consults the local database when RADIUS does not respond, not when it rejects).
  4. "Disable" your RADIUS client in NPS so the switch gets no response. Validate that your local account works as a fail-safe.

Do the testing from a second session while keeping a working session open; a typo in the aaa lines can lock you out of the device.
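A way to check the NPS side of Part 3 without touching a switch, added here as an example and not part of the original post: a PowerShell function that builds a PAP Access-Request by hand, sends it to NPS and validates the Response Authenticator, so you can tell a policy rejection apart from a shared-secret mismatch. It also shows what "Unencrypted authentication" means on the wire. Assumptions: the server, secret, user and password in the usage line are placeholders; the host running it must itself be registered as a RADIUS client in NPS (NPS silently drops packets from unknown sources), and a network policy must apply to it, which the post's "Client Friendly Name" condition would not unless you add an entry for the test host.

```powershell
# Added example, not from the original post. Needs an NPS RADIUS client entry for this host.
function Test-RadiusPapLogin {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][string]$Secret,
        [Parameter(Mandatory=$true)][string]$User,
        [Parameter(Mandatory=$true)][string]$Password,
        [int]$Port = 1812,          # NPS also listens on 1645, the port used in the IOS config above
        [int]$TimeoutMs = 5000
    )
    $enc     = [System.Text.Encoding]::UTF8
    $secretB = $enc.GetBytes($Secret)
    $md5     = [System.Security.Cryptography.MD5]::Create()

    # Request Authenticator: 16 unpredictable bytes (RFC 2865 section 3)
    $reqAuth = New-Object byte[] 16
    ([System.Security.Cryptography.RandomNumberGenerator]::Create()).GetBytes($reqAuth)

    # User-Password hiding (RFC 2865 section 5.2): pad to 16-byte blocks, XOR each block with
    # MD5(secret + previous block), first block keyed by the authenticator. This is all that
    # "Unencrypted authentication" gives you: anyone with the shared secret recovers the password.
    $pw     = $enc.GetBytes($Password)
    $padLen = [int]([math]::Ceiling([math]::Max($pw.Length, 1) / 16) * 16)
    $padded = New-Object byte[] $padLen
    [Array]::Copy($pw, $padded, $pw.Length)
    $hidden = New-Object byte[] $padLen
    $prev   = $reqAuth
    for ($i = 0; $i -lt $padLen; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($secretB + $prev))
        for ($j = 0; $j -lt 16; $j++) { $hidden[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$hidden[$i..($i + 15)]
    }

    # Attributes are TLVs: Type, Length (header included), Value
    $attrs = New-Object System.Collections.Generic.List[byte]
    $add = { param([byte]$Type, [byte[]]$Value)
             $attrs.Add($Type); $attrs.Add([byte]($Value.Length + 2)); $attrs.AddRange($Value) }
    & $add 1  $enc.GetBytes($User)              # User-Name
    & $add 2  $hidden                           # User-Password
    & $add 6  ([byte[]](0, 0, 0, 1))            # Service-Type = Login
    & $add 32 $enc.GetBytes($env:COMPUTERNAME)  # NAS-Identifier
    & $add 80 (New-Object byte[] 16)            # Message-Authenticator, computed below (RFC 2869 section 5.14)
    $maOffset = 20 + $attrs.Count - 16

    $len = 20 + $attrs.Count
    $pkt = New-Object byte[] $len
    $pkt[0] = 1                                 # Code 1 = Access-Request
    $pkt[1] = Get-Random -Minimum 0 -Maximum 256
    $pkt[2] = ($len -shr 8) -band 0xFF
    $pkt[3] = $len -band 0xFF
    [Array]::Copy($reqAuth, 0, $pkt, 4, 16)
    [Array]::Copy($attrs.ToArray(), 0, $pkt, 20, $attrs.Count)
    $hmac = New-Object System.Security.Cryptography.HMACMD5
    $hmac.Key = $secretB
    [Array]::Copy($hmac.ComputeHash($pkt), 0, $pkt, $maOffset, 16)   # HMAC over the packet with the MA value zeroed

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, $Port)
        [void]$udp.Send($pkt, $pkt.Length)
        $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$from)
    } catch [System.Net.Sockets.SocketException] {
        # No answer: host not registered as a RADIUS client, wrong secret (Message-Authenticator
        # fails to verify so NPS discards the packet), wrong port, or a firewall in the way.
        return New-Object PSObject -Property @{ Result = 'NoResponse'; AuthenticatorValid = $false }
    } finally { $udp.Close() }

    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret).
    # A Reject with a valid authenticator is a policy decision; an invalid one means the secrets differ.
    $tail     = if ($resp.Length -gt 20) { $resp[20..($resp.Length - 1)] } else { @() }
    $expected = $md5.ComputeHash([byte[]]($resp[0..3] + $reqAuth + $tail + $secretB))
    $valid    = ($resp[1] -eq $pkt[1])
    for ($i = 0; $i -lt 16; $i++) { if ($expected[$i] -ne $resp[4 + $i]) { $valid = $false } }
    $codes = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
    $code  = $codes[[int]$resp[0]]
    if (-not $code) { $code = "Code $($resp[0])" }
    New-Object PSObject -Property @{ Result = $code; AuthenticatorValid = $valid }
}

# Test-RadiusPapLogin -Server 10.0.0.5 -Secret 'the shared secret' -User 'netadmin' -Password (Read-Host 'Password')
```

Run it once with the network admin account (expect Access-Accept) and once with an ordinary user (expect Access-Reject with AuthenticatorValid true); that covers testing steps 1 and 2 against NPS alone, and the NPS event log (Event ID 6272/6273) will show which policy matched.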