Tag Archives: powershell

Credentials Management in PowerShell

This blog is plagiarized from the best article I’ve ever found on this subject.  Full credit to Kris Powell for this amazing article found here.

Here are my condensed notes for my use.  If you find it useful, give a shout out to Kris Powell.

We now know how to convert a SecureString to an encrypted standard string. We can take any method we like to get a SecureString, convert it to a standard string and then save it to a file. Here is an example of each:

Exporting SecureString from Plain text

"P@ssword1" | `
ConvertTo-SecureString -AsPlainText -Force | `
ConvertFrom-SecureString | `
Out-File "C:\Temp 2\Password.txt"

Exporting SecureString from Get-Credential

(Get-Credential).Password | `
ConvertFrom-SecureString | `
Out-File "C:\Temp 2\Password.txt"

Exporting SecureString from Read-Host

Read-Host "Enter Password" -AsSecureString |  `
ConvertFrom-SecureString | `
Out-File "C:\Temp 2\Password.txt"

Anyone of these examples should provide you with a Password.txt file that has an encrypted standard string the represents the password.

When you need to use this encrypted password, you simply reverse the process by importing the data from your file and use ConvertTo-SecureString. If all you need is a SecureString, you can stop there. You could even take it a step further and create a PSCredential object.

Creating SecureString object

$pass = Get-Content "C:\Temp 2\Password.txt" | ConvertTo-SecureString

Creating PSCredential object

$User = "MyUserName"
$File = "C:\Temp 2\Password.txt"
$MyCredential=New-Object `
-TypeName System.Management.Automation.PSCredential `
-ArgumentList $User,
(Get-Content $File | ConvertTo-SecureString)

Throttle PowerShell scripts to not kill CPU or RAM

Having fun deploying gobs of parallel processes when suddenly things start to slow as CPU and RAM are getting clobbered.  I came up with a way to help scripts be a little more polite to clear up the logjam.  Look for the top of loops or iterative processes to inject checking utilization before proceeding.  If thresholds are exceeded, then the script can pause a bit and check back to see if thresholds came down.  Essentially, it’s a call to a function to check utilization and a small loop to hang out in until utilization comes down.   I have CPU and RAM threshold dialed in at 80%.  One can change to suit.

The function:

function highCpuRam {
 $highCpuRam = $false
 $cpuUsed = [int](gwmi win32_processor).LoadPercentage
 $memUsed = [int]((((gwmi win32_OperatingSystem).FreePhysicalMemory) / ((gwmi win32_OperatingSystem).TotalVisibleMemorySize)) * 100)
 if ($cpuUsed -gt 80) {$highCpuRam = $true}
 if ($memUsed -gt 80) {$highCpuRam = $true}
 return $highCpuRam
}

The check:

 do {
 $busy = highCpuRam
 if ($busy) {"Throttling down. CPU/RAM busy."
 Start-Sleep -m 500}
 }
 while ($busy)

Need to parse a remote Event Log for a specific Event ID and text in the description

My situation is that I need to go through all the System events and look for a particular service and account for when it started and stopped.  The one way I am able to identify the specific service from a specific vendor is that they identified their software in the description.  The Event ID for services starting and stopping is 7036.  Using this script, I’m able to get all those vendor specific service stop/start events:

Get-WinEvent -ComputerName <computer> -FilterHashtable @{logname='system'; id=7036} | Where-Object {$_.message -like "*<my text to find>*"}

This may also be helpful:

Get-EventLog -ComputerName <computer> -Log "Security" | where {($_.Message -like '*<search text>*') -and ($_.EntryType -eq 'FailureAudit')}

.

What processes are listening on HTTP/HTTPS related ports?

Working in a vacuum when initially looking at a server is par for course.  My one clue is that the server for a web application of sorts.   However, one does not know what the application is or what software may be serving up HTTP/HTTPS.  Standards are that the server would be serving up on ports 80 and/or 443, respectively.   Many applications will serve up this kind of traffic on variations like 8080 or, essentially, *80 and *443.  I needed a script to quickly see what processes may be listening on those ports.  This helps me gain insight to track down pieces and help the application owner/team investigate further.  Here’s the script:

# Look for listening ports on *80 and *443 with process ID
$Processes = @{}
Get-Process -IncludeUserName | ForEach-Object {
 $Processes[$_.Id] = $_
}

Get-NetTCPConnection | 
 Where-Object { ($_.State -eq "Listen") -and ($_.LocalPort -like '*80' -or $_.LocalPort -like '*443') } |
 Select-Object LocalAddress,
 LocalPort,
 @{Name="PID"; Expression={ $_.OwningProcess }},
 @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName }}, 
 @{Name="UserName"; Expression={ $Processes[[int]$_.OwningProcess].UserName }} |
 Sort-Object -Property ProcessName, UserName |
 Format-Table -AutoSize

Who initiated the reboot?

This Powershell one liner will check the event log of a remote computer to see what initiated the shutdown or reboot.  If the server just crashed or power was interrupted you can filter on a different Event ID.

Get-EventLog -ComputerName <servername> -LogName System | Where-Object {$_.EventID -eq 1074} | Select-Object -First 1 | FL *

Get-ADUser and Filtering out $null values

Are you having challenges with the Get-ADUser commandlet not pitching errors on a -Filter producing $null results?  Intuitively, it would make sense for the -Filter to filter those out with a -ne $null.  Well, it doesn’t work that way.  There is a Where-Object commandlet that one can pipe to  and filter out those things.  In my example, I chose to filter out $null User Principal Names.  Here’s the example:

$myNonNullUsers = Get-ADUser -Filter { enabled -eq $true } -Properties * | Where-Object {$_.userPrincipalName -ne $null}

Automatically Assign Licences to New Office 365 Accounts

Here’s the scenario: Users are created in Active Directory, on-premise.  The AD Sync Service then will sync up the user account to Office 365.  However, a license is not assigned.  The rule of thumb when assigning new licenses is that people in the call center get an E1 license and the rest of the employees get an E3 license.  The identifying characteristic for the call center users is that their email address is <someone>@mycallcenter.com and everyone else has a different domain for their email.  For your use case, you may have other specific identifiers to help determine the appropriate license.  If one size fits all, you can eliminate the the lines to change to an E1 license and leave the default.

I chose to use a security group to identify users that need a license assigned.  In this case it’s “ADGroup-UsersNeedingLicenses”  When the script runs it will iterate through all members of that security group  and check to see if the account has synchronized up with Office 365.  If the account is there, it will evaluate which license to assign and then assign it.  It will then get the user’s licenses from Office 365 and display them so you can validate that it was updated.  It then removes the user from the security group and we’re done.

If you like, you can set this on a scheduled task to automatically assign licenses to new users on an interval.  One would need to store credentials in a file in order for it to be automated.  I like it because it’s one less administrative task I need to deal with.  I can create the account in AD then go take care of other things.  I come back after a bit and then the user is synchronized and licensed.

<# Get credentials to connect to Office 365 using PowerShell#>
$Password = Get-Content j:\myscripts\ADCredentials.txt | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PsCredential("ServiceAccount@company.onmicrosoft.com",$password)

<# Connect to MSOL #>
Connect-MsolService -Credential $credential

<# Get AD Users designated for license assignment #>
$usersNeedingLicense = Get-ADGroupMember -Identity ADGroup-UsersNeedingLicenses

<# Iterate through the collection of AD users designated for license assignment #>
ForEach ($ADUser in $usersNeedingLicense){
 $ADUser = Get-ADUser -Identity $ADUser -Properties *
 "AD UPN: " + $ADUser.UserPrincipalName
 
 Try {
 $o365User = Get-MsolUser -UserPrincipalName $ADUser.UserPrincipalName -ErrorAction Stop
 $licenseType = "mycompany:ENTERPRISEPACK" <# set default to E3 #>
 If ( $ADUser.UserPrincipalName.Contains("@mycallcenter.com")){$licenseType="mycompany:STANDARDPACK"} <# Assign E1 #>

 "Assign: $licenseType"
 <# Locate and assign license using matching UPN #>
 Set-MsolUser -UserPrincipalName $ADUser.UserPrincipalName -UsageLocation "US" <# Set user licensing to Unites States #>
 Set-MsolUserLicense -UserPrincipalName $ADUser.UserPrincipalName -AddLicenses $licenseType
 <# view for validation #>
 Get-MsolUser -UserPrincipalName $ADUser.UserPrincipalName | fl UserPrincipalName, Licenses
 <# Remove AD user from ADGroup-UsersNeedingLicenses #>
 Remove-ADGroupMember -Identity ADGroup-UsersNeedingLicenses -Members $ADUser.SamAccountName -Confirm:$false
 }

 Catch [System.Exception]{
 $ADUser.UserPrincipalName + " is not in Office 365 yet."
 $error
 }
 Finally {$error.Clear() }
}

Use SCP to copy files from Linux using PowerShell

There’s a lot of different tools out there to essentially SSH to a Linux host.  They seem to come short when one needs to use secure copy.  WinSCP has been around forever and is a relatively mature tool for doing SCP on a Windows client.  My requirement is to copy files from a Linux server to a Windows client.  WinSCP seems to be the best fit for my one need.  Here are the general steps to getting it done:

  • First install WinSCP wrapper to enable use of SCP from PowerShell.  Windows Management Framework 5.0 is a prerequisite.
  • Run the WinSCP application to collect the key from the target Linux host.
  • Generate credentials to be used by a script to copy files.  Run a script to copy the files.
  • If needed, set up a scheduled task to run the copy script on an interval.

Download WinSCP .NET assembly for use with PowerShell: https://winscp.net/eng/docs/library_powershell#powershell_scripting

In PowerShell running as administrator, run the following:

Install-Module -Name WinSCP

Check the install by running the following:

Get-Command -Module WinSCP

Store credentials to be used in a later script.
Save Password to File
$credential = Get-Credential
$credential.Password | ConvertFrom-SecureString | Set-Content G:\scripts\PasswordFile.txt

Run a script the uses the password file to access the Linux server and copy over your files.
$session = New-WinSCPSession -Hostname <Linux Host> -Credential $credential -SshHostKeyFingerprint "ssh-rsa-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx"

Receive-WinSCPItem -WinSCPSession $session -Path “/…/somefile” -Destination “C:\folder\destination\etc\”

Remove-WinSCPSession -WinSCPSession $session

Setting permissions on home drive folders

Scenario: Home drives were initially shared out on a Linux based NAS appliance.  The device fails, but the data remains intact. The data is recovered using a file copy utility.  The data is recovered… Yay!  All the NTFS-like file permissions are gone… 🙁

By the way, here’s a really good blog that details the required NTFS permissions for user home drives:

https://blogs.technet.microsoft.com/askds/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders/

I get to fix these sorts of things!  Welcome to my world!

Now, I need to iterate through all of the folders and set them for each individual user.  Doing through the NTFS permissions GUI for each one is a Systems Administrator’s purgatory.  Needless to say, I’m not going to do that.  Wouldn’t it be better to script that?  I see a bunch of virtual heads nodding and I agree.

I’m going to do it using PowerShell module that was created by Raimund Andree.  Thank God for that cat!  You can get the module here: https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85

More details on how to use the module to manage NTFS permissions can be found here: https://blogs.technet.microsoft.com/heyscriptingguy/2014/11/22/weekend-scripter-use-powershell-to-get-add-and-remove-ntfs-permissions/

$userFolderPath = "E:\User\"
$folders = Get-ChildItem $userFolderPath
foreach ($folder in $folders)
{
    $ADUser = Get-ADUser -Filter {Enabled -eq  $true -and SamAccountName -eq $folder.Name} -Properties CanonicalName
    if (-Not ($ADUser -eq $null))
    {
        $domain = $ADUser.CanonicalName.Substring(0,$ADUser.CanonicalName.IndexOf("."))
        $userSecurityPrincipal = $domain + "\" + $ADUser.SamAccountName
        $userFolder = $userFolderPath + $folder
        $userSecurityPrincipal + " => " + $userFolder
        Add-NTFSAccess -Path $userFolder -Account $userSecurityPrincipal -AccessRights FullControl
    }
}

Creating home drive folders for users without one

Of course I know that one can use the “Home folder” option in the Profile of the user in Active Directory.  Due to certain constraints of a situation I inherited, that’s really not an option for now.

I need to do it in bulk, for a bunch of active user accounts within a specific OU.  Additionally, I don’t know if the user has a folder or not.  Nor do I feel like waiting for these users to login and then have the folder created.

Luckily for me, I have a ton of storage and a single location for user home folders.  I simply want to walk through all the users in a specific OU, like “…this\path\to\my\ou\…”  If the folder does not exist, then go ahead and create it.

$homePath = "Q:\UserHome\"
$userHome = get-aduser -filter {enabled -eq $true} -properties SamAccountName,CanonicalName
foreach ($ADUser in $userHome)
{
  if ($ADUser.CanonicalName -like '*/myOu/Path/*')
  {
    $userHomePath = $homePath + $ADUser.SamAccountName
    if (-Not (Test-Path $userHomePath))
    {
      New-Item $userHomePath -Type Directory
    }
  }
}