powershell

Set-ACL – Set file and folder permissions

Posted by robd on May 12, 2019
powershell, Server / No Comments

I wanted to add an AD group to all the files and folders in a share. The problem is that inheritance had been turned off on lots of the folders, so I couldn’t just add the AD group to the top and let it filter down. So the solution was to use PowerShell.
First I mapped a drive to the Share (x: in this case). Why didn’t I run this on the server? UAC is a pain in the bum.

You’ll need to change the path and the domain and AD group.

$folders = Get-ChildItem -Directory -Path X:\ -Recurse
foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName
    # Allow FullControl, inherited by subfolders and files
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        ("DOMAIN\AD_GROUP", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
    # SetAccessRule replaces any existing Allow rule for this group on the folder
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl -Path $folder.FullName
}
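To touch only the folders that need it, the variant below (an added example, not part of the original post) adds the rule to the share root and to folders where inheritance is disabled, and reports what it did. `X:\` and `DOMAIN\AD_GROUP` are the post's placeholders; the `$DryRun` switch and the variable names are assumptions for illustration.

```powershell
# Added example: X:\ and DOMAIN\AD_GROUP are the post's placeholders.
$Root     = 'X:\'
$Identity = 'DOMAIN\AD_GROUP'
$Rights   = 'FullControl'   # as in the post; 'Modify' is enough if the group need not change permissions
$DryRun   = $true           # assumption: set to $false to apply the change

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'

# The root itself plus every subfolder; -Force includes hidden folders.
$rootItem = Get-Item -Path $Root
$folders  = @($rootItem) + @(Get-ChildItem -Directory -Path $Root -Recurse -Force)

$result = foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName

    # Folders that still inherit receive the rule from their parent, so skip
    # them. The root always gets the explicit rule.
    $isRoot = $folder.FullName -eq $rootItem.FullName
    if (-not $isRoot -and -not $acl.AreAccessRulesProtected) { continue }

    $action = 'WouldAdd'
    if (-not $DryRun) {
        # AddAccessRule merges with existing entries for the identity;
        # SetAccessRule would replace them.
        $acl.AddAccessRule($rule)
        Set-Acl -Path $folder.FullName -AclObject $acl
        $action = 'Added'
    }
    [pscustomobject]@{
        Folder               = $folder.FullName
        InheritanceDisabled  = $acl.AreAccessRulesProtected
        Action               = $action
    }
}

$result | Format-Table -AutoSize
```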

 


Get-ACL – Report file and folder permissions

Posted by robd on May 11, 2019
powershell, Server / No Comments

If you need to report out file and folder permissions of a file share, see the below PowerShell.

First map the share to a drive if it isn’t already. In my case X: drive.

Why didn’t I do this on the server hosting the files? UAC gets in the way and is a pain in the bum.

$FolderPath = dir -Directory -Path "x:\" -Recurse -Force
$Report = @()
Foreach ($Folder in $FolderPath) {
    $Acl = Get-Acl -Path $Folder.FullName
    # One report row per access control entry on the folder
    foreach ($Access in $Acl.Access) {
        $Properties = [ordered]@{
            'FolderName'       = $Folder.FullName
            'AD Group or User' = $Access.IdentityReference
            'Permissions'      = $Access.FileSystemRights
            'Inherited'        = $Access.IsInherited
        }
        $Report += New-Object -TypeName PSObject -Property $Properties
    }
}
# -NoTypeInformation leaves out the #TYPE header line
$Report | Export-Csv -Path "C:\temp\Folder_Permissions.csv" -NoTypeInformation
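Once the report exists, the rows worth a second look can be pulled out automatically. The following is an added example, not part of the original post: it flags broad principals with write access, unresolved SIDs and explicit FullControl entries. The sample rows, the `$broad` list and the reason texts are constructed for illustration; the column names are the ones the report script writes.

```powershell
# Constructed sample rows in the report's column layout. For real data use:
#   $rows = Import-Csv 'C:\temp\Folder_Permissions.csv'
$rows = @'
"FolderName","AD Group or User","Permissions","Inherited"
"X:\Finance","DOMAIN\Finance_RW","Modify, Synchronize","True"
"X:\Finance\Payroll","Everyone","FullControl","False"
"X:\HR","BUILTIN\Users","ReadAndExecute, Synchronize","True"
"X:\HR\Cases","DOMAIN\jsmith","FullControl","False"
"X:\Old","S-1-5-21-1111111111-2222222222-3333333333-1234","Modify, Synchronize","False"
'@ | ConvertFrom-Csv

# Assumption: principals considered too broad for write access on this share.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'DOMAIN\Domain Users'

$findings = foreach ($row in $rows) {
    $who     = $row.'AD Group or User'
    $rights  = $row.Permissions
    $reasons = @()

    if ($broad -contains $who -and $rights -match 'FullControl|Modify|Write') {
        $reasons += 'broad principal with write access'
    }
    # A raw domain SID means the account no longer resolves to a name.
    if ($who -match '^S-1-5-21-') {
        $reasons += 'unresolved SID'
    }
    # CSV values are strings, so compare against the text 'False'.
    if ($row.Inherited -eq 'False' -and $rights -match 'FullControl') {
        $reasons += 'explicit FullControl'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Folder   = $row.FolderName
            Identity = $who
            Rights   = $rights
            Why      = $reasons -join '; '
        }
    }
}

$findings | Format-Table -AutoSize
```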

 

 


icacls – Backing up Permissions

Posted by robd on May 10, 2019
powershell, Server / No Comments

I wanted to make some changes to some permissions en masse today but decided it would be prudent to back up the permissions first.

So I used icacls. To do this I first ran CMD as admin, then mapped the share drive with “Net Use“.

Why didn’t I do this on the server hosting the files? UAC gets in the way and is a pain in the bum.

To back up the permissions:

Switches:

/t – Performs the operation on all specified files in the current directory and its subdirectories.

/c – Continues the operation despite any file errors. Error messages will still be displayed.

icacls x:\ /save c:\temp\permissions.txt /t /c

Then to restore:

icacls y:\test /restore c:\temp\permissions.txt

 


Edit VMs using PowerShell and PowerCLI

Posted by robd on January 28, 2019
powershell, vmware / No Comments

To resize VMs using PowerShell with PowerCLI from a csv list, first install the software:

 

https://my.vmware.com/web/vmware/details?downloadGroup=PCLI650R1&productId=614

 

Then create a list of servers to resize and save it as a CSV file in C:\temp\VMs.csv:

 

Server01

Server02

Server03

 

Save the below as Something.PS1 and run from PowerCLI

Note: Change VCENTRE to your vCentre, this script will TURN THE SERVER OFF then give each VM two CPUs, one socket and 5GBs of RAM.

 

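$me = Get-Credential

# -Credential takes the PSCredential object; -User expects a plain user name
Connect-VIServer "VCENTRE" -Credential $me

$vms = Get-Content C:\Temp\VMs.csv

ForEach ($vm in $vms) {
    # Act on the current VM only, not on the whole list each time round
    Get-VM -Name $vm | Shutdown-VMGuest -Confirm:$False

    # Give the guest time to shut down before changing its hardware
    Sleep 60

    # Memory and CPU values as given in the script; adjust to the size you need
    Get-VM -Name $vm | Set-VM -MemoryGB 8 -NumCpu 2 -Confirm:$False

    Get-VM -Name $vm | Start-VM
}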

 


Install the Remote Server Administration Tools (RSAT) on Windows 10 1809 via PowerShell

Posted by robd on October 19, 2018
powershell / No Comments

Just a quick one, to install RSAT on Windows 10 1809 via PowerShell:

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

then check:

Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State

 


Use PowerShell to Remotely Enable Firewall Exceptions

Posted by robd on October 18, 2018
powershell / No Comments

Got this today while connecting to Event Viewer on a remote Windows 10 machine:

“Computer ‘DC01.MIKEFROBBINS.COM’ cannot be connected. Verify
that the network path is correct, the computer is available on the
network, and that the appropriate Windows Firewall rules are enabled
on the target computer.
To enable the appropriate Windows Firewall rules on the remote
computer, open the Windows Firewall with Advanced Security snap-in
and enable the following inbound rules:
COM+ Network Access (DCOM-In)
All rules in the Remote Event Log Management group
You can also enable these rules by using Group Policy settings for
Windows Firewall with Advanced Security. For servers that are running
the Server Core installation option, run the Netsh AdvFirewall
command, or the Windows PowerShell NetSecurity module.”

To fix remotely:

Invoke-Command -ComputerName COMPUTERNAME {
Set-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Enabled True -PassThru |
select DisplayName, Enabled
} -Credential (Get-Credential)
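Enabling the group as above leaves the rules' source addresses at whatever they were. The following added example (not part of the original post) enables the same group, restricts it to one management address and reads the result back. `COMPUTERNAME` is the post's placeholder; the address `192.0.2.10` and the variable names are assumptions.

```powershell
$Target     = 'COMPUTERNAME'   # placeholder from the post
$AdminHosts = '192.0.2.10'     # assumption: admin workstation (documentation address range)
$Group      = 'Remote Event Log Management'

Invoke-Command -ComputerName $Target -Credential (Get-Credential) `
    -ArgumentList $Group, $AdminHosts -ScriptBlock {
    param($Group, $AdminHosts)

    # Enable the rule group and restrict its source addresses in one call.
    Set-NetFirewallRule -DisplayGroup $Group -Enabled True -RemoteAddress $AdminHosts

    # Read the rules back with their address filter to confirm the scope.
    Get-NetFirewallRule -DisplayGroup $Group | ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            RemoteAddress = $filter.RemoteAddress -join ','
        }
    }
} | Select-Object Rule, Enabled, Profile, RemoteAddress
```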

 

 

 


Disable Dedup

Posted by robd on September 23, 2018
powershell, Server 2012 / No Comments

How to disable Dedup:

First, an important point about disabling dedup (via GUI or PowerShell): disabling it only stops further deduplication from occurring, i.e. data that has already been deduplicated will remain deduplicated.

If you want to “move” the data back to the original files and out of the deduplication store (Chunk Store), you need to use this PowerShell command:

start-dedupjob -Volume <VolumeLetter> -Type Unoptimization

You can check the status on where this is at by using

get-dedupjob

Here’s another gotcha: chunk size (love that name) will not get smaller until you run two more commands, GarbageCollection and Scrubbing. GarbageCollection will find and remove unreferenced chunks and Scrubbing will perform an integrity check, but this won’t work unless dedup is on, so enable dedup:

Enable-DedupVolume -Volume <VolumeLetter>

Then run garbage collection:

start-dedupjob -Volume <VolumeLetter> -Type GarbageCollection

start-dedupjob -Volume <VolumeLetter> -Type Scrubbing

Once your drive is small again then disable dedup:

Disable-DedupVolume -Volume <VolumeLetter>


Dedup and Chunk Store is Huge!

Posted by robd on September 21, 2018
powershell, Server 2012 / 4 Comments

Found a drive was running low on space today and on closer inspection with TreeSize I found that ChunkStore (brilliant name) was taking up the drive space:

Odd as it looks as dedup wasn’t working:

To fix it I ran the following PowerShell:

start-dedupjob -Volume <VolumeLetter> -Type GarbageCollection

start-dedupjob -Volume <VolumeLetter> -Type Scrubbing

What does this do, I hear you say? Garbage collection is the process that removes “data chunks” that are no longer referenced, i.e. it removes references to deleted files and folders. This process deletes content to free up additional space. Data scrubbing checks integrity and validates the checksum data.

To monitor it I ran:

 Get-DedupJob

This seems to have fixed it for me:


Ratio of Physical CPUs to Virtual CPUs in VMware

Posted by robd on August 06, 2018
powershell, vmware / 1 Comment

My colleague Welsh Dai made this sweet bit of PowerShell to see the ratio of physical CPUs to Virtual CPUs:

$allhosts = @()
$cluser2hosts = Get-VMHost | where {$_.Parent -LIKE "ClusterName"} 
foreach ($vmhost in $cluser2hosts)
{
   $vms = $vmhost | Get-VM | select name,numcpu | measure -Property numcpu -Sum
   $hostload = New-Object psobject -Property @{
            hostname = $vmhost.Name
            PhysicalCPUs = $vmhost.NumCpu
            vCPUs = $vms.Sum
            hostratio = $vms.sum / $vmhost.NumCpu
    }
    $allhosts += $hostload 
}

$allhosts  | select hostname,physicalCPUs,vCPUs,hostratio | sort hostratio

 


Auditing Active Directory Password Quality

Posted by robd on April 24, 2018
Active Directory, powershell / No Comments

Hi All,

A chap called Michael Grafnetter has created a brilliant PowerShell script to check password hashes in Active Directory against a list of simple or common passwords.

This is great to encourage users not to use obvious passwords, for example if a company is called Contoso then you’d want to encourage users not to use Contoso1 etc.

Here’s how:

Download the software:

https://github.com/MichaelGrafnetter/DSInternals/releases/tag/v2.22

Copy the DSInternals directory to your PowerShell modules directory, e.g.

C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DSInternals
C:\Users\John\Documents\WindowsPowerShell\Modules\DSInternals.

Launch Windows PowerShell.
(Optional) If you copied the module to a different directory than advised in step 4, you have to manually import it using the Import-Module .\DSInternals\DSInternals.psd1 command.

Next create a text file called passwords.txt and fill it with passwords you’d like to scan for, example:

Password
Password1
Contoso1

Then here’s an example script:

First set the password txt file.

Then set the Domain Controller, in this case DC1.

Then set the distinguished name of the OU and sub OUs you want to scan:

Note: ” and ‘ are not showing up properly.

$dictionary = Get-Content passwords.txt | ConvertTo-NTHashDictionary
Get-ADReplAccount -All -Server DC1 -NamingContext 'dc=adatum,dc=com' |
Test-PasswordQuality -WeakPasswordHashes $dictionary -ShowPlainTextPasswords -IncludeDisabledAccounts

Here’s an output:

Active Directory Password Quality Report
----------------------------------------
 
Passwords of these accounts are stored using reversible encryption:
  April
  Brad
  Don
 
LM hashes of passwords of these accounts are present:
 
These accounts have no password set:
  Guest
  nolan
  test
 
Passwords of these accounts have been found in the dictionary:
  adam                Pa$$w0rd
  peter               July2016
 
Historical passwords of these accounts have been found in the dictionary:
  april               Pa$$w0rd
  brad                Pa$$w0rd
 
These groups of accounts have the same passwords:
  Group 1:
    Aidan
    John
  Group 2:
    Joe
    JoeAdmin
    JoeVPN
 
These computer accounts have default passwords:
  LON-CL2$
 
Kerberos AES keys are missing from these accounts:
  Julian
 
Kerberos pre-authentication is not required for these accounts:
  Holly
  Chad
 
Only DES encryption is allowed to be used with these accounts:
  Holly
  Jorgen
 
These administrative accounts are allowed to be delegated to a service:
  Administrator
  April
  krbtgt
 
Passwords of these accounts will never expire:
  Administrator
  Guest
 
These accounts are not required to have a password:
  Guest
  Magnus
  Maria
