Active Directory Flexible Authentication Secure Tunneling (FAST)

Let’s discuss Flexible Authentication Secure Tunneling (FAST).

This new feature implemented in the Windows Server 2012 KDC, provides protection against password-based dictionary attacks. FAST is an extra level of security above password lockout policies and works at the Kerberos authentication level.

What is FAST and Kerberos Armoring?

Sometimes referred to as one in the same, FAST provides offline dictionary attack prevention, that work around Kerberos errors being spoofed. If the Kerberos authentication sequence fails, authentication falls back to NTLM authentication, a less secure method.

FAST is defined by RFC 6113 and RFC 4851, to prevent spoofing Kerberos errors. FAST is also referred to as Kerberos Armoring. FAST provides a secured and protected channel to provide a protected channel between a domain-joined client and DC and involves the LSA (Local Security Authority), the Netlogon Service, and the KDC. FAST protects Kerberos pre-authentication data for the “AS_REQ” by using the LSK (randomly generated logon session key) from the TGT (Ticket Granting Ticket during the Kerberos authentication sequence) as a shared secret to fully encrypt Kerberos messages and sign all possible Kerberos errors. The shared secret provides an additional “salt” in the Kerberos authentication process. This results in increased processing time, but it does not change the Kerberos service ticket size. The shared secret provides DCs the ability to return Kerberos authentication errors, which in turn, protects against spoofing, man-in-the middle, and other attacks.

FAST and Windows Server 2008

Although Windows Server 2012 and newer domain controllers are required to support this feature, there are no requirements for the domain or forest functional levels to be at Windows Server 2012. Therefore, you can have Windows Server 2008 and Windows Server 2008 R2 domain controllers, with forest functional level on Windows Server 2008.

The only exception is if you are implementing claims across a forest trust.

FAST requirements

  • Functional levels must be at least Windows Server 2008.
  • For full support, Domain and Forest Functional Levels must be at Windows Server 2012, which means that all domain controllers must be at least Windows Server 2012.
  • The Active Directory Domain must support Claims Based Access Control (CBAC) and Kerberos Armoring policy for all Windows Server 2012 domain controllers.
  • CBAC is an authorization method granting or denying access based on an arbitrary authorization decision algorithm using data in claims.

Additional Reading on CBAC:
Authorization in Claims-Aware Web Applications and Services
http://msdn.microsoft.com/en-us/library/windowsazure/gg185915.aspx

The domain can be configured either to require Kerberos armoring, or use it upon request. This allows backward support for legacy clients.This can be enabled by using two Group Policy settings:

  • “Support CBAC and Kerberos armoring”
  • “All DCs can support CBAC and Require Kerberos Armoring”

Additional Reading

What’s New in Kerberos Authentication?
http://technet.microsoft.com/en-us/library/hh831747.aspx

The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST)
http://tools.ietf.org/html/rfc4851

A Generalized Framework for Kerberos Pre-Authentication
http://tools.ietf.org/html/rfc6113

==================================================================

Summary

Stay tuned. This is part of a release of previously unreleased documentation.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Active Directory DNS Single Label Names

Intro

Hey everyone, Ace again. Let’s discuss this issue. I hardly see this issue any more, because it was a previously prevalent when Active Directory was introduced, since there were some confusion about AD domain naming, and many IT admins used NT4’s domain naming guidelines. Man of us are now familiar with AD’s naming convention, and have more than likely renamed or rebuilt their AD domains. However, there are still some installations with this issue. 

How did it happen? Many reasons, such as lack of research on AD’s DNS requirements, assumptions, or a simple typo when originally upgrading from NT4 or promoting your new AD domain. It doesn’t matter now, because you were brought here to find out what to do with it.

I hope you find this blog informative on this issue and what to do about it.

First, let’s discuss a little background on the necessary components at play…

FQDN

First, let’s discuss the FQDN. What is an FQDN? It stands for “Fully Qualified Domain Name.” It is multi-level, or hierarchal, such as:

domain.com
domain.net
domain.local
childdomainname.domain.local
etc

What is a Single Label DNS Domain name?
The name is reminiscent of the legacy style NT4 domain NetBIOS domain names, such as:

DOMAIN
CORP
COMPANYNAME
etc

Unfortunately, since this does not work with DNS, and Active Directory relies on DNS, therefore, it does not work with Active Directory. Stay with me. I’ll explain…

DNS

DNS is a hierarchal database. Some call it a “tree” with a root (the ‘com’ or ‘net’, etc, name), then the trunk (the ‘domain’ portion of it), and the branches (such as www, servername, etc). The Root domain name, such as com, edu, net, etc, is also known as the TLD (Tope Level Domain name).

Basically you can look at a DNS domain name as having multiple levels separated by periods. The minimal requirment for an FQDN domain name, such as microsoft.com, is two levels. Then of course are your resource names, such as www, servername, or even child domain names under it.

Notice with a single label name there is only one name for the domain, or one level? Don’t get this confused with the NetBIOS domain name, that we were familiar with in the NT4 days. AD supports the NetBIOS domain name as well, but only as a NetBIOS domain name. It’s one of the domain names chosen when a machine is promoted into a domain controller for a brand new domain in a brand new forest. NT4 wasn’t reliant nor did it use DNS for NT4 domains. However, AD is reliant, therefore it must follow DNS naming rules.

Unfortunately the old NT4 style names are not hierarchal because there is only one level.
 
Since AD requires and relies on DNS, and DNS is a hierarchal database, a single label name does not follow any sort of hierarchy. DNS fails with single label names. Windows 2008, Windows 2003, XP and Vista have problems resolving single label names because it does not follow the proper format for a DNS domain name, such as domain.com, etc.

Also, Windows 2000 SP4 and all newer machines have problems querying single label names. It’s explained below by Alan Woods. Because clients query DNS for AD resources (domain controller locations and other services), they may have difficulty finding resources.

How did it happen? As I said earlier, it doesn’t matter now, because you were brought here to find out what to do with it.

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (or any AD upgrade or installation):
http://support.microsoft.com/kb/555040

Single Label Name Explanation

Another variation of the Single Label Name explanation that I had provided in a response to a post in the DNS and/or AD newsgroups at one time:

The issue is the single label name. Locally at HQ, it’s using NetBIOS to join, however remotely, it’s relying on DNS. DNS queries do not work properly with single label names on Windows 2000 SP4 and all newer machines.

Period. Why? good question. It’s based on the fact DNS is hierarchal. Hierarchal meaning it must have multi levels, a minimum of two levels.

The TLD (top level domain) is the root name, such as the com, net, etc., names. The client side resolver service algorithm (which is governed by the DHCP Client service which must be running on all machines, static or not),
relies on that name for the basis to find the second level name (the name “domain” in domain.com, etc.). If the name is a single label name, it thinks THAT name is the TLD.

Therefore it then hits the Internet Root servers to find how owns and is authoritative for that TLD.Such as when looking up Microsoft.com. It queries for the COM portion, which the roots return the nameservers responsible for the COM servers, then it queries for the servers responsible for Microsoft.com zone.

If it’s a single label, the query ends there, and it won’t go further. However what is funny (sic) is that even though the single label name is being hosted locally in DNS, it will NOT query locally first, because it believes it is a TLD, therefore goes through the normal resolution (recursion and devolution) process, which causes excessive query traffic to the internet Root servers.

How to fix it? Good question. Glad you’ve asked.

  1. The preferred “fix” (in a one line summary), is to install a fresh new domain properly named and use ADMT to migrate user, group and computer accounts into the new domain from the current domain.
  2. An alternative is to perform a domain rename, (difficulty depends on the operating system and which version of Exchange is installed).
  3. As a temporary resort, you can use the patch or band aid registry fix to force resolution and registration that is mentioned in the following link. This must be applied to every machine. Unfortunately it must be done on every machine in the domain, including the DCs, member servers, workstations and laptops.

Information About Configuring Windows 2000 for Domains with Single-Label DNS Names:
http://support.microsoft.com/?id=300684

Single Label Names and being a better Internet Neighbor

The following was posted by Microsoft’s Alan Woods in 2004:

Single label names, from Alan Woods, [MSFT], posted:

—– Original Message —–
From: “Alan Wood” [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS

Hi Roger,

We really would prefer to use FQDN over Single labled. There are
alot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.

Example: Single Labeled domain .domainA
then, you add additional domains on the forest.
child1.domainA
Child2.child1.domainA

If a client in the domain Child2 wants to resolve a name in domainA
Example. Host.DomainA and uses the following to connect to a share
\\host then it is not going to resolve. WHY, because the resolver is
first going to query for first for Host.Child2.child1.domainA, then it
next try HOST.Child1.domainA at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.

Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that.   NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON’T DO IT.  It will still allow you to do it, but you
will still be required to make the registry changes, which is really not
fun.

Microsoft is seriously asking you to NOT do this.  We will support you but
it the end results could be limiting as an end results depending on the
services you are using.

Thank you,

Alan Wood[MSFT]

 

Related Articles – Even though they seem old, they STILL APPLY!!!

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain
http://support.microsoft.com/kb/555040

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003:
http://support.microsoft.com/kb/825036

DNS and AD (Windows 2000 & 2003) FAQ:
http://support.microsoft.com/kb/291382

Naming conventions in Active Directory for computers, domains, sites, and OUs (Good article on DNS and other names)
http://support.microsoft.com/kb/909264

============================================================

Summary

I hope this helps!

Published 10/15/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Remote Server Administration for Windows 2012 R2

image

 

Prologue

Ace here again. This discusses remote administration. Simple, right? Maybe not!

Remote Server Administration for Windows 2012 R2

Server Manager in Windows Server® 2012 R2 can be used to perform various management tasks on remote servers. By default, remote management is enabled on Windows Server 2012 R2.You can add remote servers to the Server Manager Server pool in Windows Server 2012 R2 Server Manager.

Objectives

Discuss the following remote admin methods

  • What is Remote Management?
  • How to Enable and Disable Remote Management
  • Remote Management and Tools Commands
  • Server Manager
  • WinRM
  • PowerShell Remoting
  • Remote Desktop
  • Remote Server Administration Tools (RSAT)
  • SCONFIG

What is Remote Management?

Windows Server 2012 R2 provides the ability to remotely manage multiple servers with a number of methods. One of the newest features in Windows Server 2012 is the ability to use Server Manager for this task.

In addition to Windows Remote Management, you can also use Remote Shell and Remote Windows PowerShell to manage remote computers. This provides you the ability to locally load Windows PowerShell modules, such as Server Manager, and execute PowerShell cmdlets available in the loaded module on remote servers. This allows you the ability to run PowerShell commands and scripts. This works including when the script is only on the local server

Windows Remote Management (WinRM) is the Windows implementation of WS-Management, which is an industry standard, Web-based services based protocol. Windows runs the WinRM as a service under the same name, WinRM. WinRM provides secure local and remote communications for management applications and scripts.

In addition, Windows Remote Management is one of the components of the Windows Hardware Management features to allow secure local and remote Windows Server management across a firewall using standard Web service-based protocols.

If the server hardware has an optional, built-in Baseboard Management Controller (BMC) provided by the hardware vendor, you can also remotely manage a system even if the Windows operating system has not yet booted or has failed. This also allows access to the server’s BIOS.

A BMC is an option m provided by hardware vendors, that consists of a microcontroller and an independent network connection that you can communicate to if the server ever becomes offline.

When a server is not connected to a BMC, WinRM can still be used to connect to WMI remotely in situations where firewalls may block DCOM communications, because WinRM uses the secure web-based port, TCP 443.

Additional Reading on WinRM:

About Windows Remote Management
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384291(v=vs.85).aspx

Hardware Management Introduction (includes BMC information)
http://technet.microsoft.com/en-us/library/f550cac0-5344-41cb-8e89-6e5c93236886

.
 
How to Enable and Disable Remote Management

There are a number of methods to administer WinRM.

· Winrm.cmd – Command line tool that allows administrators to configure WinRM, get data, or manage resources. For syntax, you can run winrm /? for online help.

· Win-RM Scripting API – Allows you to create remote administration scripts that expose the WS-Management APIs and protocols.

· Winrs.exe –A command line tool to execute CMD commands on remote servers using WS-Management APIs. For example, to remotely get an ipconfig /all from a remote machine, you can run:
winrs –r:DC12.trimagna.com “ipconfig /all”;tasklist

You can also use the help command to see all possible options and syntax:
winrs –?

· IPMI and WMI Providers – The IPMI provider and drivers allow remote hardware management using BMC. These can be used programmatically.

· WMI Service – Using the WMI plug-in, WMI runs together with WinRM to provide data or control functions for remote management.

· WS-Management protocol – SOAP based protocol using XML messages. It is a web-based, firewall friendly protocol running across secure TCP 443 providing industry-standard interoperability to transfer and exchange management information.

Remote Management Tools and Commands

There are a number of ways to enable, disable and configure Remote Management.

Server Manager

To enable or disable Remote Management, in Server Manager Local Server node, click the text next to Remote Management icon.

WinRM Command

You can use the WinRM command to enable, disable, and configure Remote Management.

The syntax is:

WinRM OPERATION RESOURCE_URI [-SWITCH:VALUR [-SWITCH:VAKLUE] …] [@{KEY=VALUR [;KEP=VALUE]…}]

You can use the following to check the current Remote Management configuration and status:
winrm get winrm/config

Or you can run it remotely on another server using the WinRS command:
winrs –r:DC12-1.trimagna.com “winrm /config”;tasklist

To enable or disable Remote Management:
WinMR qc

When the WinRM qc command is run, it performs a number of steps to enable and configure the Remote Management service:

  1. Configures and changes the WinRM service from Manual to Automatic startup.
  2. Starts the WinRM service.
  3. Creates and configures a listener that will accept WinRM requests on any IP address.
  4. Creates a Windows Firewall exception for WS-Management traffic for the HTTP protocol.

If the Windows Firewall is disabled, you will see one of the following error messages:

  • WSManFault
  • Message
  • ProviderFault
  • WSManFault
  • Message = Unable to check the status of the firewall.
  • Error number: -2147023143 0x800706D9
  • There are no more endpoints available from the endpoint mapper.

To view the command syntax and options, you can run winrm -?

WinRM supports the following commands:

  • PUT
  • GET
  • ENUMERATION
  • INVOKE
WinRM Examples:

Start a service on a remote machine:
winrm invoke startservice wmicimv2/Win32_Service?name=w32time -r:DC12

Reboot a remote machine:
winrm invoke reboot wmicimv2/Win32_OperatingSystem -r:FS1

Additional Reading on the WinRM commands:

An Introduction to WinRM Basics – From the EPS Windows Server Performance Team
http://blogs.technet.com/b/askperf/archive/2010/09/24/an-introduction-to-winrm-basics.aspx

.

PowerShell Remoting

There a number of cmdlets that use WMI for remote administration. The cmdlets invoke a temporary connection the remote computer using WMI, runs the command, then closes the session.

These cmdlets do not use WS-Management based remoting, therefore the computer does not require to be configured for WS-Management nor does it have to meet the system requirement for WS-Management. Because they are not WS-Management service related, you can use the ComputerName parameter in any of these cmdlets

You can run the Invoke-Command cmdlets to run commands on other computers.

For example, to get a list of all services on a remote computer that are either running or stopped, you can run the following command
Invoke-Command –computername DC12 –scriptblock {get-service)

Or to see the status of a single service:
Invoke-Command –computername DC12 –scriptblock {get-service WinRm)

Additional Reading on Remote PowerShell:

Windows PowerShell Remoting – Complete list of commands
http://msdn.microsoft.com/en-us/library/windows/desktop/ee706585(v=vs.85).aspx

.

 

Remote Server Administration Tools (RSAT) for Windows

Remote Server Administration Tools for Windows®  includes Server Manager, Microsoft Management Console (MMC) snap-ins, consoles, Windows PowerShell® cmdlets and providers, and some command-line tools for managing roles and features that run on Windows Server 2012 R2.

.

SCONFIG

For Server Core, you can use the SCONFIG command and choosing Option #4, then choosing Option #1 to Enable Remote Management, or Option #2 to Disable Remote Management.

image

Additional Reading on WinRM tools

About Windows Remote Management
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384291(v=vs.85).aspx

.

Remote Desktop

Remote Desktop has been used for a number of years, and it is the most common method to remotely administer a remote machine. To use Remote Desktop, it must be enabled first on the remote computer. To enable Remote Desktop on the full version of Windows Server 2012, perform the following steps”

  1. Open Server Manager
  2. Click the Local Server Node
  3. Click the “Disabled” status next to Remote Desktop.
  4. The System Properties page appears and is focused on the Remote tab.
  5. Under the Remote tab, select one of the following:
  1. Don’t allow connections to this computer – Default disabled.
  2. Allow connections only from Computers running:
  1. Checkbox: Allow Remote Desktop with Network Level Authentication – If you check this box, this setting enables and only allows secure connections from Remote Desktop clients that support network-level authentication.

image

You can also enable Remote Desktop on Sever Core using the SCONFIG command.

==================================================================

 

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023 clip_image0043 clip_image0063 clip_image0083 clip_image0103 clip_image0123 clip_image0143 clip_image0163

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Migrate Files to a new File Server using RoboCopy, IP addresses, and Relative Paths using the Administrative Shares

Prologue

Ace Fekay here again.

You might say to yourself this is some really simple stuff. Sure, it might be, for the pro. As many of you know, I’m an avid Active Directory and Exchange server engineer/architect, and an MVP in Active Directory.

Therefore with AD, Exchange, and Office 365, you will find that scripting comes into play more and more with your daily tasks.  The main reason I’m posting simple scripts is that to get the job done, I just needed an arsenal of simple quickie scripts when called upon a simple task, such as this one, when tasked to quickly get a list of users in a group.

I hope this, and my future scripts, especially with Office 365, help you out.

Scope

This is one method to migrate data from one file server to another. I have one method that I will post later, that does it by the share names. This is to just get the two closer to having the same data before I run the final script.

DFS

Keep in mind, we use DFS. I will already have created a new target to the new file server for the current share, but keep the new targets disabled until ready to cut over.

However, when we cut over the target to the new server, we would like to shut off the shares on the source (old) server, to prevent anyone from using it. Of course, we’ve already communicated to the user base the migration schedule.

Therefore, since the shares will be deleted, we must rely on running this by using IP addresses and relative paths from the default administrative shares (c$, d$, etc).

Share and NTFS Permissions Backup

Yes, absolutely! You definitely want to back up your Share and NTFS permissions on this server just in case something happens! The following link is a great article to show you how to do it:

How to Back Up and Restore NTFS and Share Permissions
http://blogs.technet.com/b/askds/archive/2008/11/24/how-to-back-up-and-restore-ntfs-and-share-permissions.aspx

Easy? Nah…

Many may say this is simple stuff. Sure, for the seasoned scripter, which I’m not, The main reason I’m posting this, and I will be posting much more, including Office 365 scripts, is that I had to look it up. I’ve found various websites that provide how-tos, but when it comes to handling variables and piping, I’ve found there is no one place to get various examples and have found myself looking at multiple places to get this info, including my colleagues, who are extremely adept at scripting. With many place, I also see elaborate scripts that do more than what I need. They are fabulous blogs and websites, but sometimes I need the simple one-liners to perform day to day stuff.

Script:

/

# Uses relative paths
# Make sure you change directory to where your script is located on the computer you are running this before running
#
# =========================================================================================
#Function: Get the Total Size of Folder

function Get-Size
{
     param([string]$pth)
     “{0:n2}” -f ((gci -path $pth -recurse | measure-object -property length -sum).sum /1mb) + ” mb”
}
# =========================================================================================
#
cd “C:\PSScripts\OldServerName”

$SourceServerNetBIOSName =     “OldServerName”
$SourceServerIP =         “10.100.200.200”
$DestinationServerName =     “NewFileServer.contoso.com”

#**************************************************************************************
#Ignore this section
#Test files with only one share

#Note: This section was a test to see if I can get this script to work if there is only one share.
#I could not get it to work with one share. The reason is there must be two (2) or more shares for
#this to work, because I’m using an array. There is no such thing as a single array.

#$SourceServerPath =            @()
#$SourceServerShares =          @()
#$DestinationServerShareNames = @()

#$SourceServerPath =            Get-Content ‘.\OldServerName-Share-paths-test.txt’
#$SourceServerShares =          Get-Content ‘.\OldServerName-SourceSharesList-test.txt’
#$DestinationServerShareNames = Get-Content ‘.\OldServerName-DestinationSharesList-test.txt’

#Ignore this section
#**************************************************************************************

$SourceServerPath =            Get-Content ‘.\OldServerName-Share-paths.txt’
$SourceServerShares =          Get-Content ‘.\OldServerName-SourceSharesList.txt’
$DestinationServerShareNames = Get-Content ‘.\OldServerName-DestinationSharesList.txt’

$LogDestinationFolder = “.\Logs”
$LogfileName = $SourceServerNetBIOSName+”.txt”
$LogFileAndPath = $LogDestinationFolder+”\”+$LogfileName

# Checks for existence of a directory for log files if not, one gets created.
If (!(Test-Path -Path $LogDestinationFolder)){
    New-Item -ItemType directory -Path $LogDestinationFolder
}

write-host “Total Share count = ” $SourceServerShares.count

for ($i = 0; $i -lt $SourceServerShares.count; $i++){

    $srcpath = $SourceServerPath[$i] -replace ‘(.*):’,’$1$’
    #$srcpath = $SourceServerPath -replace ‘(.*):’,’$1$’
    $dstpath = $DestinationServerShareNames[$i]

    $FullSourcePath = “\\”+$SourceServerIP+”\”+$srcpath
    $FullDestPath = “\\”+$DestinationServerName+”\”+$dstpath

    write-host “”
   
    if ((Test-Path $FullSourcePath) -and (Test-Path $FullDestPath))
    {
        $log = $LogDestinationFolder + “\” + $SourceServerNetBIOSName + “-” + $SourceServerShares[$i] +”.txt”
        write-host “Current share’s log:” $Log
       
        robocopy $FullSourcePath $FullDestPath /E /R:1 /W:1 /TEE /log:$log | Out-String

    #This is trying different switches – Ignore
        #robocopy $FullSourcePath $FullDestPath /MIR /copy:DT /W:5 /R:1 /V /IT /FP /NFL /TS  /log:$log | Out-String

    #This was a local drive to drive attempt – Ignore
    #robocopy e:\users y: /copy:DATSO /E /R:1 /W5 /TEE /log:c:\robocopy.log

    write-host “Source path is: ” $srcpath
        write-host “Full Source Path is: ” $FullSourcePath
    write-host “Destination path is:” $dstpath
        write-host “Full Destination path is: ” $FullDestPath

        $SharesProcessedSoFar = $i + 1
        write-host “Shares processed so far =” $SharesProcessedSoFar ” out of a total share count of ” $SourceServerShares.count
        write-host “”
        Write-Host “”
    }

    else

    {
        write-host “Problem with: ”           $srcpath         “Destination sharename is:”     $dstpath
        write-host “Referencing full Source Path:” $FullSourcePath  “Destination Path:”         $FullDestPath
        $SharesProcessedSoFar = $i + 1
        write-host “Shares processed so far =” $SharesProcessedSoFar ” out of a total share count of ” $SourceServerShares.count
    }
}
write-host “Total Shares processed = ” $SourceServerShares.count

More to come…

Comments are welcomed.

==================================================================

Summary

I hope this helps!

Published 10/3/2015

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image002622[2][2] clip_image004622[2][2] clip_image006622[2][2] clip_image008622[2][2] clip_image010622[2][2] clip_image012622[2][2]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Get-QADGroupMember to CSV

Prologue

Ace Fekay here again.

You might say to yourself this is some really simple stuff. Sure, it might be, for the pro. As many of you know, I’m an avid Active Directory and Exchange server engineer/architect, and an MVP in Active Directory.

Therefore with AD, Exchange, and Office 365, you will find that scripting comes into play more and more with your daily tasks.  The main reason I’m posting simple scripts is that to get the job done, I just needed an arsenal of simple quickie scripts when called upon a simple task, such as this one, when tasked to quickly get a list of users in a group.

I hope this, and my future scripts, especially with Office 365, help you out.

Scope

I needed to get a user membership list from a global group called, “Marketing Dept,” into a CSV. Group scope doesn’t matter. I just need a list of the members because the share owner that the group is controlling access, needed a list to ensure that it’s current and to clean up any disabled accounts from users that have left the company.

And yes, this is simple stuff. The main reason I’m posting this, and I will be posting much more, including Office 365 scripts, is that I had to look it up and there is no one place to get all of this at the simple level. All I see are elaborate scripts that do more than what I needed. Hence, my posts.

 

I usually kick it off with a get-credential because I run this from my workstation logged on with my non-admin account. And because I work in a multi-forest, multi domain environment, I must connect to the specific domain where the group exists.

Of course, we must add the PS Quest snap-in. In addition, I use the “-NoTypeInformation” switch to suppress the silly “Type” data that shows up in the output.

Code

get-credential
add-pssnapin Quest*
connect-qadservice domain2
Get-QADGroupMember “Marketing Dept” | Select-Object DisplayName,Name,AccountIsDisabled | Export-Csv c:\output\Domain2-MarketinDept.csv –NoTypeInformation

Comments are welcomed.

==================================================================

Summary

I hope this helps!

Published 8/17/2015

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image00262 clip_image00462 clip_image00662 clip_image00862 clip_image01062 clip_image01262 clip_image01462

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

PowerShell: Getting AD groups of one User and Add them to a List of Other Users

Prologue

Ace here again. Yep, me again. I’ve been on the sidelines lately with a big mail migration, then changed roles to the AD and Windows management side of things.

Part of what I do is perform necessary file maintenance (FSRM, DFS, fileserver migration, etc.), and of course, respond to tickets for requests or issues.

One request that came in was for 16 new users that are to have identical group memberships as a current user. I looked at the group membership of the user in question and saw he was part of 11 or 12 groups. Hmm, and he wants this done for 16 users? I could sit there and add group to each user one at a time. Nah, too much work.

So I thought to try to do it programmatically, because who knows when this will come up again.

Script

It’s pretty straight forward.

#===========================================================================================
# This was created for a ticket request to mimic one user, SomeSamAccountUsername, group membership to add to a list of user accounts.
# By Ace Fekay 7/15/2015
#
# First, get a memberOf for SomeSamAccountUsername and save it to a file called c:\PSScripts\SomeSamAccountUsername-grouplist.txt
#     Run Get-QADMemberOf SomeSamAccountUsername
#
#     Copy and paste the output from the screen to the file
#     In the file, keep the DN values and delete everything else.
#
# Second, get a list of the user accounts that you want adjusted from the ticket owner
#     Then save the list in another text file called c:\PSscripts\Usernames.txt
#     Prefix the user accounts with the domain name, such as philly\username
#
# Third, read the first user in the list, then add the groups to that user, then read the next user in the list, repeat.
#===========================================================================================

# The next line adds all of the Quest tools.

Add-PSSnapIn Quest *
Get-QADMemberOf SomeSamAccountUsername

#===========================================================================================
# Sample output from Get-QADMemberOf SomeSamAccountUsername:
#===========================================================================================
#
#Name                           Type            DN                                                                                                            
##
#Domain Users                   group           CN=Domain Users,OU=IT,DC=philly,DC=contoso,DC=com                                                       
#Deployment Technician          group           CN=Deployment Technician,OU=IT,DC=philly,DC=contoso,DC=com                                         
#Desktop-Technician             group           CN=Desktop-Technician,OU=IT,DC=philly,DC=contoso,DC=com                                                     
#AddComputerToDomain            group           CN=AddComputerToDomain,OU=IT,DC=philly,DC=contoso,DC=com                                               
#Vendor-A-contractors           group           CN=Vendor-A-contractors,OU=IT,DC=philly,DC=contoso,DC=com                                               
#General-Group                  group           CN=General-Group,OU=IT,DC=philly,DC=contoso,DC=com                                                            
#Wireless-Users                 group           CN=Wireless-Users,OU=IT,DC=philly,DC=contoso,DC=com                                                
#Group-B                        group           CN=Group-B,OU=IT,DC=philly,DC=contoso,DC=com                                                                
#IT-Staff                       group           CN=IT-Staff,OU=IT,DC=philly,DC=contoso,DC=com                                                      
#IT-Admins                      group           CN=IT-Admins,OU=IT,DC=philly,DC=contoso,DC=com                                                     
#IT-Technicians                 group           CN=IT-Technicianss,OU=IT,DC=philly,DC=contoso,DC=com                                                   
#Client-Support                 group           CN=Client-Support,OU=IT,DC=philly,DC=contoso,DC=com   

# #=================================================================================================
# Sample of what C:\PSScripts\groupmembership\SomeSamAccountUsername-grouplist.txt  will look like:
# #=================================================================================================
# CN=Domain Users,OU=IT,DC=philly,DC=contoso,DC=com                                                       
# CN=Deployment Technician,OU=IT,DC=philly,DC=contoso,DC=com                                         
# CN=Desktop-Technician,OU=IT,DC=philly,DC=contoso,DC=com                                                     
# CN=AddComputerToDomain,OU=IT,DC=philly,DC=contoso,DC=com                                               
# CN=Vendor-A-contractors,OU=IT,DC=philly,DC=contoso,DC=com                                               
# CN=General-Group,OU=IT,DC=philly,DC=contoso,DC=com                                                            
# CN=Wireless-Users,OU=IT,DC=philly,DC=contoso,DC=com                                                
# CN=Group-B,OU=IT,DC=philly,DC=contoso,DC=com                                                                
# CN=IT-Staff,OU=IT,DC=philly,DC=contoso,DC=com                                                      
# CN=IT-Admins,OU=IT,DC=philly,DC=contoso,DC=com                                                     
# CN=IT-Technicians,OU=IT,DC=philly,DC=contoso,DC=com                                                   
# CN=Client-Support,OU=IT,DC=philly,DC=contoso,DC=com  
#=================================================================================================

#===========================================================================================
# Sample of what C:\PSScripts\groupmembership\List-Of-Usernames.txt username list will look like:
#==========================================================================================
# philly\username1
# philly\username2
# philly\username3
# philly\username4
# philly\username5
# philly\username6
# philly\username7
# philly\username8
# philly\username9
# philly\username10
# philly\username11
# philly\username12
# philly\username13
# philly\username14
# philly\username15
# philly\username16
#==========================================================================================

$GroupList = get-content C:\PSScripts\groupmembership\SomeSamAccountUsername-grouplist.txt 
$UsernameList = get-content C:\PSScripts\groupmembership\List-Of-Usernames.txt

# Now pull in each user one a time:
Foreach ($Username in $UsernameList)
{
 
# Now pull in each group one at a time and add them to the user
   Foreach ($Group in $GroupList)
  
# Add the group to the user 
    {
    Add-QADGroupMember  -Identity $Group -Member $Username
   
# Write out on the screen what username is and what group they were added to:
    write-host $Username “has been added to ” $Group
   
# Repeat for next group until all groups are done.
   }
  
# Repeat for the next user
}
#===========================================================================================
# That’s it!
#===========================================================================================

 

 

Summary

I hope this helps!

Published 7/27/2015

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image00262 clip_image00462 clip_image00662 clip_image00862 clip_image01062 clip_image01262 clip_image01462

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.