Monthly Archive

Categories

Conference–time to book

Registration is open for the PowerShell Summit (USA) and PowerShell Conference (Europe). Now is an excellent time to decide which one you’re going to attend next year. If you’re serious about PowerSHell you should be at one of these events.

 

PowerShell Summit - https://eventloom.com/event/home/summit2017

 

PowerShell Conference - http://www.psconf.eu/

PowerShell finally the de facto shell

After 10 years PowerShell has become the de facto shell for Windows!

 

Windows Insider Preview build 14971 released yesterday uses PowerShell instead of cmd.exe as the default shell in Start Menu or File Explorer.

 

See https://blogs.windows.com/windowsexperience/2016/11/17/announcing-windows-10-insider-preview-build-14971-for-pc/#66Smq5KicvsTBzld.97

for this and other new features

Changing the samAccountName

I was recently asked how the samAccountName – also referred to as the login id – could be changed.

 

First lets look at an account:

PS C:\Scripts> Get-ADUser -Identity 'FredFox'
DistinguishedName : CN=FOX Fred,OU=UserAccounts,DC=Manticore,DC=org
Enabled           : True
GivenName         :
Name              : FOX Fred
ObjectClass       : user
ObjectGUID        : db5a3975-980d-4749-b9c0-48aff9217b2a
SamAccountName    : FredFox
SID               : S-1-5-21-759617655-3516038109-1479587680-1314
Surname           :
UserPrincipalName : FredFox@manticore.org

Once you’ve confirmed you have the correct account then pipe it into Set-ADUser and use the –samAccountName parameter:

PS C:\Scripts> Get-ADUser -Identity 'FredFox' | Set-ADUser -SamAccountName 'foxfred' -PassThru
DistinguishedName : CN=FOX Fred,OU=UserAccounts,DC=Manticore,DC=org
Enabled           : True
GivenName         :
Name              : FOX Fred
ObjectClass       : user
ObjectGUID        : db5a3975-980d-4749-b9c0-48aff9217b2a
SamAccountName    : foxfred
SID               : S-1-5-21-759617655-3516038109-1479587680-1314
Surname           :
UserPrincipalName : FredFox@manticore.org

 

I used the –Passthru parameter so the new account details are shown. Note that the User Principal Name (UPN) isn’t changed. Use the –UserPrincipalName parameter as well if you need to change the UPN at the same time

New PowerShell console on Server Core

Server Core is great for reducing the footprint of your VMs – Nano server is smaller but it can’t be a domain controller

 

One draw back to server core is that you only get a single console. If you hang that for any reason you have to either try and open another one (Hyper-V console greys out CTRL-DEL-ALT) or open a few when you logon to the machine.

 

You still get a cmd.exe console instead of PowerShell – that should be changed. Its 10 years since PowerShell came along! So run Powershell to open  Powershell in the default console.

 

"Start-Process -FilePath powershell.exe -Verb RunAS" > new-powershell.ps1

Will create a simple script to open a new elevated Powershell console .

 

Run it as many times as you want. Perform your work in the new Powershell console and if it hangs – just shut it down. Keep the default console for just opening new PowerShell consoles and then you’ll always be able to keep working.

Creating test accounts in Active Directory

There’s often a need to create test accounts in AD. You may want to create a a set of test accounts or if you have a demo/test lab you may need accounts in that.

Creating the names for the accounts is a pain unless you go down the test1, test2 etc route.

One way to real looking names is iuse a couple of loops like this

$fnames = @(
'Don'
'James'
'Jason'
'Jeff'
'Steve'
'Will'
'Dave'
'Bill'
'Mick'
'Fred'
)

$lnames = @(
'Jones'
'Smith'
'Brown'
'Black'
'White'
'Green'
'Wood'
'Bell'
'Harris'
'Fox'
)

$secpass = Read-Host -Prompt 'Password' -AsSecureString
$ou = "OU=UserAccounts,DC=Manticore,DC=org"

foreach ($fname in $fnames){
foreach ($lname in $lnames){
$name = $lname.TOUpper() + " $fname"
$sam = "$fname$lname"
$upn = "$sam@manticore.org"


New-ADUser -Name $name -SamAccountName $sam -UserPrincipalName $upn -AccountPassword $secpass -Path $ou -Enabled $true


}
}

First create an array of first names & another array of second names

 

Get a secure string for the Password – I’m using the same password for all as its my demo/test environment

 

Set the OU you want the accounts in.

 

Iterate over the set of first names and in that loop iterate over the last name. Within the inner loop create the name, samAccountName and UPN and call New-ADUser.

 

You end up with a set of new accounts where every first name is joined with every last name to create accounts. Names look a bit samey but for demo environment it works. Also, saves you having to think up individual names.

 

I’ve used   10 names in each of the first and last name arrays so end up with 100 new accounts.

Exploring PowerShell automation

My PowerShell books have all been published by Manning, A while back they asked me to put together a selection of extracts that show the depth and breadth of PowerShell. Its now available – for free - https://www.manning.com/books/exploring-powershell-automation

 

The book highlights PowerShell remoting and administering SQL Server, IIS and Active Directory through PowerShell. These are core skills these days and the book will give you a good introduction to these areas

PowerShell 10 year anniversary videos

Yesterday was the PowerShell 10 year anniversary event – broadcast live on channel 9

The session recordings are available

https://channel9.msdn.com/Events/PowerShell-Team/PowerShell-10-Year-Anniversary?sort=status&direction=desc

Hyper-V book

I’ve been working with Andy Syrewicze on Learn Hyper-V in a Month of Lunches.

 

Its now available in Manning’s Early Access program (MEAP) https://www.manning.com/books/learn-hyper-v-in-a-month-of-lunches

 

Until 14 November 2016 you can get the MEAP for half price using code mlsyrewicze

Creating a new AD forest

As I’ve completely rebuilt my demo/lab machine I need to re-create the Active Directory

This is now so simple even on a server core machine

 

First install the roles and features needed

Add-WindowsFeature -Name AD-Domain-Services, RSAT-AD-PowerShell, DNS, RSAT-DNS-Server, DHCP, RSAT-DHCP

 

This adds AD, DNS, DHCP and the appropriate admin tools – as its server core we’re really talking about the relevant PowerShell modules

Installing AD just gets you ready – it doesn’t create the forest

 

You get the ADDSDeployment module

PS C:\Scripts> Get-Command -Module ADDSDeployment

Name
----
Add-ADDSReadOnlyDomainControllerAccount
Install-ADDSDomain   
Install-ADDSDomainController 
Install-ADDSForest
Test-ADDSDomainControllerInstallation
Test-ADDSDomainControllerUninstallation
Test-ADDSDomainInstallation 
Test-ADDSForestInstallation 
Test-ADDSReadOnlyDomainControllerAccountCreation
Uninstall-ADDSDomainController

 

To create the forest and the first domain controller

PS C:\Scripts> Install-ADDSForest -DomainName 'Manticore.org' -ForestMode Default -DomainMode Default -InstallDns
SafeModeAdministratorPassword: ********

 

You’ll be asked to confirm the safe mode password

 

Default for forest and domain mode matches the Windows version

 

PS C:\Users\Administrator> Get-ADForest

ApplicationPartitions : {}
CrossForestReferences : {}
DomainNamingMaster    : W16DC01.Manticore.org
Domains               : {Manticore.org}
ForestMode            : Windows2016Forest
GlobalCatalogs        : {W16DC01.Manticore.org}
Name                  : Manticore.org
PartitionsContainer   : CN=Partitions,CN=Configuration,DC=Manticore,DC=org
RootDomain            : Manticore.org
SchemaMaster          : W16DC01.Manticore.org
Sites                 : {Default-First-Site-Name}
SPNSuffixes           : {}
UPNSuffixes           : {}

 

PS C:\Users\Administrator> Get-ADDomain

AllowedDNSSuffixes                 : {}
ChildDomains                       : {}
ComputersContainer                 : CN=Computers,DC=Manticore,DC=org
DeletedObjectsContainer            : CN=Deleted Objects,DC=Manticore,DC=org
DistinguishedName                  : DC=Manticore,DC=org
DNSRoot                            : Manticore.org
DomainControllersContainer         : OU=Domain Controllers,DC=Manticore,DC=org
DomainMode                         : Windows2016Domain
DomainSID                          : S-1-5-21-759617655-3516038109-1479587680
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=Manticore,DC=org
Forest                             : Manticore.org
InfrastructureMaster               : W16DC01.Manticore.org
LastLogonReplicationInterval       :
LinkedGroupPolicyObjects           : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Manticore,DC=o
                                     rg}
LostAndFoundContainer              : CN=LostAndFound,DC=Manticore,DC=org
ManagedBy                          :
Name                               : Manticore
NetBIOSName                        : MANTICORE
ObjectClass                        : domainDNS
ObjectGUID                         : 05d9aa61-d422-4728-9595-77754934b948
ParentDomain                       :
PDCEmulator                        : W16DC01.Manticore.org
PublicKeyRequiredPasswordRolling   : True
QuotasContainer                    : CN=NTDS Quotas,DC=Manticore,DC=org
ReadOnlyReplicaDirectoryServers    : {}
ReplicaDirectoryServers            : {W16DC01.Manticore.org}
RIDMaster                          : W16DC01.Manticore.org
SubordinateReferences              : {CN=Configuration,DC=Manticore,DC=org}
SystemsContainer                   : CN=System,DC=Manticore,DC=org
UsersContainer                     : CN=Users,DC=Manticore,DC=org

ComputerName parameters for CIM and WMI cmdlets

Accessing a remote system and running

Get-WmiObject -ClassName Win32_LogicalDisk -ComputerName $computer

or

Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $computer

is a standard approach.

 

If you’re creating a function with that code in you may put the local machine as a default parameter:

$computer = $env:COMPUTERNAME

 

Running Get-WmiObject locally will work quite happily because you’re using COM to access the local machine.

Get-CimInstance may well fail with this error

PS> Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $computer
Get-CimInstance : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs anddocumentation for the WS-Management service running on the destination, most commonly IIS or WinRM.
If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
At line:1 char:1
+ Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $computer
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ConnectionError: (root\cimv2:Win32_LogicalDisk:String) [Get-CimInstanc
   e], CimException
    + FullyQualifiedErrorId : HRESULT 0x80338012,Microsoft.Management.Infrastructure.CimCmdlets.GetC
   imInstanceCommand
    + PSComputerName        : RSSURFACEPRO2

 

The CIM cmdlets use WSMAN to connect to remote machines. This is triggered by using the –ComputerName parameter. The error means you haven’t got the winrm service running on the local machine. On modern Windows remoting, and therefore winrm, are enable by default for servers but disable for client OS e.g. Windows 10.

 

Easiest way to get this to work is run Enable-PSremoting from and elevated prompt.