tag:blogger.com,1999:blog-40262854366581169292024-03-13T07:55:08.680-07:00TheAgreeableCowTheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.comBlogger19125tag:blogger.com,1999:blog-4026285436658116929.post-29594941749212692922016-05-17T05:45:00.000-07:002016-05-17T05:45:25.295-07:00Ransomware Mitigation Matrix<div style="text-align: center;">
<i><b>allofmyfiles.encrypted</b></i></div>
<br />
By now ransomware ought to have your attention. From a deployment perspective, it can be purchased cheaply and it comes with administrative consoles and installation packages that receive regular patches and updates that rival some commercial software. The malware infects you in new and changing ways, with network shares being discovered beyond mapped drives, RDP is becoming a 'Remote Distribution Protocol' and your backups are in a game of hide and seek.<br />
<br />
This is a practical guide to reducing your risk of being exposed to malware in general, with a specific focus on Ransomware. This is not a new phenomena in IT circles, but the changing landscape makes it a threat that deserves more than a cursory review.<br />
<br />
<div style="text-align: center;">
<i><b>Having layers of protection reduces your risk.</b></i></div>
<br />
The matrix below outlines three layers of risk mitigation, which is an important point to note; There is no silver bullet to preventing Ransomware and malware in general for that matter. You can have the best and most expensive email filtering in the world and still be exposed to staff downloading dodgy content from personal webmail. Throw in a top notch web proxy you say, only to find someone connecting a BYOD device or loading malware from a USB they found in the car park!<br />
<br />
Defend your environment in three ways;<br />
<ol>
<li>Perimeter - Prevent malware from entering your network</li>
<li>Runtime - Prevent Malware from running on your network</li>
<li>Damage Control - Reduce impact of an outbreak</li>
</ol>
<div>
Having a layered strategy also allows you to defend your network even if you can't afford or maintain a premium product in one layer or another. Firewalls and email/web gateways whilst very effective, can be expensive and complex for example. So as much as this post mentions specific solutions, it's also about strategies - there is a lot you can do that is free or low cost and achievable with low administrative overheads. Further, by spreading your protection, it allows you to set policies and practices that are not over zealous or (mis)designed in ways that cripple your staff's productivity.</div>
<div>
<br /></div>
<div style="text-align: center;">
<i><b>Which strategies should you apply?</b></i></div>
<div>
<br /></div>
<div>
The matrix below lists dozens of items to mitigate ransomware. Of these, the top three things you can do to protect your data are:</div>
<div>
<ol>
<li>Conduct regular backups and test restoration</li>
<li>Separate access control to your backup files</li>
<li>Make copies of your backups off network</li>
</ol>
As pessimistic as this seems, insuring your data really is your best line of defense. It doesn't matter how many attacks you brush aside, it only takes one to sneak through using a new vector and your data will be compromised. At this point, all recommendations are not to pay any ransom and simply restore from backup.</div>
<div>
<br /></div>
<div>
OK, so backup are solid, what next? Realistically, <b>mitigation is a balance between effectiveness and impact</b>. That is, IT administrative effort, financial costs and the productivity burdens placed on your staff. A quick note on effectiveness - the items below are viewed in terms of the contribution towards mitigating ransomeware. Some items (such as a strong password policy or email TLS), may be very good at servicing a particular technical requirement. However in context, they may score a low effectiveness as they don't really contribute greatly in the overall threat profile or solution deliverables.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-C09f9KiwJ80/Vzmv1hXTHtI/AAAAAAAAMMs/JrERFR9Y2vQhAJGMwHGKm5ZrE7YSS9hwwCLcB/s1600/Ransomware%2Bmitigation%2Beffectiveness.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="299" src="https://1.bp.blogspot.com/-C09f9KiwJ80/Vzmv1hXTHtI/AAAAAAAAMMs/JrERFR9Y2vQhAJGMwHGKm5ZrE7YSS9hwwCLcB/s640/Ransomware%2Bmitigation%2Beffectiveness.png" width="640" /></a></div>
Initially, look for the easy wins (highly effective items, with minimal impact). There is also a lot of reward in clever network design that won't cost you a cent. Then look for solutions that are effective over time with consistent return. Relegate solutions with a waning effectiveness, that requires constant IT attention and negatively impacts your staff productivity. As such, look for areas where effectiveness is steadily above both IT administration overheads and user impact.</div>
<div>
<br /></div>
<div style="text-align: center;">
<i><b><span style="font-size: large;">Ransomware Mitigation Matrix</span></b></i></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-TSO_qBZhZOg/Vzm1qPSu95I/AAAAAAAAMNA/GeZ_raQT-7IWVTZaMoUk7eOLhLy0-7AOACLcB/s1600/Ransomware%2Bmitigation%2Bmatrix.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-TSO_qBZhZOg/Vzm1qPSu95I/AAAAAAAAMNA/GeZ_raQT-7IWVTZaMoUk7eOLhLy0-7AOACLcB/s1600/Ransomware%2Bmitigation%2Bmatrix.png" /></a></div>
</div>
<div style="text-align: center;">
<br /></div>
<div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The second half of this post discusses these mitigation techniques in more detail.</div>
<div style="text-align: center;">
<i><br /></i></div>
</div>
<div>
<div style="text-align: left;">
<b>Email Gateways</b></div>
</div>
<div>
A strong email gateway is an excellent investment towards mitigating malware and assisting staff productivity through the reduction in illegitimate email traffic.<br />
<br />
<ul>
<li><b>Malware and malicious object scanning</b> should be automatic and thorough with dynamic updates for heuristic and signature based detection. Suspect items should be quarantined and fully separated from initial user access.</li>
<li><b>Greylists and Blacklists</b> are techniques to reduce spam and malware traffic by deferring unknown sender requests and blocking servers (IP addresses), with poor reputation.</li>
<li><b>Anti-spoofing technologies</b> such as <a href="http://blog.endpoint.com/2014/04/spf-dkim-and-dmarc-brief-explanation.html" target="_blank">DMARC, SPF and DKIM</a> provide a level of confidence towards emails that seemingly originate from your own company - those that users are likely to open and action without question. Advanced threat solutions from companies like <a href="https://www.mimecast.com/products/email-security/targeted-threat-protection/" target="_blank">Mimecast </a>take this further with strict anti-spoofing policies and even impersonation protection by quarantining email from domains or sender display names that match or are similar to those in your company's domain. </li>
<li><b>Attachment sandboxing</b> goes beyond signature based or heuristic scanning by preemptively opening attachments to analyse their behavior (such as automatically executing macros), before they reach your network.</li>
<li><b>URL scanning</b> works as a realtime proxy to re-write hyperlinks in emails that force the destination web page to be inspected when clicked. This is particularly useful for seemingly benign sites that may pass initial inspection, only to weaponise a payload a short while after delivery.</li>
<li><b>Attachment policies</b> allow an administrator to define specific files types that are outright unsuitable for email traffic and those which may be legitimate, but require further inspection. Typically any active content (scripts, executables etc), should be blocked, archives should be unpacked and inspected and even Office documents need to be treated with care if they contain macros. Enterprise solutions such as Mimecast block over 240 file types by default and there are a number of open source solutions such as <a href="http://www.decalage.info/exefilter" target="_blank">ExeFilter</a> that provide a good foundation.</li>
</ul>
</div>
<div>
<b><br /></b>
<b>Web Proxies</b></div>
<div>
In order for malware to run on your network, it must first be delivered to your network. A web proxy provides an intermediary hop between your users and the Internet at large.</div>
<div>
<ul>
<li><b>Malware and malicious object scanning</b> is a primary defense against direct and indirect downloading of unwanted active content. The <a href="http://www.crn.com/slide-shows/security/300077380/heres-who-made-gartners-2015-magic-quadrant-for-secure-web-gateways.htm" target="_blank">market </a>is very competitive, but well worth your time to research. Look for reputable signature and heuristic scanning technologies.</li>
<li><b>Categorisation and Blacklists</b> can impact users if over zealous, but they do provide administrators with a tool to identify and separate users from undesirable content. This could be anticipated (such as unscrupulous or antisocial sites, P2P networks etc) or known threats based on IP/DNS reputation subscription services.</li>
<li><b>Attachment policies</b> for web proxies are much like email gateways as they represent a managed layer of blocking or inspection of content. I highly suggest a policy of least access, where active content (including archives, executables, scripts, malformed files and Office files with embedded scripts or macros), are denied by default. Approved download sites can be whitelisted over time, which certainly makes for more work upfront, but can really pay off in the long term.</li>
</ul>
</div>
<div>
<b><br /></b>
<b>Firewalls</b></div>
<div>
Whilst traditionally seen as simple port/protocol filters, modern enterprise firewalls also provide a excellent investment towards intrusion prevention and application control.</div>
<div>
<br />
<ul>
<li><b>Application Control</b> allows an administrator to define access controls to Risk Categories (for example on a scale of 1-5), general Application Categories (such as TOR, P2P File Sharing or Webmail) and even Specific Applications (such as Dropbox or Facebook). It's important to note here that IT are not the "Internet Police". Our role is to advise and implement policy that best aligns with the business and risk profiles. These should generally be driven by other business units such as Human Resources and operational management.</li>
<li><b>Geo-blocking</b> involves restricting network communications from entire countries, primarily breaking the link between your network and payload delivery. Depending on your business requirements, this might be a simple and effective decision. However, it's a very broad brush and can greatly impact legitimate traffic and is easily diluted - especially considering a lot of malware originates from the United States.</li>
<li><b>Port and IPS Control</b> is essentially what most people think of when discussing firewalls. It's the traditional perimeter defense to keep the bad guys out by blocking illegitimate traffic. It's strength lies in good rule design and strong Intrusion Prevention signatures.</li>
<li><b>Prevent Access to 'Command and Control'</b> C<b>enters</b> by blocking traffic from known bad IP addresses, either through vendor subscription services or sites like <a href="https://ransomwaretracker.abuse.ch/" target="_blank">Ransomware Tracker</a>. The process is quite reactive and it can be hard to keep up with the constantly changing lists.</li>
</ul>
<div>
<b><br /></b></div>
<div>
<b>Users</b></div>
<div>
Irrespective of the number of technical processes you have in place, at some point the users are going to play an important role in protecting your company's digital assets.</div>
<div>
<ul>
<li><b>Security Awareness Training</b> is a very effective way to raise awareness of the risks of malware and give your users practical ways to identify and avoid infection (both in the office and at home). With a recent surge in phishing attempts, it's important to think about the human factor in this equation. Look for training that doesn't embarrass and alienate users. Rather one that provides continuous cycle of assessment and education such as <a href="https://www.wombatsecurity.com/" target="_blank">Wombat Security</a>.</li>
<li><b>Password Policies</b> help prevent the mis-use of legitimate accounts - why bother breaking down the door, when you have a key to open it! Length trumps complexity, but there is a good balance to find that matches your users and business profile.</li>
</ul>
</div>
<div>
<b><br /></b></div>
<div>
<b>Clients</b></div>
<div>
Client computer security if done properly, represents a great opportunity to mitigate ransomware at both the Perimeter and Runtime stages. If done poorly, it really puts a great burden on the rest of your strategies to perform flawlessly.</div>
<div>
<ul>
<li><b>Software Application Policies</b> such as SRP and Applocker are some of your strongest defense strategies, by preventing unknown or unwanted software from running on your computer. Earlier Software Restriction Polices whilst effective, were complex and hard to maintain. Applocker (for those on modern Windows Enterprise platforms), make the process much easier. Combining the default rules, generated rules (perhaps simplified to a handful of publisher whitelists), with some auditing, is an effective and low impact way to <a href="https://4sysops.com/archives/applocker-tutorial-part-1-planning/" target="_blank">get started</a>.</li>
<li><b>Macro Management</b> is becoming more important with the rise in phishing attacks, particularly if you are not able to provide in-line sandboxing of Office files. Group Policies such as Protected View can apply settings to warn or block macros from running automatically. In practice however, I've seen users become complacent and just habitually click their way though to an infection. If suitable, perhaps look to only allow macros that are signed and trusted.</li>
<li><b>Antivirus and anti-malware software</b> is another one of those default areas that you need to invest in. Unfortunately, their effectiveness is waning and so realistically they are just another tool in your toolkit - one that you want to have, but not one that you solely rely on.</li>
<li><b>Firewalls</b> also play an important role at the client level by restricting workstation to workstation propagation. Even if you don't enable within the domain, ensure to turn it on for mobile devices that roam to home or public networks.</li>
<li><b>Malware mitigation software</b> such as <a href="https://www.microsoft.com/en-us/download/details.aspx?id=50766" target="_blank">EMET</a>, DEP and <a href="http://infoprocess.com.au/" target="_blank">Antihook</a>, work much like antivirus, but focus on analysing software heuristics and behavior (as opposed to signature definitions).</li>
<li><b>Enforcing the UAC prompt</b> (as annoying as it can be), places a pause on the automated running of software with elevated access. Ideally you'll combine this with separated access control.</li>
<li><b>Disabling Windows Scripting Host or re-writing file associations for scripting files</b> (such as .js or .hta), will prevent these common vectors from triggering,. Unfortunately, they are often required for legitimate processes, so test appropriately.</li>
<li><b>Showing all file extensions</b> can help avoid masking tricks with files that use double extensions such as <i>yourfile.doc.exe</i>. To enable push out the registry key "<span style="font-family: "courier new" , "courier" , monospace;">HideFileExt</span>" to <span style="font-family: "courier new" , "courier" , monospace;">0</span>.</li>
<li><b>Enable web browser features</b> such Popup and Ad Blocking as well SmartScreen filters to reduce your attack surface. Particularly is you are unable to use a web proxy solution.</li>
<li><b>Sandboxing</b> can also be done client side using software such as <a href="http://www.sandboxie.com/" target="_blank">Sandboxie </a>or <a href="https://www.hybrid-analysis.com/" target="_blank">Hybrid Analysis</a>. They give your IT team and even users a way to test files securely before exposing them directly to your network.</li>
<li><b>Managing mobile media</b> such as USB thumb drives is still an important, albeit reducing vector for infection. This can be mitigated through user awareness training or technical prevention with Group Policy or endpoint security software.</li>
</ul>
</div>
<div>
<b><br /></b>
<b>Servers</b></div>
<div>
Securing your servers is an important measure across all three threat areas, but particularly important in Runtime and Reducing Impact of an Outbreak.</div>
<div>
<ul>
<li><b>Detecting and Actioning unusual behavior </b>is critical to alerting you to the fact that something nefarious is happening in your environment and gives you the opportunity to shut it down as soon as possible. This could be something simple like a custom <a href="https://www.reddit.com/r/sysadmin/comments/1qf7yi/cryptolocker_using_powershell_as_a_tripwire/" target="_blank">honeypot monitor</a> through to event log monitoring and high end IDS solutions. For example <a href="https://logrhythm.com/" target="_blank">LogRythym</a>, <a href="http://www.eventsentry.com/blog/2016/03/defeating-ransomware-with-eventsentry-auditing.html" target="_blank">EventSentry</a>, <a href="https://www.bro.org/" target="_blank">BroIDS</a>, <a href="https://www.pfsense.org/" target="_blank">pfSense</a>. They are particularly effective if responses are automated (as opposed to say just an email), although obviously this can be impacting with false positives.</li>
<li><b>Hide Network Shares</b> by creating them with an appended dollar sign, such as <span style="font-family: "courier new" , "courier" , monospace;">\\server\sharename$</span> for example. This will prevent malware from enumerating shares that are not mapped, but would otherwise be easily discoverable on the network.</li>
<li><b>Application hardening</b> is essential if your exposing servers to the internet at large. This primarily focuses on edge services such as websites, proxies, Remote Access gateways etc. Design with Best Practices in mind, implement a <a href="https://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&uact=8&ved=0ahUKEwi8uv3y_uDMAhWCqaYKHdFECZ8QFgg4MAQ&url=http%3A%2F%2Fwww.ausjournal.com%2Fausjournal.com%2FIssue_2015_files%2Faronee.pdf&usg=AFQjCNEP2ELG7tSkfPJ8f0PZCwWADlwL2Q&sig2=0lTcGuMHY3xcN2WM2Zxegg&bvm=bv.122129774,d.dGY" target="_blank">DMZ</a> and apply hardening tools such as <a href="https://www.nartac.com/Products/IISCrypto" target="_blank">IISCrypto</a>.</li>
<li><b>DNS Management</b> can compliment your other efforts by providing yet another layer of control to your Internet connections. Have a look at <a href="https://www.opendns.com/" target="_blank">OpenDNS</a>.</li>
<li><b>Document Management Systems</b> are a considerable financial investment, require significant administrative resources and will impact your users. However, they do provide an excellent layer of abstraction between your users and the underlying document stores. Examples include SharePoint, <a href="https://imanage.com/products-solutions/" target="_blank">iManage </a>or even cloud services such as <a href="https://www.netdocuments.com/en-us/" target="_blank">NetDocuments </a>and Office365.</li>
<li><b>File Screens</b> are Group Policy enforced rules that prevent certain types of files from being saved to your network. They can be useful to prevent downloading of executable content (for example if you're using Folder Redirection on My Downloads) and also to provide an <a href="http://jpelectron.com/stopcrypto" target="_blank">early warning system</a> of an outbreak.</li>
<li><b>Enforce Muti-Factor Authentication</b> to restrict password propagation, particularly for remote and privileged access. <a href="https://www.rsa.com/en-us/products-services/identity-access-management/securid" target="_blank">RSA SecurID</a>, <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en" target="_blank">Google Authenticator</a>.</li>
<li><b>Enforcing secure communications</b> for services such as websites (https) and email traffic (TLS) provides a way to mitigate traffic interception for phising bait</li>
<li><b>Enabling Shadow Copies</b> used to be a solid solution for quick file restoration. However, a simple one liner using <span style="font-family: "courier new" , "courier" , monospace;">vssadmin </span>can easily remove all shadow copies without a trace, now making this a rare option for recovery.</li>
</ul>
</div>
<div>
<br /></div>
<div>
<b>Permissions and Access Controls</b></div>
<div>
The principle of least privilege means giving a user account only those privileges which are essential to that user's work. It's a principal that should be fundamentally incorporated into every facet of your systems designs.</div>
<div>
<ul>
<li><b>Configure Access Control</b> by assigning local/RDP login and share access appropriately. Segment networks based on user roles and access requirements. Ransomeware cannot encrypt a file that the user does not have write access to. </li>
<li><b>Manage Privileged Accounts</b> by creating secondary administrative accounts for those users that need administrative access. Ideally, take this a step further and block these admin accounts from any access to the Internet (via a web proxy for example). All daily work and web access uses only the standard user account.</li>
</ul>
</div>
<br /></div>
<div>
<b>Patching</b><br />
Applying critical and security patches for your client and server operating systems, applications and device firmware is a fundamental part of IT operations. It is highly administrative and often impacting to users (when things go wrong). However, it is an important part of reducing your vulnerability to malware. Make the process as automated as possible (eg <a href="https://ninite.com/" target="_blank">Ninite</a>, <a href="http://www.adminarsenal.com/pdq-deploy/" target="_blank">PDQ Deploy</a>, WSUS) and reduce your disruption by deploying initially to test groups and devices before mass production deployment.<br />
<br />
<br />
<b>Further Reading</b><br />
There is a lot of information around to help reduce your risk of being infected by ransomware and malware. Do your research and find effective solutions that align with your IT resources, users and business profile.</div>
<div>
<ul>
<li><a href="http://www.thirdtier.net/ransomware-prevention-kit/">http://www.thirdtier.net/ransomware-prevention-kit/</a></li>
<li><a href="https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf">https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf</a></li>
<li><a href="http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm">http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm</a></li>
<li><a href="https://www.fbi.gov/news/stories/2016/april/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise">https://www.fbi.gov/news/stories/2016/april/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise</a></li>
<li><a href="http://www-03.ibm.com/security/xforce/downloads.html">http://www-03.ibm.com/security/xforce/downloads.html</a></li>
<li><a href="http://robert.penz.name/1252/stop-panicking-about-the-locky-ransomware/">http://robert.penz.name/1252/stop-panicking-about-the-locky-ransomware/</a></li>
</ul>
<div>
<br /></div>
</div>
Cheers,<br />
<span style="font-family: "courier new" , "courier" , monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span>
TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com5tag:blogger.com,1999:blog-4026285436658116929.post-22577589493840354972014-09-08T22:20:00.000-07:002014-09-09T16:48:43.110-07:00Set a Desktop Wallpaper using PowerShellThis script will apply a desktop wallpaper from a variety of sources and optionally overlay some text, using PowerShell.<br />
<br />
The wallpaper sources include:<br />
<ul>
<li>A solid colour (the "no wallpaper" option)</li>
<li>A specific or random picture from a directory</li>
<li>A Google Image search</li>
</ul>
<div>
<br />
The Text Overlay feature provides optional BGInfo style text directly onto the wallpaper image with control over the content, font, size, colour and position.</div>
<div>
<br /></div>
<div>
The script can be run manually, at logon or even repeatedly via a scheduled task to update the wallpaper regularly.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-g6B70R_yg0E/VA5-J9uVQMI/AAAAAAAABxI/sW1551NLAEg/s1600/Desktop.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-g6B70R_yg0E/VA5-J9uVQMI/AAAAAAAABxI/sW1551NLAEg/s1600/Desktop.jpg" height="360" width="640" /></a></div>
<div>
<br /></div>
<div style="text-align: center;">
<span style="font-size: x-small;">Wallpaper example showing the text overlay</span></div>
<div>
<b><br /></b></div>
<h3>
<b>Usage</b></h3>
The Shell syntax is very straight forward<br />
<div>
<div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> </span><br />
<div style="text-align: left;">
<span style="font-family: Courier New, Courier, monospace;"> Set-Wallpaper [Source]<colour eb="" ypics=""> [Selection]<string> </string></colour></span></div>
</div>
<div>
</div>
<div>
MyPics Examples</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> .\Set-Wallpaper.ps1 MyPics *</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> .\Set-Wallpaper.ps1 MyPics coolpic.jpg</span></div>
<div>
</div>
<div>
Web Example</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> .\Set-Wallpaper.ps1 Web 'Ayers Rock'</span></div>
<div>
<br /></div>
<div>
<div>
Colour Example</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> .\Set-Wallpaper.ps1 Colour Blue</span></div>
</div>
<div>
<br /></div>
<div>
Please note, Powershell v3 or later is required due to the invoke-webrequest cmdlet in the Web module.</div>
</div>
<div>
<br /></div>
<h3>
Setup Options</h3>
All of the options in the script can be set via the Wallpaper Variables section.<br />
<div>
<br /></div>
<div>
<div style="background-color: white;">
<pre style="background-attachment: initial; background-clip: initial; background-color: #f0f0f0; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 1px dashed rgb(204, 204, 204); height: auto; overflow: auto; padding: 0px; width: 646.46875px;"><span style="color: #222222;"><span style="font-size: 12px; line-height: 20px;"># MyPics Options
[STRING]$PicturesPath = [environment]::getfolderpath("MyPictures")+"\wallpaper"
[BOOLEAN]$ResizeMyPics = $False
# Web Options
[INT]$MaxResults = 10
[INT]$DaysBetweenSearches = 7
[BOOLEAN]$ResizeWebPics = $True
[STRING]$WebProxyServer = "proxy1.mydomain.com.au"
# Text Overlay Options
[BOOLEAN]$TextOverlay = $True
[STRING]$TextColour = "White"
[STRING]$FontName = "Arial"
[INT]$FontSize = 14
[BOOLEAN]$ApplyHeader = $True
[STRING]$TextAlign = "Right"
[STRING]$Position = "High"
# Wallpaper Style Options
[STRING]$Style = "Fit"
# Available Colours
$Grey = @(192,192,192)
$Black = @(0,0,0)
$White = @(255,255,255)
$Red = @(220,20,60)
$Green = @(0,128,0)
$Yellow = @(255,255,0)
$Blue = @(0,0,255)
$CornflourBlue = @(100,149,237)</span></span></pre>
<div style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.7900009155273px;">
<br /></div>
</div>
</div>
<h3>
My Pictures Wallaper</h3>
<div>
The 'MyPics' option will source pictures from a nominated folder ('My Pictures\Wallpaper' by default). You can either choose a specific picture or a wildcard *. Using the wildcard with a scheduled task allows the wallpaper to change regularly. </div>
<div>
<br /></div>
<div>
Pictures can optionally be re-sized proportionately to match the screen resolution.</div>
<div>
<br /></div>
<h3>
Google Images Wallpaper</h3>
<div>
The 'Web' option will perform a Google image search based on your search term and automatically download a number of high resolution pictures. These are then randomly chosen as the desktop wallpaper. Again the script can be run again manually or via a scheduled task to rotate between the downloaded pictures. </div>
<div>
<br /></div>
<div>
To avoid repeated downloads each time the script runs with the same search term, simply adjust the $DaysBetweenSearches variable. By default, the script will only repeat a search after a week.</div>
<div>
<br /></div>
<div>
As the images can vary greatly in size, using the re-size variable is recommended here as it will keep the image (and any text overlays) consistent.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-t_ncZ6UELPw/VA6HFz-3s0I/AAAAAAAABxY/R9Z3vwlAPr0/s1600/Mountains.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-t_ncZ6UELPw/VA6HFz-3s0I/AAAAAAAABxY/R9Z3vwlAPr0/s1600/Mountains.jpg" height="278" width="640" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;">Typical download results using the syntax: <span style="font-family: Courier New, Courier, monospace;">set-wallpaper Web 'mountains'</span></span></div>
<br />
<h3>
Colour Wallpaper</h3>
<div>
The solid colour wallpaper is the most straight forward and is essentially a "no wallpaper" option. The result is a plain background as the script simply draws a rectangle in the colour of your choice, at the same resolution of the screen. Extra colours can be added by updating a new variable with the relevant RGB values.</div>
<div>
<br />
<h3>
Text Overlay</h3>
</div>
<div>
Mudos for the <a href="http://p0w3rsh3ll.wordpress.com/2014/08/29/poc-tatoo-the-background-of-your-virtual-machines/" target="_blank">text overlay proof of concept found on this post</a>, which combines text and your chosen desktop. The text can be anything you like, including dynamic data sourced through powershell and wmi queries such as the computer name, OS or boot time.</div>
<div>
<br /></div>
<div>
There are a number of variables that control the font and where about's on the image the text is placed.</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-U3pR4BOSXhw/VA-RkYQK5sI/AAAAAAAAB5A/IJrdyuWNRj4/s1600/Text%2BOverlay.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-U3pR4BOSXhw/VA-RkYQK5sI/AAAAAAAAB5A/IJrdyuWNRj4/s1600/Text%2BOverlay.jpg" height="434" width="640" /></a></div>
<br />
<div style="text-align: center;">
<span style="font-size: x-small;">Example Text Overlay on a plain colour wallpaper</span></div>
</div>
<h3>
Functions</h3>
<div>
There are a number of included functions that tie all of this together. </div>
<div>
<ul>
<li>Get-MyImages chooses pictures for the 'MyPics' option</li>
<li>Set-WebProxy allows the Google search connection through a web proxy</li>
<li>Get-GoogleImages downloads and chooses pictures for the 'Web' option</li>
<li>Set-ImageSize optionally re-sizes pictures proportionately to match screen resolution</li>
<li>New-Wallpaper creates the actual bitmap (colour or picture) and combines the text overlay</li>
<li>Update-Wallpaper applies the actual wallpaper to your desktop</li>
<li>Set-Wallpaper validates the pipeline input and initiates all of the other sub-functions as required</li>
</ul>
<br />
Here's the full script as posted on Git Hub (select the 'Raw' option at the bottom to copy/paste)<br />
<br />
<script src="https://gist.github.com/theagreeablecow/580797ac061698a6e0af.js"></script>
Cheers,<br />
<span style="font-family: "Courier New",Courier,monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<br /></div>
TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com9tag:blogger.com,1999:blog-4026285436658116929.post-50071274383330287932014-08-10T05:23:00.000-07:002014-08-21T14:14:32.738-07:00Password and Phrase Generator (using PowerShell GUI)Creating a good password is not as easy as it used to be. Regular English words as passwords are a terrible idea and simply adding a few numbers or characters doesn't help much. The trick to creating a good password is finding the right balance between length and complexity. Here's an article on <a href="http://arstechnica.com/security/2014/04/stanfords-password-policy-shuns-one-size-fits-all-security/" target="_blank">Stanford University's password policy</a>, which is a great example of getting that mix right.<br />
<br />
There are a bunch of password generators out there and even some phrase generators. The <b>TAC Password and Phrase Generator</b> will create both.<br />
<br />
<b>Creating Passwords</b><br />
<div>
<br /></div>
<div>
As soon as the script is run, a password is generated, based on the default settings. Simply increase or decrease the character count and select the complexity as required.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Yl6SJ8L8QKA/U-h07NllSkI/AAAAAAAAAQ0/s-BekeqigUI/s1600/Clipboard01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-Yl6SJ8L8QKA/U-h07NllSkI/AAAAAAAAAQ0/s-BekeqigUI/s1600/Clipboard01.jpg" height="198" width="320" /></a></div>
</div>
<div>
<i><span style="font-size: x-small;"><br /></span></i></div>
<div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Random passwords of varying complexity from the ASCII table of acceptable password characters</span></i></div>
<br />
<b>Creating Phrases</b></div>
<div>
<br /></div>
<div>
Select the 'Words' radio button and increase or decrease the word count as required. By default, words are sourced from a random page on <a href="http://www.reddit.com/" target="_blank">Reddit</a>. You can of course experiment with any sub-reddit you like to theme your phrase.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-VSjXoePYRHQ/U-885884M1I/AAAAAAAAARc/XrscLmzWFdM/s1600/phrase%2Bexample.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-VSjXoePYRHQ/U-885884M1I/AAAAAAAAARc/XrscLmzWFdM/s1600/phrase%2Bexample.jpg" height="198" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
</div>
<div>
<div style="text-align: center;">
<i><span style="font-size: x-small;">Phrases from random words selected in real time from posts on Reddit</span></i>.</div>
<br /></div>
You might have heard about the <a href="http://preshing.com/20110811/xkcd-password-generator/" target="_blank">xkcd Password Generator</a>, which is a great insight into the use of password phrases (in this case based on a small static list of common words making them easy to remember, but also easier to crack).<br />
<br />
So why words from Reddit? Because it contains a vast and dynamic pool of words that represent the varied nature of the site itself. Once a pool of words has been randomly selected, it is then filtered to remove short words ( anything less than 4 characters), duplicates and common words.<br />
<br />
<b>Common Words Filter</b><br />
Using ongoing samples of words from Reddit, a collection of common words is maintained and used as an exclusion list when generating phrases.<br />
<br />
<blockquote class="tr_bq" style="text-align: center;">
<span style="background-color: #cfe2f3;"><b><i>TIP! Download the latest version of the <a href="https://dl.dropboxusercontent.com/u/103928771/ExcludedCommonWords.txt">ExcludedCommonWords.txt</a> </i></b></span></blockquote>
<blockquote class="tr_bq" style="text-align: center;">
<span style="background-color: #cfe2f3;"><b><i>and save it in the same location as your PowerShell script.</i></b></span></blockquote>
<div style="text-align: center;">
<br /></div>
The graph below shows a typical "Count of Unique Words" distribution. In this example, the common words account for around 40% of Total Words in a pool. However, as you can see they only account for a very small percentage of Unique Words. This means that phrases will be generated from uncommon words, making them harder to crack.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-CaeSPDoNxH4/U-866frPJuI/AAAAAAAAARQ/gBi0LOWWJOk/s1600/Count%2Bof%2BReddit%2BUnique%2BWords.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-CaeSPDoNxH4/U-866frPJuI/AAAAAAAAARQ/gBi0LOWWJOk/s1600/Count%2Bof%2BReddit%2BUnique%2BWords.jpg" height="70" width="320" /></a></div>
<br />
<div style="text-align: center;">
500 common words are automatically excluded from generated phrases</div>
<br /></div>
<div>
<b>Options</b></div>
<div>
<br /></div>
<div>
Every time you hit 'Generate' another password is created. Each time it is copied to your clipboard for easy pasting into another application. Use the Mask option to hide the password on screen. The Export feature is useful for bulk transfer of passwords to another application. Please do NOT keep saved passwords in a text file for any period of time!</div>
<div>
<br />
Please note that this tool simply provides random passwords and phrases in a novel manner. Be sensible with the passwords you choose and use them at your own risk. I am not responsible for anything that happens as a result of your password choice.<span style="background-color: white; color: #222222; font-family: 'PT Serif', Georgia, Times, 'Times New Roman', serif; font-size: 16px; line-height: 22.399999618530273px;"> </span><br />
<br /></div>
<div>
Here's the script to the latest version (v1.3).There may seem like a lot of code here, but most of it is for the generation of the form.<br />
<br />
<script src="https://gist.github.com/3cdbe888df2586b7109d.js">
</script>
Cheers,<br />
<span style="font-family: "Courier New",Courier,monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span></div>
TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com0tag:blogger.com,1999:blog-4026285436658116929.post-10006687908254350092014-07-22T05:06:00.000-07:002018-01-07T18:46:23.118-08:00Sysadmin Modular Report for SSL Certificates (now with check for key size of 1024 bits)The SysAdmin Modular Reporting framework provides a consistent, flexible data collection and reporting tool with 'traffic light' style alerts for your environment. Written in Powershell using an easy to follow style, the framework collates any number of user generated plugins (function scripts), into a single report for any Windows system supporting Powershell.<br />
<br />
<div style="text-align: center;">
<span style="background-color: white; font-size: large;">Learn about the framework in the new <a href="https://www.dropbox.com/s/dx5wscjw4phehxv/SAMReport%20Quick%20Start%20Guide.pdf?dl=0">Quick Start Guide (pdf)</a>.</span><br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>Getting started</b></div>
</div>
<ol>
<li>Download modules from GitHub links below*</li>
<li>Save to a server with Active Directory Powershell Tools</li>
<li>Customise <i>Global_Variables.ps1</i> as required (variables apply to all modules)</li>
<li>Customise <i>Module_Variables.ps1</i> as required (variables apply to this module)</li>
<li>Review the plugins (reorder, remove, update thresholds etc)</li>
<li>Run the report <span class="Apple-style-span" style="background-color: #f6f5ea; font-family: "consolas" , "lucida console" , monospace; font-size: 13px; line-height: 19px; white-space: pre;">Get-SAMReport Certificates [Email/OnScreen]</span></li>
</ol>
Review the scripts on GitHub<br />
<ul>
<li><a href="https://gist.github.com/3682550" target="_blank">Core Components</a></li>
<li><a href="https://gist.github.com/theagreeablecow/21701aa7361fe7260cf5" target="_blank">Certificates Module</a></li>
</ul>
*I encourage you to review and understand any script downloaded from the internet. Also ensure to "unblock" each .ps1 files (Right click | Properties | Unblock), to avoid the <span class="Apple-style-span" style="background-color: #f6f5ea; font-family: "consolas" , "lucida console" , monospace; font-size: 13px; line-height: 19px; white-space: pre;">[D] Do not run [R] Run once [S] Suspend</span> security prompts.<br />
<br />
<b>Overview</b><br />
<div style="text-align: center;">
<br /></div>
SAMReports can provide a very detailed look into the health of your environment. You can view the relevant data that has been gathered and quickly see any Warnings or Alerts based on your thresholds. The overall title of the report will reflect the worst result, so for example if there were 6 sections and only one showed a Warning, the report title will be coloured as a Warning.<br />
<br />
The result is a rich report with clear status indicators giving you an instant overview and the details to back it up.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-xcKtWFrFAUI/U_WfX2mpB-I/AAAAAAAAASI/B-YAqMJhDiw/s1600/SSL%2BExample.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="154" src="https://1.bp.blogspot.com/-xcKtWFrFAUI/U_WfX2mpB-I/AAAAAAAAASI/B-YAqMJhDiw/s1600/SSL%2BExample.jpg" width="320" /></a></div>
<br />
<div style="text-align: center;">
<span style="color: #999999; font-size: xx-small;"> Picture 1. Sample Report showing plugins for the stores in a typical certificate chain</span></div>
<br />
<b>Plugins</b><br />
<br />
The independent plugin system is very flexible and provides an easy way to only report on information that you need. The template style provides a consistent output, but also makes it easy to adapt or add new plugins. The warnings or alerts are based on a failed test or data falling outside of thresholds that you can define.<br />
<br />
Each plugin can generate four types of output:<br />
<ul>
<li>Results Text (html formatted)</li>
<li>Results Data (html formatted table)</li>
<li>Results Status (Alert, Warning, Good colour codes)</li>
<li>A File (either saved to the \output folder or included as an email attachment)</li>
</ul>
<br />
<b>About the Certificates Module</b><br />
<div style="text-align: center;">
<span style="background-color: #cfe2f3;"><br /></span></div>
<div style="text-align: center;">
<span style="background-color: #cfe2f3;">UPDATE: The report now includes a check for a key length that is less than 2048 bits. </span></div>
<span style="background-color: #cfe2f3; text-align: center;"><br /></span>
The report will list details for all certificates in the relevant stores, for all of your servers. There is even an option to log and remove any expired certificates.<br />
<br />
This is a list of the current plugins for the Certificates module, which cover the certificate stores for a typical certificate chain:<br />
<ul>
<li>00 Module Variables.ps1 (loads AD snap-in, sets server scope, log file location etc)</li>
<li>01 List Personal Certificates.ps1</li>
<li>02 List Intermediate Certificates.ps1</li>
<li>03 List 3rd Party Root Certificates.ps1</li>
<li>04 List Trusted Root Certificates.ps1</li>
</ul>
There are a number of variables you can customise to change the scope of what is shown in the report, such as:<br />
<br />
<div>
<pre style="background: rgb(240, 240, 240); border: 1px dashed rgb(204, 204, 204); height: auto; overflow: auto; padding: 0px; width: 646.46875px;"><span style="font-size: 12px; line-height: 20px;">#Reporting variables
$MaxDays = 1095
$WarnDays = 90
$AlertDays = 30
$WarnKeySize = 2048
#Certificate Store Properties
$StoreLocation = "LocalMachine" #"LocalMachine","CurrentUser"
$StoreName = "My" #"My","CA","AuthRoot","Root"
$OpenFlag = "ReadWrite" #"ReadOnly","ReadWrite"
#Purge Variable
$PurgeExpired = $False #$True or $False
$PurgeDays = -90</span></pre>
</div>
<br />
This is the core of each script, to show how it collects info from each store and builds it into the main report.<br />
<br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;">#Create an Array and run query
$ResultsData = @()
foreach ($Server in $Servers) {
if (Test-Connection -computername $Server -count 1 -quiet){
$stores = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$Server\$StoreName",$StoreLocation)
$stores.Open($OpenFlag)
$Certificates = $stores.Certificates | Select FriendlyName, serialNumber, Issuer, Subject, PublicKey, @{Label="Expires";Expression={($_.NotAfter)}}, @{Label="Days";Expression={($_.NotAfter - (Get-Date)).Days}}
Add-content -path $Logfile -value "Server: $Server"
Add-content -path $Logfile -value "Store: $StoreLocation\$StoreName"
Add-content -path $Logfile -value " "
foreach ($Certificate in $Certificates) {
#Build Report
if ($Certificate.Issuer -ne $null -and $Certificate.days -lt $MaxDays){
$obj = New-Object PSobject
$obj | Add-Member -MemberType NoteProperty -name "Server" -value $Server
$obj | Add-Member -MemberType NoteProperty -name "Name" -value $Certificate.FriendlyName
$obj | Add-Member -MemberType NoteProperty -name "Issuer" -value $Certificate.Issuer
$obj | Add-Member -MemberType NoteProperty -name "Subject" -value $Certificate.Subject
$obj | Add-Member -MemberType NoteProperty -name "Key Size" -value $Certificate.PublicKey.key.KeySize
$obj | Add-Member -MemberType NoteProperty -name "Expires" -value $Certificate.Expires
$obj | Add-Member -MemberType NoteProperty -name "Days" -value $Certificate.Days
$ResultsData += $obj
# Update Text and Alert count based on your criteria
$Name = $Certificate.FriendlyName
$Days = $Certificate.Days
$Size = $Certificate.PublicKey.key.KeySize
if ($Days -lt 0){
$AlertText += "!RED!Alert: Certificate $Name on $Server has expired "
$AlertCount += $AlertCount.count + 1
}
elseif ($Days -lt $AlertDays){
$AlertText += "!RED!Alert: Certificate $Name on $Server is expiring in $Days days"
$AlertCount += $AlertCount.count + 1
}
elseif ($Days -lt $WarnDays){
$WarningText += "!ORANGE!Warning: Certificate $Name on $Server is expiring in $Days days"
$WarningCount += $WarningCount.count + 1
}
if ($Size -lt $WarnKeySize){
$WarningText += "!ORANGE!Warning: Certificate $Name on $Server does not meet minimum key size of $WarnKeySize"
$WarningCount += $WarningCount.count + 1
}
}
#Log and Purge Old Certs
If ($PurgeExpired -eq $True){
$Name = $Certificate.FriendlyName
$Issuer = $Certificate.Issuer
$Subject = $Certificate.Subject
$Expired = $Certificate.Expires
$Days = $Certificate.Days
$SerialNumber = $Certificate.serialNumber
if ($Certificate.Issuer -ne $null -and $Certificate.days -lt $PurgeDays){
Add-content -path $Logfile -value "Name: $Name"
Add-content -path $Logfile -value "Issuer: $Issuer"
Add-content -path $Logfile -value "Subject: $Subject"
Add-content -path $Logfile -value "Expired: $Expired"
Add-content -path $Logfile -value "Days: $Days"
Add-content -path $Logfile -value " "
$PurgeCert = $stores.Certificates.Find("FindBySerialNumber",$SerialNumber,$FALSE)[0]
$stores.Remove($PurgeCert)
$ExpiredCount += $ExpiredCount.count + 1
}
}
}
Add-content -path $Logfile -value "$Server Completed (Purge = $PurgeExpired). $ExpiredCount expired certificates deleted."
Add-content -path $Logfile -value "-------------------------------------------------------------------"
Add-content -path $Logfile -value " "
$ExpiredCount = 0
$stores.Close()
}
}</code></pre>
<br />
<b>More Info</b><br />
<br />
This is a community driven project if you have any suggestion or module scripts you have created, I would love to include them here - with full mudos to you of course.<br />
<br />
See the main <a href="http://www.theagreeablecow.com/2012/09/sysadmin-modular-reporting-samreports.html" target="_blank">SysAdmin Modular Reports page</a> for more details, including working with Scheduled Tasks and downloads for other modules.<br />
<br />
Cheers,<br />
<span style="font-family: "courier new" , "courier" , monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com2tag:blogger.com,1999:blog-4026285436658116929.post-67006650976610339962014-02-01T18:30:00.000-08:002014-02-01T22:58:05.235-08:00Deploying and Customising Windows 8.1 using SCCM, Group Policy and PowershellIt was a bold direction Microsoft took with the interface changes in Windows 8. One that has has caused much discussion in the IT ranks. The changes in Windows 8.1 come a long way to resolve the technical limitations many people found with the original release. I don't want to delve into this argument as there are better forums for doing so. Suffice to say that some companies, like mine, are pushing ahead with Windows 8.1 and this article aims to capture some of the techniques, tips and tricks we used to do so.<br />
<br />
Any System Administrator worth their salt will know what will fly in their company and what won't. To ease the impact of change on our staff, I like to 'tick-tock' between Operating System and Core Application upgrades, when I do a new Standard Operating Environment (SOE). I had just finished a 'tock' cycle which was focusing on new core applications such as Office, Acrobat, Lync as well as upgrades to our specific Practice and Document Management software. So this environment upgrade was only going to focus on a change to the OS and more specifically, just for laptops and tablets where I feel that Windows 8.1 truly shines.<br />
<br />
<h3>
Systems Center Configuration Manager (SCCM) Task Sequence</h3>
<br />
I'll have to assume that my audience is somewhat proficient with SCCM, so I will just focus on some of the more specific techniques used with this SOE release. As a minimum, you'll need to ensure that your're pretty up to date with your SCCM version, ADK and <a href="http://blogs.technet.com/b/configurationmgr/archive/2013/10/28/hotfix-an-update-is-available-that-adds-support-for-windows-8-1-and-windows-server-2012-r2-to-system-center-configuration-manager-2007-service-pack-2.aspx" target="_blank">patches</a>.<br />
<br />
Our target devices were all Dell and included a Venue Pro 11 tablet as well as Latitude 12 and Latitude 14 laptops. It's well worth investing some time getting your driver libraries sorted, so if you're a Dell shop head on over to their <a href="http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-driver-cab-files-for-enterprise-client-os-deployment.aspx" target="_blank">Enterprise Client Wiki</a>.<br />
<br />
Here's a high level overview of the current task sequence we're using. Where possible, I avoid the use of a "Golden Image" and aim for a complete and flexible build from the original Windows 8.1 ISO.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-__70v1xDJXs/Uu2Qq-AQXNI/AAAAAAAAAL0/-Ep9PhSf6LE/s1600/TaskSequence.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-__70v1xDJXs/Uu2Qq-AQXNI/AAAAAAAAAL0/-Ep9PhSf6LE/s1600/TaskSequence.jpg" height="640" width="560" /></a></div>
<br />
<b>Copy SXS source files to local computer</b><br />
<br />
Having some OS source files available on your local hard disk makes updates, such as .NET 3.5 much easier. We simply created a Package which was the ISO's SXS directory. Then run the following command line sequence, linked to that package.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-xg-gX5AaCcA/Uu2VNUBgYjI/AAAAAAAAAMA/2Vl-rqV41RM/s1600/xcopy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-xg-gX5AaCcA/Uu2VNUBgYjI/AAAAAAAAAMA/2Vl-rqV41RM/s1600/xcopy.jpg" height="382" width="640" /></a></div>
<div>
<code style="word-wrap: normal;"><br /></code></div>
<div>
<code style="word-wrap: normal;"><br /></code></div>
<div>
<code style="word-wrap: normal;"></code><br />
<div style="font-family: 'Times New Roman';">
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;"><code style="word-wrap: normal;">xcopy ".\*.*" "C:\Windows\Support\" /D /E /C /I /Q /H /R /Y /S</code></code></pre>
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;"><code style="word-wrap: normal;">DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:c:\Windows\Support\sxs
</code></code></pre>
<div>
<code style="word-wrap: normal;"><code style="word-wrap: normal;"><br /></code></code></div>
<div>
<code style="word-wrap: normal;"><br /></code></div>
</div>
<code style="word-wrap: normal;">
</code></div>
<b>Removing default apps</b><br />
<br />
There are some apps that you just cannot remove from Windows 8.1 (such as the camera). However, there are quite a few that your can. We do this via a powershell script.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-30tOnexNUQI/Uu2XNbhDDuI/AAAAAAAAAMk/vi3O34zZuF0/s1600/removeapps.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-30tOnexNUQI/Uu2XNbhDDuI/AAAAAAAAAMk/vi3O34zZuF0/s1600/removeapps.jpg" height="346" width="640" /></a></div>
<br />
<br />
<div>
<div style="font-family: 'Times New Roman';">
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;">$AppList = "Microsoft.BingFinance",
"Microsoft.BingFoodAndDrink",
"Microsoft.BingHealthAndFitness",
"Microsoft.BingMaps",
"Microsoft.BingNews",
"Microsoft.BingSports",
"Microsoft.BingTravel",
"Microsoft.BingWeather",
"Microsoft.HelpAndTips",
"Microsoft.Reader",
"Microsoft.SkypeApp",
"Microsoft.WindowsAlarms",
"Microsoft.WindowsCalculator",
"microsoft.windowscommunicationsapps",
"Microsoft.WindowsReadingList",
"Microsoft.WindowsScan",
"Microsoft.WindowsSoundRecorder",
"Microsoft.XboxLIVEGames",
"Microsoft.ZuneMusic",
"Microsoft.ZuneVideo",
"Microsoft.WindowsPhotos",
"Microsoft.MoCamera"
ForEach ($App in $AppList) {
$AppxPackage = Get-AppxProvisionedPackage -online | Where {$_.DisplayName -eq $App}
Remove-AppxProvisionedPackage -online -packagename ($AppxPackage.PackageName)
Remove-AppxPackage ($AppxPackage.PackageName)
}</code></pre>
<div>
<code style="word-wrap: normal;"><code style="word-wrap: normal;"><br /></code></code></div>
</div>
<code style="word-wrap: normal;">
</code></div>
<b><br /></b>
<b> Copy a Start Screen layout to the default user profile</b><br />
<br />
Using a test device, create the Start screen layout that you're looking for (grouping, naming etc). Then grab the <span style="font-family: Consolas, Courier, monospace; font-size: 13px; line-height: 17.549999237060547px;">%AppData%\Local\Microsoft\Windows\AppsFolderLayout.bin </span>file and drop it in a package for deployment to the default user profile.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-YdIfvQKix7E/Uu2XKjBxmqI/AAAAAAAAAMc/wMMshEvdO9A/s1600/copyfolderlayout.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-YdIfvQKix7E/Uu2XKjBxmqI/AAAAAAAAAMc/wMMshEvdO9A/s1600/copyfolderlayout.jpg" height="380" width="640" /></a></div>
<br />
<br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;">xcopy ".\*.*" "C:\Users\Default\AppData\Local\Microsoft\Windows" /D /E /C /I /Q /H /R /Y /S</code></pre>
<br />
<b><br /></b>
<b>Create and Import Customised Tiles</b><br />
<br />
We used a Windows 8 app called <i>Obly Tile</i> to create a series of new start screen tiles for our core company applications and intranet sites. Along with the previous two steps, the end results gives us a very streamlined Start Screen with familiar icons for users. Once you have created your titles, create a package out of the Obly Tile application, source folder structure it creates and an use a simple batch script to copy into the default Start Menu<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ZXdXqfaIRGA/Uu2f0dk4DfI/AAAAAAAAANM/Ez_y50utzdw/s1600/oblytile.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-ZXdXqfaIRGA/Uu2f0dk4DfI/AAAAAAAAANM/Ez_y50utzdw/s1600/oblytile.jpg" height="144" width="640" /></a></div>
<br />
<br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;">if not exist "C:\Program Files\OblyTile" md "C:\Program Files\OblyTile"
xcopy "OblyTile\*.*" "C:\Program Files\OblyTile" /s /y
xcopy "Start Menu\*.*" "C:\ProgramData\Microsoft\Windows\Start Menu" /s /y</code></pre>
<div>
<code style="word-wrap: normal;"><br /></code></div>
<br />
<b>Application Association</b><br />
<br />
Some file types, such a JPEGs for example, may be associated with apps that you don't want to use. One way to update this is by updating the associations first on a test device, then exporting the AppAssoc.xml file. NB. This only works for new user profiles on that device.<br />
<br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;">"dism /online /Export-DefaultAppAssociations:C:\temp\AppAssoc.xml"</code></pre>
<div>
<br /></div>
Add the xml file and batch file to import it into to your package.<br />
<br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;">"dism /online /Import-DefaultAppAssociations:AppAssoc.xml"</code></pre>
<div>
<code style="word-wrap: normal;"><br /></code></div>
<br />
<h3>
Group Policy</h3>
Once the machine has been deployed we implement a number of Group Policy settings to customise our final image. Every company is different, so these are just what works for us.<br />
<br />
We typically have three Computer Policies; one for all SOE computers, then one each for the handful of special tweaks relating to either Windows 7 or Windows 8. Make sure you grab the latest Windows 8.1 ADMX files from a test build and import into Active Directory GP.<br />
<br />
<b>Separate Windows 7 and Windows 8 Profiles</b><br />
<br />
There can be some potential corruptions between the two profile version, plus we wanted new profiles to ensure we got a consistent Start Screen experience for new users. Most of the users items such as Desktop, Favorites, My Documents etc are taken care of with Folder redirection. So by using the technique below, we were able to create separate profiles for our users, allowing them to switch back and forth between Windows 7 desktops and Windows 8 tablets and laptops.<br />
<br />
In both the Windows 7 and Windows 8 Group Policies create a System Environment Variable (Preferences | Windows Settings | Environment Variables) and called in <i>OSVer</i>, with a Value of <i>Win7 </i>or <i>Win8</i> respectively.<br />
<br />
Then in Active Directly, set up their profile path to use the variable.<br />
<br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;">\\userfiles\home$\johnsmith\%OSVer%</code></pre>
<div>
<code style="word-wrap: normal;"><br /></code></div>
<b>Computer Policies</b><br />
<br />
Force Internet Explorer to open in Desktop mode<br />
<pre style="-webkit-text-stroke-width: 0px; background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); color: black; font-family: arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; height: auto; letter-spacing: normal; line-height: 20px; margin: 0px; orphans: auto; overflow: auto; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; widows: auto; width: 646.46875px; word-spacing: 0px;"><code style="word-wrap: normal;">Windows Components/Internet Explorer/Internet Settings
Set how links are opened in Internet Explorer = Always in Internet Explorer</code></pre>
<br />
Disable SkyDrive<br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;">Windows Components/SkyDrive
Prevent the usage of SkyDrive for file storage = Enabled </code></pre>
<div>
<br />
Disable Windows Store</div>
<div>
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;"><code style="word-wrap: normal;">Windows Components/Store
Turn off the Store application = Enabled </code></code></pre>
<code style="word-wrap: normal;">
</code>
<br />
<div>
<br />
Allow local powershell scripts to run (eg logon.ps1 script)</div>
<div>
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;"><code style="word-wrap: normal;"><code style="word-wrap: normal;">Windows Components/Windows PowerShell
Turn on Script Execution = Enabled
Execution Policy Allow local scripts and remote signed scripts </code></code></code></pre>
<code style="word-wrap: normal;"><code style="word-wrap: normal;">
</code>
</code><br />
<div>
<code style="word-wrap: normal;"><code style="word-wrap: normal;"><br /></code></code></div>
<code style="word-wrap: normal;"><code style="word-wrap: normal;">
</code></code></div>
<code style="word-wrap: normal;">
</code></div>
<b>Computer Preferences</b><br />
<br />
Remove First Use Animation<br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;">EnableFirstLogonAnimation
Action Create
PropertiesHive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value name EnableFirstLogonAnimation
Value type REG_DWORD
Value data 0x0 (0) </code></pre>
<div>
<br /></div>
<b>User Policies</b><br />
<br />
Disable Edge Help Tips<br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;">Windows Components/Edge UIhide
Disable help tips Enabled</code></pre>
<div>
<code style="word-wrap: normal;"><br /></code>
<code style="word-wrap: normal;"><span style="font-family: 'Times New Roman';">Disable IE SPDY/3 network protocol</span></code></div>
<div>
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;"><code style="word-wrap: normal;">Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Allow Internet Explorer to use the SPDY/3 network protocol Disabled</code></code></pre>
<br /></div>
<b>User Preferences</b><br />
<br />
Boot to Desktop<br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;">OpenAtLogon
Action Replace
PropertiesHive HKEY_CURRENT_USER
Key path Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\
Value name OpenAtLogon
Value type REG_DWORD
Value data 0x0 (0) </code></pre>
<div>
<code style="word-wrap: normal;"><span style="font-family: 'Times New Roman';"><br /></span></code>
<code style="word-wrap: normal;"><span style="font-family: 'Times New Roman';">Disable DPI Scaling</span></code></div>
<div>
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;"><code style="word-wrap: normal;">Win8DpiScaling
Action Replace
PropertiesHive HKEY_CURRENT_USER
Key path Control Panel\Desktop
Value name Win8DpiScaling
Value type REG_DWORD
Value data 0x1 (1) </code></code></pre>
<code style="word-wrap: normal;">
</code>
<br />
<div>
<code style="word-wrap: normal;"><code style="word-wrap: normal;"><br /></code>
<code style="word-wrap: normal;"><span style="font-family: 'Times New Roman';">Set DPI pixels</span></code></code></div>
<code style="word-wrap: normal;">
</code>
<br />
<div>
<code style="word-wrap: normal;"><code style="word-wrap: normal;">
</code>
</code><br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.46875px;"><code style="word-wrap: normal;"><code style="word-wrap: normal;"><code style="word-wrap: normal;">LogPixels
Action Replace
PropertiesHive HKEY_CURRENT_USER
Key path Control Panel\Desktop
Value name LogPixels
Value type REG_DWORD
Value data 0x60 (96)</code></code></code></pre>
<code style="word-wrap: normal;"><code style="word-wrap: normal;">
</code>
</code><br />
<div>
<code style="word-wrap: normal;"><code style="word-wrap: normal;"><code style="word-wrap: normal;"><br /></code></code></code></div>
<code style="word-wrap: normal;"><code style="word-wrap: normal;">
</code></code></div>
<code style="word-wrap: normal;">
</code></div>
This is probably going to be an ongoing project and I'm sure others have some great tips, so I'l keep updating as they come in.<br />
<br />
Cheers,<br />
<span style="font-family: 'Courier New', Courier, monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<br />
<br />TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com4tag:blogger.com,1999:blog-4026285436658116929.post-86731741887346101482013-08-18T19:53:00.000-07:002013-08-18T19:53:17.936-07:00Creating SSL certificates for Exchange 2010 Edge serversI recently moved from an on-premise email security gateway to a cloud service. As such, I had to setup some new Exchange Edge roles and install SSL certificates on them to provide TLS encryption. As there is a limited GUI, all of this needs to be done via powershell. Here is a quick, high level overview of the steps taken.<br />
<div>
<br /></div>
<div>
<div>
<b>Generate Cert Request</b></div>
<div>
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> $data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=AU, o=IT Dept, cn=mail.mydomain.com.au" -PrivateKeyExportable $true
Set-Content -Path "c:\Temp\mailcert.req" -Value $Data
</code></pre>
</div>
<br />
<b>Submit Request to CA</b></div>
<div>
I recommend <a href="http://www.digicert.com/unified-communications-ssl-tls.htm">http://www.digicert.com/unified-communications-ssl-tls.htm</a></div>
<div>
<ul>
<li>Common name should be the public name eg. </li>
<ul>
<li>mail.mydomain.com.au</li>
</ul>
<li>Add in additional 'Subject Alternate Names' for the actual server names eg.</li>
<ul>
<li>exchedge1.mydomain.com.au</li>
<li>exchedge2.mydomain.com.au</li>
</ul>
</ul>
</div>
<div>
<b><br /></b>
<b>Complete Certificate Request</b></div>
<div>
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\Temp\mail_mydomain_com_au.cer -Encoding Byte -ReadCount 0))
</code></pre>
</div>
<div>
<br />
Note the thumbprint that is shown when successfully imported.<br />
<br />
<b>Assign the certificate to SMTP service</b></div>
<div>
<div>
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Get-ExchangeCertificate -Thumbprint ABCD12345ABCD12345ABCD12345ABCD12345ABCD | Enable-ExchangeCertificate -Services SMTP
</code></pre>
</div>
<div>
<br /></div>
<div>
<b>Update the intermediate Certs</b></div>
<div>
<br />
<ul>
<li>Download and run the Digicert Certificate Utility (<a href="https://www.digicert.com/util/">https://www.digicert.com/util/</a>), on the edge server.</li>
<li>"Repair" the cert if it's showing any missing/misplaced intermediate certificates</li>
</ul>
</div>
<div>
<br /></div>
<div>
<b>Export the certificate (and repeat import on second server)</b></div>
<div>
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">$file = Export-ExchangeCertificate -Thumbprint ABCD12345ABCD12345ABCD12345ABCD12345ABCD -BinaryEncoded:$true -Password (Get-Credential).password
Set-Content -Path "c:\Temp\mailcert.pfx" -Value $file.FileData -Encoding Byte
</code></pre>
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\Temp\mailcert.pfx -Encoding Byte -ReadCount 0)) -Password (Get-Credential).password
Get-ExchangeCertificate -Thumbprint ABCD12345ABCD12345ABCD12345ABCD12345ABCD | Enable-ExchangeCertificate -Services SMTP
</code></pre>
<div>
<span class="Apple-tab-span" style="white-space: pre;"><br /></span>
Update intermediate cert via Digicert Certificate Utility as above</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span></div>
<div>
<b>Complete a synchronisation cycle (on an internal Hub Transport server)</b></div>
<div>
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Start-EdgeSynchronization
</code></pre>
<br />
Cheers,<br />
<span style="font-family: 'Courier New', Courier, monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<br /></div>
</div>
</div>
TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com0tag:blogger.com,1999:blog-4026285436658116929.post-9438847457229766822013-08-07T00:36:00.002-07:002013-08-07T01:05:24.320-07:00Automatically re-size and import photos into Active Directory with PowershellThis script is a great example of how IT can hand back responsibility one of those trivial admin jobs to a non-IT department. You know the scenario; Marketing or HR get all of the staff photos together and send them to IT for posting to Active Directory for a bunch of relevant systems such as Outlook, Lync or a SharePoint corporate directory. Every time a photo changes, it's yet another request into IT. Well, if you implement this script, you'll never have to worry about manually re-sizing and importing these photos again!<br />
<br />
In summary, the script bulk imports photos into AD, by selecting them from a network share based on their age. It will even re-size the photos on the fly according to Microsoft's recommendations, whilst ensuring to keep the original proportions. The cool thing is, that you can launch it from a scheduled task, so all someone has to do is save any new photos to the nominated location and they will get imported automatically.<br />
<br />
During the import process the photos get checked against valid users in AD, so they need to be in the format of <i>username.jpg</i>. Everything is logged and if this test fails it will be added to the user friendly email output which can again become someone else's responsibility to receive and action. IT can get CC'd on this of course and step in as necessary.<br />
<br />
The syntax to use is as follows<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">Set-ADPhotos SourcePath Days<sourcepath><days></days></sourcepath></span><br />
<br />
For example<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"> .\Set-ADPhotos '\\Server1\sharename' 1</span><br />
<br />
The 'Source Path' can be any local folder or network share that's accessible. The photos are then copied down to a local working path for the actual import. Both the original photo (if one exists) and the new photos are date stamped and backed up. So if you have to restore a photo, you can simply place a copy (as <i>username.jpg</i>), back into the working directory and do a manual run without having to wait for the next schedule.<br />
<br />
The 'Days' parameter is used to filter the import of photos based on the modified date. So for example '1' will only import photos modified in the last day. Assuming you run this as a scheduled task, it's important then to match the schedule with the the number of days entered.<br />
<br />
Finally, if you're a Lync shop, the script can trigger an update of the Address Book which gets the photos out to the clients pretty quickly.<br />
<br />
Here's the full script, or download it from <a href="https://gist.github.com/theagreeablecow/6171487#file-set-adphotos-ps1" target="_blank">GitHub</a>.<br />
<br />
<script src="https://gist.github.com/6171487.js">
</script>
Cheers,<br />
<span style="font-family: 'Courier New', Courier, monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<br />TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com2tag:blogger.com,1999:blog-4026285436658116929.post-56612738116980476142013-06-29T18:32:00.000-07:002018-01-07T18:47:56.629-08:00SysAdmin Modular Report for ExchangeThe SysAdmin Modular Reporting framework provides a consistent, flexible data collection and reporting tool with 'traffic light' style alerts for your environment. Written in Powershell using an easy to follow style, the framework collates any number of user generated plugins (function scripts), into a single report for any Windows system supporting Powershell.<br />
<br />
<b>Quick Start</b><br />
<br />
For a full overview of the framework and information to help create your own scripts, please see the <a href="https://www.dropbox.com/s/dx5wscjw4phehxv/SAMReport%20Quick%20Start%20Guide.pdf?dl=0">Quick Start Guide </a>(pdf).<br />
<ol>
<li>Download modules from GitHub links below*</li>
<li>Save to a server with Exchange 2010/2013 Management Tools</li>
<li>Customise <i>Global_Variables.ps1</i> (with relevant server names, email addresses etc)</li>
<li>Review the plugins (reorder, remove, update thresholds etc)</li>
<li>Run the report <span class="Apple-style-span" style="background-color: #f6f5ea; font-family: "consolas" , "lucida console" , monospace; font-size: 13px; line-height: 19px; white-space: pre;">Get-SAMReport Exchange [Email/OnScreen]</span></li>
</ol>
Review the scripts on GitHub<br />
<ul>
<li><a href="https://gist.github.com/3682550" target="_blank">Core Components</a></li>
<li><a href="https://gist.github.com/theagreeablecow/5890371" target="_blank">Exchange Module</a></li>
</ul>
*I encourage you to review and understand any script downloaded from the internet. Also ensure to "unblock" each .ps1 files (Right click | Properties | Unblock), to avoid the <span class="Apple-style-span" style="background-color: #f6f5ea; font-family: "consolas" , "lucida console" , monospace; font-size: 13px; line-height: 19px; white-space: pre;">[D] Do not run [R] Run once [S] Suspend</span> security prompts.<br />
<br />
<b>Overview</b><br />
<br />
SAMReports can provide a very detailed look into the health of your environment. You can view the relevant data that has been gathered and quickly see any Warnings or Alerts based on your thresholds. The overall title of the report will reflect the worst result, so for example if there were 6 sections and only one showed a Warning, the report title will be coloured as a Warning.<br />
<br />
The result is a rich report with clear status indicators giving you an instant overview and the details to back it up.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-N3JhiAot_WY/Uc9-AFcqhiI/AAAAAAAAAJw/ISj8XmdzwCU/s1395/SAMReport_Exchange.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="636" src="https://4.bp.blogspot.com/-N3JhiAot_WY/Uc9-AFcqhiI/AAAAAAAAAJw/ISj8XmdzwCU/s640/SAMReport_Exchange.jpg" width="640" /></a></div>
<br />
<span style="color: #999999; font-size: xx-small;"> Picture 1. Sample Report showing just a few of the plugins</span><br />
<br />
<b>Plugins</b><br />
<br />
The independent plugin system is very flexible and provides an easy way to only report on information that you need. The template style provides a consistent output, but also makes it easy to adapt or add new plugins. The warnings or alerts are based on a failed test or data falling outside of thresholds that you can define.<br />
<br />
Each plugin can generate four types of output:<br />
<ul>
<li>Results Text (html formatted)</li>
<li>Results Data (html formatted table)</li>
<li>Results Status (Alert, Warning, Good colour codes)</li>
<li>A File (either saved to the \output folder or included as an email attachment)</li>
</ul>
<br />
This is a list of the current plugins for Exchange:<br />
<ul>
<li>Environment Summary.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Shows an overview of the Exchange environment</li>
<li>Services Check.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Checks that the appropriate services are running for each role</li>
<li>Transport Queues.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Checks for delayed messages in Transport Queues</li>
<li>Database Mount Status.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Checks the mount status of Public folder and Mailbox databases</li>
<li> DAG Database Health.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Checks the health status of the Databases which are part of a DAG</li>
<li>DAG Replication Health.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Checks the health status of the DAG replication</li>
<li>Backup Status.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Checks when each of the databases were last backed up</li>
<li>Database and Disk Statistics.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Checks database statistics and available disk space</li>
<li>Check Mail Flow.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Checks mail flow between each Mailbox server</li>
<li>Test MAPI Connectivity.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Verifies server functionality for MAPI and LDAP</li>
<li>Test OWA Connectivity.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Verifies server functionality for Outlook Web Access</li>
<li>Test Web Services.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Verifies server functionality for Outlook Anywhere</li>
<li>Test POP Connectivity.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Verifies server functionality for POP3</li>
<li>Test IMAP Connectivity.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Verifies server functionality for IMAP4</li>
<li>Test SMTP Connectivity.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Verifies server functionality for SMTP</li>
<li>Test System Health.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Analyses your environment according to best practices</li>
<li>Get Event Logs.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Event Log entries that match defined criteria</li>
<li>ActiveSync Device Count.ps1<span class="Apple-tab-span" style="white-space: pre;"> </span>Checks the number of EAS devices for each user</li>
</ul>
<br />
This is a community driven project if you have any suggestion or module scripts you have created, I would love to include them here - with full mudos to you of course.<br />
<br />
See the main <a href="http://www.theagreeablecow.com/2012/09/sysadmin-modular-reporting-samreports.html" target="_blank">SysAdmin Modular Reports page</a> for more details, including working with Scheduled Tasks and downloads for other modules.<br />
<br />
Cheers,<br />
<span style="font-family: "courier new" , "courier" , monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com0tag:blogger.com,1999:blog-4026285436658116929.post-48885707246777012942012-09-08T23:40:00.000-07:002018-01-07T18:49:02.411-08:00SysAdmin Modular Reporting (SAMReports)<b>What is it?</b><br />
The SysAdmin Modular Reporting framework provides a consistent, flexible data collection and reporting tool with 'traffic light' style alerts for your environment. Written in Powershell using an easy to follow style, the frameworks collates any number of user generated plugins (function scripts), into a single report for any Windows system supporting Powershell.<br />
<br />
<h2 style="text-align: center;">
For a full overview of the framework and information to help create your own scripts</h2>
<h2 style="text-align: center;">
Please see the <a href="https://www.dropbox.com/s/dx5wscjw4phehxv/SAMReport%20Quick%20Start%20Guide.pdf?dl=0">Quick Start Guide </a>(pdf)</h2>
<br />
Here's a quick extract from the Veeam report (see full example below).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-VpDvRtQoXIE/UEwxdH4rLeI/AAAAAAAAAI0/87DVoTr5OzA/s1600/SAMReport_sample.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://4.bp.blogspot.com/-VpDvRtQoXIE/UEwxdH4rLeI/AAAAAAAAAI0/87DVoTr5OzA/s400/SAMReport_sample.jpg" width="400" /></a></div>
<br />
<b>Download Latest Version</b><br />
The reporting framework consists of the Core Components and a collection of separate Modules which contain the individual functions that combine to create a final report.<br />
<br />
View the scripts on GitHub<br />
<ul>
<li><a href="https://gist.github.com/3682550" target="_blank">Core Components</a></li>
<li><a href="https://gist.github.com/3682559" target="_blank">Veeam Module</a></li>
<li><a href="https://gist.github.com/theagreeablecow/5890371" target="_blank">Exchange Module</a></li>
<li><a href="https://gist.github.com/theagreeablecow/5890562" target="_blank">PC Health Module</a></li>
<li><a href="https://gist.github.com/theagreeablecow/21701aa7361fe7260cf5">Certificates Module</a></li>
</ul>
*I encourage you to review and understand any script downloaded from the internet. Also ensure to "unblock" each .ps1 files (Right click | Properties | Unblock), to avoid the <span class="Apple-style-span" style="background-color: #f6f5ea; font-family: "consolas" , "lucida console" , monospace; font-size: 13px; line-height: 19px; white-space: pre;">[D] Do not run [R] Run once [S] Suspend</span> security prompts.<br />
<br />
<span class="Apple-style-span" style="background-color: #cfe2f3;">Please note; this is very much a community sourced project. </span><span style="background-color: #cfe2f3;">Please send any suggestions, ideas or plugins to theagreeablecow@gmail.com</span><br />
<br />
<br />
<b>Core Components</b><br />
There is one parent script called Get-SAMReport.ps1, which is the script that you launch (either manually or via a scheduled task). Typical syntax is like this:<br />
<br />
<i>Get-SAMReport [module]<string> [output]</string></i><br />
<br />
For example<br />
<br />
<i>Get-SAMReport Exchange OnScreen</i><br />
<br />
The first thing this script does is collect a number of user defined variables, a style sheet layout and global functions. These are all stored in the <i>_Assets</i> folder and are universally applicable to all reporting modules:<br />
<ul>
<li>Global_Variables.ps1*</li>
<ul>
<li>Contains all of your relevant server names, email contacts etc.</li>
<li>Primary report colours, headings etc</li>
</ul>
<li>Global_StyleSheet.ps1</li>
<ul>
<li>All of the HTML format coding</li>
</ul>
<li>Global_Functions.ps1</li>
<ul>
<li>A central location for any functions that need to be called</li>
</ul>
</ul>
<span class="Apple-style-span" style="background-color: #cfe2f3;">*As a minimum, you need to customise the Global_Variables.ps1 script.</span><br />
<br />
Then, depending on the module chosen, Get-SAMReport.ps1 will then parse all of the scripts in the relevant module's subfolder. These scripts are based on a standard template so the results can then be imported and aggregated to generate the final report. Any script in the specified module subfolder will be run, in the order listed. If you don't like a script, just remove it or rename the .ps1 extension.<br />
<br />
Example of the folder structure<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-JEh7UB9QYnk/UEwpgXpVLwI/AAAAAAAAAIc/r-cLsdvDTNg/s1600/FolderStructure.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://4.bp.blogspot.com/-JEh7UB9QYnk/UEwpgXpVLwI/AAAAAAAAAIc/r-cLsdvDTNg/s400/FolderStructure.jpg" width="400" /></a></div>
<br />
<br />
<b>Modules and Templates</b><br />
The framework is designed to work with any system that supports Powershell v3.0 or later.<br />
<ul>
</ul>
<div>
For each system module there is a subfolder for individual scripts. There is a high level 'Module Variables.ps1' script which acts like the 'Global Variables' script, but is limited just to that module. Each of the remaining scripts are called in order and produce a standardised output. This output is very specific and must be in the supplied format. Currently the parent script can accept up to four separate results per child script:</div>
<br />
<ul>
<li>Results Text (html formatted)</li>
<li>Results Data (html formatted table)</li>
<li>Results Alert (Alert, Warning, Good colour codes)</li>
<li>An attachment (found on any UNC path)</li>
</ul>
<div>
Each of these scripts contain further variables (such as servers or service names) and thresholds that you can customise. So feel free to tweak these to suit your environment. Have a look at some of the examples provided and you'll soon get a feel for the methodology.<br />
<span style="background-color: #cfe2f3;"><br /></span>
<span style="background-color: #cfe2f3;">NB. The scripts need to be stored and run from a server that contains the relevant management tools and Powershell plugins.</span></div>
<div>
<b><br /></b>
<b><br /></b>
<b>Scheduled Tasks</b><br />
<div>
The reports are best suited to being run as a scheduled task. The typical syntax for running is as follows:<br />
<br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span></i><i>Start a program: <span class="Apple-tab-span" style="white-space: pre;"> </span>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span>Arguments:<span class="Apple-tab-span" style="white-space: pre;"> </span> <span class="Apple-tab-span" style="white-space: pre;"> </span>-NonInteractive c:\SAMReports\Get-SAMReport.ps1 Exchange</i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span>Start in:<span class="Apple-tab-span" style="white-space: pre;"> </span>c:\SAMReports\</i></div>
<b><br /></b>
There is a 'Scheduled Task Example.xml' file in the assets folder which can be imported to make this process easier.<br />
<b><br /></b>
Ensure the script is run manually at least once for each module you want to use. You will be prompted for your "Run As" credentials for that module. These will be saved using ConvertTo-SecureString for future use in a hashed 'ModuleCredentials.xml' file. To changed the saved credentials, remove this file and re-run script manually once more.<br />
<br />
<br />
<b>Example Plugin</b><br />
<div>
This is a simple example showing the typical framework for a module plugin.</div>
<b><br /></b>
<script src="https://gist.github.com/3682550.js?file=Example Template.ps1"></script>
<b><br /></b>
<b>Reporting</b></div>
<div>
Once the results have been aggregated into the final report, you will be able to view the relevant data that you have gathered and also quickly see any Warnings or Alerts based on your thresholds. Even specific text with each section can be highlighted accordingly. The overall title of the report will also reflect the worst result, so for example if there were 8 sections and only one showed a Alert, the report title will be coloured as a Alert.<br />
<br />
Here is an example of a full report<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Wt_wHSt7Wec/UEwvmsCl3mI/AAAAAAAAAIs/peulA1tLX6M/s1600/SAMReport.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://4.bp.blogspot.com/-Wt_wHSt7Wec/UEwvmsCl3mI/AAAAAAAAAIs/peulA1tLX6M/s640/SAMReport.jpg" width="347" /></a></div>
<br />
As I said earlier, this is a community driven project if you have any suggestion or module scripts you have created, I would love to include them here - with full mudos to you of course.<br />
<br />
Cheers,<br />
<span style="font-family: "courier new" , "courier" , monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<br />
<br /></div>
TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com14tag:blogger.com,1999:blog-4026285436658116929.post-74503152071353337962012-06-13T05:54:00.001-07:002012-06-13T05:54:17.129-07:00Preventing Password Expirations with Custom Emails and ReportsOne of the big sources of calls to the Helpdesk department is the fallout from expired passwords. Generally users will get a Windows message box at login warning about this, but I find that this basic prompt doesn't always work in practise. Firstly, by default it pops up way too early and is often more annoying for your users. Secondly, most people just tend to ignore it and often continue to do so until it is too late. Also, for environments that use Citrix published apps or terminal services sessions, there can be some delays in password replications and conflicts if users change their password at logon. This can lead to account lockouts and even more Helpdesk calls! Finally, if you happen to turn on some group policy features, this warning simply will not show up at all.<br />
<br />
So, this project is about contacting your users via email and advising them with your own clear message that their passwords are about to expire. At the same time generate a simple report for the administrator, giving them a heads up to potential issues. The original script was sourced some time ago, so if I find the originator, I'll be sure to pass on all mudos.<br />
<br />
Also note, that this script uses Quest's <a href="http://www.quest.com/powershell/activeroles-server.aspx" target="_blank">ActiveRoles</a>. You can of course easily customise and use the native AD module. Once you're happy, set it up as a daily scheduled task. Ideally do this late in the afternoon, to remind users just before they are about to log off. Also have a look at customising the messages within the emails. You do want to keep this simple but informative. Keep in mind that since passwords can be sensitive and phishing is so easy, you don't want to establish bad behaviours (such as clicking on a hyperlink).<br />
<br />
There are three broad sections in the script. The first is to email users whose passwords have expired. I find this a little counter intuitive, but some environments might find this handy. Perhaps they might still have Blackberry working or you might want simply want to send it as a record with information about how to avoid next time.<br />
<br />
The second section is where it sends an email to each user whose password is expiring within your designated time. Personally I set this as less than 5 days. This is enough to cover weekend and part timers, but not so repetitive that it becomes annoying. Additionally, you might also have system accounts, so in these cases (where their isn't a valid email recipient), it will send the email to the administrator.<br />
<br />
The final section is where it collects all of the users whose passwords are about to expire and all of the users whose passwords have expired, and wraps it up into a nice email report for the administrator. This can be handy, because you can see the people that are ignoring their emails as they just keep showing up in that report! A quick proactive phone call would be much appreciated by the user and the Helpdesk.<br />
<br />
Here's the full script.<br />
<br />
<script src="https://gist.github.com/2923712.js">
</script>
<br />
Cheers,<br />
<span style="font-family: 'Courier New', Courier, monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<br />TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com0tag:blogger.com,1999:blog-4026285436658116929.post-64384590459948066182012-06-07T20:47:00.000-07:002012-06-07T21:00:56.451-07:00Discovering Client Connections with Lync 2010In this post we'll discuss a number of ways to discover information about your Lync clients. One of the great things about Lync 2010 is the detailed monitoring and reporting that comes out of the box. However, one thing that is difficult to find, is comprehensive information about the growing list of clients that are connecting to your Lync servers. <br />
<br />
So, what is a client exactly? Typically, this is going to be either a Lync enabled phone or the Lync software client running on your PC/Mac. But this could also be an Attendant console or something like a registered video conferencing endpoint. With the new Mobility functionality, this list grows dramatically with the inclusion of Blackberry, Windows Phone, iPhone/iPad and Android devices.<br />
<br />
Why is this important? Firstly, because Lync is relatively new, there are a lot of changes and updates to the client software. By reviewing the version information of the clients connecting, you can quickly see which ones are out of date and need patching. I also find it useful to understand the uptake of certain initiatives, such as Mobility.<br />
<br />
The Lync monitoring role does provide some insight into the client details. Amongst the number of standard reports is the <b>IP Phone Inventory Report</b>. This report is very detailed showing hardware, software and user activity. The only downside is that it is limited to phone agents.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-wO9fcU0niV8/T9Fs0gtoi7I/AAAAAAAAAHg/E4oBmKikZT0/s1600/PhoneReport.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="348" src="http://3.bp.blogspot.com/-wO9fcU0niV8/T9Fs0gtoi7I/AAAAAAAAAHg/E4oBmKikZT0/s640/PhoneReport.jpg" width="640" /></a></div>
<br />
Lync stores all of this information in SQL databases on the local Front End and SBA servers called <b>RTCLocal</b>. So, there is nothing stopping us doing a bit of querying ourselves right? Well, some people have already started doing this. Check out the neat bit of software from Stumper called <a href="http://www.stumper66.com/software/Lync.html" target="_blank">Find Lync Versions</a>. This utility does a basic SQL query to return the client connection information. It then parses the information against AD and DNS to give you a formatted table of all connected clients, usernames and computer names. For larger environments, this tool becomes a little limited because you need to run separate queries against every server in your environment that has client registrations.<br />
<br />
After mobility was released, I wanted to keep an eye on the uptake and offer some personalised training. So it was important to see what devices were being used. At the time I could not find any easy way of reporting on this. So I asked our SQL guys to put something together that we could use to query all servers at the same time and return a list of meaning information. We then added this to the reporting services, along with the other Lync reports on our central SQL server. There is a lot of data in there, so we ended up just including filters for the Username, Server, Client Version Keyword or Client Type. The later is presented as a dropdown list, performing a fixed keyword match on the client version string. <br />
<br />
<ul>
<li>Mobility (keywords contain “RTCC/”)</li>
<li>Video Conf (keywords contain “Polycom”)</li>
<li>Lync Client (keywords contain “UCCAPI/”)</li>
<li>Lync Phone (keywords contain “CPE/”)</li>
</ul>
<br />
The new report quickly allows us to do thing like "<i>Show all users on Server 1</i>", "<i>Show all phones in the enterprise that are running version x</i>", or "<i>Show all users connecting with iPads</i>" for example. Visibility is a wonderful thing!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-WEkcrio3834/T9FzJbmzFBI/AAAAAAAAAHs/NGZWjhwyIyo/s1600/LyncReport.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="http://4.bp.blogspot.com/-WEkcrio3834/T9FzJbmzFBI/AAAAAAAAAHs/NGZWjhwyIyo/s640/LyncReport.jpg" width="640" /></a></div>
<br />
Here is the base query code we used.<br />
<br />
<script src="https://gist.github.com/2893343.js">
</script>
<br />
Cheers,<br />
<span style="font-family: "Courier New",Courier,monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<br />
<br />TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com0tag:blogger.com,1999:blog-4026285436658116929.post-10693982298015264692012-06-06T04:45:00.000-07:002012-06-06T04:52:54.957-07:00Using multiple copy streams with RobocopyThis is a quick post to outline a technique I've used to migrate file servers using robocopy - or to be specific, lots of parallel robocopy streams. <br />
<br />
The script works best when you have multiple 2nd level sub-directories contained in the root directory. The VBS file below parses the directory names into seperate robocopy command line statements inside a new batch file. When the batch file(s) are run, a seperate robocopy stream is processed for <em>every</em> sub-directory at the same time.<br />
<br />
All of the usual robocopy command switches can be used of course. For one off jobs, these multiple parallel streams are much faster than a single stream. It's also great for syncronising file stores if run as a sheduled task. <br />
<br />
Here is the code.<br />
<br />
<script src="https://gist.github.com/2881377.js">
</script>
<br />
Cheers,<br />
<span style="font-family: "Courier New",Courier,monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<br />
<br />TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com5tag:blogger.com,1999:blog-4026285436658116929.post-9094518775544613082012-06-05T23:50:00.000-07:002012-06-07T20:48:17.756-07:00Getting Unassigned Numbers in Lync 2010So picture the scenario, you've got a new user starting tomorrow and you need to assign them a phone number. But which number? One of the complexities with any domain integrated VOIP system is keeping some sort of control over the allocation of phone numbers. You may very well have an up to date phone list, but Active Directory and Lync don't really care about your über Excel skills.<br />
<br />
Check out Ståle Hansen's <a href="http://msunified.net/lyncdownloads/script-list-unusednumbers-ps1/" target="_blank">blog post</a> for his original script that did a brilliant job solving this problem. The updated script below runs from your Windows 7 machine and presents a list of phone numbers that are either Assigned or Unassigned for your choosing.<br />
<br />
In large enviornments covering multiple sites, this could still be a complex result set. So rather than just throwing out a list of potentially hundreds of numbers, the script compares the numbers it finds against the "Unassigned Number Range" feature in Lync. This is primarily used to play a message or redirect a call if someone accidentally calls a number that has not been assigned to anyone. Here's a <a href="http://technet.microsoft.com/en-us/library/gg412748.aspx" target="_blank">Technet</a> article with more information.<br />
<br />
In our environment, we simply redirect these calls to reception. The ranges were setup for each site, corresponding to each contiguous block of numbers that we had been allocated by the phone company eg 1234 1200 to 1234 1299. We're not going to do any redirection with this script, just use the ranges to provide some measure of control for selecting and displaying results.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-GA8gULpQePw/T87wZWHditI/AAAAAAAAAHM/kIykhL9yWDA/s1600/Lync_UnassignedNumbers.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="http://1.bp.blogspot.com/-GA8gULpQePw/T87wZWHditI/AAAAAAAAAHM/kIykhL9yWDA/s640/Lync_UnassignedNumbers.jpg" width="640" /></a></div>
<br />
The script checks a series of phone number repositories using typical Lync shell cmdlets such as <span style="font-family: "Courier New",Courier,monospace;">Get-CsUser</span> and <span style="font-family: "Courier New",Courier,monospace;">Get-CsAnalogDevice</span>. All up this includes:<br />
<ul>
<li>User numbers (including Private Number)</li>
<li>Analogue Devices</li>
<li>Common Area Phones</li>
<li>AutoAttendant numbers</li>
<li>Dial In Access Numbers</li>
<li>Trusted Application Endpoints</li>
<li>Response Groups</li>
</ul>
As the script runs it queries each range, advises how many numbers are
in use and prompts for an action to either show the Unassigned Numbers, the Assigned Numbers or to skip that range and move on to the next one. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-rezceEmAAAU/T87waGv-msI/AAAAAAAAAHQ/UpXQE3trmU8/s1600/Lync_UnassignedScipt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="http://1.bp.blogspot.com/-rezceEmAAAU/T87waGv-msI/AAAAAAAAAHQ/UpXQE3trmU8/s640/Lync_UnassignedScipt.jpg" width="640" /></a></div>
<br />
<br />
Here is the complete code.<br />
<br />
<script src="https://gist.github.com/2880040.js">
</script>
<br />
Cheers,<br />
<span style="font-family: "Courier New",Courier,monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<br />
<br />TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com0tag:blogger.com,1999:blog-4026285436658116929.post-47794110793928474072012-06-01T19:29:00.001-07:002012-06-02T16:54:18.517-07:00Using Get-WinEvent and XML filters to query Event ViewerIn previous roles in IT support and network administration I quickly leaned the benefit of Windows Event Viewer. Fundamentally for me it served two purposes; a retrospective log where I would go and seek an answer to something that had just happened, or alternatively a proactive log where I could get a heads up on potential issues.<br />
<br />
Proactive is always good, right? The problem is there is only so much time in the day to spend scrolling through all of that noise. There needs to be a process of filtering and reporting, which allows you to get to important information efficiently. Now, there are a number of commercial programs around that manage this already, so if your scale and budget are so inclined it's a very valid solution. Event Subscriptions are also another method of collecting logs from dispersed machines. Combined them with tasks and you've got a nice little system for gathering and alerting.<br />
<br />
In this post however, I'm going to look at gathering event logs using powershell with the <span style="font-family: "Courier New",Courier,monospace;">get-winevent</span> cmdlet. More importantly, we're going to look at including an XML filter in your query to make the whole process much, much faster. Finally, I've added some code to export the logs to a CSV file or an email for reporting purposes.<br />
<br />
The example below is a mini project to collect print server job logs as it serves as a good example of the scenario above. By default the individual user job logs are not enabled. So the first thing we need to do is turn on <b>Print Services Operational</b> logging via <i>Event Viewer > Applications and Service Logs > Microsoft > Windows > Print Service > Operational > right click to Enable Log</i>.<br />
<br />
Hands up who loves the way you can doing something in a GUI and it produces the code for you in the background? Well, Windows Event Viewer has a neat way of doing GUI based filtering, which result in XML based queries that you can use in your coding.<br />
<br />
Open up event Viewer and create a basic filter on an EventID through <i>Actions > Filter Current Log.</i> Here's an example using EventID 307 (which is a successful print job).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-UnYM_BL49rM/T8lvZCsufII/AAAAAAAAAFo/JOo7PSXLvfg/s1600/FilterCurrentLog.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://1.bp.blogspot.com/-UnYM_BL49rM/T8lvZCsufII/AAAAAAAAAFo/JOo7PSXLvfg/s400/FilterCurrentLog.jpg" width="397" /></a></div>
<br />
<br />
If you then click on the XML tab at the top, you will see the XML query string that is being used. This is what we need to copy into the <span style="font-family: "Courier New",Courier,monospace;">get-winevent</span> cmdlet.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-bE2FXTmrWfc/T8lvauftphI/AAAAAAAAAFw/QWBhWXZ-NN4/s1600/FilterCurrentLogXML.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://2.bp.blogspot.com/-bE2FXTmrWfc/T8lvauftphI/AAAAAAAAAFw/QWBhWXZ-NN4/s400/FilterCurrentLogXML.jpg" width="397" /></a></div>
<br />
In your script, the string needs to simply be defined as a variable and enclosed with an apostrophe, for example:<br />
<script src="https://gist.github.com/2856224.js">
</script>
<br />
<br />
The second part of this process is working out what parameters are contained in the event, so you can define them as variables for manipulation in your script. So, going back to one of the events in the log simply click on the Details tab. Here you will see all of the parameters that can be retrieved in a Friendly View.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-sbxtvFjbKC0/T8lyiLVEepI/AAAAAAAAAF8/GjkdSg2KcVM/s1600/EventLogDetails.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="321" src="http://2.bp.blogspot.com/-sbxtvFjbKC0/T8lyiLVEepI/AAAAAAAAAF8/GjkdSg2KcVM/s400/EventLogDetails.jpg" width="400" /></a></div>
<br />
I've masked out some details in the above example,but you can easily see how it is laid out. The syntax for your script is also straight forward. Firstly a single line for the xml conversion, then simply call the parameters working through the levels of the xml tree. In this case <i>User Data > DocumentPrinted > Parameter.</i> For example:<br />
<br />
<script src="https://gist.github.com/2856232.js">
</script>
<br />
So, here is the complete code for this project, including writing the output to a CSV file and attaching it (or including it as the body), to an email<br />
<br />
<script src="https://gist.github.com/2856010.js">
</script>
<br />
Cheers,<br />
<span style="font-family: "Courier New",Courier,monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<br />
<br />TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com3tag:blogger.com,1999:blog-4026285436658116929.post-74783091060694890462012-05-27T21:22:00.002-07:002012-05-28T01:14:05.382-07:00Process List and KillIf you haven't used the awesome set of <a href="http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx" target="_blank">PsTools by Mark Russinovich</a>, stop reading this immediately and check them out. I'll wait.<br />
<br />
Two of my favourites are PsList and PsKill. The first lists running process information and the second kills a process (based on it's Process ID or PID). The really cool thing is that you can run the same commands against remote machines (assuming you have appropriate credentials).<br />
<br />
Combine the two in a user friendly script and you've got yourself an instant solution for identifying and stopping rogue processes. I've also added in some logging so you keep an eye on the history of troublesome machines.<br />
<br />
When you first launch the script it prompts you for the machine name (or IP address), that you want to investigate.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-ua4T6yCu0kw/T8L4zy8BlwI/AAAAAAAAAFM/VA8bgCGJQJc/s1600/BadPC01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="http://4.bp.blogspot.com/-ua4T6yCu0kw/T8L4zy8BlwI/AAAAAAAAAFM/VA8bgCGJQJc/s400/BadPC01.jpg" width="400" /></a></div>
<br />
This is then passed into a command line execution of PsList. There are a bunch of switches available, in this example I run the capture for 10 seconds with a refresh every 2 seconds. It's good to get a few refreshes in there, to avoid a false positive. The resulting text file opens up and displays all of the running process with details such as the Name, Process ID, CPU, Memory and Page Faults.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-m_knTQsYzA0/T8L50BkJMLI/AAAAAAAAAFU/8_uWH4UqDok/s1600/ProcessList.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="390" src="http://1.bp.blogspot.com/-m_knTQsYzA0/T8L50BkJMLI/AAAAAAAAAFU/8_uWH4UqDok/s640/ProcessList.jpg" width="640" /></a></div>
<br />
In the example above you can see WINWORD Process ID 9924 is consuming 48% of the CPU resources. The server in question has 2 vCPUs, so this is definitely a rogue process consuming an entire core. Checking the other captures confirms this process is not going anywhere.<br />
<br />
The next prompt confirms if you want to kill a process and if so asks for the PID. This gets passed into a command execution of PsKill. Bang! That's it, the process will be killed immediately.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Np4WzKV55Hs/T8L7sujXVOI/AAAAAAAAAFc/QdSXSvRHLOE/s1600/ProcessKill.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="http://4.bp.blogspot.com/-Np4WzKV55Hs/T8L7sujXVOI/AAAAAAAAAFc/QdSXSvRHLOE/s400/ProcessKill.jpg" width="400" /></a></div>
Here's the script. <br />
<br />
<script src="https://gist.github.com/2817116.js">
</script>
<br />
Cheers,<br />
<span style="font-family: "Courier New",Courier,monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<br />
<br />TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com0tag:blogger.com,1999:blog-4026285436658116929.post-4668047801197676602012-05-26T16:27:00.000-07:002012-05-26T16:27:10.490-07:00Server Inventory from Active DirectoryThis is a very short and sweet litle script that is great for pulling information about your servers (or workstations for that matter), from Active Directory.<br />
<br />
The example below returns a number of properties including Server Name, Description, IP address, OS Level, When Created and Last Logon. There are heaps of properties available, so experiment and find what you need.<br />
<br />
<script src="https://gist.github.com/2795543.js">
</script><br />
<br />
Cheers,<br />
<span style="font-family: "Courier New", Courier, monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span><br />
<div>
</div>
<span style="font-family: "Courier New", Courier, monospace;"></span>TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com0tag:blogger.com,1999:blog-4026285436658116929.post-71369473343619027152012-05-26T00:50:00.002-07:002012-05-27T21:32:53.156-07:00Network Printers AppOver the years I went through various iterations of methods for deploying network printers to user's computers. The day in day out stuff was pretty straight forward, but occasionally you have to setup a new user, they would move locations or perhaps I'd install a new print server and cut a whole office over. I had a bunch of scripts and used delivery techniques from manual installs, links in emails, group policy deployment and even startup scripts that made intelligent updates based on the current setup (have to admit I did like that one ;)<br />
<br />
Each time though, it was a new mini project. I want to build something that would be more centrally managed and dynamically update based on the setup of the print servers. So I built a network printer application as a centrally stored HTA (VBS and HTML), and put a shortcut on every ones desktop.<span lang="EN-AU"> </span><br />
<br />
<span lang="EN-AU">It was sold to the users with the following benefits and was very well received: </span><br />
<span lang="EN-AU">
</span><br />
<ul dir="ltr"><span lang="EN-AU">
<li><div align="LEFT">
<b>Find a Printer</b> (based on feature or location)</div>
</li>
<li><div align="LEFT">
<b>Lookup your Printer</b> <b>Status</b> (print queues, paper jams, low toner etc)</div>
</li>
<li><div align="LEFT">
<b>Install a new printer</b> (in 2 clicks!)</div>
</li>
<li><div align="LEFT">
<b>Speed up your PC</b> (remove old printers, or printers from another office)</div>
</li>
</span></ul>
<span lang="EN-AU">
<div align="LEFT" dir="LTR">
This is what the app looks like:</div>
<div align="LEFT">
</div>
<div align="LEFT" dir="LTR">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-OKRfcn-cUd4/T8B7VIjE6OI/AAAAAAAAAFA/C7gWhUGLdfM/s1600/PrinterApp2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://4.bp.blogspot.com/-OKRfcn-cUd4/T8B7VIjE6OI/AAAAAAAAAFA/C7gWhUGLdfM/s640/PrinterApp2.jpg" width="501" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
1. The <b>Print Server</b> area automatically selects the print server in the user's office. It also has several Feature checkboxes, and a Keyword search. So you can do a lookup for say a Colour printer in the Melbourne "Marketing" department</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
2. Depending on the print server selected above, a list of <b>Available Printers</b> appears (yes, we use movie star names - makes them easy to remember). Selectable check boxes only show next to any printers that match the filters used. Each name is also a hyperlink to that printer's web page to lookup status etc</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
3. This section shows the current <b>Default Printer</b> and allow it to be changed</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
4. The first <b>Option</b> here determines whether the printer is just added or if the drivers are reinstalled on the user's PC. The second option is a Clean Up trigger, which removes any other (network printers), that are not selected above.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
5. The Information area kicks everything along, open the user's 'Devices and Printers' or resets the form. It also shows relevant information on the current install status, whether there are any printers attached to a legacy print server (handy for migrations), whether there are any printers attached to a print server in another site (slow!) and finally whether any of the currently installed printers have any status issues.</div>
<br />
<div class="separator" style="clear: both; text-align: left;">
The script itself is a HTA, which is a self contained application built using a combination of VBS and HTML for the layout. Calls to the print servers are via a simple<span style="font-family: "Courier New",Courier,monospace;"> net view \\printserver </span>command line request, which is then parsed for relevant information. Of note here is the Comments section on each printer on the print server, as this is where the Feature and Keyword lookups refer to. Information on the local printers is sourced through WMI queries and actioned via VBS statements.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The example I have is for four sites and there is a fair bit of code around lookups of specific site information, loading the form and getting the checkboxes set correctly. As always tweak as needed in your environment.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<script src="https://gist.github.com/2792772.js">
</script>
</div>
<div class="separator" style="clear: both; text-align: left;">
Cheers,</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "Courier New",Courier,monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span></div>
<span style="font-family: "Courier New",Courier,monospace;">
</span></span>TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com4tag:blogger.com,1999:blog-4026285436658116929.post-39394680635405342362012-05-25T18:31:00.000-07:002012-05-25T18:41:40.695-07:00Departing User ScriptFollowing in the user management theme, this is a script that manages the workflow for a departing user.<br />
<br />
I found a need to standardise this process because it was all too easy to miss a step leaving an account open or email going unchecked. As always, mash it up to suit your environment.<br />
<br />
Like the earlier script, the info is loaded from a basic CSV file, with a focus on Active Directory, Exchange and Lync.<br />
<br />
Summary of steps:<br />
<ul>
<li>Import user info and yes/no triggers from a csv file</li>
<li>Move user Profile and Home directories to an archive share</li>
<li>Disable Enterprise Voice</li>
<ul>
<li>Removes Unified Messaging in Exchange</li>
<li>Removes user from Lync</li>
</ul>
<li>Manage email continuity</li>
<ul>
<li>Gives mailbox access to a nominated user and advises them via email</li>
<li>Adds an Out of Office auto reply, with redirection info to nominated user</li>
<li>Adds a calendar reminder to eventually disable the email address</li>
<li>Alternatively, can just disable email address immediately</li>
</ul>
<li>Archive Mailbox</li>
<ul>
<li>Removes user from Global Address Book</li>
<li>Moves the user's mailbox to an archive database</li>
</ul>
<li>Disable AD account</li>
<ul>
<li>Moves to an archive OU</li>
<li>Removes AD details (handy to clean org chart or free up IP phone number)</li>
<li>Removes from groups and distribution lists</li>
<li>Resets user's password</li>
</ul>
<li>Send a summary report and log file via email</li>
</ul>
<br />
<script src="https://gist.github.com/2791536.js">
</script>
<br />
Cheers,<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span>TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com0tag:blogger.com,1999:blog-4026285436658116929.post-3786069199308935342012-05-24T04:19:00.000-07:002012-05-24T04:52:47.418-07:00New User Creation ScriptThis powershell script is very handy for setting up new users in AD, Exchange and Lync.<br />
<br />
It's customised to my environment and has saved us a ton of time. I'm sure many will have different requirements, so add, pull out and modify the bits you need.<br />
<br />
If you're running RSAT from Windows 7, ensure to load the Active Directory module for Windows Powershell and have appropriate credentials.<br />
<br />
The CSV file needs to be created up front with the at least the appropriate header info. As the script runs, it will open the CSV file to add/modify the user(s) details. I get our HR department to provide all of the required info in a table format, so a quick copy/paste/save is all that is needed. Also ensure to use samAccount names in the user lookup fields (manager etc).<br />
<br />
Here is a summary of what it does:<br />
<ul>
<li>Imports new user(s) info from a csv file</li>
<li>Creates new user account and mailbox in Exchange</li>
<li>Enables for Unified Messaging</li>
<li>Add mailbox access to thier manager's mailbox</li>
<li>Populates all AD fields</li>
<li>Adds to security/distribution groups (uses another similar user to copy memberships from)</li>
<li>Creates user profile and home directories, with permissions and ownership</li>
<li>Adds user to Lync, and setups features such as enterprise voice, policies etc</li>
<li>Creates a summary report and a log file and emails it to admin, HR etc</li>
</ul>
<br />
<script src="https://gist.github.com/2780747.js">
</script>
<br />
Cheers<br />
<br />
<span style="font-family: "Courier New", Courier, monospace;"> (__)<br /> (oo) ok<br /> /------\/ /<br /> / | ||<br /> * /\---/\<br /> ^^ ^^</span>TheAgreeableCowhttp://www.blogger.com/profile/09812333020695130356noreply@blogger.com0