Friday, November 20, 2015

PoSh Disable and Move AD Users

A quick and easy way to disable user accounts and move them into designated OU:

  Import-Csv "C:\TEMP\users.csv" | ForEach-Object {
      $u = $_."sAMAccountName"; $l = "Disabling and moving: " + $u; Write-Output $l
      Get-ADUser -Identity $u |
      Disable-ADAccount -PassThru |
      Move-ADObject -TargetPath "OU=Disabled Users,OU=Organization,DC=domain,DC=local"
  }

Input is provided via a CSV file:

users.csv (a header row followed by one username per line):
  sAMAccountName
  jdoe1
  jdoe2
  jdoe3
  jdoe4
  jdoe5


To generate the input file, run something like this, then review and edit the result as necessary (the dashes must be plain ASCII hyphens, or PowerShell will not recognize the parameters):

  Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 180.00:00:00 |
      Where-Object {$_.Enabled} |
      Get-ADUser |
      Select-Object sAMAccountName |
      Export-Csv -Path "C:\TEMP\users.csv"
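The same sweep with the checks a practitioner would want before running it against production: target OU validated up front, privileged accounts skipped, every action logged with the original location, and -WhatIf/-Confirm support. This is an added example, not the post's script; the ActiveDirectory module, the CSV layout and the target OU are taken from the post, while the log path is an assumption.

```powershell
# Added example (not the post's script): the same disable-and-move sweep with a
# safety net. Assumes the ActiveDirectory module, the CSV layout and target OU
# from the post; the log path and the -WhatIf/-Confirm support are additions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath  = 'C:\TEMP\users.csv',
    [string]$TargetOU = 'OU=Disabled Users,OU=Organization,DC=domain,DC=local',
    [string]$LogPath  = 'C:\TEMP\disable-move.log'
)
Import-Module ActiveDirectory -ErrorAction Stop

# Fail before touching anything if the destination OU does not exist; otherwise a
# typo here leaves accounts disabled in place with nothing recording why.
try { $null = Get-ADOrganizationalUnit -Identity $TargetOU -ErrorAction Stop }
catch { throw "Target OU not found: $TargetOU" }

$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0 -or -not ($rows[0].PSObject.Properties.Name -contains 'sAMAccountName')) {
    throw "CSV is empty or has no sAMAccountName column: $CsvPath"
}

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $LogPath -Append
}

foreach ($row in $rows) {
    $sam = ($row.sAMAccountName).Trim()
    if (-not $sam) { continue }                     # skip blank rows
    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -Properties adminCount
    if (-not $user) { Write-Log "NOTFOUND $sam"; continue }

    # adminCount=1 marks accounts in protected groups (Domain Admins etc.); a stale-
    # account sweep should never be the thing that moves those. Leave them for review.
    if ($user.adminCount -eq 1) { Write-Log "SKIPPED-PRIVILEGED $sam $($user.DistinguishedName)"; continue }

    $oldDn = $user.DistinguishedName
    if ($PSCmdlet.ShouldProcess($oldDn, "Disable and move to $TargetOU")) {
        # Record the original location so the move can be reversed later.
        Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format yyyy-MM-dd); was in $oldDn"
        Disable-ADAccount -Identity $user
        Move-ADObject -Identity $user -TargetPath $TargetOU
        Write-Log "DISABLED+MOVED $sam from $oldDn"
    }
}
```

Run the script with -WhatIf first to see what it would do, then without it.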

WordPress displays weird characters

Sometimes after a database conversion (e.g. from MySQL to MariaDB), or because of an encoding mismatch, WordPress starts showing garbled characters. A quick way of remedying the situation is to examine the pages to discover the pattern (which characters are being substituted; in the example below the apostrophe was replaced by â€™) and then run UPDATE queries against the database to reverse the effect. Here is a quick example against the tables that commonly store content (take a database backup first; each REPLACE takes the column, the garbled string, and the replacement):

  UPDATE wp_posts SET post_content = REPLACE(post_content, 'Â', '');
  UPDATE wp_posts SET post_content = REPLACE(post_content, '’', "'");
  UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'Â', '');
  UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, '’', "'");

Please keep in mind that to permanently resolve the issue you need to get to the root of the problem, which may mean adjusting the encoding, running a database conversion, or installing a sanitizing plugin.

    Thursday, November 5, 2015

    Skype for Business and VTC Interoperability

    Skype for Business (SfB) has very strong potential; I have written about it in my previous post. I can't think of any other platform that shows as much promise in terms of bridging personal and business communications as well as unifying different modes and mediums. And all of this may have started with the strategic acquisition of Skype by Microsoft in 2011.

    That said, the road ahead is not without challenges, interoperability with other platforms being one example. Making SfB work with existing Video TeleConferencing (VTC) systems, many of which represent significant capital investments in organizations' infrastructure, could be of particular importance.

    After reading statements like "Skype for Business is based on Session Initiation Protocol (SIP) standards" and "supports H.264 (the MPEG-4 video coding standard)", one can quickly conclude that integration and/or interoperability with other VTC solutions is easy or nearly automatic. Unfortunately, the industry is not quite there yet, and there are a few obstacles to overcome. The following is not a guide, but a few notes on potential challenges and prospective solutions:

    • Both H.323 and SIP are industry standards and represent different approaches to voice and video signaling over IP networks; H.323 was originally established by the International Telecommunication Union (ITU), while SIP is the work of the Internet Engineering Task Force (IETF). More details are available here
    • SfB is based on SIP, but it also extends the standard in ways that require a gateway to handle the translation of Microsoft SIP to other standards-based signaling protocols which support video, like H.323 or SIP. There are also potential issues with media codecs and transport protocols. Signaling and media gateways are used to resolve compatibility issues. More details are available here
    • Skype for Business Server 2015 (on-premises) now provides for the integration with certain third-party VTC system solutions via a new server role called Video Interop Server (VIS). However, the interoperability is limited, both in terms of the types of devices as well as functionality. More details are available here
    • The following solutions seem very interesting - 
    • Cisco TelePresence Video Communication Servers (VCS-C/Control and VCS-E/Expressway) are popular solutions that support interoperability and large scale VTC. More details are available here

    Skype for Business

    Skype for Business (SfB), formerly known as Lync, has been steadily gaining in popularity. Partly, because of the robust set of features that has been implemented over the last few releases making the product truly Enterprise ready; partly, due to the rapid proliferation of Office 365, which includes SfB's cloud counterpart. With SfB and/or Skype client software available on a wide variety of hardware platforms (personal computers, tablets, mobile devices) and across multiple operating systems (Windows, Linux, iOS, Android) a possibility of establishing a ubiquitous multi-media communications platform seems firmly within reach. And best of all, when using SfB Online, without the need to invest into an expensive infrastructure. But wait, there's more! The cloud delivers on the promises of more innovation and continuous development cycle - Skype Meeting Broadcast, PSTN Conferencing, Cloud PBX with PSTN Calling are just a few examples. Read more at -

    Thursday, October 15, 2015

    Office 365 Service Trust Portal

    "To help with your assessment needs, we are announcing Office 365 Service Trust Portal (STP). STP is a service feature in Office 365 designed to provide deeper information on how Microsoft manages security, compliance and privacy." - for more information visit Office Blogs

    Service Trust Portal - https://trustportal.office.com/

    Friday, July 31, 2015

    Sample DS Command

    PowerShell is all the hype these days, and rightfully so: you can do just about anything with it. But call me old-fashioned, I still like to use the ds commands every now and then; they are quick and dirty. Here are a few samples that query AD to get some basic counts and other information:

    # Get a count of enabled and disabled user accounts in the domain
    dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " no"
    dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " yes"

    # Get a count of enabled and disabled computer accounts in the domain
    dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " no"
    dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " yes"

    # Get a count of enabled, but inactive (at least 24 weeks) user and computer accounts in the domain
    dsquery user -inactive 24 -limit 0 domainroot | dsget user -dn -disabled | find /c /i " no"
    dsquery computer -inactive 24 -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " no"

    # Get a count of security and distribution groups in the domain
    dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find /c /i " no"
    dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find /c /i " yes"

    # Get a count of Organizational Units (OU) and subnets
    dsquery ou -limit 0 | dsget ou -dn | find /c /i "DC=GOV"
    dsquery subnet | dsget subnet -dn | find /c /i "Sites"

    # List disabled user and computer accounts in the domain (output to text file)
    dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /i " yes" > disabled-computers.txt
    dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /i " yes" > disabled-users.txt

    # List enabled, but inactive (at least 24 weeks) user and computer accounts in the domain (output to text file)
    dsquery user -inactive 24 -limit 0 domainroot | dsget user -dn -disabled | find /i " no" > inactive-users.txt
    dsquery computer -inactive 24 -limit 0 domainroot | dsget computer -dn -disabled | find /i " no" > inactive-computers.txt

    # List security groups, OUs, and subnets (output to text file)
    dsquery ou -limit 0 | dsget ou -dn | find /i "DC=GOV" > OUs.txt
    dsquery subnet | dsget subnet -dn | find /i "Sites" > subnets.txt
    dsquery group -uc -limit 0 domainroot | dsget group -uc -dn -secgrp | find " yes" > groups.txt

    Querying Active Directory to find recently created accounts (WhenCreated is in generalized time format, YYYYMMDDHHMMSS.0Z; note the outer parentheses that LDAP filter syntax requires around the & expression):
    dsquery * domainroot -filter "(&(objectClass=Computer)(objectCategory=Computer)(WhenCreated>=20150226000000.0Z))" -Limit 0
    dsquery * domainroot -filter "(&(objectClass=User)(objectCategory=Person)(WhenCreated>=20150226000000.0Z))" -Limit 0
    dsquery * domainroot -filter "(&(objectClass=Group)(objectCategory=Group)(WhenCreated>=20150226000000.0Z))" -Limit 0
    dsquery * domainroot -filter "(&(objectClass=organizationalUnit)(objectCategory=Organizational-Unit)(WhenCreated>=20150226000000.0Z))" -Limit 0


    Querying AD user and group objects to find ones without sidHistory (the output lists every object with its sidHistory value, so the ones with an empty value are the ones without it):
    dsquery * domainroot -filter "(&(objectClass=User)(objectCategory=Person))" -attr distinguishedname sidhistory -Limit 0 > users-sidhistory.txt
    dsquery * domainroot -filter "(&(objectClass=Group)(objectCategory=Group))" -attr distinguishedname sidhistory -Limit 0 > groups-sidhistory.txt



    Querying AD user objects to find ones with/without the HSPD-PID attribute set (the LDAP negation is written as (!(attribute=*))):
    dsquery * domainroot -filter "(&(objectClass=User)(objectCategory=Person)(!(HSPD-PID=*)))" -Limit 0 > without-PIV.txt
    dsquery * domainroot -filter "(&(objectClass=User)(objectCategory=Person)(HSPD-PID=*))" -Limit 0 > with-PIV.txt
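The three audits above (recently created objects, sidHistory, HSPD-PID) redone with the ActiveDirectory module, as an added example that is not part of the post; results come back as objects that can be exported and compared from one run to the next instead of grepped. The cut-off date and the HSPD-PID attribute name are taken from the post; the output paths are assumptions.

```powershell
# Added example (not the post's own commands): the dsquery audits above redone with
# the ActiveDirectory module. The cut-off date and the HSPD-PID attribute name come
# from the post; the output paths under C:\TEMP are assumptions.
Import-Module ActiveDirectory -ErrorAction Stop
$root = (Get-ADDomain).DistinguishedName

# 1. Recently created objects. whenCreated is generalized time, hence the .0Z suffix.
$since = '20150226000000.0Z'
$kinds = [ordered]@{
    Users     = '(&(objectClass=user)(objectCategory=person))'
    Computers = '(&(objectClass=computer)(objectCategory=computer))'
    Groups    = '(&(objectClass=group)(objectCategory=group))'
    OUs       = '(objectClass=organizationalUnit)'
}
foreach ($k in $kinds.Keys) {
    $filter = "(&$($kinds[$k])(whenCreated>=$since))"
    $hits = @(Get-ADObject -SearchBase $root -LDAPFilter $filter -Properties whenCreated)
    "{0,-10} created since {1}: {2}" -f $k, $since, $hits.Count
    $hits | Sort-Object whenCreated | Select-Object whenCreated, DistinguishedName |
        Export-Csv -NoTypeInformation -Path "C:\TEMP\new-$k.csv"
}

# 2. sIDHistory on users and groups. Relevant after an ADMT migration, and worth
#    reviewing on its own: a populated sIDHistory grants whatever the old SID could reach.
$ug = '(|(&(objectClass=user)(objectCategory=person))(objectClass=group))'
$withSid    = @(Get-ADObject -SearchBase $root -LDAPFilter "(&${ug}(sIDHistory=*))" -Properties sIDHistory)
$withoutSid = @(Get-ADObject -SearchBase $root -LDAPFilter "(&${ug}(!(sIDHistory=*)))")
"sIDHistory present: {0}, absent: {1}" -f $withSid.Count, $withoutSid.Count
$withSid | Select-Object DistinguishedName, @{n='sIDHistory'; e={ $_.sIDHistory -join ';' }} |
    Export-Csv -NoTypeInformation -Path 'C:\TEMP\sidhistory.csv'

# 3. User accounts with and without the HSPD-PID (PIV) attribute.
$users = '(&(objectClass=user)(objectCategory=person))'
$withPiv    = @(Get-ADObject -SearchBase $root -LDAPFilter "(&${users}(HSPD-PID=*))")
$withoutPiv = @(Get-ADObject -SearchBase $root -LDAPFilter "(&${users}(!(HSPD-PID=*)))")
"HSPD-PID set: {0}, not set: {1}" -f $withPiv.Count, $withoutPiv.Count
$withoutPiv | Select-Object DistinguishedName | Export-Csv -NoTypeInformation -Path 'C:\TEMP\without-PIV.csv'
```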

    GPO and WMI Filters

    WMI filters and GPOs are powerful when used in combination (though evaluating WMI filters may slow down policy processing). Just a few quick examples:

    For settings that may need to be applied to workstations, but not to servers, one could go with something like this:

    WMI queries for workstations vs. servers

    SELECT * FROM Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3")     - workstations (anything that is not a server)
    SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"     - workstations

    ProductType 1 = Desktop OS
    ProductType 2 = Server OS – Domain Controller
    ProductType 3 = Server OS – Not a Domain Controller


    For things like a BitLocker policy that needs to be applied to laptops only, one could go with something like this:

    WMI queries for laptops vs. desktops
    SELECT * FROM Win32_Battery WHERE (BatteryStatus <> 0)     - presence of a battery indicates a laptop
    SELECT * FROM Win32_PhysicalMemory WHERE (FormFactor = 12)     - SODIMM memory indicates a laptop

    If you want a quick test for certain WMI values on a computer, use the WMI command-line tool (wmic):
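Another way to test the filters, added here as an example that is not part of the post: evaluate each WQL query from the post with Get-CimInstance and report whether the filter would apply to a given computer before the GPO is linked. The queries are copied from the post; the helper name and the optional remote-computer parameter are assumptions.

```powershell
# Added example (not part of the post): run the GPO WMI filter queries above locally
# (or against a remote computer) and show which ones would apply. A WMI filter
# applies when its query returns at least one instance.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Query,
        [string]$ComputerName = ''          # empty = local machine, no WinRM needed
    )
    $cim = @{ Query = $Query; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }
    $rows = @(Get-CimInstance @cim)
    [pscustomobject]@{
        Computer = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        Filter   = $Name
        Applies  = $rows.Count -gt 0
        Matches  = $rows.Count
    }
}

# The queries from the post, keyed by what each one is meant to select.
$filters = [ordered]@{
    'Workstation (ProductType not 2/3)' = 'SELECT * FROM Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3")'
    'Workstation (ProductType = 1)'     = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"'
    'Laptop (battery present)'          = 'SELECT * FROM Win32_Battery WHERE (BatteryStatus <> 0)'
    'Laptop (SODIMM memory)'            = 'SELECT * FROM Win32_PhysicalMemory WHERE (FormFactor = 12)'
}
$results = foreach ($f in $filters.Keys) { Test-WmiFilter -Name $f -Query $filters[$f] }
$results | Format-Table -AutoSize

# Also show the raw values the filters key on, so a surprising result can be explained
# (for example a desktop with a USB UPS reporting a battery, or a small server with SODIMMs).
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, ProductType
Get-CimInstance Win32_PhysicalMemory  | Select-Object Tag, FormFactor
```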



    Here are some helpful links - 


    Wednesday, June 10, 2015

    PowerShell SQL Snapins


    Ran into an issue with the SQL snapins not registering in PowerShell (x86) (needed to run ADMT-related scripts). The following resolved the issue.

    Start PowerShell (x86) (important: run as Administrator) and execute the following sequence:
    cd "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn"
    $framework=$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())
    Set-Alias installutil "$($framework)installutil.exe"

    installutil Microsoft.SqlServer.Management.PSSnapins.dll
    installutil Microsoft.SqlServer.Management.PSProvider.dll

    Add-PSSnapin SqlServerCmdletSnapin100
    Add-PSSnapin SqlServerProviderSnapin100



    To verify that snapins registered correctly examine the output of the following command:
    get-pssnapin -registered
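The same registration steps wrapped in checks for the two things that make them fail quietly, running from a 64-bit process and running without elevation, added here as an example that is not from the post. The Binn path, DLL names and snapin names are the ones in the post; the function name is an assumption.

```powershell
# Added example (not from the post): register and load the SQL snapins only after
# verifying process bitness and elevation. Paths and snapin names are from the
# post; the function name is an assumption.
function Register-SqlSnapins {
    param([string]$BinnPath = 'C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn')

    # The snapins under the x86 Binn folder are 32-bit: they must be registered and
    # loaded from a 32-bit PowerShell, not the default 64-bit one.
    if ([Environment]::Is64BitProcess) {
        throw 'This is a 64-bit process; run it from PowerShell (x86).'
    }
    # installutil writes the registration to the registry, so it needs elevation.
    $id      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
                   [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run PowerShell (x86) as Administrator.' }

    # Use the installutil that belongs to the runtime this process is running on.
    $framework   = [Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()
    $installUtil = Join-Path $framework 'installutil.exe'

    $snapins = @{
        SqlServerCmdletSnapin100   = 'Microsoft.SqlServer.Management.PSSnapins.dll'
        SqlServerProviderSnapin100 = 'Microsoft.SqlServer.Management.PSProvider.dll'
    }
    foreach ($name in $snapins.Keys) {
        $dll = Join-Path $BinnPath $snapins[$name]
        if (-not (Test-Path $dll)) { throw "Missing $dll" }
        # Register only if the snapin is not already known to PowerShell.
        if (-not (Get-PSSnapin -Registered -Name $name -ErrorAction SilentlyContinue)) {
            & $installUtil $dll | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "installutil failed for $dll (exit $LASTEXITCODE)" }
        }
        # Load it into this session if it is not loaded yet.
        if (-not (Get-PSSnapin -Name $name -ErrorAction SilentlyContinue)) {
            Add-PSSnapin $name
        }
    }
    # Return what is registered, the same check the post suggests doing by hand.
    Get-PSSnapin -Registered | Where-Object { $snapins.ContainsKey($_.Name) }
}
Register-SqlSnapins
```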