|
Okay, I'm still at regular OS level of learning stuff with powershell, but I just got tossed a task because I'm the only one who knows any PS in the office. I need the accounts of people in our AD's VPN group, but also a bunch of information on those accounts. I've got code:
|
# ? Mar 30, 2017 17:47 |
|
I also have zero experience with the AD cmdlets. Is the information you need available from Get-ADUser? If so you can probably pipe the Get-ADGroupMember results into either Get-ADUser directly, or into a ForEach-Object with a scriptblock that grabs what you need.
|
# ? Mar 30, 2017 18:10 |
|
thebigcow posted: I also have zero experience with the AD cmdlets. Is the information you need available from Get-ADUser? If so you can probably pipe the Get-ADGroupMember results into either Get-ADUser directly, or into a ForEach-Object with a scriptblock that grabs what you need.

Thanks! That gets me a hell of a lot closer than I was, and now I just need to mess with the properties part. For some reason in my head I thought all the info should still be in the groupmember results instead of in user.
|
# ? Mar 30, 2017 18:18 |
Yes, Get-ADGroupMember returns you sparsely populated generic AD objects, since groups can contain just about any kind of object as member. If you know only users are members of the group, you can safely pass the result of that straight into Get-ADUser to get all the details, optionally passing -Properties to Get-ADUser to get more than the default property set. For example: code:
|
|
# ? Mar 30, 2017 18:18 |
|
thebigcow posted: I also have zero experience with the AD cmdlets. Is the information you need available from Get-ADUser? If so you can probably pipe the Get-ADGroupMember results into either Get-ADUser directly, or into a ForEach-Object with a scriptblock that grabs what you need.

Piping works. Ex: code:
|
# ? Mar 30, 2017 18:22 |
|
Avenging_Mikon posted: Okay, I'm still at regular OS level of learning stuff with powershell, but I just got tossed a task because I'm the only one who knows any PS in the office. I need the accounts of people in our AD's VPN group, but also a bunch of information on those accounts.

code:
code:
code:
code:
|
# ? Mar 30, 2017 18:36 |
|
I piped to get-aduser and did the -properties * because it's for an audit and gently caress auditors (mostly not really). Hilariously it generates a 2MB xls file for the first group. If they come back annoyed, then I'll actually put effort in to get just the properties they wanted. What I really should have done is also find a way to make the command run against all 9 groups at once instead of modifying the script for each vpn group. I guess that will be my next lesson.
|
# ? Mar 30, 2017 20:11 |
|
Avenging_Mikon posted: I piped to get-aduser and did the -properties * because it's for an audit and gently caress auditors (mostly not really). Hilariously it generates a 2MB xls file for the first group. If they come back annoyed, then I'll actually put effort in to get just the properties they wanted. What I really should have done is also find a way to make the command run against all 9 groups at once instead of modifying the script for each vpn group. I guess that will be my next lesson.

Create a list of the groups, then ForEach through it.
|
# ? Mar 30, 2017 20:56 |
|
Avenging_Mikon posted: I piped to get-aduser and did the -properties * because it's for an audit and gently caress auditors (mostly not really). Hilariously it generates a 2MB xls file for the first group. If they come back annoyed, then I'll actually put effort in to get just the properties they wanted. What I really should have done is also find a way to make the command run against all 9 groups at once instead of modifying the script for each vpn group. I guess that will be my next lesson.

code:
code:
Collateral Damage fucked around with this message at 10:09 on Mar 31, 2017 |
# ? Mar 31, 2017 10:05 |
|
Geez, that looks baller. Is the recursive actually necessary if each group doesn't have groups within it, though? Just 9 groups all separate? I thought that was only if it was nested groups.
|
# ? Mar 31, 2017 19:57 |
|
Avenging_Mikon posted:Geez, that looks baller. Is the recursive actually necessary if each group doesn't have groups within it, though? Just 9 groups all separate? I thought that was only if it was nested groups.
|
# ? Mar 31, 2017 20:16 |
|
No, it's not strictly needed unless you have nested groups, but unless you explicitly don't want to traverse nested groups it's good practice to use it anyway.
|
# ? Mar 31, 2017 20:17 |
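An added example, not code from any poster in this thread: one way to run the audit export against several groups in one pass, using the recursion and de-duplication discussed above. The group names, the property list and the output path are assumptions.

```powershell
Import-Module ActiveDirectory

# Hypothetical group names; replace with the real VPN groups.
$groups = 'VPN-Staff', 'VPN-Contractors', 'VPN-Vendors'

# Only the properties the audit needs, instead of -Properties *.
$props = 'Enabled', 'LastLogonDate', 'PasswordLastSet',
         'PasswordNeverExpires', 'Description', 'EmailAddress'

# Keyed on DistinguishedName so a user in several groups is exported once,
# while every group that grants them access is still recorded.
$seen = @{}

foreach ($group in $groups) {
    # -Recursive flattens nested groups; it changes nothing when there are none.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        $dn = $member.DistinguishedName
        if ($seen.ContainsKey($dn)) {
            $seen[$dn].Groups += ";$group"
            continue
        }
        # Get-ADGroupMember returns sparse objects; fetch the details here.
        $user = Get-ADUser -Identity $dn -Properties $props
        $seen[$dn] = [pscustomobject]@{
            SamAccountName       = $user.SamAccountName
            Name                 = $user.Name
            Enabled              = $user.Enabled
            LastLogonDate        = $user.LastLogonDate
            PasswordLastSet      = $user.PasswordLastSet
            PasswordNeverExpires = $user.PasswordNeverExpires
            Description          = $user.Description
            EmailAddress         = $user.EmailAddress
            Groups               = $group
        }
    }
}

$seen.Values | Sort-Object SamAccountName |
    Export-Csv -Path .\vpn-audit.csv -NoTypeInformation
```

The Groups column shows an auditor which accounts reach the VPN through more than one group, which a plain de-duplicated list hides.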
|
anthonypants posted: It's the same reason they did a Select-Object -Unique to get rid of users who are in multiple selected groups,

whoops, didn't even notice that part. Well, I'm taking what I've learned and am now making a script to disable AD accounts and update their description with the date they were disabled. I've got everything set except I've forgotten how to pipe a file in to anything. And apparently get-file isn't recognized in the Active Directory Module. I'd really like to be able to point this at a file of user names and just have it go nuts, and then only need to change the file each time.
|
# ? Mar 31, 2017 21:42 |
|
Get-Content will get the contents of a file. Unless you want to actually manipulate a file, like rename it or something, in which case you'd use Get-Item.
|
# ? Mar 31, 2017 21:45 |
Avenging_Mikon posted: whoops, didn't even notice that part. Well, I'm taking what I've learned and am now making a script to disable AD accounts and update their description with the date they were disabled.

Plain text: Get-Content -Path "c:\some\file.txt" -Encoding UTF8
CSV: Import-Csv -Path "C:\some\file.csv" -Header @("UserName","FirstName","LastName","Email")
|
|
# ? Mar 31, 2017 21:48 |
|
Avenging_Mikon posted: whoops, didn't even notice that part. Well, I'm taking what I've learned and am now making a script to disable AD accounts and update their description with the date they were disabled.

As mentioned above, Get-Content will do this; structure the text file as one username per line: code:
code:
code:
|
# ? Apr 1, 2017 06:05 |
|
Use -WhatIf on the set and disable commands for a dry run
|
# ? Apr 1, 2017 06:11 |
|
Collateral Damage posted: Use -WhatIf on the set and disable commands for a dry run

The status gets passed along automatically, so in some cases you don't even have to write code to have your own stuff work like this. Example: code:
If you can't directly rely on it being implicit (certain workflows wouldn't work well that way) then use $PSCmdlet.ShouldProcess() in an if block. For example if your code uses loops or expensive/long-running Get- calls (which pretty much never support -WhatIf since they don't change anything), you might want to avoid those when changes won't be made anyway. Also for patterns where you create something, then act on it. A call can still fail with -WhatIf if the object in question doesn't exist (because a previous call to create it never actually created it). code:
|
# ? Apr 3, 2017 17:44 |
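An added example, not code from the posts above: a bulk-disable function that reads one username per line with Get-Content and gates both changes behind a single $PSCmdlet.ShouldProcess() call, so -WhatIf gives a dry run without skipping the read-only lookups. The function name, the input file name and the description format are assumptions.

```powershell
function Disable-UserFromList {
    # ConfirmImpact High makes the function prompt per account unless -Confirm:$false is given.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # text file, one SamAccountName per line
    )

    $stamp = 'Disabled {0:yyyy-MM-dd}' -f (Get-Date)

    # Drop blank lines and stray whitespace from the input file.
    $names = Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($name in $names) {
        try {
            # Read-only lookup, so it runs even under -WhatIf and catches typos early.
            $user = Get-ADUser -Identity $name -Properties Description -ErrorAction Stop
        }
        catch {
            Write-Warning "Lookup failed for '$name': $($_.Exception.Message)"
            continue
        }

        if (-not $user.Enabled) {
            Write-Verbose "$name is already disabled; leaving it untouched."
            continue
        }

        # Keep any existing description after the date stamp.
        $desc = if ($user.Description) { "$stamp; $($user.Description)" } else { $stamp }

        # One explicit gate for both changes; returns $false under -WhatIf.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account and stamp description')) {
            Disable-ADAccount -Identity $user -Confirm:$false
            Set-ADUser -Identity $user -Description $desc -Confirm:$false
        }
    }
}

# Dry run first, then the real change:
# Disable-UserFromList -Path .\leavers.txt -WhatIf
# Disable-UserFromList -Path .\leavers.txt
```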
|
Going to SANS Orlando Sunday through Friday for Securing Powershell. Didn't expect the approval, it was a throw away request, so this should be fun.
|
# ? Apr 4, 2017 18:48 |
|
NYC folks, come check out Techstravaganza on Fri, Apr 28. I'll be there, lots of PowerShell MVPs and hopefully some good talks (not just PowerShell stuff). Only costs so probably not getting reimbursed at work but hopefully they'll give you the day to go.
|
# ? Apr 7, 2017 17:15 |
|
I wrote a script! Inspired by a script someone else posted that inventories PCs by subnet, I wrote my own take on it that uses AD information instead. My first real script more than a few dozen lines, and definitely made for a great learning experience.

Link

It works by taking a list of all computers from Active Directory, then filtering out all non-desktop OSes. It then iterates through the list, running a bunch of WMI queries on every computer and kludging the results together into one big array, which is then saved to a .csv on disk. The bit that I'm particularly happy with is now it can save a master .csv and compare new results with it, overwriting old information or failed queries with more up to date results.

In the future I plan to improve it by having it query more potentially useful information from PCs, figure out how to autorun it daily from one of our servers, and run the queries as jobs so that it doesn't take two hours to scan everything.
|
# ? Apr 7, 2017 17:33 |
|
Eschatos posted: I wrote a script! Inspired by a script someone else posted that inventories PCs by subnet, I wrote my own take on it that uses AD information instead. My first real script more than a few dozen lines, and definitely made for a great learning experience.

There's a ton of overhead with powershell when using jobs in my experience, if you want it to run more quickly you probably really don't want to do it as each machine is a job. You can do your own testing, but the best way is probably to split up all the machines between a few jobs and run it that way. Runspaces may be a little better but I haven't played around with them too much, it gets complex pretty fast.
|
# ? Apr 8, 2017 00:53 |
|
Eschatos posted: I wrote a script! Inspired by a script someone else posted that inventories PCs by subnet, I wrote my own take on it that uses AD information instead. My first real script more than a few dozen lines, and definitely made for a great learning experience.

To expand on what PBS has said, each PS job is spawned in a separate powershell.exe process which consumes 30-50MB of memory. You can very quickly consume all available memory on a system which will cause the calling PS instance to throw an exception. If you have a task which involves executing commands against a large number of remote systems and you want to run it in parallel then it is better to use remoting to run the commands on the remote systems themselves. If you do want to run the jobs locally then you'll have to implement a throttling routine which backs-off on spawning jobs until execution concurrency is below a certain threshold.
|
# ? Apr 8, 2017 11:19 |
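An added example, not taken from Eschatos's script or any post here: the two suggestions above combined, with machines split into chunks so each job amortises its startup cost, and a back-off loop that caps how many job processes run at once. The computer names, chunk size, job limit and the single Win32_OperatingSystem query are assumptions; Get-CimInstance needs WinRM reachable on the targets.

```powershell
# Constructed input; in practice this is the filtered list from Active Directory.
$computers = 1..40 | ForEach-Object { 'PC{0:D3}' -f $_ }   # hypothetical names
$chunkSize = 10   # machines handled by each job
$maxJobs   = 4    # concurrent job processes, each a separate powershell.exe

$query = {
    param([string[]]$Names)
    foreach ($n in $Names) {
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $n -ErrorAction Stop
            [pscustomobject]@{ Computer = $n; OS = $os.Caption; LastBoot = $os.LastBootUpTime; Error = $null }
        }
        catch {
            # Record the failure so a later run can retry just these machines.
            [pscustomobject]@{ Computer = $n; OS = $null; LastBoot = $null; Error = $_.Exception.Message }
        }
    }
}

$jobs = @()
for ($i = 0; $i -lt $computers.Count; $i += $chunkSize) {
    # Throttle: wait until fewer than $maxJobs of our jobs are still running.
    while (@($jobs | Where-Object State -eq 'Running').Count -ge $maxJobs) {
        Start-Sleep -Milliseconds 500
    }
    $end = [Math]::Min($i + $chunkSize, $computers.Count) - 1
    # The leading comma passes the chunk as one array argument.
    $jobs += Start-Job -ScriptBlock $query -ArgumentList (, $computers[$i..$end])
}

$results = $jobs | Wait-Job | Receive-Job |
    Select-Object Computer, OS, LastBoot, Error
$jobs | Remove-Job
$results | Export-Csv -Path .\inventory.csv -NoTypeInformation
```

Timing this with Measure-Command at a few chunk sizes is the benchmarking the thread recommends before settling on values.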
|
cheese-cube posted: To expand on what PBS has said, each PS job is spawned in a separate powershell.exe process which consumes 30-50MB of memory. You can very quickly consume all available memory on a system which will cause the calling PS instance to throw an exception.

I was actually ignoring resource usage since I assume someone would implement throttling anyway. (No one would try to query 200 machines at once right?) The real issue is how long it takes to start up, run, and close the job. If you do a single job per machine you're likely looking at at least 2x the amount of time to run as if you didn't use jobs. Again I could be wrong, so try it out on your own, just don't be surprised if it's slower than anticipated.
|
# ? Apr 8, 2017 13:35 |
|
Your assumptions are naive and I think you should rethink things and aim towards scalability if you want your script to be anything other than a pet project.
|
# ? Apr 8, 2017 14:05 |
|
cheese-cube posted: Your assumptions are naive and I think you should rethink things and aim towards scalability if you want your script to be anything other than a pet project.

Not my script? Unsure what comment you're gooning about specifically. I'm not saying don't use jobs or parallelization, but jobs generally should not be used to spin up individual quick tasks. Most WMI queries will take less than 1s to run and return a result. I imagine you'd have to run quite a few jobs at once to outweigh the startup costs for a powershell job. He would need to do his own benchmarking to figure out if he can realistically run enough at once to outweigh those costs. Executing the command on the remote machine (assuming WinRM is setup) would offload resources at the likely cost of a slight increase in total time to receive a result.
PBS fucked around with this message at 15:01 on Apr 8, 2017 |
# ? Apr 8, 2017 14:34 |
|
Please vote on this uservoice issue to fix glaring inconsistencies and bugs in the DnsServer module's handling of -Verbose, -WhatIf, and -ErrorAction.
|
# ? Apr 13, 2017 02:00 |
|
Eschatos posted: I wrote a script! Inspired by a script someone else posted that inventories PCs by subnet, I wrote my own take on it that uses AD information instead. My first real script more than a few dozen lines, and definitely made for a great learning experience.

Here's my take at something similar if you want to steal anything: https://pastebin.com/YbPbacf8
|
# ? Apr 18, 2017 20:10 |
|
For anyone else who is trying to use DNS Policies and adhere to least privilege, behold: disappointment.
|
# ? Apr 24, 2017 18:12 |
|
I have a few scripts that I run from the right click menu because they have to be used by non-technical people if I'm out. Current execution policy is RemoteSigned. A recent Windows update installed PowerShell 5.1 and now I get a prompt after running these scripts: code:
|
# ? Apr 24, 2017 22:30 |
|
If you Unblock-File on the scripts does that resolve the issue? My first guess would be that after the update the scripts are now seen as coming from a remote source, thus won't run with a policy of RemoteSigned? e: Possibly dumb question, but have you checked you're not actually calling Set-ExecutionPolicy in your scripts somewhere?
|
# ? Apr 25, 2017 00:49 |
|
Tried Unblocking. Scripts aren't calling the execution policy anywhere. No matter what I select at the prompt it still runs the script. Just weird.
|
# ? Apr 25, 2017 16:38 |
|
Is your script calling another script?
|
# ? Apr 25, 2017 16:41 |
|
Briantist posted: NYC folks, come check out Techstravaganza on Fri, Apr 28.

Reminder!
|
# ? Apr 25, 2017 21:53 |
|
Briantist posted: Reminder!

Not sure if you saw, but Snover is going to be at a Powershell User Group in NYC in June.
|
# ? Apr 25, 2017 22:07 |
|
skipdogg posted:Not sure if you saw, but Snover is going to be at a Powershell User Group in NYC in June.
|
# ? Apr 25, 2017 22:24 |
|
Hopefully a quick one...I have an array of strings, which are machine names in our environment that can't be live migrated (all *euvb* are video bridges for example). I want to get the entire list of hosts in a hyper-v cluster, then iterate through and see if any of the VMs on the hypervisor match the list of strings. If they do match a string in the array, I don't want to echo the hostname of the hypervisor. If none of the VMs match on a host, it should echo the hostname of the hypervisor back Struggling with the logic a little bit - I'm comfortable with VMM but I don't know how I'd iterate against the list and say "if any of VMs these match any string in the array, do something." Untested code WIP below code:
Roargasm fucked around with this message at 17:12 on Apr 27, 2017 |
# ? Apr 27, 2017 16:48 |
|
Roargasm posted: Hopefully a quick one...I have an array of strings, which are machine names in our environment that can't be live migrated (all *euvb* are video bridges for example). I want to get the entire list of hosts in a hyper-v cluster, then iterate through and see if any of the VMs on the hypervisor match the list of strings. If they do match a string in the array, I don't want to echo the hostname of the hypervisor. If none of the VMs match on a host, it should echo the hostname of the hypervisor back

code:
anthonypants fucked around with this message at 17:23 on Apr 27, 2017 |
# ? Apr 27, 2017 17:13 |
|
yeah my only real problem right now is this logic:
code:
$nodeVMs | % {
    if ($noLiveMigrateVM -match "$_.Name") {
        $canPatchHypervisor = 0
        break
    }
}
I can't find a comparison operator that will return true. Tried $noLiveMigrateVM -contains $_.Name, etc. Always seems to return false
|
# ? Apr 27, 2017 17:22 |
|
Roargasm posted: yeah my only real problem right now is this logic:

Why is $_.Name surrounded by "'s? edit: quick test seems to indicate that it doesn't matter, still looks weird.
The Fool fucked around with this message at 17:30 on Apr 27, 2017 |
# ? Apr 27, 2017 17:27 |
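An added example, not code from the thread: one way to do the comparison Roargasm describes. With the array on the left, -match and -contains test the pattern strings themselves, and inside double quotes only `$_` is expanded while `.Name` stays literal text, so the check has to be turned around: VM name on the left, each wildcard pattern on the right with -like. The patterns other than *euvb*, the host and VM names, and the function names are constructed stand-ins for the VMM output.

```powershell
# Assumed wildcard patterns for VMs that cannot be live migrated.
$noLiveMigrateVM = '*euvb*', '*sqlfci*'

# Constructed stand-in for the cluster: each host with the VMs it runs.
$hosts = @(
    [pscustomobject]@{ Name = 'HV01'; VMs = 'web01', 'app02' }
    [pscustomobject]@{ Name = 'HV02'; VMs = 'web03', 'lon-euvb-01' }
    [pscustomobject]@{ Name = 'HV03'; VMs = @() }
)

function Test-Pinned {
    # True when the VM name matches any of the wildcard patterns.
    param([string]$VMName, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ($VMName -like $p) { return $true }
    }
    return $false
}

function Get-PatchableHost {
    # Emits the names of hosts that run no pinned VM.
    param($Hosts, [string[]]$Patterns)
    foreach ($h in $Hosts) {
        $pinned = @($h.VMs | Where-Object { Test-Pinned -VMName $_ -Patterns $Patterns })
        if ($pinned.Count -eq 0) { $h.Name }
    }
}

Get-PatchableHost -Hosts $hosts -Patterns $noLiveMigrateVM
```

Using a function with foreach and return also avoids `break` inside a ForEach-Object script block, which is not a loop and stops more than the current pipeline step.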