Category: PowerShell

How to protect all existing Organizational Units (OUs) in your Active Directory domain from Accidental Deletion by using PowerShell

John Leave a comment

We recently took on a new hire, although I was confident in their ability in managing Active Directory I wanted to take an extra step in protecting Organizational units from deletion.  I was sure that I could do this quickly using PowerShell instead of right-clicking each of our 80 odd OUs and going into their properties.

To do this we need to open the Active Directory Module for Windows PowerShell as an administrator.  Since I began in my System Admin role, I was creating OUs that were protected, so I only really needed to do this to the ones that were already here.  So first we need to work out what OUs are not protected from this list using PowerShell I can easily pipe it into the command we need to issue to protect the OUs

The first command below will output a list of all OUs currently not protected.

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | 
where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft

This command does the above but also sets the ProtectedFromAccidtenalDeletion to True.

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | 
where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit 
-ProtectedFromAccidentalDeletion $true

Once this command is issued, all the Organizational Units in our Active Directory have become protected and should help prevent you from getting into those sticky situations where someone (could be you) from deleting one by mistake.

Remove all disabled user from an Active Directory Group with Power Shell using Quest Active Roles AD Management

John Leave a comment

The following code snippet which I ran through PowerShell ISE (learn how to get it on Windows Server) will remove all disabled users from a particular group.  Useful for the end of year / start of year clean up in a school environment.

You will need the ActiveRoles Management Shell for Active Directory, available by clicking here which were made by Quest Software, now DELL.

Add-PSSnapin Quest.ActiveRoles.ADManagement

Get-QADGroup -SearchRoot "" | Foreach-Object {
     $group = $_
     Get-QADGroupMember -Identity $group -Disabled -Type User | Foreach-Object{
         Write-Host "Removing '$($_.Name)' from group '$group'" -Foreground Green
         Remove-QADGroupMember -Identity $group -Member $_ 
     }
 }

Swap out with a distinguished name of the group you want to remove disabled users from.  Once you execute it, it will run through the group and remove any user objects that are disabled.

Getting Folder Sizes and number of items in a Mailbox for a particular user on Microsoft Exchange using PowerShell

John Leave a comment

Recently one of our high-end users was going over their mailbox limit. In helping them to cut down I like to let them know what folders are using up the most of their quota (generally it is their sent items folder, but sometimes not). Executing the below PowerShell command in an Exchange Administration Shell gave me a nice ordered list (see output below) of folders in their mailbox along with an associated size and number of items.

Get-MailboxFolderStatistics -Identity <username> | Sort-Object FolderSize 
-Descending | FT folderpath, foldersize, ItemsinFolder -autosize

After executing the above PowerShell you’ll get an output similar to the below

FolderPath                    FolderSize                  ItemsInFolder
----------                    ----------                  -------------
/Inbox                        32.89 MB (34,486,717 bytes)           158
/Carbon Copies                16.9 MB (17,725,567 bytes)            168
/Sent Items                   685.3 KB (701,797 bytes)               14
/Deleted Items                554.4 KB (567,723 bytes)              189
/Calendar                     27.6 KB (28,267 bytes)                  7
/Contacts                     1.492 KB (1,528 bytes)                  4
/Drafts                       138 B (138 bytes)                       1
/Sync Issues/Local Failures   0 B (0 bytes)                           0
/Sync Issues/Conflicts        0 B (0 bytes)                           0
/Sync Issues                  0 B (0 bytes)                           0
/Sync Issues/Server Failures  0 B (0 bytes)                           0

From this I can could then give to the user so they could clear out their mailbox. Hope that helps someone out.

An error occurred while attempting to start the selected virtual machine(s) The security ID structure is invalid (0x80070539)

John Leave a comment

So I was recently working with some really old Virtual machines in a development environment that came across from another organisation. One particular virtual machine gave me an error message when I tried to start it up “An error occurred while attempting to start the selected virtual machine(s)… The security ID structure is invalid (0x80070539)”.  When this happens, Hyper-V basically doesn’t have permission to start the selected virtual machines under the user.  A quick administrative PowerShell cmdlet will grant me or a user permission and allow us to start the VM up;

Grant-VMConnectAccess -VMName "Name of VM not starting" -UserName 
"DOMAIN\Username of current user"

Changing -VMName to match the virtual machine giving you the error and a DOMAIN\Username of the user you are now logged on as.

Once you issue this command the virtual machine will start without any issues.

Generate Mailbox Size and Usage Report using PowerShell for Exchange 2010 / 2013

John 1 Comment

So I recently wanted to create a report to show us who was using up the most space on our mailbox servers, previous administrators had either done away for limits for mailboxes or had set them to be very very generous and our users weren’t really the ones to either keep their mailbox tidy or archive items away.

I knew the quick and easy solution would be powershell and then getting the output to either a CSV file or HTML.  So a bit of a look around TechNet for Get-MailboxStatistics got me the commands I needed, but what else could I select out of that.  After a bit more digging I found a list on MSDN for MailboxStatistics members which allowed me to extract exactly what I was after.  After putting all that together, I cam up with the following

Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics | Select DisplayName,
TotalItemSize,ItemCount,Database,LastLogonTime,LastLoggedOnUserAccount | Sort 
TotalItemSize -Descending | ConvertTo-Html -Title "Mailbox Stats"| 
Out-file "C:\MailboxStatistics.html"

That gave me a nice HTML page output, you could easily improve on this with colours depending on outputs from StorageLimitStatus or LastLogonTime where we found that some mailboxes hadn’t even been used.

Allowing anonymous relay on Exchange 2007/2010 on connectors for programs to send via SMTP using your Mail servers and how to secure it for internal use only.

John Leave a comment

I was recently helping out a colleague at another school as they were having difficulty in a specialised application sending e-mails to external addresses.  After a bit of investigating we found that the send connector configured for internet e-mail wasn’t allowing anonymous connections to it (which is dangerous) but since this particular application didn’t allow us to specify authentication details we were forced to enable anonymous relay for this connector.

I will first show you the PowerShell command that we used to grant the anonymous permissions for the connector that you specify:

Get-ReceiveConnector “Default SBSSERVER” |
Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON”
-ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”

Now the above is really one command getting piped into another, so first of all we are specifying a particular receive connector, in this case Default SBSSERVER (change this to reflect the connector you want to modify).  We are then simply giving rights to anonymous logons (anyone) telling exchange to accept any recipient.

Now as for securing this connector, I would strongly suggest creating a separate one for this particular application (for example Sales App Connector).  We then add incoming IP restrictions, by editing the properties of the receive connector and adding entries to Receive mail from remote servers that have these IP addresses using either specific IP addresses or IP ranges in CIDR notation (so 10.1.0.0/16).

And there you have it, allowing anonymous connections / relay for internal applications to use.

Installing the PowerShell ISE (Integrated Scripting Environment) on Windows Server 2008 R2

John 1 Comment

I was recently looking at modifying our SharePoint warm-up script as we had found out that it wasn’t working as it should be.  So I went to fire up the small but useful PowerShell ISE and found that it wasn’t available.  So there are two ways to go about getting it installed.

First off is running the Windows Add Feature under Server Manager.  You will find the Windows PowerShell ISE and be able to tick and install the feature.  The other method which is quite easy is to use PowerShell.

First off we need to import the ServerManager module into PowerShell and then we can go ahead and add the ISE feature.  The following snippet will do it all for you via PowerShell.

Import-Module ServerManager
Add-Windowsfeature PowerShell-ISE

And that is all you have to do to get the wonderful PowerShell ISE going under Windows Server. Hope that helps.

Applying inherit rights (inheritable) for permissions to a large number of Active Directory objects

John 1 Comment

I was recently involved in a project to help secure a School’s Active Directory environment.  After sitting down and planning what we wanted to achieve in terms of account security we went to work.  After setting up all of the IT based security groups and assigning and delegating the appropriate rights and permissions we found that somethings wern’t working as they should.  The permissions gave us the rights to do what we needed on the Student user objects but not on the staff.  After taking a quick look we found that the majority of Staff didn’t have their inherit permissions from parent ticked, which prevented the delegation from flowing through to these user objects.

Looking at PowerShell there are Get-ADUser and Set-ADUser which allow us to get and set certain properties on user objects but still didn’t allow us to set inherit rights on objects.  I then happened to stumble upon a management pack of PowerShell scripts from Quest Software which are available from this link. The pack contains some useful scripts which extend on the original Microsoft provided scripts.  The pack also contains a PowerShell cmdlet dealing specifically with Object Security which is what we are after. So I went ahead and downloaded the 64 bit version to one of the domain controllers (after testing it out myself) and worked out we needed to filter for users who didn’t have the inherit permissions enable. The following is a snippet which will list all of the users in your AD environment with inherit permissions disabled (watch the word wrap):

Get-QADUser -SizeLimit 0 |
Where-Object {$_.DirectoryEntry.psbase.ObjectSecurity.AreAccessRulesProtected}

If you are after a particular Organizational Unit simply replace -SizeLimit 0 with -SearchRoot ‘Distinguished name of OU’.

Now we are able to find the users, but what about setting the inherit right.  Using the ObjectSecurity cmdlet we can now set the Inheritance flag. So the following is the complete command to run on l (again, watch the word wrap):

get-QADUser -SearchRoot 'Distinguished Name of OU' |
Where-Object {$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected} |
Set-QADObjectSecurity -UnLockInheritance

After running that cmdlet on the offending User Objects, we were then able to successfully do what the security groups allowed us to do. I still need to go back and check out what else the pack from Quest can do as I looked quite interesting so I will be sure to blog about my findings.

Exchange Management Console not setting Permissions for Receive Connectors, fixing 5.7.1 Client was not authenticated issues with inbound e-mails

John Leave a comment

I was recently helping out on a migration from Exchange 2003 to Exchange 2010. The organisation was moving from two servers, a front end and back end server to four with two Mailbox servers running in a DAG (Database Availability Group) configuration and two Client Access Servers in an array and along with Hub Transport roles on the two CAS Servers.  They had been running their Exchange 2003 server for a while with routing connectors setup so the 2003 machine was handling all of the external mail and it had finally come time to decommission the old server and tell the firewall to push e-mail to the two new Hub Transport servers.

By default, Exchange 2010 sets up two connectors, one Client SERVERNAME and Default SERVERNAME with the default connector handling your external e-mail. For external servers to connect to the connector we need to enable anonymous authentication for the connector. So we went ahead, opened up the connector and ensured the Anonymous was ticked, clicked apply for good measure and then Ok. After using telnet to remotely connect to the e-mail server (via 3G) we recieved a Client not autenticated message after giving it the mail from command. So it was clear to me that the EMC (Exchange Management Console) wasn’t saving the authentication settings. So we resorted to powershell to configure the connector. I opened up the Exchange Management Shell and issued the following command

Get-ReceiveConnector -identity "Default SERVERNAME" | list

The list contained everything that was ticked bar the Anonymous that we had just enabled. So we decided to run a Set command to update the permissions list for the Default connector. I issued the following command with SERVERNAME being the name of the Exchange Server hosting the connector

Set-ReceiveConnector "Default SERVERNAME" -PermissionGroups:
"ExchangeUsers, ExchangeServers, ExchangeLegacyServers, AnonymousUsers"

We then ran the Get command again and the Anonymous entry was listed. So after a few minutes we used 3G and telnet to connect back into the e-mail server and after getting passed the mail from command we were relieved that the issued was resolved and that the servers could now accept incomming external e-mail. Microsoft have a good article up on Tech Net regarding Exchange 2010 and the Receive connectors (as well as the defaults Exchange setup creates) at the following article Understanding Receive Connectors.

Note that you won’t recieve this issue if your transport server is an Edge transport server as Exchange setup automatically configures the connectors for external connections.

Thoroughly cleaning up a WSUS server

John 3 Comments

I was recently tasked with performing a clean-up of some of our servers, removing old files/software installations as well as a clean-up of our WSUS server.  After a quick look I could see that our previous administrator had set it to download Driver updates as well, which was taking up quite a large amount of space and something that we wern’t really looking at using (no driver updates were approved).

So I ran the WSUS clean-up wizard, which removed some old computers, but the driver updates remained. I wanted them gone.  So I quickly made sure that driver updates category wasn’t selected and ran the following PowerShell script on the WSUS machine.

[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | out-null
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();
$cleanupScope = new-object Microsoft.UpdateServices.Administration.CleanupScope;
$cleanupScope.DeclineSupersededUpdates = $true
$cleanupScope.DeclineExpiredUpdates         = $true
$cleanupScope.CleanupObsoleteUpdates     = $true
$cleanupScope.CompressUpdates                  = $true
#$cleanupScope.CleanupObsoleteComputers = $true
$cleanupScope.CleanupUnneededContentFiles = $true
$cleanupManager = $wsus.GetCleanupManager();
$cleanupManager.PerformCleanup($cleanupScope);

This script took about an hour to run but worked like a charm. It basically cleaned up the whole WSUS database, removing old computers, obsolete and unneeded updates (including the drivers I no longer wanted) as well as removing the associated update files which cleaned up a lot of space. The script above is modified so as not to remove computers from the database but that can be simply uncommented and included in the script.

Let me know in the comments if you found this useful.