When writing PowerShell scripts for use in our Active Directory environment, I noticed that I use the same variables and information in every script. That’s all fine, but when something changes I had to update each and every script seperately. And you always forget to update 1 or 2 scripts which is annoying.
At one of my previous employers, they developed something they refered to as a provisioning script. This script not only contained these variables and information, but also a lot of commonly used functions. Among others, this script contained functions to create new user accounts and service accounts. Other scripts, outside of the provisioning script, could then ‘import’ the provisioning script using a technique called dot sourcing and be able to use the variables declared in the provisioning script as well as the functions from the provisioning script.
So when information changes, I only have to update 1 location.
Create Active Directory administration OU
At my company, the IT department consists of several teams like Microsoft, Network, Storage, Linux and VMware. To administer our environment we do not use our regular accounts (duh… 🙂 ), but instead use what we call admin accounts. Over the years, the security structure used to assign permissions to these admin accounts became poluted. Groups nested in groups nested in other groups, different group membership for team members, etc. As a result, we failed a security audit and I was tasked with cleaning this mess up using a role based access control (RBAC) like structure to achieve a transparent method of assigning permissions.
Continue reading Create Active Directory administration OUActive Directory user and computer account report
In this post, I will share with you a script I use to run a report on a number of special accounts in my environment. It reports on admin accounts, service accounts and computer accounts. It will collect information like the name of the account, enabled or disabled, last logon date, account expiration date, password expiration date, is the password expired, is Password Never Expires ticked, employeeIF (if used), location, etc. The collection information will be saved in a .html file and also sent by email.
To use the script, the variables below need to be set:
Monitor AD user account changes
At my company, the system administrators have separate admin accounts to administer our server infrastructure. These admin accounts are often highly privileged and powerful accounts. Therefore, I would like to receive an e-mail notification when a user account is added to or removed from a group (in my previous post I shared with you a script to monitor just that), but added to that I also would like to receive a notification when for example the Password Never Expires option is ticked. Other scenarios may include notification when an admin account is created or deleted. Or when the password of an admin account has been changed. And I would like to know who has made these changes and when. As and added benefit, you can also claim to any auditor that you have a log of all changed made to your admin accounts by simply saving the e-mails.
Continue reading Monitor AD user account changesMonitor AD group changes
Ever wanted to monitor group changes in AD? This is a script I came up with to do just that. It will collect the security log events from the last hour on all your domain controllers.
In order to use this script, just create a new scheduled task on a machine with the Active Directory module for Windows PowerShell installed and run this script every hour (or whatever you changed $time to). !! Note that the scheduled task needs to be run with an account which has domain admin privileges to be able to read from the security logs of all your domain controllers !!>
Inventory VMware virtual machines
For reporting purposes, I maintain an Excel sheet containing information on my server base. I update this sheet on a weekly basis. Part of the information displayed in this sheet comes from a PowerShell script I have created to extract the required data from our vCenters.
This script pulls the following information for every VM running the vCenter environment: VM Name, Hardware version, VMware tools status, guest OS, number of vCPU’s, amount of assigned RAM, the host the VM runs on, the cluster the VM is assigned to, the folder it lives in, the power status, number of NICs, the NIC types and the vCenter it runs on (in case you have more than 1).
Continue reading Inventory VMware virtual machines
Fix Windows Update error code 0x80244022, 0x8024401C and 0x80072EE2
WSUS is a great product from Microsoft to keep your servers up to date. In the past years, I have often used it at the companies I worked for. But it has it downsides as well. Sometimes the Windows Update client just won’t work. You’ll get errors like 0x80244022, 0x8024401C and 0x80072EE2 and just haven’t got a clue what is going on.
I have collected a number of solutions to fix these errors and put them in a PowerShell script. This script contains all the tricks I had to pull to get the Windows Update client running again.
Continue reading Fix Windows Update error code 0x80244022, 0x8024401C and 0x80072EE2