Friday, March 12, 2010

PowerShell Resources – Free and Otherwise

Haven’t had much time to work on our group policy module lately; I’ve been pretty busy getting my co-workers’ collective feet wet in PowerShell.  In the process I’ve been trying to find as many quality resources as I can to help them help themselves.  Since I don’t have much to share on the csb.grouppolicy module front, here are the resources that I can remember (haha) and use all the time:

Wednesday, February 24, 2010

Snippets for Comment Based Help and Advanced Function Parameters in Powershell v2

Been working quite a bit on the module for group policy, and almost have something I feel is worth sharing.  In the meantime, if you have a script editor that supports the concept of “snippets”, or saved re-usable bits of script code, you might find this little bit useful.  I’ve had a hard time remembering the syntax and all the options for some of the new cool stuff we can use in scripts and functions in Powershell v2, so I saved these little bits after scouring the output of Get-Help for comment based help and advanced functions for (hopefully) the last time, haha.

Thursday, February 11, 2010

Using Powershell to search XML GPO Reports – Part II – Software Installation

In Part I of our series in querying group policy reports, we learned how to:
  • Turn the XML output from Get-GPOReport into a System.XML.XMLDocument object
  • Build a System.XML.XMLNamespaceManager from the information in the XMLDocument object
  • Use XPath with the namespace manager and document to extract information from the report, including the Extension elements.
We left off with the Get-CGPOReportExtensionData filter, and some questions about its output.  This week we’ll look at the output from the filter, and then use that output in another filter to transform the XML report information into an object with the details of a Software Installation extension that can easily be worked with using Powershell’s standard comparison operators and formatting cmdlets.
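The three steps from Part I carried through on a constructed, abridged report, as an added example (this is not code from the csb.grouppolicy module): the Software Installation namespace URL, the MsiApplication/Name/Path element names and the deploy01 share are assumptions, and the report text is made up for the example.

```powershell
# Constructed sample shaped like an abridged Get-GPOReport -ReportType Xml result (assumption);
# the element names inside the Software Installation extension are assumed, not verified.
$reportXml = @'
<GPO xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Workstation Software</Name>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Software"
                 xsi:type="q1:SoftwareInstallationSettings">
        <q1:MsiApplication>
          <q1:Name>7-Zip 9.20</q1:Name>
          <q1:Path>\\deploy01\packages\7z920.msi</q1:Path>
        </q1:MsiApplication>
        <q1:MsiApplication>
          <q1:Name>Helper Tool</q1:Name>
          <q1:Path>\\ws-share\public\helper.msi</q1:Path>
        </q1:MsiApplication>
      </Extension>
      <Name>Software Installation</Name>
    </ExtensionData>
  </Computer>
</GPO>
'@
# 1. Turn the XML text into a System.Xml.XmlDocument.
[xml]$report = $reportXml
# 2. Build a namespace manager. The report's default namespace has no prefix, and XPath
#    cannot address elements in a default namespace, so give it one ('gp') here.
$ns = New-Object System.Xml.XmlNamespaceManager($report.NameTable)
$ns.AddNamespace('gp', 'http://www.microsoft.com/GroupPolicy/Settings')
$ns.AddNamespace('sw', 'http://www.microsoft.com/GroupPolicy/Settings/Software')
# 3. Use XPath to select the Extension elements that carry MSI packages and turn each
#    package into a plain object that the standard cmdlets can compare and format.
$gpoName = $report.SelectSingleNode('/gp:GPO/gp:Name', $ns).InnerText
$packages = foreach ($ext in $report.SelectNodes('//gp:Extension[sw:MsiApplication]', $ns)) {
    foreach ($app in $ext.SelectNodes('sw:MsiApplication', $ns)) {
        New-Object PSObject -Property @{
            GPO  = $gpoName
            Name = $app.SelectSingleNode('sw:Name', $ns).InnerText
            Path = $app.SelectSingleNode('sw:Path', $ns).InnerText
        }
    }
}
# Audit: every package source should live on the approved deployment share (assumed name);
# anything else is a package clients will install from a location you may not control.
$packages | Where-Object { $_.Path -notlike '\\deploy01\*' } | Format-Table GPO, Name, Path -AutoSize
```

With the sample above only the "Helper Tool" package is listed, because its source share is not the approved one.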

Monday, February 1, 2010

Get the users that have logged on to a computer

Here’s a multi-line adaptation of a quick one-liner I threw together the other day.  I might have to turn this into a function and add it to my profile if I get asked this question too many more times.  To answer “Who used computer x between these dates?” we can use:

# Pull the Security log entries for the date window from the target computer, keep only
# Logon/Logoff events, and drop the built-in service identities so only real users remain.
Get-EventLog -Before '01/26/2010' -After '01/25/2010' -ComputerName computername -LogName Security |
    Where-Object {
        ($_.UserName -notmatch '^NT AUTHORITY\\(SYSTEM|NETWORK SERVICE|LOCAL SERVICE|ANONYMOUS LOGON)$') -and
        ($_.Category -eq 'Logon/Logoff')
    } |
    Select-Object TimeGenerated, UserName, Category, Message | Sort-Object TimeGenerated | Format-Table -AutoSize

Hope that can save some of you a little time :)
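The one-liner above turned into the kind of advanced function with comment-based help that the snippets post describes, as an added example that is not the author's own function: the function name Get-ComputerLogonActivity and its parameter names are mine, and the filter is the same one the post uses.

```powershell
function Get-ComputerLogonActivity
{
    <#
    .SYNOPSIS
        Lists the users who logged on to or off a computer between two dates.
    .DESCRIPTION
        Wraps the Security event log query from the post in an advanced function with
        comment-based help. Built-in service identities (SYSTEM, NETWORK SERVICE,
        LOCAL SERVICE, ANONYMOUS LOGON) are filtered out, as in the one-liner.
    .PARAMETER ComputerName
        One or more computers to query; reading a remote Security log needs admin rights.
    .PARAMETER After
        Only return events generated after this date/time.
    .PARAMETER Before
        Only return events generated before this date/time.
    .EXAMPLE
        Get-ComputerLogonActivity -ComputerName ws01 -After '01/25/2010' -Before '01/26/2010'
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true)]
        [string[]]$ComputerName,
        [Parameter(Mandatory=$true)]
        [datetime]$After,
        [Parameter(Mandatory=$true)]
        [datetime]$Before
    )
    process
    {
        foreach ($computer in $ComputerName)
        {
            # Same filter as the one-liner, with the computer name added so results
            # from several machines can be piped together and still told apart.
            Get-EventLog -LogName Security -ComputerName $computer -After $After -Before $Before |
                Where-Object {
                    ($_.Category -eq 'Logon/Logoff') -and
                    ($_.UserName -notmatch '^NT AUTHORITY\\(SYSTEM|NETWORK SERVICE|LOCAL SERVICE|ANONYMOUS LOGON)$')
                } |
                Select-Object @{Name='ComputerName'; Expression={$computer}},
                              TimeGenerated, UserName, Category, Message |
                Sort-Object TimeGenerated
        }
    }
}
```

Because the function emits objects rather than formatted text, the caller decides how to present them, for example by piping to Format-Table -AutoSize or Export-Csv.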

BackTrack 4 Final Now Available

I’m a little behind the curve here, as the final build was posted on the 11th of January.  Oh well.  For the security conscious administrator, the BackTrack suite makes a great tool.  If you don’t know what it is, or haven’t taken the time to at least check it out, cut some time out to do so soon.  It will open your eyes a bit, I promise :)

The final build, available in either .ISO or VMware forms, can be downloaded from http://www.backtrack-linux.org/downloads/

If you can, use the torrent links.  Your download will most likely be much faster.

Friday, January 29, 2010

Using PowerShell to search Group Policy XML Reports

I was going to write about creating, editing, and saving XML files using the System.XML objects today but discovered it had been covered quite well already after a quick Google search.  So instead we’ll jump ahead a little bit and use PowerShell & .NET’s XML capabilities to dive into the GPO Reports that can be generated using Get-GPOReport from the grouppolicy module.

This will be the first in a small series of posts that should end up with us having a module capable of searching for any group policy setting that is recorded in the XML reports.  That’s the goal, but I’m posting as I get things 90% complete so hopefully all this proves useful and you’ll be willing to bear with me.

Friday, January 8, 2010

Quickly Discover Domain Joined Computers Available via Ping

Occasionally, well…often, I need to run a series of commands or queries against a set of computers on our network.  Sometimes it doesn’t really matter to me to hit 100% of that set.  For instance, the other day I wanted to know roughly how many computers had login script timeout warnings in the event log for the past week.
In the past I had done something like:
  1. Get the list of computers I need to run against from Active Directory or a csv file.
  2. For each computer, attempt to ping it and if it responds run ye’ commands.
That works quickly enough when there are only 10-20 computers, but when we’re talking a scale of 500-1000+ computers it doesn’t scale so well.  Using Powershell, PSCX, Quest’s AD cmdlets, and the following code I can get the list of all domain joined computers currently available on our network in roughly 30 seconds:
# Pull enabled computer accounts from the chosen OU whose lastLogonTimestamp is within
# the last 30 days (bit 0x2 of userAccountControl is ACCOUNTDISABLE).
$adComputers = Get-QADComputer -SearchRoot 'domain.com/OU/OU' `
   -SizeLimit 0 `
   -IncludedProperties lastlogontimestamp | Where-Object `
   {
      (($_.useraccountcontrol -band 0x2) -eq 0) `
      -and ($_.lastlogontimestamp -ne $null) `
      -and (($_.lastlogontimestamp).adddays(30) -gt (Get-Date))
   }
$compNames = $adComputers | % { $_.name }
# PSCX Ping-Host (alias ping): two echo requests per host, sent asynchronously so the
# whole list is probed in parallel instead of one computer at a time.
$pingResults = ping $compNames -Count 2 -Quiet `
               -AllAddresses -Asynchronous -ErrorAction silentlycontinue
# Index the AD objects by name so each ping result can be mapped back to its object.
$compDict = @{}
foreach ($comp in $adComputers)
{
   $compDict.add($comp.name,$comp)
}
# Keep only the computers that answered both echo requests.
$upComps = @()
foreach ($result in $pingResults)
{
   if ($result.received -gt 1)
   {
      # Strip the DNS suffix so the name matches the AD object's name used as the key.
      $cName = $result.hostname -replace "\.domain\.com"
      if ($compDict.ContainsKey($cName)) { $upComps += $compDict[$cName] }
   }
}
Replace the ‘domain.com/OU/OU’ with the searchroot for the workstation groups you’re after, as well as the “\.domain\.com” with the correct information for your domain and $upComps will contain a collection of QADComputer objects that responded to pings.
From there we can use PSRemoting or tools like psexec.exe with the –d switch to (relatively) quickly run a set of commands against our computers that are up and running!
Many thanks to Lee Holmes for the script that creates the above code block on the clipboard for pasting from any script, truly awesome.