September 20, 2015

Get-MsolGroupMember - Office 365 Group Membership (Extended)

This PowerShell script extends the functionality of the Get-MsolGroupMember cmdlet from the Windows Azure Active Directory Module.
 
It adds GroupDisplayName, GroupEmail and GroupType to the output for every group member, so you can build a customized Office 365 group membership report and export the data to a CSV file.
 
Included properties: GroupDisplayName, GroupEmail, GroupType, MemberDisplayName, MemberEmail, MemberType
 
The Windows Azure Active Directory Module for PowerShell should be installed. The connection to Azure AD should be initialized before running the script (Connect-MsolService).

Some use cases:
# Display in table Office 365 Group membership report
.\Get-MsolGroupMember.ps1 | ft -Wrap
# Show the groups that user@contoso.com is a member of and export the results to a CSV file
.\Get-MsolGroupMember.ps1 | where {$_.MemberEmail -eq "user@contoso.com"} | export-csv file.csv
# Show only security groups
.\Get-MsolGroupMember.ps1 | where {$_.GroupType -eq "Security"} | ft -Wrap
 

September 14, 2015

Get-ADComputerServiceAccounts - AD Computer Service Accounts Report

This PowerShell script searches Active Directory domain-joined computers and servers, gets information about their services and provides a report about service accounts. It shows services that are run by any Active Directory account or by any local account.

The report includes the System Name, the Name of the Service, the service account that runs the service, the StartMode and the actual service State.
At the end of the script you will see a Script Summary. Script results can be exported to a CSV file with the -File parameter.

# Check all AD servers:
Get-ADComputerServiceAccounts.ps1


# Export results to CSV file:
Get-ADComputerServiceAccounts.ps1 -File Report.csv


# Check specific OU:
Get-ADComputerServiceAccounts.ps1 -OU "OU=MyOUname,DC=contoso,DC=com"


# Check specific OU and export data to Report.csv:
Get-ADComputerServiceAccounts.ps1 -OU "OU=MyOUname,DC=contoso,DC=com" -File Report.csv


# Get service accounts for one server/workstation and export results to CSV file:
Get-ADComputerServiceAccounts.ps1 -ComputerName Server1 -File Report.csv


Script can be downloaded from TechNet here
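
The filtering step behind a report like this, as an added example (not the code of the TechNet script): it takes Win32_Service records and keeps only services whose logon account is a local or domain user account, which are the credentials worth reviewing. The helper name Select-ServiceAccount, the AccountType column and the sample rows are constructed for illustration.

```powershell
# Added example; not the code of Get-ADComputerServiceAccounts.ps1.
function Select-ServiceAccount {
    # Hypothetical helper: keeps services that log on as a local or domain user account.
    param([Parameter(ValueFromPipeline = $true)] $Service)
    process {
        $account = $Service.StartName
        if ([string]::IsNullOrEmpty($account)) { return }   # no logon account recorded
        # Skip the built-in identities (these comparisons are case-insensitive).
        if ($account -eq 'LocalSystem') { return }
        if ($account -like 'NT AUTHORITY\*' -or $account -like 'NT SERVICE\*') { return }
        # ".\user" and "<computer>\user" are local accounts;
        # "DOMAIN\user" or a UPN is treated as a domain account.
        $prefix = ($account -split '\\')[0]
        $type = if ($prefix -eq '.' -or $prefix -eq $Service.SystemName) { 'Local' } else { 'Domain' }
        New-Object PSObject -Property @{
            SystemName  = $Service.SystemName
            Name        = $Service.Name
            StartName   = $account
            AccountType = $type
            StartMode   = $Service.StartMode
            State       = $Service.State
        }
    }
}

# Constructed sample rows with the Win32_Service property names used above.
$sample = @'
SystemName,Name,StartName,StartMode,State
SRV01,Spooler,LocalSystem,Auto,Running
SRV01,MSSQLSERVER,CONTOSO\svc-sql,Auto,Running
SRV01,BackupAgent,.\backup,Auto,Stopped
SRV02,W32Time,NT AUTHORITY\LocalService,Manual,Running
SRV02,ReportJob,svc-report@contoso.com,Disabled,Stopped
SRV02,LegacyApp,SRV02\appuser,Auto,Running
'@ | ConvertFrom-Csv

$sample | Select-ServiceAccount |
    Format-Table SystemName, Name, StartName, AccountType, StartMode, State -AutoSize

# Live use against one host (assumes remote CIM access and sufficient rights):
# Get-CimInstance -ClassName Win32_Service -ComputerName Server1 | Select-ServiceAccount
```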

September 8, 2015

Get-ADComputerNetConfig - Server Network Configuration Report

This PowerShell script provides a network configuration report for Active Directory domain-joined servers and workstations.
It contains the server name (DNSHostName), network interface description (Description), IP Address, MAC Address, default gateway and DNS server configuration.
The script searches Active Directory computers (it skips disabled objects) and queries their network configuration.

Script usage scenarios:
# Searches all active directory servers/workstations and gets network information.
Get-ADComputerNetConfig

# Searches all servers and exports data to Report.csv file.
Get-ADComputerNetConfig -File "C:\Folder\Report.csv"

# Searches all computer objects in specific Active Directory Organizational Unit (including sub-ou's).
Get-ADComputerNetConfig -OU "OU=Servers,DC=contoso,DC=com"

# Export results to csv file.
Get-ADComputerNetConfig -OU "OU=Servers,DC=contoso,DC=com" -File "C:\Folder\Report.csv"

# Get network configuration of single server.
Get-ADComputerNetConfig -ComputerName Server1

# Single server network configuration to CSV file.
Get-ADComputerNetConfig -ComputerName Server1 -File "C:\Folder\Report.csv"

 
At the end of the script you will get a Script Summary with success/error counters.


Source: https://gallery.technet.microsoft.com/Get-ADComputerNetConfig-bc7da712

September 1, 2015

PowerShell - Active Directory - Windows 2003/2003R2/2008

Hello. Today I will cover an interesting topic. I asked myself how to manage Active Directory using PowerShell when the AD role is installed on Windows Server 2003 (2003 R2) or even 2008 (any Service Pack, but not R2).

You have to install Active Directory Web Services to manage AD using PowerShell in this case. This is where the challenge comes up: an important hotfix (KB969166) is required, but it is not available for download. As a result, it is not possible to deploy ADWS, and you get the following error message in KB968934.log during installation:

FileVersion of C:\WINDOWS\Assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll is Less Than 3.5.30729.4126

If you go to the "C:\WINDOWS\Assembly" folder you will see that it is not possible to locate the GAC_MSIL folder. That is another story, and I will describe the workaround a bit later. Let's check the System.DirectoryServices.AccountManagement.dll version. It shows 3.5.30729.1. This component was installed by the required .NET Framework 3.5 SP1.

The workaround is to get access to the GAC_MSIL folder and replace the System.DirectoryServices.AccountManagement.dll file with a newer version to complete the installation process. Obviously this is not a supported way, but it works. I will show a supported and much easier way at the end of this post.

To show the folder structure under the C:\WINDOWS\Assembly path, do the following steps:
Go to the %windir%\assembly folder in CMD.
Type "attrib -r -h -s desktop.ini"
Then "ren desktop.ini desktop.bak" (to revert the change, run "ren desktop.bak desktop.ini")


Once you are able to get to the DLL file, you can simply replace it with any newer version. I took it from my Windows 8.1 workstation (3.5.30729.70903). Then the ADWS installation completed successfully, and you can run the Active Directory PowerShell module from any domain-joined workstation using RSAT.

I was really surprised when I downloaded the Quest PowerShell module and could successfully run scripts against the same Active Directory without ADWS installed. One more great note: I was able to install Dell (Quest) AD PowerShell even on Windows Server 2003.

Here is the PowerShell script that I actually wanted to run against a Windows Server 2003 Domain Controller:

# Groups that have the mail attribute set
$Groups = Get-QADGroup | Where-Object { $_.mail } |
    Sort-Object
& {
    foreach ($Group in $Groups) {
        # UPNs of the group's members, sorted
        $members = Get-QADGroupMember -Identity $Group |
            Select-Object -ExpandProperty userprincipalname |
            Sort-Object
        foreach ($member in $members) {
            # One output row per group/member pair
            "" | Select-Object @{Name="Group"; Expr={$Group.mail}},
                @{Name="Member"; Expr={$member}}
        }
    }
} | Export-Csv GroupsAndMembers.csv -NoTypeInformation


It queries only AD groups that have the mail attribute set and produces a membership report. The results are exported to a CSV file.

9/9/2015 Update. KB969166 can be downloaded here. By the way, Quest PowerShell tools can be virtualized as a portable app via Cameyo; I have it portable with 52MB in size.