|
Also, if you're planning on using the data in something else, make sure you don't use Format-Table, as the data won't be usable. For example, the output of Get-ADUser <example user> | ft | ConvertTo-CSV is:code:
|
# ? Jul 30, 2016 15:46 |
|
I've been banging my head against this for a couple days. When I get to the line below, it says access denied.code:
$Computer is in the format computername.domain.local. I've tried a lot of variants on the command, I don't remember all of them.
|
# ? Aug 3, 2016 18:36 |
|
Are you passing credentials? Have you configured WinRM and WSMan for sending commands over the network? Also, try <DOMAIN>\<COMPUTERNAME>?
|
# ? Aug 3, 2016 18:57 |
|
22 Eargesplitten posted: I've been banging my head against this for a couple days. When I get to the line below, it says access denied.
Do you have WinRM configured? Have you verified you have the rights for that PC?
|
# ? Aug 3, 2016 19:00 |
BaseballPCHiker posted: Do you have WinRM configured? Have you verified you have the rights for that PC?
PSExec doesn't use WinRM.
|
|
# ? Aug 3, 2016 19:04 |
|
I'm not going to have WinRM configured, do I need to? The PSExec Copy-Item on the line before works, although it also throws the same error. I've tried passing credentials as -u $accountused.username -p $accountused.password. I've also run as the system account with -s. I also tried putting the username and password in quotes. When I have the -u and -p parameters it says unknown username or bad password. I am an administrator on the machine. When I do domain\computer it can't find the computer. Isn't it supposed to be that format for usernames?
|
# ? Aug 3, 2016 19:15 |
|
22 Eargesplitten posted: When I do domain\computer it can't find the computer. Isn't it supposed to be that format for usernames?
You are absolutely right about that, my bad. Make sure your username is formatted as domain\user. I'm led to agree that WinRM might not be required, but mark this important note:
ss64.com posted: For PsExec to work, File and Printer sharing must be enabled on the remote computer.
|
# ? Aug 3, 2016 19:23 |
Specifically, for PSExec to work, you must have a user account that can connect to \\COMPUTER\ADMIN$ and write files there. You also need to be able to run "sc \\COMPUTER create <parameters>" to control the service control manager on it. PSExec uses those remote management tools to do its task.
|
|
# ? Aug 3, 2016 19:29 |
|
Just got a PowerShell script from a vendor who got it from BitTitan's MigrationWiz product and literally the first line of the function is code:
code:
code:
anthonypants fucked around with this message at 02:13 on Feb 16, 2018 |
# ? Aug 4, 2016 00:38 |
|
Not sure if this has been posted before, but I found a pretty fun PoSh war game the other day. If you're familiar with the games on overthewire, this is pretty similar. http://www.underthewire.tech/wargames.htm
|
# ? Aug 4, 2016 15:16 |
|
Back on the PSExec credentials topic. I have everything working if I just put the username and password into the script, but if I use a get-credential and do code:
It gives me an error saying Logon Failure: unknown user name or bad password. I've also tried assigning the username and password to new variables in case PSexec can't read off of a PSCredential object. I can write to the ADMIN$ folder on the remote computer. I'm having this same problem with multiple computers, but all of those computers also accept the plaintext password and username.
|
# ? Aug 9, 2016 17:37 |
|
22 Eargesplitten posted: Back on the PSExec credentials topic. I have everything working if I just put the username and password into the script, but if I use a get-credential and do
The password is a securestring. To get the cleartext back out you need to use code:
|
# ? Aug 9, 2016 19:07 |
|
Well, that gives me the password in clear text, but it still gives the same error. Unrelated, if I were to start a script that deletes itself after completion, would that work or would it stop in its tracks? I'm guessing it depends on whether the script is loaded all at once or one line at a time.
|
# ? Aug 9, 2016 20:23 |
I believe PowerShell loads the full script, then closes the script file, letting you delete the file without problems, even in the middle of execution. DOS-derived batch files traditionally execute line by line, with the result that you could, at least under true DOS, have a batch file that modifies itself while running. I don't know how cmd.exe does things, but you should be able to delete a running batch file, just don't expect it to be able to continue running afterwards.
|
|
# ? Aug 9, 2016 20:46 |
|
Yeah you can definitely run a PowerShell script which deletes itself. If you create a script with the following and run it then it will just delete itself without issues:code:
|
# ? Aug 10, 2016 01:37 |
|
Yep, it works. It works so well I nearly hosed myself accidentally running it on my own computer because it deleted the git repo as well. I made a backup now, I was lucky I had a copy on a different computer.
|
# ? Aug 10, 2016 16:55 |
|
For scripts that are designed to run in an unattended and non-interactive fashion what is the best way to handle logging? I've come up with a method but was wondering if anyone has anything better/can suggest improvements. First I'll add two non-mandatory parameters to the script for specifying the log filename and path ($LogFilePath defaults to the current working directory and $LogFileName defaults to "<SCRIPT_NAME>_LogFile_<DATE>-<TIME>.csv"): code:
code:
code:
code:
Does anyone do things differently? Is there a better way?
|
# ? Aug 16, 2016 10:25 |
|
cheese-cube posted: For scripts that are designed to run in an unattended and non-interactive fashion what is the best way to handle logging? I've come up with a method but was wondering if anyone has anything better/can suggest improvements.
Depends on exactly what sort of logging I need, but I honestly usually just use start-transcript/stop-transcript. Anything that writes to the console will write to the txt file transcript, so if I want to have entries after specific events in the script one can simply Write-Host whatever they want written to the transcript file.
|
# ? Aug 16, 2016 14:55 |
|
Yeah Start/Stop-Transcript is great for ad-hoc stuff or when doing debug tracing. However the majority of the stuff I write is for automation so it runs unattended, sometimes against very large sets of objects (Usually triggered by Scheduled Tasks). This means I need timestamped log entries and the ability to control exception handling so that when item 7,845 of 10,000 fails I can write to log, continue execution and then investigate the error later.
|
# ? Aug 16, 2016 15:21 |
If you wrap your task with a function, or even a module, and then have a small runner script that invokes it, you can use standard redirection on that. Make sure to read Get-Help about_Redirection.
|
|
# ? Aug 16, 2016 17:30 |
|
cheese-cube posted: Yeah Start/Stop-Transcript is great for ad-hoc stuff or when doing debug tracing. However the majority of the stuff I write is for automation so it runs unattended, sometimes against very large sets of objects (Usually triggered by Scheduled Tasks). This means I need timestamped log entries and the ability to control exception handling so that when item 7,845 of 10,000 fails I can write to log, continue execution and then investigate the error later.
Something like this within the code (say searching a few thousand text files that should all not have a given line of text and you want exceptions whenever they do because it's an error and shouldn't be there): code:
code:
Mo_Steel fucked around with this message at 13:39 on Aug 24, 2016 |
# ? Aug 24, 2016 05:04 |
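An added example, not code from any of the posts above: one way to get the timestamped, continue-on-failure logging discussed for unattended runs. `Write-Log` and `Invoke-Batch` are hypothetical names, the `$LogFilePath`/`$LogFileName` parameters follow the description in the thread, and PowerShell 3.0 or later is assumed (for `Export-Csv -Append`).

```powershell
# Added example; Write-Log and Invoke-Batch are hypothetical helper names.
function Write-Log {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('INFO', 'ERROR')][string]$Level = 'INFO',
        [string]$Item = '',
        [Parameter(Mandatory)][string]$Message
    )
    # Export-Csv quotes every field, so an item name or error text containing
    # commas or line breaks cannot split or forge a log row.
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')   # ISO 8601, sortable
        Level     = $Level
        Item      = $Item
        Message   = $Message
    } | Export-Csv -Path $Path -Append -NoTypeInformation
}

function Invoke-Batch {
    param(
        [Parameter(Mandatory)][object[]]$InputObject,
        [Parameter(Mandatory)][scriptblock]$Action,
        [string]$LogFilePath = (Get-Location).Path,
        [string]$LogFileName = ('Batch_LogFile_{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
    )
    # Turn non-terminating cmdlet errors inside $Action into catchable ones.
    $ErrorActionPreference = 'Stop'
    $log    = Join-Path $LogFilePath $LogFileName
    $failed = 0
    Write-Log -Path $log -Message "Started, $($InputObject.Count) items"
    foreach ($obj in $InputObject) {
        try {
            & $Action $obj | Out-Null
            Write-Log -Path $log -Item "$obj" -Message 'OK'
        }
        catch {
            # Record the failure and keep going; investigate from the log later.
            $failed++
            Write-Log -Path $log -Level ERROR -Item "$obj" -Message $_.Exception.Message
        }
    }
    Write-Log -Path $log -Message "Finished, $failed failed"
    [pscustomobject]@{ LogFile = $log; Total = $InputObject.Count; Failed = $failed }
}

# Constructed demo: item 3 fails, the run continues, and the log records it.
$result = Invoke-Batch -InputObject (1..5) -LogFilePath ([IO.Path]::GetTempPath()) -Action {
    param($n)
    if ($n -eq 3) { throw "simulated failure on item $n" }
}
$result
Import-Csv $result.LogFile | Where-Object { $_.Level -eq 'ERROR' }
```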
|
Is there a way to tell if a computer is pulling automatic DNS addresses off the firewall or is manually configured? This is for Windows 7, all of the end cmdlets I see are only for 8.1.
|
# ? Aug 24, 2016 22:56 |
|
22 Eargesplitten posted: Is there a way to tell if a computer is pulling automatic DNS addresses off the firewall or is manually configured? This is for Windows 7, all of the end cmdlets I see are only for 8.1.
e: To return an object:
Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPEnabled} | Select-Object DNSServerSearchOrder
To return a list of the DNS servers:
Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPEnabled} | Select-Object -ExpandProperty DNSServerSearchOrder
The Get-WmiObject cmdlet also takes a -ComputerName parameter if you want to look up remote computers.
anthonypants fucked around with this message at 23:08 on Aug 24, 2016 |
# ? Aug 24, 2016 23:03 |
|
Sorry, I should have been clear. My lead thinks my predecessor might have hosed poo poo up by manually configuring clients to use Google DNS instead of the ones on the DCs. He says it's fine if a computer set to automatic has a public DNS server as a fallback, but if it's manually configured it should be private. I got all of the DNS servers for all the computers I need to know about, but I can't tell if they are automatic or manual.
|
# ? Aug 24, 2016 23:17 |
|
22 Eargesplitten posted: Sorry, I should have been clear. My lead thinks my predecessor might have hosed poo poo up by manually configuring clients to use Google DNS instead of the ones on the DCs. He says it's fine if a computer set to automatic has a public DNS server as a fallback, but if it's manually configured it should be private. I got all of the DNS servers for all the computers I need to know about, but I can't tell if they are automatic or manual.
netsh interface ipv4 show config will output a list of all the interfaces' settings, and you'll either see "Statically Configured DNS Servers" or "DNS servers configured through DHCP" in the output.
|
# ? Aug 24, 2016 23:30 |
|
I don't think you can query WMI to see whether the client is using the DNS servers from DHCP or using manual ones. It's not specified in the documentation anyhow: https://msdn.microsoft.com/en-us/library/aa394217%28v=vs.85%29.aspx You could go old school and check it with "netsh interface ipv4 show dns".
|
# ? Aug 24, 2016 23:36 |
|
22 Eargesplitten posted: Sorry, I should have been clear. My lead thinks my predecessor might have hosed poo poo up by manually configuring clients to use Google DNS instead of the ones on the DCs. He says it's fine if a computer set to automatic has a public DNS server as a fallback, but if it's manually configured it should be private. I got all of the DNS servers for all the computers I need to know about, but I can't tell if they are automatic or manual.
Nope. You'll have to do something like
invoke-command -computer (get-content workstations.txt) -scriptblock { cmd /c 'netsh interface ip set dns "Local Area Connection" dhcp' }
Then make sure the dns option is set properly in dhcp. Nothing should be statically assigned except for DCs. Make dns set the primary as your DC and then do tertiary as secondary DCs and then finally 8.8.8.8 or whatever through dhcp.
I can't test it because for the first time ever I don't have a windows machine but it'll probably work. If it doesn't double check netsh identifies the interface as local area connection. Apparently it might not.
Methanar fucked around with this message at 23:42 on Aug 24, 2016 |
# ? Aug 24, 2016 23:40 |
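An added example, not code from any of the posts above: it parses the `netsh interface ipv4 show config` output mentioned in the thread and flags interfaces where a DNS server was set by hand and is not a private address, which is the rule the poster's lead described. The function names and the sample output are constructed, and the labels assume an English-language Windows install.

```powershell
# Constructed sample of `netsh interface ipv4 show config` output.
$sample = @'

Configuration for interface "Local Area Connection"
    DHCP enabled:                         Yes
    IP Address:                           10.0.5.23
    Default Gateway:                      10.0.5.1
    Statically Configured DNS Servers:    8.8.8.8
                                          8.8.4.4
    Register with which suffix:           Primary only

Configuration for interface "Wireless Network Connection"
    DHCP enabled:                         Yes
    DNS servers configured through DHCP:  10.0.0.10
                                          8.8.8.8
    Register with which suffix:           Primary only
'@ -split '\r?\n'

# Hypothetical helper: true for RFC 1918 addresses.
function Test-PrivateIPv4 {
    param([string]$Address)
    $b = ([System.Net.IPAddress]$Address).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Hypothetical helper: one object per DNS server, with where it came from.
function ConvertFrom-NetshDnsConfig {
    param([string[]]$Line)
    $iface = $null; $source = $null
    foreach ($l in $Line) {
        if ($l -match '^Configuration for interface "(.+)"') {
            $iface = $Matches[1]; $source = $null; continue
        }
        if ($l -match '^\s+Statically Configured DNS Servers:\s*(\S*)') {
            $source = 'Static'; $value = $Matches[1]
        }
        elseif ($l -match '^\s+DNS servers configured through DHCP:\s*(\S*)') {
            $source = 'DHCP'; $value = $Matches[1]
        }
        elseif ($source -and $l -match '^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$') {
            $value = $Matches[1]       # continuation line: next server in the same list
        }
        else {
            $source = $null; continue  # any other line ends the DNS server list
        }
        if ($value -match '^\d{1,3}(\.\d{1,3}){3}$') {   # skips "None"
            [pscustomobject]@{
                Interface = $iface; Source = $source; Server = $value
                Flag      = ($source -eq 'Static' -and -not (Test-PrivateIPv4 $value))
            }
        }
    }
}

# On a live client, pass (netsh interface ipv4 show config) instead of $sample.
ConvertFrom-NetshDnsConfig -Line $sample
```

With the sample above, only the two servers on "Local Area Connection" come back with `Flag` set; the 8.8.8.8 fallback handed out by DHCP on the wireless interface does not.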
|
Is there an easy way to filter a list of objects by a second list? Something like:
$AllVMs = Get-VM
$Targets = Get-Content c:\list.txt
$TargetVMs = $AllVMs ∩ $Targets
|
# ? Aug 26, 2016 22:12 |
|
Dr. Arbitrary posted:Is there an easy way to filter a list of objects by a second list?
|
# ? Aug 26, 2016 22:37 |
|
mystes posted: $AllVMs | ? {$Targets -contains $_}
That is way better than what I was trying to write.
|
# ? Aug 26, 2016 22:39 |
|
Anyone familiar with granting "Full Control" of an AD object to another AD object? I had asked for help with this in HangOps and Stubblyhead helped out a bit (thanks!) but after that ran into some errors that showed I needed more understanding. Backed up from doing AD stuff to just generic file permission stuff and got that ok. I pulled from a technet article and hosed around to get a better understanding. :code:
code:
Cannot convert argument "rule", with value: "System.Security.AccessControl.FileSystemAccessRule", for "AddAccessRule" to type "System.DirectoryServices.ActiveDirectoryAccessRule": "Cannot convert the "System.Security.AccessControl.FileSystemAccessRule" value of type "System.Security.AccessControl.FileSystemAccessRule" to type "System.DirectoryServices.ActiveDirectoryAccessRule"."
I had thought that the "FullControl" was a FileSystemRight but PS is trying to convert it to a System.DirectoryServices.whatever type and is failing. But under this DirectoryServices type there isn't a "FullControl" member. So my thinking so far has found 2 possibilities:
1) You can't do this (which seems unlikely) through PS
2) FullControl for ADobjects isn't actually a FileSystem member (which makes it Very Confusing :\) and instead exists in a different class, just not the class PS is throwing as the type convert failure.
I've looked through the System.DirectoryServices Namespace and I haven't found a class that actually contains the member "FullControl", but it's possible I missed it I guess. Can someone help me bridge whatever gap I've got in my understanding?
|
# ? Sep 6, 2016 17:14 |
|
Jowj posted:
code:
PS C:\Windows\System32\WindowsPowerShell\v1.0> $colRights | gm
   TypeName: System.Security.AccessControl.FileSystemRights
Name MemberType Definition
---- ---------- ----------
etc
If I decided to dig into the class further, I'd probably find out that was an enum.
|
# ? Sep 6, 2016 18:19 |
|
Pro-tip: always be Googling full type names, 99% of the time the first result is the relevant MSDN page: https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights(v=vs.110).aspx. As GPF mentioned, that class is an enum so remove those double-quotes. However I'd like to be a dick and question your motives: why do you need to apply full-control permissions on objects in AD and is there a reason why you can't just use inheritance? The primary reason I ask is that explicit object-level permissions rapidly become an administrative and security PITA.
|
# ? Sep 6, 2016 18:48 |
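An added example, not code from any of the posts above: the error in the question arises because AD objects take `ActiveDirectoryAccessRule`, whose rights come from the `ActiveDirectoryRights` enum, where "full control" is `GenericAll`. The block builds such a rule against an in-memory security descriptor and then lists explicit (non-inherited) full-control entries, the kind of object-level grant the reply above warns about. The SID is a constructed stand-in, `Get-ExplicitFullControl` is a hypothetical name, and a Windows host with the System.DirectoryServices assembly is assumed.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# Constructed identity: the well-known SID for BUILTIN\Administrators stands in
# for the account that would receive the permission.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

# Enum values, not quoted strings. GenericAll is what the GUI shows as Full control.
$full  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# The rule type that AddAccessRule on an AD security descriptor expects.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $full, $allow

# In-memory descriptor so the example runs without a domain. Against a live
# directory the descriptor would come from the object itself, for example
# Get-Acl "AD:\<distinguishedName>" with the ActiveDirectory module loaded
# (placeholder DN, assumption).
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
$acl.AddAccessRule($rule)

# Hypothetical audit helper: explicit Allow entries that include every GenericAll bit.
function Get-ExplicitFullControl {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $mask = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $mask) -eq $mask)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

Get-ExplicitFullControl -Acl $acl
```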
|
Thanks GPF, cheese-cube. I do not use .net *ever* so apologies for the fundamental mistakes. I think I'm gonna buy a .net book once this quarter is over; it seems that there's a bunch of functionality in Powershell that I just can't get at well because I'm stuck not understanding .net poo poo very well.
quote: Pro-tip: always be Googling full type names
quote: However I'd like to be a dick and question your motives: why do you need to apply full-control permissions on objects in AD and is there a reason why you can't just use inheritance? The primary reason I ask is that explicit object-level permissions rapidly become an administrative and security PITA.
Naw, you're not being a dick, it's a good question. For context, this is part of a set of scripts I'm making for DB cluster build automation. Security doesn't want to grant the DBAs/MSSQL account permission to create instance objects in this OU so each time a new cluster is built every instance has to be manually added and have the clusterobj associated with the instance granted fullcontrol. As to why we're not doing inheritance it's because I don't have enough time to get approval to change our process and then implement the change before the project is due. Everything I've read makes it look so much easier if I have poo poo configured at the OU level instead of at the individual object level, just :\. So, no business justification really, just timelines from management.
|
# ? Sep 6, 2016 19:28 |
|
Jowj posted: Thanks GPF, cheese-cube. I do not use .net *ever* so apologies for the fundamental mistakes. I think I'm gonna buy a .net book once this quarter is over; it seems that there's a bunch of functionality in Powershell that I just can't get at well because I'm stuck not understanding .net poo poo very well.
If you're only working with PowerShell then there's very little that you have to learn specifically about .NET outside of understanding OOP fundamentals. When you understand types, classes, methods, etc. you'll be able to take advantage of pretty much any .NET class in PowerShell (Using MSDN doco of course). Unfortunately I don't really have any recommendations regarding reading materials but others might.
Jowj posted: Naw, you're not being a dick, it's a good question.
Hah, yeah I see what you're doing and I've been in that same situation. Good luck.
|
# ? Sep 6, 2016 19:38 |
|
cheese-cube posted: If you're only working with PowerShell then there's very little that you have to learn specifically about .NET outside of understanding OOP fundamentals. When you understand types, classes, methods, etc. you'll be able to take advantage of pretty much any .NET class in PowerShell (Using MSDN doco of course).
So, after flattening my skull against the desk and keyboard for a while, I went digging into MSDN and sample scripts that dealt with printing, print servers, queues and all that. What I found was a mixture of old tech (net view \\server), .NET types and classes regarding printing (System.Printing Namespace), and pure PowerShell to step through and deal with the returned objects, I was able to easily deal with that problem without being forced to change how I did it depending on the OS.
So, I'm writing up a new class for the other techs. Class 1 will be what I consider the foundations of PowerShell to be, and that's objects and types. Class 2 will be loops and decision making. Not sure what it'll be after that. Gotta see how they react.
Jowj, what actually helped me do better in PowerShell was learning C# in bits and pieces. That's when I started to get the idea of objects and types, and that's when I started understanding PowerShell better.
|
# ? Sep 7, 2016 03:11 |
|
GPF posted:Agreed. When I teach PowerShell to the guys at work, up until now, I've been staying with cmdlets since that's much more "PowerShell-y". But, these days, I've been thinking about PowerShell more like CommandLine.NET than cmdlets. The project that started it all was attempting to make a script that would hit all the print servers we have, pull queues that had jobs, and kill jobs that were older than 8 hours. As I developed it, I realized that we had a mix of 2008 R2 and 2012 R2 servers running as print servers. This was a huge deal since there are few if any printer cmdlets in 2008 R2, and the 2012 R2 cmdlets wouldn't work in a backwards compatible way against 2008 R2. WMI was as slow as Christmas, and I didn't want to just stop services, delete files, and restart services in the middle of the day. I wanted to be able to run this script at any time as many times as I wanted and not affect the users one single bit.
|
# ? Sep 7, 2016 18:20 |
|
anthonypants posted: A few jobs ago when I was on the helpdesk, I wrote a PowerShell script that leveraged net use \\printserver and .Net to make a GUI interface which would allow users to install the printer closest to them. I wouldn't recommend duplicating that effort, but I learned (and forgot) a lot.
Here's the printer queue old job murder script (localized info removed). I essentially looked at each piece and tried to find the fastest way to do each thing. WMI was being the world's slowest dick when getting a list of queues, so I shortcut that with net view \\server. WMI is used, but only to check the server for ANY jobs. After that, it's .NET stepping through each queue.
One thing that stumped me for a long time was that .NET would create an empty object when asking a PrintQueue for all its jobs. If you looked at it over time, it'd look like this: null variable, null, null, empty object, empty object, object with jobs, so just checking to see if the variable had something in it would grab an empty object even though the queue said it had jobs. That one took a while to figure out.
Looking at it now, I can see a few places where I could have been more efficient or cut 5 lines down to 2 or less, but this runs at an acceptable speed and, most importantly, does what I need it to do. code:
|
# ? Sep 8, 2016 14:47 |
|
I wrote a 1-liner yesterday that I had some trouble with.code:
I also tried without specifying the path. It worked on a few folders, but I got an error saying access was denied on most of them. I ran it as an administrator, so I don't see why that should be. I even got it on some of my own user folders.
|
# ? Sep 8, 2016 20:42 |
|
22 Eargesplitten posted:I wrote a 1-liner yesterday that I had some trouble with.
|
# ? Sep 8, 2016 23:18 |