dragonshardz
May 2, 2017

Methanar posted:

Don't write or test it on your own time. Do it during work time because you're making a work problem better.

I don't have a way to test PowerShell scripts on work time. I'm not going to test in production and risk making a mistake that could literally cost me my job.

Write in work time? Yes, absolutely.


Thanks Ants
May 21, 2004

#essereFerrari


Throw commands at it but put -WhatIf at the end of them

https://techcommunity.microsoft.com/t5/itops-talk-blog/powershell-basics-don-t-fear-hitting-enter-with-whatif/ba-p/353579

dragonshardz
May 2, 2017


drat you, Ants! Now I have another project to work on!

Weedle
May 31, 2006




damnts

Submarine Sandpaper
May 27, 2007


The joy of lowly AD PowerShell is that you could make the same mistakes in the GUI. It's the sysadmin's issue tbqh. Just don't do something like pipe all users into disabled.

Thanks Ants
May 21, 2004

#essereFerrari


dragonshardz posted:

drat you, Ants! Now I have another project to work on!

(Check your cmdlets support -whatif before you do this)

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952




Submarine Sandpaper posted:

The joy of lowly AD PowerShell is that you could make the same mistakes in the GUI. It's the sysadmin's issue tbqh. Just don't do something like pipe all users into disabled.

The way to start with PS and AD is to start using the command-line just to look stuff up. Get-ADComputer, Get-ADUser, Get-ADPrincipalGroupMembership and so on. Then advance to Add-ADGroupMember. Then start using tab-complete and the up arrow to save typing.

Your first step into a larger world will be with the Get-Content/Foreach

It sounds like you're adding new hires to all their standard groups, so let's look at that. You can define variables in a PowerShell window and they'll persist until you close the window.

Put the list of groups to add new users to in a text file and save it.

Run PowerShell as your ADAdmin creds.

Now type:
code:
$user = Get-ADUser "SomeLuser" # their userID/SAMAccountName

$newbieGroups = Get-Content "~/Desktop/groups.txt" # or whatever the path is; the ~ means your home directory in c:\Users. You could also cd to where the file is and reference it by just the name

foreach ($group in $newbieGroups) {$g = Get-ADGroup $group; Add-ADGroupMember -identity $g -member $user -WhatIf}

PowerShell tells you what it would have done. If it's right, hit the up-arrow, take out the -WhatIf and go!

Now use the up arrow to go back to the $user = ... line, change the userID and hit return. This changes the content of $user to the second new user

Up-arrow again to the foreach line and just hit enter. The second user gets added to the same groups. Leave the window open and as new user setups come in, add them to their groups with a few keystrokes.

Turning that into a script that takes userID and department and adds them to the right groups is left as an exercise.

xsf421
Feb 17, 2011

Thanks Ants posted:

(Check your cmdlets support -whatif before you do this)

This is important, there used to be some that would run for real and just ignore the flag. Hopefully they fixed that.
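
The -WhatIf advice from the posts above, as an added example that is not part of any poster's message: `Test-SupportsWhatIf` reports whether a cmdlet declares the parameter, and `Add-NewHireToGroups` wraps mllaneza's loop in its own `ShouldProcess` gate, so a dry run never reaches `Add-ADGroupMember` at all. Both function names and their parameters are hypothetical, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not code from the thread. Function and parameter names are hypothetical.

function Test-SupportsWhatIf {
    # Reports whether each named command declares a -WhatIf parameter.
    # This proves the parameter exists, not that the cmdlet honours it.
    param([Parameter(Mandatory)][string[]]$CommandName)
    foreach ($name in $CommandName) {
        $cmd = Get-Command -Name $name -ErrorAction Stop
        [pscustomobject]@{
            Command        = $name
            SupportsWhatIf = $cmd.Parameters.ContainsKey('WhatIf')
        }
    }
}

function Add-NewHireToGroups {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
    param(
        [Parameter(Mandatory)][string]$UserId,         # SAMAccountName of the new user
        [Parameter(Mandatory)][string]$GroupListPath   # text file, one group name per line
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Warn if the cmdlet that makes the change does not declare -WhatIf
    $check = Test-SupportsWhatIf -CommandName 'Add-ADGroupMember'
    if (-not $check.SupportsWhatIf) {
        Write-Warning 'Add-ADGroupMember has no -WhatIf; relying on the gate below.'
    }

    $user = Get-ADUser -Identity $UserId -ErrorAction Stop

    # Resolve every group before changing anything, so a typo in the file
    # stops the run with zero groups modified instead of halfway through.
    $groupNames = Get-Content -Path $GroupListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
    $groups = foreach ($name in $groupNames) {
        Get-ADGroup -Identity $name -ErrorAction Stop
    }

    foreach ($g in $groups) {
        # ShouldProcess returns $false under -WhatIf and prints what would happen,
        # so the write call is skipped even if the cmdlet itself ignored the flag.
        if ($PSCmdlet.ShouldProcess($g.Name, "Add member $($user.SamAccountName)")) {
            Add-ADGroupMember -Identity $g -Members $user -ErrorAction Stop
        }
    }
}

# Dry run; repeat without -WhatIf once the output looks right.
Add-NewHireToGroups -UserId 'SomeLuser' -GroupListPath "$HOME\Desktop\groups.txt" -WhatIf
```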

SyNack Sassimov
May 4, 2006

Let the robot win.
            --Captain James T. Vader


mllaneza posted:

The way to start with PS and AD is to start using the command-line just to look stuff up. Get-ADComputer, Get-ADUser, Get-ADPrincipalGroupMembership and so on. Then advance to Add-ADGroupMember. Then start using tab-complete and the up arrow to save typing.

Your first step into a larger world will be with the Get-Content/Foreach

It sounds like you're adding new hires to all their standard groups, so let's look at that. You can define variables in a PowerShell window and they'll persist until you close the window.

Put the list of groups to add new users to in a text file and save it.

Run PowerShell as your ADAdmin creds.

Now type:
code:
$user = Get-ADUser "SomeLuser" # their userID/SAMAccountName

$newbieGroups = Get-Content "~/Desktop/groups.txt" # or whatever the path is; the ~ means your home directory in c:\Users. You could also cd to where the file is and reference it by just the name

foreach ($group in $newbieGroups) {$g = Get-ADGroup $group; Add-ADGroupMember -identity $g -member $user -WhatIf}

PowerShell tells you what it would have done. If it's right, hit the up-arrow, take out the -WhatIf and go!

Now use the up arrow to go back to the $user = ... line, change the userID and hit return. This changes the content of $user to the second new user

Up-arrow again to the foreach line and just hit enter. The second user gets added to the same groups. Leave the window open and as new user setups come in, add them to their groups with a few keystrokes.

Turning that into a script that takes userID and department and adds them to the right groups is left as an exercise.

Yes but also always use |%{}

Nth Doctor
Sep 7, 2010

Darkrai used Dream Eater!
It's super effective!


Super Soaker Party! posted:

Yes but also always use |%{}

To save anyone else the trouble: it's syntactic sugar for ForEach-Object on the object in the pipeline.

dragonshardz
May 2, 2017

mllaneza posted:

The way to start with PS and AD is to start using the command-line just to look stuff up. Get-ADComputer, Get-ADUser, Get-ADPrincipalGroupMembership and so on. Then advance to Add-ADGroupMember. Then start using tab-complete and the up arrow to save typing.

Your first step into a larger world will be with the Get-Content/Foreach

It sounds like you're adding new hires to all their standard groups, so let's look at that. You can define variables in a PowerShell window and they'll persist until you close the window.

Put the list of groups to add new users to in a text file and save it.

Run PowerShell as your ADAdmin creds.

Now type:
code:
$user = Get-ADUser "SomeLuser" # their userID/SAMAccountName

$newbieGroups = Get-Content "~/Desktop/groups.txt" # or whatever the path is; the ~ means your home directory in c:\Users. You could also cd to where the file is and reference it by just the name

foreach ($group in $newbieGroups) {$g = Get-ADGroup $group; Add-ADGroupMember -identity $g -member $user -WhatIf}

PowerShell tells you what it would have done. If it's right, hit the up-arrow, take out the -WhatIf and go!

Now use the up arrow to go back to the $user = ... line, change the userID and hit return. This changes the content of $user to the second new user

Up-arrow again to the foreach line and just hit enter. The second user gets added to the same groups. Leave the window open and as new user setups come in, add them to their groups with a few keystrokes.

Turning that into a script that takes userID and department and adds them to the right groups is left as an exercise.

Unfortunately, we don't have a set of groups that everyone gets added to when their account is created. Each branch has their own specific groups that everyone generally gets, but the tickets aren't even all for the same branch!

I do already use PowerShell for lookups and all, so head start there.

Right now the process for making new accounts is:

  1. Copy an existing user object
  2. Fill in the missing information from copying (description, office, telephone number, email, street, mailNickname, proxyAddress)
  3. Update any incorrect information that might have been carried over from the copied object (job title, manager, sometimes their home folder)
  4. Add any groups that are specifically requested in the ticket
  5. Wait for on-prem AD to sync to O365 admin panel
  6. Assign O365 licenses

So...working within the confines of an environment created in 2008 will be !!fun!!

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof
Holy gently caress so our email has been down for a shitton of users since yesterday around 8am.
This is following my manager's rather brash and unplanned decision to remove everyone but himself from Global Admin (and apparently any admin roles as well) in o365.
I wasted a good portion of my day yesterday on a conference call with him just repeatedly saying "I can't help you do poo poo. I have no admin. I can't even loving powershell. Call Microsoft or fix my privileges."

Back on the call first thing this morning. Repeating the same poo poo. "bruh there is literally nothing I can do to help you. I can't even get into the health reports page."

Today around 2 Microsoft finally acknowledged that there was an issue with Outlook being presented "multiple authentication" and not allowing users to connect. I finally got my admin privileges back around 4pm. Ran some connectivity analyzer tests, read up on the issue report and found that I could connect if I allowed "Modern Authentication" (we are still using Basic Auth.) Presented everything, and said, "this will fix it. All I have to do is hit enter to run this script I just finished and everything will magically work again."

I was told to hold off, 2 more hours go by and we are still on the call and I am pulling my hair out knowing that this poo poo could be fixed this very second.
Then he decides to call Microsoft.
...still on the conference call, and waiting for a call back from Microsoft.
They finally answer like an hour after I should have already gone home and basically just said, "yeah we know poo poo is hosed. Just enable Modern Authentication and everything should work."
Manager, still doesn't want to do it, even after I explained it won't break anything and we can just disable it again whenever he wants.
So I just throw my hands up and gtfo.

I get home and see I have an email saying that "Modern Authentication has been enabled."


...okay whatever

Ghostlight
Sep 25, 2009

maybe for one second you can pause; try to step into another person's perspective, and understand that a watermelon is cursing me



dragonshardz posted:

Right now the process for making new accounts is:

  1. Copy an existing user object
  2. Fill in the missing information from copying (description, office, telephone number, email, street, mailNickname, proxyAddress)
  3. Update any incorrect information that might have been carried over from the copied object (job title, manager, sometimes their home folder)
  4. Add any groups that are specifically requested in the ticket
  5. Wait for on-prem AD to sync to O365 admin panel
  6. Assign O365 licenses

So...working within the confines of an environment created in 2008 will be !!fun!!

How I approached learning/writing a similar script without a testing environment was I first went through an existing user object and separated out all the parts that were default from the bits that we were copying it for, then wrote a script to create that essential AD account from scratch so that I didn't have to manually blank things off the existing one or replace information. Once I had a script that created the barebones AD account I then went through and gave it prompts to ask me for new information, like names, positions, etc rather than doing that through the GUI. Once I was confident that was working I then moved to reading those variables from a text file instead. At the moment that text file is being made by a Flow reading my email and I have to manually kick off the process and round out any weird corners, but it's essentially ready and waiting to be plugged into an automated onboarding process I've spent like the last six months wireframing and okaying with HR.

Depending on your system and admins, you can set up your O365 sync server to enable you to remotely trigger a sync through the same script so that it does that, waits for about ten minutes, then connects to O365 to assign standard licensing.

dragonshardz
May 2, 2017

Ghostlight posted:

How I approached learning/writing a similar script without a testing environment was I first went through an existing user object and separated out all the parts that were default from the bits that we were copying it for, then wrote a script to create that essential AD account from scratch so that I didn't have to manually blank things off the existing one or replace information. Once I had a script that created the barebones AD account I then went through and gave it prompts to ask me for new information, like names, positions, etc rather than doing that through the GUI. Once I was confident that was working I then moved to reading those variables from a text file instead. At the moment that text file is being made by a Flow reading my email and I have to manually kick off the process and round out any weird corners, but it's essentially ready and waiting to be plugged into an automated onboarding process I've spent like the last six months wireframing and okaying with HR.

Depending on your system and admins, you can set up your O365 sync server to enable you to remotely trigger a sync through the same script so that it does that, waits for about ten minutes, then connects to O365 to assign standard licensing.

I work for a state government department and am not a permanent employee so the likelihood of getting any changes made to the O365 sync server are pretty slim.

And I mean yes your method is good; I just have to, y'know. Actually work on it.

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady

GnarlyCharlie4u posted:

They finally answer like an hour after I should have already gone home and basically just said, "yeah we know poo poo is hosed. Just enable Modern Authentication and everything should work."
Manager, still doesn't want to do it, even after I explained it won't break anything and we can just disable it again whenever he wants.

I don't know how much you care, but not using it means that in the event that someone gets their password stolen it's easy to bypass 2FA and just stick their account into Thunderbird or whatever via POP3 and MS will give zero shits at all and allow full access to the mailbox.

ETA: assuming O365, haven't had the opportunity to test it with on-prem yet.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

Arquinsiel posted:

I don't know how much you care, but not using it means that in the event that someone gets their password stolen it's easy to bypass 2FA and just stick their account into Thunderbird or whatever via POP3 and MS will give zero shits at all and allow full access to the mailbox.

ETA: assuming O365, haven't had the opportunity to test it with on-prem yet.

We only allow MAPI and Activesync (not even OWA) and I have a shitton of rules for what specific devices are allowed so I'm not as worried, but I'm pro-enabling it.

Thanks Ants
May 21, 2004

#essereFerrari


Arquinsiel posted:

I don't know how much you care, but not using it means that in the event that someone gets their password stolen it's easy to bypass 2FA and just stick their account into Thunderbird or whatever via POP3 and MS will give zero shits at all and allow full access to the mailbox.

ETA: assuming O365, haven't had the opportunity to test it with on-prem yet.

Are you sure, my understanding was that basic auth and MFA meant you had to use the app-specific passwords.

Yes you'd have the same problem as the point of the app passwords is that they bypass MFA for applications that have no idea what the gently caress that is, but it's not the same thing as someone getting the password that they type in all the time stolen.

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady

Thanks Ants posted:

Are you sure, my understanding was that basic auth and MFA meant you had to use the app-specific passwords.

Yes you'd have the same problem as the point of the app passwords is that they bypass MFA for applications that have no idea what the gently caress that is, but it's not the same thing as someone getting the password that they type in all the time stolen.

Yeah, saw it exploited in the wild on client site, and another consultant who was there for some completely unrelated thing went "hey do you know you can?" and showed us how it was possible.
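
A defender's check for the basic-auth gap discussed above, as an added example that is not from any poster: it filters sign-in records for successful logons over legacy protocols that are not on an allow list. The records are constructed, the field names (`clientAppUsed`, `status.errorCode`) and client names are assumed to match the Azure AD sign-in log export, and `Find-LegacyAuthSignIn` is a hypothetical helper.

```powershell
# Added example. Constructed sample sign-in records (not real data); field names
# are assumed to match the Azure AD sign-in log export.
$sampleJson = @'
[
  {"createdDateTime":"2020-05-11T08:02:11Z","userPrincipalName":"alice@example.test","clientAppUsed":"Browser","ipAddress":"198.51.100.10","status":{"errorCode":0}},
  {"createdDateTime":"2020-05-11T09:15:40Z","userPrincipalName":"alice@example.test","clientAppUsed":"POP3","ipAddress":"203.0.113.77","status":{"errorCode":0}},
  {"createdDateTime":"2020-05-11T09:47:03Z","userPrincipalName":"alice@example.test","clientAppUsed":"POP3","ipAddress":"203.0.113.77","status":{"errorCode":0}},
  {"createdDateTime":"2020-05-11T10:01:19Z","userPrincipalName":"bob@example.test","clientAppUsed":"Exchange ActiveSync","ipAddress":"198.51.100.23","status":{"errorCode":0}},
  {"createdDateTime":"2020-05-11T10:30:52Z","userPrincipalName":"carol@example.test","clientAppUsed":"IMAP4","ipAddress":"203.0.113.90","status":{"errorCode":50126}}
]
'@

function Find-LegacyAuthSignIn {
    param(
        [Parameter(Mandatory)][object[]]$SignIn,
        # Client names treated as legacy (basic auth) protocols; assumed values
        [string[]]$LegacyClient = @('POP3', 'IMAP4', 'SMTP', 'Authenticated SMTP',
                                    'Exchange ActiveSync', 'MAPI Over HTTP', 'Other clients'),
        # Protocols the organisation deliberately permits
        [string[]]$Allowed = @()
    )

    # Keep only successful sign-ins over a legacy protocol that is not allowed
    $hits = $SignIn | Where-Object {
        $_.status.errorCode -eq 0 -and
        $LegacyClient -contains $_.clientAppUsed -and
        $Allowed -notcontains $_.clientAppUsed
    }

    # One summary row per user and protocol
    $hits | Group-Object userPrincipalName, clientAppUsed | ForEach-Object {
        $g = $_
        $ordered = @($g.Group | Sort-Object createdDateTime)
        [pscustomobject]@{
            User      = $ordered[0].userPrincipalName
            Protocol  = $ordered[0].clientAppUsed
            Count     = $g.Count
            FirstSeen = $ordered[0].createdDateTime
            LastSeen  = $ordered[-1].createdDateTime
            SourceIPs = ($g.Group.ipAddress | Sort-Object -Unique) -join ', '
        }
    }
}

$records = $sampleJson | ConvertFrom-Json

# Allow list mirrors the MAPI and ActiveSync policy mentioned in the thread
Find-LegacyAuthSignIn -SignIn $records -Allowed 'MAPI Over HTTP', 'Exchange ActiveSync' |
    Format-Table -AutoSize
```

A row here means a password alone was enough to open the mailbox over that protocol, which is the case the MFA prompt never sees.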

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

GnarlyCharlie4u posted:

Manager, still doesn't want to do it, even after I explained it won't break anything and we can just disable it again whenever he wants.

If I ever become a manager so spineless I'm afraid to authorize changing anything because it might break something as time and entropy slooowly rots our systems, please slit my throat with a circuit board.

Thom and the Heads
Oct 27, 2010

Farscape is actually pretty cool.
Got passed over for a promotion. The guy who got it has zero prior IT experience and has been on the team for a shorter period of time than me. We were both told we would be getting promoted eventually but for some reason he got bumped up first. Weirdly enough, he sometimes hangs out with my boss after work and only got hired because he is a roommate of a friend of my boss. I'm sure it's a coincidence.

gently caress this poo poo I smell a :yotj:

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are

Thom and the Heads posted:

Got passed over for a promotion. The guy who got it has zero prior IT experience and has been on the team for a shorter period of time than me. We were both told we would be getting promoted eventually but for some reason he got bumped up first. Weirdly enough, he sometimes hangs out with my boss after work and only got hired because he is a roommate of a friend of my boss. I'm sure it's a coincidence.

gently caress this poo poo I smell a :yotj:

"You got fast tracked because you work in the same office as the boss and go out for smoke breaks with him every day."
"Nuh-uh! It's a meritocracy!"

sfwarlock
Aug 11, 2007
I'll just put the notes in here:

"Caller reports dropouts on video calls and frequent VPN disconnects."
"Ping testing to router shows severe packet loss and latency issues. Cx unable to use wireless, as parent insisted it be disabled on grounds it 'gives you the corvid'."
"Cx also advises that parent also cut network cable from living room to bedroom because it was "on stairs and a trip hazard", cx attempted repair with elec tape & wirenuts."
"Advised Cx to obtain replacement cable."

Thanks Ants
May 21, 2004

#essereFerrari


It's impressive that they managed to get that information about the cable out of the caller

LethalGeek
Nov 4, 2009

I'm impressed they got some signal through a long CAT cable with wirenuts

Darchangel
Feb 12, 2009

Tell him about the blower!


It must be maddening to have to stay home all day with a parent who is a moron.
I mean, jeeze, everyone knows it’s 5G that gives you the corona.

taqueso
Mar 8, 2004


:911:
:wookie: :thermidor: :wookie:
:dehumanize:

:pirate::hf::tinfoil:
yeah, but all the new routers come with 5G Hz support now!

I'm not quite sure about Hz, but my nephew says that means 'hurts' and I'm like "no poo poo Brindon"

Nth Doctor
Sep 7, 2010

Darkrai used Dream Eater!
It's super effective!


Darchangel posted:

It must be maddening to have to stay home all day with a parent who is a moron.
I mean, jeeze, everyone knows it’s 5G that gives you the corona.

Yes, but this was Wi-Fi giving "corvid" which we all know. 802.11 causes crows.

Data Graham
Dec 28, 2009

📈📊🍪😋



PYF covid-related wifi SSIDs for scaring the neighbors

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are

Data Graham posted:

PYF covid-related wifi SSIDs for scaring the neighbors

“5G SIGNAL BOOSTER”

Geemer
Nov 4, 2010



The Bat Signal (5G)

Proteus Jones
Feb 28, 2013



Mask Compliance Agency(Mobile)

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA
FEMA COVID CASUALTY VAN 37

Darchangel
Feb 12, 2009

Tell him about the blower!


Not COVID-related, but I once spotted this SSID, at work:


edit: yes, that's Windows 7 (in 2015. They were *finally* rolling out Win 10 when I left in 2017.)

Darchangel fucked around with this message at 17:25 on May 12, 2020

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady
If you happen to be around Connolly Station in Dublin look out for "Hide yo kids hide yo wifi". It's not mine, but it always makes my commute a little bit less poo poo.

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!
An SSID within range of my old apartment was "Kim's Pedobear Van"

My complex was literally next to a police station and it existed for years until I moved out

Nth Doctor
Sep 7, 2010

Darkrai used Dream Eater!
It's super effective!


Subnet Mask

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952




Dirt Road Junglist posted:

"You got fast tracked because you work in the same office as the boss and go out for smoke breaks with him every day."
"Nuh-uh! It's a meritocracy!"

I got on the lab support team by taking smoke breaks with the team's tech lead. A year later I got his job after he got promoted offsite. :yotj:

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are
My favorite was a screenshot from a crowded apartment building.

One SSID read: “Give me back my flamingos”

Further down the list: “gently caress YOUR FLAMINGOS”

Thanks Ants
May 21, 2004

#essereFerrari


klosterdev posted:

An SSID within range of my old apartment was "Kim's Pedobear Van"

My complex was literally next to a police station and it existed for years until I moved out

So it was your SSID then?


sfwarlock
Aug 11, 2007
A coffeeshop across the street from a previous employer was in view of "Pretty Fly For A Wifi" and "Have You Stopped Beating Your Wifi".
