by David | Nov 22, 2020 | Help Desk, Information Technology, PowerShell
Do you have an admin account that needs to be hidden? Setting up this account among 2000 machines at different sites and different clients? Sounds like a nightmare right? Well, you can easily hide a user’s account from the login. This is done through the registry.
HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Inside here, we create a Dword with the username that we want to hide from the start menu and set it to 0 to hide the user and 1 to make it visible. So the code is a single liner. We create the Userlist, if it doesn’t exist, and make the new item property.
This code will make the user visable.
New-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList' -Force | New-ItemProperty -Name $Param1 -Value 1 -PropertyType DWord -Force
This code will make the user hidden.
New-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList' -Force | New-ItemProperty -Name $Param1 -Value 0 -PropertyType DWord -Force
Make sure to replace the Param1 with the username accordingly. After that you will need to reboot and should be good to go.
by David | Nov 22, 2020 | Help Desk, Information Technology, PowerShell
I hate it when I start up my PC and my number lock is turned off. Did you know you can set this to be automatic. Yep that’s right, automatic. Start up powershell as administrator and run the single line of code below. Then you should be set to go.
Set-Itemproperty -Path 'HKU:\.DEFAULT\Control Panel\Keyboard\' -Name 'InitialKeyboardIndicators' -Value '2'
Use wisely fellow admins.
by David | Nov 20, 2020 | Help Desk, Information Technology
A friend’s company turned on 2fa for their office 365. When people logged into office.com they were prompted to 2-factor authenticate with the system. Some choose to call in, some choose text, and others choose the app. It was doing good, but outlook gave them troubles. It turns out that office 2013 and office 2016 installs struggle with 2fa. However, there is salvation! A registry edit.
for office 2013:
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL
for Office 2016
HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL
Set this to a REG_DWORD of 1.
For more information, you can read all about it from the Microsoft documentation page:
https://docs.microsoft.com/en-us/microsoft-365/enterprise/modern-auth-for-office-2013-and-2016?view=o365-worldwide
by David | Oct 12, 2020 | Help Desk, Information Technology, PowerShell
Often times I am asked to give user a the same rights as user b. Since everything is setup with groups, this is easy to do. All I have to do is copy all the security groups to the new users. Normally I would use the command Get-ADPrincipalGroupMembership whoever, that has become less trust worthy over time for us. So I made a different approach.
$Groups = (Get-ADUser -Identity $SourceUser -Properties memberof).memberof -Replace '^cn=([^,]+).+$', '$1' | Sort-Object | ForEach-Object { (Get-ADGroup -Filter "name -like '$_'")}
The above command grabs the source users member of and filters it out for just the name. Then it loops through each and gets the group name. From here we can filter even farther to get the security and then loop those and added the single member making a one liner, but I want this thing to be bigger and better. A good function that can do distribution, security, universal, global and domain local groups to more than one single user with credentials or not. I want this thing to be nice. Here is the heart beat of the command:
foreach ($Target in $TargetUser) {
$Groups | ForEach-Object {
try {
if ($PSBoundParameters.ContainsKey('Credential')) {
Write-Verbose "Add $($_.Samaccountname) a $($_.GroupCategory.tostring()) a $($_.GroupScope.tostring()) to $Target"
Add-ADGroupMember -Identity $_.samaccountname -Members $Target -Credential $Credential
} else {
Write-Verbose "Add $($_.Samaccountname) a $($_.GroupCategory.tostring()) a $($_.GroupScope.tostring()) to $Target"
Add-ADGroupMember -Identity $_.samaccountname -Members $Target
}
} catch {
Write-Verbose "Failed to add $($_.Samaccountname) to $Target"
Write-Warning "$_ could not apply to $Target"
}
}
}
We target each user with this information. Then we add the group accordingly. So, how do you split the Security group vs Distribution group? We do this by using PSboundparameters and a Where-object group. So we declare a parameter in the parameter area and then ask if it is being used. If it is, we use the where object to search for the groupcategory.
$Groups = (Get-ADUser -Identity $SourceUser -Properties memberof).memberof -Replace '^cn=([^,]+).+$', '$1' | Sort-Object | ForEach-Object { (Get-ADGroup -Filter "name -like '$_'")}
if ($PSBoundParameters.ContainsKey('GroupCategory')) {$Groups = $Groups | Where-Object {$_.GroupCategory -like "$GroupCategory"}}
if ($PSBoundParameters.ContainsKey('GroupScope')) {$Groups = $Groups | Where-Object {$_.GroupScope -like "$GroupScope"}}
Lets put it all together shall we, so you can get back on with your day.
Function Copy-SHDUserGroupToUser {
[cmdletbinding()]
param (
[Parameter(
ValueFromPipeline = $True,
ValueFromPipelineByPropertyName = $True,
HelpMessage = "Enter a users Name",
Mandatory = $true)][String]$SourceUser,
[Parameter(HelpMessage = "Target User", Mandatory = $True)][string[]]$TargetUser,
[parameter(Helpmessage = "Group Category")][validateset("Security","Distribution")]$GroupCategory,
[parameter(Helpmessage = "Group Scope")][validateset("Universal","Global","DomainLocal")]$GroupScope,
[Parameter(HelpMessage = "Allows for custom Credential.")][System.Management.Automation.PSCredential]$Credential
)
$Groups = (Get-ADUser -Identity $SourceUser -Properties memberof).memberof -Replace '^cn=([^,]+).+$', '$1' | Sort-Object | ForEach-Object { (Get-ADGroup -Filter "name -like '$_'")}
if ($PSBoundParameters.ContainsKey('GroupCategory')) {$Groups = $Groups | Where-Object {$_.GroupCategory -like "$GroupCategory"}}
if ($PSBoundParameters.ContainsKey('GroupScope')) {$Groups = $Groups | Where-Object {$_.GroupScope -like "$GroupScope"}}
foreach ($Target in $TargetUser) {
$Groups | ForEach-Object {
try {
if ($PSBoundParameters.ContainsKey('Credential')) {
Write-Verbose "Add $($_.Samaccountname) a $($_.GroupCategory.tostring()) a $($_.GroupScope.tostring()) to $Target"
Add-ADGroupMember -Identity $_.samaccountname -Members $Target -Credential $Credential
} else {
Write-Verbose "Add $($_.Samaccountname) a $($_.GroupCategory.tostring()) a $($_.GroupScope.tostring()) to $Target"
Add-ADGroupMember -Identity $_.samaccountname -Members $Target
}
} catch {
Write-Verbose "Failed to add $($_.Samaccountname) to $Target"
Write-Warning "$_ could not apply to $Target"
}
}
}
}
Examples
Copy-SHDUserGroupToUser -SourceUser bobtheuser -TargetUser test1,test2,test3 -GroupCategory Security -GroupScope Global -Verbose
This will add all of bobtheuser’s global security groups to test1, test2, and test3 users and verbose the info out.
Copy-SHDUserGroupToUser -SourceUser bobtheuser -TargetUser test1,test2,test3
This will add all the bobtheuser’s groups to test1, test2, and test3.
by David | Oct 11, 2020 | Help Desk, Information Technology, PowerShell
Have you ever had trouble getting lockout information for a single user? The DCs have the logs, but getting them can be tough. The core idea is to use the Get-Winevent command to gather the logs needed. Doing this from a remote computer is time-consuming. However, using the Invoke-Command tends to speed things up. Inside this example, I am going to use something called Splatting. Splatting allows you to drop everything a command needs into a command quickly and easily by creating a hash table. Now, not all commands like splatting, so be aware of that. Here is the heart of the code:
$parameters = @{
ComputerName = $ComputerName
ScriptBlock = {
Param ($param1)
$FilterTable = @{
'StartTime' = $param1
'EndTime' = (Get-date)
'LogName' = 'Security'
'Id' = 4740
}
$Events = Get-WinEvent -FilterHashtable $FilterTable
foreach ($E in $Events) {
[pscustomobject]@{
Time = $E.TimeCreated
ID = $E.ID
DC = $E.Properties[4].value
SID = $E.Properties[2].value
Domain = $E.Properties[5].Value
Username = $E.Properties[0].value
Computer = $E.Properties[1].value
}
}
}
ArgumentList = $time
}
Invoke-command @Parameters
The first thing we are doing is creating the parameters that will be splatted. Just like a hashtable, it’s something = something. So the computer name is the Array computername. The computer name inside the Invoke-command can handle arrays. Making this much easier as we want the DCs.
Next is the script block. This is where the invoke-command will be executing everything from. We start off with a Param () block. It will get it’s input from the Argumentlist later. The Argumentlist is the variables we will be dropping into the command. In this case, it will be time. As in this script you can build your time based on how far back you want to search your logs.
Next is the filter table. The Get-winevent command likes hashtables. So we start off with our starttime, basically how far back we are going to go. Then the end time which is the time of execution. The Logname is the type, there is an application, security, system, and more. Since the lockouts are security, we choose security. Finally, we want the ID. For account lockouts, the ID is 4740. There is an online Encyclopedia for windows logs. (Link)
The Get-WinEvent command is followed by the FilterHashtable flag. We dump this into the events variable for sort throu. Now we search each Event in Events. We express this with an E because $event is a system variable and we don’t want to cause any issues. We want the time it was created. The ID, what DC it came from. The SID of the user. The Domain. The username of the user, and finally we want the calling workstation. Once all that is put together we splat it into the command Invoke-Command.
That is the heart, but not the power. This script allows you to call back from the day, hour, and minute back. If you don’t put in a input, it makes it a day for you. It also can target a single user or different computers. Finally it gives you the ability to use different credentials. Lets take a look at the parameters.
param (
[parameter(Helpmessage = "Username of target")][Alias('User', 'Samaccountname')][String[]]$Username,
[parameter(Helpmessage = "Days back")][int]$Day,
[parameter(Helpmessage = "Days back")][int]$Hour,
[parameter(Helpmessage = "Days back")][int]$Minute,
[parameter(Helpmessage = "Computers to target, default is domain controllers.")][Alias('Computer', 'PC')][String[]]$ComputerName = (Get-ADDomain).ReplicaDirectoryServers,
[Parameter(HelpMessage = "Allows for custom Credential.")][System.Management.Automation.PSCredential]$Credential
)
We first are looking for a list of usernames. Notice we don’t have to declare this variable. So, if we just want all the lockouts, we just don’t delcare it. This is done by using the PSBoundParameters.ContainsKey option. So, if the script sees the username is being used, it will follow this command.
if ($PSBoundParameters.ContainsKey('Username')) {
foreach ($user in $Username) {
$Return | Where-Object { $_.Username -like "$user" } | Sort-Object Time | Select-Object Username, Domain, SID, Time, Computer, PSComputerName
}
}
The next parameters are also optional. It is days, hour, and minutes back. So, you can state 1 day, 3 hours, and 2 minutes ago and it will find the times during starting at that moment forwarder. This is good if you plan to use this script as an auditor (what it was built for). How this is achived once again is the use of psboundparameters.containskey.
$time = Get-date
if ($PSBoundParameters.ContainsKey('Day')) { $time = ($time.AddDays( - ($day))) }
if ($PSBoundParameters.ContainsKey('Hour')) { $time = ($time.AddHours( - ($Hour))) }
if ($PSBoundParameters.ContainsKey('Minute')) { $time = ($time.AddMinutes( - ($Minute))) }
if (!($PSBoundParameters.ContainsKey('Day')) -and !($PSBoundParameters.ContainsKey('Hour')) -and !($PSBoundParameters.ContainsKey('Minute'))) {
$time = $time.AddDays( - (1))
}
We first declare the time with the current time/date. Then based on the input, we remove days, hours, or minutes from the current time. If there is no input, we tell time to remove 1 day. Depending on the size of your organization and how many logs you have, this can be useful. The $time will be used in the argumentlist.
Now we have the Computername parameter. If you have differentiating computers than your DCs that handles these logs, you can target them with this command. Otherwise, we grab the dc information with a single line of code.
(Get-ADDomain).ReplicaDirectoryServers
Finally we have the ability to add the credentials. Once you delcare the credentials, we add the credential flag to our splat. To do this we create a hashtable with a single item and add it to the parameter.
if ($PSBoundParameters.ContainsKey('Credential')) {
$parameters += @{Credential = $Credential }
}
Now, lets put all this together in a single script so you can copy it and move along with your day.
Function Get-SHDLockoutInfo {
[cmdletbinding()]
param (
[parameter(Helpmessage = "Username of target")][Alias('User', 'Samaccountname')][String[]]$Username,
[parameter(Helpmessage = "Days back")][int]$Day,
[parameter(Helpmessage = "Days back")][int]$Hour,
[parameter(Helpmessage = "Days back")][int]$Minute,
[parameter(Helpmessage = "Computers to target, default is domain controllers.")][Alias('Computer', 'PC')][String[]]$ComputerName = (Get-ADDomain).ReplicaDirectoryServers,
[Parameter(HelpMessage = "Allows for custom Credential.")][System.Management.Automation.PSCredential]$Credential
)
$time = Get-date
if ($PSBoundParameters.ContainsKey('Day')) { $time = ($time.AddDays( - ($day))) }
if ($PSBoundParameters.ContainsKey('Hour')) { $time = ($time.AddHours( - ($Hour))) }
if ($PSBoundParameters.ContainsKey('Minute')) { $time = ($time.AddMinutes( - ($Minute))) }
if (!($PSBoundParameters.ContainsKey('Day')) -and !($PSBoundParameters.ContainsKey('Hour')) -and !($PSBoundParameters.ContainsKey('Minute'))) {
$time = $time.AddDays( - (1))
}
$parameters = @{
ComputerName = $ComputerName
ScriptBlock = {
Param ($param1)
$FilterTable = @{
'StartTime' = $param1
'EndTime' = (Get-date)
'LogName' = 'Security'
'Id' = 4740
}
$Events = Get-WinEvent -FilterHashtable $FilterTable
foreach ($E in $Events) {
[pscustomobject]@{
Time = $E.TimeCreated
ID = $E.ID
DC = $E.Properties[4].value
SID = $E.Properties[2].value
Domain = $E.Properties[5].Value
Username = $E.Properties[0].value
Computer = $E.Properties[1].value
}
}
}
ArgumentList = $time
}
if ($PSBoundParameters.ContainsKey('Credential')) {
$parameters += @{Credential = $Credential }
}
$Return = Invoke-Command @parameters
if ($PSBoundParameters.ContainsKey('Username')) {
foreach ($user in $Username) {
$Return | Where-Object { $_.Username -like "$user" } | Sort-Object Time | Select-Object Username, Domain, SID, Time, Computer, PSComputerName
}
}
else {
$Return | Sort-Object UserName | Select-Object Username, Domain, SID, Time, Computer, PSComputerName
}
}
I hope you enjoy this little script and I hope it helps you grow your company. If you find any bugs, let me know. Thank you so much and have a great day!
by David | Sep 29, 2020 | Help Desk, Information Technology, PowerShell
We have multiple locations with backup hosted sites. These sites are designed to allow the end-user to access the information they need when the network is down. They are set up with a local database and some basic asp.net coding. However, the devices that communicate with the site must be able to go between multiple locations. This means no hard-coded links as the hosting device has a different name at each location. DNS might not be available as well. The chaos this brings! There is a solution though. Here are the requirements for the solution we created.
- The hosting server can be a different name, but the IP address must end in the same number. In our example, it is .5
- The IP address must be a /24 subnet.
- The /site.html must be the same across the board.
- For example, the site can be http://10.10.1.5/thissite.html at one location and be http://10.10.13.5/thissite.html at another.
lets look at the powershell script really quickly and break it down.
The Script
$IPaddress = (Get-NetIPConfiguration -Detailed | Where-Object {$null -ne $_.IPv4DefaultGateway})[0].ipv4address.ipaddress
Start-Process -FilePath 'C:\Program Files\Internet Explorer\iexplore.exe' -ArgumentList "https://$($IPaddress.split('.')[0]).$($IPaddress.split('.')[1]).$($IPaddress.split('.')[2]).5/login.aspx"
What we are doing with this script is grabbing a detailed report on all the network IP configurations on the local computer. By default, an active network will have a default gateway assigned to it. This can be statically assigned or it can be automatically assigned. Either way, it goes, it’s assigned.
To narrow down the results we use a where-object command to compare null to the IPv4DefaultGateway. If it is null, we don’t want it. If it isn’t, then we want it. After that, we ask for the first result using the [0]. Most companies use the first network as the main network and the second network as a backup. That’s what we do at our company. Also most of the time the second network is a wifi network.
Next, we Ask for the IPv4Address and ask for just the IP address with .IPv4Address.IpAddress. Once we have all that information, we place it into a variable.
Now it’s time to start IE. You can set the browser to whatever program you like, but for now, we are still using IE for grandpa’s coded sites. We do this using the Start-Process command. We tell start-process the file path. This is where you can set google chrome, a 64 bit, edge, etc… It doesn’t matter what the browser is, as long as you point to one.
The Argument List is an important factor here. We give the site information here. We start off with our “https:// Then we do magic. We $($IP.address.split(‘.’)[0]. The act of using two $ is very important inside a double-quoted string. The reason why is we are stating everything inside $() is it’s own thing. We can run different commands inside $() and the output will output at that point in the string. Thus we are breaking the IP address string down by the . and finding each array point. Then after we create that point, we finish it off with a . and start our next $(). We do this until we reach our last octet. Which will be whatever the default IP address is. Finally finishing off with the site name. In this example, login.aspx. Below is the start process part of the command. Take a close look at the argument list. Assume the IP address is 10.10.1.15. This would start a site looking at “https://10.10.1.5/login.aspx”.
Start-Process -FilePath 'C:\Program Files\Internet Explorer\iexplore.exe' -ArgumentList "https://$($IPaddress.split('.')[0]).$($IPaddress.split('.')[1]).$($IPaddress.split('.')[2]).5/login.aspx"
The final step is to set your lnk to open the PowerShell script with a -bypass flag. This way it will execute. Some companies do not allow PowerShell to execute. In that case, this script does not help. You can however use the match version of this script found below.
@echo off
for /f "usebackq tokens=2 delims=:" %%f in (`ipconfig ^| findstr /c:"IPv4 Address"`) do set "ip=%%f"
for /f "tokens=1-4 delims=. " %%a in ("%ip%") do (
set octetA=%%a
set octetB=%%b
set octetC=%%c
set octetD=%%d
)
start "CMD" /D "C:\Windows\System32\" /max "C:\Program Files\Internet Explorer\iexplore.exe" "https://%octetA%.%octetB%.%octetC%.5/login.aspx"
exit
Conclusion
The final idea is to have the link to point to an organic system that can read the current IP structure and point the link to the correct page. This will allow that single roaming device to find those local sites quickly assuming you have a pre-planned infrastructure in place.
