Topics created by Grey

@grey said in Powershell: I got something wrong.:

@jaredbusch said in Powershell: I got something wrong.:

@grey Specify PasswordLastSet after the -and also otherwise it has no idea what you are trying to -lt.

Get-ADUser -filter {PasswordNeverExpires -eq $false -and (PasswordLastSet -gt "8/16/2017" -and PasswordLastSet -lt "8/21/2017") -and enabled -eq $true} -Properties PasswordLastSet,Name,Description

You win at the Internet today. I should have caught that.

I did enough time in development. I know how it goes.

Cant you just use the wsus console to view this information? It will tell you how many computers and which computers need/have a specific update applied.
I suppose you could take that page, find the query it uses and copy it.
Or just use the console.

@reid-cooper said in XByte sale on R510s:

@grey said in XByte sale on R510s:

Just ordered an R510 from them with 32g ram, eight 3tb drives and a pair of 2.13ghz processors. This will replace my 2950 (still running!!) with 16g ram, six 1tb drives with a pair of processors that are dreadful.

Nice little lab system.

Which one? The 2950 or the R510?

@grey This might help get you started. There are 2 types of change tracking for MS SQL. Pick the one most appropriate for your scenario.

https://docs.microsoft.com/en-us/sql/relational-databases/track-changes/track-data-changes-sql-server

Anybody have any kleenex? I can't see, my eyes are bleeding.

ROFL.

Sorry for the late response and thanks for reporting it on our community.

Thanks!

Import-Module activedirectory $target = Get-ADOrganizationalUnit -Identity "OU=Disabled Computer Accounts,OU=Space,DC=Domain,DC=com" $computers = Get-ADComputer -filter {(enabled -eq "false")} foreach ($name in $computers) { Move-ADObject $name -TargetPath $target -verbose }

Followup to above... this section would move the disabled computers to a 'disabled' OU.

@coliver said in Tricksy Parking Garages:

@rojoloco said in Tricksy Parking Garages:

@coliver It's actually a pretty cool town if you're there when spiceworld is not happening. Assuming you like tacos and BBQ, of course.

I've got family there. The food is amazing and we listened to a decent band at a dive bar close to their house.

I suppose the best plan is to avoid flaming Dr. Peppers and parking garages...

I would recommend a shared mailbox which can be used by licensed users.

Cool. Thanks for the input!

@momurda said in Does the LDAP role require RODC?:

@Grey Also, your description sounds like youre doing some sort of SSO or interdomain trust.

Sort of. The goal is to allow a cloud service to authenticate in our domain using ldaps, and I want to limit exposure.

@Grey said in Printer clustering?:

@scottalanmiller said in Printer clustering?:

@Grey said in Printer clustering?:

Yes, I'm aware of the load balancing. It's really neat! I wish this were so simple. I just need fail tolerance, but your idea of location based printing is a great idea, too.

DFS is not like fault tolerance, I think that's the confusion. If you just want HA print serving, use CUPS as the print server and make it HA however you like. Normal OS HA, VM HA, whatever.

Not using Linux.

Well just fix that, then. Why not?

I bet Ansible or Salt have options for it too.

@scottalanmiller said in Nethserver for FTPS/SFTP:

@alefattorini said in Nethserver for FTPS/SFTP:

It should work flawlessly, do you have any issue?

I guess a big question is, with Nethserver is.. does it "just work" or is there a setting that needs to be selected? Not sure if this is the default behaviour or not.

Mostly this. I haven't done anything with it yet and before I invest the time, I'd like to know if it possible and/or how difficult it is, especially since a co-worker claims that it did not and he went with IIS to get the same task done (and then he sat there cursing the whole day because he doesn't like Microsoft products).

@JaredBusch said in ICYMI Starcraft is now free:

Poor tech had no idea wtf to do to connect my server.

This hasn't changed.

@JaredBusch said in Default Domain Policy:

@dafyre said in Default Domain Policy:

@scottalanmiller said in Default Domain Policy:

@dafyre said in Default Domain Policy:

@JaredBusch said in Default Domain Policy:

@dafyre said in Default Domain Policy:

Server 2016 Default Policies located here:
http://france.wellston.biz/DefaultPolicies_Server2016.zip
MD5 Checksum: 708c92da241ae1c7163125d7cdf96299

Why not on a github or something?

Hindsight is 20/20, lol.

Why not NOW though?

Link fixed.

https://github.com/dafyre/default_gpo_policies/blob/master/DefaultPolicies_Server2016.zip

MD5 checksum is the same.

Issue created

Issue fixed. See updated link, https://github.com/dafyre/default_gpo_policies

That is alot but with the recent patches by Microsoft I should not be surprised.

@NerdyDad said in Creating users:

Try this out. It pops up with a command prompt to ask you a few questions to get started. Once the questions are answered, it takes care of most everything else. When it is done, it should spit out a piece of paper for you to give to the new employee with the information that they need.

I sterilized it so that you could use it in your company.

#Imports the AD & NTFS Modules (Module 1.02) Import-Module activedirectory Import-Module MSOnline #Sets Variables (Module 1.03) $fn #First Name $ln #Last Name $title $dep #Department $loc #Location $man #Manager $un #Username $officePhone $streetAdd $city $ZIP $fi #First Name Initial, will be used to figure out Username #Getting information (Module 1.04) Write-Host "I need some information from you first. Answer the following questions to get started." $fn = read-host "First Name?" $ln = Read-Host "Last Name?" $title = Read-Host "Title?" $dep = Read-Host "Department?" $man = Read-Host "Manager (Username)?" $loc = Read-Host "<location>?" #Finding out the Username (Module 1.05) $fi = $fn.Substring(0,1) $un = -join ($ln, $fi) #Sets Location information (Module 1.06) if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.07) $officePhone = "(999) 999-9999"; $streetAdd = "123 Anywhere Drive"; $city = "YourTown"; $ZIP = "12345"; } Else { #If the user is in Loc2 (Module 1.08) $officePhone = "(987) 654-3210"; $streetAdd = "987 Nothere Blvd"; $city = "Somewhere Else"; $ZIP = "98765"; } #Sets Password (Module 1.09) $passwd = (Read-Host -AsSecureString "Account Password") $password = ConvertFrom-SecureString -SecureString $passwd $userParams = @{ #(Module 1.10) 'Name' = $un; 'Enabled' = $true; 'AccountPassword' = $passwd; 'UserPrincipalName' = -join ($un, "@mycompany.com"); 'SamAccountName' = $un; 'ChangePasswordAtLogon' = $false; 'GivenName' = $fn; 'Surname' = $ln; 'DisplayName' = -join ($fn, " ", $ln); 'Description' = $title; 'OfficePhone' = $officePhone; 'StreetAddress' = $streetAdd; 'City' = $city; 'State' = "Texas"; 'PostalCode' = $ZIP; 'Title' = $title; 'Department' = $dep; 'Company' = 'MyCompany'; 'Manager' = $man; } #Creates the user in AD (Module 1.11) New-ADUser @userParams #Wait for the account to be created before doing anything else (Module 1.12) Start-Sleep -Seconds 10 #Makes the user's network drive, scan folder, and sets the permissions to their folders and files (Module 1.13) if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.14) New-Item -Name $un -ItemType directory -Path "\\server\folder\" #Creates users network drive New-Item -Name scans -ItemType directory -Path "\\server\folder\$un\" #Creates users scan folder } Else { #If the user is in Loc2 (Module 1.15) New-Item -Name $un -ItemType directory -Path "\\server\folder\" #Creates users network drive New-Item -Name scans -ItemType directory -Path "\\server\folder\$un" #Creates users scan folder } #Adds the user to the correct Security Group for permissions and other network drives if ($dep -eq "Accounting"){ #(Module 1.16) Add-ADGroupMember -Identity 'Accounting' -Members $un #(Module 1.17) } #Adds the user to the Accounting Group Elseif ($dep -eq "Customer Service") { #(Module 1.18) Add-ADGroupMember -Identity 'Customer Service' -Members $un #(Module 1.19) } #Adds the user to the Customer Service Group Elseif ($dep -eq "Executives") { #(Module 1.20) Add-ADGroupMember -Identity 'Executives' -Members $un #(Module 1.21) } #Adds the user to the Executives Group Elseif ($dep -eq "HR") { #(Module 1.22) Add-ADGroupMember -Identity 'Human Resources' -Members $un #(Module 1.23) } #Adds the user to the Human Resources Group Elseif ($dep -eq "Human Resources") { #(Module 1.24) Add-ADGroupMember -Identity 'Human Resources' -Members $un #(Module 1.25) } #Adds the user to the Human Resources Group Elseif ($dep -eq "IT") { #(Module 1.26) Add-ADGroupMember -Identity 'Domain Admins' -Members $un #(Module 1.27) } #Adds the user to the Domain Admins Group for IT Elseif ($dep -eq "Maintenance") { #(Module 1.28) Add-ADGroupMember -Identity 'MaintGroup' -Members $un #(Module 1.29) } #Adds the user to the Maintenance Group Elseif ($dep -eq "Production") { #(Module 1.30) Add-ADGroupMember -Identity 'Production' -Members $un #(Module 1.31) } #Adds the user to the Production GroupHR Elseif ($dep -eq "QA") { #(Module 1.32) Add-ADGroupMember -Identity 'QA Group' -Members $un #(Module 1.33) } #Adds the user to the QA Group Elseif ($dep -eq "Quality Assurance") { #(Module 1.34) Add-ADGroupMember -Identity 'QA Group' -Members $un #(Module 1.35) } #Adds the user to the QA Group Elseif ($dep -eq "Shipping") { #(Module 1.36) Add-ADGroupMember -Identity 'SHIP' -Members $un #(Module 1.37) } #Adds the user to the Shipping Group Else { #(Module 1.38) Add-ADGroupMember -Identity 'Domain Users' -Members $un #(Module 1.39) } #Dumps the user to the Domain Users Group $manfn = Get-ADUser $man -Properties Name | select Name #Gets the manager's name (Module 1.40) #Creates a report of the User's information $report = "Hello $fn $ln, From the IT Department, welcome to <MyCompany>. We are here to help you connect to the resources that you need for your job. If you need assistance with technology, please feel free to contact us at either the help page, which is set as your home page in Internet Explorer, email us at helpdesk@<MyCompany>.com, or call us at extension 4357. Below you will find your information so that you can login to the network and get started: Your username is domain\$un Your password is Your email address is $fn$ln@<MyCompany>.com Your phone number is $officePhone Ext. It is suggested that you change your password to something that you can remember but difficult enough that somebody else cannot figure out. The requirement is only 6 characters, but we do advise on making it longer, throw some numbers and special characters in there as well to make it stronger. Best advice would be to use a pass-PHRASE instead of a pass-WORD. Your computer should already be setup with your email loaded and your network drives. At <MyCompany>, we use Microsoft Outlook as the email client. Depending on what department you are in will depend on what drives you have available. Generally, everybody will have an F: drive and a G: drive. The F: drive is your network folder. Place in there the documents that you feel you cannot do your job without. In the F: drive will be a scan folder. When you go to the Xerox to scan in documents, then you will find them in your scan folder. The G: drive is a company-wide shared folder. As for your department drives, it would be best to talk with $($manfn.name), your supervisor/manager, about the nature and uses of these drives. The use of the equipment and resources provided are a privilege to you for use and should not be taken advantage of. There are measures set in place that allows us to manage the network. Do not assume that there is any personal privacy on this network. The only privacy that you can assume is for the nature of your work. All information (including emails, documents, spreadsheets, pictures, etc.) contained on the equipment provided and on the network is the sole property of Standard Meat Company. If you have problems with your equipment or network resources, please feel free to ask. We do not mind helping, but we cannot help if we do not know, so please ask! Sincerely, Your IT Department" if ($loc -eq "Loc1") { #(Module 1.43) Write-Output $report | Out-Printer } Else { #(Module 1.44) Write-Output $report | Out-Printer \\server\'Xerox WorkCentre 4260' } #Waiting for AD & Azure to Synchronize, which synchronizes every 30 minutes (Module 1.45) Write-host "Waiting..." Start-Sleep -Seconds 1800 #Connect to O365 and licenses the user Connect-MsolService #(Module 1.46) Set-MsolUserLicense -UserPrincipalName (-join($un,'@<MyCompany>.com')) -AddLicenses #(Module 1.47) #Connects to the Exchange box, creates the users email account, then disconnects from the Exchange box $mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -AllowRedirection -Authentication Basic -Credential $cred #(Module 1.48-Part 1) Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null #(Module 1.48-Part 2) enable-Mailbox -Identity $un -Alias $un -DisplayName (-join($fn,$ln)) #Creates the users mailbox (Module 1.49) IF ($dep -eq "Executives") { #(Module 1.50) Set-Mailbox (-join($un,'@<MyCompany>.com')) -ProhibitSendQuota 19.5GB -ProhibitSendReceiveQuota 20GB -IssueWarningQuota 19GB #Sets the mailbox size in Exchange Online so that the user isn't using all 50 GB of storage (Module 1.51) } #If they are an executive, then they get 20 GB of mailbox space elseif ($dep -eq "IT") { #(Module 1.52) Set-Mailbox (-join($un,'@<MyCompany>.com')) #(Module 1.53) } #IT gets the full mailbox, of course else { #(Module 1.54) Set-Mailbox (-join($un,'@<MyCompany>.com')) -ProhibitSendQuota 9.5GB -ProhibitSendReceiveQuota 10GB -IssueWarningQuota 9GB #Sets the mailbox size in Exchange Online so that the user isn't using all 50 GB of storage (Module 1.55) } #Otherwise, everybody else gets 10 GB of mailbox space Remove-PSSession -Session $mail #Disconnects from the Exchange box (Module 1.56)

This is a great script, especially if you have users frequently cycling in and out of the company. Also a good base to expand from, or customize to make it fit many environments.

Something that stuck out in the script for me was that the homeDirectory AD attribute wasn't being used (unless I missed it). When you set that, AD automatically does permissions appropriately for the users home drive or home directory. It works well with DFS or DFSR.

Edit: I use the following format for "homeDirectory": \\DOMAIN\Namespace\HomeDrives\%username%
Path can be whatever works, above is just what happens to be for that case.