Category: Scripts

Using PowerShell to install roles

So, you've got Server 2008 R2 installed as a base installation and you want to add a few roles to it. You can use PowerShell to do this.

I know you're asking "why, when I can go through a few menus and it's done?", but humour me and it may save you some time.

To work with roles in PowerShell you will need to open PowerShell (as an administrator, since role installs need elevated rights). Before you can start tapping out the commands for installing roles you need to load the Server Manager module, which is not imported by default on 2008 R2.

So to begin with you will need to type:

Import-Module ServerManager

After you have completed that you can then type:

Get-WindowsFeature

Which outputs a rather verbose list of every role and feature that can be installed on a Server 2008 R2 box (already installed ones are marked with an [X]). For a more sensible list that you can refer back to I would use:

Get-WindowsFeature > C:\features.txt

Which writes the output into a text file on the C: drive, which I find easier to work with.

Now the important bit: installing features with PowerShell. You install any role or feature listed by the command above by typing Add-WindowsFeature "Name", replacing "Name" with the value from the Name column of that feature (note: the Name, not the Display Name; the Display Name is the friendly text Server Manager shows and will not be accepted).

You can test the predicted result of installing a role or feature with the -WhatIf parameter: Add-WindowsFeature "Name" -WhatIf runs a simulated installation and shows what would happen, hopefully a positive outcome. It is also handy for finding out beforehand whether the role will need a reboot, so you know what downtime to schedule.

Now all this is fairly academic until you start thinking about multiple servers. If you are in a large organisation, or just somewhere that bought a few servers, clicking through the same menus X times suddenly seems a bit of a drag. What you have above is the ability to script role and feature installs on your servers. So, for instance, if you wrote the lines below in a text file, called it something.ps1 and pushed it out to the brand new servers, the roles would install themselves for you.

Import-Module ServerManager
Add-WindowsFeature "Name"

You can also add -Restart after the feature name to restart the computer afterwards if the install needs it.

Done correctly this can save you a good bit of time. Because it's PowerShell, you will have to allow scripts to run first: the default execution policy on 2008 R2 is Restricted, which blocks every script. Set-ExecutionPolicy RemoteSigned is enough for scripts you have written locally (it only demands a signature on scripts that came from the internet), so there is no need to go all the way to Unrestricted. If you do relax the policy further for a one-off, change it back once the scripts you wanted to run have completed.
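Putting the commands above together, here is an added example script (my own, not from the original post) that does the whole job in one go: it loads the module, checks that every requested feature name is a real one before touching anything, skips features that are already installed, supports a dry run via -WhatIf, logs the result of Add-WindowsFeature and reboots only when Server Manager reports that a restart is needed. The feature names, the log path and the script name are illustrative assumptions; replace them with the Name column values from your own features.txt.

```powershell
# Install-Roles.ps1 (added example, not the post's own script).
# Assumes Windows Server 2008 R2 with the ServerManager module; the feature
# names and log path below are illustrative. Run from an elevated PowerShell:
#   .\Install-Roles.ps1 -Simulate          # dry run
#   .\Install-Roles.ps1                    # real install
param(
    # Feature *Names* as shown by Get-WindowsFeature (not the Display Names).
    [string[]]$Features = @('Web-Server', 'Web-Mgmt-Console', 'Telnet-Client'),
    [string]$LogFile = 'C:\role-install.log',
    [switch]$Simulate
)

Import-Module ServerManager

# Index every known feature by Name so a typo fails before anything is touched.
$known = @{}
Get-WindowsFeature | ForEach-Object { $known[$_.Name] = $_ }
$unknown = @($Features | Where-Object { -not $known.ContainsKey($_) })
if ($unknown.Count -gt 0) {
    throw "Unknown feature name(s): $($unknown -join ', ')"
}

# Only install what is missing; already-installed features are left alone.
$todo = @($Features | Where-Object { -not $known[$_].Installed })
if ($todo.Count -eq 0) {
    "$(Get-Date -Format s) nothing to do, all requested features installed" |
        Out-File -FilePath $LogFile -Append
    exit 0
}

if ($Simulate) {
    # -WhatIf shows what would be installed and whether a restart would follow.
    Add-WindowsFeature -Name $todo -WhatIf
    exit 0
}

$result = Add-WindowsFeature -Name $todo
$installed = ($result.FeatureResult | ForEach-Object { $_.Name }) -join ','
"$(Get-Date -Format s) success=$($result.Success) restartNeeded=$($result.RestartNeeded) installed=$installed" |
    Out-File -FilePath $LogFile -Append

if (-not $result.Success) { exit 1 }

# Restart only when Server Manager says so; same effect as -Restart, but the
# log line above is written first so the reboot is explained.
if ($result.RestartNeeded -ne 'No') {
    Restart-Computer -Force
}
```

The object Add-WindowsFeature returns carries Success, RestartNeeded (No, Yes or Maybe) and FeatureResult, which is what the script logs; a non-zero exit on failure lets whatever pushed the script out (a scheduled task, a startup script, your deployment tool) notice that the box is not in the expected state. To see only what is already installed on a server, Get-WindowsFeature | Where-Object { $_.Installed } filters the long list for you.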

With a combination of scripts and your favourite distribution method you could shorten the time it takes to install the roles quite considerably thus giving you more time for Angry Birds which of course is always appreciated!

Script to remove admin rights pt2

It's been a while since I had a play with this script, but what I have discovered is that the software I used to find out who has admin rights also reports Power Users as administrators. Which I guess is actually a good thing; however, I did not expect to get quite as many hits for Power Users as I did.

I'll link all my old posts on the subject below so you can compare notes, but the script I have created now also needs to include:

net localgroup "Power Users" %username% /delete > "%userprofile%\pwrusr.txt"

and

Y:\BLAT\BLAT "%userprofile%\pwrusr.txt" -to email@address.com -server <smtp server IP> -f mail@address.com


Of course, if you don't want to be notified when these scripts run then you won't need the blat portion of the script, and if you really don't care whether the initial check script has run then I guess you could just push out a script along the lines of:

@echo off
c:
cd "%userprofile%"
if exist delusr1.txt (exit) else goto :Script

:Script
rem for removing admin privileges
net localgroup Administrators %username% /delete > "%userprofile%\delusr1.txt"
net localgroup "Power Users" %username% /delete > "%userprofile%\pwrusr.txt"
exit

This would run regardless and attempt to remove the locally logged-in user from the Power Users and Administrators groups. The redirection on the first net localgroup line creates delusr1.txt whether or not the removal succeeded, so the script runs once per user profile; delete that file if you want it to run again. Note that net localgroup needs administrative rights to change group membership, so it only succeeds while the user still has them, and on Vista/2008 or later with UAC enabled only from an elevated process (a logon script run under the user's filtered token gets "Access is denied"). It would need to be assigned to just standard users, though, as you do not want to assign the script to the administrators in your directory (be it AD, eDirectory or maybe OpenLDAP).

Again, this script is just the way I have chosen to do it. I am no expert in script writing (I really do need to figure out VBScript), so I'm sure there are better ways of doing this.


Admin Script pt1

Remove Admin Rights Scripts

We have been tightening up security at our place recently, which has prompted me to write a couple of simple scripts: one to find out who has local admin rights and another to take them away. I have again used a couple of tools to get the job done. One is isadmin.exe by Bill Stewart, which checks whether the locally logged-on user is a member of the Administrators group. The other is blat, a utility for sending SMTP email from the command line. I pipe the output to a text file and get the contents emailed to me, then use mail filters to sort the messages into either a box for admin users or a box for non-admin users.

That script is:

@echo off
rem script for discovering admin privileges
if exist c:\%nwusername%.txt (exit) else goto :check

:check
(drive letter):\admin\isadmin.exe > c:\%nwusername%.txt
(drive letter):\BLAT\BLAT c:\%nwusername%.txt -to (emailaddress.co.uk) -server (email server) -f (emailaddress.co.uk)

The bits in () you will obviously need to personalise for your environment. The marker file is named after the Novell user (%nwusername%, see the post below), so one person's marker does not stop the check running for the next person to log onto the same machine.

Once that has reported the results to me, any users who have admin permissions also get a script that removes them from the Administrators group. Again it's fairly simplistic:

@echo off
rem script for removing admin privileges
if exist c:\delusr.txt (exit) else goto :remove

:remove
net localgroup Administrators %username% /delete > c:\delusr.txt
echo %username% (Novell user %nwusername%) has been removed from the Administrators group >> c:\delusr.txt
(drive letter):\BLAT\BLAT c:\delusr.txt -to (emailaddress.co.uk) -server (email server) -f (emailaddress.co.uk)

So hopefully that will complete the removal of admin rights. I shall wait a week or two, then change the text file the first script looks for so that it runs again, and hopefully get no reports of people still with admin rights.

Now of course admin rights are generally given to users because of funky old applications that can't handle tightened permissions, so I expect there may be a bit of running around trying to find ways of fixing broken apps.
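As an added example serving both this post and the pt2 script above (it is my own, not the post's), here is the same check-and-remove logic in PowerShell, which on 2008-era machines means PowerShell 2.0: it reads local group membership through the WinNT ADSI provider instead of isadmin.exe, removes the logged-on workstation user from Administrators and Power Users, writes a marker file in the profile so it runs once, and can mail the report with Send-MailMessage in place of blat. The group list, file name, script name and mail settings are assumptions. Like the batch versions it only works while the user still has admin rights, and on a UAC-enabled system only from an elevated process.

```powershell
# Remove-LocalAdmin.ps1 (added example, not the post's own script).
# Assumptions: PowerShell 2.0 or later, local groups 'Administrators' and
# 'Power Users', marker file delusr1.txt in the profile, and the illustrative
# mail settings at the bottom. Must run with administrative rights, i.e. while
# the user still has them (elevated if UAC is on), or the Remove() call fails.
$groups = 'Administrators', 'Power Users'
$marker = Join-Path $env:USERPROFILE 'delusr1.txt'
$user   = $env:USERNAME
$domain = $env:USERDOMAIN            # same as the computer name for local accounts
$nwUser = $env:NWUSERNAME            # Novell client variable; empty elsewhere

if (Test-Path $marker) { exit 0 }    # already run for this profile

$report = @("$(Get-Date -Format s) host=$env:COMPUTERNAME user=$domain\$user novell=$nwUser")

foreach ($name in $groups) {
    $path = "WinNT://$env:COMPUTERNAME/$name,group"
    if (-not [ADSI]::Exists($path)) {
        $report += "group '$name' does not exist on this machine"
        continue
    }
    $group = [ADSI]$path
    # Members come back as COM objects; read each one's Name via reflection.
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($members -notcontains $user) {
        $report += "not a direct member of '$name'"
        continue
    }
    try {
        $group.Remove("WinNT://$domain/$user,user")
        $report += "REMOVED from '$name'"
    } catch {
        # 'Access is denied' here means the script is not running with admin rights.
        $report += "FAILED to remove from '$name': $($_.Exception.Message)"
    }
}

# The marker doubles as the report, like delusr1.txt in the batch version.
$report | Out-File -FilePath $marker

# Optional replacement for the blat line; addresses and server are placeholders.
# Send-MailMessage -From 'scripts@example.com' -To 'admin@example.com' `
#     -Subject "admin rights check: $env:COMPUTERNAME $user" `
#     -Body ($report -join "`n") -SmtpServer '192.0.2.25'
```

Two things worth knowing before relying on it: the membership test only sees direct members, exactly as net localgroup does, so a user who is an admin through a nested domain group is reported as "not a direct member" and left alone; and the report records the failure reason, so an "Access is denied" line in the mailbox tells you the script ran without the rights it needs rather than that the user was never an admin.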

One thing I must say again is how brilliant notepad++ is for creating and editing any kind of script file. If you need to write scripts I would recommend at least trying it out.

Novell username variable

Hi all,

Just a quick blog about a variable I discovered whilst writing a login script. I've been looking for ways to perform actions based on the user name, and came across the %nwusername% variable, which gives you the name of the logged-in Novell user on a computer. Those of you who work with Novell systems will know that the Novell network user is separate from the workstation user: normally you get a login for the network and then you are presented with the local user login as well. That gives you a problem if you use the %username% variable, as it will only tell you the workstation user and not the Novell user.

Anyway, I'll blog again shortly and post up the script I'm working on. Nothing fantastic, but I think it would be good if I can get it to work with blat so the script emails me when it has been run inside a user account.

Common ports for the 70-291 exam

Hi all,
Thought I would do a quick post about common ports for the 291 exam. These are worth memorising in case questions come up about them (IP filtering and firewall questions, I suppose, may ask about them).

So here's a small list of ports. I'm sure I will add to it as I read through my books. All ports are TCP unless otherwise specified.

FTP 20 (data) and 21 (control)
HTTP 80
HTTPS 443
DNS UDP 53 (and TCP 53 for zone transfers and large responses)
SMTP 25
POP3 110
PPTP 1723 (plus GRE, IP protocol 47, which is not a port)
L2TP/IPsec UDP 500 (IKE), UDP 1701 (L2TP) and UDP 4500 (NAT traversal); ESP is IP protocol 50, not a port
Kerberos 88, UDP and TCP

As you can see, a lot of these you should already know from the previous MS client exams, so there's not much else to memorise. But this may be a good starting point.

I would highly recommend creating your own list and printing them out and sticking them up in your office prior to taking the exam as it’s a great way of memorizing them (I used to do the same with min and recommended sys specs for the client and server exams).

TTFN

DHCP Relay Agent

Hi all,

Just thought I'd write a quick little ditty about the DHCP relay agent and some fun and games I've been having with it whilst studying.

My main network is 192.168.1.x/24; on it is my DC/DNS/DHCP server with a few other bits and bobs, plus my ADSL modem/router. On that network is a server called "rras" which has 2 NICs: one is 192.168.1.42 and the other is 172.16.10.2/16, which is connected to another virtual switch. The only thing connecting the 2 networks is the rras box. On the 172.16 side is one client PC. RRAS has been set up on the server and the DHCP relay agent has been added to the 172.16 card and pointed to my DHCP server at 192.168.1.8.
The DHCP server has 2 scopes, one for each subnet, all working fine. My ADSL modem/router also has a static route added to direct traffic bound for 172.16 to the 192.168.1.42 card. The "rras" server has also been added to the "rras and ias" group in Active Directory.

Now the thing that has been bugging me is that the client PC has not been picking up any IP addresses. When I ran Network Monitor on both network cards of the rras server I saw discover packets being sent by the client, I saw them popping out the other side of my network, and I also, sensibly enough, saw offer packets being sent back to the 192.168 card on rras. What I wasn't seeing was the offer packets popping out on the 172.16 subnet so that the DHCP process could continue.

This was really weird and I couldn't figure out why it wasn't working; then all of a sudden it seemed to kick in and started working. I couldn't tell you why it suddenly started working, other than that I had added the 172.16 scope to the DHCP server about an hour previously, so I don't know whether there is naturally a delay in the relay agent working with the DHCP server.

The other thing that I found a bit annoying in all my study material (3 books: MS Press, Exam Cram and Sybex) is that they don't say specifically which network card you should add the DHCP relay agent to. I assumed that it would need to go on the card attached to the subnet without a DHCP server, but it was not specified. So whilst I was having this trouble I was wondering if I needed to add the relay agent to both cards!? Luckily it started working before I had tried that out.

Encryption protocols

Just spotted this on the TechNet website, which gives a good brief summary of the encryption protocols that can be used with remote access (RRAS).

http://technet.microsoft.com/en-us/library/cc738300.aspx