Changing DNS IP Addresses on interfaces remotely

Hi,

After removing a domain controller from a domain recently I had to remove the old DNS IP address from all the clients.

For DHCP clients this is fairly easy and just needs to be updated on the DHCP server; however, statically set IP settings are not so straightforward.

First let's get a list of computer objects we are interested in (you can customize this to your requirements)…

$day = (Get-Date).AddDays(-14)
$comps = get-adcomputer -Filter {OperatingSystem -like "*Server*" -AND Lastlogondate -gt $day}

This will list all server OS machines last logged in within 2 weeks. It will show their IP and their DNS server search scope. This is just used to gather information and can be customized as needed.

ForEach ($comp in $comps) {
    $comp.Name
    $temp = get-wmiobject -class Win32_NetworkAdapterConfiguration -filter "IPEnabled = 'True'" -ComputerName $comp.Name @PSBoundParameters
    $temp.ipaddress
    $temp.DNSServerSearchOrder
}

I would recommend reviewing the list manually and confirming which servers you need to change. To change a single server, first set your new DNS server list,

$ips = "192.168.1.1","192.168.1.2"

Then this line will change one computer.

(get-wmiobject -class Win32_NetworkAdapterConfiguration -filter "IPEnabled = 'True'" -ComputerName COMPUTER1 @PSBoundParameters).SetDNSServerSearchOrder($ips)

Alternatively you can simply change all machines (I would avoid changing domain controllers and any machines that are getting their DNS settings from DHCP)

ForEach ($comp in $comps) {
    (get-wmiobject -class Win32_NetworkAdapterConfiguration -filter "IPEnabled = 'True'" -ComputerName $comp.Name @PSBoundParameters).SetDNSServerSearchOrder($ips)
}

If you have a list of names in an array of strings,

$comps="COMPUTER1","COMPUTER2","COMPUTER3"

Then change the command to remove the .Name like so,

ForEach ($comp in $comps) {
    (get-wmiobject -class Win32_NetworkAdapterConfiguration -filter "IPEnabled = 'True'" -ComputerName $comp @PSBoundParameters).SetDNSServerSearchOrder($ips)
}

Hopefully that will help someone.
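
An added example, not part of the original post: a dry-run-first variant that touches only statically configured adapters, swaps just the retired address and reports the WMI return code. The function name Update-StaticDnsServer, the retired address 192.168.1.3 and the computer names are assumptions.

```powershell
# Added example: Update-StaticDnsServer and the sample addresses are hypothetical.
function Update-StaticDnsServer {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$RetiredDns,
        [Parameter(Mandatory)][string]$ReplacementDns,
        [switch]$Apply   # without -Apply nothing is changed, only reported
    )
    foreach ($computer in $ComputerName) {
        # Static adapters only; DHCP clients get the new list from the DHCP server
        $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
            -Filter "IPEnabled = 'True' AND DHCPEnabled = 'False'" `
            -ComputerName $computer -ErrorAction SilentlyContinue
        if (-not $adapters) {
            Write-Warning "${computer}: unreachable or no static IP-enabled adapter"
            continue
        }
        foreach ($adapter in $adapters) {
            $current = @($adapter.DNSServerSearchOrder)
            if ($current -notcontains $RetiredDns) { continue }
            # Swap the retired address in place, keep the order, drop duplicates
            $new = @($current | ForEach-Object {
                if ($_ -eq $RetiredDns) { $ReplacementDns } else { $_ }
            } | Select-Object -Unique)
            $code = $null
            if ($Apply) {
                # ReturnValue 0 = success, 1 = success but reboot required
                $code = $adapter.SetDNSServerSearchOrder($new).ReturnValue
            }
            [pscustomobject]@{
                Computer    = $computer
                Adapter     = $adapter.Description
                OldOrder    = $current -join ','
                NewOrder    = $new -join ','
                ReturnValue = $code   # stays empty on a dry run
            }
        }
    }
}

# Dry run: review the output, then repeat with -Apply
Update-StaticDnsServer -ComputerName 'COMPUTER1','COMPUTER2' `
    -RetiredDns '192.168.1.3' -ReplacementDns '192.168.1.2'
```

Keeping the dry-run output gives a record of the previous search order for each adapter if a change has to be rolled back.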


SCCM deploy files to user profiles when running as system

Work in progress

install.ps1

$loggedInUserName = get-wmiobject win32_computersystem | select username
$loggedInUserName = [string]$loggedInUserName
$loggedinUsername = $loggedInUserName.Split("=")
$loggedInUserName = $loggedInUserName[1]
$loggedInUserName = $loggedInUserName.Split("}")
$loggedInUserName = $loggedInUserName[0]
$loggedInUserName = $loggedInUserName.Split("\")
$loggedInUserName = $loggedInUserName[1]

New-Item -Force -ItemType Directory -Path "C:\Users\$loggedInUserName\AppData\Roaming\Makerbot\MakerbotPrint"
Copy-Item -Force -Path $PSScriptRoot\user_config.json -Destination "C:\Users\$loggedInUserName\AppData\Roaming\Makerbot\MakerbotPrint\user_config.json"

Disable MakerBot Print login prompt (Enterprise Deployment)

Copy this file to the user profile folder %appdata%\Makerbot\MakerbotPrint

Filename: user_config.json

{
  "converterConfig": {
    "no_structure_formats": [
      "stl",
      "wrl",
      "obj"
    ],
    "no_stl_formats": [
      "stl"
    ],
    "extension_units": {},
    "supported_representations": [
      "stl",
      "wrl"
    ]
  },
  "myPrinters": [],
  "lastSelectedPrinter": "",
  "isIntegratedCard": true,
  "appWinState": {
    "width": 1200,
    "height": 800,
    "maximized": false
  },
  "makerbot": {
    "requireLogin": false
  }
}

Search Active Directory for Delegated Access

Before starting this process you need to run the following lines,

Import-Module ActiveDirectory
Set-Location AD:

This command will find all OUs whose ACL contains a non-inherited entry for the account DOMAINNAME\ACCOUNTNAME. It does not show the actual permissions, only where to look to modify or remove the access if required.

$OUs = Get-ADOrganizationalUnit -Filter *
ForEach ($OU in $OUs) {
    IF ($Rights = (get-acl $OU).Access | Where {$_.IsInherited -eq $False -AND $_.IdentityReference -eq "DOMAINNAME\ACCOUNTNAME"}) {
        Write-Host $OU
    }
}

This code will list all objects from the domain that have delegated access on an OU.

$list = @()
$OUs = Get-ADOrganizationalUnit -Filter *
ForEach ($OU in $OUs) {
    $list += ("---$OU---")
    $list += ($Rights = (get-acl $OU).Access | Where {$_.IsInherited -eq $False -AND $_.IdentityReference -like "DOMAINNAME\*"} | Select IdentityReference)
}
$list

Or something that can be saved as a CSV.

$list = @()
$OUs = Get-ADOrganizationalUnit -Filter *
ForEach ($OU in $OUs) {
    # $($OU.DistinguishedName) is needed so the property, not just $OU, is expanded inside the string
    $list += ($Rights = (get-acl $OU).Access | Where {$_.IsInherited -eq $False -AND $_.IdentityReference -like "DOMAINNAME\*"} | % {"""$($OU.DistinguishedName)"","+$_.IdentityReference})
}
$list > C:\Temp\ADDelegation.csv
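
An added example, not part of the original post: the commands above show only where an account appears, so this variant also records what each non-inherited ACE grants and flags Allow entries that give control of the OU or its ACL. The function name Get-OUDelegation, the DOMAINNAME\* pattern and the output file name are assumptions.

```powershell
# Added example: Get-OUDelegation is a hypothetical helper, not from the original post.
Import-Module ActiveDirectory

function Get-OUDelegation {
    param(
        # Wildcard matched against each ACE's IdentityReference (placeholder domain)
        [string]$IdentityPattern = 'DOMAINNAME\*'
    )
    # Rights that let the trustee take over the OU or rewrite its ACL
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $highRisk = $R::GenericAll, $R::GenericWrite, $R::WriteDacl, $R::WriteOwner

    foreach ($ou in (Get-ADOrganizationalUnit -Filter *)) {
        # Explicit AD: provider path, so the current location does not matter
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            if ($ace.IdentityReference.Value -notlike $IdentityPattern) { continue }

            $risky = $false
            if ($ace.AccessControlType -eq 'Allow') {
                foreach ($right in $highRisk) {
                    # Flag only when every bit of the high-risk right is granted
                    $mask = [int]$right
                    if (([int]$ace.ActiveDirectoryRights -band $mask) -eq $mask) { $risky = $true }
                }
            }
            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Identity   = $ace.IdentityReference.Value
                Type       = $ace.AccessControlType     # Allow or Deny
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType            # all-zero GUID = not limited to one attribute or right
                AppliesTo  = $ace.InheritanceType
                HighRisk   = $risky
            }
        }
    }
}

# Export-Csv quotes the fields, so commas inside distinguished names are safe
Get-OUDelegation | Sort-Object HighRisk -Descending |
    Export-Csv C:\Temp\ADDelegation-Rights.csv -NoTypeInformation
```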

Use powershell to stop connections to stuck RDS server

When an RDS server in a cluster is partially running but not allowing the broker to remotely manage it, the Server Manager console gets stuck waiting for the server to respond and you cannot manage your cluster.

Use the following commands to disable connections to an RDS server that is not allowing logins to complete. (simple but handy to know in a hurry)

NOTE: you must run powershell as administrator or these commands do not function.

Import-Module RemoteDesktop
Set-RDSessionHost servername.domain.local -NewConnectionAllowed "No"

I have found that the Server Manager GUI has trouble displaying the new state of the server. Sometimes a refresh of the page helps and sometimes I have to close and reopen the console to see the updated state.

Managing remote processes with Powershell

This is to manage remote processes on a server that is not allowing you to log in due to high CPU on a process.

Invoke-Command servername {Get-Process}

Example to look for chrome processes

Invoke-Command servername {Get-Process chrome}

Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ComputerName
------- ------ ----- ----- ----- ------ -- ----------- ------------
    254     39  93252 104076  852    12.97  21204 chrome servername
    238     24  38156  49512  759     1.17  21380 chrome servername
    223     20  23184  27044  731     0.25  22012 chrome servername
    399     48  87928 112292  382    11.02  22444 chrome servername
    544     80 293940 328044 1137 34509.08  22576 chrome servername

The last line with the large number for CPU is the cause of the issue.

This command will kill the offending process with ID 22576

Invoke-Command servername {Stop-Process -ID 22576 -Force}

This command will kill all chrome processes

Invoke-Command servername {Get-Process chrome | Stop-Process -Force}

After that the server was responsive again.

Powershell script to enable Allow New Connections for all RDS servers

This will enable “Allow New Connections” for all servers in all collections.  Handy when you disable logins for troubleshooting and forget to enable them again.  I have configured this to run at 5am each morning on our broker server.

Server Manager can sometimes not display the updated values until it is closed and reopened so keep that in mind. Generally it updates with a simple refresh.

Import-Module RemoteDesktop
ForEach ($CollectionName in Get-RDSessionCollection) {
    ForEach ($HostToEnable in (get-rdsessionhost -collectionname $CollectionName.CollectionName | where {$_.NewConnectionAllowed -ne "Yes"})) {
        $HostToEnable
        Set-RDSessionHost $HostToEnable.SessionHost -NewConnectionAllowed "Yes"
    }
}

If you would like to continue to block logins to a specific server that may be in long term diagnostics or maintenance you could either disable the script temporarily (as in change the start date in the scheduled task to some time in the future) or add a line to the end of the code such as,

Set-RDSessionHost servername.contoso.com -NewConnectionAllowed "No"

In a static environment a script such as the following would work,

Set-RDSessionHost servername1.contoso.com -NewConnectionAllowed "Yes"
Set-RDSessionHost servername2.contoso.com -NewConnectionAllowed "Yes"
Set-RDSessionHost servername3.contoso.com -NewConnectionAllowed "Yes"
#The following server is in maintenance
Set-RDSessionHost servername4.contoso.com -NewConnectionAllowed "No"

Updated version that sends an email message when a change has been made.

$MailSubject = "RDS Enable Login Script"
$MailServer = "Mail.contoso.local"
$MailTo = "support@contoso.com.au"
$MailFrom = "support@contoso.com.au"
$MailBody = "The following servers were detected as having their logins disabled and have been automatically set to allow logins again:"

Import-Module RemoteDesktop
ForEach ($CollectionName in Get-RDSessionCollection) {
    foreach ($HostToEnable in (get-rdsessionhost -collectionname $CollectionName.CollectionName | where {$_.NewConnectionAllowed -ne "Yes"})) {
        # <br> line breaks, because the message is sent with -BodyAsHtml
        $Output += "<br>" + $HostToEnable.SessionHost
        Set-RDSessionHost $HostToEnable.SessionHost -NewConnectionAllowed "Yes"
    }
}

# Only send mail when at least one host was changed
If ($Output -ne $null) {
    $MailBody += $Output + "<br><br>This script runs on server $($env:computername) under the credentials of $($env:UserName)"
    Send-Mailmessage -To $MailTo -From $MailFrom -Body $MailBody -Subject $MailSubject -SMTPServer $MailServer -BodyAsHtml
}

Update Environment Tab in AD with Powershell

This code will go through AD and find any users who have the tick boxes

“Connect client drives at logon”
“Connect client printers at logon”
“Default to main client printer”

unticked, and set them to ticked.

The value may not exist on every account if the settings have not been changed, so there will be errors for those accounts, but these accounts will show these values as ticked if checked manually.

Get-ADUser -Filter * -SearchBase "OU=Users,DC=Contoso,DC=Com" | Foreach {
    $User = [adsi]("LDAP://" + $_.distinguishedname)
    Write-Host $_.distinguishedname

    If ($User.InvokeGet("ConnectClientDrivesAtLogon") -eq 0) {
        Write-Host "Changing ConnectClientDrivesAtLogon for $($_.distinguishedname)"
        $User.InvokeSet("ConnectClientDrivesAtLogon",1)
        $User.setinfo()
    }

    If ($User.InvokeGet("ConnectClientPrintersAtLogon") -eq 0) {
        Write-Host "Changing ConnectClientPrintersAtLogon for $($_.distinguishedname)"
        $User.InvokeSet("ConnectClientPrintersAtLogon",1)
        $User.setinfo()
    }

    If ($User.InvokeGet("DefaultToMainPrinter") -eq 0) {
        Write-Host "Changing DefaultToMainPrinter for $($_.distinguishedname)"
        $User.InvokeSet("DefaultToMainPrinter",1)
        $User.setinfo()
    }
}

List computers in AD with LastLoginTimestamp

List Workstation OS computers,

get-adcomputer -filter {OperatingSystem -notlike '*server*'} -Properties OperatingSystem,LastLogonTimestamp | Sort LastLogonTimestamp | Select Name,OperatingSystem,@{Name='LastLogonTimestamp'; Expression={[DateTime]::FromFileTime($_.LastLogonTimestamp).ToString("dd/MM/yyyy")}}

List Server OS computers,

get-adcomputer -filter {OperatingSystem -like '*server*'} -Properties OperatingSystem,LastLogonTimestamp | Sort LastLogonTimestamp | Select Name,OperatingSystem,@{Name='LastLogonTimestamp'; Expression={[DateTime]::FromFileTime($_.LastLogonTimestamp).ToString("dd/MM/yyyy")}}