Remember who you are in a PowerShell window

So sometimes you run the same command so often that you want it to run every time you start a PowerShell window.

There are several profiles that can be loaded depending on how PowerShell is started, and there are also global profiles that apply to all users of a computer.

Variables:

  • $PROFILE.AllUsersAllHosts
  • $PROFILE.AllUsersCurrentHost
  • $PROFILE.CurrentUserAllHosts
  • $PROFILE.CurrentUserCurrentHost

AllHosts profiles run for every type of PowerShell host, both regular console and ISE sessions. CurrentHost profiles run only for that specific host, so you can have different settings for ISE and console sessions.

The basic structure for the profiles is:

  • Locations:
    • Current user: "$([Environment]::GetFolderPath('MyDocuments'))\WindowsPowerShell"
    • All users: "$($env:SystemRoot)\System32\WindowsPowerShell\v1.0\"
  • Filenames:
    • All hosts: profile.ps1
    • Console: Microsoft.PowerShell_profile.ps1
    • ISE: Microsoft.PowerShellISE_profile.ps1

Since I usually have more than one PowerShell window running at a time, with alternative credentials, I had a hard time remembering which window was which. Of course I could have just run "whoami", but that is also more work than needed. So I decided that placing the username in the title was the way to go. The profile is also a good place for other functions that you have written and call all the time.

powershell with domain-username
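An added example of such a profile snippet (not the post's own code): it reads the identity of the token the host runs under, which is the same answer whoami gives, and puts it in the title bar together with the host name so console and ISE windows can be told apart. Save it in whichever profile you want, for example $PROFILE.CurrentUserAllHosts.

```powershell
# Added example profile snippet, not the post's code: put DOMAIN\user of the
# account this window runs as into the title bar.
function Set-WindowTitleFromIdentity {
    # The identity of the process token, i.e. what whoami would print
    $Identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $Principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)
    $AdminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    $Title = $Identity.Name                            # DOMAIN\user
    if ($Principal.IsInRole($AdminRole)) {
        $Title += ' (elevated)'                        # token holds the Administrators group
    }
    # AllHosts profiles run in both console and ISE, so name the host as well
    $Title += " - $($Host.Name)"

    $Host.UI.RawUI.WindowTitle = $Title
    return $Title
}

# Run it every time the profile loads; drop the output so the profile stays quiet
Set-WindowTitleFromIdentity | Out-Null
```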

Using certreq to create selfsigned certificates

So sometimes you need to create self-signed certificates in Windows. Sometimes I have done it using the OpenSSL software, and Windows 2012 and later include PowerShell support for it with New-SelfSignedCertificate. But all versions of Windows include the binaries required to do it natively. It is a two-part thing: first create the INF file, then run certreq using that file.

It will create and sign the certificate. I'm not really sure why it also asks where to store the CSR (Certificate Signing Request), so I just close that dialog.

A super simple self-signed certificate

It does not get any simpler than this. It does not limit the intended purposes of the certificate, and the key size is not really good. Sure, we can make it better by adding some intended purposes and stronger cryptography.

A better self-signed certificate

But now and then we need the certificate to answer for multiple names, a so-called SAN certificate.

A SAN certificate
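An added example of the SAN variant, written here and not taken from the post: a PowerShell script that writes the certreq INF with a 2048-bit RSA key, SHA-256, key usage limited to server authentication and two DNS names in the SAN extension, then runs certreq. The host names, file paths and two-year validity are constructed values.

```powershell
# Added example, not the post's INF: self-signed SAN certificate via certreq.
# Host names and paths are constructed; run in an elevated PowerShell because
# the key goes into the machine store (MachineKeySet = TRUE).
$Inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=web.contoso.local"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
KeyUsage = 0xA0                 ; Digital Signature + Key Encipherment only
MachineKeySet = TRUE
Exportable = FALSE              ; private key stays on this machine
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = Cert              ; Cert = self-signed, no CA involved
ValidityPeriod = Years          ; only honoured for RequestType = Cert
ValidityPeriodUnits = 2
FriendlyName = "web.contoso.local (self-signed)"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1         ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"            ; Subject Alternative Name
_continue_ = "dns=web.contoso.local&"
_continue_ = "dns=www.contoso.local&"
'@

$InfPath = Join-Path $env:TEMP 'web-san.inf'
$CerPath = Join-Path $env:TEMP 'web-san.cer'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Second argument is the output file; without it certreq opens the save dialog
certreq -new $InfPath $CerPath

# Verify: the certificate is in the machine store and carries the SAN extension
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=web.contoso.local' } |
    ForEach-Object {
        $_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
            ForEach-Object { $_.Format($true) }
    }
```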

Sources

Technet – Certreq

Filter by installdate

I was once asked if you could apply a GPO to computers installed before a certain date. My first answer was the simple solution: create a group, add all computers that exist at that time to the group, and then filter on that group.

If possible, always do it the simple way, but they asked what would happen if a computer was reinstalled. Since the computer account will be reused, it will still be in the group, and this was a problem. So at this point we have to decide where to complicate things.

Do we want to complicate the task sequence and let it remove the computer from the group, or do we want to use a WMI filter on the GPO?

WMI filters have limitations: they require working WMI on the client, and they also require that the client is running at least Windows XP or Windows Server 2003 (who has anything older running anyway, right?). Using WMI we can create a simple filter that lets us target only computers that were installed or reinstalled after a certain date.

wmifilter - only olders installs

It is as simple as that.
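An added example, not the post's filter: a function that builds the WQL for such a filter (either side of the cut-off date, since the question was about older installs and the filter text about newer ones) and a check that runs the same query locally so you can see whether the GPO would apply to a machine before linking it. The cut-off date is constructed.

```powershell
# Added example, not the post's filter: WQL for a GPO WMI filter on the OS
# install date, plus a local test. The cut-off date below is constructed.
function New-InstallDateWql {
    param(
        [Parameter(Mandatory)][datetime]$CutOff,
        [switch]$OlderThan          # default: installed after the cut-off
    )
    # Win32_OperatingSystem.InstallDate is a DMTF datetime string such as
    # 20150301120000.000000+060, so a literal in the same layout compares cleanly.
    # A reinstall writes a fresh InstallDate, which is exactly what the reused
    # computer account in the group-based approach could not reflect.
    $Dmtf = $CutOff.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.000000+000'
    $Op = if ($OlderThan) { '<' } else { '>' }
    return "SELECT * FROM Win32_OperatingSystem WHERE InstallDate $Op '$Dmtf'"
}

function Test-InstallDateFilter {
    param([Parameter(Mandatory)][string]$Wql)
    # GPO WMI filters evaluate in root\CIMv2; a non-empty result means "apply"
    return [bool](Get-CimInstance -Namespace 'root\CIMv2' -Query $Wql)
}

# Filter text to paste into the GPO WMI filter, and a local dry run of it
$Wql = New-InstallDateWql -CutOff (Get-Date '2015-03-01')
$Wql
Test-InstallDateFilter -Wql $Wql
```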

An SQL deadlock while editing an AAD Connect synchronization rule

I ran into this issue when I was editing an AAD Connect synchronization rule. If you edit an AAD synchronization rule and set the same precedence as an already existing synchronization rule, you will get a SQL deadlock warning.

A deadlock occurred in SQL Server while trying to acquire an application lock.,Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncRuleCmdlet

When I did it, I made a copy of the original rule, then disabled the original and set the new duplicate to the same precedence as the original; that was a bad idea. So check with another precedence. And let this be a lesson.
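An added example, not from the post: the check that would have caught the collision before saving, using the ADSync module that AAD Connect installs. It lists any other rule already holding the requested precedence and can suggest the nearest free value in the custom range below 100. The rule name and precedence are constructed.

```powershell
# Added example, not the post's code: verify a sync rule precedence is unused
# before saving a rule with it. Assumes the ADSync module from AAD Connect.
Import-Module ADSync

function Test-ADSyncPrecedenceFree {
    param(
        [Parameter(Mandatory)][int]$Precedence,
        [string]$ExcludeRule        # the rule being edited may keep its own value
    )
    $Clash = Get-ADSyncRule | Where-Object {
        $_.Precedence -eq $Precedence -and $_.Name -ne $ExcludeRule
    }
    if ($Clash) {
        Write-Warning ("Precedence {0} is already used by: {1}" -f $Precedence, ($Clash.Name -join ', '))
        return $false
    }
    return $true
}

function Find-FreeADSyncPrecedence {
    # First unused value at or below $Start, staying in the custom range (below 100,
    # where the out-of-the-box rules do not live)
    param([int]$Start = 99)
    $Used = @((Get-ADSyncRule).Precedence)
    for ($p = $Start; $p -ge 1; $p--) {
        if ($p -notin $Used) { return $p }
    }
    return $null
}

# Constructed rule name and value; run this before saving the duplicate rule
Test-ADSyncPrecedenceFree -Precedence 90 -ExcludeRule 'In from AD - User Custom'
Find-FreeADSyncPrecedence -Start 90
```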

Remove old domain from Exchange objects

Most companies have domains in their Exchange that they aren't actively using but keep for legacy reasons. One of my customers wanted to clear out an old domain from all objects since they started to get spam on those addresses. So there are two simple solutions:

  1. Remove the domain from AcceptedDomains
  2. Remove the domain from EmailAddressPolicy / All objects

They chose to go down road 2. They have very few EmailAddressPolicies, so we agreed that they would clean out the policies themselves and I wrote a script to clean out the objects.

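An added example of the object clean-up, written here rather than taken from the post: it removes every secondary SMTP address in the old domain from all mailboxes, refuses to touch a mailbox whose primary address is still in that domain (that needs a new primary first), and supports a dry run. It assumes an Exchange Management Shell session and that the policies were cleaned first, as in the post; the domain name is a constructed placeholder.

```powershell
# Added example, not the post's script: strip proxy addresses in an old domain
# from all mailboxes. Assumes Exchange Management Shell; domain is constructed.
function Remove-OldDomainAddress {
    param(
        [Parameter(Mandatory)][string]$OldDomain,
        [switch]$DryRun
    )
    # Anchored so "old.example" does not also match "notold.example"
    $Pattern = '@' + [regex]::Escape($OldDomain) + '$'

    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $Mbx = $_
        # A primary address cannot simply be dropped; it needs a deliberate change
        if ($Mbx.PrimarySmtpAddress.ToString() -match $Pattern) {
            Write-Warning "$($Mbx.Alias): primary address is in $OldDomain, skipping"
            return
        }
        # Secondary smtp: entries in the old domain, as "smtp:user@old.example" strings
        $ToRemove = @($Mbx.EmailAddresses |
            Where-Object { $_.PrefixString -ieq 'smtp' -and $_.AddressString -match $Pattern } |
            ForEach-Object { $_.ProxyAddressString })
        if ($ToRemove.Count -eq 0) { return }

        Write-Host "$($Mbx.Alias): removing $($ToRemove -join ', ')"
        if (-not $DryRun) {
            Set-Mailbox -Identity $Mbx.Identity -EmailAddresses @{ Remove = $ToRemove }
        }
    }
}

# Constructed domain; look at the output with -DryRun before running for real
Remove-OldDomainAddress -OldDomain 'legacy.example' -DryRun
```

The same @{ Remove = ... } hashtable works with Set-DistributionGroup and Set-MailContact for the other recipient types the post's "all objects" covers.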

Replace characters in Exchange [Nordic]

I have seen in a few smaller companies that they turn off "Automatically update e-mail addresses based on e-mail address policy". Most reasons are really bad reasons. I have heard that they want all email addresses in lowercase, or that they think Microsoft shouldn't translate the Swedish character Ö to OE. But there is a perfectly good way to do this using the email address policy too.

Enter replacements

At the beginning of the row you can write which characters you want replaced: that you want every uppercase A to be lowercase, or that you want an Ö to become a regular O. So how do we do this? Using the magic of %r<In><Out>. I have a default one I use, but I needed to update it since I got a customer request that I thought was good for the future too. My default is now as follows:

Using the Windows built-in "PortProxy" to forward ports

I found a question on the Microsoft TechNet Forums: how can I forward connections for, for instance, Telnet (tcp/23) to a virtual machine?

Brian Komar had already given a correct answer, but since I am not really sure that the original poster understood the subtle difference between a proxy and forwarding of IP ports, I think it is important to also explain that you can use the PortProxy function built into Windows. It terminates the TCP session and opens a new session to the endpoint. This allows an end user to telnet to your machine and end up somewhere else.

Adding a portproxy to google

Required commands


Avoid setting up a domain trust for a single user's needs

I found a question on the Microsoft TechNet Forums: how can I allow a user to use ERP software in another domain without using his own credentials?

So this solution does not really give the local user account any rights, but it stores the remote domain username/password for the user, so the user doesn't get bugged for them all the time.

Using CMDKEY to add username-password for alternative domain


Find NetBIOS targets in a server-based DFS

A while ago I posted how to find NetBIOS names in domain-based DFS namespaces. Here is how to find NetBIOS targets on standalone DFS servers.

DFS-Standalone-Target-NetBIOS

Script


Cleaning out NetBIOS hostnames from your DFS namespaces

So you have been using DFS for a while and are happy. But you still get some complaints. In smaller companies you usually hear that employees have problems accessing the DFS from home on their own computers. In larger companies it is usually not allowed to use private computers anyway, but there you have the problem of partner or acquired companies having trouble with the DFS. So what is up?

The common problem is that you are still using hostnames instead of FQDNs. So why does that matter? It works great on my workstation. Most commonly, computers automatically try with the DNS suffix of the domain the computer is joined to. This works great for the employees' computers but not for others. So what is happening? Suppose we have a company called Contoso with a domain called contoso.local (I know it's bad to have a .local domain name). You request the DFS called \\contoso.local\dfs; you then contact the domain controllers in the contoso.local domain and get back which file servers are working as the root servers. If the response only contains NetBIOS names, the clients will try to append their DNS domain suffix (unless configured differently using GPOs), and a computer from another domain ends up looking for the wrong FQDN.

I was at a customer doing a brief DFS analysis. These are the scripts I ran to check the domain-based DFS, and these are some screenshots from a non-production environment:

DFS-Domain-Target-Netbios

DFS-Domain-Root-Netbios

Scripts:

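An added example serving both this post and the standalone-DFS post above (not the author's scripts): it walks the root targets and folder targets of a namespace with the DFSN cmdlets and reports every target whose server part is a bare NetBIOS name, i.e. contains no dot. It needs the DFSN module (RSAT / DFS Management tools); the namespace paths are constructed.

```powershell
# Added example, not the post's scripts: find DFS targets that point at bare
# NetBIOS names. Works for domain-based (\\contoso.local\dfs) and standalone
# (\\FS01\dfs) namespaces; both paths are constructed. Requires the DFSN module.
Import-Module DFSN

function Test-NetbiosUncPath {
    param([Parameter(Mandatory)][string]$Path)
    # Server part of \\server\share\...; a name without a dot is NetBIOS-only,
    # which clients outside the domain can only resolve by guessing a suffix
    if ($Path -match '^\\\\([^\\]+)\\') {
        return ($Matches[1] -notmatch '\.')
    }
    return $false
}

function Get-DfsnNetbiosTarget {
    param([Parameter(Mandatory)][string]$NamespacePath)
    $Found = @()
    # Root targets: the servers the DCs (or the standalone server) hand out for the root
    foreach ($Root in Get-DfsnRootTarget -Path $NamespacePath) {
        if (Test-NetbiosUncPath $Root.TargetPath) {
            $Found += [pscustomobject]@{ Kind = 'Root'; Link = $NamespacePath; Target = $Root.TargetPath }
        }
    }
    # Folder targets: every link in the namespace and the shares it points at
    foreach ($Folder in Get-DfsnFolder -Path "$NamespacePath\*") {
        foreach ($Target in Get-DfsnFolderTarget -Path $Folder.Path) {
            if (Test-NetbiosUncPath $Target.TargetPath) {
                $Found += [pscustomobject]@{ Kind = 'Folder'; Link = $Folder.Path; Target = $Target.TargetPath }
            }
        }
    }
    return $Found
}

# Domain-based namespace; use '\\FS01\dfs' for a standalone one
Get-DfsnNetbiosTarget -NamespacePath '\\contoso.local\dfs' | Format-Table -AutoSize
```

Each reported target is one to change to its FQDN with Set-DfsnRootTarget or Set-DfsnFolderTarget (add the FQDN target, then remove the NetBIOS one).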