the life of a System Administrator

As an administrator I would of course never forget to delete a computer account , but if someone else should forget it quite a lot of orphaned accounts would exist in the Active Directory over time. So how would one detect accounts that hasn’t been used for a while? Well, again the answer is PowerShell. With this simple, little script below you are able to choose the age of the accounts you want displayed. Of course you could easily edit the script so it deleted the accounts right away by using Remove-QADObject. You could also use the Get-QADUser cmdlet to search for user accounts instead of computer accounts.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

Add-PSSnapin -name Quest.ActiveRoles.ADManagement
 
$searchRoot = "domain.local/Workstations"
$age = 60 # in days
 
$accounts = Get-QADComputer -IncludedProperties LastLogonTimeStamp -SearchRoot $searchRoot | Sort-Object -Property LastLogonTimeStamp -Descending
$today = Get-Date
 
foreach( $account in $accounts )
{
    if( $account.LastLogonTimeStamp -eq $null )
    {
        Write-Host $account.Name "last logon: Never"
    }
    else
    {
        $res = $today - $account.LastLogonTimeStamp
        $days = $res.Days
 
        if( $days -gt $age )
        {
            Write-Host $account.Name "last logon:" $days "days ago"
        }
    }
}

One thing is certain when you assign space to mailboxes. If the user is assigned 100MB she will use it, if the user is assigned 1000MB, she will use it. Unlike in Exchange Server 2003 you are not able to retrieve a list that displays the mailbox size from the Exchange Server 2007 management console. The script below displays the 50 largest mailboxes in your organization in descending order. Simply edit the script to reflect your needs.

1
2
3

Add-PSSnapin -name Microsoft.Exchange.Management.Powershell.Admin
 
Get-MailboxStatistics -Server "server"  | Sort-Object -Descending TotalItemSize | ft displayname,totalitemsize,ItemCount,StorageLimitStatus | Select-Object -first 50

Environment: The server is Windows Server 2008 Standard Edition x64 with WDS installed. Microsoft Deployment Toolkit 2010 is installed on the server and Windows Automated Installation KIT (AIK) aswell. MDT 2010 can be downloaded here.

If you are used to RIS or WDS, you know that these services gives you the opportunity to set a “New client naming policy” and also where to place the client account for the workstation during deployment. When you work with MDT things are a little different since you generate a Lite Touch WIM image and add that as a boot image in WDS. By doing this you only use WDS for PXE boot and download the WIM image. After that the client moves on and WDS is no longer needed by the client. At this stage deployment hasn’t really begun yet so setting a client naming policy and/or the OU in which you want the new computer account to be created does not have any affect at all. Chances are that if you have already tried to deploy a workstation using MDT, you are already familiar with the random computernames that are generated by MDT. I have googled quite a lot wihtout any luck finding a good solution. I wanted a solution which named the workstations automatically say WKS001, WKS002 etc. If a computeraccount would be removed from Active Directory the computername should be available for a new workstation.

The computernaming can be handled quite easily with a PowerShell script. However the default security configuration of PowerShell will not let you run the script from a network share. Also in order to be able to rename the workstation in question I would have to get around UAC.

To get around UAC during deployment I had to be a little creative. I created an Organizational Unit in Active Directory and blocked inheritance. Besides linking my WSUS policy to the OU (since I want to be able to install Microsoft patches during deployment), I also created a GPO that would deactivate UAC and lower the PowerShell security settings so I could easily execute my scripts and other commands/programs during the process. The following GPO settings were the ones I used:

GPO Settings

And just to visualize how it could look like in the Group Policy Management MMC:

So now that script and program execution is ready, the next step is to configure MDT to deploy the computers into the “Deploying” Organization Unit we just created. To do this open the ”Deployment Workbench” and open the Task Sequence you are using. Under the “OS Info” tab click  ”Edit Unattended.xml” button. This will open the answer file for your OS installation and here you will be able to configure which OU in which you want computer account to be created. In the “Answer File” windows browse to Unattend –> Components –> 4 specialize –> x86_Microsoft-Windows-UnattendedJoin_neutral –> Identification. In the “Identification Properties” window there is a setting called “MachineObjectOU”. Enter the “distinguishedName” of the Organizationl Unit. To find the “distinguishedName” just open “Active Directory Users and Computers” –> right clik the Organizational Unit and choose “Properties”. Next open the “Attribute Viewer” tab.

Now it is time to introduce the script that does all the work. I know it could be a bit more sofisticated, but it works. Remember to change the prefix of computer account and the OU to search in so it fits your needs. The script simply browses through the OU and looks for computer account with a specific prefix, in this case “PC”. Lets say 3 computer accounts are found: PC001, PC002, PC004. The script will discover that PC003 is not in use and will assign this name to the new computer. Of course this will be unsuccessfull if PC003 is located somewhere else in Active Directory. In that case you will have to modify the script. If the script doesn’t fine any available account names it will just select the next in line e.g. PC005. In this case I saved the script as “ComputerRename.ps1″ in the “Script” directory of my deployment share.

function GetComputerList($TargetDn)
{
# Locates all computer accounts that begins with "PC"
# Change the value for your needs
 ${tFilter} = ‘(&(objectClass=computer)(cn=PC*))’
 ${Searcher} = New-Object System.DirectoryServices.DirectorySearcher $tFilter
 ${Searcher}.SearchRoot = “LDAP://${TargetDn}”
 ${Searcher}.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
 # Page size default in Active Directory is 1000
 ${Searcher}.PageSize = 1000
 $Results = $Searcher.FindAll()
 return $Results
}

# Change OU path for you needs
$computers = GetComputerList("OU=Workstations,DC=yourdomain,DC=local")
$current  = 0
$previous = 0
$new_name = $null

# Run through search result
foreach( $computer in $computers )
{
    $cn = "" + $computer.Properties['cn']
    $current = [int]$cn.Substring(6)

    # Check for avialable computername
    if( $current.CompareTo($previous+1).Equals( 1 ) )
    {
        $new_name = $previous+1
        break # no need to search anymore
    }

    $previous = $current
}

# If no available computername use next in line
if( !$new_name )
{
    $new_name = $current+1
}

# Prefix number with 0's if needed
if( $new_name.CompareTo(10).Equals(-1) )
{
    $new_name = "00" + $new_name
}
elseif( $new_name.CompareTo(100).Equals(-1) )
{
    $new_name = "0" + $new_name
}

# Prefix name with constant
# Change the constant "PC" for your needs
$new_name = "PC" + $new_name
$new_name

# Do rename
$oComputerSystem = Get-WmiObject win32_computersystem
$oComputerSystem.Rename( $new_name )

The last thing to do is to make sure the script will be executed as part of the Task Sequence. Again open the “Deployment Workbench” and the Task Sequence you are using. Click “Add” –> “General” –> “Run Command Line”. Give the task a name e.g. “Computer Rename”. In the “Command Line” textbox enter the following command and set it up so it runs under an account that has the appropiate rights to rename a computer account:

powershell.exe "%SCRIPTROOT%\RenameComputer.ps1"

Hope this was usefull.

OK, here’s the first funny story I want to publish.

In the summer 2009 I had prepared two new, great servers – HP DL380 G6 with 2 Xeon E5520 @ 2.26GHz, 32GB RAM and disk enclosure filled with 146GB 15K SAS disks for each server. They were going to run Exchange 2007 in a CCR configuration for high availability. Since the old configuration was a 32 bit environment with 2 DL380 G4 servers in an old Veritas cluster configuration I was expecting outstanding performance and that’s what I got but one of my users wasn’t so satisfied.

I spent more than 14 hours (no sleep) on migrating data and were quite satisfied when it was over. I didn’t get any errors or ran into any unexpected problems. Of course I instructed my users to contact me directly if they were experiencing any problems that would be related to the recent migration. Of course I got a few calls because OWA had changed etc., nothing big. However after a day or two a not so satisified user called me. Here’s the conversation.

User: Hi. Since you made those changes to our system my Internet is very slow.
Me: What changes are you referring to (surely he couldn’t be referring to the exchange migration).
User: Well, you made those changes to the e-mail system the other day. www.krak.dk is taking more than 7 minutes to load on my computer.
Me: OK, that sounds strange.
User: Yeah, it started right after you made the change so I’d like you to change it back as this is unacceptable.
Me: I’m pretty sure this has nothing to do with the changes I made to the e-mail system.
User (insisting): Well, I’m pretty sure that it has. You must admit that it is strange this happens right after you have made those changes.
Me: Yeah, you know what. I’m gonna have to look into this and we’ll call you back within the hour. OK?
User: OK, thank you.

I asked a supporter to call back and let him know the background of the call. We had a good laugh, but how should the user know any better? . I didn’t hear from the user again, so I guess they figured it out.

Prerequisites: ActiveRoles Management Shell for Active Directory must be installed on the host running this script.

As mentioned in my post “Detect Orphaned HomeDirectories and Roaming Profiles” I was given the task to migrate data from one file server to the other. Since the paths to homedirectories and roaming profiles would change I needed to come up with a solution to change the paths of hundreds of users. Of course the solution would be a powershell script.

First I want to load the snappin so I don’t have to open the ActiveRoles Management Shell everytime I want to run the script.

Add-PSSnapin -name Quest.ActiveRoles.ADManagement

Next I want to fetch the users from Active Directory. This is done with the ‘get-QADUser’ cmdlet.

$users = Get-QADuser -SearchRoot 'mydomain.local/Users' -SizeLimit 0 | Sort-Object Name

This will return an array of all the users in the searchroot (it also searches in subcontainers). I’m piping the result to the ‘Sort-Object’ cmdlet as I want to sort the array by the names of the users.

Now that the users have been fetched from Active Directory all that is left to do is to run through the array, change the different paths, and commit the changes to Active Directory.

for( $i = 0; $i -lt $users.length; $i++ )
{
    $oldHomeDirectory = ""
    $oldProfilePath = ""
    $oldTsHomeDirectory = ""
    $oldTsProfilePath = ""

    $user = $users[$i]

    if( $user.HomeDirectory -ne $null ) # only if HomeDirectory is filled in
    {
        $oldHomeDirectory = $user.HomeDirectory
        $user.HomeDirectory = $user.HomeDirectory -replace "\\\\server01\\homedirectories\$", \\server02\homedirectories$
    }
    if( $user.ProfilePath -ne $null ) # only if ProfilePath is filled in
    {
        $oldProfilePath = $user.ProfilePath
        $user.ProfilePath = $user.ProfilePath -replace "\\\\server01\\profiles\$", \\server02\profiles$
    }
    if( $user.TsHomeDirectory -ne $null ) # only if TsHomeDirectory is filled in
    {
        $oldTsHomeDirectory = $user.TsHomeDirectory
        $user.TsHomeDirectory = $user.TsHomeDirectory -replace "\\\\server01\\homedirectories\$", \\server02\homedirectories$
    }
    if( $user.TsProfilePath -ne $null ) # only if TsProfilePath is filled in
    {
        $oldTsProfilePath = $user.TsProfilePath
        $user.TsProfilePath = $user.TsProfilePath -replace "\\\\server01\\tsprofiles\$", \\server02\tsprofiles$
    }
    ...
}

The loop runs through the array and does a ‘search and replace’ on the user attributes I want to change. If you want to change anything else, here’s where you want to add it. Just type “get-QADUser -?” to see all the attributes you can change. Also I’m saving the paths in a new set of variables before I change them. The only reason for this is that I want to use them for output e.g. to a log file. The last thing to do is simply to commit the changes and write some output lines for logging purposes.

$user.commitchanges()
$user.DisplayName + " (" + $user.sAMAccountName + ") updated"
"HomeDir:`t"       + $oldHomeDirectory +   " >> " + $user.HomeDirectory
"ProfilePath:`t"   + $oldProfilePath +     " >> " + $user.ProfilePath
"TsHomeDir:`t"     + $oldTsHomeDirectory + " >> " + $user.TsHomeDirectory
"TsProfilePath:`t" + $oldTsProfilePath +   " >> " + $user.TsProfilePath
"----------------------------------------------"

Here’s the entire script: Bulk Attribute Change of Users in Active Directory