powershell

Telling somebody to “Use Powershell” is all fine and dandy.    Telling me it’s easy is wonderful too…

But… uh… where do I start?

As a Network Administrator there are tasks we perform on a regular basis.   The fine details overall change for each one of us, but I believe personally there are just some things we’re ALL asked to do.

Now I’m going to be referring to a set of tools from Quest software called the ActiveRoles Management Shell for Active Directory when working with Pre Server 2008R2 environments and the newer built in ones from Microsoft.  Which should you use?  The choice is obvious. 

If you have at least one Server 2008R2 controller in your Active Directory, I highly recommend the newer ones if you have the option.   All of the management is done through ports 80 / 443 since they leverage WS-Man (Web Services Management).  Failing that, the free Cmdlets from Quest will allow you to manage even a Server 2000 Domain from your workstation.

GET-HELP Obiwan

The most powerful Cmdlet in Windows Powershell (In my lowly opinion) is GET-HELP

Within Windows Powershell if you need Help on a Particular Cmdlet you need only key in

GET-HELP Cmdlet; # For basic help

You’ll also have three additional options to work with.

GET-HELP Cmdlet –detailed; # Detailed instructions about the Cmdlet

GET-HELP Cmdlet –examples; # Sample code of how to use the Cmdlet

GET-HELP Cmdlet –full; # the WHOLE uninhibited manual for the Cmdlet

GET-HELP Cmdlet –online; # Brings you DIRECTLY to the Technet site with the current docs and COMMUNITY support

Example

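GET-HELP NEW-ADUSER -examples; # Sample code, shown in the console

GET-HELP NEW-ADUSER -online; # Opens the online docs (-online cannot be combined with -examples)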

Trying to learn “about” something in Powershell?  Here’s a built in list of manuals that go into programming, looping and some beefier (and sometimes not so beefy) goodies.

GET-HELP about_*

This gives you a complete list of topics.   I highly recommend using the Windows Powershell ISE and pressing F1 for help.  For new Windows Powershell users, it may be an easier way to find what you need… and print it.

What’s Available here?

Knowing what is available to you in a particular Windows Powershell session is key to knowing how to play and extend it.

GET-MODULE –listavailable

Will show you what modules are presently installed on your PC.   You can easily add ANY of them in using

IMPORT-MODULE ‘ModuleName’

GET-COMMAND

Will display all the available CmdLets, Functions, Aliases you can use.   But often we really need a more “controlled” list.  With that you can filter the list to more manageable chunks.   We can break it down to a list of Cmdlet, Function or Alias with this single line

GET-COMMAND –commandtype Cmdlet

GET-COMMAND –commandtype Function

GET-COMMAND –commandtype Alias

You can even break that list down by Module or Snapin

GET-COMMAND –commandtype Cmdlet –module ActiveDirectory

Or break the list down FURTHER showing only a particular type of Cmdlet

GET-COMMAND –commandtype Cmdlet –module ActiveDirectory GET*

or just find Cmdlets that match a particular word

GET-COMMAND –commandtype Cmdlet –module ActiveDirectory *USER*

Knowing what is available to you is sometimes half the trick.  NOW for the fun stuff.

Disabling Users

The head of HR comes bursting in your door screaming to quickly disable the VP in Division X because an Audit has turned up some nasty details about their new “Fund Management Scheme”.   No panic for you when you simply execute a

# Quest
DISABLE-QADUSER ‘Mister X’

# Microsoft
DISABLE-ADACCOUNT –identity ‘Mister X’

Or perhaps it’s that entire division at Contoso that needs to be disabled?

# Quest
GET-QADUSER –Searchroot ‘Contoso.local/Divisions/X/Users’ | DISABLE-QADUSER

# Microsoft
GET-ADUSER –filter ‘*’ –SearchBase ‘OU=Users,OU=X,OU=Divisions,DC=Contoso,DC=local’ | DISABLE-ADACCOUNT
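Here is how I would run that division-wide disable when the pressure is on, as an added example that is not part of the original post. It assumes the Microsoft ActiveDirectory module; the record file path is hypothetical. It records who was enabled beforehand, previews with -WhatIf, and only then disables.

```powershell
# Added example. Requires the Microsoft ActiveDirectory module.
Import-Module ActiveDirectory

$ou     = 'OU=Users,OU=X,OU=Divisions,DC=Contoso,DC=local'   # OU used in the article
$record = 'C:\Foldername\DivisionX-enabled-before.csv'        # hypothetical path

# 1. Record which accounts are enabled right now. Accounts that were already
#    disabled are left out, so a later rollback will not switch them back on.
$targets = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou
if (-not $targets) {
    Write-Warning "No enabled user accounts found under $ou"
    return
}
$targets |
    Select-Object SamAccountName, DistinguishedName |
    Export-Csv -Path $record -NoTypeInformation

# 2. Preview: -WhatIf prints what would be disabled and changes nothing.
$targets | Disable-ADAccount -WhatIf

# 3. Disable for real once the preview matches what HR asked for.
$targets | Disable-ADAccount

# 4. Verify: this returns nothing when every account in the OU is disabled.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou |
    Select-Object SamAccountName

# Rollback, if the audit clears them: re-enable only the recorded accounts.
# Import-Csv -Path $record |
#     ForEach-Object { Enable-ADAccount -Identity $_.DistinguishedName }
```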

Checking Group Membership

You’ve just taken over as the Administrator for a company and need to know who has Domain Admin access?  or any other group?

# Quest
GET-QADGROUPMEMBER ‘Domain Admins’

# Microsoft
GET-ADGROUPMEMBER ‘Domain Admins’

But you say, “Hey, I have auditors that need that information in their hands now!”  Well then!  Just export that into a CSV (Comma Separated Value file)

# Quest
GET-QADGROUPMEMBER 'Domain Admins' | Export-CSV C:\Foldername\DomainAdmins.csv

# Microsoft
GET-ADGROUPMEMBER 'Domain Admins' | Export-CSV C:\Foldername\DomainAdmins.csv
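For the auditors, a fuller version of that export, as an added example that is not part of the original post. It assumes the Microsoft ActiveDirectory module. It goes a step beyond the one-liner by expanding nested groups and adding the account details an auditor usually asks for next.

```powershell
# Added example. Requires the Microsoft ActiveDirectory module.
Import-Module ActiveDirectory

$group  = 'Domain Admins'
$report = 'C:\Foldername\DomainAdmins.csv'   # path from the article; the folder must exist

# Without -Recursive, a group nested inside Domain Admins shows up as one
# line and the people inside it stay hidden. -Recursive returns the leaf
# members, so indirect admins are listed too.
Get-ADGroupMember -Identity $group -Recursive |
    # Groups like this can also hold computer or service accounts;
    # Get-ADUser only handles user objects, so filter first.
    Where-Object { $_.objectClass -eq 'user' } |
    # Pull the extra properties that are not returned by default.
    Get-ADUser -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Select-Object Name, SamAccountName, Enabled,
                  LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Sort-Object Name |
    # -NoTypeInformation keeps the "#TYPE ..." header line out of the CSV.
    Export-Csv -Path $report -NoTypeInformation

# Quick look at the result: enabled admin accounts whose password never expires.
Import-Csv -Path $report |
    Where-Object { $_.Enabled -eq 'True' -and $_.PasswordNeverExpires -eq 'True' } |
    Select-Object Name, SamAccountName, PasswordLastSet
```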

Unlocking Users

You say your biggest challenge is the 5% of the people who tie up support with 98% of the lockouts and need to be resolved now? Ha! Piece of cake

# Quest
UNLOCK-QADUSER ‘John Smith’

# Microsoft
UNLOCK-ADACCOUNT –identity ‘John Smith’

But wait.  Did a whole division of users from Division X have a really big party at lunch and NEED to all be unlocked NOW?  Shame on them but, hey! No challenge!

# Quest
GET-QADUSER –Searchroot ‘Contoso.local/Divisions/X/Users’ | UNLOCK-QADUSER

# Microsoft
GET-ADUSER –filter ‘*’ –SearchBase ‘OU=Users,OU=X,OU=Divisions,DC=Contoso,DC=local’ | UNLOCK-ADACCOUNT

Reset Passwords

Fred Flintstone from accounting has locked himself out! It’s the end of his world (and your day) if he can’t log into his computer.

# Quest

# READ-HOST without -assecurestring echoes the password on screen as you type it
$NEWPassword=READ-HOST 'New Password:'
GET-QADUSER 'Fred Flintstone' | SET-QADUSER -USERPASSWORD $NEWPassword -Usermustchangepassword $TRUE

# Microsoft
$NEWPassword=READ-HOST ‘New Password:’  -assecurestring
SET-ADAccountPassword –identity ‘Fred Flintstone’ –Reset –NewPassword $NEWPassword
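The Microsoft lines above reset the password but, unlike the Quest version, do not make Fred change it at next logon or clear the lockout. Here is the complete sequence as an added example that is not part of the original post; it assumes the Microsoft ActiveDirectory module, and 'fflintstone' is a hypothetical sAMAccountName.

```powershell
# Added example. Requires the Microsoft ActiveDirectory module.
Import-Module ActiveDirectory

# -Identity accepts a sAMAccountName, distinguished name, GUID or SID.
$sam = 'fflintstone'   # hypothetical sAMAccountName for Fred Flintstone

# Confirm you have the right account before touching it.
Get-ADUser -Identity $sam -Properties LockedOut |
    Select-Object Name, SamAccountName, Enabled, LockedOut

# -AsSecureString keeps the temporary password off the screen and
# out of the console history.
$newPassword = Read-Host 'New Password' -AsSecureString

# Reset the password (no knowledge of the old one required).
Set-ADAccountPassword -Identity $sam -Reset -NewPassword $newPassword

# Force a change at next logon so the help desk's temporary password
# stops being valid as soon as Fred signs in.
Set-ADUser -Identity $sam -ChangePasswordAtLogon $true

# Clear the lockout so he can actually log in.
Unlock-ADAccount -Identity $sam

# Verify: LockedOut should be False and PasswordExpired True
# (the account is flagged for a mandatory change).
Get-ADUser -Identity $sam -Properties LockedOut, PasswordExpired |
    Select-Object Name, LockedOut, PasswordExpired
```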

Quickly Pull BIOS Information

Yes, I’m certain you have that new $50,000 inventory system that does everything…. What?  Everybody doesn’t?

Built into every Windows Powershell console is the ability to run WMI Queries EASILY.   Here’s a quick take away for you right now.  Need to know some BIOS details of a remote PC?

GET-WMIOBJECT Win32_BIOS -computername 'nameofcomputer'

Now how about if that computer is a DELL system?

(GET-WMIOBJECT Win32_BIOS -computername 'nameofcomputer').SerialNumber

But did you need to get that information for a series of computers in your Active Directory?  Enter the Power of Shell to query All the service Tags in mysterious Division X

# Quest
GET-QADCOMPUTER -searchroot 'Contoso.local/Division/X/Computers' | FOREACH { (GET-WMIOBJECT Win32_BIOS -computername $_.Name).SerialNumber }

# Microsoft
GET-ADCOMPUTER -filter '*' -searchbase 'OU=Computers,OU=X,OU=Division,DC=Contoso,DC=Local' | FOREACH { (GET-WMIOBJECT Win32_BIOS -computername $_.Name).SerialNumber }

Check status of Drive Space Remotely

Here’s one I would have loved to have had in the field.   A Free utility to check the free space of a drive in Windows.  Thanks to Powershell and WMI, another free feature

GET-WMIOBJECT Win32_LogicalDisk -computername 'nameofcomputer' | Where { $_.DriveType -eq '3' -and $_.Size -ne $NULL } | Select-Object Size,Freespace,DeviceID

Easily Search File Structures

Windows Powershell is not only great for managing users, but Files as well.    Been trying to quickly find all those silly “Lock” and Temp files in a file System?  Would you like a safe way to TRY removing them without damage? Windows Powershell has the GREATEST option of all.  Any “Destructive” Cmdlet can run the parameter “-WHATIF”.  “WHATIF” I do this “WHAT” will it do?  

With that option it’s a one-liner in Windows Powershell!

GET-CHILDITEM H:\ -recurse -include *.tmp,~*.* | REMOVE-ITEM -whatif

and if you’d like to automatically crush the garbage?  Now that you’re certain you did it right?

GET-CHILDITEM H:\ -recurse -include *.tmp,~*.* | REMOVE-ITEM

What’s installed on my computer?

Windows Powershell can directly read the Registry as easily as a Filesystem.   There are ways to even access remote registries (provided you have the needed permissions, of course).  But with ONE LINE I can have Windows Powershell show me what’s installed on a computer

get-childitem Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall | foreach {(get-itemproperty -Path $_.PsPath -Name DisplayName -erroraction SilentlyContinue).DisplayName }

But who needs to key THAT in everytime?   In Windows Powershell I can define a NEW Cmdlet all my own!

function global:GET-APPLICATION {

get-childitem Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall | foreach {(get-itemproperty -Path $_.PsPath -Name DisplayName -erroraction SilentlyContinue).DisplayName }

}

And now that’s a new Cmdlet I can run

GET-APPLICATION

———————————————————

Now here’s the fun part. 

I have only TOUCHED on the TEENIEST bit of what’s available to do in Powershell.  These are lines I PERSONALLY find useful.  The true Power of Windows Powershell is always defined by YOU.  

There are Modules and Cmdlets defined for just about every key Microsoft Windows Server product from SQL Server, Exchange to Office 365 and Azure.   Windows Powershell is as well probably THE MOST COMMUNITY DRIVEN technology from Microsoft.  

This means that the COMMUNITY is helping Microsoft to tune and improve the product to better meet its customers’ needs as we are the best representation of what the Customer NEEDS and WANTS.   So feel free to take a drive on the “Highway to Powershell”.  Take these lines and make them useful for yourself however you can.   Also take note of some amazing resources for Windows Powershell, especially the BEST one of all, The Technet Script Center, home of “Hey Scripting Guy”, Dr. Scripto, the Technet Script Repository and the Technet Scripting Forums!

Best of all?  Just search online with “Powershell” and what you’re trying to achieve!  Check out other amazing sites like the Powerscripting Podcast and PoshCode.  Tweet your questions with #powershell as a hashtag.

Most importantly, dive in and FEEL the Power of Shell with Powershell.   It’s all defined by YOU.

Sean
The Energized Tech