Archive

Archive for the ‘Active Directory’ Category

Information Gathering via PowerShell Script Pt. 1

May 13th, 2009
1 comment

Here is a simple PowerShell script I wrote to gather either computer, group, or user information depending on your choices. This could easily be done with much simpler scripts, but I wanted to use it as more of a learning process in order to better understand AD queries, variable expansion, functions, and other PowerShell features.

# Function Definition: fnPause
Function fnPause ($message="Press any key to continue...")
	{
		Write-Host -NoNewLine $Message
		$null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
		Write-Host ""
		Main_Menu
	}
 
# Function Definition: fnADSearchMenu 
Function fnADSearchMenu
{
	# Display Welcome Message
	Clear-Host
	"Active Directory Search Script v1.0"
	"Created By: Richard Raseley (Richard@Raseley.com)"
	" "
 
	# Display Top Level Menu Question
	"What type of Active Directory object would you like to search for?"
 
	# Display Top Level Menu
	$MenuTopLevel = 
	'
	[1] User(s)
	[2] Group(s)
	[3] Computer(s)
	[4] Exit 
 
	Choice'
 
	# Define Logic for Top Level Menu
	switch (Read-Host $MenuTopLevel)
	{
		1 {fnUserSearchMenu}
		2 {fnGroupSearchMenu}
		3 {fnComputerSearchMenu}
		4 {Exit}
		default {"You have chosen an invalid option"; fnPause; fnADSearchMenu}
	}
}
 
# Function Definition: fnUserSearchMenu
Function fnUserSearchMenu
{
	# Display User Search Menu Question
	" "
	"What type of user information would you like?"
 
	# Display User Search Menu
	$MenuUserSearch =
	'
	[1] Summary of all users in the current domain
	[2] Return to the main menu
 
	Choice'
 
	# Define Logic for User Search Menu
	switch (Read-Host $MenuUserSearch)
	{
		1 {
		  	#Define LDAP Filter
			$LDAPFilter = "(objectCategory=User)"
 
		  	#Call fnADSearchExecute
		  	fnADSearchExecute
		  }
		2 {
	    	fnADSearchMenu
		  }
		default {"You have chosen an invalid option"; fnPause; fnADSearchMenu}
	}
}
 
# Function Definition: fnGroupSearchMenu
Function fnGroupSearchMenu
{
	# Display Group Search Menu Question
	" "
	"What type of group information would you like?"
 
	# Display Group Search Menu
	$MenuGoupSearch =
	'
	[1] Summary of all groups in the current domain
	[2] Return to main menu
 
	Choice'
 
	# Define Logic for Group Search Menu
	switch (Read-Host $MenuGoupSearch)
	{
		1 {
			# Define LDAP Filter
			$LDAPFilter = "(objectCategory=Group)"
 
			#Call fnADSearchExecute
			fnADSearchExecute
		  }
		2 {
			fnADSearchMenu
		  }
		default {"You have chosen an invalid option"; fnPause; fnADSearchMenu}
	}
}
 
# Function Definition: fnComputerSearchMenu
Function fnComputerSearchMenu
{
	# Display Computer Search Menu Question
	" "
	"What type of computer information would you like?"
 
	# Display Group Search Menu
	$MenuComputerSearch =
	'
	[1] Summary of all computers in the current domain
	[2] Return to main menu
 
	Choice'
 
	# Define Logic for Group Search Menu
	switch (Read-Host $MenuComputerSearch)
	{
		1 {
			# Define LDAP Filter
			$LDAPFilter = "(objectCategory=Computer)"
 
			#Call fnADSearchExecute
			fnADSearchExecute
		  }
		2 {
			fnADSearchMenu
		  }
		default {"You have chosen an invalid option"; fnPause; fnADSearchMenu}
	}
}
 
# Function Definition: fnADSearchExecute
Function fnADSearchExecute
{
	# Define AD Search Filter
	$strFilter = "$LDAPFilter"
 
	# Define AD Location for Search
	$objDomain = New-Object System.DirectoryServices.DirectoryEntry
 
	# Define AD Search Parameters
	$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
	$objSearcher.SearchRoot = $objDomain
	$objSearcher.PageSize = 1000
	$objSearcher.Filter = $strFilter
	$objSearcher.SearchScope = "Subtree"
 
	# Define AD Properties Returned by Search
	$colProplist = "name"
	foreach ($i in $colProplist){$objSearcher.PropertiesToLoad.Add($i)}
 
	# Execute AD Search
	$colResults = $objSearcher.FindAll()
 
	# Format AD Search Results
	foreach ($objResult in $colResults)
	{
		$objItem = $objResult.Properties
		"Name: " + $objItem.name
		" "
	}
}
 
# Call ADSearch Menu Function
fnADSearchMenu

Richard Active Directory, PowerShell , ,

Deny Logoff of an Administrator Logged in to the Console Session

April 21st, 2009
No comments

Here is a Group Policy setting you can apply in Active Directory to prevent an administrator or other user from logging you off from a machine that you have remotely logged into via the console session.

Policy Path: Administrative Templates\Windows Components\Terminal Services

Supported On: At least Microsoft Windows Server 2003

Help/Explain Text: Specifies whether to allow an administrator attempting to connect to the console of a server to log off an administrator currently logged on to the console. The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. If the status is set to Enabled, logging off the connected administrator is not allowed. If the status is set to Disabled, logging off the connected administrator is allowed. If the status is set to Not Configured, logging off the connected administrator is allowed but can be changed at the local computer policy level. This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost.

Registry Settings: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableForcibleLogoff

Richard Active Directory, System Administration ,