Category Archives: PowerShell

Introduction

In this post we will perform two configurations on our Active Directory Domain Services instance: We’ll define security tiers which later become cornerstones of our privilege delegation principles and we’ll tune domain-joining parameters. Also a quick tweak for the DNS service.

Building Highly-Available Windows Infrastructure: Command-line Style. AD DS. Part 1 — Installation

March 6, 2017 Kirill Nikolaev 3 Comments

Introduction

Up to this day, Active Directory Domain Services (AD DS) has been the core of the Windows infrastructure. With each release of Windows Server, AD DS receives new features while keeping great backward compatibility. Windows Server 2016 brings following enhancements to AD DS:

In this blog we shall install the corner stone of our future infrastructure: a highly-available AD DS instance of two domain controllers. Our AD DS layout is going to be quite simple: two writable domain controllers in a single site.

Building Highly-Available Windows Infrastructure: Command-line Style

March 6, 2017 Kirill Nikolaev Leave a comment

Several months ago Windows Server 2016 was released. With this release Microsoft has made two significant changes in Windows Server installation options:

Nano Server was introduced
Server with a GUI now includes desktop experience features (it is even called “Server with Desktop Experience”) and there is no supported way to remove them. This should force IT Administrators to deploy Server Core more broadly.

Looks like now is a good time to stop thinking about Windows Server as a GUI based system and pivot your management approach to be more command-line.
This post is the first in a series of how to build your own highly-available Windows infrastructure using just PowerShell and some other command-line tools. I plan to discuss the following components:

Active Directory Domain Services,
Active Directory Certificate Services,
Desired State Configuration,
Key Management Services,
DHCP,
SCDPM,
SCCM,
Exchange Server,
And, possibly, S4B Server, as well.

I am not able to deploy Hyper-V hosts yet, as all my infrastructure is purely virtual and the host machine, sadly, is running Windows Server 2012 R2 and currently it is impossible for me to upgrade it.

All PowerShell code will not use any hardcoded values. Instead, at the beginning of each post, I shall include a set of variables which will allow you to easily recreate the infrastructure in your environment w/o any change in the code.

The first part is already here! Building Highly-Available Windows Infrastructure: Command-line Style. AD DS. Part 1 — Installation

ADDS, PowerShell, Windows

Huge refactoring of Synchronize-DNSZones.ps1

February 10, 2017 Kirill Nikolaev Leave a comment

Today I finished huge refactoring of my Synchronize-DNSZones script (see more about it here). The main reason to refactor was to introduce a support to synchronize zone-level records. To efficiently achieve this, I converted a huge pile of code into several smaller functions. I also improved code readability by PS 3.0 standards (apparently, it is also StrictMode-compatible now).
I improved error handling by introducing 3 new error events:
55 – DNS-zone creation is not yet supported. (And I don’t think I’ll ever support it)
72 – Function New-DnsRecord failed.
82 – Cannot import DNSClient PowerShell module.

I finally replaces unapproved verbs in function names to approved ones (see Get-Verb). I shall change the name of the script itself later.
Fixed an issue when Receive-DnsData sometimes returns empty response and.
Fixed typos and incorrect error handling and slightly enhanced comments.
And I also added forgotten definition of $SMTPCc variable.

In the future I plan to add ShouldProcess support (WhatIf).

Pull-requests / issues are welcome!

ADDS, PowerShell, Security, Windows

Split-brain DNS Synchronizer

October 10, 2016 Kirill Nikolaev 2 Comments

The latest version of the script available at GitHub.

Many companies use the same domain name for both internal and external servers hosting. When an internal domain name is a name of AD DS domain, and internal users must access some of the servers by their external IP-addresses, the problem arises: somehow all these external names must exist in the internal zone and the record information in these internal records must be in correspondence with the external ones. There are several possible solutions to resolve such situation:

1. Blindly forward all external requests to AD DS controllers. In this case, domain controllers are the primary name servers for the zone.

Pros:

Single point of management.
No new software on domain controllers required.

Cons:

You cannot point internal and external users to different hosts for the same DNS-record.
Requires to allow external users access to internal servers, which might be impossible due to security policies. Possible exposure of internal infrastructure to an external malicious user.

2. Have two separated set of DNS-servers for internal and external zones.

Pros:

You can point internal and external users to different hosts for the same DNS-record.
External users do not access internal servers.
No new software on domain controllers required.

Cons:

Two different points of management. DNS-records may become outdated.

3. Use DNS policies – the new Windows Server 2016 functionality.

https://blogs.technet.microsoft.com/teamdhcp/2015/08/31/split-brain-dns-in-active-directory-environment-using-dns-policies/

Pros:

Single point of management.
You can point internal and external users to different hosts for the same DNS-record.

Cons:

Requires domain controllers migration to the latest software, which is not possible for some organizations.
Requires to allow external users access to internal servers, which might be impossible due to security policies. Possible exposure of internal infrastructure to an external malicious user.

Currently, I prefer the second method, with two sets of DNS servers. But in that case we have another challenge: How to ensure that all DNS-records, which must point to the same location for both external and internal users, are in sync?
Continue reading Split-brain DNS Synchronizer →

PowerShell

Moving to GitHub

October 10, 2016 Kirill Nikolaev Leave a comment

From now on, all my publicly available scripts will be published at GitHub — you are more than welcome to fork them, create issues and send pull-requests.

ADDS, PowerShell, Security, Windows

How to allow users to join their computers into AD domain

March 14, 2016 Kirill Nikolaev Leave a comment

Imagine, that half of your company users are local administrators at their machines. They pretty often reinstall operating systems and request IT Service Desk to join that newly installed OSes into corporate Active Directory domain. One usually has two options to help the users: either to come to the user’s workstation and use one’s credentials to join a PC into domain, or to recreate workstation’s computer account, at the same time allowing employee’s user account to join the computer into a domain by him-/herself. In the first case, ServiceDesk employee needs to walk to a user’s desk, which may be quite exhausting, especially for remote locations, in the second case, computer’s group membership will be probably lost and a new account must be added into all appropriate groups manually.
Is it possible to decrease time and effort put into resolution of such requests? Yes, absolutely!

The main trick is to assign a user with following permissions to his computer’s account:

Validated write to DNS host name
Validated write to service principal name
List the children of an object
Read
Read security information
List the object access
Control access right
Delete an object and all of its children
Delete
Write to the following properties:

sAMAccountName
displayName
description
Logon Information
Account Restrictions

User with abovementioned permissions will be able to join their PC into an AD domain without any assistance from Service Desk.

I made this little script to automate the permissions assigning. Please look into the help section (or use Get-Help cmdlet) to find out about its syntax and usage examples.

<# MIT License

    Copyright (c) 2016 Kirill Nikolaev

    Permission is hereby granted, free of charge, to any person obtaining a copy
    of this software and associated documentation files (the "Software"), to deal
    in the Software without restriction, including without limitation the rights
    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    copies of the Software, and to permit persons to whom the Software is
    furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    SOFTWARE.
#>

#Requires -Version 3.0
#Requires -Modules ActiveDirectory

<#
.SYNOPSIS
Allows a user to join their computer into Active Directory domain.

.DESCRIPTION
Allows a user to join their computer into Active Directory domain w/o assistance of Service Desk engineer if the computer account is already pre-created. After executing that script a user can reinstall OS multiple times and still be able to join the machine into domain, while computer name will stay the same.
Right now the script works only for the domain where an account running the script resides.

.PARAMETER ComputerName
sAMAccountName of a computer.

.PARAMETER UserName
sAMAccountName of a user.

.PARAMETER ComputerDomain
FQDN of an AD domain where target computer is located.

.PARAMETER UserDomain
FQDN of an AD domain where target user is located.

.EXAMPLE
.\Allow-ADDomainJoin.ps1 -UserName ExampleUser -ComputerName ExampleComputer

.NOTES
NAME: Allow-ADDomainJoin
AUTHOR: Kirill Nikolaev
LASTEDIT: 03/11/2016 10:02:10
KEYWORDS: Active Directory, ADDS, self-service, service desk, workstations, end-users

.LINK
https://exchange12rocks.org/2016/03/14/how-to-allow-users-to-join-their-computers-into-ad-domain/
#>

Param(
	[Parameter(Mandatory,
	HelpMessage='sAMAccount name of a computer account at which you like to delegate domain-joining permissions')]
	[string]$ComputerName,
	[Parameter(Mandatory,
	HelpMessage='sAMAccount name of a user account to which you like to delegate domain-joining permissions')]
	[string]$UserName,
	[string]$ComputerDomain = 'example.com',
	[string]$UserDomain = 'example.com'
)

$ErrorActionPreference = 'Stop'

Import-Module -Name ActiveDirectory

[string]$ComputerWDC = (Get-ADDomainController -DomainName $ComputerDomain -Discover -Writable -NextClosestSite).HostName
[string]$UserWDC = (Get-ADDomainController -DomainName $UserDomain -Discover -Writable -NextClosestSite).HostName
[string]$ComputerDomainNB = (Get-ADDomain -Identity $ComputerDomain).NetBIOSName

Try {
	$ADObject = Get-ADComputer -Identity $ComputerName -Server $ComputerWDC
}
Catch {
	Write-Error -Message ("Cannot get computer {0} from AD DS @ {1}:`r`n{2}`r`n{3}" -f $ComputerName, $ComputerWDC, $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)
	Exit
}

Try {
    $null = New-PSDrive -Name $ComputerDomainNB -Root '' -PSProvider ActiveDirectory -Server $ComputerWDC
}
Catch {
    Write-Error -Message ("Cannot create new PSDrive for {0} AD domain @ {1}:`r`n{2}`r`n{3}" -f $ComputerDomain, $ComputerWDC, $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)
    Exit
}

Try { #TODO: Get-Acl desn't support ShouldProcess
	$DACL = Get-Acl -Path ('{0}:\{1}' -f $ComputerDomainNB, $ADObject.DistinguishedName)
}
Catch {
	Write-Error -Message ("Cannot get DACL for object {0} @ {1}:`r`n{2}`r`n{3}" -f $ADObject.DistinguishedName, $ComputerWDC, $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)
	Exit
}
Try {
	$UserSID = (Get-ADUser -Identity $UserName -Properties SID -Server $UserWDC).SID
}
Catch {
	Write-Error -Message ("Cannot get user {0} from AD DS @ {1}:`r`n{2}`r`n{3}" -f $UserName, $UserWDC, $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)
	Exit
}

Try {
	$ACEs = @()
}
Catch {
	Write-Error -Message ("Cannot initialize empty ACEs object:`r`n{0}`r`n{1}" -f $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)
	Exit
}

Try {
	$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'197076', 'Allow', [GUID]'00000000-0000-0000-0000-000000000000', 'None', [GUID]'00000000-0000-0000-0000-000000000000')
	$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'WriteProperty', 'Allow', [GUID]'3e0abfd0-126a-11d0-a060-00aa006c33ed', 'None', [GUID]'00000000-0000-0000-0000-000000000000')
	$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'WriteProperty', 'Allow', [GUID]'bf967953-0de6-11d0-a285-00aa003049e2', 'None', [GUID]'00000000-0000-0000-0000-000000000000')
	$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'WriteProperty', 'Allow', [GUID]'bf967950-0de6-11d0-a285-00aa003049e2', 'None', [GUID]'00000000-0000-0000-0000-000000000000')
	$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'WriteProperty', 'Allow', [GUID]'5f202010-79a5-11d0-9020-00c04fc2d4cf', 'None', [GUID]'00000000-0000-0000-0000-000000000000')
	$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'WriteProperty', 'Allow', [GUID]'4c164200-20c0-11d0-a768-00aa006e0529', 'None', [GUID]'00000000-0000-0000-0000-000000000000')
	$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'Self', 'Allow', [GUID]'f3a64788-5306-11d1-a9c5-0000f80367c1', 'None', [GUID]'00000000-0000-0000-0000-000000000000')
	$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'Self', 'Allow', [GUID]'72e39547-7b18-11d1-adef-00c04fd8d5cd', 'None', [GUID]'00000000-0000-0000-0000-000000000000')
}
Catch {
	Write-Error -Message ("Error while creating ACE objects:`r`n{0}`r`n{1}" -f $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)
	Exit
}

Try {
	foreach ($ACE in $ACEs) {
		$DACL.AddAccessRule($ACE)
	}
}
Catch {
	Write-Error -Message ("Error while populating DACL with ACE objects:`r`n{0}`r`n{1}" -f $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)
	Exit
}
Try {
	Set-Acl -AclObject $DACL -Path ('{0}:\{1}' -f $ComputerDomainNB, $ADObject.DistinguishedName)
}
Catch {
	Write-Error -Message ("Error while writing DACL back to {0} @ {1}:`r`n{2}`n{3}" -f $ADObject.DistinguishedName, $ComputerWDC, $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)
	Exit
}

Write-Output -InputObject ('{0} is now allowed to join {1} to the domain {2}.' -f $UserName, $ComputerName, $ComputerDomain)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

<# MIT License

Permission is hereby granted, free of charge, to any person obtaining a copy

of this software and associated documentation files (the "Software"), to deal

in the Software without restriction, including without limitation the rights

to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

copies of the Software, and to permit persons to whom the Software is

furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all

copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

SOFTWARE.

#Requires -Version 3.0

#Requires -Modules ActiveDirectory

.SYNOPSIS

Allows a user to join their computer into Active Directory domain.

.DESCRIPTION

Allows a user to join their computer into Active Directory domain w/o assistance of Service Desk engineer if the computer account is already pre-created. After executing that script a user can reinstall OS multiple times and still be able to join the machine into domain, while computer name will stay the same.

Right now the script works only for the domain where an account running the script resides.

.PARAMETER ComputerName

sAMAccountName of a computer.

.PARAMETER UserName

sAMAccountName of a user.

.PARAMETER ComputerDomain

FQDN of an AD domain where target computer is located.

.PARAMETER UserDomain

FQDN of an AD domain where target user is located.

.EXAMPLE

.\Allow-ADDomainJoin.ps1 -UserName ExampleUser -ComputerName ExampleComputer

.NOTES

NAME: Allow-ADDomainJoin

AUTHOR: Kirill Nikolaev

LASTEDIT: 03/11/2016 10:02:10

KEYWORDS: Active Directory, ADDS, self-service, service desk, workstations, end-users

.LINK

https://exchange12rocks.org/2016/03/14/how-to-allow-users-to-join-their-computers-into-ad-domain/

Param(

[Parameter(Mandatory,

HelpMessage='sAMAccount name of a computer account at which you like to delegate domain-joining permissions')]

[string]$ComputerName,

[Parameter(Mandatory,

HelpMessage='sAMAccount name of a user account to which you like to delegate domain-joining permissions')]

[string]$UserName,

[string]$ComputerDomain = 'example.com',

[string]$UserDomain = 'example.com'

)

$ErrorActionPreference = 'Stop'

Import-Module -Name ActiveDirectory

[string]$ComputerWDC = (Get-ADDomainController -DomainName $ComputerDomain -Discover -Writable -NextClosestSite).HostName

[string]$UserWDC = (Get-ADDomainController -DomainName $UserDomain -Discover -Writable -NextClosestSite).HostName

[string]$ComputerDomainNB = (Get-ADDomain -Identity $ComputerDomain).NetBIOSName

Try {

$ADObject = Get-ADComputer -Identity $ComputerName -Server $ComputerWDC

}

Catch {

Write-Error -Message ("Cannot get computer {0} from AD DS @ {1}:`r`n{2}`r`n{3}" -f $ComputerName, $ComputerWDC, $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)

Exit

}

Try {

$null = New-PSDrive -Name $ComputerDomainNB -Root '' -PSProvider ActiveDirectory -Server $ComputerWDC

}

Catch {

Write-Error -Message ("Cannot create new PSDrive for {0} AD domain @ {1}:`r`n{2}`r`n{3}" -f $ComputerDomain, $ComputerWDC, $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)

Exit

}

Try { #TODO: Get-Acl desn't support ShouldProcess

$DACL = Get-Acl -Path ('{0}:\{1}' -f $ComputerDomainNB, $ADObject.DistinguishedName)

}

Catch {

Write-Error -Message ("Cannot get DACL for object {0} @ {1}:`r`n{2}`r`n{3}" -f $ADObject.DistinguishedName, $ComputerWDC, $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)

Exit

}

Try {

$UserSID = (Get-ADUser -Identity $UserName -Properties SID -Server $UserWDC).SID

}

Catch {

Write-Error -Message ("Cannot get user {0} from AD DS @ {1}:`r`n{2}`r`n{3}" -f $UserName, $UserWDC, $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)

Exit

}

Try {

$ACEs = @()

}

Catch {

Write-Error -Message ("Cannot initialize empty ACEs object:`r`n{0}`r`n{1}" -f $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)

Exit

}

Try {

$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'197076', 'Allow', [GUID]'00000000-0000-0000-0000-000000000000', 'None', [GUID]'00000000-0000-0000-0000-000000000000')

$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'WriteProperty', 'Allow', [GUID]'3e0abfd0-126a-11d0-a060-00aa006c33ed', 'None', [GUID]'00000000-0000-0000-0000-000000000000')

$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'WriteProperty', 'Allow', [GUID]'bf967953-0de6-11d0-a285-00aa003049e2', 'None', [GUID]'00000000-0000-0000-0000-000000000000')

$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'WriteProperty', 'Allow', [GUID]'bf967950-0de6-11d0-a285-00aa003049e2', 'None', [GUID]'00000000-0000-0000-0000-000000000000')

$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'WriteProperty', 'Allow', [GUID]'5f202010-79a5-11d0-9020-00c04fc2d4cf', 'None', [GUID]'00000000-0000-0000-0000-000000000000')

$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'WriteProperty', 'Allow', [GUID]'4c164200-20c0-11d0-a768-00aa006e0529', 'None', [GUID]'00000000-0000-0000-0000-000000000000')

$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'Self', 'Allow', [GUID]'f3a64788-5306-11d1-a9c5-0000f80367c1', 'None', [GUID]'00000000-0000-0000-0000-000000000000')

$ACEs += New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList ($UserSID,'Self', 'Allow', [GUID]'72e39547-7b18-11d1-adef-00c04fd8d5cd', 'None', [GUID]'00000000-0000-0000-0000-000000000000')

}

Catch {

Write-Error -Message ("Error while creating ACE objects:`r`n{0}`r`n{1}" -f $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)

Exit

}

Try {

foreach ($ACE in $ACEs) {

$DACL.AddAccessRule($ACE)

}

Catch {

Write-Error -Message ("Error while populating DACL with ACE objects:`r`n{0}`r`n{1}" -f $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)

Exit

}

Try {

Set-Acl -AclObject $DACL -Path ('{0}:\{1}' -f $ComputerDomainNB, $ADObject.DistinguishedName)

}

Catch {

Write-Error -Message ("Error while writing DACL back to {0} @ {1}:`r`n{2}`n{3}" -f $ADObject.DistinguishedName, $ComputerWDC, $Error[0].Exception.Message, $Error[0].InvocationInfo.PositionMessage)

Exit

}

Write-Output -InputObject ('{0} is now allowed to join {1} to the domain {2}.' -f $UserName, $ComputerName, $ComputerDomain)

In case you use Windows 8.1/Server 2012 R2, you might need to install KB 3092002, either way, only member of the “Domain Admins” group will be able to execute the script. This is due to a bug in the Set-Acl cmdlet. The fix for Windows 10 is included in the latest RSAT package.

If you unsure how to use the script or experience any errors, please leave a comment below or contact me directly.

PowerShell, SCDPM

How to simplify SCDPM servers maintenance

August 14, 2015 Kirill Nikolaev 2 Comments

Every DPM administrator, ever tried to perform a regular maintenance onto a set of SCDPM servers (monthly updates, for example), knows that the only one way to do it correctly, i.e. without interruption of backup jobs, is to gracefully shutdown the server. To achieve this, you need to disable active SCDPM agents, connected to this server, and wait till every running job will be completed.

The only problem is — there is no quick way to get a list of every computer with an active agent connected to a SCDPM server. One may say, I’m wrong here and there IS a quick way — just use Get-DPMProductionServer cmdlet with “ServerProtectionState -eq ‘HasDatasourcesProtected'” filter. But you forgot about cluster nodes: If we protect clustered resource, but not cluster nodes themselves, we will not see them in an output of Get-DPMProductionServer (with abovementioned filter applied, of course). In addition, the output will contain clustered resources, which are useless in our task to stop every active protection agent.

That’s why I want to present you with a solution to quickly get a list of only real computers with an active SCDPM-agent installed. Just pass names of your SCDPM-servers to it (or don’t pass anything for localhost) and you’ll receive a collection of ProtectedServers in response. You may then pass that collection directly to Enable/Disable-DPMProductionServer cmdlets.

<# MIT License
 
Copyright (c) 2015 Kirill Nikolaev
 
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
 
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
 
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE. #>

<#
.SYNOPSIS
Returns active protected agents connected to an SCDPM server.

.DESCRIPTION
Returns every computer with installed SCDPM agent, connected to the chosen SCDPM server and having protected any datasource at this SCDPM server.

.PARAMETER DPMServerName
A single name (FQDN ot NetBIOS) of an SCDPM server or a collection of such.

.EXAMPLE
C:\PS> .\Get-DPMProtectedAgents.ps1 -DPMServerName bckpsrv1.example.com
WARNING: Connecting to DPM server: bckpsrv1.example.com

ServerName                                      ClusterName                                     Domain                                          ServerProtectionState
----------                                      -----------                                     ------                                          ---------------------
SRV1                                                                                            example.net                                     HasDatasourcesProtected
SRV2                                            CL1.example.com                                 example.com                                     HasDatasourcesProtected

.EXAMPLE
C:\PS> 'bckpsrv1.example.com','bckpsrv2.example.com' | .\Get-DPMProtectedAgents.ps1
WARNING: Connecting to DPM server: bckpsrv1.example.com

ServerName                                      ClusterName                                     Domain                                          ServerProtectionState
----------                                      -----------                                     ------                                          ---------------------
SRV1                                                                                            example.net                                     HasDatasourcesProtected
SRV2                                            CL1.example.com                                 example.com                                     HasDatasourcesProtected
WARNING: Connecting to DPM server: bckpsrv2.example.com
SRV3                                                                                            example.net                                     HasDatasourcesProtected
SRV4                                            CL2.example.com                                 example.com                                     HasDatasourcesProtected
SRV5                                            CL2.example.com                                 example.com                                     HasDatasourcesProtected

.EXAMPLE
C:\PS> .\Get-DPMProtectedAgents.ps1 | %{ Disable-DPMProductionServer $_ -Confirm:$false }
C:\PS>

.INPUTS
System.String[]. An array of names of SCDPM servers.

.OUTPUTS
System.Object[]. A collection of Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.ProductionServer
#>

[CmdletBinding()]
[OutputType([System.Object[]])]
Param(
	[Parameter(Mandatory=$false,
	ValueFromPipeline=$true)]
	[string[]]$DPMServerName = 'localhost' #We need something in $DPMServerName for the cycle to work.
)

PROCESS {
    foreach ($Name in $DPMServerName) {
        Disconnect-DPMServer
        if ($Name -eq '' -or $Name -eq 'localhost') {
	        $ProductionServers = Get-DPMProductionServer #Execution of DPM cmdlets with given server name doesn't work in PSSessions. So, we have to use two branches of code here.
        }
        else {
	        $ProductionServers = Get-DPMProductionServer -DPMServerName $Name
        }

        $ProtectedServers = $ProductionServers | where {$_.ServerProtectionState -eq 'HasDatasourcesProtected'}
        Write-Debug "ProtectedServers at $Name"
        if ($ProtectedServers) {
            Write-Debug ([string]$ProtectedServers)
        }
        else {
            Write-Debug 'No ProtectedServers found'
        }

        $ProtectedServersStandAlone = $ProtectedServers | where {$_.ClusterName -eq ''}
        Write-Debug "ProtectedServersStandAlone at $Name"
        if ($ProtectedServersStandAlone) {
            Write-Debug ([string]$ProtectedServersStandAlone)
        }
        else {
            Write-Debug 'No ProtectedServersStandAlone found'
        }

        $ProtectedServersClustered = $ProtectedServers | where {$_.ClusterName -ne ''} #Need to split clustered resources and cluster nodes from stand-alone servers, because if we don't protect cluster node itself, it will not shows up in $ProtectedServers and we'll find it through properties of the clustered resource.
        Write-Debug "ProtectedServersClustered at $Name"
        if ($ProtectedServersClustered) {
            Write-Debug ([string]$ProtectedServersClustered)
        }
        else {
            Write-Debug 'No ProtectedServersClustered found'
        }

        $ClusteredResouces = $ProtectedServersClustered | where {$_.PossibleOwners} #Select only clustered resources, not nodes itself.
        Write-Debug "ClusteredResouces at $Name"
        if ($ClusteredResouces) {
            Write-Debug ([string]$ClusteredResouces)
        }
        else {
            Write-Debug 'No ClusteredResouces found'
        }

        $ClusterNodesDNSNames = @()
        $ClusteredResouces | %{$ClusterNodesDNSNames += $_.PossibleOwners}
        Write-Debug "ClusterNodesDNSNames at $Name"
        if ($ClusterNodesDNSNames) {
            Write-Debug ([string]$ClusterNodesDNSNames)
        }
        else {
            Write-Debug 'No ClusterNodesDNSNames found'
        }

        $ClusterNodesDNSNames = $ClusterNodesDNSNames | Select-Object -Unique
        Write-Debug "Unique ClusterNodesDNSNames at $Name"
        if ($ClusterNodesDNSNames) {
            Write-Debug ([string]$ClusterNodesDNSNames)
        }
        else {
            Write-Debug 'No ClusterNodesDNSNames found'
        }

        $ClusterNodesNames = @()
        $ClusterNodesDNSNames | %{$_ -match '(.+?)\..+' | Out-Null; $ClusterNodesNames += $Matches[1]} #Extract hostnames from DNS names to pass them to SCDPM cmdlets.
        Write-Debug "ClusterNodesNames at $Name"
        if ($ClusterNodesNames) {
            Write-Debug ([string]$ClusterNodesNames)
        }
        else {
            Write-Debug 'No ClusterNodesNames found'
        }

        $ClusterNodes = @()
        $ClusterNodes += $ProtectedServersClustered | where {$_ -notin $ClusteredResouces} #Select only clustered nodes.
        foreach ($NodeName in $ClusterNodesNames) {
	        $ClusterNodes += $ProductionServers | where {$_.ServerName -eq $NodeName}
        }
        Write-Debug "ClusterNodes at $Name"
        if ($ClusterNodes) {
            Write-Debug ([string]$ClusterNodes)
        }
        else {
            Write-Debug 'No ClusterNodes found'
        }

        $ProtectedAgents = $ProtectedServersStandAlone + $ClusterNodes | Select-Object -Unique
        Write-Debug "ProtectedAgents at $Name"
        if ($ProtectedAgents) {
            Write-Debug ([string]$ProtectedAgents)
        }
        else {
            Write-Debug 'No ProtectedAgents found'
        }

        Write-Output $ProtectedAgents
    }
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

<# MIT License

Permission is hereby granted, free of charge, to any person obtaining a copy

of this software and associated documentation files (the "Software"), to deal

in the Software without restriction, including without limitation the rights

to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

copies of the Software, and to permit persons to whom the Software is

furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all

copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

SOFTWARE. #>

.SYNOPSIS

Returns active protected agents connected to an SCDPM server.

.DESCRIPTION

Returns every computer with installed SCDPM agent, connected to the chosen SCDPM server and having protected any datasource at this SCDPM server.

.PARAMETER DPMServerName

A single name (FQDN ot NetBIOS) of an SCDPM server or a collection of such.

.EXAMPLE

C:\PS> .\Get-DPMProtectedAgents.ps1 -DPMServerName bckpsrv1.example.com

WARNING: Connecting to DPM server: bckpsrv1.example.com

ServerName ClusterName Domain ServerProtectionState

---------- ----------- ------ ---------------------

SRV1 example.net HasDatasourcesProtected

SRV2 CL1.example.com example.com HasDatasourcesProtected

.EXAMPLE

C:\PS> 'bckpsrv1.example.com','bckpsrv2.example.com' | .\Get-DPMProtectedAgents.ps1

WARNING: Connecting to DPM server: bckpsrv1.example.com

ServerName ClusterName Domain ServerProtectionState

---------- ----------- ------ ---------------------

SRV1 example.net HasDatasourcesProtected

SRV2 CL1.example.com example.com HasDatasourcesProtected

WARNING: Connecting to DPM server: bckpsrv2.example.com

SRV3 example.net HasDatasourcesProtected

SRV4 CL2.example.com example.com HasDatasourcesProtected

SRV5 CL2.example.com example.com HasDatasourcesProtected

.EXAMPLE

C:\PS> .\Get-DPMProtectedAgents.ps1 | %{ Disable-DPMProductionServer $_ -Confirm:$false }

C:\PS>

.INPUTS

System.String[]. An array of names of SCDPM servers.

.OUTPUTS

System.Object[]. A collection of Microsoft.Internal.EnterpriseStorage.Dls.UI.ObjectModel.OMCommon.ProductionServer

[CmdletBinding()]

[OutputType([System.Object[]])]

Param(

[Parameter(Mandatory=$false,

ValueFromPipeline=$true)]

[string[]]$DPMServerName = 'localhost' #We need something in $DPMServerName for the cycle to work.

)

PROCESS {

foreach ($Name in $DPMServerName) {

Disconnect-DPMServer

if ($Name -eq '' -or $Name -eq 'localhost') {

$ProductionServers = Get-DPMProductionServer #Execution of DPM cmdlets with given server name doesn't work in PSSessions. So, we have to use two branches of code here.

}

else {

$ProductionServers = Get-DPMProductionServer -DPMServerName $Name

}

$ProtectedServers = $ProductionServers | where {$_.ServerProtectionState -eq 'HasDatasourcesProtected'}

Write-Debug "ProtectedServers at $Name"

if ($ProtectedServers) {

Write-Debug ([string]$ProtectedServers)

}

else {

Write-Debug 'No ProtectedServers found'

}

$ProtectedServersStandAlone = $ProtectedServers | where {$_.ClusterName -eq ''}

Write-Debug "ProtectedServersStandAlone at $Name"

if ($ProtectedServersStandAlone) {

Write-Debug ([string]$ProtectedServersStandAlone)

}

else {

Write-Debug 'No ProtectedServersStandAlone found'

}

$ProtectedServersClustered = $ProtectedServers | where {$_.ClusterName -ne ''} #Need to split clustered resources and cluster nodes from stand-alone servers, because if we don't protect cluster node itself, it will not shows up in $ProtectedServers and we'll find it through properties of the clustered resource.

Write-Debug "ProtectedServersClustered at $Name"

if ($ProtectedServersClustered) {

Write-Debug ([string]$ProtectedServersClustered)

}

else {

Write-Debug 'No ProtectedServersClustered found'

}

$ClusteredResouces = $ProtectedServersClustered | where {$_.PossibleOwners} #Select only clustered resources, not nodes itself.

Write-Debug "ClusteredResouces at $Name"

if ($ClusteredResouces) {

Write-Debug ([string]$ClusteredResouces)

}

else {

Write-Debug 'No ClusteredResouces found'

}

$ClusterNodesDNSNames = @()

$ClusteredResouces | %{$ClusterNodesDNSNames += $_.PossibleOwners}

Write-Debug "ClusterNodesDNSNames at $Name"

if ($ClusterNodesDNSNames) {

Write-Debug ([string]$ClusterNodesDNSNames)

}

else {

Write-Debug 'No ClusterNodesDNSNames found'

}

$ClusterNodesDNSNames = $ClusterNodesDNSNames | Select-Object -Unique

Write-Debug "Unique ClusterNodesDNSNames at $Name"

if ($ClusterNodesDNSNames) {

Write-Debug ([string]$ClusterNodesDNSNames)

}

else {

Write-Debug 'No ClusterNodesDNSNames found'

}

$ClusterNodesNames = @()

$ClusterNodesDNSNames | %{$_ -match '(.+?)\..+' | Out-Null; $ClusterNodesNames += $Matches[1]} #Extract hostnames from DNS names to pass them to SCDPM cmdlets.

Write-Debug "ClusterNodesNames at $Name"

if ($ClusterNodesNames) {

Write-Debug ([string]$ClusterNodesNames)

}

else {

Write-Debug 'No ClusterNodesNames found'

}

$ClusterNodes = @()

$ClusterNodes += $ProtectedServersClustered | where {$_ -notin $ClusteredResouces} #Select only clustered nodes.

foreach ($NodeName in $ClusterNodesNames) {

$ClusterNodes += $ProductionServers | where {$_.ServerName -eq $NodeName}

}

Write-Debug "ClusterNodes at $Name"

if ($ClusterNodes) {

Write-Debug ([string]$ClusterNodes)

}

else {

Write-Debug 'No ClusterNodes found'

}

$ProtectedAgents = $ProtectedServersStandAlone + $ClusterNodes | Select-Object -Unique

Write-Debug "ProtectedAgents at $Name"

if ($ProtectedAgents) {

Write-Debug ([string]$ProtectedAgents)

}

else {

Write-Debug 'No ProtectedAgents found'

}

Write-Output $ProtectedAgents

}

PowerShell

How to limit a number of PowerShell Jobs running simultaneously

May 24, 2015 Kirill Nikolaev 7 Comments

Recently, I received a task which required me to run a particular command on a several thousands of servers. Since execution of this command takes some time, it is just logical to run them in a parallel mode. And PowerShell Background Jobs are the first thing comes in mind.
But resources of my PC are limited — it cannot run more than a 100 jobs simultaneously. Unfortunately, PowerShell doesn’t have a built-in functionality for limiting background jobs yet.

Though, I’m not the first one who stuck with the same problem: official “Hey, Scripting Guy!” blog has introduced us a queue based on .NET Framework objects. But I couldn’t manage this solution to work and needed something simpler. After all, all we need are:

a loop
a counter, for how much jobs are active and running
a variable, allowing next job in queue to start

Eventually, I came up with a piece of code like this:

$maxConcurrentJobs = 100 #Max. number of simultaneously running jobs
 
foreach($Object in $Objects) { #Where $Objects is a collection of objects to process. It may be a computers list, for example.
    $Check = $false #Variable to allow endless looping until the number of running jobs will be less than $maxConcurrentJobs.
    while ($Check -eq $false) {
        if ((Get-Job -State 'Running').Count -lt $maxConcurrentJobs) {
            $ScriptBlock = {
                #Insert the code of your workload here
            }
            Start-Job -ScriptBlock $ScriptBlock
            $Check = $true #To stop endless looping and proceed to the next object in the list.
        }
    }
}

$maxConcurrentJobs = 100 #Max. number of simultaneously running jobs

foreach($Object in $Objects) { #Where $Objects is a collection of objects to process. It may be a computers list, for example.

$Check = $false #Variable to allow endless looping until the number of running jobs will be less than $maxConcurrentJobs.

while ($Check -eq $false) {

if ((Get-Job -State 'Running').Count -lt $maxConcurrentJobs) {

$ScriptBlock = {

#Insert the code of your workload here

}

Start-Job -ScriptBlock $ScriptBlock

$Check = $true #To stop endless looping and proceed to the next object in the list.

}

Whereas my version is similar to a solution proposed at StackOverflow (which I only found AFTER completing my own version, of course), the SO version suffers from a bug where some items in queue may be skipped.

While PS Jobs are so easy to play with, Boe Prox claims that runspaces work much and much faster. Go, check it out, how you can use them to accelerate your job queue in his blog.

Some other queueing technics in PowerShell:

ADDS, PowerShell, SCCM

SCCM: Device Collection Based On a Local Group Membership

August 18, 2014 Kirill Nikolaev 2 Comments

New task came up recently – I need to separate in SCCM self-managed workstations from IT-managed ones. We define following criteria for IT-managed workstations: no other accounts are in local Administrators group except for built-in Administrator, Domain Admins group and a group for Service Desk administrators. All workstations are located in the same OU, so I cannot use OU-based collections.

As you may know, SCCM 2012 doesn’t have built-in tools to get local groups membership. Thanks to Sherry Kissinger who solved this problem for us using Compliance Settings. After you install her package, you’ll get a new Configuration Baseline and Configuration Item in SCCM console named as “WMI Framework For Local Groups with Logging” and “Local Group Members into WMI with Logging”. This package also creates 2 new tables and 1 view into SCCM database: LocalGroupMembers_DATA, LocalGroupMembers_HIST and v_GS_LocalGroupMembers0.

After creating and deploying baseline, you can use v_GS_LocalGroupMembers0 view to create reports based on local groups membership.
Don’t forget: you must not deploy that baseline to domain controllers! For example, you can create a collection which includes all your systems except domain controllers: create new device collection using All Systems as limiting collection and add it with include rule, then add All Domain Controllers collection with exclude rule. You can download MOF-file for such collection here.

Unfortunately, neither LocalGroupMembers_DATA, nor v_GS_LocalGroupMembers0 can be used in WQL-queries when you create a collection.
Am I stuck? Let’s review what do I had for now:

I have all data about local groups membership in custom table.
I can create any reports using that data.
I can create collections using data from standard tables in SCCM DB.
But I cannot create collections based on a data from custom SQL-tables.

I need a way to put data from table LocalGroupMembers_DATA into standard SCCM tables and PowerShell is here to save the day.
There are at least two ways to get data from SQL with PowerShell:

Connect to DB directly and use T-SQL queries with SQL cmdlets.
Connect to SQL Server Reporting Services using New-WebServiceProxy cmdlet. Stefan Stranger and Jin Chen wrote an example script to achieve it.

With PowerShell we can do anything with that SQL-data. Our goal is to populate device collections with workstations and here we go again with two different options:

We can add computers into group in AD DS and then create a device collection using this group. For this method to work you need to activate Active Directory Group Discovery discovery method for site and domain where AD group will reside.
Add computers into collection directly using Add-CMDeviceCollectionDirectMembershipRule cmdlet.

Since both group and a report will be useful for me in the future, I’m stick with them.

Now our scenario looks like this:

Activate Active Directory Group Discovery.
Collect local group membership using Compliance Settings.
Create a report with gathered data an any SSRS.
Get names of computers from this report with New-WebServiceProxy cmdlet.
Add these computers into an AD group.
Create a device collection by that AD group.

I build a report where I list all computers don’t comply with conditions discussed earlier.
Here is what first DataSet query looks like:

SELECT distinct
  Computer.Name0 AS [Computer Name]
FROM
  v_GS_LocalGroupMembers0 AS LGMs
  INNER JOIN v_R_System AS Computer
    ON LGMs.ResourceID = Computer.ResourceID
INNER JOIN v_RA_System_SystemOUName AS OUs ON Computer.ResourceID = OUs.ResourceID
WHERE (
(OUs.System_OU_Name0 IN (@CompOU))

AND	(LGMs.Name0 = N'Administrators')
	AND NOT (
		LGMs.Account0 = N'Domain Admins' AND LGMs.Category0 = N'Group' AND LGMs.Type0 = N'Domain'
	)
	AND NOT (
		LGMs.Account0 = N'Administrator' AND LGMs.Category0 = N'UserAccount' AND LGMs.Type0 = N'Local' AND LGMs.Name0 = N'Administrators'
	)
	AND NOT (
		LGMs.Account0 = N'ServiceDesk Workstations Administrators' AND LGMs.Category0 = N'Group' AND LGMs.Type0 = N'Domain' AND LGMs.Domain0 = N'EXAMPLE'
	)
  )

SELECT distinct

Computer.Name0 AS [Computer Name]

FROM

v_GS_LocalGroupMembers0 AS LGMs

INNER JOIN v_R_System AS Computer

ON LGMs.ResourceID = Computer.ResourceID

INNER JOIN v_RA_System_SystemOUName AS OUs ON Computer.ResourceID = OUs.ResourceID

WHERE (

(OUs.System_OU_Name0 IN (@CompOU))

AND (LGMs.Name0 = N'Administrators')

AND NOT (

LGMs.Account0 = N'Domain Admins' AND LGMs.Category0 = N'Group' AND LGMs.Type0 = N'Domain'

)

AND NOT (

LGMs.Account0 = N'Administrator' AND LGMs.Category0 = N'UserAccount' AND LGMs.Type0 = N'Local' AND LGMs.Name0 = N'Administrators'

)

AND NOT (

LGMs.Account0 = N'ServiceDesk Workstations Administrators' AND LGMs.Category0 = N'Group' AND LGMs.Type0 = N'Domain' AND LGMs.Domain0 = N'EXAMPLE'

)

It can be easily expanded to include another set of groups to ignore.
Mind CompOU parameter: in web-interface you can select multiple OUs where to search computers.
To get a full list of OUs from a forest, you can use another query:

SELECT DISTINCT
v_RA_System_SystemOUName.System_OU_Name0
FROM
  v_RA_System_SystemOUName
ORDER BY v_RA_System_SystemOUName.System_OU_Name0 ASC

SELECT DISTINCT

v_RA_System_SystemOUName.System_OU_Name0

FROM

v_RA_System_SystemOUName

ORDER BY v_RA_System_SystemOUName.System_OU_Name0 ASC

I modified RenderSQLReportFromPosh.v1.000.ps1 so it could populate AD DS group in addition to get data from reports. Here’s its code:

#requires -version 2.0
###############################################################################
# Render SQL Reports using PowerShell
# This script is using the new Posh v 2.0 cmdlet New-WebServiceProxy
# FileName: RenderSQLReportFromPosh.v1.000.ps1
# Authors: Stefan Stranger (Microsoft)
# Help from: Jin Chen (Microsoft)
# Example of Rendering the OpsMgr Licenses Report from the Generic Report Library
#
# v1.000 – 15/05/2010 - stefstr - initial sstranger's release
# 10/29/2013 - Modified by Kirill 'kf' Nikolaev to satisfy SCCM needs
###############################################################################

#Log file path
$ScriptPath = Split-Path $MyInvocation.MyCommand.Path
$ScriptName = ($MyInvocation.MyCommand.Name).Substring(0,($MyInvocation.MyCommand.Name).Length-4)
$Log = Join-Path $ScriptPath "$ScriptName.txt"

Add-Content $Log (Get-Date)

#Clear-Content $Log -ErrorAction SilentlyContinue
$Error.Clear()
			
#Define Variables            
#Enter URI to asmx file on Report Server            
$URI  = 'https://reportserver.example.com//ReportServer//ReportExecution2005.asmx?wsdl'
#Enter Report Path
$ReportPath = '/ConfigMgr_CAS/Compliance and Settings Management/Workstations with non-default local administrators'
#Enter group name to fill with workstations
$GroupName = 'Self-Managed Workstations'

$format = 'csv'
$deviceinfo = ''
$extention = ''
$mimeType = ''
$Result = ''
$render = ''
$encoding = 'UTF-8'
$warnings = $null            
$streamIDs = $null            
$Reports = New-WebServiceProxy -Uri $URI -UseDefaultCredential -namespace 'ReportExecution2005'
            
            
$rsExec = new-object ReportExecution2005.ReportExecutionService            
$rsExec.Credentials = [System.Net.CredentialCache]::DefaultCredentials             

$execInfo = @($ReportPath, $null)             

#Load the selected report.            
$rsExec.GetType().GetMethod('LoadReport').Invoke($rsExec, $execInfo) | out-null              

#Report Parameters            
#Depending on the number of Parameters being used in the Report you need to add more Parameters.            
#Search the rdl file for the correct parameter names.
$param1 = new-object ReportExecution2005.ParameterValue
$param1.Name = 'CompOU'
$param1.Value = 'EXAMPLE.COM/WORKSTATIONS'

$param2 = new-object ReportExecution2005.ParameterValue
$param2.Name = 'CompOU'
$param2.Value = 'EXAMPLE.COM/WORKSTATIONS-OLD'

$parameters = [ReportExecution2005.ParameterValue[]] ($param1, $param2)             
$ExecParams = $rsExec.SetExecutionParameters($parameters, 'en-us');
$render = $rsExec.Render($format, $deviceInfo,[ref] $extention, [ref] $mimeType,[ref] $encoding, [ref] $warnings, [ref] $streamIDs)             
$Result = [text.encoding]::ascii.getString($render)             

$ComputerNames = @()
$SplittedResult = $Result.Split("`n")
for ($i = 1; $i -le $SplittedResult.Count-3) { #For unknown reason, last 3 rows of SSRS answer are blank, so we have to cut them and a title too.
	$ComputerNames += ($SplittedResult[$i]).Substring(0,($SplittedResult[$i]).Length-1) #Again, for unknown reason, there is an invisible line-feed symbol, we remove it.
	$i++
}
$ComputerObjects = @()
foreach ($Computer in $ComputerNames) {
	$ComputerObjects += Get-ADComputer $Computer
}
$CurrentMembers = @()
$CurrentMembers = Get-ADGroupMember -Identity $GroupName

$ToAdd = @()
$ToRemove = @()
if ($CurrentMembers) {
	if ($ComputerObjects) {
		$CompareResult = Compare-Object -ReferenceObject $ComputerObjects -DifferenceObject $CurrentMembers
		foreach ($Item in $CompareResult) {
			$DN = $Item.InputObject.DistinguishedName
			if ($Item.SideIndicator -eq '<=') {
				$ToAdd += $Item.InputObject
				Add-Content $Log "$DN - ToAdd"
			}
			elseif ($Item.SideIndicator -eq '=>') {
				$ToRemove += $Item.InputObject
				Add-Content $Log "$DN - ToRemove"
			}
		}
	}
	else {
		foreach ($Item in $CompareResult) {
			$DN = $Item.DistinguishedName
			$ToRemove += $Item.DistinguishedName
			Add-Content $Log "$DN - ToRemove"
		}
	}
}
else {
	foreach ($Item in $ComputerObjects) {
		$DN = $Item.DistinguishedName
		$ToAdd += $Item.DistinguishedName
		Add-Content $Log "$DN - ToAdd"
	}
}
if ($ToAdd) {
	try {
		Add-ADGroupMember -Identity $GroupName -Members $ToAdd -ErrorAction SilentlyContinue
	}
	catch {
		Add-Content $Log 'Cannot add'
		Add-Content $Log $Error[0]
	}
}
if ($ToRemove) {
	try {
		Remove-ADGroupMember -Identity $GroupName -Members $ToRemove -ErrorAction SilentlyContinue -Confirm:$false
		}
	catch {
		Add-Content $Log 'Cannot remove'
		Add-Content $Log $Error[0]
	}
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

#requires -version 2.0

###############################################################################

# Render SQL Reports using PowerShell

# This script is using the new Posh v 2.0 cmdlet New-WebServiceProxy

# FileName: RenderSQLReportFromPosh.v1.000.ps1

# Authors: Stefan Stranger (Microsoft)

# Help from: Jin Chen (Microsoft)

# Example of Rendering the OpsMgr Licenses Report from the Generic Report Library

# v1.000 – 15/05/2010 - stefstr - initial sstranger's release

# 10/29/2013 - Modified by Kirill 'kf' Nikolaev to satisfy SCCM needs

###############################################################################

#Log file path

$ScriptPath = Split-Path $MyInvocation.MyCommand.Path

$ScriptName = ($MyInvocation.MyCommand.Name).Substring(0,($MyInvocation.MyCommand.Name).Length-4)

$Log = Join-Path $ScriptPath "$ScriptName.txt"

Add-Content $Log (Get-Date)

#Clear-Content $Log -ErrorAction SilentlyContinue

$Error.Clear()

#Define Variables

#Enter URI to asmx file on Report Server

$URI = 'https://reportserver.example.com//ReportServer//ReportExecution2005.asmx?wsdl'

#Enter Report Path

$ReportPath = '/ConfigMgr_CAS/Compliance and Settings Management/Workstations with non-default local administrators'

#Enter group name to fill with workstations

$GroupName = 'Self-Managed Workstations'

$format = 'csv'

$deviceinfo = ''

$extention = ''

$mimeType = ''

$Result = ''

$render = ''

$encoding = 'UTF-8'

$warnings = $null

$streamIDs = $null

$Reports = New-WebServiceProxy -Uri $URI -UseDefaultCredential -namespace 'ReportExecution2005'

$rsExec = new-object ReportExecution2005.ReportExecutionService

$rsExec.Credentials = [System.Net.CredentialCache]::DefaultCredentials

$execInfo = @($ReportPath, $null)

#Load the selected report.

$rsExec.GetType().GetMethod('LoadReport').Invoke($rsExec, $execInfo) | out-null

#Report Parameters

#Depending on the number of Parameters being used in the Report you need to add more Parameters.

#Search the rdl file for the correct parameter names.

$param1 = new-object ReportExecution2005.ParameterValue

$param1.Name = 'CompOU'

$param1.Value = 'EXAMPLE.COM/WORKSTATIONS'

$param2 = new-object ReportExecution2005.ParameterValue

$param2.Name = 'CompOU'

$param2.Value = 'EXAMPLE.COM/WORKSTATIONS-OLD'

$parameters = [ReportExecution2005.ParameterValue[]] ($param1, $param2)

$ExecParams = $rsExec.SetExecutionParameters($parameters, 'en-us');

$render = $rsExec.Render($format, $deviceInfo,[ref] $extention, [ref] $mimeType,[ref] $encoding, [ref] $warnings, [ref] $streamIDs)

$Result = [text.encoding]::ascii.getString($render)

$ComputerNames = @()

$SplittedResult = $Result.Split("`n")

for ($i = 1; $i -le $SplittedResult.Count-3) { #For unknown reason, last 3 rows of SSRS answer are blank, so we have to cut them and a title too.

$ComputerNames += ($SplittedResult[$i]).Substring(0,($SplittedResult[$i]).Length-1) #Again, for unknown reason, there is an invisible line-feed symbol, we remove it.

$i++

}

$ComputerObjects = @()

foreach ($Computer in $ComputerNames) {

$ComputerObjects += Get-ADComputer $Computer

}

$CurrentMembers = @()

$CurrentMembers = Get-ADGroupMember -Identity $GroupName

$ToAdd = @()

$ToRemove = @()

if ($CurrentMembers) {

if ($ComputerObjects) {

$CompareResult = Compare-Object -ReferenceObject $ComputerObjects -DifferenceObject $CurrentMembers

foreach ($Item in $CompareResult) {

$DN = $Item.InputObject.DistinguishedName

if ($Item.SideIndicator -eq '<=') {

$ToAdd += $Item.InputObject

Add-Content $Log "$DN - ToAdd"

}

elseif ($Item.SideIndicator -eq '=>') {

$ToRemove += $Item.InputObject

Add-Content $Log "$DN - ToRemove"

}

else {

foreach ($Item in $CompareResult) {

$DN = $Item.DistinguishedName

$ToRemove += $Item.DistinguishedName

Add-Content $Log "$DN - ToRemove"

}

else {

foreach ($Item in $ComputerObjects) {

$DN = $Item.DistinguishedName

$ToAdd += $Item.DistinguishedName

Add-Content $Log "$DN - ToAdd"

}

if ($ToAdd) {

try {

Add-ADGroupMember -Identity $GroupName -Members $ToAdd -ErrorAction SilentlyContinue

}

catch {

Add-Content $Log 'Cannot add'

Add-Content $Log $Error[0]

}

if ($ToRemove) {

try {

Remove-ADGroupMember -Identity $GroupName -Members $ToRemove -ErrorAction SilentlyContinue -Confirm:$false

}

catch {

Add-Content $Log 'Cannot remove'

Add-Content $Log $Error[0]

}

My modified script receives a report from $URL and $ReportPath locations, compares a list from it with members of $GroupName AD DS group and adds/removes computers from that group until it and the report would be the same.
You can find a path for log of actions in $Log variable. Here, script records all computers which were added or removed from the group.
OUs to search are defined into $param1 and $param2 variables. If you need more OUs, create a new parameter variables and do not forget to add them into $parameters.

As last, I created standard device collection based on AD group $GroupName.

You can download report as an RDL-file and a script here. Do not forget to create DataSource in the report to connect to your SSRS instance.

Microsoft Technologies and Stuff

Category Archives: PowerShell

Building Highly-Available Windows Infrastructure: Command-line Style. AD DS. Part 2 — Post-Config

Introduction

In this article:

Building Highly-Available Windows Infrastructure: Command-line Style. AD DS. Part 1 — Installation

Introduction

In this article:

Building Highly-Available Windows Infrastructure: Command-line Style

Huge refactoring of Synchronize-DNSZones.ps1

Split-brain DNS Synchronizer

1. Blindly forward all external requests to AD DS controllers. In this case, domain controllers are the primary name servers for the zone.

2. Have two separated set of DNS-servers for internal and external zones.

3. Use DNS policies – the new Windows Server 2016 functionality.

Moving to GitHub

How to allow users to join their computers into AD domain

How to simplify SCDPM servers maintenance

How to limit a number of PowerShell Jobs running simultaneously

Some other queueing technics in PowerShell:

SCCM: Device Collection Based On a Local Group Membership