Scripting. Powershell, VMware, Windows, Active Directory & Exchange. All that kind of stuff…..
  • Get-Scripting Guys Take Over the March UK Powershell User Group

    Posted on March 12th, 2009 Jonathan Medd No comments

    Alan Renouf and I, from the Get-Scripting Podcast, will be presenting this month at the UK Powershell User Group on Thursday 26th March at Microsoft in Reading.

    First up on the night will be Richard Siddaway talking to us about using Regular Expressions in Powershell. This was requested at a previous event and I know that Richard is really looking forward to talking about that subject ;-)

    Then the Get-Scripting guys will take over:

    I will be talking about some of the features that are part of Active Directory in Server 2008 R2, currently in beta, in particular the native AD Powershell cmdlets which will ship as part of that product, and what I have learned about them so far.

    vExpert Alan Renouf will then tell us about the VI toolkit, which for those of you not in the know are the cmdlets shipped by VMware to enable you to manage their ESX product.

    A good mixture I think of general scripting skills, third-party added value to your Powershell learning and future technologies.

    If you can’t make the event in person then as usual it will be broadcast by LiveMeeting (details here). It wouldn’t be a UK Powershell event if the LiveMeeting part doesn’t go 100% to plan, but we will endeavour to ensure we avoid the usual trick of the microphone going on mute.

    If you wish to attend the event in person you should contact Richard via his blog so that he can have a badge for you at the welcome desk. If the prospect of us presenting isn’t enough to attract you then as always there will be pizza at half-time :-)

  • UK Active Directory User Group – 6pm GMT Wednesday 11th March

    Posted on February 22nd, 2009 Jonathan Medd No comments

    This is the second meeting of the newly formed UK Active Directory User Group:

    The second [ADUG] UK Active Directory User Group meeting will be on the evening of the 11th March at Microsoft’s London (Victoria) Offices. The meeting will be co-hosted with the Windows Server User Group.

    The draft agenda is:

    • 18:00 for 18:25 Arrival and registration
    • 18:25-18:30 Welcome and introductions
    • 18:30-19:45 James O’Neill takes a quick tour through the new features in Windows Server 2008 R2 (just to whet your appetite).
    • 19:45-20:00 Refreshments
    • 20:00-21:15 Amish Lukka (also from Microsoft) will be presenting an insight into new Active Directory features in Windows Server 2008 R2.
    • 21:15-21:30 Wrap-up.
    • 21:20 Adjourn to a nearby public house where Mark Parris will be happy to share his experiences of the Microsoft Certified Masters: Windows Server 2008: Directory class that he attended last November.

    If you are interested in attending – please send an email to registration@adug.co.uk with your name and see you there. The confirmed times will be in the confirmation email.


    For those who can’t make it in person, we will set up a Live Meeting session (which will be recorded) and details will be made available closer to the event.

  • Modifying AD accounts with Powershell after an Exchange 2003 dial-tone restore

    Posted on January 11th, 2009 Jonathan Medd No comments

    Recently I’ve been testing out some different disaster recovery scenarios for Exchange 2003, one of which involved a dial-tone method – i.e. create some new mailbox servers with blank databases to get users up and running quickly and then merge the restored data back in later. One of the types of dial tone method we used was to create new server names rather than re-use existing Exchange server names.

    So for example to re-create a four node (3 active, 1 passive) cluster with new names, instead of

    ExchangeServer1
    ExchangeServer2
    ExchangeServer3

    you would now use something like

    ExchangeServer1New
    ExchangeServer2New
    ExchangeServer3New

    Then you would need to amend the AD user accounts for users on those Exchange Servers to point to the new locations – the following properties need to be changed.

    homemdb
    msexchhomeservername
    homemta

    None of these properties can be changed through ADUC; you would need to use ADSIEdit if you wanted to use a GUI. Of course those smart people among you would choose to use Powershell anyway.

    So naturally I turned to my trusty friend the Quest AD cmdlets to help me out.

    First of all we get all the users who have a mailbox based on one of the original servers; depending on your naming convention you may need to adjust this filter to make sure you are matching the correct people. The three properties mentioned are not returned by default from Get-QADUser so we have to specify them.

    We then loop through each user and, using the Switch statement, if we match ExchangeServer1, 2 or 3 we amend the text of each variable to be the new Exchange server name (note: homemta will be the same for all of these users) and then use the Set-QADUser cmdlet to change these properties on the account.

    # Users with a mailbox on one of the original servers; the three attributes are not returned by default
    $users = Get-QADUser -ldapFilter '(msExchHomeServerName=*ExchangeServer*)' -IncludedProperties homemdb,msexchhomeservername,homemta -sizelimit 0

    foreach($user in $users){

        $homemdb = $user.homemdb
        $msexchhomeservername = $user.msexchhomeservername
        # homemta is the same for all of these users
        $newhomemta = 'CN=Microsoft MTA,CN=ExchangeServer1New,CN=Servers,CN=Exchange,CN=Administrative Groups,CN=Springfield,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=springfield,DC=local'

        switch -wildcard ($homemdb)
        {
            "*ExchangeServer1*" {
                $newhomemdblocation = $homemdb.replace("ExchangeServer1","ExchangeServer1New")
                $newmsexchhomeservername = $msexchhomeservername.replace("ExchangeServer1","ExchangeServer1New")
                Set-QADUser $user -objectAttributes @{homemdb=$newhomemdblocation;msexchhomeservername=$newmsexchhomeservername;homemta=$newhomemta}
                break
            }
            "*ExchangeServer2*" {
                $newhomemdblocation = $homemdb.replace("ExchangeServer2","ExchangeServer2New")
                $newmsexchhomeservername = $msexchhomeservername.replace("ExchangeServer2","ExchangeServer2New")
                Set-QADUser $user -objectAttributes @{homemdb=$newhomemdblocation;msexchhomeservername=$newmsexchhomeservername;homemta=$newhomemta}
                break
            }
            "*ExchangeServer3*" {
                $newhomemdblocation = $homemdb.replace("ExchangeServer3","ExchangeServer3New")
                $newmsexchhomeservername = $msexchhomeservername.replace("ExchangeServer3","ExchangeServer3New")
                Set-QADUser $user -objectAttributes @{homemdb=$newhomemdblocation;msexchhomeservername=$newmsexchhomeservername;homemta=$newhomemta}
                break
            }
            default {"Nothing for this user"}
        }

    }

    I was also interested to see the resulting performance of this script and was pleasantly surprised to see it change 6000+ accounts in only 10 mins.
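
    Before a bulk change of this size it helps to have a reviewable before/after record that can also serve as a rollback file. The following is an added example, not part of the original script: it plans the same rewrite without touching AD, and matches the old server name only as a whole token, because the wildcard filter and `.replace()` above would also match an account that already points at ExchangeServer1New if the script were run a second time. The helper name `Get-DialToneChange`, the output file name and the sample DNs are assumptions made for illustration.

```powershell
# Added example: dry-run planner for the dial-tone attribute rewrite.
# All names and DNs below are constructed sample data, not real directory values.
$serverMap = @{
    'ExchangeServer1' = 'ExchangeServer1New'
    'ExchangeServer2' = 'ExchangeServer2New'
    'ExchangeServer3' = 'ExchangeServer3New'
}

function Get-DialToneChange {   # hypothetical helper, not a Quest cmdlet
    param($User, [hashtable]$ServerMap)
    foreach ($old in $ServerMap.Keys) {
        # Whole-token match: ExchangeServer1 must not also hit ExchangeServer10
        # or an already-migrated ExchangeServer1New.
        $pattern = [regex]::Escape($old) + '(?![A-Za-z0-9])'
        if ($User.homemdb -match $pattern) {
            return [pscustomobject]@{
                Name                    = $User.Name
                OldHomeMdb              = $User.homemdb
                NewHomeMdb              = $User.homemdb -replace $pattern, $ServerMap[$old]
                OldMsExchHomeServerName = $User.msexchhomeservername
                NewMsExchHomeServerName = $User.msexchhomeservername -replace $pattern, $ServerMap[$old]
            }
        }
    }
    # Users that match no old server name produce no output row.
}

# Constructed users: one to migrate, one already migrated, one look-alike server name.
$sampleUsers = 'ExchangeServer1', 'ExchangeServer1New', 'ExchangeServer10' | ForEach-Object {
    [pscustomobject]@{
        Name                 = "user-on-$_"
        homemdb              = "CN=Mailbox Store,CN=First Storage Group,CN=InformationStore,CN=$_,CN=Servers,DC=example,DC=test"
        msexchhomeservername = "/o=Example/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=$_"
    }
}

$plan = @($sampleUsers | ForEach-Object { Get-DialToneChange -User $_ -ServerMap $serverMap })

# Keep the old values on disk so the change can be reviewed and reversed.
$plan | Export-Csv -Path .\dialtone-plan.csv -NoTypeInformation
$plan | Format-Table Name, OldMsExchHomeServerName, NewMsExchHomeServerName -AutoSize
```

    In a real run the input would come from the Get-QADUser query shown above, and each reviewed row would then be applied with Set-QADUser together with the fixed homemta value.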

    A sidenote to this method is that you won’t actually see the mailboxes appear in Exchange System Manager until either they receive an email or a user logs on to them. To prove that this method had worked I created a quick Distribution Group, used the below one-liner to populate it with all of the above users and then sent an email to this group.

    Get-QADUser -ldapFilter '(msExchHomeServerName=*ExchangeServer*)' -sizelimit 0 | Add-QADGroupMember TestGroup

    There are of course many different ways to carry out Exchange DR, but this proved a useful exercise.

  • Powershell Active Directory One-Liners

    Posted on January 6th, 2009 Jonathan Medd No comments

    Recently I blogged about some scripts I left behind in my previous employment for managing AD – really a lot of them were just quick one liners. Not that that is necessarily a bad thing, one of the best things for me about Powershell is the way you can get great information with very little effort. Of course I am using my good friend the Quest AD cmdlets.

    I thought I’d share a few of them:

    Find Expired Users:

    On the theme of cleaning out AD, find user accounts which have expired.

    Get-QADUser -searchroot domain.local/resources/users -SizeLimit 0 -ldapFilter '(pwdlastset=0)' | ft name,passwordlastset

    Find Users Not Logged in Since X Days:

    On the same theme, supply X ‘how many days to go back’ and find users who haven’t logged in during that time. (OK I cheated on the one line a bit on this one)

    $now=get-date; $daysSinceLastLogon = X; Get-QADUser -sizeLimit 0 -SearchRoot domain.local/resources/users | where {$_.lastlogontimestamp.value -and (($now-$_.lastlogontimestamp.value).days -gt $daysSinceLastLogon)} | ft name,lastlogontimestamp

    Note: X needs to be more than 14 days to allow for the lastlogontimestamp attribute to have replicated.


    Find Users Whose Password is set to Not Expire:

    Keep tabs on those naughty administrators who think they can exempt themselves from the corporate password policy – you know who you are!

    Get-QADUser -Sizelimit 0 -SearchRoot domain.local/resources/users -PasswordNeverExpires $True | ft name


    How Many Users in Active Directory?

    Need to keep track of an expanding user population? Need to figure out how many CALs you need? Easy.

    Get-QADUser -DontUseDefaultIncludedProperties -SearchRoot domain.local/resources/users -SizeLimit 0 | Measure-Object

    Enjoy!