Thursday, July 13, 2017

Get All Windows Services account that are configured to use a domain account in the trusted network

Hi
This small script will get all the services that are configured with a RunAs account
The service will be using several possible accounts like LocalSystem , Network Services.. and also a domain account.
The common thing is the service that will be using a domain account should have the UPN (FQDN) or SamAccountName (NetBIOS)

$Netbios=(Get-ADDomain).NetBIOSName #Get the Domain NetBIOS Name
$fqdn=(Get-ADDomain).dnsroot #Get the Domain FQDN Name

#The WMI Query that will be used
$WMIQuery="select * from Win32_Service where startname like '$Netbios%' or startname like '%$fqdn'"

#Getting computer list from AD, you can use the filter that fit your criteria, in my case, I have used a computer name as my filter criteria, you can use the search base.
Then I am executing the gwmi Get-WMIObject on the computer I got from the pipeline 
Get-ADComputer -Filter {name -like "*MyServers*"} | foreach {gwmi -ea SilentlyContinue -ComputerName $_.DNSHostName -Query$WMIQuery}  |ft -AutoSize SystemName,caption,startname 

The result should be something like this.

SystemName                       caption                                         startname        
----------                               -------                                             ---------        

HQ-SRV-N1       SQL Server Reporting Services                  Domain\report

Friday, January 13, 2017

Microsoft Direct Access Failed After Migration, V2V,P2V or changing nic adapter

To make long story short.
This happense because the Network Adapter (NIC) GUID in the GPO is not exist in the server.
Backup the DirectAccess Server GPO.
Edit the registry.pol (using 3rd party software)
Import it again to the server.
Enjoy your weekend

Full Story.
You are using MS DA (Microsoft Direct Access) and users are happy (as well as you hopefully).
But in some cases were you have to perform V2V or P2V or what ever kind of migration from one server to another, or from one hypervisor to anohter.
After the a successful VM migration, you start with the hypervisor tools install/upgrade.
Add the IP address to the nics and the server seems to be OK.
But DA failed and client are stucked in Connecting... state. 

So whats going on.
- DA Store its configuration as a GPO and link it with the top level domain, and use Security Filter to apply the settings to the DA Server.
All DA settings are stored in the GPO and so the IP Addresses and GUID for the network interface used.
As new drivers are presented to the server DA Server, a new Network Drivers are also presented with new GUID, which simply dont match the one in the GPO.
The Server will try to apply the GPO setting and will find a mismatch and will failed to apply the policy.
So if you open DA console > Operations Status

Click on DirectAccess and VPN

Click on Remote Access Server
You may find the configuration mismatching with the correct configuration and also you cannot change any option, its all grayed out.


Continuing the wizard and trying to apply the policy will failed.

How to Fix
As I mention earlier, the Network GUID stored in the GPO are for the old NIC which are no longer exist.
Open the DA GPO > Settings > Policies > Administrative Templates > Extra Registry Settings.
and write down the following 

This is the GUID for the old NIC and we need to update these value with GUID for the new NIC 
To Get the Current GUID that are assigned with each network interface, use the following powershell command

Get-WmiObject -Query "select * from win32_networkadapter" | select GUID,NetConnectionID | where {$_.GUID -notlike $null} | ft -AutoSize

The return result are something like:
GUID                                   NetConnectionID
----                                           ---------------
{3DD2D838-35A2-4E05-8A4A-364F8801FCA5} External (The External Interface)
{5D946A6A-63A5-4FFA-951D-A7421EA2068D} Internal (The Internal Interface)

These GUID should be updated in the GPO, and as I did not find a way to directly edit (Extra Registry Settings), I backup DA GPO, and save it some where.
To update these value we need to download and install the following application Registry Workshop
Run the application and open the location you stored the backup GUID\ Domainsysvol\GPO\Machine\Registry.pol
Expand the tree to the following directory


double click on InternalInterface and replace it with the new GUID you get from the powershell script, and same for the InternetInterface, save the file and close the application.
make sure that the replication is finished.
Run Gpupdate /force /target:computer
Open again Remote Access Management (DA Console) > DirectAccess and VPN > Remote Access Server and you will see the configuration are now correct
Click next and update with the correct values



reboot
happy working Direct Access
You may get a DNS Warning, just simple remove the DNS Servers from the Infrastructure Server and re-add them.



Wednesday, October 26, 2016

A File I/O error occurred while accessing ". VMWare Converter



I like VMWare converter as it save a lot of time when it come to P2V or V2V.
Recently I faced a strange error
 
I checked that I ran the application as Administrator and have full permission on the machine and on the vCenter.
To make long story short.
It was a DNS Settings on the nic interface Issue
even I used vCenter IP address insted of name, but it seems that the converter is doing a reverse lookup for a reason, maybe some certificate validation.
anyway.
once I updated the DNS settings on the nic, the converter continue normal and was sucess

Monday, October 24, 2016

Enter Maintenance Move For ESXi Standard using PowerCLI

I dont know why ESXi Standard Edition had some dummy limitation.
Like when i wana place a server in maintenance mode, I have to manually move all the VM to another server and then it can go to maintenance mode.
its really something silly, as its a very basic feature. anyway
I made a quick script that can migrate all VMHost to another and place the server in maintenance mode.
the script also will do basic check to see if the destination server can handle the load

param(
[parameter(mandatory=$True)]$FromVMHostName,
[parameter(mandatory=$True)]$ToVMHostName
)

try{
    if ($global:DefaultVIServer.count -eq 0){
        write-host "Please Connect to vCenter using Connect-VIServer first" -ForegroundColor Green
       }

    write-host "Performing Server Basic Readiness"
    [int]$FreeRAMOnDestServer=(Get-VMHost -Name $ToVMHostName -ErrorAction Stop).MemoryTotalGB - (Get-VMHost -Name $ToVMHostName -ErrorAction Stop).MemoryUsageGB
    [int]$UsedRAMOnSourceServer=(Get-VMHost -Name $FromVMHostName -ErrorAction Stop).MemoryUsageGB
    if ($FreeRAMOnDestServer -le $UsedRAMOnSourceServer){
    Write-Host "No enough memory on the destination server for migration to complete" -ForegroundColor Red
    Break
    }


    $VmOnHost=Get-VM -ErrorAction Stop| where{$_.host -like $FromVMHostName}
    $I=0
        foreach ($sVM in $VmOnHost){
   
        Write-Progress -Activity "Migrating VM... Please Wait" -Status "Moving $sVM To $ToVMHostName" -PercentComplete ($I/$VmOnHost.Count*100
        Move-VM -VM $sVM.Name -Destination $ToVMHostName
        $I++
        }


    }

    Catch [exception]{
        Write-Host $_.Exception.message
    }


Finally{

if ((Get-VM | where{$_.host -like $FromVMHostName}).count -eq 0){Set-VMHost $FromVMHostName -State Maintenance}

}


If you have any comment or update for this. let me know in the comment
also give a thumb up if you like :)

Monday, May 2, 2016

VMWare PowerCLI - Connecting to Esxi Server and get ESXi hosts Part 2

In part 1 Getting command and remote connection, I write about how to import PowerCLI modules to be able to execute commands.
Now I will write about how to connect, and where.
Depend on the requirement, you may want to connect to ESXi host or vCenter in order to perform an operation.
Most of the operation can be executed direct after connecting to vCenter, but incase and for a reason vCenter is not available you might connect direct with ESXi Host insted of connecting to vCenter.
Lets assume that we want connect to vCenter and get all the host in all the clusters.
We can use the following commands

#Import Vmware Module
Add-PSSnapin VMware.VimAutomation.Core
#We Will ask the user to write the username and password for vSphere, you can comment this line if your
#vCetner is joined to the domain and you are connected to a domain joined computer
$viCredential = Get-Credential -Message "Please Write your vCenter username and password"
#This command will be used to connect to Esxi Server or vCenter
#You can remote the -Credential $viCredential, if your using domain joined computer and your vCenter is
#Joined to the domain
Connect-VIServer MyvCenterServer -Credential $viCredential
#Get all the Servers in the vCenter in all clustered
Get-VMHost | Format-Table -AutoSize name, NumCpu, ConnectionState
#Close the remote connection
Disconnect-VIServer * 

As you can see the main steps are
1- Make sure that you have the module or import then as I explained in part 1
2- Connect-VIServer is used to connect with ESXi host or with the vCenter, in my case I will connect with vCenter
you can remove the -Credential $viCredential if your Esxi hosts and vCenter are joined to the domain and the computer you are using is domain joined computer.
Get-VMHost can be used to get Esxi hosts piping this command to Format-Table it mean that we want to have custom properties in the returned table.
-Autosize will make the columns close to each other.
name, NumCpu, ConnectionState, are properties we want show in the table.
The output will be something like this

Name              NumCpu ConnectionState
----              ------ ---------------
esxi01.lab.local     32       Connected
esxi02.lab.local     32       Connected
esxi03.lab.local     32       Connected
esxi04.lab.local     32       Connected
esxi05.lab.local     32       Connected
esxi06.lab.local     32       Connected
esxi07.lab.local     32       Connected
esxi08.lab.local     32       Connected
esxi09.lab.local     32       Connected
esxi10.lab.local     32       Connected
esxi11.lab.local     32       Connected
esxi12.lab.local     32       Connected
esxi13.lab.local     32       Connected
esxi14.lab.local     32       Connected
esxi15.lab.local     32       Connected
esxi16.lab.local     32       Connected

Disconnect-viserver * will disconnect all the open session to all VI Servers (ESXi host or vCenter).

If you want to show different properties in the table, you can Pipe Get-VMHost to get-member
so the command will be like Get-VMHost | get-member
Just Run the command above after you connect to vCetner, the result will be like the following

Name                  MemberType
----                  ----------
ConvertToVersion          Method
Equals                    Method
GetHashCode               Method
GetType                   Method
IsConvertableTo           Method
LockUpdates               Method
ToString                  Method
UnlockUpdates             Method
ApiVersion              Property
Build                   Property
Client                  Property
ConnectionState         Property
CpuTotalMhz             Property
CpuUsageMhz             Property
CustomFields            Property
DatastoreIdList         Property
DiagnosticPartition     Property
ExtensionData           Property
FirewallDefaultPolicy   Property
HyperthreadingActive    Property
Id                      Property
IsStandalone            Property
LicenseKey              Property
Manufacturer            Property
MaxEVCMode              Property
MemoryTotalGB           Property
MemoryTotalMB           Property
MemoryUsageGB           Property
MemoryUsageMB           Property
Model                   Property
Name                    Property
NetworkInfo             Property
NumCpu                  Property
Parent                  Property
ParentId                Property
PowerState              Property
ProcessorType           Property
State                   Property
StorageInfo             Property
TimeZone                Property
Uid                     Property
Version                 Property
VMSwapfileDatastore     Property
VMSwapfileDatastoreId   Property
VMSwapfilePolicy      Property

You can add any Property value to the pipe, lets assume u wana get a list of VMHost in a table and view only PowerState,Name,ProcessorType        

#Import Vmware Module
Add-PSSnapin VMware.VimAutomation.Core
#We Will ask the user to write the username and password for vSphere, you can comment this line if your
#vCetner is joined to the domain and you are connected to a domain joined computer
$viCredential = Get-Credential -Message "Please Write your vCenter username and password"
#This command will be used to connect to Esxi Server or vCenter
#You can remote the -Credential $viCredential, if your using domain joined computer and your vCenter is
#Joined to the domain
Connect-VIServer MyvCenterServer -Credential $viCredential
#Get all the Servers in the vCenter in all clustered
Get-VMHost | Format-Table -AutoSize PowerState, Name, ProcessorType
#Close the remote connection
Disconnect-VIServer * 


VMWare PowerCLI - Getting command and remote connection Part 1

Recently we purchase VMware ESXi 6.0 Standard Edition, we did not go for Enterprise Plus edition which have the DRS and other nice feature due to budgets issue.
In my environment we have 16 ESXi host configured as 3 cluster
- Production
- DMZ
- MGMT (vCenter - SRM - vOps)
After installing ESXi, it come the boring part which is doing the configuration 16 time for each host as we dont have DRS
The Configuration include the following:
  • vSwitch
    • NIC Teaming Policy
    • VMKernel
    • Security Profiles
  • Virtual PortGroup
    • I have a lot.. 
  • NTP Configuration
  • Start and stop services
And other details, doing this on server by server is a real time wasting, luckily VMWare have PowerCLI which is a Powershell module for ESXi, you can download and read about it here
As any other module or new module I have to work with the first thing to do is to import the module and discover its commands.
Run the following command on the computer were you install PowerCLI

    Get-Module -ListAvailable -Name vmware* | select name


The result will return the following modules


Name
----
VMware.VimAutomation.Cis.Core
VMware.VimAutomation.Cloud
VMware.VimAutomation.Core
VMware.VimAutomation.HA
VMware.VimAutomation.License
VMware.VimAutomation.PCloud
VMware.VimAutomation.SDK
VMware.VimAutomation.Storage
VMware.VimAutomation.Vds
VMware.VimAutomation.vROps
VMware.VumAutomation


The main module we will use it VMware.VimAutomation.Core, which include almost everything we need
you can import the module using PowerShell_ISE 

Once you import the module you will be able to see the module name in the module list, by selecting it all the command will appear in the list which will make your life easier.
Or if you want you can use the PowerCLI itself to access the ESXi Command and list them by using
get-command -Module VMware.VimAutomation.Core

Now you are ready to go :)

If you dont have PowerCLI installing in your computer and u wana import the command from remote server that have ESXi modules installed, you can use the following script

$RemoteCLI = New-PSSession -ComputerName PowerCLIServer
Invoke-Command -Session $RemoteCLI -ScriptBlock { Import-Module VMware.VimAutomation.Core }
Import-PSSession $RemoteCLI

Now you have ESXi Powershell modules and you can use then to execute and ESXi command

In My Next Post I will write about also basic understanding for PowerCLI and how to start using its commands

Hope this help

Like it, Share it, or comment on what you want
Hope this help as a start yet more interesting information are coming.
 

Friday, April 17, 2015

You need to type your username and password when browsing website directly from the IIS Server, but from another client computer it work normally

You are in your office, you login to Windows Server that host IIS, and browse a hosted website which is Windows Authentication Enabled using the configured host header "Lets say the website Host Header is CompanyProtal".
You are prompted to type your username and password.
You open your client computer and try to access the same site by using the configured host header, and the site work correctly without having to write your username and password.

In a close look to Windows Security Event Log you will see a failed login event recorded
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process: Ðùº
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: IP_Address
Source Port: Port_Number

If you try to bind the site with IP address (Not loopback address)it will work as expected.

So whats going on?
This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

So do you need it?
The recommendation is yes, but for some reason you may need to turn it off, maybe some websites are communicating on the server using the some custom host header.

How to Disable it.
Like most of Microsoft tweaks, its a registry value that you change.

There are 2 type to workaround:
1- Recommended which to specify the host names
2- Totally disable the loopback check (Not recommended).

So Lets start
Method 1: Specify host names (Preferred method if NTLM authentication is desired)
https://support.microsoft.com/en-us/kb/896861

  1. Go to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
  2. Right-click MSV1_0 and select New->Multi-String Value.
  3. Type “BackConnectionHostNames” as the name and press Enter.
  4. Right-click the newly created entry and select Modify.
  5. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK
  6. Quit Registry Editor, and then restart the IISAdmin service.



Method 2:
This method will totally disable the loopback back and its not recommended in your production, you may use it in development or testing environment 
  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key:
  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  4. Right-click Lsa, point to New, and then click DWORD Value.
  5. Type DisableLoopbackCheck, and then press ENTER.
  6. Right-click DisableLoopbackCheck, and then click Modify.
  7. In the Value data box, type 1, and then click OK.
  8. Quit Registry Editor, and then restart your computer
Or use Powershell Command 

New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -value "1" -PropertyType dword


Hope that help


Wednesday, February 4, 2015

Read and Export Folder ACL using Powershell

Good day
I have a small old file server with 2 TB of users data and I dont which users have which permission on the folder structure.
There are some tools but most of them are paid, but even in some paid tools I wont be able to do some filtering like exclude Inherided Folder or do not include some certain account like "System or Creator Owner...", so why to buy anything when there is PowerShell
I wrote a script that will read all the folder tree and then export it to csv file
This script have 4 Parameters

.PARAMETER $PathToScan Write the Folder Path you want to scan

.PARAMETER $PathToSaveResult
After Finish scanning the Script will save result to CSV, Please write the full path to store the result

.PARAMETER $IncludeInheritedFolder
Whether or not to include Inherited Objects, Accpted values $True or $False

.PARAMETER $SysBuiltin
Whether to include System account "NT Authority and Builtin" accounts, Accpted values $True or $False

To use the Script:

GetACL.ps1 -PathToScan C:\FolderToScan -PathToSaveResult C:\MyOutput.csv -IncludeInheritedFolder $TRUE or $FALSE -SysBuiltin $TRUE or $FALSE


Always make sure you are running the lastest version of PowerShell and .Net Framework

param
    (
        [Parameter(Mandatory = $true,
             HelpMessage = 'Write the Folder Path you want to scan')]
             [ValidateNotNullOrEmpty()]
        [string]
        $PathToScan,
        [Parameter(Mandatory = $true,
             HelpMessage = 'After Finish scanning the Script will save result to CSV, Please write the full path to store the result')]
             [ValidateNotNullOrEmpty()]
        [string]
        $PathToSaveResult,
        [Parameter(Mandatory = $true,
             HelpMessage = 'Whether or not to include Inherited Objects, Accpted values $True or $False ')]
             [ValidateNotNullOrEmpty()]
        [bool]
        $IncludeInheritedFolder,
        [Parameter(Mandatory = $true,
             HelpMessage = 'Whether to include System account "NT Authority and Builtin" accounts, Accpted values $True or $False')]
            [ValidateNotNullOrEmpty()]
        [bool]
        $SysBuiltin
    )
    
$Folderslist = Get-ChildItem $PathToScan -Recurse -Directory #Read all the folder details with the subtree
$Myobj = New-Object -TypeName PSObject #Create an object to save the returned result

Add-Member -InputObject $Myobj -MemberType NoteProperty -Name Username -Value $null 
Add-Member -InputObject $Myobj -MemberType NoteProperty -Name AccessType -Value $null
Add-Member -InputObject $Myobj -MemberType NoteProperty -Name Righttype -Value $null
Add-Member -InputObject $Myobj -MemberType NoteProperty -Name Path -Value $null
Add-Member -InputObject $Myobj -MemberType NoteProperty -Name Inherited -Value $null

foreach ($singleFolder in $Folderslist) #To read Each Folder Details from $Folderslist
{
    try
    {
        
        $Access = Get-Acl -Path $singleFolder.PSPath | select $singleFolder.PSPath -ExpandProperty access #Read the Access property which hold the users ACL
        
        foreach ($single in $access) #As $Access are array, we need to read objects 1 by 1 and store them in $MyObj
        {
            
            $Myobj.Path = Convert-Path $singleFolder.PSPath 
            
            If ($SysBuiltin -like "True") { $Myobj.Username = $single.IdentityReference } #If $SysBuiltin Param was $True then Include all the value in the $access.IdentityReference "IdentityReference is the user object"
            if (($SysBuiltin -like "False") -and (($single.IdentityReference -like "NT AUTHORITY*") -or ($single.IdentityReference -like "BUILTIN\*") -or ($single.IdentityReference -like "*CREATOR OWNER*"))) { continue } #if SysBuiltin Param was $False then do not include these users or group
            
            $Myobj.AccessType = $single.FileSystemRights #What Kind of Access IdentityReference "User / Group Have"
            $Myobj.Inherited = $single.IsInherited #Store the Inheritance value
            
            If ($IncludeInheritedFolder -like $true) { $Myobj.Inherited = $single.IsInherited } 
            if (($IncludeInheritedFolder -like $false) -and ($single.IsInherited -like $true)) { continue } #If $IncludeInheritedFolder was $False, Do not parse retured result with Inherited items
            $Myobj.Righttype = $single.AccessControlType
            $Myobj.Username = $single.IdentityReference
            
            Export-Csv -InputObject $Myobj -Append -Path $PathToSaveResult -NoTypeInformation -Encoding UTF8 #Save the result to the Path as in $PathToSaveResult
        }
    }
    Catch #Catch Any Error and write it
    {
        Write-Host $Error[-1].Exception
        
    }
    
}

Saturday, January 31, 2015

Notepad++ Send a message to the world #JeSuisCharlie

Good day
Notepad++ is a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages. Running in the MS Windows environment, its use is governed by GPL License.
Today I updated my Notepad++, Once I open the installation finished, and I ran Notepad++ I got a message written on Notepad++ that says

Freedom of expression is like the air we breathe, we don't feel it, until people take it away from us.

For this reason, Je suis Charlie, not because I endorse everything they published, but because I cherish the right to speak out freely without risk even when it offends others.
And no, you cannot just take someone's life for whatever he/she expressed.

Hence this "Je suis Charlie" edition.
- #JeSuisCharlie

This version of Notepad++ have Je suis Charlie in the about


One more thing about Notepad++ is, you will see Notepad++ in windows 10 as a replacement for Windows Notepad.

Sunday, November 30, 2014

Block Outlook from connecting to Public Folder

In some cases, you may need to prevent outlook to connect to Exchange Public Folder.
I had a case where Outlook 2010/2013 is connecting to a remote exchange server, connecting to public folder cause some connection delay.
These client dont need to use Exchange Public Folder, so its better to disable Public Folder Connection.

Now you have 2 options:
1- Delete Public Folder.
2- Prevent Outlook from connecting to public folder

Today I will talk about how to prevent outlook 2010/2013 from connecting to Public Folder.

To do so you will need to create/edit a small registry value called
Name: HasPublicFolders
Value: 0
Type: DWORD

The Path for this value is HKEY_CURRENT_USER\Software\Microsoft\Exchange\Setup
If the Setup Key is not exist, then simply create it and then create the DWORD value


You can automatically create the key and the value using the following CMD line

reg add HKCU\Software\Microsoft\Exchange\Setup /f /v HasPublicFolders /t REG_DWORD /d 0 

The line is explained as the following
REG: is the cmd registry controling tool 
ADD: parameter to tell the reg tool that you are adding / creating a key or a value
HKCU...: The path of the key you want to create the value under, if the key is not exist then it will be created
/f : To force overwrite the value if exist
/v: Value Name
/t: Type of the value
/d: parameter after the /d is the value of the entry, in this case it is 0

for more information about REG tool you click here (http://technet.microsoft.com/en-us/library/cc732643.aspx)


Hope you like it, feel free to leave you comment below and share it with your friend to support me :)