Showing posts with label Powershell. Show all posts

Tuesday, December 1, 2020

Get Zerologons CVE-2020-1472 using PowerShell

Find attached a script to get all systems that still make vulnerable Netlogon secure channel connections (Zerologon, event 5829), as described in CVE-2020-1472. I want to upload this script to my TechNet gallery, but MS changed it all so I can't access it...

More information about this topic and how to handle the update process:

https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e

You can change the event to find other objects like trusts etc.

# --------------------------------------------------------------------------------------------------------
# Author: Tim Buntrock
# Script: Get_ZeroLogons5829.ps1
# Description: Get all machinesamaccountnames that appear in Event 5829, to find systems using zerologon!
# --------------------------------------------------------------------------------------------------------


# Prepare Variables
Param (
        [parameter(Mandatory=$false,Position=0)][String]$DCName = "localhost",
        [parameter(Mandatory=$false,Position=1)][Int]$Minutes = 15)

# Create an Array to hold the values
$InsecureNetLogons = @()

# Grab the appropriate events
$Events = Get-WinEvent -ComputerName $DCName -FilterHashtable @{Logname='System';Id=5829; StartTime=(get-date).AddMinutes("-$Minutes")}

# Loop through each event
ForEach ($Event in $Events) {
    $eventXML = [xml]$Event.ToXml()
    $Client = ($eventXML.event.EventData.Data[0]) #get Machinesamaccountname
    # Add Them To a Row in our Array
    $Row = "" | select Client
    $Row.Client =$Client
    # Add the row to our Array
    $InsecureNetLogons += $Row    
}

# Dump it all out to a CSV and open gridview
Write-Host $InsecureNetLogons.Count "records found ... saving unique entries to .\InsecureNetLogons.csv for DC" $DCName -ForegroundColor DarkYellow
$InsecureNetLogons | Sort-Object -Unique -Property Client| Export-CSV -NoTypeInformation .\InsecureNetLogons.csv
$InsecureNetLogons | Sort-Object -Unique -Property Client| Out-GridView
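
The post notes that other event IDs cover trusts and similar objects. As an added example (not the author's script), the following collects all five Netlogon event IDs described in the linked Microsoft article from several DCs and tells "no events" apart from "DC could not be queried". The $Meaning table, the variable names and the output file name are assumptions of this example.

```powershell
# Added example, not part of the original post.
param(
    [string[]]$DCName = @('localhost'),   # assumption: pass every DC you want to check
    [int]$Minutes = 15
)

# Event IDs as described in the Microsoft article linked in the post
$Meaning = @{
    5827 = 'Denied - machine account'
    5828 = 'Denied - trust account'
    5829 = 'Allowed - vulnerable connection (initial deployment phase)'
    5830 = 'Allowed by group policy - machine account'
    5831 = 'Allowed by group policy - trust account'
}
$filter = @{
    LogName   = 'System'
    Id        = [int[]]@($Meaning.Keys)
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}

$rows = foreach ($dc in $DCName) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events" is the good case; anything else means this DC was NOT checked
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        [pscustomobject]@{
            DC      = $dc
            EventId = $e.Id
            Meaning = $Meaning[$e.Id]
            # Keep all insertion strings in event order instead of picking one by position
            Details = ($e.Properties | ForEach-Object { $_.Value }) -join ' | '
        }
    }
}

# One row per distinct DC / event ID / account details, with the number of occurrences
$summary = $rows | Group-Object DC, EventId, Details | ForEach-Object {
    $g = $_
    $g.Group[0] | Select-Object DC, EventId, Meaning, Details, @{Name='Count'; Expression={$g.Count}}
}
$summary | Sort-Object DC, EventId | Export-Csv -NoTypeInformation .\NetlogonSecureChannelEvents.csv
$summary | Sort-Object DC, EventId | Format-Table -AutoSize
```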

Thursday, February 20, 2020

PowerShell Get LDAP limits / Default Query Policy

Hi guys,
to get the LDAP limits defined in the Default Query Policy, just run the following PowerShell snippet. Before you do so, replace DC=DOMAIN,DC=ZZ with your domain!

Get-ADObject -Filter 'ObjectClass -eq "querypolicy"' -SearchBase 'CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=ZZ' -Properties lDAPAdminLimits | foreach {$_.lDAPAdminLimits}

Tuesday, December 17, 2019

PowerShell Get Domain Controller OS and hardware infos

You can use the following script to receive the following information:

ComputerName
OperatingSystem
Memory in GB
CPU


$DCs = Get-ADDomainController -Filter *

foreach ($DC in $DCs) {
    # Use the DNS host name; $DC itself is an ADDomainController object
    $Name = $DC.HostName
    if (-not (Test-Connection -ComputerName $Name -Quiet -Count 1)) {
        Write-Verbose -Message "The DC [$Name] is offline."
    } else {
        $os  = Get-CimInstance -ComputerName $Name -ClassName Win32_OperatingSystem
        $mem = [math]::Round((Get-CimInstance -ComputerName $Name -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
        $cpu = Get-CimInstance -ComputerName $Name -ClassName Win32_Processor
        [pscustomobject]@{
            ComputerName    = $Name
            OperatingSystem = $os.Caption
            Memory          = $mem
            CPU             = $cpu.Name
        }
    }
}

Tuesday, November 12, 2019

Get all DFS Folder targets of a DFS path

Find attached the script to get the DFS folder targets. The targets will be saved to c:\temp\DFSFolderTargets.csv. Just change the variable $DFSPath = "\\Domainfqdn\Folder\*" to your DFS path.

$DFSPath = "\\Domainfqdn\Folder\*"
$DFSPath
$DFSNFolders = Get-DfsnFolder $DFSPath
foreach($DFSNFolder in $DFSNFolders )
    {
    $DFSTarget = Get-DfsnFolderTarget $DFSNFolder.Path | Select Path,TargetPath
    $DFSTarget | Export-Csv "c:\temp\DFSFolderTargets.csv" -NoTypeInformation -Append
    }

Thursday, October 24, 2019

PowerShell Get a list of IPs from DNS Names

Requirements:

You need a file C:\temp\server.csv. This file has all the names in it, one per line.

server1
server2
server3
server4

And the script to get all IPs.

$names = Get-Content C:\temp\server.csv
foreach ($name in $names )
    {
    [System.Net.Dns]::GetHostAddresses("$name") | select -ExpandProperty IPAddressToString
    }

Thursday, July 4, 2019

Tuesday, May 14, 2019

PowerShell 7 coming soon

In the following post Steve Lee explains why it is PowerShell 7 and not 6.3.
https://devblogs.microsoft.com/powershell/the-next-release-of-powershell-powershell-7/

They will remove "Core" from the name... That makes sense if you look at .NET Core 3.0, which will be used for PS 7: it should have all the underlying APIs and high compatibility with Windows PowerShell 5.1. So you don't have to struggle with compatibility issues like in previous PS Core versions. It sounds like the perfect mix of Windows PowerShell and PowerShell Core.

Microsoft said that PowerShell 7 should be available May 2019!

Friday, October 12, 2018

Start Windows PowerShell using Keyboard shortcuts

Run as User:  WIN + x in the menu press i

Run as Admin: WIN + x in the menu press a

Friday, September 7, 2018

Start Azure VMs using PowerShell workflow

Today I provide you two scripts to start your Azure VMs in a specified Subscription. The first script will start some VMs and the second will start all VMs of your Subscription.

Wednesday, August 29, 2018

Get number of most common Microsoft Exchange resources using PowerShell

Get number of most common Microsoft Exchange resources using PowerShell.

SCRIPT:
# get number of resources and save it into variables
$Mailboxes = (Get-Mailbox -ResultSize Unlimited).count
$UserMailboxes = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox).count
$RoomMailboxes = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails RoomMailbox).count
$SharedMailboxes = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox).count
$Contacts = (Get-Contact -ResultSize Unlimited).count

Monday, August 6, 2018

Learn PowerShell Core 6.0

Folks,

a new book about PowerShell Core 6.0 has been released. If you are interested in PS, you should check it out...

https://www.packtpub.com/networking-and-servers/learn-powershell-core-60#

What You Will Learn:
– Get to grips with Powershell Core 6.0
– Explore basic and advanced PowerShell scripting techniques
– Get to grips with Windows PowerShell Security
– Work with centralization and DevOps with PowerShell
– Implement PowerShell in your organization through real-life examples
– Learn to create GUIs and use DSC in production

BR
Tim

Friday, July 13, 2018

PowerShell: Get Files on your SYSVOL that are greater than 1 MB

Folks,

you can use the following script, to get files on your SYSVOL that are greater than 1 MB and save the output to CSV and XLSX. ADM Files will be excluded.

Download my script on SPICEWORKS

Have a nice day.

Cheers,
Tim

Tuesday, July 10, 2018

lastLogon vs lastLogonTimestamp vs lastLogonDate - explained

Today I want to write about these "last logon" attributes... This can be a little confusing if you check it on the internet. So with my post I will try to explain it simply.

lastLogon 
lastLogon is only updated on the Domain Controller where the logon actually happened, and it is not replicated. It is updated after each interactive logon.
An interactive logon to a computer can be performed either locally, when the user has direct physical access, or remotely, through Terminal Services, in which case the logon is further qualified as remote interactive.

Wednesday, June 20, 2018

PowerShell Get and copy LAPS generated Admin password to clipboard V2

My new script just gets the Administrator password generated by LAPS and saves it to the clipboard.
You just have to enter the computer name.
The password will be shown in your PS Console and copied to your clipboard.

https://gallery.technet.microsoft.com/Get-and-copy-LAPS-0a9bb700?redir=0

Monday, June 18, 2018

Monday, May 14, 2018

How to find largest files using Powershell


If your hard drive is running out of space, you need to know which files are causing this issue!
To establish this we will use Get-ChildItem.
Use the following command to get the top three files.
Get-ChildItem -r| sort -descending -property length | select -first 3 name, Length



The Length will be displayed in bytes. If you have large files it's better to display it in megabytes, so let's convert the Length property into MB.
Get-ChildItem -r|sort -descending -property length | select -first 3 name, @{Name="Megabytes";Expression={[Math]::round($_.length / 1MB, 2)}}



Now we have the files, but where are they located? Just select DirectoryName as well to get the location.
Get-ChildItem -r|sort -descending -property length | select -first 3 name, DirectoryName, @{Name="Megabytes";Expression={[Math]::round($_.length / 1MB, 2)}}


Wednesday, April 18, 2018

How to find all AD Users with a specific profilepath or homeDirectory


If you want to search for a specific homeDirectory or profilepath that is assigned to users, you have to filter on this path.

So let's assume you have a DFS share named \\domain.com\DFSShare\User and this share holds all homeDirectories. To find all users using this path, you might expect that a query like this works:
Get-ADUser -Filter "homedirectory -like '\\domain.com\DFSShare\User*'" -Properties homedirectory | select samaccountname, homedirectory

If you run this line, the output will be empty, even if some users are using this share as homeDirectory.

Why? A network path has backslashes, and a backslash "\" is a special character. Therefore, if you filter on those paths, you have to replace every \ with \5c.

For more information check out the following MS article:

If we do that our PowerShell query looks like this:
Get-ADUser -Filter "homedirectory -like '\5c\5cdomain.com\5cDFSShare\5cUser*'" -Properties homedirectory | select samaccountname, homedirectory

Now we see all users that have a homeDirectory located in \\domain.com\DFSShare\User
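
The backslash is one of several characters that need this treatment in an LDAP filter value. As an added example (not from the original post), the function below applies the RFC 4515 escapes for \ * ( ) and NUL and builds the same home directory search with -LDAPFilter instead of -Filter; the function name ConvertTo-LdapFilterValue and the second sample value are constructed for this illustration.

```powershell
# Added example, not part of the original post.
function ConvertTo-LdapFilterValue {
    # Escape the characters that are special inside an LDAP filter value
    # (RFC 4515): \ -> \5c, * -> \2a, ( -> \28, ) -> \29, NUL -> \00
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value
    )
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m)
        '\{0:x2}' -f [int][char]$m.Value
    })
}

# Path from the post; the trailing * is added AFTER escaping so it stays a wildcard
$homeRoot   = '\\domain.com\DFSShare\User'
$ldapFilter = '(homeDirectory={0}*)' -f (ConvertTo-LdapFilterValue $homeRoot)
Write-Host "LDAP filter: $ldapFilter"

# Constructed value: parentheses and a literal asterisk in user-supplied text
# must not be able to change the structure of the filter
$userInput  = 'Share (old)*'
Write-Host "Escaped input: $(ConvertTo-LdapFilterValue $userInput)"

# Run the query only where the ActiveDirectory module is available
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    Get-ADUser -LDAPFilter $ldapFilter -Properties homeDirectory |
        Select-Object SamAccountName, homeDirectory
}
```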



Thursday, April 5, 2018

Syncing NPS Settings between two servers

If you want redundancy, you need a second server running NPS with all the settings required to handle requests from your RADIUS clients. Network devices typically allow you to specify multiple RADIUS servers in their configuration using a shell or web interface. If you have two servers, you have to define a "Master Radius Server": you make all configuration changes on this server, and these changes are then imported on the second server. You can sync your NPS configuration manually via the GUI or with a PowerShell script that runs in a scheduled task. Find attached a picture that shows this process.




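The following script can be used to sync your NPS configuration between two servers. The path C:\admin\NPS\Backup\ must be available on both servers. Just create it or add the creation to the script. The exported XML contains the RADIUS shared secrets in clear text, so restrict access to this folder.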


# Get date
$date = get-date -Format yyyy_MM_dd
# Export NPS config
Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig_$date.xml
Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig.xml
# Destination Server
$NPSDestServer = "SecondRadius"
# Copy config to destination server
Copy-Item -path C:\admin\NPS\Backup\NPSConfig.xml -destination \\$NPSDestServer\C$\admin\NPS\NPSConfig.xml
# Back up the current config on the destination server first
Invoke-Command -ComputerName $NPSDestServer -ScriptBlock {Export-NPSConfiguration -Path C:\admin\NPS\Backup\NPSConfig.xml}
# Import new config
Invoke-Command -ComputerName $NPSDestServer -ScriptBlock {Import-NPSConfiguration -Path C:\admin\NPS\NPSConfig.xml}


Just copy this script to your Master Radius, change $NPSDestServer = "SecondRadius" to match your second NPS server name and create a scheduled task that executes this script.

Monday, March 26, 2018