This post really has little to do with security or hacking but I'm throwing it up here because I'm really enjoying playing with powershell and learning loads of new ways of doing things.
This page is really going to be a bit of a repository for scripts and one-liners that I have found useful, and I want a place to keep them for reference. If anyone else finds a use for them then that's great too. If anyone has any questions or comments about them then please ask and I'll try to help.
Active Directory Admin
# Point the Quest AD cmdlets at a specific domain controller rather than the default one
# (handy when you want attributes that are tracked per-DC, such as last-logon data, from
# the DC that actually services the users).
$dc = 'server.company.com'
Connect-QADService -Service $dc
# Export one row per user with the attributes used to spot stale accounts.
# -SizeLimit 0 lifts the default result cap so every account in the directory is returned.
# NOTE: the resulting CSV holds expiry, password-age and last-logon data for every account;
# treat it as sensitive and keep it off shared locations.
$staleProps = 'name','altRecipient','accountexpires','pass*','accountisdisabled','lastlog*','canonicalname'
Get-QADUser -SizeLimit 0 -IncludedProperties altRecipient |
  Select-Object $staleProps |
  Export-Csv -Path d:\logon-details.csv
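# Once stale accounts have been identified, put one account name per line in
# c:\users.txt and load the list. Get-Content is required here: a bare "(c:\users.txt)"
# is parsed as a command to run, not as the file's contents. Blank lines are dropped so
# an empty identity is never passed to the cmdlets below.
$users = Get-Content c:\users.txt | where { $_.Trim() }

# Disable each listed account. These are destructive changes: preview them with
# -WhatIf (or run against a copy of the list) before doing it for real.
foreach ($user in $users) { Disable-QADUser "$user" }

# Move the disabled accounts into the leavers OU.
foreach ($user in $users) { Move-QADObject "$user" -NewParentContainer 'domainname.co.uk/leavers/disabled' }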
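# Remove each listed user from all of their groups except the built-in "Users" and
# "Domain Users" groups. The group names are matched exactly (anchored) so that, for
# example, a custom "Users Of Finance" group is still removed. Domain Users is usually
# the primary group and so does not normally appear in memberOf, but it is excluded
# explicitly in case it was added as a regular member. Preview with -WhatIf first.
foreach ($user in (Get-Content c:\users.txt)) {
  (Get-QADUser $user).memberOf |
    Get-QADGroup |
    where { $_.Name -notmatch '^(users|domain users)$' } |
    foreach { Remove-QADGroupMember -Identity $_ -Member $user }
}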
# Re-check only the accounts held in $users (the list loaded from c:\users.txt) instead
# of querying the whole directory, exporting the same columns as the stale-account report.
$checkProps = 'name','altRecipient','accountexpires','pass*','accountisdisabled','lastlog*','canonicalname'
$users |
  ForEach-Object { Get-QADUser $_ -IncludedProperties altRecipient | Select-Object $checkProps } |
  Export-Csv -Path d:\Leaver-Validation.csv
# Hide a single user from the Exchange address lists by setting the raw AD attribute
# msExchHideFromAddressLists (-oa in the short form is -ObjectAttributes).
$hideFromAddressBook = @{ 'msExchHideFromAddressLists' = $True }
Set-QADUser 'Test User' -ObjectAttributes $hideFromAddressBook
# Hide every account in $users from the address lists (same attribute as the single-user case).
$hideAttrs = @{ 'msExchHideFromAddressLists' = $True }
$users | ForEach-Object { Set-QADUser "$_" -ObjectAttributes $hideAttrs }
# Validation export for the selected accounts only. This is the same export as the earlier
# leaver-validation step, repeated here so it can be rerun after the changes above.
$(foreach ($u in $users) {
    Get-QADUser $u -IncludedProperties altRecipient |
      Select-Object name,altRecipient,accountexpires,pass*,accountisdisabled,lastlog*,canonicalname
  }) | Export-Csv -Path d:\Leaver-Validation.csv
Server Administration
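### 3 Event log queries:
# Using WMI
# System-log errors on a remote server. The filter is applied on the server side
# (-Filter) so the whole event log is not pulled across the network before being
# discarded. Note that the quote characters must be plain ASCII: the original copy had a
# curly quote after "Error" and an en-dash in "-Auto", both of which break the parser.
Get-WmiObject Win32_NTLogEvent -ComputerName server01 -Filter "Logfile='System' AND Type='Error'" |
  Select TimeGenerated, Message |
  Format-Table -Auto

# Application-log entries with event ID 1054 on the local machine
# (add -ComputerName to target a remote host).
Get-WmiObject -Query "SELECT Logfile, EventCode, TimeGenerated, Message FROM Win32_NTLogEvent WHERE Logfile='Application' AND EventCode=1054" |
  Select TimeGenerated, Message |
  Format-List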
# Using .Net
# The same 1054 lookup through System.Diagnostics.EventLog instead of WMI.
# EventID is the 16-bit event number; the full InstanceId is also on each entry if needed.
$server = "server01"
$appLog = New-Object System.Diagnostics.EventLog("Application", $server)
$appLog.Entries | Where-Object { $_.EventID -eq 1054 }
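# Check disk space on the servers listed in c:\servers.txt (one host per line).
# DriveType=3 restricts the query to local fixed disks.
# Two fixes over the original one-liner: volumes reporting a Size of 0 are skipped so the
# free-space ratio cannot divide by zero, and the sort is done on the numeric ratio
# rather than on the formatted "% Free" string (which sorted "9.50 %" after "10.00 %").
$disks = gwmi -query "SELECT SystemName,Caption,VolumeName,Size,Freespace FROM win32_logicaldisk WHERE DriveType=3" -computer (gc c:\servers.txt)
$disks |
  where { [long]$_.Size -gt 0 } |
  Select-Object SystemName, Caption, VolumeName,
    @{n="Size(GB)";      e={"{0:N2}" -f ($_.Size/1GB)}},
    @{n="Freespace(GB)"; e={"{0:N2}" -f ($_.Freespace/1GB)}},
    @{n="% Free";        e={"{0:P2}" -f ([long]$_.FreeSpace/[long]$_.Size)}},
    @{n="FreeRatio";     e={[double]$_.FreeSpace/[double]$_.Size}} |
  sort FreeRatio |
  select SystemName, Caption, VolumeName, "Size(GB)", "Freespace(GB)", "% Free" |
  export-csv c:\Disk-GB.csv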
# Rough "who logged on last" check: list the profile folders on the server's C$ admin
# share, most recently modified first. This is only an approximation — it shows whose
# profile folder changed most recently, not actual logon events, and non-user folders such
# as "All Users" and "Default User" appear in the list too. "Documents and Settings" is the
# XP/2003 profile layout; on Vista/2008 and later profiles live under \Users. For an
# authoritative answer use the Security event log logon events instead.
$target = "server"
$profileRoot = "\\$target\C$\Documents and Settings"
Get-ChildItem -Path $profileRoot |
  Sort-Object LastWriteTime -Descending |
  Select-Object Name, LastWriteTime
Exchange 2003 Administration
# List the WMI classes the Exchange 2003 provider exposes on a remote server.
$exchServer = 'server01'
Get-WmiObject -Namespace root\microsoftexchangev2 -ComputerName $exchServer -List
# Mailboxes on an Exchange 2003 server, largest first.
Get-WmiObject -Namespace root\microsoftexchangev2 -Class Exchange_Mailbox -ComputerName server01 |
  Select-Object MailboxDisplayName, Size |
  Sort-Object Size -Descending
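# Current logons to the Exchange server with the system (NT AUTHORITY\...) accounts
# filtered out. -notlike is the right operator for a wildcard pattern: the original used
# -notmatch, which treats "NT AUTHORITY*" as a regex ("NT AUTHORIT" followed by any number
# of "Y") and only filtered correctly by accident.
Get-WmiObject -Namespace root\microsoftexchangev2 -Class Exchange_Logon -ComputerName server01 |
  where { $_.LoggedOnUserAccount -notlike 'NT AUTHORITY*' } |
  Select-Object ServerName, ClientIP, LoggedOnUserAccount, MailboxDisplayName |
  Format-Table -AutoSize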
Archived Files
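# Search the content of archived (Offline-attribute) files under the current directory
# and its subdirectories for the literal string "test".
# CAUTION: Select-String must read each file, which on an HSM/archive system will
# typically recall every matching offline file from the archive store — on a large tree
# that is a lot of recalls. If you only need to know which files are archived, use the
# metadata-only listing below instead.
# The attribute is tested with -band against the real flag rather than a substring match,
# and directories are skipped: they can carry the attribute too but cannot be read by
# Select-String.
Get-ChildItem -Recurse * |
  where { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Offline) } |
  Select-String "test" -SimpleMatch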
# List archived (Offline-attribute) items in the current directory by full path.
# This only reads directory metadata, so it should not trigger recalls from the archive.
$offlineFlag = [IO.FileAttributes]::Offline
Get-ChildItem |
  Where-Object { $_.Attributes -band $offlineFlag } |
  Select-Object FullName