added AD scripts and cleaned propriety information

PaulHCode · Mar 26, 2016 · 0e58b43 · 0e58b43
1 parent a442fab
commit 0e58b43
Show file tree

Hide file tree

Showing 25 changed files with 695 additions and 12 deletions.
diff --git a/ActiveDirectory/Add user to local group.ps1 b/ActiveDirectory/Add user to local group.ps1
@@ -0,0 +1,2 @@
+$de = [ADSI]"WinNT://a-xp-2/administrators,group"
+$de.psbase.Invoke("Add",([ADSI]"WinNT://apollo/support").path)
diff --git a/ActiveDirectory/Bulk-AD-User-Creation.ps1 b/ActiveDirectory/Bulk-AD-User-Creation.ps1
@@ -0,0 +1,16 @@
+$aPcs = Get-Content dddd.txt | where 
+foreach ($oPc in $aPcs) {
+	$sUser = $oPc.ToLower();
+	if ($sUser -eq 'isspare23') {
+		$sLName = 'spare23'
+		$sLName = "spare23"
+		$sDisplayName = "spare23 spare23";
+		$sDesc = 'med cart laptop autologin';
+	} else {
+		$sLName = $sUser.substring($sUser.length - 4, 4);
+		$sLName = "Cart $sLName"
+		$sDisplayName = "Medication Cart $sLName";
+		$sDesc = $sDisplayName;
+	}
+	New-AdUser $sUser -Path "<OUDNHere>" -accountpassword (ConvertTo-SecureString -AsPlainText "password" -Force) -Enabled $true -GivenName 'Medication' -Surname $sLName -DisplayName $sDisplayName -PasswordNeverExpires $true -CannotChangePassword $true -Description $sDesc;
+}
diff --git a/ActiveDirectory/CompareIEGPO.ps1 b/ActiveDirectory/CompareIEGPO.ps1
@@ -0,0 +1,53 @@
+#requires -version 3
+
+[xml]$golden_gpo = gc '.\IE Settings.xml'
+$gpos = Get-GPOReport -All -ReportType XML
+
+$golden_gpo_computer_registry_settings = ($golden_gpo.GPO.Computer.ExtensionData | ? {$_.Name -eq 'Registry'}).childNodes.Policy | select name,state
+$golden_gpo_user_ie_pref_settings = ($golden_gpo.GPO.User.ExtensionData | ? {$_.Name -eq 'Internet Options'}).childNodes.InternetOptions.IE8.Properties.Reg
+$golden_computer_ie_settings = ($golden_gpo.GPO.Computer.ExtensionData | ? { $_.Name -eq 'Registry' }).childNodes.Policy | ? {$_.Category -like 'Windows Components/Internet Explorer*'} | select name,state
+
+foreach ($gpo in $gpos){
+   [xml]$gpo = $gpo
+
+   $gpo_computer_registry_settings = ($gpo.GPO.Computer.ExtensionData | ? {$_.Name -eq 'Registry'}).childNodes.Policy | select name,state
+   $gpo_user_ie_pref_settings = ($gpo.GPO.User.ExtensionData | ? {$_.Name -eq 'Internet Options'}).childNodes.InternetOptions.IE8.Properties.Reg
+   if ($gpo_computer_registry_settings) {
+        $Compare = Compare-Object -ReferenceObject $gpo_computer_registry_settings -DifferenceObject $golden_gpo_computer_registry_settings -Property Name -IncludeEqual -PassThru | ? {$_.SideIndicator -eq '=='}
+        if ($Compare) {
+            $Compare | % {
+                $properties = @{'MatchingGPO' = $gpo.GPO.Name; 'GPOSetting' = 'Computer'; 'CompareType' = 'Match'; 'Setting' = "$($_.Name) = $($_.State)"}
+                New-Object -TypeName PSObject -Property $properties    
+            } | Export-Csv Matching-IE-GPO-Settings.txt -NoTypeInformation -Append
+        }
+
+    }
+    if ($gpo_user_ie_pref_settings) {
+       $Compare = Compare-Object -ReferenceObject $gpo_user_ie_pref_settings -DifferenceObject $golden_gpo_user_ie_pref_settings -Property Name -IncludeEqual -PassThru | ? {$_.SideIndicator -eq '=='}
+        if ($Compare) {
+            $Compare | % {
+                $properties = @{'MatchingGPO' = $gpo.GPO.Name; 'GPOSetting' = 'User'; 'CompareType' = 'Match'; 'Setting' = "$($_.Key)\$($_.Name)"}
+                New-Object -TypeName PSObject -Property $properties    
+            } | Export-Csv Matching-IE-GPO-Settings.txt -NoTypeInformation -Append
+        }
+
+        $Compare = Compare-Object -ReferenceObject $gpo_user_ie_pref_settings -DifferenceObject $golden_gpo_user_ie_pref_settings -Property Name -PassThru | ? {$_.SideIndicator -eq '=>'}
+        if ($Compare) {
+            $Compare | % {
+                $properties = @{'MatchingGPO' = $gpo.GPO.Name; 'GPOSetting' = 'User'; 'CompareType' = 'Difference'; 'Setting' = "$($_.Key)\$($_.Name)"}
+                New-Object -TypeName PSObject -Property $properties    
+            } | Export-Csv Matching-IE-GPO-Settings.txt -NoTypeInformation -Append
+        } 
+    }
+
+    $diff_computer_ie_settings = ($gpo.GPO.Computer.ExtensionData | ? { $_.Name -eq 'Registry' }).childNodes.Policy | ? {$_.Category -like 'Windows Components/Internet Explorer*'} | select name,state
+    if ($diff_computer_ie_settings) {
+        $Compare = Compare-Object -ReferenceObject $golden_computer_ie_settings -DifferenceObject $diff_computer_ie_settings -Property name -PassThru | ? {$_.SideIndicator -eq '=>'}
+        if ($Compare) {
+            $Compare | % {
+                $properties = @{'MatchingGPO' = $gpo.GPO.Name; 'GPOSetting' = 'Computer'; 'CompareType' = 'Difference'; 'Setting' = "$($_.Name) = $($_.State)"}
+                New-Object -TypeName PSObject -Property $properties    
+            } | Export-Csv Matching-IE-GPO-Settings.txt -NoTypeInformation -Append
+        }  
+    }
+}
diff --git a/ActiveDirectory/Copy-AD-User-Account.ps1 b/ActiveDirectory/Copy-AD-User-Account.ps1
@@ -0,0 +1,38 @@
+$samaccount_to_copy = 'abertram'
+$new_samaccountname = 'aaaa'
+$new_displayname = 'displayname'
+$new_firstname = 'firstname'
+$new_lastname = 'lastname'
+$new_name = 'namehere'
+$new_user_logon_name = 'logonname'
+$new_password = 'password'
+$new_description = 'description'
+$new_ou_DN = ''
+$enable_user_after_creation = $true
+$password_never_expires = $false
+$cannot_change_password = $false
+
+
+$ad_account_to_copy = Get-Aduser $samaccount_to_copy -Properties memberOf
+
+$params = @{'SamAccountName' = $new_samaccountname;
+            'Instance' = $ad_account_to_copy;
+            'DisplayName' = $new_displayname;
+            'GivenName' = $new_firstname;
+            'SurName' = $new_lastname;
+            'PasswordNeverExpires' = $password_never_expires;
+            'CannotChangePassword' = $cannot_change_password;
+            'Description' = $new_description;
+            'Enabled' = $enable_user_after_creation;
+            'UserPrincipalName' = $new_user_logon_name;
+            'AccountPassword' = (ConvertTo-SecureString -AsPlainText $new_password -Force);
+            }
+
+## Create the new user account
+New-ADUser -Name $new_name @params
+
+## Mirror all the groups the original account was a member of
+$ad_account_to_copy.Memberof | % {Add-ADGroupMember $_ $new_samaccountname }
+
+## Move the new user account into the assigned OU
+Get-ADUser $new_samaccountname| Move-ADObject -TargetPath $new_ou_DN
diff --git a/ActiveDirectory/FindUnusedUserAccounts.ps1 b/ActiveDirectory/FindUnusedUserAccounts.ps1
@@ -0,0 +1,48 @@
+## Set a variable to give control over the script where to just find the users
+## or find and also remove them.
+$remove_users_found = $false
+
+## Set today's date as a variable now since this will not change (today)
+## If this were in the Where-Object scriptblock the Get-Date cmdlet would be executed
+## once for every user object that's retrieved
+$today_object = Get-Date
+
+## Find the date in a string to write to the log
+$today_string = get-date -Format 'MM-dd-yyyy hh:mm tt'
+
+## Create the Where-Object scriptblock ahead of time.  This is done for easy reading
+## The AD Filter is not used due to the complexity of the conditions
+$unused_conditions_met = {
+    ## Ensure no built-in AD user objects are removed inadvertantly
+    !$_.isCriticalSystemObject -and
+    ## The account is disabled (account cannot be used)
+    (!$_.Enabled -or
+    ## The password is expired (account cannot be used)
+    $_.PasswordExpired -or
+    ## The account has never been used
+    !$_.LastLogonDate -or
+    ## The account hasn't been used for 60 days
+    ($_.LastLogonDate.AddDays(60) -lt $today_object))
+}
+
+## Query all Active Directory user accounts with all of the conditions we defined above
+$unused_accounts = Get-ADUser -Filter * -Properties passwordexpired,lastlogondate,isCriticalSystemobject | Where-Object $unused_conditions_met |
+    Select-Object @{Name='Username';Expression={$_.samAccountName}},
+        @{Name='FirstName';Expression={$_.givenName}},
+        @{Name='LastName';Expression={$_.surName}},
+        @{Name='Enabled';Expression={$_.Enabled}},
+        @{Name='PasswordExpired';Expression={$_.PasswordExpired}},
+        @{Name='LastLoggedOnDaysAgo';Expression={if (!$_.LastLogonDate) { 'Never' } else { ($today_object - $_.LastLogonDate).Days}}},
+        @{Name='Operation';Expression={'Found'}},
+        @{Name='On';Expression={$today_string}}
+
+## Create the log file of what the script found
+$unused_accounts | Export-Csv -Path unused_user_accounts.csv -NoTypeInformation
+
+## If set, remove all of the accounts found and append to the log
+if ($remove_users_found) {
+    foreach ($account in $unused_accounts) {
+        Remove-ADUser $account.Username -Confirm:$false
+        Add-Content -Value "$($account.UserName),,,,,,Removed,$today_string" -Path unused_user_accounts.csv
+    }
+}
diff --git a/ActiveDirectory/Get-All-Docs-Password-Age.ps1 b/ActiveDirectory/Get-All-Docs-Password-Age.ps1
@@ -0,0 +1,21 @@
+Import-Module ActiveDirectory
+try {
+    $uap_docs = Import-Csv C:\scripts\All-Doc-2013-Password-Policy\all-docs-2013-password-policy.csv
+    $ad_pw_ages = @();
+    foreach ($user in $uap_docs) {
+        $ad_pw_ages += Get-AdUser $user.Username -Properties passwordlastset | % {"$($_.Givenname) $($_.Surname), $($_.PasswordLastSet)`n"}
+    }
+
+    ## Email
+    $oFrom = New-Object system.net.Mail.MailAddress '[email protected]','Adam Bertram';
+    $oTo = New-Object system.net.Mail.MailAddress '[email protected]', 'John Doe'
+    $oMsg = New-Object System.Net.Mail.MailMessage $oFrom, $oTo
+    $oMsg.Subject = 'Daily Doc Password Changes'
+    $oMsg.Body = "Here is the most recent list of docs and their password ages.`n`n$ad_pw_ages"
+    $sSmtpServer = 'smtp.email.com';
+    $oSmtpClient = new-object Net.Mail.SmtpClient($sSmtpServer);
+
+	$oSmtpClient.Send($oMsg);
+} catch [System.Exception] {
+	return $_.Exception.Message;
+}##endtry
diff --git a/ActiveDirectory/Get-Empty-Groups.ps1 b/ActiveDirectory/Get-Empty-Groups.ps1
@@ -0,0 +1,31 @@
+$aExclude = @('Cryptographic Operators',
+'Distributed COM Users',
+'Domain Computers',
+'Domain Controllers',
+'Domain Guests',
+'Enterprise Read-only Domain Controllers',
+'Event Log Readers',
+'Incoming Forest Trust Builders',
+'Network Configuration Operators',
+'Performance Log Users',
+'Performance Monitor Users',
+'Print Operators',
+'Replicator',
+'Read-only Domain Controllers',
+'Allowed RODC Password Replication Group',
+'RAS and IAS Servers',
+'Certificate Service DCOM Access');
+
+
+$aEmpty = Get-ADGroup -Filter * -Properties * | where { $_.Members.Count -eq 0 -and $_.Name -notlike 'KAV*' -and $_.Name -notlike 'KL*' -and $_.Name -notlike 'vpn.*' -and $_.Name -ne 'CTX ISU EMR' };
+$i = 0;
+$aRemove = @();
+foreach ($oGroup in $aEmpty) {
+	if ($aExclude -notcontains $oGroup.Name) {
+		#$aRemove += $oGroup;
+		$oGroup.Name
+		$i++
+	}
+}
+$i
+#$aRemove | Remove-ADGroup
diff --git a/ActiveDirectory/Get-Empty-OUs.ps1 b/ActiveDirectory/Get-Empty-OUs.ps1
@@ -0,0 +1,35 @@
+$remove_ous = $false
+
+$ous_to_keep = @('UAP - PEAP TLS','UAP - PEAP TLS Only','Disabled Users');
+
+$ad_objects = Get-ADObject -Filter "ObjectClass -eq 'user' -or ObjectClass -eq 'computer' -or ObjectClass -eq 'group' -or ObjectClass -eq 'organizationalUnit'";
+
+$aOuDns = @();
+foreach ($o in $ad_objects) {
+	$sDn = $o.DistinguishedName;
+	if ($sDn -like '*OU=*' -and $sDn -notlike '*LostAndFound*') {
+		$sOuDn = $sDn.Substring($sDn.IndexOf('OU='));
+		$aOuDns += $sOuDn;
+	}##endif
+}##endforeach
+
+$a0CountOus = $aOuDns | Group-Object | Where-Object { $_.Count -eq 1 } | % { $_.Name };
+$empty_ous = 0;
+$ous_removed = 0;
+foreach ($sOu in $a0CountOus) {
+	if (!(Get-ADObject -Filter "ObjectClass -eq 'organizationalUnit'" | where { $_.DistinguishedName -like "*$sOu*" -and $_.DistinguishedName -ne $sOu })) {
+		$ou = Get-AdObject -Filter { DistinguishedName -eq $sOu };
+		if ($ous_to_keep -notcontains $ou.Name) {
+			if ($remove_ous) {
+				Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $false -confirm:$false;
+				Remove-AdOrganizationalUnit -Identity $ou.DistinguishedName -confirm:$false
+				$ous_removed++
+			}##endif
+			$ou
+			$empty_ous++;
+		}##endif
+	}##endif
+}##endforeach
+echo '-------------------'
+echo "Total Empty OUs Removed: $ous_removed"
+echo "Total Empty OUs: $empty_ous"
diff --git a/ActiveDirectory/Get-GPO-Reg-Settings.ps1 b/ActiveDirectory/Get-GPO-Reg-Settings.ps1
@@ -0,0 +1,44 @@
+#$ErrorActionPreference = "SilentlyContinue"
+$error.PSBase.Clear()
+
+$aRegRoots = @('HKCU\Software','HKLM\System','HKLM\Software');
+$aGpos = Get-Gpo -All;
+$aUniqueSettings = @();
+$aUniqueDups = @();
+
+function findRegValues($sName,$sId,$sKeyPath,$aKeyPathHistory = $null) {
+	$aPath = Get-GPRegistryValue -GUID $sId -Key $sKeyPath -ErrorAction 'silentlycontinue'
+	$aKeyPathHistory = @();
+	foreach ($oKeyPath in $aPath) {
+		if ($oKeyPath) {
+			if (Test-Member $oKeyPath Value) {
+				if ($aKeyPathHistory -notcontains $oKeyPath.FullKeyPath) {
+					$o = New-Object System.Object;
+					$o | Add-Member -type NoteProperty -Name 'GUID' -Value $sId;
+					$o | Add-Member -type NoteProperty -Name 'Name' -Value $sName;
+					$o | Add-Member -type NoteProperty -Name 'Key' -Value $sKeyPath;
+					$o | Add-Member -type NoteProperty -Name 'Value' -Value $oKeyPath.Value;
+					if ($aUniqueSettings -notcontains "$sKeyPath|$($oKeyPath.Value)") {
+						$aUniqueSettings += "$sKeyPath|$($oKeyPath.Value)";
+					} elseif ($aUniqueDups -notcontains "$sKeyPath|$($oKeyPath.Value)") {
+						"$sName|$sKeyPath|$($oKeyPath.Value)";
+						$aUniqueDups += "$sKeyPath|$($oKeyPath.Value)";
+					}
+				}
+			} elseif (Test-Member $oKeyPath FullKeyPath) {
+				$aKeyPathHistory += $oKeyPath.FullKeyPath;
+				findRegValues $sName $sId $oKeyPath.FullKeyPath $aKeyPathHistory
+			}
+		}
+	}
+}
+
+$aRegValues = @();
+
+foreach ($oGpo in $aGpos) {
+	$sGuid = $oGpo.Id;
+	$sName = $oGpo.DisplayName;
+	foreach ($sRegRoot in $aRegRoots) {
+		findRegValues $sName $sGuid $sRegRoot
+	}
+}
diff --git a/ActiveDirectory/Get-GPOs-Linked-To-Empty-OUs.ps1 b/ActiveDirectory/Get-GPOs-Linked-To-Empty-OUs.ps1
@@ -0,0 +1,51 @@
+function convertDsnToPathFormat($sDsn) {
+	$sDsn = $sDsn.Replace(',<domainDNhere>','');
+	$sDsn = $sDsn.Replace('OU=','');
+	$aDsn = $sDsn.Split(',');
+	[array]::Reverse($aDsn);
+	$sPath = $aDsn -join '/';
+	return '<domain name>/' + $sPath;
+}##endfunction
+
+$aAllGpos = Get-GPOReport -all -ReportType XML;
+$aFilteredGpos = @();
+$aLinkedOuGPos = @();
+foreach ($xGpo in $aAllGpos) {
+	$xGpo = ([xml]$xGpo).GPO;
+	if (Test-Member $xGpo 'LinksTo') {  ## GPO links to at least one OU
+		$sGpoName = $xGpo.Name;
+		if ($xGpo.LinksTo -is [array]) { ## Links to more than on OU
+			$aLinkedOus = $xGpo.LinksTo | Select-Object SOMPath | % { $_.SOMPath }
+		} else {
+			$aLinkedOus = , @($xGpo.LinksTo.SOMPath);
+		}##endif
+		$aLinkedOuGPos += , @($sGpoName,$aLinkedOus);
+	}##endif
+}##endforeach
+
+$aObjects = Get-ADObject -Filter "ObjectClass -eq 'user' -or ObjectClass -eq 'computer' -or ObjectClass -eq 'group' -or ObjectClass -eq 'organizationalUnit'";
+
+$aOuDns = @();
+foreach ($o in $aObjects) {
+	$sDn = $o.DistinguishedName;
+	if ($sDn -like '*OU=*') {
+		$sOuDn = $sDn.Substring($sDn.IndexOf('OU='));
+		$aOuDns += $sOuDn;
+	}##endif
+}##endforeach
+
+$a0CountOus = $aOuDns | Group-Object | Where-Object { $_.Count -eq 1 } | % { $_.Name };
+$aFiltered0CountOUs = @();
+foreach ($sOu in $a0CountOus) {
+	if (!(Get-ADObject -Filter "ObjectClass -eq 'organizationalUnit'" | where { $_.DistinguishedName -like "*$sOu*" -and $_.DistinguishedName -ne $sOu })) {
+		$aFiltered0CountOUs += convertDsnToPathFormat $sOu;
+	}##endif
+}##endforeach
+
+foreach ($aGpo in $aLinkedOuGpos) {
+	foreach ($i in $aFiltered0CountOUs) {
+		if (($aGpo[1] -contains $i) -and ($aGpo[1] -notcontains '<domain name>')) {
+			$aGpo[0];
+		}
+	}
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		$de = [ADSI]"WinNT://a-xp-2/administrators,group"
		$de.psbase.Invoke("Add",([ADSI]"WinNT://apollo/support").path)