Archive for the ‘PowerShell’ Category

I’ve had a need to reset password’s for accounts on an automated basis more so recently than before, so not knowing where to start, I took a look around the internet and found some pieces of code here and there that would start to fulfill my needs.

Basically, I was setting up an 802.11x authenticated wireless network, and had a requirement to automate the password change of a RADIUS authenticated Guest account that was sat in a locked down OU in the domain. This then needed to be random, secure and e-mailed to a public folder so that the employees could give their guests access to the guest network. The script just needs to be added to a scheduled task to run monthly. So I eventually ended up with this:

import-module activedirectory

[int] $len = 12
[string] $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
$bytes = new-object "System.Byte[]" $len
$rng = new-object System.Security.Cryptography.RNGCryptoServiceProvider
$result = ""
for( $i=0; $i -lt $len; $i++ )
$result += $chars[ $bytes[$i] % $chars.Length ] 

$securestring = ConvertTo-securestring $result -asplaintext -force

get-aduser "GuestUserName" | set-adaccountpassword -newpassword $securestring

$month= get-date -format MMMM

###Sets the mail values
$FromAddress = ""
$ToAddress = ""
$MessageSubject = "New Wireless Guest Details for $month"
$MessageBody = "Username: GuestUserName          Password: $result"
$SendingServer = ""

###Create the mail message and add the statistics text file as an attachment
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody

###Send the message
$SMTPClient = New-Object System.Net.Mail.SMTPClient $SendingServer

In short:

Line 3: Specifies the number of characters in the generated password.
Line 4: The characters that can be used to generate the password.
Line 17: Reset’s the password on the AD account.
Line 19: Generates the month in long format to add to the e-mail Subject.
Line 22-26: Variables used for sending the e-mail.
Line 29: Generates the e-mail.
Lines 32 & 33: Sends the e-mail.

Having some sites recently migrating from older SBS platforms to the latest 2011 release I found a need for a script to alter the login script settings for all users.

Whilst these days I’m primarily setting login scripts via Group Policy Objects there’s still a need to clean-up and remove the login script path from the user objects in Active Directory.

All of the below scripts need you to run this either on your Domain Controller, or via a machine with the Remote Server Admin Tools (RSAT) installed.

This little 2 liner will remove the currently configured script path for all users:

import-module activedirectory
get-aduser -filter * | set-aduser -scriptpath $null

This one will remove it dependant on user name (which you’ll input within PowerShell):

$username = read-host
import-module activedirectory
get-aduser $username | set-aduser -scriptpath $null

Finally, if you want to change the login script path, you’ll need to replace $null on the last line as per this example:

$username = read-host
import-module activedirectory
get-aduser $username | set-aduser -scriptpath '\\ServerName\Netlogon\script.vbs'

OK, this is something I’ve been using for a while and wanted to share with you, as I’ve been asked for it a couple of times now.

I’ve got a pair of Cisco ASA’s at the perimeter of our network, and I needed a way some time ago to edit it’s configuration in a scripted manner, so, I started looking at PowerShell and SSH connections, and this didn’t get me anywhere, so I started to look at PLINK.exe. PLINK is almost a spin-off from PuTTY, a free remote connection tool that supports SSH. PLINK is scriptable, in that you can pass it a text file, and it’ll run each line of that file as seperate commands. Simply enough, the powershell script below will echo out to a file any commands you need, then start PLINK and run the code. If it’s a system that you’ve not connected to before, and don’t have the key saved in your registry, you’ll be prompted to accept it.

$ASApw = "MyPassword"
$ASAIP = "MyASAIPAddress"
$ASAUser = "MySSHUserName"
$ASAEnablepw = $ASApw

#Modifies the ASA firewall
#Starts by writing a "commands" file#
echo en >>unicode.txt
echo $ASAEnablepw >>unicode.txt
echo "conf t" >>unicode.txt
echo "show run access-group"
echo exit >>unicode.txt
echo exit >>unicode.txt

#Converts the file to ASCII format (separate file)#
$lines = gc "unicode.txt"
$lines | out-file -encoding Ascii -filepath commands.txt

#Using the command file and plink.exe connects and runs the commands #
./plink.exe -ssh -l $ASAUser -pw $ASApw $ASAIP -m commands.txt

#removes the files it created earlier#
del unicode.txt
del commands.txt

In the above example, the ASA will be asked to show it’s running config’s access-group configuration. You’ll need to modify the echo lines to get this to perform other actions (I use this script to modify static mapping entries and access-lists for example). You’ll also need to modify “$ASAIP”,”$ASAUSer” and “$ASApw” with your IP address, SSH Username and SSH password. The script assumes that the enable password matches this, but if not, edit the “$ASAEnablepw”, and add your enable password there. If you don’t like storing password this way (I don’t particularly) then you can always change these to “read-host” to request the entry from the Powershell command line.

%d bloggers like this: