UPDATED Disable AD Accounts with Powershell
As a follow-up to the disabling AD accounts post earlier this month, I've updated the PowerShell script (it requires the Exchange Management Shell) to add some additional functionality.
New features:
- The username of the administrator running the script is recorded in the text file that lists all of the groups the account was removed from.
- An email is automatically created and sent to the configured recipients (such as the AD Administrators group and/or Information Security…), which is fantastic from an end-to-end accountability and auditing point of view (who did it, when did they do it and why…)
Just find the following variables in the script and change them accordingly:
- $EmailReportFile = "\\YOUR_SERVER_PATH_HERE\Account_Disables_Report.txt"
  The full UNC path where you want the report saved (this is the file that gets emailed out).
- $domain = "LDAP://dc=DOMAIN,dc=local"
  The LDAP bind path for your domain.
- $To = "someone@yourcompany.com"
  SMTP addresses, comma separated, of the people you want the report emailed to.
- $SmtpClient.host = "smtp.yourcompany.com"
  The SMTP host that will deliver the report (typically your Exchange 2007 Hub Transport server(s) or Exchange 2003/2000 front-end server(s); make sure anonymous relay is allowed internally from the machine running the script).
Download the script here…
Disable-ADAccountsSingle.zip (2.9 KiB)
Quickly Grant Send As Permissions on a Distribution Group
Every now and then I get a request to grant someone "Send As" permissions on an Exchange Server 2007 distribution group. It's not that difficult, but perhaps just not very evident at first glance. You can do it quickly from the Exchange Management Shell (or just plain old PowerShell) like this:
Add-ADPermission -Identity "Group Name" -User "UserName" -AccessRights extendedright -ExtendedRights "send as"
You can use the alias or display name for the user and the display name for the group.
Of course, you could always use Active Directory Users and Computers and set the Send As attribute, which you’ll notice is set for the indicated user after using the Power Shell method.
Read all about the Add-ADPermission cmdlet here.
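As an added example (not from the original post), a small audit wrapper around the Add-ADPermission call above that lets you see who already held Send As on the group before you add one more principal. "Group Name" and "UserName" are the post's placeholders; it assumes the Exchange 2007 Management Shell is loaded.

```powershell
# Added example, not from the original post. Requires the Exchange 2007 Management Shell.
# "Group Name" and "UserName" are placeholders, exactly as in the post.
function Get-SendAsGrants {
    param([string]$Group)
    # Keep only explicit allow entries: inherited ACEs come from the OU or AdminSDHolder
    # and say nothing about who was deliberately granted Send As on this group.
    Get-ADPermission -Identity $Group |
        Where-Object { ($_.ExtendedRights -like "*Send-As*") -and -not $_.IsInherited -and -not $_.Deny } |
        ForEach-Object { $_.User.ToString() }
}

# Snapshot, grant, snapshot again: the difference should be exactly the user you meant
# to add. Any unexpected name in the "before" list is an existing Send As grant to review.
$before = @(Get-SendAsGrants "Group Name")
Add-ADPermission -Identity "Group Name" -User "UserName" -AccessRights ExtendedRight -ExtendedRights "Send-As" | Out-Null
$after  = @(Get-SendAsGrants "Group Name")
Compare-Object $before $after
```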
EASY HP iLO Integration with Active Directory
After fumbling around for a while, and looking over a good number of "Help! How do I get iLO working with Active Directory without extending the schema" threads on the HP ITRC (IT Resource Center), I've gotten Active Directory login working with iLO2 in about 5 minutes. It's all really about the ActiveX settings on the client PC you're using! Pretty anticlimactic actually.
NOTE: These steps have been tested in IE 7 on Windows XP SP3 and Windows Vista SP1…IE 6 and older may be a bit different.
NOTE: Steps 1 - 3 are not absolutely required, but I consider them good security practice since we'll be weakening the default ActiveX security policy later. Better to do it for the local network only and not for the Internet or other untrusted zones, IMO.
To get things working in five minutes, just follow these steps:
1. In Internet Explorer, open Internet Options and go to the Security tab. Select Local intranet.
2. Click the Sites button to open the Local intranet dialog box.
3. Click the Advanced button to open the second Local intranet dialog box and enter the subnets on your LAN that contain your iLO hosts, leaving the last octet as a wildcard. Add all of the subnets you have.
4. Click Close and then OK to return to the Internet Options dialog box. Click the Custom Level button to open the Security Settings - Local Intranet Zone dialog box.
5. Change the option "Initialize and script ActiveX controls not marked as safe for scripting" to Prompt. Click OK to close this dialog box.
6. Click OK when prompted to confirm the change to the zone settings.
7. Now go into the iLO settings for your server (logging in with the default local Admin account from the tag that came with the server). The Directory settings location varies slightly by iLO version, but you want to find something that looks like this.
8. Select "Use Directory Default Schema" and enter a comma-separated list of Domain Controller IP addresses or FQDNs. If secure LDAP (S-LDAP) is available, leave the port at 636 (highly recommended); change it to 389 only if you don't have certificates on your Domain Controllers. Lastly, put the search base LDAP string in Directory User Context 1. It seems to work well with a higher-level search base, but you might find you want multiple search bases.
9. Save your settings by clicking the Apply Settings button, then click the Administer Groups button to go to the group administration settings.
10. Select the Administrators group (you can repeat this step for lower-level access groups as well) and click the View/Modify button.
11. Supply the full LDAP path to the Active Directory security group that contains your iLO users (full administrators in this case) and then enable the features you wish the members of that group to have. Click the Save Group Information button when you're done.
12. Log out of the iLO as the default Admin and log in to the iLO web page using your Active Directory credentials.
13. Since you changed the "Initialize and script ActiveX controls not marked as safe for scripting" option to Prompt, you're asked if you want the ActiveX control to run. Click OK and you've just completed integration of Active Directory and iLO.
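Two checks worth running from a domain-joined workstation before you paste anything into the iLO Directory page, as an added example that is not part of the original post: does each Domain Controller actually answer on 636 with a certificate the client trusts, and does the group DN you are about to enter resolve under the search base and contain the people you expect? The DC names, search base and group DN are placeholders standing in for your own.

```powershell
# Added example, not part of the original post. Placeholder values: replace with your own.
$DomainControllers = "dc1.DOMAIN.local", "dc2.DOMAIN.local"
$SearchBase        = "LDAP://dc=DOMAIN,dc=local"
$iLOAdminGroupDn   = "CN=iLO Administrators,OU=Groups,DC=DOMAIN,DC=local"

# Does the DC complete a TLS handshake on 636 with a certificate that chains to a trusted
# root? If this fails, fix the DC certificate rather than falling back to 389, which
# would send the directory credentials across the network in the clear.
function Test-LdapsEndpoint {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)     # throws on an untrusted or mismatched certificate
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{ Server = $Server; Ok = $true;  Detail = $cert.Subject; Expires = $cert.NotAfter }
    } catch {
        New-Object PSObject -Property @{ Server = $Server; Ok = $false; Detail = $_.Exception.Message; Expires = $null }
    } finally { $tcp.Close() }
}

# Does the group DN exist under the search base, and who is in it? A missing or empty
# group means nobody (or the wrong people) will be able to log on to the iLO.
function Test-iLOGroup {
    param([string]$GroupDn)
    $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
    $searcher.Filter = "(&(objectClass=group)(distinguishedName=$GroupDn))"
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return "MISSING: $GroupDn" }
    foreach ($member in $hit.Properties["member"]) { "$GroupDn <- $member" }
}

$DomainControllers | ForEach-Object { Test-LdapsEndpoint $_ } | Format-Table Server, Ok, Expires, Detail -AutoSize
Test-iLOGroup $iLOAdminGroupDn
```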
You can also download a PDF file from HP that discusses this process (nothing about ActiveX, mind you), including some items I've not discussed here. There is also a downloadable tool, HP Directories Support for Management Processors, that can supposedly be used to configure the iLO settings on multiple servers over the network. I know it doesn't run on Windows Vista, but I've not tried it out yet to see if it can help with getting the rest of the servers' iLO settings configured.
See, that was easy…right?
FREE Ops Mgr Management Pack Utility
Add another great tool to your Ops Mgr toolbox (in addition to the mandatory MP Viewer by Boris) with Silect’s MP Studio 2007 Lite. From their Website:
MP Studio 2007 Lite helps organizations quickly develop a clear understanding of Management Packs, a key component of System Center Operations Manager 2007. MP Studio Lite combines rich Management Pack content analysis capabilities with predefined out-of-the-box Management Pack reports giving System Center Operations Manager 2007 users a comprehensive view of all Management Pack components.
MP Studio Lite allows users to work with either installed Management Packs or file-based Management Packs. Users can view the relationships between Management Packs as well as view all Management Pack content including rules, monitors, overrides, modules, views, tasks and more. MP Studio Lite provides rich, customizable analysis tools to quickly turn Management Pack details into an understanding of exactly what the Management Pack does.
Download and register for your free license key here.
Updated Windows Server and Terminal Services Ops Mgr MPs
New Management Packs for Windows Servers (2000, 2003 and 2008) and Terminal Services (2000, 2003 and 2008) were also released in late July.
Update your Windows Server MP first; get it here (version 6.0.6278.22).
What’s New
The following features are new in this release of the Windows Server Operating System Management Pack:
- Introduced support for Windows Server 2008.
- Added version-specific notations to the names of the performance collection rules to reduce ambiguity, specifically when searching for rules by name.
- Added a new task to leverage the new “Admin” switch of the remote desktop connection tool. More detail is provided in the “Troubleshooting” section.
Changes in This Update
The update to the June 2008 version of the Windows Server Operating System Management Pack includes the following changes:
- Updated the logical drive discoveries to omit mapped network drives.
- Addressed an issue with the Logical Disk Free Space to prevent it from looking like the thresholds were set incorrectly.
- The state of the configuration of a server now reflects the state of its operating system as well.
- Fixed an issue with the Server Service Configuration Health monitor which prevented it from ever generating an alert.
You can get the Terminal Services updated MP here, which is also version 6.0.6278.22. No “fixes” listed in this MP, but it does add support for 2008 based Terminal Servers.
What’s New
The following features are new in this release of the Terminal Services Management Pack specific to Terminal Services in Windows Server 2008:
- TS Gateway
- TS Session Broker
- TS Web Access
Exchange 2007 Ops Mgr MP Updated
Version 6.0.6363.0 of the Exchange 2007 MP was released in late July (with no fanfare that I noticed).
You can download it here.
Oddly though, the only fix reported in the update is listed as being for Exchange Server 2003?
Fixed an issue where clustered Exchange 2003 mailbox servers were discovered as being of type Ex.Common. Please see the Known Issues section for more information on how to resolve this issue.
Disabling Active Directory User Accounts, Part 1
For a few years now I’ve been using a custom VBScript to disable AD accounts when employees leave the organization. The script was pieced together from some things I knew how to do and others I was able to find elsewhere. The script performed the following tasks:
- Disabled the specified AD account
- Hid the mailbox from the Global Address List
- Removed the account from all groups it was a member of
- Created a text file log of all groups the account was a member of
- Set the password to be changed at the next login
- Set the disable date in the “Title” field (an unused field in my organization)
- Set the RAS settings to disabled
After our upgrade to Exchange Server 2007 earlier this year I noticed that the script was not functioning fully the way it should have. Specifically, the hiding of the mailbox from the GAL was not occurring. Sure, if you looked at the mailbox of an account that had been disabled using the script in the Exchange Management Console, the check box to hide the mailbox from the GAL was checked, but just the same the mailbox was not really hidden from the GAL.
So to correct this issue, I wrote a new PowerShell script (it requires the Exchange Management Shell snap-in) that performs all of the same actions except setting the RAS attribute to disabled.
Both scripts are attached, and annotated where I remembered where certain portions of the script or ideas came from. The VBScript should run without any changes unless you want to change what it does. The PowerShell (Exchange Management Shell) script should only require one change, to the variable $domain, as shown here: $domain = "LDAP://dc=mydomain,dc=local"
VBScript version:
disable_accounts_single.zip (1.7 KiB)
Powershell (Exchange Management Shell) version:
Disable-ADAccounts.zip (1.8 KiB)
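For readers who would rather see the workflow than unzip it, here is an added example that is not the author's attached script: it carries out the Part 1 task list above (disable, hide from the GAL, record and remove group memberships, force a password change, stamp the disable date in Title) and adds the accountability pieces from the UPDATED post at the top of this page (the running administrator's name in the report, and the report emailed out). It assumes the Exchange 2007 Management Shell snap-in is loaded, uses ADSI so it needs nothing else, and the placeholder values are the ones the UPDATED post tells you to change; $From is an assumed sender address.

```powershell
# Added example, not the author's attached script. Requires the Exchange 2007 Management
# Shell snap-in. The placeholder values below are the ones the UPDATED post says to edit;
# $From is an assumed sender address the post does not mention.
$domain          = "LDAP://dc=DOMAIN,dc=local"
$EmailReportFile = "\\YOUR_SERVER_PATH_HERE\Account_Disables_Report.txt"
$To              = "someone@yourcompany.com"
$SmtpHost        = "smtp.yourcompany.com"
$From            = "ad-disables@yourcompany.com"

function Disable-ADAccountSingle {
    param([string]$SamAccountName, [string]$Reason)
    $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]$domain)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "No user '$SamAccountName' under $domain" }
    $user   = $hit.GetDirectoryEntry()
    $userDn = $user.distinguishedName.Value

    # Who, when and why: the accountability fields the UPDATED post added to the report
    $admin = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm"
    $log   = @("$stamp  $admin disabled $userDn  reason: $Reason")

    # Hide from the GAL through Exchange itself; flipping the AD attribute directly is
    # what stopped taking effect after the Exchange 2007 upgrade described in Part 1
    Set-Mailbox -Identity $userDn -HiddenFromAddressListsEnabled $true

    # Record every group, then remove the membership (memberOf excludes the primary
    # group, normally Domain Users, which cannot be removed this way in any case)
    foreach ($groupDn in @($user.memberOf)) {
        $log += "    removed from: $groupDn"
        ([ADSI]"LDAP://$groupDn").Remove("LDAP://$userDn")
    }

    # ACCOUNTDISABLE is bit 0x2 of userAccountControl; pwdLastSet=0 forces a change at
    # next logon; Title carries the disable date, as the original VBScript did
    $uac = [int]$user.userAccountControl.Value
    $user.Put("userAccountControl", ($uac -bor 0x2))
    $user.Put("pwdLastSet", 0)
    $user.Put("title", "Disabled $stamp")
    $user.SetInfo()

    # Append to the shared report and mail the same lines, so the trail exists in two places
    Add-Content -Path $EmailReportFile -Value $log
    $smtp = New-Object Net.Mail.SmtpClient($SmtpHost)
    $smtp.Send($From, $To, "AD account disabled: $SamAccountName", ($log -join "`r`n"))
    return $log
}
```

Run it as Disable-ADAccountSingle -SamAccountName jdoe -Reason "left the company" from a shell where the caller has rights on the user object and the groups; the returned lines are what lands in the report file and the email.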