2011/02/16

Active Directory - List and Set/Fix AD users not inheriting permissions

updated: 2013/03/29

Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.

If the Allow and Deny permission check boxes in the various parts of the access control user interface are shaded when you view the permissions of an object, the object has inherited permissions from a parent object. You can set these inherited permissions by using the Permissions tab of the Advanced Security Settings properties page.

Check Technet for more information

Here is the PowerShell way to check which users are not inheriting permissions and how to enable inheritance for all of them. You will need to use the Quest Active Directory snap-in.

List Users without Inheriting Permission
# This command lists the users that are not inheriting permissions
Get-QADUser -SizeLimit 0 | `
Where-Object {$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected}


Enabling Inheriting Permission for all Users
# This command enables permission inheritance for all accounts that have it disabled
Get-QADUser -SizeLimit 0 | `
Where-Object {$_.DirectoryEntry.PSBase.ObjectSecurity.AreAccessRulesProtected} | `
Set-QADObjectSecurity -UnLockInheritance
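
Accounts with adminCount = 1 have inheritance switched off by the AdminSDHolder process, which re-applies that setting periodically, so it helps to triage the protected accounts before unlocking them in bulk. The triage below is an added example, not part of the original post. The account records and SDDL strings are constructed, and Get-InheritanceReview is a hypothetical name.

```powershell
# Constructed records; in practice Name, AdminCount and the DACL (as SDDL)
# are read from the directory for each user.
$accounts = @(
    (New-Object PSObject -Property @{ Name = 'jsmith';   AdminCount = $null; Sddl = 'D:AI(A;;GA;;;SY)(A;CIID;GR;;;AU)' }),
    (New-Object PSObject -Property @{ Name = 'adm-ops';  AdminCount = 1;     Sddl = 'D:PAI(A;;GA;;;SY)(A;;GA;;;BA)' }),
    (New-Object PSObject -Property @{ Name = 'svc-scan'; AdminCount = $null; Sddl = 'D:PAI(A;;GA;;;SY)(A;;GR;;;AU)' })
)

function Get-InheritanceReview {
    param([Parameter(ValueFromPipeline = $true)] $Account)
    process {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Account.Sddl

        # AreAccessRulesProtected reflects the SE_DACL_PROTECTED control flag ("P" in SDDL).
        $protectedFlag = [int][System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected
        if (([int]$sd.ControlFlags -band $protectedFlag) -eq 0) { return }   # inheriting, nothing to do

        # Explicit ACEs stay on the object after inheritance is unlocked, so count them.
        $inheritedFlag = [int][System.Security.AccessControl.AceFlags]::Inherited
        $explicit = @($sd.DiscretionaryAcl | Where-Object { ([int]$_.AceFlags -band $inheritedFlag) -eq 0 })

        if ($Account.AdminCount -eq 1) { $action = 'Leave: AdminSDHolder-managed' }
        else { $action = 'Review ACEs, then unlock inheritance' }

        New-Object PSObject -Property @{
            Name         = $Account.Name
            ExplicitAces = $explicit.Count
            Action       = $action
        } | Select-Object Name, ExplicitAces, Action
    }
}

$accounts | Get-InheritanceReview | Format-Table -AutoSize
```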

2011/02/15

How to find running processes and their port number


Source

The netstat command line utility displays protocol statistics and current TCP/IP network connections. If we want to display the associated process identifier (PID) of each process we add the -o parameter.

To filter the result we need to pipe to the Find utility and, again, the result is text. In PowerShell we can get the same information with the following command; however, the process PID is missing and connections in the LISTENING state are not included by default.
PS > [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections()
With the Get-NetworkStatistics function we can get the same information, but each returned connection is an object.

Get-NetworkStatistics parses only TCP/UDP connections (entries that start with '[::' are ignored). Each address column is split in two. For example, if the 'Local Address' column has a value of '0.0.0.0:80', the IP address will be shown in the LocalAddress property (e.g. 0.0.0.0) and the port number in the LocalPort property (e.g. 80). The name of each process is also added to the result. This should make filtering much easier when we pipe the result to the Where-Object cmdlet, allowing us to filter on any property of a connection.
UPDATE: Added support for IPv6 connections. @xcud and surveyor, thanks for the input!


function Get-NetworkStatistics
{
    $properties = 'Protocol','LocalAddress','LocalPort'
    $properties += 'RemoteAddress','RemotePort','State','ProcessName','PID'

    netstat -ano | Select-String -Pattern '\s+(TCP|UDP)' | ForEach-Object {

        $item = $_.line.split(" ",[System.StringSplitOptions]::RemoveEmptyEntries)

        if($item[1] -notmatch '^\[::')
        {           
            if (($la = $item[1] -as [ipaddress]).AddressFamily -eq 'InterNetworkV6')
            {
               $localAddress = $la.IPAddressToString
               $localPort = $item[1].split('\]:')[-1]
            }
            else
            {
                $localAddress = $item[1].split(':')[0]
                $localPort = $item[1].split(':')[-1]
            } 

            if (($ra = $item[2] -as [ipaddress]).AddressFamily -eq 'InterNetworkV6')
            {
               $remoteAddress = $ra.IPAddressToString
               $remotePort = $item[2].split('\]:')[-1]
            }
            else
            {
               $remoteAddress = $item[2].split(':')[0]
               $remotePort = $item[2].split(':')[-1]
            } 

            New-Object PSObject -Property @{
                PID = $item[-1]
                ProcessName = (Get-Process -Id $item[-1] -ErrorAction SilentlyContinue).Name
                Protocol = $item[0]
                LocalAddress = $localAddress
                LocalPort = $localPort
                RemoteAddress =$remoteAddress
                RemotePort = $remotePort
                State = if($item[0] -eq 'tcp') {$item[3]} else {$null}
            } | Select-Object -Property $properties
        }
    }
}
Get-NetworkStatistics | Format-Table 
The result can then be filtered with Where-Object, for example to get all processes running on local port 80 or to find connection information by filtering on ProcessName.
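
The two filters mentioned above, followed by a check for listeners bound to all interfaces, as an added example that is not part of the original post. The rows are constructed to match the properties Get-NetworkStatistics emits; New-SampleRow, Find-ExposedListener and its -AllowedPort parameter are hypothetical names.

```powershell
# Constructed rows with the properties Get-NetworkStatistics emits
# (ports and PIDs are strings, as they come from the netstat text).
function New-SampleRow($proto, $local, $lport, $state, $name, $procId) {
    New-Object PSObject -Property @{
        Protocol = $proto; LocalAddress = $local; LocalPort = $lport
        State = $state; ProcessName = $name; PID = $procId
    }
}
$sample = @(
    (New-SampleRow 'TCP' '0.0.0.0'   '80'    'LISTENING'   'w3wp'    '4120'),
    (New-SampleRow 'TCP' '0.0.0.0'   '5985'  'LISTENING'   'svchost' '912'),
    (New-SampleRow 'TCP' '127.0.0.1' '8005'  'LISTENING'   'java'    '2288'),
    (New-SampleRow 'TCP' '10.0.0.15' '49731' 'ESTABLISHED' 'svchost' '912'),
    (New-SampleRow 'UDP' '0.0.0.0'   '161'   $null         'snmp'    '1500')
)

# The two filters from the post: by local port and by process name.
$sample | Where-Object { $_.LocalPort -eq 80 } | Format-Table -AutoSize
$sample | Where-Object { $_.ProcessName -eq 'svchost' } | Format-Table -AutoSize

# Hypothetical helper: listeners bound to every interface (0.0.0.0) whose port
# is not on an allow-list. UDP rows have no State, so they count as listeners.
function Find-ExposedListener {
    param(
        [Parameter(ValueFromPipeline = $true)] $Connection,
        [int[]] $AllowedPort = @(80, 443)
    )
    process {
        $listening = ($Connection.State -eq 'LISTENING') -or ($Connection.Protocol -eq 'UDP')
        if ($listening -and $Connection.LocalAddress -eq '0.0.0.0' -and
            $AllowedPort -notcontains [int]$Connection.LocalPort) {
            $Connection
        }
    }
}

$sample | Find-ExposedListener |
    Format-Table Protocol, LocalPort, ProcessName, PID -AutoSize
```

With live data, replace `$sample` with the output of Get-NetworkStatistics.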

Working with SID

technet more info

Account Name to SID

# Translate the account fabrikam\kenmyer to a SID
$objUser = New-Object System.Security.Principal.NTAccount("fabrikam", "kenmyer")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value


SID to Account Name

# Translate the SID "S-1-5-21-1454471165-1004335555-1606985555-5555" to an account name
$objSID = New-Object System.Security.Principal.SecurityIdentifier `
    ("S-1-5-21-1454471165-1004335555-1606985555-5555")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value

2011/02/08

Microsoft Windows 7 and Windows Server 2008 R2 Online Videos

Windows 7 Feature Overview

http://go.microsoft.com/?linkid=9670048&clcid=0x409
Demo 1: Introducing DirectAccess
http://go.microsoft.com/?linkid=9670126&clcid=0x409
Demo 2: Using Search Federation
http://go.microsoft.com/?linkid=9670127&clcid=0x409
Demo 3: Using Windows PowerShell 2.0
http://go.microsoft.com/?linkid=9670128&clcid=0x409
Demo 4: Configuring AppLocker
http://go.microsoft.com/?linkid=9670129&clcid=0x409
Demo 5: Troubleshooting Windows 7
http://go.microsoft.com/?linkid=9670130&clcid=0x409

Windows 7 Deployment Enhancements


http://go.microsoft.com/?linkid=9670049&clcid=0x409
Demo 1: Modifying Windows 7 Operating Systems with DISM
http://go.microsoft.com/?linkid=9670131&clcid=0x409
Demo 2: Automating Deployment Using Windows Deployment Services
http://go.microsoft.com/?linkid=9670132&clcid=0x409
Demo 3: Provisioning Virtual Machines
http://go.microsoft.com/?linkid=9670133&clcid=0x409

Windows 7 Manageability Solutions


http://go.microsoft.com/?linkid=9670050&clcid=0x409
Demo 1: Configuring Group Policy
http://go.microsoft.com/?linkid=9670134&clcid=0x409
Demo 2: Using Windows PowerShell 2.0
http://go.microsoft.com/?linkid=9670135&clcid=0x409
Demo 3: Using Support Tools
http://go.microsoft.com/?linkid=9670136&clcid=0x409
Demo 4: Exploring System Recovery Options
http://go.microsoft.com/?linkid=9670137&clcid=0x409

Technical Overview of Windows Server 2008 R2 Part 1


http://go.microsoft.com/?linkid=9670051&clcid=0x409
Demo 1: Using Hyper-V™ Live Migration
http://go.microsoft.com/?linkid=9670138&clcid=0x409
Demo 2: Booting from Virtual Hard Disk (VHD)
http://go.microsoft.com/?linkid=9670139&clcid=0x409
Demo 3: Administering Windows PowerShell™ Remotely
http://go.microsoft.com/?linkid=9670140&clcid=0x409
Demo 4: Using Active Directory® Management Enhancements
http://go.microsoft.com/?linkid=9670141&clcid=0x409

Technical Overview of Windows Server 2008 R2 Part 2


http://go.microsoft.com/?linkid=9670052&clcid=0x409
Demo 1: Improving Availability and Scalability with Server Core
http://go.microsoft.com/?linkid=9670142&clcid=0x409
Demo 2: Managing Web Applications with the Configuration Editor
http://go.microsoft.com/?linkid=9670143&clcid=0x409
Demo 3: Installing and Using the Windows PowerShell™ Snap-In for IIS 7.5
http://go.microsoft.com/?linkid=9670144&clcid=0x409
Demo 4: Configuring an FTP Server with the New Administration Interface
http://go.microsoft.com/?linkid=9670145&clcid=0x409
Demo 5: Connecting to Windows 7 Clients Using DirectAccess
http://go.microsoft.com/?linkid=9670146&clcid=0x409

Using the Windows Server 2008 R2 Migration Tools


http://go.microsoft.com/?linkid=9670053&clcid=0x409
Demo 1: Installing Windows Server Migration Tools
http://go.microsoft.com/?linkid=9670147&clcid=0x409
Demo 2: Migrating Active Directory®
http://go.microsoft.com/?linkid=9670148&clcid=0x409
Demo 3: Migrating DNS Servers
http://go.microsoft.com/?linkid=9670149&clcid=0x409
Demo 4: Migrating IP Settings
http://go.microsoft.com/?linkid=9670150&clcid=0x409
Demo 5: Migrating DHCP Servers
http://go.microsoft.com/?linkid=9670151&clcid=0x409
Demo 6: Migrating Local Users and Groups
http://go.microsoft.com/?linkid=9670152&clcid=0x409
Demo 7: Migrating File Servers
http://go.microsoft.com/?linkid=9670153&clcid=0x409
Demo 8: Migrating Print Servers
http://go.microsoft.com/?linkid=9670154&clcid=0x409

2011/02/02

Generating Passwords with Powershell

Source

#
#######################################################################
# FUNCTION NAME: New-Password
#   
# See USAGE() function for docs.
#
# WRITTEN BY: Derek Mangrum
#
# REVISION HISTORY:
#     2008-10-23 : Initial version
#######################################################################
function New-Password
{
    param 
    (
        [int]$length,
        [switch]$lowerCase,
        [switch]$upperCase,
        [switch]$numbers,
        [switch]$specialChars
    )

    BEGIN
    {
        # Usage Instructions
        function Usage() 
        {
            Write-Host ''
            Write-Host 'FUNCTION NAME: New-Password' -ForegroundColor White
            Write-Host ''
            Write-Host 'USAGE'
            Write-Host '    New-Password -length 10 -upperCase -lowerCase -numbers'
            Write-Host '    New-Password -length 10 -specialChars'
            Write-Host '    New-Password -le 10 -lo -u -n -s'
            Write-Host '    New-Password'
            Write-Host ''
            Write-Host 'DESCRIPTION:'
            Write-Host ' Generates a random password of a given length (-length parameter)'
            Write-Host ' comprised of at least one character from each subset provided'
            Write-Host ' as a switch parameter.'
            Write-Host ''
            Write-Host 'AVAILABLE SWITCHES:'
            Write-Host ' -lowerCase    : include all lower case letters'
            Write-Host ' -upperCase    : include all upper case letters'
            Write-Host ' -numbers      : include 0-9'
            Write-Host ' -specialChars : include the following- !@#$%^&*()_+-={}[]<>'
            Write-Host ''
            Write-Host 'REQUIREMENTS:'
            Write-Host ' You must provide the -length (four or greater) and at least one character switch'
            Write-Host ''
        }
        
        function generate_password
        {
            if ($lowerCase)    
            { 
                $charsToUse += $lCase
                $regexExp += "(?=.*[$lCase])"
            }
            if ($upperCase)        
            { 
                $charsToUse += $uCase 
                $regexExp += "(?=.*[$uCase])"
            }
            if ($numbers)
            { 
                $charsToUse += $nums 
                $regexExp += "(?=.*[$nums])"
            }
            if ($specialChars)    
            { 
                $charsToUse += $specChars
                $regexExp += "(?=.*[\W])"
            }
            
            $test = [regex]$regexExp
            $rnd = New-Object System.Random
            
            do 
            {
                $pw = $null
                for ($i = 0 ; $i -lt $length ; $i++)
                {
                    $pw += $charsToUse[($rnd.Next(0,$charsToUse.Length))]
                    Start-Sleep -milliseconds 20
                }
            }
            until ($pw -match $test)
            
            return $pw
        }

        # Displays help
        if (($Args[0] -eq "-?") -or ($Args[0] -eq "-help")) 
        {
            Usage
            break
        }
        else
        {
            $lCase = 'abcdefghijklmnopqrstuvwxyz'
            $uCase = $lCase.ToUpper()
            $nums = '1234567890'
            $specChars = '!@#$%^&*()_+-={}[]<>'
        }
    }
    
    PROCESS
    {
        if (($length -ge 4) -and ($lowerCase -or $upperCase -or $numbers -or $specialChars))
        {
            $newPassword = generate_password
        }
        else
        {
            Usage
            break
        }
        
        $newPassword
    }
    
    END
    {
    }
}




Use the script like this:

New-Password -length 7 -lowerCase -upperCase -numbers -specialChars
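
System.Random, used in the function above, is not a cryptographically secure generator. The variant below is an added example (not Derek Mangrum's code) that draws from RNGCryptoServiceProvider with rejection sampling and replaces the retry-until-the-regex-matches loop with one guaranteed character per class plus a shuffle. New-RandomPassword, Get-Index and the character sets are assumptions.

```powershell
function New-RandomPassword {
    param(
        [int]$Length = 16,
        # Assumed character sets, one per required class.
        [string[]]$CharSet = @('abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
                               '0123456789', '!@#$%^&*()_+-={}[]<>')
    )
    if ($Length -lt $CharSet.Count -or $Length -gt 256) {
        throw "Length must be between $($CharSet.Count) and 256."
    }
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 1

    # Uniform index in [0, $n) for $n <= 256: reject bytes at or above the largest
    # multiple of $n, otherwise "% $n" would favour the low indexes (modulo bias).
    function Get-Index([int]$n) {
        if ($n -lt 1 -or $n -gt 256) { throw 'Get-Index supports 1..256 choices.' }
        $limit = 256 - (256 % $n)
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $buf[0] % $n
    }

    $all = -join $CharSet
    $chars = @()
    foreach ($set in $CharSet) { $chars += $set[(Get-Index $set.Length)] }   # one per class
    while ($chars.Count -lt $Length) { $chars += $all[(Get-Index $all.Length)] }

    # Fisher-Yates shuffle so the guaranteed characters are not at fixed positions.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-Index ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    -join $chars
}

New-RandomPassword -Length 12
```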