Importing AD powershell module into Windows PE and then using encrypted creds

PowerShell makes life much easier than VBScript…. however it does have its downsides… the signing policy can sometimes be a bit of a pain and the modules you need have to be available…. which is an issue in particular for Windows PE.

Mick (good aussie name there) was nice enough to write a blog on how to import the AD PowerShell module into PE – without having to add it statically to the boot wim – http://mickitblog.blogspot.com.au/2016/04/import-active-directory-module-into.html

I was a little lazy here and copied both x86 and x64 required directories via robocopy rather than determining the version via powershell like Mick did.

The next step however is the more important one…. a task sequence doesn’t allow us to run a PowerShell command in PE with credentials, so we need a secure way of running the command. In my case, I want to delete a computer object….

Step 1 – Generate a key file (perform on any full OS)

# Single quotes so the $ in PSource$ is never treated as a variable
$KeyFile = '\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.key'
# 16 random bytes = AES-128 key for ConvertFrom-SecureString -Key (24 or 32 bytes also work)
$Key = New-Object Byte[] 16
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
# Written as one byte value per line; Get-Content reads it back into a byte array
$Key | Out-File $KeyFile


Step 2 – Encrypt a password using the key

$PasswordFile = '\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.txt'
$KeyFile = '\\sccm\PSource$\OSD.DeleteComputer\DeleteComputer.key'
$Key = Get-Content $KeyFile
$Password = 'Your password here' | ConvertTo-SecureString -AsPlainText -Force
# With -Key the output is AES-encrypted with our key rather than DPAPI-protected,
# so it can be decrypted on a different machine (i.e. in WinPE) that has the key file
$Password | ConvertFrom-SecureString -Key $Key | Out-File $PasswordFile


Step 3 – Create your script utilising the creds – (Below is the one I use to delete a computer object)

Import-Module ActiveDirectory

# SCCM TS Object
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment

# SCCM Variables
$CompName = $tsenv.Value('_SMSTSMachineName')

# Get current path in order to get encrypted password (key and txt sit next to the script)
$MyDir = [System.IO.Path]::GetDirectoryName($myInvocation.MyCommand.Definition)
$User = 'Domain\Account'
$PasswordFile = "$MyDir\DeleteComputer.txt"
$KeyFile = "$MyDir\DeleteComputer.key"
$key = Get-Content $KeyFile
$MyCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, (Get-Content $PasswordFile | ConvertTo-SecureString -Key $key)

# Remove the computer from AD
# -Server is required here: WinPE is not domain joined, so the AD module cannot locate a DC on its own
Remove-ADComputer -Identity $CompName -Server <DC name required> -Credential $MyCredential -Confirm:$false


Now before you say it…. yes, this is not very secure. It will stop a random snooper-type person from seeing a plain text password…. but it will not stop someone who has 1/2 an idea about pressing F8 to get into the running TS (if you have it enabled) and then grabbing the key and txt and being able to use them…. so use (or don’t use) appropriately for your environment.
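Given the caveat above, the two things worth doing before the key and txt go on the share are limiting who can read them and confirming they actually decrypt before the task sequence depends on them. The following is an added example (not code from the original post) that creates both files, locks the folder ACL down to SYSTEM, Administrators and the account that will read them, and then round-trips the password with a read-only AD bind. The folder, account names and prompt text are constructed assumptions; the account used for the delete should only be delegated the "Delete Computer objects" right on the relevant OU rather than being a domain admin.

```powershell
# Added example: build and verify the key/password files the post's Step 1 and Step 2 produce.
# Requires Windows PowerShell 5.1 with the ActiveDirectory module, run on a full OS (not WinPE).
# Folder, account names and the prompt text below are constructed assumptions.
Import-Module ActiveDirectory

function New-OsdCredentialFiles {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$ReaderAccount,   # account that reads the files during OSD
        [Parameter(Mandatory)][System.Security.SecureString]$Password
    )
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $keyFile = Join-Path $Folder 'DeleteComputer.key'
    $pwdFile = Join-Path $Folder 'DeleteComputer.txt'

    # 32-byte key = AES-256 for ConvertFrom-SecureString -Key (16 and 24 bytes are also accepted)
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    $key | Out-File $keyFile                          # same one-byte-per-line format as the post
    $Password | ConvertFrom-SecureString -Key $key | Out-File $pwdFile

    # Stop inheriting from the share root and grant only the identities that need the files.
    # (Share permissions on \\sccm\PSource$ still apply on top of this NTFS ACL.)
    $acl = Get-Acl $Folder
    $acl.SetAccessRuleProtection($true, $false)       # protect ACL, drop inherited entries
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ReaderAccount, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $Folder -AclObject $acl

    [pscustomobject]@{ KeyFile = $keyFile; PasswordFile = $pwdFile }
}

function Test-OsdCredentialFiles {
    param([string]$KeyFile, [string]$PasswordFile, [string]$UserName)
    $key = [byte[]](Get-Content $KeyFile)
    if ($key.Length -notin 16, 24, 32) { throw "Key file is $($key.Length) bytes; expected 16, 24 or 32." }
    try {
        $secure = Get-Content $PasswordFile | ConvertTo-SecureString -Key $key -ErrorAction Stop
    } catch {
        # Wrong key, edited txt, or a DPAPI-protected string made without -Key all land here
        throw "Password file does not decrypt with this key: $_"
    }
    $cred = New-Object System.Management.Automation.PSCredential($UserName, $secure)
    # Prove the credential works without touching any object: a read-only bind is enough.
    Get-ADDomain -Credential $cred | Out-Null
    return $cred
}

# Usage (constructed folder and account names):
$files = New-OsdCredentialFiles -Folder 'C:\OSD.DeleteComputer' -ReaderAccount 'DOMAIN\SCCM_NAA' `
             -Password (Read-Host -AsSecureString 'Password for DOMAIN\svc-osd-delete')
$cred = Test-OsdCredentialFiles -KeyFile $files.KeyFile -PasswordFile $files.PasswordFile `
             -UserName 'DOMAIN\svc-osd-delete'
"Credential for $($cred.UserName) decrypts and binds OK; copy the folder to the package source."
```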

Making your software product too hard to obtain….

A client has recently merged and is looking at merging into a single forest/domain structure – but up until that happens, they are keen to get the basics, immediately – such as file, calendar and address book sharing – all of which is fair enough.

It had been a while since I looked at GALsync-type solutions – so I did a bit of a search to find what was current.

One of the solutions I came across was Quest Quick Connect Express for Active Directory via http://www.open-a-socket.com/index.php/2010/12/23/gal-sync-with-quest-quick-connect-express-for-active-directory/

I’ve never been a huge fan of the quest products – they seem to get sold pretty hard by Dell consultants who don’t care if the product actually meets the needs of the client – and they are fucking expensive, however, when used for the right job – they actually do work pretty well.

In this case, I found the Dell download link (https://support.software.dell.com/download-install-detail/5556386) and proceeded to try and obtain this free product. Two account sign ups later – I’m not entitled to the software…. so does that mean it’s now paid software when it was previously free? Fair enough – might be worth mentioning that by having a licensing link on the page, or pricing etc… something to indicate it isn’t free anymore.

Is there a trial available ? Doesn’t look like it.

In short Dell – that fucking sucks. I don’t care that it’s not free anymore – I care that you made me jump through hoops to find out that it wasn’t free anymore – and also gave me no indication as to what the price is, where I can find out what the price is, what (if any) trials/demos are available etc. Absolutely zero useful information.


Group Policy – Disabled SOM – ?

I implemented SCCM 2012 for a client last week and, as per our usual process, implemented an SCCM client health check script which runs as part of a computer start up script in a group policy object.

Came back after a few days – nothing had updated…. “odd” I thought…. but this client had some App-V clients that were still RTM, not SP1 as required for SCCM 2012, and had also disabled VBScript via an archaic method previously…. but the fix for them seemed to be working.

After running RSOP (server side) and gpresult (client side) – I was getting “disabled SOM” as the reason my GPO was being denied…. never heard of that one before….

Turned out, disabled SOM means “Disabled scope of management” and is commonly caused by using block inheritance in group policy…. as regular readers may know – I hate block inheritance… I think it is generally used poorly.

In this case, I was applying a site based policy – and someone had enabled block inheritance at the domain level…. (which I’d never seen before)…. because sites are considered to be “above” the domain…. it meant site-linked policies were blocked.. got rid of the block – all was good.

Anyhoo – I thought that was both an odd and interesting one…. one that I’d never seen before and probably never will again!

Microsoft and management interfaces….

Consistency…. it’s what we spend a great deal of time fixing for clients…. sure, they see us writing standardisation documents for AD/Exchange/Group Policy/Logon scripts etc….. but really, what we are doing is trying to deliver consistency – simply because the more things that are consistent within an environment, the more logical it is – and the easier it is to support.

Take for example the very simple case of mapped drives….. some clients have the whacky situation where S: is mapped to \\server1\common for some people and \\server7\finance for others…. this of course makes the job of the helpdesk much harder – as users don’t know (nor should they need to) what a UNC is…. they just can’t find the file on their S: drive. A consistent naming standard for user accounts, email addresses etc is commonly used by the majority of places we deal with – as it just makes sense.

Anyhoo – onto the point of the post – Microsoft products and their management interfaces.

A while ago, the NT 4 Option Pack to be exact, MMC was introduced, with talk about MS products standardising on using MMCs for management…. this kind of took off…. AD tools, computer management, event viewer, services etc etc all were (and still are) available as MMC snap-ins….. very handy for standardised management and also for creating your own snap-in. Other products such as Exchange, ISA/TMG, OCS and SCCM used an MMC-like management console….

Some of these weren’t necessarily the best….SCCM 2007 was universally panned for its shit interface (but it still did the job)…. OCS 2007 I didn’t think was that bad, but the devs apparently did…. and the Exchange 2010 EMC was fucking awesome (a bit slow… but functionality and layout wise it was great)

On the upside, the SCCM 2012 interface is not an MMC at all, and it’s awesome… well laid out, relatively easy to find stuff, responsive etc….

Then we have Lync 2010 with the Silverlight interface…. for some of the admin tasks, but an MMC for the topology tasks and PowerShell for all tasks (some of which can only be completed via PowerShell). While I find it usable – and don’t mind it, it’s a bit disjointed.

Then we have the slight shift to the side – in PowerShell. Basically the only way to do all the tasks required in Exchange 2007/2010 and Lync was to use PowerShell…. this was a little annoying for clients, but offered an absolute crapload of scripting power… so it was, on the whole, awesome.

Now, we have wave 15….. the SCCM 2012 interface is awesome…. the Lync 2013 interface is the same as 2010…. a bit of a (oddly ok) thrown together mess…. Exchange 2013 has thrown out the awesome 2010 EMC and replaced it with a web interface, which is ok… but not as good as the interface it replaced!

So, what’s the point of this article… give us some consistency!

1) Having a PowerShell interface for products is awesome…. keep doing it – and keep expanding the number of features it covers. The cmdlets however need to keep consistency as well… which so far, has been reasonable (I have a vague memory of a few of the Lync cmdlets not quite fitting with the get/set/new/remove nomenclature)

2) A web interface for certain admin tasks as an option is fine – but a web interface should never be the primary interface in my opinion…. sure the Silverlight ones are slightly less painful – but they still suck compared to a GUI

3) Give us a consistent GUI interface…. I get that the teams internally at MS might not see eye to eye a lot of the time and that the interface has to be right for the product…. but FFS… the reason that the OCS 2007 interface sucked wasn’t because MMC sucks, it’s because the OCS interface sucked. The SCCM 2012 interface is awesome – and even though it’s not an MMC, I think that same type of interface would also fit well for Exchange/Lync/AD etc….

4) I’d be disappointed if MS went all web with every interface, but if they did it for every product – at least it would be consistent!

In short MS – please give us some consistency with your management interfaces across product lines….

August 15th – Win 2012 and Win 8 available for DL

http://www.bink.nu/windows-8-has-reached-the-rtm-milestone

I’ve made the (fair) assumption that server will become available at the same time as the client.

I’m not convinced that many people (in the corporate space) actually care about Win 8…. part of that is because Win 7 is a bloody good OS…. if Win-7-to-go existed… I think there would be even less interest in Win 8.

Server 2012 is a bit of a different matter…. while many features are a bit ho-hum, Hyper-V replicas… there are some big cash savings to be made by swapping from VMware and SRM… so it will be interesting to see how that plays out.

Oh – and the rest of the Wave 15 products that have previews – Exchange, Lync and Office 2013… well, I’m also quite “meh” about them too…. don’t get me wrong – it’s not as if they are terrible – but there is just nothing particularly exciting about any of them.

The Exchange 2013 web management interface, after a few days of using it, I no longer dislike…. I fucking hate it…. moving to that after using the very good Exchange 2010 management console is a huge step backwards…. I can only assume the manager that made that decision had smoked something or was busy crapping on about how great “the cloud” was to some sales idiot… or both.

With Lync, it’s cool to have the web client back – outside of that, while there are improvements, I’m a bit meh….. annoyed at the lack of authenticated SIP trunk – still.

Office…. well, it’s Office… I can imagine it’s hard for those guys to come up with anything new… it would be nice if they worked with the Exchange team to achieve true, no impact Exchange failovers… (which they well may have, but I’m not setting up test DAGs and CAS arrays to find out until RTM)

On the up side, the more I use SCCM 2012 – the more it rocks. Sure, there are still improvements that could be made….. but holy shit it has come a long way since 2007, it’s so much more usable, responsive and quick compared to 2007. Now there’s a team that got their shit together – well done.

Active Directory in Windows 2012 – domain alias ?

So – I’ve been reading up on the features of Windows 2012, particularly around AD (don’t get me wrong, the Hyper-V stuff looks awesome – but so much of our recent work has been around AD cleanup, migration and re-design, it’s kind of a focus right now)

The AD changes seem fairly minor, not bad, just minor. So, here is my, never to be heard plea to the AD development team:

Give me a way to present a netbios domain name alias.

So many of our clients have shitty domain names such as domain or local, or have been acquired/changed business names – and for their own reasons (reasons i dont necessarily agree with) want to present a different domain name to users. So much so, that we end up doing domain migrations that actually have no technical benefit for smaller/midsize places and for the larger places, it just gets put in the “too hard” basket.

I’m obviously not across all the complexities of implementing something like this, but it’s something that would address customer requests…. so if it turned up, it would be awesome. UPN suffixes – while a nice idea, I don’t think I’ve run into a place yet that uses UPNs to sign in.

Keeping along the same lines – forest root domains….. the fucking cancer that they are…. give us a way of collapsing these down into the resource domain instead of having to migrate up into the forest root.

Both of these aren’t going to happen – and I realise this… but these are realistically (now that the AD recycle bin has a GUI) the last couple of major features missing from AD that we get asked for frequently.

Things i was really hoping for in Windows 8 server… or a future version ?

Windows “8” server beta got released the other day, as I’m sure every nerd-type person knows…

There are some cool features in the beta release, around Hyper-V in particular…. as usual (for me) – I always focus on the other stuff that could be in there…. (it’s not a good personality trait – I am aware of this!)

Anyhoo – in case anyone out there is listening…. (unlikely I know)

– The biggest thing I want is either a tool or supported method of collapsing forest-root domains. These are everywhere thanks to Microsoft’s poor documentation around this area and over-confident, under-skilled consultants back in the Windows 2000 days. Forest root domains are a fucking cancer – and serve no purpose in many organisations other than being a pain in the arse. Having to perform a domain migration for this isn’t necessarily an option in a number of places… and while I’ve done more inter-forest migrations than I can count these days… they’re never nice.

– Group policy consolidation – give us a tool to consolidate multiple GPOs… a lack of understanding of how to effectively use group policies means that many times, companies have hundreds of GPOs when they only need 10-20.

– DAG everything. Exchange 2010 DAGs are fucking awesome. (I like them a little) – giving us fault tolerance without the need for shared storage… just brilliant. Do it with everything you can… I’ve read it’s supposedly on the way for SQL 2012 (but we don’t really do SQL)… but hey, even file services…. for some locations, that structure will be preferable to a file cluster

– RDS… RDS is good, but geez the config of it sucks. Requiring TMG for RSA (via OTP) auth is just silly… while I love TMG (and on that, where’s TMG 201x? – there’s bucket-loads more features to be done there!) – should you really be forcing it upon corporations that don’t already have it? (to be answered by techs, not salespeople… give us a CAG equivalent) Anyhoo, RDS, getting better every version…. but how about a bit more focus on making it easily usable as opposed to RemoteFX stuff. (ok, I’d prefer both)

I did start an article like this for SCCM 2012 – but it just got too long…. 🙂

Exchange & AD migration – oddities

Hi all,

Long time no post… been busy moving house (yay) and dealing with all the hassle and things that aren’t done around building a new house (boo)

Anyhoo – recently I assisted a client to move from Exchange 2007 to Exchange 2010…. the client had completed the install and some configuration, but wanted us to finish off due to time constraints – and also as a check over.

1st interesting bit – This client, for whatever reason, always has lots of whacky, non-standard settings. I’m not sure what it is, but the lead tech seems to like to tinker a bit and make things non-standard…. and it always causes issues. In this case, he has 3 DCs. The DC holding the FSMO roles is not a GC, by his doing. Most of you will be familiar with this – http://support.microsoft.com/kb/223346 – basically the only reason to have a non-GC for the IM is in a multi-domain forest under certain conditions… outside of that, especially in a single domain & forest of this size (1000 users), just make your own and everyone else’s life simple and make every DC a GC.

Anyhoo the schema master, as one of the FSMO roles, was on the DC that wasn’t a GC…. so the Exchange 2010 SP2 schema prep just kept on running, doing the same thing over and over again (according to the logs). After it took a little while longer than normal (i.e. an hour!) I started investigating…. moved the schema master FSMO role to a DC that was a GC… worked. (and I have recommended to the guy that he makes the DC a GC etc)

2nd interesting bit – In order not to update the SMTP relay, he wanted to swap over IPs…. fair enough. He did this overnight once the migration of mailboxes was finished. I remoted back in the next morning and found the databases on the 2007 box dismounted…. and they would not mount with error

Couldn’t mount the database that you specified. Specified database: x; Error code: An Active Manager operation failed. Error: The database action failed. Error: Operation failed with message: MapiExceptionNoAccess: Unable to mount database. (hr=0x80070005, ec=-2147024891

I ended up pulling my hair out over this for around 2 hours…. checking ADSI Edit permissions, file permissions, running the BPA, turning up IS logging etc…. and after all that… there was a hosts file specifying the name and IP of the local machine…. got rid of that, let the server re-register in DNS with its new IP, voila… all good.

hosts and lmhosts are things that should only ever be used in test environments for emulating a namespace etc…. they really have no place in production. There are always better ways of managing name registration etc than static files.

3rd interesting bit – Quite a while back I noticed on SCCM that if the Windows Firewall service is disabled, SCCM has difficulty communicating… and ever since I have ensured the service is enabled and then the firewall state is set to allow SCCM traffic or disabled within control panel (but the service is still running) depending on the client preference.

Last week I moved a place to 2008 R2 DCs from 2003 DCs…. pretty simple affair…. apart from some odd errors showing up in DCDiag…. as if communication with other DCs was problematic. Sure enough, the firewall service was disabled…. set that to automatic and started it, disabled the firewall through group policy – all good. Fairly obvious moral of the story…. fair enough if you want the firewall off…. but don’t disable the service, disable it via group policy or control panel… but leave the service started.

AD restores

So I got an email from a client this morning saying “don’t ask – but I have lost all of our staff users in AD – Help”

To cut a long story short, the guys had gone into the Exchange 2010 EMC – and tried to remove staff mailboxes (for another reason I won’t go into) and actually removed everything, including the AD account. They claim the Exchange right-click isn’t clear – and I agree to an extent…. instead of “disable” and “remove” – which need to be interpreted…. how about “remove mailbox” and “remove user + mailbox” – much clearer…. anyhoo – that’s off topic – and it’s not going to change anyway.

On to AD…. so these guys had done most of the right things – they had located a system state restore for a DC from the night before – a DC that wasn’t a CA or anything else that might be interfered with from a restore – and they had run a restore – but had no success.

Anyhoo – here is an official MS article that helps you out – http://support.microsoft.com/kb/840001

For the abridged version specifically for this client (they asked for this blog post)

First – Try ADRestore.Net and/or ADRestore…… nice article about those here…. – http://www.petri.co.il/recovering-deleted-items-active-directory.htm

At this client site – we found that using either of these tools brought the object back – but no group memberships, or other details such as department, address etc. So that was really no good…. next option, an auth restore….
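The reason the tombstone-reanimation tools come back with a bare object is that, without the AD Recycle Bin, a deleted object keeps only the schema attributes flagged "preserve on delete", and memberOf is a back-link that was never stored on the user in the first place. The following is an added example, not code from the original post, that lists those preserved attributes and inspects a deleted user to show which of the missing details could even be recovered by reanimation. It assumes the ActiveDirectory module, read access to the Deleted Objects container, and a constructed sAMAccountName.

```powershell
# Added example: why ADRestore gives you the user but not department/address/group memberships.
# Assumes the ActiveDirectory module and rights to read Deleted Objects (Domain Admins by default).
Import-Module ActiveDirectory

function Get-TombstonePreservedAttribute {
    # searchFlags bit 0x8 = fPRESERVEONDELETE; 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
    # Everything NOT in this list is stripped when an object becomes a tombstone.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNc -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=8))' `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

function Test-RecycleBinEnabled {
    # With the Recycle Bin enabled, deleted objects keep all attributes (and links) instead.
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    return ($null -ne $feature -and $feature.EnabledScopes.Count -gt 0)
}

function Get-DeletedUserReport {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # sAMAccountName is itself preserve-on-delete, so the tombstone can still be found by it.
    $del = Get-ADObject -IncludeDeletedObjects -Properties * `
        -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName }
    if (-not $del) { throw "No deleted object with sAMAccountName '$SamAccountName' found." }
    # The details the post found missing after ADRestore at this client
    $wanted = 'department', 'streetAddress', 'title', 'memberOf'
    [pscustomobject]@{
        DistinguishedName = $del.DistinguishedName
        LastKnownParent   = $del.lastKnownParent
        RecycleBinEnabled = Test-RecycleBinEnabled
        StillPresent      = @($wanted | Where-Object { $del.$_ })
        Stripped          = @($wanted | Where-Object { -not $del.$_ })
        # Anything in Stripped cannot come back via reanimation; that is when the
        # authoritative restore from backup walked through below is needed.
    }
}

# Usage (constructed account name):
Get-TombstonePreservedAttribute        # objectSid and sAMAccountName are among these
Get-DeletedUserReport -SamAccountName 'jsmith'
```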

Restart your DC of choice in directory services restore mode (press F8 on boot up to see this option)

Run windows server backup…..select as appropriate…. now this screen is the one that got these guys confused

For some reason “perform an authoritative restore of active directory files” does not perform an auth restore…. hey, maybe we’re doing something wrong – or maybe it’s just bad terminology again by MS and it means something else….. but I don’t really care in this situation – so let’s move on…

Once the restore is complete – do not reboot

Open a command prompt and use ntdsutil….

ntdsutil

activate instance ntds

authoritative restore

if it’s a specific object you want to restore: restore object <object DN path>

if it’s an entire OU (with everything under it) you want to restore: restore subtree <OU DN path>

Reboot – done.
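The ntdsutil steps above can also be driven as a single non-interactive command, which avoids mistyping a long DN at the prompt and lets you capture what ntdsutil reports before you reboot. The following is an added example, not code from the original post, and is run in the same place as the steps above: in Directory Services Restore Mode, after the system state restore and before the reboot. The DN is a constructed example, and the "Successfully updated N records" and ar_*_links_*.ldf output lines it looks for are the ones KB 840001 describes; if your ntdsutil wording differs, the RawOutput field still shows you everything it printed.

```powershell
# Added example: non-interactive authoritative restore, run in DSRM before rebooting.
# DN below is a constructed example; output-line patterns are assumptions based on KB 840001.
function Invoke-AuthoritativeRestore {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [ValidateSet('object', 'subtree')][string]$Scope = 'subtree'   # subtree = OU plus children
    )
    if ($DistinguishedName -notmatch '^(OU|CN)=') { throw "Expected a DN, got '$DistinguishedName'" }
    if ($DistinguishedName -match '\s') {
        # Avoids the nested-quote handling of passing "restore subtree "OU=A B,DC=x"" through PowerShell
        throw 'DNs containing spaces: run ntdsutil interactively and quote the DN at the prompt.'
    }
    $ntdsArgs = @(
        'activate instance ntds',
        'authoritative restore',
        "restore $Scope $DistinguishedName",
        'quit', 'quit'
    )
    $output = & ntdsutil.exe @ntdsArgs 2>&1 | ForEach-Object { $_.ToString() }

    # ntdsutil reports how many objects it marked authoritative (version numbers bumped)
    $updated = ($output | Select-String 'Successfully updated (\d+) records' |
                ForEach-Object { [int]$_.Matches[0].Groups[1].Value } | Measure-Object -Sum).Sum
    # Back-link LDIF files are written when restored objects are members of groups in other domains;
    # import each one on a DC of that domain with: ldifde -i -k -f <file>
    $ldf = $output | Select-String 'ar_\S+\.ldf' | ForEach-Object { $_.Matches[0].Value }

    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        Scope             = $Scope
        RecordsUpdated    = [int]$updated
        LinkFiles         = @($ldf | Select-Object -Unique)
        RawOutput         = $output
    }
}

# Usage (constructed DN): restore an entire staff OU, then reboot as the post says.
$result = Invoke-AuthoritativeRestore -DistinguishedName 'OU=Staff,DC=corp,DC=example' -Scope subtree
$result | Format-List DistinguishedName, Scope, RecordsUpdated, LinkFiles
if ($result.RecordsUpdated -eq 0) {
    Write-Warning 'ntdsutil marked nothing authoritative; read $result.RawOutput before rebooting.'
}
```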