{"id":56,"date":"2018-01-21T06:02:01","date_gmt":"2018-01-21T06:02:01","guid":{"rendered":"http:\/\/107.181.191.134\/?page_id=18"},"modified":"2021-02-15T03:45:27","modified_gmt":"2021-02-15T03:45:27","slug":"powershell","status":"publish","type":"page","link":"https:\/\/certcent.io\/index.php\/powershell\/","title":{"rendered":"PowerShell"},"content":{"rendered":"

Snippets that are useful for small business administrating Windows:<\/span><\/p>\n

Find user that matches like expression with successful logins on a Windows 7 computer.\nGet-WinEvent -FilterHashtable @{ id='4624' ; logname='security' } | where-object {$_.Properties[5].value -like \"*jeffrey*\" } | select TimeCreated, @{Label=\"User\"; Expression={ $_.Properties[5].value} } , @{Label=\"Computer\"; Expression={ $_.Properties[18].value} }<\/span><\/pre>\n
<#\n.DESCRIPTION\nFIND USERS LAST LOGIN\n#>\nfunction last-logon { param($username) get-aduser $username -properties * | select-object name, @{name=\u201dlastlogon\u201d;expression={[datetime]::fromfiletime($_.lastlogon)}} | s\nort-object lastlogon\n<#\n.DESCRIPTION\nGet logon failures or success\n#>\nfunction GetLogonFailures {\n     Get-WinEvent -FilterHashTable @{ logname='security'; id=4625 } |\n     select-object TimeCreated,\n     @{Label=\"Username\"; Expression={ $_.Properties[5].Value } } ,\n     @{ Label = \"Domain\" ; Expression={ $_.Properties[6].Value } }  ,\n     @{ Label = \"Source IP Address\"; Expression={ $_.Properties[19].Value } }\n        }\nfunction GetLogonSuccesses {\n     Get-WinEvent -FilterHashTable @{ logname='security'; id=4624 } |\n     select-object TimeCreated,\n     @{Label=\"Username\"; Expression={ $_.Properties[5].Value } },\n     @{ Label = \"Domain\" ; Expression={ $_.Properties[6].Value } } ,\n     @{ Label = \"Source IP Address\"; Expression={ $_.Properties[18].Value } }\n        }\nAnother quick and dirty ADSI users and logon time sorted.\nget-aduser -properties * -filter *| select Name, @{name = \"lastlogon\";expression={[datetime]::fromfiletime($_.lastlogon)}} |sort-object lastlogon\n<#\n.DESCRIPTION\nGet group membership\n#>\nfunction group-membership {\nparam($name)\n$adsi = new-object system.directoryservices.directorysearcher\n$adsi.filter = \"(&(objectCategory=user)(samAccountname=$name)) \"\n$groups = $adsi.findone().properties.memberof\nforeach ($strGroup in $groups) {\n$strGroup = $strGroup.split(',')[0]\n$strGroup = $strGroup.split('=')[1]\n$strGroup\n\t}\n}\n<#\n.DESCRIPTION\nObtain metadata for username\n#>\nfunction get-adminmetadata { param($username) get-aduser $username | get-adreplicationattributemetadata -server localhost | ft LastOriginatingChangeTime,LocalChangeUsn, LastOriginatingChangeDirectoryServerIdentity, LastOriginatingChangeUsn,AttributeName,Version}\n<#\n.DESCRIPTION\nFind history of users added to groups.\n#>\nfunction get-usergrouphistory { param($username) $userobj = get-aduser $username ; get-aduser itadmin -Properties memberof |  select-object -ExpandProperty memberof | foreach-object { Get-ADReplicationAttributeMetadata $_ -ShowAllLinkedValues -server localhost | where-object {$_.AttributeName -eq \"member\" -and $_.AttributeValue -eq  $userobj }  | select-object FirstOriginatingCreateTime,Object,AttributeValue  | sort-object FirstOriginatingCreateTime -Descending }  | ft  }\n<#\n.DESCRIPTION\nSample of xml query from security logs\n#>\nfunction queryEventlog {\n[XML]$query = @\"\n<QueryList>\n  <Query Id=\"0\" Path=\"Security\">\n    <Select Path=\"Security\">*[System[(EventID=4624)]]<\/Select>\n  <\/Query>\n<\/QueryList>\n\"@\nGet-WinEvent -filterxml $query\n}\n<#\n.DESCRIPTION\nSample using Gridview PassThru on Windows Logs\n#>\nfunction PassThru { { Get-EventLog -list | Out-GridView -PassThru | foreach { $_.Log; Get-EventLog -LogName $_.Log -Newest 10 } }\n<\/span><\/pre>\n
<#\n.DESCRIPTION\nEnable the recycle bin (restore AD object)\nlogontime: [datetime]::findtimestamp\nFind Stale Groups\nMove account to org, disable after 30-days, delete after 90-days\nComputer delete A, AAAA, and PTR records.\n#>\n<#\n.DESCRIPTION\nFind ADGroups, display member counts, and when last changed.\n#>\nfunction stale-groups { get-adgroup -filter * -properties Name , whencreated, whenchanged, member, memberof | select-object name, whencreated, member, whenchanged, memberof, description, @{name ='membercount'; expression={$_.member.count}}}\n<#\n.DESCRIPTION\nFind Stale Users\n#>\nfunction findlastlogon { param($username) get-aduser $username -properties * | select-object name, @{name=\u201dlastlogon\u201d;expression={[datetime]::fromfiletime($_.lastlogon)}} | sort-object lastlogon }\n<#\n.DESCRIPTION\nFind all computers based on XP\n#>\n function oldxpcomputers {get-adcomputer -filter {OperatingSystem -like \"*XP*\"}  -properties WhenChanged,lastlogontimestamp | select-object name, whenchanged, @{name='lasttime';expression={[datetime]::FromFileTimeUTC($_.LastLogonTimeSTamp)}}}\n<\/span><\/pre>\n
\u00a0<\/span>
\nEnabled AD Recycle Bin (Forest and Domain 2012+) in Powershell:<\/span><\/p>\n
# Pull the full name and path to recycle bin (can be very long)\n$name = Get-ADOptionalFeature -filter *\nEnable-ADOptionalFeature -Identity \"$name.DistinguishedName\"\n-Target domain.com -Scope ForestOrConfigurationSet<\/span><\/pre>\n
Find files older then days:<\/span><\/p>\n
# This scripts will identify old files in backup directories and remove them\n#\n$date = get-date\n$directories = \"Production\",\"JBSettings\",\"UniPoint_Live\",\"UniPoint_unidx\"\nforeach ($oldfiles in $directories)\n{ gci $oldfiles | where-object {$_.LastWriteTime.AddDays(3) -lt $date }  }<\/span><\/pre>\n
Find 10 largest files in directory e:\\Library:<\/span><\/p>\n
invoke-command -ComputerName 192.168.1.1 -Credential $cred -ScriptBlock { gci e:\\library -Recurse | Sort-Object -Descending Length | select -First 10 }\n<\/span><\/pre>\n
Here’s a simple, but very powerful and useful script to parse your Windows logs. Beginning in Windows 2008 Get-WinEvent replaced Get-EventLog.<\/span><\/p>\n
function GetLogonFailures {\n     Get-WinEvent -FilterHashTable @{ logname='security'; id=4625 } |\n     select-object TimeCreated,\n     @{Label=\"Username\"; Expression={ $_.Properties[5].Value } } ,\n     @{ Label = \"Domain\" ; Expression={ $_.Properties[6].Value } }  ,\n     @{ Label = \"Source IP Address\"; Expression={ $_.Properties[19].Value } }\n        }\nfunction GetLogonSuccesses {\n     Get-WinEvent -FilterHashTable @{ logname='security'; id=4624 } |\n     select-object TimeCreated,\n     @{Label=\"Username\"; Expression={ $_.Properties[5].Value } },\n     @{ Label = \"Domain\" ; Expression={ $_.Properties[6].Value } } ,\n     @{ Label = \"Source IP Address\"; Expression={ $_.Properties[18].Value } }\n        }\n<\/span><\/pre>\n
This function can be used to extract a Active Directory user’s group memberships and copy them to an array.<\/span><\/p>\n
function group-membership {\nparam($name)\n$adsi = new-object system.directoryservices.directorysearcher\n$adsi.filter = \"(&(objectCategory=user)(samAccountname=$name)) \"\n$groups = $adsi.findone().properties.memberof\nforeach ($strGroup in $groups) {\n$strGroup = $strGroup.split(',')[0]\n$strGroup = $strGroup.split('=')[1]\n$strGroup\n\t}\n}<\/span><\/pre>\n
A fun function to avoid spammers with encoding your e-mail address.<\/span><\/p>\n
function EncodeEmail { param($string)\n$encode = $string;\n$bytes=[System.Text.Encoding]::Unicode.GetBytes($encode);\n$EncodedText=[Convert]::ToBase64String($bytes);\n$EncodedText }\nfunction DecodeEMail { param($string)\n$decode = $string;\n$decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($decode))\n$decoded;\n}<\/span><\/pre>\n","protected":false},"excerpt":{"rendered":"
Snippets that are useful for small business administrating Windows: Find user that matches like expression with successful logins on a Windows 7 computer. Get-WinEvent -FilterHashtable @{ id=’4624′ ; logname=’security’ } | where-object {$_.Properties[5].value -like “*jeffrey*” } | select TimeCreated, @{Label=”User”; Expression={ $_.Properties[5].value} } , @{Label=”Computer”; Expression={ $_.Properties[18].value} } <# .DESCRIPTION FIND USERS LAST LOGIN #>… Continue reading PowerShell<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/pages\/56"}],"collection":[{"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/comments?post=56"}],"version-history":[{"count":1,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/pages\/56\/revisions"}],"predecessor-version":[{"id":384,"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/pages\/56\/revisions\/384"}],"wp:attachment":[{"href":"https:\/\/certcent.io\/index.php\/wp-json\/wp\/v2\/media?parent=56"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}