PowerShell – Page 2 – Just Another IT Guy

Restore a Deleted Office 365 Group with PowerShell

Posted on November 3, 2017August 23, 2018 by Scott Shelton

Oops…So I accidentally deleted a few O365 groups last week. Happens to everyone at some point right? Luckily, as long as it has been less that 30 days since you deleted it, you are in the clear and can restore it! Note: If you were a try hard and used Remove-MsolGroup to delete the group, you’re screwed. Full disclosure the very detailed walk through I followed can be found here, but I am going to do my own quick write up for future reference. With all that being said, strap in!

We need to start by installing the AzureADPreview PowerShell module. Yeah, it’s in preview (haha). So pop open a PowerShell window as administrator and run the following. If you have a previous version of the module you will need to uninstall it and install the most up to date version.

#Uninstall previously installed version
Uninstall-Module AzureADPreview

#Install up to date version
Install-Module AzureADPreview

#Uninstall previously installed version

Uninstall-Module AzureADPreview

#Install up to date version

Install-Module AzureADPreview

Tough stuff. You may receive the following prompts to download the repository and that it is untrusted. Accept them, they’re not super hackers or anything.

#Add necessary provider prompt
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
'C:\Users\scotts\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import
the NuGet provider now?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y

#Untrusted repository prompt
You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy
value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y

#Add necessary provider prompt

PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet

provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or

'C:\Users\scotts\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running

'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import

the NuGet provider now?

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y

#Untrusted repository prompt

You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy

value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?

[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y

Now we are all prepped and ready to go. If you closed that PowerShell window get it open again as administrator. Run the following to restore your group (further instructions below).

#Import the module
Import-Module AzureADPreview

#Connect to Azure AD
Connect-AzureAD
#Insert O365 credentials as prompted for desired tenant.

#List all deleted groups in past 30 days
Get-AzureADMSDeletedGroup

#Restore the deleted group
Restore-AzureADMSDeletedDirectoryObject -Id <Paste Group ID Here>

#Import the module

Import-Module AzureADPreview

#Connect to Azure AD

Connect-AzureAD

#Insert O365 credentials as prompted for desired tenant.

#List all deleted groups in past 30 days

Get-AzureADMSDeletedGroup

#Restore the deleted group

Restore-AzureADMSDeletedDirectoryObject -Id <Paste Group ID Here>

It’ll take a few seconds but you will now have your group restored and can go back to normal.

Convert Federated Domain to Standard with PowerShell

Posted on October 24, 2017August 23, 2018 by Scott Shelton

This is a rather unique scenario that I found myself in recently. I must admit, tearing down domain federation is infinitely easier than getting it set up! Anywho, the following details the steps involved in converting a federated Office 365 domain to a managed domain and removing DirSync from Office 365.

1.) Open a PowerShell window as Administrator on a box with the msol cmdlets and connect to your Office 365 tenant

Connect-MsolService
#Insert Office 365 Global Administrator credentials

1 2	Connect-MsolService #Insert Office 365 Global Administrator credentials

2.) Run the following command to convert the domain to a standard domain

Convert-MsolDomainToStandard -DomainName anotheritguy.com -PasswordFile "C:\UserPasswords" -SkipUserConversion $false

1	Convert-MsolDomainToStandard -DomainName anotheritguy.com -PasswordFile "C:\UserPasswords" -SkipUserConversion $false

3.) Run the following command to remove DirSync from Office 365

Set-MsolDirSyncEnabled -EnableDirSync $false

1	Set-MsolDirSyncEnabled -EnableDirSync $false

Monitor Membership of Domain Groups with PowerShell

Posted on September 30, 2017August 23, 2018 by Scott Shelton

Let me start this one off by saying this is not an optimal solution, but in a pinch it gets the job done. Also, I kind of rushed this so there is a lot of code and it could definitely be shortened up if so desired.

Now that that is out of the way, the following script monitors groups that you wish monitor on a white list basis. This means it requires a lot of upkeep if you are in a rapidly changing environment, but luckily I am not. It is quite simple to add groups should you need to so that’s a plus. In the event of someone being added to one of the groups that isn’t on the corresponding white list, you will get an email notification. I just deploy the script as a scheduled task that runs every hour. Simple but effective.

################
#SMTP Variables#
################

$strSMTPServer = "SMTPSERVER"
$strSMTPTo = "AnotherITGuy <anotheritguy@domain.com>"
$strSMTPFrom = "ALERT - DOMAIN GROUP MEMBERSHIP <alerts@domain.com>"

############################
#More Variables & Functions#
############################

#Domain Controller
$strDomainController = "DC01.DOMAIN.COM"

#Monitored Groups
$arrDomainAdmins = Get-ADGroupMember -Server $strDomainController -Identity "Domain Admins"
$arrEnterpriseAdmins = Get-ADGroupMember -Server $strDomainController -Identity "Enterprise Admins"
$arrSchemaAdmins = Get-ADGroupMember -Server $strDomainController -Identity "Schema Admins"
$arrvCenterAdmins = Get-ADGroupMember -Server $strDomainController -Identity "VCenter Admins"

#Monitored Groups Member Names
$arrDomainAdminsNames = $arrDomainAdmins.Name
$arrEnterpriseAdminsNames = $arrEnterpriseAdmins.Name
$arrSchemaAdminsNames = $arrSchemaAdmins.Name
$arrvCenterAdminsNames = $arrvCenterAdmins.Name

#Monitored Groups White Lists
$arrWLDomainAdmins = Get-Content E:\WLs\arrDomainAdmins.txt
$arrWLEnterpriseAdmins = Get-Content E:\WLs\arrEnterpriseAdmins.txt
$arrWLSchemaAdmins = Get-Content E:\WLs\arrSchemaAdmins.txt
$arrWLvCenterAdmins = Get-Content E:\WLs\arrVCenterAdmins.txt

#Domain Admins Eval
function Eval-DomainAdmins($Username)
{
    foreach($tmpUsername in $arrWLDomainAdmins)
    {
        if($tmpUsername -eq $Username)
        {
            return $true
        }
    }
    return $false
}

#Enterprise Admins Eval
function Eval-EnterpriseAdmins($Username)
{
    foreach($tmpUsername in $arrWLEnterpriseAdmins)
    {
        if($tmpUsername -eq $Username)
        {
            return $true
        }
    }
    return $false
}

#Schema Admins Eval
function Eval-SchemaAdmins($Username)
{
    foreach($tmpUsername in $arrWLSchemaAdmins)
    {
        if($tmpUsername -eq $Username)
        {
            return $true
        }
    }
    return $false
}


#vCenter Admins Eval
function Eval-vCenterAdmins($Username)
{
    foreach($tmpUsername in $arrWLvCenterAdmins)
    {
        if($tmpUsername -eq $Username)
        {
            return $true
        }
    }
    return $false
}

################
#Let's Do Stuff#
################

#Domain Admins
foreach($tmpUsername in $arrDomainAdminsNames)
{
    if((Eval-DomainAdmins -Username $tmpUsername) -eq $false)
    {
        Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject "Unauthorized Account Found in Domain Admins" -Body "$tmpUsername has not been authorized for Domain Admins membership on the domain.com domain.  Remove this user/group or add to appropriate whitelist ASAP."
    }
}

#Enterprise Admins
foreach($tmpUsername in $arrEnterpriseAdminsNames)
{
    if((Eval-EnterpriseAdmins -Username $tmpUsername) -eq $false)
    {
        Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject "Unauthorized Account Found in Enterprise Admins" -Body "$tmpUsername has not been authorized for Enterprise Admins membership on the domain.com domain.  Remove this user/group or add to appropriate whitelist ASAP."
    }
}


#Schema Admins
foreach($tmpUsername in $arrSchemaAdminsNames)
{
    if((Eval-SchemaAdmins -Username $tmpUsername) -eq $false)
    {
        Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject "Unauthorized Account Found in Schema Admins" -Body "$tmpUsername has not been authorized for Schema Admins membership on the domain.com domain.  Remove this user/group or add to appropriate whitelist ASAP."
    }
}

#vCenter Admins
foreach($tmpUsername in $arrvCenterAdminsNames)
{
    if((Eval-vCenterAdmins -Username $tmpUsername) -eq $false)
    {
        Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject "Unauthorized Account Found in vCenter Admins" -Body "$tmpUsername has not been authorized for VCenter Admins membership on the domain.com domain.  Remove this user/group or add to appropriate whitelist ASAP."
    }
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

################

#SMTP Variables#

################

$strSMTPServer = "SMTPSERVER"

$strSMTPTo = "AnotherITGuy <anotheritguy@domain.com>"

$strSMTPFrom = "ALERT - DOMAIN GROUP MEMBERSHIP <alerts@domain.com>"

############################

#More Variables & Functions#

############################

#Domain Controller

$strDomainController = "DC01.DOMAIN.COM"

#Monitored Groups

$arrDomainAdmins = Get-ADGroupMember -Server $strDomainController -Identity "Domain Admins"

$arrEnterpriseAdmins = Get-ADGroupMember -Server $strDomainController -Identity "Enterprise Admins"

$arrSchemaAdmins = Get-ADGroupMember -Server $strDomainController -Identity "Schema Admins"

$arrvCenterAdmins = Get-ADGroupMember -Server $strDomainController -Identity "VCenter Admins"

#Monitored Groups Member Names

$arrDomainAdminsNames = $arrDomainAdmins.Name

$arrEnterpriseAdminsNames = $arrEnterpriseAdmins.Name

$arrSchemaAdminsNames = $arrSchemaAdmins.Name

$arrvCenterAdminsNames = $arrvCenterAdmins.Name

#Monitored Groups White Lists

$arrWLDomainAdmins = Get-Content E:\WLs\arrDomainAdmins.txt

$arrWLEnterpriseAdmins = Get-Content E:\WLs\arrEnterpriseAdmins.txt

$arrWLSchemaAdmins = Get-Content E:\WLs\arrSchemaAdmins.txt

$arrWLvCenterAdmins = Get-Content E:\WLs\arrVCenterAdmins.txt

#Domain Admins Eval

function Eval-DomainAdmins($Username)

{

foreach($tmpUsername in $arrWLDomainAdmins)

{

if($tmpUsername -eq $Username)

{

return $true

}

return $false

}

#Enterprise Admins Eval

function Eval-EnterpriseAdmins($Username)

{

foreach($tmpUsername in $arrWLEnterpriseAdmins)

{

if($tmpUsername -eq $Username)

{

return $true

}

return $false

}

#Schema Admins Eval

function Eval-SchemaAdmins($Username)

{

foreach($tmpUsername in $arrWLSchemaAdmins)

{

if($tmpUsername -eq $Username)

{

return $true

}

return $false

}

#vCenter Admins Eval

function Eval-vCenterAdmins($Username)

{

foreach($tmpUsername in $arrWLvCenterAdmins)

{

if($tmpUsername -eq $Username)

{

return $true

}

return $false

}

################

#Let's Do Stuff#

################

#Domain Admins

foreach($tmpUsername in $arrDomainAdminsNames)

{

if((Eval-DomainAdmins -Username $tmpUsername) -eq $false)

{

Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject "Unauthorized Account Found in Domain Admins" -Body "$tmpUsername has not been authorized for Domain Admins membership on the domain.com domain. Remove this user/group or add to appropriate whitelist ASAP."

}

#Enterprise Admins

foreach($tmpUsername in $arrEnterpriseAdminsNames)

{

if((Eval-EnterpriseAdmins -Username $tmpUsername) -eq $false)

{

Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject "Unauthorized Account Found in Enterprise Admins" -Body "$tmpUsername has not been authorized for Enterprise Admins membership on the domain.com domain. Remove this user/group or add to appropriate whitelist ASAP."

}

#Schema Admins

foreach($tmpUsername in $arrSchemaAdminsNames)

{

if((Eval-SchemaAdmins -Username $tmpUsername) -eq $false)

{

Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject "Unauthorized Account Found in Schema Admins" -Body "$tmpUsername has not been authorized for Schema Admins membership on the domain.com domain. Remove this user/group or add to appropriate whitelist ASAP."

}

#vCenter Admins

foreach($tmpUsername in $arrvCenterAdminsNames)

{

if((Eval-vCenterAdmins -Username $tmpUsername) -eq $false)

{

Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject "Unauthorized Account Found in vCenter Admins" -Body "$tmpUsername has not been authorized for VCenter Admins membership on the domain.com domain. Remove this user/group or add to appropriate whitelist ASAP."

}

Disable/Delete Computer Accounts Where LastLogon Older Than 6 Months/1 Year

Posted on September 24, 2017August 23, 2018 by Scott Shelton

Been doing some AD clean up lately and I wanted to automate the process for stagnant computer accounts. To do so I wrote two PowerShell scripts that I run once a month as a scheduled task. As you’ll see below, I did need to exclude a few machines that have a certain naming standard.

Disable Computer Account with LastLogon Older Than 6 Months:

###########
#Variables#
###########

#SMTP variables
$strSMTPServer = "SMTPSERVERNAME"
$strSMTPTo = "All Techs <alltechs@domain.com>"
$strSMTPFrom = "Domain Automation <alerts@domain.com>"
$strSMTPSubj = "Computer Accounts Have Been Disabled"
$strSMTPBodyDescription = "The following computer accounts have been disabled because they have not been seen by AD in over 6 months: `n"
$strSMTPBody = ""


#Domain distinguished name
$strDomainDN = "DC=DOMAIN,DC=LOCAL"

#How far back to look
$dtDateThreshold = [DateTime]::Today.AddDays(-180)

#Array of enabled computers that have not checked in with AD in over six months
$arrOldComputers = Get-ADComputer -SearchBase $strDomainDN -Filter {LastLogonDate -le $dtDateThreshold -and Enabled -eq "True"} -Properties LastLogonDate,modifyTimeStamp,OperatingSystem,DistinguishedName

################
#Let's Do Stuff#
################

foreach($tmpComputer in $arrOldComputers)
{
    if($tmpComputer.Name -notlike 'XCOMPUTER*')
    {
        if($tmpComputer.Name -notlike 'YCOMPUTER*')
        {
            Disable-ADAccount -Identity $tmpComputer
            $strSMTPBody += $tmpComputer.Name + "`n"
        }
    }
}

#Send email notifications
if($strSMTPBody -ne "")
{
    $strSMTPBodyFull = $strSMTPBodyDescription + $strSMTPBody
    Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject $strSMTPSubj -Body $strSMTPBodyFull
}

###########

#Variables#

###########

#SMTP variables

$strSMTPServer = "SMTPSERVERNAME"

$strSMTPTo = "All Techs <alltechs@domain.com>"

$strSMTPFrom = "Domain Automation <alerts@domain.com>"

$strSMTPSubj = "Computer Accounts Have Been Disabled"

$strSMTPBodyDescription = "The following computer accounts have been disabled because they have not been seen by AD in over 6 months: `n"

$strSMTPBody = ""

#Domain distinguished name

$strDomainDN = "DC=DOMAIN,DC=LOCAL"

#How far back to look

$dtDateThreshold = [DateTime]::Today.AddDays(-180)

#Array of enabled computers that have not checked in with AD in over six months

$arrOldComputers = Get-ADComputer -SearchBase $strDomainDN -Filter {LastLogonDate -le $dtDateThreshold -and Enabled -eq "True"} -Properties LastLogonDate,modifyTimeStamp,OperatingSystem,DistinguishedName

################

#Let's Do Stuff#

################

foreach($tmpComputer in $arrOldComputers)

{

if($tmpComputer.Name -notlike 'XCOMPUTER*')

{

if($tmpComputer.Name -notlike 'YCOMPUTER*')

{

Disable-ADAccount -Identity $tmpComputer

$strSMTPBody += $tmpComputer.Name + "`n"

}

#Send email notifications

if($strSMTPBody -ne "")

{

$strSMTPBodyFull = $strSMTPBodyDescription + $strSMTPBody

Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject $strSMTPSubj -Body $strSMTPBodyFull

}

Delete Computer Account with LastLogon Older Than 1 Year:

###########
#Variables#
###########

#SMTP variables
$strSMTPServer = "SMTPSERVERNAME"
$strSMTPTo = "All Techs <alltechs@domain.com>"
$strSMTPFrom = "Domain Automation <alerts@domain.com>"
$strSMTPSubj = "Computer Accounts Have Been Deleted"
$strSMTPBodyDescription = "The following computer accounts have been deleted because they have not been seen by AD in over one year: `n"
$strSMTPBody = ""


#Domain distinguished name
$strDomainDN = "DC=DOMAIN,DC=LOCAL"

#How far back to look
$dtDateThreshold = [DateTime]::Today.AddDays(-365)

#Array of computers that have not checked in with AD in over one year
$arrOldComputers = Get-ADComputer -SearchBase $strDomainDN -Filter {LastLogonDate -le $dtDateThreshold} -Properties LastLogonDate,modifyTimeStamp,OperatingSystem,DistinguishedName

################
#Let's Do Stuff#
################

foreach($tmpComputer in $arrOldComputers)
{
    if($tmpComputer.Name -notlike 'XCOMPUTER*')
    {
        if($tmpComputer.Name -notlike 'YCOMPUTER*')
        {
            Remove-ADComputer -Identity $tmpComputer -Confirm:$false
            $strSMTPBody += $tmpComputer.Name + "`n"
        }
    }
}

#Send email notifications
if($strSMTPBody -ne "")
{
    $strSMTPBodyFull = $strSMTPBodyDescription + $strSMTPBody
    Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject $strSMTPSubj -Body $strSMTPBodyFull
}

###########

#Variables#

###########

#SMTP variables

$strSMTPServer = "SMTPSERVERNAME"

$strSMTPTo = "All Techs <alltechs@domain.com>"

$strSMTPFrom = "Domain Automation <alerts@domain.com>"

$strSMTPSubj = "Computer Accounts Have Been Deleted"

$strSMTPBodyDescription = "The following computer accounts have been deleted because they have not been seen by AD in over one year: `n"

$strSMTPBody = ""

#Domain distinguished name

$strDomainDN = "DC=DOMAIN,DC=LOCAL"

#How far back to look

$dtDateThreshold = [DateTime]::Today.AddDays(-365)

#Array of computers that have not checked in with AD in over one year

$arrOldComputers = Get-ADComputer -SearchBase $strDomainDN -Filter {LastLogonDate -le $dtDateThreshold} -Properties LastLogonDate,modifyTimeStamp,OperatingSystem,DistinguishedName

################

#Let's Do Stuff#

################

foreach($tmpComputer in $arrOldComputers)

{

if($tmpComputer.Name -notlike 'XCOMPUTER*')

{

if($tmpComputer.Name -notlike 'YCOMPUTER*')

{

Remove-ADComputer -Identity $tmpComputer -Confirm:$false

$strSMTPBody += $tmpComputer.Name + "`n"

}

#Send email notifications

if($strSMTPBody -ne "")

{

$strSMTPBodyFull = $strSMTPBodyDescription + $strSMTPBody

Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject $strSMTPSubj -Body $strSMTPBodyFull

}

List Group Members Whose User Accounts are in a Specific OU

Posted on September 19, 2017August 23, 2018 by Scott Shelton

Wanted to pull a list of users who were a part of a certain group last week, but I only wanted the group members that were located in a particular OU in AD. I accomplished this with the following script:

$strOUDN = "OU=Users,DC=DOMAIN,DC=LOCAL"
$arrGroupMembers = Get-ADGroupMember -Identity "GroupName"
$arrOUUsers = Get-ADUser -SearchBase $strOUDN -Filter *
$arrGroupMemberNames = $arrGroupMembers.Name
$arrOUNames = $arrOUUsers.Name
foreach($tmpUser in $arrOUNames)
{
    if($arrGroupMemberNames -contains $tmpUser)
    {
        Write-Host $tmpUser
    }
}

Read-Host "Press Enter to continue"

$strOUDN = "OU=Users,DC=DOMAIN,DC=LOCAL"

$arrGroupMembers = Get-ADGroupMember -Identity "GroupName"

$arrOUUsers = Get-ADUser -SearchBase $strOUDN -Filter *

$arrGroupMemberNames = $arrGroupMembers.Name

$arrOUNames = $arrOUUsers.Name

foreach($tmpUser in $arrOUNames)

{

if($arrGroupMemberNames -contains $tmpUser)

{

Write-Host $tmpUser

}

Read-Host "Press Enter to continue"

Monitor DHCP Scope Available Addresses with PowerShell

Posted on September 18, 2017August 23, 2018 by Scott Shelton

Had an influx of folks come into the office last week and one of our DHCP Scopes actually almost ran out of available addresses (which I found out after the fact by chance). This inspired me to make a quick PowerShell script deployed as a scheduled task to notify me when a scope is low on available addresses, as seen below:

#SMTP Variables
$strSMTPServer = "smtp@domain.com"
$strSMTPTo = "AnotherITGuy <email@domain.com>"
$strSMTPFrom = "DHCP Alerts <alerts@domain.com>"
$strSMTPSubject = "Available Addresses for XScope Low"
$strSMTPBody = "XScope has less that 10 available addresses left"

#Pull Scope Lease info into an array
$arrXScopeDHCPLeases = Get-DhcpServerv4Lease -ScopeId "10.0.0.0" -AllLeases

#Total assignable addresses in scope
$intXScopeTotalAddresses = 95

#Number of available addresses left
$intXScopeFreeAddresses = $intXScopeTotalAddresses - $arrXScopeDHCPLeases.Count

################
#Let's Do Stuff#
################

#Send email if less than or equal to 10 free addresses
if($intXScopeFreeAddresses -le 10)
{
    Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject $strSMTPSubject -Body $strSMTPBody
}

#SMTP Variables

$strSMTPServer = "smtp@domain.com"

$strSMTPTo = "AnotherITGuy <email@domain.com>"

$strSMTPFrom = "DHCP Alerts <alerts@domain.com>"

$strSMTPSubject = "Available Addresses for XScope Low"

$strSMTPBody = "XScope has less that 10 available addresses left"

#Pull Scope Lease info into an array

$arrXScopeDHCPLeases = Get-DhcpServerv4Lease -ScopeId "10.0.0.0" -AllLeases

#Total assignable addresses in scope

$intXScopeTotalAddresses = 95

#Number of available addresses left

$intXScopeFreeAddresses = $intXScopeTotalAddresses - $arrXScopeDHCPLeases.Count

################

#Let's Do Stuff#

################

#Send email if less than or equal to 10 free addresses

if($intXScopeFreeAddresses -le 10)

{

Send-MailMessage -SmtpServer $strSMTPServer -To $strSMTPTo -From $strSMTPFrom -Priority High -Subject $strSMTPSubject -Body $strSMTPBody

}

Azure AD Identity Synchronization Error 105: UserPrincipalName is not valid

Posted on August 1, 2017August 23, 2018 by Scott Shelton

Had a request to change the UPN from one Federated Domain to another today and it gave me a bit of trouble. I made all the appropriate changes in AD thinking it would be that simple, but alas I began getting the following error on my DirSync to O365:

Unable to update this object in Azure Active Directory, because the attribute [FederatedUser.UserPrincipalName], is not valid. Update the value in your local directory services.

Looking at the synchronization service I got the same error with the error number of 105 (I was really hoping for more information). I did some digging on the internet and came across this article that contained the answer to my problem.

Turns out that when switching a local AD account from one federated domain to another, Azure AD/O365 doesn’t like that too much and doesn’t make the change for you. Lame. So I used the following bit of PowerShell to resolve that:

#################
#Connect to O365#
#################

Connect-MsolService

########################
#Input O365 Admin Creds#
########################

##################################################################
#I like to confirm this is actually the problem before proceeding#
##################################################################

Get-MsolUser -UserPrincipalName <UPN of user prior to AD change>

################
#Change the UPN#
################

Set-MsolUserPrincipalName -UserPrincipalName <Old UPN> -NewUserPrincipalName <New UPN desired>

#################

#Connect to O365#

#################

Connect-MsolService

########################

#Input O365 Admin Creds#

########################

##################################################################

#I like to confirm this is actually the problem before proceeding#

##################################################################

Get-MsolUser -UserPrincipalName <UPN of user prior to AD change>

################

#Change the UPN#

################

Set-MsolUserPrincipalName -UserPrincipalName <Old UPN> -NewUserPrincipalName <New UPN desired>

Then kick off a Full Sync on your DirSync box, let it finish, and you’re good to go.

#################
#Start Full Sync#
#################

Start-ADSyncSyncCycle -PolicyType Initial

#################

#Start Full Sync#

#################

Start-ADSyncSyncCycle -PolicyType Initial

Controlling Windows 10 “Bloatware” Apps

Posted on July 12, 2017August 15, 2018 by Scott Shelton

It is no secret that Windows 10 has a nasty habit of installing software that we do not want installed in our environments, and this seems to be something that Microsoft has no intention of changing in the near future. The only “easy” solution is to get your hands on Enterprise LTSB, but then you do not get feature updates. Anywho, presented with this issue and the fact that my customers only pay for Windows 10 Pro (shocker) I came up with a PowerShell script to only keep the apps that I dictate installed, with a little help from the Obi-Wan you all hear about so frequently.

A quick run-down for those who are not yet familiar with Windows 10 there are two types of packages that we are concerned with today; AppxPackages and AppxProvisionedPackages. AppxPackages are the packages of the currently installed Microsoft apps for a particular Windows User Profile on the machine. AppxProvisionedPackages are the pesky devils that install the apps upon new user profile creation on the machine. Naturally, the latter are the ones we are most concerned with, but we want to ditch any of the AppxPackages that may linger on.

Also, I have included a quick check to make sure the PowerShell script will only run on Windows 10 1703 or lower. This way I have time to test on the next version and make sure this script doesn’t screw anything up before I allow it to run on client machines.

##################
#Config Variables#
##################

$strLogFile = "C:\Automated\Logs\NukeW10Apps.log"

$boolWinVersionMajor = [environment]::OSVersion.Version.Major.Equals(10) #Calls Windows Major value.  Windows 10 returns $true, any other returns $false
$intWinVersionBuild = [environment]::OSVersion.Version.Build #Calls Windows build number (ex. Windows 10 version 1703 build number is 15063)


########
#Arrays#
########

$arrAppxPackages = Get-AppxPackage | Select Name #Array of all AppxPackage names
$arrProvisionedPackages = Get-AppxProvisionedPackage -Online | Select PackageName #Array of all AppxProvisionedPackage names
$arrAppxBlacklist = @("twitter", "candycrushsodasaga", "microsoftsolitairecollection") #Array of AppxPackages to be removed first

#Array of AppxPackages to keep
$arrAppxPackageWL = @("Microsoft.BioEnrollment", 
"Microsoft.AAD.BrokerPlugin", 
"Microsoft.Windows.CloudExperienceHost", 
"windows.immersivecontrolpanel", 
"Microsoft.LockApp", 
"Microsoft.MicrosoftEdge", 
"Microsoft.PPIProjection", 
"Microsoft.Windows.Apprep.ChxApp", 
"Microsoft.Windows.AssignedAccessLockApp", 
"Microsoft.Windows.ContentDeliveryManager", 
"Microsoft.Windows.ParentalControls", 
"Microsoft.Windows.SecondaryTileExperience", 
"Microsoft.Windows.SecureAssessmentBrowser", 
"Windows.MiracastView", 
"Windows.PrintDialog", 
"Microsoft.DesktopAppInstaller", 
"Microsoft.NET.Native.Runtime.1.3", 
"Microsoft.Windows.Photos", 
"Microsoft.NET.Native.Framework.1.3", 
"Microsoft.VCLibs.140.00", 
"Microsoft.NET.Native.Runtime.1.4", 
"Microsoft.WindowsCalculator", 
"Microsoft.VCLibs.120.00", 
"Microsoft.Windows.ShellExperienceHost", 
"Microsoft.NET.Native.Runtime.1.1", 
"Microsoft.NET.Native.Framework.1.2", 
"Microsoft.XboxGameCallableUI", 
"Windows.ContactSupport", 
"Microsoft.Windows.Cortana", 
"Microsoft.AccountsControl")

#Array of AppxProvisionedPackages to keep
$arrProvisionedPackageWL = @("Microsoft.DesktopAppInstaller", 
"Microsoft.WindowsAlarms", 
"Microsoft.WindowsCamera", 
"Microsoft.Windows.Photos", 
"Microsoft.WindowsStore", 
"Microsoft.WindowsCalculator")


###########
#Functions#
###########

#Export string to log
function WriteToLog
{
    Param([string]$strLogString)
    Add-Content $strLogFile -Value $strLogString
}

#Compare AppxBlacklist array against another array and return $true if there is a match
function RemoveBlacklist($tmpBlacklistName)
{
    foreach($strBlacklistApp in $arrAppxBlacklist)
    {
        $strSelect = Select-String -InputObject $tmpBlacklistName.ToLower() -Pattern $strBlacklistApp.ToLower()
        if($strSelect -ne $null)
        {
            return $true
        }
    }
    return $false
}

#Compare AppxPackageWL array against another array and return $false if there is a match
function RemoveAppxPackage($tmpAppxName)
{
    foreach($strWLAppxPackage in $arrAppxPackageWL)
    {
        if($strWLAppxPackage -eq $tmpAppxName)
        {
        return $false
        }
    }
    return $true
}

#Compare ProvisionedPackageWL array against another array and return $false if there is a match
function RemoveProvisionedPackage($tmpProvisionedName)
{
    foreach($strWLProvisionedPackage in $arrProvisionedPackageWL)
    {
        if($strWLProvisionedPackage -eq $tmpProvisionedName)
        {
            return $false
        }
    }
    return $true
}

################
#Let's do stuff#
################

if($boolWinVersionMajor -eq $true) #Only continue if Windows major version equals 10
{
    if($intWinVersionBuild -le 15063) #Only continue if Windows is less or equal to build 15063 (version 1703...aka Creator)
    {
        #Blacklist Packages
        foreach($strBlacklistItem in $arrAppxPackages)
        {
            if((RemoveBlackList -tmpBlacklistName $strBlacklistItem.Name) -eq $true)
            {
                WriteToLog "Remove Blacklist AppxPackage", $strBlacklistItem.Name #Write removed package names to log
                Get-AppxPackage $strBlacklistItem.Name | Remove-AppxPackage #Remove the AppxPackage
            }
        }
        #AppxProvisionedPackages
        foreach($strProvisionedPackage in $arrProvisionedPackages)
        {
            $strProvisionedSplit = $strProvisionedPackage.PackageName.Split("_") #Split PackageName into array
            if((RemoveProvisionedPackage -tmpProvisionedName $strProvisionedSplit[0]) -eq $true)
            {
                WriteToLog "Remove ProvisionedPackage", $strProvisionedPackage.PackageName #Write removed package names to log
                Remove-AppxProvisionedPackage -Online -PackageName $strProvisionedPackage.PackageName #Removes the ProvisionedPackage
            }
        }
        #AppxPackages
        foreach($strAppxPackage in $arrAppxPackages)
        {
            if((RemoveAppxPackage -tmpAppxName $strAppxPackage.Name) -eq $true)
            {
                WriteToLog "Remove AppxPackage", $strAppxPackage.Name #Write removed package names to log
                Get-AppxPackage $strAppxPackage.Name | Remove-AppxPackage #Removes the AppxPackage
            }
        }
    }
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

##################

#Config Variables#

##################

$strLogFile = "C:\Automated\Logs\NukeW10Apps.log"

$boolWinVersionMajor = [environment]::OSVersion.Version.Major.Equals(10) #Calls Windows Major value. Windows 10 returns $true, any other returns $false

$intWinVersionBuild = [environment]::OSVersion.Version.Build #Calls Windows build number (ex. Windows 10 version 1703 build number is 15063)

########

#Arrays#

########

$arrAppxPackages = Get-AppxPackage | Select Name #Array of all AppxPackage names

$arrProvisionedPackages = Get-AppxProvisionedPackage -Online | Select PackageName #Array of all AppxProvisionedPackage names

$arrAppxBlacklist = @("twitter", "candycrushsodasaga", "microsoftsolitairecollection") #Array of AppxPackages to be removed first

#Array of AppxPackages to keep

$arrAppxPackageWL = @("Microsoft.BioEnrollment",

"Microsoft.AAD.BrokerPlugin",

"Microsoft.Windows.CloudExperienceHost",

"windows.immersivecontrolpanel",

"Microsoft.LockApp",

"Microsoft.MicrosoftEdge",

"Microsoft.PPIProjection",

"Microsoft.Windows.Apprep.ChxApp",

"Microsoft.Windows.AssignedAccessLockApp",

"Microsoft.Windows.ContentDeliveryManager",

"Microsoft.Windows.ParentalControls",

"Microsoft.Windows.SecondaryTileExperience",

"Microsoft.Windows.SecureAssessmentBrowser",

"Windows.MiracastView",

"Windows.PrintDialog",

"Microsoft.DesktopAppInstaller",

"Microsoft.NET.Native.Runtime.1.3",

"Microsoft.Windows.Photos",

"Microsoft.NET.Native.Framework.1.3",

"Microsoft.VCLibs.140.00",

"Microsoft.NET.Native.Runtime.1.4",

"Microsoft.WindowsCalculator",

"Microsoft.VCLibs.120.00",

"Microsoft.Windows.ShellExperienceHost",

"Microsoft.NET.Native.Runtime.1.1",

"Microsoft.NET.Native.Framework.1.2",

"Microsoft.XboxGameCallableUI",

"Windows.ContactSupport",

"Microsoft.Windows.Cortana",

"Microsoft.AccountsControl")

#Array of AppxProvisionedPackages to keep

$arrProvisionedPackageWL = @("Microsoft.DesktopAppInstaller",

"Microsoft.WindowsAlarms",

"Microsoft.WindowsCamera",

"Microsoft.Windows.Photos",

"Microsoft.WindowsStore",

"Microsoft.WindowsCalculator")

###########

#Functions#

###########

#Export string to log

function WriteToLog

{

Param([string]$strLogString)

Add-Content $strLogFile -Value $strLogString

}

#Compare AppxBlacklist array against another array and return $true if there is a match

function RemoveBlacklist($tmpBlacklistName)

{

foreach($strBlacklistApp in $arrAppxBlacklist)

{

$strSelect = Select-String -InputObject $tmpBlacklistName.ToLower() -Pattern $strBlacklistApp.ToLower()

if($strSelect -ne $null)

{

return $true

}

return $false

}

#Compare AppxPackageWL array against another array and return $false if there is a match

function RemoveAppxPackage($tmpAppxName)

{

foreach($strWLAppxPackage in $arrAppxPackageWL)

{

if($strWLAppxPackage -eq $tmpAppxName)

{

return $false

}

return $true

}

#Compare ProvisionedPackageWL array against another array and return $false if there is a match

function RemoveProvisionedPackage($tmpProvisionedName)

{

foreach($strWLProvisionedPackage in $arrProvisionedPackageWL)

{

if($strWLProvisionedPackage -eq $tmpProvisionedName)

{

return $false

}

return $true

}

################

#Let's do stuff#

################

if($boolWinVersionMajor -eq $true) #Only continue if Windows major version equals 10

{

if($intWinVersionBuild -le 15063) #Only continue if Windows is less or equal to build 15063 (version 1703...aka Creator)

{

#Blacklist Packages

foreach($strBlacklistItem in $arrAppxPackages)

{

if((RemoveBlackList -tmpBlacklistName $strBlacklistItem.Name) -eq $true)

{

WriteToLog "Remove Blacklist AppxPackage", $strBlacklistItem.Name #Write removed package names to log

Get-AppxPackage $strBlacklistItem.Name | Remove-AppxPackage #Remove the AppxPackage

}

#AppxProvisionedPackages

foreach($strProvisionedPackage in $arrProvisionedPackages)

{

$strProvisionedSplit = $strProvisionedPackage.PackageName.Split("_") #Split PackageName into array

if((RemoveProvisionedPackage -tmpProvisionedName $strProvisionedSplit[0]) -eq $true)

{

WriteToLog "Remove ProvisionedPackage", $strProvisionedPackage.PackageName #Write removed package names to log

Remove-AppxProvisionedPackage -Online -PackageName $strProvisionedPackage.PackageName #Removes the ProvisionedPackage

}

#AppxPackages

foreach($strAppxPackage in $arrAppxPackages)

{

if((RemoveAppxPackage -tmpAppxName $strAppxPackage.Name) -eq $true)

{

WriteToLog "Remove AppxPackage", $strAppxPackage.Name #Write removed package names to log

Get-AppxPackage $strAppxPackage.Name | Remove-AppxPackage #Removes the AppxPackage

}

When it comes to deployment I push with GPO and run the script at computer startup, but I run a batch script that copies the .ps1 file down to a restricted folder on the local machine first. I do this because this script needs to run as system to be fully effective. I also add the following arguments when running the script to hide the PowerShell window while it’s running.

-WindowStyle Hidden -NoProfile -File <FilePath>

1	-WindowStyle Hidden -NoProfile -File <FilePath>

Office 365 “Mailbox hasn’t been migrated to Exchange Online” Error

Posted on July 3, 2017August 15, 2018 by Scott Shelton

When working with an on-prem AD synced with O365 via Azure AD Connect (DirSync), I have been coming across this error from time to time with accounts that used to be connected with an on-prem Exchange server.

Error message received in Office 365:

To resolve this issue, follow the steps below. As a general disclaimer, this will remove any existing mailbox.

Remove the AD account from the DirSync group and any groups that may apply licenses (essentially anything to do with O365).
Run either a Delta or Full sync via Azure AD Connect

##################
#Start Delta Sync#
##################

Start-ADSyncSyncCycle -PolicyType Delta

#################
#Start Full Sync#
#################

Start-ADSyncSyncCycle -PolicyType Initial

##################

#Start Delta Sync#

##################

Start-ADSyncSyncCycle -PolicyType Delta

#################

#Start Full Sync#

#################

Start-ADSyncSyncCycle -PolicyType Initial

Open PowerShell as administrator and run the following command:

#######################
#Connect to Office 365#
#######################

Connect-MsolService

################################################################# 
#Insert Office 365 credentials for the tenant you wish to manage#
#################################################################

#########################
#Remove the user account#
#########################

Remove-MsolUser -UserPrincipalName example@domain.com -RemoveFromRecycleBin

#######################

#Connect to Office 365#

#######################

Connect-MsolService

#################################################################

#Insert Office 365 credentials for the tenant you wish to manage#

#################################################################

#########################

#Remove the user account#

#########################

Remove-MsolUser -UserPrincipalName example@domain.com -RemoveFromRecycleBin

Clear all of the AD User attributes beginning with msExch
Re-add the user account to all appropriate groups and run another Delta/Full Sync
Apply license in O365 and confirm mailbox creates successfully

Export sAMAccountName’s from AD OU

Posted on July 2, 2017August 15, 2018 by Scott Shelton

This is most easily accomplished (at least I’ve found) using PowerShell. The following will do the trick:

##################
#Config Variables#
##################

$strOUDN = "OU=OUName,DC=DOMAIN,DC=LOCAL" #DN of OU
$strFilePath = "C:\Usernames.csv" #Path to where results will be exported

#####################################
#Export all usernames from domain/OU#
#####################################

Import-Module ActiveDirectory
Get-ADUser -SearchBase $strOUDN -Properties samaccountname -Filter * | 
Export-Csv -Path $strFilePath
 
#####################################################
#Export usernames of all disabled users in domain/OU#
#####################################################

Import-Module ActiveDirectory
Search-ADAccount -SearchBase $strOUDN -AccountDisabled -UsersOnly | 
Select -Property samaccountname | 
Export-Csv -Path $strFilePath

##################

#Config Variables#

##################

$strOUDN = "OU=OUName,DC=DOMAIN,DC=LOCAL" #DN of OU

$strFilePath = "C:\Usernames.csv" #Path to where results will be exported

#####################################

#Export all usernames from domain/OU#

#####################################

Import-Module ActiveDirectory

Get-ADUser -SearchBase $strOUDN -Properties samaccountname -Filter * |

Export-Csv -Path $strFilePath

#####################################################

#Export usernames of all disabled users in domain/OU#

#####################################################

Import-Module ActiveDirectory

Search-ADAccount -SearchBase $strOUDN -AccountDisabled -UsersOnly |

Select -Property samaccountname |

Export-Csv -Path $strFilePath

The Mad Ramblings of an Abnormal SysAdmin

Tag: PowerShell

Restore a Deleted Office 365 Group with PowerShell

Convert Federated Domain to Standard with PowerShell

Monitor Membership of Domain Groups with PowerShell

Disable/Delete Computer Accounts Where LastLogon Older Than 6 Months/1 Year

List Group Members Whose User Accounts are in a Specific OU

Monitor DHCP Scope Available Addresses with PowerShell

Azure AD Identity Synchronization Error 105: UserPrincipalName is not valid

Office 365 “Mailbox hasn’t been migrated to Exchange Online” Error

Export sAMAccountName’s from AD OU