Click an Ad

If you find this blog helpful, please support me by clicking an ad!

Monday, December 24, 2012

Sometimes, Powershell ISN'T the answer!

We're looking around at SAN's, because our SAN is just out of headroom performance-wise. We have oodles of space but not enough IO. One idea put forth was to shut down VMs when they aren't doing anything and then power them on well before they're needed again. "I can totally handle this", I thought, with the command shutdown-vmguest already bouncing around in my head. Shutdown-vmguest is a VMware PowerCLI command that.... shuts down guest VMs. I love how command names are so intuitive. The verb-noun system is really great.

So the next issue with creating a PowerCLI script that accomplishes this is passing credentials. I hate working with credentials in Powershell, I really do. Then, I remember that vCenter can schedule tasks on its own! I poke around in the interface, because I pretty much hang out in Hosts and Clusters all the time, with only a brief foray into the Datastores section. Lo and Behold, there are Scheduled Tasks! And setting it up was stupid easy!

The moral of the story is that sure, Powershell can do everything (yes, including your dishes). It's easy to go to it for everything, but even with its seemingly unlimited OneRing-like power, you STILL need to step back and evaluate the best tool for the job.

Happy Holidays everyone!

Saturday, December 22, 2012

Restore Deleted Items from a Public Folder

An employee exiting the organization decided to "clean up" some files they thought that no one was using. So they deleted a bunch of stuff in some public folders. Yes, we are running Exchange 2010 SP1 with fricking public folders still. Maybe next year we'll get a new fax solution that works differently, but for now we have what we have.

I found a great utility to restore files deleted from public folders and it worked great. The program is stupid easy to use, but after extraction you must follow the instructions in the readme.txt to get it to work. I'm not even going to explain how to use it.

It's called ExFolders and can be downloaded from Microsoft Technet here. You can read some in-depth analysis regarding it at the Exchange Team Blog here.

Thursday, December 20, 2012

Failed Login Attempts - The Second Half

So I got all giddy regarding my creation of a script that would email me the previous day's failed logins, and blogged about it before real world testing had occurred  The results were that ElDump only works with Windows 2003. I tried to get a good get-eventlog dump out of my 2008R2 domain controllers for quite some time. A couple of observations: Why does it take so long to get-eventlog remotely? Also, why don't they split up sections in an event's message property to be more accessible? Perhaps every hard-return in the message field could be delineate another element in an array? But, I digress.....

In the end, it was a post I found on the Spiceworks Community (GREAT resource by the way) that gave me what I needed. The following script builds on what I found in the original post. So, a big shout-out to B-Rad2011. Ninety percent of this is his, but I will take credit for adding a column to the output telling which hostname the user failed to log in from instead of only giving the IP address. I learned how to do reverse DNS lookups here.

#Here we flesh out some variables
$Date= Get-date      
$DC= ""
$Report= "c:\temp\report.html"

#Here we create a web template
<title>Event Logs Report</title>
BODY{background-color :#FFFFF}
TABLE{Border-width:thin;border-style: solid;border-color:Black;border-collapse: collapse;}
TH{border-width: 1px;padding: 1px;border-style: solid;border-color: black;background-color: ThreeDShadow}
TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color: Transparent}

#Get the event log, then extract some properties
$eventsDC = Get-Eventlog security -Computer $DC -InstanceId 4771 -After (Get-Date).AddDays(-1) |
   Select TimeGenerated,ReplacementStrings |
   % {
   $IPAddress = (($_.ReplacementStrings[6]).Remove(0,7))
   $Hostname = ([System.Net.Dns]::GetHostByAddress($IPAddress) | select Hostname)
   $hostname = (($Hostname.hostname).replace("",""))
   New-Object PSObject -Property @{
     UserName = $_.ReplacementStrings[0]
            Source_Computer = $hostname
            IP_Address = (($_.ReplacementStrings[6]).Remove(0,7))
            Date = $_.TimeGenerated
    } #End NewObject -Property
   } #End Foreach

#Inject the object created above into an HTML page
$eventsDC | ConvertTo-Html -Property Date,Source_Computer,IP_Address,UserName -head $HTML -body "<H2>Generated On $Date</H2>"| Out-File $Report -Append

#Mail the page, and then delete the original
$Text = "Password Failures from $DC"
Send-Mailmessage -from "" -to -subject $Text -smtpserver MailServer01 -body $Text -attachments $Report
del $report

Sunday, December 16, 2012

WSUS - Who approved THAT update?

Stumbled across a neat little tool last week. This tools goes through your WSUS log file to tell you who approved a certain update. It's called the WSUS Approval History Log.

Friday, December 14, 2012

Checking for Failed Login Attempts Due to Incorrect Passwords


 So we got hit with some virus this week, and it really put security at the top of our list again. A couple of things happened as a result of this. First and foremost, the virus spread because someone hadn't rolled out a patch from the WSUS server. I ran Microsoft's Baseline Security Analyzer against the machines in our site and it came up clean after I rolled out that patch.

We had been toying with the idea of what to do about Java, Adobe Reader, and Adobe Flash patches for some time, and I ran across a really nice product by Dameware (now owned by Solarwinds) called Dameware Patch Manager, and since we had some money to spend before the end of the year I was able to buy it. The nice thing about this is that it pushes patches out using your existing WSUS infrastructure, so we'll be getting the (seemingly) hundreds of different versions of Java et al patched up to current. That'll negate some other nasty attack vectors. It also ties into WSUS to give you a lot more reporting options. WSUS reports have always irritated me, and I hope that when I get this deployed early next year that I'll be able to clean that up. I'll keep you up to date. I looked at Ninite Pro, but it didn't give me the side-benefit of advanced WSUS reporting.

One of the actions of the virus was that it was trying to brute force a few accounts. I was able to trace the infection using the security log on our domain controllers, but there's got to be a better way! The best way is buying a SEIM device (Security Event and Incident Manager, which monitors logs and other things for security incidents and notifies you automatically) or software to monitor all of our logs. Since I really don't have the cash to get SEIM  up and running, I decided to write a Powershell script that would comb through the security logs on our domain controllers and report any bad password attempts.

I tried to pull this off entirely with Powershell, but working with the Windows event logs remotely from within Powershell was proving tedious and slow. I found an app called ElDump that will import the logs into a text file. The download like from the main site for ElDump (here) is broken, so I had to scour Google for it, but I found it. It's a marvelous little thing, really! Also, I tried to get one block of script working for all 4 of my domain controllers, but in the end I just copied and pasted the block I had working and changed the name of the target server and output file names because I had better things to do than write beautiful script.

Here it is. My explanations are in the comment lines (comment begin with a # symbol):

#Use ElDump to export and events in the security log with ID 675 in the past 24 hours from dc1 and redirect output to junk.txt
C:\eldump\eldump.exe -l security -e 675 -O dts -m Security -A 24 -s \\dc1 -M >> junk.txt

#Create Output file variable
$File = "C:\badlogins-DC1.txt"

#Grab the content, whittle it down to include only lines containing "0x18" (bad password) and output to file. I had to change the width so it wouldn't wrap.
Get-Content junk.txt | select-string -pattern "0x18" | out-file -width 140 $File

#Delete the first file, set a string variable for use with the email subject and body, email the file, and delete the output file
del junk.txt
$Text = "Password Failures from DC1"
Send-Mailmessage -from "" -to -subject $Text -smtpserver mailserver1 -body $Text -attachments $File
del $File

A side benefit to this script was that I found a long-forgotten scheduled task that couldn't run because the stored password was bad. Good times.

EDIT: For Windows 2008 (and up) servers, you need to change the ElDump command to return event 4771 instead of 675.

Tuesday, December 11, 2012

You put 15GB of files on my Fileserver yesterday. Really?

So one of the first things I implemented in this job was system monitoring. I absolutely love Paessler PRTG. Not only does it alert me when my stuff is down, but it tracks historical things, like disk use, for instance (I should also give props to Paessler for giving me an Android and IPhone app!).

Well, last week the free space threshold was broken on one of my servers. I loaded up the historical data and saw that 15GB worth of space disappeared in a very short amount of time. In my experience, when that much space goes away all of a sudden, it's always been something silly, like a DBA backing up an entire SQL database to their home drive, or someone downloading seasons of TV shows. I needed to identify what files were created so I could see whether the files were legit and who uploaded them so that I could read them the riot act. Powershell to the rescue!

get-childitem -recurse | where {$_.CreationTime -like "*11/20/2012*"} | select name, length, fullname | out-file c:\temp\15GBReally.txt

So here, I'm getting all files that were created on 11/20/2012, and I'm returning their names and their paths, which I'm then outputting to a text file.

I'm sad to report that the files were indeed legit, and I had to bottle my deep, deep sysadmin rage.

Tuesday, December 4, 2012

Changing the Edition of your Windows Install (DATACENTER LICENSES! WOOT!!)

We recently bought Datacenter licenses for each of our VMware hosts. This gives us the right to make as many Windows Server VMs as we want to on each host. How do we change the edition from Windows Server Standard (or Enterprise) to the Datacenter edition without rebuilding the server though? Here's how:

Open up an administrative command prompt
Type the command: DISM /online /Get-CurrentEdition
This will show you the current edition.
Now type: DISM /online /Get-TargetEditions
This will show you editions that you can change to, and more importantly, tell you how to identify what to type for the 'edition ID'next command:
DISM /online /Set-Edition:<edition ID> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Here's the trick that stuck me the first time through. For the product key field in the previous command, DO NOT type in your actual Datacenter key. Instead, type in the generic KMS key that Microsoft provides. A list of them can be found here on Technet.

Now, the server will actually change the edition, and you will be prompted to reboot. 
After rebooting, open up computer properties and enter the key as you normally would (Start, right-click on My Computer, choose properties, scroll to the bottom, and select 'Change Key'). NOW enter your Datacenter key and activate Windows. 

A lot of the 'How-Tos' I ran across on the internet neglected to tell me to use the generic KMS key from Technet first, then use my key to activate after the reboot.