
2025-07-21

DNS CAA proper internal configuration

What is a valid configuration of internal CAA records (internal, i.e. not visible from the Internet) on Windows DNS servers:
  • You should point to the valid source of certificates using the "issue" tag of the record; for example, if your internal PKI is pki.internal.contoso.com, you should place the record issueinternal.contoso.com or issuecontoso.com; this also covers wildcard certificates;
  • If you don't want to allow wildcards, you should add another record with an empty issuer, like "issuewild;" - the list of allowed issuers is empty;
  • the binary representation of the record starts with a flags byte equal to zero (the highest bit is the "critical" flag, the rest is not used now), then a byte with value 5 (the tag length), and the rest of the record is string data, e.g. "<00><05>issuewild;"
  • the binary representation must be stored in a DNS record of type 257.
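An added example (not from the original post) that builds and decodes the wire layout the post describes: flags byte, tag length byte, tag, value. The names and the sample issuer are assumptions; the resulting bytes are what a type 257 record must carry.

```powershell
# Added example, not from the original post: encode/decode CAA record data
# (flags byte, tag length byte, tag, value) and show the hex that Windows DNS
# stores in a type 257 record.
function ConvertTo-CaaRecordData {
    param(
        [Parameter(Mandatory)][string]$Tag,   # issue, issuewild, iodef
        [string]$Value = '',                  # e.g. internal.contoso.com, or ";" for "nobody"
        [switch]$Critical                     # sets bit 7 of the flags byte (value 128)
    )
    $ascii = [System.Text.Encoding]::ASCII
    $tagBytes = $ascii.GetBytes($Tag.ToLowerInvariant())
    if ($tagBytes.Length -lt 1 -or $tagBytes.Length -gt 255) { throw "tag length must be 1..255" }
    $flags = if ($Critical) { 128 } else { 0 }
    [byte[]]$data = @([byte]$flags, [byte]$tagBytes.Length) + $tagBytes + $ascii.GetBytes($Value)
    return ,$data
}

function ConvertFrom-CaaRecordData {
    param([Parameter(Mandatory)][byte[]]$Data)
    if ($Data.Length -lt 2) { throw "record too short" }
    $tagLen = [int]$Data[1]
    if (2 + $tagLen -gt $Data.Length) { throw "tag length exceeds record length" }
    $ascii = [System.Text.Encoding]::ASCII
    [pscustomobject]@{
        Critical = (($Data[0] -band 0x80) -ne 0)   # unknown critical tags must make a CA refuse
        Flags    = [int]$Data[0]
        Tag      = $ascii.GetString($Data, 2, $tagLen)
        Value    = $ascii.GetString($Data, 2 + $tagLen, $Data.Length - 2 - $tagLen)
    }
}

# The two records from the post: allow the internal PKI, forbid wildcard issuance.
$issue  = ConvertTo-CaaRecordData -Tag 'issue'     -Value 'internal.contoso.com'
$noWild = ConvertTo-CaaRecordData -Tag 'issuewild' -Value ';'
foreach ($r in $issue, $noWild) {
    $hex = ($r | ForEach-Object { $_.ToString('x2') }) -join ''
    "{0,-50} {1}" -f $hex, (ConvertFrom-CaaRecordData $r | ConvertTo-Json -Compress)
}
```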

2024-07-23

Azure AD Connect - prevent mass deletion of groups

Again we have the same problem with deleted security groups (a change in the synchronized containers; one of them had groups synchronized outside of the project, but very, very important groups), so how can we counteract group deletion?

Maybe I can export the last runtime log?

Get-ADSyncRunProfileResult [-RunHistoryId ] [-ConnectorId ] [-RunProfileId ] [-RunNumber ] [-NumberRequested ] [-RunStepDetails] [-StepNumber ] [-WhatIf] [-Confirm] []

Get-ADSyncRunStepResult [-RunHistoryId ] [-StepHistoryId ] [-First] [-StepNumber ] [-WhatIf] [-Confirm] []

Invoke-ADSyncRunProfile -ConnectorName -RunProfileName [-Resume] []



So I must change the default synchronization cycles to my own cycle using Invoke-ADSyncRunProfile: run the imports, analyse the deletions, and stop the export to Azure when a deletion of groups appears in the sync step - but can I look for pending deletions in the Azure connector space?

Is there any interface or API? The Lithnet module for PowerShell?
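An added example, not the post's code: it uses the ADSync module's own export deletion threshold ("prevent accidental deletes") to make the Export step stop instead of removing objects, which is a different mechanism from the manual log analysis the post considers, combined with a hand-driven cycle built from Invoke-ADSyncRunProfile. The connector names and the threshold value are assumptions.

```powershell
# Added example, not from the original post. Connector names are assumed;
# list yours with: Get-ADSyncConnector | Select-Object Name
Import-Module ADSync

$adConnector  = 'contoso.com'                    # assumed on-premises AD connector name
$aadConnector = 'contoso.onmicrosoft.com - AAD'  # assumed Azure AD connector name
$maxDeletes   = 50                               # assumed: abort an export above this many deletes

# 1. Stop the built-in scheduler so it cannot run an Export in the middle of our cycle.
Set-ADSyncScheduler -SyncCycleEnabled $false

# 2. Built-in "prevent accidental deletes": an Export that would delete more than
#    $maxDeletes objects stops with stopped-deletion-threshold-exceeded and removes nothing.
#    (May prompt for Azure AD administrator credentials.)
Enable-ADSyncExportDeletionThreshold -DeletionThreshold $maxDeletes
Get-ADSyncExportDeletionThreshold

# 3. Our own cycle: import both sides and synchronize, but do not export yet.
foreach ($c in $adConnector, $aadConnector) {
    Invoke-ADSyncRunProfile -ConnectorName $c -RunProfileName 'Delta Import'
}
Invoke-ADSyncRunProfile -ConnectorName $adConnector  -RunProfileName 'Delta Synchronization'
Invoke-ADSyncRunProfile -ConnectorName $aadConnector -RunProfileName 'Delta Synchronization'

# 4. Export to Azure AD under the threshold.
Invoke-ADSyncRunProfile -ConnectorName $aadConnector -RunProfileName 'Export'

# 5. Look at the last run's step results before handing control back to the scheduler.
Get-ADSyncRunProfileResult -NumberRequested 1 -RunStepDetails
Set-ADSyncScheduler -SyncCycleEnabled $true
```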

2021-04-01

How to copy transform rules and issuance rules between Application Groups and relying party trusts - ADFS

How to copy rules between relying party trusts
$rules = (Get-AdfsRelyingPartyTrust -Name "Src Party Trust").IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName "Dst Party Trust" -IssuanceTransformRules $rules



How to copy between application groups
$rules = (Get-AdfsApplicationGroup "src group").Applications[1].IssuanceTransformRules
Set-AdfsWebApiApplication -TargetIdentifier "https://some-uri-for-dest-app" -IssuanceTransformRules $rules

But - is there any powershell cmdlet for Web Application?
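An added example (not the post's code) that copies all three rule sets between two relying party trusts, saving the destination's current rules to files first so the change can be reverted, then verifying the copy. The trust names and the backup directory are assumptions.

```powershell
# Added example, not from the original post. Trust names and backup path are assumed.
Import-Module ADFS

function Copy-AdfsRelyingPartyRules {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [string]$BackupDirectory = 'C:\temp\adfs-rules'   # assumed
    )
    $sets = 'IssuanceTransformRules', 'IssuanceAuthorizationRules', 'DelegationAuthorizationRules'
    $src = Get-AdfsRelyingPartyTrust -Name $Source
    $dst = Get-AdfsRelyingPartyTrust -Name $Destination
    if (-not $src -or -not $dst) { throw "source or destination trust not found" }

    # Keep what the destination has now, one file per rule set, before overwriting it.
    New-Item -ItemType Directory -Path $BackupDirectory -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($set in $sets) {
        $file = Join-Path $BackupDirectory "$Destination-$set-$stamp.txt"
        Set-Content -Path $file -Value ([string]$dst.$set)
    }

    Set-AdfsRelyingPartyTrust -TargetName $Destination `
        -IssuanceTransformRules       $src.IssuanceTransformRules `
        -IssuanceAuthorizationRules   $src.IssuanceAuthorizationRules `
        -DelegationAuthorizationRules $src.DelegationAuthorizationRules

    # Verify: the rule text must now be identical on both sides.
    $after = Get-AdfsRelyingPartyTrust -Name $Destination
    foreach ($set in $sets) {
        [pscustomobject]@{ RuleSet = $set; Identical = ([string]$after.$set -eq [string]$src.$set) }
    }
}

Copy-AdfsRelyingPartyRules -Source 'Src Party Trust' -Destination 'Dst Party Trust'
```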

2019-04-24

An error occurred while enumerating through a collection: Collection was modified; enumeration operation may not execute...

The code below will generate the error above:
$someHashTable = @{}
$someHashTable.Add("key1", "value1")
$someHashTable.Add("key2", "value2")
$someHashTable.Keys | %{ $someHashTable[$_] = "newValue" }

It should look like the code below - the collection of keys must be copied to a fresh collection first.
$someHashTable = @{}
$someHashTable.Add("key1", "value1")
$someHashTable.Add("key2", "value2")
$keys = @(); $someHashTable.Keys | %{ $keys += $_ }
$keys | %{ $someHashTable[$_] = "newValue" }

2019-04-22

dynamic arrays in PowerShell

By default arrays in PowerShell are not dynamic (fixed size), so one way to deal with it is to use an ArrayList:
 
c:\>[System.Collections.ArrayList]$DynamicArray = @()
c:\>$DynamicArray.IsFixedSize 
False
c:\>$DynamicArray.Add("june")
c:\>$DynamicArray.Add("june")
c:\>$DynamicArray
june
june
c:\>$DynamicArray.Remove("june")
c:\>$DynamicArray
june
c:\>
We can pass this list to update the membership of a group in Active Directory.
c:\>$DynamicArray = "january", "february", "march"
c:\>$DynamicArray += "april"
c:\>$DynamicArray += "april"
c:\>$DynamicArray
january
february
march
april
april
c:\>
So we can do it this way also.

2019-01-31

how to enforce a password change from PowerShell?

At first I was thinking about how to set pwdLastSet to some old value. It is possible by:
$userObj = Get-ADUser someuser -Properties pwdLastSet   # someuser: the account to change
$userObj.pwdLastSet = 0
Set-ADUser -Instance $userObj
$userObj.pwdLastSet = -1
Set-ADUser -Instance $userObj

but it can set only two possible values - never (0) and now (-1) - other values are invalid. When I tried to do it by:
$dt = Get-Date
$dt = $dt.AddDays(-70)
$userObj.pwdLastSet = $dt.ToFileTimeUTC()
Set-ADUser -Instance $userObj

every time it finished with an error - the same happens from Active Directory Users and Computers and from ADSIEdit. It is possible only from the SYSTEM level.

For me the only possible way to do it is to prepare a special kind of granular (fine-grained) password policy and apply it to the selected users.
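An added example (not the post's code) of the approach the post ends with: a fine-grained password policy applied to a group of users, checked with the resultant-policy cmdlet, plus the supported way to force a change at next logon. The policy name, group name, account and values are assumptions.

```powershell
# Added example, not from the original post. Names and values are assumed.
Import-Module ActiveDirectory

$policyName = 'PSO-Force-Rotation'   # assumed policy name
$subjects   = 'grp-force-rotation'   # assumed group whose members get the policy

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    # Lower precedence value wins when several PSOs apply to one user.
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
        -Description 'Shorter maximum age for selected accounts (assumed values)' `
        -MaxPasswordAge (New-TimeSpan -Days 30) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $subjects

# Confirm which policy a member actually receives.
Get-ADUserResultantPasswordPolicy -Identity someuser   # assumed account

# Unlike writing arbitrary pwdLastSet values, this is supported: it sets pwdLastSet to 0.
Get-ADGroupMember -Identity $subjects |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Set-ADUser -Identity $_.DistinguishedName -ChangePasswordAtLogon $true }
```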

2018-11-21

upload photo to AD account

Just to remember:
Import-Module ActiveDirectory
$photoByte = [byte[]](Get-Content C:\temp\my-photo.jpg -Encoding byte)            
Set-ADUser emicra -Replace @{thumbnailPhoto=$photoByte}

96x96 pixels - less than 10 kB

2018-11-06

powershell - how to send an SMS or text message; serial port and PowerShell

I tried to find code to talk to a COM port, without proper results, so I wrote this simple code. Modern phones probably have the modem deactivated - I must confirm it, but I tried my old (what a funny word) HSDPA modem and it is working.
[System.IO.Ports.SerialPort]::GetPortNames() #list of ports

#my USB modem is connected as virtual COM8
#speed, parity, stop bits should be valid for all devices
$port = New-Object System.IO.Ports.SerialPort COM8,9600,None,8,One
$port.Open(); Start-Sleep -Milliseconds 100

$port.Write("AT`r"); Start-Sleep -Milliseconds 100
if ($port.BytesToRead -gt 0) { $port.ReadExisting(); Start-Sleep -Milliseconds 100 }

#text mode for messages
$msg = "AT+CMGF=1`r"; $port.Write($msg); Start-Sleep -Milliseconds 100
if ($port.BytesToRead -gt 0) { $port.ReadExisting(); Start-Sleep -Milliseconds 100 }

#replace xxx with the correct number and YY with the correct country prefix
$msg = "AT+CMGS=""+YYxxxxxxxxx""`r"; $port.Write($msg); Start-Sleep -Milliseconds 100
if ($port.BytesToRead -gt 0) { $port.ReadExisting(); Start-Sleep -Milliseconds 100 }

$msg = "something stupid"; $port.Write($msg); Start-Sleep -Milliseconds 100
if ($port.BytesToRead -gt 0) { $port.ReadExisting(); Start-Sleep -Milliseconds 100 }

#escape character (CTRL-Z from terminal) ends the message
$port.Write([string][char]26); Start-Sleep -Milliseconds 100
if ($port.BytesToRead -gt 0) { $port.ReadExisting(); Start-Sleep -Milliseconds 100 }

$port.Close()

Reading the output is of course optional - in my main code it will be connected with the commands. The 100 ms sleep is only "just in case".
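An added example, not the post's code: a Send-ATCommand helper that waits for the modem's final result code (OK, ERROR, +CME/+CMS ERROR, or the "> " prompt after AT+CMGS) instead of fixed 100 ms sleeps, and refuses to continue when the SIM still expects a PIN. The port COM8, the timeouts and the placeholder number are assumptions.

```powershell
# Added example, not from the original post. COM8 and the number are assumed.
function Send-ATCommand {
    param(
        [Parameter(Mandatory)][System.IO.Ports.SerialPort]$Port,
        [Parameter(Mandatory)][string]$Command,
        [int]$TimeoutMs = 5000,
        [switch]$ExpectPrompt      # AT+CMGS answers with "> " and no final result code
    )
    $Port.DiscardInBuffer()
    $Port.Write($Command)
    $deadline = [DateTime]::UtcNow.AddMilliseconds($TimeoutMs)
    $sb = New-Object System.Text.StringBuilder
    while ([DateTime]::UtcNow -lt $deadline) {
        if ($Port.BytesToRead -gt 0) { [void]$sb.Append($Port.ReadExisting()) }
        $text = $sb.ToString()
        if ($ExpectPrompt -and $text.Contains('> ')) { return $text }
        # Final result codes seen in the transcripts above (plus +CMS ERROR for SMS failures).
        if ($text -match '(?m)^(OK|ERROR|\+CM[ES] ERROR:.*|COMMAND NOT SUPPORT)\s*$') { return $text }
        Start-Sleep -Milliseconds 20
    }
    throw "no final result code for '$($Command.Trim())' within $TimeoutMs ms; got: $($sb.ToString())"
}

$port = New-Object System.IO.Ports.SerialPort COM8,9600,None,8,One   # assumed port
$port.Open()
try {
    Send-ATCommand $port "AT`r" | Out-Null
    $pin = Send-ATCommand $port "AT+CPIN?`r"
    if ($pin -notmatch '\+CPIN: READY') { throw "SIM is waiting for a code: $pin" }
    Send-ATCommand $port "AT+CMGF=1`r" | Out-Null
    Send-ATCommand $port "AT+CMGS=""+YYxxxxxxxxx""`r" -ExpectPrompt | Out-Null   # placeholder number
    # Message body terminated by Ctrl-Z; sending can take a while, so allow 30 s.
    $reply = Send-ATCommand $port ("test message" + [char]26) -TimeoutMs 30000
    if ($reply -match '\+CMGS: (\d+)') { "sent, message reference $($Matches[1])" } else { $reply }
} finally {
    if ($port.IsOpen) { $port.Close() }
}
```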

AT commands and communication

AT
OK
AT+CPIN?
+CPIN: SIM PIN

OK
AT - like EHLO in SMTP
AT+CPIN? - query: is a PIN required? Possible answers are:
+CPIN: SIM PIN - when you MUST enter the PIN
+CPIN: SIM PIN2 - when you MUST enter PIN2
+CPIN: SIM PUK - when you MUST enter the PUK
+CPIN: SIM PUK2 - when you MUST enter PUK2
+CPIN: READY - when the device is not expecting any code
AT+CPIN-=
COMMAND NOT SUPPORT
AT+CPIN=
ERROR
AT+CPIN=0000
OK
AT+CPIN?
+CPIN: READY

OK
AT+CPIN=0000
+CME ERROR: operation not allowed
AT+CPIN-= - my mistake - and His Majesty's answer: COMMAND NOT SUPPORT
AT+CPIN= - my mistake - and His Majesty's answer: ERROR, because I didn't provide a PIN
AT+CPIN=0000 - yes, this is of course a fake PIN, but the answer is a real OK
AT+CPIN? - yes, my device is ready: +CPIN: READY, so the same command entering the PIN...
AT+CPIN=0000 ... will finish with +CME ERROR: operation not allowed
AT+CMGF=1
OK
AT+CMGF=1 - sets the device in text message mode; with 0 it switches to PDU mode - Protocol Description Unit - also for text messages, but in encoded form
AT+CMGS="xxxxxxxxx"
> mamma mia

+CMGS: 109

OK
AT+CMGS="xxxxxxxxx" - I've started a message addressed to phone xxxxxxxxx
the terminal is waiting for the message, finished with the escape character (ASCII 26 - Ctrl-Z)
+CMGS: 109 and OK confirm that the message was sent

2018-10-29

how to dump a file to hex format?

Yes, I tried to find the easiest way to do it, and yes, it is very, very easy :). Use PowerShell:
format-hex .\some-file-to-dump.txt
format-hex .\another.file.this.time.exe
format-hex .\just-transfer-output.to.default-stream.txt > some.new.file.txt

2018-09-10

powershell - truncate a binary file

I was forced to truncate a file with the tools available on the system, so I chose PowerShell - without additional downloads, almost pure PowerShell. Why did I have to truncate the file? Because the file was uploaded and - for an unknown reason - the header was wrong. In a zip file the first two letters are "PK", but in my file it was as below (some invisible characters also).
PS C:\temp> $bytes = [System.IO.File]::ReadAllBytes("c:\temp\some-file.zip")
PS C:\temp> $text = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 12)
PS C:\temp> $text
9? PK♥♦¶

PS C:\temp> $bytes.count
13908241
PS C:\temp> $bytes1 = $bytes[4..($bytes.Length-4)]
PS C:\temp> $bytes1.Count
13908234
PS C:\temp> $bytes1.length
13908234
PS C:\temp> [io.file]::WriteAllBytes('c:\temp\try1.zip', $bytes1)
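An added example, not the post's code: instead of dropping a hand-counted number of bytes, it looks for the first ZIP local file header signature ("PK", 0x03, 0x04) near the start of the file, streams everything from that offset into a new file, and then opens the result with the .NET ZipFile class as a check. It only removes the leading garbage, not trailing bytes; the paths are assumptions.

```powershell
# Added example, not from the original post. Paths are assumed.
function Repair-ZipPrefix {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Destination,
        [int]$SearchWindow = 4096     # look for the signature only in the first bytes
    )
    $sig = [byte[]](0x50, 0x4B, 0x03, 0x04)   # "PK", 0x03, 0x04: local file header
    $in = [System.IO.File]::OpenRead($Path)
    try {
        $head = New-Object byte[] ([int][Math]::Min([long]$SearchWindow, $in.Length))
        $read = $in.Read($head, 0, $head.Length)
        $offset = -1
        for ($i = 0; $i -le $read - $sig.Length -and $offset -lt 0; $i++) {
            $match = $true
            for ($j = 0; $j -lt $sig.Length; $j++) {
                if ($head[$i + $j] -ne $sig[$j]) { $match = $false; break }
            }
            if ($match) { $offset = $i }
        }
        if ($offset -lt 0) { throw "no local file header in the first $read bytes of $Path" }
        # Stream from the signature onward instead of slicing a second 13 MB array.
        $out = [System.IO.File]::Create($Destination)
        try {
            $in.Position = $offset
            $in.CopyTo($out)
        } finally { $out.Dispose() }
    } finally { $in.Dispose() }
    [pscustomobject]@{ SkippedBytes = $offset; Written = (Get-Item $Destination).Length }
}

Repair-ZipPrefix -Path 'c:\temp\some-file.zip' -Destination 'c:\temp\try2.zip'

# Let the archive stack verify the result: a bad prefix breaks the central directory offsets.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead('c:\temp\try2.zip')
try { "entries: $($zip.Entries.Count)" } finally { $zip.Dispose() }
```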

2018-08-12

Active Directory - create root domain

This can be done with a PowerShell script, as below:
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012R2" `
-DomainName "contoso.com" `
-DomainNetbiosName "CONTOSO" `
-ForestMode "Win2012R2" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
or using GUI:

create NAT switch for hyper-v

Get the adapters to see the current list before any changes - just to notice the changes later.

PS C:\WINDOWS\system32> Get-NetAdapter

Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Ethernet                  Intel(R) 82579LM Gigabit Network Con...      20 Disconnected F0-DE-F1-8A-12-5C          0 bps
Bluetooth Network Conn... Bluetooth Device (Personal Area Netw...      19 Disconnected 94-39-E5-8F-C1-79         3 Mbps
WiFi                      Intel(R) Centrino(R) Ultimate-N 6300...      13 Up           24-77-03-19-4A-08       144 Mbps
vEthernet (Default Swi... Hyper-V Virtual Ethernet Adapter              8 Up           1A-15-25-D5-36-C5        10 Gbps

Create a new VMSwitch - the name is custom; you should use something noticeable, e.g. with the phrase NAT, but it is of course optional. The switch type is important - you can choose from Internal, External and Private - choose Internal.

PS C:\WINDOWS\system32> New-VMSwitch -SwitchName "NATSwitch" -SwitchType Internal

Name      SwitchType NetAdapterInterfaceDescription
----      ---------- ------------------------------
NATSwitch Internal


PS C:\WINDOWS\system32> Get-NetAdapter

Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Ethernet                  Intel(R) 82579LM Gigabit Network Con...      20 Disconnected F0-DE-F1-8A-12-5C          0 bps
Bluetooth Network Conn... Bluetooth Device (Personal Area Netw...      19 Disconnected 94-39-E5-8F-C1-79         3 Mbps
vEthernet (NATSwitch)     Hyper-V Virtual Ethernet Adapter #2          50 Up           00-15-5D-04-20-06        10 Gbps
WiFi                      Intel(R) Centrino(R) Ultimate-N 6300...      13 Up           24-77-03-19-4A-08       144 Mbps
vEthernet (Default Swi... Hyper-V Virtual Ethernet Adapter              8 Up           1A-15-25-D5-36-C5        10 Gbps

The new adapter connected to the new switch has interface index (ifIndex) 50 - we will assign the other components to this interface. Let's create the IP address - it will be the default gateway for our NAT network.

PS C:\WINDOWS\system32> New-NetIPAddress -IPAddress 192.168.254.254 -PrefixLength 24 -InterfaceIndex 50


IPAddress         : 192.168.254.254
InterfaceIndex    : 50
InterfaceAlias    : vEthernet (NATSwitch)
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 24
PrefixOrigin      : Manual
SuffixOrigin      : Manual
AddressState      : Tentative
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : ActiveStore

IPAddress         : 192.168.254.254
InterfaceIndex    : 50
InterfaceAlias    : vEthernet (NATSwitch)
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 24
PrefixOrigin      : Manual
SuffixOrigin      : Manual
AddressState      : Invalid
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : PersistentStore

So we have a switch and an IP address on the interface in this switch; now we must inform the system that we have a network behind NAT. We can have only ONE network behind NAT, so let's inform the system about it.

PS C:\WINDOWS\system32> New-NetNat -Name NATnetwork -InternalIPInterfaceAddressPrefix 192.168.254.0/24


Name                             : NATnetwork
ExternalIPInterfaceAddressPrefix :
InternalIPInterfaceAddressPrefix : 192.168.254.0/24
IcmpQueryTimeout                 : 30
TcpEstablishedConnectionTimeout  : 1800
TcpTransientConnectionTimeout    : 120
TcpFilteringBehavior             : AddressDependentFiltering
UdpFilteringBehavior             : AddressDependentFiltering
UdpIdleSessionTimeout            : 120
UdpInboundRefresh                : False
Store                            : Local
Active                           : True


Now we can reconnect our virtual machines to the new switch and reconfigure them:
- network addresses from 192.168.254.0/24 network;
- default gateway 192.168.254.254;
- DNS server - depends on configuration, for example 8.8.8.8.
Our NAT network:

PS C:\WINDOWS\system32> Get-NetNat


Name                             : NATnetwork
ExternalIPInterfaceAddressPrefix :
InternalIPInterfaceAddressPrefix : 192.168.254.0/24
IcmpQueryTimeout                 : 30
TcpEstablishedConnectionTimeout  : 1800
TcpTransientConnectionTimeout    : 120
TcpFilteringBehavior             : AddressDependentFiltering
UdpFilteringBehavior             : AddressDependentFiltering
UdpIdleSessionTimeout            : 120
UdpInboundRefresh                : False
Store                            : Local
Active                           : True

Our NAT Switch:

PS C:\WINDOWS\system32> Get-VMSwitch

Name           SwitchType NetAdapterInterfaceDescription
----           ---------- ------------------------------
Default Switch Internal   Teamed-Interface
NATSwitch      Internal
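The same setup as an added, re-runnable script (not the post's commands): it finds the host adapter by the switch name instead of a hard-coded ifIndex, skips steps already done, and refuses to create a second NAT, since New-NetNat fails when another internal prefix exists. Names and addresses are the post's own.

```powershell
# Added example, not from the original post. Names and addresses are the post's.
$switchName = 'NATSwitch'
$natName    = 'NATnetwork'
$gateway    = '192.168.254.254'
$prefix     = '192.168.254.0/24'

$switch = Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue
if (-not $switch) {
    $switch = New-VMSwitch -SwitchName $switchName -SwitchType Internal
}

# The host-side adapter of an internal switch is named "vEthernet (<switch name>)".
$adapter = Get-NetAdapter -Name "vEthernet ($switchName)"
$ip = Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
      Where-Object { $_.IPAddress -eq $gateway }
if (-not $ip) {
    New-NetIPAddress -IPAddress $gateway -PrefixLength 24 -InterfaceIndex $adapter.ifIndex | Out-Null
}

# Only one NAT network is allowed; stop rather than fail half-way if another one exists.
$existing = Get-NetNat
if ($existing -and $existing.InternalIPInterfaceAddressPrefix -notcontains $prefix) {
    throw "another NAT already exists ($($existing.Name -join ', ')); remove it with Remove-NetNat first"
}
if (-not $existing) {
    New-NetNat -Name $natName -InternalIPInterfaceAddressPrefix $prefix | Out-Null
}

Get-NetNat | Select-Object Name, InternalIPInterfaceAddressPrefix, Active
Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength
```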

2018-08-09

netsh dhcp create scope

How to create DHCP scopes on an older system - without the DHCP module:
#create-DHCPScopes

$fileData = Get-Content c:\temp\scripts\some-file.txt

$fileData | %{
    # header of my file - tab is the separator
    #  SHORT_SUBNET SUBNET_MASK  DHCP-LO      DHCP-HI      GW     NAME
    $line = $_
    $tabLine = $line.Split("`t")

    $name = $tabLine[5]
    $dhcpName = """$name"""
    $description = """some description"""   # quoted, so netsh gets it as one argument

    if ($tabLine[0] -ne "SHORT_SUBNET") {
        netsh dhcp server add scope $tabLine[0] $tabLine[1] $dhcpName $description
        netsh dhcp server scope $tabLine[0] set state 1
        netsh dhcp server scope $tabLine[0] set name $dhcpName
        netsh dhcp server scope $tabLine[0] set optionvalue 003 IPADDRESS $tabLine[4]
        netsh dhcp server scope $tabLine[0] set optionvalue 051 DWORD 2592000
        netsh dhcp server scope $tabLine[0] add iprange $tabLine[2] $tabLine[3]
    }
}

2018-07-16

measure LDAP bind time - for Active Directory PowerShell script

How to check a simple anonymous bind against all domain controllers? Maybe using this script:
#####################Variables#####################
$repeats = 10
###################################################

#####################Main#####################
import-module activedirectory 
cls 
$myForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() 
$domCtrls = $myforest.Sites | % { $_.Servers } | Select Name 
$domCtrls | %{
    $domCtrl = $_
    $totalTime = 0
    $i = 0
    $maxTime = 0; $minTime = 100
    while ($i -ne $repeats) {
        $c = New-Object System.DirectoryServices.Protocols.LdapConnection ($domCtrl.Name + ":389")
         
        # Anonymous, Basic, Digest, DPA (Distributed Password Authentication), 
        # External, Kerberos, Msn, Negotiate, Ntlm, Sicily 
        $c.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous

        $c.SessionOptions.ProtocolVersion = 3
        $c.SessionOptions.SecureSocketLayer = $false

        $time = (Measure-Command {$c.Bind()}).TotalSeconds
        $c.Dispose()

        $totalTime += $time 
        if ($minTime -gt $time) { $minTime = $time }
        if ($maxTime -lt $time) { $maxTime = $time }
        $i++
    }
    $avgTime = $totalTime / $repeats 
    $domCtrl.name + "`t" + $minTime + "`t" + $avgTime + "`t" + $maxTime
}


The output is formatted with tabs, so you can copy/paste it straight into Excel or Word and convert it to a table.

check group policy templates - compare-ADMX.ps1

How to find missing admx or adml files - of course, you should provide the proper path and regional settings:
import-module ActiveDirectory

cls
$currentDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$currentDomain = $currentDomain.Name

$admls = get-item ("c:\windows\sysvol_dfsr\sysvol\" + $currentDomain + "\Policies\PolicyDefinitions\en-us\*.adml")
$admxs = get-item ("c:\windows\sysvol_dfsr\sysvol\" + $currentDomain + "\Policies\PolicyDefinitions\*.admx")

$admls | %{
    $adml = $_
    $admlName = $adml.name
    $admlFullName = $adml.FullName
    $admxName = $admlName.Substring(0, $admlName.Length - 5) + ".admx"
    if (Get-Item ($admlFullName + "\..\..\" + $admxName) -ErrorAction SilentlyContinue) {
        #do nothing 
    } else {
        ".......... " + $admxName + " is missing"
    }
}

$admxs | %{
    $admx = $_
    $admxName = $admx.name
    $admxFullName = $admx.FullName
    $admlName = $admxName.Substring(0, $admxName.Length - 5) + ".adml"
    if (Get-Item ($admxFullName + "\..\en-us\" + $admlName) -ErrorAction SilentlyContinue) {
        #do nothing 
    } else {
        ".......... " + $admlName + " is missing"
    }
}

2018-05-10

powershell upgrade - windows 2008r2

Install WMF 5.1 - before the installation upgrade .NET Framework to 4.5.2 and check $PSVersionTable. After the WMF installation there will be an additional restart.

2018-04-11

32bit printer driver on 64bit system - migration from Windows 2008 to Windows 2012R2

If you want to add 32-bit drivers to a 64-bit Print Server you must use pnputil to upload the drivers to the system (like for 64-bit drivers) and finally you must use Add-PrinterDriver from 32-bit PowerShell - from this level enabling 32-bit drivers is possible on a 64-bit system.

How to start 32bit version of Powershell? MSDN link:
Starting the 32-Bit Version of Windows PowerShell

When you install Windows PowerShell on a 64-bit computer, Windows PowerShell (x86), a 32-bit version of Windows PowerShell is installed in addition to the 64-bit version. When you run Windows PowerShell, the 64-bit version runs by default.

However, you might occasionally need to run Windows PowerShell (x86), such as when you are using a module that requires the 32-bit version or when you are connecting remotely to a 32-bit computer.

To start a 32-bit version of Windows PowerShell, use any of the following procedures.
In Windows Server® 2012 R2

On the Start screen, type Windows PowerShell (x86). Click the Windows PowerShell x86 tile.
In Server Manager, from the Tools menu, select Windows PowerShell (x86).
On the desktop, move the cursor to the upper right corner, click Search, type PowerShell x86 and then click Windows PowerShell (x86).
Via command line, enter: %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

In Windows Server® 2012

On the Start screen, type PowerShell and then click Windows PowerShell (x86).
In Server Manager, from the Tools menu, select Windows PowerShell (x86).
On the desktop, move the cursor to the upper right corner, click Search, type PowerShell and then click Windows PowerShell (x86).
Via command line, enter: %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

In Windows® 8.1

On the Start screen, type Windows PowerShell (x86). Click the Windows PowerShell x86 tile.
If you are running Remote Server Administration Tools for Windows 8.1, you can also open Windows PowerShell x86 from the Server Manager Tools menu. Select Windows PowerShell (x86).
On the desktop, move the cursor to the upper right corner, click Search, type PowerShell x86 and then click Windows PowerShell (x86).
Via command line, enter: %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

In Windows® 8

On the Start screen, move the cursor to the upper right corner, click Settings, click Tiles, and then move the Show Administrative Tools slider to Yes. Then, type PowerShell and click Windows PowerShell (x86).
If you are running Remote Server Administration Tools for Windows 8, you can also open Windows PowerShell x86 from the Server Manager Tools menu. Select Windows PowerShell (x86).
On the Start screen or the desktop, type PowerShell (x86) and then click Windows PowerShell (x86).
Via command line, enter: %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

I tested this procedure with about 300 drivers (150 64-bit and 150 32-bit) and it works perfectly. It was a migration from a 2008R2 Print Server to a 2012R2 Print Server.

The available tools (Print Migration Wizard) can't manage a huge print driver library (above 2GB); we had 4,5GB, so only a manual process was possible. We migrated all drivers manually (copied all *inf* folders with printer drivers), registered them using pnputil, added ports using PowerShell, added printers (connecting them with 64-bit drivers and ports), and later, using the 32-bit version of PowerShell:

- added the printer drivers for 32-bit.

2018-04-06

PowerShell Invoke-WebRequest with a web proxy

To use Invoke-WebRequest I can't just specify:
Invoke-WebRequest -Uri "http://some.host.com/some.file.txt" -Proxy "proxy1.in.my.company:80"
because I'll receive an error message like:

Invoke-WebRequest : The ServicePointManager does not support proxies with the proxy1.in.my.company scheme

Reason? You must explicitly specify the protocol, http, so it should look like:
Invoke-WebRequest -Uri "http://some.host.com/some.file.txt" -Proxy "http://proxy1.in.my.company:80"

Of course, you can (or must) specify proxy credentials with -ProxyCredential, or just use -ProxyUseDefaultCredentials to use the current logon information.

2018-03-30

Lync photos in Active Directory - how to retrieve, how to find

To retrieve user photos from Lync, for example to download the photos and put them in thumbnailPhoto in Active Directory.
Database: RTC

select UserAtHost,convert(varchar(4000),convert(varbinary(4000),Data))
from PublishedStaticInstance,Resource
where ResourceId = PublisherId
and convert(varchar(4000),convert(varbinary(4000),Data))
like '%%'


Steps (once a day):
  • export data from RTC database
  • loop for all photos
    • download photo
    • if needed - scale down to 96x96
    • put in thumbnailPhoto
The last photo update can be stored in extensionAttributeX (one of the available numbers). Why store photos in both locations? Not every workstation has the Lync 2013 client or newer, and the same goes for users not yet migrated from Exchange 2010, so... it's better to have all the data in both places.
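An added example (not the post's code) that serves both the "upload photo to AD account" post above and the "scale down to 96x96, put in thumbnailPhoto" steps here: it crops a photo to a centered square, resamples it to 96x96 with System.Drawing, re-encodes it as JPEG at an explicit quality, checks the 10 kB limit and writes it to thumbnailPhoto. The source path is assumed; the account emicra is the one from the earlier post.

```powershell
# Added example, not from the original posts. Source path is assumed.
Add-Type -AssemblyName System.Drawing
Import-Module ActiveDirectory

function ConvertTo-ThumbnailPhoto {
    param([Parameter(Mandatory)][byte[]]$ImageBytes, [int]$Size = 96, [long]$Quality = 80)
    $src = [System.Drawing.Image]::FromStream((New-Object System.IO.MemoryStream (,$ImageBytes)))
    try {
        # Crop a centered square so the face is not squashed, then resample to $Size x $Size.
        $side = [Math]::Min($src.Width, $src.Height)
        $x = [int][Math]::Floor(($src.Width  - $side) / 2)
        $y = [int][Math]::Floor(($src.Height - $side) / 2)
        $srcRect = New-Object System.Drawing.Rectangle -ArgumentList $x, $y, $side, $side
        $dstRect = New-Object System.Drawing.Rectangle -ArgumentList 0, 0, $Size, $Size
        $bmp = New-Object System.Drawing.Bitmap -ArgumentList $Size, $Size
        $g = [System.Drawing.Graphics]::FromImage($bmp)
        try {
            $g.InterpolationMode = [System.Drawing.Drawing2D.InterpolationMode]::HighQualityBicubic
            $g.DrawImage($src, $dstRect, $srcRect, [System.Drawing.GraphicsUnit]::Pixel)
        } finally { $g.Dispose() }
        # JPEG at an explicit quality; lower -Quality if the result is still over 10 kB.
        $codec = [System.Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() |
                 Where-Object { $_.MimeType -eq 'image/jpeg' }
        $encParams = New-Object System.Drawing.Imaging.EncoderParameters -ArgumentList 1
        $encParams.Param[0] = New-Object System.Drawing.Imaging.EncoderParameter `
            -ArgumentList ([System.Drawing.Imaging.Encoder]::Quality, $Quality)
        $ms = New-Object System.IO.MemoryStream
        try { $bmp.Save($ms, $codec, $encParams); return ,$ms.ToArray() }
        finally { $ms.Dispose(); $bmp.Dispose() }
    } finally { $src.Dispose() }
}

$photo = ConvertTo-ThumbnailPhoto -ImageBytes ([System.IO.File]::ReadAllBytes('C:\temp\my-photo.jpg'))
if ($photo.Length -gt 10KB) { throw "thumbnail is $($photo.Length) bytes; lower -Quality or -Size" }
Set-ADUser emicra -Replace @{ thumbnailPhoto = $photo }
```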

2018-03-21

Huge group - powershell - how to count members

Problem with a huge group - more than 5,000 members (web services limit):
(Get-ADGroupMember "some_big_group").Count
Get-ADGroupMember : The size limit for this request was exceeded
At line:1 char:34
+ $groupMembers = Get-ADGroupMember <<<< "some_big_group"
    + CategoryInfo          : NotSpecified: (some_big_group:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : The size limit for this request was exceeded,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

Solution:
(Get-ADGroup "some_big_group" -Properties Member | Select -ExpandProperty Member).Count