Version 2 of [ Monitor Disk Space using a nice script ] is now available

I have blogged about a nice PowerShell script that you can use to report on disk space on your servers and get alerts once a threshold is crossed.

Here is the link to the old version's post: https://ammarhasayen.com/2013/09/22/216/

I am glad to share with you an advanced version of the script (Version 2).

Download Version 2 of the script

Click here to download the script http://sdrv.ms/1bEdvy2

What is new in this version?

  1. General bug fixes.
  2. More informative error messages, if any, when running the script interactively from the PowerShell console.
  3. Thresholds can now also be set as a percentage of the total disk space. So you can say that the error free-space threshold is crossed when the free disk space drops below 6% of the total disk space.
  4. Alert mode sends you an email only when an error threshold is crossed. The alert email includes only the affected servers.
  5. A new variable you can customize is ($UsePercentage). If set to true, threshold values are treated as percentages.

Recommendation

  • Download the script, create a text file named list.txt with all the servers to monitor (one server per line), and place it in the script directory. Modify the SMTP settings and run the script from the PowerShell console. Observe the results and then tweak the script thresholds accordingly.
  • Always remember to open the script and look at the (Script Customization) section. Make sure you tune the variables there to match your environment.
  • You need to place a text file named (list.txt) in the same path as the script. The content of the file should look like this:

[Screenshot: sample list.txt contents, one server name per line]

Give it a try, and contact me if you have any questions or suggestions. Tell me what you think.

Have a nice day.

How to schedule Exchange PowerShell Script using Windows Task Scheduler

Hi, so you have downloaded one of my Exchange PowerShell scripts, and you liked it (I hope), so now you want to schedule the script to run on a schedule that suits you.

SO EASY 🙂 Follow my steps:

1. Open the Task Scheduler in Windows > Task Scheduler Library > right-click and choose “Create Basic Task...”.

[Screenshot: Task Scheduler Library, Create Basic Task]

2. Type a descriptive name for your task and click Next.

3. On the Trigger step, choose the schedule that fits your needs.

4. On the Action step, choose “Start a program”, then click Next.

5. On the “Start a Program” subsection, enter:

  • In Program/Script, type (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
  • In Add Arguments (Optional), type (-command ". 'c:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; D:\Myscript.PS1")
  • In Start in (Optional), leave it empty

Note: Replace D:\Myscript.PS1 with your script path.

Note: Make sure the machine has the Exchange PowerShell Management Tools installed.

[Screenshot: Start a Program settings for the task]

Be careful !!!!!!!!!!

I have discovered the hard way that you will get problems, and the script will not run, if the path to your script is too long. For example, instead of D:\Myscript.PS1, it is not a good idea to have D:\Path1\path2\path3\path3 management scripts for Exchange that i love to schedule\Script Directory\Cool Scripts\Myscript.PS1

This is a long path, and there is a limit on the length of commands in the Windows Task Scheduler. Keep that in mind.
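One way around the length limit, as an added example that is not part of the original post: a short wrapper script does the Exchange bootstrap from step 5 and logs a transcript of every run, so the task's argument field only carries the wrapper's path and the real script path, however deep that is. Assumed paths are D:\Tasks\Run-ExchangeScript.ps1, D:\Tasks\Logs and the Exchange 2010 RemoteExchange.ps1 location quoted above; Register-ScheduledTask needs Windows 8 / Server 2012 or later (on older hosts create the task by hand or with schtasks.exe).

```powershell
# ---- 1. Write the wrapper script (assumed location D:\Tasks) ----
$wrapperPath = 'D:\Tasks\Run-ExchangeScript.ps1'
$wrapper = @'
param([Parameter(Mandatory=$true)][string]$Script, [string]$LogDir = 'D:\Tasks\Logs')
$ErrorActionPreference = 'Stop'
$null = New-Item -ItemType Directory -Path $LogDir -Force
$log = Join-Path $LogDir ('{0}-{1:yyyyMMdd-HHmmss}.log' -f (Split-Path $Script -Leaf), (Get-Date))
Start-Transcript -Path $log | Out-Null          # a record of every scheduled run
try {
    # Same Exchange bootstrap the post puts in the task arguments
    . 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'
    Connect-ExchangeServer -auto
    & $Script                                   # the real script, whatever its path length
}
finally { Stop-Transcript | Out-Null }
'@
$null = New-Item -ItemType Directory -Path (Split-Path $wrapperPath) -Force
Set-Content -Path $wrapperPath -Value $wrapper -Encoding ASCII

# ---- 2. Register the task once (run elevated) ----
# The deep path travels as the wrapper's parameter; the argument field itself stays short.
$target  = 'D:\Path1\path2\Script Directory\Cool Scripts\Myscript.PS1'   # placeholder
$args    = '-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File {0} -Script "{1}"' -f $wrapperPath, $target
$action  = New-ScheduledTaskAction -Execute 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Argument $args
$trigger = New-ScheduledTaskTrigger -Daily -At '06:00'

# Run under a dedicated service account with only the Exchange rights the script needs
$cred = Get-Credential -Message 'Account the scheduled task runs as'
Register-ScheduledTask -TaskName 'Exchange - Myscript' -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Highest

"Task arguments are $($args.Length) characters long: $args"
```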

Forefront Identity Management FIM CM / Smart Card Management (Level 400)

If you are a FIM CM administrator, then part of your work is managing smart cards using the FIM CM Portal.

It is difficult to understand what happens to the certificates on smart cards when performing smart card management tasks. This blog post presents diagrams that show what happens, according to my own tests 🙂

The diagrams use E to indicate an encryption certificate and S to indicate a signing certificate.

  • PERM: means permanent smart card
  • DUB: means duplicate smart card
  • REP: means replaced smart card
  • Red line across the certificate: means revoked certificate

Smart Card Replacement

Assumptions: the FIM portal is configured with the following settings:

  • Workflow: Duplicate Revocation Settings : Not configured
  • Workflow: Revocation Settings:
    • Set old card or profile status to disabled
    • Revoke old certificates.
  • Workflow: General:
    • Re-issue archived Certificates.

Now, this is what will happen: if you have a smart card with E1 and S1 (encryption and signing certificates inside the smart card), and you also have a duplicate smart card (DUB) with, of course, E1 and S2 (the same encryption certificate but a different signing certificate), then replacing the permanent smart card does what the figure shows.

  • Upon replacing your permanent smart card, the encryption certificate E1 is revoked on both the permanent and the duplicate smart card, and the signing certificate on the permanent smart card (S1) is revoked, while the signing certificate on the duplicate smart card is not touched. The final replacement card contains a new signing certificate (S3), a new encryption certificate (E2) and a copy of the old E1 encryption certificate, to be used to decrypt any content that was encrypted with E1. New encryption, though, uses the new E2. Note that you can always decrypt using a revoked certificate. The permanent card is set to the Disabled state if you configured the workflow revocation settings in the FIM portal to (Set old card or profile status to disabled).
  • If you replace the duplicate smart card instead, the opposite happens.
  • If you now duplicate the replacement smart card, a new signing certificate is issued (S4) and the rest stays the same.

Note: since signing certificates are not archived at the CA (this is how you should configure the CA), you will always get a new signing certificate no matter what operation you perform on the smart card.

[Figure: certificate state after smart card replacement]
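A check for the scenarios on this page, as an added example that is not part of the original post: it lists the certificates whose private key lives on the inserted card, labels each E or S from its Key Usage extension, and asks the CA (CRL/OCSP) whether it is revoked, so you can confirm after each FIM CM operation that the card holds what the diagrams predict. Assumptions: the card's certificates are propagated to Cert:\CurrentUser\My, the keys use a legacy CSP (CNG/KSP keys expose no CspKeyContainerInfo and are reported as not on the card), and KeyEncipherment marks the encryption certificate.

```powershell
function Get-SmartCardCertState {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Keep only certificates whose key container sits on a hardware device (the card).
        # Assumption: legacy CSP keys; a CNG key returns no CspKeyContainerInfo and is skipped.
        $onCard = $false
        try {
            $onCard = $cert.HasPrivateKey -and [bool]$cert.PrivateKey.CspKeyContainerInfo.HardwareDevice
        } catch { $onCard = $false }        # key unreachable (card removed, PIN prompt cancelled)
        if (-not $onCard) { continue }

        # E (encryption) vs S (signing) from the Key Usage extension, OID 2.5.29.15
        $ku   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
        $kind = 'Unknown'
        if ($ku) {
            if (([int]$ku.KeyUsages -band [int]$kuFlags::KeyEncipherment) -ne 0) { $kind = 'E' }
            elseif (([int]$ku.KeyUsages -band [int]$kuFlags::DigitalSignature) -ne 0) { $kind = 'S' }
        }

        # Build the chain with online revocation checking (CRL/OCSP) for the whole chain
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $null = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'OK' }
        $revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -match 'Revoked' })
        $chain.Reset()

        [pscustomobject]@{
            Kind        = $kind          # E or S, as in the diagrams
            Revoked     = $revoked       # the "red line" in the diagrams
            ChainStatus = $status        # OK, Revoked, RevocationStatusUnknown, ...
            NotAfter    = $cert.NotAfter # a freshly issued cert shows a later expiry
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
        }
    }
}

Get-SmartCardCertState | Sort-Object Kind, NotAfter |
    Format-Table Kind, Revoked, ChainStatus, NotAfter, Thumbprint -AutoSize
```

Run it once with the PERM card inserted and once with the DUB card; a RevocationStatusUnknown status means the CRL or OCSP responder could not be reached, not that the certificate is valid.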

Smart Card Retirement

Scenario 1: Retire a duplicate smart card

1. Revoke all certificates on the Duplicate Card – the duplicate smart card is no longer assigned to the user – the smart card doesn't have any certificates, as they are deleted.

2. Disable the Permanent Smart Card (which revokes all certificates on the card) – the permanent smart card is still assigned to the user – the smart card still has certificates, but they are revoked, so they can be used to recover encrypted files.

Scenario 2: Retire a permanent card that has a duplicate smart card

1. Revoke all certificates on the Permanent Card – the permanent card is no longer assigned to the user – the smart card doesn't have any certificates, as they are deleted.

2. Disable the Duplicate Smart Card (which revokes all certificates on the card) – the duplicate smart card is still assigned to the user – the smart card still has certificates, but they are revoked, so they can be used to recover encrypted files.

[Figure: certificate state after smart card retirement]

Disable Smart Card

[Figure: certificate state after disabling a smart card]

Duplicate Smart Card

FIM will recover the same encryption certificates (if archived) and will always issue new signing certificates.

[Figure: certificate state after duplicating a smart card]

Online Update a Smart Card – Case 1

Assumptions:

User X is enrolled for two smart cards, one of which is a duplicate. The Online Update Policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. Smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).

Action: the administrator performs an online update for the PERM card, chooses (Certificate Content Change) and chooses to update only the (Signing Certificate Template).

What will happen:

Online Update cannot be done fully from the administrator workstation. The (Update Initiator) initiates the Online Update request for a smart card; after this action is approved in a workflow, as described in the management policy workflow, the user should log on to the FIM Client site and check his requests. He will see two approved Online Update requests (one for each card). The user should then insert his permanent smart card and choose to execute the first approved online update, and then insert the second, duplicate smart card and execute the second approved online update.

The user ends up with two smart cards with the encryption certificate untouched. But both signing certificates on the smart cards are revoked and deleted, and new ones are issued and written to the smart cards, as shown in the figure below.

[Figure: online update, case 1 (signing template only)]

Online Update a Smart Card – Case 2

Assumptions:
User X is enrolled for two smart cards, one of which is a duplicate. The Online Update Policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. Smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).

Action: the administrator performs an online update for the PERM card, chooses (Certificate Content Change) and chooses to update only the (Encryption Certificate Template).

What will happen:

Online Update cannot be done fully from the administrator workstation. The (Update Initiator) initiates the Online Update request for a smart card; after this action is approved in a workflow, as described in the management policy workflow, the user should log on to the FIM Client site and check his requests. He will see two approved Online Update requests (one for each card). The user should then insert his permanent smart card and choose to execute the first approved online update, and then insert the second, duplicate smart card and execute the second approved online update.

The user ends up with two smart cards with the signing certificates untouched. But the encryption certificate (E1) is revoked and kept on the smart cards for recovery use. New encryption certificates E2 and E3 are then issued and written to the cards, as shown in the figure below.

The user ends up with two cards and two encryption certificates, E1 and E2. To solve this, you can now retire smart card DUB (this revokes and deletes S2, E2) and then duplicate the PERM card. After all is done, the DUB card will have (S3, E2, and the revoked E1).

 

[Figure: online update, case 2 (encryption template only)]

Online Update a Smart Card – Case 3

Assumptions:
User X is enrolled for two smart cards, one of which is a duplicate. The Online Update Policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. Smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).

Action: now the administrator deletes the signing certificate from the profile template and initiates an online update of the smart card (it doesn't matter whether it is the PERM card or the DUB card).

What will happen:

Online Update cannot be done fully from the administrator workstation. The (Update Initiator) initiates the Online Update request for a smart card; after this action is approved in a workflow, as described in the management policy workflow, the user should log on to the FIM Client site and check his requests. He will see two approved Online Update requests (one for each card). The user should then insert his permanent smart card and choose to execute the first approved online update, and then insert the second, duplicate smart card and execute the second approved online update.

The user ends up with two smart cards with the signing certificates revoked and deleted. The encryption certificate is not touched.

[Figure: online update, case 3 (signing template removed)]

Online Update a Smart Card – Case 4

Assumptions:
User X is enrolled for two smart cards, one of which is a duplicate. The Online Update Policy is configured to (Revoke Archived Certificates) for both the (Certificate Content Change) and (Certificate Expiry) reasons. Smart cards are enrolled using a profile template that contains two certificate templates (Encryption Certificate Template and Signing Certificate Template).

Action: now the administrator deletes the encryption certificate from the profile template and initiates an online update of the smart card (it doesn't matter whether it is the PERM card or the DUB card).

What will happen:

Online Update cannot be done fully from the administrator workstation. The (Update Initiator) initiates the Online Update request for a smart card; after this action is approved in a workflow, as described in the management policy workflow, the user should log on to the FIM Client site and check his requests. He will see two approved Online Update requests (one for each card). The user should then insert his permanent smart card and choose to execute the first approved online update, and then insert the second, duplicate smart card and execute the second approved online update.

The user ends up with two smart cards with the encryption certificates revoked and deleted. The signing certificates are not touched.

[Figure: online update, case 4 (encryption template removed)]

WOW.. That was a lot of info and testing! I hope you find this a nice post.

Active Directory AD Inactive Computer Cleanup Script

One of the most wanted scripts in every organization.

You definitely need a way to identify inactive computers in your network (Active Directory), get a detailed report, and perhaps act on it manually or automatically.

First Question: How to identify inactive computers?

The answer is mentioned in one of my blog posts. For simplicity, you can identify an inactive computer by looking at the computer's last password reset attribute (pwdLastSet).

Each computer has a password in AD, and each computer will attempt to change this password automatically every X days (by default once every 30 days). This behavior can be controlled by Group Policy under (Computer Configuration > Windows Settings > Security Settings > Security Options > “Domain member: Maximum machine account password age”).

So if every computer (by default) contacts the domain controllers and changes its password once every 30 days, then computers that didn't change their password in, for example, 60 days are considered inactive for sure. (60 days is a very safe threshold; usually 45 days is good practice.)

Second Question: What to do with inactive computers?

Usually you don't want to delete them, or maybe you do. I prefer to create a separate quarantine OU named (Inactive Computers), and then disable each inactive computer and move it to this OU.

Third Point/Question: What is the preferred frequency for doing cleanup?

It depends. I usually do it once every quarter.

Fourth Point: Be careful

I have discovered that sometimes some computer accounts, like cluster computer objects and the like, do not reset their passwords with AD. Maybe this was the case with legacy systems, but keep an eye on this.

I prefer that you do not invoke actions automatically on data center servers; instead, get a report on what seems to be an inactive server and act on it manually after communicating with the other teams.

The Script:

You can get the script from here:

DOWNLOAD LINK  : http://sdrv.ms/1eMAbfV

Script Description

Here we go... now focus with me for five minutes.

Preparation:

You first need to make sure that the computer running the script has the (Active Directory PowerShell) module. You also need to download the Quest Active Directory PowerShell Extensions on that machine and run their MSI. It is a free AD PowerShell extension and the best on the market. (http://www.quest.com/powershell/activeroles-server.aspx)

This is, for example, how to install the Active Directory PowerShell module on a Windows 7 machine (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx)

For the Quest Active Directory PowerShell extensions, the link I mentioned above contains the place to download the free Quest PowerShell MSI extension. Just run the MSI and you are ready to go.

So why do we need those modules installed on the machine the script runs from? Well, we need the Active Directory PowerShell module because we need to query Active Directory. We also need the Quest Active Directory PowerShell extensions because they have very extended commands that make it easy to query Active Directory.

Finally, you need to run the script with an account that has permission to read AD computer objects, the right to disable computer accounts, and the right to move computer accounts to the quarantine OU.

Script Modes:

  1. Report Mode: in this mode, the script runs and identifies inactive computers. It also sends you a nice email with the total number of inactive computers and a breakdown per OU. No actions are performed.
  2. Action Mode: in this mode, the script disables inactive computers and moves them to a quarantine OU that you specify in the first lines of the script, and it also sends the report of inactive computers.

You can control which mode the script runs in by modifying the script, simply by setting [bool]$ReportOnly = $True.

$True makes the script work in Report Mode, while $False makes it work in Action Mode.

Customize the script for your environment

[int]$DaysforPasswordSet = 60 : this line means that the script will consider computers that didn't reset their password with Active Directory for more than 60 days as inactive computers.

[string]$ExcludedComputersG = “Excluded Inactive Computers” : if you create a security group in your Active Directory named (Excluded Inactive Computers) and populate it with computer accounts, then the script will query this group and will not perform any action on those computers. Think of this as a bypass list of computers. I am using a normal security group to group those computers.

$QuarantineOU = “contoso.com/inactive computers” : this is the OU that inactive computers are moved to if the script is running in (Action Mode).

$SearchBase_Sites = “contoso.com/sites” : this is the root container that the script searches in. In your case, you can set it to a wider scope, like “contoso.com”, or a narrower scope, like “contoso.com/OU1/OU2”.

Finally, the last line of the script sends an email with the result. By default, the script sets the email sender to (noreply@contoso.com), the recipient to (admin@contoso.com) and the SMTP server to (smtp.contoso.com). Of course you need to customize those settings.

Final Thought

Imagine that someone comes to you and asks you to enable a certain computer and move it back to its original OU. Since the script disables inactive computers and moves them to a quarantine OU in Action Mode, how can you remember the original location of the computer before it was disabled and moved?

The script solves this for you. When the script moves a computer to the quarantine OU, it writes the computer's original OU path to the computer's custom attribute 1. So just open an attribute editor or ADSI Edit, browse to the computer's custom attribute 1, and you will find the original location of the computer before it was moved.

Last Advice:

Run the script in Report Mode once or twice until you are very sure that you fully understand the script's power and logic. Also, avoid running the script in Action Mode against data center computers. Instead, run it in Report Mode and send the results to your data center admin.
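The logic described above, as an added example that is not the author's script: it uses the Microsoft ActiveDirectory module in place of the Quest extensions, finds computers whose pwdLastSet is older than $DaysforPasswordSet days, skips members of the bypass group and anything already in the quarantine OU, prints the per-OU breakdown, and in Action Mode records the original OU in extensionAttribute1 (assumed to be the "custom attribute 1" the post refers to) before disabling and moving the account. The OU distinguished names and group name are placeholders.

```powershell
Import-Module ActiveDirectory

# --- Customization (placeholders; same knobs as the post's script) ---
[bool]$ReportOnly           = $true       # $true = Report Mode, $false = Action Mode
[int]$DaysforPasswordSet    = 60
[string]$ExcludedComputersG = 'Excluded Inactive Computers'
$QuarantineOU     = 'OU=Inactive Computers,DC=contoso,DC=com'
$SearchBase_Sites = 'OU=Sites,DC=contoso,DC=com'

$cutoff = (Get-Date).AddDays(-$DaysforPasswordSet)

# Bypass list: computer accounts that are (nested) members of the exclusion group
$excluded = @{}
Get-ADGroupMember -Identity $ExcludedComputersG -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $excluded[$_.distinguishedName] = $true }

# Candidates: enabled computers that have not rotated their password since $cutoff.
# Remember the post's caveat: cluster objects and some legacy systems never rotate it.
$inactive = @(Get-ADComputer -Filter 'Enabled -eq $true -and PasswordLastSet -lt $cutoff' `
                  -SearchBase $SearchBase_Sites -Properties PasswordLastSet, OperatingSystem |
              Where-Object { -not $excluded.ContainsKey($_.DistinguishedName) -and
                             $_.DistinguishedName -notlike "*,$QuarantineOU" })

function Get-ParentOU([string]$DistinguishedName) {
    # Everything after the first RDN, e.g. "OU=Finance,OU=Sites,DC=contoso,DC=com"
    ($DistinguishedName -split ',', 2)[1]
}

# Report: total and a breakdown per OU (this is what Report Mode mails out)
"Inactive computers (pwdLastSet older than $DaysforPasswordSet days): $($inactive.Count)"
$inactive | Group-Object { Get-ParentOU $_.DistinguishedName } |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
$inactive | Sort-Object PasswordLastSet |
    Format-Table Name, PasswordLastSet, OperatingSystem, DistinguishedName -AutoSize

if (-not $ReportOnly) {
    foreach ($c in $inactive) {
        $originalOU = Get-ParentOU $c.DistinguishedName
        # Record where it came from first, so the account can be restored later
        Set-ADComputer -Identity $c -Replace @{ extensionAttribute1 = $originalOU }
        Disable-ADAccount -Identity $c
        Move-ADObject -Identity $c -TargetPath $QuarantineOU
        "Quarantined $($c.Name) (was in $originalOU)"
    }
}
```

Restoring a machine is the reverse: read extensionAttribute1, Enable-ADAccount, then Move-ADObject back to that OU.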

Monitor Disk Space using a nice script

Hi everyone,

I was working on finding a way to monitor disk space on servers. The solution is simple.
Go to one of your servers, open a PowerShell console as an administrator and type:
Set-ExecutionPolicy remotesigned

Now you can run the attached script below, but you need to customize some settings inside the script under the first section.

Then you can run the script from a PowerShell window, or you can schedule it using Task Scheduler, and it will send you a couple of emails with nice reports.

Below is the script... I couldn't upload the script in PS1 format, so I had to paste it into a Word document.

Version 2 of the script is now available: http://sdrv.ms/1bEdvy2

Script Features:

  • You can set different thresholds for C drives and data drives
  • You can set a warning threshold and an error threshold
  • Email notification
  • You can customize the script to report only certain logical drives
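The threshold logic that this feature list and the Version 2 post at the top of this page describe, as an added example that is not the author's script: it reads the server list from list.txt next to the script, queries each server's local fixed disks over WMI, applies separate warning/error thresholds to the system drive and to data drives, treats the thresholds as GB or, when $UsePercentage is set, as a percentage of each disk's total size, and in alert mode mails only the servers past an error threshold. All values in the customization block are placeholders to tune.

```powershell
# --- Script customization (placeholders) ---
[bool]$UsePercentage = $true          # thresholds are % of total size instead of GB
[bool]$AlertMode     = $true          # mail only when an ERROR threshold is crossed
$SystemDrive = 'C:'                   # the system drive gets its own thresholds
$Thresholds  = @{                     # GB, or % when $UsePercentage is $true
    System = @{ Warning = 15; Error = 6 }
    Data   = @{ Warning = 10; Error = 5 }
}
$SmtpServer = 'smtp.contoso.com'; $From = 'noreply@contoso.com'; $To = 'admin@contoso.com'

function Get-DiskStatus {
    param([string]$Computer)
    # DriveType 3 = local fixed disk; removable and network drives are skipped
    Get-WmiObject -Class Win32_LogicalDisk -ComputerName $Computer -Filter 'DriveType = 3' -ErrorAction Stop |
        ForEach-Object {
            if (-not $_.Size) { return }          # unformatted volume: nothing to measure
            $t      = if ($_.DeviceID -eq $SystemDrive) { $Thresholds.System } else { $Thresholds.Data }
            $freeGB = [math]::Round($_.FreeSpace / 1GB, 1)
            $pct    = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
            $free   = if ($UsePercentage) { $pct } else { $freeGB }
            $status = if ($free -le $t.Error) { 'ERROR' } elseif ($free -le $t.Warning) { 'WARNING' } else { 'OK' }
            [pscustomobject]@{ Server = $Computer; Drive = $_.DeviceID; FreeGB = $freeGB; FreePct = $pct; Status = $status }
        }
}

# list.txt sits next to the script (falls back to the current folder when pasted into a console)
$scriptDir = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$listFile  = Join-Path $scriptDir 'list.txt'
if (-not (Test-Path $listFile)) { throw "list.txt not found: $listFile" }

$results = foreach ($server in (Get-Content $listFile | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    try { Get-DiskStatus -Computer $server }
    catch {
        # An unreachable server is reported as an error, not silently dropped from the mail
        [pscustomobject]@{ Server = $server; Drive = '-'; FreeGB = $null; FreePct = $null
                           Status = "UNREACHABLE: $($_.Exception.Message)" }
    }
}

$results | Sort-Object Server, Drive | Format-Table -AutoSize

# Alert mode: mail only when an error threshold was crossed, and only the affected rows
$errors = @($results | Where-Object { $_.Status -notin 'OK', 'WARNING' })
if (-not $AlertMode -or $errors.Count -gt 0) {
    $rows = if ($AlertMode) { $errors } else { $results }
    $body = $rows | Sort-Object Server, Drive | Format-Table -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "Disk space report: $($errors.Count) error(s)" -Body $body
}
```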