Using Group Policy to assign a WSUS server as the Windows Update location

 

 

Open the Group Policy Editor.

Expand down to the Group Policy Objects container, right-click it and select New.

Name it according to whatever standards you are using and click OK.

Right-click the new GPO and select Edit.

The Group Policy Management Editor opens. Navigate down to

Computer Configuration => Administrative Templates => Windows Components => Windows Update. Then look for Configure Automatic Updates and double-click it.

Click Enabled and choose the installation method that is appropriate for you.

Then double-click Specify intranet Microsoft update service location.

Click Enabled. Then enter the WSUS server and statistics server and click OK.

Finally, link the Group Policy to the OU that you want to apply it to.
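To confirm on a client that the GPO has applied, this added example (not from the original post) reads the Windows Update policy values that the two settings above write to the client registry and lists anything that looks wrong. The function names and the URL http://wsus01.example.com:8530 are assumptions for illustration, and the sample hashtable is constructed.

```powershell
# Added example: verify the WSUS policy a client has actually received.
# The two GPO settings are stored under these keys on the client.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = Join-Path $WuKey 'AU'

function Get-WsusClientPolicy {
    # Read the live values; a missing key or value comes back as $null.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    @{
        WUServer       = $wu.WUServer        # intranet update service
        WUStatusServer = $wu.WUStatusServer  # intranet statistics server
        UseWUServer    = $au.UseWUServer     # 1 = use the intranet server
        NoAutoUpdate   = $au.NoAutoUpdate    # 0 = Configure Automatic Updates is enabled
        AUOptions      = $au.AUOptions       # the installation method chosen in the GPO
    }
}

function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        [string]$ExpectedServer   # hypothetical: the URL typed into the GPO
    )
    $findings = @()
    if (-not $Policy.WUServer) {
        $findings += 'WUServer is not set: the GPO has not applied to this computer.'
    }
    else {
        if ($Policy.UseWUServer -ne 1) {
            $findings += 'UseWUServer is not 1: the client is not using the intranet server.'
        }
        if ($Policy.WUServer -ne $Policy.WUStatusServer) {
            $findings += 'WUServer and WUStatusServer differ; they must match to be valid.'
        }
        if ($ExpectedServer -and $Policy.WUServer -ne $ExpectedServer) {
            $findings += "WUServer is '$($Policy.WUServer)', expected '$ExpectedServer'."
        }
        if ($Policy.WUServer -notmatch '^https://') {
            $findings += 'WUServer is not an https:// URL: update metadata is fetched without TLS.'
        }
    }
    if ($Policy.NoAutoUpdate -eq 1 -or $null -eq $Policy.AUOptions) {
        $findings += 'Configure Automatic Updates is not enabled on this computer.'
    }
    $findings
}

# Constructed sample: values a client configured by the GPO above might hold.
$sample = @{
    WUServer       = 'http://wsus01.example.com:8530'
    WUStatusServer = 'http://wsus01.example.com:8530'
    UseWUServer    = 1
    NoAutoUpdate   = 0
    AUOptions      = 4
}
Test-WsusClientPolicy -Policy $sample -ExpectedServer 'http://wsus01.example.com:8530'

# On a real client, after gpupdate /force:
# Test-WsusClientPolicy -Policy (Get-WsusClientPolicy)
```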

 

 

Installing and configuring WSUS

 

 

Log on to the member server that you want to install WSUS on and open Server Manager.

Click Add Roles and Features.

Select Windows Server Update Services.

Click Add Features, then click Next.

Click Next at the Features window.

There is the option here to use the Windows Internal Database (WID) or another database. I am choosing the WID and clicking Next.

Select the path where you want to store updates. I am using c:\wsus but a larger storage area on a different disk or network share might be more appropriate.

Click Next, accepting the defaults.

Finally, click Install and give it some time to install.

Once it has installed, go back to Server Manager and click on the Tools menu.

Select Windows Server Update Services.

Click Run.

Let the task run for a while; as it says, it might take a few minutes.

After it completes, click Close.

Update Services opens.

If the Windows server configuration tool does not open automatically, you can start it from the Options menu.

Read the Before You Begin screen and click Next.

Choose whether or not to join the improvement program and click Next.

This is the upstream server, so I am choosing to update with Microsoft Update.

If you need to use a proxy server, configure it here.

Click Next.

Click Start Connecting. This takes some time.

Click Next.

The default is to download updates in all languages. This can take up a lot of extra space, so it is better to download only the languages you need. In my case, English.

Click Next.

In the list of products to update, be sure to include only the ones you need. You should be able to remove Windows 2000, for example.

When you are satisfied, click Next.

Select the update classifications that you want to download and click Next.

You can select how you want synchronization to occur: manually, or automatically at a certain time and a set number of times a day.

When you have decided, click Next.

You can now choose to begin the initial synchronization by checking Begin, then clicking Next.

Now you can review the final steps and click Finish.

Next, go to the Update Services console and click on Updates.

Select the updates that you want to approve, right-click on them and select Approve.

All of the settings to be configured can be found under Options.

Click on any of the links and you can make configuration changes here.
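The same installation and first-run configuration can be scripted, which makes the choices reviewable and repeatable. This is an added example, not from the original post: it reuses the c:\wsus path and the English-only choice from the steps above, while the product titles, classification titles and the sync time are placeholders to replace with your own selection.

```powershell
# Added example: scripted equivalent of the wizard steps above.
# Run in an elevated PowerShell session on the member server.

# Install the role; the UpdateServices feature uses the Windows Internal Database.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Post-installation task (the "Click Run" step), storing content in c:\wsus.
New-Item -Path 'C:\wsus' -ItemType Directory -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall CONTENT_DIR=C:\wsus
if ($LASTEXITCODE -ne 0) { throw "WsusUtil postinstall failed with exit code $LASTEXITCODE" }

$wsus = Get-WsusServer

# This is the upstream server: synchronize from Microsoft Update.
Set-WsusServerSynchronization -SyncFromMU | Out-Null

# Languages: English only instead of the all-languages default.
$config = $wsus.GetConfiguration()
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# "Start Connecting": download the product and classification catalogue first.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
    Start-Sleep -Seconds 10
}

# Products: disable everything, then enable only what you actually run.
$wantedProducts = @('Windows Server 2012 R2')               # placeholder titles
Get-WsusProduct | Set-WsusProduct -Disable
Get-WsusProduct |
    Where-Object { $_.Product.Title -in $wantedProducts } |
    Set-WsusProduct

# Classifications: same approach.
$wantedClasses = @('Critical Updates', 'Security Updates')  # placeholder titles
Get-WsusClassification | Set-WsusClassification -Disable
Get-WsusClassification |
    Where-Object { $_.Classification.Title -in $wantedClasses } |
    Set-WsusClassification

# Synchronization schedule: automatic, once a day (time of day is in UTC).
$subscription = $wsus.GetSubscription()
$subscription.SynchronizeAutomatically = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 2
$subscription.NumberOfSynchronizationsPerDay = 1
$subscription.Save()

# Begin the initial synchronization.
$subscription.StartSynchronization()

# Once the sync has finished, approval can be scripted as well:
# Get-WsusUpdate -Classification Security -Approval Unapproved |
#     Approve-WsusUpdate -Action Install -TargetGroupName 'All Computers'
```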

 

 

 

 

 

 

Creating an Elastic IP address in AWS

 

 

There are times when using an instance's DNS string is fine, but there are other times when you always want to know what your server's IP address is.

This is where Elastic IP addresses come in.

The first step is to create an Elastic IP address.

From the EC2 Dashboard select Elastic IPs.

Click on Allocate New Address.

There is an important choice here between EC2 and VPC. Make sure you choose the correct one for your environment and click Yes, Allocate.

Your new static public IP address is created. Click Close and go on to the Associate Address step.

To associate the address, click on Associate Address, then from the popup screen click inside the Instance box. A list of current instances appears; select the correct one and click Associate.

If you are not sure which one it is, go back to Instances and look for the instance ID.

After you have clicked the Associate button you can view which IP address is associated with each instance.

Note there is a nominal fee for Elastic IP addresses that are not associated with a running instance. So keep that in mind and don't create Elastic IPs if you are not going to use them.


PowerShell Loops

 

 

There are several different types of loops in PowerShell. I am going to show the basic format of 5 of them:

The IF 

Switch

Do while

Do Until

ForEach

and The For Loop

The if loop has the following syntax (check out help about_if )

if (<test1>)
{<statement list 1>}
[elseif (<test2>)
{<statement list 2>}]
[else
{<statement list 3>}]

$q = Read-Host -Prompt "Enter Yes No or Maybe"

if ($q -eq "yes") {
    Write-Host "You entered Yes"
}
elseif ($q -eq "No") {
    Write-Host "You entered No"
}
elseif ($q -eq "Maybe") {
    Write-Host "You entered Maybe"
}
else {
    Write-Host "You're not taking this question seriously"
}

The Switch construct has the following Syntax:

From help about_switch

A basic Switch statement has the following format:

Switch (<test-value>)
{
<condition> {<action>}
<condition> {<action>}
}

$q = Read-Host -Prompt "Enter Yes No or Maybe"

switch ($q)
{
    'Yes'   { Write-Host "you entered Yes" }
    'No'    { Write-Host "you entered No" }
    'Maybe' { Write-Host "you entered Maybe" }
    Default { Write-Host "you didn't take the question seriously" }
}

Do-While and Do-Until (from help about_do)

The following shows the syntax of the Do-While statement:
do {<statement list>} while (<condition>)
The following shows the syntax of the Do-Until statement:
do {<statement list>} until (<condition>)

$x = 10

do
{
    Write-Host $x
    $x--
}
while ($x -gt 0)

The result of this script is:

10
9
8
7
6
5
4
3
2
1

The do-until command is slightly different.

To achieve the same results you have to change the condition to $x -eq 0, because do-until keeps looping until the condition becomes true.

$x = 10
do
{
    Write-Host $x
    $x--
}
until ($x -eq 0)

ForEach (from help about_foreach)

Syntax
The following shows the ForEach syntax:
foreach ($<item> in $<collection>){<statement list>}

$computers = @("workstation1", "WS2", "windows7", "Windows8")

foreach ($computer in $computers) {
    Write-Host "$computer"
}

For (from help about_for)

Syntax
The following shows the For statement syntax.
for (<init>; <condition>; <repeat>)
{<statement list>}

for ($i = 1; $i -lt 10; $i++)
{
write-host $i
}

Another way of using this is to step through an array:

$s = Get-Service

# Arrays are zero-indexed, so this prints elements 1 to 9 (the second to the tenth service).
for ($i = 1; $i -lt 10; $i++)
{
    $a = $s[$i]
    Write-Host $a
}

How I study for Microsoft Certification

When I study for Microsoft certification I use the following resources:

 

First I use CBT Nuggets. I start by watching the videos in double time. Then in single time I go through and make notes using OneNote. I find it good to paste from the screen straight into OneNote, make my own notes and create links to relevant resources like TechNet.

Next, where there are procedures I go through and do them on servers that I provision on AWS. I used to use VMware for this but I am limited on how many servers I can bring up at the same time. Having said that, I do use VMware for anything relating to Hyper-V as it is not possible to install on an AWS instance.

After I have made my notes from CBT Nuggets and done the examples I go and buy a practice exam. Whatever questions I get wrong I make notes on and anything that involves a procedure I make sure that I do on a virtual machine.

When I am scoring around 95% consistently then I go sit the exam.

 

5 Ways to find a MAC address

 

 

I was once asked in an interview how to find a MAC address. I answered with getmac, which at the time I thought was the best way of doing this. The guy asking the question obviously wanted ipconfig /all. There is nothing wrong with that, but it gives you a lot of unnecessary information if you are only after the MAC address, and no way of using this information in a script. It got me thinking about how many ways there are to find a MAC address and which ones are the best ways. Here are 5 that I have come up with.

getmac

ipconfig /all

Get-WmiObject -Class Win32_NetworkAdapterConfiguration

Get-WmiObject -Class win32_networkadapter

Get-NetAdapter

My favourite one of these is Get-NetAdapter.

I like this one because of the information that it gives. With a simple bit of scripting you could automate this to find the MAC address of every machine in your network, showing name and MAC address.

A good thing to know when querying with PowerShell is the Select -ExpandProperty command. If you use this you can narrow your queries down to just the information that is interesting to you.

 PS C:\Users\Administrator> get-netadapter | select -ExpandProperty macaddress
22-00-0B-0B-95-10
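The "simple bit of scripting" mentioned above could look like the following. This is an added example, not from the original post; the function name, the host names and the output path are assumptions, and it requires WinRM on the remote machines and Windows 8 / Server 2012 or later for Get-NetAdapter.

```powershell
# Added example: collect adapter name and MAC address from several computers.
function Get-MacInventory {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        try {
            # -Physical skips virtual and hidden adapters.
            Get-NetAdapter -CimSession $computer -Physical -ErrorAction Stop |
                Select-Object @{ n = 'Computer'; e = { $computer } },
                              Name, Status, MacAddress
        }
        catch {
            # Keep unreachable machines in the report instead of silently dropping them.
            [pscustomobject]@{
                Computer   = $computer
                Name       = $null
                Status     = 'Unreachable'
                MacAddress = $null
            }
        }
    }
}

# Hypothetical host names; in a domain the list could come from
# Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
Get-MacInventory -ComputerName 'DC01', 'member01', 'w8p' |
    Export-Csv -Path 'C:\Temp\mac-inventory.csv' -NoTypeInformation
```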

Reading data from a file in PowerShell

 

 

This post is about getting data from an array, file, or csv and cycling it through a PowerShell script.

However you get the data you need to store it into a variable. For this demo I am using the variable $items.

To cycle through items one by one you need a foreach loop.

This takes the following form:

foreach ($variable in $list){

#do something

}

Here is an example

$computers = @("DC01","w8p","member01")

foreach ($computer in $computers) {
    Test-Connection -ComputerName $computer -Quiet
}

The script goes through the array and tests whether it can ping the hosts one by one. If it can, it returns True; if not, it returns False.

First you need to put your list into a variable. There are a number of ways of doing this.

Get-Content can be used to read the content of a file. $A = Get-Content -Path "C:\temp\list.txt"

Import-Csv imports the content of a CSV (comma-separated values) file, which can be created with Excel. $a = Import-Csv -Path "C:\Temp\file.csv"

You can use an array like I did in the last example. $A = @("value1","value2","etc")

Finally, you can use the output of a Get command, like $A = Get-ADComputer -Filter *

When you collect objects as opposed to text, you reference the property you want inside the foreach statement, something like:

foreach ($item in $items){ $item.name }

Here is an example of importing a CSV into a variable and simply writing it out to the host.

I have created a simple CSV called shapes.csv.

$shapes = Import-Csv -Path "C:\Temp\shapes.csv"

foreach ($shape in $shapes)
{
    Write-Host $shape.name $shape.colour $shape.sides
}

You can see how the first line of each column becomes the header and the name of the property.

I am going to show the same example with a text file.

I have made a list called items.txt

If you need to you can copy the content of any get command and paste it to notepad. It may not be the best way of scripting but it works in a pinch.

$items = Get-Content -Path C:\Temp\items.txt

foreach ($item in $items){
Write-Host $item
}

PS C:\WINDOWS\system32> $items = Get-Content -Path C:\Temp\items.txt

foreach ($item in $items){
Write-Host $item
}
square
box
table
graph
chair
speaker
cup

 

 

 

Creating an Event Viewer subscription

 

 

The server that you want to collect the Event Viewer entries on is the collector.

The server that you want to send events from is the forwarder.

The first step is to open Event Viewer on the collector.

From Event Viewer, click on Subscriptions.

You are prompted to start the event collector service; click Yes.

From a command or PowerShell prompt type:

 wecutil.exe qc

You will be prompted to proceed; type Y to proceed.

Now on the forwarding computer you need to run winrm quickconfig.

A quick way to do that is with PowerShell remoting. From the All Servers section of Server Manager, right-click on the forwarding computer and select PowerShell.

Now you need to add the collecting computer to the Event Log Readers local security group on the forwarding computer. This can be done with PowerShell remoting again by entering the following command:

net localgroup "event log readers" dc01$ /add

Just to confirm, and to demonstrate the GUI way of doing things, I have opened Computer Management on the forwarding machine and double-clicked on Event Log Readers; DC01 is listed as a member. If you want to do this the other way, click on the Add button and search for the computer.

Now go back to the collecting computer, right-click on Subscriptions and click Create Subscription.

I am doing collector initiated but you could choose source computer initiated.

Add the computer or computers, as your case may be; it is a good idea to click Test just to see that it works.

You should select which events you want to collect.

Pick whatever you want to filter on; I have chosen the Application log.

Click OK and OK and the subscription is created.
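The same collector-initiated subscription can be built from the command line with wecutil, which leaves a definition file that can be reviewed and reused. This is an added example, not from the original post: the subscription name, the file path and the forwarder name member01.example.com are assumptions, while dc01$ and the Application log selection follow the steps above.

```powershell
# Added example: run on the collector (DC01 in this post) in an elevated session.
$forwarder = 'member01.example.com'   # hypothetical forwarding computer
$collector = 'dc01$'                  # the collector's computer account

# Forwarder side: enable WinRM and let the collector read the event logs.
Invoke-Command -ComputerName $forwarder -ScriptBlock {
    winrm quickconfig -quiet
    net localgroup 'Event Log Readers' $using:collector /add
}

# Collector side: start the Windows Event Collector service.
wecutil.exe qc /q

# Subscription definition: collector initiated, Application log only,
# using the collector's own (Default) credentials.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AppLog-From-Members</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Application log from member servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$forwarder</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

$path = Join-Path $env:TEMP 'applog-subscription.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8

wecutil.exe cs $path                  # create the subscription
wecutil.exe es                        # list subscriptions on this collector
wecutil.exe gr AppLog-From-Members    # runtime status for each event source

# Forwarded events arrive in the Forwarded Events log on the collector.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 -ErrorAction SilentlyContinue
```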

 

 

 

 

Querying Active Directory with PowerShell tools

 

 

With Windows Server 2012, when you install Active Directory the system also installs the Active Directory PowerShell module.

The other PowerShell tool, and my preferred one in some ways, is the Quest ActiveRoles Management Shell for Active Directory. It is a free download and has the advantage of being able to query and manipulate legacy domains back to 2003, and it can be run from an XP workstation that is not even in a domain.

For a complete listing of AD commands type Get-Command Get-AD*

The main commands that I seem to use are:

Get-ADComputer

NAME
Get-ADComputer

SYNOPSIS
Gets one or more Active Directory computers.
SYNTAX
Get-ADComputer [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize
<Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] -Filter
<String> [<CommonParameters>]

Get-ADComputer [-Identity] <ADComputer> [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Partition
<String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>]

Get-ADComputer [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize
<Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>]
-LDAPFilter <String> [<CommonParameters>]
DESCRIPTION
The Get-ADComputer cmdlet gets a computer or performs a search to retrieve multiple computers.

Get-ADUser

NAME
Get-ADUser

SYNOPSIS
Gets one or more Active Directory users.

SYNTAX

Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize
<Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] -Filter
<String> [<CommonParameters>]

Get-ADUser [-Identity] <ADUser> [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Partition <String>]
[-Properties <String[]>] [-Server <String>] [<CommonParameters>]

Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize
<Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>]
-LDAPFilter <String> [<CommonParameters>]
DESCRIPTION
The Get-ADUser cmdlet gets a user object or performs a search to retrieve multiple user objects.

Get-ADGroup
NAME
Get-ADGroup

SYNOPSIS
Gets one or more Active Directory groups.
SYNTAX
Get-ADGroup [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] -Filter <String> [<CommonParameters>]

Get-ADGroup [-Identity] <ADGroup> [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Partition <String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>]

Get-ADGroup [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] -LDAPFilter <String> [<CommonParameters>]
DESCRIPTION
The Get-ADGroup cmdlet gets a group or performs a search to retrieve multiple groups from an Active Directory.

Get-ADGroupMember

NAME
Get-ADGroupMember

SYNOPSIS
Gets the members of an Active Directory group.
SYNTAX
Get-ADGroupMember [-Identity] <ADGroup> [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Partition <String>] [-Recursive [<SwitchParameter>]] [-Server <String>] [<CommonParameters>]
DESCRIPTION
The Get-ADGroupMember cmdlet gets the members of an Active Directory group. Members can be users, groups, and computers.

Get-ADDomainController

NAME
Get-ADDomainController

SYNOPSIS
Gets one or more Active Directory domain controllers based on discoverable services criteria, search parameters or by providing a domain controller identifier, such as the NetBIOS name.
SYNTAX
Get-ADDomainController [[-Identity] <ADDomainController>] [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Server <String>] [<CommonParameters>]

Get-ADDomainController [-AuthType <ADAuthType>] [-AvoidSelf [<SwitchParameter>]] [-DomainName <String>] [-ForceDiscover [<SwitchParameter>]] [-MinimumDirectoryServiceVersion <ADMinimumDirectoryServiceVersion>] [-NextClosestSite [<SwitchParameter>]] [-Service <ADDiscoverableService[]>] [-SiteName <String>] [-Writable [<SwitchParameter>]] -Discover [<SwitchParameter>] [<CommonParameters>]

Get-ADDomainController [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Server <String>] -Filter <String> [<CommonParameters>]
DESCRIPTION
The Get-ADDomainController cmdlet gets the domain controllers specified by the parameters. You can get domain controllers by setting the Identity, Filter or Discover parameters.

 

One thing to note when using these commands is that -Filter does not always work the way you might think it should.

Here is an example:

PS C:\Users\Administrator> Get-ADUser -Filter {name -like "*admin*"}
DistinguishedName : CN=Administrator,CN=Users,DC=example,DC=com
Enabled : True
GivenName :
Name : Administrator
ObjectClass : user
ObjectGUID : f19d3d13-169f-4dab-94dd-dc6786d12359
SamAccountName : Administrator
SID : S-1-5-21-771749751-4163724236-1264096806-500
Surname :
UserPrincipalName :

 

PS C:\Users\Administrator> Get-ADUser -Filter {distinguishedname -like "*admin*"}

If you filter name -like *admin* you get users with admin in their name, but distinguishedName either has to be -eq to the entire distinguished name or it returns nothing.

PS C:\Users\Administrator> Get-ADUser -Filter {distinguishedname -eq 'CN=Administrator,CN=Users,DC=example,DC=com'}
DistinguishedName : CN=Administrator,CN=Users,DC=example,DC=com
Enabled : True
GivenName :
Name : Administrator
ObjectClass : user
ObjectGUID : f19d3d13-169f-4dab-94dd-dc6786d12359
SamAccountName : Administrator
SID : S-1-5-21-771749751-4163724236-1264096806-500
Surname :
UserPrincipalName :

Another thing to note is that not all properties are passed on to the pipeline unless -Properties * is added. This can be good because you can control which properties are passed.

All of the following properties can be passed through the pipeline:

AccountExpirationDate
accountExpires
AccountLockoutTime
AccountNotDelegated
adminCount
AllowReversiblePasswordEncryption
BadLogonCount
badPasswordTime
badPwdCount
CannotChangePassword
CanonicalName
Certificates
City
CN
codePage
Company
CompoundIdentitySupported
Country
countryCode
Created
createTimeStamp
Deleted
Department
Description
DisplayName
DistinguishedName
Division
DoesNotRequirePreAuth
dSCorePropagationData
EmailAddress
EmployeeID
EmployeeNumber
Enabled
Fax
GivenName
HomeDirectory
HomedirRequired
HomeDrive
HomePage
HomePhone
Initials
instanceType
isCriticalSystemObject
isDeleted
KerberosEncryptionType
LastBadPasswordAttempt
LastKnownParent
lastLogoff
lastLogon
LastLogonDate
lastLogonTimestamp
LockedOut
logonCount
logonHours
LogonWorkstations
Manager
MemberOf
MNSLogonAccount
MobilePhone
Modified
modifyTimeStamp
msDS-User-Account-Control-Computed
Name
nTSecurityDescriptor
ObjectCategory
ObjectClass
ObjectGUID
objectSid
Office
OfficePhone
Organization
OtherName
PasswordExpired
PasswordLastSet
PasswordNeverExpires
PasswordNotRequired
POBox
PostalCode
PrimaryGroup
primaryGroupID
PrincipalsAllowedToDelegateToAccount
ProfilePath
ProtectedFromAccidentalDeletion
pwdLastSet
SamAccountName
sAMAccountType
ScriptPath
sDRightsEffective
ServicePrincipalNames
SID
SIDHistory
SmartcardLogonRequired
State
StreetAddress
Surname
Title
TrustedForDelegation
TrustedToAuthForDelegation
UseDESKeyOnly
userAccountControl
userCertificate
UserPrincipalName
uSNChanged
uSNCreated
whenChanged
whenCreated

 

Not all of them can be filtered, but you can search for them with the Where-Object cmdlet. It is better to use -Filter when you can and only pass the properties that you need, as this can speed up querying dramatically.

The following examples do the same thing but the first one is better practice.
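As an added example (not the original post's code) of server-side -Filter versus Where-Object, the script below runs the same account audit both ways and times each. It uses three properties from the list above that are worth reviewing regularly; the function name is an assumption, and the search base reuses the example.com domain from the output shown earlier.

```powershell
# Added example: requires the ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

$props  = 'PasswordNeverExpires', 'DoesNotRequirePreAuth', 'TrustedForDelegation'
$filter = 'Enabled -eq $true -and (PasswordNeverExpires -eq $true -or ' +
          'DoesNotRequirePreAuth -eq $true -or TrustedForDelegation -eq $true)'

function Measure-AdQuery {
    # Hypothetical helper: runs a query, returns elapsed time and sorted account names.
    param([Parameter(Mandatory)][scriptblock]$Query)
    $sw    = [System.Diagnostics.Stopwatch]::StartNew()
    $users = @(& $Query)
    [pscustomobject]@{
        Milliseconds = $sw.ElapsedMilliseconds
        Accounts     = @($users | Sort-Object SamAccountName |
                         Select-Object -ExpandProperty SamAccountName)
    }
}

# Better practice: the domain controller evaluates the filter and returns
# only matching users with only the requested extra properties.
$server = Measure-AdQuery { Get-ADUser -Filter $filter -Properties $props }

# Same result, but every user and every property crosses the network first.
$client = Measure-AdQuery {
    Get-ADUser -Filter * -Properties * | Where-Object {
        $_.Enabled -and
        ($_.PasswordNeverExpires -or $_.DoesNotRequirePreAuth -or $_.TrustedForDelegation)
    }
}

'Server-side -Filter : {0} accounts in {1} ms' -f $server.Accounts.Count, $server.Milliseconds
'Where-Object        : {0} accounts in {1} ms' -f $client.Accounts.Count, $client.Milliseconds
if (($server.Accounts -join ',') -ne ($client.Accounts -join ',')) {
    Write-Warning 'The two queries returned different accounts.'
}

# Report of the accounts found, with the flag that matched.
Get-ADUser -Filter $filter -Properties $props |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, PasswordNeverExpires, DoesNotRequirePreAuth, TrustedForDelegation |
    Format-Table -AutoSize

# distinguishedName cannot be wildcard-filtered (see above); to limit a query
# to one container, use -SearchBase instead.
Get-ADUser -Filter * -SearchBase 'CN=Users,DC=example,DC=com' |
    Select-Object -ExpandProperty DistinguishedName
```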

For all these Get commands there are corresponding Set commands. Each Get command can be piped to a Set command.

For example, if I wanted to change the postal code to 4219 from 4218 I can do the following:

Get-ADUser -Properties postalcode -Filter {postalcode -eq "4218"} |
    Set-ADUser -PostalCode "4219"

And the postal code changed.

 

Now using the Quest Active Directory Tools.

I have installed the PSSnapin on my member server. To load the snap-in run the command:

Add-PSSnapin Quest.ActiveRoles.ADManagement

If you are going to use these tools it is a good idea to put this command in your profile; that way it will load every time you open PowerShell. To get a listing of all the commands type:

Get-Command get-qad*

CommandType Name
----------- ----
Cmdlet Get-QADCertificate
Cmdlet Get-QADCertificateRevocationList
Cmdlet Get-QADComputer
Cmdlet Get-QADDiagnosticLogStatus
Cmdlet Get-QADGroup
Cmdlet Get-QADGroupMember
Cmdlet Get-QADInactiveAccountsPolicy
Cmdlet Get-QADLocalCertificateStore
Cmdlet Get-QADManagedObject
Cmdlet Get-QADMemberOf
Cmdlet Get-QADObject
Cmdlet Get-QADObjectSecurity
Cmdlet Get-QADPasswordSettingsObject
Cmdlet Get-QADPasswordSettingsObjectAppliesTo
Cmdlet Get-QADPermission
Cmdlet Get-QADPKIObject
Cmdlet Get-QADProgressPolicy
Cmdlet Get-QADPSSnapinSettings
Cmdlet Get-QADRootDSE
Cmdlet Get-QADUser

I find these commands easier to use. As an example, Get-QADUser will give me a listing of all users in the directory.

Filtering is easier too: I can just use name go* and it gives me every user starting with go.

And a simple | fl * will give me all the attributes.

I find the following easier to do with Quest than with the AD cmdlets.

And the postcode is changed back.

 

Adding Printers with PowerShell

 

 

Adding printers is probably best done with preferences, but there may be a time when you want to do this with PowerShell, like when you want it done now or you are working in a workgroup.

I have found two ways of doing this.

The first:

$PrinterPath = "\\servername.example.local\printer_name"
$net = New-Object -ComObject WScript.Network
$net.AddWindowsPrinterConnection($PrinterPath)

And the second way is:

Add-Printer -ConnectionName \\printServer\printerName

NAME
Add-Printer

SYNOPSIS
Adds a printer to the specified computer.

SYNTAX
Add-Printer [-ConnectionName] <String> [-AsJob] [-CimSession <CimSession[]>] [-ThrottleLimit <Int32>] [-Confirm]
[-WhatIf] [<CommonParameters>]

Add-Printer [-Name] <String> [-DriverName] <String> [-AsJob] [-BranchOfficeOfflineLogSizeMB <UInt32>] [-CimSession
<CimSession[]>] [-Comment <String>] [-ComputerName <String>] [-Datatype <String>] [-DisableBranchOfficeLogging]
[-KeepPrintedJobs] [-Location <String>] [-PermissionSDDL <String>] [-PrintProcessor <String>] [-Priority <UInt32>]
[-Published] [-RenderingMode <RenderingModeEnum>] [-SeparatorPageFile <String>] [-Shared] [-ShareName <String>]
[-StartTime <UInt32>] [-ThrottleLimit <Int32>] [-UntilTime <UInt32>] -PortName <String> [-Confirm] [-WhatIf]
[<CommonParameters>]

Add-Printer [-Name] <String> [-AsJob] [-BranchOfficeOfflineLogSizeMB <UInt32>] [-CimSession <CimSession[]>]
[-Comment <String>] [-ComputerName <String>] [-Datatype <String>] [-DeviceURL <String>] [-DeviceUUID <String>]
[-DisableBranchOfficeLogging] [-KeepPrintedJobs] [-Location <String>] [-PermissionSDDL <String>] [-PrintProcessor
<String>] [-Priority <UInt32>] [-Published] [-RenderingMode <RenderingModeEnum>] [-SeparatorPageFile <String>]
[-Shared] [-ShareName <String>] [-StartTime <UInt32>] [-ThrottleLimit <Int32>] [-UntilTime <UInt32>] [-Confirm]
[-WhatIf] [<CommonParameters>]
DESCRIPTION
The Add-Printer cmdlet adds a printer to a specified computer. You can add both local printers and connections to
network-based printers.

You cannot use wildcard characters with Add-Printer. You can use Add-Printer in a Windows PowerShell remoting
session.

You do not need administrator privileges to use Add-Printer.