# Install the Partner Center module for every user on this machine (AllUsers scope needs an elevated session).
# -AllowClobber lets the install proceed even when its command names collide with commands already installed.
Install-Module -Name PartnerCenter -AllowClobber -Scope AllUsers
# Sign in to Partner Center before running any query.
Connect-PartnerCenter
# Audit records from the last 89 days, reduced to the columns useful for a quick review of who changed what.
Get-PartnerAuditRecord -Start (Get-Date).AddDays(-89) | select ResourceType,organizationName,id,name
# NOTE(review): this line looks cut off by the page (possibly a longer Get-Partner* cmdlet name) - confirm against the original.
Get-Partner
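#### Install the AIPService Module - requires Windows
Install-Module -Name AIPService
#### Lists commands in the module
Get-Command -Module AIPService
#### Connects to the service
Connect-AipService
#### Is it enabled or disabled
Get-AipService
#### Configure AIP to point at group & also require license
# Get-AzADGroup comes from the Az modules and needs its own sign-in (not shown in this snippet).
# Group display names are not unique, so insist on exactly one match before its
# object ID is written into the onboarding policy.
$found = @(Get-AzADGroup -DisplayName "_test aip user group")
if ($found.Count -ne 1) {
    throw "Expected exactly one group named '_test aip user group', found $($found.Count)"
}
$group = $found[0]
# Onboarding control limits who may protect content, by licence and by group membership;
# check the cmdlet help for how the two conditions combine before relying on it.
Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $True -SecurityGroupObjectId $group.id -Scope All
#### Enable Service
Enable-AipService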
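# Patch a remote Hyper-V host: scan for and install Windows updates, and when a
# reboot is pending, save the running VMs, reboot the host, then start the same
# VMs again. The list of VM names is kept in a file on the target so it survives
# the reboot.
# NOTE(review): anyone able to write to C:\temp on the target could alter the list
# of VMs that gets started after the reboot - confirm the ACL on that folder.
$Target = "targetmachine"
$FilePath = "C:\temp\RunningVMs.txt"
# Stop here if the target cannot be reached instead of running the remaining steps without a session.
$Session = New-PSSession -ComputerName $Target -ErrorAction Stop
try {
    #Check if any updates
    Invoke-Command -Session $Session -ScriptBlock {
        $Updates = Start-WUScan
        #If there are updates then install them
        # $null goes on the left: with a collection on the left, -ne filters the
        # elements instead of testing the variable for null.
        if ($null -ne $Updates) {
            Install-WUUpdates -Updates $Updates
        }
    }
    #Check if target needs reboot after installing updates
    $IsPendingReboot = Invoke-Command -Session $Session -ScriptBlock {
        Get-WUIsPendingReboot
    }
    if ($IsPendingReboot -eq $true) {
        write-host "true"
        #If target needs reboot then save running VMs, reboot, start previously running VMs
        Invoke-Command -Session $Session -ScriptBlock {
            if (!(Get-Item C:\temp -ea ignore)) {mkdir C:\temp}
            # Select-Object -ExpandProperty yields an empty array when no VM is running.
            $Running = @(Get-VM | Where-Object {$_.State -eq "Running"} | Select-Object -ExpandProperty Name)
            $Running | Out-File -FilePath $using:FilePath
            # Save-VM rejects an empty name list, so skip it when nothing is running.
            if ($Running.Count -gt 0) {
                Save-VM -Name $Running
            }
        }
        # The session does not survive the reboot; release it before restarting.
        Remove-PSSession -Session $Session -ErrorAction SilentlyContinue
        $Session = $null
        #Restart the server
        Restart-Computer -ComputerName $Target -Wait -Force
        #Create new session, and restart previously running VMs
        $Session = New-PSSession -ComputerName $Target -ErrorAction Stop
        Invoke-Command -Session $Session -ScriptBlock {
            # Wait for the Hyper-V management service before touching any VM.
            Do {
                Start-Sleep -Seconds 30
            }
            Until (
                (get-service vmms).status -eq "Running"
            )
            # Drop blank lines so an empty list file does not reach Start-VM.
            $Saved = @(Get-Content -Path $using:FilePath | Where-Object {$_})
            if ($Saved.Count -gt 0) {
                Start-VM -Name $Saved
            }
            Remove-Item -Path $using:FilePath
        }
    }
}
finally {
    # Always release the remoting session, including when a step above fails.
    if ($Session) {
        Remove-PSSession -Session $Session -ErrorAction SilentlyContinue
    }
}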
Script for Servicedesk to check default MFA method for users
# Service-desk check: for each sAMAccountName in the pipe-separated list, look up
# the user's UPN in AD and print the default MFA method recorded in MSOnline.
# PhoneAppNotification and TwoWayVoiceMobile are printed in green; every other
# value, including no default method at all, is printed in red.
$Users = "samaccountname1|samaccountname2"
$Users = $Users.Split("|")
Connect-MsolService
ForEach ($User in $Users) {
    $UPN = (Get-ADUser $User).UserPrincipalName
    $Methods = (Get-MsolUser -UserPrincipalName $upn).StrongAuthenticationMethods
    $MethodType = ($Methods | Where-Object {$_.IsDefault -eq $true}).MethodType
    # Same two comparisons as an If / ElseIf chain, folded into one colour choice.
    If (($MethodType -eq "PhoneAppNotification") -or ($MethodType -eq "TwoWayVoiceMobile")) {
        $Colour = "Green"
    }
    Else {
        $Colour = "Red"
    }
    Write-Host $UPN $MethodType -ForegroundColor $Colour
}
Generating Certificate Signing Requests on Windows Machines
https://graph.microsoft.com/v1.0/users?$count=true&$filter=Department eq 'Finance'&$orderBy=displayName&$select=id,displayName,department
https://graph.microsoft.com/v1.0/users?$count=true&$filter=UserType eq 'Guest'&$select=id,displayName,department,externalUserState
https://graph.microsoft.com/v1.0/users?filter=externalUserState
https://graph.microsoft.com/v1.0/users/"SomeUserID"/externalUserState
https://graph.microsoft.com/v1.0/users/{GUID}/externalUserState
General Useful Linux Commands
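#### Sudo is not installed by default on Debian, so install it (run this one as root):
apt install sudo
### Add a user account (-m also creates the home directory)
sudo useradd -m nameofaccounttoadd
#### Sometimes there is a sudoers list; edit it with visudo, which checks the syntax before saving:
# /etc/sudoers
#### Sometimes there is an ssh users list (AllowUsers / AllowGroups in the sshd config):
# /etc/ssh/sshd_config
### Change the password for a user
# passwd prompts for the new password; type it at the prompt so it never lands
# in shell history or the process list.
sudo passwd nameofaccounttoadd
#### Add a user to the sudo group (-a appends; without it -G replaces the user's other supplementary groups)
sudo usermod -a -G sudo nameofaccounttoadd
#### Set the expiry date on an account (at 0000 hrs)
sudo usermod -e 2018-10-24 accountname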
#### Debug Commands
# The first three commands clear any earlier debug state before a new trace is set up.
# Flow debugging prints per-packet detail to the console and can add load on a busy
# firewall, so keep the filter narrow and disable debugging again when finished.
diagnose debug disable
diagnose debug flow filter clear
diagnose debug reset
get router info routing-table all
diagnose debug flow filter addr x.x.x.x —> where x.x.x.x is the IP
address of the source or destination
diagnose debug flow filter addr x.x.x.x x.x.x.x and
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
# The number after "start" is how many packets to trace (100 here).
diagnose debug flow trace start 100
diagnose debug enable
#### Show current flow filters
diag deb flow filter
#### LACP mode
# NOTE(review): this looks like three CLI lines collapsed into one
# (config system interface / edit <name> / set lacp-mode ...) - confirm.
configure system interface edit set lacp-mode {static | passive | active}
#### ARP
get system arp
Various Windows Notes
Updating firmware on Dell servers should be done in a certain order, as per this article: https://www.dell.com/support/article/uk/en/ukbsdt1/how10160/dell-poweredge-update-server-firmware-for-optimal-performance?lang=en
#### Ping Logging with time
# Continuous ping of one address with the current date/time prefixed to every output line.
Start-Transcript -path C:/Script/PingLog.txt -Append | Ping.exe -t 192.168.1.1 | ForEach {"{0} – {1}" -f (Get-Date),$_}
# https://blog.roostech.se/2016/02/use-powershell-jobs-to-ping-many-from-many-with-log.html
# Many-to-many ping logging: one background job is started per source/target pair.
$sources = 'server1', 'server2', 'server3'
$targets = 'server4', 'server5'
$logpath = 'C:\temp\'
# Job body. Arguments: [0] source computer, [1] target computer, [2] log folder.
$pingscript = {
# Loops until the job is stopped; nothing in this snippet stops the jobs or trims the logs.
while ($true) {
$pingdate = Get-Date -Format u
# One log file per source/target pair per day, in the folder passed as the third argument.
$logpath = "$($args[2])$($args[0])_$($args[1])_$(Get-Date -f yyyy-MM-dd).log"
# -Skip 2 drops the first two lines that ConvertTo-Csv emits, leaving only the data row.
# NOTE(review): that assumes Windows PowerShell, where those lines are the #TYPE line and
# the header; PowerShell 6+ omits the #TYPE line by default, so -Skip 2 would drop the
# data row as well - confirm the version this runs under.
Try {
Test-Connection -Count 1 -ErrorAction Stop -Source $($args[0]) -ComputerName $($args[1]) `
| Select-Object {$pingdate}, __SERVER, Address, ResponseTime `
| ConvertTo-Csv `
| Select-Object -Skip 2 `
| Out-File -FilePath $logpath -Append
} catch {
# A failed ping is logged as a row with ResponseTime 9999 so gaps show up in the log.
$responseprops = [ordered]@{
'datetime' = $pingdate
'__SERVER' = $args[0]
'Address' = $args[1]
'ResponseTime' = '9999'
}
$response = New-Object psobject -Property $responseprops
ConvertTo-Csv -InputObject $response `
| Select-Object -Skip 2 `
| Out-File -FilePath $logpath -Append
}
Start-Sleep -Seconds 1
}
}
# Start one named job for every source/target combination.
foreach ($source in $sources){
foreach ($target in $targets){
Start-Job -Name "$source ping $target" -ScriptBlock $pingscript -ArgumentList $source, $target, $logpath
}
}
http://pleasework.robbievance.net/howto-force-really-wsus-clients-to-check-in-on-demand/
#### Primes then reports
# Runs an update search through the Windows Update Agent COM object, then asks the client to report in.
# NOTE(review): $criteria is not defined in this snippet; a search criteria string
# (for example "IsInstalled=0") has to be assigned first - confirm the value wanted.
$updateSession = new-object -com “Microsoft.Update.Session”; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
wuauclt /reportnow
# Defender signature updates: check every hour and list the sources to try.
# NOTE(review): the braces make the fallback order a script block, copied from the
# syntax notation in the docs; the documented form is a single quoted string such as
# 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC' - confirm and correct.
Set-MpPreference -SignatureUpdateInterval 1 -SignatureFallbackOrder {InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC}
Update-MpSignature
# From <https://docs.microsoft.com/en-us/powershell/module/defender/update-mpsignature?view=windowsserver2019-ps>
# Scan, download and install Windows Updates with PowerShell | 4sysops
$updates = Start-WUScan
Install-WUUpdates $updates
Get-WUIsPendingReboot
# https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wsus
# https://microsoftgeek.com/?p=2247
# https://www.stephenwagner.com/2019/05/15/guide-using-installing-wsus-windows-server-core-2019/
#### WSUS on Server Core
# https://mcpmag.com/articles/2017/08/10/automate-wsus-using-the-powershell-updateservices.aspx
# https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/reindex-the-wsus-database
SQLCMD /?
# If error code returned is 0 SQLCMD is present. If not, it is not installed.
# http://woshub.com/schedule-task-to-start-when-another-task-finishes/
#### Extracting descriptions from WSUS DB
# https://serverfault.com/questions/704553/can-i-change-the-update-descriptions-in-wsus
Get-WsusUpdate -UpdateId b8c3207f-4469-46b3-9a0f-b4057b54add3 | select *
# NOTE(review): $wsus is not defined in this snippet; presumably a WSUS server object
# obtained earlier (for example from Get-WsusServer) - confirm.
$update = $wsus.SearchUpdates(‘KB890830’)
# Grow partition 2 on disk 10 to the largest size the disk currently supports.
# Disk and partition numbers are hard-coded; check them with Get-Partition first.
$size = Get-PartitionSupportedSize -DiskNumber 10 -PartitionNumber 2
Resize-Partition -DiskNumber 10 -PartitionNumber 2 -Size $size.SizeMax
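#### Get mounted ISOs
# Names are quoted: an unquoted bareword on the right of = is run as a command
# instead of being stored as a string.
$Cluster = "clustername"
$clusternodes = Get-ClusterNode -Cluster $Cluster
# Lists the DVD drives (and any mounted ISO) of every VM on every cluster node.
foreach ($clusternode in $clusternodes) {get-vm -computername $clusternode.name | get-vmdvddrive}
#### Remove disks from VMs
$VMs = "server1","server2","server3"
# Detaches every virtual disk on controller number 1 of the listed VMs.
# Append -WhatIf to Remove-VMHardDiskDrive for a dry run before doing it for real.
Get-VMHardDiskDrive -ComputerName diplodocus -VMName $VMs -ControllerNumber 1 | Remove-VMHardDiskDrive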
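#### Get AD Schema version
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
#### Get groups with extension attribute
Get-ADGroup -Filter * -Properties extensionAttribute15 | select name,extensionAttribute15
#### Set Extension Attributes for array $i
# NOTE(review): $groups is not defined in this snippet - fill it with the groups to tag first.
foreach ($i in $groups) {Set-ADGroup $i -add @{extensionAttribute15="NoSync"}}
#### Remove extension attribute from group
Set-ADGroup "groupname" -clear "extensionAttribute15"
#### Autopilot
Save-Script -Name Get-WindowsAutoPilotInfo -Path c:\temp
# Called by full path: the script is saved to c:\temp, which is not searched when only a bare script name is given.
c:\temp\Get-WindowsAutoPilotInfo.ps1 -OutputFile c:\temp\WindowsAutoPilotInfo.csv
#### Sharepoint
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
$SPAdminSite = "https://contoso-admin.sharepoint.com"
Connect-SPOService -Url $SPAdminSite
#### Get All OneDrive Sites
# The closing single quote inside the filter string is required; without it the filter is malformed.
Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/'"
#### Remove Sharepoint / OneDrive Site
Remove-SPOSite -Identity https://contoso-my.sharepoint.com/personal/j_doe_contoso_com
#### Grant permissions to another users OneDrive
# -IsSiteCollectionAdmin $true grants site collection admin on the OneDrive; $false, as written
# here, removes it. Remove the grant again once the access is no longer needed.
# NOTE(review): the heading says "grant" but the value is $false - confirm which was intended.
Set-SPOUser -Site https://contoso-my.sharepoint.com/personal/j_doe_contoso_com -LoginName firstname.surname@contoso.com -IsSiteCollectionAdmin $false
#### Exchange Powershell Module
Install-Module -Name ExchangeOnlineManagement
#### Azure AD
# Non-member (guest) accounts whose invitation state is anything other than "Accepted".
Get-AzureADUser -all $true | where {$_.UserType -ne "Member" -and $_.UserState -ne "Accepted"}
#### Azure AD – Users group memberships
Get-AzureADUser -Filter "UserPrincipalName eq 'firstname.surname@contoso.com'" |Get-AzureADUserMembership
#### DNS Server copy secondary zones
Get-DnsServerZone -ComputerName DNS1 | Where {$_.ZoneType -eq "Secondary"} | Add-DnsServerSecondaryZone -ComputerName DNS2
#### Get a registry item
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\TSMSI"
#### Get Members of distribution list and enumerate sender permissions
# NOTE(review): $dist is not defined in this snippet, and the -join "/","," expression looks
# garbled (a single separator string was probably intended) - confirm before use.
$dist | select Name,RequireSenderAuthenticationEnabled,CustomAttribute7,@{Name='AcceptMessagesOnlyFromSendersOrMembers';Expression={$_.AcceptMessagesOnlyfromSendersOrMembers -join "/",","}} | Export-Csv c:\temp\Dist
#### Get users default auth method
# The MSOnline module is deprecated by Microsoft; plan to move this query to Microsoft Graph PowerShell.
Install-Module MSOnline
Connect-msolservice
(Get-MsolUser -UserPrincipalName firstname.surname@contoso.com).StrongAuthenticationMethods
#### Prefer IPv4
#Check if IPv4 IP address is preferred
ping $env:COMPUTERNAME
#If the reply is IPv6 address, run following registry setting to just prefer ipv4 and reboot
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name "DisabledComponents" -Value 0x20 -PropertyType "DWord"
#If DisabledComponents exists, use the set cmdlet
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name "DisabledComponents" -Value 0x20
#You need to reboot the computer in order for the changes to take effect
# Restart-Computer with no arguments restarts the local machine immediately.
Restart-Computer
# From <https://msunified.net/2016/05/25/how-to-set-ipv4-as-preferred-ip-on-windows-server-using-powershell/>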
Configuring Split Horizon DNS in Windows Server
#### DNS Policy to prevent a subnet from obtaining AAAA records
# Define the client subnet the policy will match on.
Add-DnsServerClientSubnet -Name "VPNClientSubnet" -IPv4Subnet "192.168.0.0/24"
# Match AAAA queries from that subnet. With -Action IGNORE the query gets no answer at all,
# so clients wait for a timeout rather than receiving an empty response.
Add-DnsServerQueryResolutionPolicy -Name "VPNClientPolicy" -Action IGNORE -ClientSubnet "EQ,VPNClientSubnet" -QType "EQ,AAAA"
# NOTE(review): this turns the policy created above off again; presumably kept as the
# rollback command rather than meant to be run straight after - confirm.
Disable-DnsServerPolicy -Name "VPNClientPolicy" -Level Server
#### Mailbox Rules
# Lists the inbox rules of one mailbox. RedirectTo and ForwardTo are the columns to check
# for unexpected forwarding to external addresses; adding ForwardAsAttachmentTo and
# DeleteMessage to the property list covers the other rule actions worth reviewing.
Get-Mailbox SomePerson@contoso.com | Select-Object -ExpandProperty UserPrincipalName | Foreach-Object {Get-InboxRule -Mailbox $_ | Select-Object -Property MailboxOwnerID,Name,Enabled,From,Description,RedirectTo,ForwardTo}
#### Remove mailbox permissions
# NOTE(review): with -Deny this removes a Deny entry for FullAccess, not an Allow entry -
# confirm that is the entry meant to be removed.
Get-Mailbox firstname.surname@contoso.com | Remove-MailboxPermission -User "groupname" -AccessRights FullAccess -Deny
#### Keep copy of Sent As in Users Mailbox
# <mailbox name> is a placeholder; replace it, angle brackets included, with the mailbox identity.
Set-Mailbox <mailbox name> -MessageCopyForSentAsEnabled $True
#### Keep copy of Sent on Behalf in Users Mailbox
set-mailbox <mailbox name> -MessageCopyForSendOnBehalfEnabled $True
### Show interface brief
display interface brief
### Gets Serial Number
display device manuinfo
### Tag vlan 1
port trunk permit vlan 1
#### Backup Switch
backup startup-configuration to x.x.x.x
#### wipe config from switch
# Destructive: clears the saved main and backup configuration, then reboots.
# Take the backup above first. The n / y lines are presumably the answers to the
# reboot prompts (do not save the running config, confirm the reboot) - confirm.
reset saved-configuration main
reset saved-configuration backup
reboot
n
y
### Set up SSH, SFTP, TACACS
### From <https://www.madari.co.il/2017/07/hpe-comware-7-using-tacacs-with-aruba.html>
public-key local create rsa
ssh server enable
# Turns off SSHv1 compatibility so that only SSHv2 is accepted.
undo ssh server compatible-ssh1x
sftp server enable
ssh user admin service-type all authentication-type password
local-user admin
# Telnet sends credentials in clear text; leave "telnet" out of this list unless it is really needed.
service-type ssh telnet terminal
# NOTE(review): the tacacs-server / aaa lines below look like a different CLI dialect
# from the hwtacacs scheme further down - confirm which set applies to this switch.
# <tacacspassword> is the shared secret with the auth server; keep real values out of notes and tickets.
tacacs-server host <ip of primary auth server> key <tacacspassword>
tacacs-server host <ip of secondary auth server> key <tacacspassword>
aaa authentication login privilege-mode
aaa authentication ssh login tacacs local
aaa authentication console login tacacs local
aaa accounting exec start-stop tacacs
aaa accounting commands stop-only tacacs
hwtacacs scheme CPPM
primary authentication <ip of primary auth server>
primary authorization <ip of primary auth server>
primary accounting <ip of primary auth server>
# "simple" means the key is typed here in plain text; how it is then stored in the
# saved configuration depends on the software version - confirm.
key authentication simple <tacacspassword>
key authorization simple <tacacspassword>
key accounting simple <tacacspassword>
user-name-format without-domain
domain domain.com
# "local" after the scheme is the fallback to local accounts, so the local admin
# account needs a strong password of its own.
authentication login hwtacacs-scheme CPPM local
authorization login hwtacacs-scheme CPPM local
accounting login hwtacacs-scheme CPPM
accounting command hwtacacs-scheme CPPM
authorization command hwtacacs-scheme CPPM
#### Configure the use for default domain
domain default enable domain.com
#### Configure default role
role default-role enable
#### Last configure user interface access
line vty 0 63
# Scheme mode makes the VTY lines use the AAA configuration above.
authentication-mode scheme
user-role network-operator
# Per-command authorization and accounting go to the AAA scheme, giving an audit trail of commands run.
command authorization
command accounting