EmailRSS

Category Archives: Scripting

This category contains any scripting related posts.

KList Purge and GPUpdate Security Group Members

Posted on by

Security Group membership changes require a reboot before a computer can apply them. This prevents any newly filtered and scoped GPOs from applying as well. A past article showed how to use the built-in Klist tool to refresh the machine ticket and avoid that reboot.

But what if you need to KList Purge a bunch of computers? The script, below, will purge/refresh the system ticket and run a GPUpdate on all computers in a security group.

You could string together the psexec commands into a single line or call the commands as a batch file to make it more efficient. For simplicity of sharing, I left it as two separate commands.

Enjoy!

Write-Host "This script will refresh the system token and gpupdate all computers in a group."
$GroupName = Read-Host "What is the group name?"

$ADGroup = get-adgroup -Identity $GroupName

if ($? -eq $true){

    $Computers = Get-ADGroupMember -identity "$GroupName" -Recursive  | Where ObjectClass -eq computer

    Write-Host $GroupName contains $Computers.Count devices. Press enter to refresh the token and gpupdate this group.
    pause

    foreach ($Computer in $Computers){
        $ComputerName = $Computer.Name
        write-host $ComputerName
            &psexec.exe \\$ComputerName -accepteula -d -h -s -n 2 "c:\windows\System32\klist.exe" -li 0x3e7 purge
            &psexec.exe \\$ComputerName -accepteula -d -h -s -n 2 "c:\windows\System32\gpupdate.exe"
    }
}

Syncing AD Security Groups to Office 365 Groups and Teams

Posted on by

By using PowerShell, you can keep on-premise Active Directory groups (security or distribution) synced to Office 365 Groups and Microsoft Teams.

Microsoft has been working on a native group syncing tool for a few years. As of the current date, circa 1 AC1, this tool is still in development. You can check the status of it here. The release date has changed several times so don’t get too attached to it.

The PowerShell script, below, will let you sync your on-premise groups to your Azure / Microsoft 365 groups. Most of this script came from this Microsoft Teams blog.

To use it, set the $O365User and $O365Password variables to a user that has permission to update group memberships in Office 3652. You will also need to set ‘@DOMAIN.COM’ on line 54.

When you run the script, it will look at every AD group in your environment3 and compare their name against unified groups. If the name matches, it will sync group membership (add/remove group members) from the unified group in Azure.

One final note. When setting this script to run automatically, limit it to once or so a day. If it runs more than that, Outlook will show incorrect group membership counts to users.

$O365User = "USERNAME@DOMAIN.COM"
$O365Password = ConvertTo-SecureString -string "PASSWORDFORUSER" -AsPlainText -force
$O365Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $O365User,$O365Password

# get credentials and login as Exchange admin and PS Session (remember to close session later)
$ExchangeCred = $O365Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $ExchangeCred -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking -AllowClobber


# get credentials and login as AAD admin
$AADCred =$O365Credential
Connect-MsolService -Credential $AADCred


#Get List of Non School Data Sync Groups from O365 and AD
$Groups = Get-UnifiedGroup -ResultSize Unlimited | ? {$_.PrimarySmtpAddress -notlike "Section_*"}
$ADGroups = get-adgroup -Filter *

#Cycle Through Groups - Compare to AD - Add/Remove Users from O365
foreach ($Group in $Groups){
        $GroupDisplayName = $Group.DisplayName
        if (($ADGroups | where Name -eq $GroupDisplayName) -ne $Null){
                Write-Host $GroupDisplayName
                #pause
                # get name of O365 Group to look up
                $O365GroupName = "$GroupDisplayName"

                # get name of Security Group to look up
                $securityGroupName = "$GroupDisplayName"

                # get O365 Group ID
                ### you can do this via AAD as well: $O365Group = Get-MsolGroup | Where-Object {$_.DisplayName -eq $O365GroupName}
                $O365Group = Get-UnifiedGroup -Identity $O365GroupName 
                $O365GroupID = $O365Group.ID
                Write-Output "O365 Group ID: $O365GroupID"


                # get list of O365 Group members
                ### you can do this via AAD as well: $O365GroupMembers = Get-MsolGroupMember -GroupObjectId $O365GroupID
                $O365GroupMembers = Get-UnifiedGroupLinks -Identity $O365GroupID -LinkType subscribers -ResultSize unlimited

                # get list of Security Group members
                $securityGroupMembers = Get-ADGroupMember -Identity $securityGroupName -Recursive

                # loop through all Security Group members and add them to a list

                Write-Output "Loading list of Security Group members"
                $securityGroupMembersToAdd = New-Object System.Collections.ArrayList
                foreach ($securityGroupMember in $securityGroupMembers) 
                {
                        $memberType = $securityGroupMember.objectClass
                        if ($memberType -eq 'User') {
                                $memberEmail = $securityGroupMember.SamAccountName + '@DOMAIN.COM'
                                $securityGroupMembersToAdd.Add($memberEmail)
                        }
                }

                # add all the Security Group members to the O365 Group
                Write-Output "Adding Security Group members to O365 Group"
                Add-UnifiedGroupLinks -Identity $O365GroupID -LinkType members -Links $securityGroupMembersToAdd
                Add-UnifiedGroupLinks -Identity $O365GroupID -LinkType subscribers -Links $securityGroupMembersToAdd

                # loop through the O365 Group and remove anybody who is not in the security group
                Write-Output "Looking for O365 Group members who are not in Security Group"
                $O365GroupMembersToRemove = New-Object System.Collections.ArrayList
                foreach ($O365GroupMember in $O365GroupMembers) {
                        $userFound = 0
                        foreach ($emailAddress in $O365GroupMember.EmailAddresses) {
                                Write-Host $emailAddress
                                #pause
                                $emailAddress = $emailAddress.substring($emailAddress.indexOf(":")+1,$emailAddress.length-$emailAddress.indexOf(":")-1)
                                Write-Host $EmailAddress
                                if ($securityGroupMembersToAdd -icontains($emailAddress)) { $userFound = 1 }
                        }
                        if ($userFound -eq 0) { $O365GroupMembersToRemove.Add($O365GroupMember) 
                        #pause
                        }
                }


                if ($O365GroupMembersToRemove.Count -eq 0) {
                        Write-Output "   ...none found"
                } else {
                # remove members
                        Write-Output " ... removing $O365GroupMembersToRemove"
                                foreach ($memberToRemove in $O365GroupMembersToRemove) {
                                Remove-UnifiedGroupLinks -Identity $O365GroupID -LinkType subscribers -Links $memberToRemove.name -Confirm:$false
                                Remove-UnifiedGroupLinks -Identity $O365GroupID -LinkType members -Links $memberToRemove.name -Confirm:$false
                        }
                }
        }
}
# close the Exchange session
Remove-PSSession $Session
Write-Output "Done. Thanks for playing."

How to Make Teams Silently Install and Auto Login

Posted on by

Installing Microsoft Teams is easy. Getting Teams to silently install, auto login, and customized for your environment is a bit more work.

By using Group Policy or SCCM, you can have Teams auto starting, running in the background, and visible in the notification areas for all users. Let’s start with deployment.

Deploying Microsoft Teams Silently

Download the x64 machine-wide installers from here: https://teams.microsoft.com/downloads/desktopurl?env=production&plat=windows&arch=x64&managedInstaller=true&download=true

Using Group Policy Software Installation or SCCM, deploy the MSI. The only MSI parameter that I use is ALLUSERS=1 . This installer is a little weird. It will copy a couple of files into ProgramFiles(x86)\Teams Installer.

Teams is installed to the Teams Installer folder in ProgramFiles (x86).

Out of the box, Teams will try to auto start for every user that logs in to a computer by running the \Teams Installer\Teams.exe file. There are a few ways to stop this.

You can use the installation parameter OPTIONS=”noAutoStart=true” . If you did this, your installation command might look like: msiexec /i Teams_windows_x64.msi OPTIONS=”noAutoStart=true” ALLUSERS=1 .

You can also use Group Policy. The Group Policy method provides an easy on/off switch in case you change your mind about autostarting in the future. Download and import the latest Office365 ADMX files into your Group Policy Central Store. And then enable the Prevent Microsoft Teams from starting automatically after installation under Administrative Templates\Microsoft Teams.

I went with a slightly modified Group Policy method because I do not let programs start automatically from the default Run list. Instead, I use a Group Policy Registry Preference Item. This item adds a run once key that starts the Teams Installer executable on logon.

Setting Teams to Auto Login and Open in the Background

Most user settings for Teams, including the Open Application in Background setting are stored in %APPDATA%\Microsoft\Teams\desktop-config.json.

Open your desktop-config.json file1 and find the appPreferenceSettings section. Set openAsHidden, openAtLogin, registerAsIMProvider 2, and runningOnClose as true.

Here is a snippet from my JSON showing those settings:

"appPreferenceSettings":{"disableGpu":false,"openAsHidden":true,"openAtLogin":true,"registerAsIMProvider":true,"runningOnClose":true}

Copy your edited JSON to a network location and deploy it to your user’s roaming appdata. I use Group Policy File Preferences to do this and I have the preference action set to Update.

While you are working in Group Policy Preferences, create an item to delete the Microsoft Teams shortcut that is created on the desktop. Without this, a new Microsoft Teams shortcut is created on every computer that you login on.

If you prevent programs from starting automatically on logon, add %APPDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Corporation\Microsoft Teams.lnk to your Run these programs at user logon allow list.

Stop Teams Firewall Prompt and Add Notification Icon

There are two final customizations to make. First, let’s get rid of the firewall prompt that can appear when someone starts a Teams call or screen share.3

Copy the below PowerShell script and make it run as a logon/logon PowerShell script in Group Policy. Most of my staff will not jump into Teams on the first logon so I set it as a logoff script as it isn’t a big deal if it runs multiple times.

new-netfirewallRule -name ${UserName}-Teams.exe-tcp -Displayname ${UserName}-Teams.exe-tcp -enabled:true -Profile Any -Direction Inbound -Action Allow -program ${LocalAppData}\microsoft\teams\current\teams.exe -protocol TCP

new-netfirewallRule -name ${UserName}-Teams.exe-udp -Displayname ${UserName}-Teams.exe-udp -enabled:true -Profile Any -Direction Inbound -Action Allow -program ${LocalAppData}\microsoft\teams\current\teams.exe -protocol UDP

Because you set Teams to automatically start and run in the background, you may want it to always appear in the Notification Area (clock location in the bottom right). This gives users an easy way to see notifications and open Teams. To do so, use this PowerShell script:

<#
Set the $ProgramName to the program that needs to stay visible. Tea is the correct program name for Microsoft Teams

Source: https://4sysops.com/archives/forcing-notification-area-icons-to-always-show-in-windows-7-or-windows-8/
#>

$ProgramName = "Tea"
$Setting = 2
$encText = New-Object System.Text.UTF8Encoding
[byte[]] $bytRegKey = @()
$strRegKey = ""
$bytRegKey = $(Get-ItemProperty $(Get-Item 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify').PSPath).IconStreams
for($x=0; $x -le $bytRegKey.Count; $x++)
{
$tempString = [Convert]::ToString($bytRegKey[$x], 16)
switch($tempString.Length)
{
0 {$strRegKey += "00"}
1 {$strRegKey += "0" + $tempString}
2 {$strRegKey += $tempString}
}
}

[byte[]] $bytTempAppPath = @()
$bytTempAppPath = $encText.GetBytes($ProgramName)
[byte[]] $bytAppPath = @()
$strAppPath = ""

Function Rot13($byteToRot)
{
if($byteToRot -gt 64 -and $byteToRot -lt 91)
{
$bytRot = $($($byteToRot - 64 + 13) % 26 + 64)
return $bytRot
}
elseif($byteToRot -gt 96 -and $byteToRot -lt 123)
{
$bytRot = $($($byteToRot - 96 + 13) % 26 + 96)
return $bytRot
}
else
{
return $byteToRot
}
}

for($x = 0; $x -lt $bytTempAppPath.Count * 2; $x++)
{
If($x % 2 -eq 0)
{
$curbyte = $bytTempAppPath[$([Int]($x / 2))]
$bytAppPath += Rot13($curbyte)
}
Else
{
$bytAppPath += 0
}
}

for($x=0; $x -lt $bytAppPath.Count; $x++)
{
$tempString = [Convert]::ToString($bytAppPath[$x], 16)
switch($tempString.Length)
{
0 {$strAppPath += "00"}
1 {$strAppPath += "0" + $tempString}
2 {$strAppPath += $tempString}
}
}

if(-not $strRegKey.Contains($strAppPath))
{
Write-Host Program not found. Programs are case sensitive.
break
}

[byte[]] $header = @()
$items = @{}

for($x=0; $x -lt 20; $x++)
{
$header += $bytRegKey[$x]
}

for($x=0; $x -lt $(($bytRegKey.Count-20)/1640); $x++)
{
[byte[]] $item=@()
$startingByte = 20 + ($x*1640)
$item += $bytRegKey[$($startingByte)..$($startingByte+1639)]
$items.Add($startingByte.ToString(), $item)
}

foreach($key in $items.Keys)
{
$item = $items[$key]
$strItem = ""
$tempString = ""
for($x=0; $x -le $item.Count; $x++)
{
$tempString = [Convert]::ToString($item[$x], 16)
switch($tempString.Length)
{
0 {$strItem += "00"}
1 {$strItem += "0" + $tempString}
2 {$strItem += $tempString}
}
}
if($strItem.Contains($strAppPath))
{
Write-Host Item Found with $ProgramName in item starting with byte $key
$bytRegKey[$([Convert]::ToInt32($key)+528)] = $setting
Set-ItemProperty $($(Get-Item 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify').PSPath) -name IconStreams -value $bytRegKey
ps explorer | kill
}
}

The script, above, will refresh the Explorer process which makes the screen “flicker” once. I set the script to run through a Scheduled Task that waits for Idle. This allows me to deploy it through Group Policy Preferences and ensure it does not run when someone is using their computer.

That is a lot of work for a single app! Hopefully, this guide made it a bit easier for you. Depending on the route you took, you should now have a Teams setup that is automatically installs, auto starts, runs in the background, and is generally unobtrusive for your users.

Setting Up A Scheduled Task Server and Automatic Tasks

Posted on by

As a follow-up to this regular and manual maintenance tasks post, let’s focus on tasks that are scheduled and automated. To make management a bit easier, there are a few things that I like to do before setting up the first task.

Setting Up A Scheduled Task Server

First, where possible – run your tasks from a central dedicated VM with dedicated user(s) accounts. In the past, I’ve setup these tasks on my workstation with my user. When my machine messed up or I changed my password (or any other number of things), the tasks stopped working. Now, I like to use a VM with dedicated service users delegated the permissions required for their task. For example, you might have a user for AD changes, SCCM management, and syncing to outside services. Or you might be comfortable with one account delegated only the permissions that it needs. Either way, your service account(s) most likely do not need domain admin permissions and should not be used elsewhere.

Second, make sure that you have a backup strategy for your maintenance machine. We often forget to include these types of side servers in DR plans. As you centralize tasks, they become critical to your environment.

Automatic Tasks for Your Server

Here is a list of tasks that I have running. Item without a link are custom scripts that I haven’t polished enough to publish here. 🙂

Those are the main tasks that keep our environment humming along. What automatic tasks do you use?

Finding Unconfigured Aerohive APs with PowerShell

Posted on by

Every now and then, an unconfigured Aerohive AP will pop up in our environment. These access points won’t work until their serial number is enrolled into our HiveManager first.

Finding an unconfigured AP is easy with PowerShell, provided you are using a universal naming convention with existing devices. Because configured APs are named SITE-ROOM-AP01, we can look for DHCP leases that match the default Aerohive AP naming scheme.1

Here is a script that will look in all DHCP scopes on a server and return any lease that ends with a dash and half a MAC address (ex: AH-0Fa1B3). You will need to change the first two lines to match your environment and you will need the DHCP cmdlets, which are installed with RSAT.

$DHCPServer = 'DHCP-Server-01'
$DOMAIN = 'domain.local'

$Scopes = Get-DhcpServerv4Scope -ComputerName $DHCPServer

foreach ($Scope in $Scopes){

$ScopeID = $Scope.ScopeID
$Leases = Get-DhcpServerv4Lease -ScopeId $ScopeID -ComputerName $DHCPServer | Select-Object HostName,IPaddress,ClientID

$Regex = '([-])([0-9A-Fa-f]{6})(.' + $DOMAIN + ')$'

    foreach ($Lease in $Leases){
        if ($Lease.HostName -match $Regex -eq $True){
            Write-Host $Lease.IPAddress , $Lease.hostname
        }
    }
}

If you have any problems running this script or improvements to it, just leave a comment!