Active Directory – smsagent

Monitoring Changes to Active Directory Sites and Subnets with PowerShell

February 11, 2019 by Trevor Jones, posted in Active Directory, ConfigMgr, Network, Powershell, SCCM

If you work with SCCM and you use AD Forest Discovery to automatically create boundaries from AD Sites or Subnets, you know how important it is for AD to stay up to date with the current information. And when something is changed in Sites or Subnets, you need to be made aware of it so you can reflect the change in your SCCM boundaries and boundary groups. Unfortunately, communication between IT teams is not always what it should be, so I wrote this script to run as a scheduled task and keep an eye on any changes made in AD Sites and IP subnets.

The script works by retrieving the current site and subnet information and exporting it to cache files. The next time the script runs, it will compare the current information with the information in the cached files, and if anything has changed, a report will be sent by email detailing the changes.

It’s one way of ensuring you’re keeping SCCM in sync with your AD!

Removing Disabled Computer Accounts from SCCM with PowerShell

September 1, 2016December 4, 2017 by Trevor Jones, posted in Active Directory, Compliance, ConfigMgr, configmgr client health, Powershell, Reporting, SCCM

In System Center Configuration Manager there are 2 Site Maintenance tasks that help take care of stale or obsolete client records: Delete Aged Discovery Data and Delete Inactive Client Discovery Data. However in some cases some records can remain in SCCM and are not removed by these tasks, for example, when a system is no longer active but the computer account has not been deleted or disabled in Active Directory. AD System Discovery will continue to pick this system up and create a record for it, so maintenance of AD computer accounts is essential for a healthy ConfigMgr environment.

As long as a client is disabled or deleted from Active Directory and does not get picked up by any of the discovery methods, it will eventually get deleted from SCCM according to the schedule defined in these maintenance tasks.

For computer accounts that are disabled however, you might not want to wait for the maintenance tasks to remove them since you know they are no longer active and can safely be deleted from the SCCM database. Removing them sooner can improve compliance figures for deployment reporting, for example. For this scenario, I prepared a PowerShell script that can run as a scheduled task and remove any system that is marked as inactive – or does not have the SCCM client installed – and is also disabled or not present in active directory.

I’ll run through the script quickly here to explain what it does.

First we define some variables to be used in the script, such as the site code, the site server, and the email information (the script will email the SCCM admin with the list of systems it deletes):


$SiteCode = "ABC"
$SiteServer = "SCCMSERVER-01"
$EmailRecipient = "joe.blow@contoso.com"
$EmailSender = "PowerShell@contoso.com"
$SMTPServer = "SMTPServer.contoso.com"

Then we create a list of discovered systems in SCCM that are either inactive (determined by client health data) or have no SCCM client installed, using WMI on the site server:


try
{
    $DevicesToCheck = Get-WmiObject -ComputerName $SiteServer -Namespace root\SMS\Site_$SiteCode -Query "SELECT SMS_R_System.Name FROM SMS_R_System left join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceID where (SMS_G_System_CH_ClientSummary.ClientActiveStatus = 0 or SMS_R_System.Active = 0 or SMS_R_System.Active is null)" -ErrorAction Stop |
        Select -ExpandProperty Name |
        Sort
}
Catch
{
    $_
}

Next we check active directory for each system to find the status of the computer account and filter those that are either disabled or not present in AD using a custom function. Note that this function uses .Net to search AD so it is not dependent on having the RSAT tools installed.


$NotEnabledDevices = ($DevicesToCheck | foreach {
    Get-IsComputerAccountDisabled  -Computername $_
}) | where {$_.IsDisabled -ne $False}

Then we will attempt to remove each resulting system from SCCM using another custom function. This function uses WMI rather than the ConfigMgr PS cmdlets, again to remove the dependency.


$DeletedRecords = New-Object System.Collections.ArrayList
$Output = $NotEnabledDevices| foreach {
    Remove-CMRecord -Computername $_.ComputerName -DeviceStatus $_.IsDisabled -SiteCode $SiteCode -SiteServer $SiteServer
    }
$DeletedRecords.AddRange(@($Output))

Finally we send an HTML formatted email to the SCCM administrator with the list of systems that were deleted from SCCM:


If ($DeletedRecords.Count -ne 0)
{
    $Body = $DeletedRecords | ConvertTo-Html -Head $style -Body "
<h2>The following computer accounts are either disabled or not present in active directory and have been deleted from SCCM</h2>
" | Out-String
    Send-MailMessage -To $EmailRecipient -From $EmailSender  -Subject "Disabled Computer Accounts Deleted from SCCM ($(Get-Date -format 'yyyy-MMM-dd'))" -SmtpServer $SMTPServer -Body $body -BodyAsHtml
}

To verify in SCCM the systems that were deleted you can view the All Audit Status Messages from a Specific Site status message query.

IMPORTANT: As this script deletes records from the SCCM database, please be sure to understand what it does and to test it first before using it in any production environment!

Here is the full script:


$SiteCode = "ABC"
$SiteServer = "SCCMSERVER-01"
$EmailRecipient = "joe.blow@contoso.com"
$EmailSender = "PowerShell@contoso.com"
$SMTPServer = "SMTPServer.contoso.com"

#region Functions

# Function to check with the computer account is disabled
function Get-IsComputerAccountDisabled
{
  param($Computername)

  $root = [ADSI]''
  $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList ($root)
  $searcher.filter = "(&(objectClass=Computer)(Name=$Computername))"
  $Result = $searcher.findall()
  If ($Result.Count -ne 0)
  {
    $Result | ForEach-Object {
        $Computer = $_.GetDirectoryEntry()
        [pscustomobject]@{
            ComputerName = $Computername
            IsDisabled = $Computer.PsBase.InvokeGet("AccountDisabled")
        }
    }
  }
  Else
  {
      [pscustomobject]@{
      ComputerName = $Computername
      IsDisabled = "Not found in AD"
      }
  }
}

# Function to remove the device record from SCCM via WMI
function Remove-CMRecord
{
    [CmdletBinding()]

    Param
    (
        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Computername,
        [Parameter(Mandatory = $True)] [string] $SiteCode,
        [Parameter(Mandatory = $True)] [string] $SiteServer,
        [Parameter(Mandatory = $True)] [string] $DeviceStatus

    )

    Begin
    {
        $ErrorAction = 'Stop'
    }

    Process
    {

        # Check if the system exists in SCCM
        Try
        {
            $Computer = [wmi] (Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" -Class sms_r_system -Filter "Name = `'$Computername`'" -ErrorAction Stop).__PATH
        }
        Catch
        {
            $Result = $_
            Continue
        }

        # Delete it
        Try
        {
            $Computer.psbase.delete()
        }
        Catch
        {
            $Result = $_
            Continue
        }

        # Check that the delete worked
        Try
        {
            $Computer = [wmi] (Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" -Class sms_r_system -Filter "Name = `'$Computername`'" -ErrorAction Stop).__PATH
        }
        Catch
        {

        }

        # Report result
        If ($Computer.PSComputerName)
        {
            $Result = "Tried to delete but record still exists"
        }
        Else
        {
            $Result = "Successfully deleted"
        }
    }

    End
    {
        [pscustomobject]@{
        DeviceName = $Computername
        IsDisabled = $DeviceStatus
        Result = $Result
        }
    }
}

#endregion

# Let's get the list of inactive systems, or systems with no SCCM client, from WMI
try
{
    $DevicesToCheck = Get-WmiObject -ComputerName $SiteServer -Namespace root\SMS\Site_$SiteCode -Query "SELECT SMS_R_System.Name FROM SMS_R_System left join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceID where (SMS_G_System_CH_ClientSummary.ClientActiveStatus = 0 or SMS_R_System.Active = 0 or SMS_R_System.Active is null)" -ErrorAction Stop |
        Select -ExpandProperty Name |
        Sort
}
Catch
{
    $_
}

# Now let's filter those systems whose AD account is disabled or not present
$NotEnabledDevices = ($DevicesToCheck | foreach {
    Get-IsComputerAccountDisabled  -Computername $_
}) | where {$_.IsDisabled -ne $False}

# Then we will delete each record from SCCM using WMI
$DeletedRecords = New-Object System.Collections.ArrayList
$Output = $NotEnabledDevices| foreach {
    Remove-CMRecord -Computername $_.ComputerName -DeviceStatus $_.IsDisabled -SiteCode $SiteCode -SiteServer $SiteServer
    }
$DeletedRecords.AddRange(@($Output))

# Finally we will send the list of affected systems to the administrator
$style = @"
<style>
body {
    color:#333333;
    font-family: ""Trebuchet MS"", Arial, Helvetica, sans-serif;}
}
h1 {
    text-align:center;
}
table {
    border-collapse: collapse;
    font-family: ""Trebuchet MS"", Arial, Helvetica, sans-serif;
}
th {
    font-size: 10pt;
    text-align: left;
    padding-top: 5px;
    padding-bottom: 4px;
    background-color: #1FE093;
    color: #ffffff;
}
td {
    font-size: 8pt;
    border: 1px solid #1FE093;
    padding: 3px 7px 2px 7px;
}
</style>

"@
If ($DeletedRecords.Count -ne 0)
{
    $Body = $DeletedRecords | ConvertTo-Html -Head $style -Body "
<h2>The following systems are either disabled or not present in active directory and have been deleted from SCCM</h2>
" | Out-String
    Send-MailMessage -To $EmailRecipient -From $EmailSender  -Subject "Disabled Computer Accounts Deleted from SCCM ($(Get-Date -format 'yyyy-MMM-dd'))" -SmtpServer $SMTPServer -Body $body -BodyAsHtml
}

Finding the ‘LastLogon’ Date from all Domain Controllers with PowerShell

June 7, 2016 by Trevor Jones, posted in Active Directory, Powershell, Windows Server, Windows Troubleshooting

In an Active Directory environment, probably the most reliable way to query the last logon time of a computer is to use the Last-Logon attribute. The Last-Logon-Timestamp attribute could be used, but this will not likely be up-to-date due to the replication lag. If you are using PowerShell, the LastLogonDate attribute can also be used, however this is also a replicated attribute which suffers from the same delay and potential inaccuracy.

The Last-Logon attribute is not replicated, however, it is only stored on the DC that the computer authenticated against. If you have multiple domain controllers, you will get multiple values for this attribute depending on which DC the computer has authenticated with and when.

To find the Last-Logon date from the DC that the computer has most recently authenticated with, you need to query all domain controllers for this attribute, then select the most recent.

Following is a PowerShell script I wrote that will read a list of domain controllers from an Active Directory OU, query each one, then return the most recent Last-Logon value. It uses parallel processing to return the result more quickly than processing each DC in turn, which is useful in a multi-DC environment.

To use the script, simply pass the computer name and optionally the AD OU containing your domain controllers, to the function. You can hard-code the ‘DomainControllersOU’ parameter in the script if you prefer, so you don’t need to call it. You need the Active Directory module installed to use this.

Example


Get-ADLastLogon -ComputerName PC001 -DomainControllersOU "OU=Domain Controllers,DC=contoso,DC=com"

capture

Get-ADLastLogon


function Get-ADLastLogon {

    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$false,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]$DomainControllersOU = "OU=Domain Controllers,DC=contoso,DC=com",

        [string]
        $ComputerName
    )

    # Multithreading function
    function Invoke-InParallel {
        [CmdletBinding()]
        param(
            [parameter(Mandatory = $True,ValueFromPipeline=$true,Position = 0)]
            $InputObject,
            [parameter(Mandatory = $True)]
            [ScriptBlock]$Scriptblock,
            [string]$ComputerName,
            [parameter()]
            $ThrottleLimit = 32,
            [parameter()]
            [switch]$ShowProgress
        )

        Begin
        {
            # Create runspacepool, add code and parameters and invoke Powershell
                [void][runspacefactory]::CreateRunspacePool()
                $SessionState = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
                $script:RunspacePool = [runspacefactory]::CreateRunspacePool(1,$ThrottleLimit,$SessionState,$host)
                $RunspacePool.Open()

            # Function to start a runspace job
            function Start-RSJob
            {
                param(
                    [parameter(Mandatory = $True,Position = 0)]
                    [ScriptBlock]$Code,
                    [parameter()]
                    $Arguments
                )
                if ($RunspacePool.GetAvailableRunspaces() -eq 0)
                    {
                        do {}
                        Until ($RunspacePool.GetAvailableRunspaces() -ge 1)
                    }

                $PowerShell = [powershell]::Create()
                $PowerShell.runspacepool = $RunspacePool
                [void]$PowerShell.AddScript($Code)
                foreach ($Argument in $Arguments)
                {
                    [void]$PowerShell.AddArgument($Argument)
                }
                $job = $PowerShell.BeginInvoke()

                # Add the job and PS instance to the arraylist
                $temp = '' | Select-Object -Property PowerShell, Job
                $temp.PowerShell = $PowerShell
                $temp.Job = $job
                [void]$Runspaces.Add($temp)  

            }

        # Start a 'timer'
        $Start = Get-Date

        # Define an arraylist to add the runspaces to
        $script:Runspaces = New-Object -TypeName System.Collections.ArrayList
        }

        Process
        {
            # Start an RS job for each computer
            $InputObject | ForEach-Object -Process {
                Start-RSJob -Code $Scriptblock -Arguments $_, $ComputerName
            }
        }

        End
        {
            # Wait for each script to complete
            foreach ($item in $Runspaces)
            {
                do
                {
                }
                until ($item.Job.IsCompleted -eq 'True')
            }

            # Grab the output from each script, and dispose the runspaces
            $return = $Runspaces | ForEach-Object -Process {
                $_.powershell.EndInvoke($_.Job)
                $_.PowerShell.Dispose()
            }
            $Runspaces.clear()
            [void]$RunspacePool.Close()
            [void]$RunspacePool.Dispose

            # Stop the 'timer'
            $End = Get-Date
            $TimeTaken = [math]::Round(($End - $Start).TotalSeconds,2)

            # Return the results
            $return
        }
    }

    # Get list of domain controllers from OU
    try {
    Import-Module ActiveDirectory | out-null
    $DomainControllers = Get-ADComputer -Filter * -SearchBase $DomainControllersOU -Properties Name -ErrorAction Stop | Select -ExpandProperty Name | Sort
    }
    catch {}

    # Define Code to run in each parallel runspace
    $Code = {
        param($DC,$ComputerName)
        Import-Module ActiveDirectory | out-null
        $Date = [datetime]::FromFileTime((Get-ADComputer -Identity $ComputerName -Server $DC -Properties LastLogon | select -ExpandProperty LastLogon))
        $Result = '' | Select 'Domain Controller','Last Logon'
        $Result.'Domain Controller' = $DC
        $Result.'Last Logon' = $Date
        Return $Result
    }

    # Run code in parallel
    $Result = Invoke-InParallel -InputObject $DomainControllers -Scriptblock $Code -ComputerName $ComputerName -ThrottleLimit 64

    # Return most recent logon date
    return $Result | sort 'Last Logon' -Descending | select -First 1
}

Creating a Simple Class Library for PowerShell 5

March 22, 2016 by Trevor Jones, posted in Active Directory, ConfigMgr, Powershell, Windows Troubleshooting

PowerShell 5 brings some nice capability to PowerShell, including support for the creation of custom classes. Very simply, a class can be used to define a custom type, and allow you to create an object of that custom type. This can be useful for example, if you want to create an object that has specific properties that you define, as well as some methods, or portions of code that do something specific to your need and relevant to that object.

Class libraries are used in programming so that instead of having to create code to do low-level, fundamental or often-repeated tasks, a collection of classes are provided for you so you can simply call a class and its properties and methods when you need it.

You can call .Net classes in Powershell using a type accelerator. For example, this code gives me the value of PI using the System.Math class. It is defined in the class as a static property.


[math]::PI

Since the value of PI is returned with 14 decimal places, I might want to reduce that say to 4 decimal places. So I can call a static method on the System.Math class to round the number of decimal places to 4:


[math]::Round([math]::PI,4)

Create a Custom Class

I won’t go into detail here about how to create a custom class (Stephane van Gulick gives a nice introduction), but below is a simple example of a class I created in PowerShell, which allows me to create an object representing a user account in Active Directory. I have defined exactly what properties I want to have returned so I don’t have to pass a list of properties to the Get-ADUser cmdlet every time I run it.


class ADUser
{
    [string]$Username
    [string]$Enabled
    [string]$Displayname
    [string]$Title
    [string]$Department
    [string]$EmailAddress
    [string]$CanonicalName
    [string]$City
    [string]$co
    [string]$OfficePhone
    [string]$MobilePhone
    [string]$ipPhone
    [array]$MemberOf
    [array]$DirectReports
    [string]$homeMDB
    [string]$Created
    [string]$Modified
    [string]$LastBadPasswordAttempt
    [string]$PasswordLastSet

   # Constructor
   ADUser ([string] $Username)
   {
        $this.Username = $Username
        $Properties = @(
            'CanonicalName',
            'City',
            'co',
            'Created',
            'Department',
            'DirectReports',
            'Displayname',
            'EmailAddress',
            'Enabled',
            'homeMDB',
            'ipPhone',
            'LastBadPasswordAttempt',
            'MemberOf',
            'MobilePhone',
            'Modified',
            'OfficePhone',
            'PasswordLastSet',
            'Title'
        )
       try
        {
            $P = Get-ADUser $Username -Properties $Properties | Select $Properties
            $Properties | foreach {
                $this.$_ = $P.$_
                }
        }
       Catch
        {
            $_; continue
        }
   }
}

I can create a custom object from this class in a couple of ways:


# create a new object
$me = New-Object -TypeName ADUser -ArgumentList tjones

# Instantiate using the 'new' static method
$me = [ADUser]::new('tjones')

# Simply set the variable type
[ADUSer]$me = 'tjones'

In each case, I need to pass a username, or actually any of the properties in this list, as this is required by the class constructor and the Get-ADUser cmdlet:
— A distinguished name
— A GUID (objectGUID)
— A security identifier (objectSid)
— A SAM account name (sAMAccountName)

When I create the object, the code runs and gets the info from AD. When I call the variable I can see that the properties I have defined are populated:

I can view the list of properties on the object using the dot operator…

…or view an individual property…

…or even find the value of a property without first storing it to a variable:

Scope

This custom class is quite handy to quickly find out information about a user, and I want to be able to call this class any time I need it. Trouble is, in the current implementation of this, a custom class is limited in scope and I can only use this class in the same context I’ve created it in. Or to say it another way, I can’t change the class scope in the same way you could a variable for example. You can of course change the scope of the object you create from the class, for example:


New-Variable -Name me -Value ([ADuser]::new('tjones')) -Scope Script

But once my current session or script is closed, this custom class is no longer available to me. To use it again, I must add the class code and run it in each session or script so it is available in the current context. This can make your scripts fatter than they need to be.

So here’s an idea:

Create a Class Library (of sorts)

In C# for example, you can create a library of classes as a dll file, but for PowerShell I can’t do that.

So why not simply create a folder of class code saved into text files, then read and run the code in your session?

Here’s one way to do that. In my PowerShell $Profile directory, I have two folders “Modules” and “Scripts”. I add a folder called “Classes”.

I create the code for my custom class using PowerShell ISE, then save it as a text file to the Classes folder. Any time I create a new custom class that I want to reuse later, I save it as a text file in this location.

Now I can simply read the contents of a class file and run it in my current session with a one-liner to give me instant access to this custom class.


Invoke-Expression $([System.IO.File]::ReadAllText('C:\Users\tjones\Documents\WindowsPowerShell\Classes\ADUser.txt'))

I can also load in all the custom classes in the Classes directory into my session like this:

 

# Import Custom Classes
Get-ChildItem '$env:USERPROFILE\Documents\WindowsPowerShell\Classes\' |
    Select -ExpandProperty FullName |
        foreach {
            $class = [System.IO.File]::ReadAllText($_)
            Invoke-Expression $Class
        }

Even better, I can add this code into my PowerShell profile scripts (the Microsoft.Powershell_profile.ps1 and Microsoft.PowershellISE_profile.ps1) and all these classes will be available for me to use every time I start a new PowerShell session 🙂

Get Creative

This capability for custom classes in PowerShell opens a door of creativity for IT administrators and developers alike. You can create simple classes to use in a script for example, or create reusable classes in a kind of class library as we have discussed, and you can add custom code that is relevant to the custom object so you can simply call a method instead of writing out the code each time.

How would custom classes be useful to you? What kinds of objects and methods would be useful in your day to day work?

I do a lot of troubleshooting on remote computers, so I wrote a custom class that gets lots of useful information from a remote computer, or performs certain tasks on the remote computer.

In the example below, I’ve created a custom computer object representing “PC001”. Creating the object runs a quick “Test-Connection” against the machine, so I call the “Online” property to see if it is. Then I get the current user using the “GetCurrentUser()” method, then I output a list of methods in the object. These methods allow me to get information from Active Directory for the computer, get hardware information, get installed hotfixes or software, get local administrators and other useful things.

I can also start / stop services, or kill running processes.

The custom type also contains a couple of static methods that I can use without creating an object and assigning it to a variable. “GetComputerFromUser()” checks my Configuration Manager database to find the computer/s that a user was last logged into, and “GetSerialTag()” gets the serial number (or asset tag) for the remote computer.

Cool stuff 🙂

Ping all the Computers in an AD OU

August 11, 2014 by Trevor Jones, posted in Active Directory, Network, Powershell

Here is a clean and simple PowerShell script to ping all the computer accounts in an Active Directory OU, and return the Name, IP Address and any errors into a csv file.

# Enter CSV file location
$csv = "C:\Script_Files\OUPing.csv"
# Add the target OU in the SearchBase parameter
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Servers,DC=mydomain,DC=com" | Select Name | Sort-Object Name
$Computers = $Computers.Name
$Headers = "ComputerName,IP Address"
$Headers | Out-File -FilePath $csv -Encoding UTF8
foreach ($computer in $Computers)
{
Write-host "Pinging $Computer"
$Test = Test-Connection -ComputerName $computer -Count 1 -ErrorAction SilentlyContinue -ErrorVariable Err
if ($test -ne $null)
{
    $IP = $Test.IPV4Address.IPAddressToString
    $Output = "$Computer,$IP"
    $Output | Out-File -FilePath $csv -Encoding UTF8 -Append
}
Else
{
    $Output = "$Computer,$Err"
    $output | Out-File -FilePath $csv -Encoding UTF8 -Append
}
cls
}

	Neil on Create a Custom Splash Screen…
	Max Soullard on A Customisable WPF MessageBox…
	Trevor Jones on Improving the User Experience…
	Phil Brandvold on Improving the User Experience…
	beautyac on Monitoring Changes to Active D…