Ninth System - Sysadmin Blog

Configure AD Authentication for ESXi Host

September 10, 2016 by TwiZted

No Comments

Configure AD Authentication

If you’re in the business of setting up an ESXi host on your network you may be interested in also configuring it to allow for Active Directory authentication. This allows you to setup vCenter administrators within Active Directory, and allows them to use their Windows credentials in order to do their jobs. Although AD authentication will be setup dedicated vCenter admins can also be setup locally on the vCenter server to authenticate directly. In the AD world, this makes management a bit easier.

Here are the simple steps below. Please note that I am unable to verify whether these steps are the same for every version of ESXi, so your results may vary:

Confirm the ESXi host is synchronizing time with the Active Directory Domain controller. For more information, see Synchronizing ESXi/ESX time with a Microsoft Domain Controller (1035833).
From the vSphere Client, select the host that you want to add to the Active Directory.
Click the Configuration tab
Click the Authentication Services.
Click the Properties link at the top right pane.
In the Directory Services Configuration dialog, select the directory service from the dropdown.
Enter a domain.
Click Join Domain.
Enter the user name (in user@domain.com format) and password of a directory service user account that has permissions to join the host to the domain and click OK.
Click OK to close the Directory Services Configuration dialog box.
Click the Configuration tab and click Advanced Settings.
Navigate to Config > HostAgent.
Change the Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting to match the Administrator group that you want to use in the Active Directory. These settings takes affect within a minute and no reboot is required.

Additional notes and knowledge base location

If the Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting is changed, ensure to remove any invalid users from the Permissions tab of the ESXi host. In ESXi 4.1, the ESX Admins container is hard coded and must be added on the Active Directory side for authentication to work.

KB Article – https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2075361

MBSA Scanning with Powershell

August 29, 2016 by TwiZted

No Comments

A very common audit requirements by many vendors is to run the Microsoft Baseline Security Analyzer (MBSA) against a list of machines to verify some standard setup practices they look for. Although other tools can be used for this in bigger environments, it always seems to be one they ask for and considering the scans can be scripted, they’re pretty easy to do and don’t take much time. In a perfect world, you’ll need to run this from a server in the domain that has MBSA installed on it and also has network access to each machine in the server list you provide the script. It will then remote scan each machine in the list and output a file for each.

<#
Purpose: 
    Runs MBSAcli against multiple PCs defined in serverlist.txt.

Usage: 
    Install MSBA 2.2+ on management box or central server
    Edit serverlist.txt to fit your needs
    Drop zip contents onto desktop of management box; should include PS1, txt, and output folder. Script auto-looks for these files on your desktop.
    Launch PS as admin, run MBSAscan.ps1. Wait.

Requirements:
    MBSA must be installed on server where script is ran.
    Script/MBSA must be ran as user that is also admin on remote machines to be scanned. I.e. if scanning iPay, you must be on iPay.com management box under iPay admin account.
    Remote machine will need to be online and able to be scanned, this will not work for all machines (they'll output blank output files if they're offline or your account doesn't have access)
    Do not click inside PowerShell window while script is running, this will pause the process until you click outside the window again.

Additional Notes:
    Configured to ignore ISS and SQL updates by default, please adjust if needed (i.e. line 48 -> /n IIS+SQL)
    Will not be successful if server cannot check updates against SCCM/WSUS, Windows Update, or local security .cab. Tries all by default.
    Additional resources: https://msdn.microsoft.com/en-us/library/ff647642.aspx, http://ss64.com/nt/mbsacli.html, https://dougvitale.wordpress.com/2011/11/18/microsoft-baseline-security-analyzer/
    https://securityvibe.net/2009/07/17/mbsa-cmdline-wizardry/,https://blogs.technet.microsoft.com/heyscriptingguy/2012/09/26/powertip-use-powershell-multiple-line-comments/
#>

####################
# Verify me
####################

# Customizable variables
$servers = "C:\Users\$username\Desktop\serverlist.txt" # Location of serverlist.txt, usually just dropped on your local desktop.
$exe = "C:\Program Files\Microsoft Baseline Security Analyzer 2" # Location of MBSA executable - default is standard install location from MS.

####################
# Do not edit below
####################

# Stock variables
$username = [Environment]::UserName # Gets domain username
$scanMachine = $env:computername # Gets machine name that MBSA/script scan is running from.
$loaded = Get-Content -path $servers # Load list of servers
$timestamp = Get-Date -UFormat "%Y%m%d" # Generate date stamp for output files (short length)
$scanTime = Get-Date # Generates timestamp for inside of scan files (full length)

# Cycle through each server in the serverlist and run MBSACLI scan.
Foreach ($server in $loaded) {
$filename = "_$timestamp.txt"
$output = $server + $filename

cd $exe # This can be launched a couple different ways, but this resulted in best outcome (cd to dir, then launch cmd)

Write-Host "Starting scan for $server" -ForegroundColor Red # Lets you know which server is currently being scanned since not shown by default
cmd /c "mbsacli.exe /target $server /n IIS+SQL /nd /catalog C:\Users\$username\Desktop\wsusscn2.cab > C:\Users\$username\Desktop\scans\$output" # Bread and butter

# Added 6/9/2016 - spits an entry into the scan logs so you can trace back which machine you ran the MBSA scans from. This is useful for finding scan machines that work and have MBSA already installed.
Add-Content -Path C:\Users\$username\Desktop\scans\$output "###############################################################################################"
Add-Content -Path C:\Users\$username\Desktop\scans\$output "Scripted MBSA scan completed from $scanMachine at $scanTime for $server."
Add-Content -Path C:\Users\$username\Desktop\scans\$output "###############################################################################################"
}

#Boom

Purpose:

Runs MBSAcli against multiple PCs defined in serverlist.txt.

Usage:

Install MSBA 2.2+ on management box or central server

Edit serverlist.txt to fit your needs

Drop zip contents onto desktop of management box; should include PS1, txt, and output folder. Script auto-looks for these files on your desktop.

Launch PS as admin, run MBSAscan.ps1. Wait.

Requirements:

MBSA must be installed on server where script is ran.

Script/MBSA must be ran as user that is also admin on remote machines to be scanned. I.e. if scanning iPay, you must be on iPay.com management box under iPay admin account.

Remote machine will need to be online and able to be scanned, this will not work for all machines (they'll output blank output files if they're offline or your account doesn't have access)

Do not click inside PowerShell window while script is running, this will pause the process until you click outside the window again.

Additional Notes:

Configured to ignore ISS and SQL updates by default, please adjust if needed (i.e. line 48 -> /n IIS+SQL)

Will not be successful if server cannot check updates against SCCM/WSUS, Windows Update, or local security .cab. Tries all by default.

Additional resources: https://msdn.microsoft.com/en-us/library/ff647642.aspx, http://ss64.com/nt/mbsacli.html, https://dougvitale.wordpress.com/2011/11/18/microsoft-baseline-security-analyzer/

https://securityvibe.net/2009/07/17/mbsa-cmdline-wizardry/,https://blogs.technet.microsoft.com/heyscriptingguy/2012/09/26/powertip-use-powershell-multiple-line-comments/

####################

# Verify me

####################

# Customizable variables

$servers = "C:\Users\$username\Desktop\serverlist.txt" # Location of serverlist.txt, usually just dropped on your local desktop.

$exe = "C:\Program Files\Microsoft Baseline Security Analyzer 2" # Location of MBSA executable - default is standard install location from MS.

####################

# Do not edit below

####################

# Stock variables

$username = [Environment]::UserName # Gets domain username

$scanMachine = $env:computername # Gets machine name that MBSA/script scan is running from.

$loaded = Get-Content -path $servers # Load list of servers

$timestamp = Get-Date -UFormat "%Y%m%d" # Generate date stamp for output files (short length)

$scanTime = Get-Date # Generates timestamp for inside of scan files (full length)

# Cycle through each server in the serverlist and run MBSACLI scan.

Foreach ($server in $loaded) {

$filename = "_$timestamp.txt"

$output = $server + $filename

cd $exe # This can be launched a couple different ways, but this resulted in best outcome (cd to dir, then launch cmd)

Write-Host "Starting scan for $server" -ForegroundColor Red # Lets you know which server is currently being scanned since not shown by default

cmd /c "mbsacli.exe /target $server /n IIS+SQL /nd /catalog C:\Users\$username\Desktop\wsusscn2.cab > C:\Users\$username\Desktop\scans\$output" # Bread and butter

# Added 6/9/2016 - spits an entry into the scan logs so you can trace back which machine you ran the MBSA scans from. This is useful for finding scan machines that work and have MBSA already installed.

Add-Content -Path C:\Users\$username\Desktop\scans\$output "###############################################################################################"

Add-Content -Path C:\Users\$username\Desktop\scans\$output "Scripted MBSA scan completed from $scanMachine at $scanTime for $server."

Add-Content -Path C:\Users\$username\Desktop\scans\$output "###############################################################################################"

}

#Boom

Nothing too fancy and gets the job done. One think you might have to do is actually reach out to Microsoft and download the .cab file that is referenced. This can be found here (http://go.microsoft.com/fwlink/?LinkId=76054) and will speed up scans.

New Servers Deployed

July 11, 2016 by TwiZted

No Comments

New Servers – The website and affiliated services have all been moved over to new servers. Everything appears to be be working fine without issues. The main reason I wanted to make a quick post is to let you know that the REPRT backend is currently offline. Any reports that make it through will still make it to the server, but they will not automatically be posted to the RE website. This is intended and will be worked through shortly. Please let me know through the contact page if you run into any issues with the website or software since the server switch.

Additionally, to support the server switch, I will be moving everything over to new routing equipment. This is a big upgrade but downtime should be minimal. Not sure what time I’ll plan on doing this, but it should be late at night and most likely on a weekend.

Grab Weather Data from NWS

June 8, 2016 by TwiZted

No Comments

I have recently been playing with InfluxDB and Grafana and wanted to be able to display the outside temperature without buying an external monitor to feed InfluxDB. I was able to find some weather data in XML format from the NWS, which allowed me to download, parse, and feed the data into InfluxDB. This allowed me to grab weather data and feed it just like I wanted without spending the money for an external monitor of some sort. I have it setup to run once every 30 minutes to grab and update –

# Variables
$url = "http://w1.weather.gov/xml/current_obs/display.php?stid=KSGF" # Remote XML location
$saveFile = "XML_OUTPUT_LOCATION" # Local XML download location

Invoke-WebRequest -Uri $url -OutFile $saveFile # Download and save XML

$loadedXML = [xml]$loaded = Get-Content -Path $saveFile # Load XML
$temperature = $loadedXML.current_observation.temp_f # Read temp_f line in XML

# Variables

$url = "http://w1.weather.gov/xml/current_obs/display.php?stid=KSGF" # Remote XML location

$saveFile = "XML_OUTPUT_LOCATION" # Local XML download location

Invoke-WebRequest -Uri $url -OutFile $saveFile # Download and save XML

$loadedXML = [xml]$loaded = Get-Content -Path $saveFile # Load XML

$temperature = $loadedXML.current_observation.temp_f # Read temp_f line in XML

You can then feed these the InfluxDB using Curl or other methods –

cmd /c curl.exe -i -XPOST http://influxdbserver:8086/write?db=dbname --data-binary "wx_temp,host=""$computer"" value=$temperature"

1	cmd /c curl.exe -i -XPOST http://influxdbserver:8086/write?db=dbname --data-binary "wx_temp,host=""$computer"" value=$temperature"

You can the XML reports at the NWS website here. Once it’s all setup and complete you can make a nice graph in Grafana:

Temp sensor - grab weather data from NWS

Site Update and REPRT

May 5, 2016 by TwiZted

No Comments

As many of you may have noticed, the website has been completed rebuilt and updated. I don’t personally have a ton of time to write a bunch of articles like I want to, but I will try to keep things updated on a regular basis. I’m usually pretty busy pumping out new stuff at work that can be brought into my collection for safe keeping.

For any Regenesis folks out there that might stop by, REPRT has been updated to version 1.5.0.6. This final update was a major overhaul and transforms the software into a client/server model, instead of relying on the client side to do all of the heavy work. The old model functioned, but was much harder to update and keep going with all the different users, operating systems, and configurations. In the past, a small update for client side processes would affect how things worked on the server side (sometimes breaking the tool altogether) and just created a mess in general. This new model means I really only have to worry about the server working, and evening if a client manages to dork up somehow the issue/s can be fixed easily on my side from the server. No more crossing our fingers and hoping I don’t break things.

On a side note, I’d really like to get REPRT in the hands of Mac users. The application is designed in .NET for Windows and I do not have a way to test it working on a Mac system. If someone from the Regenesis world would like to make this idea happen, feel free to let me know. If you’re another developer that stumbles across this and knows how to easily make .NET run under Mac OS, I’d be interested in hearing about that as well. To my knowledge, MONO is one route, however as I mentioned I do not have a way to test.

Detect Server Roles

May 5, 2016 by TwiZted

No Comments

I needed a quick script to scan through a list of servers and detect server roles on any server that had the specified role/s installed, in this case File or Print services. There are probably many other ways to accomplish this. If you have better examples feel free to post them! I didn’t use this script for much, however I more advanced script could potentially come in handy.

$serverlist = Get-Content -Path "C:\serverlist.txt"
$outputpath = "C:\output.txt"

foreach ($server in $serverlist) {
$scan = Get-WindowsFeature -Name Print*, *FileServer* -ComputerName $server | where {$_.installed -eq $True} | Out-string

if($scan -ne "") {
Add-Content $outputpath "Server: $server $scan"
    }
    }

$serverlist = Get-Content -Path "C:\serverlist.txt"

$outputpath = "C:\output.txt"

foreach ($server in $serverlist) {

$scan = Get-WindowsFeature -Name Print*, *FileServer* -ComputerName $server | where {$_.installed -eq $True} | Out-string

if($scan -ne "") {

Add-Content $outputpath "Server: $server $scan"

}

Note that you’ll get the obvious errors if the server doesn’t respond (offline, WMI, etc), but it got the job done for what I needed at the time.

Automatic Purging

May 5, 2016 by TwiZted

No Comments

Automatic Purging with Powershell

This script is used to automatically purge subfolders and all contents within those subfolders in a root folder. My use case was new subfolders being created daily with data backed up to them. The data within the subfolders could have any date on them, but I needed to purge based off the subfolders creation date. Instead of logging into the fileserver every 30 days and manually deleting junk, I tossed this quick script together to look at the date modified of the subfolder, and then purge any that are over 90 days old. If no folders are found, it’ll cancel the purge process (instead of deleting the entire root folder… oops).

#================================#
# Purpose                        #
#================================#

# Locates files and directories older than a specified period (i.e. 90days) and purges them based on last modified date.
# Outputs all of the deleted files and directories to an output of choice, and also purges old log files.
# Log files use a unique file name based off the current date in YYYY/MM/DD format so they're easy to sort and view.
# WARNING - It ONLY looks at the ROOT folders within a directory. If files within a folder are newer than the modified date of the root folder they WILL be purged.


#================================#
# CONFIGURATION                  #
#================================#

#File retention configuration
$delTarget = "C:\filesToDelete\"
$retentionLimit = (Get-Date).AddDays(-90)

#Log retention configuration
$dateFormat = Get-Date -UFormat "%Y%m%d"
$logOutput = "C:\logs\$dateformat.txt"
$logRetentionLimit = "30"
$loggingPath = "C:\logs\" #This is the path to delete logs from.

#================================#
# DO NOT EDIT BELOW THIS LINE    #
#================================#

#Misc Variables
$timeStamp = Get-Date

#Creates a new log file (force if exists)
New-Item -path $logOutput -Force -ItemType file
Add-Content $logOutput "Script started at $timeStamp."
Add-Content $logOutput "Log file created $dateFormat.txt"

#Discovers folders older than the retention limit based on modified date
$target = Get-ChildItem $delTarget | Where { $_.PSIsContainer -and $_.LastWriteTime -le $retentionLimit }
Add-Content $logOutput "Targets loaded to array."

#Discovers log files older than log retention limit
$targetLog = get-childitem $loggingPath -recurse | where { ((get-date)-$_.LastWriteTime).days -ge $logRetentionLimit}

#Checks to make sure it found folders to purge, if not, we cancel the operation.
if ($target -eq $null) {
Add-Content $logOutput "Cannot delete root folder or an empty root directory. Exiting purge process."
 

}

else {

#Removes folders that were found
Add-Content $logOutput "Starting purge process."


Foreach ($dir in $target) {
$combined = $delTarget + $dir
cmd /c rmdir /q /s $combined

        }
  }


#Writes the deleted items to a daily log file
Add-Content $logOutput "The following directories were purged:"
Add-Content $logOutput $target

#================================#

# Purpose #

#================================#

# Locates files and directories older than a specified period (i.e. 90days) and purges them based on last modified date.

# Outputs all of the deleted files and directories to an output of choice, and also purges old log files.

# Log files use a unique file name based off the current date in YYYY/MM/DD format so they're easy to sort and view.

# WARNING - It ONLY looks at the ROOT folders within a directory. If files within a folder are newer than the modified date of the root folder they WILL be purged.

#================================#

# CONFIGURATION #

#================================#

#File retention configuration

$delTarget = "C:\filesToDelete\"

$retentionLimit = (Get-Date).AddDays(-90)

#Log retention configuration

$dateFormat = Get-Date -UFormat "%Y%m%d"

$logOutput = "C:\logs\$dateformat.txt"

$logRetentionLimit = "30"

$loggingPath = "C:\logs\" #This is the path to delete logs from.

#================================#

# DO NOT EDIT BELOW THIS LINE #

#================================#

#Misc Variables

$timeStamp = Get-Date

#Creates a new log file (force if exists)

New-Item -path $logOutput -Force -ItemType file

Add-Content $logOutput "Script started at $timeStamp."

Add-Content $logOutput "Log file created $dateFormat.txt"

#Discovers folders older than the retention limit based on modified date

$target = Get-ChildItem $delTarget | Where { $_.PSIsContainer -and $_.LastWriteTime -le $retentionLimit }

Add-Content $logOutput "Targets loaded to array."

#Discovers log files older than log retention limit

$targetLog = get-childitem $loggingPath -recurse | where { ((get-date)-$_.LastWriteTime).days -ge $logRetentionLimit}

#Checks to make sure it found folders to purge, if not, we cancel the operation.

if ($target -eq $null) {

Add-Content $logOutput "Cannot delete root folder or an empty root directory. Exiting purge process."

}

else {

#Removes folders that were found

Add-Content $logOutput "Starting purge process."

Foreach ($dir in $target) {

$combined = $delTarget + $dir

cmd /c rmdir /q /s $combined

}

#Writes the deleted items to a daily log file

Add-Content $logOutput "The following directories were purged:"

Add-Content $logOutput $target

You may notice that rmdir is used for the actual delete process. PowerShell has delete abilities, however I could not get it to work with folder names over a certain length, which unfortunately was very common for this subset of data being backed up. Rmdir didn’t seem to care about the length of the filenames within the subfolder and just blows the directory away.

Another thing to note that is not included in this version of the script is folder permissions. This is intended to be ran as scheduled task with a service account that has the proper permissions to the root/subfolders it’ll be trying to delete. Although the account I used had this, the scripts used (by another team) to create the backup data would sometimes place ownership on the subfolders and stall the script. In later iterations of the script above, I’ve added a routine that takes ownership of the subfolder before deleting it. I know takeown was used to accomplish this.

Lastly, I believe another issue I had that was caused by the same backup script was it was setting some of the newly created subfolders as Hidden and/or System folders. I’d have to test further, but I believe Get-ChildItem will ignore these. Adding ‘-force” I think was the fix. I haven’t touched the live script in a while, but if I get my hands on it I’ll make a new post.

Locate Stale AD Accounts

May 5, 2016 by TwiZted

No Comments

Locate Stale AD Accounts

This tiny script can help locate stale AD accounts that have been inactive for 30 days. This is just a quick script for a lab I had (single DC, small amount of users).

Import-Module activedirectory
$list = Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 | where {$_.ObjectClass -eq 'user'} | where {$_.enabled} | Format-Table Name,ObjectClass -A
$test = $list | Out-String
write-host $test

Import-Module activedirectory

$list = Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 | where {$_.ObjectClass -eq 'user'} | where {$_.enabled} | Format-Table Name,ObjectClass -A

$test = $list | Out-String

write-host $test

I do have a larger script that is more robust. If I can track it down I will be posting this as well. The larger script is used to audit stale accounts so they can be removed if needed. Please note that in a multiple DC environment, this will likely only show valid results from the domain controller the local system (the PC you run the script from) is talking to. If an account has updated its values on another DC, they may not be reflected here. Please keep this in mind if you intend to run this in a larger environment, or wait until the full script is released.

PRTG Alerts with Pushbullet

April 30, 2016 by TwiZted

No Comments

In an earlier post, I had provided a simple little Powershell/Pushbullet API where you could use Powershell to send Pushbullet alerts to all of your registered devices. This is dandy, and works wonders if you simply want to trigger the alert with Powershell by itself, but if you want to use something like PRTG to do the automatic triggering the setup is a bit different. The API and script provided simply takes parameters passed to it from PRTG, throws them into an alert, then fires them off to Pushbullet. Setting this Powershell script up inside PRTG to alert you is actually very simple.

The very first thing you must do besides editing the script I’ve provided is to save and drop the script into PRTG’s alert directory. By default, this is usually located here:

C:\Program Files (x86)\PRTG Network Monitor\Notifications\EXE

1	C:\Program Files (x86)\PRTG Network Monitor\Notifications\EXE

Once the Powershell (.ps1) script is dropped into that directory, the alert will be able to be chosen within PRTG itself. The first step to creating the alert is to login to PRTG and create a new notification:

The default settings should be sufficient, but feel free to edit them where you see fit (giving the notification a name for example). After you have changed the default settings where needed, scroll down and choose the “Execute Program” option. Click the drop down dialog and choose the .ps1 file you uploaded to your PRTG folder earlier:

Once you’ve made it that far, save the notification and you’re about ready to go. The last step is to assign to notification to a device or group:

After you’ve saved this, you can test the alert by logging into Pushbullet and causing the alert to trigger (shutting a service down, rebooting server, simulate error status, etc). If setup correctly, you should receive an alert in Pushbullet to all connected devices.

PushBullet Powershell API

April 29, 2016 by TwiZted

No Comments

PushBullet Powershell API

Here’s a small Powershell script that can be used to link your Powershell scripts to PushBullet. This allows you to fire PushBullet alerts to any device with the software installed. I use this in labs with PRTG monitoring software to fire alerts when a service/server goes down and I’m not around to get a standard email alert. Although email is great, it’s always nice to have 2 methods to receive my alerts so I know when something is amiss.

The Code

Param(
  [string]$device,
  [string]$name,
  [string]$status,
  [string]$message
)

$APIKey = "APIKEY"
$PushURL = "https://api.pushbullet.com/v2/pushes";
$PushMethod = "POST";
$AccessCredential = New-Object System.Management.Automation.PSCredential ($APIKey, (ConvertTo-SecureString $APIKey -AsPlainText -Force));
$Body = @{type='note';title="PRTG Alert";body="$device - $name - $status ($message)";}
Invoke-RestMethod -Uri $PushURL -Method $PushMethod -Body $Body -Credential $AccessCredential;

Param(

[string]$device,

[string]$name,

[string]$status,

[string]$message

)

$APIKey = "APIKEY"

$PushURL = "https://api.pushbullet.com/v2/pushes";

$PushMethod = "POST";

$AccessCredential = New-Object System.Management.Automation.PSCredential ($APIKey, (ConvertTo-SecureString $APIKey -AsPlainText -Force));

$Body = @{type='note';title="PRTG Alert";body="$device - $name - $status ($message)";}

Invoke-RestMethod -Uri $PushURL -Method $PushMethod -Body $Body -Credential $AccessCredential;

Once you have the script, simply change out the APIKEY to your own key, and setup a custom trigger in PRTG to fire off the Powershell script with the parameters defined. Also, for anyone interested PRTG is now free for up to 100 monitors. This is great for you folks with labs they’d like to monitor statistics on, or even people with a handful of servers that need quick and easy Windows monitoring. It’s an easier approach compared to something like Nagios.

Latest Posts

The Code