Sysadmin Magazine March 2020
Sysadmin Magazine March 2020
SysAdmin Contents
Magazine
№ 57 March ‘20
04 Top 10 PowerShell commands for Group Policy
2
Contents SysAdmin Magazine March 2020
Now on
Facebook
SysAdmin Magazine
Get the best articles from the magazine, along with the freshest
IT news and top tips from the IT community.
Follow Us
3
Contents SysAdmin Magazine March 2020
Policy PowerShell
command below creates a new GPO and links it to the Cli-
command below creates a new GPO called ‘Netwrix PCs’
ents OU in the ad.contoso.com domain:
and adds a comment to describe the its purpose:
Russell Smith
Windows Security Expert, IT Consultant, Writer, and MCSE The command creates an empty GPO with no settings. If
To unlink a GPO, use the Remove-GPLink cmdlet:
you have starter GPOs configured in your Active Directory
domain, you can create a new GPO based on their settings.
The following command creates a new GPO called ‘Netwrix Remove-GPLink -Name "Netwrix PCs" -Target
In addition to the Group Policy Management Console PCs’ based on the ‘Windows 10 MS Security Settings’ GPO: "ou=clients,dc=ad,dc=contoso,dc=com"
4
Contents SysAdmin Magazine March 2020
5
Contents SysAdmin Magazine March 2020
Configuring Group Policy settings To get detailed information about a registry key configured in a GPO, use Get-GPRegistryValue:
6
Contents SysAdmin Magazine March 2020
Applying Group Policy settings Get-GPResultantSetOfPolicy -Computer dc1 -ReportType HTML -Path c:\temp\dc1rsop.html
Provided that your GPO is linked to a domain, OU or site, it
will apply to user and computer objects below where it is
linked. But if you want to force a Group Policy update on a
remote server or other device, you can use Invoke-GPUp-
date. Running Invoke-GPUpdate without any parameters
will force an update of user and computer configuration
settings on the local computer. The command below forc-
es a Group Policy update on server1 for user configuration
settings only:
Figure 4. How to get information about which GPOs are applied to a user or computer
7
Contents SysAdmin Magazine March 2020
Most useful Share- A better option is to use the PowerShell ISE. Not only does
it include many cmdlets created especially for managing
Getting SharePoint site information
Get-SPSite cmdlet is the main cmdlet for getting infor-
Point PowerShell
SharePoint, it also offers color-highlighted code, a debug
mation about your SharePoint site collections. It lists the
engine and a cmdlet search engine.
URLs of your SharePoint sites and their compatibility levels
Commands
(SharePoint versions).
To load the SharePoint snap-in, we need to run the follow-
ing command:
After that, it is prudent to update PowerShell help in order Using the Select-Object parameter with this cmdlet, we can
get the latest information about the Microsoft SharePoint get specific properties about a site, such as the site owner,
SharePoint Server is a web-based collaborative platform
PowerShell cmdlets: storage usage, maximum quota level and last content mod-
that integrates with Microsoft Office. To configure Share-
ified date:MAC address filtering.
Point site settings, system administrators often use the
SharePoint Management Shell that is installed with the Update-Help
SharePoint product. Running the SharePoint Management
Shell calls the Windows PowerShell runtime environment Get-SPSite "http://sharepoint/sites/ent"
So, what cmdlets are available in the SharePoint snap-in?
and executes a script file named sharepoint.ps1, which | Select-Object url, owner, @{Expressi-
Here is the command that will list all of them for you:
loads the Windows PowerShell snap-in for SharePoint and on={$_.Usage.Storage}}, @{Expression={$_.
Audit.AuditFlags}}, readonly, LastCon-
runs a few commands. These commands are not very im-
tentModifiedDate, @{Express={$_.QuotaSto-
portant; they include choosing C:\Users\Username as the
Get-Command -Module "Microsoft.Share- rageMaximumLevel}}
home location for command execution and running the
Point.PowerShell"
latest version of PowerShell console.
8
Contents SysAdmin Magazine March 2020
$SPRoles = $WebPath.RoleAssign-
ments;
foreach ($SPRole in $SPRoles)
{
foreach ($SPRoleDefinition in
In addition, we can export information about all sites in our $SPRole.RoleDefinitionBindings)
WithPartialName("Microsoft.SharePoint") }
$SPSiteUrl = "http://sharepoint/sites/
ent" foreach ($List in $WebPath.Lists)
We can also use the Get-SPSite cmdlet to create a SharePoint
$SPSite = New-Object Microsoft.Share- {
PowerShell script that lists all the groups and their members
Point.SPSite($SPSiteUrl); if ($List.HasUniqueRoleAssign-
for a particular SharePoint site: ments)
$ExportFile = "C:\root\Permissions.csv"
{
9
Contents SysAdmin Magazine March 2020
Now let’s make a report that will output all files created
$WebPath.Url + "," + $List.Title + "," + by a certain user. This script can be helpful, for example, Select Name,
$SPRole.Member.Name + "," + $SPRoleDefiniti- when an employee leaves the company and you need to @{Name="URL";
on.Name | out-file $ExportFile -append
transfer their data to other people. Expression={$_.ParentList.Par-
} entWeb.Url + "/" + $_.Url}}
}
}
Get-SPWeb http://sharepoint/sites/ent |
}
Select -ExpandProperty Lists |
}
Where { $_.GetType().Name -eq "SPDocu-
$SPSite.Dispose();
mentLibrary" -and
Using PowerShell to manage
-not $_.Hidden } |
Select -ExpandProperty Items | SharePoint sites and objects
To find a certain file on a SharePoint site, we need to use
Where { $_["Created By"] -like
the Get-SPWeb cmdlet. Here is a script that searches for a New SharePoint sites are typically created using a template.
"*system*" } |
file whose name contains the word “readme” in the “http:// Select Name, url, {$_["Created By"]} To get a list of all site templates, run the Get-SPWebTem-
sharepoint/sites/ent” site: plate cmdlet with no parameters.
10
Contents SysAdmin Magazine March 2020
SharePoint environment
i:0#.w|enterprise\i.scur" carter" -Web http://sharepoint/sites/ent
-Group "Enterprise Owners"
11
Contents SysAdmin Magazine March 2020
365 PowerShell
Microsoft.Exchange -ConnectionUri https://
outlook.office365.com/powershell-liveid/
First, we need to install the Office 365 module for Windows -Credential $Cred -Authentication Basic
Commands
PowerShell and connect to the Office 365 instance. Take -AllowRedirection
the following steps:
Download and install the Microsoft Online Services Connect to all Office 365 services:
Sign-In Assistant for IT Professionals RTW.
Adam Stetson
Systems Engineer, Security Expert
Import the Online Services PowerShell module for Mic- Connect-MsolService –Credential $O365
12
Contents SysAdmin Magazine March 2020
365 PowerShell cmdlets use the Get-MsolUser cmdlet. It’ll retrieve all users with a
valid license in the Office 365 tenant, along with the Display-
To get a list of all available Office 365 PowerShell com- Name, City, Department and ObjectID parameters.
mands, we need to run the Get-Command cmdlet:
13
Contents SysAdmin Magazine March 2020
5. Creating a new user in Office 365 7. Changing a password in Office 365 Add-MsolGroupMember -GroupObjectId
The system will output the user’s password and license sta- Set-MsolUserPassword -UserPrincipalName
[email protected]
tus data.
-NewPassword P@SSw0rd! Get-MsolUser | Select ObjectID.
14
Contents SysAdmin Magazine March 2020
Get-MailTrafficTopReport
15
Contents SysAdmin Magazine March 2020
Effective Password
1809, run the following command in an elevated Power-
Shell console: Create credential with password
using PowerShell
Management Add-WindowsCapability -Online -Name Rsat.
ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 To create a new user account, use the New-ADUser cm-
dlet. In the example below, I have hardcoded the ad.con-
toso.com domain in the $UPN variable. You should change
Russell Smith Earlier Versions of Windows 10 this to match the UPN suffix you want to assign to users.
Windows Security Expert, IT Consultant, Writer, and MCSE
If you are using an earlier version of Windows 10, download
Provide the user’s first name and last name. The UPN and
the appropriate RSAT package from Microsoft’s website:
SamAccountName will then be created by adding a period
Automation is the key to streamlining Active Directory man- between the first and last name. Use the following Power-
If you are managing Windows Server version 1803 or
agement tasks. In this article, I’ll show you how to create, Shell script:
1709, download and install the WS_1803 package.
change and test user passwords with PowerShell scripts.
$GivenName = (Read-Host -Prompt "First
If you are managing Windows Server 2016 or earlier
Name")
versions of Windows Server, download and install the
Installing the AD PowerShell module
$Surname = (Read-Host -Prompt "Last Name")
$User = $GivenName+"."+$Surname
Once RSAT is installed, start the PowerShell console as a $UPN = $User+"@ad.contoso.com"
Before you can use PowerShell to manage Active Direc-
local administrator and enable the AD PowerShell module $Password = (Read-Host -Prompt "Password"
tory, you need to install the Active Directory PowerShell
using this PowerShell command: -AsSecureString)
module. If you are using Windows 10 to manage AD, first New-ADUser -Name $User -SamAccountName
install the Remote Server Administration Tools (RSAT). $User -UserPrincipalName $UPN -AccountPass-
16
Contents SysAdmin Magazine March 2020
17
Contents SysAdmin Magazine March 2020
If you need to extend the time a user can keep their cur- Set-ADUser -ChangePasswordAtLogon $true
18
Contents SysAdmin Magazine March 2020
FREE TOOL
Start-Process -FilePath cmd.exe /c -Credential (Get-Cre-
of password
management
Free Download
19
Contents SysAdmin Magazine March 2020
How-to for IT Pro 2. Open the file produced by the script in MS Excel.
Sample report:
invoke-command {
$members = net localgroup
administrators |
where {$_ -AND $_ -notmatch
"command completed successfully"} |
select -skip 4
New-Object PSObject -Property @{
Computername = $env:COMPUTERNAME
Group = "Administrators"
Members=$members
}
} -computer fs1,sp01,ncnad
-HideComputerName |
Select * -ExcludeProperty RunspaceID
| Export-CSV c:\data\local_admins.csv
-NoTypeInformation
20
Contents SysAdmin Magazine March 2020
Freeware tool that tracks down inactive user accounts, so you can harden your Active Directory security and mitigate the risk of
breaches.
Inactive User
Tracker
Download Free Tool
21
Contents SysAdmin Magazine March 2020
[On-Demand Webinar]
Managing SharePoint Managing SharePoint Online and Exchange Online can be a painful task — you have to con-
stantly switch between multiple administration centers and it’s hard to know where to go for a
In this webinar, Liam Cleary and Jeff Melnick will walk you through how to use PowerShell to:
Watch Now
22
About Netwrix
What did you think Netwrix is a software company that enables information security and governance professionals to reclaim control over
of this issue? sensitive, regulated and business-critical data, regardless of where it resides.
What did you think of this content?
Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of
enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and
knowledge workers.
300 Spectrum Center Drive 1-949-407-5125 Spain: +34 911 982608 Switzerland: +41 43 508 3472 Hong Kong: +852 5808 1306
Suite 200 Irvine, CA 92618 Toll-free (USA): 888-638-9749 Italy: +39 02 947 53539
Netherlands: +31 858 887 804 France: +33 9 75 18 11 19
5 New Street Square +44 (0) 203 588 3023 SOCIAL: netwrix.com/social
London EC4A 3TW