Group Membership Unions and Intersections

A friend of mine recently asked for one-liners for Active Directory group membership union and intersection.

These are the one-liners which I sent him:

Group Union – users present in either of the groups (he needed a list of DNs of direct members of two groups):

(Get-QADGroupMember GroupA –Type user) + (Get-QADGroupMember GroupB –Type user) | 
 Select-ExpandProperty DN | 
 Sort | Select-Unique

Group Intersection – users present in both groups at the same time:

Compare-Object (Get-QADGroupMember GroupA –Type user) `
 (Get-QADGroupMember GroupB –Type user) `
 -ExcludeDifferent -IncludeEqual | Select-ExpandProperty InputObject

You can obviously tweak them to add indirect users (with -indirect parameter) or enabled only (-enabled), etc. – see Get-QADGroupMember help for all options.

I am pretty sure that there are multiple ways to skin these cats – so if you have better alternatives – please post these in the comments.

Advertisement

PowerShell for Multi-Factor Authentication solution updated

Another plug to my fellow Questees who have gone PowerShell (that’s the deal we have here at Quest – you add PowerShell to your product and get a special blog mention and lots of happy customers!). Quest’s Defender (Two-Factor/Multi-Factor Authentication solution) team has just updated their PowerShell module and there’s quite a few useful cmdlets for user provisioning, de-provisioning and general Defender auditing / administration.

For example, for User provisioning, there’s ability to batch-assign tokens to users and provide either unique Personal Identification Numbers (PINs) or set a known PIN to expire on first use so that end users can then create their own:

To assist with the de-provisioning of users accounts from Active Directory when a user has left the company simple commands such as Remove-AllTokensFromUser could be used to ensure all tokens that have been assigned to a user are removed.

For auditing and general administration a number of cmdlets are available, for example, it may be useful for auditing purposes to know which users have authenticated using Defender at any time or for a given period:

Here’s full list of what we’ve got in this release:

• Add-TokenToUser
• Add-TokenToUserBatch
• Find-DefenderToken
• Get-DefenderLicense
• Get-DefenderUsersLastLogon
• Get-TokensForUser
• Get-UnactivatedSoftwareTokens
• Get-UsersForToken
• Remove-AllTokensFromUser
• Remove-DefenderPassword
• Remove-PINFromUserToken
• Remove-TemporaryResponse
• Remove-TokenFromUser
• Remove-TokenFromUserBatch
• Reset-DefenderToken
• Reset-DefenderViolationCount
• Set-DefenderPassword
• Set-PINOnUserToken
• Set-TemporaryResponse
• Test-DefenderToken

As you can see this is a lot more than what we could previously provide with the AD cmdlets integration that we had.

You can get a free trial of Defender here.

Find everyone rolling up to me

Yesterday someone asked me to help create a distribution list for everyone reporting to a particular manager (directly or indirectly). Needless to say, that PowerShell makes getting a list of such user accounts a piece of cake!

Here’s the quick script (using AD cmdlets) which I emailed back:

function Get-QADIndirectReport {
param ($Identity)
  # Find all direct reports
  Get-QADUser -Manager $Identity | ForEach-Object {
      # Output direct report
    $_ 
    # Then recursively call this function for all
    # reports of this report
    Get-QADIndirectReport -Identity $_
  }

}

# usage example
Get-QADIndirectReport 'Dmitry Sotnikov'

Basically, AD cmdlets natively can retrieve all direct reports, and I have created a function which keeps going deeper level-by-level getting everyone reporting indirectly as well.

You can then take this a few steps further. For example, say, you want to get a list of users you could then just copy/paste into Outlook. Simply select the Email property from the user objects and ask PowerShell to put semicolon between the addresses:

# get a list of addresses for an email message
(Get-QADIndirectReport 'Dmitry Sotnikov' | 
  Select-Object -ExpandProperty Email) -join '; '

Or you could indeed use the list to populate a group:

# add everyone to a group
Get-QADIndirectReport 'Dmitry Sotnikov' |
  Add-QADGroupMember DmitrysReports

Or you could further restrict the list by City, Department and so on by simply tweaking Get-QADUser parameters in the code above. PowerShell is super-flexible!

VDI and PowerShell

Here at Quest we strive to PowerShell-enable pretty much everything we see. 🙂 The newest Quest team to have gone PowerShell are our desktop virtualization folks – vWorkspace. They recently released a PowerShell module for vWorkspace that – as you could probably guess – adds great automation capabilities to the product.

(vWorkspace is a commercial product – so if you are not into desktop virtualization feel free to just consider this a commercial break – we will return to the free stuff in the next blog post. ;))

vWorkspace cmdlets include functionality such as:

• Managing vWorkspace administrative accounts,
• Turning on and off computers,
• Remotely installing MSI’s, and
• Setting a wide range of properties on the virtual machines and computers hosted by vWorkspace.

Additionally, vWorkspace offers a dynamic filtering syntax, much like Where-Object , that runs server-side rather than locally to speed up the query of large set s of objects. (As Don Jones put it in a session I once attended: “in PowerShell, keep your formatting as far to the right, and your filtering as far to the left as possible.”)

Get-QVWAdministrator –Filter { $QVWAdministrator.Name –like “mdivdi\*” –and  $QVWAdministrator.IsGroup –eq $true }

If you’re a vWorkspace customer, definitely check out the new module on the Quest Community site. They regularly make new versions available, adding more and more functionality each time. Often there’s also a beta of the new upcoming version of the vWorkspace PowerShell module available for anyone to test. In addition, there are some cool examples of how the vWorkspace PowerShell module can be used to ease day-to-day administration of vWorkspace.  Look for this kind of information in the Powershell section of the vWorkspace Community as well. I know the vWorkspace guys would love to hear some feedback on the module so please feel free to comment on their current release.

P.S. Thanks to Adam Driscoll from the vWorkspace team for helping me write this post. Also, if you have not checked out his interview at the recent PowerScripting podcast – you should. He is one of the smartest software engineers I know!

Clear AD attribute

Just yesterday a colleague of mine asked me how to undo an Active Directory object property change from the value he erroneously put back to <not set>. It turned out that I never actually blogged about that – so here you go. 🙂

Clearing AD attributes us actually as easy as just setting the value to $null. For example, here’s how you do it for properties which we have exposed in Set- cmdlets parameters:

Set-QADUser 'Amy Hardy' -City $null

Or for more internal attributes:

Set-QADUser 'Amy Hardy' -ObjectAttributes @{adminDescription=$null}

Hope that helps!

PowerShell Highlights of 2010

What were your key events of last year? Here’s my list:

PowerGUI Highlights

• Reached 1,000,000 downloads (frankly, I still cannot fully comprehend that),
• Released MobileShell – PowerShell server which gives you PowerShell command line (and scripts) to manage your IT in any computer browser or even mobile device: iPad, iPhone, Android, Blackberry, Windows Phone…
• Script Editor is now extensible and has a rich set of add-ons adding almost any feature you could think of.

PowerShell for developers

• PowerGUIVSX now lets you edit and debug PowerShell scripts right in Visual Studio!

PowerShell Projects

• PowerShell Community Extensions v2
• PowerShell in Bing Visual Search,
• PowerTab got back from the dead and now supports PowerShell 2.0,
• Karl Prosser’s Portable PowerShell.

PowerShell Training

• 5-day MOC Course 10325A: Automating Administration with Windows PowerShell 2.0
• New Microsoft Official Curriculum for PowerShell v2
• New PowerShell, AD and PowerGui training

Contests

• Scripting games,
  
• PowerGUI contest,

Usergroups

• PowerShell Power Users group on LinkedIn has over 1,300 members,
• PowerShellGroup.org launched and is a great resource to find a local usergroup – quite a few of them actually launched in 2010!

New cmdlets

A lot of companies and Microsoft product teams released cmdlets, modules, PowerPacks, etc.:

• Intel has released a vPro PowerShell Module,
• NetApp released a set of cmdlets to manage your storage and cloud resources,
• PKI & certificate management cmdlets,
• Windows Azure Cmdlets,
• SharePoint 2010,
• Lync 2010,
• JAMS enterprise scheduling,
• NetPoint IT inventory management.

Books

• PowerShell for Microsoft SharePoint 2010 Administrators
• PowerShell in Practice
• Windows PowerShell Cookbook, Second Edition,
• PowerShell v.2 TFM

Oh, and NASA started to use PowerShell to control their space craft. Almost. OK, not really… This was an April 1 joke. But wouldn’t it be cool if they did?

I know that the list seems a bit biased including a lot of PowerShell projects in which I was involved one way or another. This is not by intent and is a simple consequence of how memory works. 🙂 This has been an amazing PowerShell year! Please add your PowerShell events of the year in the comments below!

Merry Christmas, Happy Holidays and a great New Year to all of you!

Managing Certificate Revocation Lists and Certificate Stores

Vadims has published a couple of articles with great examples of how to use PowerShell to manage CRLs (Certificate Revocation List) and local certificate stores.

CRL tasks include:

• Importing CRL:

$crl = Import-QADCertificateRevocationList -File C:\pica-1.crl

• Reviewing CRL details:

$crl | format-list *

• Add CRL to local certificate store:

Add-QADCertificateRevocationList -CRL $crl -Store $store

• CRL removal:

Get-QADCertificateRevocationList -Store $store |
  where-object {$_.IssuedBy -like "sysadmins*"} |
  Remove-QADCertificateRevocationList -Store $store

• CRL export:

Export-QADCertificateRevocationList -CRL $crl -File c:\customcrl.crl

• Publishing CRL:

Publish-QADCertificateRevocationList -CRL $crl -CAName CustomCAName

• Unpublishing CRL:

Get-QADPKIObject CDP |
  Get-QADCertificateRevocationList |
  where-object {$_.IssuedBy -like "sysadmins*"} |
  Unpublish-QADCertificateRevocationList -CAName "CustomCAName"

For certificate store management, Vadims goes through:

• Exploring certificate stores:

Get-QADLocalCertificateStore -StoreLocation LocalMachine -StoreName My |
  Get-QADCertificate

• Adding certificate stores:

New-QADLocalCertificateStore -StoreLocation CurrentUser -StoreName CustomStoreNameToAdd

• Removing certificate stores:

Remove-QADLocalCertificateStore -StoreLocation LocalMachine -StoreName CustomStoreToDelete

For all these, Vadims is providing tons of details so I highly recommend checking those out:

Managing Certificate Revocation Lists (CRL) with PowerShell

Managing Certificate Stores with PowerShell

PKI management with PowerShell

Complete guide for security certificate management with AD cmdlets 1.4 got recently published here and is a must-read if you want to automate your public key infrastructure (PKI).

PKI allows security administrators to uniquely identify and trust hardware devices by using digital certificates. This technique is one of the most secure access strategies, but can also be complicated to set up and manage. This guide reviews the security concepts surrounding digital certificate management and details how the AD-PKI cmdlets can be used with Active Directory to simplify PKI management.

Here’s the table of content from the guide:

• Understanding Digital Certificates
  • Cryptography Fundamentals
    • Symmetric Encryption
    • Asymmetric Encryption
    • Best Practices for Symmetric and Asymmetric Encryption
• Types of Certificates
  • X509 Certificate Version 1
  • X509 Certificate Version 2
  • X509 Certificate Version 3
    • Common Certificate Extensions
• Certificate Revocation List
  • X509 Certificate Revocation List Version 1
  • X509 Certificate Revocation List Version 2
    • Common CRL Extensions
• Certificate Stores and Containers
  • Local Certificate Stores
  • Active Directory Certificate Containers
• Certificate cmdlet Descriptions
• Object Structures of Certificate Stores, Certificates, and CR
  • Certificate Store
  • Certificate
  • Certificate Revocation List (CRL)
• Using Quest AD PKI-related cmdlets
  • Working with Certificate Stores
    • Explore Certificate Store
    • Create Certificate Store Container
    • Delete Certificate Store Container
  • Adding Certificates to a Certificate Store
    • Certificate File Types
    • Import a Single Certificate
    • Import a Pkcs7 Certificate Container
    • Import a Serialized Store
    • Import a Pkcs12 Certificate with a Private Key
    • Add Imported Certificates to a Store
    • Add an Imported Certificate to a User Account
    • Advanced Techniques
  • Exporting Certificates from a Certificate Store
    • Simple Certificate Export
    • Export a Certificate with a Private Key
    • Export Multiple Certificates
• Working with Certificate Revocation Lists (CRLs)
  • Add CRLs to a Certificate Store
  • Export CRLs from a Certificate Store
  • Remove a CRL from a Certificate Store
• Manage Active Directory PKI-related Containers
  • Publish a Certificate to Active Directory Containers
  • Remove a Certificate from Active Directory Containers
  • Publish CRLs to Active Directory Containers
  • Remove CRLs from Active Directory

Download the ebook “Guide for Using QuestAD-PKI cmdlets: Using PowerShell to manage your security certificates” and get the most out of your PKI environment.

Resolving external accounts in domain groups

You do not have to do anything to do that. If you group contains an account from a trusted domain, good old

Get-QADGroupMember MyGroup

will resolve foreign security principals and show them as regular users.

However, in some cases – for example for performance reasons – you might not want AD cmdlets to perform these look-ups in trusted domains. For that, you just need to use the KeepForeignSecurityPrincipals parameter that we added in AD cmdlets 1.4:

Get-QADGroupMember MyGroup -KeepForeignSecurityPrincipals

Resolving Foreign Security Principals

Starting with version 1.4 AD cmdlets can retrieve and provide detailed information on all properties for foreign security principals.

When you add a user from a trusted domain to a group in your domain, AD creates a local auxilliary object – foreign security principal – to represent this external account. You can essentially think about this object as a pointer to the actual account in a trusted domain. You can read more about them in the Security Principals section of this TechNet article.

Now QAD cmdlets can resolve these “pointers” and show you real accounts to which they point.

For example, this command will retrieve all foreign security principals which you have in your domain (i.e. all foreign accounts ever granted any rights) and try to resolve them to external accounts from original domains:

Get-QADObject -ResolveForeignSecurityPrincipals -Type foreignSecurityPrincipal