Security measure in PowerShell Script

Security in my Day-to-Day script

I don't know about you, but, me as a Network Admin, my PowerShell is always open. By PowerShell, I mean ISE because I create a DayToDay.ps1 script.

All commands I used every day are there and I have some sensitives. 

But no one is perfect, so the risk to hit the F5 to run all the script is there. So I show you a little trick to prevent this type of error that can cost you your job.

Think before, not after.

The Trick

Put this little word at the beginning of your script :

 break  

This little work stops your script is your run it by accident. After that, to use your script, you just have to select what you want and hit F8.

This little trick can save you a lot of trouble.

Have a good day.

J.

Move AD computer with PowerShell Script

The Need

Be able to easily and rapidly move a computer from an OU to another.

The Problem

If you saw other examples on the web, you saw 2 reccurant things.

1. You need to know the Distinguished Name of your destination OU. And it's like : OU=Laptop,OU=GothamOffice,DC=wayneindus,DC=local. And my example is not so long.
2. Or you can create a CSV with the OU you want.

For me each solution are not good. So I figured to do it otherwise.

The Solution

I created a script to list all OU with certain names, the container object Computers and put it in an array with an index. So you can visually chose witch OU you want.

2 concerns :

1. Your computer OU name needs to have a nomenclature.
2. I think more the 100 OU, you do not like my script.

 <#  
   Move AD computer in an OU.   
   Easily move computer between OU without to know the exact path or have a CSV.  
   To use the function you need to have the ActiveDirectory Module load in your PowerShell.  
   Version 1.1  
   Script by Jeremie Lauzier - Network Administrator, 2015-06-11    
 #>  
     $computer = Read-Host "Enter the name of the computer to move"  
     # Grab all computer OU bases of the name of it and the default container Computers.  
     $listou = Get-ADObject -Filter `  
           '(ObjectClass -eq "organizationalUnit" -and Name -like "Desk*") -or (ObjectClass -eq "organizationalUnit" -and Name -like "Lap*") -or (ObjectClass -eq "container" -and Name -like "Computers")' `  
           |Select DistinguishedName -ExpandProperty DistinguishedName | Sort-Object DistinguishedName  
     # Create an array and an index of it.  
     $arrayou = for($i=0;$i-le $listou.length-1;$i++){"`[{0}] = {1}" -f $i,$listou[$i]}  
     # Current information for the computer.  
     $computerou = Get-ADComputer $computer | Select DistinguishedName -ExpandProperty DistinguishedName  
     Write-Output "Computer $computer is member of this OU : $computerou."  
     Write-Output ""  
     # Show the list of the OU.  
     Write-Output "This is the list with index of your OU"  
     $arrayou  
     $numb = (Read-Host "Please choose the number of the destination OU") -as [int]  
     if (($numb -eq $null) -or ($numb -gt $arrayou.LongLength))  
     {  
       $earry1 = $arrayou.Length -1  
       Write-Error "YOU ENTER A UNVALID NUMBER. ENTER A NUMBER BEWTWEEN 0 and $earry1"  
     }  
     else  
     {  
       # Move the computer.  
       Get-ADComputer $computer | Move-ADObject -TargetPath $listou[$numb]    
     }  
     # Show result  
     Write-Output "Result :"  
     Get-ADComputer $computer  
     pause  

You can easily transform the script in a Function.

Exemple :

Result of the execution of the script

I hope this help you. Be free to comment.

Thanks !

PowerShell script | Keep version | TFS 2013

Hi,

I made some scripts in the past 2 weeks and I realised this week, I have a problem of keeping version of it. So I do some search and I found this article : Protect Your PowerShell Scripts with Version Control

This saves my life... :)

Now I can keep version of my script. But here some tricks and infos I found when I configure it :

1. Yes, that's worked with the free version of Visual Studio. I used VS Community 2013.
2. If you used VS 2013, you need to install Team Explorer for Visual Studio 2013.
3. Don't forget to create your Visual Studio Online Account
4. For VS 2013, you need to install : Microsoft Visual Studio Team Foundation Server 2013 Power Tools
5. In the article, they use PowerShell commands to manage the version and the files. If you're beginner with that, like me, I preferred the visual interface to manage my files and do my check in.

   

   Visual Studio 2013 - Team Explorer

6. Don't forget to add comments for each check in. That's helped a lot when you want to retrace a version.
7. Have fun to explore all options you can do with the TFS and Visual Studio.
8. You can install PowerShell Tools for Visual Studio. That's allow you to script PowerShell directly in Visual Studio. (I tried it, but I still emotionally attached to my ISE.)

I hope this can help you to start keeping versions of your scripts.

Please, feel free to leave comments.

J.

PowerShell function | New Distribution Group - no CSV needed | Exchange

Hi,
Today, I share with you my code to build a function to create a New Distribution Group with PowerShell.

When I create the function, one of my concerns is to facilitate the usage with PSWA. So I don't want to create a CSV with the name of the member before I create my distribution group and call the CSV in my script. I want to do it at one stage. So that's my function does. For me, all my distribution groups are in the same OU so my function is built for that.

Feel free to use and modify my code. If you made some improvements, please share it.

 <#  
 .Synopsis  
   Connect a remote session to the Exchange 2010 server.  
   Create a new distribution group with this options :  
   You can choose if you want the RequireSenderAuthenticationEnabled True (Internal DG) or False (External DG)  
   You can hide the group from the Exchange Global Address List.  
   You can ADD at the same time all members needed for the group.  
 .DESCRIPTION  
   This cmdlet need to have access to the cmdlet of Exchange.  
   Its script to be used with Exchange 2010.  
   Version 1.3  
   Script by Jeremie Lauzier - Network Administrator, 2015-06-05  
 .EXAMPLE  
   Create a new distribution group (Not hidden, no member, need to be authentificated)  
   New-XXXDistributionGroup -DGname _StarLab -DGalias StarLab -senderneedauthen True -HideDG NotHide   
   New-XXXDistributionGroup -DGname "_Star Lab" -DGalias StarLab  
 .EXAMPLE  
   Create a new distribution group for external use (NO authentification needed)  
   New-XXXDistributionGroup -DGname _StarLab -DGalias StarLab -senderneedauthen False -HideDG Hide   
 .EXAMPLE  
   Create a new distribution group for internal use (Authentification needed)  
   New-XXXDistributionGroup -DGname _StarLab -DGalias StarLab -senderneedauthen True -HideDG Hide   
 .EXAMPLE  
   Create a new distribution group hidden of the Exchange Global Address List  
   New-XXXDistributionGroup -DGname _StarLab -DGalias StarLab -senderneedauthen True -HideDG Hide   
 .EXAMPLE  
   Create a new distribution group with member(s) without CSV needed.  
   The syntax is really important. You need to use the username of the member.  
   New-XXXDistributionGroup -DGname _StarLab -DGalias StarLab -senderneedauthen True -HideDG NotHide -member "wellsh","allenb","ramonc"  
 #>  
 function New-XXXDistributionGroup  
 {  
   [CmdletBinding()]  
   [OutputType([int])]  
   Param  
   (  
     # Define the name and SamAccountName for the distribution group  
     [Parameter(Mandatory=$true,  
           ValueFromPipelineByPropertyName=$true,  
           Position=0)]  
     $DGname,  
     # Define the email alias (Alias is the first part of the email address)  
     # For me, in my prod environement, the alias is not the same of the group name.  
     [Parameter(Mandatory=$true)]  
     $DGalias,  
     # Define if RequireSenderAuthenticationEnabled it's True or False  
     # True = Internal only / False = External Authorized  
     [Parameter(Mandatory=$true)]  
     [ValidateSet("True","False")]  
     $senderneedauthen,  
     # Hide from Exchange Address List  
     # It's mandatory just to force to take the right decision  
     [Parameter(Mandatory=$true)]  
     [ValidateSet("Hide","NotHide")]  
     $HideDG,  
     #Define member(s) of the group  
     $member  
   )  
   Begin  
   {  
   $exchsession=New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://yourserveraddress/powershell  
   Import-PSSession $exchsession -AllowClobber  
   $convertmem = @($member)  
   }  
   Process  
   {  
    New-DistributionGroup -Name $DGname -OrganizationalUnit 'yourOU' -SamAccountName $DGname -Alias $DGalias  
    if ($senderneedauthen -eq "False")  
    {  
    Set-DistributionGroup $DGname -RequireSenderAuthenticationEnabled $false    
    }  
    if ($HideDG -eq "Hide")  
    {  
    Set-DistributionGroup $DGname -HiddenFromAddressListsEnabled $true  
    }   
    if ($convertmem -ne $null)  
    {  
    $convertmem | foreach {Add-DistributionGroupMember $DGname -Member $_ -BypassSecurityGroupManagerCheck}    
    }  
    Get-DistributionGroup $DGname | Format-Table -Wrap  
    Get-DistributionGroupMember $DGname  
   }  
   End  
   {  
   Remove-PSSession $exchsession  
   }  
 }  

PowerShell function | Add or Remove Full Mailbox Access | Exchange

Hi,

Today, I share with you my code to build a function to add or remove Full Mailbox Access with PowerShell. Feel free to use and modify my code. If you made some improvements, please share it.

1:  <#  
2:  .Synopsis  
3:    Connect a remote session to the Exchange 2010 server.  
4:    Add or remove Full Access permission for an account (user)  
5:  .DESCRIPTION  
6:    This cmdlet need to have access to the cmdlet of Exchange.  
7:    Its script to be used with Exchange 2010.  
8:    Version 1.0  
9:    Script by Jeremie Lauzier - Network Administrator, 2015-06-03  
10:  .EXAMPLE  
11:    Add Full Access permission for Felicity Jones on the account Ray Plamer.  
12:    Set-XXXFullMailboxAccess -accountmodify palmerr -accountFMA jonesf -choice Add  
13:  .EXAMPLE  
14:   Remove Full Access permission for Felicity Jones on the account Ray Plamer.  
15:   Set-XXXFullMailboxAccess -accountmodify palmerr -accountFMA jonesf -choice Remove  
16:  .EXAMPLE  
17:    All parameters are mandatory. So just type Set-XXXFullMailboxAccess and field choice one at a time.  
18:  #>  
19:  function Set-XXXFullMailboxAccess  
20:  {  
21:    [CmdletBinding()]  
22:    [OutputType([int])]  
23:    Param  
24:    (  
25:      # Define the account to modify  
26:      [Parameter(Mandatory=$true,  
27:            ValueFromPipelineByPropertyName=$true,  
28:            Position=0)]  
29:      $accountmodify,  
30:      # Define the account who will have Full Access or Remove it.  
31:      [Parameter(Mandatory=$true)]  
32:      $accountFMA,  
33:      # Add or remove Full Access  
34:      [Parameter(Mandatory=$true)]  
35:      [ValidateSet("Add", "Remove")]  
36:      $choice  
37:    )  
38:    Begin  
39:    {  
40:    $exchsession=New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://yourservername/powershell  
41:    Import-PSSession $exchsession -AllowClobber  
42:    }  
43:    Process  
44:    {if ($choice -eq "Add")  
45:     {  
46:     Add-MailboxPermission -Identity $accountmodify -User $accountFMA -AccessRights 'FullAccess'   
47:     }  
48:     if ($choice -eq "Remove")  
49:     {  
50:     Remove-MailboxPermission -Identity $accountmodify -User $accountFMA -InheritanceType 'All' -AccessRights 'FullAccess' -Confirm:$false    
51:     }  
52:     Get-MailboxPermission -Identity $accountmodify | where {$_.AccessRights -eq "FullAccess"} | Format-Table User, AccessRights -AutoSize  
53:    }  
54:    End  
55:    {  
56:    Remove-PSSession $exchsession  
57:    }  
58:  }  

PowerShell function | Add or Remove email address | Exchange

Hi,

Today, I share with you my code to build a function to add or remove an email address with PowerShell. Feel free to use and modify my code. If you made some improvements, please share it.

Thanks!

 <#  
 .Synopsis  
   Connect a remote session to the Exchange 2010 server.  
   Add or remove an email address for an account (user).  
 .DESCRIPTION  
   This cmdlet need to have access to the cmdlet of Exchange.  
   Its script to be used with Exchange 2010.  
   Version 1.1  
   Script by Jeremie Lauzier - Network Administrator, 2015-06-02  
 .EXAMPLE  
   Add an email address to the account Oliver Queen  
   Set-XXXEmailAddress -accountmodify queeno -emailaddress arrow@greenarrow.com -choice Add  
 .EXAMPLE  
   Remove an email address to the account Oliver Queen  
   Set-XXXEmailAddress -accountmodify queeno -emailaddress arrow@greenarrow.com -choice Remove  
 .EXAMPLE  
   All parameters are mandatory. So just type Set-XXXEmailAddress and field choice one at a time.  
 #>  
 function Set-XXXEmailAddress  
 {  
   [CmdletBinding()]  
   [OutputType([int])]  
   Param  
   (  
     # Define the account to modify  
     [Parameter(Mandatory=$true,  
           ValueFromPipelineByPropertyName=$true,  
           Position=0)]  
     $accountmodify,  
     # Define the email adress to add or remove  
     [Parameter(Mandatory=$true)]  
     $emailaddress,  
     # Add or remove address  
     [Parameter(Mandatory=$true)]  
     [ValidateSet("Add", "Remove")]  
     $choice  
   )  
   Begin  
   {  
   $exchsession=New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://servername.domain.abc/powershell  
   Import-PSSession $exchsession -AllowClobber  
   }  
   Process  
   {if ($choice -eq "Add")  
    {  
      Set-Mailbox $accountmodify -EmailAddresses @{add=$emailaddress}  
    }  
    if ($choice -eq "Remove")  
    {  
      Set-Mailbox $accountmodify -EmailAddresses @{remove=$emailaddress}  
    }  
    Get-Mailbox -Identity $accountmodify | Select -expand emailaddresses alias  
   }  
   End  
   {  
   Remove-PSSession $exchsession  
   }  
 }