Wednesday, 4 October 2017

PowerShell : Check if user is member of local Adminstrators group

We can find whether the given user is member of local Administrators group or not by accessing ADSI WinNT Provider. In this post, I am going to write powershell script to check if an user is exists in local Administrators group in local machine and remote server.

Check if user is member of local Administrators group:

The following powershell commands checks whether the given user is member of Administrators group in local machine.
$user = "Morgan";
$group = "Administrators";
$groupObj =[ADSI]"WinNT://./$group,group" 
$membersObj = @($groupObj.psbase.Invoke("Members")) 
$members = ($membersObj | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)})
If ($members -contains $user) {
      Write-Host "$user exists in the group $group"
 } Else {
        Write-Host "$user not exists in the group $group"
}

Find if user is member of local Admins group in Remote server:

Use the below powershell command to check if user is member of Administrators group in remote computer.
$computer = "hp-pc" 
$user = "Morgan";
$group = "Administrators";
$groupObj =[ADSI]"WinNT://$computer/$group,group" 
$membersObj = @($groupObj.psbase.Invoke("Members")) 
$members = ($membersObj | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)})
If ($members -contains $user) {
      Write-Host "$user exists in the group $group"
 } Else {
        Write-Host "$user not exists in the group $group"
}

Check if multiple users are member of Administrators group:

Use the below powershell script to check if multiple users are member of local Admins group.
$users = "Morgan","TestUser1","TestUser2"
$group = "Administrators";
$groupObj =[ADSI]"WinNT://./$group,group" 
$membersObj = @($groupObj.psbase.Invoke("Members")) 
$members = ($membersObj | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)})

ForEach ($user in $users) {
If ($members -contains $user) {
      Write-Host "$user exists in the group $group"
 } Else {
        Write-Host "$user not exists in the group $group"
}}
Read More...

Check if an user is member of a local group using PowerShell

We can easily find a local user is member of a local group by accessing ADSI WinNT Provider. In this post, I am going to share powershell script to check if local user is exists in a group, and check multiple users are member of a local group.

Check if local user is member of Administrators group:

The following powershell commands checks whether the given user is member of built-in Administrators group.
$user = "Morgan";
$group = "Administrators";
$groupObj =[ADSI]"WinNT://./$group,group" 
$membersObj = @($groupObj.psbase.Invoke("Members")) 

$members = ($membersObj | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)})

If ($members -contains $user) {
      Write-Host "$user exists in the group $group"
 } Else {
        Write-Host "$user not exists in the group $group"
}

Check if multiple users are member of a given local Group:

Run the below powershell command to check if multiple users are member of a given group.
$users = "Morgan","TestUser1","TestUser2"
$group = "Administrators";
$groupObj =[ADSI]"WinNT://./$group,group" 
$membersObj = @($groupObj.psbase.Invoke("Members")) 

$members = ($membersObj | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)})

ForEach ($user in $users) {
If ($members -contains $user) {
      Write-Host "$user exists in the group $group"
 } Else {
        Write-Host "$user not exists in the group $group"
}}

Check if users are member of a group in Remote Computer:

Use the below powershell command to check if users are member of a given group in remote machine/server.
$computer = "remote-pc" 
$users = "Morgan","TestUser1","TestUser2"
$group = "Administrators";
$groupObj =[ADSI]"WinNT://$computer/$group,group" 
$membersObj = @($groupObj.psbase.Invoke("Members")) 

$members = ($membersObj | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)})

ForEach ($user in $users) {
If ($members -contains $user) {
      Write-Host "$user exists in the group $group"
 } Else {
        Write-Host "$user not exists in the group $group"
}}
Read More...

Tuesday, 26 September 2017

How to find Windows OS version using PowerShell

For troubleshooting purpose, or before deploy any software, it is good to know what is Windows operating system version that is currently running. We can easily find the OS details from My Computer properties, but if you want to get details from your customer machine to troubleshoot any issue, PowerShell is the best option to get all the required machine details.

In PowerShell, we can find operating system details in different ways, but to be safe we can use the WMI based cmdlet Get-WmiObject, this command is compatible from Windows PowerShell 2.0. Using this command we can query the WMI class Win32_OperatingSystem to get os version number:
(Get-WmiObject Win32_OperatingSystem).Version
The above command only returns the os version number. Run the following command to get the display name of your Windows version.
(Get-WmiObject Win32_OperatingSystem).Caption
Output :
Microsoft Windows 7 Ultimate
We can use select command to get the output of all the required OS related properties.
Get-WmiObject Win32_OperatingSystem |
Select PSComputerName, Caption, OSArchitecture, Version, BuildNumber | FL
We can use the Get-WmiObject cmdlet in short form gwmi.
(gwmi win32_operatingsystem).caption

Get OS version of a remote computer:

We can easily get the OS version details of a remote computer by adding the parameter -ComputerName to Get-WmiObject.
Get-WmiObject Win32_OperatingSystem -ComputerName "Remote_Machine_Name" |
Select PSComputerName, Caption, OSArchitecture, Version, BuildNumber | FL

Get OS details for a list of remote computers using PowerShell:

You can use the following powershell script to find OS version details for multiple remote computers. First create a text file named as computers.txt which includes one computer name in each line. You will get the output of machine name, OS name and version number in the csv file OS_Details.csv.
Get-Content C:\computers.txt  | ForEach-Object{
$os_name = (Get-WmiObject Win32_OperatingSystem -ComputerName $_ ).Caption
if(!$os_name){
$os_name = "The machine is unavailable"
$os_version = "The machine is unavailable"
}
else{
$os_version = (Get-WmiObject Win32_OperatingSystem -ComputerName $_ ).Version 
}
New-Object -TypeName PSObject -Property @{
ComputerName = $_
OSName = $os_name
OSVersion = $os_version 
}} | Select ComputerName,OSName,OSVersion |
Export-Csv C:\OS_Details.csv -NoTypeInformation -Encoding UTF8
Read More...

Friday, 22 September 2017

Block and Unblock access to Office 365 users using PowerShell

Blocking access to an Office 365 account prevents anyone from using the account to sign in and access all the services and data in your Office 365 tenant. We can use the Azure AD powershell cmdlet Set-MsolUser to block user from login into Office 365 service (Ex: Mailbox, Planner, SharePoint, etc).

Block and Unblock an Office user account:

We need to set the user associated property BlockCredential to block user access to Office 365 service.
Set-MsolUser -UserPrincipalName username@domain.com -BlockCredential $true
The following command unblock the blocked user.
Set-MsolUser -UserPrincipalName username@domain.com -BlockCredential $false

Block multiple Office 365 user accounts:

We can use the command Get-MsolUser to fetch set of required Azure AD users with proper filter and then pipe the results to Set-MsolUser cmdlet to block access to every user.
Get-MsolUser -All | Where {$_.Department -eq "Testing"} |
Set-MsolUser -BlockCredential $true

Block bulk user accounts by import CSV file:

We may required to block access to bulk of user accounts, in this case we can have user ids in csv. We need to import csv file, and then pass every user to Set-MsolUser cmdlet. Consider the csv file Block_Users.csv that has users with the column header UserPrincipalName.
Import-Csv 'C:\Block_Users.csv' | ForEach-Object {
$upn = $_."UserPrincipalName"
Set-MsolUser -UserPrincipalName $upn -BlockCredential $true
}

Export blocked user accounts to CSV file:

Run the following command to export all the users that have been blocked to access Office 365 services.
Get-MsolUser -All | Where {$_.BlockCredential -eq $True} |
Select DisplayName,UserPrincipalName, BlockCredential |
Export-CSV "C:\\Blocked_Users.csv" -NoTypeInformation -Encoding UTF8
Read More...

Hide and Un-hide users from GAL using Powershell

We can use the Exchange Powershell cmdlet Set-Mailbox to hide and un-hide mailbox users from Global Address List (GAL). We need to change the mailbox associated property HiddenFromAddressListsEnabled to hide user from GAL.

Before proceed, run the following command to load Exchange Online Powershell commands:
$365Logon = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $365Logon -Authentication Basic -AllowRedirection
Import-PSSession $Session

Hide and Un-hide a mailbox user from Global Address Book:

Run the following command to hide a single mailbox user.
Set-Mailbox -Identity username@domain.com -HiddenFromAddressListsEnabled $true
The following command un-hide the given mailbox user from GAL.
Set-Mailbox -Identity username@domain.com -HiddenFromAddressListsEnabled $false

Hide multiple mailbox users from GAL:

We can use the Get-Mailbox cmdlet to fetch set of required mailboxes by applying proper filter and then pipe the results to Set-Mailbox command to hide every mailbox from GAL.
Get-Mailbox -ResultSize Unlimited | Where {$_.Office -eq "Office1"} |
Set-Mailbox -HiddenFromAddressListsEnabled $true

Import mailbox users from CSV and hide from GAL:

We may required to hide bulk mailboxes from Global Address Book, in this case we can store the mailbox user ids in csv file and import csv in powershell using Import-Csv cmdlet and pass every mailbox to Set-Mailbox cmdlet. Consider the CSV file Hide_Mailboxes.csv which contains mailbox users with the column header UserPrincipalName.
Import-Csv 'C:\Hide_Mailboxes.csv' | ForEach-Object {
$upn = $_."UserPrincipalName"
Set-Mailbox -Identity $upn -HiddenFromAddressListsEnabled $true
}

Export hidden mailboxes to CSV file:

We can use the powershell cmdlet Export-csv to export all the hidden mailbox users to csv.
Get-Mailbox -ResultSize Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $True} |
Select DisplayName,UserPrincipalName, HiddenFromAddressListsEnabled |
Export-CSV "C:\\Hidden_MailBoxes_GAL.csv" -NoTypeInformation -Encoding UTF8
Read More...

Thursday, 21 September 2017

Find mailboxes hidden from the GAL using Powershell

We can easily get the list of all mailboxes that are currently hidden from Global Address Book using the Exchange Powershell cmdlet Get-Mailbox. The Get-Mailbox cmdlet includes the property HiddenFromAddressListsEnabled and this property indicates whether the mailbox is hidden from GAL or not. So we can query the mailboxes with where filter by checking whether the property HiddenFromAddressListsEnabled is set to true or not.
Get-Mailbox -ResultSize Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $True}
You can run the following command if you want the output consist of only selected properties :
Get-Mailbox -ResultSize Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $True} |
Select DisplayName,UserPrincipalName, HiddenFromAddressListsEnabled
We can also export all the hidden mailbox users to csv by simply using Export-csv cmdlet:
Get-Mailbox -ResultSize Unlimited | Where {$_.HiddenFromAddressListsEnabled -eq $True} |
Select DisplayName,UserPrincipalName, HiddenFromAddressListsEnabled |
Export-CSV "C:\\Hidden_MailBoxes_GAL.csv" -NoTypeInformation -Encoding UTF8
Read More...

Tuesday, 19 September 2017

Set office 365 user's password to never expire using powershell

When you set password expiration policy for your Office 365 organization, it will apply to all Azure AD users. If you have requirements to set some individual user's password to never expire, you need to use Windows Powershell and you can achieve this by using the Azure AD Powershell cmdlet Set-MSOLUser.

Before proceed, connect to your online service by running the following command.
Import-Module MSOnline
$msolCred = Get-Credential
Connect-MsolService –Credential $msolCred

Set an individual user's password to never expire

Run the following command to set an user's password to never expire:
Set-MsolUser -UserPrincipalName <upn of user> -PasswordNeverExpires $true
For example, if the UserPrincipalName of the account is alexd@contoso.com, you can use below command:
Set-MsolUser -UserPrincipalName "alexd@contoso.com" -PasswordNeverExpires $true
You can find whether an user's password is set to never expire or not by running following command:
Get-MSOLUser -UserPrincipalName <upn of user> | Select DisplayName,PasswordNeverExpires

Set multiple users password to never expire

In some situations, we may required to update specific set of user's password to never expire. we can put the required user's upn in csv file and import the csv file and set passwordneverexpires setting. Consider the CSV file office365users.csv which contains users with the column header UserPrincipalName.
Import-Csv 'C:\office365users.csv' | ForEach-Object {
$upn = $_."UserPrincipalName"
Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $true;
}
Read More...

Thursday, 14 September 2017

Find SharePoint List items with unique permissions using powershell

We can easily find and retrieve SharePoint list items which has unique permissions using CSOM in Powershell. In this script, we are going to use GitHub open source library Load-CSOMProperties.ps1 to fetch extra properties (ex: HasUniqueRoleAssignments) in SharePoint CSOM API. You can refer this post : How to load additional CSOM properties in PowerShell for more details.

The following Powershell script get all files (or list items) which has unique (or explicit) permission entries from a given SharePoint Online document library. To use CSOM in Powershell, we need to load the required Microsoft SharePoint Online SDK assembly files.
#Add required references to SharePoint client assembly to use CSOM
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")

C:\Scripts\Load-CSOMProperties.ps1
  
$siteUrl="https://spotenant.sharepoint.com/sites/mysite1"
$UserName = "admin@spotenant.onmicrosoft.com"
$SecPwd = $(ConvertTo-SecureString 'myAdminPwd' -asplaintext -force) 
$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl) 
$credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($UserName,$SecPwd) 
$ctx.credentials = $credentials
$ctx.Load($ctx.Web)
$ctx.ExecuteQuery()
$list=$ctx.Web.Lists.GetByTitle("Documents")
$ctx.Load($list)
$ctx.ExecuteQuery()
$camlQuery = New-Object Microsoft.SharePoint.Client.CamlQuery
$camlQuery.ViewXml ="<View Scope='RecursiveAll' />";
$allItems=$list.GetItems($camlQuery)
$ctx.Load($allItems)
$ctx.ExecuteQuery()
 
foreach($item in $allItems)
{
Load-CSOMProperties -object $item -propertyNames @("HasUniqueRoleAssignments");
$ctx.ExecuteQuery();
if($item.HasUniqueRoleAssignments -eq $true)
{
Write-Host $item["FileRef"]
Write-Host "##############"
}
}
Read More...