bulk

Creating Security Groups for File Shares in Bulk using PowerShell

Posted on February 8, 2017 by mo wasay Information Technology Windows

Security Groups are great for managing large groups for permissions. A client requested that they needed to have Read-Only, Read-Write, and Ready-Modify (allow for deleting) for all their file shares for better management.

Getting the Share Names

In order for me to create the groups I needed the share names. PowerShell to the rescue!

Type the following on the File Server/ Cluster to list all the shares and capture the output in a text file:

WmiObject -class Win32_Share -computer <yourfileserver.fqdn) | Out-File c:\scripts\shares.txt

1	WmiObject -class Win32_Share -computer <yourfileserver.fqdn) \| Out-File c:\scripts\shares.txt

On your file-server you may have a lot of share but for example purposes I am showing just one.

Output should be similar to:

Cleaning up the Share Names

Now that we have the Share names we need to do a bit of cleanup to avoid having duplicates.

We need to remove all entries for hidden shares “$”
We need to remove duplicates
We need to change the case of the share names to lower case. ( I prefer lowercase but you can decide to do what best fits your needs)

Follow my guide to removing duplicates in a text file using NotePad++

Once the sharenames are clean save it to a text file.

Client Requirement for the Security Groups:

For each file share there are three security groups needed:

<Sharename>_RO : Read-Only
<Sharename>_RW : Read & Write
<Sharename>_RM : Read & Modify

For PowerShell to do this I needed to create a .CSV file with all the security group entries. Now, there are many ways this can be done. I will share what I have been doing.

Open up Microsoft Excel and copy the share on a column to the right (lets say K2)

Now on Cell A2 your value should be =CONCATENATE(K2,"_RW") and drag it down.

It should look something like this:

Do the same for RO & RM. Now you have all the security groups names you need to create.

Create a file called FileShares_Groups.csv using the following format.

Create the file Create Security Groups for File Shares.ps1

.NOTES
	File Name:
	Author: Mohammed Wasay
	Contact Info:
		Website:www.mowasay.com
		Twitter:@wasay
	Requires:
	Tested:
.PARAMETER
    None

.EXAMPLE
    .\Create Security Groups for File Shares.ps1
#>
#Import Active Directory Module
Import-Module ActiveDirectory

$csv = Import-Csv -Path "c:\scripts\FileShares_Groups.csv"

ForEach ($item In $csv)
    {
        $create_group = New-ADGroup -Name $item.GroupName -GroupCategory $item.GroupCategory -groupScope $item.GroupScope -Path $item.OU
        Write-Host -ForegroundColor Green "Group $($item.GroupName) created!"
    }

.NOTES

File Name:

Author: Mohammed Wasay

Contact Info:

Website:www.mowasay.com

Twitter:@wasay

Requires:

Tested:

.PARAMETER

None

.EXAMPLE

.\Create Security Groups for File Shares.ps1

#Import Active Directory Module

Import-Module ActiveDirectory

$csv = Import-Csv -Path "c:\scripts\FileShares_Groups.csv"

ForEach ($item In $csv)

{

$create_group = New-ADGroup -Name $item.GroupName -GroupCategory $item.GroupCategory -groupScope $item.GroupScope -Path $item.OU

Write-Host -ForegroundColor Green "Group $($item.GroupName) created!"

}

Copy the two files: FileShares_Groups.csv & Create Security Groups for File Shares.ps1 into a folder called C:\scripts on the Domain Controller.

Run the PowerShell script and see the security groups get created.

Set password never to expire for users in a particular domain (Bulk mode)

Posted on January 3, 2017 by mo wasay Office 365

Let me start by saying that I don’t recommend doing this at all.

Password Never Expires is bad security practice, but there are situations that might require it.

I had a similar request on how this could be done.

Setting it for multiple users:

#Connect of Office365
Import-Module MSOnline
$O365Cred = Get-Credential
$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
Connect-MsolService –Credential $O365Cred 

#Get a List of user that belong to the second domain
$SDusers = Get-MsolUser -All -DomainName "yourseconddomain.com"

#Setting the password never to expire
ForEach($SDuser in $SDusers)
{
    Set-MsolUser -UserPrincipalName $SDuser -PasswordNeverExpires $true
}

#Connect of Office365

Import-Module MSOnline

$O365Cred = Get-Credential

$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $O365Session

Connect-MsolService –Credential $O365Cred

#Get a List of user that belong to the second domain

$SDusers = Get-MsolUser -All -DomainName "yourseconddomain.com"

#Setting the password never to expire

ForEach($SDuser in $SDusers)

{

Set-MsolUser -UserPrincipalName $SDuser -PasswordNeverExpires $true

}

Setting it for a single user:

Get-MSOLUser -UserPrincipalName user@domain.com | Select PasswordNeverExpires

1	Get-MSOLUser -UserPrincipalName user@domain.com \| Select PasswordNeverExpires

Active Directory: Changing passwords for users in bulk using a .csv file

Posted on October 13, 2016 by mo wasay Office 365 Windows

Many accounts in your AD might need a password change. What if you want to do this in bulk ?

First, we need to the userlist. Depending on your requirements we need to get a list of users (specifically samaccountname). For random password generation I recommend using http://manytools.org/network/password-generator/ as it can generate up 1000 for free.

Here is what my UserList.csv look like:

sAMAccountName,Password
test1,gqLfZub$OtO#dBg
test2,6eXq78gTyx$YjmM
test3,ZNgl!KdYo7U6yzR
test4,voiIs!TISw!Wcyc
test5,W7ZBTAe7CWcFzyn
test6,BykgCY5b*NGFO5!
test7,3ApLlchwgRQwf1P
test8,9jZvvR2$wDggf3M
test9,*QCDjcgnNLkBDP1
test10,sZpvUnvjJxAE9HE
test11,$C8TX!tcS3d#MjK
test12,Pzw*aH6zjpOx8Wj
test13,XmfIPiIz82!!X77
test14,ri!!hQX!w!FSZuI
test15,S0Gzf6fEUsG!4Ib
test16,Kj8s!vy94S!ozLJ
test17,PzFzjP7obALeuWa
test18,Ri5V2laxxck6Rgg
test19,Rw8KcX*FoMT#gr1
test20,QDndAgzdYo5CYX!

sAMAccountName,Password

test1,gqLfZub$OtO#dBg

test2,6eXq78gTyx$YjmM

test3,ZNgl!KdYo7U6yzR

test4,voiIs!TISw!Wcyc

test5,W7ZBTAe7CWcFzyn

test6,BykgCY5b*NGFO5!

test7,3ApLlchwgRQwf1P

test8,9jZvvR2$wDggf3M

test9,*QCDjcgnNLkBDP1

test10,sZpvUnvjJxAE9HE

test11,$C8TX!tcS3d#MjK

test12,Pzw*aH6zjpOx8Wj

test13,XmfIPiIz82!!X77

test14,ri!!hQX!w!FSZuI

test15,S0Gzf6fEUsG!4Ib

test16,Kj8s!vy94S!ozLJ

test17,PzFzjP7obALeuWa

test18,Ri5V2laxxck6Rgg

test19,Rw8KcX*FoMT#gr1

test20,QDndAgzdYo5CYX!

Make sure you do the following on a domain controller or connecting to your domain controller via PS-remote with elevated permissions.

Run this in PowerShell (Open PowerShell in Admin Mode)

PowerShell:

Import-Module Active Directory
$Resetpassword = Import-Csv "c:\_Scripts\UserList.csv"

foreach ($Account in $Resetpassword) {
    $Account.sAMAccountName
    $Account.Password
        Set-ADAccountPassword -Identity $Account.sAMAccountName -NewPassword (ConvertTo-SecureString $Account.Password -AsPlainText -force) -Reset
}

Import-Module Active Directory

$Resetpassword = Import-Csv "c:\_Scripts\UserList.csv"

foreach ($Account in $Resetpassword) {

$Account.sAMAccountName

$Account.Password

Set-ADAccountPassword -Identity $Account.sAMAccountName -NewPassword (ConvertTo-SecureString $Account.Password -AsPlainText -force) -Reset

}

-Reset
Specifies to reset the password on an account. (User is not prompted to change password).
To use this parameter, you must set the -NewPassword parameter.
You do not need to specify the -OldPassword parameter.

Excel: Check email addresses in bulk if format is correct or not

Posted on August 25, 2016 by mo wasay Windows

So had a request today to clean up email addresses as some of them were not valid. This was needed for over 1500 email addresses.

So used the formula below and was able to find all addresses that were “FALSE”. I filtered them out and was able to fix them as needed.

Here’s what you need to do:

If your e-mails are in A column, go in the B column and in the B1 cell and copy paste this code:

=AND(FIND("@";B2);FIND(".";B2);ISERROR(FIND(" ";B2)))

1	=AND(FIND("@";B2);FIND(".";B2);ISERROR(FIND(" ";B2)))

Then, go down and left on the B1 cell so you can copy and paste the code to the other cells. For all the valid e-mails, it will give you ‘TRUE’ and for the invalid ‘FALSE’.

2016-08-25_14-34-49

Change the password age in bulk for Active Directory accounts

Posted on July 21, 2016 by mo wasay Windows

Ran into an interesting situation where pretty much all domain accounts did not follow the default password policy and had the option of ‘password never expires’ checked. I needed to fix this immediately without impacting the users and expiring any accounts that may affect the business.

I needed to adjust the password age for all domain accounts so that they follow the password aging policy. Typically a password age policy is upto 90 days. Powershell to the rescue:

Import-Module ActiveDirectory

$list= Get-ADUser -SearchBase "DC=yourdomain,DC=local" -Properties samaccountname -Filter *
foreach ($entry in $list) {
	$sam = $entry.samaccountname 
 
	$todouser = Get-ADUser $sam -Properties pwdLastSet -Server yourdomaincontroller.local
     
	$todouser.pwdLastSet = 0 
	Set-ADUser -Instance $todouser 
     
	$todouser.pwdLastSet = -1 
	Set-ADUser -Instance $todouser 
}

Import-Module ActiveDirectory

$list= Get-ADUser -SearchBase "DC=yourdomain,DC=local" -Properties samaccountname -Filter *

foreach ($entry in $list) {

$sam = $entry.samaccountname

$todouser = Get-ADUser $sam -Properties pwdLastSet -Server yourdomaincontroller.local

$todouser.pwdLastSet = 0

Set-ADUser -Instance $todouser

$todouser.pwdLastSet = -1

Set-ADUser -Instance $todouser

}

So now that all the accounts have a password age of 1 day. Time to uncheck that ‘password never expires’ box. Now for some service and system accounts I wanted them to have password never expires. So now I needed to work with a filtered set.

I grabbed the accounts I wanted and was able to save them in a .CSV file.

change.csv contents:

SamAccountName
Aespinoza
ahernandez
aray

SamAccountName

Aespinoza

ahernandez

aray

Now to perform the task on each account:

import-csv C:\ServerCleanup\change.csv | ForEach-Object {Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires:$FALSE}

1	import-csv C:\ServerCleanup\change.csv \| ForEach-Object {Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires:$FALSE}

Hope this helps if you run into a similar situation.

Bulk removal of Password Never Expires checkbox in AD

Posted on July 23, 2015 by mo wasay Windows

No one intends this but it is a problem that sooner or later you will be come across in your system administrator career.

I’ve see this resolved many different ways, but I like to narrow it down to a particular OU. Depending on your case you may want to clean this across the board in AD.

Here is command prompt to the rescue:

dsquery user "OU=Microsoft,DC=Redmond,DC=CORP,DC=LOCAL" -limit 4000 | dsmod user -pwdneverexpires no

1	dsquery user "OU=Microsoft,DC=Redmond,DC=CORP,DC=LOCAL" -limit 4000 \| dsmod user -pwdneverexpires no

I haven’t tried this, but some have said the following works in Powershell:

For OU:

Get-ADUser -Filter {(ObjectClass -eq "user")} -SearchBase "OU=Offices,DC=Contoso,DC=com" | Set-ADUser -PasswordNeverExpires:$FALSE

1	Get-ADUser -Filter {(ObjectClass -eq "user")} -SearchBase "OU=Offices,DC=Contoso,DC=com" \| Set-ADUser -PasswordNeverExpires:$FALSE

For AD:

Get-ADUser -Filter {(ObjectClass -eq "user")} | Set-ADUser -PasswordNeverExpires:$FALSE

1	Get-ADUser -Filter {(ObjectClass -eq "user")} \| Set-ADUser -PasswordNeverExpires:$FALSE

bulk

Set password never to expire for users in a particular domain (Bulk mode)

Setting it for multiple users:

Setting it for a single user:

Active Directory: Changing passwords for users in bulk using a .csv file

Excel: Check email addresses in bulk if format is correct or not

Change the password age in bulk for Active Directory accounts

Bulk removal of Password Never Expires checkbox in AD

Categories

Archives

Meta

bulk

Getting the Share Names

Cleaning up the Share Names

Client Requirement for the Security Groups:

Setting it for multiple users:

Setting it for a single user:

Categories

Archives

Tags

Meta