Copy certificates from one server to another
So for some reason, which until now remains a mystery, certificates where missing in the Trusted root certificate authorities certificate store on one of our servers.
Of course one of the missing ones, was the one needed for a main part of the servers purpose, so that had to be fixed.
While the certificates mmc does permit the export on the source server and the import onto the broken one, working in the GUI, is just….
So I cooked up a Powershell script to do the job for me:
<#
.SYNOPSIS
Compares a given certificate store between 2 Windows machines. Copies missing to target if specified
.DESCRIPTION
The script compares the specified certificate store of the source machine against the target machine.
If the Write switch is specified, the missing certificates are copied from the source machine to the target machine
.PARAMETER SourceServer
Source Machine name
.PARAMETER TargetServer
Target Machine name
.PARAMETER CertStore
Certificate store to be checked
Possible values of the store:
My - Personal Store
Root - Trusted root certificate authorities
CertificateAuthority - Intermediate certificate authorities
AuthRoot - Third-party certificate authorities
.PARAMETER write
If specified, certificates missing on the target server will be copied to the target server
.INPUTS
System.String
.OUTPUTS
Console output
Certificates
.EXAMPLE
Check-MachineCerts.ps1 -SourceServer "SomeServer" -TargetServer "SomeServer" -certstore "AuthStore"
Outputs the certificates missing in the Third-party certificate authorities store on the target machine as compared to the source machine
.EXAMPLE
Check-MachineCerts.ps1 -SourceServer "SomeServer" -TargetServer "SomeServer" -certstore "My" -write
Outputs the certificates missing in the Personal Store on the target machine as compared to the source machine.
Copies the missing certificates to the target machine
.NOTES
Check-MachineCerts.ps1
by theAdminGuy - theadminguy.wordpress.com
#>
Param(
[Parameter(Mandatory=$true)][String]$SourceServer,
[Parameter(Mandatory=$true)][String]$TargetServer,
[Parameter(Mandatory=$true)]
[ValidateSet("My","Root","CertificateAuthority","AuthRoot")]
[String]$CertStore,
[Parameter(Mandatory=$false)][switch]$write
)
#
#Connect to the source Root store (readonly)
$sourceStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$SourceServer\$CertStore","LocalMachine")
$sourceStore.open("ReadOnly")
#connect to the target store (readwrite)
$targetStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$TargetServer\$CertStore","LocalMachine")
$targetStore.open("ReadWrite")
$sourceCerts = $sourceStore.certificates
$targetCerts = $targetStore.certificates
Function CheckPrecense(){
Param(
$sourcecert
)
[int]$intCertFound = "0"
$script:rtrCheckPrecense = "CertNotFound"
ForEach ($targetcert in $targetCerts){
$test = $sourcecert.Equals($targetcert)
if ($test -eq $true){
$intCertFound++
}
}
If ($intCertFound -ne "0"){
$script:rtrCheckPrecense = "CertFound"
}
} #end function
foreach ($sourcecert in $sourceCerts){
CheckPrecense $sourcecert
If ($rtrCheckPrecense -eq "CertNotFound"){
Write-Host `n`n $sourceCert.Subject " was not found on " $TargetServer
If ($write -eq $true){
Write-Host `n "Copying Certificate from " $SourceServer `n
$targetStore.Add($sourceCert)
}
}
}
Don’t judge me by the fact that the .Synopsis part of the script takes up half the lines in the script, but not being a programmer by trade, I am trying to improve on my documentation skills (as well as making myself able to reuse the script once I have forgotten it’s original purpose)
The script can be easily modified to also remove certs from the target, which is not present on the source.
Do let me know all your input, thoughts etc.
/theadminguy
Powershell One-Liners – Process Monitor
As a server admin, I often face a situation where I have to perform an action on the server, but some process is running, and I have to wait.
Rather than sitting around checking the server every 5 minutes, I set a Powershell one-liner monitor with notification:
powershell.exe -command "& {if (! (get-process -name TheService -erroraction SilentlyContinue)){Send-MailMessage -SmtpServer 'theSMTPServer.void.null' -from theserver@rack.room -To 'theadmin@void.null -Subject 'TheService is not running, check theServer'}}"
I simply add the above line same as in the Folder cleaner
/theadminguy
Powershell One-liners – Folder cleaning
Some application just log to much, and the log files tend to get huge.
Or maybe you have a situation where you just don’t need the log’s from the last 2 years, but would like to retain a few days back, in case of error:
Windows Scheduled task and Powershell to the rescue
powershell.exe -command "& {get-childitem -Path e:\IIS_Logs -Recurse| %{if ($_.CreationTime -lt ([DateTime]::Now.AddDays(-5))){remove-item $_.FullName}}}"
This will delete files older than 5 days in the targeted folder (IIS_logs) and all subfolders
I have tried to wrap this in a schtasks command, so far been unsuccessful.
In the Windows Server 2008 R2 GUI:
- Task Scheduler
- Create a basic task
- Give it a name and a description
- Choose the Task trigger and the properties for the selected trigger
- Choose the action (start a program)
- Add the path for powershell.exe in the program/script box and everything following to the Add arguments (optional) box
- Review and Finish.
- /theadminguy
Powershell One-liners – IP scanner
So why use powershell? I even heard someone say “this powershell is so over-rated, what does it offer, that cannot be done with cmd.exe and a another tool?”
Well, to me, that is exactly it, what does powershell offer, which cannot be done with cmd.exe?
What if you wanted just to check a defined range of IP’s in you managed subnet, to find which ones have live hosts on them?
[PS]# 1..100 | %{ping -n 1 -w 15 11.2.7.$_ | select-string "reply from"}
Reply from 11.2.7.83: bytes=32 time=5ms TTL=122
Reply from 11.2.7.84: bytes=32 time=7ms TTL=122
Reply from 11.2.7.85: bytes=32 time=6ms TTL=122
Reply from 11.2.7.86: bytes=32 time=6ms TTL=122
Reply from 11.2.7.87: bytes=32 time=6ms TTL=122
Reply from 11.2.7.89: bytes=32 time=6ms TTL=122
Reply from 11.2.7.91: bytes=32 time=6ms TTL=122
Reply from 11.2.7.95: bytes=32 time=6ms TTL=122
Reply from 11.2.7.99: bytes=32 time=6ms TTL=122
This one-liner ping’s the range from 1 to 100 and returns the machines which replied.
The point here is not, that only Powershell can do this on Windows, and I know that ping.exe is not a native powershell cmd-let and what if the host does not respond to ICMP…bla bla.. 
But this method is simple, fast and intuitive. No need for starting up a dedicated application, no fiddling with scripts, just get the job done, which in turn leaves more room for other stuff.
/theadminguy
Remove privileged folder in Windows 7
Ever found yourself in the situation where you wanted to delete a folder in Windows 7, but you can’t because it has special rights in some way?
An example of such a folder could be the %windir%\winsxs.
In my case I had attached a virtual disk file (.vmdk) from one virtual machine to a new virtual machine.
So I wanted to clean this disk of the unneeded Windows folder, but as this folder as well as most of the subfolders are owned by TrustedInstaller, not by the local Administrators group. For the %windir%\winsxs folder, the administrators group as well as the local system user (NT Authority\System) has only read access to the files.
In order to delete the folder you have to do two things:
- Take ownership of the folder and files
- Grant the required user at least write access to the folder and files so they can be deleted
The above can be done using the %windir%\system32\takeown.exe and the %windir%\system32\Icacls.exe
If doing this on one machine, then you could just run the respective command lines:
- takeown.exe /F d:\windows /R /D Y
- Icacls.exe d:\windows /grant *<UserSID>:(F) /T /C
But if you ever have to repeat it, then it should have been scripted:
############
#Set-RestrictedFolderRights.ps1
#Set-RestrictedFolderRights -folder
############
param([string]$Folder="")
if($Folder -eq ""){Write-Host "Please specify folder...";Break}
############
#Functions
############
Function Get-UserSID(){
$sCurrentUser = [system.environment]::UserName
$sCurrentUserdomain = [system.environment]::Userdomain
$objUser = New-Object System.Security.Principal.NTAccount($sCurrentUserdomain, $sCurrentUser)
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
}#end function Get-UserSID
############
#Main Script
############
$sSysFolder = ([system.environment]::SystemDirectory)
$sArgsA = '/F '+$Folder+' /A /R /D Y'
#grant ownership of the folder and all subfolders to the administrators group..
Start-Process -wait -FilePath "$sSysFolder\takeown.exe" -ArgumentList $sArgsA
#grant the logged on user full control of the folder and it's entire content
$sArgsB = $folder+' /grant *'+(Get-UserSID)+':(F) /T /C'
Start-Process -wait -FilePath "$sSysFolder\icacls.exe" -ArgumentList $sArgsB
The script takes the target folder as a parameter and then sets the rights:
PS > Set-RestrictedFolderRights -folder d:\Windows
After that the folder can be deleted.
A word of caution, there is no error checking in the script, so if you target the %systemroot% (usually c:\windows), the rights will be altered. As the script only adds permissions, the impact is not that huge, if the folder is not deleted after. But the rights are set in this manner for a reason
http://technet.microsoft.com/en-us/library/cc731677(WS.10).aspx
/theadminguy
Export DHCP scopes and their address pools to a csv file
Because I love regular expressions, and I had a need for it, I have modified my previously posted DHCP export script:
$a = (netsh dhcp server 1.1.1.1 show scope) $lines = @() #start by looking for lines where there is IP present foreach ($i in $a){ if ($i -match "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"){ $lines += $i.Trim() } } $csvfile = @() $lines2 = @() foreach ($l in $lines){ $Row = "" | select Subnet,SubNetMask,ScopeStart,ScopeEnd,Location $l = $l + "`n" $l = $l -replace '-Active','' $l = $l -replace '-',',' $l = $l -replace '\s','' $Row.Subnet = ($l.Split(","))[0] $c = $Row.Subnet $Row.SubNetMask = ($l.Split(","))[1] $Row.Location = ($l.Split(","))[2] $b = (netsh dhcp server 1.1.1.1 scope $c show iprange) foreach ($i2 in $b){ if ($i2 -match "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" -and $i2 -notmatch 'Changed the current scope context to' ` -and $i2 -notmatch 'No of IP Ranges : 1 in the Scope'){ $lines2 += $i2.Trim() } } Foreach ($l2 in $lines2){ $l2 = $l2 -replace '-',',' $l2 = $l2 -replace '\s','' $Row.ScopeStart = ($l2.Split(","))[0] $Row.ScopeEnd = ($l2.Split(","))[1] } $csvfile += $Row } $csvfile | sort-object Subnet | Export-Csv "C:\Users\Public\Documents\DHCPExport.csv"
The script put all the server scopes into a variable and then processes it.
As the netsh output is filled with headers and other stuff, quite a number of trims and –replacements are done.
The whole thing is then put into a csv file.
As usual any hints and pointers are welcomed.
/theadminguy
ESX VM guest listed as (invalid)
So we had a massive maintenance on one of our ESX clusters. The maintenance entailed the complete shutdown of all VMs and hosts in the cluster. The entire task went relatively fine, with the exception of the usual stuff like:
- HA configuration failed to apply to most of the hosts when they were powered on. Fix for this issue is straight forward: Disable HA for the cluster and re-enable it.
The upside to disabling HA when having to power-on multiple VMs (350+) is that they power-on faster, as the VMs do not have to go through HA admission control and you will of course receive no HA related errors 
- Job queuing in VI causing VMs to take some time to power-on
It appears to me that VI just throws all jobs in a pool and try to get to them as fast as possible. I would like the option to tell it to process a set amount of jobs at a time. This can of course be achieved with the power of shell, but if anybody knows how it can be done in the GUI, let me know.
But what about the invalid VM?
Well, one of the machines came up with the name in italics and with an (invalid) appended to the name… Of course the GUI did not provide much help. When attempting to power on the machine, the only message I got was a “not allowed in the the current state”
Directed by this post: http://itsupportjournal.com/2008/12/09/fix-invalid-guest-on-virtual-center/ I started checking my .vmx file for errors and found.. none. As it turns out, my issue was in the extended config file (.vmxf)
This is what was in there:
I started scratching my head, as it was obvious that the invalid came from this file, but how to create a new one, when the .vmxf file contains a unique identifier type string amongst others:
(?xml version="1.0"?) (Foundry) (VM) (VMId type="string")52 fc dd 7e 09 fa ac 07-46 87 01 ad 28 e5 ca 98(/VMId) (ClientMetaData) (clientMetaDataAttributes/) (HistoryEventList/)(/ClientMetaData) (vmxPathName type="string")vmname.vmx(/vmxPathName)(/VM)(/Foundry)
Well sometimes the easy solution is the right one (love when that happens
- Unregister the invalid VM in VI
- Open the datastore browser and browse to the folder containing the VM
- Rename the original .vmxf file.
- Register the VM in VI from the datastore browser (right-click –> Add to inventory –> Step through the wizard)
- A new and proper .vmxf file is generated
- Power-On the VM
Do let me know if there is any way of “hand creating” the extended config file. Not that it is very useful if it can be automatically generated, but it would be cool to be able to do it…
/theAdminGuy
Modify Disk layout in Windows using powershell – updated version
At work one of my colleagues is fond of the phrase: Assume – makes and ass of you and me
Now this has, again, become very appropriate for me to use:
In my first post of the disk layout script, found here, I wrote with assumption and confidence: “but should also work on Windows Server 2003, if it does not then I have to redo the Altiris job”…
So I have redone the Altiris job powershell script:
#first we find and initialize physical disks with no partitions $drives = gwmi Win32_diskdrive $scriptdisk = $Null $script = $Null $OSversion = (((Get-WmiObject Win32_operatingsystem).version).ToString()).Split('.')[0] foreach ($disk in $drives){ if ($disk.Partitions -eq "0"){ $drivenumber = $disk.DeviceID -replace '[\\\\\.\\physicaldrive]','' If ($OSversion -eq "5"){ $script = @" select disk $drivenumber online noerr create partition primary noerr "@ } ElseIf ($OSversion -eq "6"){ $script = @" select disk $drivenumber online disk noerr attributes disk clear readonly noerr create partition primary noerr format quick "@ } } $drivenumber = $Null $scriptdisk += $script + "`n" } $scriptdisk | diskpart #then we will move the CDRom drive to x: (gwmi Win32_cdromdrive).drive | %{$a = mountvol $_ /l;mountvol $_ /d;$a = $a.Trim();mountvol x: $a} #then we will assign letters and labels to physical drives # thanks to powershell.com for this bit #(http://powershell.com/cs/blogs/tips/archive/2009/01/15/enumerating-drive-letters.aspx) $volumes = gwmi Win32_volume | where {$_.BootVolume -ne $True -and $_.SystemVolume -ne $True} $letters = 68..89 | ForEach-Object { ([char]$_)+":" } $freeletters = $letters | Where-Object { (New-Object System.IO.DriveInfo($_)).DriveType -eq 'NoRootDirectory' } foreach ($volume in $volumes){ if ($volume.DriveLetter -eq $Null){ If ($OSVersion -eq "5"){ mountvol $freeletters[0] $volume.DeviceID format $freeletters[0] /FS:NTFS /q /y } Else { mountvol $freeletters[0] $volume.DeviceID } } $freeletters = $letters | Where-Object { (New-Object System.IO.DriveInfo($_)).DriveType -eq 'NoRootDirectory' } }
As it turns out, diskpart v5.2 does not support either the online disk command nor the format quick command, which is why I have had to add OS filtering (got to love the one-liner and the format command.
I have also had to remove the $_.DriveType -eq "3", as an unformated primary partition under Windows Server 2003 R2 does not have a drivetype defined. But in order to salvage some honor, I’ll call that optimization, as it is actually not required, because that part of the script only assigns drive letters to volumes without one, and both the floppy and CDRom have one already.
/theadminguy
Export DHCP leases to html using powershell – update
There was a minor quirk in the original script, as lease dates where being mixed with hostnames in the final output html. As it turns out it was all a matter of what date it was, when I created the script
Line 21 in the original:
$l = $l -replace '[-]{1}\d{2}[/]\d{2}[/]\d{4}',''
matches dates in the following format: -xx/yy/zzzz but not -x/yy/zzzz or for that matter -xx/y/zzzz.
The correct –replace should have been:
$l = $l -replace '[-]{1}\d{1,2}[/]\d{1,2}[/]\d{4}',''
Thanks you for the comments, which was the final spark to get me to fix it in my production environment
Modify disk layout in Windows using powershell
So I have been configuring the company Altiris server (I love that tool) with some new jobs.
One of the headaches of past times, for me anyway, has been the modification of the disk layout, e.g. cd-rom must have letter so, a random number of physical disks must be formatted etc.
This is the powershell solution that I ended up with:
#first we find and initialize physical disks with no partitions $drives = gwmi Win32_diskdrive $scriptdisk = $Null $script = $Null foreach ($disk in $drives){ if ($disk.Partitions -eq "0"){ $drivenumber = $disk.DeviceID -replace '[\\\\\.\\physicaldrive]','' $script = @" select disk $drivenumber online disk noerr attributes disk clear readonly noerr create partition primary noerr format quick "@ } $drivenumber = $Null $scriptdisk += $script + "`n" } $scriptdisk | diskpart #then we will move the CDRom drive to x: (gwmi Win32_cdromdrive).drive | %{$a = mountvol $_ /l;mountvol $_ /d;$a = $a.Trim();mountvol x: $a} #then we will assign letters and labels to physical drives # thanks to powershell.com for this bit #(http://powershell.com/cs/blogs/tips/archive/2009/01/15/enumerating-drive-letters.aspx) $volumes = gwmi Win32_volume | where {$_.BootVolume -ne $True -and $_.SystemVolume -ne $True -and $_.DriveType -eq "3"} $letters = 68..89 | ForEach-Object { ([char]$_)+":" } $freeletters = $letters | Where-Object { (New-Object System.IO.DriveInfo($_)).DriveType -eq 'NoRootDirectory' } foreach ($volume in $volumes){ if ($volume.DriveLetter -eq $Null){ mountvol $freeletters[0] $volume.DeviceID } $freeletters = $letters | Where-Object { (New-Object System.IO.DriveInfo($_)).DriveType -eq 'NoRootDirectory' } }
The script has been tested in PSHv2 installed on Windows Server 2008 and in native Windows 2008 R2 PSH, but should also work on Windows Server 2003, if it does not then I have to redo the Altiris job - Update 14-11-2009: As it turns out the above will not work under Windows server 2003 – the updated version can be found here
The script first gets all the physical disks which have no partitions. Then it creates a script for use with diskpart. Once all physical disks are formatted, driveletters are assigned. First we move the cd-rom drive to x: then we loop through all volumes which are not BootVolume (e.g. c:\) or SystemVolume (W2k8 R2 reserved system partition)
Throw some comments or input to improve. I am particularly interested in a way to do this using .NET, so I do not have to use diskpart.
