SysAddict

Note to self: double check what the network guys are doing

2014-10-13T22:28:00.000+02:00

You ask twelve servers on each site with two dedicated gigabit network ports per server for replication. You specifically ask LACP to be implemented on these network ports and you specifically tell the network team that the servers will use the replication interface to replicate over the other site.

When you check the ordered hardware by the networking team you realise they interconnected the switches on both site with a 1 gigabit interface. Duh!

How to get distribution group members recursively with powershell?

2013-12-16T21:34:00.000+01:00

On a current Migration project from an Exchange 2010 forest to another I was asked to migrate existing distribution groups containing multiple levels of nesting to flat distribution groups. Thought you'd be able to do this with a one-liner based on the Get-DistributionGroupMember cmdlet?

The Problem

Unfortunately Get-DistributionGroupMemer does not provide a -recusive switch nor does the Get-Member cmdlet. So in order to retrieve every member you will have to come up with your own recusive definition.

However two things could turn up badly when doing so.

You could very well include a single member several times as he could be a member of several nested distribution groups.
You could also go on ad infinitum if you don't pay attention to the fact that a group can be a member of one of his members group.

With a clean solution to the above two points the rest is just a basic recusive definition. Let's move on to the solution of the above two points.

The Solution

Technically, I guess, there are many ways to address the above problems. However one way or another it will end-up being some kind of memory implementation.

You want to know if you already visited a group and skip it if it is the case and you want to know which members you already accounted for.

I decided to go with two lists:

a members list that would contain all members I want to collect.
a processed list that would contain all groups I already processed.

Technically I decided to go for HashSets that would contain the members and processed elements. The reason being as follows:

Since it is a set I don't need to worry about adding a member several times because the data structure will protect me from this.
I can spare myself some coding since I can both add a new element and test if it was already there in only one instruction (as can be seen below).
Since it is a HashSet it is quite optimized which is a bonus.

The Script

The below script is just an example and doesn't actually do anything with the members but printing them on the console.

To test it simply save it into a .ps1 file and change the group name on the third line with whatever group you want to list the members of instead of TestRoot.

Add-Type -AssemblyName System.Core
 
$group = Get-Group "TestRoot"
$members = new-object 'System.Collections.Generic.HashSet[string]'
$processed = new-object 'System.Collections.Generic.HashSet[string]'
$processed.Add($group.DistinguishedName) | Out-Null

function Get-Members ($group, $members, $processed) {
    $group.members | ForEach-Object {
        $group = $null
        $group = Get-Group $_ -erroraction silentlycontinue
        if ($group) {
            if ($processed.add($group.DistinguishedName)) {
                Get-Members -Group $group -Members $members -Processed $processed
            }
        }
        else {
            if ($members.add($_.DistinguishedName)) {
                $_.DistinguishedName
            } 
        }
    }
}
 
Get-Members -Group $group -Members $members -Processed $processed

Securely storing passwords with Powershell

2013-02-17T20:00:00.000+01:00

I just stumbled upon the Data Protection API from Microsoft that easily solves the problem of storing passwords and other sensitive data in scripts. It is really simple to use it from Powershell as can be seen below.

How to protect data?

The snippet provided here accepts a string and a file name as input and will store the encrypted string into the specified file.

Add-Type -assembly System.Security
function New-Password($password, $file)
{
    $plainText = [System.Text.Encoding]::Unicode.GetBytes($password)
    $cipherText = [System.Security.Cryptography.ProtectedData]::Protect( $plainText, $null, 'CurrentUser')
    $cipherText | Set-Content -Encoding byte -Path $file
}

How to unprotect data?

The function defined here takes the data from the file, decrypt it and transforms it back into a string. Simple enough!

Add-Type -assembly System.Security
function Get-Password($file)
{
    $cipherText = Get-Content -Encoding byte -Path $file
    $plainText = [System.Security.Cryptography.ProtectedData]::Unprotect($cipherText, $null, 'CurrentUser')   
    $password = [System.Text.Encoding]::Unicode.GetString($plainText)
    $password
}

You have no excuse anymore to store your password in clear text inside your scripts!

Powershell: Leveraging the .NET framework

2013-01-29T08:47:00.000+01:00

When I first started out writing powershell scripts I had a strong tendency to use my existing knowledge of Windows instead of using the power of the .NET framework that was available.

The Command Line Way

As an example lets look at name resolution. Let's suppose I am at a command prompt troubleshooting some kind of problems and my troubleshoot involves performing a DNS lookup. Most probably I will use nslookup to get the desired result.

H:\>nslookup gmail.com
Server: anycast-fwd2-be.nw.shared.fortis
Address: 164.140.79.2
Non-authoritative answer:
Name: gmail.com
Addresses: 173.194.34.150, 173.194.34.149

NsLookup is a reliable tool I've been using since I've been working with computers. It never failed me. Now I am writing a simple script that needs to do a DNS lookup. Why not use nslookup here too? Powershell is still a shell and it will let me use any command line tool I'm used to. It shouldn't then be too tricky to parse the answer?

Since NSlookup is a command line tool I get a bunch of strings as a result of executing the tool from within Powershell. More precisely I get an array of Strings. Now I could go on
and establish some kind of for loop that will iterate over each string and parse the string to get the answer. However this is where powershell becomes troublesome. Indeed altough is is used as a shell
by administrators it does not easily befriend with command line tools IT administrators are used to.

The Powershell Way

Instead PowerShell likes the .NET Framework which is full of usefull classes. In this particular instance it seems like the DNS class has everything we need to do a DNS lookup. In particular the GetHostAddresses (Returns the Internet Protocol (IP) addresses for the specified host) function seems about perfect. And instead of returning a bunch of strings to be parsed it will return a bunch of System.Net.IPAddress objects. Perfect!

$Name = "NameOfTheMachine
try { $dns = [System.Net.Dns]::GetHostAddresses($Name) }
catch [System.Net.Sockets.SocketException]
{
    Write-Host "Host Unknown"
}
catch
{
    Write-Host "A problem occured"
}
Write-Host $dns

This is a lot easier than using the equivalent command line tool and it enables easy error checking.

Windows 8, Hyper-V and a USB disk

2012-11-06T20:38:00.001+01:00

Since Hyper-V is now included in Windows 8 I decided to drop altogether using other Client Virtualization softwares such as VMware Workstation or Oracle VirtualBox for the time being and give Microsoft a chance.

It turns out that Hyper-V is not yet very user friendly as a client side virtualization software. While setting up some machines I wanted to give them access to my external USB disk. As it turns out there is no setting anywhere that enables me to share my USB disk with a Hyper-V virtual machine on Windows 8.

Instead I had to go to computer management and set the external disk as offline. This then enables me to add it to a virtual machine by adding another disk in the settings. Doing so requires the machine to be shutdown otherwise it would be to easy.

As soon as I copied over a couple of files I needed to mount an iso file that was on that particular external disk. Again, Shutdown the virtual machine, remove the external disk from the settings of the machine, go to computer management, set the disk online, go to the virtual machine settings, select the DVD drive, select the iso you want to mount, boot the virtual machine, here you go!

While this is not a show stopper and I'll probably keep using Hyper-V for now it is quite frustrating...

How to transform a secure string into an unencrypted string?

2012-05-20T17:38:00.001+02:00

If you've been working with powershell you probably already know the Get-Credential cmdlet. This cmdlet lets you prompt the user for his username and a password and stores that information into a System.Management.Automation.PSCredential object.

Subsequently you can use the PSCredential object any place you need a credential. Really, can you? Well actually not. Not so long a ago, I was writing a powershell script in an environment where WinRM (Powershell Remoting) was not supported and was playing around with a combination of psexec and Get-WmiObject in order to get the job done. The Get-WmiObject cmdlet accepts a PSCredential object as a parameter so I could ask the user for his credentials and then starts querying wmi all around the place whith the supplied credentials. All was good. On the other hand psexec accepts two parameters regarding credentials. You can supply the username after the -u switch and the password after the -p switch. A username and a password can be retrieved from a PSCredential object in the followinf way:

$credential = Get-Credential

Write-Host $credential.UserName #Retrieves the username
Write-Host $credential.Password #Retrieves the password

This little snippet prompts the user for his credentials and then writes in the console the username and the password. However the password is written out as "System.Security.SecureString". A System.Security.SecureString object stores an encrypted string instead of a plain string for security reasons. The SecureString has more features you can read about on msdn. Altough this is a much more secure way of storing sensitive information it cannot be passed along directly to programs like psexec which expects the password to be provided in clear text.

In order to retrieve the password or the unencrypted string you'll need to use the InteropServices. The below snippet realizes just that by allocating unmanaged memory space for the SecureString with SecureStringToBSTR and converting that unmanaged string back to a managed one with PtrToStringAuto. The end result is a standard .NET unencrypted string.

$pw = $credential.password
$intPtr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
$stringValue = [Runtime.InteropServices.Marshal]::PtrToStringAuto($intPtr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr)

I hope this can help you manage your code and leverage the Get-Credential cmdlet for all sort of use cases.

Powershell: How to return an array from a function?

2011-10-29T19:16:00.000+02:00

Today I discovered a neat little trick to return a multidimensional array from a Powershell function. While this should be an apaprently easy task it does not work the intuitive way. Indeed a .NET System.Array type implements the IEnumerable interface. When returning this object type from a function Powershell will enumerate it and store the enumerated data in a one dimensional array of objects. The Queue, ArrayList, SortedList, etc. types will behave the same way. All types that implement IEnumerable will.

Look at the code snippet below. Intuitively I would think this code would return a two dimensional array of integers (System.Int32). However what is returned is a one dimensional array of objects.

function Get-Array1 {
    $table = New-Object 'int[,]' 2,2
    $table[0,0] = 0
    $table[0,1] = 1
    $table[1,0] = 2
    $table[1,1] = 3
    return $table
}
 
$res = Get-Array1
Write-Host $res.gettype() # System.Object[]

So What is the trick to actually return the desired two dimensional array?

First lets make sure we understand what Powershell does to our returned variable. Since the variable is of type IEnumerable then it will enumerate it and will return the objects inside the IEnumerable object. If there is only one object it will return that. If there are many it will return each of them inside an array of object.

Since what we want is the multidimension array created inside the function we have to make sure it doesn't get enumerated but actually returned. The trick is to make our IEnumerable object the only member of another IEnumerable object. When returned the wrapper object gets enumerated and contains only one object (our multidimensional array) which is then returned.

In the below snippet, the returned object is wrapped in a one dimensional array by preceding it with a comma.

function Get-Array2 {
    $table = New-Object 'int[,]' 2,2
    $table[0,0] = 0
    $table[0,1] = 1
    $table[1,0] = 2
    $table[1,1] = 3
    return ,$table
}
 
$res = Get-Array2
Write-Host $res.gettype() # System.Int32[,]

PowerShell Syntax HighLighting Test

2011-10-24T13:00:00.001+02:00

This is a powershell syntax highlighting example:


ForEach ($line in $file) {
  Write-Host $line
}

I used the SyntaxHighlighter from Alex Gorbatchev that can be found at http://alexgorbatchev.com/SyntaxHighLighter.

Hello

2011-10-20T20:14:00.000+02:00

Ok this is the first post and official start of this blog. Stay tuned for more interesting stuff to come regarding system administration and scripting in particular.