Replicate all group members from Group A to Group B in Powershell

This is going to be a very quick article that will show you how to simply replicate all members from a group over to another group with the AD powershell module.

There are mainly two different goals:

  1. You want to replicate all group members from Group A to Group B in Powershell, as they are.
  2. You want to replicate all users that are in Group A recursively to Group B.

Case 1

Simple enough, this will grab every member as it is (either a user, a group or any other object) and add it to Group B.

Case 2

The difference between case 1 and 2 is -Recursive. This will grab all members, including the members of nested groups. For instance, if Group A had 3 members (2 user objects and a group called “Group A1”, which in turn contained 3 users), Group B would end up containing just the 5 users and not the groups.
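Both cases as one function, written as an added example (not the article's original code). The function name `Copy-ADGroupMembership` is hypothetical; it assumes the ActiveDirectory module and uses only `Get-ADGroupMember` and `Add-ADGroupMember`. It skips principals that are already direct members of the target and supports `-WhatIf`, so the membership change can be reviewed before it is applied.

```powershell
#Requires -Modules ActiveDirectory

function Copy-ADGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceGroup,
        [Parameter(Mandatory)][string]$TargetGroup,
        # Case 2: expand nested groups and copy only their non-group members
        [switch]$Recursive
    )

    # Case 1 (no switch): direct members exactly as they are (users, groups, computers).
    $source = @(Get-ADGroupMember -Identity $SourceGroup -Recursive:$Recursive)

    # Index the target's current direct members so the function can be re-run safely.
    $existing = @{}
    foreach ($m in Get-ADGroupMember -Identity $TargetGroup) {
        $existing[$m.DistinguishedName] = $true
    }

    $toAdd = @($source | Where-Object { -not $existing.ContainsKey($_.DistinguishedName) })

    foreach ($m in $toAdd) {
        $action = "Add $($m.objectClass) '$($m.SamAccountName)'"
        if ($PSCmdlet.ShouldProcess($TargetGroup, $action)) {
            Add-ADGroupMember -Identity $TargetGroup -Members $m
        }
    }

    # Emit what was (or, with -WhatIf, would be) added so it can be logged or reviewed.
    $toAdd | Select-Object SamAccountName, objectClass, DistinguishedName
}

# Usage (group names taken from the article):
#   Copy-ADGroupMembership -SourceGroup 'Group A' -TargetGroup 'Group B' -WhatIf
#   Copy-ADGroupMembership -SourceGroup 'Group A' -TargetGroup 'Group B' -Recursive
```

With `-Recursive`, Group B keeps receiving only the users that were nested at copy time; later changes to “Group A1” are not reflected, which matters when Group B grants access to something.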


Set Permissions for a Print Server with Powershell

You cannot set permissions for a print server with Powershell alone. At least you can’t right now (4th of May 2017). There’s a way though :)

I spent a few hours researching this and I noticed I wasn’t the only one that wanted to set up a security group on a Print Server level in a scripted manner, however everybody was stuck with the same issue. Just to be clear, this is what I want to achieve:

[Screenshot: Print Management, print server Security tab]

My idea is to get a security group to be able to fully manage the print server, without being Server Admins. And I want to achieve this before adding any printer so that permissions will eventually get applied on new printers. In theory this step will help me with automating a print server installation/configuration.

SetPrinter

I was losing hope until I came across a TechNet forum thread discussing “setprinter.exe”, a tool contained in the Windows Server 2003 Resource Kit. However, the version that comes with it doesn’t really work. After some more time, I was able to obtain the updated MS version of the tool, which you can download from here: SetPrinter.Zip.
Note that I only have the 64bit version of it, so this won’t work on a 32bit system.

I will try and explain how we’re going to use this application before showing you a basic powershell script that will assign the permissions. The cool thing of this tool is that it can work remotely as well.

First of all, we will work with the pSecurityDescriptor. This contains the access type and depending on how we use setprinter.exe, we can grab and/or set the pSecurityDescriptor for the Print Server itself or for one of its printers; the last option would be useless as Powershell nowadays allows you to change printer’s security settings easily.

So, let’s run the following to get the current pSecurityDescriptor:

Note that right after the print server you need to add a backslash and you need a space and the number 3 right after.

This is what you’ll get (these are the default permissions):

[Screenshot: setprinter output showing the default pSecurityDescriptor]

During the process when I was trying to understand this, I added a security group to the permissions of the server (manually, through the GUI) and gave it Full Control (this is the level of permissions I need for the group). After doing that, I re-ran the command above and I got this:

This might seem confusing, but ultimately it’s simple: Anything within ( ) contains the permissions and the user/group identification and for the group I just added, that’s its SID!
When I was testing this, I ended up adding an extra group manually (again, Full permissions) and re-ran the setprinter.exe command so that I could compare the 3 outputs and have a better understanding of what was happening.

Eventually I figured out that in order to assign full permissions to a user or a group, I need to add the following to the pSecurityDescriptor:

Obviously, replace MYSIDHERE with the SID of the User or Group. That wasn’t so bad after all :)

Powershell

Time to have PowerShell do some work now! See the script below:

I’ve added a lot of comments to make sure everything is explained. Remember that the AD Powershell module is required for getting the SID (you could use psgetsid if you don’t want to use the AD Module) and also that you can run this remotely from your own machine as setprinter.exe will be able to grab/apply permissions remotely.

Let’s go quickly through it:

Nearest Domain Controller without Powershell AD Module

Getting the nearest Domain Controller when the AD module is present is fairly simple; all you need to do is run the following:

But what if you want to achieve the same result on a client/server that doesn’t have the Powershell Active Directory modules installed?
Well, in cmd you can do something like this:

The above will come back with quite a few useless (to our scope) pieces of information (or an error).

So we can run this instead, to just get the “DC”:

So now we have just one line with the Domain Controller (or the error).


Now, let’s try to work with the above command in powershell. What we want to achieve is having a variable ($DC) that will either contain the domain controller name or any other value that we want if there’s an error, for instance we could assign the value $false to it.

The script is pretty crude so that you can modify it as you like; let’s explain what it does. It first tries to run the above command with a slight difference: I added .split(" "), which splits the result into an array of sub-strings. But if the command fails, there is nothing to split and PowerShell will throw an error. This is why we need a Try/Catch.
If the command fails to retrieve a domain controller, $DC will be $false.
If the .split command works, the script runs through each element of the array of sub-strings and checks whether it starts with two backslashes: that means we’ve got what we’re looking for!
Finally, $DC gets the name of the domain controller assigned. Note that .replace('\\','') removes the two backslashes and leaves us with just the domain controller’s hostname.
I hope this explains a bit more the idea behind it.
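The logic described above, as an added example that is not the article's original script. It assumes the cmd command is `nltest /dsgetdc:<domain>`; the function names `Select-DcName` and `Get-NearestDC`, the `$env:USERDNSDOMAIN` default and the sample output (constructed, with made-up host and address) are assumptions of this example.

```powershell
# Constructed sample of `nltest /dsgetdc:<domain>` output (host and IP are made up).
$SampleOutput = @(
    '           DC: \\DC01.example.local'
    '      Address: \\10.0.0.10'
    '     Dom Name: example.local'
    'The command completed successfully'
)

function Select-DcName {
    param([string[]]$Lines)
    # Keep only the "DC:" line; the "Address:" line also starts with two backslashes.
    $line = $Lines | Where-Object { $_ -match '^\s*DC:' } | Select-Object -First 1
    if (-not $line) { return $false }
    # Split on spaces and take the sub-string that starts with \\ (single quotes: literal).
    foreach ($part in $line.Split(' ')) {
        if ($part.StartsWith('\\')) { return $part.Replace('\\', '') }
    }
    return $false
}

function Get-NearestDC {
    # Assumption: default to the logged-on user's DNS domain.
    param([string]$Domain = $env:USERDNSDOMAIN)
    try {
        # nltest is a native program: failure is reported through $LASTEXITCODE,
        # so check it explicitly instead of relying on an exception alone.
        $out = & nltest.exe "/dsgetdc:$Domain" 2>&1 | ForEach-Object { "$_" }
        if ($LASTEXITCODE -ne 0) { return $false }
        return Select-DcName -Lines $out
    }
    catch {
        # nltest.exe missing, or any other runtime error
        return $false
    }
}

# Parse the constructed sample offline, then query the real domain.
Select-DcName -Lines $SampleOutput
$DC = Get-NearestDC
```

Callers should test `$DC -eq $false` before using the value, since a failed lookup returns `$false` rather than throwing.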


Migrate DHCP Reservations with Powershell

In order to migrate DHCP reservations with PowerShell, you just need one simple line of code. It also works across different OS versions; for instance, I managed to migrate the DHCP reservations I had on a Microsoft Windows 2008 R2 server over to a Windows Server 2012 R2.

I suggest running the command from the OS you’re migrating to, which in theory is going to be the newer version.

The above command will first get (Get-DhcpServerv4Reservation) the current reservations on SRV01 for the Scope ID 10.220.0.0, then, it’ll add each reservation (Add-DhcpServerv4Reservation) to the server called NEWSRV02 for the Scope ID 10.220.0.0.
Migrating DHCP reservations with powershell will make migrations a bit less painful :) .


How to stop McAfee Client Proxy (mcpservice.exe)

McAfee Client Proxy (mcpservice.exe) Version 2.3.0.0 no longer has its own service, so when you try to stop the process, even as SYSTEM, it’ll fail with an Access Denied error.


So, how to stop McAfee Client Proxy (mcpservice.exe)? Well, with the help of Process Hacker (Process Explorer should also do). Before continuing, let me say that you’ve got to be extra careful and that you’ll be responsible should anything go wrong (these are easy steps though..).

Download link for Process Hacker: http://processhacker.sourceforge.net/

Once I ran Process Hacker, I noticed that the McAfee Client Proxy had a parent process called mfemms.exe that starts from a service called McAfee Service Controller. So that means we’re still going to be able to try and stop this process by working on the parent’s.


Note: If you’re running an old version of McAfee Client Proxy Service, that has its own service, you may follow the steps below that I will action against mfemms.exe and then stop the process.

So, back in Process Hacker (remember to run it as an administrator!):

  • Go to the Services Tab.
  • Go to mfemms’s properties.
  • Under the Security tab, click Advanced and change the owner to Administrators. Click Ok twice, until the mfemms properties window closes. You must complete this step in order to run the next one!
  • Now assign Full Control to Authenticated Users and Administrators (just Administrators didn’t work for me). Do the same for SYSTEM if you’re running as SYSTEM.
  • You can finally stop the service.
  • Now that the parent service is stopped, go back to the Processes Tab and kill mcpservice.exe.
  • After a reboot, the process will start again. You may disable mfemms service to prevent it from starting again (not suggested as this service may be controlling other important processes/services).
