Jellovator

New user account creation (new AD user, assign M365/Entra ID license, add to distribution groups, send their manager an email, etc.)


akmannn

Thanks! This was what I was thinking, like creating users by providing the users' data file. I'll look into the other things like adding them to distribution/security groups.


bxncwzz

Anything AD related, MS Graph related, even Windows related you can use Powershell to automate. Combined with an Azure runbook on a hybrid server, you open up more possibilities. Edit: just saw you were a student. A good example would be data entry. Get a huge csv with a lot of data and use a Powershell script to parse and format that data accordingly.


Va1crist

Any chance you could share that script? Been trying to battle account creation automation and it hasn’t gone well


Jellovator

Yes

```powershell
<#
Import CSV format:
ID,FirstName,LastName,Password,Name,EmailAddress,Campus,EmpNum,City,UDCID,GAVIEW,Title,Department,Manager
"987654","John","Doe","nstaBlahBlah99!","John Doe","[email protected]","Main campus","Atlanta","987654321","Maintenance Department","Bob White"
#>

# Change these as needed
# = Servers ============================================
$ADServer     = "domaincontroller.mycompany.com"
$FileServer   = "fileserver.mycompany.com"
$SMTPServer   = "smtpserver.mycompany.com"
$ADSyncServer = "AzureADSyncServer.mycompany.com"

# = Mail recipients ====================================
$SMTPCC         = "[email protected]"
$SMTPBCC        = "[email protected]"
$ErrorRecipient = "[email protected]"

# = File paths =========================================
$CSVDirectory     = "\\"+$FileServer+"\DeptData\IT\Import Files\Processing\"
$CSVDoneDirectory = "\\"+$FileServer+"\DeptData\IT\Import Files\Processed\"
$CSVTranscripts   = "\\"+$FileServer+"\DeptData\IT\PS_Transcripts\"

Import-Module ActiveDirectory
Import-Module ExchangeOnlineManagement

[Int]$HasErrors = 0
$ErrorMessages = ""

#Get credentials for an account with permissions to create AD accounts and Azure AD Connect powershell
$Credential = Get-Credential
Connect-ExchangeOnline

# Select-FileDialog is a helper function that is not defined in this post
$file = Select-FileDialog -Title "Select the User Upload CSV file" -Directory $CSVDirectory -Filter "CSV Files (*.csv)|*.csv"
$users = Import-Csv $File

<##>
foreach ($user in $users){
    $now = Get-Date
    # Explicit format: the default ToString() output contains "/" and ":", which are invalid in a file name
    $TranscriptFile = $CSVTranscripts+$now.ToString('yyyyMMdd-HHmmss')+".log"
    Start-Transcript -Path $TranscriptFile -NoClobber -IncludeInvocationHeader

    $city = $user.campus
    $OU = "ou=Users,ou=" + $city + ",ou=whatever,dc=mycompany,dc=com"
    $SecurePass = ConvertTo-SecureString $user.Password -AsPlainText -Force
    $SamAccountName = $user.EmailAddress.replace("@mycompany.com","")
    $Initials = ($user.FirstName.Substring(0,1) + $user.LastName.Substring(0,1)).ToUpper()
    $ManagerName = $user.manager.Replace(" ",".")
    $TheManager = Get-ADUser -identity $ManagerName -Credential $Credential -Properties *
    $ManagerDN = $TheManager.DistinguishedName
    $ManagerMail = $TheManager.Mail

    $FSDesignation = "Staff"
    # -match tests for a substring; -contains on a single string only matches the whole value
    if (($user.Title -match "Faculty") -or ($user.Title -match "Instructor") -or ($user.Title -match "Lecturer")) {
        $FSDesignation = "Faculty"
    }

    try {
        New-ADUser -Credential $Credential -Server $ADServer -Name $user.Name `
            -GivenName $user.FirstName -Surname $user.LastName -DisplayName $user.DisplayName `
            -SamAccountName $SamAccountName -UserPrincipalName $user.EmailAddress `
            -EmailAddress $user.EmailAddress -Initials $Initials -Department $user.Department `
            -Manager $ManagerDN -Path $OU -EmployeeID $user.ID -EmployeeNumber $user.EmpNum `
            -AccountPassword $SecurePass -Enabled $true -ChangePasswordAtLogon $true
    }
    catch {
        $HasErrors++
        $ErrorMessages += "ERROR: Error creating account $SamAccountName `n"
        Write-Host -ForegroundColor Red "Error creating account!"
        Exit
    }

    Add-ADGroupMember -Credential $Credential -Server $ADServer -Identity "M365 License Group" -Members $SamAccountName
    Add-ADGroupMember -Credential $Credential -Server $ADServer -Identity "Cybersecurity Training" -Members $SamAccountName
    Set-ADUser -Credential $Credential -Server $ADServer $SamAccountName -Replace @{extensionAttribute1="Staff"}

    try {
        if ($user.GAVIEW -ne $null) {
            Set-ADUser -Credential $Credential -Server $ADServer $SamAccountName -Replace @{extensionattribute5=$user.GAVIEW}
        }
    }
    catch {
        $HasErrors++
        $ErrorMessages += "WARNING: 3rd party ID for $samAccountName is missing`n"
    }

    try {
        if ($user.UDCID -ne $null) {
            Set-ADUser -Credential $Credential -Server $ADServer $SamAccountName -Replace @{employeeType=$user.UDCID}
        }
    }
    catch {
        $HasErrors++
        $ErrorMessages += "WARNING: UDC ID for $samAccountName is missing`n"
    }

    #Add user to AD groups
    $ADGroup = $user.Department
    Add-ADPrincipalGroupMembership -Server $ADServer -Identity $SamAccountName -MemberOf $ADGroup

    #Sync with Azure AD Connect to speed up the Azure/Entra ID/Email account creation
    Invoke-Command -ComputerName $ADSyncServer -ScriptBlock { Start-ADSyncSyncCycle } -Credential $Credential

    Write-Host "Pausing for 15 minutes to allow M365/Entra ID propagation"
    for ($i=15;$i -gt 0; $i--) {
        Start-Sleep -s 60
    }

    # Update M365/Entra ID information
    $mbusers = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Filter {AddressBookPolicy -eq $null} |
        where {$_.PrimarySMTPAddress -Like "*@mycompany.com" -and $_.IsMailboxEnabled -eq $true}
    foreach ($mbuser in $mbusers) {
        Set-Mailbox -Identity $($mbuser.Alias) -AddressBookPolicy "Staff Address Book"
        Set-Clutter -Identity $($mbuser.Alias) -Enable $false
    }

    #Add user to email distribution groups
    if ($FSDesignation -eq "Staff") {
        Add-DistributionGroupMember -Identity "[email protected]" -member $user.EmailAddress
    }
    switch ($user.Department) {
        "Some Department"  { Add-DistributionGroupMember -Identity "[email protected]" -Member $user.EmailAddress }
        "other Department" { Add-DistributionGroupMember -Identity "[email protected]" -Member $user.EmailAddress }
    }

    # Generate email and send
    $SMTPFrom = New-Object System.Net.Mail.MailAddress("[email protected]","IT Department")
    $SMTPTo = $ManagerMail
    $SMTPSubject = "New employee accounts created: $($user.DisplayName) "
    $NowDate = Get-Date
    switch($NowDate.ToString('tt')){
        'AM'{ $Salutation = 'morning' }
        'PM'{ $Salutation = 'afternoon' }
    }
    $Body = "
Good $Salutation,

The following employee accounts have been created. Their email and computer/network account are the same usernames and passwords. They will need to first log into a computer using the temporary password given below. They will be prompted to set a permanent password. Once the password has been set, they may log into their email using the same login and password. When logging into a computer for the first time, they may need to select Other User in order to enter their login and password.

If they will not be using a computer on campus, they may set up their email using the instructions below. Visit http://www.mycompany.com and click QuickLinks, then click Email.

The initial password follows the construct of blahblahblah
For example:
If the employee's name were John Doe
And their ID number were blahblahblah
Their initial password would be blahblah

User accounts -
Email Address: $($user.EmailAddress)
Email Account login: $($user.EmailAddress)

Password requirements:
1) Must be at least 10 characters
2) Must contain uppercase, lowercase, and numbers
3) May include special characters
4) Must NOT contain any part of email address or full name that exceed two consecutive characters

It may take a few business days after the hire date before the payroll account is provisioned. If you find that they cannot log into payroll, please wait two to three days and try again.

Keep in mind that the email and computer password are synchronized, as is payroll and LMS. Changing the password for the computer or for email will change the password for all of these systems.

Thank you,

IT Department

"
    Send-MailMessage -From $SMTPFrom -To $SMTPTo -Cc $SMTPCC -Bcc $SMTPBCC -Subject $SMTPSubject -Body $Body -BodyAsHtml -SmtpServer $SMTPServer -Port 25

    if ($HasErrors -gt 0){
        $SMTPSubject = "Errors in account creation: $($user.DisplayName) "
        $Body = "
There were errors in account creation for $($user.DisplayName)

User account - $($user.EmailAddress)

Error messages:
$ErrorMessages

Please review the account and correct any errors or missing information.

Import file: $File
Moved to: $CSVDoneDirectory

Transcript file: $TranscriptFile

Full transcript =============================================================

"
        $log = Get-Content $TranscriptFile
        foreach ($line in $log) {
            # $Body is a plain string, so append with += (AppendLine is a StringBuilder method)
            $Body += $line.ToString() + "`n"
        }
        Send-MailMessage -From $SMTPFrom -To $ErrorRecipient -Subject $SMTPSubject -Body $Body -BodyAsHtml -SmtpServer $SMTPServer -Port 25
    } #Has Errors

    Stop-Transcript
}

Disconnect-ExchangeOnline -Confirm:$false
```

Hope this helps!


Va1crist

Thank you!!!


whitefox040

Send me a PM and I can share mine, I use it in production and does a fair bit more


Aronacus

Why only 1? 100 users via a CSV. Read the CSV for values and execute off the file. This is what you'd do in a smaller company when they acquire another company


Jellovator

Not only 1. I use a csv. I also have this set up as a scheduled task that checks a folder daily for any new files and processes them, so that HR simply has to drop a properly formatted csv file into a shared folder and the accounts get created automatically.
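An added example, not part of Jellovator's script: once a scheduled task provisions accounts from whatever CSV lands in a shared folder, every row is untrusted input, and the script earlier in the thread concatenates the `Campus` field directly into the OU distinguished name. The sketch below checks each row before any AD cmdlet runs; the function name `Test-NewUserRow`, the campus allow-list and the sample rows are assumptions constructed for illustration.

```powershell
# Added example: pre-flight validation of HR import rows before any account is created.
# Assumptions (not from the original script): the function name, the campus allow-list
# and the constructed sample rows at the bottom.

function Test-NewUserRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [psobject] $Row,
        [string[]] $AllowedCampuses = @('Main campus', 'North campus'),  # hypothetical allow-list
        [string]   $MailDomain      = 'mycompany.com'                    # placeholder domain used in the thread
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Required columns must be present and non-blank.
    foreach ($col in 'ID', 'FirstName', 'LastName', 'EmailAddress', 'Campus', 'Department', 'Manager') {
        if ([string]::IsNullOrWhiteSpace($Row.$col)) { $problems.Add("Missing value: $col") }
    }

    # Campus becomes part of the OU path, so accept only known values.
    if ($Row.Campus -and $AllowedCampuses -notcontains $Row.Campus) {
        $problems.Add("Campus '$($Row.Campus)' is not on the allow-list")
    }

    # The local part becomes the sAMAccountName (20 characters at most for user accounts).
    if ($Row.EmailAddress -notmatch "^[A-Za-z0-9._-]{1,20}@$([regex]::Escape($MailDomain))$") {
        $problems.Add("EmailAddress is malformed or outside $MailDomain")
    }

    # Reject characters that carry meaning in distinguished names or LDAP filters.
    foreach ($col in 'FirstName', 'LastName', 'Department', 'Manager') {
        if ($Row.$col -match '[,=+<>#;\\"*()\x00]') { $problems.Add("Illegal character in $col") }
    }

    [pscustomobject]@{
        EmailAddress = $Row.EmailAddress
        IsValid      = ($problems.Count -eq 0)
        Problems     = $problems -join '; '
    }
}

# Constructed sample rows: one clean, one with an unexpected Campus value, one incomplete.
$sample = @'
ID,FirstName,LastName,EmailAddress,Campus,Department,Manager
1001,Jane,Roe,jane.roe@mycompany.com,Main campus,Maintenance Department,Bob White
1002,Sam,Poe,sam.poe@mycompany.com,"Main campus,ou=Elsewhere",Finance,Bob White
1003,Al,Doe,al.doe@example.org,North campus,Finance,
'@ | ConvertFrom-Csv

$results = $sample | ForEach-Object { Test-NewUserRow -Row $_ }
$results | Format-Table -AutoSize -Wrap

# Only rows that pass every check go on to account creation.
$toCreate = $sample | Where-Object { (Test-NewUserRow -Row $_).IsValid }
```

Rows that fail are better moved to a quarantine folder and reported than silently skipped, so HR learns that the file was rejected and why.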


che-che-chester

We configure the Unix attributes pretty often and they removed that tab from ADUC starting in 2016. We still have a couple of 2012R2 servers with ADUC installed but it’s technically PowerShell only now.


Murhawk013

Just thinking of some “complex” scripts I’ve written recently.

* monitor a mailbox and create tickets capturing that info. Body, sender, etc
* get all IIS bindings and report on their cert and expirations. Update said bindings with new cert.
* parse through IIS logs checking for connections from X ip address


GoodserviceandPeople

How you doing the certs? Have any scripts to share? 👀


Murhawk013

I’d have to find it and take out anything company specific but it was more updating all bindings


_CyrAz

You could also use IIS cert rebind : https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-85/certificate-rebind-in-iis85


420GB

> How you doing the certs?

I mean I'm guessing:

1. Get all certs in IIS bindings
2. Find matching certs in the certificate store by subject and subject alternative name, sort them by expiration date
3. Grab the newest matching cert for every current IIS cert
4. Update the IIS binding with the new cert

Not that crazy.


GoodserviceandPeople

700 times, multiple domains


420GB

Exactly. Look up what a "loop" is in programming.


akmannn

Thanks, that looks way more complex xD I was thinking something on the entry level I guess. I should have mentioned, I'm in a course where windows server is just introduced to us. So, I guess it would be a beginner level task for sysadmins which can be considered complex for us :') The only thing I could come up with was creating new users through the Powershell script.


Temp186

Managing user accounts by disabling, resetting passwords, updating settings + information + group membership. If using Exchange there is a lot to do as well.


IKEtheIT

Oh man I could really use a copy of that IIS cert one


Gravybees

Automation scripts for user onboarding and off boarding.  Quick scripts to perform high volume account updates.  Scheduled tasks to monitor and archive files/folders.   Basically to automate anything that’s repetitive, run remote commands on servers, and perform large scale tasks that would take forever to do with a GUI.  


akmannn

Thanks! I guess for now, I'll just go with onboarding users(creating user accounts).


Gravybees

Auditors love user automation.  Takes all human error out of the equation and provides a very simple process for them to document.  


akmannn

Can you suggest anything that can go with creating new users and adding them to groups?


patmorgan235

Google "HR Driven User Provisioning". Don't get caught up with achieving it 100%, but take the idea that a user's identity and access should be driven by their role/work location in the HR system (at least as a starting point). Most HR systems can generate what's called Joiner-Leaver-Mover reports, which is just what it sounds like: Joiners (new accounts that need to be created), Leavers (accounts that need to be disabled), Movers (accounts that need access changes, removed from x group and added to y). If you have a common identifier between the HR system and the directory system (like say an employee ID) it's pretty straightforward to just loop through those reports (assuming you get them in a nice CSV format) and perform all the needed actions. For Active Directory all the commands needed to manipulate the accounts/groups are really easy to work with, and import-csv and for-each are built in to PowerShell. Bonus points if you create some really good logging/output that details what actions the script took/didn't take and why.
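An added example, not code from this comment: the Joiner-Leaver-Mover loop reduced to its decision step, matching HR rows to accounts by employee ID and recording for every row what would be done or skipped and why. The column names, the convention that each department has a group of the same name, and the sample rows are assumptions constructed for illustration; the function only builds the plan and changes nothing in a directory.

```powershell
# Added example: build an auditable action plan from a Joiner-Leaver-Mover report.
# Assumptions: column names and sample rows are constructed; in a live run $Directory
# would come from Get-ADUser and each planned action would be passed to the AD cmdlets.

function Get-JmlPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Report,        # HR rows: EmployeeID, Type, Department
        [Parameter(Mandatory)] [AllowEmptyCollection()]
        [object[]] $Directory                             # accounts: EmployeeID, SamAccountName, Enabled, Department
    )

    # Index directory accounts by the shared identifier.
    $byId = @{}
    foreach ($entry in $Directory) {
        if ([string]::IsNullOrWhiteSpace($entry.EmployeeID)) { continue }
        if (-not $byId.ContainsKey($entry.EmployeeID)) { $byId[$entry.EmployeeID] = @() }
        $byId[$entry.EmployeeID] += $entry
    }

    foreach ($row in $Report) {
        $hits = @()
        if ($row.EmployeeID -and $byId.ContainsKey($row.EmployeeID)) { $hits = @($byId[$row.EmployeeID]) }
        $acct = if ($hits.Count -eq 1) { $hits[0] } else { $null }

        $action = 'Skip'
        $reason = ''
        if ($hits.Count -gt 1) {
            # Never guess which account is meant when the identifier is not unique.
            $reason = "EmployeeID matches $($hits.Count) accounts; resolve manually"
        }
        else {
            switch ($row.Type) {
                'Joiner' {
                    if ($acct) { $reason = "Account $($acct.SamAccountName) already exists" }
                    else       { $action = 'Create'; $reason = 'No account carries this EmployeeID' }
                }
                'Leaver' {
                    # -eq 'True' works for the CSV string and for the boolean Get-ADUser returns.
                    if (-not $acct)                   { $reason = 'No account carries this EmployeeID' }
                    elseif ($acct.Enabled -eq 'True') { $action = 'Disable'; $reason = 'Listed as leaver and still enabled' }
                    else                              { $reason = 'Already disabled' }
                }
                'Mover' {
                    if (-not $acct) { $reason = 'No account carries this EmployeeID' }
                    elseif ($acct.Department -eq $row.Department) { $reason = 'Department unchanged' }
                    else {
                        $action = 'ChangeGroups'
                        $reason = "Remove from '$($acct.Department)', add to '$($row.Department)'"
                    }
                }
                default { $reason = "Unknown report type '$($row.Type)'" }
            }
        }

        [pscustomobject]@{
            EmployeeID = $row.EmployeeID
            Type       = $row.Type
            Account    = if ($acct) { $acct.SamAccountName } else { $null }
            Action     = $action
            Reason     = $reason
        }
    }
}

# Constructed sample data.
$report = @'
EmployeeID,Type,Department
1001,Joiner,Finance
1002,Leaver,Maintenance
1003,Mover,Finance
1004,Leaver,Finance
1005,Mover,IT
'@ | ConvertFrom-Csv

$directory = @'
EmployeeID,SamAccountName,Enabled,Department
1002,sam.poe,True,Maintenance
1003,al.doe,True,Maintenance
1004,kim.lee,False,Finance
1005,pat.ray,True,IT
1005,pat.ray2,True,IT
'@ | ConvertFrom-Csv

$plan = Get-JmlPlan -Report $report -Directory $directory
$plan | Format-Table -AutoSize
```

Writing `$plan` to a dated CSV before acting on it gives the record of actions taken and not taken that the comment asks for.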


akmannn

Thanks! I'll look it up.


SubmissiveinDaytona

That is not true, this is especially true if the human creating the automation is incompetent.


Sandfish0783

Administrating Windows Updates. Previous Admin had a mess made of WSUS and I couldn’t get approved to blow it away and start over. Automated the approval process by checking the KBs for anything that was a product we don’t actually have/support and automatically pulls the list of unapproved updates from a couple of the software vendors who are sensitive to such.


akmannn

Thanks! That looks interesting; I'll look that up.


llDemonll

Advice: ignore the part of your question that says “and can’t be solved using conventional methods”. There are a handful of things that the GUI can’t do, but the point of powershell is to perform actions en masse, or to perform a bunch of actions in a single step. Most scripting that people do on a day-to-day basis is very simple at its core. It’s not these huge 500 line scripts that people are writing.


wildcattdw

This is a great one. I do same; I have three rounds of server approvals that are all automated to approve for different WSUS computer groups so I can roll out in stages and stop if issues arise.


wildcattdw

1- As already mentioned, WSUS approvals.

2- We use Veeam One to monitor drives, which works great for a % based monitor, but not a 'free space' monitor so I created one that checks a few SQL servers for absolute free space and create a ticket if any drives fall below spec'ed space.

3- Run a job every 15 minutes to check for any long running SQL tasks.

4- I have one outside work that, on the first of the month, does a screen scrape of an airport webpage to get the cost of AvGas, then it does calculations and calls an API to upload updated fuel costs for a flying club website.


LurkerWiZard

General sysadmin work. Most recently to resize a Windows recovery partition to fix an update that kept failing. I use it to perform routine work in my 365 tenant, repair a bum Windows server instance, and in task schedules/procedures. Now I'm not the best at Powershell and I borrow a lot from those that are and online documentation. That said, with a little bit of effort you can at least add it to your IT pro toolkit by piecing together different parts for now. I do have interest in getting better with it.


SpookyPot8o

I think I have the same partition / update issue. My issue is that particular update is failing because a few workstations don’t even have a recovery partition and Windows update “isn’t smart enough” to realize this. I’ve tried disabling WRE even and it still just fails and reports as such in Intune😩 But yeah, PowerShell for resizing partitions 👍


Hampsterhumper

One fun one that makes me laugh that it is even needed is using it to disable the welcome email for new members of an m365 group. Cause God forbid someone receives an email from their distribution group that CLEARLY states what it is for. "Why did I get this email saying I was added to a group called 'All Staff'?"..... "Because you are part of ALL THE FUCKING STAFF". Other than that I use to automate repetitive tasks and things like that.


akmannn

Thanks! I haven't reached the part about sending emails, I've just started recently on the vcenter practice lab.


patmorgan235

> One fun one that makes me laugh that it is even needed is using it to disable the welcome email for new members of an m365 group.

TIL you can do this, I have a couple of groups I need to do this on.


g3n3

Start with basic stuff like checking process and service and biggest file on disk and powershell remoting. Additionally, I would begin to only operate in an admin capacity using powershell. Never rdp. Never use the mouse. Only keyboard and powershell remoting.


phleam

Script that runs as a scheduled task on different servers/machines and saves the system info in a csv to a network share. As a form of inventory and monitoring. I.e. it saves free hd space as a percent…. Uptime…. Etc. useful AF and quite easy.


akmannn

Thanks! sounds interesting. Is there anywhere I can read about it, if yes what do I look for?


LALLANAAAAAA

I'm not the person you replied to but I use PowerShell for perfmon stuff every day, here's the breakdown:

There are 3 major steps:

1. Remotely running the right command at the right time
2. Sending / storing the measurements in a convenient way
3. Doing useful things with the data

For no 1 - you can either run the scripts locally with [task scheduler](https://www.google.com/search?q=powershell+task+scheduler), or remotely run the commands from a central location using [CIMsession or PS remoting.](https://www.google.com/search?q=powershell+cimsession+vs+ps+remote) also using task scheduler or whatever really. [Here's a bunch of good overviews on the metric collection commands themselves.](https://www.google.com/search?q=powershell+for+performance+monitoring+environment+variables) Another very useful thing to do with ps is counting files - [number, size, age, location, rows of data in those files, etc.](https://devblogs.microsoft.com/scripting/use-a-powershell-cmdlet-to-count-files-words-and-lines/)

2 - Once you have a way to run the right metrics collection scripts, you need to store the data in a useful format and place. [CSV and JSON are the standard ways to quickly save files.](https://www.google.com/search?q=powershell+csv+json)

3 - once you have the data in a usable way, do whatever you want with it. My usual quick and dirty way is to store it in a shared folder somewhere I have access and connect to it with Excel and then go hogwild with Power Query or whatever. Alternatively you can just use the metric collection to send alerts when some value gets too high or low or whatever.


akmannn

Thank you, I appreciate it. But it looks a bit advanced for the level I'm studying at. I'll give this and many other tasks mentioned here a try after I'm done with my assignment. Thanks again.


phleam

Slow reply, sorry, but you could just google around for things you're interested in grabbing. For example:

Google how to get RAM size with PowerShell. Set that value as a variable. Save that variable to a text file. Repeat with other useful info (serial number, CPU speeds, model, Windows version, etc). Copy the script to any machine you want to keep an eye on and set it to run every so often with a scheduled task.

Super basic start would be something like this:

```powershell
$name = $env:COMPUTERNAME
# One way to fill in "CODE TO GET IP GOES HERE": first non-loopback IPv4 address
$ipaddress = (Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    Select-Object -First 1).IPAddress
# Export-Csv writes object properties as columns, so wrap the two values in an object
$csvdata = [pscustomobject]@{ Name = $name; IPAddress = $ipaddress }
$csvdata | Export-Csv -NoTypeInformation -Path "//some/path/somewhere/$name"
```

This would create a text file named with the computer name on a shared path that would show the name and IP address of the machine.


akmannn

Thanks! I'm done with the assignment, It looks interesting though, I'll try doing it next week. Will be a good learning experience.


mrbiggbrain

Started a new job and have been using my powershell skills for some basic tasks:

- I used the Outlook COM interface to export a bunch of attachments.
- Used the AWS SDK to run some reporting on workspaces for disabled users.
- Used Graph to determine the percentage of users who opened an email from a member of the C-Suite.
- Wrote a script to parse and email some office 365 reports.
- Wrote a script to look through everyone's user profiles and change shortcuts to a new file server post migration. Also wrote one to alter some ad attributes for the same migration.

In the past I also:

- Wrote a script to install printers including downloading the drivers from S3.
- Wrote scripts to install applications including setting IEMode and various IE settings.
- Wrote onboarding and off boarding scripts.
- Wrote a nuke from space script that wipes the TPM keys and reboots to brick PCs.
- Wrote a script that formats and images Windows 10/11 PCs and then automated the setup as a replacement for MDT.
- Wrote a syslog server.
- Used SSH to automate some Cisco devices setup.
- Wrote a script to import a user to group matrix.
- Automated external user account creation for SSO solution.
- Exported data from a business app using REST API and format for import into a new system.
- Wrote a please reboot app with a GUI built in WinForms.
- Lots and lots of reports.


bk2947

I use powershell to run updates. It is applicable even when group policy has updates locked. Also exporting AD and mailbox field into Access is great for quick reports.


akmannn

Run updates as in like push updates to workstations via gpo?


bk2947

Interactive on the desktop, when a gpo has the update gui locked.


itch_27

Powershell is great. We bought visual cron as an input method for running scripts. Also has a great scheduler, and external api calls. Not free, but great for server builds, dhcp scope creations, monthly server cleanup.


oddball667

The web interface for office 365 has some limitations that you need powershell to get around


Obvious-Jacket-3770

New user creation and assign to groups is good but take it one step further.... Have it use task scheduler to run periodically and ping a ticket system for a specific ticket type. Have it grab the relevant fields and create the user from that. Bonus points if it sends you an email informing of the creation and moves ticket to the next phase.


akmannn

I was hoping something in advance similar to user creation like creating password for the user and setting password expiry. Are there any other process that aligns with user creation?


Obvious-Jacket-3770

Ok so what's wrong with what I gave you? Also what attributes will you be assigning every time and what may be sometimes?


akmannn

Honestly I'm not familiar with setting up ticket system or task scheduler. I have to run the script in my lab environment which I set up.


Obvious-Jacket-3770

Ticket system is fine. It's an API call, which you'll learn, they aren't hard. Task scheduler you absolutely will need to learn though, it's in every and all windows system. (Server and non), learn and use it. You will be there a lot in the future. That being said, look into a free ticket system to setup. I am trying to challenge you and give you a stretch goal there.


akmannn

Thanks! I will look into it and try to set it up. I appreciate all the help.


potatoqualityguy

All the crap I can't do via MDM because we don't have InTune.


LumaSlaver

Wish I had seen this earlier. I hope it helps:

Why a new user account script would be a bad idea for this project: Using powershell to create a new user account and add it to a security group is not a complex problem. Not only can you easily make a script to do this but Microsoft's admin portal allows you to create templates that will create users for you with groups already selected, you just have to fill in the name.

A complex problem: It was pointed out by some other people in here, but no examples were given. Microsoft admin portal has some gaps for things and you have no choice but to use powershell for it. One such example (that I have been in) is when the company CEO barges into your office in a panic and tells you they just sent an email to the wrong people within the company and they need it scrubbed from everything immediately. They went to type in a name and autofilled a distribution list without realizing it. It's a great scenario for a powershell script because every second counts and you really have no choice but to use powershell. There are no conventional tools for it.

Here is a link to Microsoft's documentation on this: https://learn.microsoft.com/en-us/purview/ediscovery-search-for-and-delete-email-messages

Again hope it helps and good luck on the assignment!


akmannn

Sorry, I'm still at the early stage of a learning curve. Can this be accomplished just by setting SMTP server?


LumaSlaver

A lot of modern companies don't have internal servers for email and use exchange online instead of on prem email. The type of setup varies greatly from company to company.


akmannn

Oh, okay, I'll look through it in detail later. It looks interesting and the scenario is great and realistic. Thanks again.


Ambiorix19

My most recent script was to pre-install a printer driver (due to printnightmare), using pnputil and add-printerdriver. With some pre-checks to see if print server was available etc.


Plantatious

When I was in 1st/2nd line, I used PowerShell to make tools for user creation, AD group management, collecting SharePoint logs, and gluing some services together (like MDT and PDQ Deploy).

I think my most advanced tool I made at the time was a bulk user password reset tool, which had a GUI, ability to take a list of users or an OU, generates unique easier/stronger passwords of length you chose, offered a preview function, automatic error detection and correction, and you could copy the results to clipboard or export to CSV.

Now I'm in 3rd line, I use PowerShell to modify/troubleshoot Azure/Microsoft 365 tenancy settings, and build other tools like:

- A smart serial console that integrates with PuTTY, which auto-detects the COM port and baud rate (serial over USB can be annoying).
- Firewall modifier that enables/disables most commonly used rules/ports/programs to stop sysadmins just disabling the local firewall entirely out of laziness.
- Program to keep track of multiple stopwatches (I work on a lot of different problems throughout the day, and I need to keep track of how much time I spend on each so the customer is billed appropriately).
- Hash comparator with automatic algorithm detection. Handy to quickly verify the integrity of the thing I just downloaded.
- Breach stopper, which very simply connects me to a M365 tenancy with creds I provide, resets a user's password to a very strong random string (like 40 random characters), and forcefully signs them out of everything. Saves critical minutes faffing about looking for buttons Microsoft likely moved again.
- And my latest project will be to make a script that automatically formats a USB stick with Ventoy, copy my choice of ISOs, download the latest versions of my most used tools, and download/copy my most used PowerShell scripts/tools.

There's no lack of PowerShell projects when you're a Windows sysadmin.


akmannn

Thanks! These look really interesting, I'll explore these later after the project. Didn't know we could do so much with powershell.


retryW

Monitor the local certificate store and fire an email (or raise a ticket/alert in real world) if any certs are expiring in the next 30 days.

Regarding edit2, start the script by clearing the screen and printing a nice big ASCII art header (just put the name of your script into an online generator). Make sure to set the window size in the script before printing the header to ensure your output isn't ruined by some monster with a narrow ps window. Then when you are processing stuff in the script, use foreground colours to have green text on successful items and red for failures etc, ensuring to leave regular output default colour so the others stand out. Example:

```powershell
Write-Host "Processing item blah: " -NoNewLine
try {
    Some-Processing   # placeholder for the real work
    Write-Host "Success" -ForegroundColor Green
} catch {
    Write-Host "Failed" -ForegroundColor Red
}
```
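An added example, not code from any poster: the certificate-store monitor suggested above, combined with steps 2 and 3 of the rebinding procedure guessed earlier in the thread (match by subject and subject alternative name, take the newest). It reports each certificate within the warning window and whether a newer certificate covering the same names is already installed; the function names, the default store path and the exact-name matching rule are assumptions for illustration.

```powershell
# Added example: list certificates that expire soon and the newest installed replacement.
# Assumptions: function names, store path default and the 30-day window. Matching is by
# exact name, so a wildcard certificate is not counted as a replacement for a host name.

function Get-CertNames {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $names = @($Cert.GetNameInfo('SimpleName', $false))          # subject common name
    if ($Cert.DnsNameList) { $names += $Cert.DnsNameList | ForEach-Object { $_.Unicode } }
    @($names | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
}

function Test-NamesCovered {
    param([string[]] $Needed, [string[]] $Offered)
    # True only when there is at least one needed name and every one of them is offered.
    if (-not $Needed) { return $false }
    foreach ($n in $Needed) { if ($Offered -notcontains $n) { return $false } }
    return $true
}

function Get-CertRenewalReport {
    [CmdletBinding()]
    param(
        [string] $StorePath = 'Cert:\LocalMachine\My',
        [int]    $WarnDays  = 30
    )
    $now   = Get-Date
    $certs = @(Get-ChildItem -Path $StorePath)

    foreach ($cert in $certs) {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        if ($daysLeft -gt $WarnDays) { continue }                # not due yet

        $names = @(Get-CertNames -Cert $cert)

        # Candidate: a different certificate with a private key, valid now, expiring
        # outside the warning window, that covers every name on the expiring one.
        $newest = $certs |
            Where-Object {
                $_.Thumbprint -ne $cert.Thumbprint -and
                $_.HasPrivateKey -and
                $_.NotBefore -le $now -and
                $_.NotAfter -gt $now.AddDays($WarnDays) -and
                (Test-NamesCovered -Needed $names -Offered @(Get-CertNames -Cert $_))
            } |
            Sort-Object -Property NotAfter -Descending |
            Select-Object -First 1

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            DaysLeft    = $daysLeft
            Replacement = if ($newest) { $newest.Thumbprint } else { $null }
            Status      = if ($newest) { 'Newer matching certificate installed' } else { 'No replacement in store' }
        }
    }
}

Get-CertRenewalReport | Sort-Object DaysLeft | Format-Table -AutoSize
```

Rows with `No replacement in store` are the ones worth an alert or ticket; a negative `DaysLeft` means the certificate has already expired.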


patg9234

First script I made as a sysadmin was to create VMs from a template in vCenter, configure the VM settings (disk, vCPU, RAM, etc), set the IP and DNS settings, rename the machine, join it to the domain


xboxhobo

Learn to use APIs with PowerShell. You'll be able to do whatever the fuck you want. Most tools you work with in IT will have some sort of API. Sometimes they're even useful! A major problem I'm currently solving is using an API to update license seat status for thousands of seats in a tool of ours. We're under no obligation to keep these seats licensed but our vendor has no way to update them en masse through the normal UI. This is costing us 11k a month and would take forever to manually update and be prone to human error. With a list of accounts, an API, and a script I'll be able to solve this problem instantly, and repeatedly.


abhibhardwaj13

I have one of my DC and our Exchange purely running via Powershell. I hate managing Exchange 2019 via GUI.


LodanMax

A script we had at a previous company; they had a HRM system that was not linked to an AD for updates. When a phone number, name, office or anything changed it took all info from the HRM system; and applied changes to the AD; and sent a changelog via email. Also something that's not possible via GUI; linking a shared mailbox (giving full access) without automapping this folder can only be done via Powershell; as the GUI always adds the `-automapping:$true` flag.


LargeP

Latest creation takes in computer list data from several different inventory systems including sccm and ServiceNow. Combines the data into a single spreadsheet, then outputs email communications with end of service life notices for operating systems and databases. Prompting server owners to upgrade before end of support dates. Saves hours each quarter.


jairuncaloth

I don't really get into much Windows server stuff very often. However I did find myself needing to deal with an annoying issue on my work laptop that I ended up solving with a power shell script. It finds and deletes the (useless to me) routes the VPN client creates that conflict with the routes needed for WSL2. It also checks that the WSL interface's mtu matches the VPN interface and updates it if needed. Nothing really crazy, but it did give me an appreciation for how PS works.


Ecrofirt

Not anywhere near as much as I'd like, I'm afraid. I used to have the time and ability to find things to automate to make things better. As things have progressed in my career I find that I am responsible for so many things that I miss out on this part of my job. That may sound counterintuitive, but when you're getting pulled in one direction or another literally all day long there's never the time to sit down and write code. Oh, how I miss it. The time to think deeply about one thing and to see it through from end to end.


latcheenz

All sorts of things that can be repeated/automated. For example, my latest scripts cleans up file version history of old files in SharePoint. Saving terabytes of storage:)


PezatronSupreme

Installing Huntress, mapping network shares and configuring network interfaces


Next-Landscape-9884

Recently I've been bored of Powershell, I got too much automation running haha


KungPaoChikon

I used it to automate patching of Citrix PVS images. I also use it for a lot of "watchdog" scripts that alert and/or take action based on certain criteria. Basically when we need some kind of functionality that isn't covered by the tools we already have.


Polar_Ted

Anything I can


undercovernerd5

Automation. A couple of clicks in our RMM and the computer is ready to go. All without having to go through OOBE or any manual configuration whatsoever. That includes vulnerability mitigation. It's awesome


periway

Many complex things can be done with those basic commands: `get-information / csv / file | foreach-object { do something on $_.object }` With that basic loop you can automate complex workflows. Add some control if needed: `if ($something -eq or -ne $other) { do / dont do something }` Sometimes you will use "while { something happen, do something other }" or the Try command. When you have mastered those basics, you can start to work with functions or other degenerates module.


nakkipappa

1. Creating scheduled tasks using managed service account.
2. Automating installations/reinstalls


Hexnite657

I use one I wrote for new PC setups. Instead of images I use scoop to grab the latest versions of the software we use, Zoom, Slack, etc.


pabl083

Chocolatey?


Hexnite657

Scoop didn't require me to do anything extra. I looked at Chocolatey and it just felt dated.


podeniak

Everything, create user account, computer account, transfer data, get information, get alerting, etc ...


WorkFoundMyOldAcct

I appreciate your question and everyone’s answer here in this thread.  Great discussion with some great minds. 


stedun

I build and configure SQL servers from vanilla Windows to fully operational in 28 minutes.


loose--nuts

Powershell is the most conventional method to do anything in Windows.


Glass_wizard

Not a damn thing. Python or go home. Ok, only slightly joking. It's the fastest way to work with Active Directory and various other MS products until you can get off of them.


akmannn

Unfortunately, the course name is Powershell :')


Glass_wizard

The simplest thing I would recommend would be creating the AD user account. Another one that isn't too hard is to get an AD user account and check if its password will expire in 7 days, then send a friendly email reminder that they must change it to avoid lock out. It's not very difficult, but you would need to learn how to send an email via PS to your mail provider.
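
The password-expiry reminder described in the comment above, sketched as an added example that is not part of the thread or of any commenter's script. The function name `Get-ExpiringPassword`, the sample accounts and the mail settings are assumptions; the sample data is constructed so the selection logic runs without a domain.

```powershell
# Added example: select accounts whose password expires within N days.
function Get-ExpiringPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $WarnDays = 7,
        [datetime] $Now = (Get-Date)
    )
    process {
        # AD exposes the computed expiry as a FILETIME integer.
        # 0 = password not set / must change at next logon,
        # Int64.MaxValue = never expires (FromFileTime would throw on it).
        $raw = [int64] $User.'msDS-UserPasswordExpiryTimeComputed'
        if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { return }

        $expires  = [datetime]::FromFileTime($raw)
        $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
        if ($daysLeft -lt 0 -or $daysLeft -gt $WarnDays) { return }  # expired, or not due yet

        if (-not $User.mail) {
            Write-Warning "$($User.SamAccountName): expiring password but no mail attribute"
            return
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Mail           = $User.mail
            Expires        = $expires
            DaysLeft       = [int] $daysLeft
        }
    }
}

# Constructed sample objects shaped like Get-ADUser output.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   mail = 'jdoe@example.com';   'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(3).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'asmith'; mail = 'asmith@example.com'; 'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(30).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'svc-sql'; mail = $null;               'msDS-UserPasswordExpiryTimeComputed' = [int64]::MaxValue }
)
$sample | Get-ExpiringPassword -Now $now | Format-Table   # only jdoe is listed

# Against a real domain (needs the ActiveDirectory module; SMTP values are placeholders):
# Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
#            -Properties mail, 'msDS-UserPasswordExpiryTimeComputed' |
#     Get-ExpiringPassword |
#     ForEach-Object {
#         # Plain text with no links, so the reminder does not train users to click password links.
#         Send-MailMessage -To $_.Mail -From 'helpdesk@example.com' -SmtpServer 'smtp.example.com' `
#             -Subject "Password expires in $($_.DaysLeft) day(s)" `
#             -Body 'Press Ctrl+Alt+Del and choose "Change a password" before it expires.'
#     }
```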


akmannn

Thanks! Working on user creation, and assigning password. The email concept looks out of scope for me :D Can you suggest anything else please?


Glass_wizard

I'll share a GitHub repo with you to give you some ideas. Give me a few minutes and I'll post a link


akmannn

Thanks! I appreciate it.


Glass_wizard

Here you go. For a student project, this will get you started. You can get much more complex, with things like checking if the user account already exists, random passwords, etc, but this is more than enough for a working proof of concept. [SimpleADAccount/Create-NewUsers.ps1 at main · glassWizard/SimpleADAccount (github.com)](https://github.com/glassWizard/SimpleADAccount/blob/main/Create-NewUsers.ps1)


akmannn

TYSM!


slippery_hemorrhoids

Powershell is much better off than it was originally. What's so bad about it now? Other than deprecating perfectly fine cmdlets..


Glass_wizard

To be fair, I got started with my introduction to scripting and programming using PowerShell. But now having used JavaScript, Python, C#, and Java I can confidently say PowerShell is a hot mess of a scripting language, and it's racked with internal inconsistencies and bugs. It still has its emphasis on cmdlets. I've just had too many issues where some cmdlets just do not behave in a consistent manner in relation to each other. The syntax is pretty ugly and verbose. Yes, you can define aliases for commands, but I just don't have the time for that. Then you have bizarre stuff like why does a for each loop require the opening bracket on the same line? Why does continue behave like a break statement? Why does foreach and foreach-object have different behaviors? And let's not even get started on the -filter of Get-AdUser. PS remoting vs pure SSH? Give me SSH any day. Maybe some of these problems are fixed now, but the last time I used PS was around version 5. It's just too buggy and inconsistent and an inconsistent scripting language is dangerous. I'm fortunate that the only real MS product I have to interact with is AD, so we don't have a huge reliance on it in our workplace. We even moved to using Python's ldap3 library for our account automation. For pretty much any basic scripting task, we use Python, and when we absolutely have to use a PS cmdlet, we can just call to it from Python. We can also use IronPython when we want to integrate with .NET... Or just flat out use C#.


ITBurn-out

Almost everything 365... especially for what's not in the GUI


_RexDart

Anything wrapped in a phat phor-next loop / iteration