PowerShell Script to enable encryption

Hi All,
I am hoping I can get some assistance. I am looking to create a script that will do following:
1. Enable Encryption
2. Backup Encryption Key and/or TPM Data to specific location and specific file name: ex: Computer Name or FQDN
Is this possible?

There's the Bitlocker cmdlets, like Enable-Bitlocker. See
https://technet.microsoft.com/en-us/library/jj649829.aspx
This appears to encrypt drive when not encrypted already (or resume encryption when currently paused, as it states there).
About writing key protector to a text file:
http://blogs.technet.com/b/leoponti/archive/2013/08/17/powertip-use-powershell-to-write-bitlocker-recovery-key-to-text-file.aspx
Have not tried this myself though.

Similar Messages

Powershell script monitor with encrypted password

I have created a powershell script based monitor in my management pack and everything is ok but I can't get my credentials work inside the script. I want to open pssession to another computer with my credentials. I have triple checked that my pssession is
working because I can access it from powershell console.
This works perfectly at local server from PSconsole:
$EncryptedPassword ="01000000d08c9ddf0115d1118c7a00c04fc297eb01000000534b2....etc...etc..."
$pw = convertto-securestring -String $EncryptedPassword
$cred = new-object System.Management.Automation.PSCredential -argumentlist "MyDOMAIN\MyACCOUNT",$pw
$s = New-PSSession -ComputerName "MyServer" -Port MyPort -Credential $cred
But when I run the same lines inside my management pack the convertto-securestring
does nothing, it just wont convert the encrypted password to secure string!
I have tried this plain text method and it works
inside my management pack, but I don't want to use it because you can see the password in plain text:
ConvertTo-SecureString -String "myPlainTextPassword" -AsPlainText -Force
This is the $error variable, so it's basically says that I don't have anything in the password secure string variable because the convertion did not work for some reason:
The argument is null. Provide a valid value for the argument, and then try running the command again. Cannot process argument transformation on parameter 'Credential'. PromptForCredential Exception calling ".ctor" with "2" argument(s):
"Cannot process argument because the value of argument "password" is null. Change the value of argument "password" to a non-null value." The system cannot find the file specified. Exception calling "SecureStringToBSTR"
with "1" argument(s): "Value cannot be null. Parameter name: s" The system cannot find the file specified. Exception calling "SecureStringToBSTR" with "1" argument(s): "Value cannot be null. Parameter name: s"
The system cannot find the file specified.
So is there some known issue with SCOM Agent / management pack when you are dealing with convertto-securestring
function with encrypted passwords?
I used these methods to encrypt the password: Technet article about encryption

I got it to work!
<TypeDefinitions>
<EntityTypes>
<ClassTypes>
<ClassType ID="MyClass" Accessibility="Public" Abstract="false" Base="Windows!Microsoft.Windows.LocalApplication" Hosted="true" Singleton="false" Extension="false"
/>
</ClassTypes>
</EntityTypes>
<SecureReferences>
<SecureReference ID="MyRunAsAccountProfile" Accessibility="Public" Context="System!System.Entity" />
</SecureReferences>
<ScriptBody>param (
[string]$Username,
[string]$Password
$API = new-object -comObject "MOM.ScriptAPI"
$PropertyBag = $API.CreatePropertyBag()
$cred = New-Object System.Management.Automation.PSCredential -Argumentlist @($Username,(ConvertTo-SecureString -String $Password -AsPlainText -Force))
$s = New-PSSession -ComputerName "myserver" -Credential $cred
Invoke-Command -Session $s -ScriptBlock { $service = Get-Service -Name Spooler}
$invcom = Invoke-Command -Session $s -ScriptBlock { $service.status}
Remove-PSSession -Id $s.Id
if ($invcom.Value -ne "Running") {
$PropertyBag.AddValue("State","ERROR")
$outputLongLine = "Spooler Service is not running on target server!"
$PropertyBag.AddValue("Description", $outputLongLine)
else {
$PropertyBag.AddValue("State","OK")
$outputLongLine = "Spooler is Running on target server."
$PropertyBag.AddValue("Description", $outputLongLine)
$PropertyBag</ScriptBody>
<Parameters>
<Parameter>
<Name>Username</Name>
<Value>$RunAs[Name="MyRunAsAccountProfile"]/Domain$\$RunAs[Name="MyRunAsAccountProfile"]/UserName$</Value>
</Parameter>
<Parameter>
<Name>Password</Name>
<Value>$RunAs[Name="MyRunAsAccountProfile"]/Password$</Value>
</Parameter>

Powershell Script to Enable and Disable SharePoint list versioning

Hi,
We have a Sharepoint list with a date and time field named 'Today' which we update overnight
via PowerShell script to give the current date and this recalculates other calculated fields
in the list.
All is fine but we have versioning enabled on the list and so we get a new version created everyday.
Is there a way to disable the versioning prior to running the update and then re-enable
after?
This is the script
Add-PSSnapin Microsoft.SharePoint.PowerShell
Start-SPAssignment -Global
$SPWeb = Get-SPWeb "<SharePointSiteUrl>"
$List = $SPWeb.Lists["ListName"]
$Items = $List.Items
foreach ($item in $items)
$modifiedBy = $item["Editor"]
$modified = $item["Modified"]
$item["Today"] = Get-Date
$item["Editor"] = $modifiedBy
$item["Modified"] = $modified
$item.Update()
$list.Update()
$SPWeb.Dispose()
Stop-SPAssignment -Global

Hi
Here is a quick powershell script to iterate a site collection and remove versioning on all list of base-type Document Library. Also the iteration removes all the current versions of list items. Great for freeing up space and also to make publishing sites
a little more easy to manage content for trusted content approvers!
Check the below powershell script
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
# Get site
$site = new-object Microsoft.SharePoint.SPSite("http://YoServer:1002")
# Iterate all the webs of the site
foreach ($web in $site.AllWebs)
# loop through all lists in web
foreach ($list in $web.Lists)
# Ensure list is of base Document Library
if ($list.BaseType -ne "DocumentLibrary")
# Move on
continue
# Loop through each item
foreach ($item in $list.Items)
# Get the file
$file = $item.File
# Delete all versions
$file.Versions.DeleteAll()
# Remove version from the list
$list.EnableVersioning = $false
$list.EnableModeration = $false
# We still want to ensure check out
$list.ForceCheckout = $true
$list.Update()
$web.Dispose();
$site.Dispose();
Please mark the Answer and Vote me if you think that it will help you to resolved your issue

Windows 8.1 - How to enable "Require additional authentication at startup" for bitlocker using powershell script?

I need help to do this using powershell scripts on Windows 8.1?
OS : Windows 8.1 Enterprise
TPM Chip : None
Enabling bitlocker on OS drive with a password at boot time is a 2 step process.
1) Edit the Group Policy (gpedit.msc) - Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives ->
Require additional authentication at startup -> Allow bitlocker without a compatible TPM
ref : http://www.7tutorials.com/how-enable-bitlocker-without-tpm-chip-windows-7-windows-8
2) Enable Bitlocker on c driver using manage bitlocker snapin
I need help to do this using powershell scripts?
I researched on the forums but ran into an issue.
I found that Group policy commandlets can be used to do step 1.
I am getting the error : "ins have been registered for Windows PowerShell version 4" when I try to do the following in windows 8.1
Add-PSSnapin GroupPolicy
Import-Module GroupPolicy -Verbose

Hi TinkerBotFoo,
I’m writing to just check in to see if the suggestions were helpful. If you need further help,
please feel free to reply this post directly so we will be notified to follow it up.
If you have any feedback on our support, please click here.
Best Regards
Anna
TechNet Community Support
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

Enable document management for entities through PowerShell script (Dynamic CRM 2013 on premises)

Hello,
Can anybody let me know if it is possible to enable document management for entities through PowerShell script for Dynamic CRM 2013 on premises.
I want power shall script where user will give the entity (Accounts, Contacts etc.) for the CRM.
The script should enable the document management for the entity.
Thank you for your support.

Hi Jeff,
Any updates? If you have any other questions, please feel free to let me know.
A little clarification to the script:
function _ErrObject{
Param($name,
$errStatus
If(!$err){
Write-Host "error detected"
$script:err = $True
$ErrObject = New-Object -TypeName PSObject
$Errobject | Add-Member -Name 'Name' -MemberType Noteproperty -Value $Name
$Errobject | Add-Member -Name 'Comment' -MemberType Noteproperty -Value $errStatus
$script:ErrOutput += $ErrObject
$errOutput = @()
_ErrObject Name, "Missing External Email Address"
$errOutput
_ErrObject Name "Missing External Email Address"
$errOutput
If you have any feedback on our support, please click here.
Best Regards,
Anna Wang
TechNet Community Support

PowerShell Script to Create a Contact Card and Enable Email Forwarding

Exchange 2010
Can anyone help with creating a powershell script to create a contact card and set email forwarding at the sametime?
I'm looking to import a list of 200 users via a text or csv file, create the contact card with first name, middle initial if one exists, last name, (no alias) and put the contact card in the following OU "DIS###" in the a.b.c.com domain as well
as enable forwarding to @mail.com.
I've been able to create a script to enable mail forwarding but it doesn't help me without a contact card. I hate to put this upon anyone, but my ps scripting and Exchange knowledge is still in it's infant stage and I need get this done post haste

Q:Import csv: Does this contain 200 mailboxes name
A:It contains 200 user logon names.
For the mail forwarding:
I currently have a csv file with two columns -- one named displayname and the next call mailaddress. Under the displayname column I have the users account name (first.mi.last -- middle initial if they have one) and under mailaddress i have @mail.com.
script:
Import-CSV C:\setmailforwarding\mailforwarding.csv | foreach-Object{Get-Mailbox $_.displayname | set-Mailbox -forwardingAddress $_.mailaddress}
The above script should work if the contact card has been created. Obviously I need to create the card first.
I don't have a script to set up the contact card as of yet -- I was hoping to get some help on that.
Q:E-mail forwarding: Is this from mailboxes to mail contact, you will be creating
A:Not really sure what you are asking. I'm looking to create the contact card with a csv or txt file for first name, middle initial if one exists, last name, (no alias) and put the contact card in the following OU "DIS###" in the a.b.c.com domain as
well as enable forwarding to @mail.com. The users current email is @mail.1234.com and we will be migrating our mailboxes to another organization that uses @mail.com. I will need to set forwarding in the interim until the migration is complete.
Hope this helps.

PowerShell - scripting - skip Encrypted\CLR Stored Procedures

Hi all,
Forgot where I got the code below from but, how would I skip Encrypted\CLR procedures because, I get error below...
Message
Executed as user: Loginname A job step received an error at line 81 in a PowerShell script. The corresponding line is '
$MyScripter.Script($proc)|out-null'. Correct the script and reschedule the job. The error information returned by PowerShell is: 'Exception calling "Script" with "1" argument(s): "The StoredProcedure '[dbo].[myrpocname]'
cannot be scripted as its data is not accessible." '. Process Exit Code -1. The step failed.
#STORED PROCEDURES
if($procs -ne $null)
foreach ($proc in $procs)
#Assuming that all non-system stored procs have proper naming convention and don''t use prefixes like "sp_"
if ( $proc.Name.IndexOf("sp_") -eq -1 -and $proc.Name.IndexOf("xp_") -eq -1 -and $proc.Name.IndexOf("dt_") -eq -1)
$fileName = $proc.name
"Scripting SP $fileName"
$scriptfile = "$rootDrive\DatabaseScripts\$sqlDatabaseName\$strDate\StoredProcedures\$filename.sql"
New-Item $rootDrive\DatabaseScripts -type directory -force | out-null
New-Item $rootDrive\DatabaseScripts\$sqlDatabaseName -type directory -force | out-null
New-Item $rootDrive\DatabaseScripts\$sqlDatabaseName\$strDate -type directory -force | out-null
New-Item $rootDrive\DatabaseScripts\$sqlDatabaseName\$strDate\StoredProcedures -type directory -force | out-null
# SetScriptOptions
$MyScripter.Options.FileName = $scriptfile
#AppendTofile has to be ''true'' in order that all the procs'' scripts will be appended at the end
$MyScripter.Options.AppendToFile = "true"
$MyScripter.Script($proc)|out-null
Thanks
gv
Sword

You can exclude encrypted stored procedure using $_.IsEncrypted member.
$storedProcs = $db.StoredProcedures | Where-object { $_.schema -eq $schema -and -not $_.IsSystemObject -and -not $_.IsEncrypted}
$server = "localhost"
$database = "PowerSQL"
$output_path = "F:\PowerSQL\"
$schema = "dbo"
$storedProcs_path = "$output_path\StoredProcedure\"
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.SMO") | out-null
$srv = New-Object "Microsoft.SqlServer.Management.SMO.Server" $server
$db = New-Object ("Microsoft.SqlServer.Management.SMO.Database")
$tbl = New-Object ("Microsoft.SqlServer.Management.SMO.Table")
$scripter = New-Object ("Microsoft.SqlServer.Management.SMO.Scripter") ($server)
# Get the database and table objects
$db = $srv.Databases[$database]
$storedProcs = $db.StoredProcedures | Where-object { $_.schema -eq $schema -and -not $_.IsSystemObject -and -not $_.IsEncrypted}
# Set scripter options to ensure only data is scripted
$scripter.Options.ScriptSchema = $true;
$scripter.Options.ScriptData = $false;
#Exclude GOs after every line
$scripter.Options.NoCommandTerminator = $false;
$scripter.Options.ToFileOnly = $true
$scripter.Options.AllowSystemObjects = $false
$scripter.Options.Permissions = $true
$scripter.Options.DriAllConstraints = $true
$scripter.Options.SchemaQualify = $true
$scripter.Options.AnsiFile = $true
$scripter.Options.EnforceScriptingOptions = $true
function CopyObjectsToFiles($objects, $outDir) {
if (-not (Test-Path $outDir)) {
[System.IO.Directory]::CreateDirectory($outDir)
foreach ($o in $objects) {
if ($o -ne $null) {
$schemaPrefix = ""
if ($o.Schema -ne $null -and $o.Schema -ne "") {
$schemaPrefix = $o.Schema + "."
$scripter.Options.FileName = $outDir + $schemaPrefix + $o.Name + ".sql"
Write-Host "Writing " $scripter.Options.FileName -ErrorAction silentlycontinue
$scripter.EnumScript($o)
# Output the scripts
CopyObjectsToFiles $storedProcs $storedProcs_path
Write-Host "Finished at" (Get-Date)
-Prashanth

Disable Static IP in Windows 8.1 and Windows 7 or Powershell Script to get network "connected to" value

Hi,
I´m in a situation where I need to disable static IP option on all Domain machines (workstations). I have found many different forum topics about that but nothing is suitable for me. Let me describe a situation:
* In our environment every computer have specific IP configured in DHCP (specific MAC = specific IP). Machines Must be configured DHCP enabled!
* In our environment all developers are local admins in their computers. This can´t be changed as we are IT corporation and this is our policy.
* As every IP have specific rights in Firewall to access different places then some IT guys are quite smart to change their IP to static IP that have more access then they should have.
This last thing is my main problem! We have working PKI and NPS in both WLAN and LAN so only domain and certified computers can have access to our local network. My mission is to prevent local admins to change IP addressess by themselves but I can´t find
a good solution for doing that. I have tought about Powershell script that is published by SCCM or GPO to all workstations and script idea is to find network card that is "connected to" our "domain.com" network. If this is true then automatically
DHCP will be enabled for that interface (Set-NetIPInterface -Dhcp Enabled). I know that here is an open window for some moment when script will be ran again or GPO policy will be refreshed but it´s better then nothing. In this script I have one problem - I
can´t find a solution about how to find network interface that is connected to our "domain.com"? It seems that there is no easy way to do that.
Is there any other and better solution to accomplished this situation. Any good ideas will be appreciated.
Best Regards,
Taavi

Hi,
the real answer is the one you don't want to hear: don't make your users local admninistrators.
Local administrators will always be able to get araound any security measurement you put in place. For gpo's for example, they can identify the involved registry key, configure it to their desired value and
remove privileges for everyone but themselves to write the key. Upcoming 'gpupdate' will not be able to write the values...
For your script, I would recommend to just configure all adapters to dhcp on the client computers. After all the location detection depends on the network Location Awareness service. If your users disable that one (an rermove the appropriate privileges from
registry ;) ) your script would again be useless.
That being said, as you post to the security forums my answer is focussed on the security off your solution. if you need assistance in creating this script, I would advice to post back in the Scripting guys forums (and leave out the why as you will otherwise
agin be pointed on the flawed security ;) )
I think get-connectionprofile might already be helpull on 8.1
MCP/MCSA/MCTS/MCITP

PowerShell script : Directory object not found error in Get-ADGroupMember

I am new in powershell scripting. I am writing a script to add users in different AD Groups. while doing so I do the following:
Check if the user already exist in the group:
$mbr_exist = Get-ADGroupMember $grpname | Where-Object {$_.SamAccountName -eq $sam}
If user does not exist then add the user to the group.
When I manually run the script its runs flawless, without any errors. But when I schedule the script to run it gives an error as follows:
3/30/2015 8:32:15 AM Directory object not foundAt + $mbr_exist = Get-ADGroupMember $grpname | Where-Object {$_.SamAc ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~ Error at Line:$mbr_exist = Get-ADGroupMember
$grpname | Where-Object {$_.SamAccountName -eq $sam}
The strange thing is the user for which it throws the error is present in the group.I am not sure why this error is occurring when scheduled. Can any one please help? All the suggestions will be appreciated
Note: (The script is scheduled using Windows Task Scheduler)
try
# # Initialize the variables we will use
$status = 'false'
$drivename = "H:"
$sysdate = Get-Date -UFormat "%m_%d_%Y"
$foldername = $drivename + "\Script_Result\PowershellData"+ $sysdate
$backup_folder = "$foldername\AD_Groups_Backup"
$updatedGroup = "$foldername\Updated_AD_Groups_LogFiles"
$LogFilePath = "$foldername\Log_Update_ADGroups"+$sysdate+".log"
# # Initialize the arrays we will use
$GroupArray = @()
# # maintain log of program startup
$logdate = get-date
$logdate.ToString() + "`tStarted script to Update AD user Groups..." | Out-File -FilePath $LogFilePath
# # Create a sub folder to store the backup files
$fileexist = Test-Path $backup_folder -PathType Container
if($fileexist -ne 'False')
New-Item -ItemType Directory $backup_folder
# # Create a sub folder to store Updated AD group Log files
$fileexist = Test-Path $updatedGroup -PathType Container
if($fileexist -ne 'False')
New-Item -ItemType Directory $updatedGroup
# # Take back up of the AD groups data
Get-ADGroupMember -Identity "Group1" | Export-csv "$backup_folder\Group1_BackUP$sysdate.csv"
Get-ADGroupMember -Identity "Group2" | Export-csv "$backup_folder\Group1_BackUP$sysdate.csv"
Get-ADGroupMember -Identity "Group3" | Export-csv "$backup_folder\Group1_BackUP$sysdate.csv"
Get-ADGroupMember -Identity "Group4" | Export-csv "$backup_folder\Group1_BackUP$sysdate.csv"
(an so on..... 11 such groups )
# # Fetch AD Users data
$ADusers = Get-ADUser -filter {(EmployeeNumber -gt 1) -and (EmployeeNumber -ne "N/A") -and (Enabled -eq $true)} -Properties * | Sort-Object -Property EmployeeNumber
$ADusers.Count
foreach($u in $ADusers)
$sam = $u.SamAccountName
$empnum = $u.EmployeeNumber
$mgr = $u.mgr
$fsal = $u.'fsalary-Hourly'
$comp = $u.Company
$ofc = $u.Office
Write-Host "$sam : $empnum : $mgr :$fsal : $comp : $ofc" -ForegroundColor Yellow
$GroupArray = @()
# # Check if the user fits in any of the 11 scenarios
if($comp -eq "US")
# scenario 7
write-host "7. Add to US Employees"
$GroupArray += "US Employees"
if($mgr -eq "Y")
Write-Host "1. ADD to US MAnagers"
$group = "US Managers"
$GroupArray += $group
if(($fsal -eq "Hourly") -and ($ofc -ne "Canton"))
Write-Host "3. Add to US Hourly (excluding Canton)"
$group = "US Hourly (excluding Canton)"
$GroupArray += $group
if(($fsal -eq "Hourly") -and ($ofc -eq "Canton"))
write-host "4. Add to US Canton Hourly"
$group = "US Canton Hourly"
$GroupArray += $group
if(($fsal -eq "Salaried") -and ($ofc -eq "Corporate" -or $ofc -eq "Landis Lakes 1" -or $ofc -eq "Landis Lakes 2"))
Write-Host "5. Add to US Salaried Corporate"
$group = "US Salaried Corporate"
$GroupArray += $group
if(($fsal -eq "Salaried") -and ($ofc -ne "Corporate" -and $ofc -ne "Landis Lakes 1" -and $ofc -ne "Landis Lakes 2"))
Write-Host "6. Add to US Salaried Plant"
$group = "US Salaried Plant"
$GroupArray +=$group
elseif($comp -eq "canada")
# scenario 9
write-host "9. Canada Employees"
$GroupArray += "Canada Employees"
if($mgr -eq "Y")
Write-Host "2. Add to Canada Managers"
$group = "Canada Managers"
$GroupArray += $group
if($fsal -eq "Hourly")
Write-Host "10. Add to Canada Hourly"
$group = "Canada Hourly"
$GroupArray += $group
if($fsal -eq "Salaried")
Write-Host "11. Add to Canada Salaried Plant"
$group = "Canada Salaried Plant"
$GroupArray += $group
elseif($ofc -eq "Corporate" -or $ofc -eq "Landis Lakes 1" -or $ofc -eq "Landis Lakes 2")
Write-Host "8. Add to Corporate Employees"
$GroupArray += "Corporate Employees"
write-host "Final Group List" -ForegroundColor Green
$grplen = $GroupArray.Length
#$GroupArray
$grplen
for($i= 0; $i -lt $grplen; $i++)
$grpname = $GroupArray[$i]
write-host "$sam will be added to Group : $grpname" -ForegroundColor Magenta
# # Check if the user is already present in the Group
$mbr_exist = Get-ADGroupMember $grpname | Where-Object {$_.SamAccountName -eq $sam}
if($mbr_exist -eq $null)
# #Add user to US Managers group
Add-ADGroupMember -Identity $grpname -Members $sam
Write-Host "1. User $sam is added to $grpname group" -ForegroundColor Green
# # documenting the user list that are added to this group
$grpmbr = New-Object PSObject
$grpmbr | Add-Member -MemberType NoteProperty -Name "EmployeeNumber" -Value $empnum
$grpmbr | Add-Member -MemberType NoteProperty -Name "SamAccountName" -Value $sam
$grpmbr | Add-Member -MemberType NoteProperty -Name "Name" -Value $u.Name
$grpmbr | Add-Member -MemberType NoteProperty -Name "DistinguishedName" -Value $u.DistinguishedName
$grpmbr | Add-Member -MemberType NoteProperty -Name "mgr" -Value $mgr
$grpmbr | Add-Member -MemberType NoteProperty -Name "Company" -Value $comp
$grpmbr | Add-Member -MemberType NoteProperty -Name "Salary/Hourly" -Value $fsal
$grpmbr | Add-Member -MemberType NoteProperty -Name "Office" -Value $ofc
$grpmbr | Add-Member -MemberType NoteProperty -Name "ADGroup" -Value $grpname
$grpmbr | Export-Csv "$updatedGroup\ADUsers_To_Group($grpname)_$sysdate.csv" -Append -NoTypeInformation
else
Write-Host "Member $sam already exist in $grpname group" -ForegroundColor Red
$logdate = get-date
$logdate.ToString() + "`tCompleted script to Update Update AD Groups..." | Out-File -FilePath $LogFilePath -Append
$status = 'true'
return $status
catch
$err_lineno = $error[0].InvocationInfo.ScriptLineNumber
$err_line = $error[0].InvocationInfo.Line
$ExceptionMessage = $_.Exception.Message
#$ExceptionMessage
$error_info = $error[0].ToString() + $error[0].InvocationInfo.PositionMessage
Write-Host "$error_info " -ForegroundColor Red
$FailedItem = $_.Exception.ItemName
if($ExceptionMessage)
$logdate.ToString() + "`t $error_info " | out-file "$foldername\ErrorLog_Update_AD_Groups$sysdate.log" -append
"Line Number: $err_lineno . `nError at Line: $err_line" | out-file "$foldername\ErrorLog_Update_AD_Groups$sysdate.log" -append
#Invoke-Item "C:\ErrorLog.log"
$status = 'false'
return $status

Hi mdkelly, Sorry for such a late reply (due to credential issues).
I am using Windows task scheduler to schedule the task. I am given the administrator access to the server (Windows Server 2012). So I think I set to run the script under system account.
My apologies for asking this, am I missing something while scheduling the script through task scheduler? how to check if the scheduled task is running under who's credentials? How to pass my (admin) credentials, so that the script execution won't face
a problem? Any suggestion on the above questions will be helpful. (I tried to search on net for the questions but didn't get any conclusive answers)
Thanks in advance.

Script that enables mail users and kicks out two csv files

I am working on a script that will mainly be used as a scheduled task to enabled mailuser by calling the update-recipient command.
But before it calls that command it will get for various issues that can cause errors.
Missing PrimarySMTP
Display name having a space at front or back.
The external email address being blank.
I have IF statements setup to check for those and then call a function that will save into an array the issue for that user.
Here is the script
<#
.SYNOPSIS
Enable-MailUsers Synced Mail Users in the Exchange environment
THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.
Version .9, 30 June 2014
.DESCRIPTION
This script mail-enables Synced Mail Users and creates a CSV report of mail users that were enabled.
The following is shown:
* Report Generation Time
.PARAMETER SendMail
Send Mail after completion. Set to $True to enable. If enabled, -MailFrom, -MailTo, -MailServer are mandatory
.PARAMETER MailFrom
Email address to send from. Passed directly to Send-MailMessage as -From
.PARAMETER MailTo
Email address to send to. Passed directly to Send-MailMessage as -To
.PARAMETER MailServer
SMTP Mail server to attempt to send through. Passed directly to Send-MailMessage as -SmtpServer
.PARAMETER ScheduleAs
Attempt to schedule the command just executed for 10PM nightly. Specify the username here, schtasks (under the hood) will ask for a password later.
.EXAMPLE
Generate the HTML report
.\Enable-MailUsers.ps1 -SendMail -MailFrom [email protected] -MailTo [email protected] -MailServer ex1.contoso.com -ScheduleAs SvcAccount
#>
param(
[parameter(Position=0,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Send Mail ($True/$False)')][bool]$SendMail=$false,
[parameter(Position=1,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Mail From')][string]$MailFrom,
[parameter(Position=2,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Mail To')]$MailTo,
[parameter(Position=3,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Mail Server')][string]$MailServer,
[parameter(Position=4,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Schedule as user')][string]$ScheduleAs
# Sub Function to neatly update progress
function _UpProg1
param($PercentComplete,$Status,$Stage)
$TotalStages=5
Write-Progress -id 1 -activity "Mail enabled Objects" -status $Status -percentComplete (($PercentComplete/$TotalStages)+(1/$TotalStages*$Stage*100))
#Sub Function create ErrObject output
function _ErrObject{
Param($name,
$errStatus
If(!$err){
Write-Host "error detected"
$script:err = $True
$ErrObject = New-Object -TypeName PSObject
$Errobject | Add-Member -Name 'Name' -MemberType Noteproperty -Value $Name
$Errobject | Add-Member -Name 'Comment' -MemberType Noteproperty -Value $errStatus
$script:ErrOutput += $ErrObject
# 1. Initial Startup
# 1.0 Check Powershell Version
if ((Get-Host).Version.Major -eq 1)
throw "Powershell Version 1 not supported";
# 1.1 Check Exchange Management Shell, attempt to load
if (!(Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue))
if (Test-Path "D:\Exchsrvr\bin\RemoteExchange.ps1")
. 'D:\Exchsrvr\bin\RemoteExchange.ps1'
Connect-ExchangeServer -auto
} elseif (Test-Path "D:\Exchsrvr\bin\Exchange.ps1") {
Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.Admin
.'D:\Exchsrvr\bin\Exchange.ps1'
} else {
throw "Exchange Management Shell cannot be loaded"
# 1.2 Check if -SendMail parameter set and if so check -MailFrom, -MailTo and -MailServer are set
if ($SendMail)
if (!$MailFrom -or !$MailTo -or !$MailServer)
throw "If -SendMail specified, you must also specify -MailFrom, -MailTo and -MailServer"
# 1.3 Check Exchange Management Shell Version
if ((Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue))
$E2010 = $false;
if (Get-ExchangeServer | Where {$_.AdminDisplayVersion.Major -gt 14})
Write-Warning "Exchange 2010 or higher detected. You'll get better results if you run this script from an Exchange 2010/2013 management shell"
}else{
$E2010 = $true
$localserver = get-exchangeserver $Env:computername
$localversion = $localserver.admindisplayversion.major
if ($localversion -eq 15) { $E2013 = $true }
#Get date
$filedate = get-date -uformat "%m-%d-%Y"
$filedate = $filedate.ToString().Replace("0", "")
#Get the valid users that are not mail-enabled
_UpProg1 1 "Getting User List" 1
#$Users = Get-mailuser -ResultSize unlimited -OrganizationalUnit "R0018.COLLABORATION.ECS.HP.COM/Accounts/AbbVienet/Users" | ?{$_.legacyexchangeDN -eq ""}
$i = 0
$output = @()
$errOutput = @()
$err = $False
#2 Process users
ForEach ($User in $Users){
$i++
_UpProg1 ($i/$Users.Count*100) "Updating Recipients" 2
If ($user.ExternalEmailAddress -eq $null){
_ErrObject $user.Name, "Missing External Email Address"
ElseIf($user.DisplayName -NotLike "* "){
_ErrObject $user.Name, "DisplayName contains a trailing space"
ElseIf($user.DisplayName -NotLike "_*"){
_ErrObject $user.Name, "DisplayName contains a Leading space"
ElseIf($user.PrimarySmtpAddress -eq $null){
_ErrObject $user.Name, "Missing Primary SMTP address"
Else{
#Disable EmailAddressPolicy on these users
Set-Mailuser $User.Name -EmailAddressPolicyEnabled $false
#pass to Update-recipient
Update-Recipient $User.Name
$LEDN = Get-MailUser $User.Name | Select {$_.LegacyExchangeDN}
If ($LEDN -ne ""){
$object = New-Object -TypeName PSObject
$X500 = "x500:" + $LEDN.'$_.LegacyExchangeDN'
$object | Add-Member -Name 'Name' -MemberType Noteproperty -Value $User.Name
$object | Add-Member -Name 'x500' -MemberType Noteproperty -Value $X500
$output += $object
#Creating CSVFile Output
_UpProg1 99 "Outputting CSV file 3" 3
$CSVFile = "c:\scripts\Mail-enable\Mailenabled_$((Get-Date).ToString('MM-dd-yyyy_hh-mm-ss')).csv"
If($err){
$ErrCSVFile = "c:\scripts\Mail-enable\ProblemUsers_$((Get-Date).ToString('MM-dd-yyyy_hh-mm-ss')).csv"
$errOutput | Select-Object Name, Comment | ConvertTo-CSV -NoTypeInformation > $ErrCSVFIle
$Output | ConvertTo-Csv -NoTypeInformation > $CSVFile
if ($SendMail)
_UpProg1 95 "Sending mail message.." 4
If($err){
Send-MailMessage -Attachments $CSVFile,$ErrCSVFile -To $MailTo -From $MailFrom -Subject "Enable Mail Users Script" -BodyAsHtml $Output -SmtpServer $MailServer
Else{
Send-MailMessage -Attachments $CSVFile -To $MailTo -From $MailFrom -Subject "Enable Mail Users Script" -BodyAsHtml $Output -SmtpServer $MailServer
if ($ScheduleAs)
_UpProg1 99 "Attempting to Schedule Task.." 4
$dir=(split-path -parent $myinvocation.mycommand.definition)
$params=""
if ($SendMail)
$params+=' -SendMail:$true'
$params+=" -MailFrom:$MailFrom -MailTo:$MailTo -MailServer:$MailServer"
$task = "powershell -c \""pushd $dir; $($myinvocation.mycommand.definition) $params\"""
Write-Output "Attempting to schedule task as $($ScheduleAs)..."
Write-Output "Task to schedule: $($task)"
schtasks /Create /RU $ScheduleAs /RP /SC DAILY /ST 22:00 /TN "Enable Mail Users" /TR $task
The Problem is that when I look at the $errOutput I see things but when I pipe the $erroutput to convertTo-CSV I get this within the CSV file. I think its because I an calling a function to do the updating. But not sure.
Jeff C

Hi Jeff,
Any updates? If you have any other questions, please feel free to let me know.
A little clarification to the script:
function _ErrObject{
Param($name,
$errStatus
If(!$err){
Write-Host "error detected"
$script:err = $True
$ErrObject = New-Object -TypeName PSObject
$Errobject | Add-Member -Name 'Name' -MemberType Noteproperty -Value $Name
$Errobject | Add-Member -Name 'Comment' -MemberType Noteproperty -Value $errStatus
$script:ErrOutput += $ErrObject
$errOutput = @()
_ErrObject Name, "Missing External Email Address"
$errOutput
_ErrObject Name "Missing External Email Address"
$errOutput
If you have any feedback on our support, please click here.
Best Regards,
Anna Wang
TechNet Community Support

How to force group policy update remotely in a bunch of desktops(computers name in a textfile) by using powershell script?

Hi,
I want to force group policy on a collection of computers remotely.The name of computers can be stored in a text file.
By using this info. (about computer names) , Could you please guide me writing a Powershell script for this.
Thanks in advance.
Daya

This requires that PSRemoting is enabled in your environment.
$Computers = Get-Content -Path 'C:\computers.txt'
Invoke-Command -ComputerName $Computers -ScriptBlock {
GPUpdate /Force

Powershell script to set custom attribute on mailuser returns WARNING: The command completed successfully but no settings of user have been modified.

I am trying to write a script to enable a mailuser (I do know the difference between mailuser and mailbox) and set a custom attribute for that mailuser. Every time I run the script I get "WARNING: The command completed successfully but no settings
of <User DN> have been modified." Both commands being invoked work when typed manually into the exchange management shell on the exchange server itself. I am using the same administrator account in the script, and when I login to the
exchange server to manually run the commands, so it shouldn't be a permission issue. Here is my script so far. If anyone can shed some light on what I'm doing wrong, I'd appreciate it.
$excel = new-object -com excel.application
$wb = $excel.workbooks.open("c:\temp\testmail8.xlsx")
$ws = $wb.Worksheets.Item(1)
$row = 1
$s = New-PSSession -ConfigurationName microsoft.exchange -ConnectionUri http://<Exchange Server Name>/powershell -Credential [email protected]
Do {
$Email = $ws.Cells.Item($row, 1).Value()
$Cat = $ws.Cells.Item($row, 2).Value()
invoke-command -Session $s -ScriptBlock {Enable-MailUser -ExternalEmailAddress $($args[0][0] + "@domain.com") -Identity $($args[0][0])} -ArgumentList (,$Email, $Cat)
invoke-command -Session $s -ScriptBlock {Set-MailUser -Identity $($args[0][0]) -CustomAttribute1 $($args[0][1])} -ArgumentList (,$Email, $Cat)
$row++
} While ($ws.Cells.Item($row,1).Value() -ne $null)
$excel.quit
Exit-PSSession

Hi,
I'm not sure where is wrong in your script. If you want to get more help about the script troubleshooting, I recommand you to ask a question in Script Center forum for more professional answers:
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
As a workaround, please directly create a mail user in EAC and set related custom attribute to have a try.
Thanks,
Winnie Liang
TechNet Community Support

Powershell script assistance - adding another property to existing script

This is not my script but was written by Richard L. Mueller. It works perfectly for us but I would like to know if the account is enabled or disabled when the output is created. Basically it would output the name, lastlogon and then either enabled or disabled.
I've attempted to add a new property by adding another " $Searcher.PropertiesToLoad.Add" and "$Result.Properties.Item ".
It works fine if I add something like "givenName" but I can't find the property name to show if the account is enabled or disabled.
The entire script is shown below:
# PSLastLogon.ps1
# PowerShell script to determine when each user in the domain last
# logged on.
# Copyright (c) 2011 Richard L. Mueller
# Hilltop Lab web site - http://www.rlmueller.net
# Version 1.0 - March 16, 2011
# This program queries every Domain Controller in the domain to find the
# largest (latest) value of the lastLogon attribute for each user. The
# last logon dates for each user are converted into local time. The
# times are adjusted for daylight savings time, as presently configured.
# You have a royalty-free right to use, modify, reproduce, and
# distribute this script file in any way you find useful, provided that
# you agree that the copyright owner above has no warranty, obligations,
# or liability for such use.
Trap {"Error: $_"; Break;}
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.PageSize = 200
$Searcher.SearchScope = "subtree"
$Searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
$Searcher.PropertiesToLoad.Add("lastLogon") > $Null
# Create hash table of users and their last logon dates.
$arrUsers = @{}
# Enumerate all Domain Controllers.
ForEach ($DC In $D.DomainControllers)
$Server = $DC.Name
$Searcher.SearchRoot = "LDAP://$Server/" + $Domain.distinguishedName
$Results = $Searcher.FindAll()
ForEach ($Result In $Results)
$DN = $Result.Properties.Item("distinguishedName")
$LL = $Result.Properties.Item("lastLogon")
If ($LL.Count -eq 0)
$Last = [DateTime]0
Else
$Last = [DateTime]$LL.Item(0)
If ($Last -eq 0)
$LastLogon = $Last.AddYears(1600)
Else
$LastLogon = $Last.AddYears(1600).ToLocalTime()
If ($arrUsers.ContainsKey("$DN"))
If ($LastLogon -gt $arrUsers["$DN"])
$arrUsers["$DN"] = $LastLogon
Else
$arrUsers.Add("$DN", $LastLogon)
# Output latest last logon date for each user.
$Users = $arrUsers.Keys
ForEach ($DN In $Users)
$Date = $arrUsers["$DN"]
"$DN;$Date"

It is part of the userAccountControl attribute. Retrieve that attribute for each user and test if the ADS_UF_ACCOUNTDISABLE bit (2) is set.
-- Bill Stewart [Bill_Stewart]

Problem with a package that calls powershell script

The long story short: I'm trying to schedule a SSIS package, with SQL Server Agent, that runs a powershell script/command via a proxy account. The problem seems to be that proxy account didn't have the required permissions to run a .ps1 script, so I've
changed the execution policy to "Unrestricted" of everything that could be changed (from ps command prompt):
Scope ExecutionPolicy
MachinePolicy Unrestricted
UserPolicy Unrestricted
Process Undefined
CurrentUser Unrestricted
LocalMachine Unrestricted
So far, so good! But when I try to execute the SSIS package that calls the powershell script like this:
powershell.exe -file D:\script.ps1 -FileName testme
I get the error:
AuthorizationManager check failed.
+ CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecord
Exception
+ FullyQualifiedErrorId : UnauthorizedAccess
And when I try something more simple like:
powershell.exe -Command &{Get-ExecutionPolicy}
I get this:
Get-ExecutionPolicy : Access denied At line:1 char:3
+ &{Get-ExecutionPolicy}
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ExecutionPolicy], Managem
entException
+ FullyQualifiedErrorId : System.Management.ManagementException,Microsoft.
PowerShell.Commands.GetExecutionPolicyCommand
It's worth mentioning that I can call the regular cmdlets: dir; get-content, whoami, so powershell.exe is working fine! Anyone with an idea what's going on here?

Check to make sure Windows Management Instrumentation service (WMI) is Enabled and running. If it’s disabled, try enabling it and starting it to see if that clears the error.
If all else fails, go to the path noted in the error and delete the PowerShell profile file.
Arthur
MyBlog
Twitter

Compliance Settings Adobe flash Player disable Automatic Updates Powershell Scripts fail

Hello,
I have setup compliance to check and remediate if Adobe flash Player automatic updates is enabled by using PowerShell scripts.
If I run the scripts below manually on my pc they work fine, but if I run in sccm 2012 compliance I get:
Setting Discovery Error
0x87d00327
Script is not signed
CCM
I tried contacting the person that created the scripts, but didn't get a response.
Discovery Script
Set-ExecutionPolicy Unrestricted -force
<#
This script will check if automatic updates is disabled and return a Compliant/Non-Compliant string.
Created:     04.08.2014
Version:     1.0
Author:      Odd-Magne Kristoffersen
Homepage:    https://sccmguru.wordpress.com/
References:
- Configure auto-update notification Flash Player
http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html
- Adobe Flash Player Administration Guide for Flash Player 14
http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flash_player_14_0_admin_guide.pdf
- Adobe Flash Player Administration Guide for Microsoft Windows 8
http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flash_player_13_0_admin_guide.pdf
#>
$OSArchitecture = Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture
If($OSArchitecture.OSArchitecture -ne "32-bit")
    $CFGExists = Test-Path -Path "$Env:WinDir\SysWow64\Macromed\Flash\mms.cfg"
         if($CFGExists -eq $True)
         {$UpdateCheck = Select-String "$Env:WinDir\SysWow64\Macromed\Flash\mms.cfg" -pattern "AutoUpdateDisable=1" | Select-Object Line}
            if($UpdateCheck.Line -eq 'AutoUpdateDisable=1') {Write-Host 'Compliant'}
            else {Write-Host 'Non-Compliant'}
else
    $CFGExists = Test-Path -Path "$Env:WinDir\System32\Macromed\Flash\mms.cfg"
         if($CFGExists -eq $True)
         {$UpdateCheck = Select-String "$Env:WinDir\System32\Macromed\Flash\mms.cfg" -pattern "AutoUpdateDisable=1" | Select-Object Line}
            if($UpdateCheck.Line -eq 'AutoUpdateDisable=1') {Write-Host 'Compliant'}
            else {Write-Host 'Non-Compliant'}
Remediation Script
Set-ExecutionPolicy Unrestricted -force
<#
This script will check if automatic updates is disabled and return a Compliant/Non-Compliant string.
Created:     04.08.2014
Version:     1.0
Author:      Odd-Magne Kristoffersen
Homepage:    https://sccmguru.wordpress.com/
References:
- Configure auto-update notification Flash Player
http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html
- Adobe Flash Player Administration Guide for Flash Player 14
http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flash_player_14_0_admin_guide.pdf
- Adobe Flash Player Administration Guide for Microsoft Windows 8
http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flash_player_13_0_admin_guide.pdf
#>
$OSArchitecture = Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture
If($OSArchitecture.OSArchitecture -ne "32-bit")
    $CFGExists = Test-Path -Path "$Env:WinDir\SysWow64\Macromed\Flash\mms.cfg"
         if($CFGExists -eq $True)
         {$UpdateCheck = Select-String "$Env:WinDir\SysWow64\Macromed\Flash\mms.cfg" -pattern "AutoUpdateDisable=1" | Select-Object Line}
            if($UpdateCheck.Line -eq 'AutoUpdateDisable=1') {Write-Host 'Compliant'}
            else {Write-Host 'Non-Compliant'}
else
    $CFGExists = Test-Path -Path "$Env:WinDir\System32\Macromed\Flash\mms.cfg"
         if($CFGExists -eq $True)
         {$UpdateCheck = Select-String "$Env:WinDir\System32\Macromed\Flash\mms.cfg" -pattern "AutoUpdateDisable=1" | Select-Object Line}
            if($UpdateCheck.Line -eq 'AutoUpdateDisable=1') {Write-Host 'Compliant'}
            else {Write-Host 'Non-Compliant'}
Thanks,
Mark

Hi Jeff,
You were correct, Default client settings was set to All signed and once I set to bypass, PowerShell Scripts executed. But now I am getting:    If I run them both from PowerShell, they work fine. Thanks again for your help, Mark
Error Type
Error Code
Error Description
Error Source
Enforcement Error
0x87d00329
Application requirement evaluation or detection failed
CCM

PowerShell Script to enable encryption

Similar Messages

Maybe you are looking for