Comparing AD group membership between two accounts

This document describes a script that compares two AD accounts so that the group memberships of one can be copied to the other.

Prerequisites
PowerShell script execution enabled
rights to modify AD accounts

The script

Param(
    $sourceacc, 
    $destacc, 
    [switch]$noconfirm 
) 
 
# Checks if both accounts are provided as an argument, otherwise prompts for input 
if (-not $sourceacc) { $sourceacc = read-host "Please input source user name, the user the rights will be read from" } 
if (-not $destacc) { $destacc = read-host "Please input destination user name, the user which will be added to the groups of the source user" } 
 
# Retrieves the group membership for both accounts 
$sourcemember = get-aduser -filter {samaccountname -eq $sourceacc} -property memberof | select memberof 
$destmember = get-aduser -filter {samaccountname -eq $destacc} -property memberof | select memberof 
 
# Checks that both accounts were found; if either lookup returned nothing the script exits 
if ($sourcemember -eq $null) {"Source user not found";return} 
if ($destmember -eq $null) {"Destination user not found";return} 
 
# Checks for differences, if no differences are found script will prompt and exit 
if (-not (compare-object $destmember.memberof $sourcemember.memberof | where-object {$_.sideindicator -eq '=>'})) {write-host "No difference between $sourceacc & $destacc groupmembership found. $destacc will not be added to any additional groups.";return} 
 
# Routine that changes group membership and displays output to prompt 
compare-object $destmember.memberof $sourcemember.memberof | where-object {$_.sideindicator -eq '=>'} | 
    select -expand inputobject | foreach {write-host "$destacc will be added to:"([regex]::split($_,'^CN=|,OU=.+$'))[1]} 
 
# If no confirmation parameter is set no confirmation is required, otherwise script will prompt for confirmation 
if ($noconfirm)    { 
    compare-object $destmember.memberof $sourcemember.memberof | where-object {$_.sideindicator -eq '=>'} |  
        select -expand inputobject | foreach {add-adgroupmember "$_" $destacc} 
} 
 
else { 
    do{ 
        $UserInput = Read-Host "Are you sure you wish to add $destacc to these groups?`n[Y]es, [N]o or e[X]it" 
        if (("Y","yes","n","no","X","exit") -notcontains $UserInput) { 
            $UserInput = $null 
            Write-Warning "Please input correct value" 
        } 
        if (("X","exit","N","no") -contains $UserInput) { 
            Write-Host "No changes made, exiting..." 
            exit 
        }      
        if (("Y","yes") -contains $UserInput) { 
            compare-object $destmember.memberof $sourcemember.memberof | where-object {$_.sideindicator -eq '=>'} |  
                select -expand inputobject | foreach {add-adgroupmember "$_" $destacc} 
        } 
    } 
    until ($UserInput -ne $null) 
}

Using the script

Load the ActiveDirectory module

Import-Module activedirectory

Run the script

.\Compare-ADuserAddGroup.ps1
Please input source user name, the user the rights will be read from: user1
Please input destination user name, the user which will be added to the groups of the source user: user2
pruban will be added to: Group ABC 1
pruban will be added to: Group ABC 2
pruban will be added to: Group ABC 36dfa920
pruban will be added to: Group ABC 43
pruban will be added to: Group ABC 42
pruban will be added to: Group ABC 45
pruban will be added to: Group ABC 543
pruban will be added to: Group ABC 45
pruban will be added to: Group ABC 34

Are you sure you wish to add user2 to these groups?
[Y]es, [N]o or e[X]it: Y

source:http://gallery.technet.microsoft.com/scriptcenter/Compare-group-membership-36dfa920
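
Copying one account's memberships onto another also copies any privileged groups the source account holds, so it helps to review the difference before confirming. The following is an added example, not part of the original script: it computes the same difference, takes the group name from the first RDN even when the group is not directly under an OU, and flags well-known privileged groups. The function name `Get-MissingGroup`, the `$ReviewList` default and the sample DNs are assumptions made for illustration.

```powershell
# Added example, not the original script. $ReviewList is an assumption: adapt it to your directory.
function Get-MissingGroup {
    param(
        [string[]]$SourceGroups,   # memberOf DNs of the reference account
        [string[]]$DestGroups,     # memberOf DNs of the account to align
        [string[]]$ReviewList = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                  'Administrators', 'Account Operators', 'Backup Operators')
    )
    # Hashtable keys are case-insensitive; an empty or null destination list is fine
    $have = @{}
    foreach ($dn in $DestGroups) { if ($dn) { $have[$dn] = $true } }

    foreach ($dn in $SourceGroups) {
        if (-not $dn -or $have.ContainsKey($dn)) { continue }
        # Value of the first RDN, whatever the parent container is (OU=..., CN=Users, ...)
        $name = if ($dn -match '^CN=((?:\\.|[^,\\])+)') { $Matches[1] -replace '\\(.)', '$1' } else { $dn }
        [pscustomobject]@{
            Name              = $name
            NeedsReview       = $ReviewList -contains $name
            DistinguishedName = $dn
        }
    }
}

# Constructed sample DNs (not from a real directory)
$src = 'CN=Group ABC 1,OU=Groups,DC=example,DC=test',
       'CN=Domain Admins,CN=Users,DC=example,DC=test',
       'CN=Sales\, EMEA,OU=Groups,DC=example,DC=test'
$dst = @('cn=group abc 1,ou=groups,dc=example,dc=test')   # same group, different case

Get-MissingGroup -SourceGroups $src -DestGroups $dst | Format-Table -AutoSize

# Against a live directory (requires the ActiveDirectory module); -WhatIf only previews:
# $src = (Get-ADUser -Identity user1 -Properties MemberOf).MemberOf
# $dst = (Get-ADUser -Identity user2 -Properties MemberOf).MemberOf
# Get-MissingGroup $src $dst | Where-Object { -not $_.NeedsReview } |
#     ForEach-Object { Add-ADGroupMember -Identity $_.DistinguishedName -Members user2 -WhatIf }
```

With the sample data the output lists "Domain Admins" with NeedsReview set and "Sales, EMEA" without it; "Group ABC 1" is skipped because the destination already has it.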


#ad, #compare, #group, #membership, #powershell, #script

Keeping Track of the Shadow … copies

I have 2008R2 and 2012 servers that have been in production for quite some time, running smoothly – I have never paid attention to VSS.

Various volumes with shares are set up to capture shadow copies – every hour, every day. The storage area is set to unlimited (300GB). VSS captures shadow copies accordingly as per schedule.

The problem I’m having is that the Shadow Copies are not growing to use all of the ‘Maximum Shadow Copy Storage space’. The ‘Used Shadow Copy Storage space’ is at 10.962GB – I’ve seen it go a bit higher, but never over 12GB. As a result, I’m not capturing as many prior versions of the volume as I would like.

There are no errors in the System log. Running ‘vssadmin list shadowstorage’ confirms that max size is 27GB. Running ‘vssadmin list writers’ shows all states as ‘stable’ and no errors. Running ‘vssadmin list providers’ shows there is only one provider (Microsoft Software Shadow Copy Provider, version 1.0.0.7).

Anyhow, I wanted to keep an eye on the shadow copies so I created this dirty script

#variables
$ComputerName = hostname

#preflight
if ($args.Length -eq 0)
{
    write-host "Usage = report-vss.ps1 driveletter:"
    exit
}
else
{
    $driveletter = $args[0]
    $trimmedletter = $driveletter.TrimEnd(":")

    write-host "Reporting for $driveletter drive on $ComputerName..."
}

#use vssadmin to list the date time and count them
$logfilename = ".\report-vss-$ComputerName-$trimmedletter.log" #vssreports must exist!
$message = "VSS info for $driveletter volume on $ComputerName"
echo $message > $logfilename
vssadmin list shadows /for=$driveletter | Select-String contained >> $logfilename
$vsscount = (vssadmin list shadows /for=$driveletter | Select-String contained).count
echo "There are $vsscount shadows for this volume" >> $logfilename

#use vssadmin to list the shadow storage
vssadmin list shadowstorage /for=$driveletter >> $logfilename

#use powershell to send an email; the subject carries the shadow count
$title = "$message with $vsscount shadows"
$stringBuilder = New-Object System.Text.StringBuilder
$body = Get-Content -Path $logfilename -Raw
$null = $stringBuilder.Append($body)
send-mailmessage -from "powershell@x.ca" -to "y@x.ca" -subject $title -body $stringBuilder.ToString() -priority High -dno onSuccess, onFailure -smtpServer EMAIL.ca

#do some clean up
rm $logfilename

I then call this from a batch script and use ps-remotesession to get the information on various server volumes.

#remotehost A
$s = New-PSSession -computerName A
Invoke-Command -Session $s -filepath "\\gaia\it\Scripts\files\report-vss.ps1" -ArgumentList "f:"
Invoke-Command -Session $s -filepath "\\gaia\it\Scripts\files\report-vss.ps1" -ArgumentList "l:"
Remove-PSSession $s

#remotehost B
$s = New-PSSession -computerName B
Invoke-Command -Session $s -filepath "\\gaia\it\Scripts\files\report-vss.ps1" -ArgumentList "f:"
Invoke-Command -Session $s -filepath "\\gaia\it\Scripts\files\report-vss.ps1" -ArgumentList "l:"
Remove-PSSession $s

I am now thinking, is there anything in WMI to get those metrics?

Yes there is! Let me now dig this out and come back with some other ideas.

Win32_ShadowProvider
Win32_ShadowContext
Win32_ShadowStorage
Win32_ShadowBy
Win32_ShadowFor
Win32_ShadowOn
Win32_ShadowVolumeSupport
Win32_ShadowDiffVolumeSupport
http://msdn.microsoft.com/en-us/library/aa394428%28v=vs.85%29.aspx
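
One way to build the same report from WMI instead of parsing vssadmin output, as an added example that is not part of the original post. It joins Win32_Volume, Win32_ShadowCopy (a class not in the list above) and Win32_ShadowStorage on the volume GUID that all three embed. The function name `Get-VssReport` and the sample objects are constructed for illustration, and Windows PowerShell with `Get-WmiObject` is assumed.

```powershell
# Added example: pure reporting logic, fed by WMI objects or by the constructed sample below.
function Get-VssReport {
    param($Volumes, $Shadows, $Storage)
    # Each class names the volume differently, but all of them embed the volume GUID
    $guid = { param($s) if ("$s" -match 'Volume\{([0-9a-fA-F-]+)\}') { $Matches[1].ToLower() } }
    foreach ($v in $Volumes) {
        $id = & $guid $v.DeviceID
        if (-not $id) { continue }
        $copies = @($Shadows | Where-Object { (& $guid $_.VolumeName) -eq $id })
        $st = $Storage | Where-Object { (& $guid $_.Volume) -eq $id } | Select-Object -First 1
        if ($copies.Count -eq 0 -and -not $st) { continue }   # volume without VSS data
        # InstallDate is a DMTF string such as 20140301080000.000000-300
        $dates = @($copies | ForEach-Object {
            [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) } | Sort-Object)
        [pscustomobject]@{
            Drive       = $v.DriveLetter
            Shadows     = $copies.Count
            Oldest      = if ($dates.Count) { $dates[0] }
            Newest      = if ($dates.Count) { $dates[-1] }
            UsedGB      = if ($st) { [math]::Round($st.UsedSpace / 1GB, 3) }
            AllocatedGB = if ($st) { [math]::Round($st.AllocatedSpace / 1GB, 3) }
            MaxGB       = if ($st) { [math]::Round($st.MaxSpace / 1GB, 3) }
        }
    }
}

# Constructed sample objects (illustrative values, not real measurements)
$g   = '{11111111-2222-3333-4444-555555555555}'
$vol = [pscustomobject]@{ DriveLetter = 'F:'; DeviceID = "\\?\Volume$g\" }
$sc  = '20140301080000.000000-300', '20140301090000.000000-300' | ForEach-Object {
    [pscustomobject]@{ VolumeName = "\\?\Volume$g\"; InstallDate = $_ } }
$ss  = [pscustomobject]@{ Volume = "Win32_Volume.DeviceID=`"\\\\?\\Volume$g\\`""
    UsedSpace = 11GB; AllocatedSpace = 12GB; MaxSpace = 27GB }
Get-VssReport $vol $sc $ss | Format-List

# Live use on a server, from an elevated session:
# Get-VssReport (Get-WmiObject Win32_Volume) (Get-WmiObject Win32_ShadowCopy) (Get-WmiObject Win32_ShadowStorage)
```

Keeping the shadow count and the oldest copy date per volume over time also makes an unexpected drop in shadow copies easy to spot.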

#powershell, #script, #vss