Indented! » wmi

PowerShell, IIS and log settings

Chris — Tue, 12 Jan 2010 10:06:45 +0000

A function to retrieve IIS log settings from a local or remote IIS 6 server. Written to be compatible with PowerShell 1.0.

Function Get-IISLogSetting
{
  Param([String[]]$Servers = $Env:Computername)

  $Servers | %{
    $Server = $_

    $WMI = New-Object Management.ManagementScope("\\$Server\root\MicrosoftIISv2")
    $WMI.Options.Authentication = "PacketPrivacy"
    $Query = New-Object Management.ObjectQuery( `
      "SELECT Name, LogFileDirectory, LogFileTruncateSize, " + `
      "LogType, LogFilePeriod FROM IIsWebServerSetting")

    $Searcher = New-Object Management.ManagementObjectSearcher($WMI, $Query)

    Trap [UnauthorizedAccessException]
    {
      Write-Error "$($Server): Unable to connect or Access is denied"
      continue
    }
    $Searcher.Get() | Select-Object `
      @{n='Name';e={ $Server }}, `
      @{n='Site';e={ $_.Name }}, `
      @{n='IIS Logging';e={
        Switch ($_.LogType) {
          0 { "Disabled" }
          1 { "Enabled" }
        } }}, `
      @{n='Log Path';e={ $_.LogFileDirectory }}, `
      @{n='Log File Size';e={
        If ([Int]$_.LogFileTruncateSize -eq -1) { "Unlimited" } else {
          "$([Int]$_.LogFileTruncateSize / 1Gb) Gb" } }}, `
      @{n='Log File Rollover';e={
        Switch ($_.LogFilePeriod) {
          0 { "Size" }
          1 { "Date" }
        } }}
  }
}

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Reading share security with PowerShell

Chris — Fri, 20 Feb 2009 17:31:23 +0000

The cmdlet Get-ACL is very capable when it comes to NTFS permissions, but it cannot read share permissions. This function makes an effort to provide a simple way to return share security (and other information) from a share.

The function makes use of two WMI Classes, Win32_Share and Win32_LogicalShareSecuritySetting. To simplify enumeration each Access Control Entry found within the shares Discretionary Access Control List is converted to a FileSystemAccessRule before being added to the Access object, allowing the access to be displayed in a similar way to Access from Get-ACL.

Security information is only returned for shares of type 0, standard shared folders. Security for automatically generated administrative shares will not show. Access is added to the remainder of the information returned by Win32_Share. The Control Flags for the security descriptor are available, but not interesting as they are set to DiscretionaryAclPresent and SelfRelative.

The function accepts two parameters, the name of the share, and optionally the name of a computer. With no parameters, information for all shares on the computer is returned. WQL wildcards are supported (% and _) within the share name.

Get-ShareACL

Function Get-ShareACL {
  Param(
    [String]$Name = "%",
    [String]$Computer = $Env:ComputerName
  )

  $Shares = @()
  Get-WMIObject Win32_Share `
    -Computer $Computer -Filter "Name LIKE '$Name'" | `
    %{
      $Access = @();
      If ($_.Type -eq 0) {
        $SD = (Get-WMIObject -Class Win32_LogicalShareSecuritySetting `
          -Computer $Computer `
          -Filter "Name='$($_.Name)'").GetSecurityDescriptor().Descriptor
        $SD.DACL | %{
          $Trustee = $_.Trustee.Name
          If ($_.Trustee.Domain -ne $Null) {
            $Trustee = "$($_.Trustee.Domain)\$Trustee"
          }
          $Access += New-Object Security.AccessControl.FileSystemAccessRule( `
            $Trustee, $_.AccessMask, $_.AceType)
        }
      }
      $_ | Select-Object Name, Path, Description, Caption, `
        @{n='Type';e={ Switch ($_.Type) {
          0 { "Disk Drive" }
          1 { "Print Queue" }
          2 { "Device" }
          2147483648 { "Disk Drive Admin" }
          2147483649 { "Print Queue Admin" }
          2147483650 { "Device Admin" }
          2147483651 { "IPC Admin" } }} }, `
        MaximumAllowed, AllowMaximum, Status, InstallDate, `
        @{n='Access';e={ $Access }}
  }
}

Example

PS C:\> Get-ShareACL Test

Name           : Test
Path           : C:\Test
Description    :
Caption        : Test
Type           : Disk Drive
MaximumAllowed :
AllowMaximum   : True
Status         : OK
InstallDate    :
Access         : {System.Security.AccessControl.FileSystemAccessRule}

PS C:\> (Get-ShareACL Test).Access

FileSystemRights  : ReadAndExecute
AccessControlType : Allow
IdentityReference : somedomain\chrisdent
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

Get-DsAcl The goal of this PowerShell function is to create a...

Related posts brought to you by Yet Another Related Posts Plugin.

Reading NTFS and Share security with VbScript

Chris — Thu, 19 Feb 2009 17:25:25 +0000

NTFS (File System) and Share security can be enumerated using the Win32_LogicalFileSecuritySetting and Win32_LogicalShareSecuritySetting WMI classes. This post demonstrates how to use each class to read the security descriptors.

In each case the WMI class contains a GetSecurityDescriptor method used to retrieve the Security Descriptor (as a Win32_SecurityDescriptor).

The references section at the bottom of this article include details of sources for all constants. A little PowerShell creeps in to show how the numeric values were retrieved and checked.

DACLs and SACLs

A DACL or Discretionary Access Control List is the most heavily used, it contains Access Control Entries that define who can, and who cannot, access a resource or object. These are seen when viewing the Security tab of an object.

An SACL or System Access Control List defines which actions will be audited when accessing an a resource or object. Seen by accessing the Audit tab through Security and Advanced.

NTFS security vs Share security

Both the NTFS and the Share security descriptor can be read in exactly the same way. However, there are important differences between them.

NTFS security descriptor

Supports inheritance on descriptor and on individual Access Control Entries
Can hold a Discretionary Access Control List and an System Access Control List

Share security descriptor

Has no owner or Primary Group
Control flags will be set (and usually limited) to SelfRelative and DiscretionaryACLPresent
Access Control Entry (ACE) Flags will not be set
Can hold a Discretionary Access Control List only
Supports a sub-set of Access Masks (rights) on each ACE

Getting the security descriptor

NTFS

Dim strComputer : strComputer = "."
' Connect to WMI on strComputer
Dim objWMI : Set objWMI = GetObject("winmgmts://" & strComputer & "/root/cimv2")
' Get an instance of LogicalFileSecuritySetting for C:\
Dim objSecuritySettings : Set objSecuritySettings = _
  objWMI.Get("Win32_LogicalFileSecuritySetting='C:\'")
Dim intReturnValue : Dim objSD
' Request the Security Descriptor as objSD
intReturnValue = objSecuritySettings.GetSecurityDescriptor objSD

Dim strComputer : strComputer = "."
' Connect to WMI on strComputer
Dim objWMI : Set objWMI = GetObject("winmgmts://" & strComputer & "/root/cimv2")
' Get an instance of LogicalShareSecuritySetting for ShareName
Dim objSecuritySettings : Set objSecuritySettings = _
  objWMI.Get("Win32_LogicalShareSecuritySetting='ShareName'")
Dim intReturnValue : Dim objSD
' Request the Security Descriptor as objSD
intReturnValue = objSecuritySettings.GetSecurityDescriptor objSD

Error handling

The GetSecurityDescriptor method of each WMI class (Win32_LogicalFileSecuritySetting and Win32_LogicalShareSecuritySetting) has a return value to allow errors to be handled. The return codes are represented by the constants below.

Const SUCCESS = 0
Const ACCESS_DENIED = 2
Const UNKNOWN_FAILURE = 8
Const PRIVILEGE_MISSING = 9
Const INVALID_PARAMETER = 21

Values in the security descriptor

The security descriptor contains three fields in addition to the DACL and SACL which are described later.

Control flags

Each security descriptor has a ControlFlags field which dictates how the descriptor behaves. This includes settings such as DACLProtected which indicates that the DACL cannot inherit values from a parent.

The script loads the values above into a Scripting.Dictionary object to simplify enumeration.

Dim objControlFlags : Set objControlFlags = CreateObject("Scripting.Dictionary")
objControlFlags.Add 32768, "SelfRelative"
objControlFlags.Add 16384, "RMControlValid"
objControlFlags.Add 8192, "SystemAclProtected"
objControlFlags.Add 4096, "DiscretionaryAclProtected"
objControlFlags.Add 2048, "SystemAclAutoInherited"
objControlFlags.Add 1024, "DiscretionaryAclAutoInherited"
objControlFlags.Add 512, "SystemAclAutoInheritRequired"
objControlFlags.Add 256, "DiscretionaryAclAutoInheritRequired"
objControlFlags.Add 32, "SystemAclDefaulted"
objControlFlags.Add 16, "SystemAclPresent"
objControlFlags.Add 8, "DiscretionaryAclDefaulted"
objControlFlags.Add 4, "DiscretionaryAclPresent"
objControlFlags.Add 2, "GroupDefaulted"
objControlFlags.Add 1, "OwnerDefaulted"

Note that they are intentionally entered in order from highest to lowest. A For Each loop will start with the highest value (because it was added first), then compare it to the ControlFlags value. In bitwise comparison, if the integer value can be there, then it must be there, that would all go wrong unless it starts with the highest possible value.

The values and names were taken from the .NET Framework, they can be displayed in PowerShell with the following command.

[Enum]::GetValues([System.Security.AccessControl.ControlFlags]) | `
  Select-Object @{ n='Name';e={[String]$_} }, @{ n='Value';e={$_.value__} }

That logic is applied within the code as follows.

' Read the value of Control Flags from the descriptor
dblControlFlags = objSD.ControlFlags
WScript.Echo "Control Flags:"
' For each possible flag
For Each dblFlag in objControlFlags
  ' If it is possible for the flag to be there, then it must be there
  ' Something like bitwise AND
  If dblControlFlags >= dblFlag Then
    ' Echo the flag, indicating it is present
    WScript.Echo "  " & objControlFlags(dblFlag)
    ' Remove this value from the control flag value,
    ' already found this flag
    dblControlFlags = dblControlFlags - dblFlag
  End If
Next

Primary group

The Primary Group is not very interesting unless Services for Unix is in use. In many cases it will be blank.

If set, it can be enumerated as a Win32_Trustee, an object containing a Domain, Username, SID array, SID length and SIDString.

Owner

As with the Primary Group, the owner is stored as a Win32_Trustee object. It can be read from the descriptor as follows.

WScript.Echo "Domain: " & objSD.Owner.Domain
WScript.Echo "Username: " & objSD.Owner.Name
WScript.Echo "SID: " & objSD.Owner.SIDString

Access control entries in the DACL and SACL

Both the DACL and SACL, if present, consist of one or more Access Control Entries (ACE). The ACE, like the security descriptor, breaks down into a number of different fields.

Access Mask

The access mask defines which rights should be used by the Access Control Entry. In the case of System ACL it defines which actions should be audited.

A number of the right names are omitted from the list below as they carry the same numeric value (mask the same bit), the meaning only changes in the context the right is applied.

Dim objAccessRights : Set objAccessRights = CreateObject("Scripting.Dictionary")
objAccessRights.Add 2032127, "FullControl"
objAccessRights.Add 1048576, "Synchronize"
objAccessRights.Add 524288, "TakeOwnership"
objAccessRights.Add 262144, "ChangePermissions"
objAccessRights.Add 197055, "Modify"
objAccessRights.Add 131241, "ReadAndExecute"
objAccessRights.Add 131209, "Read"
objAccessRights.Add 131072, "ReadPermissions"
objAccessRights.Add 65536, "Delete"
objAccessRights.Add 278, "Write"
objAccessRights.Add 256, "WriteAttributes"
objAccessRights.Add 128, "ReadAttributes"
objAccessRights.Add 64, "DeleteSubdirectoriesAndFiles"
objAccessRights.Add 32, "ExecuteFile"
objAccessRights.Add 16, "WriteExtendedAttributes"
objAccessRights.Add 8, "ReadExtendedAttributes"
objAccessRights.Add 4, "AppendData"
objAccessRights.Add 2, "CreateFiles"
objAccessRights.Add 1, "ReadData"

Note that a number of the rights in the list are composites of simpler rights, including Read, FullControl, Write and Modify.

The list can be retrieved, using PowerShell again, with the following command:

[Enum]::GetValues([System.Security.AccessControl.FileSystemRights]) | `
  Select-Object @{n='Name';e={[String]$_} }, @{n='Value';e={$_.value__} }

Holding the flags in this fashion allows the Access Mask to be converted to a friendly form in the same way as the Control Flags were displayed.

' For each access control entry in the discretionary access control list
For Each objACE in objSD.DACL
  WScript.Echo "Access Mask:"
  ' Read the value of the access mask from the Access Control Entry
  dblAccessMask = objACE.AccessMask
  ' For each possible Right
  For Each dblAccess in objAccessRights
    ' If the right can be there then it must...
    If dblAccessMask >= dblAccess Then
      ' Echo the right name
      WScript.Echo "  " & objAccessRights(dblAccess)
      ' Remove the value from the access mask,
      ' already found this right.
      dblAccessMask = dblAccessMask - dblAccess
    End If
  Next
Next

Flags

The flags on an Access Control Entry defines whether the entry applies to Leaf or Container objects, how it behaves when inheritance is calculated, and whether or not the ACE is inherited or explicit.

Dim objAceFlags : Set objAceFlags = CreateObject("Scripting.Dictionary")
objAceFlags.Add 128, "FailedAccess"
objAceFlags.Add 64, "SuccessfulAccess"
objAceFlags.Add 16, "Inherited"
objAceFlags.Add 8, "InheritOnly"
objAceFlags.Add 4, "NoPropagateInherit"
objAceFlags.Add 2, "ContainerInherit"
objAceFlags.Add 1, "ObjectInherit"

Heading back to PowerShell again we can find the the names and values for these.

[Enum]::GetValues([System.Security.AccessControl.AceFlags]) | `
  Select-Object @{n='Name';e={[String]$_} }, @{n='Value';e={$_.value__} }

A few are intentionally left out as they are composites of values more interesting to display separately.

Enumeration of the Access Control Entry flags is performed as follows.

' For each access control entry in the discretionary access control list
For Each objACE in objSD.DACL
  WScript.Echo "ACE Flags:"
    ' Read the value of ACE Flags from the Access Control Entry
  dblAceFlags = objAce.AceFlags
  ' For each possible flag
  For Each dblFlag in objAceFlags
    ' If the flag can be there then it must...
    If dblAceFlags >= dblFlag Then
      ' Echo the name of the flag
      WScript.Echo "  " & objAceFlags(dblFlag)
      ' Found it, remove it to note that it has been found.
      dblAceFlags = dblAceFlags - dblFlag
    End If
  Next
Next

Trustee

The value for the trustee (Win32_Trustee), the security principal (user, group, computer, etc) the right applies to is enumerated in the same way as the Owner above.

For Each objACE in objDACL
  WScript.Echo "Domain: " & objACE.Trustee.Domain
  WScript.Echo "User: " & objACE.Trustee.Name
  WScript.Echo "SID: " & objACE.Trustee.SIDString
Next

Type

Finally, the ACEType consists of three values which define whether the ACE permits access, denies access or is an audit control.

Dim objAceTypes : Set objAceTypes = CreateObject("Scripting.Dictionary")
objAceTypes.Add 0, "Allow"
objAceTypes.Add 1, "Deny"
objAceTypes.Add 2, "Audit"

Once again, we can discover all of the possible values for AceFlags using PowerShell.

[Enum]::GetValues([System.Security.AccessControl.AceType]) | `
  Select-Object @{n='Name';e={[String]$_} }, @{n='Value';e={$_.value__} }

However, this time the only values that are used in the script are 0 (Allow), 1 (Deny), and 2 (Audit).

' For each access control entry in the discretionary access control list
For Each objACE in objDACL
  ' Echo the type: Allow, Deny or Audit.
  WScript.Echo "ACE Type: " & objAceTypes(objAce.AceType)
Next

Listing permissions for all Shares

Time to put all of that together. This sample lists the NTFS and Share permissions for each share configured on strComputer.

Option Explicit

' WMI Constants

Const WBEM_RETURN_IMMEDIATELY = &h10
Const WBEM_FORWARD_ONLY = &h20

' Constants and storage arrays for security settings

' GetSecurityDescriptor Return values

Dim objReturnCodes : Set objReturnCodes = CreateObject("Scripting.Dictionary")
Const SUCCESS = 0
Const ACCESS_DENIED = 2
Const UNKNOWN_FAILURE = 8
Const PRIVILEGE_MISSING = 9
Const INVALID_PARAMETER = 21

' Security Descriptor Control Flags

Dim objControlFlags : Set objControlFlags = CreateObject("Scripting.Dictionary")
objControlFlags.Add 32768, "SelfRelative"
objControlFlags.Add 16384, "RMControlValid"
objControlFlags.Add 8192, "SystemAclProtected"
objControlFlags.Add 4096, "DiscretionaryAclProtected"
objControlFlags.Add 2048, "SystemAclAutoInherited"
objControlFlags.Add 1024, "DiscretionaryAclAutoInherited"
objControlFlags.Add 512, "SystemAclAutoInheritRequired"
objControlFlags.Add 256, "DiscretionaryAclAutoInheritRequired"
objControlFlags.Add 32, "SystemAclDefaulted"
objControlFlags.Add 16, "SystemAclPresent"
objControlFlags.Add 8, "DiscretionaryAclDefaulted"
objControlFlags.Add 4, "DiscretionaryAclPresent"
objControlFlags.Add 2, "GroupDefaulted"
objControlFlags.Add 1, "OwnerDefaulted"

' ACE Access Right

Dim objAccessRights : Set objAccessRights = CreateObject("Scripting.Dictionary")
objAccessRights.Add 2032127, "FullControl"
objAccessRights.Add 1048576, "Synchronize"
objAccessRights.Add 524288, "TakeOwnership"
objAccessRights.Add 262144, "ChangePermissions"
objAccessRights.Add 197055, "Modify"
objAccessRights.Add 131241, "ReadAndExecute"
objAccessRights.Add 131209, "Read"
objAccessRights.Add 131072, "ReadPermissions"
objAccessRights.Add 65536, "Delete"
objAccessRights.Add 278, "Write"
objAccessRights.Add 256, "WriteAttributes"
objAccessRights.Add 128, "ReadAttributes"
objAccessRights.Add 64, "DeleteSubdirectoriesAndFiles"
objAccessRights.Add 32, "ExecuteFile"
objAccessRights.Add 16, "WriteExtendedAttributes"
objAccessRights.Add 8, "ReadExtendedAttributes"
objAccessRights.Add 4, "AppendData"
objAccessRights.Add 2, "CreateFiles"
objAccessRights.Add 1, "ReadData"

' ACE Types

Dim objAceTypes : Set objAceTypes = CreateObject("Scripting.Dictionary")
objAceTypes.Add 0, "Allow"
objAceTypes.Add 1, "Deny"
objAceTypes.Add 2, "Audit"

' ACE Flags

Dim objAceFlags : Set objAceFlags = CreateObject("Scripting.Dictionary")
objAceFlags.Add 128, "FailedAccess"
objAceFlags.Add 64, "SuccessfulAccess"
objAceFlags.Add 16, "Inherited"
objAceFlags.Add 8, "InheritOnly"
objAceFlags.Add 4, "NoPropagateInherit"
objAceFlags.Add 2, "ContainerInherit"
objAceFlags.Add 1, "ObjectInherit"

Sub ReadNTFSSecurity(objWMI, strPath)
  WScript.Echo "  Displaying NTFS Security"

  Dim objSecuritySettings : Set objSecuritySettings = _
    objWMI.Get("Win32_LogicalFileSecuritySetting='" & strPath & "'")
  Dim objSD : objSecuritySettings.GetSecurityDescriptor objSD

  Dim strDomain : strDomain = objSD.Owner.Domain
  If strDomain <> "" Then strDomain = strDomain & "\"
  WScript.Echo "  Owner: " & strDomain & objSD.Owner.Name
  WScript.Echo "  Owner SID: " & objSD.Owner.SIDString

  WScript.Echo "  Basic Control Flags Value: " & objSD.ControlFlags
  WScript.Echo "  Control Flags:"

  DisplayValues objSD.ControlFlags, objControlFlags

  WScript.Echo

  Dim objACE

  ' Display the DACL

  WScript.Echo "  Discretionary Access Control List:"
  For Each objACE in objSD.DACL
    DisplayACE objACE
  Next

  ' Display the SACL (if there is one)

  If Not IsNull(objSD.SACL) Then
    WScript.Echo "  System Access Control List:"
    For Each objACE in objSD.SACL
      DisplayACE objACE
    Next
  End If
End Sub

Sub ReadShareSecurity(objWMI, strName)
  WScript.Echo "  Displaying Share Security"

  Dim objSecuritySettings : Set objSecuritySettings = _
    objWMI.Get("Win32_LogicalShareSecuritySetting='" & strName & "'")

  Dim objSD : objSecuritySettings.GetSecurityDescriptor objSD

  WScript.Echo "  Basic Control Flags Value: " & objSD.ControlFlags
  WScript.Echo "  Control Flags:"

  DisplayValues objSD.ControlFlags, objControlFlags

  WScript.Echo

  Dim objACE

  ' Display the DACL

  WScript.Echo "  Discretionary Access Control List:"
  For Each objACE in objSD.DACL
    DisplayACE objACE
  Next
End Sub

Sub DisplayValues(dblValues, objSecurityEnumeration)

  Dim dblValue
  For Each dblValue in objSecurityEnumeration
    If dblValues >= dblValue Then
      WScript.Echo "      " & objSecurityEnumeration(dblValue)
      dblValues = dblValues - dblValue
    End If
  Next
End Sub

Sub DisplayACE(objACE)

  Dim strDomain : strDomain = objAce.Trustee.Domain
  If strDomain <> "" Then strDomain = strDomain & "\"
  WScript.Echo "    Trustee: " & UCase(strDomain & objAce.Trustee.Name)
  WScript.Echo "    SID: " & objAce.Trustee.SIDString

  WScript.Echo "    Basic Access Mask Value: " & objACE.AccessMask

  WScript.Echo "    Access Rights: "
  DisplayValues objACE.AccessMask, objAccessRights

  WScript.Echo "    Type: " & objAceTypes(objACE.AceType)

  WScript.Echo "    Basic ACE Flags Value: " & objACE.AceFlags

  WScript.Echo "    ACE Flags: "
  DisplayValues objACE.AceFlags, objAceFlags
  WScript.Echo
End Sub

'
' Main Code
'

' The system to execute this script against
Dim strComputer : strComputer = "."

' Connect to WMI
Dim objWMI : Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

' Return all of the shares (Type = 0 means File Shares only, exclude
' are Administrative, Printer, etc)
Dim colItems : Set colItems = _
  objWMI.ExecQuery("SELECT * FROM Win32_Share WHERE Type='0'", "WQL", _
  WBEM_RETURN_IMMEDIATELY + WBEM_FORWARD_ONLY)

Dim objItem
For Each objItem in colItems
  WScript.Echo
  WScript.Echo "Security for " & objItem.Path & _
    " (Shared as " & objItem.Name & ")"

  ReadNTFSSecurity objWMI, objItem.Path
  ReadShareSecurity objWMI, objItem.Name
Next

References

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Get-MailboxStatistics for Exchange 2003

Chris — Thu, 22 Jan 2009 17:35:54 +0000

Using PowerShell to create a version of Get-MailboxStatistics for Exchange 2003.

Get-MailboxStatistics returns a set of information about a mailbox for Exchange 2007. It is possible to retrieve roughly the same information using WMI for Exchange 2003.

The differences

The following table notes the differences in property names between Exchange 2003 and Exchange 2007.

Exchange 2007	Exchange 2003
AssociatedItemCount	AssocContentCount
DeletedItemCount	Not available
DisconnectDate	DateDiscoveredAbsentInDS
DisplayName	MailboxDisplayName
ItemCount	TotalItems
ObjectClass	Can be assumed to be Mailbox
StorageLimitStatus	StorageLimitInfo
TotalDeletedItemSize	DeletedMessageSizeExtended
TotalItemSize	Size
Database	Composed of Server, Storage Group and Store
DatabaseName	StoreName
Identity	MailboxGuid (repeat of above included for pipeline)
IsValid	Not available
OriginatingServer	Same as ServerName

In addition to these the MailboxGuid attribute is formatted slightly differently. The MailboxGuid is enclosed in curly braces, {}, these are stripped in the code (or added when a search is being performed using a GUID)

No formatting is applied to the output. The output from this function can be made to look like the Exchange 2007 version of Get-MailboxStatistics by using Format-Table.

Get-2003MailboxStatistics | Format-Table MailboxDisplayName, TotalItems, `
  StorageLimitStatus, LastLogonTime

This is the code for the function, it is not as flexible as the Exchange 2007 version with regard to pipelines, but it should accept simple input and work in much the same way otherwise.

Usage examples

# With a Mailbox Display Name
Get-2003MailboxStatistics "Chris Dent"
# With a Legacy Exchange DN ("-Identity" itself is optional)
Get-2003MailboxStatistics -Identity "/O=SomeOrg/OU=AdminGroup/CN=RECIPIENTS/CN=Someone"
# For a single Mailbox Database
Get-2003MailboxStatistics -Database "Mailbox Database"
# For a different server
Get-2003MailboxStatistics -Server "ExchangeServer02"

Get-MailboxStatistics for Exchange 2003

Function Get-2003MailboxStatistics {
  Param(
     [String]$Identity = "",
     [String]$Server = $Env:ComputerName,
     [String]$Database = ""
  )

  $Filter = "ServerName='$Server'"
  if ($Database -ne "" ) {
    $Filter = "$Filter AND StoreName='$Database'"
  }
  if ($Identity -ne "") {
    $Filter = "$Filter AND (MailboxGuid='{$Identity}' OR LegacyDN='$Identity'"
    $Filter = "$Filter OR MailboxDisplayName='$Identity')"
  }

  Get-WMIObject -ComputerName $Server `
    -Namespace "root/MicrosoftExchangeV2" -Class "Exchange_Mailbox" `
    -Filter $Filter | `
  Select-Object `
    AssocContentCount, `
    @{n='DateDiscoveredAbsentInDs';e={
      If ($_.DateDiscoveredAbsentInDs -ne $Null) {
        [Management.ManagementDateTimeConverter]::ToDateTime(`
          $_.DateDiscoveredAbsentInDs)
      }} }, `
    MailboxDisplayName, TotalItems, LastLoggedOnUserAccount, `
    @{n='LastLogonTime';e={ if ($_.LastLogonTime -ne $Null) { `
      [Management.ManagementDateTimeConverter]::ToDateTime($_.LastLogonTime)}}
    }, `
    @{n='LastLogoffTime';e={ if ($_.LastLogoffTime -ne $Null) { `
      [Management.ManagementDateTimeConverter]::ToDateTime($_.LastLogoffTime)}}
    }, `
    LegacyDN, `
    @{n='MailboxGuid';e={
      ([String]$_.MailboxGuid).ToLower() -Replace "\{|\}" }}, `
    @{n='ObjectClass';e={ "Mailbox" }}, `
    @{n='StorageLimitStatus';e={ `
      Switch ($_.StorageLimitInfo) {
        1 { "BelowLimit" }
        2 { "IssueWarning" }
        4 { "ProhibitSend" }
        8 { "NoChecking" }
        16 { "MailboxDisabled" } }} }, `
    DeletedMessageSize, Size, `
    @{n='Database';e={
      "$($_.ServerName)\$($_.StorageGroupName)\$($_.StoreName)" }}, `
    ServerName, StorageGroupName, StoreName, `
    @{n='Identity';e={ ([String]$_.MailboxGuid).ToLower() -Replace "\{|\}" }}
}

Changing the Primary Group with PowerShell Exactly as the title says, an example of how to...

Related posts brought to you by Yet Another Related Posts Plugin.

Administering Microsoft DNS in PowerShell

Chris — Tue, 30 Dec 2008 12:35:50 +0000

DNS administration in PowerShell, including tasks like creating zones and adding Host (A) records, can be performed using the WMI interface. Full documentation for the interface is available from Microsoft in the DNS WMI Provider Reference.

I have released a PowerShell 2.0 module using the WMI provider here.

There are a few limitations of the interface. The properties associated with Aging are read-only and cannot be set. Several of the configuration options are not available including the option to enable GlobalNames with Windows Server 2008.

Common variables

The examples below use two common variables. Both should be updated to reflect the environment used to execute any command.

$ServerName = "dns01"
$ContainerName = "somedomain.example"

Management Class vs Management Object

Two different classes from the .NET Framework are used below. The ManagementObject, created using Get-WMIObject, and the ManagementClass created using [WMIClass].

[WMIClass] creates the same object as the following example.

$Scope = New-Object Management.ManagementScope("\\$ServerName\root\MicrosoftDNS")
$Path = New-Object Management.ManagementPath("MicrosoftDNS_Zone")
$Options = New-Object Management.ObjectGetOptions($Null, `
  [System.TimeSpan]::MaxValue, $True)

$ZoneClass = New-Object Management.ManagementClass($Scope, $Path, $Options)

In general terms, to change something that already exists use the properties and methods of a ManagementObject via Get-WMIObject. To add something new use the methods associated with a ManagementClass.

Creating an instance of a Management Object

$Zones = Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone"

Exploring the Management Object

Showing the object type:

PS C:\Stuff\Scripts\PowerShell> $Zones.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     Object[]                                 System.Array

Showing the properties and methods:

PS C:\Stuff\Scripts\PowerShell> $Zones | Get-Member

   TypeName: System.Management.ManagementObject#rootMicrosoftDNSMicrosoftDNS_Zone

Name                      MemberType   Definition
----                      ----------   ----------
AgeAllRecords             Method       Management.ManagementBaseObject AgeAllRec...
ChangeZoneType            Method       Management.ManagementBaseObject ChangeZon...
ForceRefresh              Method       Management.ManagementBaseObject ForceRefr...
GetDistinguishedName      Method       Management.ManagementBaseObject GetDistin...
PauseZone                 Method       Management.ManagementBaseObject PauseZone()
ReloadZone                Method       Management.ManagementBaseObject ReloadZone()
ResetSecondaries          Method       Management.ManagementBaseObject ResetSeco...
ResumeZone                Method       Management.ManagementBaseObject ResumeZone()
UpdateFromDS              Method       Management.ManagementBaseObject UpdateFro...
WriteBackZone              Method       Management.ManagementBaseObject WriteBack...
Aging                     Property     Boolean Aging {get;set;}
AllowUpdate               Property     UInt32 AllowUpdate {get;set;}
AutoCreated               Property     Boolean AutoCreated {get;set;}
AvailForScavengeTime       Property     UInt32 AvailForScavengeTime {get;set;}
Caption                   Property     String Caption {get;set;}
ContainerName             Property     String ContainerName {get;set;}
DataFile                  Property     String DataFile {get;set;}
Description               Property     String Description {get;set;}
DisableWINSRecordReplicat Property     Boolean DisableWINSRecordReplication {ge...
DnsServerName             Property     String DnsServerName {get;set;}
DsIntegrated              Property     Boolean DsIntegrated {get;set;}
ForwarderSlave            Property     Boolean ForwarderSlave {get;set;}
ForwarderTimeout          Property     UInt32 ForwarderTimeout {get;set;}
InstallDate               Property     String InstallDate {get;set;}
LastSuccessfulSoaCheck    Property     UInt32 LastSuccessfulSoaCheck {get;set;}
LastSuccessfulXfr         Property     UInt32 LastSuccessfulXfr {get;set;}
LocalMasterServers        Property     String[] LocalMasterServers {get;set;}
MasterServers             Property     String[] MasterServers {get;set;}
Name                      Property     String Name {get;set;}
NoRefreshInterval         Property     UInt32 NoRefreshInterval {get;set;}
Notify                    Property     UInt32 Notify {get;set;}
NotifyServers             Property     String[] NotifyServers {get;set;}
Paused                    Property     Boolean Paused {get;set;}
RefreshInterval           Property     UInt32 RefreshInterval {get;set;}
Reverse                   Property     Boolean Reverse {get;set;}
ScavengeServers           Property     String[] ScavengeServers {get;set;}
SecondaryServers          Property     String[] SecondaryServers {get;set;}
SecureSecondaries         Property     UInt32 SecureSecondaries {get;set;}
Shutdown                  Property     Boolean Shutdown {get;set;}
Status                    Property     String Status {get;set;}
UseNBStat                 Property     Boolean UseNBStat {get;set;}
UseWins                   Property     Boolean UseWins {get;set;}
ZoneType                  Property     UInt32 ZoneType {get;set;}
...

Showing a subset of the properties within the object:

PS C:\Stuff\Scripts\PowerShell> $Zones | Select-Object Name,DsIntegrated,ZoneType,Reverse

Name                            DsIntegrated            ZoneType             Reverse
----                            ------------            --------             -------
1.2.3.in-addr.arpa                     False                   1                True
1.2.4.in-addr.arpa                     False                   1                True
1.2.5.in-addr.arpa                     False                   1                True

Creating an instance of a Management Class

$ZoneClass = [WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone"

Exploring the Management Class

Showing the object type:

PS C:\Stuff\Scripts\PowerShell> $ZoneClass.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     ManagementClass                          System.Management.ManagementObject

Showing the properties and methods:

PS C:\Stuff\Scripts\PowerShell> $ZoneClass | Get-Member

   TypeName: System.Management.ManagementClass#ROOTMicrosoftDNSMicrosoftDNS_Zone

Name                   MemberType    Definition
----                   ----------    ----------
Name                   AliasProperty Name = __Class
CreateZone             Method        System.Management.ManagementBaseObject CreateZone(Sys...
...

Listing the parameters required for a method

The output above truncates the strings detailing the parameters used for each method. The following shows how the full list can be displayed.

([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_AType") | `
  Get-Member -Name CreateInstanceFromPropertyData | Format-List

Note that while this shows the parameter type it does not show whether or not the parameter is required or optional. For full details refer to the DNS WMI Provider Reference.

Creating Zones

The following values represent the Zone Types available with Microsoft DNS.

0 Primary zone
1 Secondary zone
2 Stub zone
 * Windows Server 2003:  This zone type is introduced in Windows Server 2003.
3 Zone forwarder
 * Windows Server 2003:  This zone type is introduced in Windows Server 2003.

Create a Forward or Reverse Lookup Zone

This example shows all of the possible parameters, this can be reduced to a single line by dropping the comments and use of variables. Note that any optional variable can be set to $Null or “”.

# Forward Lookup zone name (example)
$Name = "somedomain.example"
# Reverse Lookup zone name (example for 1.2.3.x Subnet)
$Name = "3.2.1.in-addr.arpa"
# See above
$Type = 0
# AD Integration (only valid on Active Directory Domain Controllers)
$IsDSIntegrated = $False
# FileName (Optional and only valid for zones with AD integrated set to $False)
# File must exist if specified and have size greater than 0b.
$Filename = $Null
# Master IP (Optional and only valid for Secondary, Stub and Forwarder zones)
$MasterIP = $Null
# AdminEmail (Optional and only valid for Primary zones, writes into SOA record)
$AdminEmail = $Null

$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  $Name, $Type, $IsDSIntegrated, $FileName, $MasterIP, $AdminEmail)

Examples

# New Standard Primary Forward Lookup Zone
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "standardprimary.example", 0, $False)
# New Standard Primary Forward Lookup Zone using existing zone file
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "standardprimary-existing.example", 0, $False, "standardprimary-existing.example.dns")
# New Active Directory Integrated Forward Lookup Zone
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "adprimary.example", 0, $True)
# New Standard Primary Reverse Lookup Zone
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "1.168.192.in-addr.arpa", 0)
# New Active Directory Integrated Reverse Lookup Zone
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "2.168.192.in-addr.arpa", 0, $True)
# New Secondary Forward Lookup Zone
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "standardsecondary.example", 1, $False, "", `
  @("192.168.0.1", "192.168.0.2"))
# New Stub Zone
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "stub.example", 2, $False, "", @("192.168.0.1", "192.168.0.2"))
# New Conditional Forwarder
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "conditionalforwarder.example", 3, $False, "", @("192.168.0.1", "192.168.0.2"))
# New AD Integrated Conditional Forwarder
$NewZone = ([WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_Zone").CreateZone( `
  "adconditionalforwarder.example", 3, $True, "", @("192.168.0.1", "192.168.0.2"))

Creating resource records with CreateInstanceFromPropertyData

CreateInstanceFromPropertyData is available on each individual record class. For example, the method can be invoked from MicrosoftDNS_AType, or MicrosoftDNS_MXType, and so on. Note that the syntax for the method varies slightly depending on the record type.

Create an A record

# Record Name (Owner Name). Should include full suffix to prevent the method
# throwing an error.
$OwnerName = "www.$ContainerName"
# Class, as in IN, CS, CH or HS. Normally only care about IN (Internet: 1) which
# is the default. (Optional)
$RecordClass = $Null
# Time To Live in seconds (Optional)
$TTL = $Null
# IP Address is required
$IPAddress = "1.2.3.4"

$NewATypeClass = [WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_AType"
$NewARecord = $NewATypeClass.CreateInstanceFromPropertyData( `
  $ServerName, $ContainerName, $OwnerName, $RecordClass, $TTL, $IPAddress)

Create an MX record

# Record Name (Owner Name). Normally the SMTP domain, in this case it matches
# ContainerName.
$OwnerName = $ContainerName
$RecordClass = $Null
$TTL = $Null
# Preference, numeric value used to determine the preferred server(s)
$Preference = 10
# The server used to handle the mail
$MailExchange = "mail.somedomain.example"

$NewMXTypeClass = [WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_MXType"
$NewMXRecord = $NewMXTypeClass.CreateInstanceFromPropertyData( `
  $ServerName, $ContainerName, $OwnerName, $RecordClass, $TTL, $Preference, $MailExchange)

Creating resource records with CreateInstanceFromTextRepresentation

CreateInstanceFromTextRepresentation is available from the MicrosoftDNS_ResourceRecord class. It takes fewer parameters than the previous method but ultimately requires exactly the same information.

Create an NS record

# The text version of the record. Must include Class (IN) or this will fail.
# @ represents the origin, or zone / domain name.
$TextRepresentation = "@ IN NS ns1.somedomain.net"

$NewRRClass = [WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_ResourceRecord"
$NewRR = $NewRRClass.CreateInstanceFromTextRepresentation( `
  $ServerName, $ContainerName, $TextRepresentation)

Create a TXT record

# Using @ with the TXT record here will cause an error when executing the method.
# Instead, this uses the $ContainerName variable.
# Unlike the zone file itself the method does not require a terminating
# period following each name.
$TextRepresentation = "$ContainerName IN TXT `"hello world`""

$NewRRClass = [WMIClass]"\\$ServerName\root\MicrosoftDNS:MicrosoftDNS_ResourceRecord"
$NewRR = $NewRRClass.CreateInstanceFromTextRepresentation( `
  $ServerName, $ContainerName, $TextRepresentation)

Update server data file

DNS zones are held in memory, any change to the zone is performed in memory rather than as a direct alteration of the zone file. The following method can be used to force the updated zone to write back to the file.

(Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone" `
  -Filter "ContainerName='$ContainerName'").WriteBackZone()

Reload a zone

Changes made to the zone file can be loaded into memory immediately using the ReloadZone method.

(Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone" `
  -Filter "ContainerName='$ContainerName'").ReloadZone()

Enabling and starting scavenging on a server

Enabling scavenging requires setting the ScavengingInterval property to a non-zero value. The value representing the interval uses Hours.

# Connecting to the Server Management Object
$Server = Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Server"
# Setting a new Scavenging Interval
$Server.ScavengingInterval = 24
$Server.Put()
# Start Scavenging
$Server.StartScavenging()

Clear the cache

Any cached entries on a server can be cleared using the ClearCache method of the MicrosoftDNS_Cache class.

(Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Cache").ClearCache()

Displaying the DNS server statistics

Each DNS server holds a variety of statistics that can help to evaluate server performance.

Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Statistic" | `
    Select-Object Name, StringValue, Value

PowerShell, IIS and log settings A function to retrieve IIS log settings from a local...

Related posts brought to you by Yet Another Related Posts Plugin.

Modifying DNS records with WMI

Chris — Thu, 23 Oct 2008 11:40:19 +0000

Using WMI it is possible to modify any existing record hosted on a Microsoft DNS Server. The method used varies slightly depending on which record type we want to change.

References for each version of the Modify method can be found in the DNS WMI Provider Reference. These are the most common:

The examples below show modification of Host or A records, but it is possible to extend the example to use any of the types above.

Using VbScript to modify records

This example demonstrates the use of WMI in VbScript to modify a record. The first value for Modify is the TTL, by using objItem.TTL we just reinsert the existing value, only changing the IP address.

' Connect to the WMI Service
Set objWMIService = GetObject("winmgmts:\\dc01\root\MicrosoftDNS")
' Run a query to get the record we want to change
Set colItems = objWMIService.ExecQuery("SELECT * FROM MicrosoftDNS_AType" & _
  " WHERE ContainerName='thezone.net' AND OwnerName='test.thezone.net'",,48)

' Loop through the results
For Each objItem in colItems
  ' Modify the record
  objItem.Modify objItem.TTL, "1.2.3.4"
Next

If the TTL must be changed it is important to exclude the IP Address parameter, failure to do so will result in the record being deleted. Any attempt to use Modify without making any changes will result in a “SWbemObjectEx: Generic failure” exception.

Using PowerShell to modify records

The same failure reasons and restrictions apply with PowerShell (including the obscure deletion). Otherwise changing the record can be performed like this.

$ServerName = "dns01"
$ContainerName = "somedomain.example"
$RecordName = "test.somedomain.example"

$Record = Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_AType" `
  -Filter "ContainerName='$ContainerName' AND OwnerName='$RecordName'"
# Using the existing TTL value (in seconds)
$ModifiedRecord = $Record.Modify($Record.TTL, "2.3.4.5")

In both VbScript and PowerShell the method call returns an object representing the updated record if further processing is required.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

NTFS, WMI, VbScript & listing explicit rights

Chris — Wed, 22 Oct 2008 15:04:02 +0000

This script uses WMI to enumerate each access control entry in an NTFS access control list, looking for explicit entries, that is, entries that are not inherited.

If SECURITY_PRINCIPAL is blank the script will return all explicit rights beneath granted from base path down. The script attempts to provide a summary for common rights.

The PowerShell version of this script is considerably better for granular reporting of rights assigned. This one is more of a demonstration of security descriptor enumeration.

Option Explicit

' Looks for a Trustee containing the SECURITY_PRINCIPAL string on
' the file system. Recurses from BASE_PATH down (file and folders).

' Set these values for the search.

Const BASE_PATH = "C:\"
Const SECURITY_PRINCIPAL = "Chris"

Sub FSRecurse(strPath)
  ' Simple FS recursion

  Dim objFolder, objFile, objSubFolder

  Set objFolder = objFileSystem.GetFolder(strPath)

  For Each objFile in objFolder.Files
    CheckDescriptor objFile.Path
  Next
  For Each objSubFolder in objFolder.SubFolders
    CheckDescriptor objSubFolder.Path

    FSRecurse objSubFolder.Path
  Next

  Set objFolder = Nothing
End Sub

Sub CheckDescriptor(strPath)
  ' Look for the Trustee in the Security Descriptor and filter out
  ' inherited ACEs

  Const ACE_FLAG_INHERITED = &H10 ' 16

  Dim objSecuritySettings, objSecurityDescriptor, objACE, objTrustee

  Set objSecuritySettings = objWMIService.Get _
    ("Win32_LogicalFileSecuritySetting.Path='" & strPath & "'")
  objSecuritySettings.GetSecurityDescriptor objSecurityDescriptor

  For Each objACE in objSecurityDescriptor.dACL
    If InStr(1, objACE.Trustee.Name, _
        SECURITY_PRINCIPAL, VbTextCompare) > 0 Then

      ' ACEFlags is binary. Must perform binary comparison.
      If objACE.ACEFlags And ACE_FLAG_INHERITED Then
        ' Problems with negation of the above.
        ' This is just easier.
      Else
        EnumAccess strPath, objACE
      End If
    End If
  Next
End Sub

Sub EnumAccess(strPath, objACE)
  ' Most access mask values have matching Folder versions. These are not
  ' numerically different, they only differ when interpreted.

  ' ACE Type

  Const ACCESS_ALLOWED_ACE_TYPE = &h0
  Const ACCESS_DENIED_ACE_TYPE  = &h1

  ' Base Access Mask values

  Const FILE_READ_DATA = &h1
  Const FILE_WRITE_DATA = &h2
  Const FILE_APPEND_DATA = &h4
  Const FILE_READ_EA = &h8
  Const FILE_WRITE_EA = &h10
  Const FILE_EXECUTE = &h20
  Const FILE_DELETE_CHILD = &h40
  Const FILE_READ_ATTRIBUTES = &h80
  Const FILE_WRITE_ATTRIBUTES = &h100
  Const FOLDER_DELETE = &h10000
  Const READ_CONTROL = &h20000
  Const WRITE_DAC = &h40000
  Const WRITE_OWNER = &h80000
  Const SYNCHRONIZE = &h100000

  ' Constructed Access Masks

  Dim FULL_CONTROL
  FULL_CONTROL = FILE_READ_DATA + FILE_WRITE_DATA + FILE_APPEND_DATA + _
    FILE_READ_EA + FILE_WRITE_EA + FILE_EXECUTE + FILE_DELETE_CHILD + _
    FILE_READ_ATTRIBUTES + FILE_WRITE_ATTRIBUTES + FOLDER_DELETE + _
    READ_CONTROL + WRITE_DAC + WRITE_OWNER + SYNCHRONIZE

  Dim READ_ONLY
  READ_ONLY = FILE_READ_DATA + FILE_READ_EA + FILE_EXECUTE + _
    FILE_READ_ATTRIBUTES + READ_CONTROL + SYNCHRONIZE

  Dim MODIFY
  MODIFY = FILE_READ_DATA + FILE_WRITE_DATA + FILE_APPEND_DATA + _
    FILE_READ_EA + FILE_WRITE_EA + FILE_EXECUTE + _
    FILE_READ_ATTRIBUTES + _
    FILE_WRITE_ATTRIBUTES + FOLDER_DELETE + READ_CONTROL + SYNCHRONIZE

  Dim strRights
  Dim intAccessMask

  WScript.Echo "Path: " & strPath
  WScript.Echo "Username: " & objACE.Trustee.Name
  WScript.Echo "Domain: " & objACE.Trustee.Domain
  WScript.Echo "ACE Flags (Decimal): " & objACE.ACEFlags

  ' ACE Type

  If objACE.ACEType = ACCESS_ALLOWED_ACE_TYPE Then
    WScript.Echo "ACE Type: Allow"
  Else
    WScript.Echo "ACE Type: Deny"
  End If

  ' Attempt to generate a basic summary of access rights

  strRights = ""
  intAccessMask = objACE.AccessMask

  If intAccessMask = FULL_CONTROL Then
    strRights = " (FullControl)"
  ElseIf intAccessMask = MODIFY Then

    strRights = " (Modify)"
  ElseIf intAccessMask = READ_ONLY Then
    strRights = " (ReadOnly)"
  End If

  ' Echo the decimal mask with any summarised rights

  WScript.Echo "Access Mask (Decimal): " & intAccessMask & strRights

  WScript.Echo
End Sub

'
' Main code block
'

Dim objFileSystem, objWMIService

Set objFileSystem = CreateObject("Scripting.FileSystemObject")
' WMI Connection to the local machine
Set objWMIService = GetObject("winmgmts:\\.")

FSRecurse BASE_PATH

Set objWMIService = Nothing
Set objFileSystem = Nothing

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Microsoft DNS & stale records

Chris — Fri, 10 Oct 2008 11:18:56 +0000

This post explains how to identify and report on stale records in a dynamically updated Microsoft DNS zone.

The time stamp taken from a DNS record represents the numbers of hours since 01/01/1601 00:00. The value can be converted into a useful date within a script. By default, all times are reported and tested in UTC.

A stale record is a record where both the No-Refresh Interval and Refresh Interval have passed without the time stamp updating. Ordinarily stale records would be removed by a Scavenging process. These scripts may be useful if trying to asses the impact of enabling Scavenging or reducing Aging intervals.

Listing stale records with VbScript

This script uses a WMI query to return all A records for a domain, then it sorts through each record, echoing when the time stamp is older than our pre-defined maximum age. The script will work best when run with cscript.

' No-Refresh + Refresh (in Days)
Const MAXIMUM_AGE = 4

' Connect to the MicrosoftDNS Namespace
Set objWMIService = _
  GetObject("winmgmts:\\dc01.internal.highorbit.co.uk\root\MicrosoftDNS")

' Query A records with MicrosoftDNS_AType class where the record is not static
Set colItems = objWMIService.ExecQuery("SELECT * FROM MicrosoftDNS_AType " &_
  " WHERE ContainerName='internal.highorbit.co.uk' AND TimeStamp<>0")

For Each objItem In colItems
  ' Convert the timestamp into a date and time
  dtmTimeStamp = DateAdd("h", objItem.TimeStamp, "01/01/1601 00:00:00")
  ' Compare the date and time with MAXIMUM_AGE
  If dtmTimeStamp <= (Date() - MAXIMUM_AGE) Then
    ' Echo the record details if it is older than the MAXIMUM_AGE
    WScript.Echo objItem.OwnerName & VbTab & objItem.IPAddress &_
      VbTab & dtmTimeStamp
  End If
Next

Listing stale records with PowerShell

This snippet uses Get-WMIObject and a improved query to return only stale records rather than sorting after returning all dynamic records.

A timespan value is generated to represent the minimum value of TimeStamp for valid records.

# No-Refresh + Refresh (in Days)
$TotalAgingInterval = 4

$ServerName = "dc01.internal.highorbit.co.uk"
$ContainerName = "internal.highorbit.co.uk"

$MinTimeStamp = [Int](New-TimeSpan `
  -Start $(Get-Date("01/01/1601 00:00")) `
  -End $((Get-Date).AddDays(-$TotalAgingInterval))).TotalHours

Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_AType" `
  -Filter `
  "ContainerName='$ContainerName' AND TimeStamp<$MinTimeStamp AND TimeStamp<>0" `
 | Select-Object OwnerName, `
  @{n="TimeStamp";e={(Get-Date("01/01/1601")).AddHours($_.TimeStamp)}}

Reading Aging intervals with PowerShell

The Aging intervals and the date the zone can be scavenged set on a zone can be read using WMI using the MicrosoftDNS_Zone class. As with the TimeStamp the .AddHours method must be used to return a date.

$ServerName = "dc01.internal.highorbit.co.uk"
$ContainerName = "internal.highorbit.co.uk"

Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone" `
  -Filter "ContainerName='$ContainerName'" `
 | Select-Object NoRefreshInterval, RefreshInterval, `
  @{n="AvailForScavengeTime";e={
    (Get-Date("01/01/1601")).AddHours($_.AvailForScavengeTime)}}

Localisation

As mentioned at the beginning of this post, all times are reported in UTC by default. By calling a the ToLocalTime method the date returned can be converted to local time, using the time zone configured on the system executing the query.

$ServerName = "dc01.internal.highorbit.co.uk"
$ContainerName = "internal.highorbit.co.uk"

$MinTimeStamp = [Int](New-TimeSpan `
  -Start $(Get-Date("01/01/1601 00:00")) `
  -End $((Get-Date).AddDays(-$TotalAgingInterval))).TotalHours

Get-WMIObject -Computer $ServerName `
  -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_AType" `
  -Filter `
  "ContainerName='$ContainerName' AND TimeStamp<$MinTimeStamp AND TimeStamp<>0" `
 | Select-Object OwnerName, `
  @{n="TimeStamp";e={
    ((Get-Date("01/01/1601")).AddHours($_.TimeStamp)).ToLocalTime()}}

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Microsoft DNS & static records

Chris — Thu, 02 Oct 2008 11:59:32 +0000

Windows 2008 has an improved user interface for DNS. The main console includes details of a records time stamp and whether or not the record is Static. Life isn’t quite so easy with Windows 2003. However, as each static record has a time stamp set to 0 they can be found with a little work.

When using an Active Directory Integrated zone records are stored within Active Directory as dnsNode objects. The Time Stamp value is encoded along with the rest of the record properties (TTL, etc) in the dnsRecord attribute on the dnsNode. The attribute is a Binary Large Object (BLOB), Microsoft do not currently publish references or maps for these attributes. WMI queries can be used as an alternative.

The DNS management console

To see the current time stamp, and whether a record is dynamic or not first enable View / Advanced in the DNS console. For each record that makes an additional tick box and text box visible.

The record below is dynamic, if the box is not ticked, and the time stamp field is blank the record is static. That means that unticking the box stating the record can be scavenged changes the record to static.

DNSCMD

DNSCMD installs along with the Windows Support Tools. It can be used to identify static records, although it can be very difficult pulling the results out of a list like this.

For example:

dnscmd /ZonePrint somedomain.example

WMIC

WMIC, Windows Management Instrumentation Command-Line, will install the first time it is run. As the name suggests, it allows execution of WMI queries on the command line.

WMIC /NAMESPACE:"\\root\MicrosoftDNS" PATH "MicrosoftDNS_AType" WHERE "ContainerName='somedomain.example’ AND TimeStamp=0" GET "OwnerName,TTL,TimeStamp"

WMIC /NAMESPACE:"\\root\MicrosoftDNS" PATH "MicrosoftDNS_AType" WHERE "TimeStamp=0" GET "OwnerName,TTL,TimeStamp"

VbScript

This VbScript snippet echoes each static record, it is works best when run with cscript.

strServerName = "dc01.somedomain.example"
strContainerName = "somedomain.example"

Set objWMIService = GetObject("winmgmts:\\" & strServerName & _
  "\root\MicrosoftDNS")
Set colItems = objWMIService.ExecQuery("SELECT * FROM MicrosoftDNS_AType " &_
  " WHERE ContainerName='" & strContainerName & "' AND TimeStamp=0")

For Each objItem In colItems
  WScript.Echo objItem.OwnerName & VbTab & objItem.IPAddress & VbTab & "Static"
Next

Set colItems = Nothing
Set objWMIService = Nothing

PowerShell

$ServerName = "dc01.somedomain.example"
$ContainerName = "somedomain.example"

Get-WMIObject -Computer $ServerName `
    -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_AType" `
    -Filter "ContainerName='$ContainerName' AND TimeStamp=0" `
  | Select-Object OwnerName,TTL, @{n="TimeStamp";e={"Static"}}

The same search can be used for any record type, by changing the WMI class. The options most likely to be useful are:

MicrosoftDNS_AType – Address or Host records
MicrosoftDNS_CNAMEType – Alias records
MicrosoftDNS_MXType – Mail Exchanger records
MicrosoftDNS_NSType – Name Server records
MicrosoftDNS_SRVType – Service records
MicrosoftDNS_PTRType – Pointer records (Reverse Lookup zone)

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.