diff --git a/control-ad.ps1 b/control-ad.ps1
new file mode 100644
index 0000000..f427462
--- /dev/null
+++ b/control-ad.ps1
@@ -0,0 +1,61 @@
+# load ActiveDirectory module
+Try
+{
+ Import-Module ActiveDirectory -ErrorAction Stop
+}
+Catch
+{
+ Write-Warning $_
+ Break
+}
+
+function Show-Menu
+{
+ param (
+ [string]$Title = 'Control Center'
+ )
+ cls
+ Write-Host "================ $Title ================"
+
+ Write-Host "1: Unlock User"
+ Write-Host "2: Reset Password"
+ Write-Host "3: Get Lockout Location"
+ Write-Host "4: Disable Computer"
+ Write-Host "5: Restart Computer"
+ Write-Host "6: Remove Public Desktop Icons"
+ Write-Host "Q: Press 'Q/q' to quit."
+}
+
+do
+{
+ Show-Menu
+ $input = Read-Host "Please make a selection"
+ switch ($input)
+ {
+ '1' {
+ cls
+ .\scripts\users\unlock-account.ps1
+ } '2' {
+ cls
+ .\scripts\users\reset-password.ps1
+ } '3' {
+ cls
+ start powershell `
+ -ArgumentList '-noexit .\scripts\users\get-lockout-location.ps1'
+ } '4' {
+ cls
+ .\scripts\computers\disable-computer.ps1
+ } '5' {
+ cls
+ start powershell `
+ -ArgumentList '.\scripts\computers\restart-computer.ps1'
+ } '6' {
+ cls
+ .\scripts\misc\remove-public-desktop-icons.ps1
+ } 'q' {
+ return
+ }
+ }
+ sleep 1
+}
+until ($input -eq 'q')
diff --git a/scripts/computers/disable-computer.ps1 b/scripts/computers/disable-computer.ps1
new file mode 100644
index 0000000..4af687f
--- /dev/null
+++ b/scripts/computers/disable-computer.ps1
@@ -0,0 +1,21 @@
+# load ActiveDirectory module
+Try
+{
+ Import-Module ActiveDirectory -ErrorAction Stop
+}
+Catch
+{
+ Write-Warning $_
+ Break
+}
+
+function Disable-Computer
+{
+ $samAccountName = Read-Host 'Please enter a computer name'
+ $date = Get-Date -format "yyyy-MM-dd"
+ Get-ADComputer -Identity $samAccountName | Disable-ADAccount
+ Set-ADComputer -Identity $samAccountName `
+ -Description "disabled by $(whoami) $date"
+}
+
+Disable-Computer
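Review bot: Every branch of the `switch` launches its helper through a path relative to the current directory (`.\scripts\users\unlock-account.ps1` and the others), so which file runs depends on where the console was started rather than on where control-ad.ps1 lives. Since this menu is run with rights to reset passwords and disable accounts, it should resolve helpers from its own location: `$root = Split-Path -Parent $MyInvocation.MyCommand.Path` once at the top, then `& (Join-Path $root 'scripts\users\unlock-account.ps1')` in each branch. The two `start powershell` branches need the same absolute path inside `-ArgumentList`. Separately, `$input` is a PowerShell automatic variable, so the selection would be safer in a name such as `$selection`.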
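Review bot: In `Disable-Computer` the description `disabled by $(whoami) $date` is still written by `Set-ADComputer` when the preceding `Get-ADComputer ... | Disable-ADAccount` line fails, because neither call stops on error. That description is the only record in this script of who disabled the machine, so it should be stamped only after the disable has succeeded. The version below stops at the first failure; note that `-Description` replaces whatever description the object already had, which may be worth preserving.

```powershell
function Disable-Computer
{
    # … unchanged: Read-Host prompt and $date assignment …
    Try
    {
        # Stop on the first failure so the description is never stamped
        # on an account that is still enabled.
        $computer = Get-ADComputer -Identity $samAccountName -ErrorAction Stop
        Disable-ADAccount -Identity $computer -ErrorAction Stop
        Set-ADComputer -Identity $computer `
            -Description "disabled by $(whoami) $date" -ErrorAction Stop
    }
    Catch
    {
        Write-Warning $_
    }
}
```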
diff --git a/scripts/computers/restart-computer.ps1 b/scripts/computers/restart-computer.ps1
new file mode 100644
index 0000000..e15193b
--- /dev/null
+++ b/scripts/computers/restart-computer.ps1
@@ -0,0 +1,20 @@
+function Restart-Domain-Computer
+{
+ $computername = Read-Host 'Please enter a computer name'
+ Restart-Computer -Force -ComputerName $computername
+ sleep 30
+ while ($status -eq $null)
+ {
+ if(Test-Connection `
+ -Computername $computername `
+ -BufferSize 16 `
+ -Count 1 `
+ -Quiet){break}
+ Write-Host 'Still offline'
+ sleep 5
+ }
+ Write-Host -foregroundcolor "green" $computername ' is online'
+ Read-Host 'Press a key to quit'
+}
+
+Restart-Domain-Computer
diff --git a/scripts/misc/remove-public-desktop-icons.ps1 b/scripts/misc/remove-public-desktop-icons.ps1
new file mode 100644
index 0000000..056963e
--- /dev/null
+++ b/scripts/misc/remove-public-desktop-icons.ps1
@@ -0,0 +1,8 @@
+function Remove-Public-Desktop-Icons
+{
+ $computername = Read-Host 'Enter the name of the computer'
+ Remove-Item \\$computername\c$\users\public\desktop\*.lnk `
+ -Exclude "SAP Logon Pad.lnk"
+}
+
+Remove-Public-Desktop-Icons
diff --git a/scripts/template.ps1 b/scripts/template.ps1
new file mode 100644
index 0000000..6845fca
--- /dev/null
+++ b/scripts/template.ps1
@@ -0,0 +1,15 @@
+# load ActiveDirectory module
+Try
+{
+ Import-Module ActiveDirectory -ErrorAction Stop
+}
+Catch
+{
+ Write-Warning $_
+ Break
+}
+
+function Show-Menu
+{
+
+}
diff --git a/scripts/users/get-lockout-location.ps1 b/scripts/users/get-lockout-location.ps1
new file mode 100644
index 0000000..bcd7e07
--- /dev/null
+++ b/scripts/users/get-lockout-location.ps1
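Review bot: `Restart-Domain-Computer` prints `is online` after the 30-second sleep even when `Restart-Computer -Force` failed, because the call's outcome is never checked and a machine that never went down answers the first `Test-Connection`. The wait loop's condition `$status -eq $null` tests a variable that nothing in the hunk assigns, so the loop ends only through the `break` and hangs if the host does not come back. The version below stops on a failed restart and bounds the wait. A forced restart of whatever name was typed would also benefit from a confirmation prompt that echoes the name before the call.

```powershell
    # … unchanged: Read-Host prompt for $computername …
    Try
    {
        Restart-Computer -Force -ComputerName $computername -ErrorAction Stop
    }
    Catch
    {
        Write-Warning $_
        return
    }
    sleep 30
    # Bounded wait; 60 probes is an example limit, tune to the environment.
    $online = $false
    for ($attempt = 0; $attempt -lt 60 -and -not $online; $attempt++)
    {
        $online = Test-Connection -Computername $computername `
            -BufferSize 16 -Count 1 -Quiet
        if (-not $online)
        {
            Write-Host 'Still offline'
            sleep 5
        }
    }
    if ($online)
    {
        Write-Host -foregroundcolor "green" $computername ' is online'
    }
    else
    {
        Write-Warning "$computername did not respond after the restart"
    }
    # … unchanged: final Read-Host prompt …
```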
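Review bot: The value read into `$computername` goes unchecked into the UNC path handed to `Remove-Item`, so an empty answer, or one containing path separators or wildcards, changes which directory the `*.lnk` deletion runs in. Checking it before the path is built keeps the delete on the intended public desktop, for example `if ($computername -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') { Write-Warning 'Invalid computer name'; return }`. Running the same `Remove-Item` with `-WhatIf` first, or adding `-Confirm`, would let the operator see the shortcuts before they are removed.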
@@ -0,0 +1,154 @@
+#Requires -Version 2.0
+Function Get-LockedOutLocation
+{
+<#
+.SYNOPSIS
+ This function will locate the computer that processed a failed
+ user logon attempt which caused the user account to become locked
+ out.
+
+.DESCRIPTION
+ This function will locate the computer that processed a failed
+ user logon attempt which caused the user account to become locked
+ out. The locked out location is found by querying the PDC Emulator
+ for locked out events (4740). The function will display the
+ BadPasswordTime attribute on all of the domain controllers to add
+ in further troubleshooting.
+
+.EXAMPLE
+ PS C:\>Get-LockedOutLocation -Identity Joe.Davis
+
+
+ This example will find the locked out location for Joe Davis.
+.NOTE
+ This function is only compatible with an environment where the
+ domain controller with the PDCe role to be running Windows Server
+ 2008 SP2 and up. The script is also dependent the ActiveDirectory
+ PowerShell module, which requires the AD Web services to be
+ running on at least one domain controller.
Author:Jason Walker
+ Last Modified: 3/20/2013
+#>
+ [CmdletBinding()]
+
+ Param(
+ [Parameter(Mandatory=$True)]
+ [String]$Identity
+ )
+
+ Begin
+ {
+ $DCCounter = 0
+ $LockedOutStats = @()
+
+ Try
+ {
+ Import-Module ActiveDirectory -ErrorAction Stop
+ }
+ Catch
+ {
+ Write-Warning $_
+ Break
+ }
+ }#end begin
+
+ Process
+ {
+
+ #Get all domain controllers in domain
+ cls
+ $DomainControllers = Get-ADDomainController -Filter *
+ $PDCEmulator = (
+ $DomainControllers | Where-Object
+ {
+ $_.OperationMasterRoles -contains "PDCEmulator"
+ }
+ )
+
+ Write-Verbose "Finding the domain controllers in the domain"
+ Foreach ($DC in $DomainControllers)
+ {
+ $DCCounter++
+ Write-Progress -Activity "Contacting DCs for lockout info" `
+ -Status "Querying $($DC.Hostname)" `
+ -PercentComplete (($DCCounter/$DomainControllers.Count) * 100)
+ Try
+ {
+ $UserInfo = Get-ADUser -Identity $Identity `
+ -Server $DC.Hostname `
+ -Properties AccountLockoutTime,`
+ LastBadPasswordAttempt,`
+ BadPwdCount,`
+ LockedOut
+ -ErrorAction Stop
+ }
+ Catch
+ {
+ Write-Warning $_
+ Continue
+ }
+ If($UserInfo.LastBadPasswordAttempt)
+ {
+ $LockedOutStats += New-Object -TypeName PSObject -Property @{
+ Name = $UserInfo.SamAccountName
+ SID = $UserInfo.SID.Value
+ LockedOut = $UserInfo.LockedOut
+ BadPwdCount = $UserInfo.BadPwdCount
+ BadPasswordTime = $UserInfo.BadPasswordTime
+ DomainController = $DC.Hostname
+ AccountLockoutTime = $UserInfo.AccountLockoutTime
+ LastBadPasswordAttempt = `
+ ($UserInfo.LastBadPasswordAttempt).ToLocalTime()
+ }
+ }#end if
+ }#end foreach DCs
+ $LockedOutStats | Format-Table -Property Name,`
+ LockedOut,`
+ DomainController,`
+ BadPwdCount,`
+ AccountLockoutTime,`
+ LastBadPasswordAttempt `
+ -AutoSize
+
+ #Get User Info
+ Try
+ {
+ Write-Verbose "Querying event log on $($PDCEmulator.HostName)"
+ $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName`
+ -FilterHashtable @{LogName='Security';Id=4740} `
+ -ErrorAction Stop | Sort-Object `
+ -Property
TimeCreated + -Descending + } + Catch + { + Write-Warning $_ + Continue + }#end catch + Foreach($Event in $LockedOutEvents) + { + If($Event | Where {$_.Properties[2].value -match $UserInfo.SID.Value}) + { + $Event | Select-Object -Property ` + @( + @{Label = 'User'; Expression = {$_.Properties[0].Value}} + @{Label = 'DomainController'; Expression = {$_.MachineName}} + @{Label = 'EventId'; Expression = {$_.Id}} + @{Label = 'LockedOutTimeStamp'; Expression = {$_.TimeCreated}} + @{Label = 'Message'; Expression = {$_.Message ` + -split "`r" | Select -First 1}} + @{Label = 'LockedOutLocation'; Expression = + { + $_.Properties[1].Value + } + } + ) + }#end ifevent + + }#end foreach lockedout event + + }#end process + +}#end function + +$username = Read-Host 'Please enter a username' +Get-LockedOutLocation -Identity $username diff --git a/scripts/users/reset-password.ps1 b/scripts/users/reset-password.ps1 new file mode 100644 index 0000000..52d8221 --- /dev/null +++ b/scripts/users/reset-password.ps1 @@ -0,0 +1,24 @@ +# load ActiveDirectory module +Try +{ + Import-Module ActiveDirectory -ErrorAction Stop +} +Catch +{ + Write-Warning $_ + Break +} + +function Reset-Password +{ + $username = Read-Host 'Please enter a user name' + $default_password = 'default-password' + Unlock-ADAccount -Identity $username + Set-ADAccountPassword -Identity $username ` + -Reset -NewPassword + ( + ConvertTo-SecureString -AsPlainText $default_password -Force + ) + Set-ADuser $username -ChangePasswordAtLogon $True +} + diff --git a/scripts/users/unlock-account.ps1 b/scripts/users/unlock-account.ps1 new file mode 100644 index 0000000..50843dc --- /dev/null +++ b/scripts/users/unlock-account.ps1 
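Review bot: Three statements in the `Process` block lose their line continuation where they were re-wrapped: `Where-Object` is followed by its script block on the next line, `LockedOut` ends the `Get-ADUser` call so `-ErrorAction Stop` sits on a line of its own, and `-Property TimeCreated` has no backtick before `-Descending`. As written PowerShell will not bind those pieces to the commands they belong to, so the PDC emulator lookup, the per-DC `Try`/`Catch` and the newest-first ordering of the 4740 events are presumably all affected. Moving the opening brace onto the `Where-Object` line and adding a trailing backtick after `LockedOut` and after `TimeCreated` restores the intended calls. The help block also uses `.NOTE`, where the comment-based help keyword is `.NOTES`.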
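Review bot: `Reset-Password` gives every account it touches the same literal, `$default_password = 'default-password'`, which is stored in the repository and known to anyone who has been reset before; until the user's next logon the account is protected only by that shared value. Take the temporary password from the operator as a secure string instead, `$new_password = Read-Host 'Enter a temporary password' -AsSecureString`, and pass `-NewPassword $new_password` on the same line as `-Reset`. In the committed form `-NewPassword` ends its line without a backtick, so the parenthesised `ConvertTo-SecureString` expression is not its argument, and the file ends without calling `Reset-Password`, unlike the other scripts in this commit. `Unlock-ADAccount` also runs before the password change; doing it afterwards would avoid unlocking an account whose reset then fails.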
@@ -0,0 +1,29 @@
+# load ActiveDirectory module
+Try
+{
+ Import-Module ActiveDirectory -ErrorAction Stop
+}
+Catch
+{
+ Write-Warning $_
+ Break
+}
+
+function Unlock-Account
+{
+ $username = Read-Host 'Please enter a user name'
+ Try
+ {
+ Unlock-ADAccount -Identity $username -ErrorAction Stop
+ Write-Host $username ' unlocked' -backgroundcolor green
+ }
+ Catch
+ {
+ Write-Warning $_
+ Read-Host 'Press a key to quit'
+ Break
+ }
+ Read-Host 'Press a key to quit'
+}
+
+Unlock-Account
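Review bot: Both `Catch` blocks leave with `Break`, a loop-control statement that has no enclosing loop in this file, so it can act on whatever loop or `switch` is running in the caller, which for this script is the menu in control-ad.ps1. `return` inside `Unlock-Account` and `exit` in the module-load `Catch` state the intent without reaching into the caller. The same `Break` appears in the module-load blocks of the other scripts in this commit. The name from `Read-Host` also goes straight to `Unlock-ADAccount`; echoing the resolved account before unlocking and writing a log line recording who unlocked whom would make the action auditable.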