Monday, May 14, 2018

How to find the largest files using PowerShell

If your hard drive is running out of space, you need to know which files are causing the issue.
To find out, we will use Get-ChildItem.
Use the following command to get the three largest files below the current directory.
Get-ChildItem -r| sort -descending -property length | select -first 3 name, Length

The Length is displayed in bytes. If you have large files, it's better to display it in megabytes, so let's convert the Length property into MB.
Get-ChildItem -r|sort -descending -property length | select -first 3 name, @{Name="Megabytes";Expression={[Math]::round($_.length / 1MB, 2)}}

Now we have the largest files, but where are they located? Just select DirectoryName as well to get the location.
Get-ChildItem -r|sort -descending -property length | select -first 3 name, DirectoryName, @{Name="Megabytes";Expression={[Math]::round($_.length / 1MB, 2)}}

Thursday, May 3, 2018

Get and set DFS-R primary member

You can use the following commands to get and set the DFSR primary member.

Find out which DFSR member is the primary member
Dfsradmin Membership List /RGname:<replication group name> /attr:MemName,RFName,IsPrimary

Set the primary member for a replication group
dfsradmin Membership Set /RGName:<replication group name> /RFName:<replication folder name> /MemName:<primary member> /IsPrimary:True

Run "dfsrdiag pollad" to update Active Directory configuration.

Wednesday, April 18, 2018

How to find all AD Users with a specific profilepath or homeDirectory

If you want to search for a specific homeDirectory or profilepath that is assigned to users, you have to filter on this path.

Let's assume you have a DFS share named \\DFSShare\User that contains all homeDirectories. To find all users using this path, you might expect that a query like this works:
Get-ADUser -Filter "homedirectory -like '\\DFSShare\User*'" -Properties homedirectory | select samaccountname, homedirectory

If you run this line, the output will be empty, even if some users are using this share as their homeDirectory.

Why? A network path contains backslashes, and the backslash "\" is a special character. Therefore, if you filter on such paths, you have to replace every \ with \5c.

For more information check out the following MS article:

If we do that, our PowerShell query looks like this:
Get-ADUser -Filter "homedirectory -like '\5c\5cDFSShare\5cUser*'" -Properties homedirectory | select samaccountname, homedirectory

Now we see all users that have a homeDirectory located in \\DFSShare\User
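
The same escaping, done programmatically and extended to profilePath as well. This is an added example, not part of the original post: it uses -LDAPFilter instead of -Filter, and the function names are made up for illustration. Besides the backslash it also escapes the other characters that are special in an LDAP filter value.

```powershell
# Added example. The ActiveDirectory module (RSAT) is only needed when
# Find-ADUserByPathPrefix is called; the filter builder runs offline.

function ConvertTo-LdapFilterValue {
    # Escape characters that are special inside an LDAP filter value (RFC 4515).
    # The backslash is replaced first, otherwise the backslashes introduced by
    # the later replacements would themselves be escaped a second time.
    param([Parameter(Mandatory)][string]$Value)
    $map = @(
        @('\', '\5c'),
        @('*', '\2a'),
        @('(', '\28'),
        @(')', '\29'),
        @([string][char]0, '\00')
    )
    foreach ($pair in $map) {
        $Value = $Value.Replace($pair[0], $pair[1])
    }
    $Value
}

function New-PathPrefixLdapFilter {
    # Build an OR filter that matches the prefix in homeDirectory or profilePath.
    param([Parameter(Mandatory)][string]$PathPrefix)
    $escaped = ConvertTo-LdapFilterValue -Value $PathPrefix
    # The trailing * is appended after escaping, so it stays a real wildcard.
    "(|(homeDirectory=${escaped}*)(profilePath=${escaped}*))"
}

function Find-ADUserByPathPrefix {
    # Hypothetical helper name; runs the query against the current domain.
    param([Parameter(Mandatory)][string]$PathPrefix)
    $filter = New-PathPrefixLdapFilter -PathPrefix $PathPrefix
    Get-ADUser -LDAPFilter $filter -Properties homeDirectory, profilePath |
        Select-Object SamAccountName, homeDirectory, profilePath
}

# Offline: show the filter generated for the share used in the post.
New-PathPrefixLdapFilter -PathPrefix '\\DFSShare\User'

# On a domain-joined machine with RSAT:
# Find-ADUserByPathPrefix -PathPrefix '\\DFSShare\User'
```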

Thursday, April 5, 2018

Syncing NPS Settings between two servers

If you want redundancy, you need a second server running NPS with all the settings required to handle the requests of your RADIUS clients. Network devices typically allow you to specify multiple RADIUS servers in their configuration using a shell or web interface. If you have two servers, you have to define a "Master Radius Server": you make all configuration changes on this server, and these changes then have to be imported on the second server. You can sync your NPS configuration manually via the GUI or with a PowerShell script that runs in a scheduled task. The attached picture shows this process.

The following script can be used to sync your NPS configuration between two servers. The path C:\admin\NPS\Backup\ must be available on both servers. Just create it on both, or add its creation to the script.

# Get date
$date = Get-Date -Format yyyy_MM_dd
# Export NPS config (a dated archive copy plus the copy that is synced)
Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig_$date.xml
Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig.xml
# Destination server
$NPSDestServer = "SecondRadius"
# Copy config to destination server (the backtick keeps C$ literal inside the quoted path)
Copy-Item -Path C:\admin\NPS\Backup\NPSConfig.xml -Destination "\\$NPSDestServer\C`$\admin\NPS\NPSConfig.xml"
# Export the destination's current config into its Backup folder as a rollback copy
Invoke-Command -ComputerName $NPSDestServer -ScriptBlock {Export-NpsConfiguration -Path C:\admin\NPS\Backup\NPSConfig.xml}
# Import new config
Invoke-Command -ComputerName $NPSDestServer -ScriptBlock {Import-NpsConfiguration -Path C:\admin\NPS\NPSConfig.xml}

Just copy this script to your Master Radius server, change $NPSDestServer = "SecondRadius" to match the name of your second NPS server, and create a scheduled task that executes this script.
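
The file written by Export-NpsConfiguration contains the RADIUS shared secrets unencrypted, so the backup folder and the transfer deserve some care. The following variant is an added example, not part of the original script: it restricts the folder ACL, copies over a PowerShell remoting session instead of the C$ share, and checks the file hash on the second server before importing. The function name Protect-NpsFolder is made up for illustration; server name and paths are the ones used above.

```powershell
#Requires -RunAsAdministrator
# Added example: hardened variant of the sync script above.
$ErrorActionPreference = 'Stop'

$NPSDestServer = 'SecondRadius'                    # placeholder name from the post
$BackupDir     = 'C:\admin\NPS\Backup'             # must exist on both servers
$ExportFile    = Join-Path $BackupDir 'NPSConfig.xml'
$RemoteFile    = 'C:\admin\NPS\NPSConfig.xml'

function Protect-NpsFolder {
    # Remove inherited ACEs and grant full control only to SYSTEM (S-1-5-18)
    # and the local Administrators group (S-1-5-32-544).
    # Explicit ACEs that were set on the folder by hand are left in place.
    param([Parameter(Mandatory)][string]$Path)
    & icacls.exe $Path /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

# Lock the folder down before any secret-bearing file is written to it.
Protect-NpsFolder -Path $BackupDir
Export-NpsConfiguration -Path $ExportFile
$localHash = (Get-FileHash -Path $ExportFile -Algorithm SHA256).Hash

$session = New-PSSession -ComputerName $NPSDestServer
try {
    # Copy through the remoting session; no admin share access is needed.
    Copy-Item -Path $ExportFile -Destination $RemoteFile -ToSession $session

    Invoke-Command -Session $session -ArgumentList $RemoteFile, $localHash -ScriptBlock {
        param($File, $ExpectedHash)
        # Refuse to import a truncated or altered copy.
        $hash = (Get-FileHash -Path $File -Algorithm SHA256).Hash
        if ($hash -ne $ExpectedHash) { throw "Hash mismatch for $File, import skipped" }
        # Keep the current configuration as a rollback copy, then import.
        Export-NpsConfiguration -Path 'C:\admin\NPS\Backup\NPSConfig.xml'
        Import-NpsConfiguration -Path $File
        # Do not leave an extra cleartext copy of the secrets behind.
        Remove-Item -Path $File
    }
}
finally {
    Remove-PSSession -Session $session
}
```

The rollback copy on the second server also contains the shared secrets, so apply the same ACL to C:\admin\NPS\Backup there.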

Monday, March 26, 2018

Monday, March 19, 2018

Can Certificate Transparency affect your Active Directory CA?

Certificate Transparency
So first of all, what is Certificate Transparency (CT)? With CT, all HTTPS certificates are logged to public log servers, and clients refuse to honour certificates that are not present in at least a subset of trusted logs. These logs provide a record of the certificates that are issued and help identify certificates that should not have been issued. Google is pushing this topic, and we all know how it influences the IT business. It will enforce CT in Google Chrome at the end of April 2018 for certificates issued after the first of April 2018.

I just want to make it clear that this only affects HTTPS certificates. Certificates for other purposes like SMIME, Smartcard Logon, Code Signing and so on are not affected. If you think about it, you don't even see those certificates in Chrome. So let's get back to the topic. The common scenarios are an internal (private) CA and a CA whose certificates chain to a public root.

Internal CA
If you have an internal/private CA within your environment that does not chain up to a public root, CT will not affect your CA. Google Chrome uses the Windows native CAPI to determine trusted chains and knows what is internal.

CA with Certificates chain to public Root
If a CA chains up to a public root and you issue HTTPS certificates, CT may affect your CA. In this case you should contact your service provider.