Using PowerShell to Manage Distribution Groups in Exchange 2007

This is a quick post for a small task. I found the basis for the commands in Ying Li's post here.

We had an admin leave us and go to Facebook recently. She was a member of a TON of the distribution groups we set up for our Amazon Web Services accounts. I didn't want to go into the Exchange Management Console (EMC) and remove her from the groups one at a time, since there were a bunch of them, so I did a quick Google search and strung a command together to remove the user from all of the groups at once.

All of our AWS groups are named after the accounts and start with AWS, i.e. AWS-ClientName@company.com. So, from the Exchange Management Shell, this is what I came up with (the Identity parameter of Get-DistributionGroup accepts wildcards):

Get-DistributionGroup "AWS*" | Remove-DistributionGroupMember -member oldadmin

That worked like a charm.  So, I then ran this command to add myself to those same groups:

Get-DistributionGroup "AWS*" | Add-DistributionGroupMember -member mrichardson

That too worked like a charm. I had some other cleaning up to do, so I incorporated another command to remove the old admin from all groups, not just the AWS ones:

Get-DistributionGroup "*" | Remove-DistributionGroupMember -member oldadmin

Note that Get-DistributionGroup already returns mail-enabled universal security groups (RecipientTypeDetails of MailUniversalSecurityGroup) alongside ordinary distribution groups, so this one command covers both kinds. The Exchange 2007 Management Shell has no Get-SecurityGroup or Remove-SecurityGroupMember cmdlet; groups that are not mail-enabled are outside Exchange's cmdlets and have to be cleaned up with the Active Directory tools (dsmod group with -rmmbr, or ADUC).

Of course I got errors for the groups she was not a member of, but that was to be expected (adding -ErrorAction SilentlyContinue to Remove-DistributionGroupMember quiets them). Keep in mind that this only strips group memberships; disabling the departed admin's account is a separate step. That pretty much sums it up. Hope this is helpful for someone.
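An audit-first version of the same cleanup, as an added example (not part of the original post): it lists the groups the departed user actually belongs to, writes that list to a CSV, and only removes memberships when run with -Commit, so there are no "not a member" errors and there is a record of what changed. It assumes an Exchange 2007 Management Shell (PowerShell 2.0 or later); the alias oldadmin and the AWS-* naming come from the post, the log path is an assumption.

```powershell
# Added example, not the post's own commands. Run inside the Exchange Management Shell.
param(
    [string]$Member  = 'oldadmin',              # alias of the departed admin (from the post)
    [string]$Filter  = '*',                     # e.g. 'AWS*' to limit to the AWS groups
    [string]$LogPath = 'C:\ADLogs\group-cleanup.csv',   # assumed log location
    [switch]$Commit                             # without -Commit nothing is changed
)

# Resolve the user once so membership can be compared by distinguished name
# rather than by display name or alias.
$target = Get-Recipient -Identity $Member

# Build the list of groups the user really belongs to. Get-DistributionGroup
# returns mail-enabled universal security groups too, so both kinds are covered.
$hits = foreach ($g in Get-DistributionGroup -Identity $Filter -ResultSize Unlimited) {
    $members = Get-DistributionGroupMember -Identity $g.Identity -ResultSize Unlimited
    if ($members | Where-Object { $_.DistinguishedName -eq $target.DistinguishedName }) {
        $g | Select-Object Identity, RecipientTypeDetails, @{Name = 'Member'; Expression = { $Member }}
    }
}

if (-not $hits) {
    Write-Host "$Member is not a member of any group matching '$Filter'."
    return
}

# Record what was found before touching anything.
$hits | Export-Csv -Path $LogPath -NoTypeInformation
Write-Host "$(@($hits).Count) group(s) contain $Member; list written to $LogPath"

foreach ($h in $hits) {
    if ($Commit) {
        # -Confirm:$false suppresses the per-group prompt for a bulk run.
        Remove-DistributionGroupMember -Identity $h.Identity -Member $Member -Confirm:$false
        Write-Host "Removed $Member from $($h.Identity) ($($h.RecipientTypeDetails))"
    } else {
        Write-Host "Dry run: would remove $Member from $($h.Identity) ($($h.RecipientTypeDetails))"
    }
}
```

Run it once without -Commit and review the CSV; the dry run is cheap and the CSV is the evidence you will want when someone later asks which lists the old admin was on.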

Runas Batch File To Launch MMC as Domain Admin

So, I recently started with a new company that wisely implements User Account Control on the desktops and follows the best practice of having one account for Domain Admin work and a separate account for everyday use. I came from an environment where I was supporting several different domains, so building an MMC for my clients didn't make much sense at the time; had I written this little batch file before, it would have made my onsite visits much easier. I am running this on Windows 7 SP1 x64. The batch file is quite simple, but I didn't find anything with instructions on how to "make it all work", so I thought I'd throw this blog out there.

Step 1: Check your services, and make sure the "Secondary Logon" service (service name seclogon) is running and set to Automatic. If this service isn't running, runas cannot start a process as another user.

Step 2: Create a folder on the C drive and name it MMC. Leave the default permissions on it (Administrators and SYSTEM with Full Control, Users with Read & Execute). Do not add "Everyone Full Control": the batch file and the .msc in this folder are executed and loaded under your Domain Admin account, so anyone who can write to the folder can plant a modified .bat or .msc and get code running as Domain Admin the next time you launch it. runas only needs the account you specify to be able to read the files, and the default ACL already grants that to any account that logs on to the PC.

Step 3: Create a new MMC with all of the Snap-Ins you like to use regularly and save it to the C:\MMC folder. I added ADUC, DNS, DHCP, AD Sites & Services, Remote Desktops, Event Viewer, Services, and Computer Management. I'm sure I'll add more later, but those are the basics that I started with.

Step 4: Create a batch file in that folder with the following text, substituting your own values for the placeholders:

  • %domain% is the domain you're logging in to.
  • %username% is the user name you're logging in with.
  • %filename% is the name of the MMC file you created and saved in Step 3.

These are placeholders to type over, not variables to leave in the file: cmd expands %USERNAME% to the account you are currently logged on with, so a batch file that literally contains %username% will try to run as your everyday user. Use straight quotes around the command, not the curly ones a word processor inserts.

runas /user:%domain%\%username% "mmc C:\MMC\%filename%.msc"

For example, if I were logging into company.com with the user ID Matt and the MMC file I created was named Console, then the script would look like this:

 runas /user:company\Matt "mmc C:\MMC\console.msc"

I initially had problems with Windows 7 and received the error "193: console.msc is not a valid win32 application", which is why I added the "mmc " into the script. runas expects an executable as its program argument, and a .msc file is a document, not an executable, so the file association that works from Explorer doesn't apply; starting mmc.exe and passing the console as its argument did the trick. I read that tip here.

Step 5: Save and close your batch file naming it something that makes sense to you.

Step 6: Create a shortcut to the batch file on your desktop (or other convenient location) and change the icon if desired.

Step 7: Launch your batch file. Be sure to Right Click and select “Run As Administrator” if your PC has UAC turned on.

Step 8: After you launch the batch file, a cmd window will pop up and you will be prompted for a password. Enter the password for the user you defined in the batch file and you’re all set.
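The same procedure in PowerShell, as an added example (not part of the original post): it performs Step 1 and the permission check from Step 2 explicitly before launching the console, and it starts mmc.exe with the .msc as an argument, the same fix as the "mmc " prefix for error 193. The account company\Matt and console C:\MMC\console.msc are the post's example values; the Start-Process approach in place of runas is this example's choice.

```powershell
# Added example, not the post's batch file. Run from the everyday (non-admin) account.
param(
    [string]$Account = 'company\Matt',          # Domain Admin account (from the post)
    [string]$Console = 'C:\MMC\console.msc'     # saved MMC console (from the post)
)

# Step 1: runas and Start-Process -Credential both depend on the Secondary Logon service.
$seclogon = Get-Service -Name seclogon
if ($seclogon.Status -ne 'Running') {
    throw "Secondary Logon (seclogon) is $($seclogon.Status); start it before continuing."
}

# Step 2 check: nothing the admin account will execute or load may be writable by
# low-privilege principals, or a local user can swap in a .msc/.bat that runs as Domain Admin.
$folder = Split-Path -Parent $Console
$acl = Get-Acl -Path $folder
$risky = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl'
}
if ($risky) {
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize | Out-String | Write-Warning
    throw "$folder is writable by low-privilege principals; fix the ACL before launching anything from it."
}
if (-not (Test-Path -Path $Console)) { throw "Console not found: $Console" }

# Prompt for the admin password on every launch (no stored credentials), then start
# mmc.exe itself with the console as its argument, as runas needs an executable.
$cred = Get-Credential -Credential $Account
Start-Process -FilePath "$env:SystemRoot\System32\mmc.exe" -ArgumentList "`"$Console`"" -Credential $cred
```

Keep one copy of this per domain (change $Account and $Console) the way the post suggests keeping one batch file per client, and resist adding anything that caches the password: runas /savecred, or a script with the password embedded, turns the folder into a stored Domain Admin credential.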

So, you can see the different applications of this batch file. If you’re a roaming admin, you can create a separate file for each client. In my case, we acquired a company not too long ago, so I will have one batch file (and likely a different msc defaulting to certain servers) for each of the domains for ease of administration.

Still working on the Exchange Management Console. The same script throws the same "invalid Win32 application" error with or without the preceding "mmc" part of the script. I can Shift-Right Click and "Run as different user", but I'd rather not.....

Good luck, and happy administration!

Deauthorized DHCP Servers Still Listed

I've run into the situation several times where you deauthorize a DHCP server/scope, but when you click "Add Authorized Server" in the DHCP MMC snap-in, it still lists the old servers. That list comes from the dhcpServers attribute on CN=DhcpRoot in the Configuration partition of Active Directory, and the quickest and most efficient way I've found to clean it up is ADSI Edit. Because it lives in the forest-wide Configuration partition, you need Enterprise Admin rights to change it (the same rights needed to authorize a DHCP server in the first place), and it's worth copying the attribute's current values somewhere before you remove anything.

  1. Click Start, in the search box type MMC and hit Enter.
  2. On the console screen that pops up, add ADSI Edit to your list of snap-ins.
  3. Right-click "ADSI Edit" and select "Connect to..." from the menu.
  4. Leave all defaults except "Select a well known Naming Context". Hit the drop-down arrow, select Configuration and click OK.
  5. Drill down to CN=Services, then CN=NetServices (the full path is CN=NetServices,CN=Services,CN=Configuration,DC=yourdomain,DC=com) and highlight it.
  6. Double-click CN=DhcpRoot.
  7. Scroll down until you find the dhcpServers attribute. Double-click that attribute, select the values for the offending servers in the value list and remove them. Apply and close and you're done! Each value identifies one authorized server, so remove only the entries for the servers you deauthorized and leave the rest alone.
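The same edit from PowerShell using ADSI, as an added example (not part of the original post): it reads the dhcpServers values from CN=DhcpRoot, saves a copy of the current list, shows which entries match the stale server, and only deletes them with -Commit. The server name olddhcp.company.com and the backup location are assumptions; the DN path is the one the steps above navigate to.

```powershell
# Added example, not the post's own steps. Requires Enterprise Admin rights to commit.
param(
    [string]$StaleServer = 'olddhcp.company.com',   # assumed name (or IP) of the deauthorized server
    [switch]$Commit                                 # without -Commit only report what would change
)

# Find the Configuration partition for this forest instead of hard-coding the domain.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext
$dhcpRoot = [ADSI]"LDAP://CN=DhcpRoot,CN=NetServices,CN=Services,$configNc"

# Keep a copy of the current values before touching anything.
$current = @($dhcpRoot.dhcpServers)
$backup  = Join-Path $env:TEMP ("dhcpServers-backup-{0}.txt" -f (Get-Date -Format 'yyyyMMddHHmmss'))
$current | Set-Content -Path $backup
Write-Host "Current authorized list ($($current.Count) entries) saved to $backup"

# Each value embeds the server's address and name, so match on either.
$stale = @($current | Where-Object { $_ -like "*$StaleServer*" })
if ($stale.Count -eq 0) {
    Write-Host "No dhcpServers entry matches '$StaleServer'; nothing to do."
    return
}
$stale | ForEach-Object { Write-Host "Would remove: $_" }

if ($Commit) {
    # ADS_PROPERTY_DELETE (4) removes only the listed values from a multi-valued attribute.
    $ADS_PROPERTY_DELETE = 4
    $dhcpRoot.PutEx($ADS_PROPERTY_DELETE, 'dhcpServers', $stale)
    $dhcpRoot.SetInfo()
    $dhcpRoot.RefreshCache()
    Write-Host "Removed $($stale.Count) entry(ies); $(@($dhcpRoot.dhcpServers).Count) remain."
}
```

Run it first without -Commit and read the "Would remove" lines; since the list is forest-wide, a too-broad $StaleServer pattern would deauthorize servers that are still in service.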

Active Directory Health Checks

As a matter of course, I always start my troubleshooting of any funky network issues with a standard set of Active Directory health checks. This is the blog post I’ve used for a few years now: (http://msmvps.com/blogs/ad/archive/2008/06/03/active-directory-health-checks-for-domain-controllers.aspx)

After doing this several hundred times, I finally got around to writing a batch file that runs all of the checks in sequence. Below is the text for the script. Paste it into a .bat file, create the ADLogs folder, and change the file locations appropriately. Run it from an elevated prompt on a domain controller, where dcdiag, netdiag and repadmin are available. Note that the redirects use >>, so each run appends to the same files; clear out or rename the old logs before a run if you want a clean baseline. Good luck!

========================================================

@echo off
REM ###########################################
REM    AD Health Check batch file. This runs standard health
REM    checks in Active Directory and puts the results into
REM    the D:\ADLogs directory.
REM    Written by: Matt Richardson
REM    Last Update: 9/2/2011
REM    Reference: 06/03/2008 Blog post by MSMVP BrianM
REM ###########################################
echo The following AD Health Checks are now running: dcdiag, netdiag, dhcp, and repadmin. Your results can be found in D:\ADLogs.
title AD Health Check Now Running…..
REM The real work begins here
dcdiag /v >> d:\ADLogs\dcdiag.txt
netdiag.exe /v >> d:\adlogs\netdiag.txt
netsh dhcp show server >> d:\adlogs\dhcp.txt
repadmin /showreps >> d:\adlogs\showreps.txt
repadmin /replsum /errorsonly >> d:\adlogs\repadmin_err.txt
title AD Health Check Complete!
echo AD Health Check Complete!
timeout 10
exit

UPDATE for Server 2008

I have updated the script to give a more complete look at the domain by adding the /c (comprehensive) switch to the dcdiag command, and removed the netdiag command, which is not included in Server 2008.

@echo off
REM ###########################################
REM    AD Health Check batch file. This runs standard health
REM    checks in Active Directory and puts the results into
REM    the c:\ADLogs directory.
REM    Written by: Matt Richardson
REM    Last Update: 1/25/2012
REM    Reference: 06/03/2008 Blog post by MSMVP BrianM
REM ###########################################
echo The following AD Health Checks are now running: dcdiag, dhcp, and repadmin. Your results can be found in c:\ADLogs.
title AD Health Check Now Running…..
REM The real work begins here
dcdiag /c /v >> c:\ADLogs\dcdiag.txt
netsh dhcp show server >> c:\adlogs\dhcp.txt
repadmin /showreps >> c:\adlogs\showreps.txt
repadmin /replsum /errorsonly >> c:\adlogs\repadmin_err.txt
title AD Health Check Complete!
echo AD Health Check Complete!
timeout 10
exit
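A PowerShell version of the Server 2008 script, as an added example (not part of the original post): it runs the same four checks but writes a fresh, timestamped file per run instead of appending with >>, records each tool's exit code, and parses the dcdiag output so the failed tests are summarized rather than buried in a verbose log. The C:\ADLogs location is the post's; the parser is demonstrated at the end on a few constructed dcdiag lines so the expected shape is visible without a domain controller.

```powershell
# Added example, not the post's batch file. Run elevated on a domain controller.
param([string]$LogDir = 'C:\ADLogs')

# Turn dcdiag's "......... DC01 failed test Replications" summary lines into objects.
function Get-DcdiagResult {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*\.+\s+(?<dc>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)') {
            New-Object PSObject -Property @{
                Server = $Matches['dc']
                Test   = $Matches['test']
                Result = $Matches['result']
            }
        }
    }
}

function Invoke-AdHealthCheck {
    param([string]$LogDir)
    foreach ($tool in 'dcdiag', 'repadmin', 'netsh') {
        if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) { throw "$tool not found on this machine." }
    }
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

    # One file set per run, so old results are never mixed into new ones.
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $summary = Join-Path $LogDir "summary-$stamp.txt"
    $checks  = @{
        'dcdiag'      = 'dcdiag /c /v'
        'dhcp'        = 'netsh dhcp show server'
        'showrepl'    = 'repadmin /showrepl'          # /showreps is the older spelling of the same option
        'replsum_err' = 'repadmin /replsum /errorsonly'
    }
    foreach ($name in $checks.Keys) {
        $out = Join-Path $LogDir "$name-$stamp.txt"
        cmd /c "$($checks[$name]) > `"$out`" 2>&1"
        "$name exit code: $LASTEXITCODE" | Add-Content -Path $summary
    }

    # Pull the failed tests out of the verbose dcdiag log into the summary.
    $failed = @(Get-DcdiagResult -Lines (Get-Content (Join-Path $LogDir "dcdiag-$stamp.txt")) |
                Where-Object { $_.Result -eq 'failed' })
    if ($failed.Count -eq 0) {
        'dcdiag: all tests passed' | Add-Content -Path $summary
    } else {
        $failed | Format-Table Server, Test -AutoSize | Out-String | Add-Content -Path $summary
    }
    Write-Host "Results in $LogDir (summary-$stamp.txt)"
    return $failed
}

# Constructed sample of dcdiag summary lines (not real output from a DC), to show
# what the parser produces. Replace this with Invoke-AdHealthCheck -LogDir $LogDir on a DC.
$sample = @(
    '   ......................... DC01 passed test Connectivity',
    '   ......................... DC01 failed test Replications',
    '   ......................... DC01 passed test Advertising'
)
Get-DcdiagResult -Lines $sample | Where-Object { $_.Result -eq 'failed' } | Format-Table Server, Test -AutoSize
```

The exit codes are the quick signal: dcdiag returns non-zero when any test fails, so a nightly scheduled task can alert on the summary file alone and only the verbose logs need reading when something actually broke.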