Powershell


Script to check which services on multiple servers are using specific accounts

A client wanted to rename a specific account, but they were afraid to change it because it could be in use as a service account for several services running on a number of servers. Because I didn’t want to log on to all those servers manually, I decided to create a PowerShell script.

 

Here is the source code:

# Folder where the per-server reports are written; created if it does not exist
$DefineSaveLocation = "f:\powershell"
if (-not (Test-Path $DefineSaveLocation))
    { New-Item -ItemType Directory -Path $DefineSaveLocation }
Set-Location $DefineSaveLocation

# inputfile.txt holds one server name per line
foreach ($Server in Get-Content "F:\powershell\inputfile.txt")
{
    Write-Host "Retrieving services for $Server"
    # Query all services over WMI and keep the name, start mode and logon account
    Get-WmiObject Win32_Service -ComputerName $Server |
        Select-Object Name,
            @{N="Startup Type";E={$_.StartMode}},
            @{N="Service Account";E={$_.StartName}},
            @{N="System Name";E={$_.SystemName}} |
        Sort-Object "Name" > ".\$Server -Services.txt"
}

 

This script uses an input file containing the server names. You can, for example, use RVTools or a WMI query to create this file.

After running the script, the output is as follows:

services_export


I imported this file into Excel, and from there it’s easy to check for accounts being used, etc.

Make sure to run PowerShell in elevated mode, and don’t forget the Set-ExecutionPolicy Unrestricted option.
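
An added example, not part of the original post: instead of exporting every service and filtering in Excel, it filters on the account that is about to be renamed and warns about servers that returned no data. The function names, the account CONTOSO\svc-app and the sample records are constructed for illustration.

```powershell
# Added example, not the original author's script.
function Select-ServiceByAccount {
    # Keeps service records whose StartName is the given account. DOMAIN\user,
    # user@domain and .\user are compared on the user part only, so a local
    # account with the same name also matches and shows up for review.
    param(
        [Parameter(ValueFromPipeline = $true)] $Service,
        [Parameter(Mandatory = $true)] [string] $Account
    )
    begin { $wanted = $Account -replace '^.*\\', '' -replace '@.*$', '' }
    process {
        if (-not $Service.StartName) { return }   # some services report no account
        $user = $Service.StartName -replace '^.*\\', '' -replace '@.*$', ''
        if ($user -ieq $wanted) {
            [pscustomobject]@{
                SystemName     = $Service.SystemName
                Name           = $Service.Name
                StartupType    = $Service.StartMode
                ServiceAccount = $Service.StartName
            }
        }
    }
}

function Find-ServiceAccountUsage {
    param([string[]] $ComputerName, [string] $Account)
    foreach ($server in $ComputerName) {
        try {
            Get-WmiObject Win32_Service -ComputerName $server -ErrorAction Stop |
                Select-ServiceByAccount -Account $Account
        } catch {
            # A server that returns nothing must be visible: a silent gap could
            # hide a service that still uses the account.
            Write-Warning "No data from ${server}: $($_.Exception.Message)"
        }
    }
}

# Constructed sample records with Win32_Service property names, for an offline try.
$sample = @(
    [pscustomobject]@{ SystemName='SRV01'; Name='MSSQLSERVER'; StartMode='Auto';   StartName='CONTOSO\svc-app' }
    [pscustomobject]@{ SystemName='SRV01'; Name='Spooler';     StartMode='Auto';   StartName='LocalSystem' }
    [pscustomobject]@{ SystemName='SRV02'; Name='AppSvc';      StartMode='Manual'; StartName='svc-app@contoso.example' }
)
$sample | Select-ServiceByAccount -Account 'CONTOSO\svc-app' | Format-Table -AutoSize

# Against real servers, with the input file used in the post:
# Find-ServiceAccountUsage -ComputerName (Get-Content 'F:\powershell\inputfile.txt') -Account 'CONTOSO\svc-app' |
#     Export-Csv 'F:\powershell\service-account-usage.csv' -NoTypeInformation
```

Treat every warning as an open item: a server that could not be queried may still run a service under the account.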


Exchange & Lync : Find and fix broken inheritance

Many times I’ve run into the following error:

move mailbox

(Error: insufficient access rights to perform the operation) while moving Lync users or moving mailboxes in Exchange.

This is due to the following:

security002

“Include inheritable permissions” MUST BE ENABLED. (This also applies to other tasks.)

When this affects one or a couple of users, that is no problem. When you have >100 users, you don’t want to do this manually.

This is how to script it:

First check which users have this problem, using the following command:

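Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue   # loads the Quest *-QAD* cmdlets if they are not already present
Get-QADUser -SizeLimit 0 | where {$_.DirectoryEntry.psbase.ObjectSecurity.AreAccessRulesProtected}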

Example:

security001

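The output shows the accounts that have this problem. Nothing is fixed yet. Review the list before changing anything: members of protected groups such as Domain Admins have inheritance disabled deliberately by AdminSDHolder, so the setting will be reverted on those accounts. To fix the problem, you need to run the following command: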

Get-QADUser -SizeLimit 0 | where {$_.DirectoryEntry.psbase.ObjectSecurity.AreAccessRulesProtected} | Set-QADObjectSecurity -UnlockInheritance