
Integrate Lync Server 2010 with Exchange 2010 SP1 OWA - sha512 Certificate Limitation

by Omid Abdollahpour 27. December 2010 18:33
I'm still a beginner in the Lync world, but Lync Server impresses me every single day I spend with it. The deployment process of Lync Server is quite simple; however, a few problems I've been experiencing made me pull my hair out. One of them was the Lync Server 2010 integration with Exchange 2010 SP1 Outlook Web Access...

First of all, there are a bunch of blog posts and instructions on the internet about how to integrate Lync Server 2010 with OWA, so I won't bother you with yet another walkthrough. I would like to thank Ilse Van Criekinge and Jeff Guillet for their great step-by-step guides on how to integrate Lync with OWA.

Jeff Guillet: How to Integrate Lync Server 2010 with Exchange 2010 SP1 OWA

Ilse Van Criekinge: Configuring Lync RC and Exchange 2010 SP1 to Enable OWA as a Lync Endpoint

Well, the problem I've been experiencing was that I couldn't sign in to Instant Messaging through Outlook Web Access on Exchange Server 2010 SP1.


From what I've seen on the internet, it's a quite common problem. Ilse has even written another blog post about how to troubleshoot the Lync-Exchange OWA integration. It really helped me find where the problem was, but it didn't give me a clue about how to solve it, because I didn't use a wildcard certificate or a self-signed certificate. Obviously I could not see any problem with my implementation of Lync Server. In my case, I used a SAN certificate with the following FQDNs defined:

Meet.domain.lcl
Dialin.domain.lcl
Admin-Lync.domain.lcl
Sip.domain.lcl
Lync.domain.lcl (the server host name)

Ilse’s blog post about troubleshooting Lync-Exchange OWA Integration

Before I get into more detail about my problem, I would like to describe my lab environment:
- Two Domain Controllers
- Two Certificate Authority servers with different configurations (more details follow)
- One Exchange Server 2010 SP1 with all roles (CAS/HT/MBX/UM)
- Three Lync Servers (Standard Edition with almost all roles / Director / Edge)

For troubleshooting, I followed Ilse's guide and this is what I got.


It was quite strange that the Exchange and Lync servers could not communicate with each other even though both had certificates from the same issuing CA, which they both trusted (AD Certificate Services). After a little research on the internet, I couldn't find any answer as to why they couldn't communicate.

As a last try, I enrolled brand new certificates for both the Exchange Server and the Lync Server from another CA server in the same domain, reconfigured the OWA virtual directory with the new certificate thumbprint in PowerShell, and guess what: it made the integration work. The difference between the two CA servers is that the primary CA signs the certificates it issues with the SHA-512 hash algorithm, while the other signs with SHA-1.

For comparison, my old Exchange certificate:



And my new Exchange Certificate:


Please note that both the Exchange Server and the Lync Server still have certificates from the same CA server; only the CA (and with it the signature hash algorithm) changed.
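Before re-enrolling anything, it is worth checking which hash algorithm the certificates on both sides were actually signed with. The following is an added example (editor's code, not from the original post) that reports the signature algorithm of the certificate OWA presents to Lync and of every certificate Lync has assigned, so a SHA-512-signed certificate is spotted before IM sign-in fails. It assumes the Exchange part is run in the Exchange Management Shell on the CAS and the Lync part in the Lync Server Management Shell on the front end; the server name 'EXCH01' is a placeholder.

```powershell
# Added example (editor's, not from the original post): which hash algorithm signed the
# certificates used for the OWA <-> Lync integration?
# Assumptions: Exchange part runs in the Exchange Management Shell on the CAS, Lync part in
# the Lync Server Management Shell on the front end; 'EXCH01' is a placeholder server name.

function Get-CertHashAlgorithm {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # Thumbprints pasted from the certificate UI often carry spaces; drop them first
    $tp   = ($Thumbprint -replace '\s', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { throw "No certificate with thumbprint $tp in LocalMachine\My" }
    # New-Object rather than [pscustomobject] so this also runs in the PowerShell 2.0 shells
    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Signature  = $cert.SignatureAlgorithm.FriendlyName   # sha1RSA, sha256RSA, sha512RSA, ...
        NotAfter   = $cert.NotAfter
        IsSha512   = ($cert.SignatureAlgorithm.FriendlyName -match 'sha512')
    }
}

# Exchange side: the certificate configured for Instant Messaging on each OWA virtual directory
Get-OwaVirtualDirectory -Server 'EXCH01' |
    Where-Object { $_.InstantMessagingCertificateThumbprint } |
    ForEach-Object { Get-CertHashAlgorithm -Thumbprint $_.InstantMessagingCertificateThumbprint } |
    Format-Table Subject, Issuer, Signature, IsSha512, NotAfter -AutoSize

# Lync side: every certificate assigned to a Lync usage (Default, WebServicesInternal, ...)
Get-CsCertificate |
    ForEach-Object { Get-CertHashAlgorithm -Thumbprint $_.Thumbprint } |
    Format-Table Subject, Issuer, Signature, IsSha512, NotAfter -AutoSize
```

Any row with IsSha512 = True is a candidate for the failure described here. On the CA itself, `certutil -getreg ca\csp\CNGHashAlgorithm` shows which hash the CA signs with. If you do re-enroll, SHA-256 is the sensible target today rather than SHA-1, which CAs and browsers have since stopped accepting; SHA-256-signed certificates do not hit this limitation. Microsoft later documented the underlying behaviour in KB2973337 ("SHA512 is disabled in Windows when you use TLS 1.2"), which describes Schannel TLS 1.2 handshakes failing with SHA-512-signed certificates and the registry change that enables SHA-512 there.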

I searched for this behavior on the internet and the only piece of information I could find about this certificate limitation was a TechNet article called "Request Certificates in Advance (Optional)":

http://technet.microsoft.com/en-us/library/gg412733.aspx

I hope this information also helps you if you are experiencing the same problem as I did... Now I can play with Instant Messaging in OWA =)


By the way, Happy New Year!!!


Exchange Server 2010 | Lync

Creating RBAC User Roles For Local Server Administration

by Omid Abdollahpour 13. December 2010 02:37

Time for yet another blog post...

My task was to create RBAC user roles in Active Directory for delegating local administrator permissions on individual servers. The reason was to have better control over who the local administrators are on every single server in the domain; we also wanted to create a new workflow in which a team manager must approve a team member before that person becomes a local administrator on a server, which improves internal security.

This task included creating an Active Directory security group for every single server, adding that group to the server's local Administrators group and removing all other members that exist in the local Administrators group. Creating these groups and adding them one by one for 900 servers? No thanks. So what I did was write three scripts; they are actually all identical, but they offer different input methods: "All Servers In Active Directory", "Single Server" and "A Server List in a CSV File". I could have wrapped them up into a single script by using arguments and parameters in the functions, but my deadline was quite short so I had to do it as effectively and quickly as possible.

Here we go; this is how these scripts work:

- Load the Quest ActiveRoles Management Shell for Active Directory in PowerShell (to download the module, CLICK HERE)
- Ask for Domain Admin credentials
- Check in AD whether the computer runs a Windows Server OS. Drop all computers running Windows XP/Vista/7. Cluster computer objects in AD carry no OS information, so the script doesn't create unnecessary security groups for them. Create a log file for dropped items.
- Ping the server first; if it responds, continue. Otherwise skip that server and log it. The reason is to minimize the creation of security groups, because of the risk of obsolete objects in AD. Yes, I know that some companies block ICMP in their internal environment, but if you are 100% sure, go ahead and modify this script.
- Generate a security group name based on your naming standard and the server name, and check whether that name already exists in AD. If it exists, log it and move on to the next server. If it doesn't, go on to the next step.
- Create the AD object, wait 15 seconds for it to replicate within the AD site so the new security group is in place on every DC in the same site, then add the object to the server's local Administrators group.

(Keep in mind that replication may sometimes take more than 15 seconds, in which case you might need to do some manual work for a few servers. Always take a look at the log files created by this script.)
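The procedure above, as an added example (editor's code, not the author's script): it is written against the built-in ActiveDirectory module instead of the Quest cmdlets, and the fixed 15-second sleep is replaced by retrying the local group addition, since the member server resolves the new group through its own DC, which may lag behind the DC the group was created on. The "LA-<SERVER>" naming standard, the OU path and the log path are placeholders.

```powershell
# Added example (editor's, not the author's script): one AD security group per server,
# added to that server's local Administrators group, with logging of every skipped server.
# Placeholders: the "LA-<SERVER>" naming standard, the OU path and the log path.
Import-Module ActiveDirectory

$GroupOU    = 'OU=LocalAdminGroups,DC=domain,DC=lcl'
$LogFile    = 'C:\Temp\Create_RBAC_LocalAdmin.log'
$DomainName = (Get-ADDomain).NetBIOSName
# Pin one writable DC so the "does it exist?" check and the create go to the same directory copy
$DC = [string]((Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1)

function Write-Log {
    param([string]$Message)
    $line = "$(Get-Date -Format s) $Message"
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

function Add-DomainGroupToLocalAdmins {
    # Retry instead of trusting a fixed sleep: the member server may not see the new
    # group until its own DC has received it via replication.
    param([string]$Server, [string]$Group, [int]$Attempts = 6, [int]$DelaySeconds = 10)
    for ($i = 1; $i -le $Attempts; $i++) {
        try {
            $admins = [ADSI]"WinNT://$Server/Administrators,group"
            $admins.Add("WinNT://$DomainName/$Group,group")
            return $true
        } catch {
            if ($i -eq $Attempts) {
                Write-Log "FAIL $Server - could not add $Group after $Attempts attempts: $($_.Exception.Message)"
                return $false
            }
            Start-Sleep -Seconds $DelaySeconds
        }
    }
}

# Only computer objects whose OS is a server edition: XP/Vista/7 workstations are filtered
# out, and cluster name objects carry no OperatingSystem value, so they drop out too.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*"' -Properties OperatingSystem

foreach ($c in $servers) {
    $name  = $c.Name
    $group = "LA-$name"
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        Write-Log "SKIP $name - no ICMP reply"; continue
    }
    if (Get-ADGroup -Filter "Name -eq '$group'" -Server $DC) {
        Write-Log "SKIP $name - group $group already exists, verify its membership by hand"; continue
    }
    New-ADGroup -Name $group -SamAccountName $group -GroupScope Global -GroupCategory Security `
                -Path $GroupOU -Server $DC -Description "Local administrators on $name"
    if (Add-DomainGroupToLocalAdmins -Server $name -Group $group) {
        Write-Log "OK   $name - $group created and added to local Administrators"
    }
}
```

Two points worth keeping in mind when running something like this: a group that already exists under the expected name is skipped, so its current membership is whatever someone put there before, and should be reviewed rather than trusted; and the account running the script needs both the right to create groups in the target OU and local administrator rights on every server, which is why the original asks for Domain Admin credentials.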

For removal of all other objects I have another script but I'll share it as soon as I find it in my laptop...

For a sneak preview of one of the scripts, click to: Create_RBAC_LocalAdmin_AllAD.ps1

To download all these scripts, CLICK HERE.


Active Directory | Other | Powershell

Planning Tool for Microsoft Lync Server 2010 (Release Candidate)

by Omid Abdollahpour 12. October 2010 17:46

I've been interested in UC (Unified Communications) with Office Communications Server 2007 R2 for a long time, but never really had the time to deploy a lab environment with OCS 2007 R2. However, there is a new kid on the block, Microsoft Lync Server 2010 (Lync is a combination of "Link" and "Sync"), which is the new version of OCS. I had the opportunity to play with the product at the Swedish UC Club this evening and the only thing I can say about Lync is: I LOVED IT!!!

This time I'm really serious about learning (hopefully almost everything about) Lync, and I found a great tool for starters that I would obviously like to share...

Planning Tool for Microsoft Lync Server 2010, which is available at Microsoft Download website.

I installed the planning tool about an hour ago. How it works is: at the start, you answer a few questions about what your current infrastructure looks like and what your needs are. Based on the answers, the tool generates a Visio drawing of how your deployment may look, the port requirements for the network, the hardware requirements and so on.

Download, install and have fun!

NOTE: Take a look at Tommy Clarke's blog if you also are interested in Lync Server. http://www.cinline.se/



Exchange Server 2007 | Exchange Server 2010 | Lync | OCS

A "Best Practice" in my own opinion when I write my PowerShell scripts

by Omid Abdollahpour 5. October 2010 20:39

Most people, when writing their own PowerShell scripts, create one script per task and start over when it's time for a new one. Sometimes you need exactly the same function in another script, but if you wrote the script containing that function long ago, it may take a long time to find the "old" script itself (if you are lucky), and then you need to read through the whole script to find what you really need.

Whenever I write a PowerShell script, what I focus on is dividing the script into blocks (or "functions", which is the better word). I always save those blocks separately so I can easily reuse the functions in another script that may do something completely different from the first one. As soon as I am done with the individual blocks, I put them together like Lego bricks to form the main script.

And never forget to put comments in your scripts, because they really help you work out what you did when you need it again.

Let me show you a good example. Please take a look at the "Create_LocalUsers_ServerList.ps1" script.

In this script, I've defined three different functions: "Ping-Svr" to check whether the destination computer is alive, "Add-LocalUser" and "Add-LocalAdmin". What this script does is:

- Get a list of servers on which this account will be created
- Define the local user name, password and description in variables
- For each server you've provided, ping it; if you get an answer, create the local user and add it as a member of the "Administrators" group. Write log files while this task executes.

So, when I post my scripts on my blog later on, I will try to publish these "blocks" instead of the whole main script.

Download: Create_LocalUsers_ServerList.ps1 and Remove_LocalUsers_ServerList.ps1 scripts


Powershell

PowerShell script - Shut down multiple computers

by Omid Abdollahpour 1. October 2010 14:18

I've been thinking for a while to share some of my "simple" PowerShell scripts on my blog so here we go, it's time to upload the first one.

About a year ago, I got a little request from a customer to shut down more than 500 computers at the same time. To take care of it, I wrote a simple script, which worked smoothly.

What this script does is read a file called "computers.txt" and shut down every computer defined in that text file. Because the script runs WMI queries, the firewalls need to allow ICMP and RPC: TCP port 135 for the endpoint mapper plus the dynamic RPC port range that DCOM then negotiates (by default 49152-65535 on Windows Vista/Server 2008 and later), not port 135 alone. The account you run it as must be a local administrator on every target computer; a Domain Admin account works, but it grants far more than this task needs.
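The same idea as an added example (editor's code, not the author's script): read computers.txt and shut the listed machines down over WMI, with confirmation and a -WhatIf dry run so that a typo in the list does not power off the wrong 500 machines. File paths are placeholders.

```powershell
# Added example (editor's, not the author's script): shut down every computer listed in
# computers.txt via WMI. Asks for confirmation per host unless -Confirm:$false is passed,
# and supports -WhatIf for a dry run. Paths are placeholders.
function Stop-ListedComputers {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$ListPath = '.\computers.txt',
        [string]$LogFile  = '.\shutdown.log',
        [switch]$Reboot,
        [System.Management.Automation.PSCredential]$Credential
    )
    # Win32Shutdown flags: 1 shutdown, 2 reboot, 8 power off; add 4 to force open applications closed
    $flags = if ($Reboot) { 2 + 4 } else { 8 + 4 }

    # Skip blank lines and '#' comments so a commented-out host is never touched
    $targets = Get-Content $ListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }

    foreach ($pc in $targets) {
        if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
            Add-Content $LogFile "$(Get-Date -Format s) SKIP $pc no ICMP reply"
            continue
        }
        if (-not $PSCmdlet.ShouldProcess($pc, "Win32Shutdown($flags)")) { continue }
        try {
            $wmi = @{ Class = 'Win32_OperatingSystem'; ComputerName = $pc; ErrorAction = 'Stop' }
            if ($Credential) { $wmi['Credential'] = $Credential }
            $os     = Get-WmiObject @wmi
            $result = $os.Win32Shutdown($flags)      # ReturnValue 0 means the request was accepted
            if ($result.ReturnValue -eq 0) {
                Add-Content $LogFile "$(Get-Date -Format s) OK   $pc flags=$flags"
            } else {
                Add-Content $LogFile "$(Get-Date -Format s) FAIL $pc Win32Shutdown returned $($result.ReturnValue)"
            }
        } catch {
            Add-Content $LogFile "$(Get-Date -Format s) FAIL $pc $($_.Exception.Message)"
        }
    }
}

# Dry run first: prints what would be shut down without calling Win32Shutdown
Stop-ListedComputers -WhatIf
# Then the real run, without a prompt per host:
# Stop-ListedComputers -Confirm:$false
```

Get-WmiObject talks DCOM, which is what makes the port 135 plus dynamic RPC range requirement above necessary. On PowerShell 3.0 or later, `Stop-Computer -ComputerName $pc -Force -Protocol WSMan` does the same job over WinRM (TCP 5985/5986), which is far easier to allow through internal firewalls than the DCOM range.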

To see the script, please click here

DOWNLOAD THE SCRIPT


General | Powershell | Windows 7 | Windows Server 2008 | Windows Server 2008 R2


About

Well, my name is Omid and I work as a virtualization specialist at a Swedish company called Xperta AB. My primary focus is on server virtualization with Hyper-V and management of virtual IT infrastructure with System Center Virtual Machine Manager. I'm a Microsoft Certified Trainer, MCITP and MCTS in different areas, and I also spend quite a lot of time with various Microsoft technologies such as Exchange Server, Active Directory, PowerShell, Forefront TMG and the System Center product family.

For more information, please check out www.kabal.se.

