Devices, Scripting, Technology, windows

100-level 101

By my semi-quasi scientific reasoning, I estimate that this scenario has occurred in my presence approximately 34.75 times in the past 10 years. That number could be completely fictitious, but you have to prove me wrong, so good luck.

Anyhow, it happened yesterday, and today I had to actually apply it again myself, so it reminded me to blabber about it again, here, on my blabber blog. Remember, this is 100-level 101 stuff, so if you start rolling your eyes, I warned you already.

Challenge: You need to confirm a registry key is set on a remote client, RIGHT THIS FREAKING SECOND. The registry key is under one of the users who uses that machine. You only know the following:

  • The machine name
  • The user’s first and last name

Caveats: You are logged onto one of the domain controllers. You do not have Configuration Manager. You only have a keyboard, a mouse, a brain, a pair of eyeballs, and possibly a sleeping dog and angry cat nearby. Nothing else. Clothing is optional.

Workflow:

  • You ping the remote computer (e.g. “DT001”) and it responds with a happy wave and a smile.
  • You open trusty, old, bearded REGEDIT.exe and click File / Connect Network Registry. You enter the computer name (e.g. “DT001”). It tells you to **** off.
  • You apply some wax to your mustache and curl the ends neatly, crack your knuckles and continue. If you don’t have a mustache, use someone else’s for now.
  • Open a PowerShell console
  • Type: Get-Service RemoteRegistry -ComputerName DT001
  • It returns some information, including Status = “Stopped”
  • You attempt to start it: Get-Service RemoteRegistry -ComputerName DT001 | Start-Service. But it tells you to **** off.
  • You crack your knuckles once more and don a sinister look, like Daniel Day Lewis in There Will Be Blood
  • Set-Service RemoteRegistry -ComputerName DT001 -StartupType Manual
  • Get-Service RemoteRegistry -ComputerName DT001 | Start-Service
  • So far, so good. Go back to REGEDIT and connect successfully
  • You open HKEY_USERS and see a bunch of SID stuff, like “S-1-5-21-1234567890-0987654321-234234234234-1234”, but you don’t know which one is related to the desired user account
  • Your dog reminds you that you are currently logged onto a domain controller.
  • You know the user is “Jimmy Jerkweed”, so you search for him using Get-ADUser -Filter 'Name -like "*Jerkweed*"' | select *
  • You find one with a SID property that matches the registry key names and dive in

The Short Version

  • ping DT001
  • Set-Service RemoteRegistry -ComputerName DT001 -StartupType Manual
  • Get-Service RemoteRegistry -ComputerName DT001 | Start-Service
  • Regedit.exe / Connect Network Registry / DT001
  • Get-ADUser -Filter 'Name -like "*jerkweed*"' | select SID

Way too many times, this would stop at the second bullet (above). The technician would insist that either a firewall, or anti-virus, were blocking access. Or maybe there was a problem with the machine. Not so.

  • By default, the Remote Registry service is disabled. Therefore, it cannot be forced to start, especially remotely.
  • Without this service running, you cannot connect to the registry from a different machine on the network, regardless of your privileges.
  • In most cases, by default, as a user with direct (or indirect) administrative rights on the remote machine, you can change the service startup type property from “disabled” to “manual”, allowing you to then start it, even remotely.
  • When using a Windows workstation, or member server (not a domain controller), you can also run the Get-ADxxxx cmdlets, if you have RSAT installed and enabled. If you don’t, and can’t, you can install the AdsiPS PowerShell module and do the same using Get-AdsiUser.
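
The same workflow as a single function, as an added example that is not from the original post. It assumes Windows PowerShell 5.1 and the ActiveDirectory module; the function name, registry sub-key and value name are hypothetical placeholders. Unlike the manual steps, it puts the Remote Registry service back the way it found it, so the check does not leave the service enabled on the client.

```powershell
#requires -Version 5.1
#requires -Modules ActiveDirectory
# Added example. Windows PowerShell 5.1 only: -ComputerName was removed from
# Get-Service/Set-Service in PowerShell 6+.
function Get-RemoteUserRegValue {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $ComputerName,  # e.g. DT001
        [Parameter(Mandatory)] [string] $LastName,      # e.g. Jerkweed
        [Parameter(Mandatory)] [string] $SubKey,        # hypothetical, e.g. Software\Contoso\App
        [Parameter(Mandatory)] [string] $ValueName      # hypothetical, e.g. Enabled
    )

    # Resolve the name to exactly one SID; never guess between several matches.
    $safeName = $LastName.Replace("'", "''")            # escape quotes for the AD filter
    $users = @(Get-ADUser -Filter "Name -like '*$safeName*'")
    if ($users.Count -ne 1) {
        throw "Expected 1 AD user matching '$LastName', found $($users.Count)."
    }
    $sid = $users[0].SID.Value

    # Record the service state first so it can be restored afterwards.
    $svc = Get-Service -Name RemoteRegistry -ComputerName $ComputerName -ErrorAction Stop
    $wasDisabled = ($svc.StartType -eq 'Disabled')
    $wasRunning  = ($svc.Status -eq 'Running')
    $hive = $null
    try {
        if ($wasDisabled) {
            Set-Service -Name RemoteRegistry -ComputerName $ComputerName -StartupType Manual
        }
        if (-not $wasRunning) {
            Get-Service -Name RemoteRegistry -ComputerName $ComputerName |
                Start-Service -ErrorAction Stop
        }
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::Users, $ComputerName)

        # A user's hive is only under HKEY_USERS while that profile is loaded.
        $hiveLoaded = $hive.GetSubKeyNames() -contains $sid
        $keyFound = $false
        $value = $null
        if ($hiveLoaded) {
            $key = $hive.OpenSubKey("$sid\$SubKey")     # read-only open
            if ($null -ne $key) {
                $keyFound = $true
                $value = $key.GetValue($ValueName)      # $null if the value is absent
                $key.Close()
            }
        }
        [pscustomobject]@{
            Computer   = $ComputerName
            User       = $users[0].Name
            SID        = $sid
            HiveLoaded = $hiveLoaded
            KeyFound   = $keyFound
            Value      = $value
        }
    }
    finally {
        # Undo only what this function changed.
        if ($null -ne $hive) { $hive.Close() }
        if (-not $wasRunning) {
            Get-Service -Name RemoteRegistry -ComputerName $ComputerName |
                Stop-Service -ErrorAction SilentlyContinue
        }
        if ($wasDisabled) {
            Set-Service -Name RemoteRegistry -ComputerName $ComputerName -StartupType Disabled
        }
    }
}

# Usage (placeholder key and value):
# Get-RemoteUserRegValue -ComputerName DT001 -LastName Jerkweed -SubKey 'Software\Contoso\App' -ValueName Enabled
```

If HiveLoaded comes back False, the user is not logged on to that machine and their profile hive is not mounted under HKEY_USERS, which is a different result from the key being absent.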

Cheers!

Personal, Projects, Technology

ud-cmwt, conferences and doggy poo bags

ud-cmwt

A few people asked what I was blabbering about on Twitter recently that mentioned “ud-cmwt”. I promised I would elaborate, alas, I procrastinate, but here’s the nutshell:

Millions of years ago, before the last ice age melted and uncovered what would become Mitch McConnell and Keith Richards, there was a quasi web-project, oh, never mind. I’m too tired to be stupid. Wait. You’re never too tired to be stupid. I should say, too stupid to be tired.

Anyhow: it’s a revised/revamped/retooled CMWT built on Adam Driscoll’s fantabulously increditastical PowerShell module: UniversalDashboard (Community Edition). It’s at 0.0.5 on PowerShell Gallery, but it’s only a scaffold framework right now. It lets you poke around and list users, groups, computers, packages, applications, os images, and a bunch of SQL information (server, database, tables, etc.) – linked to ConfigMgr, AD, AzureAD and SQL Server, just like the old CMWT was (except for AAD part).

Yes, it’s one more project I’m piling on my pile of over-piled project piles. But it’s really fun. And 0.0.6 will add drill-down searching and detail views like CMWT had. Phase 3 will add manipulation gyration to the extrapolation of interpolation. hmm. Here are some screen shots to wow you with…

Upcoming Conferences

PowerShell Saturday – Raleigh

I’ll be presenting at PowerShell Saturday in Raleigh NC on Saturday, September 21, 2019. Yes, you read correctly: I’m actually getting in front of a large group of people and speaking. Some would say torturing is a better word, but I hope it’s at least mildly entertaining. Tickets are still available, but are going fast, so don’t wait too long!

Aside from me, there are quite a few incredible people presenting at the conference, so please do not make up your mind on my participation. Do it for the awesome stuff you’ll learn from the other awesome people. But if you attend my session, please stop by afterwards and say hello?

MMS Jazz – New Orleans

I will also be (tentatively) speaking at two (2), yes, holy shit, at MMS Jazz Edition in New Orleans, November 10 – 14, 2019. The schedule is posted, but may change as things solidify. Tickets are still available, but not for much longer. Just take a look at the list of speakers and you’ll be looking for where your jaw fell off, right next to mine. I’m still pinching myself.

Doggy Poo Bags

So, one of the other human pets walking their dog masters around the neighborhood started bagging their master’s poo and leaving the bags where they tied them up. I’m not kidding. Little green bags all over the place.

One of the neighbors assumed it was me, but I kindly corrected his malformed perceptions. I showed him my custom doggy poo bags I purchased in a crate-sized package from Amazon. No one else uses them in my hood. I’m saving the planet, one pile at a time. Of course, they go into a landfill, sealed in plastic, for the next 5000 years, just like nature intended.

Podcasting

I’ve been toying with podcasting, solo format for now. I ran out of space on SoundCloud, so when I get time, I plan on finding a more suitable place to store and host them from. As if you don’t already have enough noise in your life. I’ll add some more.

Thank you for reading!

business, humor, Projects

How to Use Your Consultants

If you work for a company, or maybe you own a company, or maybe you just know of a company, and you hire or work with consultants for various things, there are some common things to pay attention to which are often overlooked. Let’s get started!

Let’s say that your boss asks you, “Hey, Jim. Don’t we have some vouchers sitting around?”

You answer, “We sure do, Bob, and my name is Dave.”

“That’s great, Jim! Maybe we can use those to get a fancy consultant in here to whip us into shape!”

“Yes ma’am, I’ll get right on it!”

You dig around and find the vouchers, and then call your trusty vendor representative, who was already eagerly awaiting your phone call. He/she tells you about their “partner program”.

You swallow hard, and ask, “Tell me about this ‘partner’ thing?”

“It’s a fantastic program we offer to only our highest-valued premium super-awesome platinum-level customers, just like you! It’s a program with partners.”

“That sounds awesome! How do we use it?!”

“It’s easy Dan.”

“It’s Dave.”

“Right, sorry about that, Doug. Anyhow, it’s where we offer you a list of partner consulting firms, and you choose one to help you solve a technical challenge, or adopt a new challenge, right from the comfort of your conference room.”

You slam the phone down, jump around and squeal like a baby pig, then calm down and make some calls. You ask all your drunk high school buddies for recommendations, and they all agree that they don’t know what a consultant is. So you pick one from the vendor list, and arrange a conference call to discuss your ideas.

Soon after, you’re on your way to pursuing a new project. Now it’s time to plan how to misuse their services to the greatest benefit of someone else, not you. Here’s how you do it…

Don’t have a clear list of objectives

That’s right. Clear objectives are for the movies. Real people don’t have them.

Figure out what the consultant should do when he/she arrives. They don’t mind waiting around for vague direction. And whatever issues you’re facing each day, you can leverage the consultant to help with those, while they’re waiting for the actual project to begin. You hired them to help onboard O365 and Intune accounts, but why not ask them to help with your printer issues? It’s your money, so burn it up however you want.

Also, all that mumbo-jumbo the vendor mentioned about “valid uses” for using your vouchers is just talk. They don’t care if you want to use them for completely unrelated products and services. Microsoft vouchers? No problem, they’ll be fine for working on that VMware problem.**

Don’t assign one person to each role

Leave every decision to a committee. It works great. After all: If one person can make a great decision, then 8 people can make an even greater decision! It’s like traffic: Just add more lanes and the traffic jams go away.

When the consultant asks for a user account to be created in Active Directory, it should involve as many people as possible. One for each object attribute if possible. And when it comes to PXE, oh boy, that should involve at least one person from every protocol-related aspect of your business.

For example, to create the guest account for the consultant, you might need the following:

  • Someone from the Networking team (because PXE needs a network)
  • A Facilities person or two (because networks have wires and stuff, and they use closets sometimes)
  • Someone for DNS (since your imaging process will probably need name resolution somewhere)
  • Someone else for DHCP (of course)
  • An Active Directory team:
    • Someone to focus on the naming convention
    • Someone to focus on group memberships
    • Someone to focus on the initial password
    • Someone to create the account incorrectly the first time
    • Someone to fix the incorrect account, but also remove it from requested groups
    • Someone to add the fixed account back to the missing groups
  • Someone from IT Security (because they have to be at every meeting anyway, so why not?)
  • Someone from HR to make sure the consultant isn’t offensive or insensitive.
  • A Telecom person (make sure the conference room is working for the remote folks)
  • Someone from Accounting (because something will cost something),
  • At least one Project Manager for each group above (got to keep those toddlers in line, after all)
  • And, someone from the cafeteria (you’re going to need coffee during all those meetings).

After a dozen or so meetings, you should have a clearer picture of how many weeks it will take to get the first account created, and a few more weeks to get the correct permissions assigned to it. If you start now, you might get 3 accounts created before the next fiscal budget runs out.

As a general rule: A meeting isn’t considered appropriately-staffed unless there are at least 12 people in the room. So, to be safe – double that.

Don’t be in a hurry

You’re important. You have a lot going on. Printers jamming. Passwords expiring. Facebook is slow. Jimmy spilled another beer into his keyboard. And the cleaning crew unplugged your router again. When that pesky consultant asks for some information, make sure to take your sweet time getting them an answer. Giving them a quick answer only cheapens your value in their eyes. Taking your time earns their respect.

A typical best practice rule is at least 24 hours per question. If they ask three (3) questions, that should take at least 72 hours. And if you only work 1 shift per day, that should be 72 business hours, or roughly 31 days.

And if the consultant reminds you about some so-called “expiration date” on those vouchers, be sure to remind them how important your business is. The vendor will obviously jump through every hoop to extend your deadline, because you’re waaaaay more important than any of their other customers. As if they have any other customers. Ha ha ha!

Be Flexible

One of the worst things you can do when bringing a consultant onto a project is lock things down too much. It’s important to keep your options open. Even something like picking one system or product to focus on can be risky.

Remember: Contracts are just rules. And rules are made to be broken.

For example, let’s say you signed a contract to get a consultant to help you with migrating to Office 365 and Exchange Online. There’s nothing stopping you from shifting direction at the first meeting. Some good examples might be:

  • “We can’t get these 5-year old laptops to image with Windows 10 using our old Ghost setup and DVD disks”
  • “Skype keeps crashing on the CFO’s computer, at his condo.”
  • “The CEO’s 6 year old daughter says she knows more about Office 365 than you.”

Just remember to stay flexible and adapt to whatever you feel is important each day. After all, you don’t know how many more you’ll get.

Conclusion

I hope you found this article informative and educational. Doing your part to keep consultants on their toes is the best way to ensure you get the most out of the shares you own in their company.

** Disclaimer: Nothing said above makes any sense whatsoever and should be completely ignored.

Projects, Scripting, Technology

Building Blocks: PowerShell module rollbacks

What is a “roll back” you ask? (I know you didn’t really ask, but for those that wanted to ask…) in general terms, it is rolling back to a previous version of some piece of software, in this case a PowerShell module. For example, going from module version 1.2 back to 1.1.

A customer asked me, “What’s the best way to roll back to a specific version of a PowerShell module?”

I said, “As a consultant, the answer is ‘it depends’”, ha ha! Just kidding. Well, kind of kidding. Okay, not really kidding, but all kidding aside… The process usually follows this workflow (assuming this is a public module, which you do not own/maintain):

Rollback Scenarios

Reminder: Because this happens so often, it’s like struggling with a USB plug – – – Whenever you are working with installing, updating or removing PowerShell modules, open the PowerShell console using “Run as administrator”. Alternatively, you can manage them under your “user” scope alone.

For the following examples, I’m using the PowerShell module: dbatools. There is nothing wrong (as far as I’ve seen) with the latest version, but I’m going to roll it back to a previous version to demonstrate my incoherent blabbering.

Scenario A – Old Version Still Installed

If the PowerShell module was updated using Update-Module, there’s a good chance that the prior version(s) are still installed on the local system. To confirm, use Get-Module <modulename> -ListAvailable.

In this example, I have two (2) versions installed (1.0.15 and 1.0.20). I want to uninstall the newer version (1.0.20) and leave only 1.0.15 installed.

I would normally use Uninstall-Module <modulename> -RequiredVersion <bad-version> or in this example: Uninstall-Module dbatools -RequiredVersion 1.0.20, as shown below.

You may get an error saying another module is “dependent” upon the one you’re trying to remove (see example above). If so, make note of the dependent module, uninstall it, then try the first uninstall again. Once you have the version you want, you can reinstall the dependent module (assuming it’s not actually dependent on the version you just uninstalled, doh!!)

After all this fuss, it now shows dbatools version 1.0.15 installed.

Scenario B – PS Gallery

If only the newest version (the bad version) is installed, check to see if the prior version is still available on the PowerShell Gallery. You can do this using Find-Module <modulename> -AllVersions.

Warning: dbatools lists pretty much every version since inception, so the list is very long.

If the results show the version you want/need, simply uninstall the current module and install the specific version from the PS Gallery.

Tip: This method supports rolling back to as far back as the author maintains in the PS Gallery. If they chose to unlist a particular version that you need, this won’t work, and you’re on to scenario C below.

Scenario C – GitHub Repository

If the prior version you need is no longer available on the PowerShell Gallery, the next place to look is on the “Project site” or GitHub repository. In some cases, this isn’t possible, but thankfully, it’s more often available than not.

Go to the GitHub site, open the repository, confirm the version, and the branch, and click the Clone or Download button, then click Download Zip. Extract the ZIP file contents somewhere.

Keep in mind that the folder structure provided by the GitHub ZIP download is not the same as what PowerShell modules require in the default path environment. Use the following command to display the current module path…

(Get-Module <name> -ListAvailable).Path

Note the version number in the path string. You will need to “spoof” this to match the version you downloaded so the PowerShell environment will properly recognize it. For this example, just pretend it shows “…\1.0.20\…” and “…\1.0.15\…” doesn’t exist.

Navigate to the parent folder (e.g. the module name itself, “dbatools”), such as “c:\Program Files\WindowsPowerShell\Modules\dbatools”

Create a new sub-folder for the version you want (i.e. “1.0.15”)

Open the ZIP file, drill-down under the first root-level folder, to see the main files and folders. Extract the contents from there into that new module path folder on your hard drive.

IMPORTANT: This extract/copy process will place more than is really needed, but it’s okay. PowerShell will only load what it needs and ignore what it doesn’t need.

If there is no GitHub (or other) repository available, or the version is no longer available for some reason, you’re on to scenario D below.

Scenario D – F**k it

That’s right, just F**K it. Yell out obscenities, and claim you have Tourette syndrome. After you calm down, search for alternative sources:

  • Other systems which still have the older module version installed (copy the folders/files)
  • System or file backups which you could pilfer to get the older module files back. Use the $env:PSModulePath variable to guide you towards the folder and file location(s).
  • Call a friend who might have an older version installed somewhere, and threaten them with fresh doughnuts or cold beer, until they give in.

If that doesn’t work, go to a gym and beat up a punching bag for an hour.

Meanwhile

As it turned out, they’d built a PowerShell-based automation process using internal scripts, and modules available on the PowerShell Gallery. Nothing unusual about that; it is what it was intended for. However, they had also built in an automatic “update all modules” task at the beginning of their script.

This is a major no-no, because it violates basic “change control” rules. Every change (emphasis on “every”) should (read: must) be tested prior to applying in a production environment. Making the update process part of the production workflow automatically breaks that rule. And in their case, the module they were using was updated to deprecate a parameter on a particular function, which crashed their particular process.

Be careful not to confuse what I’m saying with automated CI/CD pipelines (dev > test > prod). This is merging external changes into a production environment; skipping dev and test entirely. In a nutshell, if you follow standard change control practices, you should rarely, if ever, encounter this situation.
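
One way to replace an “update all modules” step with pinned versions, covering the roll back in Scenarios A and B as well (an added example, not the customer's script or code from the original post). The function name Use-PinnedModule and the version table are hypothetical; the -Scope CurrentUser choice is an assumption so the example runs without elevation.

```powershell
# Added example: the production script loads only versions that were tested
# and approved, instead of calling Update-Module at the top.
$PinnedModules = @{
    dbatools = '1.0.15'    # the version rolled back to in the scenarios above
}

function Use-PinnedModule {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [hashtable] $Pinned,
        [switch] $RemoveOtherVersions      # Scenario A clean-up, off by default
    )
    foreach ($name in $Pinned.Keys) {
        $want = [version]$Pinned[$name]
        $installed = @(Get-Module -Name $name -ListAvailable)

        if ($installed.Version -notcontains $want) {
            # Scenario B: fetch exactly this version from the gallery.
            # -Force allows a side-by-side install next to a newer version;
            # -ErrorAction Stop aborts the run if the version is unlisted.
            Install-Module -Name $name -RequiredVersion $want -Repository PSGallery `
                -Scope CurrentUser -Force -ErrorAction Stop
        }

        if ($RemoveOtherVersions) {
            # Scenario A: remove every installed version except the pinned one.
            Get-InstalledModule -Name $name -AllVersions |
                Where-Object { [version]$_.Version -ne $want } |
                ForEach-Object {
                    Uninstall-Module -Name $name -RequiredVersion $_.Version -ErrorAction Stop
                }
        }

        # Load the pinned version explicitly; a bare Import-Module would pick
        # the highest version found in $env:PSModulePath.
        Import-Module -Name $name -RequiredVersion $want -Force -ErrorAction Stop

        Get-Module -Name $name |
            Where-Object { $_.Version -eq $want } |
            Select-Object Name, Version, Path
    }
}

# Usage: Use-PinnedModule -Pinned $PinnedModules
```

Changing a pinned version then becomes an edit to the table that goes through dev and test like any other change.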

Long story short (like I’m any good at short stories), they couldn’t locate a local copy of the older version and didn’t have a suitable backup to search, but the older version of the module was available in PS Gallery, so they went with scenario B.

Then the angry pack of wolves climbed in through the bedroom window in the middle of the night and ate every single one of them. Oh wait, wrong story…

And they lived happily ever after. The end.

Cloud, Scripting, Technology

Building Blocks: GitHub Issues via PowerShell

The PowerShell module “PowerShellForGitHub” contains a powerful collection of functions to let you interact with, and manage, your GitHub goodies. (Note: read the Configuration section carefully before using). I won’t repeat the installation and configuration part since they already took care of that just fine.

After playing around with it, I found one useful way to leverage this is to query the open issues for my repos, and feed selected information to other things like e-mail, Teams, and so forth. Since it’s just providing a pipeline of information, you can send it off anywhere your mind can imagine.

#requires -modules PowerShellForGitHub
function Get-GitHubRepoIssues {
  [CmdletBinding()]
  param (
    [parameter(Mandatory=$True, HelpMessage="The name of your repository")]
    [ValidateNotNullOrEmpty()]
    [string] $RepoName,
    [parameter(Mandatory=$False, HelpMessage="GitHub site base URL")]
    [ValidateNotNullOrEmpty()]
    [string] $BaseUrl = "https://github.com/skatterbrainz"
  )
  try {
    # -ErrorAction Stop makes a failed query a terminating error so the catch block runs
    $issues = Get-GitHubIssue -Uri "$BaseUrl/$RepoName" -NoStatus -ErrorAction Stop |
      Where-Object {$_.state -eq 'open'} |
        Sort-Object Id |
          Select-Object Id,Title,State,Labels,Milestone,html_url
    $issues | ForEach-Object {
      # Flatten the label objects into one semicolon-delimited string
      $labels = $null
      if (![string]::IsNullOrEmpty($_.Labels.name)) {
        $labels = $_.Labels.name -join ';'
      }
      [pscustomobject]@{
        ID     = $_.Id
        Title  = $_.Title
        State  = $_.state
        Labels = $labels
        Milestone = $_.milestone.title
        URL    = $_.html_url
      }
    }
  }
  catch {
    # $_ is the error that triggered this catch block
    Write-Error $_.Exception.Message
  }
}

Sample output…

So, if you have a GitHub account with active repositories and issues, you might be able to glue some cool things together using PowerShell. If you have a cool example, share it in the comments below and I’ll be happy to share it on Twitter as well.

Cheers!

BitBucket, Society

Beer Talk Ammunition

For the next time you get into a rough and sweaty debate over various statistically-related topics while consuming liquified intoxicants, I hereby provide a list of handy “oh yeah?! ACTUALLY …. ” resources to defend your fortress of illogical logic.

But First…

Be careful when stepping in to refute someone’s claims, especially if they’re armed, drunk, or armed and drunk. Also, when someone invokes a statistic, pay close attention to the date of the statistic. VERY few statistical reports are (or can be) released within a year of the date on which they closed. It takes a while for nerds to crunch numbers down to a form which drunk idiots can understand.

Lock -n- Load…

Now…. Lock -n- Load!

System Center, Technology

Support Requests – 2017 Flashback

I was just talking with someone about how “times have changed” just since 2017. Then I found an old email which had a list of cases I was working on around Q1-17 (former employer). Compared to then, 2019 has been much more calm.

  1. ConfigMgr client push account not having permissions on the remote devices.
  2. Over-zealous Antivirus settings getting in the way (McAfee) of ConfigMgr client installations.
  3. Network admins added/changed subnets without telling SCCM admins (site boundary updates)
  4. Using separate accounts in trusted AD forests, rather than a central trusted account, and the passwords were out of sync.
  5. Another team installed a 3rd party help desk product on the same SQL host SCCM uses, and didn’t tell them it hogs most of the available memory and violates the terms of the ConfigMgr/SQL license.
  6. After suggesting the use of an isolated IP subnet and dedicated DP for a central imaging workbench, the server admin team instead added a 2nd NIC to both the SCCM primary site server and a different DP, on different subnets, one without a gateway, and didn’t tell the SCCM admins or anyone else.
  7. IT staff enrolled several Surface Books with EMS/Intune, and then removed the Intune client and installed the SCCM client and then opened a support ticket about why the client no longer shows as “managed” in Intune. Microsoft investigated, explained and closed the request (as they should have). The customer argued to keep the request open. I was brought in to help explain why it should be closed (that alone took 2 days).
  8. Primary site server has CrowdStrike, Symantec EP, and Malwarebytes agents installed, all are active, and none have ConfigMgr exclusions. Long day.
  9. Client Push installation has custom settings which set the default MP to one that was removed from the environment years ago.
  10. Network team re-assigned subnets during an office relocation. No one was notified to update AD sites and subnets or ConfigMgr (site boundaries).
  11. DNS scavenging was turned off, with DHCP lease duration of 3 days and 50% of devices roam around the campus every day or two.