GPODoc – PowerShell Module

I just posted my first PowerShell module to the PowerShell Gallery, even though it’s been available on my GitHub site for a little while longer.  It’s a small project, with only two (2) functions so far: Get-GPOComment and Export-GPOCommentReport.

Get-GPOComment is purely CLI and queries GPOs to return the descriptions and comments embedded in them.

Export-GPOCommentReport is a CLI function as well, but produces an HTML report (which is technically GUI output) of embedded GPO comments and descriptions.

The module is simple to load by way of the Install-Module and Import-Module cmdlets (see below).  The only requirement is to have the GroupPolicy PowerShell module installed first.  This is normally present on all AD domain controllers, as well as on other servers and workstations which have the Windows 10 RSAT package installed (tip: you can also use Chocolatey to install RSAT:  choco install rsat, or cinst rsat).

Loading The PowerShell Module

Install-Module GPODoc

Trying it out: Get-GPOComment

Get-GPOComment -GPOName '*' -PolicyGroup Policy


Get-GPOComment -GPOName '*' -PolicyGroup Preferences

You can easily modify the output layout since the output is in hash table format…

Get-GPOComment -GPOName '*' -PolicyGroup Preferences | Format-Table

If you want more flexibility in selecting the inputs, you can use the Get-GPO cmdlet and channel the output through a pipeline.  For example…

Get-GPO -All | Where-Object {$_.DisplayName -like "U *"} | 
  Select-Object -ExpandProperty DisplayName | 
    Foreach-Object {Get-GPOComment -GPOName $_ -PolicyGroup Policy}


The parameters for this function are as follows:

  • GPOName
    • [string] single or array of GPO names
  • PolicyGroup
    • [string] (select list) = “Policy”, “Preferences” or “Settings”
    • Policy = query the GPO descriptions only
    • Settings = query the comments attached to GPO internal settings only
    • Preferences = query the comments attached to GPO Preferences internal settings only

This also respects -Verbose if you want to see more background details.

Export-GPOCommentReport

This function only takes two (2) inputs:

  • GPOName
    • [string] single or array of GPO names
  • ReportFile
    • [string] the path/filename for the HTML report file to create.

It invokes Get-GPOComment, combining the “Policy”, “Preferences” and “Settings” output, and writes it all to an HTML report file of your choosing.  The CSS formatting is hard-coded for now, but I’m open to feedback if you want more options. You can specify the GPO name(s) directly, or feed them via the pipeline.


Example web report…


If you used 1.0.1 (posted a few days earlier) scrap that and get 1.0.2.  The older version had some major bugs in the Get-GPOComment function, and the Export-GPOCommentReport function wasn’t available until 1.0.2.

Feedback and suggestions are welcome.  Even if it’s “hey man, your shit sucks. Consider a dishwashing job, or something else.”  Any feedback is better than no feedback.

Thank you!

 

Documenting Your IT Environment (The Easy Way)

One of the most common, and tragically problematic, aspects of today’s IT world is the lack of sufficient documentation. In fact, ANY documentation. It’s not associated with any one area either. It crosses everything from help desk tickets, to change requests, to Active Directory objects, to Group Policy, to SQL Server, to System Center to Azure.

UPDATED 8/8/17 – added SQL and SCCM examples at very bottom.

When and Why Does It Matter?

It matters when things go wrong (or “sideways” as many of my colleagues would say).  There’s the “oh shit!” moments where you or your staff find the problem first.  Then there’s the “oh holy shit!!” moments when your boss, his/her boss, and their bosses find the problem first and come down hard on you and your team.  When shit goes wrong/sideways, the less time you waste on finding out the what/where/why/who/when questions for the pieces involved with the problem, the better.  To that end, you can document things in other places, like Word documents, spreadsheets, help desk and ITIL systems, post-it notes, whiteboards, etc.  Or you can attach comments DIRECTLY to the things which are changed.  This isn’t possible in all situations, but it is most definitely possible for many of the things that will straight-up shove your day into a shit storm, and I have no idea what that really means, but it just sounds cool.  Anyhow…

The best part of this approach is that you can leverage PowerShell and other (free and retail) utilities to access and search comments you nest throughout the environment.  For example, you can collect and query Group Policy Object comments…

Need to get the comment buried in a particular GPO or GPPref setting?  Here’s one example for querying a GPO under User Configuration / Preferences / Control Panel Settings / Folder Options.  The comment is stored as the desc attribute of the preference item in the GPO’s XML file under SYSVOL…

#requires -modules GroupPolicy
<#
.SYNOPSIS
  Get-GPPrefFolderOptionsComments.ps1
.DESCRIPTION
  Returns the comment (desc attribute) attached to the Folder Options preference item
  under User Configuration / Preferences / Control Panel Settings of the named GPO,
  by reading the item's XML file from SYSVOL.
#>
[CmdletBinding()]
param (
  [parameter(Mandatory=$True)]
  [ValidateNotNullOrEmpty()]
  [string] $GPOName
)
try {
  $policy = Get-GPO -Name $GPOName -ErrorAction Stop
}
catch {
  Write-Error "Group Policy $GPOName not found"
  return
}
$policyID     = $policy.ID
$policyDomain = $policy.DomainName
$policyName   = $policy.DisplayName
# Preference items live as XML under the GPO's folder in SYSVOL; the comment is the 'desc' attribute
$policyVpath = "\\$($policyDomain)\SYSVOL\$($policyDomain)\Policies\{$($policyID)}\User\Preferences\FolderOptions\FolderOptions.xml"
Write-Verbose "loading: $policyVpath"

$result = $null
if (Test-Path $policyVpath) {
  [xml]$SettingXML = Get-Content -Path $policyVpath -Raw
  $result = $SettingXML.FolderOptions.GlobalFolderOptionsVista.desc
}
else {
  Write-Error "unable to load xml data from $policyVpath"
}
Write-Output $result
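The script above reads one preference item in one GPO.  The same two places are where Get-GPOComment’s “Preferences” and “Settings” groups come from: preference items keep their comment in a desc attribute in the Preferences XML files, and Administrative Template comments are kept in a comment.cmtx file in the same GPO folder, where each comment points at a string in the file’s own stringTable.  Here is an added example that walks both for any GPO (my illustration, not GPODoc’s code, and it assumes the same SYSVOL path shape as the script above).  The two XML documents at the bottom are constructed sample data, and the GPO name in the live-use comment is a hypothetical.

```powershell
# Added example, not GPODoc code: read every comment a GPO keeps in SYSVOL.
#  Preferences: each item in <GPO>\{Machine|User}\Preferences\<Area>\<Area>.xml stores
#               its comment in the 'desc' attribute (FolderOptions.xml above is one case).
#  Admin Templates: <GPO>\{Machine|User}\comment.cmtx maps a policy reference to an entry
#               in its own stringTable through a "$(resource.<id>)" token.
# The two XML documents at the bottom are constructed for this example.

function Get-GPPrefComment {
    param([Parameter(Mandatory)][xml]$Xml, [string]$Scope, [string]$File)
    # Any element with a non-empty 'desc' attribute is a commented preference item
    foreach ($node in $Xml.SelectNodes("//*[@desc!='']")) {
        [pscustomobject]@{
            Scope   = $Scope
            Source  = $File
            Setting = "$($node.LocalName) '$($node.GetAttribute('name'))'"
            Comment = $node.GetAttribute('desc')
        }
    }
}

function Get-GPAdmxComment {
    param([Parameter(Mandatory)][xml]$Xml, [string]$Scope)
    # comment.cmtx declares a default namespace, so XPath needs a prefix bound to it
    $ns = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $Xml.NameTable
    $ns.AddNamespace('c', 'http://www.microsoft.com/GroupPolicy/CommentDefinitions')
    $admxNs = @{}    # file-local prefix (ns0) -> ADMX namespace
    foreach ($u in $Xml.SelectNodes('//c:policyNamespaces/c:using', $ns)) {
        $admxNs[$u.GetAttribute('prefix')] = $u.GetAttribute('namespace')
    }
    $strings = @{}   # resource id -> comment text
    foreach ($s in $Xml.SelectNodes('//c:resources/c:stringTable/c:string', $ns)) {
        $strings[$s.GetAttribute('id')] = $s.InnerText
    }
    foreach ($c in $Xml.SelectNodes('//c:comments/c:admTemplate/c:comment', $ns)) {
        $prefix, $policy = $c.GetAttribute('policyRef') -split ':', 2
        $id = $c.GetAttribute('commentText') -replace '^\$\(resource\.(.+)\)$', '$1'
        [pscustomobject]@{
            Scope   = $Scope
            Source  = 'comment.cmtx'
            Setting = "$($admxNs[$prefix]):$policy"
            Comment = $strings[$id]
        }
    }
}

function Get-GPOSysvolComment {
    # Walk one GPO folder in SYSVOL and return the comments from both sources
    param([Parameter(Mandatory)][string]$PolicyFolder)
    foreach ($scope in 'Machine', 'User') {
        $cmtx = Join-Path $PolicyFolder "$scope\comment.cmtx"
        if (Test-Path $cmtx) {
            Get-GPAdmxComment -Xml ([xml](Get-Content -Path $cmtx -Raw)) -Scope $scope
        }
        $prefRoot = Join-Path $PolicyFolder "$scope\Preferences"
        if (Test-Path $prefRoot) {
            foreach ($f in Get-ChildItem -Path $prefRoot -Recurse -Filter *.xml) {
                Get-GPPrefComment -Xml ([xml](Get-Content -Path $f.FullName -Raw)) -Scope $scope -File $f.Name
            }
        }
    }
}

# Constructed samples (attribute sets trimmed; real files also carry clsid, uid, changed, ...)
[xml]$samplePref = @'
<RegistrySettings>
  <Registry name="EnableLUA" desc="Ticket 4711: keep UAC on for the kiosk build">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" name="EnableLUA" type="REG_DWORD" value="00000001"/>
  </Registry>
  <Registry name="NoComment" desc=""/>
</RegistrySettings>
'@
[xml]$sampleCmtx = @'
<policyComments revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
  <policyNamespaces>
    <using prefix="ns0" namespace="Microsoft.Policies.WindowsDefender"/>
  </policyNamespaces>
  <comments>
    <admTemplate>
      <comment policyRef="ns0:DisableAntiSpyware" commentText="$(resource.DisableAntiSpyware)"/>
    </admTemplate>
  </comments>
  <resources minRequiredRevision="1.0">
    <stringTable>
      <string id="DisableAntiSpyware">CHG-2041: third-party AV in use, Defender disabled by security team</string>
    </stringTable>
  </resources>
</policyComments>
'@

@(Get-GPPrefComment -Xml $samplePref -Scope 'Machine' -File 'Registry.xml') +
@(Get-GPAdmxComment -Xml $sampleCmtx -Scope 'Machine') | Format-Table -AutoSize
# Two rows: Registry 'EnableLUA' (the empty desc is skipped) and
# Microsoft.Policies.WindowsDefender:DisableAntiSpyware with its resolved comment.

# Live use (GPO name is a hypothetical):
# $g = Get-GPO -Name 'Workstation Baseline'
# Get-GPOSysvolComment -PolicyFolder "\\$($g.DomainName)\SYSVOL\$($g.DomainName)\Policies\{$($g.Id)}"
```

Because the functions only read files, the account running this needs nothing more than the read access every domain member already has to SYSVOL.  Policy-level descriptions (the “Policy” group) are not in SYSVOL at all; those come from Get-GPO’s Description property, which is why the GPODoc functions lean on the GroupPolicy module for that part.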

Example…

So, What Now?

So, in the interest of avoiding more bad Mondays, start documenting your environment now.  Need some examples of where to start?  Here you go…

 

Thank you for your support.

Poor Man’s IT Chain Reactions


Challenge:

Make sure every machine in the enterprise (connected to LAN or always-on VPN) has the latest version of psexec.exe on the local C: drive.

Why?

Why not?  That’s why.

Option 1:

AKA – the semi-automated, safety switch turned off, fully-loaded, drunk guy holding the trigger option.

  1. Download psexec.exe from live.sysinternals.com (or direct: https://live.sysinternals.com/psexec.exe) and place into AD domain SYSVOL scripts folder (e.g. \\contoso.com\netlogon)
    Example…

    $WebClient = New-Object System.Net.WebClient
    $WebClient.DownloadFile("https://live.sysinternals.com/psexec.exe","\\contoso.com\netlogon\psexec.exe")
  2. Create Group Policy Object (GPO) with Computer Preferences setting to copy psexec.exe from the SYSVOL share to a location on the local C: drive. Configure to “update” so that future version updates will be passed down to the clients.
  3. Create a Scheduled Task to keep the SYSVOL copy up to date with the latest version.
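Step 3 is the one that deserves some care: whatever lands in NETLOGON gets copied to every machine by the GPO, so the refresh job should only publish a download that carries a valid Microsoft Authenticode signature and is newer than what is already on the share.  Here is an added example of that job (my illustration, not part of the original post).  The share path, the script path the task runs, and the gMSA name are assumptions for contoso.com; substitute your own.

```powershell
# Added example (not from the original post): the NETLOGON refresh job behind step 3.
# Publishes the download only when it is Microsoft-signed and newer than the current copy.
# Share path, script path and the service account are assumptions for contoso.com.

function Get-FileVersionNumber {
    param([Parameter(Mandatory)][string]$Path)
    # FileVersion is free text ("2.43" for PsExec); pull the dotted number out of it
    $raw = (Get-Item -Path $Path).VersionInfo.FileVersion
    $m = [regex]::Match([string]$raw, '\d+(\.\d+)+')
    if ($m.Success) { [version]$m.Value } else { [version]'0.0' }
}

function Test-MicrosoftSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status covers hash and chain; the subject check refuses any other valid signer
    $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match '^CN=Microsoft Corporation,'
}

function Update-NetlogonPsExec {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SourceUrl = 'https://live.sysinternals.com/psexec.exe',
        [string]$Target    = '\\contoso.com\netlogon\psexec.exe',       # assumed share path
        [string]$Staging   = (Join-Path $env:TEMP 'psexec.download.exe')
    )
    # Windows PowerShell defaults to TLS 1.0, which the download site no longer accepts
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $SourceUrl -OutFile $Staging -UseBasicParsing
    try {
        if (-not (Test-MicrosoftSignature -Path $Staging)) {
            throw "Download failed the signature check; nothing published to $Target"
        }
        $new = Get-FileVersionNumber -Path $Staging
        $old = if (Test-Path $Target) { Get-FileVersionNumber -Path $Target } else { [version]'0.0' }
        if ($new -le $old) {
            Write-Verbose "NETLOGON has $old, download is $new; nothing to do"
            return $false
        }
        if ($PSCmdlet.ShouldProcess($Target, "replace version $old with $new")) {
            Copy-Item -Path $Staging -Destination $Target -Force
        }
        return $true
    }
    finally {
        # Never leave the staged binary behind, whether or not it was published
        Remove-Item -Path $Staging -Force -ErrorAction SilentlyContinue
    }
}

Update-NetlogonPsExec -Verbose

# Register the daily run once, from an admin console. A group managed service account
# with write access to NETLOGON keeps the task free of stored passwords (names assumed):
# $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Update-NetlogonPsExec.ps1'
# $trigger   = New-ScheduledTaskTrigger -Daily -At 3am
# $principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\gmsa-netlogon$' -LogonType Password
# Register-ScheduledTask -TaskName 'Refresh NETLOGON psexec' -Action $action -Trigger $trigger -Principal $principal
```

Run it with -WhatIf the first time to see the version comparison without touching the share.  The signature check is the part that matters: the GPO copy step trusts NETLOGON unconditionally, so this job is the only point where a bad file can be stopped before it fans out to every endpoint.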

Pros

  • Cheap (free)
  • Fairly automated (just add water, makes its own sauce / set it and forget it)

Cons

  • Smells like duct tape and coat hanger wire
  • Every endpoint now carries a ready-made lateral-movement tool, and many AV/EDR products flag or quarantine psexec.exe, so expect to tune exclusions and detections
  • The GPO copies whatever is in NETLOGON without question, so the download step had better verify what it publishes

Option 2:

AKA – The “I have a budget, so kiss my butt” option.

  1. SCCM package or application deployment

Pros

  • You look cool pulling it off, but not as geeky as option 1.

Cons

  • More moving parts under the hood.
  • May require additional steps to maintain a consistent current version across all devices.

Option 3:

AKA – The “I don’t have a budget, so kiss my butt” option.

  1. Include within image configuration (MDT, SCCM, Ghost, Acronis, etc.)

Pros

  • Easy

Cons

  • Difficult to maintain a consistent and current version across the enterprise

Option 4:

AKA – the “most fun to laugh about during the next beer-meeting” option

  1. Send the new guy around with a USB thumb drive

Pros

  • Great fun in the office

Cons

  • Do I really need to spell this out?

 

The 5 Immutable Laws of IT Life

1 – The person you need most will be unavailable when you need them.
2 – The problem will stop as soon as you try to show it to someone else.
3 – The simplest task will end up taking the most time.
4 – The feature you need most will be the least documented.
5 – That which saves you time, will cost more money (and vice versa).

Setting up a Real World IT Lab


Updated: v1.1 – Fixed bug in step 8.2; added final step for consultants

Whether it’s for your full-time job, a customer reflection platform as a consultant, or a certification study environment, if you work in IT today, you have to make or buy a lab in order to keep up.  It’s no longer a luxury, it’s a must-have.  But, while many resources exist for making a lab at home, or in the cloud, most are fairly clean and “textbook” configurations.  The real world is nasty, ugly and smells pretty bad.  If off-the-shelf lab tools and hydration kits were a dog, they’d be neatly-trimmed and bathed poodles, while the real world lab would be a dumpster filled with dead fish, baking in the Texas sun for weeks on end.  This is one of the trade secrets seasoned IT professionals keep close to their chest.

Well, fear not.  I have compiled and prepared a simple how-to outline for building your own lab, to reflect that beast we call the ‘real world’.  Let’s get started.

  1. First off, start with 5-8 year old hardware.  Make sure it doesn’t support anything really new, like TPM.  If it still has DB25 and PS/2 ports, that’s a winner.
  2. Beef it up to no more than 8 GB of DDR2 memory
  3. Stuff a hefty 250 GB 7200 RPM Hard Disk in it, and add a few others at either 5400 or 7200 RPM rates.  Find the nearest vacuum cleaner, and empty the dust bag into the vents on the server case.  The more dust, the better. Kind of like a seasoned cast-iron skillet.
  4. Load it up with Windows 2000 Server
  5. Install VMware Workstation 9
  6. DO NOT, and I repeat DO NOT, install ANY hotfixes or updates on it.
  7. Power it on and wait for it to get to the login prompt.  It should take around 15 to 20 minutes or so.  If it gets there sooner, remove some memory and reboot again.
  8. Configure an Active Directory forest and domain.
    1. Create 100 random OU’s
    2. Create 400 random GPO’s and link them to as many OU’s as possible.
    3. For added realism, randomly select a dozen GPO’s and apply inheritance blocking.
    4. Modify the Default Domain Policy to contain at least 75 settings.  It doesn’t matter what they are, random selections work best.
    5. Do not document any GPO settings whatsoever.
    6. Create 500 computer accounts with random names. Create 500 user accounts with random names. These will reflect a typical company environment which has 25 real computers and 35 real users.
  9. Turn off all firewalls, and install any antivirus that comes up in the sidebar ads while searching Bing for “ultimate antivirus”, but avoid any products with recognizable names.
  10. Add “Domain Users” and “Users” to the local “Administrators” group on every machine in your lab.
  11. Copy random files to every machine until the C: drive is around 96% full.

Now, you are ready to play the game of “ask management for an upgrade budget”

  1. If you’re married, put some clothes on and carefully knock on the bedroom door.  It works best if your wife/husband is watching his/her favorite show on his/her tablet or phone, that way your intrusion puts him/her in an authentic mood, to match that of a real MBA type, who’s busy updating Facebook and LinkedIn when you knock on their office door.
  2. If you’re not married, substitute your most-recent girlfriend/boyfriend.  Otherwise, use a random neighbor, stranger or off-duty bus driver.  Do not use anyone under 21 years of age who didn’t drop out of school, because they’ll be too smart for this.  Remember, the key here is to be authentic.
  3. Make your best pitch for a budget to replace all of that hardware and software with modern stuff.  If you want really real realism, ask for a budget to migrate everything to AWS or Azure.  Always double your asking price, so they’ll cut that in half, and approve 40% of the remainder.
  4. Ask for additional IT staff, but be sure to double that number as well, so when they reject the entire request, it will at least look like you tried.

Now comes the real work.

  1. Turn off the server and go mow the lawn, wash the car, do some dishes, walk your dog or cat around the block a few times.  This will simulate dealing with support request tickets and attending useless status meetings.
  2. If you get back to the server in less than 5 hours, you rushed it.  Go back and do it again until you use at least 5 or 6 hours.
  3. When you get back to the server, turn it on and then go take a shower.  This will simulate you trying to get caught up on email, Slack, Teams, SharePoint, Hangouts, and writing all the reports you were asked to do during all those daily meetings.
  4. When you get back to the server, it should be around 8 PM (assuming you started around 7:30 AM), so this is about perfect for a typical time to get started on actual technical work.
  5. After one hour, stop and ask your wife/girlfriend/boyfriend/neighbor/bus driver if they need anything from the nearby fast food place.  When you get back it should be around 11 PM or midnight, so it’s time to make coffee and get that last OU populated.
  6. If you’re doing this right, you should fall asleep at your desk around 1:30 AM at the earliest.
  7. Don’t forget tomorrow is that 6:30 AM all-hands meeting, that the CIO requested.
  8. And don’t forget that at 8:00 AM you’re supposed to demo how you’re planning to migrate all of your infrastructure to Azure using Hyper-V, PowerShell and Office 365, in front of all the executives who need to approve your request.  If you don’t have it ready yet, forget the sleep stuff tonight.

That should just about do it.  But there’s more.  For added realism, you can include the following:

  • Cut your sleep down to 2:30 AM to 6:00 AM, or 3:00 AM to 5:00 AM for optimal effect.
  • Start massive consumption of coffee, Red Bull or Monster.  In fact, never leave your desk without one of these in one of your hands
  • Always carry a mess of papers in one hand and coffee cup in the other, and your smartphone in the other.  Yes, that’s three hands, figure it out.  Always look stressed and anxious, and out of breath.  This is commonly referred to as “office camouflage”
  • Stop eating healthy. It’s bad for you.  Doughnuts are the most efficient food source.  Pure calories for pure energy.
  • Time yourself in the desk chair.  If you’re getting out of your chair more than every 3 or 4 hours, that’s too much.
  • Wherever you sleep, if you do, make sure to keep your cell phone next to you, with the ringer volume at the max.  You’ll need this for on-call rotation practice.  Set the alarm to go off every 55 minutes for randomized effect.  If you have a friend that barely speaks your native language, ask them to have a friend of theirs call you at random times between midnight and 5 AM and scream about something crashing or being on fire.
  • Ask for a raise.  This is best practiced on someone who doesn’t understand your native language at all.  Not even one word.  Go ahead, make your best case.
  • Take up smoking. Not for your health, but as a proven excuse to go outside to call recruiters, searching for another job.  If smoking isn’t feasible, walking is an okay substitute, just not as good for your health.
  • Hire consultants

Within a few weeks, you’ll be out of the hospital and back to work, just like a real IT professional.

IT Security Methods by Industry

After years (okay, decades,… okay, okay, centuries…..  damn it… alright! alright already, eons… are you happy now?  yes.  I’m THAT freaking old.  I still remember coal-fired computers and horse-drawn airplanes and shit.  My birthday cake is a slice of tree trunk of matching rings, but the table can’t hold the weight anymore.  sheesh!)

What was I saying?  …. (eyes wandering left and right…. … . . .          …  .         …. . .      .   .  )

oh yeah!  I’ve amassed a data set that accurately summarizes the predominant security practices or strategic “methods” leveraged by each major US industry. I warn you: this is highly scientific information.  It may require additional consumption of various questionable substances just to remain conscious while trying to read it all. Here goes.


Banking

Method: Place sufficient restrictions on the adoption of new technologies, so as to (A) mitigate unknown vulnerabilities and exploits, (B) ensure that those with knowledge of older, proven exploits have died from old age, and (C) keep certain aging consultants employed (because they’re married into your family).  And besides, what’s wrong with COBOL?

Insurance

Method:  Never leave important IT decisions up to any one person, ever.  In fact, the more people involved, the greater insurance that the decision will eventually be reliable, maybe.  Larger companies focus on perfecting multi-role hyper-proliferated subterfuge logic branching and coalescing processes.  In layman’s terms: they foster greater variety among responses to decision inquiries.  Many have invested heavily in processes which depend entirely on custom hand-stitched, stone-carved, natural leather encased software, usually written by someone who left or died long ago.

Defense Manufacturing

Method: Implement dozens of stop-gap procedures to ensure every motion of IT is slowed to the lowest possible, almost un-measurable, velocity.  Think of a Japanese rock garden, only slower.  Where the sand is executive processes and the stones are IT staff, now simply add quick-set cement to the sand mix and sprinkle some water on it.  This ensures that even the bad stuff will take forever to make headway, and by that time, the entire system will have been eventually decommissioned.  Forget penetration attempts, even social engineering-based, because they’re often project-oriented, not departmental, so most people have no clue what that next cube is working on.  In fact, they probably don’t use the same network, computers or operating systems.

Legal

Method: Relegate “IT” to whomever answers the Craig’s List ad for an “IT Expert”.  Critical skills include: printer management, thumb drives, recovering lost files and emails, and using Excel databases” (that’s not a typo).  Must also have experience with Macs and Windows XP, particularly with kids games.

If they have any in-house “IT” capacity at all, it’s often enough shock to send a consultant into cardiac arrest.  Due to possible legal implications, it’s best to never change passwords for critical user accounts and never, I mean NEVER, delete anything.  Keep everything forever, or as long as you can afford somewhere to store it.

Travel

Method:  Agents need to be flexible and mobile.  Everything is done on laptops.  Everything remains on laptops.  No time for that silly, trendy, cloud stuff.  No backups, no cloud sync, but OMFG do NOT let anything happen to that precious data on those roaming laptops!  Thumb drives are forgotten like Matt Damon in Interstellar, waiting for someone to give them a hug, only to have their face shield cracked open and their chip tossed away.  Shit.  Did I give away the plot?

Advertising / Marketing

Method: Hire someone quick, and get back to the conference before the food runs out.

Transportation

Method: If it’s airlines, use railroad standards.  If railroads, use airline standards.  Either way, the older the technology the better.  It’s like a cast-iron frying pan, after years of seasoning, or a vintage wine.

 

Municipal

Method: Deny all requests for pay increases for five (5) years, reduce promotions from once every five (5) years to once every ten (10) years, discontinue any training programs, and for God’s sake: deny all requests for stupid things like newer software and hardware.  It worked in 1995, so it should still work!  Hire a consultant to blame internal staff for every deficiency, terminate and reassign to avoid audit trails and blame the contractor afterwards.

Federal Agencies

Method: Same as municipal, but on a much larger scale.  Every four (4) years, change direction from in-sourcing to out-sourcing, and blame the opposite for any failures that remain.  If conservatives win, out-source to private contractors, where expertise and trust are premium values, after all, when has anyone ever heard of a private contractor doing something wrong in a government position?  Then blame liberals.  If liberals win, open up the job requisition flood gates and hire at will.  However, keep GS-rating pay scales at 1995 levels to avoid asking for tax increases.  This helps ensure only the highest-quality employees are onboarded from their previous positions as private contractors or foreign exchange students.  Then blame conservatives for any failures.  Think of it as seasonable employment.

Medical/Dental Practices

Method: Hire the first contracting IT firm that actually shows up.  If they wear those spiffy-looking polo shirts with a slick company logo, they might be too expensive.  Ask if your cousin’s friend graduated tech school yet.  You know, the one who puked all over your sofa when he brought her to crash in your apartment while you were out of town.  That one.  If she’s not available, what about that kid that asked you about spark plugs while you were trying to inflate your car tires that day.

 

Summary

See if you can guess which of these most closely matches the photo above.

Expert Tips for SCCM Log Analysis


1. Locate cmtrace.exe (or another suitable “active” log viewer)
2. Open cmtrace.exe and click “yes” to register it as default log viewer
3. Consume precisely 5 quarts of a strong, caffeinated liquid substance
4. Browse to location (folder) with log files and double-click desired log file
5. Rub eyelids approximately 12 times, make sure to yawn fully and loudly
6. Stare at log details and look for any lines colored in red.
7. Ignore red lines which do not actually display an error, but are instead mentioning that they’re looking for an error
8. Ignore yellow lines which do not actually display a warning, but instead show mention of looking for warnings
9. Rub eyelids 12 more times.
10. Announce to whomever interrupts that you’re busy reviewing log files (the louder the better)
11. Open another log file (selected at random)
12. Stare intently at one line, without scrolling
13. Rub chin, squint, and nod slightly. You may also say “hmmmm”
14. Scroll and repeat step 12
15. Repeat steps 10 through 13, approximately 5 more times.
16. Open browser and begin searching for fragments of error messages along with “sccm error log…”
17. Inhale deeply, exhale loudly.
18. Consume more caffeinated liquids
19. Rub eyes some more
20. Lunch break.
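Steps 7 and 8 are the real tip in that list: a line that mentions “error” is not the same as a line the component logged as an error.  The agent records the severity itself in the type= field of every entry (1 info, 2 warning, 3 error), so you can sort by that instead of by color.  Here is an added example that does so (my illustration, not from the original post).  The log text in it is constructed in the format the ConfigMgr client writes; the path in the last comment is the standard client log folder.

```powershell
# Added example (not from the original post): classify ConfigMgr log entries by the
# severity the component recorded (type="1" info, "2" warning, "3" error) rather than
# by the words in the message. The sample log text is constructed for this example.

$CMLogPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<component>[^"]*)"\s+context="(?<context>[^"]*)"\s+type="(?<type>\d+)"\s+thread="(?<thread>\d+)"\s+file="(?<file>[^"]*)">'

function ConvertFrom-CMLog {
    param([Parameter(Mandatory)][string]$Text)
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    # Singleline lets '.*?' span the line breaks inside multi-line messages
    foreach ($m in [regex]::Matches($Text, $CMLogPattern, 'Singleline')) {
        $t = $m.Groups['type'].Value
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = ($m.Groups['time'].Value -split '[+-]')[0]   # drop the UTC offset suffix
            Component = $m.Groups['component'].Value
            Thread    = [int]$m.Groups['thread'].Value
            Severity  = if ($severity.ContainsKey($t)) { $severity[$t] } else { "Type$t" }
            Message   = $m.Groups['msg'].Value
        }
    }
}

function Get-CMLogError {
    param([Parameter(Mandatory)][string]$Path)
    # -Raw keeps multi-line entries together for the regex
    ConvertFrom-CMLog -Text (Get-Content -Path $Path -Raw) | Where-Object { $_.Severity -eq 'Error' }
}

# Constructed sample: two informational lines that merely mention errors/warnings,
# one real error and one real warning.
$sample = @'
<![LOG[Checking for error on previous run.]LOG]!><time="08:15:01.123+300" date="03-02-2017" component="CcmExec" context="" type="1" thread="4120" file="ccmexec.cpp:200">
<![LOG[Looking for warnings in policy cache.]LOG]!><time="08:15:02.456+300" date="03-02-2017" component="PolicyAgent" context="" type="1" thread="4120" file="policyagent.cpp:310">
<![LOG[Failed to connect to management point. Error 0x80072ee2]LOG]!><time="08:15:05.789+300" date="03-02-2017" component="CcmExec" context="" type="3" thread="4120" file="ccmexec.cpp:450">
<![LOG[Retry scheduled in 10 minutes.]LOG]!><time="08:15:05.790+300" date="03-02-2017" component="CcmExec" context="" type="2" thread="4120" file="ccmexec.cpp:460">
'@

$entries = ConvertFrom-CMLog -Text $sample
$entries | Where-Object { $_.Severity -eq 'Error' } | Format-Table Date, Time, Component, Message -AutoSize
# One row: the management point failure. The two "error"/"warning" mentions stay at Info.

# Against a real client log:
# Get-CMLogError -Path 'C:\Windows\CCM\Logs\ccmexec.log' | Format-Table -AutoSize
```

Pipe the output of ConvertFrom-CMLog through Group-Object Component or Where-Object on Thread to follow one component or one thread through a busy log, which is the part of steps 11 through 15 that a viewer never makes easy.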