Jan Egil`s Admin-Blog

Validate SPN mappings using Windows PowerShell

January 28, 2010

What is a SPN mapping?

A Service Principal Name (SPN) mapping allows a service running on an Active Directory computer to be associated with a domain account that are responsible for the management of the service. This allows the use of mutual Kerberos authentication, and an account defined in a SPN mapping are able to request Kerberos tickets on the requesting user`s behalf. Examples of services that uses Kerberos and SPN mappings include SQL Servers, web servers, LDAP servers, Exchange servers and so on.

Validation of SPN mappings

A SPN mapping must be unique within an Active Directory domain, and duplicate mappings will result in problems for the involved services.

While the command line tool setspn.exe, which are used for managing SPN mappings also can be used for queries, I wanted to use Windows PowerShell to accomplish this. I`ve put together a script module with two functions:
Resolve-SPN – Resolves the provided SPN mapping
Resolve-AllDuplicateDomainSPNs – Resolves all SPN mappings in the domain and reports duplicate mappings

The script module are available on the TechNet Script Center Gallery, click here for the direct link.

Save the script module as a psm1-file in the following directory: %userprofile%\Documents\WindowsPowerShell\Modules\SPNValidation

You need to manually create the 3 subfolders under %userprofile%\Documents if they doesn`t exist.

When done, start Windows PowerShell and type the following command:

You should now see the SPNValidation module.
Import the module with the Import-Module cmdlet:

Resolve-AllDuplicateDomainSPNs can be executed without any parameters:

Resolve-SPN has one mandatory parameter: –SPN
Example usage:

Note that the PowerShell Active Directory module for Windows
Server 2008 R2 are required, because the Get-ADObject cmdlet are used in one of the script module`s functions.
The PowerShell Active Directory module are also available in Remote Server Administration Tools (RSAT) for Windows 7.

Leave a Comment » | Active Directory management, Scripting, Windows PowerShell | Tagged: duplicate SPN, Service Principal Name, SPN mappings | Permalink
Posted by Jan Egil Ring

Automate Group Policy Preferences printer-management using Windows PowerShell

January 18, 2010

I`ve written a couple of blog posts earlier on Group Policy Preferences and printer deployment using Group Policy.

Using Group Policy Preferences is a very flexible way to deploy printer connections. This is also very manageable in smaller environments. What if you got hundreds, or even thousands of printer connections you need to deploy? Do you want to sit down and make several thousands of mouse clicks to accomplish the task? There are better alternatives!

Based on SDM Software`s Group Policy Automation Engine, I`ve created a script module to handle this. The script module are available from this link.

Save the script module as a psm1-file in the following directory: %userprofile%\Documents\WindowsPowerShell\Modules\GPPreferencesPrinters
You need to manually create the 3 subfolders under %userprofile%\Documents if they doesn`t exist.

When done, start Windows PowerShell and type the following command:

You should now see the GPPreferencesPrinters module.
Import the module with the Import-Module cmdlet:

As you can see there are two functions in addition to SDM Software`s cmdlet: Add-GPPreferencesPrinter and Get-GPPreferencesPrinter.

Example 1:

Example 2:

If you got the printers listed in an Excel spreadsheet, save the document in csv-format:

The csv-file may be used like this to import the printer connections:

Additional functions and parameters will later be added to the script module, i.e. Remove-GPPreferencesPrinter and Item-Level Targeting. Note that example usage for Item-Level Targeting are provided in the Group Policy Automation Engine User Manual.

1 Comment | Active Directory management, Deployment, Group Policy, Print management, Scripting, Windows PowerShell | Permalink
Posted by Jan Egil Ring

Outlook signature based on user information from Active Directory

January 9, 2010

To provide a consistent company image all users should use the same signature template in their Outlook profile. I`ve created a Windows PowerShell-script to deploy a consistent Outlook signature to users, based on user information retrieved from Active Directory. I`ve used the fields “Display name”, “Title, “E-mail” and “Telephone number”, however, additional fields may be added to suit your needs.

Step-by-step

1) Download the script from here. Save it to a UNC-path accessible for all users.

2) Adjust the custom variables:

3) From an Outlook client, create a signature based on your company template:

4) Copy the signature files from %appdata%\Microsoft\Signatures to the UNC-path specified in the SigSource-variable in the script:

5) Open both Company Name.rtf and Company Name.htm in Microsoft Office Word and insert the following bookmarks:

Mark each word, e.g. “EmailAddress”, go to “Insert”, press the “Bookmark”-button and name the bookmark “EmailAddress”. It`s important that the names of the bookmarks are “DisplayName”, “Title”, “TelephoneNumber” and “EmailAddress”.
This is because these bookmarks are replaced by the information retrieved from Active Directory for the logged-on user.

6) When appropriately tested, deploy the script to end users. This may be accomplished by e.g. Group Policy:

Additional information

Sample signature created using Set-OutlookSignature.ps1:

Active Directory object for sample user:

Settings are stored in HKCU in the registry:

A few notes:
-Existing signatures are preserved
-Users are allowed to make customizations to their signatures until a new version are deployed. Then the exisiting company-signature will be overwritten.

2 Comments | Microsoft Outlook, Scripting, Windows PowerShell | Tagged: outlook signature from active directory | Permalink
Posted by Jan Egil Ring

Single Sign-On to Remote Desktop Services

December 25, 2009

Single sign-on is an authentication method that allows users with a domain account to log on once to a client computer by using a password, and then gain access to remote servers without being asked for their credentials again. See more details here for Windows Server 2008 and here for Windows Server 2008 R2.

On the client-side SSO are currently available for Windows XP with SP3, Windows Vista and Windows 7.

Configure SSO on the server-side

To configure SSO on the server-side (Windows Server 2008 Terminal Services or Windows Server 2008 R2 Remote Desktop Services), set the option “Security layer” to either “Negotiate” or “SSL (TLS 1.0)”:

Best practice would be to configure this in a common GPO for all Remote Desktop Services servers in the domain:

This setting resides under Computer Configuration->Policies->Administrative templates->Windows Components->Terminal Services->Terminal Server->Security.

Configure SSO on the client-side

Using a common GPO would also be the best practice to deploy the client settings needed for SSO to work.
The “Allow Delegating Default Credentials” resides under Computer Configuration->Policies->System->Credentials Delegation:

Enable “Allow Delegating Default Credentials”, press the “Show”-button and either specify the domain pre-fixed with * to allow delegation to all servers in the domain, or specify specific servers:

Next, create a RDP-file and deploy this file to the client computers.
Before deploying the file, open it in a text editor, e.g. Notepad, and add the following line: enablecredsspsupport:i:1
This will enable SSO for the RDP-file.

I would also recommend to sign the RDP-file with a Code Signing certificate. This can be accomplished using the utility rdpsign.exe:

Sample signing:

When a RDP-file are signed, the following will be added to the bottom of the file:

signature:s:AQABAAEAAADBCgAAMIIKvQ……..

For Windows Vista and Windows 7 clients, the configuration would now be completed when the RDP-file are deployed.

For Windows XP clients the following would be necessary in addition to the steps above:
-Service Pack 3 needs to be installed
-At least version 6.0 of the Remote Desktop Client
-Turn on the CredSSP Security Provider

The steps to turn on the CredSSP Security Provider are described in this kb-article.

I would recommend deploying these registry settings using Group Policy Preferences:

Also the RDP-file may be deployed in the same way:

I`ve covered the usage of Group Policy Preferences in a previous post.

Also, SSO can be combined with Remote Desktop Services Web Access. The Remote Desktop Services Team has posted an excellent post describing how to set up SSO in RDS Web Access.

1 Comment | Group Policy, Remote Desktop Services, Terminal Services, Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP | Tagged: rds web access, Remote Desktop Services, Single Sign-On, Single Signon, SSO, terminal server | Permalink
Posted by Jan Egil Ring

Mapping printers based on Active Directory group membership using Windows PowerShell

November 28, 2009

While researching for a logon script setup for mapping network printers using Windows PowerShell, I thought of using the Windows native tool printui.dll for the actual printer mappings.
However, I was`nt quite sure how to check for a users` group membership in Active Directory. This sure can be accomplished with a tool like Quest`s PowerShell Commands for Active Directory. However, installing this on every domain computer wasn`t an option.
Then I found Andy Grogan`s PowerShell function for determining AD group membership.

Based on this function, and the printui.dll the task was easy to accomplish. I`ve published a sample script to PoshCode.org, available from here.

You may also want to check out “PrintUI.DLL User’s Guide and Reference“.

Tested with Windows PowerShell v 1.0/2.0 and Windows XP/Vista/7.

As an alternative, you may also want to check out this blog post on mapping printers using Group Policy.

Leave a Comment » | Deployment, Print management, Scripting, Windows PowerShell | Permalink
Posted by Jan Egil Ring

Deploying printers using Group Policy

November 8, 2009

Traditionally printer connections have been deployed to users with scripting, like batch (net use) and Kixtart (AddPrinterConnection).

I would now like to show how printer connections can be deployed using Group Policy. Today we have 2 possible solutions for natively deploy printers using Group Policy without the need for any scripting:

1) Group Policy Preferences – available in Windows Server 2008 and later

2) Print Management – available in Windows Server 2003 R2 and later

Using Group Policy Preferences to deploy printers are described in an earlier blog post, available here. Therefore, I won`t explain any further details regarding this.

I will focus on the Print Management which has a powerful “Deploy with Group Policy” feature.

Configure printer deployment on

print servers

To use the “Deploy with Group Policy” feature, you need to install the “Print Management Component” feature from “Add/Remove Windows Components” in Windows Server 2003 R2. In Windows Server 2008/2008 R2 you need to install the “Print Server”-role from the “Add Roles Wizard”.

When installed, you`ll find “Print Management” under “Administrative tools” on the Start menu:

The following screenshots are taken from Windows Server 2008 R2.

When you open the Print Management Console you will see an overview of Custom Filters, Print Server and Deployed Printers:

You may add additional filters and print servers to the console, which you can read more about in the links in the bottom of this post. For now, we`ll focus on the printer deployment part.

Right-click the printer you want to deploy, and select “Deploy with Group Policy”:

Select “Browse” to choose a Group Policy Object where the printer connection will be deployed. Select “per user” and/or “per machine” and press “Add”. Then click “OK”:

You should now receive a message stating that the deployment operation was successful. Click “OK”:

The printer will now be deployed to client computers.

Behind the scenes

To understand how the print deployment feature works, we`ll activate the “Advanced Features” option on the “View”-menu in “Active Directory Users and Computers”:

Open the “Group Policy Management Console”, go to the Group Policy Object you deployed the printer to, and select “Details”:

Note the “Unique ID” (GUID).

Back in ADUC, expand “System” and then “Policies”:

This is where the actual Group Policy Objects in Active Directory are stored, in addition to \\domain.local\sysvol\policies.

Find and expand the Group Policy Object you deployed the printer to. You will now see “PushedPrinterConnections” under the “Machine” and “User” nodes:

When looking at “PushedPrinterConnections” under the “User” node, we see an entry of type “msPrint-ConnectionPolicy”:

When we go into “Properties” on the “msPrint-ConnectionPolicy” and go to “Attribute Editor”, we can see that this represents the printer connection we added:

Deployment to client computers

Client computers running Windows Vista and later have native support for the new printer connection policies, and will work “out-of-the-box” when printer connections are added to a Group Policy.

Client computers running Windows 2000 and Windows XP doesn`t support the the new printer connection policies natively. To resolve this, there are a utility called “pushprinterconnections.exe” which must be added to a logonscript in Group Policy. This utility will check the computer and user Group Policy Objects and add any printer connections defined.

This utility have 1 parameter: –log. This is useful when troubleshooting problems, and I would recommend you to use this parameter. As you can see, the utility should not be run manually from the command line:

Here is an example of the utility added to a logon-script in a Group Policy Object:

The log-files are named “ppcUser.log” and “ppcComputer.log”. These are located in the %temp% directory:

Here is an example output of the logfile:

In Windows 2000 and Windows XP, no other feedback than these log-files are provided.

In Windows Vista/Windows Server 2008 and later, the following feedback are shown during logon:

In addition, any failures are logged to the “Application”-log with Source “SpoolerSpoolss”.

Special considerations

Windows 2000 supports only “per machine” deployments when using the pushprinterconnections.exe utility.

The pushprinterconnections.exe utility won`t catch “per user” connection policies when using “User Group Policy loopback processing”. You must link the GPO containing the “per user” connection policies to an Organizational Unit where the users reside.

Use ACL`s on the printer objects on the print servers to publish the printers based on group membership. By using this approach, all printer connections may be defined in the same Group Policy Object.

My recommendations

As I said in the introduction to this post, printer connections have traditionally been deployed to users with scripting. Since there are native ways to accomplish this using Group Policy, this would be my recommendation.

Considerations for using the “Deploy with Group Policy” feature in the print server role:

-the print administrator would have an overview over all printers which are deployed with the Print Management Group Policy feature in the Print Management console
-printers can be administered in an individual GPO like GP Preferences with the Print Management console. To do so, open Group Policy Editor, expand Computer Configuration/User Configuration->Policies->Windows Settings->Deployed Printers
-it requires that pushprinterconnections.exe are run on Windows XP and Windows Server 2003 clients
-it is available with Windows XP/Windows Server 2003 R2 and later (backwards compatible to Windows 2000 Professional/2000 Server)
-it requires Windows Server 2003 Client Access Licenses (CALs)

Considerations for using Group Policy Preferences:

-it can handle more different printer types (local, TCP/IP, and shared instead of only “shared”)
-it has several additional options (deleting all existing connections, setting default printer, etc.)
-it can save a lot of GPOs because you can have many printer objects in one GPO and use “Item Level Targeting” to address each printer individually (e.g. clients in a specific IP-range, per group or even per user)
-it is easy to automate the process of adding printer objects to a GPO using Windows PowerShell, since the GP Preferences settings are store in XML-files
-it requires that Group Policy Client Side Extenstions are deployed on Windows XP and Windows Server 2003 clients
-it is available with Windows Vista/Windows Server 2008 and later (backwards compatible to Windows XP/2003 Server)
-it requires Windows Server 2008 Client Access Licenses (CALs)

Resource links

Step-by-Step Guide for Print Management
(Applies To: Windows Server 2003 R2)

Print Management Step-by-Step Guide
Applies To: Windows Server 2008

Print Management
(Applies To: Windows 7, Windows Server 2008 R2, Windows Vista)

Deploy the PushPrinterConnections.exe Utility

2 Comments | Deployment, Group Policy, Print management, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2 | Permalink
Posted by Jan Egil Ring

Bulk-create printer objects on print servers using Windows PowerShell

November 7, 2009

When installing a new print-server with several hundreds or thousands of printer objects there arent`t too much fun doing this manually.

Here are 3 steps to automate this process:

1) Install all the necessary printer drivers on the printserver

2) Create a csv-file with a listing of all printer objects and their properties

3) Bulk-import the printer objects using a script

For the 3rd step I`ve created a basic Windows PowerShell script, available on PoshCode.org from this link.

The script contains one function for creating a TCP/IP printer port and one function for creating a printer object. These functions are used in a foreach-loop cycling through the csv-file containing all the printer objects. The script are pretty basic, and should be further expanded with error handling and further details for printer properties.

The script are created and tested on a Windows Server 2008 server against a remote Windows Server 2003 server.
Running the script from Windows Server 2003 returns an access denied error, possibly due to the impersonation-model in Windows Server 2003. However, it should work from Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 against remote print-servers (2000/2003/2008/2008 R2).

Especially the ability to set NTFS permissions on the printer objects would be a useful addition in the script.

Please feel free to leave suggestions for improvements in the comments section below.

Update 09.11.2009:
I`ve got some feedback regarding the ability to set NTFS permissions on the printer objects in the script.
A utility called SubInACL from Microsoft could be used for this.

Example usage:
subinacl.exe /printer “\\print-server\printer” /revoke=”Power Users”
subinacl.exe /printer “\\print-server\printer” /grant=”DOMAIN\Domain Users”

The tool can be downloaded from here.

6 Comments | Print management, Scripting, Windows PowerShell | Permalink
Posted by Jan Egil Ring

How to install an Excel Add-in with PowerShell

November 1, 2009

Recently I had the need to automate the process of installing Excel Add-ins in a terminalserver (or more correctly Remote Desktop Services environment since this was Windows Server 2008 R2) environment.

Since Excel Add-ins are per-user based, this was in the first place a manual setting. Of course we wanted to automate this process, so I researched a bit on the internet and found mostly VBScripts. I`ve used this KB-article as a template.

Although this worked very well, I`m trying to leverage the use of PowerShell as much as possible. Many would say that VBScripts load much faster, and are more effecient as logonscripts.
Even though PowerShell v1 was a bit slow due to the lack of assemblies not being ngen`ed, as described on the PowerShell Team`s Blog, this bug is fixed in v2 and I`m quite happy with the loading time now.

I basicly re-wrote the sample VBScript in the KB-article, the result are uploaded to PoshCode.org and available from here.

I used an if-statement to check if the Add-in are already installed, to avoid installing it on every logon.

When tested and ready for production, the script may be distributed as a traditional logonscript, or alternatively with Group Policy:

Leave a Comment » | Group Policy, Remote Desktop Services, Scripting, Windows PowerShell, Windows Server 2008 R2 | Tagged: Excel Addin automation | Permalink
Posted by Jan Egil Ring

Active Directory group membership modifications report

October 11, 2009

Based on customer needs I`ve created a Windows PowerShell script to report Active Directory group membership modifications. The script are uploaded to PoshCode and available from here.

In Windows 2000 Server and Windows Server 2003, the following security event IDs were valid for group membership changes:

Scope	Member added	Member removed
Local	636	637
Global	632	633
Universal	660	661

In Windows Server 2008 and Windows Server 2008 R2 the security event IDs changed:

Scope	Member added	Member removed
Local	4732	4733
Global	4728	4729
Universal	4756	4757

Source for 2000/2003 event IDs.
Source for 2008/2008 R2 event IDs.

Group membership auditing are enabled by default from Windows 2000 Server to Windows Server 2008 R2, so there are no need change any auditing settings to accomplish this.
I`ve added event ID`s for both 2000/2003 and 2008/2008 R2 to the script to cover all event ID`s currently available.
Group membership changes are logged to the Security eventlog on the domain controller the modification was run against. Because of this the script are set up to get all domain controllers in the current domain and loop through the security eventlog on each of them, searching for the relevant event ID`s described in the table above.

The script are based on Alan Renouf`s Daily Report script for PowerCLI.

The “isWithin”-function are taken from Jeffrey Snover`s blog-post regarding DateTime Utility Functions.

Preview of the HTML-report the script will generate:

A tip would be to run the script as a scheduled task e.g. once a day, and store the file in a central location.

For those of you interested in Active Directory auditing I would recommend you to have a look at the AD DS Auditing Step-by-Step Guide on Microsoft TechNet.
Personally I think the new "directory service changes" category are very useful, which allows us to see both the old and new values on modified Active Directory user objects.

4 Comments | Active Directory management, Auditing, Scripting, Windows PowerShell | Tagged: Active Directory group membership auditing | Permalink
Posted by Jan Egil Ring

Generate random passwords for Active Directory users v2

September 29, 2009

A litte while ago I posted a script to generate random passwords for each user in a specified OU in an Active Directory environment.

Now I`ve just posted another version of this script on PoshCode.

This script are intended for another scenario:
Power users with delegated permissions to reset password for specified Organizational Units. The power users get this script available as a published application in Remote Desktop Services.

Leave a Comment » | Active Directory management, Scripting, Windows PowerShell | Tagged: Active Directory reset passwords, Windows PowerShell | Permalink
Posted by Jan Egil Ring