Trigger a remote GPUpdate without PSRemoting or PSExec

I recently enabled Windows Firewall on an unused server via GPO, but forgot to include the inbound RDP exception. This, of course, kicked me off my RDP session.

Rather than wait ~90 minutes for my revised GPO to take effect, I found that I could trigger a GPUpdate remotely using WMI (WinRM wasn’t enabled, and I didn’t want to use PSExec)

The following command does the trick:

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "gpupdate.exe" -ComputerName <computername>

Correct Horse Battery Staple for PowerShell, AKA Random Memorable Password Generator

I’m a fan of using for generating temporary passwords for users, rather than always using a static password. The site itself is a reference to the XKCD webcomic, and yes, I’m aware that there are plenty of opinions on the web about this topic.


I’ve had the idea in the back of my mind for a while to see if I could replicate the site’s functionality in PowerShell. I noticed that the source code for the site is on GitHub, so I ducked over there to check out the word list.

I found that it’s possible to replicate most of the functionality of the site with just two lines of PowerShell (although it doesn’t result in very readable code):

  1. I used Invoke-WebRequest to grab the word list from GitHub
  2. I then expanded out the Content property, and split it up given the comma delimiter
  3. I then used a combination of the Range operator, Foreach-Object, [string]::join,Get-Random and the TextInfo class to generate a given number of passwords along these rules:
    1. 4 random words, each with the first letter capitalised
    2. A separator in between
    3. A random number between 1 and 99 at the end

Note that this isn’t failure-proof, and isn’t intended to be used in any complex scenario. There’s no error handling, and not much flexibility built in. It’s just a quick function you could put into your PowerShell profile.

You can, at least, do the following:
A PowerShell window displaying the output of Get-RandomPassword. Also shows the function being called with a Count parameter as well as a separator parameter

Here’s the code:

ADFS 3.0 Error: The Web request failed because the web.config file is malformed

Had a strange one today after an Azure outage. One of my Server 2012 R2 ADFS proxies wouldn’t start the ADFS service.

When looking in the logs, it appeared like a case of simply having to re-establish the proxy trust, but I got a different error when trying to start the service:

The federation server proxy could not be started.
Reason: Error retrieving proxy configuration from the Federation Service.

Additional Data
Exception details:
An error occurred when attempting to load the proxy configuration.

There were other errors in the ADFS Event logs about a malformed config file:

The Web request failed because the web.config file is malformed.

User Action:
Fix the malformed data in the web.config file.

Exception details:
Root element is missing. (C:\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config)
Root element is missing.

When I opened the abovementioned config file, it was empty. I compared this to the config file on the other ADFS proxy, and that one looked like a normal config file.

My solution, and what ended up fixing the issue in the end, was simply to copy the contents of the .config file from the working ADFS proxy to the broken one. I could then re-establish the proxy trust, and everything started running again.

I’m not sure if this would work, but in case you don’t have another ADFS proxy to grab the config file from, here’s a sanitised version of mine:

<?xml version="1.0" encoding="utf-8"?>
<section name="microsoft.identityServer.proxyservice" type="Microsoft.IdentityServer.Management.Proxy.Configuration.ProxyConfiguration, Microsoft.IdentityServer.Management.Proxy, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
<congestionControl latencyThresholdInMSec="8000" minCongestionWindowSize="64"
enabled="true" />
<connectionPool connectionPoolSize="200" scavengeInterval="5" />
<diagnostics eventLogLevel="15" />
<host tlsClientPort="49443" httpPort="80" httpsPort="443" name="" />
<proxy address="" />
proxyTrustRenewPeriod="21600" />
<!-- <system.serviceModel>
<messageLogging logEntireMessage="true"
</system.serviceModel> -->

Once I’d resolved the problem, I did a bit of searching around for this error message, and it appears that other people have had the same problem previously, with no resolution listed in the one thread that I looked at on the TechNet forums.

Script to create new local admin account for use with LAPS

I’ve got a bunch of older SOE machines that still had the local Administrator account enabled. As part of implementing Microsoft LAPS, I wanted to disable that account, and use a newly-created ‘LocalAdmin’ account with LAPS.

The account is created with a randomly-generated GUID as the password. The account’s password is going to come under the management of LAPS anyway. Additionally, it would be a terrible idea to hard-code a password into a script that’s stored in Sysvol.

If an account with that name already exists, the script will quit. Some basic events are also logged to the Event Log to indicate what happened.

My first revision of the script used ADSI to create the account and add it to the Administrators group, but I found that my mileage varied with that method. Some computers had the account created, but it wasn’t a member of Administrators.

It’s now set up to use plain “NET USER” and “NET LOCALGROUP” commands. This is an example of what would be executed:
2016-04-04 16_01_06

This script is designed to be set up as a computer Startup Script:

PowerShell: Finding folders that don’t match a pattern

This week I came across an issue where some folders didn’t match a naming convention that was required by another third-party system. Because of this, data wasn’t being extracted from all of the incorrectly-named folders.

The naming convention in question goes like this: “{whatever} {4-digit-number}”. Lots of folders were missing the relevant number at the end.

To quickly identify which folders were wrongly-named, I used a regex that searches the end of a string for a space followed by four numbers. I then used that in conjunction with Where-Object:

Get-ChildItem -Path | Where-Object {$_.Name -notmatch " d{4}$"}

Then, so that I could identify who was naming new folders incorrectly, I then did this:

Get-ChildItem -Path  | Where-Object {$_.Name -notmatch " d{4}$"} | Select-Object -Property Name,CreationTime,@{Name="Owner";Expression={(Get-Owner $_.FullName).Owner.AccountName}}

I then piped the above command to Sort-Object, and exported the lot to a CSV file for the department in question to review:

Get-ChildItem -Path  | Where-Object {$_.Name -notmatch " d{4}$"} | Select-Object -Property Name,CreationTime,@{Name="Owner";Expression={(Get-Owner $_.FullName).Owner.AccountName}}| Sort-Object CreationTime -Descending | Export-Csv c:tempinsolfolder.csv -NoTypeInformation

In all, a quick, easy, and repeatable way of getting a report out to the people who need to maintain the folder structure. It’s possible to extend it further to just email the owners of each of the non-compliant folders on a set schedule.

Delete old log files with PowerShell

Today I came across a folder full of log files created by an import/integration application on one of our servers. The folder contained over 50,000 files. Rather than manually delete the old logs, here’s how I removed all items older than 1 month:

Get-ChildItem "C:Path_To_logs*.txt" | Where-Object {$_.CreationTime -lt (Get-Date).AddMonths(-1)} | Remove-Item -Force -Verbose -WhatIf

Since PowerShell is based on the .NET Framework, you can use standard System.DateTime methods when working with dates and times.

PS C:> Get-Date | Get-Member Add*

   TypeName: System.DateTime

Name            MemberType Definition
----            ---------- ----------
Add             Method     datetime Add(timespan value)
AddDays         Method     datetime AddDays(double value)
AddHours        Method     datetime AddHours(double value)
AddMilliseconds Method     datetime AddMilliseconds(double value)
AddMinutes      Method     datetime AddMinutes(double value)
AddMonths       Method     datetime AddMonths(int months)
AddSeconds      Method     datetime AddSeconds(double value)
AddTicks        Method     datetime AddTicks(long value)
AddYears        Method     datetime AddYears(int value)

Passing a negative value to one of the Add* methods will result in subtracting that amount of time:

PS C:> Get-Date
Wednesday, 12 August 2015 2:37:23 PM

PS C:> (Get-Date).AddMonths(1)
Saturday, 12 September 2015 2:37:37 PM

PS C:> (Get-Date).AddMonths(-1)
Sunday, 12 July 2015 2:37:40 PM

Obviously you need to be very careful with specifying a path to a command like Remove-Item. I’ve left the -WhatIf switch on the example code above.

It’s easy to add something like this to a scheduled task to keep a log folder tidy.