Script to create new local admin account for use with LAPS

I’ve got a bunch of older SOE machines that still had the local Administrator account enabled. As part of implementing Microsoft LAPS, I wanted to disable that account, and use a newly-created ‘LocalAdmin’ account with LAPS.

The account is created with a randomly-generated GUID as the password. The account’s password is going to come under the management of LAPS anyway. Additionally, it would be a terrible idea to hard-code a password into a script that’s stored in Sysvol.

If an account with that name already exists, the script will quit. Some basic events are also logged to the Event Log to indicate what happened.

My first revision of the script used ADSI to create the account and add it to the Administrators group, but I found that my mileage varied with that method. Some computers had the account created, but it wasn’t a member of Administrators.

It’s now set up to use plain “NET USER” and “NET LOCALGROUP” commands. This is an example of what would be executed:
2016-04-04 16_01_06

This script is designed to be set up as a computer Startup Script:

Create a Scheduled Task to keep all Chocolatey Packages up-to-date

Rebuilding your PC is always a drag, even with useful utilities like Ninite.

I recently created a PowerShell DSC script that I can use whenever I need to rebuild my PC. As part of that, I used the cChoco provider to automatically install applications using Chocolatey. I’ll be writing a blog post with more details shortly.

That’s a great way to get the applications installed, but not for keeping them up-to-date. Chocolatey allows you to run ‘choco upgrade all’ manually to do this:

Command prompt window showing the results of a 'choco upgrade all -y' command

Rather than manually create the scheduled task to automate this, I created this short PowerShell script:

The script will:

  1. Locate the choco.exe binary (It’ll quit if it can’t find it in the path)
  2. Set up a scheduled task that runs said binary at system startup

Note that this script will only work on Windows 8 and newer machines, because it relies on the *-ScheduledTask cmdlets.

Reading the Windows DHCP Server logs with PowerShell

I’ve been doing a bit of work with DHCP over the last week or so – specifically with troubleshooting IP assignment from various VLANs. I threw together a quick function to read the last (x) lines out of the current day’s DHCP server log. For now, there’s no support for reading the logs remotely. This needs to be run on the server itself.

Once you’ve dot sourced the script, just call the function. By default, it will grab the last 20 lines out of the current day’s log file.

Get-DHCPServerLog

You can specify a day, and/or the number of lines to grab from the end of the log file:

Get-DHCPServerLog -Lines 5 -Day mon

You can also pipe it to Select-Object:

Get-DHCPServerLog | Select-Object Date,Time,Description,MAC*,IP* | Format-Table -AutoSize

Here’s the source:

Braindump: ADDS NTP Configuration via GPO

There’s a great article on the Microsoft AD team blog about configuring the authoritative time server automatically via group policy and WMI filters. This may save you from domain time sync issues if your PDC emulator role eventually ends up moving to a different server.

http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx

Their article covers how to set up the WMI filter, but doesn’t address the settings for NTP. Those are listed in detail under this support note.

These are the settings I’ve implemented in my GPO using Admin Templates->System->Windows Time Service:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeConfig]
"MaxNegPhaseCorrection"=dword:00000708
"MaxPosPhaseCorrection"=dword:00000708
"AnnounceFlags"=dword:00000005
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeParameters]
"Type"="NTP"
"ntpserver"="au.pool.ntp.org,0x1"
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeTimeProvidersNtpClient]
"Enabled"=dword:00000001
"SpecialPollInterval"=dword:00000384
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeTimeProvidersNtpServer]
"Enabled"=dword:00000001