Tuesday, August 3, 2021

Check or Verify ESXi Credentials on Multiple ESXi Hosts

There are times when you need to check whether ESXi credentials are correct and consistent across multiple hosts, and this PowerCLI script will save you a lot of time. It uses TCP port 443, so it takes a bit longer than SSH, but you do not need to open port 22 from your client. The process is quite simple:

  • It prompts for the ESXi credentials once at the start.
  • Using the given credentials, it connects to each ESXi host over TCP 443.
  • After the connection succeeds, it disconnects the session again.
  • To save time across multiple ESXi hosts, the PoshRSJob PowerShell module is used to run the checks simultaneously.

If you do not have the PoshRSJob module, install it from an elevated PowerShell console with the following command before running the script.

Install-Module -Name PoshRsJob
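The check described above, written out as an added example (this is not the post's own script): one credential set is tried against every host in its own PoshRSJob runspace, and each host reports OK or FAILED with the error text. It assumes VMware.PowerCLI and PoshRSJob are installed; the host names are constructed placeholders.

```powershell
# Added example, not the post's script: test one set of ESXi credentials against many hosts in parallel.
# Assumes VMware.PowerCLI and PoshRSJob are installed; host names below are constructed placeholders.
Import-Module VMware.VimAutomation.Core
Import-Module PoshRSJob

$esxiHosts = @('esxi01.lab.example', 'esxi02.lab.example', 'esxi03.lab.example')
$cred = Get-Credential -Message 'ESXi local account to verify'

# One runspace per host; -NotDefault keeps each session out of the shared $DefaultVIServer list.
$jobs = $esxiHosts | Start-RSJob -Name { $_ } -Throttle 10 -ModulesToImport VMware.VimAutomation.Core -ArgumentList $cred -ScriptBlock {
    param($cred)
    $vmhost = $_
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # PowerCLI validates the host's TLS certificate per Set-PowerCLIConfiguration; an untrusted
        # self-signed certificate fails here too, which is a trust problem to fix, not a credential problem.
        $vi = Connect-VIServer -Server $vmhost -Credential $cred -NotDefault -ErrorAction Stop
        Disconnect-VIServer -Server $vi -Confirm:$false
        $status = 'OK'; $detail = ''
    } catch {
        $status = 'FAILED'; $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Host = $vmhost; Status = $status; Seconds = [int]$sw.Elapsed.TotalSeconds; Detail = $detail }
}

$results = $jobs | Wait-RSJob | Receive-RSJob
$jobs | Remove-RSJob
$results | Sort-Object Status, Host | Format-Table -AutoSize
```

Every FAILED row is also a failed login recorded on that host (auth.log and hostd.log), and ESXi's Security.AccountLockFailures setting locks the account after repeated failures, so correct a wrong password before re-running against the whole fleet.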


Monday, July 19, 2021

PowerCLI to Set Evacuated ESXi Hosts into Maintenance Mode

This little script sets all ESXi hosts into maintenance mode once no VMs are left running on them, which is particularly useful when you are doing a bulk VM migration or shutdown for ESXi maintenance. You need to define the script's run time, and the interval between checks (each check loops through all ESXi hosts to see whether VMs are still running) should be at least 15 seconds.
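An added example of the loop described above (not the post's script): it polls the hosts of one cluster at a fixed interval until the run time expires, moving each host into maintenance mode as soon as it holds no powered-on VMs. It assumes an existing Connect-VIServer session; the cluster name, run time and interval are constructed values.

```powershell
# Added example, not the post's script: put hosts into maintenance mode as soon as they hold no running VMs.
# Assumes an existing Connect-VIServer session; cluster name, run time and interval are constructed values.
$clusterName = 'vmware-cluster1'
$runMinutes  = 120
$intervalSec = 30     # the post recommends no less than 15 seconds between passes

$deadline = (Get-Date).AddMinutes($runMinutes)
$pending  = @(Get-Cluster -Name $clusterName | Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' })

while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
    foreach ($vmhost in @($pending)) {
        # Only powered-on VMs block maintenance mode; templates and powered-off VMs do not.
        $running = @(Get-VM -Location $vmhost | Where-Object { $_.PowerState -eq 'PoweredOn' })
        if ($running.Count -eq 0) {
            Write-Host ("{0:s} {1}: no running VMs, entering maintenance mode" -f (Get-Date), $vmhost.Name)
            Set-VMHost -VMHost $vmhost -State Maintenance -Confirm:$false | Out-Null
            $pending = @($pending | Where-Object { $_.Name -ne $vmhost.Name })
        } else {
            Write-Host ("{0:s} {1}: {2} VM(s) still running" -f (Get-Date), $vmhost.Name, $running.Count)
        }
    }
    if ($pending.Count -gt 0) { Start-Sleep -Seconds $intervalSec }
}
if ($pending.Count -gt 0) {
    Write-Warning ("Run time expired; still waiting on: " + (($pending | ForEach-Object Name) -join ', '))
}
```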



Saturday, December 12, 2020

Delete Empty Folders with PowerShell Recursively

In this post, I'd like to show you a little one-liner PowerShell command that deletes empty folders recursively.

Note: if there is even a single file in a nested child folder, the parent path is excluded from deletion.

For example, we will create a folder tree like the one in Fig-1.1.

Fig-1.1: The folder structure

If you're not sure and want to see which folders will be deleted, you can run the following one-liner.

(gci -Directory -R) | ? { $_.GetFileSystemInfos().Count -eq 0 } | select Attributes,FullName

But you will not see the folder child2 in this preview (it will still be deleted in the end), because at this point child2 still contains its sub-folders, so it only becomes empty once they are gone. See Fig-1.2.

Fig-1.2: Showing the folder that is missing from the preview

Then we run the following command for recursive empty-folder deletion. The while loop repeats the pass until nothing is left, because deleting a child folder can make its parent empty. You can remove -Verbose if you don't want to see the noisy output ;D

while ((gci -Directory -R) | ? { $_.GetFileSystemInfos().Count -eq 0 }) { (gci -Directory -R) | ? { $_.GetFileSystemInfos().Count -eq 0 } | Remove-Item -Confirm:$false -Verbose }

Then, let's check the remaining files and folders with the previous command (as in Fig-1.1).

(gci -Directory -R) | ? { $_.GetFileSystemInfos().Count -eq 0 } | select Attributes,FullName

Fig-1.3: Checking the result


Saturday, September 19, 2020

Parsing the DNS Debug Log File into a More Flexible Format

Normally we turn on DNS debug logging to find out the source client IP addresses and the queried records. Here is the script that converts the DNS debug log file into a more flexible CSV format (you will have to rename the output file to .csv if needed). Blank lines, whitespace and header information are ignored during conversion. The script supports the DNS debug log of Windows Server 2012, 2016 and 2019 (not tested on Server 2008; if it works for you, please comment). This script should not be run on domain controllers or DNS servers, as it consumes a noticeable amount of processing power.
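An added example of the conversion described above (not the post's script): each packet line of the Server 2012+ debug log is matched with a regex, the label-length name notation is turned back into a dotted name, and header and continuation lines are skipped. The log fragment is constructed sample data, not a real capture.

```powershell
# Added example, not the post's script: parse a Windows DNS debug log (Server 2012+ packet-line layout)
# into objects that can be piped to Export-Csv. Sample lines below are constructed, not real log data.
function ConvertFrom-DnsDebugLog {
    param([Parameter(Mandatory)][string]$Path)

    # One packet line: date time thread PACKET id proto Snd|Rcv remoteIP xid [R] opcode [flags] qtype qname
    $pattern = '^(?<Date>\S+)\s+(?<Time>\d{1,2}:\d{2}:\d{2}(?:\s+[AP]M)?)\s+(?<Thread>[0-9A-F]+)\s+PACKET\s+' +
               '(?<PacketId>[0-9A-F]+)\s+(?<Proto>UDP|TCP)\s+(?<Direction>Snd|Rcv)\s+(?<RemoteIP>\S+)\s+' +
               '(?<Xid>[0-9a-fA-F]{4})\s+(?<Response>R)?\s+(?<Opcode>\S)\s+\[(?<Flags>[^\]]*)\]\s+(?<QType>\S+)\s+(?<QName>\S+)\s*$'

    foreach ($line in Get-Content -Path $Path) {
        # Header text, blank lines and "response info" continuation lines do not match and are skipped.
        if ($line -match $pattern) {
            [pscustomobject]@{
                Timestamp  = "$($Matches.Date) $($Matches.Time)"
                Protocol   = $Matches.Proto
                Direction  = $Matches.Direction          # Rcv = received by this server, Snd = sent by it
                RemoteIP   = $Matches.RemoteIP           # the client address on Rcv query lines
                Xid        = $Matches.Xid
                IsResponse = [bool]$Matches.Response
                Flags      = ($Matches.Flags -replace '\s+', ' ').Trim()
                QType      = $Matches.QType
                # Labels are logged as (len)label...(0); turn them back into a dotted name.
                QName      = (($Matches.QName -replace '\(\d+\)', '.').Trim('.'))
            }
        }
    }
}

# Constructed sample fragment: a header line and a continuation line that must be ignored, plus packet lines.
$sample = @'
DNS Server log file creation at 9/19/2020 8:00:00 AM
9/19/2020 8:01:12 AM 0B4C PACKET  000001D2C3A4B5C0 UDP Rcv 192.168.10.25    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
UDP response info at 000001D2C3A4B5C0
9/19/2020 8:01:12 AM 0B4C PACKET  000001D2C3A4B5C0 UDP Snd 192.168.10.25    0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
9/19/2020 8:01:13 AM 0B4C PACKET  000001D2C3A4B5D8 TCP Rcv 10.0.0.7         a1f3   Q [0001   D   NOERROR] AXFR   (7)example(3)com(0)
'@
$logPath = Join-Path ([IO.Path]::GetTempPath()) 'dns-debug-sample.log'
Set-Content -Path $logPath -Value $sample

$rows = ConvertFrom-DnsDebugLog -Path $logPath
$rows | Format-Table Timestamp, Direction, RemoteIP, IsResponse, QType, QName -AutoSize
# The same objects answer the usual questions, e.g. which clients asked for a zone transfer:
$rows | Where-Object { $_.Direction -eq 'Rcv' -and $_.QType -eq 'AXFR' } | Select-Object RemoteIP, QName
$rows | Export-Csv -Path (Join-Path ([IO.Path]::GetTempPath()) 'dns-debug-sample.csv') -NoTypeInformation
```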

Fig-1: Sample Run


Sunday, May 3, 2020

Lock a Domain User to a Specific Computer and Escalate Permissions

Sometimes you need to give some domain users (maybe desktop support staff) the Network Configuration Operators role or even local administrator permissions on specific client machines so that they can fix something with elevated permissions. You can do this simply by adding these users to the necessary local security groups on those machines.
Nope! It's a boring day-to-day task, and what if you forget to remove these permissions later?

Here, I wrote a script that grants the necessary permissions by adding the user to a specific privileged domain security group and locks the user down to specific computers (so they cannot log on anywhere except the assigned machine).
(**Note: even though the user cannot RDP or log on interactively to other machines, they can still reach other machines over WSMan or MMC snap-ins. For that case, you can restrict access with Windows Firewall predefined rules or GPO, topics which are not covered in this post.)

Things in brief:
  • Add that specific domain security group to the client machines' local security group; GPO can do this, but you will need to run gpupdate or reboot the machine.
  • Then run the script on a domain controller or a machine with RSAT installed, specify the username, computer name and allowed duration, and the countdown starts. When the time limit is reached, the user is automatically removed from the security group and unlocked from the specific computer, so there is no need to close the window.
  • If the user is currently logged on to the client machine, they need to log off and log in again for the change to take effect.

Here is the demo:
I have one domain controller and one client machine. My purpose is to give user1 local administrator rights on the client machine (Win-10-Test) for 1 hr.
On the domain controller, I created the security group named Desktop Support Administrators.
Create the group policy that defines the Restricted Groups of the local machine and attach the policy to OU1. We will also add Domain Admins to the Restricted Groups. See Fig-1.

Fig-1: Attach the GPO to put the domain security group into the local privileged security group
Type gpupdate /force on the client machine to apply the GPO immediately.
OK, now we're going to run the script on the domain controller. Right-click the script and choose Run with PowerShell, which will prompt for the necessary information. Don't close the window, since it closes automatically when the countdown reaches zero. You can check user1's properties in the Active Directory Users and Computers console. See Fig-2.
Fig-2: Running the script and checking the actions
If you want to stop the script midway, press Ctrl+C, which revokes user1's permissions immediately. See Fig-3.
Fig-3: Stopping the script midway
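The grant-and-revoke behaviour of the demo, as an added example (not the post's script): the user is added to the privileged group and pinned to one workstation via the account's logon-workstations attribute, and a try/finally block reverts both when the timer expires or when Ctrl+C interrupts the countdown. It assumes the ActiveDirectory RSAT module; the user, group, computer and duration are constructed values.

```powershell
# Added example, not the post's script: temporarily grant a user a privileged domain group and pin the
# account to one workstation, reverting both when the timer ends or the operator presses Ctrl+C.
# Assumes the ActiveDirectory RSAT module; user, group, computer and duration are constructed values.
Import-Module ActiveDirectory

$userName     = 'user1'
$groupName    = 'Desktop Support Administrators'   # the group your Restricted Groups GPO maps to local Administrators
$computerName = 'WIN-10-TEST'
$minutes      = 60

$user = Get-ADUser -Identity $userName -Properties LogonWorkstations
$previousWorkstations = $user.LogonWorkstations   # restored afterwards, in case the account was already restricted

try {
    Add-ADGroupMember -Identity $groupName -Members $user
    Set-ADUser -Identity $user -LogonWorkstations $computerName
    Write-Host "$userName is in '$groupName' and may log on only to $computerName for $minutes minutes."

    $end = (Get-Date).AddMinutes($minutes)
    while ((Get-Date) -lt $end) {
        $left = $end - (Get-Date)
        Write-Host ("Remaining: {0:hh\:mm\:ss}`r" -f $left) -NoNewline
        Start-Sleep -Seconds 5
    }
}
finally {
    # finally runs on normal expiry and on Ctrl+C, so the grant is revoked either way.
    Remove-ADGroupMember -Identity $groupName -Members $user -Confirm:$false
    if ($previousWorkstations) { Set-ADUser -Identity $user -LogonWorkstations $previousWorkstations }
    else { Set-ADUser -Identity $user -Clear userWorkstations }   # userWorkstations is the LDAP attribute name
    Write-Host "`nRevoked: $userName removed from '$groupName' and the logon-workstation restriction reset."
}
```

On a forest with the Privileged Access Management optional feature enabled (Windows Server 2016 and later), Add-ADGroupMember -MemberTimeToLive lets AD expire the membership itself, so revocation no longer depends on this window staying open.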

Tuesday, February 25, 2020

VMware Network Portgroup Connectivity Check with Circular VM vMotion

Now it's blogging time. Here is a little script you can use to check the network connectivity of each portgroup in your VMware environment; it can also be used to determine whether the portgroups or the physical uplinks (backing the vSwitch) have the desired VLAN access on multiple ESXi hosts.

This script outputs the VM's ICMP ping status after vMotioning it to each host within the current VMware cluster (where the VM resides) or within any clusters you name. I assume you have already connected to vCenter with the command: Get-VC -Server xxx.xxx.xxx.xxx -Credential (Get-Credential)

Example Usage:
.\Vlan_Portgroup_Check_with_Circular_VM_vMotions.ps1 -VMName "Testing-VM" -IPAddress 10.10.10.10 -ClusterNames "vmware-cluster1"
This will vMotion "Testing-VM" across all ESXi hosts in the cluster named "vmware-cluster1" and output the ping result for 10.10.10.10.
By default it sends a single 32-byte ICMP ping packet and counts it as success or failure.

.\Vlan_Portgroup_Check_with_Circular_VM_vMotions.ps1 -VMName "Testing-VM" -IPAddress 10.10.10.10 -TimeOut 2
This will vMotion "Testing-VM" across all ESXi hosts in the cluster where the VM currently resides and output the ping result for 10.10.10.10.
It sends two 32-byte ICMP ping packets, as defined by the "TimeOut" value, and counts them as success or failure.
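The circular vMotion check, as an added example (not the post's script): the VM is moved to each connected host of the cluster in turn, pinged after every move, and returned to its starting host at the end, so a host whose uplink or portgroup lacks the VLAN shows up as a Failure row. It assumes an existing Connect-VIServer session; the VM name, IP address and cluster name are constructed values.

```powershell
# Added example, not the post's script: vMotion one VM through every host of a cluster and ping it after
# each move, so a portgroup or uplink that lacks the VLAN on some host shows up as a failed ping there.
# Assumes an existing Connect-VIServer session; VM name, IP and cluster name are constructed values.
param(
    [string]$VMName      = 'Testing-VM',
    [string]$IPAddress   = '10.10.10.10',
    [string]$ClusterName = 'vmware-cluster1',
    [int]$TimeOut        = 1      # number of 32-byte ICMP echo requests sent per host
)

$vm      = Get-VM -Name $VMName
$vmHosts = Get-Cluster -Name $ClusterName | Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' } | Sort-Object Name
$start   = $vm.VMHost

$results = foreach ($vmhost in $vmHosts) {
    if ($vm.VMHost.Name -ne $vmhost.Name) {
        # Compute-only vMotion; storage stays where it is. Move-VM returns the refreshed VM object.
        $vm = Move-VM -VM $vm -Destination $vmhost -Confirm:$false
    }
    # -Quiet returns $true only if every echo request in -Count is answered.
    $ok   = Test-Connection -ComputerName $IPAddress -Count $TimeOut -Quiet
    $ping = if ($ok) { 'Success' } else { 'Failure' }
    [pscustomobject]@{
        VMHost    = $vmhost.Name
        Portgroup = ((Get-NetworkAdapter -VM $vm).NetworkName -join ',')
        Ping      = $ping
    }
}

# Return the VM to where it started, then show one row per host.
if ($vm.VMHost.Name -ne $start.Name) { $vm = Move-VM -VM $vm -Destination $start -Confirm:$false }
$results | Format-Table -AutoSize
```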

The Sample Output