Monday, December 18, 2017

Find who reset my password: The Powershell Script to Audit User Accounts Changes

Collecting account management activity is an essential part of auditing. It can be checked in the Windows Security event log if auditing for account management is enabled. To automate this tiresome job, I wrote this PowerShell script to make life easier.
This script shows all the changes an administrator made to user/system accounts, such as when a password was reset and who reset it, who added a user to a given group, and which attributes of a user account were changed. Before running the script, you have to set auditing of account management to 'Success' in the local security policy, long enough in advance that the required events have been collected. Don't worry, I have included an option to enable it from within the script. All you need is to run PowerShell from an elevated prompt.
Each column has a different meaning:
  • DateTime - The date and time when the event was created
  • Account Operation - The change made to an account
  • ID - The ID of the event
  • Target Account - The user/group/system account that was changed
  • ExistingAcc - 'Yes' if the TargetAccount still exists on the system, 'No' if the account no longer exists
  • InitiatedBy - The user who made the change to the other account (TargetAccount)
  • TargetGroup - The security group involved in the change, such as the group the user was added to or removed from
  • ExistingGrp - 'Yes' if the TargetGroup still exists on the system, 'No' if the group no longer exists
  • ChangedValue - The new value when a target account attribute or UAC flag was changed, such as when the user's password expiration setting was changed to 'Never'
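As an added example (not the author's Get_Account_Audit_Events.ps1), the following PowerShell function reads the Security log and shapes the events into the columns listed above; the event IDs are the standard Windows account/group management audit IDs, and the -Hours and -ComputerName parameters are my own choice.

```powershell
# Added example, not the author's Get_Account_Audit_Events.ps1. Reads the Security
# log and shapes the events into the columns described above.
# Event IDs used: 4724 password reset, 4738 user account changed,
# 4728/4732 member added to a global/local security group,
# 4729/4733 member removed from a global/local security group.
# Needs an elevated console and account/group management auditing set to Success.
function Get-AccountAuditEvent {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $ops = @{
        4724 = 'Password reset';             4738 = 'Account changed'
        4728 = 'Added to global group';      4732 = 'Added to local group'
        4729 = 'Removed from global group';  4733 = 'Removed from local group'
    }
    $ids      = 4724, 4738, 4728, 4732, 4729, 4733
    $groupIds = 4728, 4732, 4729, 4733
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The named fields (SubjectUserName, TargetUserName, ...) live in EventData/Data
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $target = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            if ($_.Id -in $groupIds) {
                # For group membership events TargetUserName is the group and
                # MemberName (a DN or SID string) is the account that was added/removed
                $account = $d['MemberName']; $group = $target
            } else {
                $account = $target; $group = $null
            }
            [pscustomobject]@{
                DateTime         = $_.TimeCreated
                AccountOperation = $ops[$_.Id]
                ID               = $_.Id
                TargetAccount    = $account
                InitiatedBy      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                TargetGroup      = $group
            }
        }
}

# Usage: Get-AccountAuditEvent -Hours 72 | Format-Table -AutoSize
```

The ExistingAcc/ExistingGrp columns of the author's script are not reproduced here; they would need an extra lookup of each TargetAccount and TargetGroup against the local SAM or Active Directory.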

To work with it, simply run the script without any parameters.
.\Get_Account_Audit_Events.ps1

To display the result as a table in the console, use the following command.
.\Get_Account_Audit_Events.ps1 | Format-Table -AutoSize

To export the result to a CSV file, use the following command.
.\Get_Account_Audit_Events.ps1 | Export-Csv -NoTypeInformation Users_Account_Audit_Events.csv

Following is the illustration on my testing computer.

Sunday, August 27, 2017

Script to Log TCP Connections by Powershell


Logging TCP connections is useful for troubleshooting or auditing. You can use TCPView to watch the incoming and outgoing TCP connections between servers and clients in real time. To save the log to a file, you need TCPLogView, but its limitation is that the capture cannot be bounded by duration or by log file size without custom scripting. Windows has a built-in netstat command which lists TCP/UDP connections. So, with the help of PowerShell, I loop the netstat command and capture the new TCP connections relative to the previous run. With this script, you can capture new TCP connections for a specific time or until the log file reaches a size limit, to avoid consuming disk space.
On my testing machine, I ran the command below, which captures the incoming/outgoing TCP connections for 90 seconds (see Fig-1).
.\Get-TcpLog.ps1 -min 1 -sec 30 -CsvFile | ft

Fig-1: Logging TCP Connections for 90 seconds
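The delta-logging loop described above, as an added example that is not the author's Get-TcpLog.ps1: it polls the established TCP table, appends only connections not present in the previous poll, and stops on a time limit or a log size limit. It uses Get-NetTCPConnection rather than parsing netstat output, so it assumes Windows 8 / Server 2012 or later; the parameter names are my own.

```powershell
# Added example, not the author's Get-TcpLog.ps1. Polls the established TCP
# connections and appends only the ones not seen in the previous poll to a CSV,
# stopping after -Seconds or once the file exceeds -MaxSizeKB.
# Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on older systems
# a parser for "netstat -ano" output would replace it.
function Start-TcpConnectionLog {
    param(
        [string]$CsvFile = "$PWD\TcpLog.csv",
        [int]$Seconds = 90,
        [int]$MaxSizeKB = 1024,
        [int]$PollMs = 1000
    )
    $deadline = (Get-Date).AddSeconds($Seconds)
    $seen = @{}    # 4-tuples (local:port->remote:port) present in the previous poll
    while ((Get-Date) -lt $deadline) {
        $now = Get-Date
        $current = @{}
        $new = foreach ($c in Get-NetTCPConnection -State Established) {
            $key = "$($c.LocalAddress):$($c.LocalPort)->$($c.RemoteAddress):$($c.RemotePort)"
            $current[$key] = $true
            if (-not $seen.ContainsKey($key)) {
                # First appearance of this 4-tuple: record it with the owning process
                $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Time          = $now
                    LocalAddress  = $c.LocalAddress
                    LocalPort     = $c.LocalPort
                    RemoteAddress = $c.RemoteAddress
                    RemotePort    = $c.RemotePort
                    PID           = $c.OwningProcess
                    Process       = $proc.ProcessName
                }
            }
        }
        if ($new) { $new | Export-Csv -Path $CsvFile -Append -NoTypeInformation }
        $seen = $current   # a connection that closes and reopens is logged again
        if ((Test-Path $CsvFile) -and (Get-Item $CsvFile).Length -gt $MaxSizeKB * 1KB) {
            Write-Warning "Log file reached $MaxSizeKB KB, stopping."
            break
        }
        Start-Sleep -Milliseconds $PollMs
    }
}

# Usage: Start-TcpConnectionLog -Seconds 90 -CsvFile .\TcpLog.csv
#        Import-Csv .\TcpLog.csv | Format-Table -AutoSize
```

Short-lived connections that open and close between two polls are missed; lower -PollMs to reduce that gap at the cost of more CPU.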

Wednesday, August 23, 2017

A Quick Start Guide: How to Manage Veeam Backup & Replication 9 with Powershell

Most enterprise backup software comes with PowerShell support to make backup administrators' lives easier. In this post, we will try some Veeam PowerShell commands to back up/restore VMs and to list the current backup jobs. Veeam PowerShell has more cmdlets for advanced VSS-aware backup (such as SQL, Exchange) which I do not cover here. Here, I will show only VM-level backup/restore with PowerShell.

Wednesday, August 16, 2017

Batch/Powershell: How to check Pending Computer Restart after Installing Windows Update

Some Windows updates require a system restart after installation because they need to replace system files that are currently in use by running processes, or to apply registry changes. You'll be prompted with a yellow shield icon like in Fig-1.
Fig-1: Pending Restart after windows update install

Windows creates a registry subkey named RebootRequired under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\ to record this pending state; the presence of the subkey means a restart is pending.
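As an added example (not the author's script), the following PowerShell function tests for the RebootRequired subkey described above and, going a little beyond the post, two other well-known pending-restart indicators: the Component Based Servicing RebootPending key and the Session Manager PendingFileRenameOperations value. The function name and -ComputerName parameter are my own.

```powershell
# Added example, not the author's script. Reports whether a restart is pending.
# Checks the WindowsUpdate\Auto Update\RebootRequired subkey from the post plus
# two further indicators (CBS RebootPending, PendingFileRenameOperations).
function Test-PendingReboot {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $wu  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $cbs = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $sm  = 'SYSTEM\CurrentControlSet\Control\Session Manager'
    # Open HKLM via the remote registry API so the same check works for other machines
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        # OpenSubKey returns $null when the subkey does not exist
        $wuPending  = $null -ne $hklm.OpenSubKey($wu)
        $cbsPending = $null -ne $hklm.OpenSubKey($cbs)
        $smKey      = $hklm.OpenSubKey($sm)
        $fileRename = ($null -ne $smKey) -and ($null -ne $smKey.GetValue('PendingFileRenameOperations'))
        [pscustomobject]@{
            ComputerName       = $ComputerName
            WindowsUpdate      = $wuPending
            ComponentServicing = $cbsPending
            PendingFileRename  = $fileRename
            RebootPending      = $wuPending -or $cbsPending -or $fileRename
        }
    }
    finally { $hklm.Close() }
}

# Usage: Test-PendingReboot
#        Test-PendingReboot -ComputerName SERVER01   # needs the Remote Registry service on the target
```

The batch equivalent for the single key from the post is `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" >nul 2>&1 && echo Reboot pending || echo No reboot pending`.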

Saturday, July 22, 2017

PowerCLI Connection Error: The underlying connection was closed: An unexpected error occurred on a send

PowerCLI is a very flexible tool for vSphere automation. One morning, I connected to the vSphere environment and found this error (see Fig-1):
"The underlying connection was closed: An unexpected error occurred on a send"
Fig-1: Error connecting to vCenter
I can ping the vCenter server and can connect to the vSphere Web Client. So I checked $Error[0] for the exception; it looks like a certificate error. But when I checked the certificate in the vSphere Web Client, it is not going to expire soon.

Sunday, May 28, 2017

Load Testing the FTP Site with Open Source Apache Jmeter

Sometimes we have to load test a website or FTP site for reliability or to measure performance. The top-listed open-source tools are:
  • The Grinder
  • Gatling
  • Tsung
  • JMeter
(list from bazemeter.com)
Out of the top 4, I'll use Apache JMeter, which has a good reputation and is available for the Windows platform. A lot of options are available for beginner to advanced testers. Java is needed prior to JMeter installation. Test whether your machine already has Java installed by typing the following in the command prompt:
java -version
If not installed, download Java from here.
Download JMeter for Windows from SourceForge.

Thursday, May 11, 2017

Powershell: How to Shift Time Offset of a Movie's Subtitle

I usually spend my holidays with good movies. Some of the subtitles I downloaded do not have the correct timing with the video soundtrack, and it makes me re-adjust the subtitle whenever I re-play old movies. Since I do not want to install extra software or use websites to change my file whenever I get this problem, I decided to make it work in PowerShell. It took me more time than expected to write the script, as I wanted to include running dots while changing the time offset of the file. No matter what! You can try out the script if you want.

Sunday, May 7, 2017

Find all SNMP Settings of Windows Machine in Powershell

SNMP has a long history with Microsoft Windows. Microsoft now says that it has been deprecated (moreover, SNMP v1 and v2c are less secure than the latest SNMP v3, but Windows still does not natively support version 3) and recommends using CIM for managing the hardware and software layers.
SNMP is deprecated. Instead, use the Common Information Model (CIM), which is supported by the WS-Management web services protocol and implemented as Windows Remote Management.
But there may be servers/desktops that still use SNMP v1/v2c for monitoring. Here is the PowerShell function to get the SNMP security settings by reading the registry. For each tab of the SNMP service options, Microsoft TechNet states that:

Tuesday, April 25, 2017

Set Windows Service Permission to Non-Administrator Accounts

Service-related operations such as start/stop/restart of Windows services are usually assigned to Administrators. Sometimes you might need to delegate these tasks to non-admin users. In this article, I will show 4 methods to set a service's permissions for any user account/service account. I will use the SQL service (MSSQLSERVER) in a domain environment.

Assign SQL service start/stop permission to a Non-Administrator Account and SDDL explained

For the full syntax of SDDL (Security Descriptor Definition Language) and ACEs (Access Control Entries), you can refer to this TechNet article.
Here we will assign the start/stop permission of MSSQLSERVER to the 'MyUser' domain user. Assume that SQL Server 2012 is installed on a domain-joined computer. We can easily assign the necessary permission with the PowerShell Access Control module and check which permissions are changed.

Friday, April 7, 2017

Change the Default Boot OS and Time-Out for Dual Boot Windows

Recently I installed Windows 8.1 alongside my existing Windows 10 on a free partition. After reboot, the dual boot menu gives me a 30 second time-out with Windows 8.1 as the default, as seen in Fig-1. As I work with Win-10 most of the time, I need my computer to boot directly into Windows 10 with a shorter time-out. Since Windows Vista, Windows has shipped with bcdedit.exe, which gives enhanced options to edit the BCD store (Boot Configuration Data, which replaced the old boot loader configuration) before the Windows kernel is called.

Tuesday, April 4, 2017

Active Directory Recycle Bin: Restore Deleted Objects or Wipe Off your Bin ?

Active Directory Recycle Bin is available from Server 2008 R2, but it is disabled by default. It is one of the most useful features for system admins, in that they can restore any directory objects (user/computer or system accounts) that were mistakenly deleted.
You need the Active Directory Administrative Center console and a forest functional level of 2008 R2 as a minimum to use this.
For the restore process, you can use the GUI or PowerShell. For permanent deletion, PowerShell is the way to go.

Thursday, March 30, 2017

Enumerate and Check DNS Records between two Windows DNS Servers

I love PowerShell scripting as I like games. Today I finished the script I've been writing these past days, a checker of DNS records between two DNS servers. The PowerShell DNS Client module is only available from Windows 8 and Server 2012/R2, which makes DNS query and administration easy for PowerShell users. But as I want to include the old Server 2008 in this scenario, I scripted the 'nslookup' command in this script.

You just need to supply the -DestinationServer parameter for the server you want to query. The records of the local DNS server will also be enumerated.
Open the PowerShell console in elevated mode and run the script with the following command.
.\Check_DNS_Records_Status -DestinationServer myServerNameOrIP | ft -auto

Sunday, February 26, 2017

Check If your running Processes and Files are Digitally Signed

Digital signatures of running processes are needed when you want to validate that software actually comes from a trusted source and is unmodified by viruses or trojans. You can also check that the executable files (.exe, .dll, etc.) on your system are digitally signed. A Microsoft article states that:

"Software that is downloaded from the Internet to users' computers can contain programs such as viruses and Trojan horses that are designed to cause malicious damage or provide clandestine network access to intruders. As networks become more interconnected, malicious software and viruses also become a threat to intranets. To help counter this growing threat, you can digitally sign the software that you distribute on your intranets or the Internet to ensure its integrity and to assure others that the software can be trusted. Signed software ensures that users can verify the origin of the software, as well as verify that no one has tampered with it.
Microsoft developed the Microsoft® Authenticode® technology, which enables developers to digitally sign software. The last thing developers do before they release software is digitally sign the software. Any modification to the software after it is signed invalidates the digital signature. By using Authenticode technology, code signers who own valid X.509 version 3 code-signing certificates can sign software with their private key. Several other third-party code signing technologies also use digital certificates to enable code signing."


Let's see how we can check the digital signatures of files on our system to find out whether critical Windows files have been changed. We will also check the digital signatures of the processes running on our computer. For a single file, the easiest way is to right-click the file and look at the Digital Signatures tab in Properties. But that is not an easy task for multiple files. So, we can say there are generally 3 methods, each with pros and cons and different features.
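As an added example, not one of the author's 3 methods as written, here is a PowerShell function built on the Get-AuthenticodeSignature cmdlet that checks the executable behind every running process (and optionally the DLLs each has loaded) and returns the files whose signature is missing or does not verify; the function name and -IncludeModules switch are my own.

```powershell
# Added example, not the author's code. Checks the Authenticode signature of the
# executable of every running process and, with -IncludeModules, of each loaded DLL,
# returning only the files that are not validly signed.
function Get-UnsignedRunningCode {
    param([switch]$IncludeModules)
    $paths = foreach ($p in Get-Process) {
        if ($p.Path) { $p.Path }     # Path is empty for protected/system processes without elevation
        if ($IncludeModules) {
            try { $p.Modules | ForEach-Object { $_.FileName } } catch { }   # access denied on some processes
        }
    }
    $paths | Sort-Object -Unique | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_
        [pscustomobject]@{
            Path   = $_
            # Valid, NotSigned, HashMismatch (file modified after signing), UnknownError, ...
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    } | Where-Object { $_.Status -ne 'Valid' }
}

# Usage: Get-UnsignedRunningCode -IncludeModules | Format-Table -AutoSize
```

HashMismatch is the case the quoted article describes: the file was modified after it was signed. Many Windows OS files are signed through a catalog rather than an embedded signature, and only PowerShell 5.1 and later recognises catalog signatures, so on older versions those files show as NotSigned.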

Friday, February 24, 2017

Take it Easy: How to Automate SSH-ing with Powershell

Having been away from blogging for a while, since I have been on vacation after my VCP exam, it's now time to get back to blogging. Today let's see how we can automate SSH-ing with PowerShell. Instead of connecting to each SSH host (e.g. your routers/switches or Linux servers) by hand, you can write PowerShell snippets and pass the Linux commands to plink.exe. Most of the time, you can use one of 2 methods to make SSH connections from PowerShell. You can use either of these methods.
1) Using plink.exe, which is the command line version of PuTTY.
2) Using one of the SSH PowerShell modules which are available on the PowerShell Gallery.

There are other SSH modules; I use the SSH-Sessions module written by Joakim Svendsen, which uses the SSH.NET library and the Microsoft .NET Framework.
Here, I use 2 Linux hosts which are running SSH services. I use Windows 10 and Windows 7 with the base PowerShell version to connect to these hosts. The IP addresses in my lab are:
Host Names          IP Addresses
==========          ============
example1.local      10.170.0.50
example2.local      10.170.0.51
Windows10.local     10.170.0.10
Windows7.local      10.170.0.11