Category Archives: Windows server 2008 R2

“Poor man” monitoring of creation/enablement and addition and removal to/from security group of an account in Active Directory (part 1)

If you want to implement “poor man” monitoring of important events that can happen in your Active Directory like – creation of an user or in case if someone enables or disables an user account or if user is added to a security group (for example in domain admins) you can do it by using out-of-the box solutions that Windows Server provides.

Without touching any additional auditing (by using Group policy or Local policy) you can simply attach a task to events:

Event ID: 4720 – A user account was created.
Event ID: 4722 – A user account was enabled.
Event ID: 4725 – A user account was disabled.
Event ID: 4728 – A member was added to a security-enabled global group.

I find these events very important because if they are not triggered by an intentional creation / modification of an user in Active Directory it might mean that someone is making some unwanted and potentially dangerous changes (and we all know how devastating for our infrastructure can be if privileges escalate to Domain admins level).

So let’s use out-of-the box solutions to get information if such event happens.
We will use:
Event Viewer and the option to trigger an action of out the event id by using Task Scheduler and some Powershell scripting to get alert e-mailed to administrator.

On DC I have created a folder on c:\ps in which I have placed PS1 script called: NewUser.PS1
In the script I have some lines that parse newly created Event with ID 4720.

$EventMessage = get-winevent -FilterHashtable @{Logname=’Security’;ID=4720} -MaxEvents 1 | fl TimeCreated, Message
$eventmessagetstring = $EventMessage | Out-String
$EventMessageAccountNameTextAdmin = $EventMessagetstring | Select-String -Pattern “Subject:\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+” -AllMatches | Select -ExpandProperty matches | Select -ExpandProperty value
$EventMessageAccountNameTextNewUser = $EventMessagetstring | Select-String -Pattern “New Account:\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+” -AllMatches | Select -ExpandProperty matches | Select -ExpandProperty value
$EmailTo = “”
$EmailFrom = “”
$Subject = “New user in Active Directory!”
$Body = “New user created by: `n $EventMessageAccountNameTextAdmin `n `n `n New user username: `n $EventMessageAccountNameTextNewUser”
$SMTPServer = “YourSMTPServer”
$SMTPMessage = New-Object System.Net.Mail.MailMessage($EmailFrom,$EmailTo,$Subject,$Body)
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 25)

This script is saved.

After that we run Task Scheduler and create new Basic task where Trigger is When a specific event is logged on next screen we chose as Log: Security then Source: Microsoft Windows security auditing. and we insert Event ID: 4720.

After that we need to chose Action
: Start a program as Program/script: Powershell and in Add arguments (optional): -ExecutionPolicy ByPass -File c:\ps\NewUser.ps1

on Finish screen we can check checkbox Open the Properties dialog …

General tab of task properties we can chose radio button: Run whether user is logged on or not and then checkbox Do not store password. The task will only have access to local computer resources.

If you try to create new user in AD in couple of seconds you should receive e-mail with alert where you get the user that created new user in AD and the actual username of the newly created user.

new user

In the video you can check the tasks described above.



Getting ASP.NET – C# running a System center Orchestartor 2012 Runbook and survive :)

I wanted to create ASP.NET webpage with three simple fields name, surname and mobile and I wanted Orchestrator behind to create Exchange 2010 mailbox on my Exchange server…
My friends helped me out by giving me suggestions and help – I want to share this knowledge with you now…

What we have:
Exchange 2010 server on one server
SC 2012 – Orchestrator – on different server – with Exchange 2010 console instaled + SP2 applied

My friend Saso created a ps1 script that creates user in Exchange 2010 (with address book policy, active sync policy…) that I use on Exchange 2010 server by inserting a line of comma separated values name,surname,password.

I wanted this script to be run from Orchestrator server – so first thing you need to do if you want to run PS script against Exchange 2010 server you need to install Exchange 2010 console on Orchestartor! Hey! You need to install also SP2 if you want full functionality of Exchange Powershell Snapin!

You can not run Exchange Snapin and powershell scripts directly – Jure has more info how you can do it in Orchestrator

When this thing worked (I forgot SP2 for Exchange 2010 on Orchestrator and I lost 2 hours to figure it out! 🙂 ) I have started to write code for my website where I want to trigger my runbook with parameters…

I have fist set input parameters in my Runbook…

After that I have folowed this article to create costum class file (search for part Creating the custom interface).

So I created (name it however you want in a previous step) and imported it in my Visual Studio evironment…

You need to place it:

You should comment this line to get it work in your project…

and finaly you can go to your project and start coding…

1. Put the URL of your Orch web service
2. Enter credentials
3. Define the name of your runbook
4. runbookpars [X] – X is ID of the input parameter in rubook

and finaly you should be able to run your script…

I find System center Orchestator 2012 as fantastic product that can realy help you automate your IT processes…

So guys let’s automate! 🙂

Help: – thanks to Damien – thanks to Jure
voodoo C# help – thanks to Miha

Hyper-V virtual machine backup script…

Today my friend Marko Cepe sent me his VBS script that does great job to backup virtual machines that are running on Hyper-V.
This script does shut down virtual machine by sending shut down command to machine using integration services, then it waits virtual machine to enter stopped state, after that it does export of the machine and turns the machine back on.


C:SKRIPTE> ExportVM.vbs VMName ExportDirectory


C:SKRIPTE> ExportVM.vbs TestVM X:BackupTestVM

Click, download and enjoy the script.

Comments appreciated…

My contribution to IPv6 day – Configuring IPv6 in Windows server 2008 R2 – video tutorial

My contribution to IPv6 day will be this small “lab” test where I will show you some basic IPv6 configuration that you can do with Windows server 2008 R2.
Here are the videos:

IPv6 day – configuring IPv6 in Windows server 2008 R2 part 1 –
IPv6 day – configuring IPv6 in Windows server 2008 R2 part 2 –

What do we have in our LAB?

1. Windows server 2008 R2 with two network cards:
External – with IPv6, gateway and DNS configured
Internal – with IPv6 address only

External IP has internal class static routed on our Cisco router in front of Windows server external card.

2. Windows 7 machine with single network card that is connected to the same switch as servers’ internal card.

What will we do:

In the fist video:

First we will start with some basic checking of network configuration on server.
Then we will run netsh (I run a command prompt with “Run as administrator”) and go to
netsh / interface / ipv6

with command

show route we can see ipv6 routes currently configured – we would like to enable publishing of route that I have highlighted in the video.

set route PREFIX INTERFACE_NUMBER publish=yes

then we will run an command to enable advertising, to disable address management (so Windows 7 will generate IPv6 without help od DHCPv6) (M flag) and we will disable other stateful configuration (O flag).

set interface INTERFACE_NUMBER adv=enabled managed=disabled other=disabled

Meanwhile we are checking IPv6 connectivity from our Windows 7 machine… Windows 7 is still unable to ping outside the network…

well we need to configure some other stuff on server now… we will enable forwarding on our two interfaces (External and Internal)

set interface INTERFACE_NUMBER forwarding=enabled

still no connectivity from win 7? 🙂

last step that we need to do on our server is to advertise default route to our clients

set interface INTERFACE_NUMBER advertisedefaultroute=enabled

So our Windows 7 sudenly start to recive ICMPv6 echo replyes from some IPv6 machine outside our network WUHU! 🙂

But Windows 7 machine is not able to resolve hostnames to IPV6 addresses – this is becouse we have now global IPv6 address configured and default gateway – so we have connectivity but we are not able to resolve hostnames as we do not have any DNS servers to do that.

On Windows server 2008 R2 I will start the installation of two roles – first DHCP role which I wil configure later and DNS role.

When the roles are installed I will configure so called forwarders on my DNS server so my clients will be able to use my server as a DNS server for their queries.

In the second video:

I will first flush IPv6 configuration on Windows 7 machine by using command
ipconfig /release6
ipconfig /renew6
(is the opposite command to regain IPv6 configuration)

Secondly I will configure DHCPv6 server by starting New Scope wizard under IPv6 settings…

I will configure prefix – this ipv6 prefix of Internal network card

Skip the exceptions and activate the scope…

You will see that Windows 7 still did not ask DHCPv6 servers for address this is becouse managed flag is set to disabled on server so…

in netsh / interface / ipv6 we need to activate managed flag by inserting this command:

set interface INTERFACE_NUMBER managed=enabled

Our Windows 7 machine can now be found in IPv6 leases on our DHCP server – but still it is unable to ping hostnames on the internet… This is becouse our DHCPv6 server is not giving DNS servers as scope options and Other stateful flag is disabled.

So we first need to add DNS Recursive Names Server IPv6 Address in our Scope options and then use netsh command:

set interface INTERFACE_NUMBER other=enabled

Yeeepppeee!!! Our Windows 7 is ready to ping hostnames on the internet – so it is able to surf the IPV6 internet…

When I am finishing this article is 8.6.2011 23:37 – this is my small contribution to IPv6 day so happy IPv6 day to all of you! 🙂

Get IP address of virtual machines running on Hyper-V – FIXED!

Big thank you – goes to Max Trinidad my fellow MVP from Powershell group…
Here is errorless script – much better than mine! 🙂
Copa, paste and save as .ps1 – then run on your Hyper-V server and you will get IP’s of your virtual machines…

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

## – Use Line below to list all your Virtualization Class
#get-wmiobject -namespace “root/virtualization” -list

## – Load filter (or function first)
filter Import-CimXml{

    $CimXml = [Xml]$_
    $CimObj = New-Object -TypeName System.Object
    foreach ($CimProperty in $CimXml.SelectNodes(“/INSTANCE/PROPERTY”)){
        if ($CimProperty.Name -eq “Name” -or $CimProperty.Name -eq “Data”){
            $CimObj | Add-Member -MemberType NoteProperty -Name $CimProperty.NAME -Value $CimProperty.VALUE

## – Collect WMI Virtual information
$getWmiVirtual = Get-WmiObject -Namespace “rootvirtualization” -Query “Select * From Msvm_ComputerSystem” | sort-object elementname

## – Build your results from your collected objects
ForEach($v in $getWmiVirtual){
    $vm = $v.ElementName;
    $VmObj = Get-WmiObject -Namespace “rootvirtualization” -Query “Select * From Msvm_ComputerSystem Where ElementName=’$vm'”;
    $KvpObj = Get-WmiObject -Namespace “rootvirtualization” -Query “Associators of {$VmObj} Where AssocClass=Msvm_SystemDevice ResultClass=Msvm_KvpExchangeComponent”;
    if($KvpObj.GuestIntrinsicExchangeItems -ne $null){
        write-host $vm;
        $KvpObj.GuestIntrinsicExchangeItems | Import-CimXml | where {$_.NAME -match “NetworkAddressIPv4”} | ft;

## – End of Script

Get IP address of virtual machines running on Hyper-V

I have been searching for an easy solution to somehow “scan” virtual machines and get their IP addresses becouse sometimes you need to find your virtual machines and it is more practical to somehow get a whole list of machines + IPs in stead of loging in from machne to machine and check IP… Well it can be done using Powershell… I have encountered an article but the problem is that here you need to put machine name on which you want to get data… I modified this script a bit so it looks like:

Get-WmiObject -Namespace rootvirtualization -Query “Select * From Msvm_ComputerSystem”| sort-object elementname | ForEach-Object {$vm = $_.Elementname
write-host $vm
filter Import-CimXml
    $CimXml = [Xml]$_
    $CimObj = New-Object -TypeName System.Object
    foreach ($CimProperty in $CimXml.SelectNodes(“/INSTANCE/PROPERTY”))
if ($CimProperty.Name -eq “Name” -or $CimProperty.Name -eq “Data”)

         $CimObj | Add-Member -MemberType NoteProperty -Name $CimProperty.NAME -Value $CimProperty.VALUE

$VmObj = Get-WmiObject -Namespace rootvirtualization -Query “Select * From Msvm_ComputerSystem Where ElementName=’$vm'”
$KvpObj = Get-WmiObject -Namespace rootvirtualization -Query “Associators of {$VmObj} Where AssocClass=Msvm_SystemDevice ResultClass=Msvm_KvpExchangeComponent”
$KvpObj.GuestIntrinsicExchangeItems | Import-CimXml
} | where {$_.NAME -match “NetworkAddressIPv4”} | ft

So… Copy paste this script to an text file and save it as getip.ps1 and run it using powershell – it does need any other modules you should only run it on Windows Server where you have Hyper-V role installed… (I do not remember but I think you should enable execution policy for ps1 scripts… If you have truble executing your ps1 check here…)

By the way… This script has an error first virtual machine name will not fit in table (I do not know why 🙂 ) and you will get an error when this script will try to analyze your Hyper-V host machine… I do not know how to solve this two errors if someone out there solves it please provide feedback. 🙂 Thank you!

Windows Server 2008 R2 Foundation on HP ML 110 G6 – SBSBIOSLock

NT Konferenca 2010 is almost here…

While preparing my demos for my sessions I needed to install Windows server 2008 R2 Foundation on an HP ML 110 G6 which was given to me for demos…
After unpacking and starting the server I inserted DVD with installation inside… I get this nice screen telling me Validantih HP Platform Please Wait … 🙂

After a minute I got this error – a popup windows came up with folowing message:


could not find the media

If you want to continue your installation you need to get to HP BIOS and change the value on SATA emulation from RAID to AHCI. It worked for me… Well leave me alone I need to finish my installation. 🙂

Windows server 2008 R2 Active Directory – Recycle Bin Feature

Sometimes you delete user from AD and it could cause a big headache 🙂

Well… No more. Windows server 2008 R2 Beta – which is by the way already publicly available has a new functional level for AD that allows you to activate so called Recycle Bin Feature
In this demo you will se my AD server with a domain called demoadps.local on which I will enable this feature. As I mentioned before – functional level should be Windows server 2008 R2.

Watch the video

First of all you need to enable the feature by typing a Powershell cmdlet/command:

Enable-ADOptionalFeature ‘Recycle Bin Feature’ -Scope Forest -Target ‘domain.local

after that you can check for deleted items by typing:

Get-ADObject -SearchBase “CN=Deleted Objects,DC=domain,DC=local” -ldapFilter “(objectClass=*)” -includeDeletedObjects | FT ObjectGUID,Name -A

This will show you the deleted objects which you can restore by entering:

Restore-ADObject -Identity 6ff46162-15c2-4d42-8e15-2fcac5c8422e

** domain.local should be changed with your domain name
6ff46162-15c2-4d42-8e15-2fcac5c8422e should be changed with a ID that matches your deleted object…

To make it simplier I have recorded a video tutorial to do that…