Remove WINS & Disable Netbios over Tcpip PowerShell

As part of  a recent decommission / security audit, we needed to remove an old WINS server. For desktop client this is fairly easy as they are all assigned through DHCP so it was just a case of removing WINS from the DHCP scope options.

For the hundreds of servers it is set manually, which to remove one by one would take a long time and be pretty boring for the person tasked with it. So I decided the simplest option would be to use PowerShell.

First I wanted to check if servers had WINS enabled so I could reduce the amount of server I would need to run the disable script against.

I am going to use Get-WmiObject and the Win32_NetworkAdapterConfiguration class as this is the simplest way I found to do this in PowerShell.

We will use a text file with a list of server names and a variable called $WINSServer that will be used to filter only network interfaces that have WINS set.

Below is the script to check for WINS and output to PowerShell windows I am just getting all adapters that have WINSPriamryServer value set to the IP in the $WINSServer variable and then selecting the objects to be outputted.

If you wanted to export to a csv or text file just add a | after the WINSPrimaryServer at the end of the script and do either Out-file or Export-csv and the path to export too. 

Below is the script to check WINS:

$comps = Get-Content “C:\Temp\complist.txt”
$WINSServer = “192.168.0.2”
foreach ($comp in $comps){
Write-Warning “Checking $comp”
$NETBios = Get-WmiObject -ComputerName $comp -Class Win32_NetworkAdapterConfiguration -Filter “WINSPrimaryServer=’$WINSServer'”
foreach($net in $NETBios){
$net | Select-Object @{N=”ComputerName”;E={$comp}},IPAddress,DefaultIPGateway,IPSubnet,WINSPrimaryServer
}
}

WINSTo remove the WINS IP and set NetBios option, we will use the set method in the WMI classs.

Below is the script:

$comps = Get-Content “C:\Temp\complist.txt”
$WINSServer = “192.168.0.2”
foreach ($comp in $comps){
Write-Warning “Checking $comp”
$NETBios = Get-WmiObject -ComputerName $comp -Class Win32_NetworkAdapterConfiguration -Filter “WINSPrimaryServer=’$WINSServer'”
foreach($net in $NETBios){
Write-Warning “WINS currently set to $($net.WINSPrimaryServer) on $comp ”
Write-Warning “Removing WINS and Disabling NetBios on Interface $($net.InterfaceIndex) with IP:$($net.IPAddress)”
$NETBios.SetWINSServer(“$Null”,”$Null”) | Out-Null
$NETBios.SetTcpipNetbios(“2”) | Out-Null
}
}

WINS01Once the script has run WINS should be removed and NetBios over Tcpip should be disabled this can be checked under the advanced properties on the NIC.

WINS02

Remove RDS Profile from AD PowerShell

I was having a issue with slow logon times and temporary profile when users where logging on to an Windows RDS 2012 farm. I had a look at the issue and it was down to the RDS profile path in AD being set to use an old decommissioned server.RDS1

Once I found the issue, I need to figure out how many users where affected so the easiest way I could do this was to use PowerShell.

Below is the report script that I used.  The distinguished name used in Get-ADUser -searchbase will need to be update and the export path.  (Test before running any script and also check the quotes and doubles quotes when copying) 

## Get list of Users
$RDUsers = Get-aduser -SearchBase “OU=TestUsers,OU=Users,DC=Domain,DC=Local” -Filter *

## Set Results Array
$Results = @()

foreach ($user in $RDUsers){
$RD = [ADSI]”LDAP://$($user.DistinguishedName)”
if ($RD.Properties.Contains(“userParameters”)){

$profilepath = $RD.psbase.Invokeget(“terminalservicesprofilepath”)
$profileHome = $RD.psbase.Invokeget(“terminalServicesHomeDirectory”)
$props = @{
UserName = $user.SamAccountName
RDSProfile = $profilepath
RDSHome = $profileHome
DistinguishedName = $user.DistinguishedName
}

$Results += New-Object psobject -Property $props
}

else {
Write-Host “No UserParameters set on” $user.SamAccountName -ForegroundColor Green
}
}
$Results | Export-Csv C:\Temp\Logs\RDSProfile.csv -NoTypeInformation

RDS2

Once the script has completed the results will be export to a CSV with all user and there profile pathsRDS3Once we have the list we can either remove manually or the better option use the CSV and remove the profiles using the invokeset method.

Below is the script I used. The script could be run against all AD users but I prefer to limit the amount of object I have to run against. (This will replace values on users so should be fully tested before apply to large amount of users.)

$RDProfile = Import-Csv -Path C:\Temp\Logs\RDSProfile.csv
foreach ($RDU in $RDProfile){
Write-Warning “Removing Profile from $($RDU.UserName)”
$RD = [ADSI]”LDAP://$($RDU.DistinguishedName)”
$RD.psbase.Invokeset(“terminalservicesprofilepath”,”$null”)
$RD.psbase.Invokeset(“TerminalServicesHomeDirectory”,”$null”)
$RD.setinfo()
}

RDS4

After the script has run the profiles should now be cleared.RDS5

Bulk add and remove Office 365 Licences

I recently had a to move around a few thousand EMS licences to enable MFA for Office 365 and Azure, I decided to do two quick scripts to remove and add back the licences to the required users. I thought I would do a quick post on how I moved the licences.

As always any scripts should be tested on a subset of users before running on larger groups to test that they work as expected.

For this script we need the Office365 PowerShell module installed.

To check if the module is installed run

Get-Module -ListAvailable MSOnlineBulkAdd

First step is to get the AccountSKU to do this run

Import-Module MSonline and then Connect-MsolServiceBulkAdd2

Get-MsolAccountSku | Select-Object AccountSkuIdBulkAdd3

To make things easier and more repeatable in case I need to remove or add other licence I am using Out-GridView -PassThru to select the CSV file and also the licence SKU.

First Out-GridView is for the Csv file with UserPrincipalName (UPN)BulkAdd4

The second is to select the SKU to be removedBulkAdd5

Once the two items are selected the script will then runBulkAdd6

The full remove licence script is below. The only part that needs to be updated is the $csv variable to point to the correct folder where the csv files will be kept.
## Bulk Remove EMS licences ##
## Select Csv file
$csv = Get-ChildItem -Path “C:\temp\Office365Licence\Remove\Csv\” -File | Out-GridView -PassThru
## Import Csv
$users = Import-Csv $csv.FullName
## Select Account SKU to be removed
$accountSKU  = Get-MsolAccountSku | Select-Object AccountSkuId | Out-GridView -PassThru
## Loop through each user in the Csv
foreach($user in $users){
Write-Host “Removing $($accountSKU.AccountSkuId) licence from $($user.UserPrincipalName)” -ForegroundColor Yellow
## Remove licence
Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -RemoveLicenses $licenceSKU
}

The add script is the same only I added a check to confirm if the user requires the licence. The only part that needs to be updated is the $csv variable to point to the correct folder where the csv files will be kept.

Just a note on this I was applying the licence to existing users who where already setup with a usage location so if this is not set the script will error out. 

## Bulk Add EMS licences ##
## Select Csv file
$csv = Get-ChildItem -Path “C:\temp\Office365Licence\Remove\Csv\” -File | Out-GridView -PassThru
## Import Csv
$users = Import-Csv $csv.FullName
## Select Account SKU to be added
$accountSKU  = Get-MsolAccountSku | Select-Object AccountSkuId | Out-GridView -PassThru
## Loop through each user in the Csv
foreach ($user in $users) {
## Check if Licence is already applied
$EMS = Get-MsolUser -UserPrincipalName $user.UserPrincipalName | Select-Object UserPrincipalName, Licenses
if ($EMS.Licenses.AccountSkuId -notcontains “$accountSKU”){
## Add licence
Write-Warning “Adding EMS licnece from $($user.UserPrincipalName)”
Set-MsolUserLicense -userprincipalname $user.UserPrincipalName -AddLicenses $accountSKU
}
else
{
## Licence already applied
Write-Host “$($user.UserPrincipalName) has $($accountSKU) licence assigned” -ForegroundColor Green
}
}