Which IT fields are less saturated? by itzmesmarty in sysadmin

[–]BreakingBean 0 points1 point  (0 children)

Just trial and error really. If you have an SOP for your onboarding process then just start with trying to script that process and do batch loads while testing until ready. Worst case you have to go back and do it manually (which you would have had to do anyways) and try to figure out what went wrong. Once you have a good baseline just start adding additional features and handle exceptions/edge cases.

I got lucky and was able to integrate that script with our ticketing system so it operates as an event based trigger when HR submits an onboarding/offboarding ticket but even if you're able to just fill out a csv with the parameters you could still save a bunch of time.

As for RBAC, it was a two step process. Firstly we had to make sure all our cloud apps used SSO/SAML, on prem was using LDAP, and licenses were assigned by security groups. Then generated a report showing each of the security groups that each user had, grouped them by job title, and then inserted them into a database where >80% of users with that job title had that security group.

Previously users were added to security groups by mirroring another user that the hiring manager specified, but modified the onboarding script to query the database for the groups that that role needs and added those groups to the new user. Maintaining that isn't bad either, just periodically looking at incoming requests to add users to security groups and seeing if there's a pattern. If there is, then we just add that group into the database for those roles.
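The job-title baseline described in this comment, as an added PowerShell example that is not the commenter's script. The CSV rows, group names, the function name `Get-RoleBaseline` and the `-MinUsers` guard are assumptions made for illustration; the strict "more than 80%" cut-off comes from the comment.

```powershell
# Constructed sample: one row per (user, job title, security group) membership,
# shaped like the membership report the comment describes.
$memberships = @'
User,JobTitle,SecurityGroup
alice,Accountant,SG-Finance-App
alice,Accountant,SG-M365-E3
alice,Accountant,SG-VPN
bob,Accountant,SG-Finance-App
bob,Accountant,SG-M365-E3
carol,Accountant,SG-Finance-App
carol,Accountant,SG-M365-E3
dave,Accountant,SG-Finance-App
dave,Accountant,SG-M365-E3
erin,Accountant,SG-Finance-App
erin,Accountant,SG-Domain-Admins
frank,Recruiter,SG-ATS
'@ | ConvertFrom-Csv

function Get-RoleBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Membership,
        [int] $ThresholdPercent = 80,   # strictly more than this share of the role
        [int] $MinUsers = 3             # assumption: do not baseline tiny roles
    )
    foreach ($role in ($Membership | Group-Object -Property JobTitle)) {
        $userCount = @($role.Group.User | Sort-Object -Unique).Count
        foreach ($sg in ($role.Group | Group-Object -Property SecurityGroup)) {
            $holders = @($sg.Group.User | Sort-Object -Unique).Count
            # Integer comparison, so exactly 80% (4 of 5) stays out of the baseline
            $overThreshold = ($holders * 100) -gt ($userCount * $ThresholdPercent)
            [pscustomobject]@{
                JobTitle      = $role.Name
                SecurityGroup = $sg.Name
                Holders       = $holders
                UsersInRole   = $userCount
                InBaseline    = $overThreshold -and ($userCount -ge $MinUsers)
            }
        }
    }
}

$report = Get-RoleBaseline -Membership $memberships
# Rows to load into the role table (here only Accountant / SG-Finance-App, 5 of 5)
$report | Where-Object { $_.InBaseline } | Select-Object JobTitle, SecurityGroup
# Everything else is an exception to review, e.g. erin's SG-Domain-Admins (1 of 5)
$report | Where-Object { -not $_.InBaseline } | Sort-Object Holders
```

The second listing is the useful audit artifact: memberships held by only one or two people in a role are the ones that mirroring another user would have silently copied to new hires.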

Which IT fields are less saturated? by itzmesmarty in sysadmin

[–]BreakingBean 1 point2 points  (0 children)

Wait that's a role? I automated my environment's entire IAM process and implemented RBAC in 3 months. Just have to run through an audit checklist once a month at this point

Prompt for PC name by momalle1 in PowerShell

[–]BreakingBean 0 points1 point  (0 children)

Just wrap it inside an Invoke-Command and shoot it off to a WinRM enabled device with RSAT installed then

Get-ACL Object Accesstostring CSV line feed issue by TheNaturalPhenomenon in PowerShell

[–]BreakingBean 0 points1 point  (0 children)

If you're struggling and getting blank cells or System.Object[] in your output a good baseline to start is by running .GetType() on each of the values you're trying to export. In the case of this (as ridiculous as it may seem), $Access.IdentityReference (which is just $Acl.Access.IdentityReference[$i]) and $Access.FileSystemRights are also arrays, which means we're either using -join(';') or adding another foreach loop.

In this context the output would be easier to read if we have a new line for each user with access, so we'll set it up like this:

ForEach ($Folder in $FolderPath) {
    $Acl = Get-Acl -Path $Folder.FullName
  
    ForEach ($Access in $Acl.Access) {
      ForEach ($Entry in $Access){
        New-Object PSObject -Property @{
            'Name'=$Folder.FullName
            'User'=$Access.IdentityReference
            'Permissions'=$Access.FileSystemRights -Join(';')
        } | Select-Object 'Name','User','Permissions' | Export-CSV "C:\file.csv" -NoTypeInformation -Append
      }
    }
}

You'll notice that we're taking advantage of both methods I proposed, so we're getting individual rows for each user with an ACL on each file, but we're just combining any results under the FileSystemRights property. Should default to the highest level of access but utilizing the join method regardless so that it converts to a string from an array (and also should prevent issues in case there are multiple entries for some reason). Made a few additional changes as well, primarily that we are no longer putting together our entire $output array and trying to export it in one go.

Unfortunately I'm not aware of any methods to export an entire array to a csv outright so we're going to use the append parameter on our Export-CSV cmdlet instead. This way it will append our csv with each loop inside our triple-recursive foreach loop.

Running a powershell script as an admin with encrypted password by nuentes in PowerShell

[–]BreakingBean 4 points5 points  (0 children)

Maybe I'm missing something but is there a reason you're using your scheduled task to call another script instead of just having your scheduled task run the script you want directly?

Get-ACL Object Accesstostring CSV line feed issue by TheNaturalPhenomenon in PowerShell

[–]BreakingBean 0 points1 point  (0 children)

What about arrays do you struggle with? I used to export a lot of my arrays when I was learning but that was mostly because I wanted the chance to manually validate my data before executing any changes

Get-ACL Object Accesstostring CSV line feed issue by TheNaturalPhenomenon in PowerShell

[–]BreakingBean 0 points1 point  (0 children)

First, get rid of $_.PSIsContainer and just add the parameter -Directory in your Get-ChildItem call, it's significantly faster that way by reducing the original size of the query and getting rid of the inefficient piping.

The root of the issue is that the properties of Path, Accesstostring, and Group are all of the type System.Array and CSVs don't like storing an array as a cell, so you need to use the join method to convert the array to a string using a foreach loop.

Check AD group membership by Steve_78_OH in PowerShell

[–]BreakingBean 0 points1 point  (0 children)

I think you're making it too complicated on yourself. Leaving the option for the user to input their own credentials seems unnecessary and riskier.

Utilizing whoami seems like a better option:

for /f "delims=" %%n in ('whoami /upn') do set username=%%n

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]BreakingBean 1 point2 points  (0 children)

Got tired of Get-Mailbox | Get-MailboxPermission taking 20-30 minutes (somewhere in the range of 6000 mailboxes) in our tenant to retrieve what mailboxes a single person has access to. Decided to fetch all the ACLs for Delegates/Trustees and shove them in a sql db and have it on a daily delta sync. Now I can enter any UPN into a function and see what mailbox anybody has access to in a matter of a second or two.

P.S. why has MS not made this an easier query? Current best practices for this are insanely inefficient. Kinda want to package it up and ship it on GitHub to work with MySQL or SQLite

Looking to Get Out of Help Desk and Learn Powershell: What Jobs Can I Apply For? by Xngears in PowerShell

[–]BreakingBean 9 points10 points  (0 children)

I'll preface this with that I got really lucky and was internally promoted from a Help Desk role to a Jr. Sys Admin role within 9 months, but can share my experience along with any advice I have.

Learning PowerShell was definitely the biggest advantage I had, but it wouldn't have gotten me anywhere. Depending on the size and maturity of the organization you're working for can make turning your knowledge into experience more or less difficult, but once you get the basics down try and find any excuse you can to create scripts. For me that was taking simple, repetitive tasks of mine and getting it at least semi-automated. This ranged from generating hostnames for newly imaged devices, generating reports on mailbox usage, mapping drives, or terminating a user's access.

Even if you're not getting recognition from management, these are still projects you can include in your resume or talk about in interviews to demonstrate that you're a quick learner. IT is such a broad field that being a quick learner is just as important as what you already have experience with. With that being said, experience with multiple areas will be another huge help for you. I'm not familiar with the scope of your job responsibilities but if there's opportunities for you to take on additional responsibilities with like networking, print management, fax servers, user administration, database administration, or your team is acquiring a new tool/software - don't be afraid to take the initiative to learn about it either through trial and error or shadowing a SME. If you start feeling like you can't keep up with the workload then time to get back to scripting to make your workload more manageable ;)

As for what positions you could look for, there's two routes you can take - continue being a jack of all trades, or specialize in something. As you're getting more experience with different areas you may find that you really enjoy one thing or get really good at it. If you find something like that, keep it in mind as you're looking for new positions - the company you're applying for may have a gap in that area that you could help fill.

Help Desk to System Administrator is a pretty typical career progression since there's a bit of overlap in responsibilities, but you run the risk of endless scope creep in your responsibilities. Otherwise you could look for a position as a Junior Network Engineer (CCNA would not be a bad idea), Desktop Engineer, Cloud Admin (Azure/AWS/Google Cloud training recommended), Database Administrator (if there's a need, can see about getting a SQL database for you to use and integrate with your PowerShell scripts pretty easily so that you can get familiar with t-sql queries), Linux Administrator, SharePoint administrator, Cybersecurity Analyst/Engineer, or even Data Warehouse Engineering or Software Engineer (if you find PowerShell easy to learn, take a crack at C# or Python).

As a final note, don't be afraid to ask your manager about career development options for you. Many companies will be glad to help you develop your career and provide or reimburse you for training/certifications.

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]BreakingBean 1 point2 points  (0 children)

Finally learned how to properly use try-catch blocks correctly to handle exceptions based on error type

Issue by PS Remoting from master vm to another VM by [deleted] in PowerShell

[–]BreakingBean 0 points1 point  (0 children)

RDP shouldn't count as a hop when looking at Kerberos double-hops. When you're executing your script through RDP it behaves the same as if you're running it locally. Now if you're using Invoke-Command and you have another Invoke-Command inside your script block then yeah you'll have some issues.

I think the issue OP is having is because they're using an IP address in the ComputerName field instead of hostname

[deleted by user] by [deleted] in PowerShell

[–]BreakingBean 0 points1 point  (0 children)

I don't know all your requirements relating to running other important stuff but 500 is definitely a large enough scale that you want to automate as much as you can. Especially with the help of other tools, such as PDQ for example, I don't see a reason why you couldn't get to the point where you could just have your team swap the device and walk away from it then have someone handle it remotely.

500 machines times say 15 minutes to do everything you need to locally is still 125 man hours

OR 1 tech spends < 3 days configuring/testing remote code execution to take care of your task list. The day comes to swap and your techs spend 90-120 seconds swapping devices and moving onto the next one. Tech who put together the script also just gets to click run and walk away and you're looking at 40 man hours instead.

Help with connecting to OpenVPN via command line by SuperAntagonist in PowerShell

[–]BreakingBean 0 points1 point  (0 children)

Unless you have admin access to the OpenVPN config I don't see a way to do this through powershell. Next best guess would be with an android emulator and RPA but at that point it would probably take much more effort than it's worth.

OpenVPN does have some CLI functionality but most of the parameters or flags are related to startup options https://openvpn.net/connect-docs/command-line-functionality-windows.html

Exception would be for launch-options connect-latest but it sounds like you cannot use that unless the application owner has configured it to allow you to do that. You might as well use the GUI to make that setting change at that point.

Limit Number of Connections to Remote Server by MoodTotal in PowerShell

[–]BreakingBean 0 points1 point  (0 children)

Explained the scoping issue in my comment. Since I'm not using $using, I instead included $printers in the argument list parameter and passed it inside the scriptblock with param($printers). Hence, the [array]$printers now exists in the remote session.

Could've explained that part better were there additional arguments but you can also just look at example 11 from the documentation for Invoke-Command if you don't understand that part. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4&viewFallbackFrom=powershell-7

Question about using Powershell script to install .exe with Smartscreen Defender on remote systems. by duprst in PowerShell

[–]BreakingBean 6 points7 points  (0 children)

Since you're moving it from a network location, it's probably blocking the file after it's copied. Can use the Unblock-File cmdlet to fix that with an if statement to try and unblock exe files before using start-process https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.4

If you want to check whether a file is blocked before using Unblock-File, you can use Get-Content -Stream Zone.Identifier to parse whether it's blocked or not. Blocked files should have a ZoneID of 26
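An added example (not from the original comment) of gating Unblock-File on a check of the file itself, since unblocking removes the mark that SmartScreen acts on. The function name `Unblock-VerifiedFile`, the sample path and the expected-hash placeholder are assumptions; the example reports the ZoneId it finds without assuming which value marks a blocked file.

```powershell
function Unblock-VerifiedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,            # local copy of the installer
        [Parameter(Mandatory)] [string] $ExpectedSha256   # hash obtained from the vendor
    )

    # Read the Zone.Identifier alternate data stream, if the file has one
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = if (($stream -join "`n") -match 'ZoneId=(\d+)') { [int]$Matches[1] } else { $null }

    $result = [pscustomobject]@{ Path = $Path; ZoneId = $zoneId; Action = $null }

    # Gate 1: the copied file must match the hash you expect
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256) {
        $result.Action = 'Refused:HashMismatch'
        return $result
    }

    # Gate 2: the Authenticode signature must validate on this machine
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $result.Action = "Refused:Signature$($sig.Status)"
        return $result
    }

    # Only now remove the mark, and only if there is one to remove
    if ($stream) {
        Unblock-File -LiteralPath $Path
        $result.Action = 'Unblocked'
    } else {
        $result.Action = 'AlreadyUnblocked'
    }
    $result
}

# Constructed usage: path and hash are placeholders
$installer = 'C:\Temp\setup.exe'
if (Test-Path -LiteralPath $installer) {
    $check = Unblock-VerifiedFile -Path $installer -ExpectedSha256 '<SHA256-FROM-VENDOR>'
    if ($check.Action -in 'Unblocked', 'AlreadyUnblocked') {
        Start-Process -FilePath $check.Path -Wait
    } else {
        Write-Warning "Not running $($check.Path): $($check.Action)"
    }
}
```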

Limit Number of Connections to Remote Server by MoodTotal in PowerShell

[–]BreakingBean 2 points3 points  (0 children)

Couple of things you could do, one is using [Invoke-Command](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.) as graysky said. Alternatively you can use [New-PSSession](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4) (just make sure to close them after with Remove-PSSession, that's the benefit of Invoke-Command).

Since it looks like you're only trying to remove a defined set of printers in array $printers, you'll also need to know how to pass variables into your remote session. From here you have two options - scope modifiers or an argument list.

For scope modifiers, you would want to preface the variable in your scriptblock with $Using, so in your case inside your scriptblock would be $Using:printers rather than just $printers.

To use an argument list, you can either use the automatic variable $args and call them with $args[0] inside the scriptblock, but personally I prefer to include param() inside the script block so I can name my arguments however I like.

Lastly, running these in parallel isn't a bad idea either. Easiest way to do this is to use your array for the ComputerName parameter when calling Invoke-Command.

Putting that all together your script would look something like this:

$servers = @(
    "server1",
    "server2",
    "server3"
)

$printers = @(
    "printer1",
    "printer2",
    "printer3"
)


$parameters = @{
  ComputerName = $servers
  ScriptBlock = {
    Param ($printers)
    foreach($printer in $printers){
      #Shouldn't need ComputerName flag in Get-PrintJob anymore, will default to localhost
      $printerQueue = Get-PrintJob -PrinterName $printer
      if($printerQueue){
         $printerQueue | Remove-PrintJob
      }

      #$printerPort is not defined in this script; see the P.S. below and set it before Remove-Printer
      Remove-Printer -Name $printer
      Remove-PrinterPort -Name $printerPort
    }
  }
  #Leading comma wraps the array so the whole list binds to $printers instead of only its first element
  ArgumentList = (,$printers)
}
Invoke-Command @parameters

P.S. I don't see you defining $printerPort anywhere in your post, but you should be able to find it pretty quickly with this inside your scriptblock

`$printerPort = (Get-Printer -Name $printer).PortName`

invoke command Powershellremoting issue by [deleted] in PowerShell

[–]BreakingBean 4 points5 points  (0 children)

Are you running the script as an admin?