Friday, March 2, 2012

Password Expire Email - Powershell

Here's one for you Group Policy Administrators out there. We have a good number of remote users in our organization, and the helpdesk is constantly getting calls about expired passwords. Basically, because they log into their laptops first, then VPN, they never get the prompts warning them their password will expire. So, I created a simple PowerShell script that runs on a server at noon every day.

I'm not a PowerShell guru, so there might be better ways to write this, but this is what I came up with. Basically it searches an OU that you can choose and it finds all accounts where the password will expire in the next 14 days. It will send them an email every day at noon until they change it. The script has a few variables that you will need to put in your own information, like $smtpserver, $to, $from, and -searchroot. Also, make sure the folders are created before you try to run it.

Just copy the text below into a txt file and rename it with a ps1 extension (and take word wrap off...it's easier to read). Then set up a scheduled task that calls the script. Have fun! If you have better ways to do this I'd love to learn!


# get-qaduser comes from the Quest ActiveRoles Management Shell snap-in
add-pssnapin Quest.ActiveRoles.ADManagement -erroraction silentlycontinue

$today = (get-date)
$days_before_expire = 14

# Set once, outside the loop, so the summary email at the end can use them too
$from = '<sender email address>'
$smtpserver = '<EmailServerFQDN>'

# -force recreates the file if a previous run left one behind
new-item -path c:\scripts\passwordexpiredemails\expiredpasswords.txt -type file -force | out-null

# Accounts with no expiry date are skipped so the date arithmetic below cannot fail
$users_to_be_notified = get-qaduser -searchroot 'enter your domain/ou path here' -Enabled -passwordneverexpires:$False | where {$_.passwordexpires -and ($_.passwordexpires -lt $today.adddays($days_before_expire))}
foreach ($user in $users_to_be_notified) {
    $days_remaining = ($user.passwordexpires - $today).days
    $resetby = $user.PasswordExpires.date.tostring('MM/dd/yyyy')
    $to = $user.email
    $subject = "Reminder - Password is expiring in $days_remaining day(s)."
    $body = "<html>
            <head></head>
                <body>
                Your password will expire in $days_remaining day(s). Please change it by $resetby.<BR><BR>
                To reset your password, press CTRL-ALT-DEL and choose 'Change Password'<BR><BR>
                If you have a MobileDevice, please be sure to change your password on the device as well. You can find instructions for changing it on your device here: 'Path To Document in UNC format'<BR><BR>
                If you have any issues, please submit a ticket at 'URL of Ticket System if applicable'<BR><BR>
                Thank You!<BR>
                Help Desk
                </body>
         </html>"

    # Already expired: log the account for the account management group
    if ($days_remaining -le 0) {
        add-content -path 'c:\scripts\passwordexpiredemails\expiredpasswords.txt' -value $user
    }

    # Still valid: remind the user (skipped when the account has no email address)
    if ($days_remaining -gt 0 -and $to) {
        send-mailmessage -bodyashtml -to $to -from $from -subject $subject -body $body -smtpserver $smtpserver
    }

}

# Summary of expired accounts for the account management group
$to = '<AccountManagementGroupEmailAddress>'
$subject = "The following accounts have expired passwords"
$body = "Please see the attached file for the accounts with expired passwords."
send-mailmessage -bodyashtml -to $to -from $from -subject $subject -body $body -attachment 'c:\scripts\passwordexpiredemails\expiredpasswords.txt' -smtpserver $smtpserver

remove-item c:\scripts\passwordexpiredemails\expiredpasswords.txt

Symantec Endpoint Protection - Change Parent Server

This is just a quick post for changing the parent server of a Symantec Endpoint Protection client.  In the past, the parent server could be modified by changing a few registry keys, but since Symantec Endpoint Protection came out, Symantec relies on xml files.  The quickest way to make this change is:

  1. Click on Start-Run
  2. Type in smc -stop (type in the password if you have SEP set up for it)
  3. Navigate to C:\Program Files\Symantec\Symantec Endpoint Protection
  4. Rename Sylink.xml to Sylink.old
  5. Copy an updated Sylink.xml file from the new parent server (or another client that is pointing to the new server)
  6. Click on Start-Run
  7. Type in smc -start
You should be all set.

Thursday, March 1, 2012

Device42 - IP Address Management

For those of you out there relying on Excel spreadsheets to document your company's IP addresses...check this out:

http://www.device42.com/

View 5 Security Gateway - SSL

Ok, after a few months of working with VMware View 5 internally, it was time to get our View Security Gateway up and running. After doing some research, the build of the View Security Gateway is pretty straightforward and VMware has some really good documentation so I'm not going to go through all the steps to getting the server up and running. What I do want to go over is how to set up the Certificate for SSL on the secure gateway. There really isn't a lot of consistent documentation on this, so here's how I got it working...

1.) The first thing we need to do on the View Security Gateway server is to modify the Path environment variable to include the path to the keytool tool. Keytool is what VMware uses to create, import, and modify VMware certificates.
  • Right click My Computer and select Properties
  • Choose Advanced System Settings
  • Click on Environment Variables
  • Under System Variables, select Path and choose Edit
  • Put a ; after the last entry, then add install_directory\VMware\VMware View\Server\jre\bin
  • Click Ok 3 times
2.) Open a command prompt with elevated privileges
3.) Run the following command to create a key
  •  keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360 -keysize 2048
  • When prompted, create a password for the new key file
  • When prompted for your first and last name, enter in the external dns name that will be used to access the view security gateway
  •  Continue to enter in your OU, City, State, Country
4.) Generate the Cert Request
  • keytool -certreq -file filename.csr -keystore keys.p12 -storetype pkcs12 -storepass password (from step 3)
5.) At this point you will need to send your csr file to your CA
6.) Once you have the new cert from the CA, you will need to convert the cert to a p7b file. This is where I ran into some issues.  I had to do this on an XP machine, then copy the p7b file to my 2008 server...my server wouldn't recognize the cert path when I tried to do this...even after importing the root and intermediate certs...weird
  • Open the cer file and click on the Details Tab
  • Click Copy to file
  • Click Next
  • Select Cryptographic Message Syntax Standard - PKCS #7 Certificates (p7b)
  • Also select Include all certificates in the certification path
  • Give the file a name and save it
  • Copy the file to your server
7.) Now that you have a p7b file, you can import it via keytool
  • keytool -import -keystore keys.p12 -storetype pkcs12 -storepass password -keyalg "RSA" -trustcacerts -file filename.p7b
  • you should receive a message stating "Certificate reply was installed in keystore"
8.) Copy keys.p12 to C:\Program Files\VMware\Vmware View\Server\sslgateway\conf
9.) Create a file called locked.properties
10.) Open locked.properties with a text editor and add the following lines
  • keyfile=keys.p12
  • keypass=password
11.) You can either restart the services or restart the box
12.) You should be all set now.
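
One way to confirm the import from step 7 before restarting, and to see who can read keys.p12 and locked.properties (which holds the keystore password in plain text). This is an added example, not part of the original post or VMware's tooling. The function names, the sample listing and view.example.com are constructed, and the field labels assume the `keytool -list -v` output of Java 6 or later.

```powershell
# Added example; function and parameter names are illustrative, not VMware's.
function Test-KeytoolListing {
    param([string]$Text, [string]$ExpectedName)
    $chain = 0
    if ($Text -match 'Certificate chain length:\s*(\d+)') { $chain = [int]$Matches[1] }
    $owner = ''
    if ($Text -match 'Owner:\s*(.+)') { $owner = $Matches[1].Trim() }  # first Owner = server cert
    $cn = 'CN=' + [regex]::Escape($ExpectedName) + '(,|$)'
    New-Object PSObject -Property @{
        HasPrivateKey = [bool]($Text -match 'Entry type:\s*PrivateKeyEntry')
        ChainLength   = $chain
        ChainComplete = ($chain -ge 2)   # 1 = still self-signed, or the p7b lacked the chain
        Owner         = $owner
        NameMatches   = [bool]($owner -match $cn)   # CN must be the external DNS name (step 3)
    }
}

# Lists ACL entries that give broad groups access to the keystore or password file.
function Get-BroadAccess {
    param([string[]]$Path)
    foreach ($p in $Path) {
        (Get-Acl $p).Access |
            Where-Object { $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users' } |
            Select-Object @{n='File';e={$p}}, IdentityReference, FileSystemRights
    }
}

# Constructed sample of `keytool -list -v` output (not from a real server).
$sample = @'
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=view.example.com, OU=IT, O=Example, L=City, ST=State, C=US
Issuer: CN=Example Issuing CA, O=Example CA, C=US
'@
Test-KeytoolListing -Text $sample -ExpectedName 'view.example.com' | Format-List

# On the server, feed it the real listing and check both files:
# $out = & keytool -list -v -keystore keys.p12 -storetype pkcs12 -storepass <password> 2>&1 | Out-String
# Test-KeytoolListing -Text $out -ExpectedName '<external dns name>'
# Get-BroadAccess -Path '<conf folder>\keys.p12', '<conf folder>\locked.properties'
```

Any row returned by Get-BroadAccess means a non-administrative group can read the private key or its password; an empty result is the desired outcome.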