Securing the Guest account

Thanks to WMI and well known sids we can query a computer for the status of user accounts, lets start with the simple query seen here:








From the results of the query we can see that the SID of the built in guest account ends in ‘-501’. so if we run the query

Get-WmiObject -Class Win32_UserAccount|where {$_.sid -like "*-501"}

or better yet (accounting for domain accounts)

Get-WmiObject -Class Win32_UserAccount -Filter  "LocalAccount='True'" |where {$_.sid -like "*-501"}

which shows us some simple info about the user

ensuring that we have the correct user we can use the command ‘Net User‘ to set the password. below is what I use to set a complex 20 character random password for the guest account:

Net User ((Get-WmiObject -Class Win32_UserAccount -Filter  "LocalAccount='True'" |where {$_.sid -like "*-501"}).name) (('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+='.ToCharArray()|Get-Random -Count 20) -join "")

Install SCOM agent without the GUI?

SCOM can be a bit of a bear to the newcomer, there are several components that are quirky at best and if its not set up correctly or if you don’t know what you are doing things could go awry very quickly. Thank goodness there is a plethora of PowerShell commandlets for SCOM management and install to make things easier for us.
On the SCOM management server I experimented with the Install-SCOMAgent commandlet, what I found was that with the right parameters I could very quickly install the agent on remote servers with very little input. Lets look at this one liner that installs the SCOM agent on FileServer1 without the need to launch the SCOM console and run the discovery wizard:

Install-SCOMAgent -DNSHostName -PrimaryManagementServer

Just like that the agent installs immediately on FileServer1, no need to wait, no wizard to run, no hassle.

But wait… what if I didn’t have to log onto the SCOM server at all to install the client? Below is a simple function I created which allows you to install the SCOM agent from your desktop using PSRemoting, the only thing you need to know is the name of the SCOM server, and the target server name.

Function Install-SCOMClient{            
Param ([string]$Computer,            
    $RMSSession = New-PSSession –ComputerName $SCOMServer ;             
    Invoke-Command -Session $RMSsession -ScriptBlock {Add-PSSnapin “Microsoft.EnterpriseManagement.OperationsManager.Client”} ;             
    Invoke-Command -Session $RMSsession -ScriptBlock {Install-SCOMAgent -DNSHostName ($args[0] + '.' + $env:USERDNSDOMAIN) -PrimaryManagementServer (Get-SCOMManagementServer) -Verbose} -ArgumentList $computer;            
    Remove-PSSession $RMSSession            
Install-SCOMClient -Computer FileServer1 -SCOMServer SCOM01

It’s one I like to put into my $Profile so its easily accessible to me on my client desktop.

Are those files being accessed?

Building a new file server I wanted to check to see if a particular drive was being used during the day. Luckily Since the days of Server 2003, Windows Server has shipped with an executable openfiles.exe that we can leverage. The bad news is that the executable was written to output the data to the command console and to be discarded, luckily we can use the PowerShell pipeline to interpret the output of openfiles.exe and format it. I have made a PowerShell “One Liner” to quickly retrieve the open files on a server:

$OpenFiles = openfiles /query /fo CSV | Select-Object -Skip 9 | ConvertFrom-Csv -Header "ID","AccessedBy","Type","OpenFile"

The script saves the output of openfiles.exe to the variable $OpenFiles
Let’s dive into the rest of it…
openfiles /query /fo CSV this is the command that can be used with PowerShell or in a command console to export the results to a .csv file (but we don’t really want to save a file)
Select-Object -Skip 9 states that we want to ignore the first 9 lines of the input (like I said, the openfiles.exe command was meant to display on the screen so there’s a bunch of junk in there )
ConvertFrom-Csv -Header “ID”,“AccessedBy”,“Type”,“OpenFile” takes the CSV formatted data and converts it to a PowerShell object so we can manage the data.
So lets run the command on FileServer1 and see if there are any open files on the X:\ drive…

$OpenFiles = openfiles /query /fo CSV | Select-Object -Skip 9 | ConvertFrom-Csv -Header "ID","AccessedBy","Type","OpenFile"            
$OpenFiles | where {$_.OpenFile -like "X:\*"}

Or we could see what a particular user is viewing:
$OpenFiles | where {$_. AccessedBy -like “McCann*”}

Yes you could use the MMC, add the computer management snap in, navigate through, sort, etc, etc…. but the great thing about PowerShell is its remote capabilities, let’s see what we get when we format the script to run remotely on FileServer1…

Invoke-Command -ComputerName FileServer1 -ScriptBlock {            
    $OpenFiles = openfiles /query /fo CSV | Select-Object -Skip 9 | ConvertFrom-Csv -Header "ID","AccessedBy","Type","OpenFile"            
    $OpenFiles | where {$_.OpenFile -like "X:\*"} | Format-Table            

Aren’t computers neat?