Administrator

PowerShell: Check for user accounts running Windows Services

Recently I worked with a client to validate that if a user account were to be disabled that it wasn’t going to break any of their currently running applications. You can be bitten by an accidental miss-configuration where an end-users account is running a Windows Service or possibly at a lower level in a specific application such as SQL Server jobs. Luckily with the Power of PowerShell, we can conquer the Windows Services! It is also possible to create a SQL Query or even PowerShell scripts to query SQL, but we are not covering that in this article.

Checking Windows Services:

The biggest concern I had was the Windows Services. It is easy enough for a junior admin to install SQL and specify their account as the Service Account, THIS IS BAD! However, with some pure PowerShell, we can perform a visual inspection, or with some minor adjustments, we could look for a service running with a specific user.

Get-CimInstance -ComputerName (Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*"' | Select -ExpandProperty Name) -Query "SELECT Name, StartName FROM Win32_Service WHERE StartName <> 'LocalSystem'" | ? { $_.StartName -notlike 'NT AUTHORITY*' -and $_.StartName -notlike 'NT SERVICE*' } | Select Name, StartName, PSComputerName

In the above example, we are using a parenthetical command along with the Get-CimInstance Cmdlet. The command that executes first is the Get-ADComputer. This command requires the ActiveDirectory module is available on your computer system. It uses the filter parameter to look for any computer that is running Windows Server (any version).

Then it passes those values to the Get-CimInstance, which performs an initial WQL Query, which doesn’t allow and statements. Therefore, we have to pipe it’s returned values to a where statement which continues filtering for us. The end of the command provides the service name, the user account running it, and the computer this service is on.

I was able to run this against the client’s environment, and within a few minutes, we knew it was safe to disable the account.

GriffinMonitor Module v1.5 – Additional Functionality

This evening I’ve decided to add additional functionality to the GriffinMonitor Module. I noticed that I am filling up my storage on my lab server fairly quickly. With that in mind I knew I needed to know once I am about to max it out. I’ve decided to write a fairly simple alert for remaining disk space per volume. Before we dive into how to use the cmdlet and the code itself please reference the previous blog post on Monitoring Storage Pool Health – GriffinMonitor Module.

Using Alert-GMLowDiskSpace:

This cmdlet is very similar to the Alert-GMUnhealthyStoragePool as it has 3 mandatory parameters. There is a 4th parameter that is optional so you can specify the threshold at which it alerts. As I mentioned in the previous blog post at some point I intend to add additional functionality for TLS or SSL secured SMTP servers along with the ability to pass authentication. That functionality is still not there, but it is still on my to-do list.

Example:

Alert-GMLowDiskSpace -SMTPServer smtp.example.com -ToAddress Joe@example.com -FromAddress alert@example.com

-OR-

Alert-GMLowDiskSpace -SMTPServer smtp.example.com -ToAddress Joe@example.com -FromAddress alert@example.com -PctThreshold 15

 The Module Code:

#Requires -Version 3 
#Requires -Module Storage

<#
 # Module Name: GriffinMonitor.psm1
 # Created: 05/22/2014
 # Version: 1.5
 # Author: Matt Griffin (MattBlogsIT.com)
 # Purpose: This Module is a set of custom cmdlet's that are used to alert of potential health concerns in your Windows Environment
 # Legal: This module was built by Matt Griffin for use in his home lab environment. This module comes with no warranty or guarantee. 
 #        This module is provided to be used at your own risk and will not have any support backing it up.
 # History: Matt Griffin 06/18/2014
            Corrected some typo's, added new cmdlet called Alert-GMLowDiskSpace

            Matt Griffin 05/22/2014
 #          Initial creation of Module with first cmdlet Alert-GMUnhealthyStoragePool
 #>

function Alert-GMUnhealthyStoragePool
{
    <#
    .Synopsis
       This cmdlet will check all of your local systems storage pools and send you can alert when one of them enters a state other than healthy.
    .DESCRIPTION
       This cmdlet will check all of your local systems storage pools and send you can alert when one of them enters a state other than healthy. The alert will be sent through email.
    .PARAMETER SMTPServer
       This parameter will be used to specify a standard SMTP Server that doesn't require SSL or TLS.
    .PARAMETER ToAddress
       This parameter will be used to specify the email address to which the alert messages will be sent.
    .PARAMETER FromAddress
       This parameter will be used to specify the email address from which the alert messages will be sent.
    .EXAMPLE
       Alert-GMUnhealthyStoragePool -SMTPServer smtp.example.com -ToAddress Joe@example.com -FromAddress alert@example.com
    #>
    [CmdletBinding()]
    [OutputType([int])]
    Param(
        # SMTPServer This parameter specifies the SMTP Server to utilize when alerting of unhealthy Storage Pool
        [Parameter(Mandatory=$true,Position=0)]
        $SMTPServer,
        
        # ToAddress This is the email address that the alert message will be sent to
        [Parameter(Mandatory=$true,Position=1)]
        $ToAddress,

        # FromAddress This is the email address that the alert message will be sent to
        [Parameter(Mandatory=$true,Position=2)]
        $FromAddress
    )
    #Import Required PowerShell Module
    Import-Module -Name Storage

    $storagePools = Get-StoragePool

    foreach($pool in $storagePools){
        if($pool.HealthStatus -ne "Healthy" -and $pool.IsPrimordial -ne "True"){

            $physicalDisks = $pool | Get-PhysicalDisk | 
            Select FriendlyName, Manufacturer, Model, SerialNumber, OperationalStatus, HealthStatus, Usage, Size | ConvertTo-Html

            #Create hash table to splat for Send-MailMessage
            $mailMessageParams = @{'SmtpServer'=$SMTPServer;
                                   'From'=$FromAddress;
                                   'To'=$ToAddress;
                                   'Subject'="The Storage Pool $($pool.FriendlyName) is currently $($pool.HealthStatus) on $env:computername";
                                   'Body'=($physicalDisks | Out-String);
                                   'BodyAsHtml'=$true}

            Send-MailMessage @mailMessageParams
        }
    }
}

function Alert-GMLowDiskSpace
{
    <#
    .Synopsis
       This cmdlet will check all of your local systems volumes and send you can alert when one of them reaches a specified threshold.
    .DESCRIPTION
       This cmdlet will check all of your local systems volumes and send you can alert when one of them reaches a specified threshold. The default threshold is 10.
    .PARAMETER SMTPServer
       This parameter will be used to specify a standard SMTP Server that doesn't require SSL or TLS.
    .PARAMETER ToAddress
       This parameter will be used to specify the email address to which the alert messages will be sent.
    .PARAMETER FromAddress
       This parameter will be used to specify the email address from which the alert messages will be sent.
    .PARAMETER PctThreshold
       This parameter is the threshold the remaining space must reach before sending an email, by default it is 10.
    .EXAMPLE
       Alert-GMLowDiskSpace -SMTPServer smtp.example.com -ToAddress Joe@example.com -FromAddress alert@example.com
    .EXAMPLE
       Alert-GMLowDiskSpace -SMTPServer smtp.example.com -ToAddress Joe@example.com -FromAddress alert@example.com -PctThreshold 15
    #>
    [CmdletBinding()]
    [OutputType([int])]
    Param(
        # SMTPServer This parameter specifies the SMTP Server to utilize when alerting of unhealthy Storage Pool
        [Parameter(Mandatory=$true,Position=0)]
        $SMTPServer,
        
        # ToAddress This is the email address that the alert message will be sent to
        [Parameter(Mandatory=$true,Position=1)]
        $ToAddress,

        # FromAddress This is the email address that the alert message will be sent to
        [Parameter(Mandatory=$true,Position=2)]
        $FromAddress,

        # PctThreshold is the threshold the remaining space must reach before sending an email
        [Parameter(Mandatory=$false,Position=3)]
        $PctThreshold=10
    )
    #Import Required PowerShell Module
    Import-Module -Name Storage

    $volumes = Get-Volume

    foreach($volume in $volumes){
        if($volume.DriveType -eq "Fixed"){
            #Calculating the amount of space remaining as a percentage
            $pctRemaining = "{0:N2}" -f ($volume.SizeRemaining/$volume.Size*100)

            if($pctRemaining -le $pctThreshold){
                $output = $volume | 
                Select DriveLetter, FileSystemLabel, FileSystem, HealthStatus, @{N="PctRemaining";e={$pctRemaining+"%"}} | 
                ConvertTo-Html

                #Create hash table to splat for Send-MailMessage
                $mailMessageParams = @{'SmtpServer'=$SMTPServer;
                                       'From'=$FromAddress;
                                       'To'=$ToAddress;
                                       'Subject'="The Volume $($volume.DriveLetter): has $pctRemaining% remaining on $env:computername";
                                       'Body'=($output | Out-String);
                                       'BodyAsHtml'=$true}

                Send-MailMessage @mailMessageParams
            }
        }
    }
}

 Update Instructions:

  1. Open C:\Users\<username>\Documents\WindowsPowerShell\Modules\GriffinMonitor with the PowerShell ISE or your favorite text editing document
  2. Replace the code with the above script
  3. Create a Scheduled Job for the new PowerShell cmdlet
    1. #The below PowerShell commands will schedule the cmdlet to run every 30 minutes using the SMTPServer xxx.xxx.xxx.xxx, emailing to joe@example.com and coming from noreply@example.com - Make sure you update the parameter values.
      $trig = New-JobTrigger -Once -At "5/22/2014 0am" -RepetitionInterval (New-TimeSpan -Minute 30) -RepetitionDuration ([TimeSpan]::MaxValue)
      Register-ScheduledJob -Name CheckStoragePoolHealth -ScriptBlock { Alert-GMLowDiskSpace -SMTPServer xxx.xxx.xxx.xxx -ToAddress joe@example.com -FromAddress noreply@example.com} -Trigger $trig

Installation Instructions:

  1. Navigate to C:\Users\<username>\Documents\WindowsPowerShell\Modules\GriffinMonitor
    1. (Note: If the directory doesn’t exists you must create it.)
  2. Save the above code in a file named GriffinMonitor.psm1 under the above directory
  3. Create a Scheduled Job using PowerShell
    1. #The below PowerShell commands will schedule the cmdlet to run every 30 minutes using the SMTPServer xxx.xxx.xxx.xxx, emailing to joe@example.com and coming from noreply@example.com - Make sure you update the parameter values.
      $trig = New-JobTrigger -Once -At "5/22/2014 0am" -RepetitionInterval (New-TimeSpan -Minute 30) -RepetitionDuration ([TimeSpan]::MaxValue)
      Register-ScheduledJob -Name CheckStoragePoolHealth -ScriptBlock { Alert-GMLowDiskSpace -SMTPServer xxx.xxx.xxx.xxx -ToAddress joe@example.com -FromAddress noreply@example.com} -Trigger $trig

Once it is scheduled, keep an active eye on your inbox for when your Storage Pool goes unhealthy!

Miscellaneous Notes:

  • This module was built and tested using PowerShell v4 on Server 2012 R2 running a single Storage Pool.
  • This module “should” work with Server 2012 running PowerShell v3 with one or many Storage Pools
  • This module comes with no guarantee or support, this is a run at your own risk and I take no responsibility for any repercussions that may occur by running this.
    • With that being said I’ll try my best to assist anyone who may have questions if you post in the comments of this thread.

Exploring Windows Management Framework 5.0 May 2014 Preview

The Windows Management Framework 5.0 Preview was released in early April, and an update to it was posted during Microsoft TechEd in May. Some major things are changing with PowerShell; the main one being that new versions of PowerShell are not going to be tied to major OS releases. PowerShell will be released as it is ready, and then added into the OS for the latest version.

Two of the major changes with PowerShell v5.0 include two new modules; the OneGet Module and the PowerShellGet Module. In this blog post we are going to explore some of the basics for these modules. If you would like to play with the Windows Management Framework 5.0, if can be downloaded from the Microsoft Download Center. Please note that this is preview code and should not be used in production. You are using this at your own risk and I strongly encourage testing it on the VM until the final code is released.

Please note that this is just a very quick overview of the modules and we will dive into more depth on them in upcoming blog posts.

psv5

Monitoring Storage Pool Health – GriffinMonitor Module

There have been times in the past (more than I like to remember) where I’ve had a hard drive fail, a raid 5 fail, and eventually I am sure I’ll have a Storage Pool fail at some point with my lab environment. The best way to avoid this is by introducing active and heavy monitoring. In my work world I am very good and forward thinking when it comes to this; however no matter how many times it happens in my home environment I still fail at maintaining the system.

When Server 2012 was released with the introduction of Storage Pools I had just lost my RAID 5, I decided it was the right time to implement Storage Pools as my primary storage at home. It uses parity which is basically a software raid, and I was able to use cheap consumer drives along with USB drives (YAY! more space since I was out of it inside of the server.)

I’ve been running Storage Pools for over a year, knowing one major issue with my setup. I have absolutely no monitoring in place, and if I were to have a drive fail it could be weeks… maybe months before I realize an issue exists. I recently went through updating my home lab from Server 2012 to 2012 R2 and decided I needed to stop fooling around with my data and get some monitoring in place.

Well the first issue came along… how am I going to monitor my Storage Pool? Sadly there is no easy alerting of an unhealthy Storage Pool built in… I’m sure there are third party tools, but do I really want to go through the hassle of setting that up for just my Storage Pool? The good news is that PowerShell has some fantastic cmdlet’s available for working with storage.

When I started building my monitoring solution I initially thought… a simple script on a scheduled task will get the job done. As I built it out, I decided that I needed to go further than I have in the past, I needed to build a cmdlet, then once I finished that I thought why stop there? Why not built my first module? This module currently only contains a single PowerShell cmdlet, but as time goes on I hope to build out many more that I can continue to use in my environment at home. Below is the entire source of the psm1 file that is stored in my Modules directory along with installation instructions and directions on how to use the cmdlet.

Using Alert-GMUnhealthyStoragePool:

This is a fairly straightforward cmdlet, only 3 mandatory parameters and it works. There are quite a few restrictions surrounding the SMTP Server including it cannot use TLS or SSL (Currently) and it doesn’t accept Authentication. These will be added in the future but for the first iteration of it I was going for quick and dirty for a lab environment.

Example:

Alert-GMUnhealthyStoragePool -SMTPServer smtp.example.com -ToAddress Joe@example.com -FromAddress alert@example.com

 The Module Code:

#Requires -Version 3 
#Requires -Module Storage
<#
 # Module Name: GriffinMonitor.psm1
 # Version: 1.0
 # Created: 05/22/2014
 # Author: Matt Griffin (MattBlogsIT.com)
 # Purpose: This Module is a set of custom cmdlet's that are used to alert of potential health concerns in your Windows Environment
 # Legal: This module was built by Matt Griffin for use in his home lab environment. This module comes with no warranty or guarantee. 
 #        This module is provided to be used at your own risk and will not have any support backing it up.
 # History: Matt Griffin 05/22/2014
 #          Initial creation of Module with first cmdlet Alert-GMUnhealthyStoragePool
 #>
function Alert-GMUnhealthyStoragePool
{
    <#
    .Synopsis
       This function will check all of your local systems storage pools and send you can alert when one of them enters a state other than healthy.
    .DESCRIPTION
       This function will check all of your local systems storage pools and send you can alert when one of them enters a state other than healthy. The alert will be sent through email.
    .PARAMETER SMTPServer
       This parameter will be used to specify a standard SMTP Server that doesn't require SSL or TLS.
    .PARAMETER ToAddress
       This parameter will be used to specify the email address to which the alert messages will be sent.
    .PARAMETER FromAddress
       This parameter will be used to specify the email address from which the alert messages will be sent.
    .EXAMPLE
       Alert-GMUnhealthyStoragePool -SMTPServer smtp.example.com -ToAddress Joe@example.com -FromAddress alert@example.com
    #>
    [CmdletBinding()]
    [OutputType([int])]
    Param(
        # SMTPServer This parameter specifies the SMTP Server to utilize when alerting of unhealthy Storage Pool
        [Parameter(Mandatory=$true,Position=0)]
        $SMTPServer,
        
        # ToAddress This is the email address that the alert message will be sent to
        [Parameter(Mandatory=$true,Position=1)]
        $ToAddress,

        # FromAddress This is the email address that the alert message will be sent to
        [Parameter(Mandatory=$true,Position=2)]
        $FromAddress
    )
    #Import Required PowerShell Module
    Import-Module -Name Storage

    $storagePools = Get-StoragePool

    foreach($pool in $storagePools){
        if($pool.HealthStatus -ne "Healthy" -and $pool.IsPrimordial -ne "True"){

            $physicalDisks = $pool | Get-PhysicalDisk | 
            Select FriendlyName, Manufacturer, Model, SerialNumber, OperationalStatus, HealthStatus, Usage, Size | ConvertTo-Html

            #Create hash table to splat for Send-MailMessage
            $mailMessageParams = @{'SmtpServer'=$SMTPServer;
                                   'From'=$FromAddress;
                                   'To'=$ToAddress;
                                   'Subject'="The Storage Pool $($pool.FriendlyName) is currently $($pool.HealthStatus) on $env:computername";
                                   'Body'=($physicalDisks | Out-String);
                                   'BodyAsHtml'=$true}

            Send-MailMessage @mailMessageParams
        }
    }
}

Installation Instructions:

  1. Navigate to C:\Users\<username>\Documents\WindowsPowerShell\Modules\GriffinMonitor
    1. (Note: If the directory doesn’t exists you must create it.)
  2. Save the above code in a file named GriffinMonitor.psm1 under the above directory
  3. Create a Scheduled Job using PowerShell
    1. #The below PowerShell commands will schedule the cmdlet to run every 30 minutes using the SMTPServer xxx.xxx.xxx.xxx, emailing to joe@example.com and coming from noreply@example.com - Make sure you update the parameter values.
      $trig = New-JobTrigger -Once -At "5/22/2014 0am" -RepetitionInterval (New-TimeSpan -Minute 30) -RepetitionDuration ([TimeSpan]::MaxValue)
      Register-ScheduledJob -Name CheckStoragePoolHealth -ScriptBlock { Alert-GMUnhealthyStoragePool -SMTPServer xxx.xxx.xxx.xxx -ToAddress joe@example.com -FromAddress noreply@example.com} -Trigger $trig

Once it is scheduled, keep an active eye on your inbox for when your Storage Pool goes unhealthy!

Miscellaneous Notes:

  • This module was built and tested using PowerShell v4 on Server 2012 R2 running a single Storage Pool.
  • This module “should” work with Server 2012 running PowerShell v3 with one or many Storage Pools
  • This module comes with no guarantee or support, this is a run at your own risk and I take no responsibility for any repercussions that may occur by running this.
    • With that being said I’ll try my best to assist anyone who may have questions if you post in the comments of this thread.

PowerShell Summit Round Up

I’ve been fairly distant from my blog for quite a few months… work has been very busy and preparing for the PowerShell Summit really took quite a bit of time. On top of all of that I was also traveling to Microsoft TechEd shortly after the PowerShell Summit.

The PowerShell Summit was an amazing event, probably the most well prepared conference I’ve attended. The venue was great, the evening events were very cool and the food was fantastic! I was lucky enough that my presentations were Monday morning, so I was able to relax and enjoy the remainder of the conference.

One fun thing that wasn’t well known is that the Sunday before the conference I did a quick run through my VM’s to validate my demos would work… I started walking through my SharePoint Demo and guess what… no go. Luckily I had all of the media on my local machine, after troubleshooting a bit I gave up and rebuilt the demo day before presenting it. Everything went smoothly the next day.

I was also lucky enough that Aaron Hoover sat in on my PowerCLI: How to Automate Your VMware Environment Reports session and recorded everything. The recording was done on a webcam, so you will see it have to refocus occasionally. I have the slides posted on the blog so you can follow along with those.


It was a great experience presenting at the PowerShell Summit and I hope present in coming years. Now the very exciting information at the Summit did not come from my session, but sessions from Jeffrey Snover and the PowerShell Product team.