Thursday, February 25, 2010

The Power of -Split

I work with Active Directory everyday. Sometimes, when I'm exporting information, I want to be able to break down the distinguishedName property to just give me the actual name. For example, in our environment we create names in AD with LastName, FirstName. The distguishedName for a user name like that ends up looking like this:

cn=Doe\, Jane,ou=users,ou=location,dc=example,dc=com

If I want to get just the name without the escape character or all the extra path info that makes up a distinguished name without PowerShell I'm probably going to copy the whole name to an editor and manually remove everthing to leave just Doe, Jane (probably just easier to type Doe, Jane instead of all of that copying stuff). But what happens if I need to get just the LastName, FirstName of a thousand people. Now I've some problems. I will have to export the DN's from AD, copy them to Word or Excel and then do a bunch of replacements or string manipulation on them.

Or I can write a PowerShell script to give them to me:

function Get-NameFromDN([string]$DN){            
    return ($DN.replace('\','') -split ",*..=")[1]            
Get-QADObject | %{Get-NameFromDN $_.distinguishedName}            

Did you notice that I can split the string with a [regex] delimiter?  That is really cool.  Try the split yourself; paste the string below into a PowerShell prompt and hit enter:

"cn=mygroupobjectname,ou=security groups,ou=location,dc=example,dc=com" -split ",*..="

That produces:

PS C:>"cn=mygroupobjectname,ou=security groups,ou=location,dc=example,dc=com" -split ",*..="            
security groups            

The [regex] expression ",*..=" says find a pattern that matches zero or more commas any two characters and an equal sign.  That would match any of the following:

This pattern becomes my delimiter so that when the split function runs it will split the string where ever it finds the match.  It puts the remaining elements in a zero based array.  Because a DN starts with a pattern match the first element of the array [0] will be empty.  That is why in my Get-NameFromDN function above I retrieve element [1].

PowerShell has a nice help article that explains the full functionality of -split.  I recommend that you read it to see just how powerful -split is.  You can find the help article by issuing the command:

Get-Help about_split

I used this example to show the power of the split operation, but you might be wondering just how practical this is.  Well as it turns out I have a scheduled tasks that runs every week that does a csvde export of ActiveDirectory.  We keep the csv files around for several months just in case we delete a user and need to recreate it we have all the info we need for the recreation.

When you delete a user account all of the group memberships are deleted.  So even if you use tools like ADFind and ADMod or Hyena to restore the account in AD, you will still need to get a list of groups the account belonged to from somewhere.  If you haven't backed up AD you need to query the user and they probably wont know and the whole process becomes time consuming.  That is why I do a csvde export for every domain I manage.  The csvde export creates a column in the csv file called memberof and in that column concatenates the distinguishedNames of all the non-principal groups the account belongs to with a semi-colon.  You can't just copy and paste the groups from the export into ADUC to add the groups, because, as mentioned above, ADUC's add group dialog won't accept distinguished names.  You could create a script to use the DN which would be fine.  But what if, like me, you needed to just supply the groups to your Logical Access team and they don't have any scripting ability.  Well you can run a script like this:

function Get-NameFromDN([string]$DN){            
    return ($DN.replace('\','') -split ",*..=")[1]            
$lastname = ""            
<#The following produces a list of group DNs that are found in the csv for the users with the last name specified.  
To narrow your search you could -match on something else like 'lastname\, firstname' or a whole different column altogether.  
Import-Csv .\adexport.csv | ?{$_.DN -match 'lastname' -and $_.objectclass -eq 'user'} | %{$_.memberof.split(';')}            
<#However, you can't just copy the output, and send it to the LogicalAccess admin to paste in ADUC.  ADUC's add group 
dialog won't accept DN's.  So add the function at the end and now you get a list of names that you can copy and paste in 
an email to your LogicalAccess admin for him/her to create the account with.
Import-Csv .\adexport.csv | ?{$_.DN -match 'lastname' -and $_.objectclass -eq 'user'} | %{$_.memberof.split(';')} | %{Get-NameFromDN $_}             

The first Import-Csv produces a list of group DNs.  I can't use that for ADUC.

The second Import-Csv produces what I want.  Here is what it does.

The second Import-Csv line passes each line of the csv file to the pipeline where a match is performed in both the DN column and the objectclass column.  Once a match is found it grabs the memberof field in the matched line and splits it based on the semi-colon as the delimiter which produces a [string[]] of distinguished names of all the groups the account belonged to.  This array is passed to the pipeline and each DN is passed to the function Get-NameFromDN which uses the powerful -split operation to split the string based on a pattern ",*..=" (which will match ou= or ,ou= or cn= or ,dc= etc...).  The function then returns the second element of the split distinguished name (remember that because a DN starts with my delimiter pattern the first element [0] is empty).  The output produces a list of Group names only, that I pasted into an email and sent to my logical access guy.
I could have piped the group DNs to another function like Get-QADGroup $_, wrapped the function with parentheses, and gotten the name property like this:

...| %{(Get-QADGroup $_).name}

but that was significantly slower so I'd rather run it through my splitting function for speed sake.

You may have noticed in my Get-NameFromDN function I used the replace method.  That is because in my environment we use Lastname, Firstname.  LDAP has to escape the comma in the DN because each path element in the DN is separated by a comma; so commas within an attribute are escaped with a slash (\).  Additionally, csvde escapes the \, again so that it is \\, in the csv file.  The replace method in the function is replacing the escape character with nothing.  That way the list that is produced can be directly used in ADUC.

Of course this is just one example of how you can use the split functionality in PowerShell.  I'm sure that as you do more scripting the knowledge of the power of -split will come in handy.

Have fun.

Tuesday, February 9, 2010

Windows Pentesters Delight--Watch Out Linux Users, Move Over for MS.

Well one of my hobbies is security.  Of course anyone who wants the respect for the Security community should probably learn Linux and the tools that come with Linux.  This has led to me doing some cool stuff with Bash, learning BackTrack, and research and gaining knowledge of the Linux environment.  I've also been taking the course over at  I know that Linux is for serious security guru's (who would laugh at someone that said they use Windows for all their security needs), but I think that PowerShell has the ability to offer viable alternatives to some of the Linux tools.  Just throwing this out there--Linux should watch it or else it may lose it's 'Security' throne to Windows (I'm sure that comment is going to get flamed).

Anyway, take for example Information Gathering Techniques.  The BackTrack distro offers a number of tools to find user info and email info about companies from web sites.  So I was thinking, "How can I start converting some of these tools over to Windows using PowerShell?"  Well here is my start...

One of the first things I was thinking would be nice, would be to grab web pages to search for email addresses or other things.  So here is a quick little function for grabbing web pages:

function Get-WebPage{            
    $WebClient = New-Object System.Net.WebClient            
    $WebPage = $WebClient.DownloadData($Url)            
    return [System.Text.Encoding]::ASCII.GetString($WebPage)            

That little goody will get you the HTML text of the URL you supply.  "What can you do with that?" you ask.  How about getting Google results (if you get permission from Google first of course)...

function Get-GoogleResults{            
    Param(  [string]$Search,            
            [string]$SearchPrefix = "/search?q="            
    Function Get-ResultObject([string]$rTitle,[string]$rUrl){            
        $tempobject = New-Object PSObject -Property @{Title=$null;Link=$null}            
        $tempobject.Title = $rTitle            
        $tempobject.Link = $rUrl            
        return $tempobject            
    $PageNumber = ($PageNumber - 1) * 10            
    $WebSearch = "$site$searchprefix$search`&start=$PageNumber"             
    $regex = [regex]'<h3 class=r>.*?</h3>'            
    $GoogleResults = Get-WebPage $WebSearch            
    $regex.matches($GoogleResults) |             
        %{  $Title = [regex]::replace($_,"<.*?>","")            
            $Link = [regex]::matches($_,'\".*\"')| %{$_.value.trim('`"')}            
            $AllResults += @(Get-ResultObject $Title $Link)            
    return $AllResults            
The Get-GoogleResults will return the Title and link for each search result.  You can supply the page number to get the next page of results.  I.e. Get-GoogleResults 'beer lovers' 3 will retrieve the third page of results from a Google search.

That particular function returns an array of objects with Title and Link as properties.  You can then go through the array get the URL for each link and search it if you want for email addresses.

for($i=1;$i -le 10; $i++){Get-GoogleResults "" $i | %{Get-WebPage $_.Link | %{([regex]'\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*').matches($_) | %{$_.value}}}}

I'm pretty sure there's a couple of Linux tools that'll replace (LOL).

Have fun

Thursday, January 7, 2010

Get-Oneliner | Group it | Sort it | Format it

Well if you read my first post on my blog you will note that I'm not (or wasn't) a fan of one-liners.  I really like structured code; and PowerShell does a great job at letting me do that.  Recently, though, I've had a change of heart (the more I use PowerShell the more I change my views on it).  I've now officially become a fan of one-liners.

I've been reading Dr. Tobias Weltner's book Mastering-PowerShell (I find it to be very well written and super helpful).  Chapter 5 entitled "The PowerShell Pipeline" was very enlightening.  So I wrote a one-liner that gets all AD users and groups them by manager, sorts them and displays them in a nice text tree.  I have two versions.  I wrote the first one because I have a multi-domain forest and some of the mangers are not in the same domain as the users and currently the ActiveDirectory module won't let you search cross domain to my knowledge.  The second example is for a single domain forest.  Both one-liners take into consideration that the user object my not have the manager attribute set.

Example 1 Multi-domain Forest (replace foreigndomain and localdomain with real domain names)
Get-ADUser -filter * -Properties samaccountname, displayname, manager |             
    group {if(($_.manager -ne $null) -and ($_.manager -imatch "dc=localdomain")){            
        (Get-ADObject $_.manager -Properties displayname).displayname            
        if($_.manager -imatch "dc=foreigndomain"){"FOREIGNDOMAINNAME"            
        "UNKNOWN"}}} |             
        sort name |             
        %{$_.Name; "-------------------"; ($_.Group |             
            %{if($_.displayname -ne $null){"`t$($_.displayname)"}else{"`t$($_.samaccountname)"}}); "`n"}

Get-ADUser -filter * -Properties samaccountname, displayname, manager | group {if(($_.manager -ne $null) -and ($_.manager -imatch "dc=localdomain")){(Get-ADObject $_.manager -Properties displayname).displayname}else{if($_.manager -imatch "dc=foreigndomain"){"FOREIGNDOMAINNAME"}else{"UNKNOWN"}}} | sort name | %{$_.Name; "-------------------"; ($_.Group | %{if($_.displayname -ne $null){"`t$($_.displayname)"}else{"`t$($_.samaccountname)"}}); "`n"}            

Example 2 Single-domain Forest
Get-ADUser -filter * -Properties samaccountname, displayname, manager |             
    group {if($_.manager -ne $null){(Get-ADObject $_.manager -Properties displayname).displayname}else{"UNKNOWN"}} |            
    sort name |             
    % { $_.Name;             
        ($_.Group | %{if($_.displayname -ne $null){"`t$($_.displayname)"}else{"`t$($_.samaccountname)"}});            

Get-ADUser -filter * -Properties samaccountname, displayname, manager | group {if($_.manager -ne $null){(Get-ADObject $_.manager -Properties displayname).displayname}else{"UNKNOWN"}} | sort name | % { $_.Name;"-------------------";($_.Group | %{if($_.displayname -ne $null){"`t$($_.displayname)"}else{"`t$($_.samaccountname)"}});"`n"}

Output will be something like this:

PS C:\>Get-ADUser -filter * -Properties samaccountname, displayname, manager | group {if(($_.manager -ne $null) -and ($_.manager -imatch "dc=localdomain")){(Get-ADObject $_.manager -Properties displayname).displayname}else{if($_.manager -imatch "dc=foreigndomain"){"FOREIGNDOMAINNAME"}else{"UNKNOWN"}}} | sort name | %{$_.Name; "-------------------"; ($_.Group | %{if($_.displayname -ne $null){"`t$($_.displayname)"}else{"`t$($_.samaccountname)"}}); "`n"}            

Foreign Domain




You get the idea.

Have fun.!

Monday, January 4, 2010

I definately recommend the PowerShellPack.

When I first started developing for PowerShell I was using the PowerShell ISE that comes with Windows 7.  Mainly because my version of Sapien PrimalScript doesn't support PowerShell v2 with Intellisense.  So I looked all over for a snazzy IDE that gave me full support for PS 2.  I liked Quest's editor (PowerGUI) the best, but it just doesn't work at present with the AD module from Microsoft (go figure--Quest has their own AD tools, which are very robust).  So I checked out Idera's PowerShellPlus.  It is just a bit much for me.  Don't get me wrong.  PowerShellPlus is really amazing and Dr. Tobias Weltner has a really good book (and it's free) to help learn PowerShell, but the IDE is just too much for me (price wise-at least for now).  Also, Sapien's PrimalScript 2009 is supposed to be very good (I've been using 2007 for all my VBScripting for years now and I really like their IDE).

However, the more I used PowerShell ISE the more I enjoyed developing with it. It has a great interactive environment.  I can try out my commands first in the console window then go on the left pane (where I've located the editor in my environment), and type my code when it finally works. It's so simple, yet so powerful.

But...I want intellisense (so I thought).  Also I'm blogging now, and I want to copy my nice color coded script to my blog.  Well there really isn't a need for intellisense in ISE. Microsft allows the script editor to use tab completion (out-of-the-box).  I love tab completion and behaves just like the PS console.  Once you get used to tab completion intellisense becomes annoying (at least in my case it did).

What about my blogging though. Well that is where the PowerShellPack comes in (finally--maybe I should have titled this blog entry something else).  When you install the pack (get it here) it adds a ton of features to the ISE.  I can now copy my code in colored HTML straight to the clipboard so that I can post it in my blog.  Isn't that great!

That's not all the PowerShellPack does.  It comes with 10 modules that let you do all kinds of things.  I'm playing around with building UIs using the new cmdlets around WPF.  Good stuff.  Head over to the main site.  Check out some videos and have fun.

Running PowerShell v2 RTM on Something Other Than Win 7 or Win 2008R2

I know this site is dedicated to running PowerShell v2 RTM on Windows 7 or Windows 2008 R2.  However if you would like to start playing with PowerShell v2 RTM on some other operating system go here.

Have fun.

How to use PowerShell v2 RTM and the ActiveDirectory Module that comes with RSAT.

I noticed that not a lot of people are using the new Active Directory module in PowerShell v2 RTM (ps2rtm).  Maybe it's because you can only take advantage of the AD module if you are running Windows 7.  Windows 7 with AD module and ADWS will let you manage Win 2003 AD but you cannot run the PowerShell AD module on Win XP or 2003. 

I had been avoiding PowerShell until recently for the more familiar (in my case) vbscript for several years now.  I just didn't want to give up vb.  [adsi] in PowerShell didn't seem that much easier than adsi in vbscript.  However, recently a catastrophic event took place in my life (all my work in vb for the last year were gone) which caused me to re-evaluate PowerShell.  I'd been putting it off but now forces were at work that kind of shoved me in that direction.  So I dove in.  I have to say--I am so glad I did.

That said I'm finding that a large majority of the posh community are not using the latest greatest.  I can understand that.  Had I invested a couple of years in ps1 I would be reluctant to move to ps2rtm for production stuff (look at me I didn't even want to move away from vbscript).  Plus I was reluctant to move to Windows 7.  All my colleagues were using Win7 RCx not sure which version.  I waited until RTM and then only installed it on an extra workstation in my office.  Now I run it on my primary workstation--it really is a nice OS.

Anyway, I just wanted to say to moving to ps2rtm and using the new ActiveDirectory module is not that painful (if you are running Windows 7).  It takes all of 15 minutes.  I'm not trying to diminish the value of Quest tools, but really the future of ps2 includes a fully functional, fully featured set of AD tools.  And it's really not that hard to start taking advantage of them (even if you are running a Windows 2003 functional AD environment).

First prepare your AD environment.  Here are the instructions and download.  Read the page carefully.  For Windows 2003 DCs you will need to install two patches (the links for the patches are in the instructions on that page) and you may need to install the latest .Net 3.5 from Microsoft Update site.  Again all of the instructions and prerequisites are found on the page I linked to above.  I'm running a Windows 2003 native AD environment on DCs with Windows 2003 SP2 (no R2 in my environment) and ADWS works great.  You only need one DC running ADWS in each domain.

Next install the RSAT tools in Windows 7.  Installation and instructions are here.  After installing the RSAT tools you need to enable the AD features.

If you have prepared your environment according to the instructions, then, after starting PowerShell enter the command import-module activedirectory

enter get-help *-ad* or get-command -Module ActiveDirectory to see all of the AD functionality that the ActiveDirectory module gives.

Sorry Windows XP users or Windows 2003 server users.  The ActiveDirectory module is not (as of yet) available for those systems.  I saw a number of forums with complaints about that but with no response so not sure if MS will ever make the module available for those systems.

Have fun.