Wednesday, May 16, 2012

Query remote registry for My Documents location

A common question I get is, "Can we move all these users My Documents folder from Server A to Server B"?

"Sure," I'll respond, "we'll just update their AD home directory attribute and have them log off and log back on."

Inevitably, this will fail in some capacity.  The users don't wait for the copy to complete is an example and then it fails and the My Documents is still pointing to their old server.  To correct this issue you can pre-copy the files then when doing the login copy, folder redirection will only copy changed files.  This can still take a while but it's much faster then copying everything, especially with a big directory.

Eventually, I'll get asked, "we want to shut down the old server, can we verify that all the users my docs have been copied off and their computers are pointing to the correct location?"

In order to accomplish this effectively, I wrote a script that runs through a list of computers you give it and it checks the registry and presents you a list of all the network "My Documents" it finds.  This is the script:

:Find-redir.cmd

:This next bit will query the registry to see if they are redirecting already...
del /q "%temp%\redir.txt"


:you need to drop a list of computers on this file.


FOR /F "tokens=*" %%a IN ('type %1') DO (
  echo =============================================== >> "%temp%\redir.txt"
  echo %%a >> "%temp%\redir.txt"
  reg query \\%%a\HKU | findstr /V /C:"_Classes" | findstr /R /V /C:"S-1-5-1[89]" | findstr /R /V /C:"S-1-5-20" | findstr /v /c:".DEFAULT" | findstr /v /c:"!" | findstr  /c:"HKEY_USERS\S" > "%temp%\reg-user.txt"
  for /f "tokens=*" %%A IN ('type "%temp%\reg-user.txt"') DO reg query "\\%%a\%%A\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" | findstr \\\\ >> "%temp%\redir.txt"
  echo =============================================== >> "%temp%\redir.txt"
)
notepad "%temp%\redir.txt"





To use the script; get a list of computers or IP addresses and then run the script as:
find-redir.cmd "list-of-computers.txt"

The list of computers.txt can look like:
192.168.1.1
192.168.1.2
Laptop1
Laptop2

Monday, May 14, 2012

I've had a bit of a battle getting PowerShell to work on creating remote shares with the permissions I want. I think I have it working now in a fairly minimalist fashion.



    #create a share using WMI and PowerShell
    #
    #5/14/2012 - By Trentent Tye
    #
    #To create a share with PowerShell utilizing WMI (so you don't need
    #to use PSRemoting) you need to do the following:
    #1) Create the Win32_Share class
    #2) Create the Security Descriptor for the share
    #3) Create the ACE for the share
    #4) Create the Trustee fo rthe ACE
    #5) Set all the variables
    #6) Create the share.
    #
    #The next lines sets a computer (%cn%) to "EVERYONE FULL CONTROL" on the
    #share "HomeDirs"

    $cshare = [WMIClass]"\\%cn%\root\cimv2:Win32_Share"
    $securityDescriptor = ([WMIClass] "\\%cn%\root\cimv2:Win32_SecurityDescriptor").CreateInstance()
    $ACE = ([WMIClass] "\\%cn%\root\cimv2:Win32_ACE").CreateInstance()
    $Trustee = ([WMIClass] "\\%cn%\root\cimv2:Win32_Trustee").CreateInstance()
    $Trustee.Name = "EVERYONE"
    $Trustee.Domain = $Null
    $Trustee.SID = @(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    $ace.AccessMask = 2032127
    $ace.AceFlags = 3
    $ace.AceType = 0
    $ACE.Trustee = $Trustee
    $securityDescriptor.DACL += $ACE.psObject.baseobject

    #trying to create share...  variables are:
    #,,,(if $Null set to maximum allowed),,,
    $result = $cshare.create("%homeDrive%:\homedirs","homedirs",0,$Null,"Home Directory Share",$Null,$securityDescriptor)
   
}


Enjoy!