As our business continues to focus on providing white labeled Tier 3 IT support services, RMM as a service, and co-managed IT services, this blog will be highlighting tips for using PowerShell to create Office 365 users and add them to groups. We have several clients with high employee turnover, which makes it necessary to create Office 365 users often. We will detail how to find all the data needed to create the proper script for each client (yes, it will take a different script for each client, because the group names differ for each client).
Research
You need to get two pieces of information: the license type used by the organization to create users and the names of the groups to add users to.
To find out the license types in use, run these commands:
Connect-MsolService
Get-MsolAccountSku
To find out all the groups in the organization, run these commands:
Connect-ExchangeOnline
Get-UnifiedGroup | Format-Table Alias
Variables
$displayName = Full user name – usually First name & Last Name
$userPrincipleName = Email address for user
$adminuser = Email address for admin of Office 365 Tenant
$adminpass = Password for admin of Office 365 Tenant
$licenseType = Office 365 license type found in research above
There is also the need for variables for each group you will be adding users to (found in research above). For this example I will be using:
$CompanyShared = Company Shared Contacts
$CompanyTimeOff = Company Time Off Calendar
$BillingPayroll = Billing & Payroll Group Email
Script Snippet
###Use this command to be allowed to use DotNet assemblies
Add-Type -AssemblyName System.web
$displayName = "UserFirst UserLast"
$userPrincipleName = "User@Company.com"
$adminuser = "admin@Company.com"
$adminpass = '@dm1nP4ssw0rd'
$CompanyShared = "yes"
$CompanyTimeOff = "yes"
$BillingPayroll = "no"
###converts admin credentials to useable format for connections to Office 365
$adminpassword = ConvertTo-SecureString -string $adminpass -AsPlainText -Force
$admincred = new-object -typename System.Management.Automation.PSCredential -argumentlist $adminuser, $adminpassword
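Connect-AzureAD -Credential $admincred
Connect-MsolService -Credential $admincred
###Exchange Online connection is needed for the Add-MailboxPermission calls at the end of the script
Connect-ExchangeOnline -Credential $admincred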
$mailNickname = $userPrincipleName.Split("@")[0]
###To find User License Types use Get-MsolAccountSku
$licenseType = "companytenantID:SPB"
###Generates a random password length (Get-Random treats -Maximum as exclusive, so add 1 to include the maximum)
$minPassLength = 8 ## characters
$maxPassLength = 15 ## characters
$passlength = Get-Random -Minimum $minPassLength -Maximum ($maxPassLength + 1)
###Generates a random number of non-alpha characters in the password
$minNonAlphaChars = 1 ## characters
$maxNonAlphaChars = 5 ## characters
$nonAlphaChars = Get-Random -Minimum $minNonAlphaChars -Maximum ($maxNonAlphaChars + 1)
###Creates the password, makes it useable by Azure, sets it up to not require password change, and creates account
$password = [System.Web.Security.Membership]::GeneratePassword($passlength, $nonAlphaChars)
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = "$password"
$PasswordProfile.ForceChangePasswordNextLogin = $false
Write-Host "Password is set to $password for $displayName"
$user = New-AzureADUSer -DisplayName $displayName -PasswordProfile $PasswordProfile -UserPrincipalName $userPrincipleName -mailNickname $mailNickname -AccountEnabled $true
###Waits 5 minutes for the user creation process in Office 365
Start-Sleep -Seconds 300
###Sets additional parameters for account that are needed like location, license type, and sets password to never expire
Get-MsolUser -UserPrincipalName $userPrincipleName | Set-MsolUser -UsageLocation US
Get-MsolUser -UserPrincipalName $userPrincipleName | Set-MsolUserLicense -AddLicenses $licenseType
Get-MsolUser -UserPrincipalName $userPrincipleName | Set-MsolUser -PasswordNeverExpires $True
###Adds new user to groups
if ($CompanyShared -eq "yes")
{ Add-MailboxPermission -Identity companyshared@premieror.com -User $userPrincipleName -AccessRights FullAccess -InheritanceType All}
if ($CompanyTimeOff -eq "yes")
{ Add-MailboxPermission -Identity companytimeoff@premieror.com -User $userPrincipleName -AccessRights FullAccess -InheritanceType All}
if ($BillingPayroll -eq "yes")
{ Add-MailboxPermission -Identity billing_payroll@premieror.com -User $userPrincipleName -AccessRights FullAccess -InheritanceType All}
This script requires that the admin account you use to set up the user has multifactor authentication turned off (I know not secure), so use a really long complex password. The script creates a random password for the new user and writes it to output. The script will take several minutes to run because it waits for the account to finish setup before setting additional parameters and adding the user to groups.
If your company is an MSP or wants to become one and automation just seems out of reach, then contact us to run your RMM for you.
As our business continues to focus on providing white labeled Tier 3 IT support services, RMM as a service, and co-managed IT services, this blog will be highlighting tips for Synology resource monitoring. We have developed best practices for alerting on a Synology device for resources like CPU, Memory, and Disk Usage. When these Synology resource monitoring alerts are consistently triggered, it shows that the device is over-utilized; if they remain triggered for long periods of time, it shows there is an issue on the device itself. We also set up weekly Storage Reports to get an accurate view of the changes and growth going on with client storage.
Setup Notifications
Make sure that Notifications are set up on the Synology first
Open Control Panel
Click on Notifications
Check enable email notifications
Choose Service Provider
Login to Gmail or use Custom SMTP server for Office 365 as the sender
Change Subject to indicate name of device
Add recipient email (Best to use one that ties into a PSA or RMM)
Click Apply
Send a Test Email
Setup Synology Resource Monitoring
Open Resource Monitor app
Click on Performance Alarm to the left
Click on Rules tab
Click Create
Create the following Rules one by one
Volume Critical: Select which volume [create multiple rules if more than one volume], Select Disk I/O utilization, Greater than 90%, Level Critical
Volume Warning: Select which volume [create multiple rules if more than one volume], Select Disk I/O utilization, Greater than 75%, Level Warning
System Memory Critical: Memory Usage, Greater than 90%, Level Critical
System Memory Warning: Memory Usage, Greater than 75%, Level Warning
System CPU Critical: CPU Usage, Greater than 90%, Level Critical
System CPU Warning: CPU Usage, Greater than 75%, Level Warning
Click Settings and check box to Enable usage history then click Save
Setup Storage Reports
Open Storage Analyzer
Select new location
Create new shared folder named Log Files – hide from network
Go back to Storage Analyzer and select new folder
Set volume usage data to be collected Daily at 2am
Create report task
Send to email (Best to use one that ties into a PSA)
Generate reports at Monday 4am
Keep 60 reports then click Next
Select report items
Volume Usage
Shared Folders
Potential Duplicate Files
Large Files
Least Recently Modified Files then click Next
Analyze all folders then click Next
Leave duplicate file defaults then click Next
Click Done
Close App
Once this is set up you will start getting email alerts sent to you or, better yet, to your PSA / RMM for ticket creation and review.
This is the seventh in a series about the concept of Zero Trust, which means in the IT sense that you trust nothing and always verify everything surrounding and connected to your network. Today’s discussion will be on software patching.
Software Patching
Software patching is a necessity because no person who writes code is perfect and hackers are actively looking for these mistakes. The hackers find the mistakes and then develop ways of using them to exploit the software, computer, or whatever else they can gain access to. The only way to combat both the mistakes and the exploits is to discover them before the hackers do and patch the hole in the software. A patch can, however, lead to unforeseen consequences for the software, so a plan for testing and deployment of patches is needed to avoid unexpected downtime for businesses.
Here are some questions to ask:
Do you know all of the hardware and software on your network?
Do you check for hardware, operating system, and other software regularly?
How do you check for updates, patches, or upgrades to software?
How do you install these patches? Is it automated?
Are these patches tested before installation?
What happens if a patch causes problems?
Do you have a log of all installed updates?
Are any systems or software on your network no longer supported for updates?
If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.
As our business continues to focus on providing white labeled Tier 3 IT support services, RMM as a service, and co-managed IT services this blog will be highlighting tips for RMM automation. Here is a script that we came up with to handle a particular client that dumps tons of PDFs into a folder unsorted and wants individual folders created for each unique file name. We have tailored this script to be used not only at that client but for any folder on any Microsoft Windows computer that needs to be sorted in this manner. This script could easily be modified to sort other types of files.
Variables
Here are the variables we are using for this script:
$SourceFolder = This is the target folder to be sorted
Script Snippet
# Defines the folder that sorted data will go into
$TargetFolder = $SourceFolder + " Sorted"
#Defines how to match files with similar names, in this case we put files with the same name then a dash or underscore and other numbers or letters to be placed in the same folder
$MatchRegEx = "[-_]"
#Grabs only the PDF files in the folder being sorted (modify for other extension types or remove filter to sort all files)
Get-ChildItem -Path $SourceFolder -Filter *.pdf |
ForEach-Object {
#Creates folder name for child folders in sorted data
$FileNameFolder = $_.Name -split $MatchRegEx
$ChildPath = Join-Path -Path $FileNameFolder[0].Replace('.pdf','') -ChildPath $_.Name
[System.IO.FileInfo]$Destination = Join-Path -Path $TargetFolder -ChildPath $ChildPath
#Checks if folder exists and if not creates child folder
if( -not ( Test-Path -Path $Destination.Directory.FullName -erroraction silentlycontinue) ){
New-Item -ItemType Directory -Path $Destination.Directory.FullName
}
#Copies file into child folder
Copy-Item -Path $_.FullName -Destination $Destination.FullName
}
This script is non-destructive, meaning that the files are copied and not moved. It prints each new child folder it creates to the screen.
As our business continues to focus on providing white labeled Tier 3 IT support services, RMM as a service, and co-managed IT services this blog will be highlighting tips for RMM automation. Here is one of the recent scripts we added to our RMM. We often find ourselves wanting to modify the registry for all users:
Variables
It is important not to store variable values in scripts, especially when they are credentials for a user on the local computer, so make sure to define variables accordingly. This script has no variables like that, but we wanted to explain some that are in the script:
$PatternSID = this is the Regular Expression pattern for the Security ID of the users to look for (found it was different for local / domain vs. Azure)
$ProfileList = List of SIDs and other information from the HKLM folders
$LoadedHives = List of logged in users from HKU
$UnloadedHives = List of not logged in users from HKU
Script Snippet
# Regex pattern for Local or Domain SIDs
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
# Get Username, SID, and location of ntuser.dat for all users
$ProfileList = gp 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object {$_.PSChildName -match $PatternSID} |
Select @{name="SID";expression={$_.PSChildName}},
@{name="UserHive";expression={"$($_.ProfileImagePath)\ntuser.dat"}},
@{name="Username";expression={$_.ProfileImagePath -replace '^(.*[\\\/])', ''}}
# Get all user SIDs found in HKEY_USERS (ntuser.dat files that are loaded)
$LoadedHives = gci Registry::HKEY_USERS | ? {$_.PSChildname -match $PatternSID} | Select @{name="SID";expression={$_.PSChildName}}
# Get all users that are not currently logged in (Where-Object keeps UserHive and Username and, unlike Compare-Object, does not error when either list is empty)
$UnloadedHives = $ProfileList | Where-Object {$_.SID -notin $LoadedHives.SID}
# Loop through each profile on the machine
Foreach ($item in $ProfileList) {
# Load User ntuser.dat if it's not already loaded
IF ($item.SID -in $UnloadedHives.SID) {
reg load HKU\$($Item.SID) $($Item.UserHive) | Out-Null
}
#####################################################################
# This is where you can read/modify a users portion of the registry
# This example checks for a key, adds it if missing, and creates / changes a DWORD in that key
"{0}" -f $($item.Username) | Write-Output
If (!(Test-Path registry::HKEY_USERS\$($Item.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement)) {
New-Item -Path registry::HKEY_USERS\$($Item.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement -Force | Out-Null
}
Set-ItemProperty registry::HKEY_USERS\$($Item.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement -Name "ScoobeSystemSettingEnabled" -Value "0" -Type DWord
#####################################################################
# Unload ntuser.dat
IF ($item.SID -in $UnloadedHives.SID) {
### Garbage collection and closing of ntuser.dat ###
[gc]::Collect()
reg unload HKU\$($Item.SID) | Out-Null
}
}
# Regex pattern for AzureAD SIDs
$PatternSID = 'S-1-12-1-\d+-\d+\-\d+\-\d+$'
# Get Username, SID, and location of ntuser.dat for all users
$ProfileList = gp 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object {$_.PSChildName -match $PatternSID} |
Select @{name="SID";expression={$_.PSChildName}},
@{name="UserHive";expression={"$($_.ProfileImagePath)\ntuser.dat"}},
@{name="Username";expression={$_.ProfileImagePath -replace '^(.*[\\\/])', ''}}
# Get all user SIDs found in HKEY_USERS (ntuser.dat files that are loaded)
$LoadedHives = gci Registry::HKEY_USERS | ? {$_.PSChildname -match $PatternSID} | Select @{name="SID";expression={$_.PSChildName}}
# Get all users that are not currently logged in (Where-Object keeps UserHive and Username and, unlike Compare-Object, does not error when either list is empty)
$UnloadedHives = $ProfileList | Where-Object {$_.SID -notin $LoadedHives.SID}
# Loop through each profile on the machine
Foreach ($item in $ProfileList) {
# Load User ntuser.dat if it's not already loaded
IF ($item.SID -in $UnloadedHives.SID) {
reg load HKU\$($Item.SID) $($Item.UserHive) | Out-Null
}
#####################################################################
# This is where you can read/modify a users portion of the registry
# This example checks for a key, adds it if missing, and creates / changes a DWORD in that key
"{0}" -f $($item.Username) | Write-Output
If (!(Test-Path registry::HKEY_USERS\$($Item.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement)) {
New-Item -Path registry::HKEY_USERS\$($Item.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement -Force | Out-Null
}
Set-ItemProperty registry::HKEY_USERS\$($Item.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement -Name "ScoobeSystemSettingEnabled" -Value "0" -Type DWord
#####################################################################
# Unload ntuser.dat
IF ($item.SID -in $UnloadedHives.SID) {
### Garbage collection and closing of ntuser.dat ###
[gc]::Collect()
reg unload HKU\$($Item.SID) | Out-Null
}
}
Checking whether each item already exists helps the RMM to get the proper exit code and not show the script as failed when run.
As our business continues to focus on providing white labeled Tier 3 IT support services, RMM as a service, and co-managed IT services, this blog will be highlighting tips for RMM automation. Here is one of the recent scripts we added to our RMM. We often find ourselves creating a local user and network share for an SMB scanner on the customer network. Here is the script we created to automate this process:
Variables
It is important not to store variable values in scripts, especially when they are credentials for a user on the local computer, so make sure to define variables accordingly. Here are the variables we are using for this script:
$ScanDir = the local directory (c:\scans) where the scanner will store files via SMB
$Username = username for the new local user account
$Password = password for the new local user account
Script Snippet
#Change password to useable by powershell and create new user if it does not already exist
$Pass = ConvertTo-SecureString $Password -AsPlainText -Force
if(!(gwmi -class Win32_UserAccount | Where {$_.Name -eq $Username}))
{
New-LocalUser -Name $Username -Password $Pass -PasswordNeverExpires
Write-Host "User has been created successfully"
}
else
{
Write-Host "The given user: $Username already exists"
}
#Create scans directory specified if it does not already exist.
if(!(Test-Path -path $ScanDir))
{
New-Item -ItemType directory -Path $ScanDir
Write-Host "Folder path has been created successfully at: " $ScanDir
}
else
{
Write-Host "The given folder path $ScanDir already exists"
}
#Create scans share if it does not already exist
if(!(Get-SMBShare -Name scans -ea 0))
{
New-SMBShare -Name "scans" -Path $ScanDir -FullAccess everyone
Write-Host "The scans Share has been created successfully"
}
else
{
Write-Host "The scans share already exists"
}
#Set network profile to Private to allow SMB communication on all currently attached networks
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private
Checking whether each item already exists helps the RMM to get the proper exit code and not show the script as failed when run. Please notice that the script changes the network profile to Private, which may need to be altered to DomainAuthenticated if you are in a domain. We do this because Windows Firewall will not allow SMB traffic in the Public profile, which is the default on a new network. All that is left is to set up the printer's scanner profiles with the SMB share \\computername\scans and the new user created.
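A tighter variant of the same steps, as an added example (not the author's script): it grants share and NTFS access only to the scan account instead of Everyone, and only switches networks that are currently Public. It reuses the post's $ScanDir, $Username and $Password; the $ShareName parameter and the account description are assumptions.

```powershell
# Added example: scan share limited to the scan account.
# $ScanDir, $Username and $Password are the post's variables, supplied by the RMM.
# $ShareName is an assumed parameter, defaulting to the post's "scans".
param(
    [Parameter(Mandatory)] [string] $ScanDir,
    [Parameter(Mandatory)] [string] $Username,
    [Parameter(Mandatory)] [string] $Password,
    [string] $ShareName = 'scans'
)

$ErrorActionPreference = 'Stop'

# Create the local account only if it is missing.
if (-not (Get-LocalUser -Name $Username -ErrorAction SilentlyContinue)) {
    $Pass = ConvertTo-SecureString $Password -AsPlainText -Force
    New-LocalUser -Name $Username -Password $Pass -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'SMB scan-to-folder account' | Out-Null
    Write-Host "User $Username created"
}

# Create the folder only if it is missing.
if (-not (Test-Path -Path $ScanDir)) {
    New-Item -ItemType Directory -Path $ScanDir | Out-Null
    Write-Host "Folder $ScanDir created"
}

# NTFS: give the scan account Modify on the folder and everything below it.
$acl  = Get-Acl -Path $ScanDir
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Username, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $ScanDir -AclObject $acl

# Share: create it for the scan account only, or tighten it if it already exists.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ScanDir -ChangeAccess $Username | Out-Null
    Write-Host "Share $ShareName created"
}
else {
    Grant-SmbShareAccess -Name $ShareName -AccountName $Username -AccessRight Change -Force | Out-Null
    # 'Everyone' is the account name on English-language Windows.
    if (Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq 'Everyone') {
        Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
    }
    Write-Host "Share $ShareName already existed; access limited to $Username"
}

# Only move networks that are currently Public; domain networks are left alone.
Get-NetConnectionProfile |
    Where-Object NetworkCategory -eq 'Public' |
    Set-NetConnectionProfile -NetworkCategory Private

# Show the resulting share permissions so the RMM output records them.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessRight, AccessControlType
```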
As our business continues to focus on providing white labeled Tier 3 IT support services, RMM as a service, and co-managed IT services, this blog will be highlighting tips for RMM automation. Here is one of the recent updates we are making to several of our scripts. It is great to have a diagnostic script that outputs information, and to review those logs to help figure out issues or write the log file out for review from the RMM.
What if you have a software tool that aggregates log files to look for trends or security issues across the organization? Running the script and manually collecting log files from each computer gets tedious at scale, so I came up with the idea to automate the log collection by sending them to an FTP site. Here is what we are adding to scripts:
Variables
It is important not to store variable values in scripts, especially when they are credentials for the FTP server, so make sure to define variables accordingly. Here are the variables we are using for this script:
$LocalDir = the local directory where you expect to find the logs from the script
$RemoteDir = the FTP server address and file directory structure (ie ftp://myftpserver.com/LOGS)
Notice that we use the $LatestLogFile variable to find the most recent log file. Edit this as needed (ie *.txt or whatever) to get the newest log file name. Adding this to the end of the RMM automation script will allow the needed log files to be placed in the FTP server. Collecting from multiple machines means that each file collected should have a different file name, so make sure when you are scripting the diagnostic that you use to name the log file with $env:computername or some other identifier to make sure the files don’t overwrite themselves when uploaded.
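The upload step described above, as an added example rather than the author's script (which is not shown on this page): it picks the newest log in $LocalDir, prefixes the computer name, and uploads it with FtpWebRequest over explicit TLS. The $FtpUser, $FtpPass and $Filter parameters are assumptions, as is a server that accepts FTPS.

```powershell
# Added example: upload the newest log file to the FTP server.
# $LocalDir, $RemoteDir and $LatestLogFile are the post's names.
# $FtpUser, $FtpPass and $Filter are assumed parameters supplied by the RMM.
param(
    [Parameter(Mandatory)] [string] $LocalDir,
    [Parameter(Mandatory)] [string] $RemoteDir,   # e.g. ftp://myftpserver.com/LOGS
    [Parameter(Mandatory)] [string] $FtpUser,
    [Parameter(Mandatory)] [string] $FtpPass,
    [string] $Filter = '*.log'
)

$ErrorActionPreference = 'Stop'

# Newest matching file in the log directory.
$LatestLogFile = Get-ChildItem -Path $LocalDir -Filter $Filter -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $LatestLogFile) {
    Write-Output "No $Filter files found in $LocalDir"
    exit 1
}

# Make the remote name unique per machine so uploads do not overwrite each other.
$remoteName = $LatestLogFile.Name
if ($remoteName -notlike "${env:COMPUTERNAME}*") {
    $remoteName = '{0}_{1}' -f $env:COMPUTERNAME, $remoteName
}
$uri = '{0}/{1}' -f $RemoteDir.TrimEnd('/'), [uri]::EscapeDataString($remoteName)

$request = [System.Net.FtpWebRequest][System.Net.WebRequest]::Create($uri)
$request.Method      = [System.Net.WebRequestMethods+Ftp]::UploadFile
$request.Credentials = New-Object System.Net.NetworkCredential($FtpUser, $FtpPass)
$request.EnableSsl   = $true    # explicit FTPS, so the login is not sent in clear text
$request.UseBinary   = $true
$request.KeepAlive   = $false

$bytes = [System.IO.File]::ReadAllBytes($LatestLogFile.FullName)
$request.ContentLength = $bytes.Length

# Send the file, then read the server's reply so a failed upload raises an error.
$stream = $request.GetRequestStream()
try { $stream.Write($bytes, 0, $bytes.Length) }
finally { $stream.Dispose() }

$response = $request.GetResponse()
try { Write-Output "Uploaded $remoteName : $($response.StatusDescription.Trim())" }
finally { $response.Dispose() }
```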
Farmhouse Networking made the switch from Autotask/Datto RMM to Solarwinds N-Central RMM about six months ago. We migrated all our customization too. We use a ton of automation in our RMM to keep the time invested in managing clients to a minimum. This article is a little taste of our secret sauce: an automated RBL blacklist check. “Real-time Blackhole List (RBL) is an effort to stop email spamming. It is a “blacklist” of locations on the Internet reputed to send email spam.” Having this check in place will keep clients' email flowing to its intended recipients and notify you about any problems, in hopes that you can address them before clients do. Here are the steps to creating the automation:
Create Custom Property
1. Click on Administration and choose Custom Properties
2. Click on Add, then By Customer, and choose Text Type
3. Give it a Property Name and leave the Default Text blank
4. Select all customers this will apply to and select propagation settings then click Save and Propagate
1. Click on Configuration, then on Scheduled Tasks, and choose Scripts/Software Repository
2. Click on Add and choose Automation Policy
3. Browse to the downloaded file
Create Custom Service
1. Click on Administration, then on Service Management, and choose Custom Services
2. Click on Add, then on Service, and choose Automation Manager Policy
3. Give the Custom Service a name
4. Select the Automation Policy and set the URL variable to the new Custom Property
5. Change the schedule as needed (I recommend before business hours each day)
6. Change the Threshold as follows:
7. Click Save
Create Service Template
You will be creating three separate rules – one for laptops, one for desktops, and one for servers
1. Click on Administration, then on Service Management, and choose Service Templates
2. Give the service template a name
3. Choose the new Custom Service from the dropdown and click Add Service
4. Click Save and Save again. Then repeat as needed.
Edit Windows Probe Rule
1. Click on Configuration, then Monitoring, and choose Rules
2. Scroll down and click on Windows Probes
3. Click on the Monitoring Options tab
4. Add the three new Service Templates
5. Click on Grant Customers & Sites Access tab
6. Select all customers this will apply to and select propagation settings then click Save
Create Notification
1. Click on Configuration, then on Monitoring, and choose Notifications
2. Click Add Notification
3. Give the Notification a name
4. Choose the Recipients
5. Click on Trigger Details tab
6. Click Add
7. Give the Trigger a name
8. Change state to Failed
9. Select the Custom Service
10. Select Windows Probe Rule
11. Click OK and Save
Those are the basics of creating automation in Solarwinds N-Central RMM. If your MSP uses Solarwinds N-Central RMM and is looking for help with automating it then contact us for assistance.