Monday, August 11, 2014

Powershell - check if members of a group are members of another group

Import-Module ActiveDirectory

# For every member of "Users", list its group memberships and report it when
# "Domain Users" is not among them
foreach ($u in Get-ADGroupMember -Identity "Users")
{
  if (-not (Get-ADPrincipalGroupMembership $u | ?{ $_.Name -eq "Domain Users" }))
  {
    Write-Host $u.SamAccountName " is missing from Domain Users"
  }
}
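As an added example (my code, not the post's), the same check generalized into a function: it resolves the required group's membership with a single LDAP query instead of one Get-ADPrincipalGroupMembership call per member, follows nested groups, covers accounts that belong to the group only through their primary group (which is how most accounts are in "Domain Users"), and emits objects rather than text. The function name Get-ADGroupMembershipGap is mine; the only requirement is the ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

function Get-ADGroupMembershipGap {
    param(
        [Parameter(Mandatory=$true)][string]$SourceGroup,    # group whose members are checked
        [Parameter(Mandatory=$true)][string]$RequiredGroup   # group every member should belong to
    )

    # primaryGroupToken is the RID the primaryGroupID attribute of a user points at
    $req = Get-ADGroup -Identity $RequiredGroup -Properties primaryGroupToken

    # One LDAP query for the required group's membership:
    #  - LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested groups
    #  - primaryGroupID catches members held only via their primary group, which the
    #    group's "member" attribute does not list (the usual case for "Domain Users")
    # Note: a DN containing ( ) * or \ must be escaped before being placed in a filter.
    $ldap = "(|(memberOf:1.2.840.113556.1.4.1941:=$($req.DistinguishedName))" +
            "(primaryGroupID=$($req.primaryGroupToken)))"
    $inRequired = @{}
    Get-ADObject -LDAPFilter $ldap | ForEach-Object { $inRequired[$_.DistinguishedName] = $true }

    # Members of the source group (nested groups expanded) that are not in the lookup table
    Get-ADGroupMember -Identity $SourceGroup -Recursive |
        Where-Object { -not $inRequired.ContainsKey($_.DistinguishedName) } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                ObjectClass       = $_.objectClass
                DistinguishedName = $_.DistinguishedName
                MissingFrom       = $RequiredGroup
            }
        }
}

# Usage: the objects can be piped to Export-Csv for an audit trail
Get-ADGroupMembershipGap -SourceGroup "Users" -RequiredGroup "Domain Users" | Format-Table -AutoSize
```

The hash table lookup keeps the cost at two queries regardless of group size; the per-member approach in the post issues one query per account, which is fine for a small group but slow for thousands of members.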

Thursday, July 31, 2014

Poor man's IP to Username, using Powershell & Domain Controller logs

This customer had many offices and needed to get rid of its Windows XP machines.
Because there was no inventory or computer management, we had no way of knowing who was using them!
Ping and remote access were blocked on the hosts, so we couldn't gather information via WMI.

But the LastLogonTimeStamp attribute of these computers was still being updated, which led us to believe they were still in use.
The solution I came up with: if someone was still using these XP machines, they were authenticating against the domain controllers, and each authentication created a "logon event" (event ID 4624) on the DC containing the source IP address and the username.

Once you have loaded the quick and dirty function called Get-UserName-for-PC-by-DC-events (silly name, sorry), run these 2 commands to get some results:

Import-module ActiveDirectory
Get-ADComputer -Filter {Enabled -eq $true -and operatingsystem -like '*xp*'} -Properties IPv4Address | %{Get-UserName-for-PC-by-DC-events -DCname "DC01" -Ip $_.IPv4Address}

7/31/2014 1:18:33 PM  --  john.doe at this address -->  10.26.1.15  using  Kerberos


A nice enhancement would be to query all domain controllers, since a client may authenticate against any of them.
Finally, your mileage may vary depending on how big your security logs are, how often they rotate and how often these XP users log on (you could run it as a scheduled task).
Function Get-UserName-for-PC-by-DC-events
{
  param(
        [Parameter(Mandatory=$True)]
        [string]$DCname,
        [Parameter(Mandatory=$True)]
        [string]$Ip
       )
    # Select logon events (4624) whose IpAddress field equals the address we are looking for
    $xpathfilter = 'Event[System[EventID=4624] and EventData[Data[@Name="IpAddress"]="'+$Ip+'"]]'

    # -MaxEvents 1 returns only the most recent matching event on this DC
    Foreach ($event in Get-WinEvent -ComputerName $DCname -LogName Security -FilterXPath $xpathfilter -MaxEvents 1)
    {
        # Properties are positional in a 4624 event: [5] TargetUserName, [9] LogonProcessName, [18] IpAddress
        Write-Host $event.TimeCreated " -- " $event.Properties[5].Value "at this address --> " $event.Properties[18].Value " using " $event.Properties[9].Value
    }
}
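The "query all domain controllers" enhancement, as an added example (my code, not the post's): it enumerates the DCs with Get-ADDomainController, runs the same XPath filter on each, skips computer-account logons (names ending in $) and returns objects so the results can be sorted or exported. The function name Get-LogonByIPFromAllDCs and the default of 5 events per DC are my choices; the property indices are the standard positions in a 4624 event.

```powershell
Import-Module ActiveDirectory

function Get-LogonByIPFromAllDCs {
    param(
        [Parameter(Mandatory=$true)][string]$Ip,
        [int]$MaxEvents = 5            # newest matching events to read from each DC
    )
    # Same filter as the post's function: 4624 events whose IpAddress field equals $Ip
    $xpath = 'Event[System[EventID=4624] and EventData[Data[@Name="IpAddress"]="' + $Ip + '"]]'

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $events = Get-WinEvent -ComputerName $dc.HostName -LogName Security `
                                   -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop
        }
        catch {
            # "No events were found" and an unreachable DC both land here: report and move on
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            $p = $e.Properties
            if ($p[5].Value -like '*$') { continue }   # skip computer account logons
            [pscustomobject]@{
                Time         = $e.TimeCreated
                DC           = $dc.HostName
                User         = "$($p[6].Value)\$($p[5].Value)"   # TargetDomainName\TargetUserName
                IpAddress    = $p[18].Value
                LogonType    = $p[8].Value                        # 3 = network, 2 = interactive, ...
                LogonProcess = $p[9].Value                        # e.g. Kerberos, NtLmSsp
            }
        }
    }
}

# Usage: look up every enabled XP computer that has an IPv4 address, newest logon first
Get-ADComputer -Filter {Enabled -eq $true -and OperatingSystem -like '*xp*'} -Properties IPv4Address |
    Where-Object { $_.IPv4Address } |
    ForEach-Object { Get-LogonByIPFromAllDCs -Ip $_.IPv4Address } |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

Reading the Security log remotely requires a right such as Event Log Readers on each DC, and the XPath filter is evaluated on the DC, so only the matching events cross the network.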

Wednesday, July 16, 2014

DHCP server migration from Debian to Windows Server 2008

My customer wanted to migrate the DHCP server function from Debian Wheezy 7.50 running ISC-DHCP to Windows Server 2008.
The task can be broken into 6 parts:

  1. parse dhcpd.conf on the DHCP server (Linux)
  2. import the parsed file to your *new* DHCP server
  3. setup the DHCP role on the *new* server
  4. run a script on the *new* DHCP server which creates scopes, pools and reservations (Windows) according to the parsed file
  5. manually rename the scopes to "friendly" names
  6. manually set the server, scope and/or reservation options and scope lease times
Parse dhcpd.conf
Get this great AWK parser onto the Debian box: https://gist.github.com/mattpascoe/4039747
Make it executable:
chmod +x dhcpparse.awk
Parse the file:
cat /etc/dhcp/dhcpd.conf | ./dhcpparse.awk > dhcp-config.txt

Import the parsed file to your Windows Server
Copy dhcp-config.txt to the new server and have a look at it to remove errors before running the script.
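An added check for this step (my code, not the post's) that validates dhcp-config.txt against the field layout the migration script reads: it verifies that subnet, pool and host lines carry well-formed IPv4 addresses and MAC addresses, that every pool and reservation falls inside one of the parsed subnets, and that no reservation IP or MAC is duplicated. Assumptions (mine): one comma-separated record per line whose first field is the record type, with the same field positions the script uses (subnet,<network>,<mask>,<name>; pool,<start>,<end>; host,<ip>,<mac>,...,<description>). Adjust the positions if your parser output differs.

```powershell
function ConvertTo-UInt32IP {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [array]::Reverse($bytes)                  # network byte order -> host order
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4 {
    param([string]$Address)
    $parsed = $null
    [System.Net.IPAddress]::TryParse($Address, [ref]$parsed) -and $parsed.AddressFamily -eq 'InterNetwork'
}

function Test-InSubnet {
    param([uint32]$Ip, $Subnet)
    ($Ip -band $Subnet.Mask) -eq ($Subnet.Net -band $Subnet.Mask)
}

function Test-DhcpParsedConfig {
    param([Parameter(Mandatory=$true)][string]$Path)

    $issues  = @()
    $records = @()
    $n = 0
    foreach ($line in Get-Content $Path) {
        $n++
        if ($line -notmatch '\S') { continue }
        $f = @($line.Split(',') | ForEach-Object { $_.Trim() })
        $records += [pscustomobject]@{ Line = $n; Type = $f[0].ToLower(); Fields = $f }
    }

    # Pass 1: subnets, needed to place pools and reservations
    $subnets = @()
    foreach ($r in ($records | Where-Object { $_.Type -eq 'subnet' })) {
        $f = $r.Fields
        if ($f.Count -ge 3 -and (Test-IPv4 $f[1]) -and (Test-IPv4 $f[2])) {
            $subnets += @{ Net = ConvertTo-UInt32IP $f[1]; Mask = ConvertTo-UInt32IP $f[2] }
        } else {
            $issues += "line $($r.Line): invalid subnet address or mask"
        }
    }

    # Pass 2: pools and reservations
    $seen = @{}
    foreach ($r in $records) {
        $f = $r.Fields
        if ($r.Type -eq 'pool') {
            if ($f.Count -lt 3 -or -not ((Test-IPv4 $f[1]) -and (Test-IPv4 $f[2]))) {
                $issues += "line $($r.Line): invalid pool range"; continue
            }
            $start = ConvertTo-UInt32IP $f[1]; $end = ConvertTo-UInt32IP $f[2]
            if ($start -gt $end) { $issues += "line $($r.Line): pool start is above pool end" }
            $inside = @($subnets | Where-Object { (Test-InSubnet $start $_) -and (Test-InSubnet $end $_) })
            if ($inside.Count -eq 0) { $issues += "line $($r.Line): pool $($f[1])-$($f[2]) is not inside any parsed subnet" }
        }
        elseif ($r.Type -eq 'host') {
            if ($f.Count -lt 3 -or -not (Test-IPv4 $f[1])) { $issues += "line $($r.Line): invalid reservation address"; continue }
            if ($f[2] -notmatch '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$') { $issues += "line $($r.Line): invalid MAC address '$($f[2])'" }
            foreach ($key in @("ip $($f[1])", "mac $($f[2].ToLower())")) {
                if ($seen.ContainsKey($key)) { $issues += "line $($r.Line): duplicate $key, first seen on line $($seen[$key])" }
                else { $seen[$key] = $r.Line }
            }
            $ip = ConvertTo-UInt32IP $f[1]
            $inside = @($subnets | Where-Object { Test-InSubnet $ip $_ })
            if ($inside.Count -eq 0) { $issues += "line $($r.Line): reservation $($f[1]) is not inside any parsed subnet" }
        }
        elseif ($r.Type -ne 'subnet') {
            $issues += "line $($r.Line): unknown record type '$($r.Type)'"
        }
    }
    $issues
}

# Usage: fix every reported line before running the import script
$problems = Test-DhcpParsedConfig -Path .\dhcp-config.txt
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "dhcp-config.txt looks consistent" }
```

A pool or reservation outside every subnet is the case the import script silently skips (its `-contains` test never matches), so catching it here avoids discovering missing ranges after the cut-over.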
Setup DHCP role on Windows Server
Skipping this part as it's pretty self explanatory.
Run script
You will need this Powershell module, referred to as "Microsoft.DHCP.Powershell.Admin.psm1" in the script. If your Windows Server is version 2012 R2, I guess you can use Microsoft's own DHCP server cmdlets instead.
You will also need to make a Powershell module which is a combination of this function and this function. Just add one function under the other and put the line "export-modulemember IsIpAddressInRange,Get-IPrange" after them. This module is referred to as "IPutil.psm1".

Import-Module .\Microsoft.DHCP.Powershell.Admin.psm1
Import-Module .\IPutil.psm1

# Group the parsed dhcpd.conf lines by type
$subnets = Select-String -Pattern 'subnet' -Path .\dhcp-config.txt | %{$_.Line}
$pools   = Select-String -Pattern 'pool'   -Path .\dhcp-config.txt | %{$_.Line}
$hosts   = Select-String -Pattern 'host'   -Path .\dhcp-config.txt | %{$_.Line}

# Create scopes: fields are the subnet address, subnet mask and name
$scopes = $subnets | %{$l = $_.Split(','); New-DHCPScope -Server $env:COMPUTERNAME -Address $l[1] -SubnetMask $l[2] -Name $l[3]}

foreach ($scope in $scopes)
{
    # Generate all the IP addresses in this scope, used to match pools and hosts to it
    $ips = Get-IPrange -ip $scope.Address -mask $scope.SubnetMask

    # Create the pools whose start address falls inside this scope
    Write-Host "Creating pool(s) for " $scope.Address
    foreach ($line in $pools)
    {
        $f = $line.Split(',')
        if ($ips -contains $f[1])
        {
            Add-DhcpIPRange -scope $scope -startaddress $f[1] -endaddress $f[2]
        }
    }

    # Create the reservations whose IP address falls inside this scope
    Write-Host "Creating reservation(s) for " $scope.Address
    foreach ($line in $hosts)
    {
        $f = $line.Split(',')
        if ($ips -contains $f[1])
        {
            New-DHCPReservation -scope $scope -IPAddress $f[1] -MACAddress $f[2] -Description $f[4]
        }
    }
}

Write-Host "You should now rename the scopes to friendly names"
Write-Host "You should manually set options and lease times"

Sunday, February 2, 2014

Wifi break-in notifier

Intro

You've grown paranoid of people who could be stealing your Wifi?
You have the most secure form of Wifi encryption... still, wouldn't you like to know STRAIGHT AWAY if someone managed to break into your network?
Here's a home baked solution (not suitable for work); your mileage may vary depending on your Wifi access point.

Concept

Every 5 minutes, a script checks your Wifi access point for unknown Wifi devices.
If one of these devices isn't included in a list of Wifi devices you defined, you get an alert on your iPad/iPhone every day until you add it to your list of known Wifi devices.

Requirements


  • Raspberry Pi running RaspBMC, powered on & connected to your Wifi 24/7
  • Prowl
  • Prowl API key
  • iOS device - iPhone/iPad
  • understanding of Bash/shell scripting
  • a list of your Wifi devices as a CSV file, known_wifi_devices.csv
To add a device to this list (owner; name; MAC address), use this command:
echo "device_owner;device_name;00:23:68:BE:E7:62" >> known_wifi_devices.csv

You also need to understand how to get the list of connected MAC addresses from your modem/router. I have a Zhone router from Adamo; there is not much I can help you with here, you need to master curl and grep!

The script

nano rogue_devices.sh

#!/bin/bash
# check if all Wifi devices on the router are known MAC addresses
# if unknown, send a notification via Prowl
# run this as a "cron job"

APIKEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# get the list of MAC addresses from the webpage of my Wifi access point
html=$(curl -s -u user:user http://192.168.1.1/wlstationlist.cmd)

echo "$html" | grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}' | while read -r mac
do
  # check if MAC address is known
  if grep -i -q "$mac" /home/pi/known_wifi_devices.csv; then
    echo "OK - $mac is known wifi device"
  else
    # if an unknown station was already logged today, just log it (one notification per day)
    if grep -E "^$(/bin/date +"%a %b %d")..............$(/bin/date +"%Y")" -q /var/log/rogue_wifi_monitor; then
      echo "$(/bin/date +"%a %b %d %T %Z %Y") --- $mac is not a known Wifi device on this network" | tee -a /var/log/rogue_wifi_monitor
    else # log it and notify via Prowl
      echo "$(/bin/date +"%a %b %d %T %Z %Y") --- $mac is not a known Wifi device on this network, admin notified" | tee -a /var/log/rogue_wifi_monitor
      curl -s https://api.prowlapp.com/publicapi/add \
          -F apikey="$APIKEY" \
          -F application="XBMC Rpi" \
          -F event="Rogue Wifi device detected" \
          -F description="MAC Address $mac is unknown !"
    fi
  fi
done


Configure cron

Make the script executable, then configure cron to run it every 5 minutes.
crontab -e

*/5 * * * * /home/pi/rogue_devices.sh


If you're curious about what 'cron' does, I recommend this tutorial

Enable cron

Since cron is disabled in RaspBMC, you must enable it.

nano .xbmc/userdata/addon_data/script.raspbmc.settings/settings.xml

change sys.service.cron to "true"

Start cron
service cron start


Possible improvements

rotate or truncate log file
log when Wifi device is recognized after being added.


Post your questions in the comments :-)