PowerShell license tips

As far as I know, many users try to find their Windows key with some key viewer software. There is nothing wrong with that, but this software is not always “nice” and can do something other than just show you a key. Of course, with Windows 8.1 and Windows 10 the key is often stored in the BIOS, so there is no need to search for it.
Anyway, if you feel better when you have the key printed on a piece of paper, you can get it simply with one PowerShell cmdlet:

Get-WmiObject -query 'select * from SoftwareLicensingService'

This will show you more than just the key. There is a lot of information on licensing, like the KMS server, OS version, … In some cases it can be useful.

Creating VM start order in Hyper-V Cluster 2016

Many times (or almost always), you have to define the start order of VMs so that they, and the services on them, start in an exactly defined order. In the past we tried to solve this problem with start delays or with some additional software, but there were always situations where we were unable to control all factors.
Now in the Windows Server 2016 edition it is better, as we can define startup groups. This means that we define a group of servers that will start together and another group of servers that will start later, either when the first group has started or with some delay after the first group has started. Additionally, we can start just the last group of servers and, because this group depends on other groups, the system will first start the parent server group. So you are not able to start a server before all the infrastructure it depends on has started. We have new cmdlets in PowerShell to define and manage Cluster Groups (you can list them with Get-Command -Noun *ClusterGroup*).

To configure this, you have to know some concepts that are introduced in Windows Server 2016, as we will use them.

  • This post explains how to create groups in a Hyper-V cluster; it will not work on non-clustered servers. If you want to set up a startup order for a single Hyper-V host, this is the post where you can find how to do it.
  • Cluster Group: Represents clustered services or applications (resource groups) in a failover cluster. Every HA VM has its own group. You can view cluster groups with the PowerShell cmdlet Get-ClusterGroup. You don’t need to change anything here; just leave them as they are.
  • Cluster Group Set: A set of Cluster Groups (VMs) that have similar services and that we want to control together. Here we can control some settings (startup delay, global or local, …). The cmdlet we have to use at this point is Set-ClusterGroupSet (cmdlet syntax).
  • Cluster Group Set dependency: A dependency where we specify which group will start and when. To be clear, with dependencies we define the VM startup order.

How to set up the environment?
I always start by creating output with the cmdlet Get-ClusterGroup, because it is easier to manage all VMs when I have all their names on paper or in a TXT file. It is easier to review them, define the services that they offer and later functionally define group sets.
When you have defined group sets (put VMs with similar services or dependencies together), it is time to create Cluster Group Sets. This operation is done in a few steps:

  • Create a Cluster Group Set: this will create an empty group for grouping VMs. To do this you have to use the cmdlet New-ClusterGroupSet -Name GroupName.
  • Add Cluster Groups (VMs) to sets. In this step, we will populate Cluster Group Sets with VMs. This means that we will put together all VMs with similar services or VMs that we need to start at the same time. When a Cluster Group Set is asked to start, all VMs that are in it will be started. There is no dependency inside the Cluster Group Set and we have no way to control the start order inside the group. If we think that some VMs need to start before other VMs, we need more than one Cluster Group Set. To add a VM to a Cluster Group Set we will use the PowerShell cmdlet Add-ClusterGroupToSet -Name GroupName -Group ClusterGroupName. In this cmdlet, you have to replace GroupName with your Cluster Group Set name and ClusterGroupName with the Cluster Group name (the VM name from the output in the first step). We have to repeat the cmdlet for every single VM.
  • Create dependencies between Cluster Group Sets: We have to use the cmdlet Add-ClusterGroupDependency -Group GroupName -ProviderSet GroupDependsOn. GroupName is the name of the Cluster Group Set we want to start and GroupDependsOn is a Cluster Group Set that has to be started before it. At this point we need to create the startup order (dependency) between groups. The start of any group can depend on the successful start of one or more groups. If the previous group fails to start, the group that depends on it will not start. I suggest you keep this situation in mind (maybe develop a script to add and remove all VMs from groups – you will quickly solve problems if they appear).

With these few steps, we created a startup order for our environment. If everything is OK, we will never have a situation where a service does not work because some server it depends on is not started. Practically, the system will start all VMs in a defined order. This also means that we have to remove deprecated VMs from these groups and add newly deployed VMs to them – we have to update this mechanism every single time we change our environment. Don’t forget it.
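One way to script the membership part of this procedure, so that the Cluster Group Sets follow the environment as it changes (an added example, not the author's script). Set and VM names are placeholders; Remove-ClusterGroupFromSet and the GroupNames property come from the FailoverClusters module rather than from this post, and dependencies between sets are left as you created them.

```powershell
# Added example, not the author's script. Set and VM names are placeholders.
# Assumptions not taken from the post: Remove-ClusterGroupFromSet and the
# GroupNames property returned by Get-ClusterGroupSet.
Import-Module FailoverClusters

# Desired membership: Cluster Group Set name -> VMs (cluster group names).
$plan = @{
    'Infrastructure' = 'DC01', 'DC02'
    'Database'       = 'SQL01'
    'Application'    = 'APP01', 'APP02'
}

# Validate the whole plan before changing anything.
$known = @((Get-ClusterGroup).Name)
$owner = @{}
foreach ($set in $plan.Keys) {
    foreach ($vm in $plan[$set]) {
        if ($known -notcontains $vm) { throw "Cluster group '$vm' does not exist." }
        if ($owner.ContainsKey($vm)) { throw "'$vm' is listed in '$($owner[$vm])' and '$set'." }
        $owner[$vm] = $set
    }
}

foreach ($set in $plan.Keys) {
    $current = Get-ClusterGroupSet | Where-Object Name -eq $set
    if (-not $current) {
        New-ClusterGroupSet -Name $set | Out-Null
        $members = @()
    } else {
        $members = @($current.GroupNames)
    }
    # Add newly deployed VMs, then remove the ones no longer in the plan.
    foreach ($vm in $plan[$set]) {
        if ($members -notcontains $vm) { Add-ClusterGroupToSet -Name $set -Group $vm }
    }
    foreach ($vm in $members) {
        if ($plan[$set] -notcontains $vm) { Remove-ClusterGroupFromSet -Name $set -Group $vm }
    }
}

# Review the result, including the dependencies already defined between sets.
Get-ClusterGroupSet | Format-Table Name, GroupNames, ProviderNames
```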

Using FSRM against Ransomware

Every administrator is afraid of ransomware. We want to protect our systems with many different approaches and at many layers, but almost always we try to use complicated techniques to achieve basic objectives. I found an article on TechNet which sounds good to me, and I am also confident in using Windows embedded functionalities to try to prevent an attack.
Are there positive and negative sides? Of course there are. The most important negative thing I recognize is that we are using technology based on file type. We are trying to prevent files with all known ransomware file extensions from being written to our system. This works only if we know the extension, so we have to search for newly used file extensions and add them as blocked file types. But there are also positive things: we don’t need to buy anything, we have all we need ready on our server – we just have to use it! It is very simple to configure and maintain, and it works!
When I read this article, I was surprised: why do I have to do all those steps through the GUI? We can simply use PowerShell, which is quicker and will do exactly the same things every time we start it. Well, I made a script that you can run on every server you have to protect and for every share or partition you want to protect. There is only one thing that you cannot protect: the system drive, if you try to protect the whole drive. In this case, the protection will be passive and not active, and there is no way to change it (but I hope that you don’t share the system drive).
The things that you have to know are basic, just a few pieces of data:
  • Path to protect
  • SMTP server for sending mail (and be careful with authentication! Test it!)
  • Mail address from which mail will be sent
  • Mail address of the administrator
  • Script that you want to run after detection (if you want)
You can run it as many times as you want, on every server you want (version 2008 and newer), and you will be able to protect your data. It is a safe way to do it because you only block the transformation of the data and not the malware itself. I also recommend using the script published in the TechNet article for disabling the AD user or denying the user access to the server (it is also zipped into my file, including subinacl.msi).
To prevent malware, you can use an additional built-in function, AppLocker, which is also explained here. And by the way, the approach is tested on Server 2016 TP5 – it’s working!
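A sketch of the same setup using the FileServerResourceManager cmdlets, which ship with Windows Server 2012 and later (an added example, not the author's script or the TechNet one). The path, addresses, file group name and extension patterns are placeholders constructed for illustration.

```powershell
# Added example, not the author's script. All values are placeholders.
# Needs the FileServerResourceManager module (Windows Server 2012 or later).
$Path       = 'D:\Shares\Data'        # path to protect
$SmtpServer = 'smtp.example.com'      # SMTP server
$MailFrom   = 'fsrm@example.com'      # sender address
$MailAdmin  = 'admin@example.com'     # administrator address
$Script     = ''                      # optional script to run after detection
$GroupName  = 'Blocked ransomware extensions'
# Constructed sample patterns; keep the real list current yourself.
$Patterns   = '*.locky', '*.encrypted', '*.crypt'

Import-Module FileServerResourceManager
Set-FsrmSetting -SmtpServer $SmtpServer -FromEmailAddress $MailFrom -AdminEmailAddress $MailAdmin
Send-FsrmTestEmail -ToEmailAddress $MailAdmin      # verify relay and authentication

# Create the file group, or refresh its patterns on a later run.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
}

# Notifications: mail to the administrator, an event log entry, optionally a script.
$body = 'User [Source Io Owner] tried to save [Source File Path] on [Server] ' +
        '(file group: [Violated File Group]).'
$actions = @(
    New-FsrmAction -Type Email -MailTo '[Admin Email]' -Subject 'File blocked on [Server]' -Body $body
    New-FsrmAction -Type Event -EventType Warning -Body $body
)
if ($Script) {
    $actions += New-FsrmAction -Type Command -Command "$PSHOME\powershell.exe" `
        -CommandParameters "-NoProfile -File `"$Script`"" -SecurityLevel LocalSystem -KillTimeOut 5
}

# As the post notes, a screen on the whole system drive is passive only.
$active = $Path.TrimEnd('\') -ne $env:SystemDrive
if (-not $active) { Write-Warning "$Path is the system drive; the screen will only report." }

if (Get-FsrmFileScreen -Path $Path -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen -Path $Path -IncludeGroup $GroupName -Active:$active -Notification $actions
} else {
    New-FsrmFileScreen -Path $Path -IncludeGroup $GroupName -Active:$active -Notification $actions | Out-Null
}
```

Running it again with a longer `$Patterns` list updates the existing file group, which is how newly seen extensions get blocked.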

Create redirected folders with PowerShell

As many of us know, to set up redirected folders you have to create the root folder, permissions and sharing manually. You always do it in the same way: search the internet for the exact permissions that you need to set, check that everything is OK, then share the folder…
Therefore, the job is ideal for a script, as it is always done in the same way; the only things that change are the folder location and the domain name.
To simplify all this work I wrote a script to create a folder, set up the right permissions and share this folder. The only things you have to change in the script are:

  • the folder name and location
  • the name of shared folder
  • the group to which redirection will apply
  • the domain admins group (it changes with the domain)

You have to write these four variables at the beginning of the script and then just run it. All the work is done!

You can download the script here.
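For readers who want to see what such a script involves, here is an added example (not the author's downloadable script) built around the same four variables. The folder, share and group names are placeholders, and the permission set is an assumption: it is the one commonly documented for a folder redirection root, since the post does not list the permissions.

```powershell
# Added example, not the author's script. Names below are placeholders.
# New-SmbShare and Get-SmbShare need Windows Server 2012 or later.
$Folder     = 'D:\Redirected'                       # folder name and location
$ShareName  = 'Redirected$'                         # name of the shared folder
$UserGroup  = 'CONTOSO\Folder Redirection Users'    # group redirection applies to
$AdminGroup = 'CONTOSO\Domain Admins'               # domain admins group

function New-AllowRule($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

New-Item -Path $Folder -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited entries
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$all = 'ContainerInherit, ObjectInherit'      # this folder, subfolders and files
# Users may enter the root and create their own folder there, nothing more (this folder only).
$userRights = 'ListDirectory, CreateDirectories, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Traverse'
$acl.AddAccessRule((New-AllowRule $UserGroup $userRights 'None' 'None'))
# The user who creates a subfolder gets full control of it (subfolders and files only).
$acl.AddAccessRule((New-AllowRule 'CREATOR OWNER' 'FullControl' $all 'InheritOnly'))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' $all 'None'))
$acl.AddAccessRule((New-AllowRule $AdminGroup 'FullControl' $all 'None'))
Set-Acl -Path $Folder -AclObject $acl

# Share the folder once; share access is limited to the two groups.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Folder -FullAccess $UserGroup, $AdminGroup | Out-Null
}

# Verify what was applied.
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```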