Pull – Ex-Shell

PowerShell Scriptlets to check if NLA is enabled for Remote Desktop

Scenario: You want to see if NLA (Network Level Authentication) is enabled on all of your servers for Remote Desktop.

The PowerShell code below is not a .ps1, although you can make a .ps1 out of it if you would like. I like to teach working “within” PowerShell, not just being a script monkey.

In order to run the code, you will need to open Powershell OR Powershell ISE with an account with elevated permissions to access your servers (Run-AS). The purpose of working within PowerShell is so that you can reuse/recycle the code below to do other things too.

Once PowerShell is opened, follow the steps:

Build your $Servers Variable — Select a method to populate $Servers
Run the Query to build the $Results table
Display the $Results — Select a method

#1. Build your $Servers Variable — Select one of the methods below to populate $Servers

$Servers = “ExSrv1″,”ExSrv2” #Feel free to list the servers by name

#-or-
$Servers = Import-csv C:tempservers.csv | Select -expandproperty Name #Create a CSV with a NAME column header

#-or-
$Servers = get-adcomputer -searchbase “OU=Servers,DC=steve,DC=com” -properties Name -Filter *| Select -ExpandProperty Name #Pull a list of AD Computers via AD PowerShell

#2. Run the query to build the $Results variable

$Results = @()
$Servers | %{
    #Collect NLA Data
    $name = $_
    $NLA = Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace rootcimv2terminalservices -ComputerName $name -Filter “TerminalName=’RDP-tcp'” | Select -ExpandProperty UserAuthenticationRequired

    #Display in PowerShell Screen
    “$name : NLA_Enabled:$(If($NLA -eq 1){“Yes”}else{“No”})”

    #Add the data to the $results variable
    $ServerObj = New-Object PSObject
    $ServerObj | Add-Member NoteProperty -Name “Server” -value $name
    $ServerObj | Add-Member NoteProperty -Name “NLA_Enabled” -value $(If($NLA -eq 1){“Yes”}else{“No”})
    $Results += $ServerObj

    #Reset Variable
    $Name = $null
    $NLA = 0
}

#3. Display the $Results – Select a method

$Results

#-or Export the Results –
$Results | Export-CSV C:tempresults.csv

    #-or Email the Results –
        $Header = @”
        <style>
        TABLE {border-width: 1px; border-style: solid; border-color: black; border-collapse: collapse;}
        TH {border-width: 1px; padding: 3px; border-style: solid; border-color: black; background-color: #6495ED;}
        TD {border-width: 1px; padding: 3px; border-style: solid; border-color: black; text-align: center;}
        tr:nth-child(odd) { background-color:#F2F2F2;}
        tr:nth-child(even) { background-color:white;}
        </style>
“@
        $body =”$($results | ConvertTo-Html -Head $header)”
        $smtp = “smtp.steve.com”
        $to = “steve@steve.com”
        $from = “SteveDoingSomething@steve.com”
        $subject = “Results of NLA”
        send-MailMessage -SmtpServer $smtp -To $to -From $from -Subject $subject -Body $body -BodyAsHtml -Priority high

Format the TLSCertificateName in a SendConnector so it uses the X.509 certificate value

Scenario: You need to change the TLSCertificateName for the send connector because you recently upgraded your certificate. (Get-sendconnector | Select Name, TLSCertificateName)

Solution: Perform the following steps:

#Pull the Cert Info into a Variable:

$TLSCert = Get-ExchangeCertificate -Thumbprint <Thumbprint> -server <Servername>

#Format the CertName so it an acceptable value for the TLSCertificateName property

$TLSCertName = “<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)”

#Set the TLSCertificateName for the send connector:

Set-SendConnector <Name of send connector> -TLSCertificateName $TLSCertName

Exchange Activesync Monitor for Specific Devices

Scenario: Monitor specific ActiveSync Devices and report when a device has not made a successful ActiveSync connection for over an hour. Report the time in local time and not Greenwich.

Script: I ran the following Exchange PS script every hour . Depending on your requirements, you may need to manipulate or move the script around.

#Format Date to Greenwich
$currentdate = get-date
$currentdate = $currentdate.Addhours(-1)
$currentdate = $currentdate.touniversaltime()

#Pull the devices that have not connected to LastSuccessSync in over an hour
$devices = get-activesyncdevicestatistics DeviceID | Where {$_.LastSuccessSync -lt $currentdate} | Sort LastSuccessSync | Select DeviceID, DeviceOS, deviceFriendlyName, LastSuccessSync, LastSyncAttemptTime, DeviceModel, Identity

#For the device(s) found, format the information
ForEach ($entry in $devices){
$Device = “Device: “+$entry.DeviceFriendlyName
$DeviceOS = “Device OS: “+$entry.DeviceOS
$DeviceLastAttempt = “Last Sync Attempt (EST): “+$entry.LastSyncAttemptTime.ToLocalTime()
$DeviceLastSync = “Last Success Sync (EST): “+$entry.LastSuccessSync.ToLocalTime()
$DeviceModel = “Device Model: “+$entry.DeviceModel
$DeviceIdentity = “DeviceID: “+$entry.Identity
$DeviceIdentity = $DeviceIdentity -replace “Domain/OU/”,””
$DeviceIdentity = $DeviceIdentity -replace “/ExchangeActiveSyncDevices/”,”_”
}

#Email the results if there is a device that has not reported in over 1 hour.
If ($Devices -ne $null){
$SmtpClient = new-object system.net.mail.smtpClient
$MailMessage = New-Object system.net.mail.mailmessage
$SmtpClient.Host = “smtp.domain.com”
$mailmessage.from = (“EASMonitoring@domain.com”)
#$mailmessage.To.add(“User@domain.com”)
$mailmessage.Subject = “Alert: A mobile device has not connected to e-mail in over 60 minutes.”
$mailmessage.Body = “The mobile device below has not connected to e-mail in over 60 minutes.
$DeviceIdentity
$Device
$DeviceOS
$DeviceLastAttempt
$DeviceLastSync
“
$smtpclient.Send($mailmessage)
}