We had to do a few random cleanup items to get machines to work correctly post-migration. Set a few registry keys, copy some files, enable BitLocker keys, etc.
This first one copies a couple of BAT files over to the client machine and then sets an autorun registry key. Since we were completely changing out the Lync environment and using a whole new SIP, we had to force the client to redo autodiscovery.
```powershell
## call include file
. .\params.ps1

## this was our list of relevant computer names.
$import = $computerlist

ForEach ($item in $import) {
    $computer = $item.computer
    Write-Host "Setting Reg Key on " $computer

    ## let's copy the bat files over. We use 2 just in case the first one misses it.
    ## Lync likes to start up as soon as you login, but must be closed for this setting to take effect
    Copy-Item d:\migration\scripts\nightof\lyncreset.bat -Destination \\$computer\c$
    Copy-Item d:\migration\scripts\nightof\lyncreset2.bat -Destination \\$computer\c$

    ## registry magic
    $HKLM = 2147483650   ## numeric constant for HKEY_LOCAL_MACHINE
    $key = "Software\Microsoft\Windows\CurrentVersion\Runonce"
    $reg = [wmiclass]"\\$computer\root\default:StdRegprov"
    $value = "c:\Lyncreset.bat"
    ## $name (the value name) is not set in this script; it has to come from params.ps1,
    ## otherwise it is passed empty
    $reg.SetStringValue($HKLM, $key, $name, $value)
}
```
Lyncreset.bat
```bat
@echo off
rem Kill Lync
taskkill /IM communicator.exe /f
rem Delete the autodiscovery settings
reg delete HKCU\Software\Microsoft\Shared\UcClient /va /f
rem Delete the OAB's and the nickname cache for older clients
rmdir "%userprofile%\appdata\local\microsoft\outlook\offline address books" /s /q
rmdir "%userprofile%\local settings\application data\microsoft\outlook\offline address books" /s /q
ren "%userprofile%\AppData\Roaming\Microsoft\Outlook\*.nk2" *.nk2old
rem add another runonce so that we can do this all over again the next time we boot.
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce /ve /d "C:\LyncReset2.bat" /f
```
LyncReset2.bat
```bat
rem Check if the empty file exists. we don't want to turn this into a loop.
rem The marker path is quoted so a %temp% containing spaces still works.
if not exist "%temp%\EmptyFile.txt" (
    taskkill /IM communicator.exe /f
    reg delete HKCU\Software\Microsoft\Shared\UcClient /va /f
    rmdir "%userprofile%\local settings\application data\microsoft\outlook\offline address books" /s /q
    rmdir "%userprofile%\appdata\local\microsoft\outlook\offline address books" /s /q
)
rem create the empty file
echo. 2>"%temp%\EmptyFile.txt"
```

BitLocker was a fun one. No easy PowerShell way to do this, so had to run some commands, scrape the output, then run some other commands.
```powershell
# setting a variable so we don't get prompted for creds in our params file. None of these need credentials.
$Creds = "NO"

# setting the variables for bitlocker. I tried to build a script to poll the client for actual HDD's
# but it didn't work consistently without enabling WinRM on all the machines, so had to hardcode
# these in there. Made the script a mess, but ran out of time for a clean way to do it.
$app = "manage-bde.exe"
$DriveLetters = @("C","D","E")

## call include file
. .\params.ps1

## set up an array
$bad = @()
$import = Import-Csv "d:\migration\admtincludes\bitlockercompincludes1.csv"

## go thru each item in the import file, then go thru each drive in the drive array
foreach ($item in $import) {
    $computer = $item.computer
    foreach ($drive in $DriveLetters) {
        # set up our variables. Re-null out some and configure drives
        $a = $null
        $b = $null
        $c = $null
        $key = $null
        $getparams = $null
        $putparams = $null
        $share = $drive + "$"
        $Bdrive = $drive + ":"

        ## test the drive to see if it's good. most computers only have C$.
        ## If they have D$ or E$ this will run the commands against those drives
        if ($(Test-Path "\\$computer\$share")) {
            ## Set up our param list for the manage-bde command
            ## i.e. manage-bde.exe -cn MYcomp -protectors -delete C: -type recoverypassword
            ## deletes the protectors on mycomp's c:
            $Parameters = @("-cn","$computer","-protectors","-delete","$Bdrive","-type","recoverypassword")
            ## Run the command. Since we're doing an executable we must do it this way
            & $App $Parameters

            ## basically the same as above, but we now want to add the recovery key back into the new AD
            ## i.e. manage-bde.exe -cn mycomp -protectors -add C: -recoverypassword
            $Parameters = @("-cn","$computer","-protectors","-add","$Bdrive","-recoverypassword")
            & $App $Parameters

            ## sometimes the above command doesn't work, so as a backup we want to tell it backup the recovery key to AD
            ## this requires getting the current key first
            ## i.e. manage-bde.exe -cn mycomp -protectors -get C:
            $GetParams = @("-cn",$Computer,"-protectors","-get",$Bdrive)
            ## store the results into a variable
            $Result = & $app $GetParams

            ## browse the results for the line we're looking for
            ## We'll get a couple lines back one is the DRA and one is the actual ID for the drive that we need
            ## "ID:" instead of "ID" because -match ignores case and would also hit "PCR Validation Profile:";
            ## @() keeps a single match as an array so that [-1] below is a line, not a character
            $a = @($result | ForEach-Object { if ($_ -match "ID:") { $_ } })
            if ($a) {
                ## let's manipulate the data
                ## get the last line in the data that has ID in it
                $b = $a[-1].Trim()
                ## convert it to a string and then split each space, creating an array of the results.
                ## I.e. "ID:" is [0] and the GUID is the [1]. "Password" is [2] and the password is [3]
                $c = $b.ToString().Split(' ')
                ## set the key to the last item (i.e. the password)
                $Key = $c[-1]
                ## rewrite the params so that we can backup the key
                ## ie. manage-bde.exe -cn mycomp -protectors -adbackup C: -ID 11111-1111-....
                $PutParams = @("-cn",$Computer,"-protectors","-adbackup",$Bdrive,"-ID",$key)
                & $app $putparams
            }
        }
        ## write out computers we couldn't connect to
        else { $bad += $Computer }
    }
}

$bad | Sort-Object -Unique | Out-File "d:\migration\admtincludes\BLOutput.txt"
```
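The scraping step above keeps the last line that mentions an ID, which is only the recovery password's ID when that protector happens to be listed last. As an added example (not the original author's code), this version ties each ID to its protector type and validates it as a GUID before it is handed to `-adbackup`; the sample output is constructed, and `Get-NumericalPasswordId`, `MYCOMP` and the GUIDs are placeholders.

```powershell
# Constructed sample following the layout of "manage-bde -protectors -get"
# output (assumed: the "ID:" line directly follows the protector's header).
$sample = @'
Volume C: [OSDisk]
All Key Protectors

    Numerical Password:
      ID: {11111111-1111-1111-1111-111111111111}
      Password:
        000000-000000-000000-000000-000000-000000-000000-000000

    TPM:
      ID: {22222222-2222-2222-2222-222222222222}
      PCR Validation Profile:
        0, 2, 4, 8, 9, 10, 11
'@ -split '\r?\n'

function Get-NumericalPasswordId {
    # Hypothetical helper: emits the ID of every "Numerical Password"
    # protector found in the given manage-bde output lines.
    param([string[]]$Lines)
    $previous = ''
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '') { continue }
        # Case-sensitive, anchored match on a complete GUID: a line such as
        # "PCR Validation Profile:" can never pass as an ID line.
        if ($text -cmatch '^ID:\s*(\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$' -and
            $previous -ceq 'Numerical Password:') {
            $Matches[1]
        }
        $previous = $text
    }
}

$ids = @(Get-NumericalPasswordId -Lines $sample)
if ($ids.Count -ne 1) {
    # Zero or several recovery passwords: report it rather than guess
    Write-Warning "Expected 1 numerical password protector, found $($ids.Count)"
} else {
    # Argument list for manage-bde.exe; MYCOMP and C: are placeholders
    $putParams = @('-cn', 'MYCOMP', '-protectors', '-adbackup', 'C:', '-ID', $ids[0])
    Write-Output ("manage-bde.exe " + ($putParams -join ' '))
}
```

The header comparison assumes English `manage-bde` output; on a localized build the protector name has to be adjusted.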