Active Directory Migrations: A few little odds and ends

We had to do a few random clean up items to get machines to work correctly post-migration. Set a few registry keys, copy some files, enable Bitlocker keys, etc.

This first one copies a couple BAT files over to the client machine and then sets an auto run registry key. Since we were completely changing out the Lync environment and using a whole new SIP we had to force the client to re-do autodiscovery


##call include file
. .\params.ps1

##this was our list of relevant computer names.
$import=$computerlist

ForEach ($item in $import){
 $computer=$item.computer
 write-host "Setting Reg Key on " $Computer
##let's copy the bat files over. We use 2 just in case the first one misses it. Lync likes to start up as soon as you login, but must be closed for this setting to take effect
 copy-item d:\migration\scripts\nightof\lyncreset.bat -destination \\$computer\c$
 copy-item d:\migration\scripts\nightof\lyncreset2.bat -destination \\$computer\c$
##registry magic
 $HKLM = 2147483650
 $key = "Software\Microsoft\Windows\CurrentVersion\Runonce"
 $reg = [wmiclass]"\\$computer\root\default:StdRegprov"
 $value="c:\Lyncreset.bat"
 $reg.SetStringValue($HKLM, $key, $name, $value)
}

Lyncreset.bat


@echo off

rem Kill Lync
taskkill /IM communicator.exe /f

rem Delete the autodiscovery settings
reg delete HKCU\Software\Microsoft\Shared\UcClient /va /f

rem Delete the OAB's and the nickname cache for older clients
rmdir "%userprofile%\appdata\local\microsoft\outlook\offline address books" /s /q

rmdir "%userprofile%\local settings\application data\microsoft\outlook\offline address books" /s /q
ren "%userprofile%\AppData\Roaming\Microsoft\Outlook\*.nk2" *.nk2old

rem add another runonce so that we can do this all over again the next time we boot.
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce /ve /d "C:\LyncReset2.bat" /f

LyncReset2.bat


rem Check if the empty file exists. we don't want to turn this into a loop.
if not exist %temp%\EmptyFile.txt (
 taskkill /IM communicator.exe /f
 reg delete HKCU\Software\Microsoft\Shared\UcClient /va /f
 rmdir "%userprofile%\local settings\application data\microsoft\outlook\offline address books" /s /q
 rmdir "%userprofile%\appdata\local\microsoft\outlook\offline address books" /s /q
)

rem create the empty file
echo. 2>%temp%\EmptyFile.txt

Bitlocker was a fun one. No easy Powershell way to do this, so had to run some commands, scrape the output, then run some other commands.


#setting a variable so we don't get prompted for creds in our params file. None of these need credentials.
$Creds="NO"

#setting the variables for bitlocker. I tried to build a script to poll the client for actual HDD's but it didn't work consistently without enabling WinRM on all the machines, so had to hardcode these in there. Made the script a mess, but ran out of time for a clean way to do it.
$app="manage-bde.exe"
$DriveLetters = @("C","D","E")
##call include file
. .\params.ps1

##set up an array
$bad=@()

$import=import-csv "d:\migration\admtincludes\bitlockercompincludes1.csv"

## go thru each item in the import file, then go thru each drive in the drive array

foreach ($item in $import){

$computer=$item.computer
 foreach ($drive in $driveletters){
#set up our variables. Re-null out some and configure drives
$a=$null
 $b=$null
 $c=$null
 $key=$null
 $getparams=$null
 $putparams=$null
 $share=$drive+"$"
 $Bdrive=$drive+":"

## test the drive to see if it's good. most computers only have C$. If they have D$ or E$ this will run the commands against those drives
if ($(Test-path "\\$computer\$share")){
## Set up our param list for the manage-bde command
## i.e. manage-bde.exe -cn MYcomp -protectors -delete C: -type recoverypassword
## deletes the protectors on mycomp's c:
$Parameters =@("-cn","$computer","-protectors","-delete","$Bdrive","-type","recoverypassword")

## Run the command. Since we'red doing an executable we must do it this way
 & $App $Parameters

##basically the same as above, but we now want to add the recovery key back into the new AD
## i.e. manage-bde.exe -cn mycomp -protectors -add C: -recoverypassword
 $Parameters = @("-cn","$computer","-protectors","-add","$Bdrive","-recoverypassword")
 & $App $Parameters

##sometimes the above command doesn't work, so as a backup we want to tell it backup the recovery key to AD
##this requires getting the current key first
##i.e. manage-bde.exe -cn mycomp -protectors -get C:

$GetParams=@("-cn",$Computer,"-protectors","-get",$Bdrive)
##store the results into a variable
 $Result=& $app $GetParams

##browse the results for the line we're looking for
##We'll get a couple lines back one is the DRA and one is the actual ID for the drive that we need
 $a=$result|foreach-object {if($_ -match "ID") {$_}}
 if ($a){
##let's manipulate the data
##get the last line in the data that has ID in it
 $b=$a[-1].trim()
##convert it to a string and then split each space, creating an array of the results. I.e. "ID:" is [0] and the GUID is the [1]. "Password" is [2] and the password is [3]
 $c=$b.ToString().split(' ')

##set the key to the last item (i.e. the password)
 $Key=$c[-1]

##rewrite the params so that we can backup the key
##ie. manage-bde.exe -cn mycomp -protectors -adbackup C: -ID 11111-1111-....
 $PutParams=@("-cn",$Computer,"-protectors","-adbackup",$Bdrive,"-ID",$key)
 & $app $putparams
}
 }
##write out computers we couldn't connect to
ELSE {$BAD+=$Computer}
 }
}

$bad|sort|unique|out-file "d:\migration\admtincludes\BLOutput.txt"

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s