What is Virtualization?

Virtualization is the abstraction of the operating system away from the hardware so that other operating systems may reside on the same hardware as the original operating system.   The software that does the abstracting is called the hypervisor.   It is not an operating system in itself.   Instead, the hypervisor gathers the hardware logically and divides it up as resources for the guest operating systems as needed.   No one operating system will utilize all of one hardware resource.

Before we get into the main players out there right now, we first need to cover another aspect of hypervisors.   There are currently 2 types of hypervisors:

  • Type 1 hypervisors are installed directly on the hard drive and are booted from the BIOS/UEFI.
  • Type 2 hypervisors are actually programs that run on a conventional operating system (such as Microsoft’s Windows 10 or a Linux desktop distro).   When the main operating system is booted, the user opens the program, which takes the hardware available to the main computer and gives it to guest operating systems.   Only once the program is loaded can a guest operating system be used.

There are a few players in both of these spaces that are available.   In the Type 1 category, we have VMware’s vSphere (ESXi), Microsoft’s Hyper-V, Linux QEMU/KVM, and XenServer.

  • VMware’s vSphere (ESXi) is typically the most popular flavor, as it has been in the game for a very long time.   It is capable of adding virtual hardware, such as disk space, memory, and CPUs, to a guest machine while the machine is still on, which is a critical feature if you cannot withstand downtime but have applications that are starving for resources.   If you use the free version of ESXi, then you are restricted to just using their web interface, which blocks you from their API and prevents you from utilizing 3rd party applications for automation, such as Terraform, or backups, such as Veeam or Unitrends.
  • Microsoft Hyper-V is right under VMware as the next contender, because companies are already familiar with Microsoft and Windows Server since Windows NT.   Hyper-V does not allow adding components to a guest operating system while it is running, but it does allow you to interface with the system through PowerShell and Windows Server Manager.   There are two ways to deploy it.   The first is the free version of Hyper-V, which is just the hypervisor with no base Windows Server system.   The second is to install the host operating system (Windows Server 2016, from a CD) on the server, deploy the Hyper-V role, and then deploy your guest servers; that install is a 180-day trial and you are limited to 2 instances of Windows.   I do not suggest the second, but recommend the first if you are going to deploy Hyper-V, because of business costs.   If you own a computer with Windows 10 Pro, then you can easily turn your normal computer into a Type-1 hypervisor by enabling the Hyper-V role.   This changes how things work underneath the hood of Windows and, when you reboot, you are actually loading Hyper-V first and then loading your original installation as a guest.
  • QEMU/KVM is one of the varieties that Linux distributions offer.   Typically these are offered as part of the distribution of your choice: install your favorite distribution first (a minimal install is what is recommended), update (as usual), then “groupinstall virtualization” in accordance with your distribution of choice.   Typically the cost here is free, except for the labor/expertise that would be put into this project.   Support is also typically not part of this solution, unless it is purchased from a 3rd party or provided in-house.
  • Xen is its own hypervisor that was developed in conjunction with The Linux Foundation.   It is used more in cloud computing, but is still a hypervisor in its own right, and totally free.
  • XenServer is its own type of hypervisor, typically supported within its own circles at XenServer.org, but not typically in the main Linux distribution circles.   It was forked (the source code took a different direction) after The Linux Foundation laid claim to Xen in 2013.   Citrix at one time took advantage of XenServer commercially and sold annual licenses on a per-socket basis.

Type 2 Hypervisors are, as mentioned before, programs installed on a host OS, such as Windows 10 or MacOS.   Examples of these include:

VMware Workstation

  • You can download a trial of this and begin using it.   However, once the trial period is over, guest machines that are turned off at that point or afterwards can’t be booted.   To get around this problem, you would need to purchase a license from VMware or one of its resellers.   Once purchased, guest machines can be powered on and off as you need.

Oracle VirtualBox

  • VirtualBox is typically best to begin learning the basics of virtualization and is free (only if you don’t have Windows 10 Pro).

There is no one technology or product better than the other; each depends on your situation.   Microsoft Hyper-V Server 2016 is free, allows you to deploy as many guest servers as you want, and allows you to back up its guest machines, but it does not have a direct GUI like VMware’s ESXi/vSphere has.   However, VMware’s ESXi/vSphere’s free offering does not allow you to interface with its APIs unless you purchase licenses.   Linux’s QEMU/KVM is totally free but requires familiarity with a Linux server distribution of choice (Fedora, Red Hat, Debian, Ubuntu, etc.).

Type 1 Hypervisors are typically recommended for production usage (companies using them to support the systems they make a profit with), while Type 2 Hypervisors are typically used by people who want to learn about virtualization or about an operating system other than the one on their main system, such as running a Fedora desktop OS on a Windows 10 box.

Verify your information

I recently had the privilege of attending a convention and training in another major city besides mine.

I was leaving the hotel and summoned a popular ride service to get from the hotel to the airport.  Of course, in their app, when a driver agrees to pick you up, you get their name, their picture, the make and model of car they are driving, and their license plate.   Me being the untrained traveler that I am, I got into a car that I shouldn’t have.


Where did I mess up?

I didn’t verify the information that I had against the information provided to me.  Make and model closely matched, but the plates and the driver didn’t.  That’s where I messed up.   I realized it when it was too late.  I was already in the car and on the highway heading, hopefully, to the airport.   Suddenly, my parents’ voices were in my head: “Don’t get into cars with strangers.”


“Glad you’re safe and all but how does this apply to IT?”

Well, I’m glad you asked.   When companies try to promise you that their products can do X, Y, and Z, check all of your boxes, and give you the world on a silver platter, you may want to take a step back, research that company, and make sure that they truly can fulfill your requirements.

How do you do this?

Ask around.   There are vendor/product-agnostic communities out there of IT people who are willing to tell you what you want to know about that vendor’s product.   Seek out unbiased feedback.   Do your due diligence.   You never know: that vendor may be able to provide you with all of your requirements, or they may be inadvertently causing you to void another company’s support/warranty contract, or worse, break another product altogether.

Protecting the Jewel

So, in the last post, we discussed the biggest asset IT can have, the data.   But, does the Queen of England keep her jewels out for everybody to be able to touch?  Nope.   Do banks let people walk right into the vaults to touch all of the money?  No.   So, what do we need to do to protect the data?

There are 2 big things that IT people do to protect their data, and they go hand-in-hand:

  1. Least Privileges (aka JITJEA, Just-In-Time, Just-Enough-Access)
  2. Backups

Least Privileges

Do you remember when Edward Snowden released the NSA documents back in 2013?   Regardless of which political party you most identify with, Snowden made big news and made companies rethink their internal IT security strategies.   Basically, he had access to a LOT of documents, some he probably didn’t need access to.   Was this his fault?  No, it was the NSA’s for giving him access to all of the jewels instead of limiting his access to just what he needed to know and needed access to.

This is where the Least Privileges philosophy comes in.   Give the user or administrator just enough access to do their job.   If the user needs more access to fulfill their job requirements, then it is the responsibility of their supervisor to request access on behalf of the user.   This access request also needs to be documented, preferably by a helpdesk ticket, in order to protect the IT department and the user in the event of an audit or investigation.

The fewer people who have access to manipulate the data, the safer the data is from losing its integrity.   Does everybody need the ability to store files on the file server?   No?   Then look at the permissions on the file server and start removing the people who have no business in a particular folder.   If they truly need access, then they will ask their supervisor, who will then submit a ticket asking for permission on behalf of the user.
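The permission review described above, as an added example that is not part of the original post: it reads a folder's ACL, expands the AD groups found there, and lists every account that can change the data but is not on an approved list, so the removals can go through a ticket. It assumes the RSAT ActiveDirectory module; the share path, NetBIOS domain name and approved list are placeholders.

```powershell
# Added example, not part of the original post: report who can write to a folder
# by expanding the AD groups in its ACL, then flag accounts that are not on the
# approved list so they can be removed through a ticketed request.
# Assumptions (placeholders): RSAT ActiveDirectory module installed; fill in the
# share path, your NetBIOS domain name and the approved sAMAccountNames.
Import-Module ActiveDirectory

$folder   = '\\server\folder\Finance'   # placeholder: folder under review
$domain   = 'MYDOMAIN'                  # placeholder: NetBIOS name of your domain
$approved = @('jsmith', 'adoe')         # placeholder: sAMAccountNames allowed to write here

# Rights that let a principal alter the data, which is what integrity depends on
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-WriteIdentities {
    # Returns the DOMAIN\name strings that hold an Allow ACE with any write right
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $writeRights) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Expand-Identity {
    # Resolves one DOMAIN\name to the users behind it; groups are expanded recursively.
    # Well-known principals (BUILTIN\, NT AUTHORITY\) are returned as-is so they still show up.
    param([string]$Identity)
    if ($Identity -notlike "$domain\*") { return @($Identity) }
    $name = $Identity.Split('\')[1]
    $obj  = Get-ADObject -Filter { SamAccountName -eq $name } -Properties objectClass
    switch ($obj.objectClass) {
        'user'  { return @($name) }
        'group' { return @(Get-ADGroupMember -Identity $name -Recursive |
                           Where-Object { $_.objectClass -eq 'user' } |
                           Select-Object -ExpandProperty SamAccountName) }
        default { return @() }   # computers, service accounts, or unresolvable SIDs
    }
}

function Get-UnapprovedWriters {
    # Every user who can write to the folder but is not on the approved list
    param([string]$Path)
    $writers = foreach ($id in Get-WriteIdentities -Path $Path) { Expand-Identity -Identity $id }
    $writers | Sort-Object -Unique | Where-Object { $approved -notcontains $_ }
}

$extra = @(Get-UnapprovedWriters -Path $folder)
if ($extra.Count -eq 0) {
    Write-Host "No unapproved write access on $folder"
} else {
    Write-Host "Write access to $folder not on the approved list (raise a ticket before removing):"
    $extra | ForEach-Object { Write-Host "  $_" }
}
```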

Backups

Backups are CRITICAL to an organization.   If a critical system within the organization accidentally corrupts the data, then how would the data or system be recovered without a backup?   It can’t.   Like I said before, without that data, it could be catastrophic to the organization.   Backups need to have the ability to do 3 things:

  1. Restore data – What good is a backup if you cannot get data out of the backup?   It’s not.   This is why it is imperative for the administrator to check their backups and make sure that they are reliable backups.
  2. Restore data back in time – Time travel is great, in backups.   I have had users come back to me and tell me that they accidentally deleted a file (eh, it happens, we’re all human, but it took away availability) from last week and they need it restored.   What if you only had one set of backups that were taken last night?   That file that the user needed could be critical to the organization, and now it is gone because last night’s backup just overwrote the backup from before that the file was on.   This is why it is necessary to have incremental backups at different points in time for critical systems.
  3. Survive a real world catastrophe – There have been a number of natural disasters, from the tsunami of Sri Lanka to Hurricane Katrina to Superstorm Sandy to Hurricane Harvey.   Natural disasters can happen anywhere.   What happens if it is at your location?   Will your backups survive the devastation, or will they be safe at another location outside of harm’s way?   Could your organization survive without the data?   If not, then it probably needs to also be stored offsite from your production location.

This is where the 3-2-1 rule comes into play.   Many people have different philosophies on this rule, but this is my take on it.   It is not hard and fast, but has helped me in the past.   You need to have 3 copies of your critical data (1 in production, 1 onsite, and 1 offsite).   Production data is just as it sounds, the data that the company is currently running on.   Onsite backups can be on the same physical site as the production system, but are not at risk of being lost if the production system were to fail for some reason.   This allows for quick recovery, less downtime, and less production revenue loss.   Offsite data is the set of backups kept at another location.   As mentioned before, if the production facility were destroyed by whatever means, the organization could rebuild (from insurance money, etc.) and restore the data from the offsite copy.
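A scheduled check of that layout against the three requirements above, as an added example that is not part of the original post: for each of the onsite and offsite copies it confirms the newest set is fresh, that enough points in time exist, and that a sample file actually restores byte-for-byte. It assumes backup sets are zip files named backup-YYYYMMDD.zip; the paths, file name convention, thresholds and sample file are placeholders.

```powershell
# Added example, not part of the original post: verify a 3-2-1 layout nightly.
# Assumptions (placeholders): each copy folder holds zip sets named backup-*.zip,
# and the sample file exists both in production and inside each set.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$copies = [ordered]@{
    'Onsite'  = '\\backup01\sets'   # placeholder: same site, separate hardware from production
    'Offsite' = '\\dr-site\sets'    # placeholder: outside the disaster radius
}
$maxAgeHours     = 26                                       # newest set older than this means last night's job failed
$minPointsInTime = 7                                        # fewer restore points than this means "back in time" is gone
$sampleEntry     = 'Finance/ledger.xlsx'                    # placeholder: path of the sample file inside the zip
$sampleInProd    = '\\fileserver\data\Finance\ledger.xlsx'  # placeholder: the same file in production

function Restore-SampleFile {
    # Extracts one entry from a backup set and returns its SHA-256, or $null if the entry is missing
    param([string]$ZipPath, [string]$Entry)
    $tmp = Join-Path $env:TEMP ("restore-test-" + [guid]::NewGuid().ToString())
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        $e = $zip.GetEntry($Entry)
        if (-not $e) { return $null }
        [System.IO.Compression.ZipFileExtensions]::ExtractToFile($e, $tmp, $true)
        return (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
    } finally {
        $zip.Dispose()
        Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
    }
}

function Test-BackupCopy {
    # Checks one copy location and returns pass/fail per requirement
    param([string]$Name, [string]$Path)
    $r = [ordered]@{ Copy = $Name; Fresh = $false; PointsInTime = 0; EnoughPoints = $false; RestoreOK = $false; Detail = '' }
    $sets = @(Get-ChildItem -Path $Path -Filter 'backup-*.zip' -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending)
    if ($sets.Count -eq 0) { $r.Detail = 'no backup sets found'; return [pscustomobject]$r }

    $r.PointsInTime = $sets.Count
    $r.EnoughPoints = $sets.Count -ge $minPointsInTime
    $r.Fresh        = ((Get-Date) - $sets[0].LastWriteTime).TotalHours -le $maxAgeHours

    try {
        $restored = Restore-SampleFile -ZipPath $sets[0].FullName -Entry $sampleEntry
        if ($null -eq $restored) {
            $r.Detail = "sample file missing from $($sets[0].Name)"
        } else {
            $live = (Get-FileHash -Path $sampleInProd -Algorithm SHA256).Hash
            $r.RestoreOK = ($restored -eq $live)
            if (-not $r.RestoreOK) { $r.Detail = 'restored copy differs from production (changed since the set was taken, or a bad set)' }
        }
    } catch {
        $r.Detail = $_.Exception.Message   # unreachable share, corrupt zip, etc.
    }
    [pscustomobject]$r
}

$results = foreach ($c in $copies.GetEnumerator()) { Test-BackupCopy -Name $c.Key -Path $c.Value }
$results | Format-Table -AutoSize

# Non-zero exit code so a scheduled task or monitoring job can alert on a failing copy
$failed = @($results | Where-Object { -not ($_.Fresh -and $_.EnoughPoints -and $_.RestoreOK) })
exit $failed.Count
```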

Backup Management

Find a way to manage these backups and how you plan on keeping up with them.   There are a lot of good management platforms out there.   Your environment and needs will determine the strategy and the management system that you need.

The Big Jewel

What is it?

So, what is the biggest prized possession of IT?   Is it the people?  No.   Is it the equipment? Not really.

IT’s biggest asset is the data. The data could consist of a number of different things, as it pertains to the organization and how it operates.   To a manufacturing organization, it could be the way they manufacture their product, or their list of customers or suppliers.   To a non-profit, such as a church, it might be its patrons, or the people that it is serving.

Why is it so important?

Consider the absence of the data.   What would happen to the organization that the data was important to?   Would they be able to continue to operate, or would they have to close their doors because they have no way of making money in order to continue operations?   More than likely not.   The organization could attempt to recover as much data as possible, either through reproduction from past reports, people’s memories, etc., but by then the organization’s business advantage could be lost to its competitors, and it could take a very long time, if ever, to regain that competitive advantage.   Otherwise, it would close its doors, go bankrupt, and lay off all of its employees.   This is why data, and keeping it safe, is so critical to the organization.

How do we keep it safe?

There are 3 main factors to keeping data safe in both storage and transmission.   It is called the CIA triad, Confidentiality, Integrity, and Availability.   Let’s break this down as to why it is important.

Confidentiality

This is the main cause as to how breaches happen.   A user in the network clicks a link that installs a program onto their computer, unknowingly.   This program gives the attacker the ability to see the user’s data, such as their position, other people that they talk to, and the information that they may have on their computer.   If somebody of importance within the organization becomes compromised, then organization secrets could be revealed on a public website and that data is no longer confidential, especially to competitors.   Now the organization’s competitor knows the organization’s competitive advantage and knows how to overcome that and keep their own advantage.   Hence, the compromised organization has lost business and will eventually close its doors.

Integrity

The organization has to rely on the integrity of its data, believing that it is true to the context and timeliness of the organization.   If the data loses its integrity because of a breach, then the information derived from the data would lead the management team to steer the organization in a direction that would ultimately mean the organization’s demise.   If the breach were discovered in time, could the data regain its integrity, giving management correct information to be able to correct course?   Maybe, but very unlikely.   Once faith in the integrity of the data is lost, it is very difficult to regain faith in the data and trust it again.

This typically doesn’t happen unless there is a “bad actor” within the organization, intentionally feeding it bad information.   Without checks and balances to make sure that everybody is doing their job correctly, this is hard to determine when it is happening.

Availability

Let’s put it this way.  What if you suddenly lost access to your bank account?   Would you be able to know how much money was in your account?  Maybe.   No access after some time?   Now it begins to get hard.   This is similar to what organizations face when they lose the ability to access their data.   Without the ability to access information, organizations are operating in the dark, if they can even operate at all.   Typically this happens through an infection by ransomware of some type.

Remember the Petya outbreak of 2017 that infected just about the entire globe?   That is exactly what happens here.   The virus could infect not only the user’s local machine, but the servers that contain the data, encrypting that data and making it unavailable to the user.   Typically there is a message on the infected system saying that the contents have been encrypted and to pay a ransom of some amount in bitcoin (or some other cryptocurrency) in order to receive the decryption key and decode the information.   However, it’s been shown that, even after paying the ransom, the decryption keys typically do not work, and the data is left unrecoverable.   Even if the key did work, the original source of the infection still has to be dealt with in order to prevent a relapse.

Conclusion

This is why it is so important to keep data safe.   Not only to keep IT in a job, but also to keep the organization in a competitive advantage within its market.   Therefore, data is the Big Jewel of the organization.

What is IT?

This is a question that is easy to answer, but the term “IT” (aka Information Technology) is misleading and doesn’t make sense.   To better understand IT, we must apply it in a business situation for it to make sense.   Don’t get me wrong.  Technology is a great tool in our everyday lives that has definitely helped us.  But to better understand the importance of technology, we need to see it in the light of business.

Technology holistically is meant to help the business run more efficiently, more effectively, and therefore more profitably.   Unless the business in consideration makes money through technology, such as Netflix or Amazon, IT will always be a cost center and never make the company money.

In physical terms, IT consists of computers, both desktops and servers; networking gear, such as switches, routers, and firewalls; other specialty equipment, the management and care of the data stored within these systems, along with the management of the equipment.   All can either be stored at the same site as the company or most could be stored in a hosting provider (cloud) company in order to take care of the physical requirements of the equipment in a more controlled environment.

All of this equipment and management is contained within IT and stays within the IT realm.


Disable a User w/ O365

Going along with the current theme, we need to be able to disable a user.   This script is set up for administrators whose environment is interfaced with O365 & Exchange Online.   It does the same thing as the other Disable a User script, but forwards the emails on Exchange Online instead of Exchange On Premises.

#(Module 2.02)
Import-Module activedirectory
Import-Module MSOnline

$un = Read-Host "Who are we disabling today? (Login Credentials)" #(Module 2.03)
$man = Read-Host "Who are we forwarding mail to? (Login Credentials)" #(Module 2.04)
$auth = Read-Host "Who are you? (Login Credentials)" #(Module 2.05)

#Resets the old user's password (Module 2.06)
Set-ADAccountPassword -Identity $un -Reset -NewPassword (Read-Host -AsSecureString "Account Password")

#Connects to Exchange Online, forwards the user's email account to their supervisor/manager, then disconnects
#Basic auth against this endpoint has since been retired by Microsoft; Connect-ExchangeOnline from the ExchangeOnlineManagement module replaces it
$cred = Get-Credential -Message "Exchange Online admin credentials" #Credential used by the session below
$mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Authentication Basic -Credential $cred -AllowRedirection #(Module 2.07-Part 1)
Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null #(Module 2.07-Part 2)
Set-Mailbox $un -ForwardingAddress $man -RemovePicture #Sets the forwarding address to the manager and removes their picture (Module 2.08)
Remove-PSSession -Session $mail #Disconnects from the Exchange box (Module 2.09)

#Removes License in O365
Connect-MsolService #(Module 2.10)
$upn = -join($un,'@<MyDomain>.com')
$skus = (Get-MsolUser -UserPrincipalName $upn).Licenses | ForEach-Object { $_.AccountSkuId } #-RemoveLicenses needs the SKU ids, so read them off the user
if ($skus) { Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $skus } #(Module 2.11)

$dt = get-date #Gets Date & Time (Module 2.12)
$authn = Get-ADUser $auth -Properties DisplayName | select -ExpandProperty DisplayName #Gets the administrators name
$unn = Get-ADUser $un -Properties DisplayName | select -ExpandProperty DisplayName #Gets the disabled users name
$mann = Get-ADUser $man -Properties DisplayName | select -ExpandProperty DisplayName #Gets the managers name

$report = "Human Resources,

The user account for $unn ($un) has been disabled from the company network as of $dt. All email messages will be forwarded to $mann ($man) for now on.

Regards,

$authn ($auth)"
#(Module 2.13)

Send-MailMessage -To "HR@<MyDomain>.com", "IT@<MyDomain>.com" -Subject "Disconnected User Report" -Body $report -From "IT@<MyDomain>.com" -SmtpServer "<YourExchangeURI>" #(Module 2.14)

Create a User w/ O365

This script is a modification of my other script.   This one does pretty much the same thing, except that it waits about 30 minutes for an AD Sync to occur before it creates the new user’s mailbox in O365.   It also manages mailbox sizes, depending on what position they are in: whether they are in management, in IT, or an ordinary user.

Prerequisites:

Microsoft’s Remote Server Administration Tools (RSAT)
Microsoft Online Services Sign-in Assistant
Windows Azure Active Directory Module for Windows PowerShell 64-bit

#Imports the AD & O365 Modules (Module 1.02)
Import-Module activedirectory
Import-Module MSOnline

#Sets Variables (Module 1.03)
$fn #First Name
$ln #Last Name
$title
$dep #Department
$loc #Location
$man #Manager
$un #Username
$officePhone
$streetAdd
$city
$ZIP
$fi #First Name Initial, will be used to figure out Username

#Getting information (Module 1.04)
Write-Host "I need some information from you first. Answer the following questions to get started."
$fn = Read-host "First Name?"
$ln = Read-Host "Last Name?"
$title = Read-Host "Title?"
$dep = Read-Host "Department?"
$man = Read-Host "Manager (Username)?"
$loc = Read-Host "Loc1 or Loc2?"

#Finding out the Username (Module 1.05)
$fi = $fn.Substring(0,1)
$un = -join ($ln, $fi)

#Sets Location information (Module 1.06)
if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.07)
    $officePhone = "(999) 999-9999";
    $streetAdd = "123 Anywhere Drive";
    $city = "YourTown";
    $ZIP = "12345";
}
Else { #If the user is in Loc2 (Module 1.08)
    $officePhone = "(987) 654-3210";
    $streetAdd = "987 Nothere Blvd";
    $city = "Somewhere Else";
    $ZIP = "98765";
}

#Sets Password (Module 1.09)
$passwd = (Read-Host -AsSecureString "Account Password")
$password = ConvertFrom-SecureString -SecureString $passwd

$userParams = @{ #(Module 1.10)
    'Name' = $un;
    'Enabled' = $true;
    'AccountPassword' = $passwd;
    'UserPrincipalName' = -join ($un, "@mycompany.com");
    'SamAccountName' = $un;
    'ChangePasswordAtLogon' = $false;
    'GivenName' = $fn;
    'Surname' = $ln;
    'DisplayName' = -join ($fn, " ", $ln);
    'Description' = $title;
    'OfficePhone' = $officePhone;
    'StreetAddress' =  $streetAdd;
    'City' = $city;
    'State' = "Texas";
    'PostalCode' = $ZIP;
    'Title' = $title;
    'Department' = $dep;
    'Company' = 'MyCompany';
    'Manager' = $man;
}

#Creates the user in AD (Module 1.11)
New-ADUser @userParams

#Wait for the account to be created before doing anything else (Module 1.12)
Start-Sleep -Seconds 10

#Makes the user's network drive and scan folder (Module 1.13)
if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.14)
    New-Item -Name $un -ItemType directory -Path "\\server\folder" #Creates users network drive
    New-Item -Name scans -ItemType directory -Path "\\server\folder\$un" #Creates users scan folder
}
Else { #If the user is in Loc2 (Module 1.15)
    New-Item -Name $un -ItemType directory -Path "\\server\folder" #Creates users network drive
    New-Item -Name scans -ItemType directory -Path "\\server\folder\$un" #Creates users scan folder
}

#Adds the user to the correct Security Group for permissions and other network drives
if ($dep -eq "Accounting"){ #(Module 1.16)
    Add-ADGroupMember -Identity 'Accounting' -Members $un #(Module 1.17)
} #Adds the user to the Accounting Group
Elseif ($dep -eq "Customer Service") { #(Module 1.18)
    Add-ADGroupMember -Identity 'Customer Service' -Members $un #(Module 1.19)
} #Adds the user to the Customer Service Group
Elseif ($dep -eq "Executives") { #(Module 1.20)
    Add-ADGroupMember -Identity 'Executives' -Members $un #(Module 1.21)
} #Adds the user to the Executives Group
Elseif ($dep -eq "HR") { #(Module 1.22)
    Add-ADGroupMember -Identity 'Human Resources' -Members $un #(Module 1.23)
} #Adds the user to the Human Resources Group
Elseif ($dep -eq "Human Resources") { #(Module 1.24)
    Add-ADGroupMember -Identity 'Human Resources' -Members $un #(Module 1.25)
} #Adds the user to the Human Resources Group
Elseif ($dep -eq "IT") { #(Module 1.26)
    Add-ADGroupMember -Identity 'Domain Admins' -Members $un #(Module 1.27)
} #Adds the user to the Domain Admins Group for IT
Elseif ($dep -eq "Maintenance") { #(Module 1.28)
    Add-ADGroupMember -Identity 'MaintGroup' -Members $un #(Module 1.29)
} #Adds the user to the Maintenance Group
Elseif ($dep -eq "Production") { #(Module 1.30)
    Add-ADGroupMember -Identity 'Production' -Members $un #(Module 1.31)
} #Adds the user to the Production GroupHR
Elseif ($dep -eq "QA") {  #(Module 1.32)
    Add-ADGroupMember -Identity 'QA Group' -Members $un #(Module 1.33)
} #Adds the user to the QA Group
Elseif ($dep -eq "Quality Assurance") {  #(Module 1.34)
    Add-ADGroupMember -Identity 'QA Group' -Members $un #(Module 1.35)
} #Adds the user to the QA Group
Elseif ($dep -eq "Shipping") {  #(Module 1.36)
    Add-ADGroupMember -Identity 'SHIP' -Members $un #(Module 1.37)
} #Adds the user to the Shipping Group
Else { #(Module 1.38)
    Add-ADGroupMember -Identity 'Domain Users' -Members $un #(Module 1.39)
} #Dumps the user to the Domain Users Group

$manfn = Get-ADUser $man -Properties Name | select Name #Gets the manager's name (Module 1.40)

#Creates a report of the User's information
$report = "Hello $fn $ln,

From the IT Department, welcome to <MyCompany>.   We
are here to help you connect to the resources that you need for
your job.   If you need assistance with technology, please feel
free to contact us at either the help page, which is set as your
home page in Internet Explorer, email us at
[email protected]<MyCompany>.com, or call us at extension 4357.

Below you will find your information so that you can login to
the network and get started:

Your username is domain\$un
Your password is
Your email address is $un@<MyCompany>.com
Your phone number is $officePhone Ext.

It is suggested that you change your password to something that
you can remember but difficult enough that somebody else cannot
figure out.   The requirement is only 6 characters, but we do
advise on making it longer, throw some numbers and special
characters in there as well to make it stronger.   Best advice
would be to use a pass-PHRASE instead of a pass-WORD.

Your computer should already be setup with your email loaded and
your network drives.   At <MyCompany>, we use Microsoft
Outlook as the email client.   Depending on what department you
are in will depend on what drives you have available.  
Generally, everybody will have an F: drive and a G: drive.   The
F: drive is your network folder.   Place in there the documents
that you feel you cannot do your job without.   In the F: drive
will be a scan folder.   When you go to the Xerox to scan in
documents, then you will find them in your scan folder.   The G:
drive is a company-wide shared folder.  As for your department
drives, it would be best to talk with $($manfn.name),
your supervisor/manager, about the nature and uses of these drives.

The use of the equipment and resources provided are a privilege
to you for use and should not be taken advantage of.   There are
measures set in place that allows us to manage the network.   Do
not assume that there is any personal privacy on this network.  
The only privacy that you can assume is for the nature of your
work.   All information (including emails, documents,
spreadsheets, pictures, etc.) contained on the equipment
provided and on the network is the sole property of MyCompany.

If you have problems with your equipment or network resources,
please feel free to ask.   We do not mind helping, but we cannot
help if we do not know, so please ask!

Sincerely,


Your IT Department"


if ($loc -eq "Loc1") { #(Module 1.43)
    Write-Output $report | Out-Printer
}
Else { #(Module 1.44)
    Write-Output $report | Out-Printer -Name "\\server\Xerox WorkCentre 4260"
}

#Invoke a Sync (Module 1.45)
Invoke-Command -ComputerName "<ADSync Server>" {Start-ADSyncSyncCycle -PolicyType Delta} #<ADSync Server> is a placeholder for your Azure AD Connect host
Start-Sleep -Seconds 60

#Connect to O365, set the usage location (required before a license can be assigned) and license the user
Connect-MsolService #(Module 1.46)
$upn = -join($un,'@<MyCompany>.com')
$sku = '<Tenant>:<SkuPartNumber>' #Placeholder AccountSkuId; list the ones in your tenant with Get-MsolAccountSku
Set-MsolUser -UserPrincipalName $upn -UsageLocation 'US' #Licensing fails without a usage location
Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku #(Module 1.47)

#Connects to Exchange Online, creates the user's email account, then disconnects
#Basic auth against this endpoint has since been retired by Microsoft; Connect-ExchangeOnline from the ExchangeOnlineManagement module replaces it
$cred = Get-Credential -Message "Exchange Online admin credentials" #Credential used by the session below
$mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -AllowRedirection -Authentication Basic -Credential $cred #(Module 1.48-Part 1)
Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null #(Module 1.48-Part 2)
enable-Mailbox -Identity $un -Alias $un -DisplayName (-join($fn,' ',$ln)) #Creates the users mailbox; display name matches the AD DisplayName (Module 1.49)
IF ($dep -eq "Executives") { #(Module 1.50)
    Set-Mailbox (-join($un,'@<MyCompany>.com')) -ProhibitSendQuota 19.5GB -ProhibitSendReceiveQuota 20GB -IssueWarningQuota 19GB #Sets the mailbox size in Exchange Online so that the user isn't using all 50 GB of storage (Module 1.51)
} #If they are an executive, then they get 20 GB of mailbox space
elseif ($dep -eq "IT") { #(Module 1.52)
    Set-Mailbox (-join($un,'@<MyCompany>.com')) #(Module 1.53)
} #IT gets the full mailbox, of course
else { #(Module 1.54)
    Set-Mailbox (-join($un,'@<MyCompany>.com')) -ProhibitSendQuota 9.5GB -ProhibitSendReceiveQuota 10GB -IssueWarningQuota 9GB #Sets the mailbox size in Exchange Online so that the user isn't using all 50 GB of storage (Module 1.55)
} #Otherwise, everybody else gets 10 GB of mailbox space
Remove-PSSession -Session $mail #Disconnects from the Exchange box (Module 1.56)

Disabling a User

It’s hard to create a user, but it’s REALLY easy to disable a user’s account.   That is exactly what this script does.   Well…it doesn’t “disable” the user’s account, but it does make it impossible for the user to log in to the network without help from IT.   Basically, this script will ask 4 things of you: who you are disabling, who their manager is, who you are, and a password to change the user’s account to.   It will then create an email to be sent to you and HR, informing HR of who changed the user’s password, and when.   That way they can be assured that all technical resources owned by the company are kept safe as the user is leaving the network, if not the company.

This script assumes a few things:
1) You at least have Exchange Admin rights in order to connect and send the email.
2) You have Domain Admin rights in order to change the user’s password.
3) You have 2 distribution groups (HR & IT) with the necessary personnel in each group.
4) Your Exchange server is on premises.

As usual, everything is commented and sterilized for your usage.

Import-Module activedirectory

$un = Read-Host "Who are we disabling today? (Login Credentials)" #username
$man = Read-Host "Who are we forwarding mail to? (Login Credentials)" #manager's username
$auth = Read-Host "Who are you? (Login Credentials)"

#Resets the old user's password
Set-ADAccountPassword -Identity $un -Reset -NewPassword (Read-Host -AsSecureString "Account Password")

#Connects to the Exchange box, forwards the users email account to their supervisor/manager, then disconnects from the Exchange box
$cred = Get-Credential #Prompts for the credentials used by the Exchange remoting session
$mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://Exchange/powershell -Name Exchange -Authentication Kerberos -Credential $cred
Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null
Set-Mailbox $un -ForwardingAddress $man -RemovePicture #Sets the forwarding address to the manager and removes their picture
Remove-PSSession -Session $mail #Disconnects from the Exchange box

$dt = get-date #Gets Date & Time
$authn = Get-ADUser $auth -Properties DisplayName | select -ExpandProperty DisplayName #Gets the administrators name
$unn = Get-ADUser $un -Properties DisplayName | select -ExpandProperty DisplayName #Gets the disabled users name
$mann = Get-ADUser $man -Properties DisplayName | select -ExpandProperty DisplayName #Gets the managers name

$report = "Human Resources,

The user account for $unn ($un) has been disabled from the company network as of $dt. All email messages will be forwarded to $mann ($man) from now on.

Regards,

$authn ($auth)"

Send-MailMessage -To "[email protected]", "[email protected]" -Subject "Disconnected User Report" -Body $report -From "[email protected]" -SmtpServer Exchange #Recipients are the HR and IT distribution groups
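The script above resets the password but, as the post says, never actually disables the account. The following is an added example, not the post’s own script, showing the offboarding step a practitioner usually wants alongside it: disable the account, reset the password to a random value nobody is told, strip group memberships, stamp the object, and return a record that can be verified or emailed. It assumes the ActiveDirectory module and rights to modify the user; the usernames at the bottom are constructed samples.

```powershell
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    param(
        [Parameter(Mandatory)][string]$UserName,   # sAMAccountName of the leaver
        [Parameter(Mandatory)][string]$AdminName   # sAMAccountName of the admin running this
    )
    $user  = Get-ADUser -Identity $UserName -Properties MemberOf, Description
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm'

    # 1. Reset the password to a random value that nobody is told (no prompt, nothing to reuse).
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw

    # 2. Disable the account itself, so logons fail no matter what the password is.
    Disable-ADAccount -Identity $user

    # 3. Strip direct group memberships (MemberOf excludes the primary group, normally
    #    Domain Users). A disabled account that keeps its groups regains every right
    #    the moment someone re-enables it by mistake.
    $removed = @()
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        $removed += (Get-ADGroup -Identity $groupDn).Name
    }

    # 4. Leave an audit trail on the object itself, keeping the old description.
    Set-ADUser -Identity $user -Description "Disabled $stamp by $AdminName (was: $($user.Description))"

    # Read the object back and return a record the caller can verify, log or email.
    $after = Get-ADUser -Identity $UserName -Properties Enabled, PasswordLastSet
    [pscustomobject]@{
        User            = $UserName
        DisabledBy      = $AdminName
        When            = $stamp
        Enabled         = $after.Enabled
        PasswordLastSet = $after.PasswordLastSet
        GroupsRemoved   = $removed
    }
}

# Constructed sample usernames; replace with real sAMAccountNames.
Disable-LeaverAccount -UserName 'jdoe' -AdminName 'admin1' | Format-List
```

The Exchange forwarding step from the post’s script still applies and can be run before or after this; mailbox forwarding does not depend on the AD account being enabled.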

Creating a User

User management is important in any organization, especially one that has Active Directory deployed in its environment. Any form of automation can be very helpful in saving time, reducing errors, and making sure that all of the tasks involved with creating a user are completed.

I understand that this whole script will not suit everybody, but I know that there are pieces in here that are going to be more valuable to some than others. If there is anything in here that would provide value to you, by all means, you are more than welcome to use it. The whole script is commented and is sectioned off into modules that relate to a flowchart for this script. Maybe one day I can post the flowchart as well. This one is designed to interact with an Exchange server that is on-premises (in house, not O365/Exchange Online). I do have another script similar to this one, but it is written for O365/Exchange Online instead of Exchange On-Premises.

#Imports the AD
Import-Module activedirectory

#Sets Variables
$fn #First Name
$ln #Last Name
$title
$dep #Department
$loc #Location
$man #Manager
$un #Username
$officePhone
$streetAdd
$city
$ZIP
$fi #First Name Initial, will be used to figure out Username

#Getting information
$fn = Read-host "First Name?"
$ln = Read-Host "Last Name?" #Special characters have not been tested. I would suggest not using special characters in last names in AD. In theory, its probably okay, but I have not yet tested it.
$title = Read-Host "Title?"
$dep = Read-Host "Department?"
$man = Read-Host "Manager (Username)?"
$loc = Read-Host "Loc1 or Loc2?" #If you need to add locations, make sure that you also edit modules 1.06 - 1.08 to conform to the new logic.

#Finding out the Username
$fi = $fn.Substring(0,1)
$un = -join ($ln, $fi)

#Sets Location information (Module 1.06)
if ($loc -eq "Loc1") { #If the user is in Loc1 (Module 1.07)
    $officePhone = "(999) 999-9999";
    $streetAdd = "123 Anywhere Drive";
    $city = "YourTown";
    $ZIP = "12345";
}
Else { #If the user is in Loc2 (Module 1.08)
    $officePhone = "(987) 654-3210";
    $streetAdd = "987 Nothere Blvd";
    $city = "Somewhere Else";
    $ZIP = "98765";
}

#Sets Password
$passwd = (Read-Host -AsSecureString "Account Password")
$password = ConvertFrom-SecureString -SecureString $passwd

$userParams = @{
    'Name' = $un;
    'Enabled' = $true;
    'AccountPassword' = $passwd;
    'UserPrincipalName' = -join ($un, "@.com");
    'SamAccountName' = $un;
    'ChangePasswordAtLogon' = $false;
    'GivenName' = $fn;
    'Surname' = $ln;
    'DisplayName' = -join ($fn," ",$ln);
    'Description' = $title;
    'OfficePhone' = $officePhone;
    'StreetAddress' = $streetAdd;
    'City' = $city;
    'State' = "Texas";
    'PostalCode' = $ZIP;
    'Title' = $title;
    'Department' = $dep;
    'Company' = '';
    'Manager' = $man;
}

#Creates the user in AD
New-ADUser @userParams

#Wait for the account to be created before doing anything else
Start-Sleep -Seconds 10

#Makes the user's network drive, scan folder, and sets the permissions to their folders and files
if ($loc -eq "Loc1") { #If the user is in Loc1
    New-Item -Name $un -ItemType directory -Path "\\server\folder" #Creates users network drive
    New-Item -Name scans -ItemType directory -Path "\\server\folder\$un" #Creates users scan folder
}
Else { #If the user is in Loc2
    New-Item -Name $un -ItemType directory -Path "\\server\folder" #Creates users network drive
    New-Item -Name scans -ItemType directory -Path "\\server\folder\$un" #Creates users scan folder
}

#Adds the user to the correct Security Group for permissions and other network drives
if ($dep -eq "Accounting"){
    Add-ADGroupMember -Identity 'Accounting' -Members $un
} #Adds the user to the Accounting Group
Elseif ($dep -eq "Customer Service") {
    Add-ADGroupMember -Identity 'Customer Service' -Members $un
} #Adds the user to the Customer Service Group
Elseif ($dep -eq "HR") {
    Add-ADGroupMember -Identity 'Human Resources' -Members $un
} #Adds the user to the Human Resources Group
Elseif ($dep -eq "Human Resources") {
    Add-ADGroupMember -Identity 'Human Resources' -Members $un
} #Adds the user to the Human Resources Group
Elseif ($dep -eq "IT") {
    Add-ADGroupMember -Identity 'Domain Admins' -Members $un
} #Adds the user to the Domain Admins Group for IT
Elseif ($dep -eq "Maintenance") {
    Add-ADGroupMember -Identity 'MaintGroup' -Members $un
} #Adds the user to the Maintenance Group
Elseif ($dep -eq "Production") {
    Add-ADGroupMember -Identity 'Production' -Members $un
} #Adds the user to the Production Group
Elseif ($dep -eq "QA") {
    Add-ADGroupMember -Identity 'QA Group' -Members $un
} #Adds the user to the QA Group
Elseif ($dep -eq "Quality Assurance") {
    Add-ADGroupMember -Identity 'QA Group' -Members $un
} #Adds the user to the QA Group
Elseif ($dep -eq "Shipping") {
    Add-ADGroupMember -Identity 'SHIP' -Members $un
} #Adds the user to the Shipping Group
Else {
    Add-ADGroupMember -Identity 'Domain Users' -Members $un
} #Dumps the user to the Domain Users Group

#Connects to the Exchange box, creates the users email account, then disconnects from the Exchange box
$cred = Get-Credential #Prompts for the credentials used by the Exchange remoting session
$mail = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange/powershell -Name Exchange -Authentication Kerberos -Credential $cred
Import-PSSession $mail -WarningAction SilentlyContinue | Out-Null
Enable-Mailbox -Identity $un -Alias $un -DisplayName (-join($fn," ",$ln)) #Creates the users mailbox; display name matches the one set in AD
Remove-PSSession -Session $mail #Disconnects from the Exchange box

$manfn = Get-ADUser $man -Properties GivenName | select GivenName #Gets the managers first name
$manln = Get-ADUser $man -Properties SurName | select SurName #Gets the managers last name

#Create a report of the User's information
$report = "Hello $fn $ln,

From the IT Department, welcome to . We
are here to help you connect to the resources that you need for
your job. If you need assistance with technology, please feel
free to contact us at either the help page, which is set as your
home page in Internet Explorer, email us at
[email protected], or call us at extension 4357.

Below you will find your information so that you can log in to
the network and get started:

Your username is $un
Your password is
Your email address is [email protected]
Your phone number is $officePhone Ext.

It is suggested that you change your password to something that
you can remember but difficult enough that somebody else cannot
figure out. The requirement is only 6 characters, but we do
advise on making it longer, throw some numbers and special
characters in there as well to make it stronger. Best advice
would be to use a pass-PHRASE instead of a pass-WORD.

Your computer should already be set up with your email loaded and
your network drives. At , we use Microsoft
Outlook as the email client. Which drives you have available
depends on what department you are in.
Generally, everybody will have an F: drive and a G: drive. The
F: drive is your network folder. Place in there the documents
that you feel you cannot do your job without. In the F: drive
will be a scan folder. When you go to the Xerox to scan in
documents, then you will find them in your scan folder. The G:
drive is a company-wide shared folder. As for your department
drives, it would be best to talk with $($manfn.GivenName),
your supervisor/manager about the nature and uses of these drives.

The use of the equipment and resources provided are a privilege
to you for use and should not be taken advantage of. There are
measures set in place that allows us to manage the network. Do
not assume that there is any personal privacy on this network.
The only privacy that you can assume is for the nature of your
work. All information (including emails, documents,
spreadsheets, pictures, etc.) contained on the equipment
provided and on the network is the sole property of .

If you have problems with your equipment or network resources,
please feel free to ask. We do not mind helping, but we cannot
help if we do not know, so please ask!

Sincerely,

Your IT Department"

if ($loc -eq "Loc1") {
    Write-Output $report | Out-Printer \\server\Printer
}
Else {
    Write-Output $report | Out-Printer \\server\Printer
}
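The script derives the username as last name plus first initial and, as the comment on the last-name prompt notes, has not been tested with special characters; it also never checks whether that username already exists. The following is an added example, not the post’s own script, of a username builder that folds accented letters, drops characters a sAMAccountName cannot contain, respects the 20-character limit and appends a number on collision. It assumes the ActiveDirectory module; the names at the bottom are constructed samples.

```powershell
Import-Module ActiveDirectory

function New-UniqueUserName {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName
    )
    # Fold accented letters to their base (e.g. "Muñoz" -> "Munoz"), then drop anything
    # outside A-Z/0-9. sAMAccountName forbids " / \ [ ] : ; | = , + * ? < > @ and spaces;
    # being stricter than that is safe and keeps the name predictable.
    $clean = {
        param([string]$s)
        $decomposed = $s.Normalize([Text.NormalizationForm]::FormD)
        $ascii = -join ($decomposed.ToCharArray() | Where-Object {
            [Globalization.CharUnicodeInfo]::GetUnicodeCategory($_) -ne 'NonSpacingMark'
        })
        ($ascii -replace '[^A-Za-z0-9]', '').ToLower()
    }
    $ln = & $clean $LastName
    $fn = & $clean $FirstName
    if (-not $ln -or -not $fn) { throw "No usable characters in '$FirstName $LastName'" }

    # sAMAccountName is limited to 20 characters; keep room for a collision suffix.
    $base = $ln + $fn.Substring(0, 1)
    if ($base.Length -gt 18) { $base = $base.Substring(0, 18) }

    # Walk base, base2, base3 ... until no account in the directory has that name.
    $candidate = $base
    $n = 1
    while (Get-ADUser -Filter "SamAccountName -eq '$candidate'") {
        $n++
        $candidate = "$base$n"
    }
    return $candidate
}

# Constructed sample: yields "munozj" if that account does not already exist, else "munozj2", ...
New-UniqueUserName -FirstName 'José' -LastName 'Muñoz'
```

The returned value can be assigned to $un in place of the script’s -join step; the rest of the script is unchanged.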