Tuesday, October 27, 2015

AD and SCCM Device Cleanup

This script removes devices from AD and SCCM that have not been logged onto in 90 days and have not reset their device password in 120. It then checks user device affinity to ensure devices are sorted into the same OU as the primary owner (unless that user is a member of the service desk, in which case the device is left as is). It also maintains a complete log of all changes.
$log="C:\temp\sorter.log"
$date=get-date
$oulist=Get-ADOrganizationalUnit -LDAPFilter '(name=*)' -SearchBase 'OU=DEPT,DC=Domain,DC=com' -SearchScope OneLevel #get-oulist

########################################Cleanup Stale PC's##################

$t="Starting Purge on $date"
$t|out-file $log -append


#Collect Stale devices.
Foreach ($x in Get-QADComputer -NotLoggedOnFor 90 -PasswordNotChangedFor 120 -searchroot "Domain.com/Dept/"){
$t="$($x.name) was Purged on $date"
$t|out-file $log -append 
Write-host $t
#Remove from AD/SCCM
remove-cmdevice -devicename $x.name -force -confirm:$false  
remove-qadobject $x.DN -force -confirm:$false
 
}

$t="Purge complete on $date. "
$t|out-file $log -append

############################################## Object Sorter

$t="Starting Sort on $date"
$t|out-file $log -append

#get all computers
foreach ($z in Get-qadcomputer -searchroot "Domain.com/Dept/"){
$t=""
$x=get-cmdevice -name $z.name 
if (!$x.username){ #check for Assigned user. If none log, and move on.
$t=$z.dn+" no user attached - unable to move."
write-host $t
$t|out-file $log -append

}elseif((Get-ADUser $x.Username -Properties memberof).memberof -like "CN=ISM-ALL*"){ #if member of servicedesk, dont touch 

$t=$z.dn+" last used by service desk. Do not move.."
write-host $t
$t|out-file $log -append

}else{
$y=get-qaduser $x.UserName;

#trim the leading object/container portion of each DN so the parent OU paths can be compared
$f=$z.name.length+16
$G=$y.displayname.length+14
$zdn= $z.dn.substring($f)
$ydn= $y.dn.substring($g)
#write-host $f $zdn 
if($zDN -match $ydn){ #if user dn and PC dn match - move on.
 write-host $z.name " is properly located"
 $zdn=""
 $ydn=""
}else{
 $zdn=""
 $ydn=""
#sort based on DN.

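$dept=$null #reset so a match from a previous device is not reused
Foreach ($q in $OUlist){
$q.Name
if ($y.DN -match $q.name){write-host "yes";$dept=$q.name}
}

if (!$dept){ #no department OU matched the user's DN - log and leave in place
$t=$z.dn+" no matching OU for user - unable to move."
write-host $t
$t|out-file $log -append
}else{
$newou="Domain.com/Dept/"+ $dept +"/Computers"
$t=$z.dn+" moved to "+$newou
write-host $t
$t|out-file $log -append
Move-QADObject $z.dn -NewParentContainer $NewOU
}
$NewOU=""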
}#end dn match if
}#end no user if
}#end foreach computer
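
A dry-run-first version of the AD half of the purge, as an added example that is not the original script. It assumes the ActiveDirectory (RSAT) module instead of the Quest cmdlets, reuses the page's placeholder OU and log path, and the function names Get-StaleComputer and Remove-StaleComputer are hypothetical; the SCCM removal is left out.

```powershell
# Added example (not the original script). Assumes the ActiveDirectory module (RSAT).
# Get-StaleComputer / Remove-StaleComputer are hypothetical helper names.
Import-Module ActiveDirectory

function Get-StaleComputer {
    param(
        [string]$SearchBase = 'OU=DEPT,DC=Domain,DC=com',  # placeholder OU from the page
        [int]$NotLoggedOnDays = 90,
        [int]$PasswordAgeDays = 120
    )
    $logonCutoff = (Get-Date).AddDays(-$NotLoggedOnDays)
    $pwdCutoff   = (Get-Date).AddDays(-$PasswordAgeDays)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties LastLogonDate, PasswordLastSet, whenCreated |
        Where-Object {
            # LastLogonDate comes from lastLogonTimestamp, which AD only refreshes
            # every 9-14 days by default, so it can lag the true last logon.
            # A never-used account has no LastLogonDate: fall back to whenCreated
            # so a freshly joined PC is not selected.
            $lastSeen = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
            # Both thresholds must be exceeded, as in the script above.
            ($lastSeen -lt $logonCutoff) -and ($_.PasswordLastSet -lt $pwdCutoff)
        }
}

function Remove-StaleComputer {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Computer,
        [string]$Log = 'C:\temp\sorter.log'
    )
    process {
        $dn = $Computer.DistinguishedName
        # -WhatIf makes ShouldProcess return $false, so nothing is deleted or logged as purged.
        if ($PSCmdlet.ShouldProcess($dn, 'Delete computer object')) {
            # -Recursive also deletes child objects stored under the computer
            # (for example BitLocker recovery information).
            Remove-ADObject -Identity $dn -Recursive -Confirm:$false
            "$(Get-Date -Format s) purged $dn (last logon $($Computer.LastLogonDate))" |
                Out-File $Log -Append
        }
    }
}

# Review the candidate list first; drop -WhatIf only after checking it.
Get-StaleComputer | Remove-StaleComputer -WhatIf
```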

Adding Users' Devices to a Collection by First and Last Name

Recently I was given a set of users' names to exclude from a deployment. Easy. Until I realized the deployment was deployed to devices, not users. I dropped the user list into a text file, First Last, each on its own line. I read the file and grabbed the username, then performed a user device affinity check, throwing the associated computer into the exclusion collection.
$collectionname="Exclude Reader DC"

foreach ($x in gc C:\temp\adobe.txt){
$y=get-qaduser $x
$user="DOMAIN\"+$y.samaccountname
$z=Get-CMUserDeviceAffinity -UserName $user
#$q=Get-CMDevice -ResourceId $z.resourceid
#$q.name
$z.resourceid 
 Add-CMDeviceCollectionDirectMembershipRule -CollectionName $collectionname -ResourceId $z.resourceid   
}

Monday, October 26, 2015

De-clouding Adobe Reader DC.

The following reg keys remove all cloud features from Adobe Reader DC. This will remove the Sign-In buttons, Up-sell screens and any prompts to do stuff in the cloud.


Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cCloud]
"bDisableADCFileStore"=dword:00000001
"bAdobeSendPluginToggle"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices]
"bToggleAdobeDocumentServices"=dword:00000001
"bTogglePrefsSync"=dword:00000001
"bToggleWebConnectors"=dword:00000001
"bToggleAdobeSign"=dword:00000001
"bUpdater"=dword:00000001



[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM]
"bAllowUserToChangeMsgPrefs"=dword:00000000
"bDontShowMsgWhenViewingDoc"=dword:00000000
"bShowMsgAtLaunch"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint]
"bDisableSharePointFeatures"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cWebmailProfiles]
"bDisableWebmail"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown]
"bAcroSuppressUpsell"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM]
"bAllowUserToChangeMsgPrefs"=dword:00000000
"bDontShowMsgWhenViewingDoc"=dword:00000000
"bShowMsgAtLaunch"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint]
"bDisableSharePointFeatures"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cWebmailProfiles]
"bDisableWebmail"=dword:00000001