PowerCLI

Hi All,

Can someone help me in below task. I have been asked to find & shutdown windows VMs which are harldy used (not used in last say 5 weeks or 30 days ie no login on them with rdp or console)

All my vms are in a AD domain, so i used "dcquary" to find inactive VMs. But it gave list of vms which are already decomed.

So from vcenter point of view can i find such inactive VMs ? my target is a certain 10X /24 subnet only.

Thanks

You would first need to define how you will qualiffy VMs that are "not used".

Is that no logons since a number of days, or CPU usage less than x% over the last number of days, or ...

There are several samples of both methods available in this community.

Hi LucD

If you could share both would be gr8.

1, No login says last X days

2. CPU & RAM is below X%

But I need to direct my search to a range of ips says in 10.x.x.x/24 subnet only

Thanks,

Kiran

BTW I found your note on console access in Powercli script to analyze the idle VM's

But then it does not take into account the RDP & all of my vms are windows vms ,so above will not help me.

Is there any AD plug of powercli (if any)  in we can use here  ?

Also can you help modify the search to specific subnet only pls

Thanks

You can do something like this to select the VM based on a subnet

$subnet = "10.0.0"

Get-VM | where {$_.Guest.IPaddress | where {$_ -match $subnet}} | Select Name

This does require the VMware Tools to be installed on all VMs.

Thanks LucD

Get-ADComputer is what I am using now, I get error in powercli

The term 'Get-ADComputer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or

if a path was included, verify that the path is correct and try again.

At line:1 char:15

+ Get-ADComputer <<<<

    + CategoryInfo          : ObjectNotFound: (Get-ADComputer:String) [], CommandNotFoundException

    + FullyQualifiedErrorId : CommandNotFoundException

So I am using powershell for this

PS C:\> import-module activedirectory

PS C:\>

PS C:\> $domain = "xyz.com"

PS C:\> $DaysInactive = 30

PS C:\> $time = (Get-Date).Adddays(-($DaysInactive))

PS C:\> Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp |select-object Name,@{Name=

"Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | export-csv C:\Temp\intactive-vm.csv

PS C:\>

PS C:\>

I want to modify this to take input of as a file which has the vm names i give & give me o/p of

1. when (date & time)  did this VM contacted the Active directory for my domain say, xyz..com (ie a user tried to autenticate with the Active directory domain)

2. Who was the user id

Thanks

Is the ActiveDirectory module present, and did you import it when you received that error ?

The information you are after should be available in the security eventlogs on the domain controllers of the domain, provided you audit those events.

Hi LucD

Well i have used Powershell for this (import-module activedirectory) & worked well , does it available in powercli as well ?

I did lot of research, looks like AD do not keep last login on a computer of a "user" ... can you pls give cmd which can pull the info in the format below ?

[Computer name -- Last Login in AD -- Name of user Who logged in last ]

My code which does not give the User logged info info tho

$DaysInactive = 7

$time = (Get-Date).Adddays(-($DaysInactive))

Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp -SearchBase "OU=WORKSTATIONS,DC=yyy,DC=xxx,DC=com" |select-object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | export-csv C:\Temp\intactive-vm1.csv

Thanks

You can try to get the registry value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName.

That should give the user that last logged on on the computer.

You can run this through the Invoke-VMScript cmdlet in the guest OS of the VM.

I checked one of my windows 7 vm & this value was blank.. anyways i am digging more

Then it is probably disabled through a GPO I'm afraid.

It is a security advisory the disable this after all.

An alternative could be to be to check the security eventlog, but that would require you to audit successful logons.

Is that active ?

Hi LucD,

I checked, under Windows Logs- Security

I can see the login info..

SO can u guide which powercli can pull this ?

Thanks in advance

I was trying to understand how to works.. got a easy eg too  but it does not tell how can i apply to my situation here

Andrews Tech Blog: Change DNS settings of virtual machines using powershell and vmware tools

Not sure how that article relates to auditing logons I'm afraid.

But have a look at Get-Winevent Part III: Querying the Event Log for Logons (Part B)

Thanks, this is useful

But i was able to reach upto

Get-WinEvent -ComputerName xxx  -Credential xxx  -FilterHashtable @{LogName="Security" ; ID=4672} -MaxEvents 5 | Format-List

I need only computer name & account name in this .. with powercli i just do export-csv ..but wondering how can i do this in powershell

Format-List|out-file -append c:\data\file.csv works but i need only certain rows ie only 2 , how this can be done ?

Below working ok, i am on correct path :smileyhappy:  thanks Lucd ..

Get-WinEvent -ComputerName xxx  -Credential xxx\xxx -FilterHashtable @{LogName="Security" ; ID=4672} -MaxEvents 5 | Format-List

output is :-

TimeCreated  : xxx

ProviderName : Microsoft-Windows-Security-Auditing

Id           : 4672

Message      : Special privileges assigned to new logon.

               Subject:

                   Security ID:        xxx

                   Account Name:        xxxx

                   Account Domain:        xxxx

                   Logon ID:        0x4efd1b

               Privileges:        SeSecurityPrivilege

                           SeTakeOwnershipPrivilege

                           SeLoadDriverPrivilege

                           SeBackupPrivilege

                           SeRestorePrivilege

                           SeDebugPrivilege

                           SeSystemEnvironmentPrivilege

                           SeImpersonatePrivilege

===

Now i have 2 requirements :-

1. I bunch of Vms ( i have the names) for which i need to do this.

2. The output should be in xls

3. I need the xls with only vmname/account name/domain AND MaxEvents 5 per VM ..

4.  I have a common username/passwd for all these VMs ie -Credential xxx\xxx

Can someone Please help here ...

Some code i found in

but that is not working at all

PS C:\> $a = (Get-Date).AddDays(-1)

PS C:\> Get-WinEvent -filterHashtable @{LogName='Security'; StartTime=$a; Id=4624; Level=0} |

>> Where-Object { $_.Properties[8].Value -eq 10} |

>> Select-Object *, @{l='LogonAccount';e={$_.Properties[6].Value + "\" + $_.Properties[5].Value }}

>>

PS C:\>

PS C:\>

http://serverfault.com/questions/314386/listing-users-using-rdp

finally got a working code

Get-WinEvent -ComputerName xxx -Credential xxx -Filterhashtable @{LogName="Security"; ID=4624; StartTime=(Get-Date).AddDays(-1)} |  Where { (2,7,8,9,10,11,12,13 -contains $_.Properties[8].Value) -and -not ($_.Properties[5].Value -match '^DWM|^SYSTEM|^ANONYMOUS|SERVICE$') } | Select MachineName,TimeCreated,@{n="Username";e={$($_.Properties)[5].Value}} -First 1

Well I have not used this cmdlet in past .. so just trying to get it worked for now.. Thanks Lucd, I am looking at the

Get-Winevent now

By the way a sample cmd i ran

get-vm <VM-name> | `

   Invoke-VMScript -ScriptText  "c:\Windows\system32\Shutdown.exe /l /f"  -HostUser <ESX-account> -HostPassword <ESX-password> -GuestUser <guest-account> -GuestPassword <guest-password>

the output is

ScriptOutput

-------------------------------------------------------------------------------------------------------------------------------------------------------------------|

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

But nothing happens on the vm

Any idea what i am doing wrong ?