Detecting the Administrative Context in PowerShell

I was writing a PowerShell script and it needed to know whether or not it was running in the administrative context. It’s a bit fiddly but here’s a one-liner that sets a Boolean variable for it:

$currentIdentity = New-Object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())
$adminContext = $currentIdentity.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

Run that and $adminContext will be True if the script is running as admin, and False if not.

Migrating all Office 365 students/users to the new Education Plus license

Microsoft recently renamed the free license that academic institutions on Office 365 get (if you have an active EA) to “Office 365 Education Plus for students”. At the same time they added in the Office Pro Plus license option to allow our students (and staff) to get Office 2013 (soon to be 2016).

Of course what they didn’t do was give us a simple way to migrate all our users away from the Student Advantage license onto the new licensing option.

So here’s some powershell to help with doing that:

#connect to 365 prompting for credentials
Connect-Msol
#collect the new license we wish to assign
$newLicense = (Get-MsolAccountSku | ? AccountSkuId -Like "*STANDARDWOFFPACK_IW_STUDENT").AccountSkuId
#find the old Student Advantage license
$oldLicense = (Get-MsolAccountSku | ? AccountSkuId -Like "*OFFICESUBSCRIPTION_STUDENT").AccountSkuId
#find all users with teh Student Advantage license
$needNewLic = (Get-MsolUser -All | Select UserPrincipalName,Licenses | %{if($_.Licenses.AccountSkuId -contains $oldLicense){$_}})
#loop through all users with old license and replace it with new one
$a = 0; foreach ($user in $needNewLic) {$a++; echo "$a of $($needNewLic.Count): $($user.UserPrincipalName)";
Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -RemoveLicenses ($user.Licenses).AccountSkuId -AddLicenses $newLicense
}

Some caveats with the above code:
– it doesn’t work for users that already have some element of the new Education Plus license as the code assumes it has not been applied to your users yet
– it removes all existing licenses from the user and adds the new licenses in their place, so if you have extra licenses you want to keep then the code will need to modified to handle that
– as with all these things, I take no responsibility for the above code blatting your tenancy! it worked for me but please test it beforehand on your own ‘test’ tenacy – like we all have one of those…

Find a computer’s model using PowerShell

Interestingly this blog’s most popular post is one where I demonstrate how to find the serial number of a PC in a batch file so you can write a script that does different things for different computer models.

I pretty much don’t write batch code any more, instead using PowerShell as much as possible. So I thought I’d add a post explaining how to get your computer model in PowerShell as well. If you’ve any experience using PowerShell then you know this could be a very short post…

And the answer?

(Get-WmiObject -Class:Win32_ComputerSystem).Model

Extending that to a specific model to allow us to work on something specific we have many options to play with. My preferred method if I’m only dealing with one model would be to filter at the point of making the query, like so:

Get-WmiObject -Class:Win32_ComputerSystem -Filter:"Model LIKE '%H77ITX%'" -ComputerName:localhost

Notice I’ve filtered the query using the LIKE operator which in WMI queries requires the % character as the wildcard indicator, not *. I’ve also specified the ComputerName as localhost in the above commands. Usually WMI commands operate on network objects, even if you only have the one PC, and as a result can take a little time to respond. If you specify localhost it speeds up the command and ensures you only get a result from the PC where you run your script. Of course if you want to do this on remote PCs then you’d use the ComputerName to specify one or more remote PCs.

Anyway that command is only going to return the object if we are running the query on the right PC model. That’s not too useful on its own so we need to make it return something like True or False, then we can work inside an If statement perhaps. Actually we don’t need to bother! If handles a returned object as if that means True, and no returned object as meaning False.

For example:

If(Get-WmiObject -Class:Win32_ComputerSystem -Filter:"Model LIKE '%H78ITX%'" -ComputerName:localhost)
{ Write-Host "Found an H78ITX model" }
Else
{ Write-Host "Model not found" }

OK so what do we do if we’ve got different models and we want to do different things on different models? Easy, go back to the first command, and use its output with the Switch statement.

$pcModel = (Get-WmiObject -Class:Win32_ComputerSystem).Model
Switch -wildcard ($pcModel)
{
    "*Latitude*" { # install special apps for a Dell }
    "*Elite*"    { # install special apps for an HP }
    default      { # install other things for everything else }
}

There’s plenty you can do with the switch statement, even using regex. There’s a good explanation of it here.

Of course you might want to do things for specific models, and also things for all models from a particular vendor. We can achieve that by being less specific with our initial command and just select different properties of the object from the variable like this.

$computerSystem = (Get-WmiObject -Class:Win32_ComputerSystem)
Write-Host $computerSystem.Manufacturer
Write-Host $computerSystem.Model

Hopefully that shows you how to get the model and manufacturer, then you can construct some logic around both.

Finally, something else to consider is that if you want to drill down using the serial number of a machine we need to make use of a different WMI object, namely Win32_BIOS, like this:

(Get-WmiObject -Class:Win32_BIOS).SerialNumber

Find a computer’s model using the command line or in a batch file

Say you’ve got a script and you want to run something in that script that only runs if you’re on a specific type of machine, what can we do to find out what machine we are on?
Some might say “use vbscript and do a wmi call”. Well yes you could do that, but that’s needlessly hard! Use this simple command instead…

wmic csproduct get name

On my machine that returns two lines, one saying Name and another with my machine’s model name: HP Compaq dc7600 Small Form Factor
How cool is that!! Basically here we’re using a WMI command line tool. There’s lots to it, just type: wmic /?

So to use this in a script we’ll need to check for the existence of a particular machine name being returned, we can use the find command a different way and return the number of lines with a specific word in it. If we get 1 or more lines with that word then we’re on the machine we’re looking for.
Here’s an answer:

wmic csproduct get name | find /c /i "7600"

On my machine that returns a 1, so we just need to parse that into a variable and use a simple if statement and we’re there:

@echo off
for /f "delims==" %%a in ('wmic csproduct get name ^| find /c /i "7600"') do set /a machine=%%a
if %machine% geq 1 (
echo Running on a 7600 machine
) else (
echo Not running on a 7600 machine
)

[script now works, thanks to the comment pointing to the pipe-char issue]

You could modify that to do a goto to jump to another part of your script I guess. Just change the "7600" part for something that uniquely identifies the machine you’re looking for in your environment.

Ths works on XP and Vista. I think it should work in WinPE too as long as you have the WMI add-in installed.

— Updated 2011-10-06 —

And now here’s a better version of my script which will help people who want to use it to batch things a bit more easily!

@ECHO OFF
REM do a wmi query to get the info we want and put it in a variable
FOR /F "tokens=2 delims==" %%A IN ('WMIC csproduct GET Name /VALUE ^| FIND /I "Name="') DO SET machine=%%A
ECHO Computer model: "%machine%"

REM Now we have the model in a variable we can do some logic and run commands, for example...
REM Watch for stray spaces at the end, take out all spaces with: SET machine=%machine: =%
IF /I "%machine%" == "Latitude E6410" (
REM do something specific for an E6410
) ELSE (
REM do something for other types
)

— Updated 2013-09-21: new version of this article using PowerShell here

Decrypting a PFX file with OpenSSL

Occassionally we have to host services that need securing with SSL and unfortunately we can only get our certificates in PKCS12 format, i.e. in a .pfx file – which is only suitable for installing in a Windows IIS box.
So what do you do if you have to put a certificate that’s in the form of a .pfx file into something that’s asking for a private and a public key in plain text?! Well it’s easy actually, we have to convert the .pfx file into something we can use. And thanks to the OpenSSL project there’s a great and free tool for doing it.

1. Get and install OpenSSL from http://www.slproweb.com/products/Win32OpenSSL.html
2. Using the command line browse to where you installed openssl and then into the bin folder
3. Run this command, replacing [path] with the path to your certificate:
openssl pkcs12 -in [path]certificate.pfx -out [path]certificate.pem -nodes
4. You’ll be asked for the password needed to decrypt the certificate at this point
5. Open your new certificate.pem in notepad and you’ll see two sections, a private key section and a public key section. Those are what we’re looking for. You can now copy and paste those into your service that’s asking for the certificate.

By the way, here’s a super page with a handy list of common openssl commands, very useful for a mostly Windows person who forgets commands frequently 🙂 A few frequently used SSL commands