Major Virus Attack Emergency Powershell Script

Issue:

Our organization recently came under a virus attack. Luckily the virus wasn’t serious, but that got me thinking. After this experience I wanted a PowerShell script to help quickly reset passwords for users, or even disable user or computer accounts. I also wanted the script to be able to quickly roll back any actions it took.

The only problem with Active Directory is that querying is limited to 1000 rows. So you have to break the query into OUs that have fewer than 1000 objects. Keep this in mind as you organize your Active Directory into OUs as well.

Solution:

Here is an example of the script. You will have to change sites, OUs, and paths as needed. Break up the sites into useful separations so that a single site can be contained if it catches a spreading virus.

Import-Module ActiveDirectory
# Major Virus Attack Password Reset, Disable Computer Accounts
# Break-glass style emergency script: every switch below is off by default.
# Set one or more of them to $true and run the script.

# ---- Editable Variables ----

# Site scope: which OUs the actions (and their rollbacks) apply to.
$SITE1      = $false
$MainOffice = $false

# Actions
$passwordReset       = $false   # Set "change password at next logon" on every staff user in scope
$disableUserAccounts = $false   # Disable the staff user accounts in scope
$disableComputers    = $false   # Disable the computer accounts in scope

# Undo actions (roll back)
$rollbackDisableComputers    = $false
$rollbackPasswordReset       = $false
$rollbackDisableUserAccounts = $false

# ---- End Editable Variables ----


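# Log directory. Every action writes its log here and the rollback actions read
# those logs back, so this directory should only be writable by the admins who run
# the script (a world-writable c:\temp lets anyone alter what a rollback re-enables).
$logDir = 'c:\temp'
if (-not (Test-Path -Path $logDir -PathType Container))
{
    # -PathType Container: a *file* called c:\temp must not be mistaken for the directory.
    # Out-Null: New-Item would otherwise echo the DirectoryInfo to the console.
    # -ErrorAction Stop: without the directory every Set-Content below would fail anyway.
    New-Item -ItemType Directory -Path $logDir -ErrorAction Stop | Out-Null
}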


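if ($disableComputers)
{
    # Disables every workstation / member-server computer account (primaryGroupID=515,
    # which leaves domain controllers alone) in the selected sites. Two logs are written:
    #   $adlogfile - computers that were ALREADY disabled before this run, so a rollback
    #                can leave them disabled
    #   $dlogfile  - computers this run disabled (one DN per line after a header line)
    $dlogfile  = 'c:\temp\disableComputers_Log.txt'
    $adlogfile = 'c:\temp\preexistingDisabledComputers_Log.txt'

    # One entry per selected site; the same scoping is used for both passes.
    $sites = @()
    if ($SITE1)      { $sites += @{ Label = 'Site1';       Base = 'OU=SITE1,DC=CONTOSO,DC=com' } }
    if ($MainOffice) { $sites += @{ Label = 'Main Office'; Base = 'OU=Main Office,DC=CONTOSO,DC=com' } }

    # Pass 1: record computers that are already disabled (userAccountControl bit 2 set).
    Set-Content $adlogfile ''
    foreach ($site in $sites)
    {
        $computers = Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' -SearchBase $site.Base
        foreach ($comp in $computers)
        {
            Add-Content $adlogfile $comp.DistinguishedName
        }
    }

    # Pass 2: disable and log. A DN is written to the log only after Disable-ADAccount
    # succeeded, so the log never claims a computer was disabled when the call failed
    # (the original logged unconditionally, which would make a later rollback act on it).
    Set-Content $dlogfile ''
    Write-Host 'Disable Computers Log:'
    Add-Content $dlogfile 'Disable Computers Log:'
    foreach ($site in $sites)
    {
        Write-Host "Disable $($site.Label) Computers Log:"
        $computers = Get-ADComputer -LDAPFilter '(primaryGroupID=515)' -SearchBase $site.Base
        foreach ($comp in $computers)
        {
            $compdn = $comp.DistinguishedName
            try
            {
                Disable-ADAccount -Identity $compdn -ErrorAction Stop
                Add-Content $dlogfile $compdn
            }
            catch
            {
                Write-Warning "Failed to disable $compdn : $_"
            }
        }
    }
}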


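if ($rollbackDisableComputers)
{
    # Re-enables the computer accounts that the disableComputers action disabled.
    # Only computers listed in disableComputers_Log.txt are touched (if that log is
    # missing, the whole site scope is used, with a warning), and anything listed in
    # preexistingDisabledComputers_Log.txt is skipped, so accounts that were deliberately
    # disabled before the incident stay disabled. The original re-enabled every computer
    # in the OU and never consulted the pre-existing log it had written.
    $dlogfile    = 'c:\temp\rollbackDisabledStaffComputers_Log.txt'
    $actionLog   = 'c:\temp\disableComputers_Log.txt'
    $preexistLog = 'c:\temp\preexistingDisabledComputers_Log.txt'

    $sites = @()
    if ($SITE1)      { $sites += @{ Label = 'Site1';       Base = 'OU=SITE1,DC=CONTOSO,DC=com' } }
    if ($MainOffice) { $sites += @{ Label = 'Main Office'; Base = 'OU=Main Office,DC=CONTOSO,DC=com' } }

    # DNs the disable action recorded. $null means "no action log; fall back to the whole scope".
    # Log lines are DNs (CN=...); the blank first line and the header line are skipped.
    $disabledByScript = $null
    if (Test-Path -Path $actionLog -PathType Leaf)
    {
        $disabledByScript = @{}
        foreach ($line in Get-Content $actionLog)
        {
            if ($line -like 'CN=*') { $disabledByScript[$line] = $true }
        }
    }
    else
    {
        Write-Warning "$actionLog not found; every disabled computer in scope will be re-enabled"
    }

    # DNs that were disabled before the disable action ran: never re-enable these.
    $preexisting = @{}
    if (Test-Path -Path $preexistLog -PathType Leaf)
    {
        foreach ($line in Get-Content $preexistLog)
        {
            if ($line -like 'CN=*') { $preexisting[$line] = $true }
        }
    }

    Set-Content $dlogfile ''
    Write-Host 'Rollback Disable Computers Log:'
    Add-Content $dlogfile 'Rollback Disable Computers Log:'

    foreach ($site in $sites)
    {
        Write-Host "Rollback Disable $($site.Label) Computers Log:"
        Add-Content $dlogfile "Rollback Disable $($site.Label) Computers Log:"
        # The AD query still defines the scope; a log line only selects from its results,
        # so an edited log file cannot make this block enable an arbitrary object.
        $computers = Get-ADComputer -LDAPFilter '(primaryGroupID=515)' -SearchBase $site.Base
        foreach ($comp in $computers)
        {
            $compdn = $comp.DistinguishedName
            if ($preexisting.ContainsKey($compdn)) { continue }
            if ($null -ne $disabledByScript -and -not $disabledByScript.ContainsKey($compdn)) { continue }
            try
            {
                Enable-ADAccount -Identity $compdn -ErrorAction Stop
                Add-Content $dlogfile $compdn
            }
            catch
            {
                Write-Warning "Failed to enable $compdn : $_"
            }
        }
    }
}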


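#Set all Staff Users to Change Password at Next Logon
if ($passwordReset)
{
    # Forces "change password at next logon" on every member of CN=Staff that lives in
    # the selected sites. $logfile lists the users the flag was set for (one
    # sAMAccountName per line after the header lines) so rollbackPasswordReset can undo it.
    $logfile = 'c:\temp\passwordresetatnextloginlog.txt'
    # Users who already had the flag before this run (pwdLastSet=0). Logged so a rollback
    # does not clear a flag this script never set. (New log file, named like the others.)
    $adlogfile = 'c:\temp\preexistingPasswordResetUsers_Log.txt'

    $staffFilter       = '(&(&(objectCategory=person)(objectClass=user))(memberof=CN=Staff,DC=CONTOSO,DC=com))'
    $preexistingFilter = '(&(&(objectCategory=person)(objectClass=user))(memberof=CN=Staff,DC=CONTOSO,DC=com)(pwdLastSet=0))'

    $sites = @()
    if ($SITE1)      { $sites += @{ Label = 'Site1';       Base = 'OU=SITE1,DC=CONTOSO,DC=com' } }
    if ($MainOffice) { $sites += @{ Label = 'Main Office'; Base = 'OU=Main Office,DC=CONTOSO,DC=com' } }

    # Pass 1: record users who already must change their password at next logon.
    Set-Content $adlogfile ''
    foreach ($site in $sites)
    {
        $alreadyFlagged = Get-ADUser -LDAPFilter $preexistingFilter -SearchBase $site.Base
        foreach ($user in $alreadyFlagged)
        {
            Add-Content $adlogfile $user.SamAccountName
        }
    }

    # Pass 2: set the flag and log. A name is logged only after Set-ADUser succeeded.
    Set-Content $logfile ''
    Add-Content $logfile 'Staff Users Password Reset:'
    Write-Host 'Staff Users Password Reset:'
    foreach ($site in $sites)
    {
        Add-Content $logfile "$($site.Label) Users:"
        Write-Host "$($site.Label) Users:"
        $users = Get-ADUser -LDAPFilter $staffFilter -SearchBase $site.Base
        foreach ($user in $users)
        {
            $samaccountname = $user.SamAccountName
            try
            {
                Set-ADUser -Identity $samaccountname -ChangePasswordAtNextLogon $true -ErrorAction Stop
                Add-Content $logfile $samaccountname
            }
            catch
            {
                Write-Warning "Failed to set password reset for $samaccountname : $_"
            }
        }
    }
}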



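if ($rollbackPasswordReset)
{
    # Clears "change password at next logon" for the users the passwordReset action set it on.
    # Only users listed in passwordresetatnextloginlog.txt are touched (if that log is
    # missing, the whole staff scope is used, with a warning). Users listed in the optional
    # preexistingPasswordResetUsers_Log.txt already had the flag before the incident and are
    # skipped. The original cleared the flag for every staff user in the OU.
    $logfile     = 'c:\temp\rollbackPasswordResetAtNextLogin_Log.txt'
    $actionLog   = 'c:\temp\passwordresetatnextloginlog.txt'
    $preexistLog = 'c:\temp\preexistingPasswordResetUsers_Log.txt'   # optional; absent on older runs
    $staffFilter = '(&(&(objectCategory=person)(objectClass=user))(memberof=CN=Staff,DC=CONTOSO,DC=com))'

    $sites = @()
    if ($SITE1)      { $sites += @{ Label = 'Site1';       Base = 'OU=SITE1,DC=CONTOSO,DC=com' } }
    if ($MainOffice) { $sites += @{ Label = 'Main Office'; Base = 'OU=Main Office,DC=CONTOSO,DC=com' } }

    # Log lines are sAMAccountNames. Header lines end in ':' (a character a sAMAccountName
    # cannot contain) and the first line is blank, so both are skipped.
    $flaggedByScript = $null
    if (Test-Path -Path $actionLog -PathType Leaf)
    {
        $flaggedByScript = @{}
        foreach ($line in Get-Content $actionLog)
        {
            if ($line -ne '' -and $line -notlike '*:') { $flaggedByScript[$line] = $true }
        }
    }
    else
    {
        Write-Warning "$actionLog not found; the flag will be cleared for every staff user in scope"
    }

    $preexisting = @{}
    if (Test-Path -Path $preexistLog -PathType Leaf)
    {
        foreach ($line in Get-Content $preexistLog)
        {
            if ($line -ne '' -and $line -notlike '*:') { $preexisting[$line] = $true }
        }
    }

    Set-Content $logfile ''
    Add-Content $logfile 'Staff Users Rollback Password Reset:'
    Write-Host 'Staff Users Rollback Password Reset:'
    foreach ($site in $sites)
    {
        Add-Content $logfile "$($site.Label) Users:"
        Write-Host "$($site.Label) Users:"
        # The AD query still defines the scope; a log line only selects from its results.
        $users = Get-ADUser -LDAPFilter $staffFilter -SearchBase $site.Base
        foreach ($user in $users)
        {
            $samaccountname = $user.SamAccountName
            if ($preexisting.ContainsKey($samaccountname)) { continue }
            if ($null -ne $flaggedByScript -and -not $flaggedByScript.ContainsKey($samaccountname)) { continue }
            try
            {
                Set-ADUser -Identity $samaccountname -ChangePasswordAtNextLogon $false -ErrorAction Stop
                Add-Content $logfile $samaccountname
            }
            catch
            {
                Write-Warning "Failed to roll back password reset for $samaccountname : $_"
            }
        }
    }
}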







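if ($disableUserAccounts)
{
    # Disables every member of CN=Staff that lives in the selected sites.
    # $adlogfile records the staff users that were ALREADY disabled before this run so
    # rollbackDisableUserAccounts can leave them alone; $logfile records the users this
    # run disabled (one sAMAccountName per line after the header lines).
    $adlogfile = 'c:\temp\staffUsersAlreadyDisabled_Log.txt'
    $logfile   = 'c:\temp\disableStaffUserAccountslog.txt'

    $staffFilter    = '(&(&(objectCategory=person)(objectClass=user))(memberof=CN=Staff,DC=CONTOSO,DC=com))'
    # Same membership filter plus "account disabled" (userAccountControl bit 2 set).
    $disabledFilter = '(&(&(&(objectCategory=person)(objectClass=user))(memberof=CN=Staff,DC=CONTOSO,DC=com))(userAccountControl:1.2.840.113556.1.4.803:=2))'

    $sites = @()
    if ($SITE1)      { $sites += @{ Label = 'Site1';       Base = 'OU=SITE1,DC=CONTOSO,DC=com' } }
    if ($MainOffice) { $sites += @{ Label = 'Main Office'; Base = 'OU=Main Office,DC=CONTOSO,DC=com' } }

    # Pass 1: already-disabled users, scoped to the same sites as the disable pass
    # (the original scanned both OUs regardless of the site switches).
    Set-Content $adlogfile ''
    foreach ($site in $sites)
    {
        $alreadyDisabled = Get-ADUser -LDAPFilter $disabledFilter -SearchBase $site.Base
        foreach ($user in $alreadyDisabled)
        {
            Add-Content $adlogfile $user.SamAccountName
        }
    }

    # Pass 2: disable and log. A name is logged only after Disable-ADAccount succeeded,
    # so a failed call cannot be mistaken for a disabled account by the rollback.
    Set-Content $logfile ''
    Add-Content $logfile 'Staff Users Disable User Accounts:'
    Write-Host 'Staff Users Disable User Accounts:'
    foreach ($site in $sites)
    {
        Add-Content $logfile "$($site.Label) Users:"
        Write-Host "$($site.Label) Users:"
        $users = Get-ADUser -LDAPFilter $staffFilter -SearchBase $site.Base
        foreach ($user in $users)
        {
            $samaccountname = $user.SamAccountName
            try
            {
                Disable-ADAccount -Identity $samaccountname -ErrorAction Stop
                Add-Content $logfile $samaccountname
            }
            catch
            {
                Write-Warning "Failed to disable $samaccountname : $_"
            }
        }
    }
}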



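if ($rollbackDisableUserAccounts)
{
    # Re-enables the staff users that the disableUserAccounts action disabled.
    # Only names in disableStaffUserAccountslog.txt are touched (if that log is missing,
    # the whole staff scope is used, with a warning), and names in
    # staffUsersAlreadyDisabled_Log.txt are skipped, so accounts that were deliberately
    # disabled before the incident (leavers, dormant accounts) stay disabled. The original
    # re-enabled every staff user in the OU and never read the pre-existing log.
    $logfile     = 'c:\temp\rollbackDisableUserAccount_Log.txt'
    $actionLog   = 'c:\temp\disableStaffUserAccountslog.txt'
    $preexistLog = 'c:\temp\staffUsersAlreadyDisabled_Log.txt'
    $staffFilter = '(&(&(objectCategory=person)(objectClass=user))(memberof=CN=Staff,DC=CONTOSO,DC=com))'

    $sites = @()
    if ($SITE1)      { $sites += @{ Label = 'Site1';       Base = 'OU=SITE1,DC=CONTOSO,DC=com' } }
    if ($MainOffice) { $sites += @{ Label = 'Main Office'; Base = 'OU=Main Office,DC=CONTOSO,DC=com' } }

    # Log lines are sAMAccountNames. Header lines end in ':' (a character a sAMAccountName
    # cannot contain) and the first line is blank, so both are skipped.
    $disabledByScript = $null
    if (Test-Path -Path $actionLog -PathType Leaf)
    {
        $disabledByScript = @{}
        foreach ($line in Get-Content $actionLog)
        {
            if ($line -ne '' -and $line -notlike '*:') { $disabledByScript[$line] = $true }
        }
    }
    else
    {
        Write-Warning "$actionLog not found; every staff user in scope will be re-enabled"
    }

    $preexisting = @{}
    if (Test-Path -Path $preexistLog -PathType Leaf)
    {
        foreach ($line in Get-Content $preexistLog)
        {
            if ($line -ne '' -and $line -notlike '*:') { $preexisting[$line] = $true }
        }
    }

    Set-Content $logfile ''
    Add-Content $logfile 'Staff Users Rollback Disable User Accounts:'
    Write-Host 'Staff Users Rollback Disable User Accounts:'
    foreach ($site in $sites)
    {
        Add-Content $logfile "$($site.Label) Users:"
        Write-Host "$($site.Label) Users:"
        # The AD query still defines the scope; a log line only selects from its results,
        # so an edited log file cannot make this block enable an arbitrary account.
        $users = Get-ADUser -LDAPFilter $staffFilter -SearchBase $site.Base
        foreach ($user in $users)
        {
            $samaccountname = $user.SamAccountName
            if ($preexisting.ContainsKey($samaccountname)) { continue }
            if ($null -ne $disabledByScript -and -not $disabledByScript.ContainsKey($samaccountname)) { continue }
            try
            {
                Enable-ADAccount -Identity $samaccountname -ErrorAction Stop
                Add-Content $logfile $samaccountname
            }
            catch
            {
                Write-Warning "Failed to enable $samaccountname : $_"
            }
        }
    }
}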
