Category Archives: Citrix

NetScaler PowerShell function to get nsmode “mediaclassification”

In version 11. build 64.34 there is a bug in the NetScaler mode "MediaClassification" that can crash a NetScaler appliance when AppFlow is enabled. Separately, a second bug can turn the "mediaclassification" mode on without anyone asking for it: it occurs when Insight Center (or a specific Nitro API call) contacts the appliance to add AppFlow policies. So on this particular build, if someone creates a new policy through Insight Center, the mode can be enabled, the appliance can then hit the crash bug, and it goes down. I have seen this in the real world, and it can put an HA pair into an infinite boot loop. Be warned: HA will not save the day with this particular issue. The crash itself happens when "mediaclassification" is enabled and the NetScaler receives an HTTP request that does not contain a Host header (HTTP/1.0, anyone?). The workaround is to disable the mode. However, as mentioned, the separate bug can and will re-enable it. So here is a PowerShell script that checks the mode on one or more NetScalers and sends an SMTP message if the mode is found enabled. It could be modified to suit other alert/notification needs as well.



Function Get-NSmode {
    # $nsip: management address (NSIP) of the NetScaler to query
    param([Parameter(Mandatory=$true)][string]$nsip)

    # Choose protocol for contacting the NetScaler, http:// or https://
    # (https:// is strongly recommended: the account below is sent as HTTP Basic authentication on every request)
    $nsprotocol = "http://"
    # NetScaler account authorized to at least "show ns mode". A read-only account is all this check needs.
    $nsuser = "ns_read_only_account"
    # Password for the account defined in $nsuser. Keeping it in clear text in the script is for illustration only;
    # in production read it from a secret store, Get-Credential, or an Export-Clixml file protected by DPAPI.
    $nspass = "SomeCrazyPasswordForReadOnlyServiceAccount" | ConvertTo-SecureString -AsPlainText -Force
    # SMTP server address
    $psemailserver = ""
    # Mail to address
    $mailto = ""
    # Mail from address
    $mailfrom = ""
    # Do not modify unless you know what you are doing
    $cred = New-Object System.Management.Automation.PSCredential($nsuser, $nspass)

    ### MAIN ###

    # NITRO answers {"errorcode":0,"message":"Done","nsmode":{...,"mediaclassification":false,...}};
    # Invoke-RestMethod converts the JSON, so the flag can be read directly instead of string-matching the object.
    $response = Invoke-RestMethod -Method GET -Credential $cred -Uri ($nsprotocol + $nsip + "/nitro/v1/config/nsmode")
    $mediaclassification = [bool]$response.nsmode.mediaclassification

    if (-not $mediaclassification) {
        Write-Verbose "MediaClassification mode is disabled on $nsip"
    }
    else {
        # The original post's message text is cut off after "Investigate if this was"; the ending is supplied here.
        $body = "MediaClassification Mode is enabled on $nsip. This mode can cause the NetScaler to crash. Investigate if this was expected."
        Send-MailMessage -SmtpServer $psemailserver -To $mailto -From $mailfrom -Subject "*** NetScaler $nsip MediaClassification Mode Enabled ***" -Body $body
    }

    ### END ###

    return $mediaclassification
}

This script is best run as a scheduled task. Leave your comments below.
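Alerting is the minimum; since the workaround is to disable the mode, the check can also put it back to disabled. The function below is an added example, not code from the original post, and it goes one step beyond the script above by performing the fix and re-reading the state afterwards. It assumes the NITRO nsmode resource accepts `POST /nitro/v1/config/nsmode?action=disable` with a body of `{"nsmode":{"mode":["MediaClassification"]}}`, which is the API form of the CLI command `disable ns mode MediaClassification`, and that the credential passed in belongs to an account allowed to change modes (the read-only account used by the checker cannot). `$nsip`, `$cred` and `$nsprotocol` are parameter names chosen here.

```powershell
Function Disable-NSMediaClassification {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$nsip,          # NSIP of the appliance (assumed input)
        [Parameter(Mandatory = $true)][pscredential]$cred,    # account permitted to "disable ns mode"
        [string]$nsprotocol = "https://"                      # Basic auth goes in clear over http://, so default to TLS
    )

    $base = "$nsprotocol$nsip/nitro/v1/config/nsmode"

    # 1. Read the current mode state. NITRO answers {"errorcode":0,"message":"Done","nsmode":{...}}
    $state = Invoke-RestMethod -Method GET -Credential $cred -Uri $base
    if ($state.errorcode -ne 0) { throw "NITRO GET nsmode failed on ${nsip}: $($state.message)" }

    if (-not [bool]$state.nsmode.mediaclassification) {
        Write-Verbose "MediaClassification already disabled on $nsip"
        return $false   # nothing changed
    }

    # 2. Disable it. The "disable" action and the mode-list payload are assumptions matching the
    #    NITRO nsmode resource (CLI equivalent: disable ns mode MediaClassification).
    $payload = @{ nsmode = @{ mode = @("MediaClassification") } } | ConvertTo-Json -Compress
    if ($PSCmdlet.ShouldProcess($nsip, "disable ns mode MediaClassification")) {
        $result = Invoke-RestMethod -Method POST -Credential $cred -Uri "$base?action=disable" `
                                    -ContentType "application/json" -Body $payload
        # Some NITRO actions return an empty body on success, so only a non-zero errorcode is a failure
        if ($result -and $result.errorcode -ne 0) { throw "NITRO disable failed on ${nsip}: $($result.message)" }

        # 3. Re-read and verify instead of trusting the POST response. The other bug in this build can
        #    re-enable the mode at any time, so the scheduled check still has to keep running.
        $after = Invoke-RestMethod -Method GET -Credential $cred -Uri $base
        if ([bool]$after.nsmode.mediaclassification) { throw "MediaClassification still enabled on $nsip after disable" }
        Write-Warning "MediaClassification mode was enabled on $nsip and has been disabled"
        return $true    # state changed
    }
    return $false
}

# Example invocation with an assumed NSIP; -WhatIf shows the action without sending the POST
# Disable-NSMediaClassification -nsip "192.0.2.10" -cred (Get-Credential) -WhatIf
```

Run it with -WhatIf first to confirm the target, and keep the alert mail: a silent auto-fix on a box that keeps re-enabling the mode hides the fact that the underlying bug is still there.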


Get-AppLockerReport (Function)

Here is another time saver I use almost daily. You can enter a server name, answer the "how many days" question, and get a nice list of AppLocker block events. This is very useful for quickly seeing whether something is being blocked.

Function Get-AppLockerReport {
    # Servers to query. The original post read an undefined $ServerNames variable; it is now a parameter.
    param([Parameter(Mandatory=$true)][string[]]$ServerNames)

    [int]$TimeInput = Read-Host "Enter number of days to query logs"
    $StartTime = (Get-Date).AddDays(-$TimeInput)

    Foreach ($AppLockerServer in $ServerNames) {
        # In the "EXE and DLL" log, level Error is the enforced block (event 8004);
        # audit-only "would have been blocked" hits are Warnings (event 8003) and are deliberately left out here.
        # -ErrorAction SilentlyContinue suppresses the "No events were found" error on quiet servers.
        Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-AppLocker/EXE and DLL"; StartTime=$StartTime} -ComputerName $AppLockerServer -ErrorAction SilentlyContinue |
            Where-Object { $_.LevelDisplayName -eq "Error" } |
            Group-Object Message -NoElement |
            Select-Object @{n="Server"; e={$AppLockerServer}}, Count, Name |
            Format-List
    }
}
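Grouping on the message text tells you that something was blocked, but not who ran what, and the message wording varies between OS versions. The following added example, which is not code from the original post, reads the structured fields out of the AppLocker event XML instead. The event below is constructed to match the layout of an event ID 8004 record from the "EXE and DLL" log as returned by `.ToXml()`; the host name, SID, path and hash in it are invented, and `ConvertFrom-AppLockerEventXml` and `Get-AppLockerBlocks` are names chosen here.

```powershell
# Constructed sample: the shape of an AppLocker "EXE and DLL" event 8004 (executable blocked).
# Host, SID, path and hash are made up for illustration.
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" />
    <EventID>8004</EventID>
    <Level>2</Level>
    <TimeCreated SystemTime="2016-03-01T14:22:05.0000000Z" />
    <Computer>rds01.example.local</Computer>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/AppLocker/2008/08/AppLockerEvent">
      <PolicyName>EXE</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleName>-</RuleName>
      <TargetUser>S-1-5-21-1111111111-2222222222-3333333333-1105</TargetUser>
      <TargetProcessId>4120</TargetProcessId>
      <FilePath>%OSDRIVE%\USERS\JDOE\DOWNLOADS\TOOL.EXE</FilePath>
      <FileHash>0000000000000000000000000000000000000000000000000000000000000000</FileHash>
      <Fqbn>-</Fqbn>
    </RuleAndFileData>
  </UserData>
</Event>
'@

Function ConvertFrom-AppLockerEventXml {
    param([Parameter(Mandatory=$true)][string]$EventXml)
    [xml]$x = $EventXml
    $d  = $x.Event.UserData.RuleAndFileData        # dot navigation ignores the XML namespaces
    $id = [int]$x.Event.System.EventID
    $action = if ($id -eq 8004) { "Blocked" } elseif ($id -eq 8003) { "AuditOnly" } else { "Other" }

    # Translate the SID to an account name where possible; keep the raw SID when the lookup fails
    # (deleted account, no domain connectivity) rather than dropping the event.
    $user = $d.TargetUser
    try {
        $user = ([System.Security.Principal.SecurityIdentifier]$d.TargetUser).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch {}

    [pscustomobject]@{
        Time     = [datetime]$x.Event.System.TimeCreated.SystemTime
        Computer = $x.Event.System.Computer
        EventId  = $id
        Action   = $action
        Policy   = $d.PolicyName
        User     = $user
        FilePath = $d.FilePath
        FileHash = $d.FileHash     # SHA-256 of the file, useful for triage without touching the host
        Fqbn     = $d.Fqbn         # publisher/product/binary/version when the file is signed, "-" otherwise
    }
}

# Live use: pull both blocked (8004) and audit-only (8003) events from a server and summarise by user and file
Function Get-AppLockerBlocks {
    param([Parameter(Mandatory=$true)][string]$ComputerName, [int]$Days = 1)
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = "Microsoft-Windows-AppLocker/EXE and DLL"; Id = 8003, 8004; StartTime = (Get-Date).AddDays(-$Days)
    } | ForEach-Object { ConvertFrom-AppLockerEventXml -EventXml $_.ToXml() } |
        Group-Object User, FilePath, Action | Sort-Object Count -Descending |
        Select-Object Count, @{n="User"; e={$_.Group[0].User}}, @{n="Action"; e={$_.Group[0].Action}},
                      @{n="FilePath"; e={$_.Group[0].FilePath}}
}

# Offline demonstration on the constructed event
ConvertFrom-AppLockerEventXml -EventXml $SampleEventXml | Format-List
```

The per-user, per-path grouping is what you want when deciding whether a block is an attack or a missing rule: one user hitting one path in their profile directory fifty times is usually a broken application, many users hitting the same hash in Downloads is worth a look.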

Create RDS directories (Scheduled Task)

This script queries AD for a list of users (sAMAccountName), then checks a profile share for each one and creates the user's roaming profile directory (with the .V2 suffix used by Windows Server 2008 and later domains) if it does not already exist. It only checks for the directory's existence; directories that are already there are left untouched, and the newly created ones get an ACL granting the user Full Control.

# Requires the ActiveDirectory module (RSAT) and an account that can create folders and set ACLs on the profile share
Import-Module ActiveDirectory

$ProfileRoot = "\\some\path\to\RDS\"   # Root of the roaming profile share (trailing backslash required)
$Domain      = "corp"                  # NetBIOS domain name used in the ACE

$List = Get-ADUser -Filter * -SearchBase "ou=something,dc=jameier,dc=com" | select samaccountname

$Users = $List.samaccountname

#$Users = "username"   # uncomment to test against a single account

foreach ($user in $users) {

    $ProfilePath = $ProfileRoot + $user + ".V2"   # roaming.V2 profile folder for 2008+ domains
    $exist = Test-Path $ProfilePath
    if ($exist) {
        write-host -foregroundcolor Green ("$user already has a V2 profile directory")
    }
    else {
        new-item -itemtype directory -path $ProfilePath | Out-Null

        # Grant the user Full Control on the folder and on everything created beneath it
        $objUser = New-Object System.Security.Principal.NTAccount("$Domain\$user")
        $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

        $objACL = Get-Acl $ProfilePath
        $objACL.AddAccessRule($objACE)                 # the original post built the ACE but never added it to the ACL
        Set-Acl -Path $ProfilePath -AclObject $objACL  # the original also dropped the backslash before $user in this path
        write-host -foregroundcolor Yellow ("Created V2 profile directory for $user")
    }
}
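Adding one Allow ACE on top of whatever the folder inherits from the share root is the weak point of the script above: if the root grants Authenticated Users or Everyone read access, every new profile directory inherits that and other users can browse it. The function below is an added example, not code from the original post, that cuts inheritance on the new folder and leaves exactly two principals with access, the profile owner and SYSTEM. `$ProfilePath` and `$Account` are assumed inputs; the demonstration at the bottom uses a throwaway folder under `$env:TEMP` with the current user standing in for the profile owner, so it runs without the profile share or AD.

```powershell
Function Set-ProfileFolderAcl {
    param(
        [Parameter(Mandatory=$true)][string]$ProfilePath,
        [Parameter(Mandatory=$true)][string]$Account      # e.g. "corp\jdoe" (assumed input)
    )
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $acl = Get-Acl -Path $ProfilePath

    # Stop inheriting from the share root: $true = protect this folder's ACL, $false = do not copy the
    # inherited ACEs down, so whatever the root grants to Authenticated Users/Everyone no longer applies here.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove any explicit ACEs that were already present (e.g. copied from a template folder)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($rule) }

    # Exactly two principals: the profile owner and local SYSTEM (the profile service runs as SYSTEM)
    $system = New-Object System.Security.Principal.SecurityIdentifier(
                  [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
    foreach ($principal in @([System.Security.Principal.NTAccount]$Account, $system)) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, "FullControl", $inherit, "None", "Allow")
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $ProfilePath -AclObject $acl
}

# Reads the ACL back so the result can be verified instead of assumed
Function Get-ProfileFolderAclSummary {
    param([Parameter(Mandatory=$true)][string]$ProfilePath)
    $acl = Get-Acl -Path $ProfilePath
    [pscustomobject]@{
        InheritanceDisabled = $acl.AreAccessRulesProtected
        Entries = @($acl.Access | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" })
    }
}

# Offline demonstration on a throwaway local folder; expect InheritanceDisabled = True and two entries
$demo = Join-Path $env:TEMP ("profile-acl-demo-" + [guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Path $demo | Out-Null
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Set-ProfileFolderAcl -ProfilePath $demo -Account $me
Get-ProfileFolderAclSummary -ProfilePath $demo
Remove-Item -Path $demo -Recurse -Force
```

Call `Set-ProfileFolderAcl` right after the `new-item` in the script above, passing `"$Domain\$user"` as the account. Administrators are deliberately not granted here; if the help desk needs to reach profiles, add a single group ACE rather than relying on inherited rights from the share.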