Tag Archives: script

A simple, but effective, annoyance.

Here's a funny one for you scripters out there. We had a chat in work a few weeks ago about just how effective scripting is and whether it is actually useful.

Taking massive offense to this, I of course decided to show said moaner just how effective batch files are!

Here's an evil one for you:

:starting

start cmd

goto starting

That's it! Watching moaner's PC crease and die when I executed this in his session using psexec was my entertainment for the week.

And before you start emailing me, don't ask how I got it into his session. psexec.exe /?

Administration Automation Part 1:

Every company has their build specs, their dummy accounts, post-installation software and other internal doodads they feel are vital to the build. Even with imaging you can never guarantee it's all done right, so I always prefer to script the end of the install just to make sure it's clean, fresh and right each time a system comes off the build line.

Here are a few pointers I threw together to get your “post build” script in order, starting with dummy accounts, passwords and user memberships.

Renaming the administrators account (admrename.vbs):

' "." means the local computer
strComputer = "."
Set wshShell = WScript.CreateObject("WScript.Shell")
strComputerName = wshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Find the local account that is currently named Administrator
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colAccounts = objWMIService.ExecQuery _
("Select * From Win32_UserAccount Where LocalAccount = True And Name = 'Administrator'")

' Rename it to ADM followed by the computer name
For Each objAccount in colAccounts
objAccount.Rename "ADM" & strComputerName
Next

The above script will rename the Administrator account to ADMcomputername. It can easily be changed to a static name by deleting the & strComputerName and putting the full name inside the quotes.

Creating a local account using the command line (batch):

net user patchacc passw0rd /add /comment:"Patch account" /fullname:"windows Patch account" /active:yes /passwordchg:no /passwordreq:yes

The above command will create a user (patchacc) with the password (passw0rd); the account will also be enabled.

Add an account to the local administrators (batch):

net localgroup /add administrators patchacc

The above command adds the username patchacc to the local group administrators. You can use the same command to add a domain account using net localgroup /add administrators domain\username.

Setting a password to never expire (pwd.vbs):

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
strComputer = "."

Set objUser = GetObject("WinNT://" & strComputer & "/username")
' Or sets the bit; Xor would clear it again if it was already set
objPasswordNoChangeFlag = objUser.UserFlags Or ADS_UF_DONT_EXPIRE_PASSWD
objUser.Put "userFlags", objPasswordNoChangeFlag
objUser.SetInfo

The above scriptlet will simply set the password of the “username” account to never expire. Don't try to do it with net user, it doesn't work… ever.

Creating a dummy administrator account:

net user Administrator Notreal123 /add /comment:"Bogus Admin Account" /fullname:"Bogus Admin Account" /active:no /passwordchg:no /passwordreq:yes

The above command will create a disabled user called Administrator (rename the current administrator first), with a password of Notreal123.

After the jump is an example of how to tie them all into one super script and the source files.

http://www.4shared.com/file/64993533/ef9ff324/users.html
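A way to check that a build actually ended up in the state the snippets above aim for (real administrator renamed, decoy Administrator disabled, patch account enabled with a non-expiring password). This is an added example, not the author's super script; the function name Test-PostBuildAccounts and the sample records are made up for illustration, and the property names are those of the Win32_UserAccount WMI class queried in admrename.vbs.

```powershell
# Added example: audits the account state the post-build steps are meant to leave behind.
function Test-PostBuildAccounts {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,      # Win32_UserAccount-shaped records
        [Parameter(Mandatory)] [string]   $ComputerName,
        [string] $ServiceAccount = 'patchacc'             # account name used in the post
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # The built-in administrator keeps RID 500 whatever it is renamed to.
    $builtin = $Accounts | Where-Object { $_.SID -match '-500$' }
    if (-not $builtin) { $findings.Add('No RID-500 account found') }
    elseif ($builtin.Name -ne "ADM$ComputerName") {
        $findings.Add("Built-in admin is '$($builtin.Name)', expected 'ADM$ComputerName'")
    }

    # The decoy is called Administrator, is not RID 500, and must be disabled.
    $decoy = $Accounts | Where-Object { $_.Name -eq 'Administrator' -and $_.SID -notmatch '-500$' }
    if (-not $decoy) { $findings.Add('Decoy Administrator account is missing') }
    elseif (-not $decoy.Disabled) { $findings.Add('Decoy Administrator account is enabled') }

    # The patch account should be enabled with a password that never expires.
    $svc = $Accounts | Where-Object { $_.Name -eq $ServiceAccount }
    if (-not $svc) { $findings.Add("$ServiceAccount is missing") }
    else {
        if ($svc.Disabled)        { $findings.Add("$ServiceAccount is disabled") }
        if ($svc.PasswordExpires) { $findings.Add("$ServiceAccount password is set to expire") }
    }
    $findings
}

# Constructed sample (SIDs are not real): a build where the decoy was left enabled.
$sample = @(
    [pscustomobject]@{ Name='ADMBUILD01';    SID='S-1-5-21-1111-2222-3333-500';  Disabled=$false; PasswordExpires=$true  }
    [pscustomobject]@{ Name='Administrator'; SID='S-1-5-21-1111-2222-3333-1001'; Disabled=$false; PasswordExpires=$true  }
    [pscustomobject]@{ Name='patchacc';      SID='S-1-5-21-1111-2222-3333-1002'; Disabled=$false; PasswordExpires=$false }
)
Test-PostBuildAccounts -Accounts $sample -ComputerName 'BUILD01'

# On a live system, pass the real accounts instead of the sample:
#   Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True"
```

Matching on the RID rather than the name is what lets the check tell the renamed built-in account apart from the decoy.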


How to monitor a server reboot

Often when restarting a server it's nice to get a complete timeline of when the server went down and subsequently came back up. I found this script a while back but found it lacked the later port 3389 check for remote desktop being available again. I edited the following script from Eric and have been using it for a very long time now.

http://www.ericwoodford.com/use_ping_to_notify_when_server_reboots

I have modified it slightly to include a program called portqry. When a server is restarted, it monitors ping responses until the server goes down. It then continually pings the server until it gets a response. Once a response on ICMP is received, it will query port 3389 (remote desktop) until it gets a response, indicating the server is now ready to be logged into again.

You can either type rebooter “servername” or simply type rebooter and the program will ask you for the server's name.

After the jump is the code, and the zip file I have uploaded packaging it all together.
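The same three-phase wait (ping stops, ping returns, port 3389 answers) written as a PowerShell sketch. This is an added example, not the author's batch file or Eric's original; it swaps portqry for a plain .NET TCP connect, and the function names Test-TcpPort, Wait-Until and Watch-Reboot are made up for illustration.

```powershell
# Added example: reboot timeline using ping plus a TCP connect to 3389 (no portqry needed).
function Test-TcpPort {
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)      # throws if the connection was refused
        return $true
    }
    catch   { return $false }
    finally { $client.Close() }
}

# Polls a condition and returns the time at which it first became true.
function Wait-Until {
    param([scriptblock] $Condition, [int] $IntervalSeconds = 2, [int] $TimeoutSeconds = 1800)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while (-not (& $Condition)) {
        if ((Get-Date) -gt $deadline) { throw "Timed out after $TimeoutSeconds seconds" }
        Start-Sleep -Seconds $IntervalSeconds
    }
    Get-Date
}

function Watch-Reboot {
    # Prompts for the name when none is given, like typing rebooter on its own.
    param([string] $ComputerName = (Read-Host 'Server name'))
    $ping = { Test-Connection -ComputerName $ComputerName -Count 1 -Quiet }

    $down = Wait-Until { -not (& $ping) }
    Write-Host "$down  $ComputerName stopped answering ping"
    $up = Wait-Until $ping
    Write-Host "$up  $ComputerName answers ping again"
    $rdp = Wait-Until { Test-TcpPort -ComputerName $ComputerName -Port 3389 }
    Write-Host "$rdp  port 3389 is accepting connections"

    [pscustomobject]@{ Server = $ComputerName; Down = $down; PingUp = $up
                       RdpUp = $rdp; Outage = $rdp - $down }
}

# Saved as rebooter.ps1 this accepts: .\rebooter.ps1 servername
Watch-Reboot @args
```

The timeout in Wait-Until stops the watcher from looping forever when the server never goes down or never comes back.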


How do i remove the language bar? (Updated)

The language bar, as handy as Microsoft think it is, can cause real hassle in terminal services or Citrix sessions. Seeing a language bar for each opened application is both annoying and confusing… and well, let's face it, how often do you actually use it?

As the language bar is part of the Office installation, I did not want to go fiddling with the installation properties in case it knocked anything else in the Office install out of sync, but I did need to remove it from 70+ Citrix servers without much overhead.

I read an article recently on the Citrix forums and it suggested that ctfmon.exe was the owner of the language bar. Once I knew this, I wrote a script to deny users access to this file, which in turn would block it from running.

I decided to use xcacls as a command line utility. I used xcacls to straight out deny members of the users group (locally) access to the file. This is done like this:

xcacls.exe C:\windows\system32\ctfmon.exe /E /d users /Y

If you are using Windows 2000, you can copy xcacls.exe to a network share and run it from there without any issue.

\\server\share\xcacls.exe %SystemRoot%\system32\ctfmon.exe /E /d users /Y

And if you want to hit 60+ servers remotely, use psexec:

psexec @servers.txt -u domain\username cmd /c "\\servername\ctxutils\xcacls.exe %SystemRoot%\system32\ctfmon.exe /E /d users /Y"

Servers.txt would be in the same directory as psexec, and would contain the server names, one per line.

I’ve uploaded the script here:

Update:

As of Server 2008 / Windows Vista the above fix no longer works; this is due to the language bar being heavily integrated.

The following key controls the language bar in these operating systems:

HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar

ShowStatus (DWORD).

To hide the language bar, set the value of ShowStatus to 3.

This can be done using a mandatory profile or group policy as below:

List Members (and email addresses) of an Active Directory group.

Recently I was asked to (a) list all members of an Active Directory group, and (b) pull their primary email address, leaving me with an end report of username and primary email address.

I used dsget to pull the user information from the group. Below is the command I used:

dsget group "cn=Groupname,ou=DLs,ou=Exchange Recipients,dc=ie,dc=domain,dc=company,dc=com" -members >> 1.txt

The above command enumerates the “groupname” group in an OU called DLs, in an OU called Exchange Recipients, in the domain ie.domain.company.com. If your OU or domain structure is different, trim out (or add) what you need. The -members at the end of the command will dump only the usernames, in distinguished name (DN) format.

Once the script is run, check the current directory for a text file called 1.txt. This text file will contain the usernames you need in DN format like below:

“CN=Tom Thumb (IE),ou=Dublin,dc=ie,dc=domain,dc=company,dc=com”
“CN=Mike Hunt (IE),ou=Dublin,dc=ie,dc=domain,dc=company,dc=com”

In order to get the email addresses I decided not to try and read from the file; instead I just ran the same command again and piped the results to another dsget query.

dsget group "cn=Groupname,ou=DLs,ou=Exchange Recipients,dc=ie,dc=domain,dc=company,dc=com" -members | dsget user -email >> 2.txt

The above will pull the results we saw in 1.txt, but instead it passes them straight into another query (dsget user -email) and sends those results to a text file. 2.txt should contain the users' primary email addresses:

tom.thumb@company.com
mike.hunt@company.ie

Now simply copy the contents of both text files into neighboring columns in Excel and you have your report :)

Update: 13/08/2012

An old friend of mine, Rob, reminded me that this post existed and wondered how to do it with PowerShell. Luckily this is much, much easier to do with Windows PowerShell!

On a server with the Active Directory module for PowerShell installed (normally a domain controller), run the following commands (replace the group name with your own one):

 

[sourcecode language="PowerShell"]

#######Change the below values#######
$groupname = "My Group Name"
$exportfile = "c:\temp\report.csv"
#####################################

# Stop if the ActiveDirectory module is not available on this machine
if (!(get-module -ListAvailable | where {$_.name -eq "ActiveDirectory"} -ea 0)){
write-warning "The ActiveDirectory PowerShell module is Not Installed!"
break}
else{
write-host "Importing Active directory module";import-module activedirectory -ea 0
# Export once, after the loop, so every member lands in the CSV rather than only the last one
Get-ADGroupmember $groupname | %{get-aduser $_.samaccountname -properties cn,samaccountname,emailaddress} | select cn,samaccountname,emailaddress | export-csv -notypeinformation $exportfile
}
[/sourcecode]