- Cool Gadget - USB to Ethernet Network Adapter
-
I was traveling last week and found myself without Internet connectivity in my hotel room. If there is one thing a field engineer needs while traveling, it is Internet connectivity. This is the second time I have stayed at a Courtyard Marriott and had no internet. Both hotels use iBahn boxes that plug into a telephone jack and have an ethernet port on the front. Try as I might, I was unable to get an IP address issued to my wired adapter. After jumping through all the hoops (restart computer, check adapter config, etc.) the technical support representative put me through, I finally asked for my case to be escalated. When a senior person got on the phone he asked if I had a Broadcom network adapter in my laptop. When I answered yes he explained that Broadcom adapters are not compatible with the iBahn adapter and that was the reason I could not be issued an IP address. Great! One of the most widespread network adapters in the industry would not work at one of the largest hotel chains in the world. A frustration "perfect storm". I now had two choices: switch hotels (did that last time) or find another solution.
I tethered the cell phone, connected to the Internet and searched for information on USB Ethernet adapters. I ran down to the local Office Depot and picked up a Cisco (aka Linksys) USB Ethernet adapter. I plugged the device in, loaded drivers and I was back in business. If you travel you might want to pick up one of these just in case...
http://www.linksysbycisco.com/US/en/products/USB300M
- Windows 7 Release Candidate: Download instructions
-
The Windows 7 Release Candidate is available for download "free" (see previous post). In Microsoft terms, Release Candidate (RC) code is code that we think is ready for release to our customers, but on which we are still doing some final testing and evaluation before the official release. Installing RC code is a good way to become familiar with a product before it is released (RTM, or Release to Manufacturing). RC code is usually very stable and feature complete.
I recommend you give it a try. I have been running Vista since the earliest internal betas and had no issues with the product. My coworkers kept ranting and raving about the new build so I took the plunge last week and performed an in-place upgrade. WOW! There is a noticeable difference in the day to day performance of my laptop plus a number of cool new features.
More information can be found here.
- Like the NRBQ Song Says - "Ain't No Free"
-
I saw this post on the Genuine Windows Blog site today: "Pirated Windows 7 RC builds a botnet". So let me understand this: instead of getting the software for free from Microsoft, people prefer to get it for free from some stranger(s) over the Internet.
<SOAPBOX>It always amazes me how many people troll the Internet looking for "free" stuff. Free music, free movies, free pirated software. No one ever stops to wonder why it's free. I know people that spend an inordinate amount of time downloading movies from the Internet. Then they jump through a bunch of hoops burning or converting the movies so they can use them. Maybe I'm getting lazy, but most DVDs cost less than $20, so it seems like a lot of work (and risk) to me for a movie. Search for "malware bit torrent" in your favorite search engine and you can see what I am talking about. In my experience there is no such thing as free. You will end up paying with your time, and time is not free... </SOAPBOX>
- How To Burn ISO Images to Media Using DVDBURN and CDBURN Utilities
-
Sites that distribute software like MSDN and TechNet make it possible to download ISO images of CDROMs and DVDs. An ISO image allows you to burn an exact duplicate of a piece of media. One of the challenges we all face from time to time is corrupt media. There is nothing worse than burning an image to media, starting an install, and getting the "cannot read file" message half way through an install. ARRGH!
I was trying to burn an image of Visio 2007 to CDROM recently and experienced this same problem on four disks in a row. Each one would burn successfully but the application install would fail. I downloaded the latest version of my burning software and tried again- FAIL. I tried burning at a slower speed - FAIL. I tried burning at an even slower speed (hello 1999) - FAIL. There has got to be a better way...
You can test the integrity of burned media by checking the CRC value of the media after it has been burned (and before you start installing). A CRC (cyclic redundancy check) is a checksum computed over the data: if the value computed from the disc matches the value computed from the ISO, and that matches the value the download site publishes, nothing changed during the download or the burn. Keep in mind that a CRC only catches accidental corruption. It is not a cryptographic hash, so when the download site also publishes one (SHA-1 or similar), verify that as well. There are utilities available that can check the CRC value of a file or media. I used CRC305.exe, available on the MSDN Subscriber Downloads site. The tool could not be easier to use. The syntax looks like this:
CRC305.exe { filename | x: } [options]
CRC305 imagename.iso - to check a file.
CRC305.EXE E: - to check the media in a drive.
After it runs it displays the computed CRC value (e.g. E8A1C394) of the file or media.
The Windows resource kit contains two tools for burning ISO images to media: CDBURN and DVDBURN. These utilities are gems. Easy to use and fast. They burn faster than the commercial software I have been using and they have worked flawlessly every single time. No more "coasters". The syntax is pretty straightforward:
DVDBURN - Usage: dvdburn <drive> <image> [/Erase]
CDBURN - Usage: cdburn <drive> image [options]
My new burning process works like this:
- Download the ISO file, check the CRC with CRC305 and compare it to the value in the download documentation.
- Burn the ISO to media, check the CRC of the media with CRC305 and compare it to the value from the previous step. They should match exactly.
The whole process takes less time than using GUI based burning software and works every time. I will probably wrap these two steps into a batch file in a few days to automate the whole process so stay tuned...
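The two-step check above, as an added example that is not the CRC305.exe tool from this post: it computes a CRC-32 (the kind of checksum that catches a bad burn) and a SHA-256 (a cryptographic hash that also catches a tampered download) over a file in one streaming pass, then compares both against published values. The "image" bytes and the single flipped byte in the demo are constructed stand-ins for a downloaded ISO and a bad burn.

```python
"""Verify an ISO before burning and the burned copy afterwards.
Added example: CRC-32 catches accidental corruption, SHA-256 also
catches a tampered download. Sample data below is constructed."""
import hashlib
import os
import tempfile
import zlib


def _fold(chunks):
    """Run CRC-32 and SHA-256 over an iterable of byte chunks in one pass."""
    crc = 0
    sha = hashlib.sha256()
    for chunk in chunks:
        crc = zlib.crc32(chunk, crc)
        sha.update(chunk)
    return f"{crc & 0xFFFFFFFF:08X}", sha.hexdigest()


def checksums_bytes(data):
    """(crc32_hex, sha256_hex) of an in-memory buffer."""
    return _fold([data])


def checksums(path, chunk_size=1 << 20):
    """(crc32_hex, sha256_hex) of a file, streamed in 1 MiB chunks so a
    DVD-sized image never has to fit in memory."""
    with open(path, "rb") as fh:
        return _fold(iter(lambda: fh.read(chunk_size), b""))


def verify(path, expected_crc32=None, expected_sha256=None):
    """Compare computed values with the published ones. Returns (ok, details);
    details['problems'] lists every mismatch, so a CRC-only check is visible as such."""
    crc, sha = checksums(path)
    problems = []
    if expected_crc32 is not None and crc != expected_crc32.strip().upper():
        problems.append(f"CRC-32 mismatch: computed {crc}, expected {expected_crc32}")
    if expected_sha256 is not None and sha != expected_sha256.strip().lower():
        problems.append(f"SHA-256 mismatch: computed {sha}, expected {expected_sha256}")
    if expected_crc32 is None and expected_sha256 is None:
        problems.append("no expected value supplied, so nothing was verified")
    return not problems, {"crc32": crc, "sha256": sha, "problems": problems}


def demo():
    """Constructed walk-through: the 'downloaded' image verifies against its
    published values; a copy with one flipped byte (a bad burn) fails both checks."""
    payload = b"CD001" + bytes(range(256)) * 64          # constructed stand-in for an ISO
    with tempfile.TemporaryDirectory() as tmp:
        downloaded = os.path.join(tmp, "image.iso")
        burned = os.path.join(tmp, "burned_copy.iso")
        with open(downloaded, "wb") as fh:
            fh.write(payload)
        with open(burned, "wb") as fh:                  # one bit flipped at offset 100
            fh.write(payload[:100] + bytes([payload[100] ^ 0x01]) + payload[101:])
        published_crc, published_sha = checksums(downloaded)   # stands in for the download page's values
        ok_download, _ = verify(downloaded, published_crc, published_sha)
        ok_burn, detail = verify(burned, published_crc, published_sha)
        return ok_download, ok_burn, len(detail["problems"])


if __name__ == "__main__":
    print(demo())   # (True, False, 2)
```

Run it against a real image with `verify(r"D:\isos\image.iso", "E8A1C394")` using the value printed by CRC305 or listed on the download page; the checksum value CRC305 uses is not documented on this page, so treat the CRC-32 here as an illustration and compare like with like.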
- Hyper-V Error "cannot connect to the virtual machine because the authentication certificate is expired"
-
This error appeared on one of my Hyper-V servers this morning. A search of TechNet turned up KB967902, which describes an update that can be downloaded to correct the issue. The issue occurs because the Hyper-V Virtual Machine Management service (VMMS) certificate has expired. There is a blog entry here that explains how to correct the issue by renewing the certificate manually.
- Group Policy Resources
-
In the last couple of weeks I have been working with customers on GPO implementations. One of the first things I show them are the Excel spreadsheets that contain all the settings in a searchable format. These spreadsheets are useful when you don't know the name of the setting but know the item you are trying to control. The files contain the policy setting name, scope, policy path, Registry information, requirements and explanatory text for every GPO setting. Anyone who is working on GPO administration should have a copy of these files.
Let's say you are trying to control the recycle bin behavior on your Vista computers but you don't know what policies are available. Open the "GPO_WindowsServer2008andWindowsVistaSP1GroupPolicySettings.xls" file (see below), select the "Administrative Templates" tab, hit CTRL+HOME to go to cell A1, then hit CTRL+F to open the Find dialog, enter the word recycle and press Enter. Each row contains a different setting. You can also use this method when you have a registry key that needs to be set and you are trying to find out which policy setting controls it.
For additional information on managing configuration using Group Policy, spend some time with the links below. If you are new to Group Policy, start with the Group Policy Documentation Survival Guide.
RESOURCES
The Basics
Group Policy Settings Reference for Windows Server 2008 and Windows Vista SP1
http://www.microsoft.com/downloads/details.aspx?familyid=2043B94E-66CD-4B91-9E0F-68363245C495&displaylang=en
Group Policy Settings Reference (2003 & XP)
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7821c32f-da15-438d-8e48-45915cd2bc14
Group Policy Management Console with Service Pack 1
http://www.microsoft.com/downloads/details.aspx?familyid=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
Group Policy ADM Files
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b
Group Policy Documentation Survival Guide
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=66643d52-bd3d-4b10-972c-316eca5dbedf
Vista/Server 2008
Group Policy ADM Files
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b
Group Policy ADMX Syntax Reference Guide
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=b0628355-baa2-4565-80a4-467245db9e28
Group Policy ADMX Schema files
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=b4cb0039-e091-4ee8-9ec0-2bbce56c539e
Starter Group Policy Objects (GPOs)
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ae3ddba7-af7a-4274-9d34-1ad96576e823
Administrative Templates (ADMX) for Windows Server 2008
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=927fc7e3-853c-410a-acb5-9062c76142fa
Applications
2007 Office system Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool version 2.0
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7
Group Policy Settings Reference for Windows Internet Explorer 8
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ab4655f2-0a3c-42eb-974d-24b2790bf592
Miscellaneous
ADMX Migrator
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=0f1eec3d-10c4-4b5f-9625-97c2f731090c
Group Policy Inventory (GPInventory.exe)
http://www.microsoft.com/downloads/details.aspx?familyid=1D24563D-CAC9-4017-AF14-8DD686A96540&displaylang=en
- Testing Domain Controller Connectivity Using PORTQRY
-
One common problem I see with Active Directory implementations is an Active Directory topology that is not fully routable. In a fully routable environment every domain controller (DC) can communicate with every other DC. While most customers "think" they have a fully routable environment in reality they do not. In some cases there are multiple firewalls between the DCs that are blocking ports or DCs connected across VPN links that do not have the proper ports open. For more information on how Active Directory replication works read the articles in the RESOURCES section below.
Here are the ports required by Active Directory as described in the "Service Overview" link below. The basic ports are TCP:
88 (Kerberos)
135 (RPC)
389 (LDAP)
445 (CIFS)
3268 (Global Catalog)
There are additional ports and protocols, but these are enough to get started testing the basics.
The PORTQRY utility can be found in the Windows Server 2003 Support Tools, and the newest version can be found in the links that follow. PORTQRY can be used to test connectivity on a port or range of ports from one server to another. For example, to test TCP port 389 from the current computer to a server named VDC02 you would type the following command:
PORTQRY -n VDC02 -e 389 -p TCP
The query will return a great deal of information when you query 389 but you should see a line similar to the following if port 389 is reachable and able to respond:
TCP port 389 (ldap service): LISTENING
In order to speed up the process of testing you can use a batch file with a FOR loop in it to read server names from a text file and perform several port tests against each server. The sample script shown below performs some basic testing, but you might need to perform more detailed analysis if you are having problems (note: some lines may be wrapped due to blog formatting).
:::::::::::::::::::::::::::: BEGIN SCRIPT :::::::::::::::::::::::::
@ECHO OFF
:: NAME: DCPortTest.CMD v1.0
:: DATE: 03/29/2009
:: PURPOSE: Test connectivity from one DC to one or more remote DCs
:: using the PORTQRY utility. Results are written to DC_PORTQRY.TXT.
:: SERVERS.TXT contains the list of servers (one server per line)
:: to check connectivity to.
:: FINDSTR keeps only the result line for each port, e.g.
:: "TCP port 389 (ldap service): LISTENING". Matching on /C:"port 389 "
:: (note the trailing space) avoids false hits on lines that merely
:: contain those digits, such as a resolved IP address.
ECHO DATE: %DATE% > DC_PORTQRY.TXT
ECHO TIME: %TIME% >> DC_PORTQRY.TXT
ECHO USER: %USERNAME% >> DC_PORTQRY.TXT
ECHO COMPUTER: %COMPUTERNAME% >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
FOR /F "tokens=1" %%i in (servers.txt) DO (
ECHO :::::::::::::::::::::: %%i :::::::::::::::::::::::::: >> DC_PORTQRY.TXT
ECHO Testing %%i
ECHO. >> DC_PORTQRY.TXT
FOR %%p IN (88 135 389 445 3268) DO (
PORTQRY -n %%i -e %%p -p TCP | FINDSTR /I /C:"port %%p " >> DC_PORTQRY.TXT
)
ECHO. >> DC_PORTQRY.TXT
ECHO. >> DC_PORTQRY.TXT
)
:::::::::::::::::::::::: END SCRIPT :::::::::::::::::::::::::
RESOURCES
How Active Directory Replication Topology Works
http://technet2.microsoft.com/WindowsServer/en/Library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx
Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/kb/832017
New features and functionality in PortQry version 2.0
http://support.microsoft.com/kb/832919
Download PortQry Command Line Port Scanner Version 2.0
http://www.microsoft.com/downloads/details.aspx?FamilyID=89811747-C74B-4638-A2D5-AC828BDC6983&displaylang=en
- Finding Scheduled Tasks Configured with Disabled Accounts
-
One of my customers has undergone a great deal of turnover in the past few weeks on the System Administration team. We discovered that a number of Scheduled Tasks on the servers were configured to run under the accounts of administrators (instead of service accounts!). The accounts were disabled when the admins left the organization and the Scheduled Tasks stopped working. We needed to find all the Scheduled Tasks configured with admin accounts instead of service accounts on the servers.
The simple batch file below uses the SCHTASKS utility to dump the verbose configuration of the scheduled tasks on each server listed in SERVERS.TXT to a file named SCHED_TASKS_CONFIG.TXT. The account each task runs under appears on the "Run As User:" line of its record, so search the output for those lines and compare them against the list of disabled accounts.
<<<------------------------------BEGIN BATCH FILE------------------------- >>>
@ECHO OFF
:: NAME: SCHED_TASK_ACCT.CMD v1.0
:: DATE: 1/13/2009
:: PURPOSE: Dump the configuration of scheduled tasks on each server listed
:: in SERVERS.TXT (one server per line) to a text file so tasks configured
:: with disabled accounts can be located (see the "Run As User:" lines).
ECHO %DATE% > SCHED_TASKS_CONFIG.TXT
ECHO %TIME% >> SCHED_TASKS_CONFIG.TXT
ECHO %USERNAME% >> SCHED_TASKS_CONFIG.TXT
ECHO. >> SCHED_TASKS_CONFIG.TXT
FOR /F "tokens=1" %%i in (servers.txt) DO schtasks /query /s %%i /v /fo list >> SCHED_TASKS_CONFIG.TXT
<<<------------------------------END BATCH FILE------------------------- >>>
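To do that comparison without reading the dump by hand, here is an added example (not from the original post) that parses the `/fo list` records produced above and reports tasks whose Run As account is on a list of disabled accounts, or on a list of administrators' personal accounts. The schtasks output below is constructed to match the list format; the two account lists stand in for an export from Active Directory and are assumptions.

```python
"""Find scheduled tasks that run as disabled or personal admin accounts by
parsing 'schtasks /query /s <server> /v /fo list' output. Added example;
SAMPLE_OUTPUT, DISABLED and ADMINS are constructed."""

# Constructed to match the /fo list layout: one 'Field:  value' line per field,
# a blank line between tasks.
SAMPLE_OUTPUT = r"""HostName:                             FILESRV01
TaskName:                             \Nightly Backup
Next Run Time:                        02:00:00, 4/2/2009
Status:                               Ready
Last Run Time:                        02:00:00, 4/1/2009
Last Result:                          0
Task To Run:                          C:\Scripts\backup.cmd
Scheduled Task State:                 Enabled
Run As User:                          CORP\jsmith

HostName:                             FILESRV01
TaskName:                             \Log Rotation
Status:                               Ready
Task To Run:                          C:\Scripts\rotate.cmd
Run As User:                          NT AUTHORITY\SYSTEM

HostName:                             APPSRV02
TaskName:                             \Report Export
Status:                               Ready
Task To Run:                          C:\Reports\export.exe
Run As User:                          CORP\svc_reports

HostName:                             APPSRV02
TaskName:                             \Patch Check
Status:                               Ready
Task To Run:                          C:\Tools\patch.vbs
Run As User:                          CORP\mrodriguez
"""

DISABLED = [r"CORP\jsmith"]        # assumed: export of disabled accounts from AD
ADMINS = [r"CORP\mrodriguez"]      # assumed: administrators' personal (non-service) accounts

# Bare forms of the built-in service identities; these are not personal accounts.
BUILTIN_RUNAS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def parse_schtasks_list(text):
    """Split '/fo list' output into one dict per task. Fields are split on the
    first colon only, so values containing ':' (times, drive letters) survive."""
    records, current = [], {}
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = raw.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return [r for r in records if "TaskName" in r]


def normalize_account(name):
    """Upper-case and drop a leading '.\\' so '.\\backup' and 'BACKUP' compare equal."""
    name = name.strip().upper()
    return name[2:] if name.startswith(".\\") else name


def _forms(name):
    """Both the domain-qualified and the bare form of an account name, so a dump
    that shows 'jsmith' still matches a list that says 'CORP\\jsmith'. The bare
    match is deliberately loose; confirm hits against the domain before acting."""
    n = normalize_account(name)
    return {n, n.rsplit("\\", 1)[-1]}


def find_risky_tasks(records, disabled_accounts, admin_accounts=()):
    """Return (host, task, run_as, reason) for each task whose Run As account is
    disabled or is a named administrator's personal account."""
    disabled = set().union(*(_forms(a) for a in disabled_accounts))
    admins = set().union(*(_forms(a) for a in admin_accounts))
    hits = []
    for rec in records:
        run_as = rec.get("Run As User", "").strip()
        if not run_as:
            continue
        forms = _forms(run_as)
        if forms & BUILTIN_RUNAS:
            continue
        if forms & disabled:
            hits.append((rec.get("HostName", ""), rec["TaskName"], run_as, "disabled account"))
        elif forms & admins:
            hits.append((rec.get("HostName", ""), rec["TaskName"], run_as, "personal admin account"))
    return hits


def demo():
    return find_risky_tasks(parse_schtasks_list(SAMPLE_OUTPUT), DISABLED, ADMINS)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point it at the real dump with `parse_schtasks_list(open("SCHED_TASKS_CONFIG.TXT", encoding="cp437").read())`; the date/time/user header lines the batch file writes have no colon-separated field before the first blank line that carries a TaskName, so they are discarded by the TaskName filter.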
- Using a Logon Script to Install the SMS Advanced Client
-
One of my customers has an extensive lab environment with multiple forests, domains and workgroup computers. SMS 2003 was deployed to help manage the configuration of all these different systems. Between the locked-down security settings (no C$ or ADMIN$ shares!) and the number of separate forests/domains/workgroups involved, the ability to "push" the Advanced Client to desktops is not an option. After meeting with the client last week we decided to configure a logon script to install the SMS client. The script and associated files (CCMSETUP.EXE, CLIENT.MSI, SMSCLIENT.VBS) were placed in a folder named SMS in the NETLOGON share of the Domain Controllers. We then configured the LOGON SCRIPT property of the Domain Administrator account to run the SMSSTARTUP.VBS script shown below to install the client. Keep in mind that a logon script runs in the security context of the user who logs on, so the install (and the HKLM RunOnce entry the script writes) only succeeds when that user has local administrator rights on the computer; that is why it is tied to an administrative account here.
Now for a quick run through of the code.
- Declare our variables and create the objects we will be working with.
- Determine the path to the NETLOGON \SMS folder we are using.
- Check to see if the SMS client is installed (Set oSMSClient ... If Err.Number....)
- Display a timed popup message with a Cancel button
- Copy install files to local computer.
- Run installation script (SMSCLIENT.VBS)
- Set commands in the RunOnce registry key to delete the SMSCLIENTINSTALL folder the next time someone logs in.
SMSSTARTUP.VBS
'**********************************************
' SCRIPT: SMSStartup.VBS
' AUTHOR:
' DATE: 10/16/2008
' VERSION: 2.0
' PURPOSE: Check for the presence of the SMS client;
'          if not installed, copy files from the
'          network to c:\smsclientinstall and install
' USAGE: SMSStartup.vbs (as a logon script; runs in the
'        security context of the user logging on)
'
'REVISION: 10/17/2008 added check
'          to make sure files and folders exist
'          before moving to next step in script
'
'**********************************************
Option Explicit
On Error Resume Next
Dim oSMSClient, intButton, objWshShell, sFolder, objFSO, sCurrentPath
Dim oExec, bClientInstalled
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWshShell = WScript.CreateObject("WScript.Shell")
'The installed client registers this COM class; if CreateObject fails,
'the client is not installed. Capture Err right away so a later,
'unrelated error cannot be mistaken for "client missing".
Err.Clear
Set oSMSClient = CreateObject("Microsoft.SMS.Client")
bClientInstalled = (Err.Number = 0)
Err.Clear
'Folder to copy SMS install files to
sFolder = "C:\SMSCLIENTINSTALL"
'Give the desktop and network a moment to settle after logon
WScript.Sleep 15000
'Build path to SMS files on the authenticating DC's NETLOGON share
sCurrentPath = objWshShell.ExpandEnvironmentStrings("%LOGONSERVER%") & "\NETLOGON\SMS"
If bClientInstalled Then
    'Computer already has the client, quit
    WScript.Quit
End If
objWshShell.LogEvent 2, "SMS Client is not installed, installing now."
'Timed popup (5 seconds) with OK/Cancel: 2 = Cancel, -1 = timed out
intButton = objWshShell.Popup("Installing SMS Client software on this computer in the background", 5, "SMS Client Software Installation", 1)
If intButton = 2 Then
    objWshShell.LogEvent 1, "SMS Client installation was cancelled by the user"
    WScript.Quit
End If
'Create the local folder and copy each file, confirming every step
'(bounded retries instead of looping forever if a step keeps failing)
If Not EnsureFolder(sFolder) Then
    objWshShell.LogEvent 1, "Could not create " & sFolder & ", SMS client installation aborted"
    WScript.Quit
End If
If Not CopyWithCheck(sCurrentPath & "\SMSCLIENT.VBS", sFolder & "\SMSCLIENT.VBS") Then WScript.Quit
If Not CopyWithCheck(sCurrentPath & "\client.msi", sFolder & "\Client.msi") Then WScript.Quit
If Not CopyWithCheck(sCurrentPath & "\ccmsetup.exe", sFolder & "\ccmsetup.exe") Then WScript.Quit
'Now run the SMS client install and wait for it to finish
Set oExec = objWshShell.Exec("wscript.exe " & Chr(34) & sFolder & "\SMSCLIENT.VBS" & Chr(34))
Do While oExec.Status = 0
    WScript.Sleep 1000
Loop
'Delete the install folder the next time someone logs on, via the RunOnce key
'(writing under HKLM needs administrative rights, like the install itself)
objWshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\SMS", _
    "CMD.EXE /c " & Chr(34) & "RD /s /q " & sFolder & Chr(34), "REG_SZ"

Function EnsureFolder(sPath)
    'Create sPath if needed; returns True when the folder exists
    Dim iTry
    For iTry = 1 To 3
        If objFSO.FolderExists(sPath) Then Exit For
        objFSO.CreateFolder sPath
        WScript.Sleep 2000
    Next
    EnsureFolder = objFSO.FolderExists(sPath)
End Function

Function CopyWithCheck(sSource, sDest)
    'Copy sSource to sDest and confirm the file landed; returns True on success
    Dim iTry, bOK
    For iTry = 1 To 3
        If objFSO.FileExists(sDest) Then Exit For
        objFSO.CopyFile sSource, sDest, True
        WScript.Sleep 2000
    Next
    bOK = objFSO.FileExists(sDest)
    If Not bOK Then
        objWshShell.LogEvent 1, "Could not copy " & sSource & " to " & sDest & ", SMS client installation aborted"
    End If
    CopyWithCheck = bOK
End Function
- Configuring SMS to Work on Workgroup Computers and Computers in Other Domains (LMHOSTS)
-
As described in the previous post the lab environment includes multiple forests, domains and workgroup computers. One of the nice things about SMS 2003 is the fact that once the SMS Client has been installed on a system, you "own" that system and can manage it from that day forward. In the previous post, we discussed how to use a logon script to install the SMS Advanced Client. In this post we will discuss how to configure computers that are not located within the same domain as the SMS server to be able to find the SMS Management Point (MP) and Server Locator Point (SLP).
All Windows operating systems since Windows 2000 rely on DNS for name resolution. Some clients still have WINS configured to support legacy applications, but most do not. An LMHOSTS file is similar to a HOSTS file: a HOSTS file maps DNS host names to IP addresses, while an LMHOSTS file maps NetBIOS names to IP addresses. NetBIOS names differ from DNS names in that there are different types of NetBIOS names (e.g. domain, workstation service, etc.), distinguished by the 16th character of the name. The LMHOSTS file is placed in the same folder as the HOSTS file (%WINDIR%\System32\Drivers\Etc).
An example LMHOSTS file is shown below. Copy the text into Notepad and save the file as LMHOSTS (no extension) in the "%WINDIR%\System32\Drivers\Etc" folder. Customize the entries to match your environment. When you see the pound sign (#) in an LMHOSTS file it is usually followed by a comment, unless it is followed by one of the special keywords such as #PRE, #DOM or #INCLUDE. The #PRE keyword pre-loads the entry into the NetBIOS name cache at startup. The #DOM:<domain> keyword associates the entry (a domain controller) with the named domain. The #INCLUDE keyword pulls in another LMHOSTS file.
In the sample file below the first three lines are comments. The fourth line pre-loads the name and IP address of a DC in the domain where the SMS server is located and associates it with that domain. The next line provides the name and IP address of the SMS server (SMSSVR1). The next line provides the name of the SMS Server Locator Point (SMS_SLP), and the line that follows defines the Management Point (MP_C01). Notice the entries for the SLP/MP look very different from the others: the "\0x1A" is the 16th-character NetBIOS suffix written as a hex byte, and there must be exactly 15 characters (the name padded with spaces) between the first quote and the backslash, or the entry will not match. For the SMS_SLP line only change the IP address to that of the computer hosting the SLP role. For the MP line, change the IP and change the SMS site code from C01 to the site code of your SMS site.
<------------------------------ BEGIN LMHOSTS ----------------------------------->
# LAB LMHOSTS File
#REVISION: 2
#DATE: 10/17/2008
192.168.101.143 DC01 #PRE #DOM:LABDOMAIN1 # Lab Domain DC
192.168.101.141 SMSSVR1 #PRE
192.168.101.141 "SMS_SLP        \0x1A" #PRE
192.168.101.141 "MP_C01         \0x1A" #PRE
<------------------------------ END LMHOSTS ----------------------------------->
When you start using LMHOSTS files you quickly realize that managing the content of these files on multiple computers becomes a big pain very fast. If you need to make a change, you need to update every file. Fortunately the #INCLUDE keyword discussed earlier enables you to use a centralized LMHOSTS file. In our lab environment we created a share on the SMS server named SMSLMHOSTS and placed the master LMHOSTS file shown above there. The LMHOSTS file shown below was placed on the computers that need one. There are two entries. The first pre-loads the name/IP of the SMS server, which is required because the server in the #INCLUDE path is itself resolved by NetBIOS name; the second directs the client to read the master LMHOSTS file stored on the server.
<------------------------------ BEGIN LMHOSTS ----------------------------------->
192.168.101.141 SMSSVR1 #PRE
#INCLUDE \\SMSSVR1\SMSLMHOSTS\lmhosts
<------------------------------ END LMHOSTS ----------------------------------->
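Because the 15-character padding and the pre-loaded #INCLUDE server are the two things that silently break these files, here is an added example (not part of the original post) that builds the quoted 16th-character entries and checks an LMHOSTS file for both mistakes. The file contents below are the lab values from this post, plus one deliberately broken client file; the checker itself is an assumption, not a Microsoft tool.

```python
"""Build and check LMHOSTS entries, including the quoted 16th-character
NetBIOS form used for the SMS SLP/MP records. Added example."""
import re

_ENTRY = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?:"(?P<quoted>[^"]*)"|(?P<plain>\S+))(?P<rest>.*)$')
# Inside the quotes: exactly 15 name characters (space padded), then \0xHH.
_QUOTED = re.compile(r'^(?P<name>.{15})\\0x(?P<suffix>[0-9A-Fa-f]{2})$')
_INCLUDE = re.compile(r'^#INCLUDE\s+\\\\(?P<server>[^\\]+)\\(?P<path>\S+)', re.IGNORECASE)

# The master file from the post (lab values).
MASTER = r"""# LAB LMHOSTS File
#REVISION: 2
#DATE: 10/17/2008
192.168.101.143 DC01 #PRE #DOM:LABDOMAIN1 # Lab Domain DC
192.168.101.141 SMSSVR1 #PRE
192.168.101.141 "SMS_SLP        \0x1A" #PRE
192.168.101.141 "MP_C01         \0x1A" #PRE
"""
# A client file that pre-loads the include server, as it must.
CLIENT_OK = r"""192.168.101.141 SMSSVR1 #PRE
#INCLUDE \\SMSSVR1\SMSLMHOSTS\lmhosts
"""
# Constructed bad file: include server not pre-loaded, and a quoted name padded short.
CLIENT_BAD = r"""192.168.101.141 SMS1 #PRE
#INCLUDE \\SMSSVR1\SMSLMHOSTS\lmhosts
192.168.101.141 "SMS_SLP \0x1A" #PRE
"""


def quoted_entry(ip, name, suffix, pre=True):
    """Return a line such as 192.168.101.141 "MP_C01         \\0x1A" #PRE
    with the name space-padded to exactly 15 characters so \\0xHH is byte 16."""
    if len(name) > 15:
        raise ValueError(f"NetBIOS name too long: {name!r}")
    line = f'{ip} "{name.upper().ljust(15)}\\0x{suffix:02X}"'
    return line + " #PRE" if pre else line


def parse_lmhosts(text):
    """Return (records, errors). Each record has ip, name, suffix (int or None
    for a plain name), pre and dom. Errors are human-readable strings."""
    records, errors, includes = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        inc = _INCLUDE.match(line)
        if inc:
            includes.append((lineno, inc.group("server").upper()))
            continue
        if line.startswith("#"):
            continue                                   # plain comment
        m = _ENTRY.match(line)
        if not m:
            errors.append(f"line {lineno}: unrecognised entry: {line}")
            continue
        rest = m.group("rest")
        dom = re.search(r"#DOM:(\S+)", rest, re.I)
        rec = {"ip": m.group("ip"), "suffix": None,
               "pre": bool(re.search(r"#PRE\b", rest, re.I)),
               "dom": dom.group(1).upper() if dom else None}
        if m.group("quoted") is not None:
            q = _QUOTED.match(m.group("quoted"))
            if not q:
                errors.append(f"line {lineno}: quoted name must be exactly 15 characters "
                              f"before \\0xHH: {line}")
                continue
            rec["name"] = q.group("name").rstrip().upper()
            rec["suffix"] = int(q.group("suffix"), 16)
        else:
            rec["name"] = m.group("plain").upper()
        records.append(rec)
    # #INCLUDE is fetched over NetBIOS, so the server in the UNC path must be
    # pre-loaded (#PRE) in the same file or the include silently fails.
    preloaded = {r["name"] for r in records if r["pre"] and r["suffix"] is None}
    for lineno, server in includes:
        if server not in preloaded:
            errors.append(f"line {lineno}: #INCLUDE server {server} is not pre-loaded with #PRE")
    return records, errors


if __name__ == "__main__":
    print(quoted_entry("192.168.101.141", "MP_C01", 0x1A))
    for name, text in (("MASTER", MASTER), ("CLIENT_OK", CLIENT_OK), ("CLIENT_BAD", CLIENT_BAD)):
        recs, errs = parse_lmhosts(text)
        print(name, len(recs), "records", errs or "ok")
```

Generate the SLP and MP lines with `quoted_entry` rather than typing the padding by hand, then run `parse_lmhosts` over the finished file before copying it to %WINDIR%\System32\Drivers\Etc.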
REFERENCE
NetBIOS Suffixes (16th Character of the NetBIOS Name)
http://support.microsoft.com/default.aspx/kb/163409/
HOWTO: Assign SMS Advanced Client to the Isolated Secondary Site
http://support.microsoft.com/kb/555853
LMHOSTS File Information and Predefined Keywords
http://support.microsoft.com/kb/102725
Domain Browsing with TCP/IP and LMHOSTS Files
http://support.microsoft.com/kb/150800
Chapter 10 - Using LMHOSTS Files
http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/net/sur_lmh.mspx?mfr=true
- Who's in the Local Administrators Group?
-
I was organizing files this weekend and ran across a script I created for a customer recently. They were trying to determine the membership of the local Administrators group on each computer on their network. They had determined that non-admin users were being added to the local Administrators group and needed to know how widespread the problem was. Once they had determined that, I recommended they use Group Policy Restricted Groups to fix the problem.
The VBScript below follows my standard script format: it starts with an input file (INPUT.TXT) containing a list of computers and automatically creates a tab-separated (for analysis in Excel) output file named after the input file with _RESULTS.TXT appended. Once we open the input file for reading and the output file for writing we start the loop. The real work happens in the DO WHILE loop. The first thing we do is run a function named GetComputerStatus. Since we are connecting to a remote computer, I use this function to determine if a computer is online by pinging it. If it is online we continue; if not we write "Computer Could Not Be Contacted" to the log and get the next computer in the list. The EnumGroup function gets the membership of the local Administrators group and writes it to the log file. Once we finish, the files are closed and the log file is opened in Notepad. Note that EnumGroup records each member's Name without a domain prefix, which is why "Administrator" appears twice in the sample results below (the local account and the domain account); use the member's ADsPath if you need to tell them apart.
To use this script, copy the contents to Notepad and save the file with a VBS extension. Create an input file with one computer name on each line. You can run the script by double-clicking it, but I prefer to run it from a command prompt using cscript so that I only have a single command prompt instead of a command prompt for every "ping". If anyone uses this script and finds it useful leave me a comment and/or a rating.
LocalAdminGroupMembership.vbs
'**********************************************
' SCRIPT: LocalAdminGroupMembership.vbs
' AUTHOR: Muaddib :-)
' DATE: 08/21/08
' VERSION: 1.0
' PURPOSE: Used to query remote computers and enumerate members of
'          the local Administrators group
' USAGE: 1. List computers to be queried in input.txt (or another text file)
'        2. cscript LocalAdminGroupMembership.vbs
'        3. Output file, <INPUT>_RESULTS.TXT, will show status
'Revision:
'
'
'**********************************************
Option Explicit
'ON ERROR RESUME NEXT 'Do not uncomment until script is ready for production
Dim oWshShell, oFSO, oFileName1, oFileName2, oExec, strPingStdOut
Dim strComputer, sOutPutFile, sInPutFile, sComputerStatus, iErrNumber
Dim arrFileName, sOutPutFileName, objGroup
CONST ForReading = 1
CONST ForWriting = 2
CONST ForAppending = 8
'Prompt for name of input file
sInPutFile = InputBox("Enter name of input file. Input file must exist in the script folder.", "Enter Input File Name", "input.txt")
If sInPutFile = "" Then
    WScript.Echo "Operation was cancelled"
    WScript.Quit
End If
'Trim extension from sInPutFile to build the default output name
arrFileName = Split(sInPutFile, ".")
sOutPutFileName = UCase(arrFileName(0))
'Prompt for name of output file
sOutPutFile = InputBox("Enter name of output file. Output file will be placed in script folder.", "Enter Output File Name", sOutPutFileName & "_RESULTS.TXT")
If sOutPutFile = "" Then
    WScript.Echo "Operation was cancelled"
    WScript.Quit
End If
Set oWshShell = WScript.CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")
'Open input file for reading. Trap errors around the open only, so a
'missing file gives a clean message instead of a script crash.
On Error Resume Next
Set oFileName1 = oFSO.OpenTextFile(".\" & sInPutFile, ForReading, False)
iErrNumber = Err.Number
On Error GoTo 0
'Check for missing file (53 = File not found)
If iErrNumber = 53 Then
    WScript.Echo "Error - " & sInPutFile & " file was not found."
    WScript.Quit
ElseIf iErrNumber <> 0 Then
    WScript.Echo "Error " & iErrNumber & " opening " & sInPutFile
    WScript.Quit
End If
Set oFileName2 = oFSO.OpenTextFile(".\" & sOutPutFile, ForWriting, True)
' OPTIONAL LOG HEADER
'oFileName2.WriteLine "Log Started " & Now()
'oFileName2.WriteBlankLines 1
'Read external list of computers and check their status
Do While oFileName1.AtEndOfStream <> True
    strComputer = Trim(oFileName1.ReadLine)
    If strComputer <> "" Then
        If GetComputerStatus(strComputer) = 1 Then
            'WinNT provider; "Administrators" is the English group name,
            'adjust it on localized systems
            Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
            sComputerStatus = EnumGroup(objGroup, "")
        Else
            sComputerStatus = "Computer Could Not Be Contacted"
        End If
        oFileName2.WriteLine strComputer & vbTab & sComputerStatus
    End If
Loop
'OPTIONAL LOG FOOTER
'oFileName2.WriteBlankLines 2
'oFileName2.WriteLine "Log Completed " & Now()
'Close input file
oFileName1.Close
'Close log file
oFileName2.Close
'Open log file
oWshShell.Run "notepad.exe .\" & sOutPutFile, 5, False
Set oWshShell = Nothing
Set oFSO = Nothing
Set oExec = Nothing
Set oFileName1 = Nothing
Set oFileName2 = Nothing

Function GetComputerStatus(strComputer)
    'Returns 1 if the computer answers a ping, otherwise 0.
    'Used to determine if a computer is online before attempting
    'the ADSI connection. IP address or computer name can be used.
    'A "Reply from <own address>: Destination host unreachable" line also
    'contains "Reply from", so that case is excluded explicitly.
    Dim sStatus
    sStatus = 0
    Set oExec = oWshShell.Exec("ping -n 2 -w 1000 " & strComputer)
    strPingStdOut = oExec.StdOut.ReadAll
    If InStr(1, strPingStdOut, "reply from ", vbTextCompare) <> 0 _
       And InStr(1, strPingStdOut, "unreachable", vbTextCompare) = 0 Then
        sStatus = 1
    End If
    GetComputerStatus = sStatus
End Function

Function EnumGroup(objGroup, strOffset)
    'Returns the group members as a comma-separated list.
    'objMember.Name carries no domain prefix, so a local and a domain account
    'both called Administrator look identical; use objMember.ADsPath instead
    'if you need to tell them apart.
    Dim objMember, strMembers
    For Each objMember In objGroup.Members
        strMembers = strMembers & strOffset & objMember.Name & ", "
    Next
    EnumGroup = strMembers
End Function
Sample INPUT.TXT
Computer1
Computer2
Computer3
Computer4
Sample INPUT_RESULTS.TXT
Computer1 Computer Could Not Be Contacted
Computer2 Administrator, Administrator, Domain Admins, SMS_ADMIN,
Computer3 Administrator, Domain Admins, Administrator, SMS_ADMIN,
Computer4 Administrator, Domain Admins, Administrator, SMS_ADMIN,
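Once the RESULTS file exists, the question is which members should not be there. The added example below (not from the original post) reads that tab-separated file, compares each computer's membership against an approved baseline and reports the unexpected members, the unreachable computers, and names that appear twice, which is the local-versus-domain ambiguity visible in the sample above. The results text and the approved list are constructed.

```python
"""Triage the tab-separated RESULTS file written by LocalAdminGroupMembership.vbs.
Added example; SAMPLE_RESULTS and APPROVED are constructed."""

UNREACHABLE = "Computer Could Not Be Contacted"      # exact string the script writes

# Constructed in the script's output format: computer<TAB>member, member, ...,
SAMPLE_RESULTS = (
    "Computer1\tComputer Could Not Be Contacted\n"
    "Computer2\tAdministrator, Administrator, Domain Admins, SMS_ADMIN,\n"
    "Computer3\tAdministrator, Domain Admins, Administrator, jdoe, SMS_ADMIN,\n"
    "Computer4\tAdministrator, Domain Admins, Administrator, SMS_ADMIN, Helpdesk,\n"
)
APPROVED = ["Administrator", "Domain Admins", "SMS_ADMIN"]   # assumed baseline


def parse_results(text):
    """Map computer -> list of member names, or None when the computer was unreachable.
    The script leaves a trailing comma, which yields an empty item that is dropped."""
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        computer, _, members = line.partition("\t")
        if members.strip() == UNREACHABLE:
            rows[computer] = None
        else:
            rows[computer] = [m.strip() for m in members.split(",") if m.strip()]
    return rows


def audit(results, approved):
    """Return a report with unreachable computers, members outside the approved
    list per computer, and names listed more than once (the local and domain
    account of the same name are indistinguishable in this output)."""
    approved_set = {a.upper() for a in approved}
    report = {"unreachable": [], "unexpected": {}, "ambiguous": {}}
    for computer, members in results.items():
        if members is None:
            report["unreachable"].append(computer)
            continue
        extra = sorted({m for m in members if m.upper() not in approved_set})
        dupes = sorted({m for m in members if members.count(m) > 1})
        if extra:
            report["unexpected"][computer] = extra
        if dupes:
            report["ambiguous"][computer] = dupes
    return report


def demo():
    return audit(parse_results(SAMPLE_RESULTS), APPROVED)


if __name__ == "__main__":
    for section, value in demo().items():
        print(section, value)
```

Feed it the real file with `audit(parse_results(open("INPUT_RESULTS.TXT").read()), APPROVED)`; anything under "unexpected" is what the Restricted Groups policy mentioned above will remove, and anything under "ambiguous" needs a second look with ADsPath before you decide which account is which.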
- Sub-Select Query - The Holy Grail of SMS Collections
-
Learned a cool trick this week for building SMS/SCCM collections that return a list of computers that "do not have something". Building a collection that returns a group of computers with a particular file or program on them is easy enough: you create a query that returns the systems you want and then import the query when you define the collection.
How do you build a collection of systems that do not have something? If you build a query that says "give me every computer that does not have Adobe Reader installed", the query will return every computer in your database. This occurs because every system has at least one entry (actually dozens) in Add/Remove Programs that does not match "Adobe Reader", so every system evaluates as true and is selected by your query.
What you really need is a query that says "give me every computer that is not in the 'Computers with Adobe Reader' collection". In other words, you need a sub-select query. Let's take an example:
My customer needed to deploy Microsoft Office Infopath 2003 on systems that did not have the product installed. The first thing we did was create a query that showed us all the systems that had InfoPath installed. Easy enough:
select SMS_R_System.NetbiosName from SMS_R_System inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName = "infopath.exe" and SMS_G_System_SoftwareFile.FileVersion like "12.0.62%"
When we defined the query we named it "Computers with InfoPath". We only had it return the computer name (SMS_R_System.NetbiosName), and the criteria were the file name and the version. Click Apply to save your changes, then click Edit Query Statement > Show Query Language and copy the code out and paste it into Notepad for now.
The next step is to create a second query and name it "Computers without InfoPath". Again we only selected the computer name for display. For the criteria we do something different. For the Criterion Type field, select "SubSelected Values"; for the Operator field, select "is not in"; and for the Subselect field, paste the code you copied into Notepad in the step above. Click OK twice and click Apply to save your changes. Now click Edit Query Statement > Show Query Language and you should have a query that looks like this:
select SMS_G_System_SYSTEM.Name from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.Name not in (Select SMS_G_System_SYSTEM.Name From SMS_R_System Inner join SMS_G_System_SYSTEM On SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId Inner join SMS_G_System_SoftwareFile On SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId Where SMS_G_System_SoftwareFile.FileName = "infopath.Exe" And SMS_G_System_SoftwareFile.FileVersion LIKE "12%") and SMS_R_System.Client = 1
Notice that the inner query (in parentheses) is our original "Computers with InfoPath" query, and the new query says "return every computer whose name is not in the following query".
- Query Individual Properties of the "userAccountControl" Active Directory User property
-
I was working with a customer this week who was asking me how to query Active Directory for valid, active user accounts that were not service accounts. I made a couple of assumptions: an active account would not be disabled, and only service accounts would be set to PASSWORD NEVER EXPIRES. Initially I tried to query the value of the userAccountControl property of the user object using operators like > and < but soon realized there were too many exceptions. I then discovered it was possible to query the individual bits of the userAccountControl property, which yielded the query below.
The following LDAP query can be used in Active Directory Users and Computers to query specific details of the userAccountControl property in AD. The query below will return all active user accounts that are not set to PASSWORD NEVER EXPIRES.
(&(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl<=600))
I'll describe the query in more detail:
(objectCategory=person)(objectClass=user)(mail=*) - All user objects with a value in the mail field (no contacts)
(!userAccountControl:1.2.840.113556.1.4.803:=2) - Filters out disabled accounts
(!userAccountControl:1.2.840.113556.1.4.803:=65536) - Filters out accounts set to PASSWORD NEVER EXPIRES
(!userAccountControl<=600) - Filters out Exchange Organization Mailboxes
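To see what the bitwise clauses actually match, here is an added example (not from the original post) that evaluates the same filter logic offline against a constructed set of user records and decodes userAccountControl bits. The flag values are the documented userAccountControl bits; the sample accounts, their names and UAC values are constructed for illustration.

```python
# Added example: offline evaluation of the post's userAccountControl filter.
# Flag values are the documented userAccountControl bits; records below are constructed.

UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
}


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def bit_and_match(value, mask):
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): every bit in mask is set."""
    return value & mask == mask


def matches_active_expiring(user):
    """Equivalent of (&(objectCategory=person)(objectClass=user)(mail=*)
    (!uac:BIT_AND:=2)(!uac:BIT_AND:=65536)(!uac<=600)); <= is a numeric compare."""
    uac = user["userAccountControl"]
    return (
        user.get("objectCategory") == "person"
        and "user" in user.get("objectClass", [])
        and bool(user.get("mail"))
        and not bit_and_match(uac, UAC_FLAGS["ACCOUNTDISABLE"])
        and not bit_and_match(uac, UAC_FLAGS["DONT_EXPIRE_PASSWORD"])
        and not uac <= 600
    )


# Constructed sample directory (hypothetical accounts, not real data).
_PERSON = {"objectCategory": "person", "objectClass": ["top", "person", "user"]}
SAMPLE_USERS = [
    dict(_PERSON, sAMAccountName="alice", mail="alice@example", userAccountControl=0x40200),  # 262656: normal + smart card
    dict(_PERSON, sAMAccountName="bob", mail="bob@example", userAccountControl=0x200),        # 512: plain normal account
    dict(_PERSON, sAMAccountName="svc", mail="svc@example", userAccountControl=0x10200),      # 66048: never expires
    dict(_PERSON, sAMAccountName="carol", mail="carol@example", userAccountControl=0x202),    # 514: disabled
    {"objectCategory": "person", "objectClass": ["top", "person", "contact"], "sAMAccountName": "ext", "userAccountControl": 0},
]


def select_active_expiring(users):
    """sAMAccountNames the filter would return; note bob (512) is dropped by the <=600 clause."""
    return [u["sAMAccountName"] for u in users if matches_active_expiring(u)]
```

Because NORMAL_ACCOUNT alone is 512, the final clause also drops enabled accounts that carry no other flags; check the values your own accounts carry (for example with decode_uac) before relying on that clause.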
SAMPLE LDAP QUERIES
UAC - Smart Card Login Enforced on the User
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=262144) )
UAC - PWD Never Expires
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))
UAC - CAC Enabled Accounts
(&(objectCategory=person)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(userPrincipalName=1*@mil))
UAC - Not CAC Enabled
(&(objectCategory=person)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userPrincipalName=1*@mil))
REFERENCE
How to use the UserAccountControl flags to manipulate user account properties
http://support.microsoft.com/kb/305144
How to query Active Directory by using a bitwise filter
http://support.microsoft.com/kb/269181
- Modifying Security on Active Directory Objects using a script
-
I was working with a customer this week and we found some user objects in Active Directory had incorrect security settings. I put together a list of commands for the customer to use. I thought a few of the FOR command examples below were useful so here you go...
These commands can also be used in a script. Keep in mind the FOR command syntax changes slightly (see FOR /?) when used within a batch file.
DUMP CNs for all users in an OU
DSQUERY USER "ou=test accounts, dc=contoso,dc=local"
Show security for an object in Active Directory
DSACLS "cn=Jane doe1,ou=test accounts, dc=contoso,dc=local"
Show security for the SELF security principal on an object in Active Directory
DSACLS "cn=Jane doe1,ou=test accounts, dc=contoso,dc=local" | find /i "self"
Use DSACLS on list of users in a file
FOR /F "tokens=* usebackq" %i in (`type users.txt`) DO dsacls %i
(NOTE ` is a back quote found on same key as ~)
Use DSACLS on the output of DSQUERY USER <OU DN>
FOR /F "tokens=* usebackq" %i in (`dsquery user "ou=test accounts,dc=contoso,dc=local"`) DO dsacls %i
(NOTE ` is a back quote found on same key as ~)
FOR /F "tokens=* usebackq" %i in (`dsquery user "ou=test accounts,dc=contoso,dc=local"`) DO dsacls %i | find /i "self"
(NOTE ` is a back quote found on same key as ~)
Reset a user to the default permissions as defined by the schema
DSACLS "cn=jane doe1,ou=test accounts,dc=contoso,dc=local" /S (case sensitive)
Perform the same task for all users in an OU
FOR /F "tokens=* usebackq" %i in (`dsquery user "ou=test accounts,dc=contoso,dc=local"`) DO dsacls %i /S (case sensitive)
- Windows Vista Resource Kit Has Been Released
-
The Windows Vista Resource Kit has been released:
http://www.microsoft.com/MSPress/books/9536.aspx?wt_svl=10125VHa1&mg_id=10125VHb1
If you are responsible for deploying and supporting Vista then you should have a copy of the resource kit on your desk. Mine is on the way...