I had a request the other day from someone who knows some of my work. He had seen my scripts for manipulating local accounts on machines but couldn't make sense of them. (This was essentially because he was only seeing half of the system.) He asked if I could explain them in my blog, so here goes...
There are many different methods for manipulating local accounts on machines. Some companies make a profit from selling software that will go and talk to all of the machines and change passwords, accounts, group memberships, etc. Surprisingly, Microsoft has not yet integrated any system for easy management of local computer accounts into their own domain management systems. (Edit: Of course Microsoft has finally done something about this and you can now use Group Policy Preferences to manage local accounts quite easily. I thoroughly recommend using Group Policy instead of the method described here!)
Anyway, one way to achieve this is to use the Group Policy system. Computers run the Computer Startup Scripts with system administrative rights (Computer Configuration / Windows Settings / Scripts / Startup.) This enables the savvy administrator to run a script that can be used to manipulate local accounts.
What about the fact that the passwords may be exposed in the script? Some administrators will suggest that you do it in VBScript and then encrypt it. This is not a good idea because it is far too easy to decrypt these files. IMHO, it is much better to let Microsoft's domain security protect it for you. (I can't believe I just said that. Scary but true!)
You can place the 'scriptlets' below in your scripts folder and pass the required parameters to them from your GPO. You secure the GPO by removing the Read and Apply Group Policy rights from Authenticated Users and granting Read and Apply Group Policy to Domain Computers. Using this method the users cannot see the new passwords, but the computers which run the scripts can.
There is a caveat. The computers have to be processing group policies in order to run the scripts. This may be prevented by slow link detection, the behaviour of which can be modified. It may also not be processed by computers coming into the network by remote access. A user logging into the computer by remote access can process the scripts, but a user logging into your VPN or dial-up after logging in the computer using cached credentials will not process the scripts.
IDCHPASS.BAT: Used to Change a local user identity password.
@ECHO OFF
REM USAGE: IDCHPASS username newpassword
NET USER %1 %2
IDCREATE.BAT: Used to create a local identity.
@ECHO OFF
REM USAGE: IDCREATE username password
NET USER %1 %2 /ADD
IDDELETE.BAT: Used to delete a local identity.
@ECHO OFF
REM USAGE: IDDELETE username
NET USER %1 /DELETE
IDENABLE.BAT: Used to enable or disable a local identity.
@ECHO OFF
REM USAGE: IDENABLE username YES\NO
NET USER %1 /ACTIVE:%2
IDGROUP.BAT: Used to change the group membership of a local identity, or to create or delete local groups.
@ECHO OFF
REM USAGE: IDGROUP group ADD\DELETE username
REM USERNAME IS ADDED TO OR DELETED FROM GROUP
REM USERNAME CAN BE LEFT OFF TO ADD OR DELETE GROUPS
NET LOCALGROUP %1 %3 /%2
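As an added example (not one of the post's scriptlets), here is a small Python audit of the arrangement described above: it reads a GPO's Machine\Scripts\scripts.ini, spots startup entries that hand a password to IDCHPASS.BAT or IDCREATE.BAT, and checks the GPO's permission list for trustees that would let ordinary users read those parameters from SYSVOL. The scripts.ini text and both permission lists are constructed samples; the permission names follow what Get-GPPermission reports.

```python
"""Audit a GPO's startup-script parameters for exposed credentials (added example)."""
import configparser

# Scriptlets from the post whose parameters carry a password
# (value = 1-based position of the password parameter).
PASSWORD_SCRIPTLETS = {"IDCHPASS.BAT": 2, "IDCREATE.BAT": 2}

# Trustees and permissions that would let every user read the GPO's SYSVOL folder.
BROAD_TRUSTEES = {"Authenticated Users", "Everyone", "Domain Users"}
READ_PERMS = {"GpoRead", "GpoApply", "GpoEdit", "GpoEditDeleteModifySecurity"}

# Constructed sample of <GPO>\Machine\Scripts\scripts.ini (the real file is
# UTF-16; decode it to text before passing it in). The password is a dummy.
SAMPLE_SCRIPTS_INI = """
[Startup]
0CmdLine=IDCHPASS.BAT
0Parameters=localadmin Pa55-sample
1CmdLine=IDENABLE.BAT
1Parameters=Guest NO
"""

# Constructed permission lists in the shape (trustee, permission).
OPEN_ACL = [("Authenticated Users", "GpoApply"),
            ("Domain Admins", "GpoEditDeleteModifySecurity")]
LOCKED_ACL = [("Domain Computers", "GpoApply"),
              ("Domain Admins", "GpoEditDeleteModifySecurity")]


def parse_startup_scripts(ini_text):
    """Return [(index, cmdline, parameters)] from the [Startup] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the NCmdLine / NParameters key case
    cp.read_string(ini_text)
    if not cp.has_section("Startup"):
        return []
    sec = cp["Startup"]
    entries = []
    i = 0
    while f"{i}CmdLine" in sec:
        entries.append((i, sec[f"{i}CmdLine"].strip(), sec.get(f"{i}Parameters", "").strip()))
        i += 1
    return entries


def find_credential_entries(entries):
    """Entries that invoke a password-taking scriptlet with enough parameters.
    Only the username is reported; the password itself is never copied out."""
    found = []
    for idx, cmd, params in entries:
        name = cmd.replace("/", "\\").rsplit("\\", 1)[-1].upper()
        pos = PASSWORD_SCRIPTLETS.get(name)
        argv = params.split()  # assumes the password contains no spaces
        if pos is not None and len(argv) >= pos:
            found.append((idx, name, argv[0]))
    return found


def broad_readers(aces):
    """Trustees in the ACL that give every user read access to the GPO."""
    return sorted({t for t, p in aces if t in BROAD_TRUSTEES and p in READ_PERMS})


def audit(ini_text, aces):
    """Combine both checks: credentials present AND readable by all users = EXPOSED."""
    creds = find_credential_entries(parse_startup_scripts(ini_text))
    readers = broad_readers(aces)
    status = "NO-CREDENTIALS" if not creds else ("EXPOSED" if readers else "OK")
    return {"credential_entries": creds, "exposed_to": readers, "status": status}


if __name__ == "__main__":
    for label, acl in (("open", OPEN_ACL), ("locked", LOCKED_ACL)):
        print(label, audit(SAMPLE_SCRIPTS_INI, acl))
```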
A shoutout goes to ripvankip for giving me something to write about! ;)
Sean
Sunday, November 15, 2009
Wednesday, November 11, 2009
How to differentiate a VM from a physical machine
My company wanted to apply a policy to virtual machines to change the screen saver to the blank one. Makes sense, right? Why waste shared CPU cycles on a screen saver nobody is ever actually going to see because the machine has no screen?
The issue was how to differentiate a VM from other machines. (Personally, I would just have forced a blank screen saver on a 10 minute idle timer on everything and saved a little money on the energy bills. You then create an exception group in Active Directory, give it Deny Apply permissions on the policy and put the computer accounts of machines that must always have the display running, such as wall monitors for call queues or network monitoring, in the exception group... but I digress from the topic at hand.)
So to get back to the topic, how can we differentiate a VM from a physical machine? A little walk through WMI Explorer gave me the answer. A WMI query:
Select * from Win32_ComputerSystem WHERE Manufacturer LIKE "VMWare%"
Add that as a WMI filter to your GPO and it'll only apply to VMware machines.
"What about Microsoft Virtual Server?" I hear you ask. I don't know. We don't use them, but I suspect if you look through WMI, you'll find a similar marker that can be used to identify them.
It's also worth noting that the LIKE filter in the statement will only work on XP and later machines.
Cheers,
Sean
Wednesday, November 4, 2009
How to use ROMMON to recover from a bad boot image on a Cisco ASA
Note that this can be applied to other Cisco devices, but commands will vary from device to device. The specific commands here apply to the Cisco ASA 5500 series.
Connect a computer to the console port of the device using a Cisco console cable. Use a terminal emulator such as PuTTY set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
Power cycle the device.
During startup, press the Escape key when you see the prompt to enter ROMMON mode.
It is always a good idea to retain the previous boot image on the device during an upgrade, if space permits. If there is an alternative image available on the flash memory you can issue the boot command as follows:
rommon #1> boot asa821-k8.bin
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa821-k8.bin... Booting...
Platform ASA5505
Loading...
If you don't have a local copy of an alternative boot image and need to copy an image from a network location, define the interface settings as follows:
rommon #1> ADDRESS=172.31.255.1
rommon #2> SERVER=10.200.4.29
rommon #3> GATEWAY=172.31.255.4
rommon #4> IMAGE=asa821-k8.bin
rommon #5> PORT=GigabitEthernet0/1
GigabitEthernet0/1 Link is UP
MAC Address: 0021.a09a.bf89
Test connectivity using the ping server command.
rommon #6> ping server
Sending 20, 100-byte ICMP Echoes to server 10.200.4.29, timeout is 4 seconds:
Success rate is 100 percent (20/20)
Load the software image using the tftp command. This assumes that you have a TFTP server running on the target address and a copy of the required image in the target directory.
rommon #7> tftp
ROMMON Variable Settings:
ADDRESS=172.31.255.1
SERVER=10.200.4.29
GATEWAY=172.31.255.4
PORT=GigabitEthernet0/1
VLAN=untagged
IMAGE=asa821-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
tftp asa821-k8.bin@10.200.4.29 via 172.31.255.4
Received 16275456 bytes
Launching TFTP Image...
After the image is loaded the device automatically exits ROMMON.
Sunday, October 25, 2009
Cannot start Microsoft Outlook. Cannot open the Outlook window.
I had an interesting problem over the weekend... on my HOME computer!! O_o
Trying to launch Outlook, I was receiving the error message “Cannot start Microsoft Outlook. Cannot open the Outlook window.”
It appears that the configuration file for the Navigation Pane can get corrupted and this will prevent Outlook from launching successfully.
This can be remedied by running OUTLOOK.EXE with the /RESETNAVPANE switch.
Thursday, September 10, 2009
How to Edit an INI file using VBScript
Modify the target file path, the entry name to search for and the replacement line (marked in the script's comments) as appropriate.
Note that you can use environment variables to ensure that it will work on all systems, e.g. if you use %SystemRoot% it will work whether Windows is installed in C:\WINNT or D:\Windows.
' This script can be used to edit entries in ini files
'
' Written by Sean Bradley
' Version 1.0
' Last modified 11/09/09
'
Option Explicit
Dim oShell, objFSO, objTextFile, targfile, backdir, strNextLine, strNewFile
Const ForReading = 1
Const ForWriting = 2
Set oShell = CreateObject("WScript.Shell")
'Set the target file and backup directory.
'Note that I've used an environment variable here to ensure it works on all systems.
'
targfile = oShell.ExpandEnvironmentStrings("%SystemRoot%") & "\editthisfile.ini"
backdir = oShell.ExpandEnvironmentStrings("%TEMP%") & "\"
Set objFSO = CreateObject("Scripting.FileSystemObject")
'Make sure the file exists to prevent errors.
'
If objFSO.FileExists(targfile) Then
    'Copy it to the backup directory (overwriting any older backup) then open the file.
    objFSO.CopyFile targfile, backdir, True
    Set objTextFile = objFSO.OpenTextFile(targfile, ForReading)
    strNewFile = ""
    'Read through each line of the file for the entry you want to set
    '
    Do Until objTextFile.AtEndOfStream
        strNextLine = objTextFile.ReadLine
        'Only a line that starts with the key name followed by "=" is replaced,
        'so a value or a longer key that merely contains the text is left alone.
        If InStr(1, LTrim(strNextLine), "IniFileEntrytoEdit=", vbTextCompare) = 1 Then
            'Set your new entry here.
            '
            strNextLine = "IniFileEntrytoEdit=My Entry in the File"
        End If
        strNewFile = strNewFile & strNextLine & vbCrLf
    Loop
    objTextFile.Close
    'Write the file with the new entry (Write rather than WriteLine, so no extra blank line is appended)
    '
    Set objTextFile = objFSO.OpenTextFile(targfile, ForWriting)
    objTextFile.Write strNewFile
    objTextFile.Close
End If
Monday, August 17, 2009
Log File Cleanup
I needed a tool to clean up log files that exceed a certain age and I remembered a simple executable that I used to have called deleteifolderthan.exe that did just what was required, but when I went looking for it, I couldn't locate it anywhere.
Giving up on that, I decided to write my own script. I needed something that would delete log files over a month old in subdirectories of a parent directory. This is what I came up with:
Const ParentFolder = "E:\Logs"
Const MaxDays = 31
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFolder = objFSO.GetFolder(ParentFolder)
Set colSubFolders = objFolder.SubFolders
'Walk each immediate subfolder of the parent (one level only; this does not recurse deeper).
For Each objDir in colSubFolders
    Set colFiles = objDir.Files
    For Each objFile in colFiles
        'Delete the file once it is MaxDays or more days old, judged by its creation date.
        If DateDiff("d", objFile.DateCreated, Now) >= MaxDays Then
            objFSO.DeleteFile objFile.Path
        End If
    Next
Next
If you wanted to delete old logs in a single folder, you could simplify this to:
Const WatchFolder = "E:\Logs"
Const MaxDays = 31
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objDir = objFSO.GetFolder(WatchFolder)
Set colFiles = objDir.Files
'Same age check as above, applied to the files of a single folder.
For Each objFile in colFiles
    If DateDiff("d", objFile.DateCreated, Now) >= MaxDays Then
        objFSO.DeleteFile objFile.Path
    End If
Next
Cheers,
Sean
Tuesday, August 11, 2009
JDE IE Recommended Settings
I just got back from the snow! Had an awesome time snowboarding in Thredbo.
I thought I'd quickly post this Group Policy ADM Template that I developed to configure Internet Explorer with some settings recommended by Oracle and JDE for running their OneWorld Web Client.
; This policy template has been written to optimise the IE web client
; with Internet Explorer due to a limitation in this browser and the
; number of connections to the web server as per recommendations from
; Oracle for IE to interact with JDE
;
; The IE changes are used to change the number of connections to the
; server which can help to improve the performance of the web client
; and rendering of the menus.
;
; The CSV MIME Type is used to fix an issue when opening CSV files in
; the web client (please see Oracle documentation for further details).
;
; This is a System Policy template and does not use the preferred
; Group Policy method
;
; Refer to Microsoft TechNet article Q323639 for further information.
; Therefore these registry settings are permanent.
;
; When viewed via a Group Policy Object Editor, you must enable the view for system
; policies, which will appear as red icons as opposed to the standard blue ones.
;
; Windows 2000 Active Directory Group Policies:
; Click on Administrative Templates
; Right click
; View >
; Select Show Policies Only so that it removes the tick.
;
; Windows 2003 Active Directory Group Policies:
; Click on Administrative Templates
; Right click
; View >
; Select Filtering...
; Deselect Only show policy settings that can be fully managed
; so that it removes the tick.
; Select OK
;
;
;Developed by: Sean Bradley
;Contact info: Contact via http://draxonic.blogspot.com/
;Date last modified: 07/07/2009
;version: 1.0
;This file is provided AS IS for informational purposes to help assist other
;administrators in maintaining a high degree of client manageability.
;Be sure to fully test this in a lab environment PRIOR to implementation.
;The author makes no guarantee or warranty, i.e. use at your own risk.
CLASS MACHINE
CATEGORY "JDE Web Client Policies"
    POLICY "CSV MIME Type"
        KEYNAME "Software\Classes\MIME\Database\Content Type\application/csv"
        EXPLAIN "Setting this policy fixes an issue when opening CSV files in the JDE web client."
        PART "Set CSV MIME Type" CHECKBOX DEFCHECKED
            VALUENAME "Extension"
            VALUEON ".csv"
            VALUEOFF ""
        END PART
    END POLICY
END CATEGORY
CLASS USER
CATEGORY "JDE Web Client Policies"
    POLICY "Increase Max Connections per Server"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        EXPLAIN "Setting this policy changes the number of connections to the server which can help to improve the performance of the web client and rendering of the menus in the JDE Web Client. Note that existing Internet Explorer Maintenance Policy Objects can be used to permit HTTP 1.1 over proxy connections."
        PART "Increase Max Connections values" CHECKBOX DEFCHECKED
            VALUENAME "MaxConnectionsPerServer"
            VALUEON NUMERIC 10
            VALUEOFF NUMERIC 3
            ACTIONLISTON
                KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
                VALUENAME "MaxConnectionsPer1_0Server" VALUE NUMERIC 10
            END ACTIONLISTON
            ACTIONLISTOFF
                KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
                VALUENAME "MaxConnectionsPer1_0Server" VALUE NUMERIC 3
            END ACTIONLISTOFF
        END PART
    END POLICY
END CATEGORY