Friday, November 21, 2008

Add mobile number to 1000 users

Hi all,

This is a script I wrote in response to a question asked in the Microsoft newsgroups:
how to add mobile numbers easily to 1000 users?
Let's assume that you have the users in a file named mobile.txt formatted like this:
User Phone number
Jon Kerry 0743221021
The first column is the name of the user and the second column is his mobile number, separated by a tab. The following script would do the trick:
@rem Skip the header line of mobile.txt; %%A is the user name, %%B the mobile number
@rem The character after Delims= is a tab, so names containing spaces stay in one token
For /F "Skip=1 Tokens=1,* Delims=	" %%A In (mobile.txt) Do (
    dsquery user -name "%%A" | dsmod user -mobile %%B
)
Pay attention that the character after Delims= is a tab, not a space.

Essential LDAP attributes

In this note I'll show you the essential LDAP attributes, which can be used with different tools (like csvde or ldifde) to easily query for the required properties.

In the General tab of the user properties, these are the fields and, in the second column, the corresponding LDAP attributes:
First name: givenname
Initials: initials
Last name: sn
Description: description
Display name: displayname
Office: physicalDeliveryOfficeName
Telephone number: telephoneNumber
Webpage: wWWHomePage
E-mail: mail

In the address tab:
Street: streetAddress
P.O. Box: postOfficeBox
City: l
State: st
Zip code: postalCode
Country: co

In the account tab:
User logon name: UserPrincipalName
User logon name (pre Windows 2000): sAMAccountName
Account expires: accountExpires

In the profile tab:
Profile path: profilePath
Logon script: scriptPath
Home folder, drive: homeDrive
Home folder, local path: homeDirectory

In the telephones tab:
Home: homePhone
Pager: pager
Fax: facsimileTelephoneNumber
Ip Phone: ipPhone
Notes: info

In the organization tab:
Title: title
Department: department
Company: company
Manager: manager

Thursday, October 9, 2008

Distribution lists and managers

Another two useful scripts:
Find distribution lists and their managers:

dsquery * -filter "(&(samAccountType=268435457)(managedBy=*))" -attr sAMAccountName managedBy -limit 0

Find all groups which have managers:

dsquery * -filter "(&(objectClass=group)(managedBy=*))" -attr sAMAccountName managedBy -limit 0

Wednesday, August 27, 2008

Allow dial in access by script

I will show you how to enable the "Allow access" setting under Remote Access Permission (Dial-in or VPN) in the Dial-in tab of the user's properties.
There are two cases:
1) For Windows 2000-based domains in mixed mode, or Windows 2000-based domains in native mode that include RAS servers hosted on Windows NT-based computers, see Microsoft Knowledge Base article 252398.
2) For Windows 2000 domains in native mode and Windows Server 2003 domains, this is the script that will enable dial-in access for all the users in the Test OU:

OUPath = "LDAP://OU=Test,DC=test,DC=com"
Set CNUsers = GetObject(OUPath)
CNUsers.Filter = Array("user")
For Each User In CNUsers
    Set objUser = GetObject("LDAP://" & User.DistinguishedName)
    objUser.Put "msNPAllowDialIn", True
    objUser.SetInfo   ' write the change back to Active Directory
Next

Thursday, July 17, 2008

Complete script to create users, home folders and ntfs permissions

Assuming that you have a file users.txt with this format:
Last_name First_name Group Password
This script automatically creates the groups in the specified OU (Sales), adds the users to this OU and to their respective groups, gives the users the specified passwords, assigns a logon script, creates and shares the home folders and grants NTFS permissions on them... a lot of work, isn't it?
I must say that the script uses the rmtshare tool for setting the shares, available for download from Microsoft.

@rem NetBIOS name of the domain, used in the %domain% references below (assumed value, change it to yours)
@set domain=TEST
@set ou=OU=Sales,DC=test,DC=com
@set domainadmins=CN=Domain Admins,CN=Users,DC=test,DC=com
@set domainusers=CN=Domain Users,CN=Users,DC=test,DC=com
@rem users.txt columns: Last_name First_name Group Password; the header line is skipped
@rem %%a = last name, %%b = first name, %%c = group, %%d = password
@rem Creation of groups (dsadd reports an error for a group that already exists and the loop goes on)
for /f "skip=1 tokens=1,2,3*" %%a in (users.txt) do dsadd group "CN=%%c,%ou%"
@rem Creation of users
for /f "skip=1 tokens=1,2,3*" %%a in (users.txt) do dsadd user "CN=%%b %%a,%ou%" -upn "%%b %%a" -fn %%b -ln %%a -display "%%b %%a" -loscr Scripts\logon.bat -pwd %%d -memberof "CN=%%c,%ou%"
@rem Creation of personal folders (home folders)
for /f "skip=1 tokens=1,2,3*" %%a in (users.txt) do md "D:\Homes\%%b %%a"
@rem Make hidden shares ($) on the home directories
for /f "skip=1 tokens=1,2,3*" %%a in (users.txt) do rmtshare \\%COMPUTERNAME%\"%%b %%a$"="D:\Homes\%%b %%a"
@rem Grant share rights on home folders
for /f "skip=1 tokens=1,2,3*" %%a in (users.txt) do rmtshare \\%COMPUTERNAME%\"%%b %%a$" /grant "%domain%\%%b %%a":CHANGE /grant "%domain%\Domain Admins":"FULL CONTROL"
@rem Give NTFS rights on home folders
for /f "skip=1 tokens=1,2,3*" %%a in (users.txt) do cacls "D:\Homes\%%b %%a" /T /C /G "%domain%\%%b %%a":C "%domain%\Domain Admins":F

Wednesday, July 16, 2008

Rename all users from AD

This was a problem I faced a while ago. I had to change all Active Directory user names from "name surname" to "name.surname". The magic was done for me by this little VBScript, which did the job in seconds. All users were in the organizational unit Test.

OUPath = "LDAP://OU=Test,DC=test,DC=com"
Set CNUsers = GetObject(OUPath)
CNUsers.Filter = Array("user")
For Each User In CNUsers
    NewNameFormat = User.givenName & "." & User.sn
    Set objUser = GetObject("LDAP://" & User.DistinguishedName)
    ' sAMAccountName is limited to 20 characters and must be unique in the domain
    objUser.sAMAccountName = NewNameFormat
    objUser.UserPrincipalName = NewNameFormat
    objUser.SetInfo   ' commit the new names to Active Directory
Next
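An added Python example (not the author's script) for the part of the rename the VBScript does not guard against: sAMAccountName is limited to 20 characters and must be unique, so name.surname can collide after truncation, and some characters are not accepted. The user list and the test.com UPN suffix are constructed assumptions.

```python
import re

# Characters Active Directory rejects in sAMAccountName, and its length limit.
INVALID_SAM_CHARS = re.compile(r'["/\\\[\]:;|=,+*?<>@]')
SAM_MAX_LEN = 20


def make_sam_account_name(given_name, sn, taken):
    """Build the name.surname logon name, drop characters AD rejects, cut it to
    20 characters and add a numeric suffix while it collides (case-insensitively)
    with a name in 'taken'. The chosen name is added to 'taken'."""
    base = INVALID_SAM_CHARS.sub("", "%s.%s" % (given_name.strip(), sn.strip()))
    candidate = base[:SAM_MAX_LEN]
    n = 1
    while candidate.lower() in taken:
        n += 1
        suffix = str(n)
        candidate = base[:SAM_MAX_LEN - len(suffix)] + suffix
    taken.add(candidate.lower())
    return candidate


def rename_plan(users, upn_suffix, existing_sams=()):
    """Return (old sAMAccountName, new sAMAccountName, new UPN) per user without
    producing a duplicate inside the batch or against existing_sams.
    The UPN suffix (e.g. 'test.com') is an assumption: the original script set
    the UPN to the bare name.surname value."""
    taken = {s.lower() for s in existing_sams}
    plan = []
    for old_sam, given_name, sn in users:
        new_sam = make_sam_account_name(given_name, sn, taken)
        plan.append((old_sam, new_sam, "%s@%s" % (new_sam, upn_suffix)))
    return plan


# Constructed sample users from OU=Test: the second carries a character AD refuses,
# the last two collide once truncated to 20 characters.
SAMPLE_USERS = [
    ("Jon Kerry", "Jon", "Kerry"),
    ("Ana Vries", "Ana", "De/Vries"),
    ("Maximilian F", "Maximilian", "Featherstonehaugh"),
    ("Maximilian FS", "Maximilian", "Featherstonehaugh-Smith"),
]

if __name__ == "__main__":
    for old, new, upn in rename_plan(SAMPLE_USERS, "test.com"):
        print("%-15s -> %-20s %s" % (old, new, upn))
```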

Security and distribution groups

Useful one-step scripts:

- Show the creation date of all groups in the AD forest:
dsquery * forestroot -filter "(&(objectClass=group))" -attr name whenCreated description -limit 0

- Show the modification date of all groups in the AD forest:
dsquery * forestroot -filter "(&(objectClass=group))" -attr name whenChanged description -limit 0

- Show the creation date of all users in the AD forest:
dsquery * forestroot -filter "(&(objectClass=user))" -attr name whenCreated description -limit 0

- Show all mail-enabled distribution groups in the AD forest:
dsquery * forestroot -filter "(&(samAccountType=268435457)(mail=*))" -limit 0

- Show all distribution groups that are not mail-enabled in the AD forest:
dsquery * forestroot -filter "(&(samAccountType=268435457)(!(mail=*)))" -limit 0

- Show all mail-enabled security groups in the AD forest:
dsquery * forestroot -filter "(&(samAccountType=268435456)(mail=*))" -limit 0

- Show all security groups that are not mail-enabled in the AD forest:
dsquery * forestroot -filter "(&(samAccountType=268435456)(!(mail=*)))" -limit 0

- Show the membership of a group named "XXX":
dsget group "XXX" -members -expand

Saturday, July 12, 2008

Filter information from event log

The following script will show when specific events logged in Event Viewer happened. This helped me find out whether a computer was shut down daily during a month. For this, I searched for event ID 6009 in the System event log and put the date and time of each occurrence in a text file:

Set dtmDate = CreateObject("WbemScripting.SWbemDateTime")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Event 6009 is written by the Event Log service at every startup
Set colItems = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'System' and EventCode = 6009")
For Each objItem In colItems
    WScript.Echo "Computer Name: " & objItem.ComputerName
    WScript.Echo "Event Code: " & objItem.EventCode
    ' TimeWritten is a CIM_DATETIME string; SWbemDateTime converts it to a VBScript date
    dtmDate.Value = objItem.TimeWritten
    dtmTimeWritten = dtmDate.GetVarDate
    WScript.Echo "Time Written: " & dtmTimeWritten
Next
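The same check done offline, as an added Python example that is not the author's script: it parses the CIM_DATETIME strings that TimeWritten returns (the job SWbemDateTime.GetVarDate does above) and lists the days of a month with no startup event 6009. The event rows are constructed sample data; a real run would feed it the rows returned by the WQL query.

```python
import re
from datetime import date, datetime, timedelta, timezone

# WMI CIM_DATETIME: yyyymmddHHMMSS.mmmmmm followed by the UTC offset in minutes (+UUU / -UUU)
CIM_DATETIME = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")


def parse_cim_datetime(value):
    """Parse the string objItem.TimeWritten returns (e.g. '20080712063015.000000+120')
    into an aware datetime, which is what SWbemDateTime.GetVarDate does in the VBScript."""
    m = CIM_DATETIME.match(value)
    if not m:
        raise ValueError("not a CIM_DATETIME value: %r" % (value,))
    stamp, micros, sign, offset = m.groups()
    minutes = int(offset) if sign == "+" else -int(offset)
    naive = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    return naive.replace(microsecond=int(micros), tzinfo=timezone(timedelta(minutes=minutes)))


def days_without_event(events, event_code, year, month):
    """Days of the given month on which no event with event_code was written.
    With 6009 (logged by the Event Log service at every startup) the result is
    the list of days on which the computer was not started."""
    seen = {parse_cim_datetime(e["TimeWritten"]).date()
            for e in events if e["EventCode"] == event_code}
    first = date(year, month, 1)
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    return [first + timedelta(days=i) for i in range((next_month - first).days)
            if first + timedelta(days=i) not in seen]


# Constructed sample rows shaped like Win32_NTLogEvent records from the System log:
# a 6009 startup event every morning of July 2008 except the 12th and 13th (a weekend),
# plus one 6006 (clean shutdown) row that the 6009 check must ignore.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "EventCode": 6009,
     "TimeWritten": "200807%02d073012.000000+180" % day}
    for day in range(1, 32) if day not in (12, 13)
] + [{"ComputerName": "WS01", "EventCode": 6006,
      "TimeWritten": "20080712180000.000000+180"}]

if __name__ == "__main__":
    for d in days_without_event(SAMPLE_EVENTS, 6009, 2008, 7):
        print(d.isoformat())   # 2008-07-12 and 2008-07-13
```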

Find users who are local admins

Here is a Visual Basic script which audits which accounts and groups are members of the local Administrators group. I run it as a logon script. In a shared folder named Public it writes a text file, named after the computer, listing the members of the local Administrators group that are neither Domain Admins nor the Administrator account:

Option Explicit
Const ForAppending = 8
Dim objGroup, strComputer, objMember, WshNetwork, objFSO, objFile, strFileName
strComputer = "."
Set WshNetwork = WScript.CreateObject("WScript.Network")
WScript.Echo "Computer Name = " & WshNetwork.ComputerName
Set objFSO = CreateObject("Scripting.FileSystemObject")
' One report file per computer in the shared Public folder
strFileName = "C:\Public\" & WshNetwork.ComputerName & ".txt"
Set objFile = objFSO.OpenTextFile(strFileName, ForAppending, True)
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
For Each objMember In objGroup.Members
    ' Report every member except the built-in Administrator and Domain Admins
    If objMember.Name <> "Administrator" And objMember.Name <> "Domain Admins" Then
        objFile.WriteLine objMember.Name
    End If
Next
objFile.Close

Add users from a file to a specific OU

Hi all,

Today I will post a bunch of useful scripts for a system administrator. This one adds users from a text file (users.txt) in which you have the first and last name of each user. The users will be created with the password P@ssw0rd.

for /F "tokens=1,2" %%i in (users.txt) do dsadd user "cn=%%i %%j,ou=Sales,dc=test,dc=ro" -samid "%%i %%j" -upn "%%i %%j" -fn "%%i" -ln "%%j" -display "%%i %%j" -pwd P@ssw0rd -disabled no

The script can easily be customized. For example, if users.txt contains the first name, the last name and a description of every user, the script will look like this:

for /F "tokens=1,2*" %%i in (users.txt) do dsadd user "cn=%%i %%j,ou=Sales,dc=test,dc=ro" -samid "%%i %%j" -upn "%%i %%j" -fn "%%i" -ln "%%j" -display "%%i %%j" -pwd P@ssw0rd -disabled no -desc "%%k"

Monday, May 26, 2008

Find Exchange Server for a given account

Set User = GetObject("LDAP://CN=Username,CN=Users,DC=test,DC=com")
Server = User.msExchHomeServerName
WScript.Echo "Exchange Server is " & Server

Restrict DHCP on Windows 2003

A few months ago, I was facing the problem of assigning IP addresses only to our domain computers: nobody from outside should get an IP address from our network. The result of all my conclusions is here. I hope it will help somebody in the future.
There are a few ways to restrict DHCP:
1. Create a DHCP scope with only reserved IP addresses for the domain computers. This will not stop people who manually configure the IP address on their computers from accessing your network, and it is usually not practical if you have many computers.
2. Switches that can manage port access by MAC address filtering. The drawback of this approach is that MAC addresses can be spoofed.
3. The third and last option is also the most secure of all: 802.1X authentication for wired clients. 802.1X for wired networks provides authentication and authorization protection at the switch port. Port-based network access control uses the physical characteristics of a switched LAN infrastructure to authenticate devices attached to a LAN port. Use of the port is denied if the authentication process fails; alternatively, the port can be assigned to a VLAN that does not contain important resources. For this you must have switches that support 802.1X authentication, an IAS server installed and Certificate Services deployed on Windows 2003. This is the help:

Reset bulk user passwords

To reset a user's password and force him to change it at next logon:
dsmod user "CN=user name,CN=Users,DC=test,DC=Com" -pwd dfsdsafd -mustchpwd yes
If you have a text file with user distinguished names (one per line), make a script similar to this:
for /f "usebackq delims=" %%i in ("user distinguished name.txt") do dsmod user "%%i" -pwd dfsdsafd -mustchpwd yes
This is the help for the for statement:

Tuesday, May 13, 2008

List of computers with Windows XP Service Pack 2

This is a script to find the computers running this OS. It helped me easily collect the required information about all the workstations in my domain.

dsquery * domainroot -filter "(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))"

To find computers with Windows XP Professional and no Service Pack installed, use (!(operatingSystemServicePack=*)) in the last part of the filter.

Sunday, May 11, 2008

Dhcp or static ip address from script

Assign a static IP address to the Local Area Connection network interface (replace the <...> placeholders with your own values):
netsh interface ip set address name="Local Area Connection" static <ip> <mask> <gateway> 1
netsh interface ip set dns name="Local Area Connection" static <dns server ip> primary

Assign a dynamically allocated IP address to the Local Area Connection network interface:
netsh interface ip set address name="Local Area Connection" source=dhcp
netsh interface ip set dns name="Local Area Connection" source=dhcp

Date of user's last logon

Here is a little script which will give you the date of a user's last logon. But first, I will tell you some things to introduce the background of this problem.
Windows 2000 domain controllers save the last logon date in the "lastLogon" attribute. This attribute is NOT replicated among the domain controllers in the domain, and it is stored in a raw format such as 12327435289, which is the number of 100-nanosecond intervals that have elapsed since 1/1/1601. So, if your domain is at the Windows 2000 level, the following script is the way to do it. The script interrogates a specific DC and returns the value from it.
Windows 2003 domain controllers save the last logon date in the "lastLogonTimestamp" attribute. This attribute IS replicated among all domain controllers in the domain.

Option Explicit
Dim objOU, objUser, objLastLogon
Dim Container, Domain, DCName
Dim intLastLogonTime
Container = "OU=Sales,"          ' Put here the desired OU
Domain = "DC=test,DC=com"        ' Put here your domain
DCName = "DC1"                   ' Put here the DC to interrogate (placeholder; lastLogon is not replicated)
Set objOU = GetObject("LDAP://" & DCName & "/" & Container & Domain)
objOU.Filter = Array("user")
For Each objUser In objOU
    On Error Resume Next
    ' lastLogon comes back as an IADsLargeInteger; Get fails if the attribute is not set
    Set objLastLogon = objUser.Get("lastLogon")
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        WScript.Echo objUser.Name & " has never logged on via " & DCName
    Else
        On Error GoTo 0
        ' 64-bit count of 100-nanosecond intervals since 1/1/1601
        intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
        intLastLogonTime = intLastLogonTime / (60 * 10000000)   ' minutes
        intLastLogonTime = intLastLogonTime / 1440               ' days
        WScript.Echo objUser.Name & " last logon time: " _
            & (#1/1/1601# + intLastLogonTime)
    End If
Next
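The conversion the script performs, worked through as an added Python example that is not the author's code: it turns the 64-bit lastLogon value, or the HighPart/LowPart pair ADSI returns, into a UTC date and combines the per-DC values that a non-replicated attribute forces you to collect. The DC names and the timestamp values are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1 January 1601 UTC); one tick is 100 nanoseconds.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(filetime):
    """Convert a lastLogon / lastLogonTimestamp value (100 ns ticks since 1601)
    to an aware UTC datetime. 0 means the user has never logged on."""
    if filetime == 0:
        return None
    seconds, ticks = divmod(filetime, TICKS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)


def largeinteger_to_filetime(high_part, low_part):
    """Combine the HighPart/LowPart pair ADSI returns (IADsLargeInteger, the object
    the VBScript multiplies out) into one 64-bit integer. COM hands back LowPart
    as a signed 32-bit value, so negative values must be wrapped first."""
    if low_part < 0:
        low_part += 1 << 32
    return (high_part << 32) + low_part


def true_last_logon(per_dc_values):
    """lastLogon is not replicated: each DC only knows the logons it authenticated,
    so query every DC and keep the newest value. (lastLogonTimestamp, available in
    Windows 2003 domains, is replicated but is only refreshed when the stored value
    is older than the domain's sync interval, 14 days by default.)"""
    newest = max(per_dc_values.values())
    return filetime_to_datetime(newest)


# Constructed sample: one user's lastLogon as read from three domain controllers.
SAMPLE_PER_DC = {
    "DC1": 0,                                              # never logged on via DC1
    "DC2": 128716992000000000,                             # 2008-11-21 00:00:00 UTC
    "DC3": 128716992000000000 - 86400 * TICKS_PER_SECOND,  # one day earlier
}

if __name__ == "__main__":
    print(true_last_logon(SAMPLE_PER_DC))  # 2008-11-21 00:00:00+00:00
```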

Thursday, January 31, 2008

Export RRAS configuration

This is a very useful command-line backup option that I use frequently.
netsh routing dump > Routing.txt
netsh RAS dump > RAS.txt
Then we can use netsh exec on another server to import the configuration (for example netsh exec Routing.txt).
If you want to export other settings, just look at the other netsh command-line switches.

Tuesday, January 29, 2008

System hardware information and uptime

Systeminfo is a useful tool to collect valuable system hardware information remotely.
For example, the following line will return the hardware information (system model, system type, uptime, etc.) of the remote server "remotemachine" and write it to the file "remotemachine.csv":
SYSTEMINFO /S remotemachine /FO csv >>remotemachine.csv

RRAS server logging and debugging

RRAS logging

To view who logged in, for how long, etc., go to Remote Access Logging and, on the Properties tab of the local file log, check Authentication requests. You will find the results in windows\system32\logfiles.

RRAS debugging

We can debug RAS connections using the RAS logs. To enable RAS logs run the command:
netsh ras set tracing * enabled
Then we check the logs in the %windir%\tracing directory.
Error codes related to RRAS are listed here.
After we resolve the issue, we disable the RAS logs with the command:
netsh ras set tracing * disabled