Thursday, July 17, 2008

Complete script to create users, home folders and ntfs permissions

Assuming that you have a file users.txt with this format:
Last_name First_name Group Password
This script automatically creates the groups in the specified OU (Sales), adds the users to that OU and to their respective groups, sets the passwords given in the file, assigns a logon script, creates and shares the home folders and sets NTFS permissions on them... a lot of work, isn't it?
I must say that the script uses the rmtshare tool to create the shares; it is available for download from Microsoft.

@setlocal
@set ou=OU=Sales,DC=test,DC=com
@set domain=test.com
@set domainadmins=CN=Domain Admins,CN=Users,DC=test,DC=com
@set domainusers=CN=Domain Users,CN=Users,DC=test,DC=com
@rem Each line of users.txt is "Last_name First_name Group Password", so four tokens
@rem are needed (%%a %%b %%c %%d); "tokens=1,2*" would leave %%c holding "Group Password".
@rem users.txt contains cleartext passwords: keep it protected and delete it once the accounts exist.
@rem Creation of groups (dsadd reports an error for a group that already exists; this is harmless)
for /f "tokens=1-4 delims= " %%a in (users.txt) do dsadd group "CN=%%c, %ou%"
@rem Creation of users (the UPN gets the domain suffix so it can be used for logon)
for /f "tokens=1-4 delims= " %%a in (users.txt) do dsadd user "CN=%%b %%a, %ou%" -upn "%%b %%a@%domain%" -fn %%b -ln %%a -display "%%b %%a" -loscr Scripts\logon.bat -pwd %%d -memberof "CN=%%c, %ou%"
@rem Creation of personal folders (home folders)
for /f "tokens=1-4 delims= " %%a in (users.txt) do md "D:\Homes\%%b %%a"
@rem Make hidden shares ($) on home directories
for /f "tokens=1-4 delims= " %%a in (users.txt) do rmtshare \\%COMPUTERNAME%\"%%b %%a$" = "D:\Homes\%%b %%a"
@rem Grant share rights on home folders: the owner gets Change, Domain Admins get Full Control
for /f "tokens=1-4 delims= " %%a in (users.txt) do rmtshare \\%COMPUTERNAME%\"%%b %%a$" /grant "%domain%\%%b %%a":CHANGE /grant "%domain%\Domain Admins":"FULL CONTROL"
@rem Give NTFS rights on home folders (/G without /E replaces the existing ACL with these two entries)
for /f "tokens=1-4 delims= " %%a in (users.txt) do cacls "D:\Homes\%%b %%a" /T /C /G "%domain%\%%b %%a":C "%domain%\Domain Admins":F

Wednesday, July 16, 2008

Rename all users from AD

This was a problem I faced a while ago: I had to change all Active Directory user names from "name surname" to "name.surname". The magic was done for me by this little VBScript, which did the amazing job in seconds. All users were in the organizational unit Test.

OUPath = "LDAP://OU=Test,DC=test,DC=com"
Set CNUsers = GetObject(OUPath)
' Only enumerate user objects in the OU
CNUsers.Filter = Array("user")
For Each User In CNUsers
    ' New logon name in the form name.surname (sAMAccountName is limited to 20 characters and must be unique)
    NewNameFormat = User.givenName & "." & User.sn
    Set objUser = GetObject("LDAP://" & User.distinguishedName)
    objUser.SamAccountName = NewNameFormat
    ' The UPN needs the domain suffix to be usable for logon
    objUser.UserPrincipalName = NewNameFormat & "@test.com"
    objUser.SetInfo
Next

Security and distribution groups

Useful one-step scripts:

- Show the creation date of all groups in the AD forest:
dsquery * forestroot -filter "(objectClass=group)" -attr name whenCreated description -limit 0

- Show the modification date of all groups in the AD forest:
dsquery * forestroot -filter "(objectClass=group)" -attr name whenChanged description -limit 0

- Show the creation date of all users in the AD forest (objectCategory=person is needed because computer accounts are also of objectClass user):
dsquery * forestroot -filter "(&(objectCategory=person)(objectClass=user))" -attr name whenCreated description -limit 0

- Show all mail-enabled distribution groups in the AD forest:
dsquery * forestroot -filter "(&(samAccountType=268435457)(mail=*))" -limit 0

- Show all distribution groups without mail in the AD forest:
dsquery * forestroot -filter "(&(samAccountType=268435457)(!(mail=*)))" -limit 0

- Show all mail-enabled security groups in the AD forest:
dsquery * forestroot -filter "(&(samAccountType=268435456)(mail=*))" -limit 0

- Show all security groups without mail in the AD forest:
dsquery * forestroot -filter "(&(samAccountType=268435456)(!(mail=*)))" -limit 0

- Show the membership of a group named "XXX" (nested groups expanded):
dsget group "XXX" -members -expand
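The samAccountType values 268435456/268435457 used above match global and universal groups only; domain local groups carry 536870912/536870913. This added example (not from the post) decodes a group's groupType bitmask into scope and security flag, derives the samAccountType it will have, and builds a filter on groupType with the bitwise-AND matching rule that covers every scope; the constants are the standard AD values, the function names are my own.

```python
# groupType is a bitmask: scope bits plus the security-enabled bit. samAccountType is the
# value derived from it that the dsquery filters above test.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

SAM_GROUP_OBJECT = 0x10000000               # 268435456: global or universal security group
SAM_NON_SECURITY_GROUP_OBJECT = 0x10000001  # 268435457: global or universal distribution group
SAM_ALIAS_OBJECT = 0x20000000               # 536870912: domain local security group
SAM_NON_SECURITY_ALIAS_OBJECT = 0x20000001  # 536870913: domain local distribution group

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

def decode_group_type(group_type):
    """Return (scope, security_enabled) for a groupType value as ADSI shows it (signed 32-bit)."""
    gt = group_type & 0xFFFFFFFF
    if gt & GROUP_TYPE_GLOBAL:
        scope = "global"
    elif gt & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "domain local"
    elif gt & GROUP_TYPE_UNIVERSAL:
        scope = "universal"
    else:
        raise ValueError(f"no scope bit set in groupType {group_type}")
    return scope, bool(gt & GROUP_TYPE_SECURITY_ENABLED)

def sam_account_type(group_type):
    """The samAccountType AD assigns for this groupType; domain local groups are 'alias' objects."""
    scope, security = decode_group_type(group_type)
    base = SAM_ALIAS_OBJECT if scope == "domain local" else SAM_GROUP_OBJECT
    return base if security else base | 1

def covered_by_page_filters(group_type):
    """True if the group matches samAccountType 268435456 or 268435457, the values used above."""
    return sam_account_type(group_type) in (SAM_GROUP_OBJECT, SAM_NON_SECURITY_GROUP_OBJECT)

def group_filter(security_enabled, mail_enabled):
    """LDAP filter for security or distribution groups of every scope, with or without mail,
    using the bitwise-AND matching rule on groupType instead of one samAccountType value."""
    sec = f"(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={GROUP_TYPE_SECURITY_ENABLED})"
    if not security_enabled:
        sec = f"(!{sec})"
    mail = "(mail=*)" if mail_enabled else "(!(mail=*))"
    return f"(&(objectCategory=group){sec}{mail})"
```

A domain local security group (groupType -2147483644) is reported as samAccountType 536870912 and is therefore missed by the filters above, while group_filter(True, False) catches it.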

Saturday, July 12, 2008

Filter information from event log

The following script shows when specific events logged in Event Viewer occurred. This helped me find out whether a computer was shut down daily during a month: I searched for event ID 6009 in the System event log and put the date and time of each occurrence in a text file:

Set dtmDate = CreateObject("WbemScripting.SWbemDateTime")
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Event ID 6009 is written by the Event Log service at every system start
Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'System' and EventCode = 6009")
For Each objItem In colItems
    Wscript.Echo "Computer Name: " & objItem.ComputerName
    Wscript.Echo "Event Code: " & objItem.EventCode
    ' TimeWritten is a CIM_DATETIME string; SWbemDateTime converts it to a VBScript date
    dtmDate.Value = objItem.TimeWritten
    dtmTimeWritten = dtmDate.GetVarDate
    Wscript.Echo "Time Written: " & dtmTimeWritten
Next
' Run with "cscript //nologo events.vbs > events.txt" to put the output in a text file

Find users who are local admins

Here is a VBScript which audits which accounts and groups are members of the local Administrators group. I use it as a logon script. It writes to a shared folder named Public a text file named after the computer, containing the members of the local Administrators group that are neither Domain Admins nor Administrator:

Option Explicit
Const ForAppending = 8
Dim objGroup, strComputer, objMember, WshNetwork, objFSO, objFile, strFileName
strComputer = "."
Set WshNetwork = WScript.CreateObject("WScript.Network")
WScript.Echo "Computer Name = " & WshNetwork.ComputerName
Set objFSO = CreateObject("Scripting.FileSystemObject")
' One file per computer; ForAppending means a line is added at every logon
strFileName = "C:\Public\" & WshNetwork.ComputerName & ".txt"
' Enumerate the local Administrators group through the WinNT provider
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
For Each objMember In objGroup.Members
    If objMember.Name <> "Administrator" And objMember.Name <> "Domain Admins" Then
        Set objFile = objFSO.OpenTextFile(strFileName, ForAppending, True)
        objFile.WriteLine objMember.Name
        objFile.Close
    End If
Next
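The files the logon script collects still have to be reviewed, and since it appends at every logon the same name appears many times. This added example (not from the post) reads the per-computer files, removes duplicates and reports the members that are not on an allow list, plus the computers where Domain Users is a local admin; the sample file contents and the allow list are constructed for the example.

```python
from pathlib import Path

# Constructed sample of the per-computer files the logon script writes to C:\Public: one
# member per line, appended at every logon, so repeated names are expected.
SAMPLE_FILES = {
    "WS001.txt": "Domain Users\njsmith\nDomain Users\n",
    "WS002.txt": "helpdesk\n",
    "WS003.txt": "helpdesk\nmjones\nhelpdesk\n",
}

# Members allowed in the local Administrators group (assumed for the example; the script
# itself already leaves out Administrator and Domain Admins).
ALLOWED_ADMINS = {"helpdesk"}

def load_member_files(folder):
    """Read every *.txt in the collection folder into {file name: content}."""
    return {p.name: p.read_text(errors="replace") for p in Path(folder).glob("*.txt")}

def parse_member_file(content):
    """Distinct, non-empty member names from one computer's file."""
    return {line.strip() for line in content.splitlines() if line.strip()}

def unexpected_admins(files, allowed=ALLOWED_ADMINS):
    """Map computer name (file name without .txt) to the sorted members not in the allow list."""
    report = {}
    for name, content in files.items():
        computer = name[:-4] if name.lower().endswith(".txt") else name
        extra = sorted(parse_member_file(content) - allowed)
        if extra:
            report[computer] = extra
    return report

def computers_with_domain_users_admin(files):
    """Computers where 'Domain Users' is a local admin, which makes every domain account an admin there."""
    return sorted(c for c, members in unexpected_admins(files, set()).items() if "Domain Users" in members)

if __name__ == "__main__":
    for computer, members in unexpected_admins(SAMPLE_FILES).items():
        print(f"{computer}: {', '.join(members)}")
```

Replace SAMPLE_FILES with load_member_files(r"\\server\Public") to run it against the real collection share.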

Add users from a file to a specific OU

Hi all,

Today I will post a bunch of useful scripts for a system administrator. This one adds users from a text file (users.txt) that contains the first and last name of each user. The users will be created with the password P@ssw0rd.

for /F "tokens=1,2 delims= " %%i in (users.txt) do dsadd user "cn=%%i %%j,ou=Sales,dc=test,dc=ro" -samid "%%i %%j" -upn "%%i %%j"@test.ro -fn "%%i" -ln "%%j" -display "%%i %%j" -pwd P@ssw0rd -disabled no

The script can be easily customized. For example, if users.txt contains the first name, last name and a description of every user, the script will look like this (the "*" gives %%k the whole rest of the line, so the description may contain spaces):

for /F "tokens=1,2* delims= " %%i in (users.txt) do dsadd user "cn=%%i %%j,ou=Sales,dc=test,dc=ro" -samid "%%i %%j" -upn "%%i %%j"@test.ro -fn "%%i" -ln "%%j" -display "%%i %%j" -pwd P@ssw0rd -disabled no -desc "%%k"
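Both this script and the "create users, home folders and NTFS permissions" script at the top of the page run dsadd once per line of users.txt with no check of the input. This added example (not part of either post) is a pre-flight check for a four-column users.txt as used by the first script: it flags sAMAccountNames that collide once dsadd truncates the CN to 20 characters and passwords that would be rejected by the default domain complexity policy; the sample file content is constructed and the complexity check is my approximation of that policy. The same 20-character limit applies to the name.surname logon names in the rename post above.

```python
import re

# dsadd derives sAMAccountName from the first 20 characters of the CN when -samid is
# not given, and sAMAccountName must be unique in the domain.
SAM_MAX = 20

# Constructed sample in the "Last_name First_name Group Password" layout of users.txt.
SAMPLE_USERS_TXT = """\
Smith John Sales P@ssw0rd1
Jones Mary Sales short
Featherstonehaugh Alexander Sales Xy!7abcdEFG
Featherstonehaugh-Smith Alexander Sales Qw!9zzzzZZZ
Smith John Marketing Zz!1abcdEF
"""

def parse_users(text):
    """Return one dict per line; blank lines are skipped, other column counts are rejected."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 columns, got {len(parts)}")
        last, first, group, pwd = parts
        rows.append({"line": lineno, "cn": f"{first} {last}", "group": group, "pwd": pwd})
    return rows

def meets_complexity(pwd, cn):
    """Approximation of the default domain password policy: at least 7 characters, three of
    the four character classes, and no name part of 3+ characters contained in the password."""
    classes = sum(bool(re.search(p, pwd)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    name_parts = [p.lower() for p in cn.split() if len(p) >= 3]
    return len(pwd) >= 7 and classes >= 3 and not any(p in pwd.lower() for p in name_parts)

def preflight(text):
    """Return (line, problem) findings: sAMAccountName collisions after truncation, weak passwords."""
    findings, seen = [], {}
    for row in parse_users(text):
        sam = row["cn"][:SAM_MAX]
        if sam in seen:
            findings.append((row["line"], f"sAMAccountName '{sam}' collides with line {seen[sam]}"))
        else:
            seen[sam] = row["line"]
        if not meets_complexity(row["pwd"], row["cn"]):
            findings.append((row["line"], "password does not meet default complexity"))
    return findings

if __name__ == "__main__":
    for line, problem in preflight(SAMPLE_USERS_TXT):
        print(f"users.txt line {line}: {problem}")
```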