' Bind to the user object and read the Exchange server that homes its mailbox
Set User = GetObject("LDAP://CN=Username,CN=Users,DC=test,DC=com")
Server = User.msExchHomeServerName
WScript.Echo "Exchange Server is " & Server
Monday, May 26, 2008
Restrict DHCP on Windows 2003
A few months ago I was facing the problem of handing out IP addresses only to our domain computers: nobody from outside should get an IP address from our network. The results of all my conclusions are here. I hope they will help somebody in the future.
There are a few ways to restrict DHCP:
1. Create a DHCP scope that contains only reserved IP addresses for domain computers. This will not stop people who manually configure an IP address on their computers from accessing your network, and it is usually not practical if you have many computers.
2. Switches that can control port access by MAC address filtering. The drawback of this approach is that MAC addresses can be spoofed.
3. The third and last option is also the most secure of all: 802.1X authentication for wired clients. 802.1X for wired networks provides authentication and authorization protection at the switch port. Port-based network access control uses the physical characteristics of a switched LAN infrastructure to authenticate devices attached to a LAN port. Use of the port is denied if the authentication process fails. Alternatively, the port can be assigned to a VLAN that does not contain important resources. For this you must have switches that support 802.1X authentication, an IAS server installed, and Certificate Services deployed on Windows 2003. This is the help: http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en
Reset bulk user passwords
To reset a user's password and force a change at next logon:
dsmod user "CN=user name,CN=Users,DC=test,DC=Com" -pwd dfsdsafd -mustchpwd yes
If you have a text file with one user distinguished name per line, make a script similar to this (usebackq is what lets the quoted file name keep its spaces; the command must follow do on the same line):
for /f "usebackq delims=" %%i in ("user distinguished name.txt") do dsmod user "%%i" -pwd dfsdsafd -mustchpwd yes
This is the help for the for statement: http://www.ss64.com/nt/for_f.html
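The batch loop above gives every user in the file the same temporary password, so until each of them logs on, anyone who learns that one value can log on as any of them. The following is an added example, not code from the original post: it reads the same one-DN-per-line file, generates a distinct random password per user that satisfies the usual Windows complexity categories, and builds the equivalent dsmod command lines. The file contents and the meets_complexity rule are constructed for the example; dry_run is on by default so nothing is executed and no password is printed.

```python
import secrets
import string
import subprocess
from typing import Callable, Dict, Iterable, List


def load_distinguished_names(text: str) -> List[str]:
    """One distinguished name per line, as in the batch loop; blank lines and # comments are skipped."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def meets_complexity(password: str) -> bool:
    """Constructed approximation of the default domain policy: 12+ chars with upper, lower and digit."""
    return (len(password) >= 12
            and any(c in string.ascii_uppercase for c in password)
            and any(c in string.ascii_lowercase for c in password)
            and any(c in string.digits for c in password))


def generate_password(random_bytes: int = 12) -> str:
    """Cryptographically random one-time password; retried until it passes the complexity check."""
    while True:
        candidate = secrets.token_urlsafe(random_bytes)
        if meets_complexity(candidate):
            return candidate


def build_reset_commands(dns: Iterable[str],
                         new_password: Callable[[], str] = generate_password) -> Dict[str, List[str]]:
    """Map each DN to a dsmod argv list. Every user gets its own password and,
    as in the post, -mustchpwd yes makes the temporary value expire at first use."""
    return {dn: ["dsmod", "user", dn, "-pwd", new_password(), "-mustchpwd", "yes"] for dn in dns}


def run_resets(commands: Dict[str, List[str]], dry_run: bool = True) -> int:
    """Execute the commands (argv lists, so DNs with spaces need no manual quoting).
    In dry-run mode only a redacted command line is shown; returns the number handled."""
    for argv in commands.values():
        if dry_run:
            print(subprocess.list2cmdline(argv[:4] + ["********"] + argv[5:]))
        else:
            subprocess.run(argv, check=True)
    return len(commands)


# Constructed sample input standing in for "user distinguished name.txt".
SAMPLE_FILE = """CN=Alice Example,CN=Users,DC=test,DC=com
# service accounts excluded
CN=Bob Example,CN=Users,DC=test,DC=com
"""

if __name__ == "__main__":
    resets = build_reset_commands(load_distinguished_names(SAMPLE_FILE))
    run_resets(resets, dry_run=True)
```

The returned dictionary is the only place the new passwords exist, so hand them to users out of band and discard it afterwards; because dsmod receives the password as a command-line argument, it is briefly visible to other local processes on the admin workstation, which is another reason the value should be single-use.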
Tuesday, May 13, 2008
List of computers with Windows XP Service Pack 2
This is a script to find computers with this OS. It helped me easily find the information I needed about all the workstations in my domain. Without -limit 0, dsquery stops after the first 100 results.
dsquery * domainroot -limit 0 -filter "(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))"
To find computers with Windows XP Professional and no Service Pack installed, replace the last clause of the filter with (!(operatingSystemServicePack=*)).
Sunday, May 11, 2008
Dhcp or static ip address from script
Assign a static IP address to the Local Area Connection network interface (address, subnet mask, default gateway, then the primary DNS server):
netsh interface ip set address name="Local Area Connection" static 192.168.1.2 255.255.255.0 192.168.1.1
netsh interface ip set dns name="Local Area Connection" static 192.168.1.10 primary
Assign a dynamically allocated IP address to the Local Area Connection network interface:
netsh interface ip set address name="Local Area Connection" source=dhcp
netsh interface ip set dns name="Local Area Connection" source=dhcp
Date of user's last logon
Here is a little script which will give you the date of a user's last logon. But first I will tell you some things that introduce the background of this problem.
Windows 2000 domain controllers save the last logon date in the "lastLogon" attribute. This attribute is NOT replicated among the domain controllers in the domain, and it is stored in a weird format such as 12327435289, which is the number of 100-nanosecond intervals that have elapsed since 1/1/1601. So, if you have a domain functional level of Windows 2000, the following script is the way to do it. The script interrogates a specific DC and returns the value from it.
Windows 2003 domain controllers save the last logon date in the "lastLogonTimestamp" attribute. This attribute IS replicated among all domain controllers in the domain.
Option Explicit
Dim objOU, objUser, objLastLogon
Dim Container, Domain, Location
Dim intLastLogonTime
Container = "OU=Sales,"          ' Put here the desired OU
Domain = "DC=test,DC=com"        ' Put here your domain
Location = Container & Domain
WScript.Echo Location
' lastLogon is not replicated, so bind to one specific DC: replace DCNAME with the DC to interrogate
Set objOU = GetObject("LDAP://DCNAME/" & Location)
objOU.Filter = Array("user")     ' only user objects carry lastLogon
On Error Resume Next             ' Get fails for users that never logged on at this DC
For Each objUser In objOU
    Set objLastLogon = objUser.Get("lastLogon")
    If Err.Number <> 0 Then
        WScript.Echo objUser.Name & " has no lastLogon on this DC"
        Err.Clear
    Else
        ' IADsLargeInteger holds the 64-bit value as two signed 32-bit halves;
        ' a negative LowPart must be wrapped before it is added to HighPart * 2^32
        intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
        If objLastLogon.LowPart < 0 Then intLastLogonTime = intLastLogonTime + 2^32
        intLastLogonTime = intLastLogonTime / (60 * 10000000)   ' 100-ns intervals to minutes
        intLastLogonTime = intLastLogonTime / 1440              ' minutes to days
        ' adding the day count to 1/1/1601 gives the date, in UTC
        WScript.Echo objUser.Name & " last logon time: " _
            & (intLastLogonTime + #1/1/1601#)
    End If
Next
WScript.Quit
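The arithmetic in the script (HighPart * 2^32 + LowPart, then 100-nanosecond intervals to minutes, to days, added to 1/1/1601) is the FILETIME conversion, and the two replication facts stated above decide how the result may be used: lastLogon must be collected from every DC and the newest value kept, while lastLogonTimestamp, although replicated, is only rewritten when the stored value is about 14 days old (the default msDS-LogonTimeSyncInterval), so it can trail the real last logon by that much. The following is an added example in Python, not code from the original post: it performs the same conversion exactly (including the negative LowPart case that the signed 32-bit halves produce), picks the newest lastLogon across several DCs, and refuses an inactivity threshold shorter than the sync interval. The DC names and the FILETIME values are constructed for the example; 128549376000000000 is 2008-05-11 00:00:00 UTC.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# lastLogon and lastLogonTimestamp are FILETIME values: 100-nanosecond intervals
# elapsed since 1601-01-01 00:00:00 UTC, held in a 64-bit integer that ADSI
# exposes to VBScript as two signed 32-bit halves (IADsLargeInteger).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Default msDS-LogonTimeSyncInterval: lastLogonTimestamp is rewritten only when
# the stored value is about this old, so it may trail the real last logon.
LOGON_TIMESTAMP_SYNC_DAYS = 14


def large_integer_to_int(high_part: int, low_part: int) -> int:
    """Recombine IADsLargeInteger halves the way the VBScript does, with the
    correction it needs: LowPart is signed, so a value with bit 31 set arrives
    negative and must be wrapped back into 0..2^32-1 before being added."""
    return high_part * 2**32 + (low_part % 2**32)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """FILETIME to an aware UTC datetime; 0 (or absent) means the account never logged on."""
    if not filetime:
        return None
    # Integer division to whole microseconds keeps timedelta exact (no float drift).
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def last_logon_across_dcs(per_dc: Dict[str, Optional[int]]) -> Tuple[Optional[str], Optional[datetime]]:
    """lastLogon is not replicated: each DC only knows the logons it handled,
    so the user's real last logon is the newest value held by any DC."""
    best_dc, best_value = None, 0
    for dc, value in per_dc.items():
        if value and value > best_value:
            best_dc, best_value = dc, value
    return best_dc, filetime_to_datetime(best_value)


def inactive_per_timestamp(last_logon_timestamp: int, now: datetime, inactive_days: int) -> bool:
    """Decide inactivity from the replicated lastLogonTimestamp. A threshold at or
    below the sync interval would flag users who logged on yesterday, so it is rejected."""
    if inactive_days <= LOGON_TIMESTAMP_SYNC_DAYS:
        raise ValueError("inactive_days must exceed msDS-LogonTimeSyncInterval")
    when = filetime_to_datetime(last_logon_timestamp)
    return when is None or now - when > timedelta(days=inactive_days)


# Constructed sample: lastLogon for one user as read from three DCs.
# dc2 holds 2008-05-11 00:00:00 UTC, expressed as the halves ADSI would return;
# dc1 saw a logon one day earlier; dc3 never saw one.
SAMPLE_LAST_LOGON = {
    "dc1.test.com": 128549376000000000 - 86400 * TICKS_PER_SECOND,
    "dc2.test.com": large_integer_to_int(29930233, -191627264),
    "dc3.test.com": 0,
}

if __name__ == "__main__":
    for dc, value in SAMPLE_LAST_LOGON.items():
        print(f"{dc}: {filetime_to_datetime(value) or 'never'}")
    newest_dc, newest = last_logon_across_dcs(SAMPLE_LAST_LOGON)
    print(f"newest lastLogon is on {newest_dc}: {newest}")
```

Querying each DC for lastLogon is the only way to get an exact answer; lastLogonTimestamp is good enough for "has not logged on in 30 or 90 days" reports, which is why the threshold check above refuses anything shorter than the sync interval.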