Entries in Systems Administration (3)

Friday
Apr162010

Generating a system list from Active Directory

DateFriday, April 16, 2010 at 1:13PM

Having a large number of workstations or servers within an enterprise brings a host of challenges in trying to maintain them. We are constantly having to reach out and perform an action on a set of boxes. Relying on your own or someone else's outdated system list is not an option. A quick and easy fix is to go straight to the source. Dsquery is a command-line too that allows us to query Active Directory based on criteria we feed into it. Today we are going to focus on one common criteria used, dsquery computer, which finds computers in the directory that matches our search patterns. Here's the syntax:

dsquery computer [{<StartNode> | forestroot | domainroot}] [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}] [-name <Name>] [-desc <Description>] [-samid <SAMName>] [-inactive <NumberOfWeeks>] [-stalepwd <NumberOfDays>] [-disabled] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

So to pull a list of workstations from OU Test we can simply run:

C:\> dsquery computer "OU=Test,DC=testdomain,DC=com" -limit 0 -o rdn

"workstation1"
"workstation2"
"workstation3"

So if we break that command down we see that we are querying the Test OU in our domain for computers, -limit 0 means give me everything found, and in an output specifed as rdn. RDN displays the relative distinguished name of each entry. This will allow us to parse it in a for loop and run commands against it.

So let's say we want to ping those machines to see which ones are up:

C:\> for /f %w in ('dsquery computer "OU=Test,DC=testdomain,DC=com" -limit 0 -o rdn') do (
more? ping -n 1 %w
more? )

Pretty easy right!

So what if you don't know what OU a workstation is in? Well dsquery can find out that too! Lets suppose your workstations are called WORKSTATION1, WORKSTATION2, and so on. We can use a portion of the name to find out where they are:

C:\> dsquery computer -limit 0 | find "WORK"

Here's a quick example of a bat file I threw together taking advantage of dsquery.

@echo off
title Build WKS List
rem --------------------------------------------
rem ScriptName: build_wks_list.bat
rem
rem Usage:
rem    build_wks_list.bat wks_OU output_dir
rem
rem Example:
rem    build_wks_list.bat Test c:\admin
rem
rem Change History:
rem    DATE    DEVELOPER    CHANGE
rem    19MAR10    shaun hess    Initial Creation
rem --------------------------------------------
IF %1.==. GOTO USAGE
IF %2.==. GOTO USAGE

setlocal
set HOSTLIST=%2\%1_wkslist.txt
set HOSTLISTTEMP=%2\%1_wkslist.tmp
rem Modify the variable below to include OU's you
rem want to run against when passing the arg "All"
set SITELIST=Test, Engineering, Production
set OU=%1
set OUTPUT_DIR=%2
set ERRORLOG=%2\build_wks_list_error.log

echo.
if exist %HOSTLISTTEMP% del /f /q %HOSTLISTTEMP%
if exist %HOSTLIST% del /f /q %HOSTLIST%

if /I %1 == all (
   for %%i in (%SITELIST%) do (
   @echo Building workstation list for OU=%%i
   dsquery computer "OU=%%i,DC=testdomain,DC=com" -limit 0 -o ^
      rdn >> %HOSTLISTTEMP% 2> %ERRORLOG%
   for /f "delims=" %%a in (%HOSTLISTTEMP%) do echo %%~a >> %HOSTLIST%
   del /f /q %HOSTLISTTEMP%
   @echo Workstation List: %HOSTLIST%
) else (
   @echo Building workstation list for OU=%1
   dsquery computer "OU=%1,DC=testdomain,DC=com" -limit 0 -o ^
      rdn >> %HOSTLISTTEMP% 2> %ERRORLOG%
   for /f "delims=" %%a in (%HOSTLISTTEMP%) do echo %%~a >> %HOSTLIST%
   del /f /q %HOSTLISTTEMP%
   @echo Workstation List: %HOSTLIST%
)
goto done

:USAGE
echo.
echo Usage:
echo.
echo build_wks_list.bat wks_OU output_dir
echo.
echo Ex: build_wks_list.bat Test c:\admin
echo.
echo You may also pass the argument "All" for
echo the OU field if your sitelist is setup.
echo.

:done
echo.
if not "%ERRORLEVEL%"=="0" (
   echo Please see %ERRORLOG% for details.
   echo.
   echo Script failed with return code %ERRORLEVEL%
   echo.
) else (
   echo Script completed successfully.
)
endlocal

exit /b

Some other useful arguments to dsquery computer are:

-name <Name>

Searches for computers whose name attributes (value of CN attribute) matches <Name>. For example, "jon*" or "*ith" or "j*th".

-desc <Description>

Searches for computers whose description attributes match <Description>. For example, "jon*", "*ith", or "j*th".

-inactive <NumberOfWeeks>

Searches for computers that have been inactive (stale) for the number of weeks thatou specify.

-stalepwd <NumberOfDays>

Searches for computers whose passwords have not changed for the number of days that you specify.

-disabled

Searches for all computers whose accounts are disabled.


If you have other handy ways to build system lists feel free to share in the comments. If not give dsquery a try!

AuthorShaun Hess | CommentPost a Comment | Reference1 Reference |
tagged , , , , , in , , ,
Thursday
Sep242009

Shutdown or Reboot a remote Windows box with remote credentials (Quick Tip)

DateThursday, September 24, 2009 at 11:06PM

Quick Tip: Shutdown or Reboot a remote Windows box with remote credentials from the cmd line

Heres the setup, your logged into a workstation and need to reboot a remote box, but your account doesn't have the juice to run the standard shutdown command:

Many people don't know there is a simple flag you can use to pass remote credentials (the acct doesn't need to exist on the local box or even the same domain!) using the runas command:

Success! Remember you can run all sorts of commands both remotely and locally using different credentials using this command.

AuthorShaun Hess | CommentPost a Comment |
tagged , , , , in , ,
Saturday
Jun062009

How to tell what time a Windows user logged in?

DateSaturday, June 6, 2009 at 6:42PM

This question was posted on ServerFault, so I decided to spend some time answering based on my experiences querying this data in the past. The answer depends on what Windows platform the user is logging into. For Windows 2000/XP/2003 event id 528 with logon type 2 will show you interactive logons from a local or domain account. LogParser is a great tool to parse the event logs from a large number of machines and supports a large number of outputs. So for example you could use the following to query the security log on a remote machine and output to a tab separated file:

c:> logparser.exe "select TimeGenerated, SID from \\wksname\Security where EventID = 528" -i EVT -resolveSIDs:ON -q:ON -headers:off -o:TSV >> c:\UserLogons.txt

Querying events from the Security logs on Windows Vista/2008/7 is slightly different in that the log file format has changed, as well as the event ids. Event id 4624 with logon type 2 will show successful interactive logins. We can use the wevtutil to query for similar data and output it in XML format:

c:> wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12544 and (EventID=4624)] and EventData[Data[@Name='LogonType']='2']]" /e:Events > c:\UserLogons.xml


So what about all thos 540 event id's appearing in your Security event logs?

Event 540 gets logged for a few different reasons. So for example you could see event id 540 with logon type 3 when a shared resource is accessed by the server service. Here are the logon types for this event id provided by Microsoft:

  • 2 Interactive A user logged on to this computer at the console.
  • 3 Network A user or computer logged on to this computer from the network.
  • 4 Batch Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention.
  • 5 Service A service was started by the Service Control Manager.
  • 7 Unlock This workstation was unlocked.
  • 8 NetworkCleartext A user logged on to a network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
  • 9 NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
  • 10 RemoteInteractive A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
  • 11 CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.


Happy hunting.

AuthorShaun Hess | CommentPost a Comment | Reference3 References |
tagged , , , , , , , in ,