
Archive for the ‘CMD line’ Category

Find them pesky scheduled tasks

Even in a well-run network it’s easy to let things slip through the cracks, and scheduled tasks in Windows are one of those things that can get out of hand. You set them and forget them until one day you change the password on a service account, it keeps getting locked out to your frustration, and you discover the culprit was a long-lost automated job that did something important a computer-eon ago.

If you have a good tool such as Hyena by System Tools you can run a report using Exporter Pro, but if you are on a beer budget or are a contractor going site to site then a good script is your weapon of choice. The Windows command-line tool SCHTASKS is a powerful means of task automation on a number of levels. Having a view of all the tasks running inside an Active Directory (AD) domain is valuable to any admin and a must-know for any system security expert. With a little extra coding effort you can generate a clean report encompassing all Windows systems. The script below turns the tables on this unexciting work, another great way of buying time by workin’ them tasks.

Workin' Them Tasks

All you need to do to make this script run is define the root of the search by modifying the LDAP variable at the top of the script to search your domain. The script uses built-in Windows commands, so no extra utilities are needed. In a nutshell, computer names are pulled from AD using DSQUERY, then the list is cleaned up by removing disabled computer accounts. You can further refine the list by adding the computer names you want excluded from the report to a file called _Exclude.dat (return carriage format). To save time, the script pings each remaining computer first; those that are available are checked, and a report is spit out in CSV format so you can open it easily in a spreadsheet.
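Once the CSV report exists, the question from the start of the post (which tasks depend on a given service account) can be answered without a spreadsheet. This is an added example, not the author's script: it assumes the report is concatenated `schtasks /query /fo csv /v` output with the English column names HostName, TaskName, Run As User and Task To Run, and the sample rows (with a shortened column set) are constructed.

```python
import csv
import io
from collections import defaultdict

# Built-in identities: no password to change, so never a lockout culprit.
BUILTIN = {"", "N/A", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE",
           "INTERACTIVE", "USERS", "EVERYONE", "AUTHENTICATED USERS",
           "ADMINISTRATORS"}

# Constructed sample: two hosts appended to one file, a duplicated row,
# and a stray error line between the hosts.
SAMPLE_REPORT = r'''"HostName","TaskName","Status","Run As User","Task To Run"
"SRV01","\Nightly Backup","Ready","CORP\svc_backup","C:\Scripts\backup.cmd"
"SRV01","\Nightly Backup","Ready","CORP\svc_backup","C:\Scripts\backup.cmd"
"SRV01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","SYSTEM","defrag.exe"
ERROR: Access is denied.
"HostName","TaskName","Status","Run As User","Task To Run"
"WS042","\Old Export","Ready","corp\SVC_Backup","C:\export.cmd"
"WS042","\Updater","Ready","NT AUTHORITY\LOCAL SERVICE","updater.exe"
'''


def _builtin(account):
    """True for SYSTEM-style identities, with or without an authority prefix."""
    name = account.strip().upper()
    for prefix in ("NT AUTHORITY\\", "BUILTIN\\"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name in BUILTIN


def tasks_by_account(report_text):
    """Map each real account (lower-cased) to its sorted (host, task, command) list."""
    found = defaultdict(set)          # a set drops duplicated rows
    header = None
    for row in csv.reader(io.StringIO(report_text)):
        if row and row[0] == "HostName":      # header repeats per host
            header = row
        elif header and len(row) == len(header):
            rec = dict(zip(header, row))
            user = rec.get("Run As User", "")
            if not _builtin(user):
                found[user.strip().lower()].add(
                    (rec["HostName"], rec.get("TaskName", ""),
                     rec.get("Task To Run", "")))
        # anything else (blank line, error text) is not a task row: skip it
    return {user: sorted(tasks) for user, tasks in found.items()}
```

Before changing a service account password, look the account up in the returned mapping to see which hosts and jobs will need the new credential.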

Recommendations

To start using the script, modify the _srcroot variable as shown below:

REM Set variables for the root of your LDAP search
REM **********************************************
set _srcroot=DC=yourdomain,DC=com

Possible Errors

It’s best to run the script manually at least the first few times because you may run into computers that deny you access. Sometimes schtasks bombs out on the target system and generates an error, and you may also hit a machine disjoined from the domain, which prompts you for credentials; the script will not continue until it's given an entry. Worry not, the script will finish regardless, and as annoying as this may seem you are getting good information. No centrally controlled computer should deny you access, with the exception of outdated Windows OSes; such issues tell you which computers are not acting properly or have had their security modified.

Screenshot: possible SCHTASKS errors (server names are blurred)

Make others do your job

The goal of every administrator is to become lazy. Through elf’n magic and a batch file you can get others to do your job, as they should. Administrators and ISSOs need to coordinate with HR and department heads to go regularly through the bone yard of disabled and active user accounts in Active Directory to ensure the lists of enabled and disabled employee user accounts are accurate. Having grown tired of doing this mundane task manually too many times, I created a script that does it. With a hint of self-amusement and some butcherious hack, haaack code you can make a batch file send an email from the Windows command line via an adjunct SMTP-enabled IIS web server.

Laying down on the job

There are only two files:

_Exclude.dat
Using return carriage format, enter the names you don’t want showing up in your report, such as service accounts, administrative accounts, template accounts, etc.

ADuserList.cmd
Modify the variables to suit your needs and then schedule a task pointing to this file as often as you need; once a week works for me ;) .

No special utilities are needed; the workhorse is DSQUERY, a few FOR statements, and a healthy dose of ECHO piped into a file. As always I do me best to set variables at the top of the file so you need not worry about the code below. They are as follows:

set _emailto=To@yourdomain.com
set _emailfr=From@yourdomain.com
set _Subject=Your Company User Account Report for %date%
set _dropdir=c:\Inetpub\mailroot\Pickup
(or a UNC path \\WebServer\c$\Inetpub\mailroot\Pickup)
set _srcroot=OU=Your Employees,DC=YourDomain,DC=COM
set _emailHD=Help_Desk@yourdomain.com

Variables Explained

_emailto – email address of the person or distribution group the email is being sent to
_emailfr – who the email is coming from. This email address does not need to exist on the mail server as long as the mail server accepts emails from the same domain; for example, if your domain was @yourdomain.com, the email can come from and also be sent to @yourdomain.com and the mail server won't reject it.
_Subject – Something inspiring to get those responsible to read your email
_dropdir – The drop directory on an SMTP-enabled IIS web server. The default is usually C:\Inetpub\mailroot\Pickup, but you can schedule a task to run this batch file on another server and use a UNC path such as \\WebServer\c$\Inetpub\mailroot\Pickup. So that you have no issues, it's easiest to run the task using an account with Domain Admin permissions.
_srcroot – LUV'ly LDAP. You can narrow the scope of accounts returned by placing all user accounts in a root OU; that way you don't have service accounts or built-in accounts show up and confuse department heads with scary technical things.
_emailHD – Your help desk's email address mentioned in the body of the email below.
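The drop-file mechanism described above, sketched as an added example in Python rather than the author's batch file (which is not shown on this page). It assumes the DSQUERY output is one quoted account name per line and that the pickup directory takes a plain RFC 822 text file; the function names, body wording, output file name and sample data are made up for illustration.

```python
import os
from email.message import EmailMessage
from email.policy import SMTP

# Constructed sample input: DSQUERY-style quoted names and an _Exclude.dat body.
SAMPLE_DSQUERY = '"jsmith"\n"Administrator"\n"svc_sql"\n"adoe"\n'
SAMPLE_EXCLUDE = "administrator\nsvc_sql\n"


def filter_accounts(dsquery_output, exclude_text):
    """Strip the quotes DSQUERY adds and drop excluded names (case-insensitive)."""
    excluded = {line.strip().strip('"').lower()
                for line in exclude_text.splitlines() if line.strip()}
    names = []
    for line in dsquery_output.splitlines():
        name = line.strip().strip('"')
        if name and name.lower() not in excluded:
            names.append(name)
    return sorted(names, key=str.lower)


def build_report(names, mail_to, mail_from, subject, help_desk):
    """Compose the message: headers first, then the account list as the body."""
    msg = EmailMessage()
    msg["To"] = mail_to
    msg["From"] = mail_from
    msg["Subject"] = subject
    body = ["Enabled accounts on record:", ""] + names
    body += ["", "Report accounts that should be disabled to " + help_desk]
    msg.set_content("\n".join(body))
    return msg


def drop_message(msg, dropdir, filename="ADuserReport.eml"):
    """Write the message into the drop directory with CRLF line endings."""
    path = os.path.join(dropdir, filename)
    with open(path, "wb") as handle:
        handle.write(msg.as_bytes(policy=SMTP))
    return path
```

Pass the value of _dropdir as `dropdir`; the account running the job needs write access to that folder.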

Down and dirty shutdown script

Not the preferred method for shutting down Windows servers, but if you have a power outage, too many servers and too little battery life on your UPS, this is better than having them shut down hard. This script, which I have dubbed Shut-em-down, uses PsShutdown; yes, using the Windows built-in shutdown command would do the trick as well, but it's what I picked.

The code is short and to the point.

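@echo off
REM Light red text on a black background so the warning stands out
color 0c
echo THIS WILL SHUT DOWN ALL SERVERS LISTED IN SERVERS.TXT!
echo IF THIS IS NOT WHAT YOU INTEND TO DO CLOSE THIS WINDOW OUT NOW!
echo.
echo OTHERWISE...

REM Last chance to abort: closing the window at this prompt shuts nothing down
pause
cls
echo FIRE!
REM One entry per line in servers.txt
REM -f forces running applications to exit, -k powers off, -t 1 is a one-second countdown
FOR /F "tokens=*" %%a in (servers.txt) do psshutdown -f -k -t 1 %%a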

Tired of not knowing who is currently logged onto what computer in your network?

So was I, and at the time our IT budget wasn't there for loftier tools such as a nice KACE KBOX. At times like this your best friend is ye-old command line utilities, but these tools often only give a current view of what is on the network. The only way to put command line tools on steroids is to write a useful batch file. Who’s On does exactly that: a ready-to-use batch file which generates automated static HTML and CSV reports, making use of two very nice free command line utilities. One is taken from the PSTools arsenal, "PsLoggedOn", created by Sysinternals’ Mark Russinovich and Bryce Cogswell (now acquired by Microsoft), and the other is Microsoft’s Robocopy, created to compete with XXCopy.

PSTools is available here:
http://www.sysinternals.com
or here:
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Robocopy has been included natively since Windows Vista and Server 2008. If you are running earlier versions of Windows, you can acquire it by installing the Windows Server 2003 Resource Kit Tools, which can be procured here: http://www.microsoft.com/downloads/details.aspx….