
Archive for the ‘Security’ Category

Make others do your job

The goal of every administrator is to become lazy. Through elf’n magic and a batch file you can get others to do your job, as they should. Administrators and ISSOs need to coordinate with HR and department heads to go regularly through the boneyard of disabled and active user accounts in Active Directory to ensure enabled and disabled employee user accounts are accurate. So, having grown tired of doing this mundane task manually too many times, I created a script that does that. With a hint of self-amusement and some butcherious hack, haaack code you can make a batch file send an email from the Windows command line via an adjunct SMTP-enabled IIS web server.

Laying down on the job

There are only two files:

_Exclude.dat
Enter, one per line, the names you don’t want showing up in your report, such as service accounts, administrative accounts, template accounts, etc.

ADuserList.cmd
Modify the variables to suit your needs and then schedule a task pointing to this file as you need, once a week works for me ;) .

No special utilities are needed; the workhorse is DSQUERY, a few FOR statements, and a healthy dose of ECHO redirected into a file. As always I do me best to set variables at the top of the file so you need not worry about the code below. They are as follows:

set _emailto=To@yourdomain.com
set _emailfr=From@yourdomain.com
set _Subject=Your Company User Account Report for %date%
set _dropdir=c:\Inetpub\mailroot\Pickup
(or a UNC path \\WebServer\c$\Inetpub\mailroot\Pickup)
set _srcroot=OU=Your Employees,DC=YourDomain,DC=COM
set _emailHD=Help_Desk@yourdomain.com

Variables Explained

_emailto – email address of the person or distribution group the email is being sent to
_emailfr – who the email is coming from. This address does not need to exist on the mail server as long as the mail server accepts emails from the same domain; for example, if your domain is @yourdomain.com, the email can come from and also be sent to @yourdomain.com and the mail server won't reject it.
_Subject – Something inspiring to get those responsible to read your email
_dropdir – The drop directory on an SMTP-enabled IIS web server. The default is usually C:\Inetpub\mailroot\Pickup, but you can schedule a task to run this batch file on another server and use a UNC path such as \\WebServer\c$\Inetpub\mailroot\Pickup. So that you have no issues, it's easiest to run the task using an account with Domain Admin permissions.
_srcroot – LUV'ly LDAP. You can narrow the scope of accounts returned by placing all user accounts in a root OU; that way you don't have service accounts or built-in accounts show up and confuse department heads with scary technical things.
_emailHD – Your help desk's email address mentioned in the body of the email below.
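
The approach described above, as an added example that is not the author's ADuserList.cmd: it queries the OU with DSQUERY, drops the names listed in _Exclude.dat with FINDSTR, and places the finished message in the pickup directory. The variable names come from the post; the report layout, the temporary file names and the location of _Exclude.dat beside the script are assumptions.

```batch
@echo off
setlocal
rem Added example, not the author's ADuserList.cmd. Variable names follow the post.
set _emailto=To@yourdomain.com
set _emailfr=From@yourdomain.com
set _Subject=Your Company User Account Report for %date%
set _dropdir=c:\Inetpub\mailroot\Pickup
set _srcroot=OU=Your Employees,DC=YourDomain,DC=COM
set _emailHD=Help_Desk@yourdomain.com

rem Assumptions: _Exclude.dat sits beside this script; temp file names are arbitrary.
set _exclude=%~dp0_Exclude.dat
set _msg=%TEMP%\ADuserList_%RANDOM%.eml
set _raw=%TEMP%\ADuserList_%RANDOM%.tmp

rem Headers, one blank line, then the body. The message is built in the temp
rem directory and moved into the pickup directory only once it is complete.
>"%_msg%"  echo To: %_emailto%
>>"%_msg%" echo From: %_emailfr%
>>"%_msg%" echo Subject: %_Subject%
>>"%_msg%" echo.
>>"%_msg%" echo Please review the accounts below and send corrections to %_emailHD%.
>>"%_msg%" echo.
>>"%_msg%" echo == Disabled accounts ==
call :list -disabled
>>"%_msg%" echo.
>>"%_msg%" echo == All accounts, enabled and disabled ==
call :list

move /y "%_msg%" "%_dropdir%\" >nul
exit /b

rem :list [dsquery switch] - append matching sAMAccountNames, minus exclusions.
:list
if exist "%_raw%" del "%_raw%"
rem %%~U strips the quotes dsquery puts around each name.
for /f "delims=" %%U in ('dsquery user "%_srcroot%" %~1 -limit 0 -o samid') do >>"%_raw%" echo %%~U
if not exist "%_raw%" goto :eof
if exist "%_exclude%" (
    rem /v invert, /i ignore case, /x whole-line match, /l literal, /g: patterns from file
    findstr /v /i /x /l /g:"%_exclude%" "%_raw%" >>"%_msg%"
) else (
    type "%_raw%" >>"%_msg%"
)
del "%_raw%"
goto :eof
```

With a local _dropdir, the account running the scheduled task needs only read access to the OU and write access to the pickup directory.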

Tired of not knowing who is currently logged onto what computer in your network?

So was I, and at the time our IT budget wasn't there for loftier tools such as a nice KACE KBOX. At times like this your best friend is ye-old command line utilities, but these tools often only give a current view of what is on the network. The only way to put command line tools on steroids is to write a useful batch file. Who’s On does exactly that: a ready-to-use batch file which generates automated static HTML and CSV reports, making use of two very nice free command line utilities. One is taken from the PSTools arsenal, "PsLoggedOn", created by Sysinternals’ Mark Russinovich and Bryce Cogswell (now acquired by Microsoft), and the other is Microsoft’s Robocopy, created to compete with XXCopy.

Who's On screenshot

PSTools is available here:
http://www.sysinternals.com
or here

http://technet.microsoft.com/en-us/sysinternals/default.aspx

Robocopy was included natively beginning in Windows Vista and Server 2008. If you are running earlier versions of Windows, you can acquire it by installing the Windows Server 2003 Resource Kit Tools, which can be procured here: http://www.microsoft.com/downloads/details.aspx….