Showing posts with label scripting. Show all posts

Tuesday, July 1, 2014

Disabling many AD user accounts on Windows Server 2003 without powershell

This may or may not help you but it's for my future reference.

My source was a dump from the MAP (Microsoft Assessment and Planning) Toolkit, using the report "ActiveDevicesUsageTracker".

My AD wasn't using the default OU structure
Usable output = "Username" column = samID

Retrieve User-DN on Windows Server 2003
With the samID above, for each name

dsquery user -samid <samID>

Disable AD user accounts on Windows Server 2003
dsmod user user-DN -disabled yes

References (just got the important bits):
http://technet.microsoft.com/en-sg/library/cc781527(v=ws.10).aspx
https://kb.bluecoat.com/index?page=content&id=KB4548

Not related but I needed to get the AD group membership of those disabled AD accounts for clean up purposes.

Retrieve the AD group membership of an AD user object:
dsget user "<user-DN>" -memberof -expand
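The steps above (look up the DN, record group membership, disable) as one batch file for Windows Server 2003. This is an added example, not the original post's script; users.txt, the log path and the DRYRUN switch are assumptions made for the example.

```batch
@echo off
setlocal
rem Added example, not from the original post. users.txt is a hypothetical
rem file with one samID per line (the MAP "Username" column).
set "LIST=users.txt"
set "LOG=C:\Logs\disable-users.log"
rem DRYRUN=1 only logs what would be disabled; set it to 0 to really disable.
set "DRYRUN=1"
if not exist C:\Logs md C:\Logs
for /f "usebackq delims=" %%U in ("%LIST%") do call :process "%%U"
goto :eof

:process
set "COUNT=0"
set "DN="
rem dsquery treats * as a wildcard, so a stray * could match many accounts.
echo(%~1| findstr /l /c:"*" >nul
if not errorlevel 1 (
    set "WHY=wildcard in name"
    goto :skip
)
rem Collect the DN(s) for this samID; %%~D strips the quotes dsquery prints.
for /f "delims=" %%D in ('dsquery user -samid "%~1" 2^>nul') do (
    set /a COUNT+=1
    set "DN=%%~D"
)
rem Act only on exactly one match (0 usually means a typo or a deleted account).
if not "%COUNT%"=="1" (
    set "WHY=%COUNT% matches, expected 1"
    goto :skip
)
>>"%LOG%" echo MATCH %~1 = %DN%
rem Record group membership before disabling, for the later clean-up.
>>"%LOG%" 2>&1 dsget user "%DN%" -memberof -expand
if "%DRYRUN%"=="1" goto :eof
>>"%LOG%" 2>&1 dsmod user "%DN%" -disabled yes
goto :eof

:skip
>>"%LOG%" echo SKIP %~1: %WHY%
goto :eof
```

Review the MATCH and SKIP lines in the log from a dry run before setting DRYRUN=0.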

Reference:
http://social.technet.microsoft.com/wiki/contents/articles/2195.active-directory-dsquery-commands.aspx

Wednesday, July 17, 2013

Have multiple fields in excel to compare and output results? Use vlookup in excel

--- Start of Rant ---

Let me tell you something. Sometimes in IT you're stuck with the unenviable task of scripting mass changes to AD. You've got the starting point (the requirements and the objects that need to be changed), and you have somehow managed to extract the data that needs changing. Now you need to eyeball both spreadsheets line by line to make sure you can produce the script that will update the required attributes.

It's not fun.

--- End of Rant ---

With this it will be fun:
http://www.techonthenet.com/excel/formulas/vlookup.php


Wednesday, May 29, 2013

Debugging scripts, output to console

Example 1

--- Script start ---
if not exist c:\Logs md c:\Logs
net use \\sourceserver\robocopy /user:username password 1>c:\Logs\test.txt 2>&1
--- Script end ---

"1>c:\Logs\test.txt 2>&1"

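"1>" redirects standard output (stdout) to the log file; specify a full path for the log file. If not it might end up in the System32 folder.
"2>" redirects error output (stderr) in the DOS Command Prompt (console); "2>&1" sends it to the same place as stdout, so errors are captured in the same log file.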

Example 2

--- Script start ---
net use \\sourceserver\robocopy /user:username password 1> c:\output.txt 2> c:\error.txt
dir \\sourceserver\robocopy 1>> c:\output.txt 2>> c:\error.txt
--- Script end ---

Or to use one single log file:

--- Script start ---
net use \\sourceserver\robocopy /user:username password 1> c:\output.txt 2>&1
dir \\sourceserver\robocopy 1>> c:\output.txt 2>&1
--- Script end ---

Schedule a robocopy task on Windows 2008 R2 (WIP)

Objective:
1. Schedule a task to copy a set of files from a DC to another DC.
2. Apply least privilege principle.

Environment:
Windows 2008 R2 (
Robocopy version on Windows 2008 R2 (XP10 aka 5.1.10.1027)

Symptoms:
Using robocopy, you will be able to copy folders from source location to destination location (folders will be created). However, files within the source folder will fail to copy.

Common errors:
1. ERROR : You do not have the Manage Auditing user right.
2. ERROR 5 (0x00000005) Copying NTFS Security to Destination Directory -instead-path-here- Access is denied.

Required Permissions:

To use the robocopy /COPYALL switch on a DC, at minimum, user account MUST BE in "Builtin\Administrators" group.

THIS CAN'T BE AVOIDED. Ref URL #4 below - "UAC operates under a dual token method where even if you have the right to have elevated access, until you request it via UAC its not provided. Once requested its a new process."

Tried to minimize security access by using credentials in "Builtin\Server Operators" (able to open an elevated command prompt, but UAC will prompt for a password) and "Builtin\Backup Operators".
However, with these credentials the folders are created successfully during the copy, but the files inside the folders fail with error #2 mentioned above.


Required NTFS Permissions
1. Source location, at least read access to the files and folders
2. Destination location, "full control" to files and folders (If not you may have
3. If your destination folder is in a root folder, ie, D:\ or E:\, you will need to
3.1. Disable inheritance
3.2 Grant full control to the user that is used to run the robocopy scheduled task script

Windows 2008 R2 may not copy ACLs properly
Workaround:

1. XCOPY source_folder target_folder /I /E /X /T
2. ROBOCOPY source_folder target_folder /COPYALL /SECFIX /E
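
A wrapper for the scheduled task, as an added example that is not from the original post: it logs the token the task actually runs with (relevant to the UAC and "Manage Auditing" errors above), runs the two-step workaround with console output redirected to one log, and turns robocopy's exit code into a task result. SRC, DST, the log path and the /R, /W and /NP options are choices made for the example.

```batch
@echo off
setlocal
rem Added example, not from the original post. SRC, DST and LOG are placeholders.
set "SRC=\\sourceserver\robocopy"
set "DST=D:\robocopy-target"
set "LOG=C:\Logs\robocopy-task.log"
if not exist C:\Logs md C:\Logs

>>"%LOG%" echo ==== %DATE% %TIME% task start
rem Record the token the task really runs with. Under UAC, a non-elevated
rem token lists the Administrators group as "Group used for deny only".
>>"%LOG%" 2>&1 whoami
whoami /groups | findstr /i /l /c:"Administrators" >>"%LOG%"
rem "Manage auditing and security log" is SeSecurityPrivilege (error 1 above).
whoami /priv | findstr /i "SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege" >>"%LOG%"

rem Step 1: create the folder tree with ACLs. Step 2: copy files and fix security.
>>"%LOG%" 2>&1 xcopy "%SRC%" "%DST%" /I /E /X /T
>>"%LOG%" 2>&1 robocopy "%SRC%" "%DST%" /COPYALL /SECFIX /E /R:2 /W:5 /NP
set "RC=%ERRORLEVEL%"
>>"%LOG%" echo ==== robocopy exit code %RC%

rem Robocopy exit codes are bit flags: 8 = some copies failed, 16 = fatal error.
if %RC% GEQ 8 exit /b 1
exit /b 0
```

Exit codes below 8 are success or informational (for example 1 means files were copied), so the task reports failure only when a copy actually failed.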

References:
1. http://ss64.com/nt/robocopy.html
2. http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/292b40ec-a6b3-47db-b9ac-e7ab9aa5c913
3. http://serverfault.com/questions/419835/what-permissions-are-required-to-back-up-to-a-remote-folder
4. http://superuser.com/questions/416188/is-there-any-way-to-elevate-a-command-prompt-in-windows-7
5. http://support.simplefailover.com/KB/a5/using-robocopy-with-simple-failover.aspx
6. http://virtualmowfo.blogspot.sg/2009/07/running-scheduled-task-using-system.html

Wednesday, April 11, 2012

How to enable local administrator in Windows 7 using command line / scripting

1. Go to your Start menu and in “Accessories” list, open “Command Prompt” by right-clicking on its icon and choosing “Run as Administrator”
2. When the Command Prompt window appears, enter the command net user administrator /active:yes
3. When done, log out from your current account.
4. The Administrator account should now be present on your log in screen.

To turn the built-in administrator account off, do the same except the command will be
net user administrator /active:no