290

Remove Admin Rights Scripts


We have been tightening up security at our place recently, which has prompted me to do a couple of simple scripts: one to find out who has local admin rights and another to take them away. I have again used a couple of tools to get the job done. One is isadmin.exe by Bill Stewart, which just checks the locally logged-on user's group access to see if they are a member of the Administrators group. The other is blat, which is a utility for sending SMTP emails from the command line. I then pipe the output to a text file and get the contents emailed to me, and then just use filters to sort the email into either a box for admin users or a box for non-admin users.

That script is:

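rem script for discovering admin privileges

rem the marker file means this machine has already reported, so stop
If exist c:\%nwusername%.txt (exit) else goto :check

:check

echo off

rem isadmin.exe checks whether the logged-on user is in the Administrators group
(drive letter):\admin\isadmin.exe > c:\%nwusername%.txt

rem mail the result file with blat
(drive letter):\BLAT\BLAT C:\%nwusername%.txt -TO (emailaddress.co.uk) -SERVER (email server) -F (emailaddress.co.uk)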

The bits in () you will obviously need to personalise for your environment.

Once that has reported the results to me, any users who have admin permissions then also get added to a script that removes them from the Administrators group. Again, it's fairly simplistic:

rem script for removing admin privileges

rem the marker file means the removal has already run on this machine, so stop
If exist c:\delusr.txt (exit) else goto :remove

:remove

echo off

rem drop the logged-on user from the local Administrators group and log the output
net localgroup administrators %username% /delete > c:\delusr.txt

echo %username% has been deleted from %nwusername% admin account >> c:\delusr.txt

rem mail the log with blat
(drive letter):\BLAT\BLAT C:\delusr.TXT -TO (emailaddress.co.uk) -SERVER (email server) -F (emailaddress.co.uk)

So hopefully that will complete the removal of admin rights. I shall wait a week or two, then change the text file the first script looks for so that it runs again, and hopefully I will get no reports of people still with admin rights.
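One way to do that re-check directly on a machine, as an added example that is not part of the original scripts: a Python parser for the output of `net localgroup administrators` that flags every member not on an allow-list. The sample output, the EXAMPLE domain, the account names and the allow-list are constructed, and the parser assumes the English-language output layout.

```python
import subprocess
import sys

# Constructed sample of `net localgroup administrators` output (names made up).
SAMPLE_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\\Domain Admins
EXAMPLE\\jbloggs
The command completed successfully.
"""

# Assumed allow-list: the only members expected once the clean-up has run.
ALLOWED = {"administrator", "example\\domain admins"}


def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members


def unexpected_admins(output, allowed=ALLOWED):
    """Members of the local Administrators group that are not on the allow-list."""
    return [m for m in parse_members(output) if m.lower() not in allowed]


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["net", "localgroup", "administrators"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_OUTPUT  # off Windows, fall back to the constructed sample
    for name in unexpected_admins(text):
        print("still admin:", name)
```

Group entries in the list matter as much as user entries, since removing %username% alone does not touch rights granted through a group.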

Now of course admin rights are generally given to users because of funky old applications that can't handle tightened permissions, so I expect there may be a bit of running around trying to find ways of fixing broken apps.

One thing I must say again is how brilliant Notepad++ is for creating and editing any kind of script file. If you need to write scripts I would recommend at least trying it out.

Citrix Application Installations

Here's a short tutorial on how to install applications in a Citrix or Terminal Services environment. Quite basic stuff, but it's always good to revisit!

LINK!

Kerberos Tutorial


Hi all,

I’ve just been writing a few notes for myself again, so I thought I’d put them up for you to have a look at. The notes are on the Kerberos authentication process that takes place when a computer and/or user logs onto the system.

As always please feel free to comment.

LINKY

More useful tidbits


Hi all,

Here’s another little list of things you may find useful.

The Network Interface\Output Queue Length and Bytes Total/sec counters in Performance Logs and Alerts should show a low queue length and a high Bytes Total/sec. This means that there is a lot of data going through without a great deal of delay.

commands

SCHTASKS allows you to view, create and modify scheduled tasks on a local or remote computer. The basics for using the schtasks command are:

SCHTASKS /QUERY will display a list of all the scheduled tasks on the local machine. Note that if you are just interested in the local machine, typing "schtasks" on its own will output the same list.

To query a remote computer you will need the /s %computername% syntax, for example "schtasks /query /s homedc". You can also combine the command with /u "username" /p "password" to check the scheduled tasks running under a particular user account.

Schtasks can also use /delete, /change, /run and /end as well as /query; all of these have similar syntax to /query. /create, however, has a lot of options that you will need to view if you want to create a task on a headless server with no remote desktop (for that I would suggest you run "schtasks /create /?" to view all the possible combinations).

Useful stuff to memorise


Hi all,

I have not taken the exam yet, but it is getting fairly close. I’ve found it easiest in the past to memorise certain things shortly before the exam, things like minimum system specs etc., as they tend to chuck in a question or two about them, but it's not the sort of thing you need to know for ever more, as who still owns a rickety old PC they say can run said OS/application?

Minimum specs for Server 2003 enterprise edition

Pentium 133 MHz CPU

128MB RAM (64GB max on an x86 processor, and 2TB max on a 64-bit processor)

1.2GB hard drive

Default Domain Password Policy

When your first DC is set up, several security items are put in place by default. The default domain group policy is configured so that, under Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy, the following entries are made:

Enforce password history is set to 24, which means that when users change their passwords it will remember up to 24 previous passwords the user has used. This would stop them cycling from, say, "Password1" to "Password2" and then back to "Password1" again; they could only use Password1 after they had created 23 different passwords.

Maximum password age is set to 42 days, which means that when they set a password it will be valid for 42 days and will expire at the end of the 42nd day.

Minimum password age is set to 1 day, which means that if a user got the bright idea, when their oh-so-secure "Password1" password expired, of changing their password 24 times in a day so they could go back round to "Password1" again, they would be unable to do it. Once they have changed their password they are required to wait 1 day before they can change it again.

Minimum password length is set to 7 characters, which means pretty much what it says on the tin.

Password must meet complexity requirements is enabled by default. You really want to look at this one together with the Minimum password length setting, as this is a big part of securing passwords. The complexity requirement means that a password must contain at least 3 of these components: capital letters, lower case letters, numbers and symbols. For example, password1 does not meet complexity requirements as it only uses lower case letters and a number; however, Password1 does, as it has a capital letter, lower case letters and a number.

Now, while most other settings can be changed to suit, you should never really disable the complexity requirement, as that would allow your users to use very simple passwords such as "aaaaaaa". Even if you change the minimum password length to 14 (which is also the maximum length of password that older clients can use: Windows 95, 98, ME), they could still put "aaaaaaaaaaaaaa" as their password.

Store passwords using reversible encryption is disabled by default. This policy should remain disabled unless for some reason you have an application that uses a protocol which requires the user's password for authentication purposes. It is also a requirement if you are using IIS in digest authentication mode.
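To see how the history, minimum age, length and complexity settings work together, here is an added example (not from the original notes): a small Python model of a password change under the defaults listed above. It uses the simplified "3 of 4 character kinds" rule as described here, and it assumes the history list holds the current password plus the older ones; the `Account` class and `days_until_reuse` helper are hypothetical names.

```python
import string
from datetime import datetime, timedelta

MIN_LEN, HISTORY = 7, 24  # default values quoted in the notes above


def is_complex(pw):
    """Simplified rule from the notes: 3 of upper, lower, digit, symbol."""
    kinds = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
             any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    return sum(kinds) >= 3


class Account:
    """Toy account store; history holds the current password plus older ones."""

    def __init__(self, password, now, min_age_days=1, complexity=True):
        self.history, self.changed = [password], now
        self.min_age, self.complexity = timedelta(days=min_age_days), complexity

    def change(self, new_pw, now):
        """Return None if accepted, else the name of the setting that refused it."""
        if now - self.changed < self.min_age:
            return "minimum password age"
        if len(new_pw) < MIN_LEN:
            return "minimum password length"
        if self.complexity and not is_complex(new_pw):
            return "complexity requirements"
        if new_pw in self.history[-HISTORY:]:
            return "password history"
        self.history.append(new_pw)
        self.changed = now
        return None


def days_until_reuse(min_age_days, first="Password1"):
    """Cycle through throwaway passwords as fast as the policy allows and
    return how many days pass before `first` is accepted again."""
    start = datetime(2024, 1, 1)  # arbitrary constructed start date
    acct, now, n = Account(first, start, min_age_days), start, 1
    while True:
        now += timedelta(days=min_age_days)
        if acct.change(first, now) is None:
            return (now - start).days
        n += 1
        assert acct.change(f"Password{n}", now) is None
```

`days_until_reuse(0)` returns 0, meaning the whole cycle fits in one sitting when there is no minimum age, while `days_until_reuse(1)` returns 25 in this model.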

 

Anyway, that's all I can think of now.

IIS


Well, over the past couple of days I’ve been having a look into IIS, and at this point I’ve discovered that IIS administration bleeds over into the 291 exam, in the same way a lot of admin tasks from the 270 exam can be taken in some way or another to the 290 exam.

To start with, the host header values you set for IIS and multiple websites must be accompanied by a DNS entry that points to the IIS server; the host header value then sorts out what to present back to the client. This way you can have hundreds of websites on the same server and it will always know what to serve a client.

Now a work-related item: I found an interesting and time-saving tool the other day. The problem I'm having is that in our workplace it appears folder access has always been granted to individual users, which has sometimes resulted in a huge list of 20-30 users in the NetWare DACL. This I suppose isn't really a problem, but it looks untidy and could be a security risk. So what I’ve started doing, when coming across folders with a ridiculous number of users assigned to them, is creating a group for the folder and adding the users to it to help me administer them easily.

However, this can take an absolute age because of the sheer number of users involved, and there is no way (that I can find) of specifying just usernames to add to the group, so you have to add them by roaming around all the OUs in ConsoleOne, which itself can take a long time.

However, this tool helps me loads, as it allows me to enter just logon names in a text file and import them into the newly created group. First it will ask you for the group name and ask you to confirm that's what you mean (in case there are two or more similar ones), and then for a text file to import. It saves me a bundle of time.
