Category: administrator

Generating a new SID in Windows Server 2008 R2

A lot of people use the NewSID tool to generate new SIDs for servers. Unfortunately this does not work so well with Server 2008 and can produce some stunning results if you try to use it in R2 (hint: it won't boot afterwards).

However, you can create a new SID with sysprep, which is installed by default with Server 2k8.

Click Start/Run.
Type sysprep into the box and hit Enter.
It will direct you to the sysprep folder.
Double-click the exe in the folder.
Leave the default option “Enter System Out-of-Box Experience” and tick the Generalize box, which is the bit that will generate a new SID.
Click OK and wait for a bit; the server will reboot, run through some basic installation tasks and also run you through the mini-setup process.

This is great for template VMs that have not already been set up to use the customisation wizards available in the various hypervisors.

Script to remove admin rights pt2

It’s been a while since I had a play with this script, but what I have discovered is that the software I used to find out who has admin rights seems to also detect power users as Administrators. Which I guess is actually a good thing; however, I did not expect to get quite as many hits as I did for power users.

I’ll link all my old posts on the subject below so you can compare notes, but the script that I have created now needs to include:

net localgroup "power users" %username% /delete > "%userprofile%\pwrusr.txt"

and

Y:\BLAT\BLAT "%userprofile%\pwrusr.TXT" -to email@address.com -server <smtp server IP> -f mail@address.com

Of course if you don’t want to be notified when these scripts run then you won’t need the blat portion of the script, and if you really don’t care about knowing if the initial check script has run then I guess you could just push out a script in the order of:

@echo off

c:

cd "%userprofile%"

rem skip the removal if this script has already run for this profile

If exist delusr1.txt (exit) else goto :Script

:Script

rem for removing admin Privileges

net localgroup administrators %username% /delete > "%userprofile%\delusr1.txt"

net localgroup "power users" %username% /delete > "%userprofile%\pwrusr.txt"

exit

This would then run regardless and attempt to remove the locally logged-in user from the Power Users and Administrators groups. It would need to be assigned to just standard users, though, as you do not want to assign the script to administrators in your directory (be it AD, ED or maybe OpenLDAP).

Again this script is just the way I have chosen to do it; I am no expert in script writing (I really do need to figure out VBScript), so I’m sure there are better ways of doing this.
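
The script above creates delusr1.txt through the redirect whether or not the removal worked, and a plain ">" does not capture the error text that net writes to stderr. A variant that logs the errors and only sets its run-once marker on success, as an added example that is not the author's script; the marker, log and temp file names are placeholders, and it assumes net reports Win32 error 1377 when the account is not in the group:

```batch
@echo off
setlocal
rem Added example, not the author's script. MARKER, LOG and TMPOUT are
rem placeholder names chosen for this sketch.
set "MARKER=%USERPROFILE%\delusr1.done"
set "LOG=%USERPROFILE%\delusr1.txt"
set "TMPOUT=%TEMP%\delusr1.tmp"
if exist "%MARKER%" goto :eof

> "%LOG%" echo %DATE% %TIME% %COMPUTERNAME% %USERNAME%
set "FAILED=0"
call :remove "Administrators"
call :remove "Power Users"

rem Write the run-once marker only when both groups ended up in the wanted
rem state, so a failed removal is retried at next logon instead of hidden.
if "%FAILED%"=="0" (
    > "%MARKER%" echo done
)
if exist "%TMPOUT%" del "%TMPOUT%"
goto :eof

:remove
rem %~1 = local group name. 2>&1 also captures the error text net writes to
rem stderr, which a plain ">" redirect leaves out of the file.
net localgroup "%~1" "%USERNAME%" /delete > "%TMPOUT%" 2>&1
set "RC=%ERRORLEVEL%"
>> "%LOG%" type "%TMPOUT%"
if "%RC%"=="0" (
    >> "%LOG%" echo %~1: removed %USERNAME%
    goto :eof
)
rem Assumption: net reports Win32 error 1377 (account is not a member of the
rem group) in its message; that case already matches the wanted state.
findstr /c:"1377" "%TMPOUT%" > nul
if errorlevel 1 (
    >> "%LOG%" echo %~1: FAILED, exit code %RC%
    set "FAILED=1"
) else (
    >> "%LOG%" echo %~1: %USERNAME% was not a member
)
goto :eof
```

The removal changes group membership only; the session that is already logged on keeps its old group memberships until the user logs off.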

 

Admin Script pt1

Applications requiring admin rights

As you know I have been tightening up security at work by finding out who has admin rights and removing it. I must say that I am quite shocked at the amount of apps that assume users have local admin rights.

Even things like scanner drivers are affected, especially when they are called from other large corporate applications (think of a company who makes PDF reading software and also photo editing software). So the next couple of days will be spent running round figuring out which reg keys and folders users need higher access to. All fun stuff.

I am also working on a post about speed screen and am again thinking about making a few video tutorials.

Remove Admin Rights Scripts

We have been tightening up security at our place recently, which has prompted me to do a couple of simple scripts: one to find out who has local admin rights and another one to take them away. I have again used a couple of tools to get the job done. One is isadmin.exe by Bill Stewart, which just checks the locally logged-on user's group access to see if they are a member of the Administrators group. The other is blat, which is a utility for sending SMTP emails from the command line. I then pipe the output to a text file and get the contents emailed to me, and then just use filters to sort the email into either a box for admin users or a box for non-admin users.

That script is:

:script for discovering admin privileges

If exist c:\%nwusername%.txt (exit) else goto :check

:check

@echo off

(drive letter):\admin\isadmin.exe > c:\%nwusername%.txt

(drive letter):\BLAT\BLAT C:\%nwusername%.txt -TO (emailaddress.co.uk) -SERVER (email server) -F (emailaddress.co.uk)

The bits in () you will obviously need to personalise for your environment.

Once that has reported the results to me, any users who have admin permissions then also get added to a script that removes them from the Administrators group. Again, it's fairly simplistic:

If exist c:\delusr.txt (exit) else goto :Script

:Script for removing admin Privileges

@echo off

net localgroup administrators %username% /delete > c:\delusr.txt

echo %username% has been deleted from %nwusername% admin account >> c:\delusr.txt

(drive letter):\BLAT\BLAT C:\delusr.TXT -TO (emailaddress.co.uk) -SERVER (email server) -F (emailaddress.co.uk)

So hopefully that will complete the removal of admin rights. I shall wait a week or two, then change the text file the first script looks for so that it runs again, and hopefully will get no reports of people still with admin rights.

Now of course admin rights are generally given to users because of funky old applications that can't handle tightened permissions, so I expect there may be a bit of running around trying to find ways of fixing broken apps.

One thing I must say again is how brilliant Notepad++ is for creating and editing any kind of script file. If you need to write scripts I would recommend at least trying it out.