Category: netware

Remove Admin Rights Scripts

We have been tightening up security at our place recently, which has prompted me to write a couple of simple scripts: one to find out who has local admin rights and another to take them away. Again I have used a couple of tools to get the job done. One is isadmin.exe by Bill Stewart, which just checks the locally logged-on user's group access to see if they are a member of the Administrators group. The other is blat, which is a utility for sending SMTP emails from the command line. I then pipe the output to a text file and get the contents emailed to me, and then just use filters to sort the email into either a box for admin users or a box for non-admin users.

That script is:

:script for discovering admin privileges

If exist c:\%nwusername%.txt (exit) else goto :check

:check

@echo off

rem Write the isadmin.exe result to a per-user file, then mail it with BLAT

(drive letter):\admin\isadmin.exe > c:\%nwusername%.txt

(drive letter):\BLAT\BLAT C:\%nwusername%.txt -TO (emailaddress.co.uk) -SERVER (email server) -F (emailaddress.co.uk)

The bits in () you will obviously need to personalise for your environment.

Once that has reported the results to me, any users who have admin permissions then also get added to a script that removes them from the Administrators group. Again it's fairly simplistic:

If exist c:\delusr.txt (exit) else goto :script for removing admin Privileges

:Script for removing admin Privileges

@echo off

rem Remove the logged-on user from the local Administrators group and log the result

net localgroup administrators %username% /delete > c:\delusr.txt

echo %username% has been deleted from %nwusername% admin account >> c:\delusr.txt

(drive letter):\BLAT\BLAT C:\delusr.TXT -TO (emailaddress.co.uk) -SERVER (email server) -F (emailaddress.co.uk)

So hopefully that will complete the removal of admin rights. I shall wait a week or two, then change the text file the first script looks for so that it runs again, and hopefully will get no reports of people still with admin rights.
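A re-check along these lines can also be done with the built-in net localgroup and findstr commands. This is an added example, not one of the scripts above; the report path c:\admincheck.txt is an assumption, and it only detects direct membership of the local Administrators group, not rights inherited through a nested group.

```batch
@echo off
rem Added example: confirm the logged-on user is no longer a direct member
rem of the local Administrators group after the removal script has run.
setlocal
rem Assumed report location; change to suit your environment.
set "REPORT=c:\admincheck.txt"

rem net localgroup lists local accounts as "name" and domain accounts as
rem "DOMAIN\name", so match either form as a whole line (/x), ignoring case (/i).
net localgroup administrators | findstr /i /x /c:"%username%" /c:"%userdomain%\%username%" > nul

rem findstr sets errorlevel 0 when a line matched and 1 when none did.
if errorlevel 1 (
    echo %computername%: %username% is not in the Administrators group > "%REPORT%"
) else (
    echo %computername%: %username% is still in the Administrators group > "%REPORT%"
)
endlocal
```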

Now of course admin rights are generally given to users because of funky old applications that can't handle tightened permissions, so I expect there may be a bit of running around trying to find ways of fixing broken apps.

One thing I must say again is how brilliant Notepad++ is for creating and editing any kind of script file. If you need to write scripts I would recommend at least trying it out.

IIS

Well, over the past couple of days I’ve been having a look into IIS, and at this point I’ve discovered that IIS administration bleeds over into the 291 exam, in the same way a lot of admin tasks from the 270 exam can be taken in some way or another to the 290 exam.

To start with, the host header values you set for IIS and multiple websites must be accompanied by a DNS entry to point to the IIS server, and the host header value sorts out what to present back to the client. This way you can have hundreds of websites on the same server and it will always know what to serve a client.

Now a work-related item: I found an interesting and time-saving tool the other day. The problem I'm having is that in our workplace it appears folder access has always been granted to individual users, which sometimes has resulted in a huge list of 20-30 users in the NetWare DACL. This I suppose isn't really a problem, but it looks untidy and could be a security risk. So what I’ve started doing, when coming across such folders with a ridiculous number of users assigned to them, is creating a group for the folder and adding the users into it to help me administer them easily.

However, this can take an absolute age because of the sheer number of users involved, and there is no way of specifying (that I can find) just usernames to add to the group, so you have to add them by roaming around all the OUs in ConsoleOne, which itself can take a long time.

However, this tool helps me loads, as it allows me to enter just logon names in a text file and import them into the newly created group. Firstly it will ask you for the group name and will ask you to confirm if that's what you mean (in case there are two or more similar ones), and then for a text file to import. It saves me a bundle of time.