I recently came across a handy script which examines a Windows NT/2000/XP/2003 computer or an Active Directory domain controller to read out the last log on time for each user. By piping the output to a text file, it could be useful for sorting and identifying redundant user accounts.
Shelling out to a command prompt from within an Office application
Earlier today I needed to shell out to a command prompt from a locked-down desktop PC. With only a limited set of icons and no access to the Run dialog from the Start Menu, I asked a colleague if he knew any back doors in the client build. He showed me this neat method for shelling out to pretty much anything you like from within an Office application:
- Open Microsoft Word, Excel, Outlook or another application that supports Microsoft Visual Basic for Applications (VBA).
- Select Macro, then Visual Basic Editor from the Tools menu (or type Alt-F11).
- Select Module from the Insert menu and enter the following code in the Module window:
    Sub Main()
        ' Shell() starts the named program and returns its task ID
        Dim x
        x = Shell("cmd.exe")
    End Sub
- Select Run Sub/User Form from the Run menu (or type F5) and a new instance of cmd.exe will be launched.
The security implications of this could be severe, but as an administrator it’s a useful trick to know.
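For whoever maintains the locked-down build, the practical check is whether an Office process ever becomes the parent of a command interpreter. The following is an added example, not part of the original post: it runs that check over constructed process-creation records whose field names (User, ParentImage, Image) are modelled on Sysmon Event ID 1, and the process lists are assumptions to adapt to the local build.

```python
import ntpath

# Office hosts that embed the VBA editor (assumed list; extend for the local build).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                  "powerpnt.exe", "msaccess.exe"}
# Interpreters a VBA Shell() call is likely to be pointed at (assumed list).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

OFFICE_DIR = "C:\\Program Files\\Microsoft Office\\Office11\\"
SYSTEM_DIR = "C:\\WINDOWS\\system32\\"

# Constructed sample records, not taken from a real system.
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "ParentImage": OFFICE_DIR + "WINWORD.EXE",
     "Image": SYSTEM_DIR + "cmd.exe"},
    {"User": "CORP\\bob", "ParentImage": "C:\\WINDOWS\\explorer.exe",
     "Image": SYSTEM_DIR + "cmd.exe"},
    {"User": "CORP\\carol", "ParentImage": OFFICE_DIR + "EXCEL.EXE",
     "Image": SYSTEM_DIR + "splwow64.exe"},
    {"User": "CORP\\dave", "ParentImage": OFFICE_DIR + "OUTLOOK.EXE",
     "Image": SYSTEM_DIR + "CMD.EXE"},
    {"User": "CORP\\erin", "Image": SYSTEM_DIR + "cmd.exe"},  # parent not logged
]


def image_name(path):
    """Lower-cased file name of a Windows path; empty string if the field is missing."""
    return ntpath.basename(path or "").lower()


def office_spawned_shell(event):
    """True when an Office application is the parent of a command interpreter."""
    return (image_name(event.get("ParentImage")) in OFFICE_PARENTS
            and image_name(event.get("Image")) in SHELL_CHILDREN)


def find_alerts(events):
    """Return (user, parent, child) for every record that matches the rule."""
    return [(e.get("User", "?"), image_name(e.get("ParentImage")), image_name(e.get("Image")))
            for e in events if office_spawned_shell(e)]


if __name__ == "__main__":
    for user, parent, child in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {user}: {parent} started {child}")
```

Matching on file name alone misses a renamed interpreter, so pair this rule with an application allow-list on the desktop build rather than relying on it alone.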
Script to disable password expiry for local Windows accounts
One of the shortcomings of the net user command in Windows is the inability to set the password never expires flag on an account (account expiry options can be set, but not password expiry; the full syntax is described in Microsoft knowledge base article 251394).
There are 13 flags on an NT SAM/Active Directory user account which may be manipulated using VBScript (for further details of the 13 flags, see Microsoft’s sample scripts; there is also some useful information about the object model at the Motobit Software website).
This script can be used to set the password never expires flag on a specified account. I’ve tested it against the local SAM database on a Windows XP PC, but in theory it should work on all versions of Windows NT (2000, XP, 2003 Server, etc.) and also against Active Directory accounts if you run it on a domain controller.
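The flag in question is a single bit in the account's userFlags value, so it has to be set with a bitwise OR rather than by overwriting the whole value, and the same bit can be used to audit which accounts already carry it. The following is an added example, not the script referred to above: the constants are a subset of Microsoft's ADS_USER_FLAG_ENUM, and the account names and values are constructed.

```python
# Subset of Microsoft's ADS_USER_FLAG_ENUM values (bit -> name).
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
FLAG_NAMES = {
    0x0001: "SCRIPT",
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
}

# Constructed (account, userFlags) pairs, as a script reading the SAM might collect.
SAMPLE_ACCOUNTS = [
    ("Administrator", 0x10201),
    ("svc_backup", 0x10201),
    ("Guest", 0x10263),   # never expires, but the account is disabled
    ("alice", 0x00201),
]


def decode(user_flags):
    """Names of the known flags set in a userFlags value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if user_flags & bit]


def set_never_expires(user_flags, enabled=True):
    """Return userFlags with only the never-expires bit changed."""
    if enabled:
        return user_flags | UF_DONT_EXPIRE_PASSWD
    return user_flags & ~UF_DONT_EXPIRE_PASSWD


def audit_never_expires(accounts):
    """Enabled accounts whose password never expires (candidates for review)."""
    return [name for name, flags in accounts
            if flags & UF_DONT_EXPIRE_PASSWD and not flags & UF_ACCOUNTDISABLE]


if __name__ == "__main__":
    for name, flags in SAMPLE_ACCOUNTS:
        print(f"{name:15} {flags:#08x} {', '.join(decode(flags))}")
    print("Review:", audit_never_expires(SAMPLE_ACCOUNTS))
```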
Trying to suss out what SUS is up to?
I found a useful script on the SUSserver.com website for detecting and interpreting the automatic updates client registry settings.
Microsoft Scripting Host (Monad)
A few weeks back I published a post about Microsoft’s plans to withdraw support for VBScript. One of my clients tipped me off a couple of days back with some more information about the new Microsoft Scripting Host (MSH) shell – codenamed Monad, which will be included in the Windows Server product codenamed Longhorn.
Windows and .NET Magazine reports that:
“Monad is a new administration scripting and automation solution for Longhorn. Although the technology is roughly 2 years away from being released, Monad appears to be Microsoft’s long-awaited comprehensive, consistent, and unified systems administration model designed from the ground up for Windows IT professionals…Monad will be the technology through which Microsoft and Independent Software Vendors (ISVs) will enable their Windows applications to be managed from the command line and automated using shell scripts.”
Microsoft to withdraw support for VBScript
OK, we’ve all heard of Microsoft trying to withdraw support for a product (NT 4.0 anybody?), but at a recent partner event they stated that support for VBScript is to be phased out. Apparently there is a replacement product codenamed Monad, which will allow the scripting of console applications. When I pushed for timescales, I was told that it won’t be tomorrow, but could be as soon as 12-18 months before VBScript is withdrawn.
Expect to see an outcry soon from Windows system administrators everywhere!
Scripting page file modifications for Windows 2000, XP and Server 2003
A useful new feature of Windows XP and Windows Server 2003 is the PagefileConfig utility (pagefileconfig.vbs) which enables an administrator to display and configure a system’s virtual memory settings from the command line.
As this new feature is implemented as a Visual Basic script, I tried it on Windows Server 2000 and it works – with one proviso – before running the script, I needed to copy the cmdlib.wsc Windows Script Component from Windows Server 2003 and register it (regsvr32 cmdlib.wsc /s). Just to be sure about the state of my Windows 2000 server, once the page file modifications had been made, I unregistered cmdlib.wsc (regsvr32 /u cmdlib.wsc /s) and deleted the file.
Of course, one useful parameter to have when scripting page file operations is the amount of physical RAM installed in the computer. For this, I used the getram.vbs script from Rob van der Woude’s scripting pages.
HP lights-out configuration utility
One of the most significant additions to server hardware in recent years has been the inclusion of on-board management facilities. HP, IBM and Dell all have their own hardware implementations, but I’ve been looking at a great piece of software for the Compaq/HP remote insight lights-out edition (RILOE) cards – the HP lights-out configuration utility (cpqlocfg.exe). This can be used (along with appropriate security credentials and an XML configuration file) to remotely manage servers from the command line, for example:
cpqlocfg -s ipaddress -v -f poweron.xml
poweron.xml is a modified version of one of the HP-supplied sample scripts which logs on to the server, sets write access and turns the power on. Full documentation on the scripting interface is available from the HP website.
Scripting changes to resource permissions in Windows
Earlier today, I needed to include some registry permissions changes within a command line script that I was writing. Microsoft knowledge base article 245031 discusses a method using the regini.exe resource kit tool for Windows NT 4.0; however, for Windows 2000, XP and Server 2003 there is the SubInACL utility (subinacl.exe) which is far more powerful and much easier to use, enabling administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.