List All Active Directory User Accounts in a CSV

We all know that maintaining hundreds of user accounts can be frustrating, especially when audit time comes around and you need a good list of information to hand to an auditor. Well, today I am your savior: this simple script will produce a list of users with some detailed information that can make audits or documentation much easier. The script creates a Comma Separated Values (CSV) file that you can edit in Microsoft Excel or any standard spreadsheet application, so you can customize the information before adding it to your report or audit. Below are the specific fields that this script will provide for your Active Directory users.

User Details

  • Name
  • Description
  • Profile Path
  • Home Drive
  • Account Disabled
  • Password Required
  • User Changeable Password
  • Password Expires
  • SmartCard Required
  • Login Count
  • Last Login (date)
  • Last Password Change (date)
  • Created (date)
  • Modified (date)

Script Configuration
Before running this script there is some minor configuration that must be done so it can communicate with your Active Directory setup.

  1. Find objConnection.Open "Active Directory Server" and change Active Directory Server to the name of your Domain Controller.
  2. Find the objCommand.CommandText line, "SELECT Name, description, profilePath, homeDrive, distinguishedName, userAccountControl FROM 'LDAP://dc=subdomain,dc=domain,dc=suffix' WHERE objectCategory='user'", and change subdomain, domain, and suffix to the parts of your domain name, i.e. for west.consco.com use dc=west,dc=consco,dc=com.
  3. Find Set logStream = objFSO.OpenTextFile("C:\domainusers.csv", 8, True) and change C:\domainusers.csv to the location where you want the file saved. Be sure to save it with the extension CSV.

' Exports Active Directory user accounts to a CSV file (see Script Configuration above)
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2

' userAccountControl bit flags
Const ADS_UF_ACCOUNTDISABLE = &H0002
Const ADS_UF_PASSWD_NOTREQD = &H0020
Const ADS_UF_PASSWD_CANT_CHANGE = &H0040
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const ADS_UF_SMARTCARD_REQUIRED = &H40000

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Server"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

objCommand.CommandText = _
    "SELECT Name, description, profilePath, homeDrive, distinguishedName, userAccountControl " & _
    "FROM 'LDAP://dc=subdomain,dc=domain,dc=suffix' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set logStream = objFSO.OpenTextFile("C:\domainusers.csv", 8, True)
logStream.WriteLine "Name,Description,Profile Path,Home Drive,Account Disabled,Password Required," & _
    "User Changeable Password,Password Expires,SmartCard Required,Login Count,Last Login," & _
    "Last Password Change,Created,Modified"

Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    Set objUser = GetObject("LDAP://" & strDN)
    intUAC = objRecordSet.Fields("userAccountControl").Value

    ' Decode the userAccountControl flags into the Yes/No columns
    If intUAC And ADS_UF_ACCOUNTDISABLE Then
        strFlags = "Yes"
    Else
        strFlags = "No"
    End If
    If intUAC And ADS_UF_PASSWD_NOTREQD Then
        strFlags = strFlags & ",No"
    Else
        strFlags = strFlags & ",Yes"
    End If
    ' Note: Active Directory enforces "cannot change password" through the object's
    ' permissions, so this bit is usually clear even when the user cannot change it
    If intUAC And ADS_UF_PASSWD_CANT_CHANGE Then
        strFlags = strFlags & ",No"
    Else
        strFlags = strFlags & ",Yes"
    End If
    If intUAC And ADS_UF_DONT_EXPIRE_PASSWD Then
        strFlags = strFlags & ",No"
    Else
        strFlags = strFlags & ",Yes"
    End If
    If intUAC And ADS_UF_SMARTCARD_REQUIRED Then
        strFlags = strFlags & ",Yes"
    Else
        strFlags = strFlags & ",No"
    End If

    ' LastLogin comes from the lastLogon attribute, which is not replicated between
    ' domain controllers, so it reflects only the DC this script connected to
    logStream.WriteLine CsvField(objRecordSet.Fields("Name").Value) & "," _
        & CsvField(objRecordSet.Fields("description").Value) & "," _
        & CsvField(objRecordSet.Fields("profilePath").Value) & "," _
        & CsvField(objRecordSet.Fields("homeDrive").Value) & "," _
        & strFlags & "," _
        & objUser.logonCount & "," _
        & CsvField(objUser.LastLogin) & "," _
        & CsvField(objUser.PasswordLastChanged) & "," _
        & CsvField(objUser.whenCreated) & "," _
        & CsvField(objUser.whenChanged)

    objRecordSet.MoveNext
Loop
logStream.Close

' Quote a field so commas or quotes inside it (common in descriptions) do not break the CSV
Function CsvField(value)
    CsvField = """" & Replace(value & "", """", """""") & """"
End Function
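The same report written in PowerShell, as an added example that is not the post's script: it tests the same five userAccountControl bits and produces the same Yes/No columns, but sends the rows through Export-Csv so a description containing a comma is quoted instead of shifting the columns. The three sample accounts are constructed placeholders whose property names match what Get-ADUser returns; the commented pipeline at the end is how you would feed real accounts in (it needs the ActiveDirectory module from RSAT). The output path and account names are assumptions.

```powershell
# Added example (not the post's script): decode userAccountControl into the audit
# columns listed above and write a properly quoted CSV.

# userAccountControl bit flags, same values as the VBScript constants
$ADS_UF_ACCOUNTDISABLE     = 0x0002
$ADS_UF_PASSWD_NOTREQD     = 0x0020
$ADS_UF_PASSWD_CANT_CHANGE = 0x0040
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
$ADS_UF_SMARTCARD_REQUIRED = 0x40000

function ConvertTo-UserAuditRow {
    # Turns one account object (Get-ADUser output or the samples below) into a report row
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        $uac = [int]$User.userAccountControl
        [pscustomobject]@{
            'Name'                     = $User.Name
            'Description'              = $User.Description
            'Profile Path'             = $User.ProfilePath
            'Home Drive'               = $User.HomeDrive
            'Account Disabled'         = if ($uac -band $ADS_UF_ACCOUNTDISABLE)     { 'Yes' } else { 'No' }
            'Password Required'        = if ($uac -band $ADS_UF_PASSWD_NOTREQD)     { 'No' }  else { 'Yes' }
            # AD enforces "cannot change password" through the object's permissions, so this bit is
            # usually clear; Get-ADUser's CannotChangePassword property is computed from the ACL instead
            'User Changeable Password' = if ($uac -band $ADS_UF_PASSWD_CANT_CHANGE) { 'No' }  else { 'Yes' }
            'Password Expires'         = if ($uac -band $ADS_UF_DONT_EXPIRE_PASSWD) { 'No' }  else { 'Yes' }
            'SmartCard Required'       = if ($uac -band $ADS_UF_SMARTCARD_REQUIRED) { 'Yes' } else { 'No' }
            'Login Count'              = $User.logonCount
            'Last Login'               = $User.LastLogonDate
            'Last Password Change'     = $User.PasswordLastSet
            'Created'                  = $User.whenCreated
            'Modified'                 = $User.whenChanged
        }
    }
}

function Export-UserAudit {
    # Writes the rows with Export-Csv (every field quoted, so commas in descriptions are safe)
    # and returns them so the caller can inspect or filter them
    param([Parameter(Mandatory)] $Users, [string] $Path = '.\domainusers.csv')
    $rows = @($Users | ConvertTo-UserAuditRow)
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    return $rows
}

# Constructed sample accounts (placeholders, not real users) with Get-ADUser's property names
$sampleUsers = @(
    [pscustomobject]@{
        Name = 'jdoe'; Description = 'Helpdesk, 2nd floor'; ProfilePath = '\\fs01\profiles\jdoe'; HomeDrive = 'H:'
        userAccountControl = 0x0200                             # NORMAL_ACCOUNT only
        logonCount = 42; LastLogonDate = [datetime]'2009-05-01'; PasswordLastSet = [datetime]'2009-03-15'
        whenCreated = [datetime]'2007-08-20'; whenChanged = [datetime]'2009-05-01'
    }
    [pscustomobject]@{
        Name = 'svc_backup'; Description = 'Backup service account'; ProfilePath = $null; HomeDrive = $null
        userAccountControl = 0x0200 -bor 0x10000 -bor 0x0002   # password never expires, disabled
        logonCount = 0; LastLogonDate = $null; PasswordLastSet = [datetime]'2006-01-10'
        whenCreated = [datetime]'2006-01-10'; whenChanged = [datetime]'2009-04-02'
    }
    [pscustomobject]@{
        Name = 'ksmith'; Description = 'Finance'; ProfilePath = $null; HomeDrive = 'H:'
        userAccountControl = 0x0200 -bor 0x40000 -bor 0x0020   # smart card required, password not required
        logonCount = 310; LastLogonDate = [datetime]'2009-05-14'; PasswordLastSet = [datetime]'2009-02-01'
        whenCreated = [datetime]'2005-11-03'; whenChanged = [datetime]'2009-05-14'
    }
)

$rows = Export-UserAudit -Users $sampleUsers
$rows | Format-Table Name, 'Account Disabled', 'Password Required', 'Password Expires', 'SmartCard Required' -AutoSize

# Against a real domain (needs the ActiveDirectory module from RSAT), replace $sampleUsers with:
# Get-ADUser -Filter * -Properties Description, ProfilePath, HomeDrive, userAccountControl, `
#     logonCount, LastLogonDate, PasswordLastSet, whenCreated, whenChanged
```

With the sample data, jdoe comes out as enabled with a required, expiring password, svc_backup as disabled with a never-expiring password, and ksmith as smart-card required with the password-not-required bit set, which is exactly the kind of row an auditor will ask about.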

Living without Cable

It is coming up on a year that I have not had to pay for cable television. I still have cable in my house, as it is the fastest, cheapest internet source for where I live, but I don't pay for any sort of standard TV programming with that.

Before I went without cable I was spending about $140 a month for an HD DVR, HD channels and extended basic, with HBO and standard 3 megabit internet. I am currently paying $55 a month for just 8 megabit high speed internet. There are some real savings there of over $1000, but the real question is, did I miss a show? The answer is no. I have a DVR through Hulu which never misses a show, unlike my DVR did, and if I'm hanging around that night and want to watch it live I am able to pick up ABC, CBS, FOX and NBC with over-the-air HD, so I'm really not missing out on much HD primetime TV when I'm home. Hulu and the other websites that give you TV over the internet go full screen and look great on my TV using my HP Z555 Media Center PC connected via HDMI.

For the shows that I cannot find on Hulu or their respective network's website, I turn to torrents, because if I have this problem so does everyone else. They are not hard to find, especially if you are looking for the latest episode of Heroes, for example; you can even get some in HD if you really want to spend the extra time downloading. I tend to stick with the standard DivX file. Also, with my skills at installing XBMC on the Xbox, I can see any of the media I have downloaded in the bedroom over my home network. Even better is Media Mall's PlayOn Media Server, which will access internet content including Hulu and stream it to "dumber" devices across your home network. This is how we have been able to see Hulu in the bedroom without using the XBMC Hulu plugin, which is still not ready for prime time.

For the most part I don't miss a show. I do miss ESPN, Versus and Fox Sports because they tend to carry the live sports that I would like to see, and although ESPN has ESPN 360 it doesn't carry the things I want to see, like NASCAR races or some college football games. So if you are a sports lover then you still might need cable or satellite for that; I find that it is just an excuse to go find some friends and watch the game with them, or find a bar and make new friends watching the game.

I will continue not paying for cable and enjoying saving that bit of cash. The only real problem I can see with this is bandwidth caps, which might force me to rethink this whole thing if they limit the amount of content that I can download, but for now the pipe is wide open and I will use it to my advantage.

National Bike to Work Day – May 15th

I would just like to remind everyone that tomorrow is National Bike to Work Day. For all of you out there who haven't tried biking somewhere in a while, this is a perfect time to start. I am on vacation at the moment but I still have not forgotten that it is Friday. Here in DC the local Bike and Roll rental shop will let you rent a bicycle for free all day on Friday if you live in DC and will use it to commute. I don't know what they are doing back in Texas, but anyone who hasn't ridden since they were a little kid needs to give it a shot. It is a great way to get into shape and save some money on that daily commute.

If you need a bike, Craigslist is probably the best way to get one cheap, especially right around when students are moving out. If you are curious about what a good brand is or whether a certain one will fit you, feel free to contact me or comment on this post.

The Bryan/College Station area is a great place to bike, as many roads in College Station have dedicated bike lanes or sidewalks. Bryan is less formal about bikes on the road; however, I've found all kinds of ways between the towns on the bike. My suggestion is to just give it a try. It isn't for everyone, but it sure does make you feel like you have accomplished something at the end of the day.

How to Deploy VNC using Group Policy

Do you spend too much time running from desk to desk just to help someone make a shortcut or change the default printer? This could be the solution for you. Using UltraVNC you can remotely view and control their workstation from your desk. This saves you from running around everywhere, and makes your users happier faster by solving their problems on the spot. You can also make your boss happy by making it authenticate with Active Directory. That ensures that everyone who has remote support access uses their own username and password, and it is easily managed with Active Directory groups. VNC works very simply: a server installed on every workstation shares out the desktop to other clients / viewer programs. By installing the VNC server on all your workstations you will be able to connect using the client / viewer application and provide hands-on support directly from your workstation.

Requirements

Making the MSI using VNCed
Now that you have the required software, the first thing we need to do is uncompress the VNCed UltraVNC MSI Creator to a folder on your desktop. Once that is done, run run.bat and it should pop up a GUI you can use to configure different parts of the UltraVNC Server.
[Screenshot: VNCed UltraVNC MSI Maker]
Using this interface you can adjust and explore the options you have to customize your UltraVNC deployment for your environment. The defaults here are a pretty good start, and you can click on each item to get a description of what it will change. You may want to install this on a test computer a few times before rolling it out.
At this time you also need to configure whether you will be using Active Directory authentication or just a plain password.

– To set up the plain password, just fill out the password item and leave newMSLogon unchecked.
– To set up Active Directory authentication, check newMSLogon; you will then need to make a file to select for aclImportFile. This file can either be generated based on the UltraVNC instructions, or you can use my file by creating a text file called MSACL.ini and pasting allow 0x00000003 "..\Domain Admins into it. That will allow anyone in the Domain Admins group to have full access to any machine set up using this MSI.

Once you have finished configuring the options for UltraVNC, hit the Generate UltraVNC MSI button at the bottom. This will generate UltraVNC.msi in the folder VNCed was extracted to. This file is what you will use to deploy UltraVNC to your workstations.

Using Group Policy to Deploy the MSI
First open your Group Policy Management Console (gpmc.msc) and either modify your existing Workstation Group Policy or make a new one just for the deployment of this application, depending on how you want to deploy it. Making a separate GPO for the install lets you deploy it to just a few machines and change settings only on those machines, whereas the workstation-policy method installs it on all workstations. This is really up to the requirements of your environment. Either way, look under Group Policy Objects for your domain and either create one or right-click on an existing one and edit it.
[Screenshot: Group Policy Software Installation]
Now use the tree on the left to browse to Computer Configuration > Software Settings > Software Installation, right-click on Software Installation and select New > Package… It will prompt you with an open dialog box; go and select the MSI that we created earlier. If all goes well you should end up with something like the screenshot shows. Now the only thing left is to link it to the OUs that you want it to affect if you created a new GPO, or let your workstation group policy deploy it to all the workstations the next time they restart.

Firewall Configuration
[Screenshot: Group Policy Firewall Configuration for UltraVNC]
If you run a firewall on your machines you will need to allow port 5900. If you are only running the default Windows Firewall you can configure this using the same group policy that you deployed UltraVNC with. Just go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile, select Windows Firewall: Define port exceptions, select Enabled, click the Show… button, click Add and fill in the entry (port 5900, TCP, the scope of addresses allowed to connect, and a name for the exception).
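On Windows 8 / Server 2012 and later the firewall also has PowerShell cmdlets, so the same exception can be scripted and, more importantly, limited to the addresses your support staff connect from rather than every host on the domain network. The two functions below are an added example, not part of the post or of UltraVNC: Set-VncFirewallRule creates the scoped rule (the rule name and the support subnet are assumed values), and Test-VncFirewallExposure lists every enabled inbound rule that allows TCP 5900 and flags any whose remote scope is Any, which is what you want to catch after a policy refresh.

```powershell
# Added example: scope the UltraVNC port exception and audit what is already open.
function Set-VncFirewallRule {
    param(
        # Addresses or subnets support staff connect from (assumed values; adjust to your network)
        [Parameter(Mandatory)] [string[]] $SupportAddresses,
        [string] $DisplayName = 'UltraVNC Server (TCP 5900)'   # assumed rule name
    )
    # Remove any earlier copy of the rule so re-running leaves exactly one rule
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 5900 -Profile Domain -RemoteAddress $SupportAddresses
}

function Test-VncFirewallExposure {
    # Returns every enabled inbound Allow rule for TCP 5900 together with the remote scope it applies to
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '5900' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($addr -join ', ')
                OpenToAnyHost = ($addr -contains 'Any')   # True means any host on the network may connect
            }
        }
}

# Usage (run elevated on a workstation, or from a GPO startup script):
# Set-VncFirewallRule -SupportAddresses '10.10.5.0/24', '10.10.6.15'
# Test-VncFirewallExposure | Format-Table -AutoSize
```

The scope matters because the VNC server answers on 5900 for every workstation in the OU; with a Domain Admins ACL in MSACL.ini, a rule open to Any turns each workstation into a target for password guessing from anywhere on the LAN, whereas a rule scoped to the support subnet keeps the listener reachable only from the desks that actually use it.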

For any other questions you have, feel free to leave a comment and I will be happy to assist you with the deployment.

For any other detailed information about UltraVNC you should check out their website at http://www.uvnc.com

Ready for a Little Vaycay

Today I leave for parts of the country unknown (to me at least), I am headed to Washington DC. This swamp is home to our congress, president and many other crazy agencies that I’m sure are watching me type this blog post. We plan on checking out all the cool monuments that our tax dollars have purchased and maybe hassle our representative about some governmental issue that currently escapes me. In any case, I’m sure Jen and I will have a good time discovering the city and how to get around using their subway system. The one crown jewel for me on this trip I am looking forward to is the Smithsonian, it should be quite the experience at least that is what I am hoping for. The weather looks like it will be okay, we will have a few rainy days but there looks to be plenty of inside activities to do once we get there. We are technically staying across the river in Arlington, VA so we will get to commute in everyday as well. Here is wishing that all our luggage makes it and our flights are not delayed. Good Day.

How to Remotely Manage Workstation in Your Network

You would be surprised at how often I solve a user's issue without having to leave my desk. Users typically call me because they need an icon, need a print job canceled, or can't find the file they are looking for. Here are some helpful methods that you can use in your environment to fix problems without leaving your desk.

Using Hidden Drive Shares
[Screenshot: Hidden Remote Administration Share]
This is one of the easiest to use and most flexible ways to manage files on remote workstations. By default Microsoft Windows shares each hard disk drive as a hidden share that only administrators can access. When you set up your domain you basically centralize user authentication, so you now have an administrator account on all the computers in your domain. This does require that File and Printer Sharing is allowed through the Windows Firewall, but in most environments this is most likely already on. To enable it from the command line just type netsh firewall set service type = fileandprint mode = enable in a command line window or the Run box. To configure it using Group Policy, follow these instructions:

  1. Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.

  2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then open either Domain Profile or Standard Profile, depending on which profile you want to configure.

  3. In the details pane, double-click Windows Firewall: Allow file and printer sharing exception.

  4. In the Windows Firewall: Allow file and printer sharing exception dialog box, on the Settings tab, click Enabled or Disabled.

To access these shares, go to the UNC path of the computer followed by the drive letter and a dollar sign, e.g. \\computername\C$, and bam, there is the entire drive of that computer. Now you can browse into Documents and Settings, into the user's folder, and add the icon to their desktop, all from your computer. This should work on any Microsoft Windows since 2000, including the server operating systems.

Remote Microsoft Management Console
[Screenshot: Remote Computer Management Console]
If you are not familiar with the Microsoft Management Console, or MMC, then you need to be. It is a unified management console that allows you to adjust settings not only on your computer but on remote ones as well. To use it remotely you need to enable "Remote Administration" in the Windows Firewall; this can be done by running the following command: netsh firewall set service type = remoteadmin mode = enable, or you can enable it using Group Policy by following these steps from Microsoft's article:

  1. Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.

  2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then open either Domain Profile or Standard Profile, depending on which profile you want to configure.

  3. In the details pane, double-click Windows Firewall: Allow remote administration exception.

  4. In the Windows Firewall: Allow remote administration exception properties dialog box, on the Settings tab, click Enabled or Disabled.

Once you have the exception in place you can manage the machine remotely, either by choosing the computer from a menu inside the console or by starting the console from the command line already pointed at a computer. To start the Computer Management console from the command line, just type compmgmt.msc /computer:computername in your Run box or at the command line and it should open the Computer Management console connected to that remote computer. Now you can go through the different parts of the machine from your desktop without interrupting the user. You should be able to do most things that you could if you were running it locally on the PC, except for Device Manager, which is read-only.

Remote Registry Editing
[Screenshot: Remote Registry Editing]
Another less known feature of the registry editor is the ability to open a remote computer's registry and make changes. To open the registry editor, type regedit in your Run box or at the command line; once it has opened, go to the File menu and select Connect Network Registry…, then just type in the name of the computer in the box and it should open as another computer in the tree view. There are a few things to be aware of when editing another computer's registry: you cannot undo your changes, so be sure you know what you are doing, or the next call might be about the computer you just hosed by changing something you shouldn't have. Also, the current user's hive is sort of hard to find. It is under HKEY_USERS, and it is probably something like S-1-5-XX-XXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXXX; if you have multiple entries like this you will need to check the SESSIONNAME value under each one's Volatile Environment key, and the one where it is set to Console is that user's HKEY_CURRENT_USER hive. HKEY_LOCAL_MACHINE is in the same place in both the remote registry and the local one.
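The hive lookup just described, scripted as an added example (not from the post): it opens HKEY_USERS on the named computer through the same Remote Registry service regedit's Connect Network Registry uses, walks the S-1-5-21-… keys, reads SESSIONNAME from Volatile Environment (on Vista and later the value sits in a numbered per-session subkey, so both places are checked) and reports which loaded hive belongs to the console session. It needs the same administrator rights on the remote machine that regedit would; the computer name in the usage line is an assumption.

```powershell
# Added example: find which HKEY_USERS hive is the console user's HKEY_CURRENT_USER on a remote PC.
function Get-SessionName {
    # Returns SESSIONNAME from a Volatile Environment key, checking the key itself (XP/2003)
    # and its numbered per-session subkeys (Vista and later); $null when no session is recorded
    param([Microsoft.Win32.RegistryKey] $VolatileEnv)
    $name = $VolatileEnv.GetValue('SESSIONNAME')
    if ($name) { return $name }
    foreach ($sub in $VolatileEnv.GetSubKeyNames()) {
        $sess = $VolatileEnv.OpenSubKey($sub)
        if ($null -eq $sess) { continue }
        try {
            $name = $sess.GetValue('SESSIONNAME')
            if ($name) { return $name }
        } finally { $sess.Close() }
    }
    return $null
}

function Get-LoadedUserHive {
    # Lists each loaded user hive under HKEY_USERS on $ComputerName with its session name and account
    param([string] $ComputerName = $env:COMPUTERNAME)
    $users = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try {
        foreach ($sid in $users.GetSubKeyNames()) {
            # Only domain/local user SIDs; skips .DEFAULT, service SIDs and the *_Classes keys
            if ($sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }
            $volatile = $users.OpenSubKey("$sid\Volatile Environment")
            if ($null -eq $volatile) { continue }      # hive loaded but no interactive session
            try { $session = Get-SessionName $volatile } finally { $volatile.Close() }
            # Resolve the SID on the admin's machine; local accounts of the remote PC will not resolve
            $account = try {
                ([System.Security.Principal.SecurityIdentifier] $sid).Translate([System.Security.Principal.NTAccount]).Value
            } catch { '(unresolved local account)' }
            [pscustomobject]@{
                ComputerName = $ComputerName
                Account      = $account
                Sid          = $sid
                SessionName  = $session
                IsConsole    = ($session -eq 'Console')
                HivePath     = "HKEY_USERS\$sid"
            }
        }
    } finally { $users.Close() }
}

# Usage (assumed computer name): Get-LoadedUserHive -ComputerName 'workstation01' | Format-Table -AutoSize
```

A row with IsConsole set to True is the hive to edit for the person sitting at the machine; rows whose SessionName looks like RDP-Tcp#0 belong to remote desktop sessions, and a hive with no Volatile Environment key at all is usually a profile left loaded by a service or a scheduled task rather than a logged-on user.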

Disable Windows Games Using Software Restriction Policy

Do you find that your users spend more time in FreeCell and Minesweeper than actually doing work? Then one would say that it is time to block those applications from being started. To do this you can use the Software Restriction Policy that is built into Group Policy and your domain. What you will need to do is create a new Group Policy (you could call it "No Windows Games"), edit it, and drill down into Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies. There you will probably be presented with "No Software Restriction Policies Defined"; now right-click back on Software Restriction Policies in the tree view on the left and select Create New Policies. Now you should have the option for Additional Rules. This is where your restrictions go. Microsoft has a long article about what the different types of rules are and what you can do with them, but since we just want to block Windows games we just need to add New Path Rules with the Disallowed option for the following paths:

  • %SystemRoot%\system32\freecell.exe
  • %SystemRoot%\system32\mshearts.exe
  • %SystemRoot%\system32\sol.exe
  • %SystemRoot%\system32\spider.exe
  • %SystemRoot%\system32\winmine.exe
  • C:\Program Files\MSN Gaming Zone
  • C:\Program Files\Windows NT\Pinball\PINBALL.EXE

Once these restrictions are in place you can link the policy to the OU or workstations to make them take effect. Your end result should look something like this:
[Screenshot: No Windows Games Group Policy]
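To confirm that a workstation actually picked the policy up after gpupdate, the added example below (not from the post) reads the Software Restriction Policy rules that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer (and the per-user copy under HKCU) and checks that each game path from the list above is present as a Disallowed path rule. The expected paths are copied from the post; the level numbers are the policy's own (0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted). Because path rules match only the listed location, this check also tells you nothing about copies of the executables elsewhere; a hash rule from the same Additional Rules dialog covers those.

```powershell
# Added example: read the effective SRP path rules and verify the games list is blocked.
$SaferLevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SaferPathRule {
    # Enumerates Software Restriction Policy path rules from the machine and user policy keys
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path $base)) { continue }
        foreach ($levelKey in Get-ChildItem -Path $base) {
            $level = $levelKey.PSChildName -as [int]
            if ($null -eq $level) { continue }        # not a security-level key
            $pathsKey = Join-Path $levelKey.PSPath 'Paths'
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
                $rule = Get-ItemProperty -Path $ruleKey.PSPath
                [pscustomobject]@{
                    Scope       = $hive
                    Level       = $SaferLevelNames[$level]
                    Path        = $rule.ItemData        # REG_EXPAND_SZ, returned already expanded
                    Description = $rule.Description
                    RuleId      = $ruleKey.PSChildName  # the GUID Group Policy assigned to the rule
                }
            }
        }
    }
}

# The paths from the post, in the form they are entered into the New Path Rule dialog
$BlockedGamePaths = @(
    '%SystemRoot%\system32\freecell.exe'
    '%SystemRoot%\system32\mshearts.exe'
    '%SystemRoot%\system32\sol.exe'
    '%SystemRoot%\system32\spider.exe'
    '%SystemRoot%\system32\winmine.exe'
    'C:\Program Files\MSN Gaming Zone'
    'C:\Program Files\Windows NT\Pinball\PINBALL.EXE'
)

function Test-GamesBlocked {
    # Returns one row per expected path saying whether a Disallowed rule for it is in effect
    $disallowed = @(Get-SaferPathRule | Where-Object Level -eq 'Disallowed' | ForEach-Object { $_.Path })
    foreach ($p in $BlockedGamePaths) {
        $expanded = [Environment]::ExpandEnvironmentVariables($p)
        [pscustomobject]@{
            Path    = $p
            Blocked = ($disallowed -contains $expanded)   # string comparison is case-insensitive
        }
    }
}

# Usage, on a workstation the GPO is linked to (after gpupdate /force):
# Get-SaferPathRule | Format-Table -AutoSize
# Test-GamesBlocked  | Format-Table -AutoSize
```

Get-SaferPathRule is also handy on its own when troubleshooting a workstation that blocks something it shouldn't: it shows every path rule in effect, including ones inherited from other GPOs, with the level each one applies.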

Waiting on the HTC Touch Pro 2

Here in the past year I joined the smartphone crowd, thanks to the university paying for my data plan. I am currently with AT&T and enjoy their coverage and speed for the most part. It seems to be faster in larger cities, but College Station is special in that we have extra capacity in the summer and a lack of capacity the rest of the time. We do have 3G here for AT&T, and on a good day my Blackjack can load most webpages in just a few seconds; of course I have been using just the Internet Explorer WAP browser that comes with all Microsoft Windows Mobile phones. Although I can't get full webpages like on other phones such as the G1 or iPhone, I have been rather happy with it for the most part, but I am ready for an upgrade according to my contract and my preference.

I am very sure that I want a Windows Mobile phone, even with the limitations of the OS. Lots of people complain that the OS is not built for touch and is generally hard to use. Well, the way Windows Mobile works makes sense to me because I have been using it forever. I bought a Dell Axim X5 Advanced the day they came out, and ever since then I have been sold. It works just like Windows; I just don't understand how people can't grasp that, just like on every other Windows computer, you go to the Start Menu to find your apps. Then again, most people who buy smartphones never added apps until an App Store made it too easy to buy applications. I hate any app store that has rules about what it will and will not allow in because a carrier may not want it running on their network, or because it might compete against an application that is built into the phone's OS. This makes a very slippery slope where soon you won't be able to use the apps you want on the hardware or network you want to use them on. But that could be a whole other post; I am unhappy that the Microsoft App Store has so many limitations that help protect its subpar media player and other software.

Anyway, it isn't the software that sells me, it is the WVGA touch screen with the slide-out keyboard. I think it will be cool to see what developers will be able to do with a full-sized screen on a mobile device. The keyboard also looks large enough for me to handle; the one on the Blackjack is a little small and I keep finding that I mistype things because my fingers are a bit too big. I definitely do not want an onscreen keyboard. I've supported iPhones at work and find them to have the most horrid keyboard ever; I have a hard time typing configuration information on the device and I can only imagine how bad it would be if I had to type on it every day. The other thing I don't like about the Blackjack is that I have a hard time getting to certain numbers and symbols that are much more easily found on the Touch Pro.

With my mind made up, I am waiting for the HTC Touch Pro 2 to come to AT&T whenever that might be; I am hoping for sometime this summer when Windows Mobile 6.5 finally becomes available. So until then, just behold the glory of the Touch Pro 2.
[Image: HTC Touch Pro 2]

Passing Parameters to VB Script to Map Network Drives

The other day I got an instant message from a fellow network administrator asking for a script that would map drives by simply passing parameters from the command line. This sent me into Google mode, checking how parameters are passed into Visual Basic Script and then applying the basic network drive mapping script. Now I feel the only proper thing to do is share it with everyone out there who is looking for the same thing he was. This is a very simple script that does something equally simple. Hopefully this will simplify some of the group policies that are out there.

Usage: mapme.vbs Z \\server\share
This results in passing Z as the drive letter and mapping it to the UNC path \\server\share.

Set objArgs = WScript.Arguments
If objArgs.Count < 2 Then WScript.Echo "Usage: mapme.vbs <drive letter> \\server\share" : WScript.Quit 1
Set objNetwork = WScript.CreateObject("WScript.Network")
' objArgs(0) is the drive letter, objArgs(1) is the UNC path to map it to
objNetwork.MapNetworkDrive objArgs(0) & ":", objArgs(1)

Remove Temporary Files at Logoff

Over time users tend to open a lot of programs that write little files to be used just once, to print a document or hold a small setting for a program. These items build up over time and cause your computer to run slower: your antivirus solution has to scan them, and your hard drive takes longer to find free space to write your new file, or has to spend more time gathering up fragments of your file from in between these temp files. The solution here is pretty simple: these files need to go, and probably the easiest solution is to remove them when the user logs off. This doesn't require any more time from the user and typically isn't a problem, since most computers are logged on and off once a day.

This script will clear the user's main temporary folder as well as the temporary internet files they have gathered while surfing the web. When we implemented this script we noticed that the antivirus scan time and the number of files it scanned were significantly reduced, providing a better and faster workstation for your users. This script should be placed in the Group Policy for users as one of their logoff scripts.

' Logoff script: removes the user's Temporary Internet Files and the contents of their Temp folder
Const TEMPORARY_INTERNET_FILES = &H20&   ' Shell special folder: the user's Temporary Internet Files
Const TemporaryFolder = 2                ' FileSystemObject special folder: the user's %TEMP%
Dim intDepth

Set objShell = CreateObject("Shell.Application")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Clean user Temporary Internet Files
Set objNameSpace = objShell.Namespace(TEMPORARY_INTERNET_FILES)
Set objFolderItem = objNameSpace.Self
Set objFolder = objFSO.GetFolder(objFolderItem.Path)
intDepth = 0
RemoveFolder objFolder

' Clean user Temp files
Set tempFolder = objFSO.GetSpecialFolder(TemporaryFolder)
RemoveFolder tempFolder

Sub RemoveFolder(objFolder)
    ' Recursively remove files and subfolders; the top-level folder itself is kept.
    ' Files still open by a running program cannot be deleted, so those errors are ignored.
    intDepth = intDepth + 1
    On Error Resume Next
    For Each objFile In objFolder.Files
        objFile.Delete True
    Next
    Err.Clear
    On Error GoTo 0
    For Each objSubFolder In objFolder.SubFolders
        RemoveFolder objSubFolder
    Next
    intDepth = intDepth - 1
    If intDepth <> 0 Then   ' Don't delete the top-level folder
        On Error Resume Next
        objFolder.Delete True
        Err.Clear
        On Error GoTo 0
    End If
End Sub