Posts Tagged ‘User Accounts’

List All Active Directory User Accounts in a CSV

We all know maintaining hundreds of user accounts can be frustrating especially when it comes to audit time and you need a good list of information to pass on to an auditor. Well today I am your savory, this simple script will produce you a list of users with some detailed information that can make audits or documentation much easier. The script creates a Comma Separated Values file or CSV that you can edit in Microsoft Excel or any standard spreadsheet application so you can customize the information before adding it to your report or audit. Below are the specific fields that this script will provide detail on for your Active Directory Users.

User Details

  • Name
  • Description
  • Profile Path
  • Home Drive
  • Account Disabled
  • Password Required
  • User Changable Password
  • Password Expires
  • SmartCard Required
  • Login Count
  • Last Login (date)
  • Last Password Change (date)
  • Created (date)
  • Modified (date)

Script Configuration
Before running this script there is some minor configuration that must be done so it can communicate with your Active Directory setup.

  1. Find objConnection.Open "Active Directory Server" change Active Directory Server to the name of your Domain Controller
  2. Find objCommand.CommandText = _
    "SELECT Name, description, profilePath, homeDrive, distinguishedName,userAccountControl FROM 'LDAP://dc=subdomain,dc=domain,dc=suffix' WHERE objectCategory='user'"
    change subdomain, domain, and suffix to the name of your domain i.e. west consco com (respectively)
  3. Find Set logStream = objFSO.opentextfile("C:\domainusers.csv", 8, True) and change C:\domainusers.csv to the location where you want the file saved. Be sure to save it with the extension CSV
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2

Const ADS_UF_ACCOUNTDISABLE = &H0002 
Const ADS_UF_PASSWD_NOTREQD = &H0020 
Const ADS_UF_PASSWD_CANT_CHANGE = &H0040 
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000 
Const ADS_UF_SMARTCARD_REQUIRED = &H40000 
 
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Server"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 

objCommand.CommandText = _
    "SELECT Name, description, profilePath, homeDrive, distinguishedName,userAccountControl FROM 'LDAP://dc=subdomain,dc=domain,dc=suffix' WHERE objectCategory='user'"  
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Set objFSO = CreateObject("scripting.filesystemobject")
Set logStream = objFSO.opentextfile("C:\domainusers.csv", 8, True)
logStream.writeline("Name,Description,Profile Path,Home Drive,Account Disabled,Password Required,User Changable Password,Password Expires,SmartCard Required,Login Count,Last Login,Last Password Change,Created,Modified")
Do Until objRecordSet.EOF

	strDN = objRecordset.Fields("distinguishedName").Value 
	Set objUser = GetObject ("LDAP://" & strDN)
	 
	If objRecordset.Fields("userAccountControl").Value AND ADS_UF_ACCOUNTDISABLE Then
		Text = "Yes"
	Else
		Text = "No"
	End If
	If objRecordset.Fields("userAccountControl").Value AND ADS_UF_PASSWD_NOTREQD Then
		Text = Text & ",No"
	Else
		Text = Text & ",Yes"
	End If
	 
	If objRecordset.Fields("userAccountControl").Value AND ADS_PASSWORD_CANT_CHANGE Then
		Text = Text & ",No"
	Else
		Text = Text & ",Yes"
	End If	 
	If objRecordset.Fields("userAccountControl").Value AND ADS_UF_DONT_EXPIRE_PASSWD Then
		Text = Text & ",No"
	Else
		Text = Text & ",Yes"
	End If
	If objRecordset.Fields("userAccountControl").Value AND ADS_UF_SMARTCARD_REQUIRED Then
		Text = Text & ",Yes"
	Else
		Text = Text & ",No"
	End If
	
	logStream.writeline(objRecordset.Fields("Name").Value & ","_
		& objRecordset.Fields("description").Value & ","_
		& objRecordset.Fields("profilePath").Value & ","_
		& objRecordset.Fields("homeDrive").Value & ","_
		& text & ","_
		& objUser.logonCount & ","_
		& objUser.LastLogin & ","_
		& objUser.PasswordLastChanged & ","_
		& objUser.whenCreated & ","_
		& objUser.whenChanged & ","_
		)
		
    objRecordSet.MoveNext
Loop
logStream.Close

How to Deploy VNC using Group Policy

Do you spend too much time running from desk to desk just to help someone make a shortcut or change the default printer? This could be the solution for you. Using UltraVNC you can remotely view and control their workstation from your desk. This can save you time from running around everywhere, and make your users happier faster by solving their problems on the spot. You can also make your boss happy be making it authenticate with Active Directory. That will ensure that everyone that has the remote support access uses their own username and password, and it is easily managed with Active Directory Groups. VNC works very simply by installing a server on every workstation which allows it to share out the desktop to other clients / viewer programs. By installing the VNC Server on all your workstations it will allow you to connect using the client / viewer application and provide hands on support directly from your workstation.

Requirements

Making the MSI using VNCed
Now that you have the required software, the first thing we need to do is uncompress the VNCed UltraVNC MSI Creator to a folder on your desktop. Once completed, run the run.bat and it should popup a GUI interface you can use to configure different parts of the UltraVNC Server.VNCed UltraVNC MSI Maker
Using this interface you can adjust and explore what options you have to choose from to customize your UltraVNC Deployment for your environment. The defaults here are a pretty good start and you can click on each item to get a description of what it will change. You may want to install this to a test computer a few times before rolling it out.
At this time you also need to configure if you will be using if you will be using Active Directory Authentication or just a plain password.

– To setup the plain password just fill out the password item and leave the newMSLogon unchecked.
– To setup Active Directory Authentication check the newMSLogon and you will need to make a file to select for aclImportFile. This file can either be generated based on the UltraVNC Instructions or you can use my file by creating a text file called: MSACL.ini and pasting allow 0x00000003 "..\Domain Admins in to it. That will allow anyone in the Domain Admins group to have full access to any machine setup using this MSI.

Once you have finished configuring the options for UltraVNC hit the Generate UltraVNC MSI button at the bottom. This will generate your UltraVNC.msi in the folder in which VNCed was extracted to. This file is what you will use to deploy UltraVNC to your workstations.

Using Group Policy to Deploy the MSI
First you will need to open either your Group Policy Management Console (gpmc.msc) and either modify your existing Workstation Group Policy or make a new one just for the deployment of this application depending on how you want to deploy it. By making a different GP to install, it can allow you deploy it just to a few machines, and only change the settings on those machines, where as the workstation method installs it to all workstations. This really up to the requirements of your environment. Either way you will need to look under Group Policy Object for your domain and create one or right click on one and edit it.Group Policy Software Installation
Now use the Tree on the Left to browse to Computer Configuration > Software Settings > Software Installation and right click on Software Installation and select New > Package… It will now prompt you with an open dialog box, go and select the MSI that we created earlier. If all goes well you should end up with something like the screenshot shows to the left. If all goes well now the only thing you have to do is link it to the OUs that you want it to effect if you created a new one , or you let your workstation group policy deploy to all the workstations the next time they restart.

Firewall ConfigurationGroup Policy Firewall Configuration for UltraVNC
If you run a firewall on your machine you will need to allow port 5900 open. If you only running the default Windows Firewall you can configure this using the same group policy that you deployed UltraVNC with. Just go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile then select Windows Firewall: Define port exceptions select Enabled then click the Show… button and click Add and fill out the items to specification.

For any other questions you have feel free to leave a comment I will be happy to assist you with the deployment.

For any other detailed information about UltraVNC you should check out their website at http://www.uvnc.com

Remove Temporary Files at Logoff

Over time users tend to open a lot of items programs that write little files to be used just once to print a document or a small setting for a program. These items build up over time and cause your computer to run slower due to your antivirus solution scanning it, your hard drive taking longer to find a free space of disk to write your new file or has to spend more time gathering up fragments of your file from in between these temp files. The solution here is pretty simple, these files need to go, and probably the easiest solution is the remove them when the user logs off. This doesn’t require anymore time for the user and typically isn’t a problem since most computers are logged on and off once a day.

This script will remove the most common temporary folder for the user as well as remove any of the temporary internet files that they have gathered while surfing the web. When we implemented this script we noticed that the antivirus scan time and how many files it scanned were significantly reduced providing a better and faster workstation for your users. This script should be placed in the Group Policy for users as one of their logoff script.

Const TEMPORARY_INTERNET_FILES = &H20&
dim intDepth
 
Set objShell = CreateObject("Shell.Application")
Set objFSO = CreateObject("Scripting.FileSystemObject")

'Clean User Temporary Intenet Files
Set objNameSpace = objShell.Namespace(TEMPORARY_INTERNET_FILES)
Set objFolderItem = objNameSpace.Self
set objFolder=objFSO.GetFolder(objFolderItem.Path)
intDepth=0
RemoveFolder objFolder

'Clean User Temp Files
Const TemporaryFolder = 2
Set tempFolder = objFSO.GetSpecialFolder(TemporaryFolder)
RemoveFolder tempFolder

 
sub RemoveFolder(objFolder)
	' Recursively remove files and folders
	intDepth=intDepth+1
	on error resume next
	for each objFile in objFolder.Files
		objFile.Delete true
	next
	Err.Clear
	on error goto 0
	for each objSubfolder in objFolder.SubFolders
		RemoveFolder objSubFolder
	next
	intDepth=intDepth-1
	if intDepth<>0 then' Don't delete top-level folder
		on error resume next
		objFolder.Delete true 
		err.Clear
		on error goto 0
	end if
end sub

Remote Shutdown / Logoff Script using WMI

Have you ever been sitting at your desk working very hard trying to getting some business analytics report finished for your administrative team, only to be interrupted by the everyday user unable to log on the machine because someone else locked it. Then you have to get up and walk down there and manually login and unlock the workstation. Well this is now a thing of the past for you if you have enabled WMI and have a domain or common credentials on your network. This script will simply allow you to unlock a workstation with out getting up from your desk. Unfortunately, I didn’t write this script but I use it about every other day to unlock a workstation. It has a few good options to allow you to either Logoff / Reboot / Shutdown the workstation. This can also be helpful when the user has locked up the PC and can’t get it to restart, you can send a command from the workstation you are at for that one to restart. In way you end up using this script it will only save you time, I found it to be very reliable and super fast for resolving the locked computer situation. Also, please browse though the code as it is well commented and you can get a greater understanding of how it exactly works.

'/'|| Remote Shutdown.vbs
'||
'|| Created by Harvey Hendricks, MCSE, A+,
'|| March 2001
'||
'|| email: hhendrks@aramco.com
'|| hhend@swbell.net
'||
'||
'|| Based on techniques and ideas from:
'|| SMS admin, SMS Installer, & WMI forums -> http://www.myITforum.com/forums
'|| Win32 Scripting -> http://cwashington.netreach.net/
'|| Microsoft Windows Script Technologies -> http://msdn.microsoft.com/scripting
'|| Microsoft Online Library -> http://msdn.microsoft.com/library/default.asp
'|| Microsoft VBScript 5.5 documentation
'|| and Microsoft WMI SDK
'||
'||~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'|| SCRIPT LOGIC FLOW:
'|| Collects computername from user, calls function to ping the computername
'|| to determine if it is accessible, if not then display message and exit
'|| otherwise continue.
'|| Collects desired action to perform from the user, does error checking on
'|| the input to determine if it is acceptable, if not then display message
'|| and exit otherwise continue.
'|| Set variables and output messages based on the action chosen. Calls
'|| Win32Shutdown with the appropriate variable. Displays success message
'|| and exits
'||
'|| Uses WMI Win32Shutdown method from the Win32_OperatingSystem class
'|| to perform different logoff / powerdown / reboot functions
'||
'|| Testing found the following values to be effective on Win32Shutdown:
'|| Action decimal binary
'|| Logoff 0 0000
'|| Force Logoff 4 0100
'|| Reboot 2 0010
'|| Force Reboot 6 0110
'|| Powerdown 8 1000
'|| Force Powerdown 12 1100
'||
'|| Notice that the third bit from the right appears to be the "FORCE" bit.
'||
'|| A value of 1 will do a shutdown, ending at the "It is safe to turn
'|| off your computer" screen. I have no use for this and did not test it.
'||
'||
'||NOTES: - tested under Windows 2000 Pro. with ACPI compliant systems -
'|| SHOULD work under Windows NT4 without modification IF the
'|| system has compatible versions of WSH / WMI / VBscripting
'||
'||Logoff / Powerdown / Reboot:
'|| Does not work if a password protected screen saver is active or
'|| there is data to save. Either way the system waits for user input.
'||
'||Force Logoff / Force Powerdown / Force Reboot:
'|| Does not work if a password protected screen saver is active, will wait
'|| for user input. Otherwise will close open applications without saving data.
'||
'\/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


'/\/\/\/\/\/\/\/\/\/\/\/\/\/\ start function /\/\/\/\/\/\/\/\/\/\/\/\/\/'\/\/\/\/\/\/\/\/\/\/\/\/\/\/\______________/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
function Ping(byval strName)
dim objFSO, objShell, objTempFile, objTS
dim sCommand, sReadLine
dim bReturn

set objShell = WScript.CreateObject("Wscript.Shell")
set objFSO = CreateObject("Scripting.FileSystemObject")

'Set default return value
bReturn = false

'Create command line to ping and save results to a temp file
sCommand = "cmd /c ping.exe -n 3 -w 1000 " & strName & " > temp.txt"

'Execute the command
objShell.run sCommand, 0, true

'Get the temp file
set objTempFile = objFSO.GetFile("temp.txt")
set objTS = objTempFile.OpenAsTextStream(1)

'Loop through the temp file to see if "reply from" is found,
'if it is then the ping was successful
do while objTs.AtEndOfStream <> true
sReadLine = objTs.ReadLine
if instr(lcase(sReadLine), "reply from") > 0 then
bReturn = true
exit do
end if
loop

'Close temp file and release objects
objTS.close
objTempFile.delete
set objTS = nothing
set objTempFile = nothing
set objShell = nothing
set objFSO = nothing

'Return value
Ping = bReturn
end function
'/\/\/\/\/\/\/\/\/\/\/\/\/\/\ end function /\/\/\/\/\/\/\/\/\/\/\/\/\/'\/\/\/\/\/\/\/\/\/\/\/\/\/\/\______________/\/\/\/\/\/\/\/\/\/\/\/\/\/\/



'/\/\/\/\/\/\/\/\/\/\/\ Start Main body of script /\/\/\/\/\/\/\/\/\/\/\/'\/\/\/\/\/\/\/\/\/\/\/\_________________________/\/\/\/\/\/\/\/\/\/\/\/\/
'Get computer name to operate on
ComputerName=InputBox("Enter the Machine name of the computer" & vbCRLF _
& "you wish to Shutdown / Reboot / Logoff", _
"Remote Shutdown / Reboot / Logoff", _
"ComputerName")

'if Cancel selected - exit
If (ComputerName = "") Then Wscript.Quit

'change the name to uppercase
ComputerName=UCase(ComputerName)

'ping the computername to see if it is accessible
bPingtest = ping(Computername)

If bPingtest = FALSE Then
y = msgbox ("'" & ComputerName & "' is not accessible!" & vbCRLF _
& "It may be offline or turned off." & vbCRLF _
& "Check the name for a typo." & vbCRLF, _
vbCritical, ComputerName & " NOT RESPONDING")
Wscript.Quit
end IF

'Get the action desired
Action=InputBox( _
"Select Action to perform on " & ComputerName & vbCRLF & vbCRLF _
& " 1 - Logoff" & vbCRLF _
& " 2 - Force Logoff ( NO SAVE )" & vbCRLF _
& " 3 - Powerdown" & vbCRLF _
& " 4 - Force Powerdown ( NO SAVE )" & vbCRLF _
& " 5 - Reboot" & vbCRLF _
& " 6 - Force Reboot ( NO SAVE )" & vbCRLF & vbCRLF _
& "NOTE:" & vbCRLF _
& " Using Force will close windows" & vbCRLF _
& " without saving changes!", _
"Select action to perform on " & ComputerName, "")

'if Cancel selected - exit
If (Action = "") Then Wscript.Quit

'error check input
If (INSTR("1234567",Action)=0) OR (Len(Action)>1) then
y = msgbox("Unacceptable input passed -- '" & Action & "'", _
vbOKOnly + vbCritical, "That was SOME bad input!")
Wscript.Quit
end if

' set flag to disallow action unless proper input is achieved, 1 => go 0 => nogo
flag = 0

'set variables according to computername and action
Select Case Action
Case 1 'Logoff
x = 0
strAction = "Logoff sent to " & ComputerName
flag = 1
Case 2 'Force Logoff
x = 4
strAction = "Force Logoff sent to " & ComputerName
flag = 1
Case 3 'Powerdown
x = 8
strAction = "Powerdown sent to " & ComputerName
flag = 1
Case 4 'Force Powerdown
x = 12
strAction = "Force Powerdown sent to " & ComputerName
flag = 1
Case 5 'Reboot
x = 2
strAction = "Reboot sent to " & ComputerName
flag = 1
Case 6 'Force Reboot
x = 6
strAction = "Force Reboot sent to " & ComputerName
flag = 1
Case 7 'Test dialog boxes
y = msgbox("Test complete", vbOKOnly + vbInformation, "Dialog Box Test Complete")
flag = 0
Case Else 'Default -- should never happen
y = msgbox("Error occurred in passing parameters." _
& vbCRLF & " Passed '" & Action & "'", _
vbOKOnly + vbCritical, "PARAMETER ERROR")
flag = 0
End Select

'check flag
' if equal 1 (TRUE) then perform Win32Shutdown action on remote PC
' and display a confirmation message
' if not equal 1 (FALSE) then skip the action and script ends
if flag then
Set OpSysSet=GetObject("winmgmts:{(Debug,RemoteShutdown)}//" _
& ComputerName & "/root/cimv2").ExecQuery( _
"Select * from Win32_OperatingSystem where Primary=true")
for each OpSys in OpSysSet
OpSys.Win32Shutdown(x)
y = msgbox(strAction,vbOKOnly + vbInformation,"Mission Accomplished")
next
end If

'Release objects
set OpSys = nothing
set OpSysSet = nothing

Showing Active Directory Location

I have a very simple script for you today that will allow you to configure settings based on where a users and computers are within your Active Directory. This is very helpful when you are determining internet settings, file / printer connections and even desktop icons, but before you do all that you need a simple script to look up what your location / membership is in the directory. It will provide you with at path that is easily searched with string commands and can help diagnose why some users don’t get all the correct settings. This script returns to popup events, the first one gives you computer location: cn=nameofcomputer,ou=admin,dc=domain,dc=local and user location cn=username,ou=it,dc=domain,dc=local these are the strings you would search to determine who got which settings. Later I will show you how to use these settings to add icons, map drives, and map printers.

Set Network = WScript.CreateObject("WScript.Network")
Set objNetwork = CreateObject("WScript.Network") 
 compname = Network.ComputerName
 domname  = "domain"

 Set oNet = CreateObject("Wscript.Network")
 Set oTrans = CreateObject("NameTranslate")
 oTrans.Init 1, domname
 oTrans.Set 3, domname &"\"& compname &"$"
 sAdsPath = oTrans.Get(1)
 Set oNet = Nothing
 Set oTrans = Nothing
 sAdsPath = LCase(sAdsPath)
wscript.echo "Computer Location: " & sAdsPath


Set objNetwork = CreateObject("WScript.Network") 
Set objUser = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" & objUser.UserName)
colGroups = CurrentUser.memberOf
userlocation = lcase(objUser.UserName)

wscript.echo "User Location: "  & userlocation

List Local Accounts from Computers in Active Directory

When you finally take the plunge and decided that the only way to take your business to the next level is to setup a true client/server environment, here is a script to help you clean up those old accounts. When you convert to an Active Directory structure, you need to remove all the old local user accounts. This will reduce the security risks by removing accounts that you can’t force to conform to the rules setup by Group Policy. Also, if you were running these users as Administrators or Power Users and now have limited them down to a Standard user, without removing their old local accounts they may have elevated rights that they don’t need. Using this script you can query every computer in you Active Directory and get a list in CSV that you can use to know where that accounts are that need to be removed. In this script you can modify the output file so you can save the file where you want. You will also need to modify the Active Directory information to match your Domain configuration.

Tip: You can remotely connect other computers on your domain using “compmgmt.msc /computer:[remote computer]” from there you can manage user accounts in Local Users and Groups.

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "MYDomainController" 'put domain controller here

Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name, Location from LDAP://DC=subdomain,DC=zim,DC=local' " _  'update this with your AD information
        & "Where objectClass='computer'"  
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
	LocalUsers objRecordSet.Fields("Name").Value, "C:\localaccounts.csv" 'adjust output file name as needed
    objRecordSet.MoveNext
Loop

Sub LocalUsers(strComputer, strFilename)
	On Error Resume Next
	Set StdOut = WScript.StdOut
	 
	Set objFSO = CreateObject("scripting.filesystemobject")
	Set logStream = objFSO.opentextfile(strFilename, 8, True)
	 
	Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
	If Err.Number Then
	      logStream.writeline(strComputer & ",Offline")
	      Err.Clear
	Else
		Set colAccounts = GetObject("WinNT://" & strComputer)
		colAccounts.Filter = Array("user")

		For Each objUser In colAccounts
		        logStream.writeline(strComputer & ",Online," & objUser.Name & "," & objUser.AccountDisabled) 
		Next
	End If

	logStream.Close
End Sub
Twitter Delicious Facebook Digg Stumbleupon Favorites More