Windows Server 2003 Administration

The goal of this blog is to facilitate a central script repository for Windows 2003. I have of course one motivation for writing this, it is because I’m lazy and I don’t want to clic daily too many times doing the same thing, so it is better to script a little.
In fact there are a couple of good sites with this kind of command line and scripting, but in my experience I had to google a lot to find the required information, specially for some complex queries against Active Directory. The Scripting guys and the Microsoft Script Repository concentrate in Windows 2000 and sometimes I receive a message "service unavailable" when I visit Microsoft's page,so I prefer to use the Help and Windows 2003 command tools.

Let’s practice and see some examples



1. Active Directory Administration: Embedded tools in XP and Windows 2003
Some queries don’t run if the domain functional level is not Windows 2003.

Dsquery

Powerfull tools and derivates:

Dsquery – Queries Active Directory according to specified criteria
Dsadd – Adds objects to Active Directory
Dsget – Gets information about the object and displays its properties
Dsmove – Moves objects in Active Directory
Dsmod – Modifies specific from objects in Active Directory
Dsrm – Deletes objects or a portion of them in Active Directory

Computer Accounts

The whole syntax is the same you will find in Windows Help, so it doesn’t make sense for me to me to copy the syntax in this blog.

Daily taks in workstations:

a) Create a workstation account:

dsadd computer "computername" -desc "description"

Real case:
dsadd computer "CN=computer2,OU=TORONTO,DC=TESTING,DC=COM"
-desc "MktPC" -loc "5th Floor”


b) Reset a computer account(reset workstation account):

If the workstations loses the trust to the domain, reset the account, you’ll see an entry in event viewer so you can proceed with this task surely.

dsmod computer "computername" -reset

Real case:

dsmod computer "CN=computer2,OU=TORONTO,DC=TESTING,DC=COM" –reset

c) You can also test the workstation security channel to the domain controller with this syntax too:

nltest.exe /server:PcMarketing /sc_query:TESTING.COM

You will have a similar output like this, if the channel is ok:

Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\DomainController02.TESTING.COM
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

d) Move a workstation account:

dsmove " computername " -newparent "NewParentDN"

Real case:

dsmove "CN=PCTEST, OU=LOSTPCs,DC=TESTING,DC=COM" -newparent "OU=SALES,OU=MKT,OU=BOSTON,DC=TESTING,DC=COM"

e) Let’s clean the Active Directory from inactive workstations:

If you use:

Dsquery computer –inactive 180

It will only run in Windows 2003 domain functional level and localizes inactive PCs in the last 180 days.

If you use:

Dsquery computer –stalepwd 180

You will have a listing of suspect workstations that did not renew their passwords in the last 180 days against the domain controller. It’s true, it can find some PCs that because of an operating system error, did not renew their passwords, but in most cases these are really few. Once you have have the script, you can delete or disable these workstation accounts.

If you want to list AND move rogue workstations, run this query:

for /F %a in ('dsquery computer -stalepwd 60') do @dsmove %a -newparent OU=PCs,OU=Disabled,DC=TESTING,DC=COM

these query puts these accounts in the OU “Disabled”, next you can modify the script to disable or delete these accounts.


f) Identify PCs in the “Computers” container:

Sometimes you check that some PCs have GPO conflicts or problems to download the GPO, it happens oft when they are for the first time added to the domain and not moved to their containers. So, identify and move them !!

dsquery computer cn=Computers,DC=TESTING,DC=COM>c:\PCsOUComputers.txt

the query puts the result to a txt file, so you can later import it to an Excel.

Tip:
You want to see who is logged on that PCs, so download the tool pslogged from: www.sysinternals.com,
Copy it in your system32 path and execute psloggedon \\PCName then run:

dsquery user -samid username | dsget user -fn -ln -display -office –desc

you identify so the user, location and other useful information to move that PC to the respective OU.

Note: Don´t forget that for most scripts deployed to the domain and PCs, you should have the necessary admin rights.

g) Get a listing on the fly from the workstations in the domain:

dsquery computer –limit 600

or the import to version:

dsquery computer –limit 600>c:\domainPCs.txt

Note: Limit 600 refers to the quantity of workstations in the domain.

User Accounts



Daily “User Tasks”:

a) Adding users as a batch creation:

for /L %d in (1,1,50) do dsadd user cn=user%d,ou=OUTEST,dc=TESTING,dc=COM -pwd 12345678910 -office "BOSTON" -title "Operator" -dept Ingen -mustchpwd yes -canchpwd yes -disabled yes

you get 50 dummy users to work in testing environments or modify them to production users.

The individual creation is simpler, here you get the syntax plus a login script option:

dsadd user cn=dummyuser,ou=OUTEST,dc=TESTING,dc=com -display DUMMY -pwd mypassword -office "BOSTON" -title "Operator" -dept Ingen -loscr scriptlogin.vbs -mustchpwd yes -canchpwd yes -disabled yes


b) User queries in the Active Directory_

dsquery user and dsget user are veru useful together:

Check the SAM account name, irst and last name:

dsquery user | dsget user –samid –fn –ln

The same query in a specific OU:

dsquery user "OU=Users,OU=Consulting,OU=BOSTON,OU=USA,DC=TESTING,DC=com" | dsget user -display –samid

Move a user from one OU to another:

dsquery user -name "USER1" | dsmove –newparent "OU=BOSTON,DC=TESTING,DC=COM"

Check which user accounts expire soon:

dsquery user OU=BOSTON,DC=TESTING,DC=COM | dsget user -samid -fn -ln -acctexpires

with this you work in a proactive environment and don´t bother to receive calls over the weekend.

With this you get inactive users or suspected from inactivity(output to txt).

dsquery user -stalepwd 90 –limit 1000>c:\users.txt

Note: 1000 is the object quantity and you can import the txt to Excel for better manipulation.

Find the group membership of a user:

dsquery user -samid John | dsget user -memberof –expand

or with a better output, in a double piping:

dsquery user -samid John | dsget user -memberof -expand | dsget group -samid

Reset the user password:

dsquery user -samid Cocoliso | dsmod user -pwd nuevopassword

Check which users don´t have a login script assigned:

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(!scriptPath=*))" -limit 0 -attr sAMAccountName sn givenName pwdLast Set distinguishedName

Check which user names begin with z:

dsquery user -name z*

GROUPS

For the next scripts, please refer to the Microsoft Help if you have doubts in terms of groups in Active Directory:


Let’s practice some more and see more examples:

a) Creating groups:

Creating a security group with domain local scope:

dsadd group "cn=DL_ING, ou=ULM, dc=TESTING, dc=COM" -secgrp yes -scope L

Creating a security group with universal scope:

dsadd group "CN=INGES,OU=Caracas,DC=TESTING,DC=COM" -samid "ING" -secgrp no -scope u

b) Group membership

Check which users belong to the Consulting Group:

dsquery group -name Consulting | dsget group –members


Check which groups begin with g_, which scope they have and if they are security groups:

dsquery group -name g_* | dsget group -dn -scope –secgrp

Or check the membership of a group itself:

dsquery group -name G_Internet | dsget group -memberof


c) Changing Group membership

Change the group membership from the domain users group to a specific group, G_DomainUsers:

dsquery user -name * | dsmod group "CN=G_DomainUsers,CN=Users,DC=seattle,DC=cpandl,DC=com" - chmbr

d) Move the members of a group to another group:

dsget group "CN=GG_SALES,OU=OFC,DC=TESTING,DC=com" -members | dsmod group "CN=G_INGES,OU=La Habana,DC=TESTING,DC=com" -addmbr

e) Mantaining Groups:

Check the groups withouth members:

dsquery * -filter "&(objectCategory=group)(!member=*)" -limit 0 -attr whenCreated whenChanged groupType sAMAccountName distinguishedName memberOf


Check which users don´t belong to any group:

dsquery * domainroot -filter "(&(objectcategory=person)(Objectclass=user)(!memberof=*))"


SERVERS

Dsquery server

To find all domain controllers in the domain TESTING.COM that are global catalog servers:
dsquery server –domain TESTING.COM -isgc

Finds all DCs and display their relative distinguished names, type:

dsquery server -o rdn -forest

Finds all DCs in the site BOLIVIA and display their relative distinguished names, type:

dsquery server -o rdn -site BOLIVIA

Finds the DC in the forest that holds the schema operations master role:

dsquery server –forest –hasfsmo schema

Finds all DCS for TESTING.COM and display their DNS host name and site name

dsquery server -domain TESTING.COM | dsget server -dnsname –site




I’ll be updating these information and upload some other scripts that are useful for my daily job, I hope they are useful to all of you.