3/27/2009

Sysinternals Networking Utilities (AD restore)

After trying (in my opinion) the most important tools from the category “System Information”, let’s go to the next category, “Sysinternals Networking Utilities”.
One of the most typical problems for AD administrators is deleted (tombstoned) objects.

Let’s see one typical case: you have an executive user, say Bill Gates, with logon name bgates in the OU La Habana:



You accidentally delete this user (this is also valid for other AD objects: groups, computers, etc.). Normally, you would restore the AD completely from a system state backup, or use another restore method with third-party tools, with all the risks that the backup is not functional, or that you don’t have the backup tape near you, etc. But Sysinternals has a good alternative: adrestore.

Download this tool:
http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx

and copy it to the windows\...\system32 path in the DC where you are restoring the object.

Now let’s DELETE this user Bill Gates. Immediately after that, go to your DC, open a command prompt and type the following:



With this tool the deleted user appears again in the original OU, but the user account is disabled. Be sure to check the other properties of this user account; sometimes you don’t get a full restore, I mean, you may have to add the user back to the respective AD groups and check other account settings.



If you want to restore a specific user, group, computer, etc, type:

c:\> adrestore -r bgates

Have fun !!

3/12/2009

Logged Users in Domain – System Information(with Psexec)

Sometimes you don’t get any results with psloggedon \\remotePC on Windows systems. I didn’t investigate further, so I used another tool from pstools, psexec, but we will have other posts exclusively for this amazing tool, psexec. For now let’s use it to find out who is logged on to a remote system. The syntax:

C:\>PSEXEC \\remotesystem NETSH DIAG SHOW COMPUTER /V | FIND /i "username"

The little lab (for security reasons, hostnames and domain name are hidden)


Let’s now see psexec working with "net session" against a server. You get not only the logged-on users, but also the PCs (IP configuration) where the users are logged on. Great for my job !!!

3/06/2009

Logged Users in Domain – System Information

If you want to check which user is logged on to a PC or PCs in your Windows domain, use the tool psloggedon from Russinovich (Microsoft Windows User Management). Download it from Microsoft’s page:

http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx

and copy it to your %windir%\system32 path. Remember that you must be an administrator on the PC or remote system.

C:\Documents and Settings\Admin>psloggedon batman


loggedon v1.33 - See who's logged on
Copyright © 2000-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

RD\batman logged onto PC05 remotely.
RD\batman logged onto PC04 remotely.
RD\batman logged onto PC07 remotely.
RD\batman logged onto MYPC locally.
RD\batman logged onto S01 remotely.
RD\batman logged onto S02 remotely.

Let's see who is now remotely logged on to PC08:
C:\>psloggedon \\PC08


loggedon v1.33 - See who's logged on
Copyright © 2000-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

Users logged on locally:
Error: could not retrieve logon time
NT AUTHORITY\SERVICIO LOCAL
Error: could not retrieve logon time
NT AUTHORITY\Servicio de red
06-Mar-2009 6:58:31 AM CONTOSO\intruder
Error: could not retrieve logon time
NT AUTHORITY\SYSTEM

Users logged on via resource shares:
06-Mar-2009 12:05:28 PM CONTOSO\Admin

We find the user "intruder" logged on to the remote system.
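To review this kind of output for more than one machine, the text can be parsed and compared against the accounts you expect to see. The following is an added example, not part of the original post or of psloggedon itself; the sample text is the PC08 output above, and the expected-account list and the unlocalized "NT AUTHORITY" domain are assumptions.

```python
import re

# Constructed sample: the PC08 output from the post, pasted as captured text.
SAMPLE = r"""
loggedon v1.33 - See who's logged on

Users logged on locally:
Error: could not retrieve logon time
NT AUTHORITY\SERVICIO LOCAL
Error: could not retrieve logon time
NT AUTHORITY\Servicio de red
06-Mar-2009 6:58:31 AM CONTOSO\intruder
Error: could not retrieve logon time
NT AUTHORITY\SYSTEM

Users logged on via resource shares:
06-Mar-2009 12:05:28 PM CONTOSO\Admin
"""

SECTIONS = {"Users logged on locally:": "local",
            "Users logged on via resource shares:": "share"}
STAMPED = re.compile(
    r"^(\d{1,2}-[A-Za-z]{3}-\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(\S.*)$")

def parse_psloggedon(text):
    """Return one dict per session: type (local/share), account, time."""
    sessions, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:
            section = SECTIONS[line]
        elif section and line and not line.startswith("Error:"):
            # Either "<timestamp> DOMAIN\user" or a bare "DOMAIN\user"
            # that follows a "could not retrieve logon time" marker.
            m = STAMPED.match(line)
            when, account = m.groups() if m else (None, line)
            sessions.append({"type": section, "account": account, "time": when})
    return sessions

def unexpected_sessions(sessions, expected, builtin="NT AUTHORITY"):
    """Sessions whose account is neither built-in nor on the expected list."""
    allowed = {a.upper() for a in expected}
    flagged = []
    for s in sessions:
        domain = s["account"].partition("\\")[0].upper()
        # Match built-ins on the domain part: the account names are
        # localized ("SERVICIO LOCAL"); the domain is assumed not to be.
        if domain != builtin and s["account"].upper() not in allowed:
            flagged.append(s)
    return flagged

if __name__ == "__main__":
    for s in unexpected_sessions(parse_psloggedon(SAMPLE), ["CONTOSO\\Admin"]):
        print(s["type"], s["account"], s["time"])
```

With CONTOSO\Admin as the only expected account, the one flagged session is the local logon of CONTOSO\intruder.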

3/03/2009

More psinfo - sysinternals

I insist on scanning a computer list or domain with low-level tools.
With the new Windows XP SP3, and in cases of deployments or inventory reports, you can of course use Systems Management Server (if you have it), MS-Inventory Analyzer, or MS-Base Line Security Analyzer. The problem I had is that some tools stop responding when they don’t find a PC, or they scan all PCs in a range of IPs, which of course takes longer.
The scenario: you want to check which PCs in your domain or host list have Windows SP2 or SP3. Try this against a computer list:

c:\>psinfo service @c:\hosts.txt

where hosts.txt is a text file that you create on the C drive, and should simply look like this:


The output shows the hostname and the service pack number:

PsInfo v1.75 - Local and remote system information viewer
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\PC01:
Service pack: 2
System information for \\PC02:
Service pack: 2
System information for \\PC03:
Service pack: 2
System information for \\PC04:
Service pack: 2

For reporting options and Excel import it does not look so great, so let’s modify it and print it in CSV format:

C:\>psinfo service -c @c:\hosts.txt

PC01,2,
PC02,2,
PC03,3,
PC04,3,
………
………

If you want to have the whole procedure automated and just import the result into Excel, type:

C:\>psinfo service -c @c:\hosts.txt>c:\servicepackinventory.txt

Finally, now scan your domain and have fun:

C:\>psinfo service -c \\*>c:\servicepackinventory.txt
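Instead of eyeballing the CSV in Excel, the inventory file can be checked against the host list to show which machines are below a required service pack and which ones returned no row at all. This is an added example, not part of the original post or of psinfo; the one-hostname-per-line hosts.txt layout, the extra host PC05 and the minimum level of SP3 are assumptions.

```python
import csv
import io

# Constructed samples: the CSV rows shown in the post, plus a host list
# with one extra machine (PC05) that produced no row in the output.
INVENTORY_CSV = "PC01,2,\nPC02,2,\nPC03,3,\nPC04,3,\n"
HOSTS_TXT = "PC01\nPC02\nPC03\nPC04\nPC05\n"

def normalize(name):
    # Leading backslashes, stray spaces and case must not create duplicates.
    return name.strip().lstrip("\\").upper()

def read_inventory(csv_text):
    """Map hostname -> service pack number from `psinfo service -c` output."""
    levels = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2 or not row[0].strip():
            continue  # blank lines, banners, anything that is not host,value
        try:
            levels[normalize(row[0])] = int(row[1])
        except ValueError:
            levels[normalize(row[0])] = None  # row present, value not numeric
    return levels

def audit(hosts_text, levels, minimum_sp=3):
    """Sort every host in the list into ok / below / missing."""
    report = {"ok": [], "below": [], "missing": []}
    for host in filter(None, map(normalize, hosts_text.splitlines())):
        sp = levels.get(host)
        if sp is None:
            report["missing"].append(host)  # no usable row: follow up by hand
        elif sp < minimum_sp:
            report["below"].append(host)
        else:
            report["ok"].append(host)
    return report

if __name__ == "__main__":
    result = audit(HOSTS_TXT, read_inventory(INVENTORY_CSV))
    for status in ("below", "missing", "ok"):
        print(f"{status}: {', '.join(result[status])}")
```

The "missing" list matters as much as "below": a host that returned nothing has an unknown patch level, not a good one.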