Batch files are not dead. Microsoft has said that batch files and VBScript will be supported into the indefinite future. And I still write an occasional batch file because they really are quick and easy. I use the .CMD extension instead of .BAT, but it does not really matter in execution.
Recently I was asked to write something that would allow for prestaging a computer account in Active Directory. The code works but is painfully slow. Still, you may find it useful in your environment. You could use it with a FOR command to run it against a list of machines overnight:
:: Alan Kaplan, loosely based on
@echo off
setlocal
:: ************* mandatory edits here ******************
rem omit LDAP://
set NewPCOU=OU=Windows 7,OU=Test Lab,DC=contoso,DC=com
rem this is the group to grant permission to join (DOMAIN\Group is a placeholder)
set UserOrGroup=DOMAIN\Group
:: ********** end edits ******************************
if %1z == z echo PC Accounts will be added to "%NewPCOU%"
if %1z == z echo Granting permissions to %UserOrGroup%
if %1z == z set /p PCName=Add what computer account? &goto AddPC
rem computer name was passed on the command line
set PCName=%1
:AddPC
rem distinguished name of the new computer object
set ComputerDN=CN=%PCName%,%NewPCOU%
dsadd computer "%ComputerDN%"
Echo Granting Permissions to %UserOrGroup%
REM full control of object. This is really slow ....
dsacls "%ComputerDN%" /G %UserOrGroup%:GA
REM specific join computer rights
REM This is 6 times slower than full control
REM dsacls "%ComputerDN%" /G %UserOrGroup%:CALCGRSDDTRC;;
REM dsacls "%ComputerDN%" /G %UserOrGroup%:WP;description;
REM dsacls "%ComputerDN%" /G %UserOrGroup%:WP;sAMAccountName;
REM dsacls "%ComputerDN%" /G %UserOrGroup%:WP;displayName;
REM dsacls "%ComputerDN%" /G %UserOrGroup%:WP;userAccountControl;
REM dsacls "%ComputerDN%" /G %UserOrGroup%:WS;"Validated write to service principal name";
REM dsacls "%ComputerDN%" /G %UserOrGroup%:WS;"Validated write to DNS host name";
echo %PCName% added to %NewPCOU%
echo Granted permissions to %UserOrGroup%
You will need to edit the script to make it work. I have set it to Full Permissions, but as you can see, you can switch to more granular permissions.
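The same prestaging job in PowerShell, as an added example that is not Alan Kaplan's batch file: it creates the account in the same OU and grants only the granular join rights listed in the commented-out dsacls lines, resolving the attribute and validated-write GUIDs from the schema and configuration partitions by name rather than hard-coding them. It assumes the RSAT ActiveDirectory module is installed; the group name PC-Joiners and computer name LAB-PC01 are placeholders.

```powershell
# Added example (PowerShell; not the batch file from the post). Prestages a computer
# account and delegates only the granular join rights the batch file lists.
# Assumes the RSAT ActiveDirectory module; group and computer names are placeholders.
Import-Module ActiveDirectory

$NewPCOU     = 'OU=Windows 7,OU=Test Lab,DC=contoso,DC=com'   # same OU as the batch file
$UserOrGroup = 'PC-Joiners'                                    # placeholder group (sAMAccountName)
$PCName      = 'LAB-PC01'                                      # placeholder computer name

$rootDse = Get-ADRootDSE
$sid     = (Get-ADGroup -Identity $UserOrGroup).SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Look up an attribute's schemaIDGUID by lDAPDisplayName instead of hard-coding it
function Get-AttributeGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Attribute '$LdapDisplayName' not found in schema" }
    [guid]$obj.schemaIDGUID
}

# Look up a validated-write (extended) right's rightsGuid by its display name
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

# Build one Allow ACE for the group; $ObjectType scopes it to a single attribute or right
function New-JoinAce([System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType = [guid]::Empty) {
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $Rights, $allow, $ObjectType
}

# 1. dsadd computer equivalent
$computer = New-ADComputer -Name $PCName -Path $NewPCOU -PassThru
$dn = $computer.DistinguishedName

# 2. Same rights as the batch file's granular dsacls lines
$rules = @(
    # CALCGRSDDTRC;; = ExtendedRight, ListChildren, GenericRead, Delete, DeleteTree, ReadControl
    New-JoinAce 'ExtendedRight,ListChildren,GenericRead,Delete,DeleteTree,ReadControl'
)
foreach ($attr in 'description','sAMAccountName','displayName','userAccountControl') {
    $rules += New-JoinAce WriteProperty (Get-AttributeGuid $attr)        # WP;<attribute>;
}
foreach ($right in 'Validated write to service principal name','Validated write to DNS host name') {
    $rules += New-JoinAce Self (Get-ExtendedRightGuid $right)           # WS;"Validated write ...";
}

# 3. One read-modify-write of the DACL instead of one dsacls round trip per right
$acl = Get-Acl -Path "AD:\$dn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$dn" -AclObject $acl

Write-Output "$PCName added to $NewPCOU; join rights granted to $UserOrGroup"
```

Because all six ACEs are added to one ActiveDirectorySecurity object and written back with a single Set-Acl, the cost of the granular variant is one DACL write rather than seven separate dsacls processes each re-reading and re-writing the descriptor. The scoped ACEs also keep the group away from everything else on the object (it cannot, for instance, reset the account password or rewrite the DACL), which is the reason to prefer them over :GA once the speed problem is gone.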
Over the past few months I have been spending more and more time working with PowerShell. I have gone to Windows 8 on my personal laptop, and am impressed by PowerShell 3.0. I have joined the Charlotte PowerShell User’s Group which meets monthly at the Charlotte Microsoft Campus. The Scripting Guy, Ed Wilson, together with his wife Teresa, are regular attendees of the meetings, and at last month’s meeting I won a signed copy of Ed’s latest book, PowerShell 3.0 Step by Step. I shared some struggles I was having with PowerShell, and Ed gave me some practical advice about how to proceed. It was something I already knew — focus on a real world problem and don’t be concerned about writing elegant code.
For some time, I have been getting traffic for my GPO Reporter HTA. Unfortunately, this requires a component that was last available in Windows XP. I quit using XP (even VMs) last month, and the loss of the GPO Reporter soon became a problem. Fortunately, this month’s POSH meeting was led by Microsoft PFE Jason Walker who covered Active Directory and PowerShell. I decided to take another look at a PowerShell GPO Reporter.
I think I have done some interesting things in the coding of the new script, GPOReports.ps1, but it is hard to tell as I am still a PowerShell beginner. I have commented the code to make things easier to understand. This script requires PowerShell 3. Also note that you will need to install the Remote Server Administration Tools (RSAT) to get this to work, as it provides the ActiveDirectory PowerShell module. It is available for Windows 7 and Windows 8. This is unsigned code; if you are a PowerShell noob, take a look at execution policy explanations about how to get it to run.
When ordering a case fan, do not rely on the picture. There are some case fans which are 4 inches square.
When ordering a CPU, note that an AMD 3+ CPU motherboard accepts AMD 3 and 3+ CPUs, but an AMD 3 motherboard only accepts AMD 3 CPUs.
When re-using an HP Pentium 4 case for your new AMD motherboard, note that HP may not have followed conventions with wiring colors. In particular, note that you cannot turn a computer on and off with the red and black power switch wires connected to the speaker pins on these systems. Taking the time to look at the switch could save hours in troubleshooting.
The local administrator account password can become corrupted, making the entire system look hosed when it is not. Symptoms may include not being able to launch anything due to IE Security Zone restrictions, and yyyy appearing in the time field. Trying to fix the entire system when the problem is just a messed up profile is not a productive use of time.
If the secure channel is broken and the local administrator account is hosed, try logging in with cached administrative credentials. You only need to disconnect the system from the network to get past the warning of no account in AD. You can then delete the local administrator account profile, or create and elevate another local account.
Windows 8 changed the registry key for AHCI from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msahci to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\storahci\. This is important to know if you are testing a script which automates the switch from IDE to AHCI for Windows 7 computers.
Finally, be humble. Even if you are an expert, remember that you, too, can make wrong assumptions and do some pretty stupid things.
I have already written a script to dump user information into a spreadsheet here, so why do it again? User AD Export.vbs is different in that it uses the modern LDAP interface (instead of the lame WinNT interface I used earlier), and is therefore much faster. It was written for a user audit, so it does not export things like phone numbers and addresses, but you do get the user’s name, display name, description, mail address, whether a smart card is required, SamAccount name, UPN, whether the account is disabled, the date created, date password last set, last logon, password age, expiration date, and AD path.
It will allow you to navigate to the starting OU in any domain in your forest. It does not require elevated rights to run, and exports the data to Excel.
NTUserInfo.vbs is a script based on Ralph Montgomery’s NTUser.wsf file. It gives a good summary about a user account, including user name, description, password status, and more. I have made a number of changes, including the ability to copy the results to the clipboard using IE. Rename from .txt to .vbs. New version 10/23/2009 allows entry of user name by samaccount name or UPN. This entry was originally posted on March 23, 2009. The new (3/3/13) alternative version, NTUserInfo_IE.vbs outputs to IE instead of a MSGBox. This way you can copy the information to your clipboard.
A lot of folks have been asking me why I haven’t written any PowerShell scripts. The answer is that I am pretty good at vbscript, and I couldn’t find anything that I wanted to do that I couldn’t do with vbscript.
Last week I spent some time waiting for a computer to reboot. I used ping -t to watch the replies, and then waited until I could use the Remote Desktop Connection (RDC) to connect using RDP. I thought to myself, “self — you sure have spent a lot of time waiting for systems to come up”. RDP2.ps1 is a PowerShell script that does the tedious watching for you. It will wait for both the system and the remote access interface to come up, and then will launch the RDC to the computer. You can run it interactively, or with the command line:
./rdp2.ps1 computername[:port] -WaitForReboot
The port is an option for nonstandard ports. -WaitForReboot does just that. If the system is still up when you launch the script, it will wait for it to reboot.
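The waiting logic described above, as an added PowerShell example rather than the RDP2.ps1 script itself: it optionally waits for the host to drop off the network, then for ping to return, then for the RDP listener to accept a TCP connection (a host answers ping well before the Remote Desktop service is listening), and only then launches mstsc. The function name Wait-RdpHost and the helper Test-TcpPort are my own; the computername[:port] syntax and the -WaitForReboot switch follow the post.

```powershell
# Added example (not RDP2.ps1 from the post). Waits for a host to reboot and for
# its RDP port to accept connections, then launches the Remote Desktop Connection.

# Connect-with-timeout so a half-booted host does not block for the full TCP timeout
function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Wait-RdpHost {
    param(
        [Parameter(Mandatory = $true)][string]$Target,   # computername or computername:port
        [switch]$WaitForReboot,                          # first wait for the host to go down
        [int]$PollSeconds = 5
    )
    $name, $port = $Target -split ':', 2
    if (-not $port) { $port = 3389 }                     # standard RDP port unless overridden
    $port = [int]$port

    if ($WaitForReboot) {
        Write-Host "Waiting for $name to stop answering ping..."
        while (Test-Connection -ComputerName $name -Count 1 -Quiet) {
            Start-Sleep -Seconds $PollSeconds
        }
    }

    Write-Host "Waiting for $name to answer ping..."
    while (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        Start-Sleep -Seconds $PollSeconds
    }

    # Ping back does not mean the Remote Desktop service is up yet
    Write-Host "Waiting for RDP on ${name}:${port}..."
    while (-not (Test-TcpPort -ComputerName $name -Port $port)) {
        Start-Sleep -Seconds $PollSeconds
    }

    Start-Process -FilePath mstsc.exe -ArgumentList "/v:${name}:${port}"
}

# Usage (placeholder host name): Wait-RdpHost -Target 'LAB-PC01:3389' -WaitForReboot
```

The TCP check is deliberately a plain connect and disconnect on the listener; it does not negotiate RDP, so it tells you the service is accepting connections and nothing more. If a host answers ping but never opens the port, the loop runs until you break it, which is the same behaviour as ping -t.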
Like many first scripts, this is largely based on someone else’s work, see: http://poshtips.com/2013/02/12/check-rdp-availability-using-watch-rebootstatus-script/. I made a large number of changes in addition to launching the RDC. For those of you who have spent a lot of time with PowerShell, I am open to suggestions on how to make the code more elegant.
If you haven’t ever run a PowerShell script, you will find it is already installed on your Vista or later machine, and on Windows 2008/R2 servers. You must set the execution policy:
Revision note 3/4/2012: I have updated the script to make the MsgBox SystemModal — which is required for it to have focus.
There are a lot of ways a Windows Domain Controller can act weird. Recently I had some which replied to a ping, replied to DNS requests, but failed to reply to LDAP. Since LDAP services are pretty high on my list of expectations for Directory Services, I wanted a lightweight way to monitor LDAP. DC LDAP Ping.vbs is a script which enumerates the list of domain controllers in a domain, then binds to each in turn, measuring the time it takes to do so. You can set audible alarms, and run continuously if you like.
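The same check in PowerShell, as an added example that is not DC LDAP Ping.vbs: it enumerates the current domain's DCs through System.DirectoryServices.ActiveDirectory, times an LDAP bind to each using System.DirectoryServices.Protocols so that a per-connection timeout can be set (a DC that answers ping but not LDAP would otherwise hang an ADSI bind for a long time), and beeps on a failed or slow bind. The function name Test-DcLdapBind and the thresholds are my own.

```powershell
# Added example (PowerShell; not DC LDAP Ping.vbs). Enumerates the domain's DCs,
# times an LDAP bind to each with a hard timeout, and beeps on failure or slowness.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-DcLdapBind {
    param(
        [int]$TimeoutSeconds = 5,   # caps the wait on a DC that answers ping but not LDAP
        [int]$WarnMs = 1000,        # a successful bind slower than this is reported as SLOW
        [switch]$Beep               # audible alarm on FAIL or SLOW
    )
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc.Name)
        $conn.Timeout = [timespan]::FromSeconds($TimeoutSeconds)
        $conn.SessionOptions.ProtocolVersion = 3
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $conn.Bind()            # binds with the current credentials; throws on failure
            $status = 'OK'
        } catch {
            $status = "FAIL: $($_.Exception.Message)"
        } finally {
            $sw.Stop()
            $conn.Dispose()
        }
        if ($status -eq 'OK' -and $sw.ElapsedMilliseconds -gt $WarnMs) { $status = 'SLOW' }
        if ($Beep -and $status -ne 'OK') { [console]::Beep(1000, 400) }
        [pscustomobject]@{
            Time   = Get-Date -Format 'HH:mm:ss'
            DC     = $dc.Name
            Site   = $dc.SiteName
            Ms     = $sw.ElapsedMilliseconds
            Status = $status
        }
    }
}

# One pass:
Test-DcLdapBind | Format-Table -AutoSize

# Continuous mode, the equivalent of the VBScript's run-continuously option:
# while ($true) { Test-DcLdapBind -Beep | Format-Table -AutoSize; Start-Sleep -Seconds 60 }
```

Timing the bind rather than a search keeps the probe cheap on the DC and independent of directory size, and reporting the site alongside the name makes it obvious when only the DCs in one site are misbehaving.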