Friday, December 31, 2010

Export Active Directory data

Show me the samid and upn name of all disabled user accounts in the domain.

C:\>dsquery user -disabled | dsget user -samid -upn


Show me the samid and upn of each user account in the domain and show me when the user account expires.

C:\>dsquery user | dsget user -samid -upn -acctexpires


Show me the samid and upn of each user account in the domain and show me when the user account expires. Send output to a file called c:\log.txt

C:\>dsquery user | dsget user -samid -upn -acctexpires > c:\log.txt


Show me the samid and upn name of each user account in the Production OU in the TEST.COM domain with a password age of 14 days or older and also show me if the account is flagged for "user must change password" and if the user account is allowed to change its password

C:\>dsquery user "OU=Production,DC=test,DC=com" -stalepwd 14 | dsget user -samid -upn -mustchpwd -canchpwd

Wednesday, December 29, 2010

Restoring objects with Microsoft ADRestore (previously Sysinternals)

ADRestore is a freeware command-line application created by Mark Russinovich, formerly distributed by Sysinternals and now by Microsoft. The tool enumerates all of the currently tombstoned objects in a domain and allows you to restore them selectively, and provides a convenient command-line interface for using the Active Directory reanimation functionality. If you run it from the command line you will be prompted to choose which object you want to restore, and since there could be quite a few tombstoned objects, this process might take some time as you answer NO to each and every prompt.

To add a little selectivity to the restore operation, you can run ADRestore with a parameter to narrow down the search. For example:

adrestore -r daniel

would search for all objects with "daniel" as part of their name.

The -r switch forces the program to prompt the user for each restoration. Otherwise, all the objects found matching said criteria will be automatically restored. The default (no criteria supplied) is that all tombstoned objects will be enumerated and restored.

Note that deleted items may no longer be members of specific organizational units or OUs. Restoring these objects from deleted status will not automatically restore them to their respective OUs; this will need to be done manually.

Download ADRestore

Recovering Deleted Items in Active Directory

Restoring objects with ADRestore.net

Guy Teverovsky, a fellow MVP from Israel, has written a cool tool that allows you to easily restore deleted AD objects. The tool is provided as freeware and has no kind of support, but from what I've seen, it works great. Some of the tool's features include:

  • Browsing the tombstones
  • Domain Controller targeting
  • Can be used with alternative credentials (convenient if you do not logon to your desktop as Domain Admin, which you should never do anyway)
  • User/Computer/OU/Container reanimation
  • Preview of tombstone attributes

Enumerating tombstones



Previewing the tombstone attributes
Restoring a deleted user account



For more information on Guy's tool, please see Guy's blog entry announcing ADRestore.net





Tuesday, December 28, 2010

Windows Server : Managing the Terminal Services - RDP Permissions

Managing the terminal services includes various tasks such as assigning RDP permissions, configuring connection limits, setting session time limits, assigning session permissions, viewing processes, monitoring sessions, logging off users, disconnecting sessions, and resetting the terminal services. Terminal Services Manager is used to perform these administrative tasks. Ensure you have a thorough understanding of every task and its implications before you apply it on a production network. Improper configuration of permissions may result in assigning additional permissions to users where not required and inadequate access where required.

RDP Permissions

Terminal Services Manager allows you to configure various RDP permissions. Permission sets such as Full Control, User Access, Guest Access, and Special Permissions can be assigned to users, clients, and groups. Each permission set has one or more permissions (see Tables 1 and 2). Figure 1 shows the RDP properties. Figure 2 shows the advanced security settings for RDP. Figure 3 shows RDP permissions.

Table 1. Terminal Services Permissions

Permission [*]    Description
Full Control      Permission set providing Query Information, Set Information, Remote Control, Logon, Logoff, Message, Connect, Disconnect and Virtual Channels permissions
User Access       Permission set providing Query Information, Logon, and Connect permissions
Guest Access      Logon permission only
Logon             Logon to Terminal Server session

[*] Permissions are described in more detail in Table 2.

Table 2. Terminal Services Connection Permissions

Permission          Description
Query Information   Allows users to query for information from Terminal Servers and Sessions
Set Information     Allows users to configure properties of the connection
Remote Control      Allows users to view or control other users’ sessions
Logon               Logon to Terminal Server session
Logoff              Log off a user from the Terminal Server session
Message             Allows users to send a message to a user session
Connect             Allows users to connect to another user’s session
Disconnect          Disconnects a user session
Virtual Channels    Assigning this permission provides access to local (client computer’s) device and redirects resources

Figure 1. RDP Properties


















Saturday, December 11, 2010

Windows XP Service Pack 3 access denied error

Procedure to follow

1) Download and then install the Subinacl.exe file from the following link

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

2) Start Notepad

Copy and then paste the following text into Notepad.

cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

3) Save this file as sp3fix.bat

Double-click the sp3fix.bat file to run the script.

Note: This script file may take a long time to run. You must run this script as an administrator.

Tuesday, October 12, 2010

Microsoft DOS route command

Route

Command to manually configure the routes in the routing table.

Availability

The route.exe command is an external command that is available in the below Microsoft operating systems.

Windows 95
Windows 98
Windows ME
Windows 2000
Windows XP
Windows Vista
Windows 7

Syntax

ROUTE [-f] [-p] [command [destination] [MASK netmask] [gateway] [METRIC metric] [IF interface]]

-f            Clears the routing tables of all gateway entries. If this is used in conjunction with one of the commands, the tables are cleared prior to running the command.
-p            When used with the ADD command, makes a route persistent across boots of the system. By default, routes are not preserved when the system is restarted. When used with the PRINT command, displays the list of registered persistent routes. Ignored for all other commands, which always affect the appropriate persistent routes. This option is not supported in Windows 95.
command       One of these:

              PRINT    Prints a route
              ADD      Adds a route
              DELETE   Deletes a route
              CHANGE   Modifies an existing route destination

destination   Specifies the host.
MASK          Specifies that the next parameter is the 'netmask' value.
netmask       Specifies a subnet mask value for this route entry. If not specified, it defaults to 255.255.255.255.
gateway       Specifies gateway.
interface     The interface number for the specified route.

All symbolic names used for destination are looked up in the network database file NETWORKS. The symbolic names for gateway are looked up in the host name database file HOSTS.

If the command is PRINT or DELETE, destination or gateway can be a wildcard (specified as a star '*'), or the gateway argument may be omitted.

If Dest contains a * or ?, it is treated as a shell pattern, and only matching destination routes are printed. The '*' matches any string, and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*, *224*.

Diagnostic Notes:
Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
The route addition failed: The specified mask parameter is invalid.
(Destination & Mask) != Destination.
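
The mask rule from the Diagnostic Notes, as an added Python example (not part of the original post or of route.exe): it parses a route ADD line and reports which destination bits fall outside the mask. The function names and the last two sample lines are constructed for illustration; symbolic destination names are not resolved.

```python
import ipaddress

DEFAULT_MASK = "255.255.255.255"  # per the syntax notes: used when MASK is omitted
KEYWORDS = {"MASK": "mask", "METRIC": "metric", "IF": "interface"}


def parse_route_add(cmdline):
    """Split a 'route ADD ...' line into its fields; keywords are case-insensitive."""
    tokens = cmdline.split()
    upper = [t.upper() for t in tokens]
    if "ADD" not in upper:
        raise ValueError("not a route ADD command")
    rest = tokens[upper.index("ADD") + 1:]
    if not rest:
        raise ValueError("destination missing")
    fields = {"destination": rest[0], "mask": DEFAULT_MASK,
              "gateway": None, "metric": None, "interface": None}
    i = 1
    while i < len(rest):
        name = KEYWORDS.get(rest[i].upper())
        if name is None:
            fields["gateway"] = rest[i]  # bare address after the destination: the gateway
            i += 1
        elif i + 1 < len(rest):
            fields[name] = rest[i + 1]
            i += 2
        else:
            raise ValueError(rest[i] + " needs a value")
    return fields


def check_mask(cmdline):
    """Return None if (DEST & MASK) == DEST, else a dict describing the mismatch."""
    f = parse_route_add(cmdline)
    dest = int(ipaddress.IPv4Address(f["destination"]))
    mask = int(ipaddress.IPv4Address(f["mask"]))
    if dest & mask == dest:
        return None
    return {
        "destination": f["destination"],
        "mask": f["mask"],
        # destination bits that the mask does not cover
        "stray_bits": str(ipaddress.IPv4Address(dest & ~mask & 0xFFFFFFFF)),
        # destination the mask would actually select
        "masked_destination": str(ipaddress.IPv4Address(dest & mask)),
    }


# Sample lines: the first two are the page's own examples, the last two are constructed.
SAMPLES = [
    "route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2",
    "route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1",
    "route ADD 192.168.50.65 MASK 255.255.255.0 192.168.50.1",  # host address, network mask
    "route add 192.168.50.65 192.168.50.1",                     # no MASK: default host mask
]

if __name__ == "__main__":
    for line in SAMPLES:
        bad = check_mask(line)
        print(line, "->", "OK" if bad is None else bad)
```
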

Examples:

> route PRINT

> route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2

    destination  157.0.0.0
    mask         255.0.0.0
    gateway      157.55.80.1
    metric       3
    interface    2

If IF is not given, it tries to find the best interface for a given gateway.

> route PRINT
> route PRINT 157* .... Only prints those matching 157*
> route DELETE 157.0.0.0
> route PRINT

One way to use this would be as follows: you can't ping the server that you are connecting to, but you know its IP address to be 127.16.16.10.

>route PRINT

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 14 a4 c3 44 20 ...... Xircom CardBus Ethernet 10/100 Adapter
0x3 ...00 b0 d0 43 55 a5 ...... 3Com EtherLink PCI
0x4 ...00 01 b0 8f 8f 80 ...... NdisWan Adapter

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 127.16.8.14 127.16.8.14 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
127.16.0.0 255.255.0.0 127.16.8.14 127.16.8.14 1
127.16.8.14 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.50.0 255.255.255.0 192.168.50.65 192.168.50.65 2
192.168.50.65 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.50.255 255.255.255.255 192.168.50.65 192.168.50.65 1
224.0.0.0 224.0.0.0 127.16.8.14 127.16.8.14 1
224.0.0.0 224.0.0.0 192.168.50.65 192.168.50.65 1
255.255.255.255 255.255.255.255 192.168.50.65 192.168.50.65 1

** Notice that no gateway for the current IP goes to 255.255.255.0, so it must be added. Now run the command below.

>route ADD 127.16.0.0 MASK 255.255.255.0 METRIC 1

** Then run the command below:

>route print

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 127.16.8.14 127.16.8.14 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
127.16.0.0 255.255.0.0 127.16.8.14 127.16.8.14 1
** 127.16.0.0 255.255.255.0 127.16.8.14 127.16.8.14 1
127.16.8.14 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.50.0 255.255.255.0 192.168.50.65 192.168.50.65 2
192.168.50.65 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.50.255 255.255.255.255 192.168.50.65 192.168.50.65 1
224.0.0.0 224.0.0.0 127.16.8.14 127.16.8.14 1
224.0.0.0 224.0.0.0 192.168.50.65 192.168.50.65 1
255.255.255.255 255.255.255.255 192.168.50.65 192.168.50.65 1

** Notice that the ** IP address gives me the default gateway.


Friday, August 27, 2010

Configure TCP/IP from the Command Prompt

In order to configure TCP/IP settings such as the IP address, Subnet Mask, Default Gateway, DNS and WINS addresses and many other options you can use Netsh.exe.

Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh.exe also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer. Netsh.exe can also save a configuration script in a text file for archival purposes or to help you configure other servers.

Netsh.exe is available on Windows 2000, Windows XP and Windows Server 2003.

You can use the Netsh.exe tool to perform the following tasks:

  • Configure interfaces
  • Configure routing protocols
  • Configure filters
  • Configure routes
  • Configure remote access behavior for Windows-based remote access routers that are running the Routing and Remote Access Server (RRAS) Service
  • Display the configuration of a currently running router on any computer
  • Use the scripting feature to run a collection of commands in batch mode against a specified router.

What can we do with Netsh.exe?

With Netsh.exe you can easily view your TCP/IP settings. Type the following command in a Command Prompt window (CMD.EXE):

netsh interface ip show config

With Netsh.exe, you can easily configure your computer's IP address and other TCP/IP related settings. For example:

The following command configures the interface named Local Area Connection with the static IP address 192.168.0.100, the subnet mask of 255.255.255.0, and a default gateway of 192.168.0.1:

netsh interface ip set address name="Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.1 1

(The above line is one long line, copy paste it as one line)

Netsh.exe can be also useful in certain scenarios such as when you have a portable computer that needs to be relocated between 2 or more office locations, while still maintaining a specific and static IP address configuration. With Netsh.exe, you can easily save and restore the appropriate network configuration.

First, connect your portable computer to location #1, and then manually configure the required settings (such as the IP address, Subnet Mask, Default Gateway, DNS and WINS addresses).

Now, you need to export your current IP settings to a text file. Use the following command:

netsh -c interface dump > c:\location1.txt

When you reach location #2, do the same thing, only keep the new settings to a different file:

netsh -c interface dump > c:\location2.txt

You can go on with any other location you may need, but we'll keep it simple and only use 2 examples.

Now, whenever you need to quickly import your IP settings and change them between location #1 and location #2, just enter the following command in a Command Prompt window (CMD.EXE):

netsh -f c:\location1.txt

or

netsh -f c:\location2.txt

and so on.

You can also use the global EXEC switch instead of -F:

netsh exec c:\location2.txt

Netsh.exe can also be used to configure your NIC to automatically obtain an IP address from a DHCP server:

netsh interface ip set address "Local Area Connection" dhcp

Would you like to configure DNS and WINS addresses from the Command Prompt? You can. See this example for DNS:

netsh interface ip set dns "Local Area Connection" static 192.168.0.200

and this one for WINS:

netsh interface ip set wins "Local Area Connection" static 192.168.0.200

Or, if you want, you can configure your NIC to dynamically obtain its DNS settings:

netsh interface ip set dns "Local Area Connection" dhcp

BTW, if you want to set a primary and secondary DNS address, add index=1 and index=2 respectively to the lines of Netsh command.

As you can now see, Netsh.exe has many features you might find useful, and that is without even looking into the other valuable options that exist in the command.

Friday, July 23, 2010

Troubleshoot Group Policy from the Command Line with GPRESULT

When you are trying to determine why policy is not being applied as expected, one of the first things you should do is examine the Resultant Set of Policy (RSoP) for the user and computer experiencing problems with policy settings. Using the Gpresult command-line utility, you can view RSoP.

Gpresult provides details on the following:

* Special settings applied for folder redirection, software installation, disk quota, IPSec, and scripts
* The last time Group Policy was applied
* The domain controller from which policy was applied and the security group memberships for the computer and user
* The complete list of GPOs that were applied as well as the complete list of GPOs that were not applied because of filters

Gpresult has the following basic syntax:
gpresult /s ComputerName /user Domain\UserName

Here, ComputerName is the name of the computer that you want to log policy results for and Domain\UserName indicates the user that you want to log policy results for. For example, to view the RSoP for CorpPC85 and the user Tedg in the Cpandl domain, you would type the following command:
gpresult /s corppc85 /user cpandl\tedg

You can view more detailed output by using one of the two verbose options. The /v parameter turns on verbose output and results are displayed only for policy settings in effect. The /z parameter turns on verbose output with settings for policy settings in effect and all other GPOs that have the policy set. Because Gpresult output can be fairly long, you should create an HTML report using the /h parameter or an XML report using the /x parameter. Here are a couple examples using these parameters:
gpresult /s corppc85 /user cpandl\tedg /h gpreport.html
gpresult /s corppc85 /user cpandl\tedg /x gpreport.xml

Friday, June 4, 2010

Using Remote Desktop via your Browser

In Windows Vista:



This is really simple and easy. Works with Windows Server 2003 and XP:

Using “Add or Remove Programs”, select “Add/Remove Components” and in “Application Server” select “Details”. You will find another list and in “Internet Information Services” select “Details” again and check “Remote Desktop Web Connection”.



When the installation starts you’ll be prompted to insert the Windows Server 2003 CD. After the installation is complete you are ready to use your Remote Desktop Connection at the default address established in IIS: http://localhost/tsweb/


As a best practice, it is always recommended that you set your permissions in IIS to not allow anonymous authentication (any other method will be fine) and that you use HTTPS for the communication.


How To Change SID On Windows 7 And Windows Server 2008 R2 Using Sysprep

These steps show Sysprep on Windows Server 2008 R2 Datacenter edition, but the same steps apply to Windows 7 as well.

First, click to Start->Run, type sysprep and press OK.


This will open sysprep folder which is located in c:\Windows\System32. Open sysprep application.


This will open the System Preparation Tool 3.14 window. As a System Cleanup Action select Enter System Out-of-Box Experience (OOBE). Important: select Generalize if you want to change SID, it's not selected by default. As Shutdown Options select Reboot.


It will take some time for sysprep to finish, so grab a cup of coffee and wait.


After rebooting you'll have to enter some data, for example, Country or region, Time and currency and Keyboard input.


Also, you'll have to accept the EULA. And that's it. After booting, in Server Manager you'll see that everything is changed; if you had some settings set, they're now changed.


Now you can again use PsGetSid to check that your OS has new SID.

Thursday, June 3, 2010

Start System Restore from a command prompt in Vista

You can start System Restore from a command prompt window if you can't start your computer in any mode other than safe mode with command prompt.

1. Start your computer in safe mode with command prompt. For more information, see Start your computer in safe mode.

2. At the command prompt, type rstrui.exe, and then press ENTER. Administrator permission is required. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Note

If you use System Restore when the computer is in safe mode, you can't undo the restore operation. However, you can run System Restore again and choose a different restore point if one exists.

How to start System Restore by using the Command prompt

To start System Restore using the Command prompt, follow these steps:
  1. Restart your computer, and then press and hold F8 during the initial startup to start your computer in safe mode with a Command prompt.
  2. Use the arrow keys to select the Safe mode with a Command prompt option.
  3. If you are prompted to select an operating system, use the arrow keys to select the appropriate operating system for your computer, and then press ENTER.
  4. Log on as an administrator or with an account that has administrator credentials.
  5. At the command prompt, type %systemroot%\system32\restore\rstrui.exe, and then press ENTER.
  6. Follow the instructions that appear on the screen to restore your computer to a functional state.

Wednesday, April 21, 2010

Saturday, March 27, 2010

Force Terminal Services Clients to Disconnect when Idle

When you administrate servers running Windows Server 2000 or 2003, one of the most frustrating experiences is when sessions get cut off but the server still thinks they are active. You’ll get this error message, which you are sure to encounter at some point:

The terminal server has exceeded the maximum number of allowed connections.

You can help prevent this from happening by setting a policy on the server to automatically disconnect when idle.

To change this setting, go to Administrative Tools \ Terminal Services Configuration.


Click on Connections in the left hand pane, and then right click RDP-Tcp and select Properties. In the resulting window select the Sessions tab.


Check the boxes for “Override user settings” and change the idle session limit to something reasonable, like an hour. You can set it lower if you’d like.

Change the radio button to “Disconnect from session” when session limit is reached. This will make all sessions automatically mark as disconnected on the server. The session will be saved exactly as it was, but the server will mark it as disconnected so that you can log back into the session again.

Tuesday, March 9, 2010

Maths Tricks - Adding Time

Here is a nice simple way to add hours and minutes together:

Let's add 1 hr and 35 mins and 3 hr 55 mins together.

What you do is this:
make the 1 hr 35 mins into one number, which will give us 135 and do the same for the other number giving us 355

Now you want to add these two numbers together:
135
355
____
490
So we now have a sub total of 490. What you need to do to this and all sub totals is add the time constant of 40.

No matter what the hours and mins are, just add the 40 time constant to the sub total.
490 + 40 = 530

So we can now see our answer is 5 hrs and 30 mins!


Maths Tricks - Multiply by 11

How do we multiply by eleven easily?

First we will try this by writing the answer backwards.

So, when multiplying a large number by 11, the last number of the answer will always be the last number of the sum we are multiplying.

Let me explain.

176 is the number we are multiplying.

So the last number in our answer will be 6. If the sum was 143 the last number in our answer would be 3... get it?

So now what?

Easy, just add the next number to the last number, 7 + 6 = 13

So the next last number will be 3, carry the 1.

Add the 7 and 1 together, giving 8, then add the carried 1, giving 9. Write that number as the next part of our answer: 936.

Then, the last number will be the first number in our sum, in this case 1.

So the answer is 1936.