Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Batch Script’ Category

(2011-10-23) Configuring The NetBIOS Setting On A Windows Computer From The Command Line

Posted by Jorge on 2011-10-23


To configure the NetBIOS settings on any Windows computer you can use one of the following methods.

[Method 1]

Created a batch file and put the following in as its contents. This will target every NIC fulfilling the criteria as mentioned in the first line (the condition) of the FOR statement

@ECHO OFF
CLS
SETLOCAL ENABLEDELAYEDEXPANSION
FOR /F "tokens=*" %%A IN ('REG QUERY "HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces" ^| FIND/I "Tcpip_"') DO (
  SET REGPATH=%%A
  REG ADD "!REGPATH!" /V NetBiosOptions /T REG_DWORD /D 2 /F
)

[Method 2]

Use the following command lines to configure the NetBIOS settings on a per NIC basis. First query for the NetBIOS configuration of each available NIC in the system.

WMIC NICConfig Get Caption,Index,TcpipNetbiosOptions

image

Figure 1: NetBIOS Setting Configuration For Every NIC In The System

To configure the NetBIOS setting on a specific NIC you need to identity the NIC through its index number as shown in figure 1.

WMIC NICConfig Where Index=7 Call SetTcpipNetbios 2

The meaning of the possible values is:

  • 0 –> Use NetBIOS Setting From The DHCP server
  • 1 –> Enable NetBIOS Over TCP/IP
  • 2 –> Disable NetBIOS Over TCP/IP

image

Figure 2: Configuring The NetBIOS Setting O)n The NIC With Index 7 (Intel ® Pro/1000 MT Network Connection)

Check the new value shows

image

Figure 3: NetBIOS Setting Configuration For Every NIC In The System After Changing It For The Targeted NIC

The NIC properties show

image

Figure 4: NetBIOS Setting Configuration For The Targeted NIC After Changing It

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER:

https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

#########

http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Batch Script, Windows Client, Windows Server | Leave a Comment »

(2011-07-10) Transferring And Seizing FSMO Roles Through GUI, Command Line Or PowerShell

Posted by Jorge on 2011-07-10


AD uses a multi-master replication mechanism, meaning that updates can originate on any RWDC. For all kinds of services AD is highly redundant assuming you have more than one RWDC. Within AD some operations cannot operate using the multi-master principle, but rather use the single-master principle to ensure consistency. The roles for those operations are the so called Flexible Single Masters of Operations (FSMO). From a forest perspective two forest wide FSMO roles exist and from a domain perspective three domain wide FSMO roles exist. Below you will find which one is which.

When FSMOs become unavailable, depending on the scenario you may need to transfer or seize the corresponding FSMO role(s). With regards to FSMO role transfer or seizure, please see "Moving FSMO Roles From One DC To Another DC". After a seizure the old FSMO role owner should never be brought online again. It should at least be force demoted while not connected to the network and its metadata in the AD should be cleaned.

To transfer/seize FSMOs through a GUI you can use:

  • AD Schema Management MMC (For Schema FSMO)
  • AD Domain And Trusts MMC (For Domain Naming Master FSMO)
  • AD Users And Computers MMC (For PDC FSMO, RID FSMO and IM FSMO)

If you want to do this through the command line or PowerShell you can also use:

  • NTDSUTIL
    • NTDSUTIL
    • Roles
    • Connections
    • Connect to server <FQDN NEW DC>
    • Quit
    • To Transfer FSMOs
      • Schema FSMO –> Transfer schema master
      • Domain Naming FSMO –> Transfer naming master
      • PDC FSMO –> Transfer PDC
      • RID FSMO –> Transfer RID master
      • Infrastructure FSMO –> Transfer infrastructure master
    • To Seize FSMOs
      • Schema FSMO –> Seize schema master
      • Domain Naming FSMO –> Seize naming master
      • PDC FSMO –> Seize PDC
      • RID FSMO –> Seize RID master
      • Infrastructure FSMO –> Seize infrastructure master
    • Quit
    • Quit
  • ADMOD
    • To Transfer FSMOs
      • Schema FSMO (leverages "becomeSchemaMaster" operational attribute) –> ADMOD [-h <FQDN NEW DC>] -sc xferschema
      • Domain Naming FSMO (leverages "becomeDomainMaster" operational attribute) –> ADMOD [-h <FQDN NEW DC>] -sc xferdm
      • PDC FSMO (leverages "becomePdc" operational attribute) –> ADMOD [-h <FQDN NEW DC>] -sc xferpdc:<domain SID> (<domain SID> can be found on the rooDSE of any DC in the objectSid attribute)
      • RID FSMO (leverages "becomeRidMaster" operational attribute) –> ADMOD [-h <FQDN NEW DC>] -sc xferrid
      • IM FSMO (leverages "becomeInfrastructureMaster" operational attribute) –> ADMOD [-h <FQDN NEW DC>] -sc xferim
    • To Seize FSMOs
      • Schema FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> ADMOD [-h <FQDN NEW DC>] -b "CN=Schema,CN=Configuration,DC=<forest root domain>,DC=<tld>" "fSMORoleOwner::CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>"
      • Domain Naming FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> ADMOD [-h <FQDN NEW DC>] -b "CN=Partitions,CN=Configuration,DC=<forest root domain>,DC=<tld>" "fSMORoleOwner::CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>"
      • PDC FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> ADMOD [-h <FQDN NEW DC>] -b "DC=<domain>,DC=<tld>" "fSMORoleOwner::CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>"
      • RID FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> ADMOD [-h <FQDN NEW DC>] -b "CN=RID Manager$,CN=System,DC=<domain>,DC=<tld>" "fSMORoleOwner::CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>"
      • IM FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> ADMOD [-h <FQDN NEW DC>] -b "CN=Infrastructure,DC=<domain>,DC=<tld>" "fSMORoleOwner::CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>"
  • Regular PowerShell CMDlets (leveraging ADSI)
    • To Transfer FSMOs
      • $objRootDSE = [ADSI]"LDAP://<FQDN NEW DC>/rootDSE"
      • Schema FSMO (leverages "becomeSchemaMaster" operational attribute) –> $objRootDSE.Put("becomeSchemaMaster", "1")
      • Domain Naming FSMO (leverages "becomeDomainMaster" operational attribute) –> $objRootDSE.Put("becomeDomainMaster", "1")
      • PDC FSMO (leverages "becomePdc" operational attribute) –> $objRootDSE.Put("becomePdc", (([adsi]"").objectsid)[0])
      • RID FSMO (leverages "becomeRidMaster" operational attribute) –> $objRootDSE.Put("becomeRidMaster", "1")
      • Infrastructure FSMO (leverages "becomeInfrastructureMaster" operational attribute) –> $objRootDSE.Put("becomeInfrastructureMaster", "1")
      • $objRootDSE.SetInfo()
    • To Seize FSMOs
      • Schema FSMO (just hijacks the attribute by writing new attribute value, no checks performed)
        • $objDN = [ADSI]"LDAP://<FQDN NEW DC>/CN=Schema,CN=Configuration,DC=<forest root domain>,DC=<tld>"
        • $objDN.Put("fSMORoleOwner", "CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>")
        • $objDN.SetInfo()
      • Domain Naming FSMO (just hijacks the attribute by writing new attribute value, no checks performed)
        • $objDN = [ADSI]"LDAP://<FQDN NEW DC>/CN=Partitions,CN=Configuration,DC=<forest root domain>,DC=<tld>"
        • $objDN.Put("fSMORoleOwner", "CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>")
        • $objDN.SetInfo()
      • PDC FSMO (just hijacks the attribute by writing new attribute value, no checks performed)
        • $objDN = [ADSI]"LDAP://<FQDN NEW DC>/DC=<domain>,DC=<tld>"
        • $objDN.Put("fSMORoleOwner", "CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>")
        • $objDN.SetInfo()
      • RID FSMO (just hijacks the attribute by writing new attribute value, no checks performed)
        • $objDN = [ADSI]"LDAP://<FQDN NEW DC>/CN=RID Manager$,CN=System,DC=<domain>,DC=<tld>"
        • $objDN.Put("fSMORoleOwner", "CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>")
        • $objDN.SetInfo()
      • IM FSMO (just hijacks the attribute by writing new attribute value, no checks performed)
        • $objDN = [ADSI]"LDAP://<FQDN NEW DC>/CN=Infrastructure,DC=<domain>,DC=<tld>"
        • $objDN.Put("fSMORoleOwner", "CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>")
        • $objDN.SetInfo()
  • W2K8R2 AD PowerShell CMDlets
    • Import-Module ActiveDirectory
    • To Transfer FSMOs
      • Schema FSMO –> Move-ADDirectoryServerOperationMasterRole -Identity <FQDN NEW DC> -OperationMasterRole SchemaMaster
      • Domain Naming FSMO –> Move-ADDirectoryServerOperationMasterRole -Identity <FQDN NEW DC> -OperationMasterRole DomainNamingMaster
      • PDC FSMO –> Move-ADDirectoryServerOperationMasterRole -Identity <FQDN NEW DC> -OperationMasterRole PDCEmulator
      • RID FSMO –> Move-ADDirectoryServerOperationMasterRole -Identity <FQDN NEW DC> -OperationMasterRole RIDMaster
      • Infrastructure FSMO –> Move-ADDirectoryServerOperationMasterRole -Identity <FQDN NEW DC> -OperationMasterRole InfrastructureMaster
    • To Seize FSMOs
      • Schema FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-ADObject [-Server <FQDN NEW DC>] -Identity "CN=Schema,CN=Configuration,DC=<forest root domain>,DC=<tld>" -Replace @{fSMORoleOwner=’CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>’}
      • Domain Naming FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-ADObject [-Server <FQDN NEW DC>] -Identity "CN=Partitions,CN=Configuration,DC=<forest root domain>,DC=<tld>" -Replace @{fSMORoleOwner=’CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>’}
      • PDC FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-ADObject [-Server <FQDN NEW DC>] -Identity "DC=<domain>,DC=<tld>" -Replace @{fSMORoleOwner=’CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>’}
      • RID FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-ADObject [-Server <FQDN NEW DC>] -Identity "CN=RID Manager$,CN=System,DC=<domain>,DC=<tld>" -Replace @{fSMORoleOwner=’CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>’}
      • IM FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-ADObject [-Server <FQDN NEW DC>] -Identity "CN=Infrastructure,DC=<domain>,DC=<tld>" -Replace @{fSMORoleOwner=’CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>’}
  • Quest AD PowerShell CMDlets
    • Add-PSSnapin Quest.ActiveRoles.ADManagement
    • To Transfer FSMOs
      • I have not been able to achieve this with the Quest PowerShell CMDlets. Use the regular PowerShell CMDlets instead which leverage ADSI (see above)
    • To Seize FSMOs
      • Schema FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-QADObject -Identity "CN=Schema,CN=Configuration,DC=<forest root domain>,DC=<tld>" -ObjectAttributes @{fSMORoleOwner=’CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>’}
      • Domain Naming FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-QADObject -Identity "CN=Partitions,CN=Configuration,DC=<forest root domain>,DC=<tld>" -ObjectAttributes @{fSMORoleOwner=’CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>’}
      • PDC FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-ADObject -Identity "DC=<domain>,DC=<tld>" -ObjectAttributes @{fSMORoleOwner=’CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>’}
      • RID FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-ADObject -Identity "CN=RID Manager$,CN=System,DC=<domain>,DC=<tld>" -ObjectAttributes @{fSMORoleOwner=’CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>’}
      • IM FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-ADObject -Identity "CN=Infrastructure,DC=<domain>,DC=<tld>" -ObjectAttributes @{fSMORoleOwner=’CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<domain>,DC=<tld>’}

For more information about FSMO roles see "Operations master roles" and "FSMO Roles".

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Batch Script, FSMO, PowerShell, Tooling/Scripting, VB Script | 1 Comment »

(2006-11-15) Finding Unused GPOs

Posted by Jorge on 2006-11-15


In time you may have gone crazy and created and used a lot of GPOs. Some may be disabled, not be linked, be orphaned in the SYSVOL or not have any setting configured. So how can you check which GPO does meets the criteria mentioned above without going into some GUI and check each and every GPO?

The answer is easy! GPMC is your friend! 😉

To find disabled GPOs in the AD domain (FindDisabledGPOs.wsf)

  • This will output all GPOs in the AD domain that are completely disabled, only computer is disabled or only user part is disabled
    • cscript FindDisabledGPOs.wsf /domain:<FQDN AD domain>

To find unlinked GPOs in the AD domain (FindUnlinkedGPOs.wsf)

  • This will output all GPOs in the AD domain that are not linked to any OU within the AD domain or the AD domain itself. It will not check sites or other AD domains in the forest.
    • cscript FindUnlinkedGPOs.wsf /domain:<FQDN AD domain>

To find unlinked GPOs in the AD domain (FindOrphanedGPOsInSYSVOL.wsf)

  • This will output all GPOs that exist in the SYSVOL but not in the AD domain anymore.
    • cscript FindOrphanedGPOsInSYSVOL.wsf /domain:<FQDN AD domain>

To find GPOs with NO settings defined in both the computer part and user part (GetReportsForAllGPOs.wsf)

  • This will create a report for EACH GPO in the AD domain (HTML and XML files).
    • cscript GetReportsForAllGPOs.wsf <location for reports> /domain:<FQDN AD domain>
  • The following wil check each HTML file for the string "No Settings Defined" and when found it will output the name of the GPO into the TXT file. Put the script in the same location as the GPO reports. Each GPO that lists "No Settings Defined" TWICE has no GPO settings configured.
    • GPOsWithSettingsOrNot.CMD (see contents of script below)
      • @ECHO OFF
      • CLS
      • IF EXIST "GPOsWithSettingsOrNot.txt" (DEL GPOsWithSettingsOrNot.txt)
      • FOR /F "tokens=*" %%A IN (‘DIR /B "*.HTML"’) DO (
      • FIND /i "No settings defined" "%%A" >> GPOsWithSettingsOrNot.txt
      • )
      • NOTEPAD GPOsWithSettingsOrNot.txt

The output of "GPOsWithSettingsOrNot.txt" looks like (red colored GPOs have no GPO Settings defined in both computer and user part):

———- CLIENTS POLICY.HTML

———- CUSTOM DOMAIN CONTROLLERS POLICY.HTML

———- DEFAULT DOMAIN CONTROLLERS POLICY.HTML
<div class="container"><div class="he4i">No settings defined.</div></div>

———- DEFAULT DOMAIN POLICY.HTML

———- DEFRAG SETTINGS.HTML
<div class="container"><div class="he4i">No settings defined.</div></div>

———- MEMBER SERVERS POLICY.HTML

———- NEW GROUP POLICY OBJECT.HTML
<div class="container"><div class="he4i">No settings defined.</div></div>
<div class="container"><div class="he4i">No settings defined.</div></div>

———- TEST.HTML
<div class="container"><div class="he4i">No settings defined.</div></div>
<div class="container"><div class="he4i">No settings defined.</div></div>

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Batch Script, VB Script | Leave a Comment »

(2006-05-17) Large Integers And VBS Or BATCH

Posted by Jorge on 2006-05-17


For a script I was writing, I needed to work with large integers.

 

Example code in VBS was to compare very large numeric numbers:

Dim LargestValue
LargestValue=0
AR = Array("134234","22342399999999999994","9","555555555577698","6","5")
For l = 0 to UBound(AR)
    If LargestValue < Int(AR(l)) then
       LargestValue = Int(AR(l))
    End If
Next
wscript.echo LargestValue

As you can see 22342399999999999994 is the largest value and it should be returned as such. Well it does, almost…

However, it does not say (and that is what I would like!):

22342399999999999994

but it says:

2.23424E+19

As soon as a numeric value gets a certain size it converts it to x.xxxxE+y

Example code in VBS was to compare very large numeric numbers:

@ECHO OFF
CLS
SETLOCAL ENABLEDELAYEDEXPANSION
SET LargestValue=0
FOR /F %%I IN (NUMBERS.TXT) DO (
 IF /I !LargestValue! LSS %%I (
  SET LargestValue=%%I
 )
)
ECHO !LargestValue!

In this case it does return the largest value as I want…

So I thought, lets do it in batch. So before continuing I thought "let’s do another test of creating an addition of very large numbers". The code would look like:

@ECHO OFF
CLS
SETLOCAL ENABLEDELAYEDEXPANSION
SET NUMBER1=4611689999999999999
SET NUMBER2=500000
SET /A NUMBERTOTAL=%NUMBER1% ++ %NUMBER2%
ECHO %NUMBERTOTAL%

now guess what the output was!….

it was:

Invalid number.  Numbers are limited to 32-bits of precision.

 

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Batch Script, Field Experiences, VB Script | 2 Comments »