Wednesday, July 17, 2013

The Poor Man's Site Management Tools

If you're an "I.T. Guy" you know about PS Tools from SysInternals (now part of Microsoft). These tools offer great power for remote administration and with great power comes great responsibility so please be aware of whose life and livelihood you're affecting when you perform remote tasks. There are some built-in tools that can make life easy, as long as you've prepared for it.

To prepare for this, your PCs should be similar, if not the same. The consistency of the PCs is a huge benefit, but don't let minor variations bother you, simply ensure that the account (AD account and local support account) are available and consistent across your organisation. I don't recommend giving your helpdesk staff "local admin" capabilities, but find that giving them an alternate account with super-powers that is not their default login is best. For example, John Doe's account is jdoe, but his admin account may be a-jdoe. Only the "a-" User ID has the abilities to add a computer to the domain, and is the local admin for user PCs. Separating this out offers some degree of auditing and not sharing passwords on these premium service accounts.

Generic accounts are NEVER preferred. Your account is your identity, you should never impersonate anyone, nor should you share your identity (user ID and credentials) with others.

Okay, sorry about the security lecture.

What I want to show you is how I use Windows tools to gather and distribute information to people across my office.

Collecting PC names:
@echo off
SET IPRoot=172.25.117.
SET iSubNet=1
IF NOT EXIST newPCList.csv ECHO "COMPUTERNAME", "MAC Address", "IP Address" > newPCList.csv
IF NOT EXIST newPCList.txt ECHO COMPUTERNAME > newPCList.txt
IF NOT EXIST newPCList.txt ECHO ============ > newPCList.txt
:START
SET /A iSubNet=%iSubNet% + 1
Echo Checking IP [%IPRoot%%iSubNet%]:
SET IPAddress=%IPRoot%%iSubNet%
NBTSTAT -A %IPRoot%%iSubNet% > fpcdata.txt
::echo Err: %ERRORLEVEL%
FOR /F "tokens=1,2,3,4* delims=<> " %%a in (fpcdata.txt) do call :subPI %%a %%b %%c %%d %%e
IF /I 0%iSubNet% LSS 255 GOTO START
GOTO :END
:subPI
SET varX=%2
SET varY=%1
set varW=%3
::ECHO DATA: 1:%1 2:%2 3:%3 4:%4 5:%5
::IF "%varX%"=="20" echo COMPUTERNAME: %varY% %IPAddress%
IF "%varX%"=="20" SET CN=%varY%
IF "%varX%"=="Address" echo %CN% [%varW%/%IPAddress%]
IF "%varX%"=="Address" echo %CN%, %varW%, %IPAddress% >> newPCList.csv
IF "%varX%"=="Address" echo %CN% >> newPCList.txt
::IF "%varX%"=="Address" pause
goto :eof
:END
goto :eof
This .cmd (batch) file scans the IP Address range my PCs are on, collects some essential information from the NBTSTAT.EXE program, and creates a .txt file and .csv listing the PCs found. This expects the PCs to be on, of course, but the result is a fairly accurate count of PCs on the network and a workable list to go from.

So, I have a list of PCs. What do I do now?

 Having a list is not the end of it, in fact you may need to run that routine over a few days then remove the duplicates from the list to get an accurate picture. Either way, after the list is complete you need to be able to work with all of those PCs. I have a batch file for that:
@echo off
SET target=\\%1\C$\ITAdmin\
FOR /F "skip=1" %%a in (newPCList.txt) do call :updatePC %%a
goto :eof
:updatePC
IF NOT EXIST \\%1\C$ GOTO :PCNotFound
IF EXIST \\%1\C$\Users GOTO :Win7
:WinXP
echo %1 is WinXP
goto :doUpdate
:Win7
echo %1 is Win7
goto :doUpdate
:doUpdate
IF NOT EXIST %target% MKDIR %target%
IF NOT EXIST %target%scripts MKDIR %target%scripts
ROBOCOPY deployme\setup %target%setup /XO /E /Z /MIR /R:3 /W:5
ROBOCOPY deployme\scripts %target%scripts /XO /E /Z /MIR /R:3 /W:5
REG ADD \\%1\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v PCInventory /f /d "C:\ITAdmin\scripts\WritePCInfo.vbs"
ECHO %DATE% %TIME%> %target%LastUpdate.txt
goto :eof
:PCNotFound
echo %DATE% %TIME%, %1 >> PCFailed.LOG
echo PC inaccessible: %1
goto :eof
(more to come...)
at No comments:

Monday, July 01, 2013

Streamlining The Logon Script

I am a firm believer in using groups to define rights and access, some people go over the top on this because they lack logical thinking, or the time to determine the logic required, but rights and access should ALWAYS (read as 'as much as possible) be handled by group membership.

To that end whether through the GPO, or the NETLOGON method of calling a logon script, group membership can determine what resources you connect to (i.e. printers and drive letters), as archaic as the drive letter is, it is still a logical manner for people to find their stuff. This topic may get covered by my other blog "My Life in I.T.," (http://bankingonthechaos.wordpress.com/) from a higher altitude, this blog covers what I believe is a streamlined logon script that can be implemented with simplicity and should run fairly quickly.

@echo off
:: net time /setsntp:192.168.10.99
:: net time /domain:mydomain /set /yes

cscript [full UNC path to script]LoginScript.vbs

Firstly, I tried to conform to the ideals of my current employer when I started this process, so the use of a command (.cmd) batch file is simply fluff, the commands, all two of them, might be best executed through calls from VBScript, but frankly they're remarked out ('::') anyway. Pointless lines in a pointless file. I don't have the rights to a test environment at present so I simply mimicked the NETLOGON methodology because the "powers that be" don't like to share information.

So, we can ignore the .cmd file and call cscript.exe, the command-line variant of wscript.exe, to execute the logon script.

The Script: LoginScript.vbs
' ====== Meatballs, the Logon Script in VBScript
' ====== By: C. Stevens, April 12th, 2013
' ====== Last Modified: 20130412 - evens
On Error Resume Next
set objShell = WScript.CreateObject( "WScript.Shell" )
Set objNetwork = CreateObject("WScript.Network")
Dim groupListD
Meatballs ' --------------- This is the main routine
Set objShell = Nothing
Set objNetwork = Nothing
WScript.Quit ' -------------------------------- END
This is simply clean, a good start, and a defined variable. We now define the routine I call Spaghetti, it's the substance of the meal, er, script. It's the functional part of making things easy to use, and re-use. This is what get's customized to your needs.
Sub Spaghetti
wscript.echo "-------------------------------------------"
wscript.echo "Making drives/printer connections..."
' ===== LOGIN MAPPINGS: START
' ---- DO NOT MODIFY ABOVE THIS LINE ----
 ~ STUFF ~
' ---- DO NOT MODIFY BELOW THIS LINE ----
' ===== LOGIN MAPPINGS: END
End Sub
We'll get to the "Stuff" later. This is like adding Parmesan Cheese to the meal, it's last and added to taste. What any great plate of Spaghetti needs is Meatballs! In reality you start with great meatballs, the pasta is just an excuse to have them, so you may notice we actually start by calling Meatballs, when then adds Spaghetti, or your past of choice.

Sub Meatballs
 ADSPath = EnvString("userdomain") & "/" & EnvString("username")
 Set userPath = GetObject("WinNT://" & ADSPath & ",user")
 wscript.echo ADSPath & " group membership:"
 wscript.echo "-------------------------------------------"
 If IsEmpty(groupListD) then
  Set groupListD = CreateObject("Scripting.Dictionary")
  groupListD.CompareMode = TextCompare
  For Each listGroup in userPath.Groups
   groupListD.Add listGroup.Name, "-"
   wscript.echo " " & listGroup.Name, "-"
  Next
 End if

 Spaghetti ' calls the Spaghetti routine. 

End Sub
 Meatballs' purpose is to retrieve the list of groups the user has from AD, build the list into a dictionary item called groupListD, then call the Spaghetti routine to work out the Stuff we need to connect for the user. Before we can top this meal off with cheese, we need some helpers in place, subroutines and functions that we'll use in Spaghetti to attach to the resources.

' *****************************************************
' This function returns a particular environment variable's value.
' for example, if you use EnvString("username"), it would return
' the value of %username%.
Function EnvString(variable)
  variable = "%" & variable & "%"
  EnvString = objShell.ExpandEnvironmentStrings(variable)
End Function

' *****************************************************
' This function connects a particular drive letter to the 
' specified UNC path. If the drive letter is already 
' connected to another UNC connection it will disconnect it
' and then try again using the function 'driveAlreadyConnected'
Sub ConnectDrive(driveLetter, UNCpath)
 ' Map network drive script
 driveLetter=left(driveLetter,1) & ":"
 if driveAlreadyConnected(driveLetter) then
  'wscript.echo "Already Connected to " & driveLetter
  objNetwork.RemoveNetworkDrive driveLetter
 end if
 objNetwork.MapNetworkDrive driveLetter, UNCPath, True
 if driveAlreadyConnected(driveLetter) then
  wscript.echo driveLetter & "... OK"
 else
  wscript.echo driveLetter & "... Failed!"
 end if
end Sub

' *****************************************************
' This function will check if the drive letter is in use and
' attempt to disconnect it, allowing for the desired connection
' be replace it. It is used by the ConnectDrive routine.
Function driveAlreadyConnected(strDL)
 Set CheckDrive = objNetwork.EnumNetworkDrives()
 driveAlreadyConnected = False
 For intDrive = 0 To CheckDrive.Count - 1 Step 2
  If CheckDrive.Item(intDrive) = strDL Then
   driveAlreadyConnected = True
  end if
 Next 
end Function
Don't sweat the small stuff...

The Stuff we ignored earlier fits between those two lines:
' ---- DO NOT MODIFY ABOVE THIS LINE ----
 and
' ---- DO NOT MODIFY BELOW THIS LINE ---- 
This is where the logic your organisation needs, your group memberships for the current user, will determine what resources they will be connected to. In the following example the group membership is by location. Frankly you could determine the location by IP Address if you have good information to go by, but in this example we'll use group membership. For the user's that are members of the Halifax group this is their code.
' HALIFAX
If CBool(groupListD.Exists(" Halifax Users")) then
 wscript.echo "Connecting Drive (HAL) G:, S:, KL..."
 ConnectDrive "G:", "\\halfile.mydomain.com\Groups"
 ConnectDrive "S:", "\\halfile.mydomain.com\Shared"
 ConnectDrive "K:", "\\FS01.mydomain.com\Shared"
 ConnectDrive "L:", "\\FS01.mydomain.com\Group"
end if
You can see how it works, it is downright simple. the wscript.echo is unnecessary and more for you and I reading the code, or during testing. The IF... THEN is the key to determining membership. It reads as, "if the groupListD list created earlier using Meatballs, contains the group "Halifax Users", then connect these drives."

You can add sections like this for each location, and it the beauty of Meatballs is it only checks with AD once, to grab the list of groups, the rest is simply a searching a local variable array (dictionary object).
' MONTREAL
If CBool(groupListD.Exists(" Montreal Users")) then
 wscript.echo "Connecting Drive (MTL) G:, S:, K:, L:, N:..."
 ConnectDrive "G:", "\\mtlfile.mydomain.com\Group"
 ConnectDrive "S:", "\\mtlfile.mydomain.com\Shared"
 ConnectDrive "K:", "\\FS01.mydomain.com\Shared"
 ConnectDrive "L:", "\\FS01.mydomain.com\Group"
 ConnectDrive "N:", "\\halfile.mydomain.com\Shared"
end if

' TORONTO (320 Bay Street Users)
If CBool(groupListD.Exists(" 320 Bay Users")) then
 wscript.echo "Connecting Drive (TOR) G: and S:..."
 ConnectDrive "G:", "\\FS01\Group"
 ConnectDrive "S:", "\\FS01\Shared"
end if
If you have specialty connections for certain roles that are not location based, but still based on group membership, add them in the same manner:
' ------ SPECIAL Connections
' ------ Human Resources (I: Drive)
If CBool(groupListD.Exists("Human Resources")) then
 wscript.echo "Connecting Drive H:..."
 ConnectDrive "H:", "\\FS01\HR"
end if
' --------------------------------------------- SPECIAL PROJECTS(M: Drive)
If CBool(groupListD.Exists("SPECIALProjects RW")) then
 wscript.echo "Connecting Drive M:..."
 ConnectDrive "M:", "\\FS01\CSTSpecial"
end if
If CBool(groupListD.Exists("SPECIALProjects RO")) then
 wscript.echo "Connecting Drive M:..."
 ConnectDrive "M:", "\\FS01\CSTSpecial"
end if

You can even add printers, though I do hope you have print servers in place in this case. You can make them location based selecting a local print server versus a remote one, or even the printer that's local to the site. Take some time to determine location based on other information, perhaps even the logon server and you can ensure the local printer is connected rather than one back home.

' ------ Connecting Printers -------------
' Example... These connections can take a while and slow down 
' the "logon" process.
' Note: This will not duplicate printers for the user.
objNetwork.AddWindowsPrinterConnection "\\PrintServer01\torORANGE01P"
objNetwork.SetDefaultPrinter "\\PrintServer01\torORANGE01P"

Anyway, that's my logon script in VB based on group memberships
at No comments:
Subscribe to: Posts (Atom)

There is no individual ownership when you are part of a team, it's the sum of the parts that makes you the RESILIENT team you need to be. 

  • Tired of loading that HP Photo and Imaging Director?
    You can eliminate the use of this middle-man tool by creating Desktop or Quick Launch toolbar shortcuts to the actual program easily, but it...
  • Powershell - Parsing Email Addresses
    I'll be honest, I'm not the best at RegEx but it's an incredible tool for breaking down data. If I used it every day I would lik...
  • (no title)
    There is no individual ownership when you are part of a team, it's the sum of the parts that makes you the RESILIENT team you need to be.