Sunday, January 09, 2005

COMMAND Scripted Tools for Network Administration

This is a very long post, sorry.

The following are tools useful for security or administrative work. They consist of Windows 2000 or Windows NT Resource Kit tools wrapped in CMD (batch) files. Please use all due care when connecting to remote systems to minimize impact and risk: most of these run with your own (typically Domain Admin) credentials, so a typo in a computer name or user ID acts on the wrong target with full rights. You must acquire the Resource Kits on your own.


CMD: Finding a PC on the network.

This uses the NET command to find a machine matching criteria. If you're looking for Bob Jackson's computer (JACKSONB01) you might type 'FINDSYS jack' to return a list. If you do not include a parameter, it will prompt for the partial.

FINDSYS.CMD
@echo off
REM Accept the partial name on the command line, or prompt for it.
SET userid=%1
if "%userid%" == "" SET /P userid=Please enter the user's ID or partial name:
REM NET VIEW lists the browse list; FIND /I does a case-insensitive substring match.
net view | find /I "%userid%" > %temp%\finduser.txt
start notepad %temp%\finduser.txt

CMD: Creating a User's Network Drive (F:)

This tool was created because the administrative function of creating an F drive takes time best spent doing other things. The user must already exist, but once the account exists this process takes only seconds and can be given to anyone with the authority to resolve such problems or oversights.

CREATEF.CMD
@echo off
IF "%1" == "" GOTO SYNTAX
IF "%2" == "" GOTO SYNTAX
REM showgrps prints "Invalid User Specified" for an unknown account. FIND sets
REM ERRORLEVEL 1 when that text is absent, i.e. when the user exists.
showgrps tcidmnnt\%1 | FIND /i "Invalid User Specified"
IF ERRORLEVEL 1 GOTO userfound
goto nouser
:userfound
mkdir \\servername\f$\users\%1
REM /E edits the existing ACL instead of replacing it; /G grants the user Full Control.
cacls \\servername\f$\users\%1 /E /G %1:F
rmtshare \\servername\%1=f:\users\%1 /GRANT everyone:"Full Control" /REMARK:"by %username% on V#:%2"
DATE /T >> "\\servername\userdata\support\FDRIVE.LOG"
TIME /T >> "\\servername\userdata\support\FDRIVE.LOG"
echo Create F: Drive: %2 %1 >> "\\servername\userdata\support\FDRIVE.LOG"
echo Done.
showacls \\servername\f$\users\%1
goto end
:SYNTAX
echo Please use syntax: createf.cmd userid ticket#
goto end
:nouser
echo ERROR: User (%1) not found.
goto end
:end
pause

This tool can be used from Start > Run or the command line and will create the F drive for a new user. You may need to wait half an hour after creating the account for the server to know who the new user is. The syntax is 'CREATEF userid 00000' where 00000 is the Help Desk ticket number. This requires Domain Admin or equivalent rights on the server, cacls.exe (included with Windows) and the NT Resource Kit tools rmtshare.exe, showgrps.exe and showacls.exe. Two things to watch. The first version of this script tested 'if errorlevel == 1', which compares the literal word 'errorlevel' with '1' and never matches, so every user was reported as not found; the correct form is 'IF ERRORLEVEL 1'. And because the share is granted to Everyone:Full Control, the only thing keeping other users out of the folder is the NTFS ACL that cacls sets, so read the showacls output before handing the drive over (or grant the share to the user alone instead of Everyone).

CMD: Make Remote Shares

Occasionally I need to access a system that does not have the default shares (C$, D$, etc.). To make the connection process simple, MKSHARES.CMD will establish the shares temporarily (until the next reboot). The syntax is 'MKSHARES computername'. Some machines do not have a D:, E: or Y: drive; the shares for drives that do exist are created and the others fail harmlessly. Note that a share you create yourself and name c$ is only a hidden share, not the built-in administrative share: unless you pass /GRANT it gets rmtshare's default permissions, so grant it to Administrators only, and remove it with 'rmtshare \\computername\c$ /d' when you are finished rather than waiting for the reboot. If the default shares are missing because someone disabled them on purpose, find out why before re-creating them.

MKSHARES.CMD
@echo off
REM Hidden shares of each fixed drive; a drive that does not exist just fails.
REM Grant Administrators only: a share you name c$ yourself does not get the
REM built-in administrative share's admin-only behaviour.
rmtshare \\%1\c$=c:\ /GRANT Administrators:"Full Control"
rmtshare \\%1\d$=d:\ /GRANT Administrators:"Full Control"
rmtshare \\%1\e$=e:\ /GRANT Administrators:"Full Control"
rmtshare \\%1\y$=y:\ /GRANT Administrators:"Full Control"

CMD: F Drive Clean Up Tool

This is a tool designed to let you find those old and unused folders of users long gone. It lists the members of 'Domain Users' and reports the home folders whose names do not match any account. An orphaned folder still carries the departed user's data and whatever ACL it had, so review each one and archive or remove it rather than leaving it on the share. One detail matters for the comparison: the check must match the whole account name, not a substring, or a folder called BOB passes as long as some account like BOBBY exists (and the header line of the member list would match a folder called GROUP).

KLEENUP.CMD
@echo off
Title F Drive Kleen-Up
echo Querying Domain...
echo Folders without Users > fldrlist.txt
REM Member list of Domain Users; FIND /V "$" drops computer accounts (names ending in $).
showmbrs "tcidmnnt\domain users" | FIND /V "$" | SORT /O %TEMP%\DOMAINU.TXT
echo Checking F Drives...
dir \\servername\f$\users /a:d /b > %TEMP%\usrfldrs.txt
echo Analyzing...
for /f %%u in (%TEMP%\usrfldrs.txt) do call chk4usr %%u
cls
start notepad fldrlist.txt
start \\servername\f$\users

CHK4USR.CMD
@echo off
REM FINDSTR /X requires a whole-line match, so a folder named BOB is not
REM accepted just because an account BOBBY exists (plain FIND did a substring
REM match). This assumes showmbrs prints one bare account name per line.
type %TEMP%\DOMAINU.TXT | FINDSTR /I /X /C:"%1"
IF ERRORLEVEL 1 GOTO NOTFOUND
GOTO END
:NOTFOUND
echo %1 (Extra Folder)
echo %1 >> fldrlist.txt
GOTO END
:END
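The same orphan check in Python, as an added example rather than the post's own script (the CMD version is what you would actually run on the server; this one just makes the matching logic easy to test). The showmbrs output format is assumed: a header line, then one account per line, computer accounts ending in '$'. The member list and folder names are constructed, and the function shows both the whole-name comparison and the substring comparison that the original CHK4USR used, so you can see what the latter misses.

```python
"""Orphaned home-folder check (KLEENUP/CHK4USR logic) with exact matching.

Added example, not the post's script. showmbrs output format is assumed:
one account per line after a header, computer accounts ending in '$'.
"""


def parse_showmbrs(output):
    """Return the user accounts (lower-cased) from showmbrs-style output.

    Skips the header line, blank lines and computer accounts (names ending
    in $), mirroring the FIND /V "$" filter in the batch file. Either
    'DOMAIN\\name' or a bare 'name' is accepted. Names are lower-cased
    because Windows account and folder names are case-insensitive.
    """
    members = set()
    for line in output.splitlines()[1:]:
        name = line.strip()
        if not name or name.endswith("$"):
            continue
        members.add(name.rsplit("\\", 1)[-1].lower())
    return members


def orphaned_folders(folders, members, exact=True):
    """Folders with no matching account, sorted.

    exact=True compares whole names (the correct check). exact=False
    reproduces the substring test 'FIND /I "%1"' of the original CHK4USR,
    which lets a folder BOB pass as long as some account contains 'bob'.
    """
    orphans = []
    for folder in folders:
        f = folder.lower()
        found = f in members if exact else any(f in m for m in members)
        if not found:
            orphans.append(folder)
    return sorted(orphans)


# Constructed sample data: what showmbrs and "dir /a:d /b" might print.
SHOWMBRS_OUTPUT = """Members of group tcidmnnt\\domain users:
TCIDMNNT\\Administrator
TCIDMNNT\\jacksonb01
TCIDMNNT\\bobby
TCIDMNNT\\WKS-0042$
"""
USER_FOLDERS = ["jacksonb01", "bob", "bobby", "smithj02", "WKS-0042"]


def demo():
    """Run both comparisons over the constructed sample."""
    members = parse_showmbrs(SHOWMBRS_OUTPUT)
    return {
        "exact": orphaned_folders(USER_FOLDERS, members, exact=True),
        "substring": orphaned_folders(USER_FOLDERS, members, exact=False),
    }


if __name__ == "__main__":
    for mode, orphans in demo().items():
        print(f"{mode:>9}: {orphans}")
```

With the sample data the exact comparison reports bob, smithj02 and WKS-0042; the substring comparison silently keeps bob because bobby exists.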

CMD: Checking a Remote Computer for Welchia Virus

This one is more for virus hunting. When a remote machine has been acting like a Welchia host, this tool helps determine the worm's presence in a non-invasive manner; once presence is confirmed, removal can proceed through remote control or manual clean-up. It needs the NT Resource Kit tool rmtshare.exe; put it in the SystemRoot folder or anywhere else on the PATH. The labels 'found1' and 'found2' represent two strains of Welchia, the later one (the drivers\svchost.exe variant) hitting in mid-February (2004). Two cautions. The share the script creates exposes the remote System32 folder with rmtshare's default permissions until the last line deletes it again, so let the script run to the end rather than breaking out at the pause. And the test is by file name only: treat a hit as a lead to confirm with your antivirus scanner, not a verdict (a WINS server legitimately has a wins folder under System32). The first version of the script also branched to found1 for both tests, so the found2 listing was never reached.

CHK4WELCHIA.CMD
@echo off
REM Share the remote System32 folder temporarily so the files can be checked
REM without logging on to the box. Assumes C:\WINNT is the system root there.
rmtshare %1\welchia$=c:\winnt\system32
if exist %1\welchia$\wins\*.* goto found1
if exist %1\welchia$\drivers\svchost.exe goto found2
goto end
:found1
dir %1\welchia$\wins\*.*
pause
goto end
:found2
dir %1\welchia$\drivers\svchost.exe
pause
:end
REM Always remove the temporary share, infected or not.
rmtshare %1\welchia$ /d

Syntax:
CHK4WELCHIA \\computername

Try this command line (typed at a prompt, so the loop variable is %a; inside a batch file it would be %%a):

for /F %a in ('net view ^| find "\\"') do call CHK4WELCHIA %a

The FIND keeps only the lines of NET VIEW output that contain a computer name; a plain 'skip=1' version also feeds the dashed separator line and the first word of "The command completed successfully." to the script. This should search through every machine on your network that's visible with NET VIEW and test for Welchia. An alternate and more raw test would be the following:

for /F %a in ('net view ^| find "\\"') do IF EXIST %a\c$\winnt\system32\drivers\svchost.exe echo %a >> E:\targets.txt

This logs the hunt to a file. Any infected PC is noted and your staff can hunt these systems down and clean them up. The sweep relies on the C$ share and your admin rights on every host, and this form checks only for the February variant; hosts that are switched off, not in the browse list, or running with a different system root (C:\WINDOWS on XP) are silently skipped, so an empty targets.txt is not proof of a clean network. The best protection is up-to-date antivirus.
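An added example (not the post's script) of the same two indicator checks as a small sweep in Python, which you could point at the temporary welchia$ share, at \\host\c$\winnt\system32, or at a mounted disk image. The point it adds over the IF EXIST one-liner is that an unreachable host is reported as unreachable instead of counting as clean. The indicator paths are the ones the post names; the hosts and files that demo() builds are constructed for illustration.

```python
"""File-name indicator sweep for the two Welchia variants described above.

Added example, not the post's script. It walks a local or mounted System32
folder and reports which indicators are present, without creating shares.
Indicator paths are the post's; the sample tree in demo() is constructed.
"""
import os
import shutil
import tempfile

# (label, path relative to System32, is_directory): the same two tests
# CHK4WELCHIA makes.
INDICATORS = [
    ("found1", "wins", True),
    ("found2", os.path.join("drivers", "svchost.exe"), False),
]


def check_system32(root):
    """Return the labels of the indicators present under root.

    A folder counts only if it exists and is non-empty, which is what the
    batch test 'if exist wins\\*.*' checks; a file counts if it exists.
    """
    hits = []
    for label, rel, is_dir in INDICATORS:
        path = os.path.join(root, rel)
        if is_dir:
            if os.path.isdir(path) and os.listdir(path):
                hits.append(label)
        elif os.path.isfile(path):
            hits.append(label)
    return hits


def sweep(hosts_to_roots):
    """Check several hosts; input maps host name -> System32 path.

    Returns (infected, unreachable). Paths that cannot be opened are listed
    separately rather than silently treated as clean, which is the main
    weakness of a plain 'IF EXIST' sweep.
    """
    infected, unreachable = {}, []
    for host, root in hosts_to_roots.items():
        if not os.path.isdir(root):
            unreachable.append(host)
            continue
        hits = check_system32(root)
        if hits:
            infected[host] = hits
    return infected, unreachable


def demo():
    """Constructed sample: one clean host, one per variant, one offline."""
    base = tempfile.mkdtemp(prefix="welchia_demo_")
    roots = {}
    for host in ("CLEAN01", "INFECT-A", "INFECT-B"):
        root = os.path.join(base, host, "winnt", "system32")
        os.makedirs(os.path.join(root, "drivers"))
        roots[host] = root
    # Original variant: files dropped in System32\wins (constructed names).
    os.makedirs(os.path.join(roots["INFECT-A"], "wins"))
    for name in ("dllhost.exe", "svchost.exe"):
        open(os.path.join(roots["INFECT-A"], "wins", name), "wb").close()
    # February variant: System32\drivers\svchost.exe
    open(os.path.join(roots["INFECT-B"], "drivers", "svchost.exe"), "wb").close()
    # A host whose share cannot be opened: the path is never created.
    roots["OFFLINE99"] = os.path.join(base, "OFFLINE99", "winnt", "system32")
    try:
        return sweep(roots)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    infected, unreachable = demo()
    for host, hits in infected.items():
        print(host, "->", ", ".join(hits))
    print("unreachable:", unreachable)
```

Running it prints INFECT-A as found1, INFECT-B as found2, CLEAN01 not at all, and OFFLINE99 under unreachable, which is the line you want to follow up on rather than forget.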


Duplicating Rights by Group from one user to another

This is essential to my job, as there are moves on a regular basis and rights don't move with people. Two caveats. The script copies every group the donor holds, administrative groups included, so whoever is allowed to run it can hand out the donor's privileges; review the mirror list before the ADD loop runs, or keep a short list of groups that are never mirrored. And NET GROUP only handles domain global groups; memberships in local groups (NET LOCALGROUP) are not moved. The ORIG file is your rollback: to undo a bad move, run the ADD loop against it.

MIRROR.CMD
@echo off
REM SYNTAX: mirror DONOR RECIPIENT
REM Date stamp (MM/DD/YYYY locale assumed) for the backup file names.
FOR /F "tokens=2,3,4 delims=/ " %%a in ('echo %DATE%') do SET DSTAMP=%%c-%%a-%%b
echo Preserving Original Group List for %2...
showgrps DOMAINNAME\%2 > E:\ID_%2_ORIG_%DSTAMP%.TXT
echo Obtaining Mirror List from %1...
showgrps DOMAINNAME\%1 > E:\ID_%2_MIRROR_%1_%DSTAMP%.TXT
REM Stop if either lookup failed; otherwise the DELETE loop would strip %2 of
REM every group and the ADD loop would put nothing back.
FINDSTR /I /C:"Invalid User Specified" E:\ID_%2_ORIG_%DSTAMP%.TXT E:\ID_%2_MIRROR_%1_%DSTAMP%.TXT >NUL && (echo ERROR: donor or recipient not found. & goto :EOF)
echo Clearing Current groups for %2...
for /F "skip=1 tokens=1,2 delims=\" %%s in ('type E:\ID_%2_ORIG_%DSTAMP%.TXT') do (IF "%%s" == " DOMAINNAME" echo Removing %2 from "%%t" & net group "%%t" %2 /DELETE /DOMAIN )
echo Mirroring %1 groups for %2...
for /F "skip=1 tokens=1,2 delims=\" %%s in ('type E:\ID_%2_MIRROR_%1_%DSTAMP%.TXT') do (IF "%%s" == " DOMAINNAME" echo Adding %2 to "%%t" & net group "%%t" %2 /ADD /DOMAIN )
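Here is the mirroring worked out as a delta instead of a clear-and-reload, as an added example in Python (not the post's script). It parses showgrps-style output in the format the batch FOR loop expects (a header line, then one ' DOMAINNAME\Group' line per membership; that format is an assumption), refuses to continue if either lookup came back 'Invalid User Specified', removes only the groups the donor lacks, adds only the ones the recipient lacks, and keeps a protected list of privileged groups that a helpdesk tool should never touch. The group names and the protected list are constructed.

```python
"""Group mirroring as a computed delta with a protected-group list.

Added example, not the post's MIRROR script. Assumes showgrps-style output:
a header line, then ' DOMAIN\\Group' lines. Names and PROTECTED are
constructed for illustration.
"""

DOMAIN = "DOMAINNAME"

# Groups a helpdesk tool must never add or remove, whatever the donor holds.
# Constructed list; substitute your own domain's privileged groups.
PROTECTED = {"domain admins", "enterprise admins", "account operators", "server operators"}


def parse_showgrps(output, domain=DOMAIN):
    """Return the set of group names (lower-cased) from showgrps output.

    Only 'DOMAIN\\Group' lines are kept, as in the batch script's
    IF "%%s" == " DOMAINNAME" test; header and other lines are ignored.
    NET GROUP is case-insensitive, so lower-casing is safe.
    """
    groups = set()
    for line in output.splitlines()[1:]:
        dom, sep, grp = line.strip().partition("\\")
        if sep and dom.lower() == domain.lower() and grp:
            groups.add(grp.lower())
    return groups


def plan_mirror(donor_output, recipient_output, protected=PROTECTED):
    """Return (remove, add, blocked) to move the recipient onto the donor's groups.

    Raises ValueError if either showgrps lookup failed, so a typo in the donor
    name can never strip the recipient of every group. Privileged groups are
    neither added nor removed; they are returned in `blocked` for a human.
    """
    for who, out in (("donor", donor_output), ("recipient", recipient_output)):
        if "invalid user specified" in out.lower():
            raise ValueError(f"{who} not found")
    donor = parse_showgrps(donor_output)
    current = parse_showgrps(recipient_output)
    to_remove = current - donor
    to_add = donor - current
    blocked = sorted((to_remove | to_add) & protected)
    return sorted(to_remove - protected), sorted(to_add - protected), blocked


def net_group_commands(user, remove, add):
    """Render the same NET GROUP lines the batch file runs, for review first."""
    return ([f'net group "{g}" {user} /DELETE /DOMAIN' for g in remove]
            + [f'net group "{g}" {user} /ADD /DOMAIN' for g in add])


# Constructed showgrps output for a donor and a recipient.
DONOR_OUT = """User is a member of:
 DOMAINNAME\\Domain Users
 DOMAINNAME\\Finance
 DOMAINNAME\\Finance-Reports
 DOMAINNAME\\Domain Admins
"""
RECIPIENT_OUT = """User is a member of:
 DOMAINNAME\\Domain Users
 DOMAINNAME\\Sales
 DOMAINNAME\\Finance
"""


def demo():
    """Plan a move of the constructed recipient smithj02 onto the donor's groups."""
    remove, add, blocked = plan_mirror(DONOR_OUT, RECIPIENT_OUT)
    return remove, add, blocked, net_group_commands("smithj02", remove, add)


if __name__ == "__main__":
    remove, add, blocked, cmds = demo()
    print("remove:", remove, "add:", add, "blocked:", blocked)
    print("\n".join(cmds))
```

For the sample, the plan removes Sales, adds Finance-Reports, and reports Domain Admins as blocked rather than granting it; Domain Users and Finance, held by both, are never touched, so the recipient is never without groups mid-way.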

CMD: Connecting to the first available drive letter

Sometimes you NEED a drive letter: the installer cannot use a UNC path, it must be a drive. So... here's a trick that might help. It parses the English text of NET USE, so it breaks on localized systems. Do whatever you need between the two NET USE lines through %DRIVE%; the last line removes the mapping again so neither the letter nor the connection is left behind.

@echo off
CLS
color 2F
echo Initiating SMS Manual Installation...
SET DRIVE=
REM "net use *" picks the next free letter and prints "Drive Z: is now connected ...";
REM the second word of a failure line is "error", "command" or "network" (English messages).
FOR /F "tokens=2 delims= " %%x in ('net use * \\SERVERNAME\sharename') do IF NOT "%%x"=="error" IF NOT "%%x"=="command" IF NOT "%%x"=="network" echo CONNECTED as %%x&SET DRIVE=%%x
IF NOT DEFINED DRIVE (echo Could not map the share. & goto :EOF)
ECHO %DRIVE%
REM DO what you want here...
NET USE %DRIVE% /D /Y

CMD: Opening a weekly report on a single click - UPDATED!!!!

The purpose of this batch file is to look for the last status report (the Last-Week/This-Week/Next-Week report, or LTN) and open it. The batch file counts on your date format being English (United States), but this is easily changed to suit your needs. The process is simple and not perfect but somewhat logical. The file system doesn't care about the date, so we dissect it into parts and assign these to the variables YEAR, MONTH and DAY. If there is no file dated with today's date we subtract 1 from the day and try again. If the day reaches 1 we set the day to 32 and subtract 1 from the month; subtracting 1 from the day again, as a matter of logic, puts us at 31 and we try again. Even if the month has 28 days this still works, because a date that does not exist simply matches no file. Two details the arithmetic has to cope with: SET /A reads a number with a leading zero (08, 09) as octal and fails on it, so the leading zero must be stripped before any math; and subtracting 1 from month 1 gives month 0, so the search has to roll to December of the previous year or it will never find a report across New Year. The COUNTER variable ensures this doesn't go on forever; a week is 7 days and the largest offset from a month end (31 vs 28) is 3 days, so 10 would be enough, and the script allows 60.

When I first wrote this I found it didn't subtract properly. The simple answer is: don't mix the math with the cosmetics. Separate the calculations from adding the leading zeros and all works fine.

This thing was created because I hate having to look for the file, and the filename changes every week. Yeah... real lazy. I connect it to an icon and can open my target file in a single click. That I like!

OpenLTN.CMD
@echo off
SET DOCPATH=F:\Reports\Weekly
REM date /t (English US) prints e.g. "Sun 01/09/2005"; tokens 2,3,4 are MM, DD, YYYY.
for /f "tokens=2,3,4 delims=/ " %%a in ('date /t') do SET MONTH=%%a&SET DAY=%%b&SET YEAR=%%c
SET COUNTER=0
REM SET /A reads a leading zero as octal, so 08 and 09 would fail: strip it first.
IF "%DAY:~0,1%"=="0" SET DAY=%DAY:~1%
IF "%MONTH:~0,1%"=="0" SET MONTH=%MONTH:~1%
REM Start a few days ahead of today so a report dated later in the week is found too.
SET /A DDAY=%DAY%+4
echo Begin Search...
:START
REM Step back one day; when the day reaches 1, roll to the 31st of the previous
REM month, and from month 1 to December of the previous year.
IF %DDAY% EQU 1 SET DDAY=32
IF %DDAY% EQU 32 SET /A MONTH=%MONTH%-1
IF %MONTH% EQU 0 SET MONTH=12&SET /A YEAR=%YEAR%-1
SET /A DDAY=%DDAY%-1

REM Cosmetics: two-digit day and month for the file name, kept apart from the math.
SET D=%DDAY%
IF %DDAY% LSS 10 SET D=0%DDAY%
SET M=%MONTH%
IF %MONTH% LSS 10 SET M=0%MONTH%

SET /A COUNTER=%COUNTER%+1
IF %COUNTER% EQU 60 GOTO NOTFOUND

echo Checking Date: %YEAR%-%M%-%D%
if exist "%DOCPATH%\%YEAR%_%M%_%D%.doc" start winword "%DOCPATH%\%YEAR%_%M%_%D%.doc"
if exist "%DOCPATH%\%YEAR%_%M%_%D%.doc" goto end

Goto START

:notfound
echo Can't find the blasted file... sorry.
pause

:end
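The same search in Python, as an added example (not the post's batch file), mostly to show what the day/month/year juggling above is emulating: with a real date type the December/January boundary and the 28/29/30/31-day months come for free, and a date that does not exist can never be generated. The YYYY_MM_DD.doc naming, the three-day head start and the 60-step limit follow the post; the folder listing is constructed.

```python
"""Find the most recent weekly report by walking back through dates.

Added example, not the post's OpenLTN.CMD. The file-name pattern
YYYY_MM_DD.doc, the +3 day head start and the 60-step limit follow the post;
the sample folder listing in demo() is constructed.
"""
from datetime import date, timedelta


def report_name(d):
    """File-name convention used by the post: YYYY_MM_DD.doc."""
    return f"{d.year:04d}_{d.month:02d}_{d.day:02d}.doc"


def find_latest_report(today, existing, ahead=3, max_back=60):
    """Return the newest report name dated today+ahead or earlier, else None.

    `existing` is the set of file names in the report folder (what 'dir /b'
    would list). timedelta handles month and year roll-over, which the batch
    file had to do by hand with the DAY=32 / MONTH-1 / YEAR-1 steps.
    """
    d = today + timedelta(days=ahead)
    for _ in range(max_back):
        name = report_name(d)
        if name in existing:
            return name
        d -= timedelta(days=1)
    return None


def demo():
    """Constructed folder listing: two reports, the newest on New Year's Eve."""
    folder = {"2004_12_17.doc", "2004_12_31.doc", "notes.txt"}
    return {
        "jan_9_2005": find_latest_report(date(2005, 1, 9), folder),
        "dec_30_2004": find_latest_report(date(2004, 12, 30), folder),
        "nothing_recent": find_latest_report(date(2005, 6, 1), folder),
    }


if __name__ == "__main__":
    for label, hit in demo().items():
        print(f"{label}: {hit}")
```

From 9 January 2005 the search starts at the 12th, crosses into 2004 and finds 2004_12_31.doc; from 30 December it starts at 2 January 2005 and finds the same file; from June nothing is within 60 days and it reports None, the equivalent of the blasted-file message.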

There is no individual ownership when you are part of a team, it's the sum of the parts that makes you the RESILIENT team you need to be...