Sunday, September 28, 2008

Reading Shortcuts with PowerShell and VBS

This post provides a simple method of enumerating shortcuts and retrieving their properties, using either PowerShell or VBScript. There is nothing particularly clever here, but I had a need a while back to use the enumeration, and I wrote the simple PowerShell equivalent to see how easy it would be. Note that I couldn't easily see a managed code .NET method to process shortcuts, so I fell back on the WScript COM object. More than likely there is a better method (get it? :) than this.

Run the scripts:


powershell . .\ReadShortcut.ps1 -p \\%server%\%share%\folder\path
powershell . .\ReadShortcut.ps1 -f \\%server%\%share%\shortcut.lnk
cscript //nologo "ReadShortcut.vbs" \\%server%\%share%\folder\path
cscript //nologo "ReadShortcut.vbs" \\%server%\%share%\shortcut.lnk

#
param(
   [string] $path = "",
   [string] $file = ""
   )

$WshShell = new-object -comobject "WScript.Shell"       # Instantiate the wscript.shell COM object

if ($path -ne "") {
    $shortcuts = get-childitem -path $path -filter "*.lnk" -rec    # Find all .lnk files, recursing into subdirectories
    $shortcuts | foreach-object {$WshShell.CreateShortcut($_.FullName) }  # For each file, pass the fullname to the COM object to open the shortcut and enumerate the properties
} elseif ($file -ne "") {
    $shortcut = get-item -path $file       # Get the single file
    if ($shortcut -ne $null) { $WshShell.CreateShortcut($shortcut.FullName) }   # If exists, pass the full path (a string, not the FileInfo object) to read the shortcut properties
} else {
    write-output "No arguments specified, please use either -p to specify a path or -f for a specific .lnk file"
}

#-------#


'ReadShortcut.vbs
' Read a shortcut or a top-level directory of shortcuts and write the properties to stdout
If WScript.Arguments.UnNamed.Count = 1 Then
 strShortcut = WScript.Arguments.UnNamed(0)
Else
 WScript.Echo "Please supply the name of an lnk file or directory to read, eg c:\test.lnk or c:\shortcuts"
 WScript.Quit(1)
End If

Set objFSO = CreateObject("Scripting.FileSystemObject")

If objFSO.FolderExists(strShortCut) Then      ' Was a directory specified?
 Set objFolder = objFSO.getFolder(strShortcut)     ' Get the folder
 
 For Each objfile in objFolder.Files      ' For each file in the top-level directory
  If objfile.type = "Shortcut" Then     ' Is this file a shortcut?
   Call Readshortcut(objFile.Path, strProperties)   ' yes, read the properties
   dtmCreationDate = objFile.DateCreated
   WScript.Echo dtmCreationDate & "," & strProperties  ' output the results
  End If 
 Next
ElseIf objFSO.FileExists(strShortCut) Then      ' Was an individual file specified?
 Call Readshortcut(strShortcut, strProperties)     ' read the properties of the file
 WScript.Echo strProperties       ' output the results
Else           ' file-not-found
 WScript.Echo "Error: Could not read '" & strShortcut & "'"
 WScript.Quit(2)
End If
Set objFSO = Nothing

Function Readshortcut(ByRef strShortcut, ByRef strProperties)

 set objWshShell = WScript.CreateObject("WScript.Shell")    ' Create the shell object
 set objShellLink = objWshShell.CreateShortcut(strShortcut)   ' Execute the createshortcut method, which also retrieves an existing shortcut
 ' Build one comma-separated line of the shortcut properties
 strProperties = strShortCut & "," & objShellLink.TargetPath & "," & objShellLink.WindowStyle & "," & objShellLink.Hotkey & "," & objShellLink.IconLocation & "," & objShellLink.Description & "," & objShellLink.Arguments & "," & objShellLink.FullName & "," & objShellLink.WorkingDirectory

 ' This property can be set, but not read? - objShellLink.RelativePath
 Set objShellLink = Nothing
 Set objWshshell = Nothing
End Function

Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.



Saturday, September 27, 2008

Modifying DLL Resources

While it wouldn't be supported by Microsoft, there are a few methods you can use to modify the resources contained in DLLs - usually useful if you would like to change how a window or dialog box is displayed. The easiest way I've seen is with a program called reshacker.exe.

A practical example is when you might be trying to display a large legal notice text using the standard MS gina on XP - and you can't actually scroll down to view the whole message due to the lack of scroll bars in the legal notice text dialog box.

To add a scroll bar to this dialog box in msgina.dll on an XP SP2 machine, you could:

  1. Use reshacker to open msgina.dll, and modify the dialog number 2500 - with 1033 language in my case (en-au)
  2. Edit the control, allowing the WS_VSCROLL option
  3. Recompile the script and save the new DLL.
  4. You'll then either have to modify WFP behaviour, disable it, or to test this I overwrote the cached copy to fool Windows File Protection in system32\dllcache

Any new logon through the interactive console or TS to a workstation with a legal notice text should display it in a dialog box with a scroll bar.

Resource Hacker homepage:
http://angusj.com/resourcehacker/



Sunday, September 21, 2008

Automatically mapping printers

A while back I came across one of the new 'features' in server 2003 R2, a method of centrally managing printers through the ‘Print Management’ snap-in, and then deploying those printers to workstations or users through a GPO.

This sounds clever, but I believe it's really just an automated method of creating a computer startup/user logon script, which uses a control file to determine which printers are to be installed and then runs a commandline utility to install those printers (pushprinterconnections.exe).

This made me reconsider the approach to managing printers for workstations, and similar or better functionality could be provided by one or more of the methods below:

  1. Use policy to deploy all printers for a building/floor/subnet to workstations. This would be the least management, but probably the least effective as there could be dozens or hundreds of printers per building/floor/subnet.
  2. Have a startup script that automatically adds a default printer when a user first logs on. The default would have to be either based on AD subnets and a mapping file between these subnets and default printers, or possibly based on user information such as location and department, which would be used to query AD/printer names to map appropriate printers, eg a user location of 'Building 1/Floor 2' and department of 'Finance' for a user could easily be translated to a printer called FINPRINT1 with an AD location of 'Building 1/Floor 2'.
  3. Have a process that exports MAC/PCs connected per floor switch, which would be used as a control file to automatically map printers based on floor. This would typically require assistance from your friendly data communications team.
  4. Use 'DHCP snooping' to further identify where clients are coming from. For example, DHCP relay agent option 82 can be used to insert the switch MAC address/subscriber VLAN/port, SNMP information to the DHCP request packet (when using layer 2 DHCP relay agents as opposed to layer 3 ip helpers). This information could potentially be parsed by the DHCP server to identify the switch/port clients are coming from by parsing the circuit-id/remote-id. The output could be used as a control file to automatically map printers based on floor.
  5. Use the information from 4 and information on floor patching to construct a virtual map of your floors/buildings, which would place one or more workstations close to one or more printers, and map them automatically.
  6. When you build each workstation (this wouldn't work for roaming devices), create a control file that indicates physically where this workstation is located using the Microsoft format for subnet locations, eg Building/Floor 1/West Corner/Pod 4. Populate printer locations to this degree, and then your logon script could search the AD for matching printers and map those that are closest. You could also use this information to create a shortcut called 'Find printers' that uses 'rundll32 dsquery,OpenSavedDsQuery %Config%.qds' to open a saved query file that you've populated with this location. You would then need processes in place to update this control file as the workstation moves, otherwise it becomes incorrect - worse than nothing at all.
  7. Do nothing clever and let users add their own printers

Of course the 'nothing clever' option normally wins out, but in a large organisation one of the options above could add real value, and if done correctly would not be high maintenance.

References:

Manage Printers with New Group Policy Features in Windows Server 2003 R2
http://www.microsoft.com/technet/technetmag/issues/2006/08/ManagePrinters/

RFC 3046 - DHCP Relay Agent Information Option
http://www.faqs.org/rfcs/rfc3046.html

Configuring the DHCP Option 82 for Subscriber Identification
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/swdhcp82.html




Saturday, September 13, 2008

Simple string encryption with PowerShell

While looking for a method to obfuscate passwords in script files, I started with securestring input combined with the convertfrom-securestring and convertto-securestring functions. Unfortunately (or fortunately from a security perspective) the securestring seems relevant only for per session/user/process/computer (or a combination thereof).

From documentation these functions use Rijndael symmetric encryption, so I modified another example for a very simple, key-less passphrase-less encryption/decryption of a string. This isn’t even very good obfuscation, let alone encryption, but if you encrypt a password and then reproduce the last 10 lines to decrypt the encrypted string, it’s slightly better than storing passwords in very visible plaintext (sort of). I guess this could be obfuscated further by reading the encrypted string from a secured file or registry key.

This could be made as complex as you like with keys and initialisation vectors, but unless you make people enter the key (and then why not just make them enter the password?), there would still be something in plaintext, so I didn’t think there was much point.

I'm still undecided on whether there is any benefit with such simple obfuscation, but I thought I'd post the script nonetheless.



$string = "LongStringToEncryptAsATest"
$string

$r = new-Object System.Security.Cryptography.RijndaelManaged  # use Rijndael symmetric key encryption
$c = $r.CreateEncryptor((1..16), (1..16))    # Set the key and initialisation vector to 128 bits (16 bytes) each, both fixed at (1..16)
$ms = new-Object IO.MemoryStream
$cs = new-Object Security.Cryptography.CryptoStream $ms,$c,"Write" # Target data stream, transformation, and mode
$sw = new-Object IO.StreamWriter $cs
$sw.Write($String)       # Write the string through the crypto stream into the memory stream
$sw.Close()
$cs.Close()
$ms.Close()
$r.Clear()
[byte[]]$result = $ms.ToArray()      # Byte array from the encrypted memory stream
$encstring = [Convert]::ToBase64String($result)    # Convert to base64 for transport

$encstring         # The encrypted base64 string representation


$Encrypted = [Convert]::FromBase64String($encstring)   # Convert the encrypted string to a byte array
$r = new-Object System.Security.Cryptography.RijndaelManaged  # use Rijndael symmetric key encryption
$d = $r.CreateDecryptor((1..16), (1..16))    # Same fixed 128-bit (16-byte) key and initialisation vector of (1..16)

$ms = new-Object IO.MemoryStream @(,$Encrypted)    # Wrap the byte array in a single-element array so it is passed as one constructor argument
$cs = new-Object Security.Cryptography.CryptoStream $ms,$d,"Read" # Target data stream, transformation, and mode
$sr = new-Object IO.StreamReader $cs     # Read the string through the crypto stream from the encrypted memory stream
write-output $sr.ReadToEnd()      # Write the unencrypted string
$sr.Close()
$cs.Close()
$ms.Close()
$r.Clear()
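
The securestring route the post started from, as an added example (not the author's code): ConvertFrom-SecureString without -Key protects the value with DPAPI for the current user on the current computer, and with -Key it uses AES under a key you supply, so no fixed key or IV sits in the script. The function names and the file path are hypothetical; Windows PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 2.0 or later.
# Protect-ScriptSecret / Unprotect-ScriptSecret are hypothetical helper names.

function Protect-ScriptSecret {
    param(
        [Parameter(Mandatory = $true)] [string] $PlainText,
        [byte[]] $Key                       # optional AES key: 16, 24 or 32 bytes
    )
    $keyArg = @{}
    if ($PSBoundParameters.ContainsKey('Key')) { $keyArg['Key'] = $Key }
    $secure = ConvertTo-SecureString -String $PlainText -AsPlainText -Force
    # No -Key: DPAPI, bound to the current user on this computer. With -Key: AES.
    ConvertFrom-SecureString -SecureString $secure @keyArg
}

function Unprotect-ScriptSecret {
    param(
        [Parameter(Mandatory = $true)] [string] $Protected,
        [byte[]] $Key
    )
    $keyArg = @{}
    if ($PSBoundParameters.ContainsKey('Key')) { $keyArg['Key'] = $Key }
    $secure = ConvertTo-SecureString -String $Protected @keyArg
    # Copy the SecureString to an unmanaged BSTR, read it, then zero and free the copy
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

$sample = 'LongStringToEncryptAsATest'      # the test string used in the post

# Case 1: DPAPI. Nothing secret is stored in the script; the saved blob only
# decrypts for the same user account on the same computer.
$blobFile = Join-Path $env:TEMP 'secret.dpapi.txt'      # hypothetical path
Protect-ScriptSecret -PlainText $sample | Set-Content -Path $blobFile
$fromDpapi = Unprotect-ScriptSecret -Protected (Get-Content -Path $blobFile)

# Case 2: random 256-bit key. The blob is portable between users and computers,
# but the key is now the secret and has to be stored and ACLed separately.
$key = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key)
$keyedBlob = Protect-ScriptSecret -PlainText $sample -Key $key
$fromKey   = Unprotect-ScriptSecret -Protected $keyedBlob -Key $key

"DPAPI round trip matches: $($fromDpapi -ceq $sample)"
"Keyed round trip matches: $($fromKey -ceq $sample)"

Remove-Item -Path $blobFile
```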



Monday, September 8, 2008

Useful NTFS and security command-line operations

The commands below are a subset of the complete command list found in Useful command-lines, and provide different methods to query, modify and report on aspects of NTFS, including security, MFT, ABE, alternate data streams, security templates and SDDL.

Each command-line can be copied and pasted at the command prompt; if you use a batch file, you'll need to reference variables with double-percent (%%).


Disable path parsing to access a file using UNC
type "\\?\UNC\server\share\path\file.txt"

Dump file and security attributes on an NTFS filesystem
filestat %file%

Show the ACL in SDDL format using cacls (2003)
cacls c:\ /s

Add authenticated users:R to the root (not OICI) using SDDL with cacls
cacls c:\ /S:"D:PAI(A;OICI;FA;;;BA)(A;;0x1200a9;;;AU)(A;OICI;FA;;;SY)"

Query Storage Report Management global settings (file screening and quotas)
reg query HKEY_LOCAL_MACHINE\Cluster\SRM\Settings\SrmGlobalSettings /v Data

Show the current mounted volumes on the local system
mountvol OR mountvol c:\ /l

Create a hardlink directory entry linking one file to another
fsutil hardlink create %NewFileLink% %ExistingFile%

Create symbolic dir, file links, hard links and dir junctions (Vista/2008)
mklink

Add a string to an alternate stream stored as a $DATA attribute
echo this content will be stored in the file sub stream > test.txt:stream1

Add the contents of a file to an alternate data stream
type file.txt > test.txt:stream1

Create a new file in an alternate stream as part of a directory
md test & echo alternate stream > test:stream1

Display the stream
more < test:test.exe

Run the executable in the alternate stream
cmd /c start .\test:test.exe

Retrieve the binary file from an alternate data stream (port of Unix Cat)
cat test:test.exe > note.exe

Remove an NTFS alternate data stream (does not maintain timestamps)
type test.txt>test1.txt

Delete an alternate data stream
streams -d test.txt

Dump NTFS info from the MFT for a File Record Segment (unix port)
ntfsinfo -d /dev/hda1 -i 36

Find cluster disk size and free space
echo clusnode1 > clusternodes.txt & echo clusnode2 >> clusternodes.txt & echo clusnode3 >> clusternodes.txt & echo clusnode4 >> clusternodes.txt & wmic /node:@clusternodes.txt path Win32_LogicalDisk WHERE "FileSystem='NTFS' AND Name != 'C:' AND Name != 'D:'" GET SystemName,Name,Size,FreeSpace,VolumeName

Create a security template from the given directory for SDDL secedit processing
for /d %i in (%source%\*.*) do @for /f "tokens=2" %j in ('cacls.exe %i /S') do @echo Processing %~ni & echo "%i",2,%j >> Security.txt

Make test directories from a security template
for /f "tokens=1,2,3,* delims=\," %i in ('"find /i "dir1\dir2" template.inf"') do md "c:\temp\sectest\%j\%k

Reformat the target of a security template for offline testing
for /f "tokens=1,2,3,* delims=\," %i in ('"find /i "dir1\dir2" template.inf"') do @echo "c:\temp\sectest\%j\%k,%l

Remotely configure filesystem NTFS security using a secedit template
psexec \\%server% secedit /configure /db c:\windows\temp\%random%.sdb /cfg c:\windows\security\templates\%template%.inf /log c:\windows\temp\Configure.log


Disable automatic mounting of volumes added to a 2003 system
automount disable

Remove automatic mount points for volumes that no longer exist
automount scrub

Report the NTFS permissions for restore from a SDDL template
setacl -on c:\windows -ot file -actn list -rec cont_obj -lst f:sddl -bckp test.txt

List the file system filters and instances installed on the system
fltmc filters & fltmc instances

Run diskpart to list NTFS volumes remotely
psexec \\%server% cmd /c "echo list volume | diskpart | find /i "NTFS""

Find local disks other than C: and D: that are NTFS
wmic /node:"%server%" path Win32_LogicalDisk WHERE "FileSystem='NTFS' AND Name != 'C:' AND Name != 'D:'" GET SystemName,Name

Find local disks using powershell and output to CSV
Get-WmiObject -Namespace root\cimv2 -ComputerName %server% -Query "SELECT * from Win32_LogicalDisk WHERE FileSystem='NTFS' AND Description = 'Local Fixed Disk' AND Name != 'C:' AND Name != 'D:'" | export-csv c:\disk.csv

Read directories from a security template, checking if they exist
for /f "skip=2 tokens=1 delims=," %i in ('"find /i "OICI" \\%server%\%Template%"') do @if not exist \\%server%\%drive%$%~pi echo \\%server%\%drive%%~pi

Query the NTFS attributes of a file
nfi "C:\windows\system32\notepad.exe"

Report and save the security on one or more NTFS Filesystem objects
ICACLS %object% /save %outputfile%

Reset the inherited DACL flag on an object to not protected, inherit below
setacl -on %Directory% -ot file -actn setprot -op dacl:np

Reset inherited permissions for specified NTFS objects
setacl -on %Directory%\*.* -ot file -actn rstchldrn -rst DACL

Check user home drive permissions from hmDir (top-level)
for /f %i in (%users.txt%) do @for /f "tokens=*" %m in ('"dsquery user -name %i | dsget user -hmdir | find /i "%i""') do cacls "%m"

Check Access Based Enumeration is enabled on a top-level share
psexec \\%server% abecmd %share%

Check permissions are being inherited
for /f %i in (%users.txt%) do @for /f "tokens=1" %m in ('"dsquery user -name %i | dsget user -hmdir | find /i "%i""') do @for /d %p in (%m\*.*) do @echo cacls "%p"

Check ownership of files
for /f %i in (%users.txt%) do @for /f "tokens=1" %m in ('"dsquery user -name %i | dsget user -hmdir | find /i "%i""') do @dir %m /q/s

Process robocopy /l output to find files/data that would be copied
for /f "tokens=2,5 delims=_:" %i in (output.txt) do @If "!User!" NEQ "%i" (@Set User=%i&@Set Line=%i,%j) else (@Set Line=!Line!,%j & @Echo !Line!)

List ACLs in SDDL format
setacl -on %filepath% -ot file -actn list -lst f:sddl

Change the ownership of all subdirectories and files in a folder
subinacl /subdirectories %Path%\*.* /setowner=%Domain%\%User%

Change the ownership of a folder
subinacl /file %Path% /setowner=%Domain%\%User%

Logical Disk Information
wmic /node:%server% path Win32_LogicalDisk

Physical Disk Information
wmic /node:%server% path Win32_DiskPartition
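
For the alternate data stream commands earlier in this list (test.txt:stream1, test:test.exe), an added PowerShell example, not part of the original post, that audits a directory tree for files carrying extra streams and marks streams whose first two bytes are the "MZ" executable header. Find-AlternateDataStream is a hypothetical name, the demo files are constructed, and PowerShell 3.0 or later on an NTFS volume is assumed.

```powershell
# Added example, not from the original post. Requires PowerShell 3.0+ on an NTFS volume.
# Find-AlternateDataStream is a hypothetical helper name.

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Zone.Identifier is the mark-of-the-web stream written by browsers;
        # pass -IgnoreStream @() to report it as well.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )
    # Byte reads are spelled differently in Windows PowerShell and PowerShell 6+
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteArgs = @{ AsByteStream = $true } }
    else                                       { $byteArgs = @{ Encoding = 'Byte' } }

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # ':$DATA' is the normal unnamed stream; anything else is an alternate stream.
            # Windows PowerShell 5.1 lists streams on files only; streams attached to a
            # directory (md test & echo ... > test:stream1) need PowerShell 7.2+ or dir /r.
            Get-Item -LiteralPath $file -Stream * -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
                ForEach-Object {
                    # Read the first two bytes of the stream to spot an executable header
                    $head = @(Get-Content -LiteralPath $file -Stream $_.Stream -TotalCount 2 `
                                  -ErrorAction SilentlyContinue @byteArgs)
                    [pscustomobject]@{
                        File        = $file
                        Stream      = $_.Stream
                        Length      = $_.Length
                        LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# Constructed demo data: one file with a text stream and a stream that starts with "MZ"
$demo = Join-Path $env:TEMP 'ads-demo'                  # hypothetical scratch directory
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$target = Join-Path $demo 'test.txt'
Set-Content -Path $target -Value 'visible content'
Set-Content -Path $target -Stream 'stream1'  -Value 'this content will be stored in the file sub stream'
Set-Content -Path $target -Stream 'test.exe' -Value 'MZ constructed placeholder, not a real binary' -Encoding Ascii

Find-AlternateDataStream -Path $demo | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```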




Useful Windows Printer command-line operations

The commands below are a subset of the complete command list found in Useful command-lines, and perform various operations against printers on a Windows 200x server.

The commands are useful for querying information from one or more printers, as well as making changes to configuration items for printers, including queues, shares, AD information and drivers. Generally Microsoft Windows printing is relatively simple - but add MSCS clustering, the plethora of PCL unidrv versions out there and badly written third-party drivers - troubleshooting can be quite difficult.

Each command-line can be copied and pasted at the command prompt; if you use a batch file, you'll need to reference variables with double-percent (%%).



Use a custom WMIC alias to report printer info from a cluster node in CSV
wmic /node:"%server%" spoolerjobs list /format:table

Use a custom WMIC alias to report sorted HTML printer info from a cluster node
wmic /node:"%server%" spoolerjobs list /format:htable:"datatype=number":"sortby=TotalJobsPrinted"

Use a custom WMIC alias to report a brief summary of printer statistics
wmic /node:"%server%" spoolerjobs list brief /format:htable:"datatype=number":"sortby=TotalJobsPrinted"

Use a custom WMIC alias and xsl to sort print jobs output descending HTML table
wmic /node:"%server%" spoolerjobs list brief /format:"htabledesc-sortby.xsl":"datatype=number":"orderby=descending":"sortby=TotalJobsPrinted" > test.html

Reset inheritance starting at a folder and recursing
icacls \\UNC\Path /reset /t /c

Open a saved printer query window
rundll32 dsquery,OpenSavedDsQuery %Config%.qds

Query HP printers for the page count using SNMP
for /f %i in (Printers.txt) do @echo %i & @snmputil walk %i public printmib.prtMarker.prtMarkerTable.prtMarkerEntry.prtMarkerLifeCount | find /i "value"

Query printers for job counts >= 1
wmic /node:"%server%" path Win32_PerfFormattedData_Spooler_PrintQueue Where "Jobs>=1" Get Name,Jobs,MaxJobsSpooling,JobErrors,OutOfPaperErrors

Query printer information from AD (speed, memory etc)
dsquery * %serverDN% -limit 0 -filter "(&(objectClass=printQueue)(objectCategory=printQueue))" -attr cn printerName driverName printCollate printColor printLanguage printSpooling driverVersion printStaplingSupported printMemory printRate printRateUnit printMediaReady

Export printer information from AD (speed, memory etc)
csvde -f Printers.csv -d %serverDN% -r "(&(objectClass=printQueue)(objectCategory=printQueue))" -l cn,printerName,location,driverName,printCollate,printColor,printLanguage,printSpooling,driverVersion,printStaplingSupported,printMemory,printRate,printRateUnit,printMediaReady

Modify a printer or all printers on a print server to use the winprint processor
setprinter \\%Server%[\%Printer%] 2 pPrintProcessor="WinPrint"

Query the unidrv DLL versions from a list of pingable computers in an OU
for /f %i in ('"dsquery computer %OU_DN% -limit 0 -o rdn"') do @for /f "tokens=3 delims=: " %m in ('"ping -n 1 %i | find /i "reply from""') do @for /f "tokens=1-9" %q in ('"filever \\%~i\C$\windows\system32\spool\drivers\w32x86\3\uni*.dll | find /i /v "\\%~i""') do @echo %i,%q,%r,%s,%t,%u,%v,%w,%x,%y

Check printers are being published in the directory through setprinter
setprinter -show \\%server% 7

Run the 32-bit version of regsvr32 on an x64 platform to register the prnadmin DLL
c:\WINDOWS\SysWOW64\regsvr32 c:\admin\util\prnadmin.dll

Run the 32-bit version of cscript that accesses a 32-bit DLL on x64
c:\WINDOWS\SysWOW64\cscript portmgr.vbs

Use SetPrinter to capture all settings for a printer
for %i in (0 1 2 3 4 5 6 7 8 9) do setprinter -show \\%server%\%printer% %i

Report print queue current length and various performance statistics
wmic /node:"%server%" path Win32_PerfFormattedData_Spooler_PrintQueue Get Name,Jobs,TotalJobsPrinted,TotalPagesPrinted,MaxJobsSpooling,JobErrors,OutOfPaperErrors

List printer drivers on a physical or cluster Windows 2003 server
cscript drvmgr.vbs -l -c \\%server%

Print a test page to one or more printers
for /f "tokens=1-4 delims=," %i in (%Printer.txt%) do cscript prnctrl.vbs -t -b \\%PrintServer%\%i

Given a list of printers, create an LPR port for each
for /f "tokens=1-4 delims=," %i in (%Printer.txt%) do @cscript portmgr.vbs -a -c \\%PrintServer% -p %i -h %k -t LPR -q %i

Given a list of printers, create a printer using the specified driver/port
for /f "tokens=1-4 delims=," %i in (%Printer.txt%) do @cscript prnmgr.vbs -a -c \\%PrintServer% -b %i -m "%j" -r %i

Given a list of printers, set the location, share name and publish in AD
for /f "tokens=1-4 delims=," %i in (%Printer.txt%) do @cscript prncfg.vbs -s -b \\%PrintServer%\%i -h %i -l "%l" +published

Given a list of printers, set global default printer properties to duplex
for /f "tokens=1-4 delims=," %i in (%Printer.txt%) do @setprinter \\%PrintServer%\%i 8 "pDevMode=dmDuplex=2,dmCollate=1,dmFields=duplex collate"

Given a list of printers, set printer permissions to allow for queue management
for /f "tokens=1-4 delims=," %i in (%Printer.txt%) do @c:\util\subinacl /printer \\%PrintServer%\%i /grant=%Domain%\%Group%=M

Find printer event log entries for the last 15 minutes
for /f %i in ('cscript //nologo c:\data\scripts\updated\time\finddatetime.vbs') do wmic /node:"%server%" path Win32_NTLogEvent WHERE "SourceName='Print' AND LogFile='System' AND EventCode=10 AND TimeGenerated > '%i'"

Find printer event log entries for the specified user
wmic /node:"%server%" path Win32_NTLogEvent WHERE "SourceName='Print' AND LogFile='System' AND EventCode=10 AND User='%Domain%\\%Username%'" Get User,TimeGenerated,InsertionStrings

Automated Printer configuration
rundll32 printui.dll,PrintUIEntry /?

Create a port using prnadmin.dll on a cluster node
cscript portmgr.vbs -a -c \\%PrintServer% -p %Printer% -h %PrinterIP% -t raw -n 9100

Create a printer using prnadmin.dll on a cluster node
cscript prnmgr.vbs -a -c \\%PrintServer% -b %Printer% -m "HP Universal Printing PCL 6" -r %Printer%

Set printer configuration using prnadmin.dll on a cluster node
cscript prncfg.vbs -s -b \\%PrintServer%\%Printer% -h %Printer% -l "Building/Level 1" +published

Dump printer log entries
dumpel -s \\%PrintServer% -l System -e 10 -m Print -d 1

Add an x64 print driver to a cluster node
rundll32 printui.dll,PrintUIEntry /ia /c \\%PrintServer% /m "HP Color LaserJet 8550 PCL 5c" /h "x64" /v "Windows XP and Windows Server 2003" /f hpc8550t.inf

Add an x86 print driver to a cluster node
rundll32 printui.dll,PrintUIEntry /ia /c \\%PrintServer% /m "HP Color LaserJet 8550 PCL 5c" /h "x86" /v "Windows 2000, Windows XP and Windows Server 2003" /f hpc8550b.inf

Add to the permissions on a printer
subinacl /printer \\%PrintServer%\%Printer% /grant=%Domain%\%Group%=M

List the printers on a server
cscript "c:\Program Files\Windows Resource Kits\Tools\prnmgr.vbs" -l -c \\%PrintServer% | find /i "printername"

Set the global default printer properties to allow duplexing
setprinter \\%PrintServer%\%i 8 "pDevMode=dmDuplex=2,dmCollate=1,dmFields=duplex collate"

Query the printers published against a specific computer account
dsquery * "%ComputerDN%" -attr printShareName

Query all printers published in the Active Directory
dsquery * domainroot -filter "(objectCategory=printQueue)" -limit 0

Show the current default settings sent down to clients from a printer
setprinter -show \\%printServer%\%Printer% 8

Find the print processor used by all printers on a print server
setprinter -show \\%server% 2 | findstr /c:"pPrinterName" /c:"pPrintProcessor"

Check through SNMP whether a printer supports a duplexing media path
snmputil walk %printer% public printmib.prtMediaPath.prtMediaPathTable.prtMediaPathEntry.prtMediaPathDescription

Check through SNMP the printer device model
snmputil getnext %printer% public host.hrDevice.hrDeviceTable.hrDeviceEntry.hrDeviceDescr

View/Modify the ACL security on spooler pipe
pipesec \\%computer%\pipe\spoolss

Query printer tray configuration of printers on a cluster (HP UPD)
for /f %i in (Printers.txt) do @for /f "tokens=1,2,*" %m in ('"reg query \\%PrintServer%\HKEY_LOCAL_MACHINE\Cluster\Resources\%ClusterResourceGUID%\Parameters\Printers\%i\PrinterDriverData /v InputSlot 2>nul | find /i "InputSlot" & if errorlevel 1 echo 1 2 NotFound"') do @echo %i,%o>>PrinterTrays.txt

Use SNMP to get the printer media path, indicating simplex/duplex capabilities
for /f %i in (Printers.txt) do @for /f "tokens=3,*" %m in ('"snmputil walk %i public printmib.prtMediaPath.prtMediaPathTable.prtMediaPathEntry.prtMediaPathDescription 2>nul | find /i "value" & if errorlevel 1 echo 1 2 3 NotFound"') do @echo %i,%n




Useful Windows MSCS Cluster command-line operations

The commands below are a subset of the complete command list found in Useful command-lines, and are command-line operations for Microsoft Windows MSCS server clusters. Most commands are based around the Microsoft cluster.exe utility, with some using WMI, defrag and diruse to provide information on cluster disk resources.

Each command-line can be copied and pasted at the command prompt; if you use a batch file, you'll need to reference variables with double-percent (%%).


Find cluster disk size and free space in CSV format
wmic /node:"%server%","%server%","%server%","%server%" path Win32_LogicalDisk WHERE "FileSystem='NTFS' AND Name != 'C:' AND Name != 'D:'" GET SystemName,Name,Size,FreeSpace,VolumeName /format:csv

Find cluster disk size and free space in modified CSV format with thousand sep.
wmic /node:"%server%","%server%","%server%","%server%" path Win32_LogicalDisk WHERE "FileSystem='NTFS' AND Name != 'C:' AND Name != 'D:'" GET Name,Size,FreeSpace,VolumeName /format:csv2

Report the windows MSCS cluster virtual groups
cluster /cluster:%cluster% group /prop | find /i "description" | find /i /v "pbx" | find /i /v "cluster"

Report folders being archived from Enterprise Vault EV FSA
sqlcmd -S %sqlServer%\%instance% -o ArchivedFolders.txt -d %enterprisevaultdirectory% -W -s "," -Q "select FSVP.UncName, FSVP.VolumeName, FSFE.FolderPath, FSVP.UncName + '\' + FSVP.VolumeName + '\' + FSFE.FolderPath as 'Path' from dbo.FileServerFolderEntry FSFE inner join dbo.vw_FileServer_Volume_Policy FSVP on FSFE.VolumeEntryID = FSVP.VolumeEntryID"

Report folders from the one or more servers not being archived compared to FSA export
for %i in (\\%server%\%share% \\%server%\%share% ) do @for /f "tokens=1-4,*" %m in ('"dir %i\* /ad /tc | find "DIR" | find "-""') do @find /i "%q" ArchivedFolders.txt >nul & @If errorlevel 1 (echo %q,%i,%m %n %o) >> NotArchived.csv

Delete a cluster resource type
cluster restype "%resource_name%" /delete /type

Find cluster disk size and free space
echo clusnode1 > clusternodes.txt & echo clusnode2 >> clusternodes.txt & echo clusnode3 >> clusternodes.txt & echo clusnode4 >> clusternodes.txt & wmic /node:@clusternodes.txt path Win32_LogicalDisk WHERE "FileSystem='NTFS' AND Name != 'C:' AND Name != 'D:'" GET SystemName,Name,Size,FreeSpace,VolumeName

Show the MSCS cluster multicast address properties
cluster /cluster:%Cluster% network "%PublicNetwork%" /priv

Find the MSCS cluster resources
cluster /cluster:%Cluster% res /prop | find /i "sr"

Find the disks currently owned by each cluster node
for %i in (%server1% %server2%) do @wmic /node:"%i" path Win32_LogicalDisk WHERE "FileSystem='NTFS' AND Name != 'C:' AND Name != 'D:'" GET SystemName,Name | find /i "%server_prefix%"

In a 2003 cluster, find each disk volume and analyse file fragmentation
for /f "tokens=2,5,6,8" %i in ('"cluster /cluster:%cluster% resource /prop | find /i "disk" | find /i "description" | find /i "%CommonTag%""') do echo \\%i\%k %j %l>> Defrag_%i_%j.txt && psexec \\%i defrag %k -a -v >> Defrag_%i_%j.txt

From cluster defrag analysis, print out details for each cluster volume
for /f "tokens=1,* delims=:" %i in ('"findstr /i /c:%server% /c:"Total files" /c:"Volume size" /c:"Used space" /c:"Percent free space" /c:"Total fragmented files" defrag*"') do @echo %j

Create a cluster file share:
cluster /cluster:%cluster% res "%share_res_name%" /create /group:"%group%" /type:"File Share"
cluster /cluster:%cluster% res "%share_res_name%" /priv path="%path%"
cluster /cluster:%cluster% res "%share_res_name%" /priv Sharename=%share_name%
cluster /cluster:%cluster% res "%share_res_name%" /priv Remark="File Share Remark"
cluster /cluster:%cluster% res "%share_res_name%" /prop Description="File Share Description"
cluster /cluster:%cluster% res "%share_res_name%" /priv security=Everyone,grant,F:security
cluster /cluster:%cluster% res "%share_res_name%" /AddDep:"%networkname_res%"
cluster /cluster:%cluster% res "%share_res_name%" /AddDep:"%disk_res%"
cluster /cluster:%cluster% res "%share_res_name%" /On

Create an ABE resource for the file share
cluster /cluster:%cluster% res "%shareabe_res_name%" /create /group:"%group%" /type:"Generic Application"
cluster /cluster:%cluster% res "%shareabe_res_name%" /priv CommandLine="cmd.exe /k abecmd.exe /enable %share_name%"
cluster /cluster:%cluster% res "%shareabe_res_name%" /priv CurrentDirectory="%SystemRoot%"
cluster /cluster:%cluster% res "%shareabe_res_name%" /priv InteractWithDesktop=0
cluster /cluster:%cluster% res "%shareabe_res_name%" /priv UseNetworkName=0
cluster /cluster:%cluster% res "%shareabe_res_name%" /prop SeparateMonitor=1
cluster /cluster:%cluster% res "%shareabe_res_name%" /prop Description="Access Based Enumeration for %share_name% File Share"
cluster /cluster:%cluster% res "%shareabe_res_name%" /AddDep:"%networkname_res%"
cluster /cluster:%cluster% res "%shareabe_res_name%" /AddDep:"%disk_res%"
cluster /cluster:%cluster% res "%shareabe_res_name%" /AddDep:"%share_res_name%"
cluster /cluster:%cluster% res "%shareabe_res_name%" /On



Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.



Useful VMware ESX and VC command-line operations

The commands below are a subset of the complete command list found in Useful command-lines, and are a combination of ESX service console commands, PowerShell VI Toolkit or SQL commands (reading from a VirtualCenter database). Note that these have been tested on VI3 - ESX 3.0.x, VC 2.0.x, and some have also been used on VI3.5 - ESX 3.5 / VC 2.5.

Each command-line can be copied and pasted at the command prompt; if you use a batch file you'll need to reference variables with double-percent (%%).

ESX service console


Report the hosts controlled by a VirtualCentre instance
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select [Name] from vpxv_hosts order by [Name]"

Report the hosts controlled by a VirtualCentre instance
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select DNS_Name, IP_Address, PRODUCT_FULLNAME from vpx_host Order by DNS_Name"

Query the Virtual Centre/VC database for Virtual Machine LUN mapping and size
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select VMS.Name, TDS.Name, Cast(Round(Sum(Cast(VDISK.CAPACITY as numeric))/1024/1024/1024, 1) as int) as 'Total Disk', Cast(Round(Sum(Cast(VDISK.FREE_SPACE as numeric))/1024/1024/1024, 1) as int) as 'Free Disk' from vpxv_vms VMS inner join vpxv_vm_datastore VVMDS on VMS.VMID = VVMDS.VM_ID inner join vpx_datastore TDS on VVMDS.DS_ID = TDS.ID inner join VPX_GUEST_DISK VDISK on VMS.VMID = VDISK.VM_ID group by VMS.Name, TDS.Name Order by TDS.Name, VMS.Name"

Allow Dell OpenManage Server Administrator traffic through ESX
esxcfg-firewall -o 1311,tcp,in,OpenManageRequest

Dump the VMware IP config
cat /proc/vmware/net/tcpip/ifconfig

View network traffic in the vswif service console interface
/usr/sbin/tcpdump -i vswif0 | grep -v ssh

Check the Legato AAM HA agent
cat /opt/LGTOaam512/log/aam_config_util_addnode.log

VMware HA Legato AAM, list the cluster manager
/opt/LGTOaam512/bin/ftcli -domain vmware -timeout 60 -cmd "listrules"
(run 'FT_DIR=/opt/LGTOaam512' and then 'export FT_DIR' first)

VMware HA Legato AAM, list the cluster nodes
/opt/LGTOaam512/bin/ftcli -domain vmware -connect %node% -port 8042 -timeout 60 -cmd "listnodes"
(run 'FT_DIR=/opt/LGTOaam512' and then 'export FT_DIR' first)

Query ESX for SNMPD service firewall configuration
esxcfg-firewall -q snmpd

Query vmfs volumes for snapshot files from the console
ls -Ral /vmfs/volumes/*.* | grep .vmsn

Change security on a file in the ESX service console
chmod u+rwx,g+rx,o+rx somefile

Register a Virtual Machine in ESX
vmware-cmd -s register "/path/to/vmx/or/vmtx"

Unregister a Virtual Machine in ESX
vmware-cmd -s unregister "/path/to/vmx/or/vmtx"

Enable SSH client out on an ESX host firewall, permitting SCP as well
esxcfg-firewall -e sshClient

Query the ESX firewall to determine whether SSH client is allowed out
esxcfg-firewall -q | grep sshClient

Query the VirtualCenter Database

Query VMs and their MAC addresses from the VC database
sqlcmd -S %sqlServer% -d %Database% -W -s "," -q "select ENT.Name, NET.MAC_Address from VPX_GUEST_NET_ADAPTER NET inner join VPX_ENTITY ENT on NET.VM_ID = ENT.ID"

Query the Virtual Centre/VC database for Virtual Machine Disk Totals
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select VM.Name, Cast(Round(Sum(Cast(VDISK.CAPACITY as numeric))/1024/1024/1024, 1) as int) as 'Total Disk', Cast(Round(Sum(Cast(VDISK.FREE_SPACE as numeric))/1024/1024/1024, 1) as int) as 'Free Disk' from dbo.VPX_GUEST_DISK VDISK inner join VPXV_VMS VM on VDISK.VM_ID = VM.VMID group by VM.Name compute sum(Cast(Round(Sum(Cast(VDISK.CAPACITY as numeric))/1024/1024/1024, 1) as int))"

Query the Virtual Centre/VC database for Virtual Machine Disk information
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select VM.Name, VDISK.* from dbo.VPX_GUEST_DISK VDISK inner join VPXV_VMS VM on VDISK.VM_ID = VM.VMID"

Query the Virtual Centre/VC database for Virtual Machine Disk Total
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select Cast(Round(Sum(Cast(VDISK.CAPACITY as numeric))/1024/1024/1024, 1) as int) from dbo.VPX_GUEST_DISK VDISK"

Query VirtualCentre for hot migration events
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select Create_Time as 'Relocation Start', UserName, VM_Name, Host_Name as 'Host Source', (select Host_Name from dbo.VPX_EVENT Where Chain_ID = EVTDEST.Chain_ID and event_type = 'vim.event.VmMigratedEvent') as 'Host Destination', ComputeResource_Name, DataCenter_Name from dbo.VPX_EVENT EVTDEST where event_type = 'vim.event.VmBeingHotMigratedEvent'"

Query VirtualCentre for migration events
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select Create_Time as 'Relocation Start', UserName, VM_Name, Host_Name as 'Host Source', (select Host_Name from dbo.VPX_EVENT Where Chain_ID = EVTDEST.Chain_ID and event_type = 'vim.event.VmRelocatedEvent') as 'Host Destination', ComputeResource_Name, DataCenter_Name from dbo.VPX_EVENT EVTDEST where event_type = 'vim.event.VmBeingRelocatedEvent'"

Query VirtualCentre for DRS migration events
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select Create_Time as 'Relocation Finished', VM_Name, Host_Name as 'Host Destination', (select Host_Name from dbo.VPX_EVENT Where Chain_ID = EVTDEST.Chain_ID and event_type = 'vim.event.VMBeingHotMigratedEvent') as 'Host Source', ComputeResource_Name, DataCenter_Name from dbo.VPX_EVENT EVTDEST where event_type = 'vim.event.DrsVmMigratedEvent'"

Query the Virtual Centre/VC database for Virtual Machine details
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select ENT.Name as 'Name', DNS_Name as 'DNS Name', Guest_OS as 'OS', Mem_Size_MB as 'Mem', Num_VCPU as 'CPU', Num_NIC as 'NIC', IP_Address as 'IP', NET.MAC_Address as 'MAC Address', VM.FILE_Name as 'VMX location' from vpx_vm VM inner join VPX_GUEST_NET_ADAPTER NET on VM.ID = NET.VM_ID inner join VPX_ENTITY ENT on VM.ID = ENT.ID where dns_name like '%'"

Query the Virtual Centre/VC database for Virtual Machine snapshots (GMT+10)
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select ENT.Name as 'Name', DNS_Name as 'DNS Name', Guest_OS as 'OS', Mem_Size_MB as 'Mem', IP_Address as 'IP', VM.FILE_Name as 'VMX location', VM.Suspend_Time as 'Suspend Time', VM.Suspend_Interval as 'Suspend Interval', VMS.Snapshot_Name as 'Snapshot Name', VMS.Snapshot_Desc 'Snapshot Description', DateAdd(Hour, 10, VMS.Create_Time) as 'Snapshot Time', VMS.Is_Current_Snapshot 'Current Snapshot' from vpx_vm VM inner join VPX_GUEST_NET_ADAPTER NET on VM.ID = NET.VM_ID inner join VPX_ENTITY ENT on VM.ID = ENT.ID inner join VPX_SNAPSHOT VMS on VM.ID = VMS.VM_ID"

Query the Virtual Centre/VC database for Virtual Machine LUN attachments
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select VMS.Name, TDS.Name from vpxv_vms VMS inner join vpxv_vm_datastore VVMDS on VMS.VMID = VVMDS.VM_ID inner join vpx_datastore TDS on VVMDS.DS_ID = TDS.ID Order by VMS.Name"

Query the Virtual Centre/VC database for Virtual Machine config LUN
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select VMS.Name as 'VM Name', TDS.Name as 'Config Datastore', SubString(ConfigFileName, CharIndex('/', ConfigFileName, Len('sanfs://vmfs'))+1, 255) as 'Config Path' from vpxv_vms VMS inner join vpx_datastore TDS on TDS.Storage_URL = SubString(VMS.ConfigFileName, 1, CharIndex('/', VMS.ConfigFileName, Len('sanfs://vmfs'))) Order By 'Config Datastore'"

Query the Virtual Centre/VC database for volume total and free disk space
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select Name, Cast(Round(Cast(Capacity as numeric)/1024/1024/1024, -1) as int) as 'Total Space', Cast(Round(Cast(Free_Space as numeric)/1024/1024/1024, -1) as int) as 'Free Space', Type from vpx_Datastore"

Find VM distribution on VMware cluster physical nodes
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "Select VH.DNS_NAME as 'Host', count(VM.HOST_ID) from vpx_vm VM inner join vpx_host VH on VM.HOST_ID = VH.ID group by VM.HOST_ID, VH.DNS_NAME order by 'Host'"

Query the Virtual Centre/VC database for VM CPU alarms
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select ALR.Created_Time, ENT.Name from vpx_alarm_runtime ALR inner join vpx_alarm AL on ALR.Alarm_ID = AL.Alarm_ID inner join vpx_entity ENT on ALR.Entity_ID = ENT.ID where AL.Name = 'Virtual Machine CPU Usage' order by created_time"

PowerShell VI Toolkit

Use the VI Toolkit Powershell snap-in to query for snapshots
Get-VM | Get-Snapshot | export-csv -path c:\temp\VMsnapshots.csv

Use the VI Toolkit Powershell snap-in to query for snapshot information
Get-VM | Get-Snapshot | foreach-object {$out= $_.VM.Name + "," + $_.Name + "," + $_.Description + "," + $_.PowerState; $out}

ESX Server Advanced Configuration Options

Hide LUNs with advanced ESX options
disk.MaskLUNs: vmhba0:0:4-5;vmhba1:0:4-5

Other

SNMP check against ESX
Snmputil.exe get %host% %community% .iso.org.dod.internet.private.enterprises.6876.1.1.0





Useful general command-line operations

The commands below are a subset of the complete command list found in Useful command-lines, and are the remainder of command-line operations that didn't fit into one of the other categories I've used.

Each command-line can be copied and pasted at the command prompt; if you use a batch file you'll need to reference variables with double-percent (%%).


Open the administrative tools start menu list
control admintools

Open the scheduled tasks special folder
control SCHEDTASKS

Disable hibernation
powercfg -h off

Show network interface statistics (packets/errors/bytes)
netstat -e

Find remote processes and the command-line parameters with PowerShell
Get-WmiObject win32_process | Format-Table ExecutablePath,Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId

Create an IIS virtual directory
cscript C:\WINDOWS\system32\iisvdir.vbs /create "Default Web Site" %Alias% %rootPath%

Use WMIC to get instances of a class and format the output as CSV
wmic path win32_process get name,commandline /format:csv

Find the current CPU utilisation for processes using WMI
wmic /node:"%computer%" path Win32_PerfFormattedData_PerfProc_Process get Name,PercentProcessorTime

Use JT to update a scheduled task's working directory
jt.exe /sac \\%computer%\c$\windows\Tasks\%Task%.job /sj WorkingDirectory = "%workingdir%"

Use WMIC aliases to format the output in CSV or XML
wmic process list /format:xml | wmic process list /format:csv

Use WMIC aliases to format the output in HTML TABLE, MOFCSV or XML
wmic process list /format:htable | wmic process list /format:HMOF

Use WMIC aliases to sort the output in HTML
wmic process list /format:htable:"sortby=Name" > test.html

Use WMIC aliases to filter and sort the output in CSV
wmic process get name /format:csv:"datatype=text":"sortby=Name"

Use WMIC aliases remotely to retrieve command-line process arguments
wmic /node:"%server%" process get name,CommandLine /format:csv:"sortby=Name"

Use WMIC aliases to sort the result set by number
wmic Logon get /Format:htable:"datatype=number":"sortby=LogonType"

Check NULL sessions to see if user/group information can be enumerated
hunt.exe OR winfo.exe

Disable strict name checking for a machine
reg add \\%computer%\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters /v DisableStrictNameChecking /t reg_dword /d 0x1

List transports and if they are bound to NetBIOS (NetBT over TCP/IP)
browstat dumpnet

View the browse list using NetServerEnum to a domain or server
browstat view \Device\NetBT_Tcpip_{972F2574-31D4-4467-8BC0-70B3C57C1279} %domain%

Find remote cscript processes and the scripts they are running (arguments)
wmic /node:"%computer%" path win32_process Where "Caption Like '%cscript%' " get Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId

Connect to a named SQL instance through Management Studio
%server%\%instance_name%

Query an Enterprise Vault Directory database for file group information (view)
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select * from dbo.view_FileGroupAndFileGroupFile"

Query an Enterprise Vault Directory database for file group information (table)
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select FileGroupName, FileGroupDescription, FileSpecification from filegroupfile inner join Filegroup on FileGroupFile.FileGroupEntryID = FileGroup.FileGroupEntryID Order By FileGroupName"

Query an Enterprise Vault Directory database for index errors
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "Select ArchiveName, ArchiveStatus, IndexRootPath, Offline, Failed, Rebuilding, IndexedItems, FailedItems from IndexVolumeView where (rebuilding != 0) OR (Failed != 0) OR (Offline != 0)"

Extract events from a non-standard event log
wmic /node:"%computer%" path Win32_NTLogEvent WHERE "SourceName='%EventSource%' AND LogFile='%LogName%' AND EventCode=%eventcode%"

Start a process in low priority
cmd /c start "LowPriority" /BELOWNORMAL notepad "a file.txt"

Software Information for each server
for /f %i in (Output from 'Domain Controllers') do psinfo \\%i > ServerInfo_%i.txt & filever \\%i\admin$\explorer.exe \\%i\admin$\system32\vbscript.dll \\%i\admin$\system32\kernel32.dll \\%i\admin$\system32\wbem\winmgmt.exe \\%i\admin$\system32\oleaut32.dll >> ServerInfo_%i.txt

Check Terminal Services Delete Temp on Exit flag
For /f %i in (Output from 'Domain Controllers') do Reg query "\\%i\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v DeleteTempDirsOnExit

For each XP workstation, query the current site and what Group Policy info
@dsquery * domainroot -filter "(&(objectCategory=Computer)(operatingSystem=Windows XP Professional))" -limit 0 -attr cn > Workstations.txt & @For /f %i in (Workstations.txt) do @ping %i -n 1 >NUL & @if ErrorLevel 0 If NOT ErrorLevel 1 @Echo %i & for /f "tokens=3" %k in ('"reg query "\\%i\hklm\software\microsoft\windows\currentversion\group policy\history" /v DCName | Find /i "DCName""') do @for /f %m in ('"nltest /server:%i /dsgetsite | find /i /v "completed successfully""') do @echo %i,%k,%m

Time offsets from client diagnostics
@for %i in (*time*.txt) do @for /f "tokens=2 delims=:" %j in ('"find /i "NTP:" %i | find /i "NTP:""') do @echo %i,%j

Find remote NIC bandwidth
wmic /node:%server% path Win32_PerfRawData_Tcpip_NetworkInterface GET Name,CurrentBandwidth

Find remote free physical memory
wmic /node:%Computer% path Win32_OperatingSystem GET FreePhysicalMemory

Find remote system information
SystemInfo /s %Computer%

Disk statistics, including the number of files on the filesystem
chkdsk /i /c

Query IIS web sites
iisweb /s %Server% /query "Default Web Site"

Check port state and connectivity
portqry -n %server% -e %endpoint% -v

Find the parent of a process
wmic path Win32_Process WHERE Name='%ProcessName%' GET Name,ParentProcessId

PSCP secure copy a file
pscp %file% %user%@%target%:/target/path

Accept input and store it in a variable
set /p <variable>=<prompt>

Remote Computer Management MMC
compmgmt.msc /computer=%1

Create a placeholder file
fsutil file createnew <filename> <size>

Device Manager showing hidden devices
SET DEVMGR_SHOW_NONPRESENT_DEVICES=1 & Devmgmt.msc

Echo both stdout and stderr to the same file
> output.txt 2>&1

For the first token in each line in A, compare the second token in B
for /f "tokens=1-3 delims=," %i in ('"find /i /v "<exclude>" a.txt"') do @for /f "tokens=1-3 skip=2 delims=," %m in ('"find /i "%i" b.txt"') do @if /i "%i"=="%m" @if /i "%j" NEQ "%n" @echo %i,%j,%n

For the first token in each line in A, find not in B
for /f "skip=2 delims=," %i in ('" find /i /v "<exclude>" a.txt"') do @find /i "%i" b.txt 1>nul 2>nul & @if errorlevel 1 echo %i

Find the DFS roots from Active Directory
dsquery * "CN=DFS Volumes,CN=File Replication Service,CN=System,DC=domainRoot"

Find the DFS roots using dfsutil
dfsutil /domain:%domain% /view

View info on a DFS root
dfsutil /root:<dfsroot> /view

Port Query testing network connectivity to the specified endpoint
portqry -n %target% -e 135

Test RPC endpoints
rpcdump /s %computer% /v /i

Extract a cabinet from an MSI stream
msidb -d "%msi%" -x "%cabinet name%" (get the cabinet name from the Media table using orca, and the filenames from the File table)


Add a system environment variable
setenv -a test %path%;%AdminRoot%\Utils

Lock the workstation from the commandline
%windir%\System32\rundll32.exe user32.dll, LockWorkStation

Perform idle time optimisation (eg. file placement optimisation)
rundll32.exe advapi32.dll,ProcessIdleTasks

Hardware Installation from an INF file
%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall

Refresh network configuration after policy changes (eg SearchList)
RunDLL32.EXE netshell.dll,NetSetupFinishInstall

Query SMS inventory information from the commandline
wmic /namespace:\\root\sms\site_%SiteCode% /node:%Computer% path SMS_G_System_SYSTEM_ENCLOSURE WHERE ResourceID='%RID%'

Find remote connections to a server
wmic /node:%server% path win32_serverconnection

Find remote sessions to a server
wmic /node:%server% path win32_serversession

Find security patches applicable on a machine with MBSA
wmic /node:%computer% path Win32_PatchState

For services that aren't running, find their start type
for /f "skip=4 tokens=1-3" %i in ('sclist \\%computer%') do @if "%i" NEQ "running" @for /f "tokens=4" %m in ('"sc \\%computer% qc %j | find /i "START_TYPE""') do @echo %i,%j,%k,%m

For computers listed, if a service exists, start it
for /f %i in (computers.txt) do sclist \\%i | find /i "%service_name%" && sc \\%i start "%service_name%"

Query a registry value of multiple computers
for %i in (PC1 PC2 PC3) do @Echo %i & reg query \\%i\hklm\software\%key% /v %Value% | find /i "%Value%"


Query the creation date of multiple computer objects
dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer)(|(cn=PC1)(cn=PC2)(cn=PC3)))" -attr CN whenCreated

Query SMS for the creation date of computer records
select Name0, Creation_Date0 from v_r_system where name0 in('PC1','PC2','PC3')

Find RIS servers hosting the specified image
for /f "tokens=2 skip=1 delims==, " %i in (RIS_Servers.txt) do @if exist \\%i\reminst\setup\english\%Source% @echo %i

Modify Outlook to allow access to blocked attachments
reg add HKU\S-1-5-21-2091930395-2002392527-14044502-274471\Software\Microsoft\Office\11.0\Outlook\Security /v Level1Remove /t reg_sz /d ".exe"

Open the Find Files Dialog Box
echo Set objShell = CreateObject("Shell.Application") > test.vbs && Echo objShell.FindFiles >> test.vbs && cscript test.vbs

View Software Installation controlled through AD, both current and history
gpsiviewer.exe

View Group Policy application times
gptime

Remote GP Update
rgprefresh

Find the tail of lines between two strings to display
for /f "delims=[]" %i in ('"find /i /N "Forwarders:" A.txt"') do for /f "delims=[]" %m in ('"find /i /N "Command completed successfully." A.txt"') do for /f %p in ('set /a %m-%i') do echo %p

Turn on RIS debugging
reg add \\%server%\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Binlsvc\Parameters /v Debug /t reg_dword /d 0x80FFFFFF & sc \\%server% stop binlsvc & sc \\%server% start binlsvc

Trigger a command to run on a specific event
eventtriggers /create /TR Test /L Security /EID 680 /T SUCCESSAUDIT /TK calc.exe

Create an XML file with the MD5 hashes of a set of files
FCIV

Find the shell extensions currently loaded
ShexView

Find server information
srvinfo.exe

LDAP Query from eDirectory
ldifde -d %rootDN% -s %NetwareServer% -f output.ldf -a "%UserDN%" *

csvde export from eDirectory
csvde -f OutputFile.csv -a "%UserDN%" * -r "(Objectclass=user)" -d "%rootDN%" -s %NetwareServer%

Verify installed drivers
verifier.exe

Windows Updates Automatic Updates Detect now
wuauclt /detectnow

Test for ping and then query computers for network information
for /f %i in (pcs.txt) do @for /f "tokens=3 delims=: " %m in ('"ping -n 1 %i | find /i "reply from""') do @for /f "tokens=*" %p in ('"@wmic /node:%i path Win32_PerfRawData_Tcpip_NetworkInterface GET | find /i "1000" | find /i /v "MS TCP Loopback interface""') do @echo %i,%m,%p

WireShark/ethereal filter to exclude 3389 RDP
!((tcp.srcport == 3389) || (tcp.dstport == 3389))

Show NetBIOS SMB lanmanserver binding
net config server

Show NetBIOS SMB lanmanworkstation binding
net config redirector

Find the session connection for a username and find the client workstation
for /f "tokens=2 delims=\" %i in ('"dsquery user -name %user% | dsget user -hmdir | find /i "%user%""') do @for /f "skip=1 tokens=1-3" %m in ('"wmic /node:"%i" path win32_serversession WHERE "UserName Like '%user%'" Get ComputerName,ActiveTime,IdleTime"') do @for /f "tokens=2" %q in ('"ping -a %n -n 1 | find /i "pinging""') do @echo %q %user% %n %i %m %o

Doskey macro to find session connection information for a user/workstation
FU=for %g in ($1 $2 $3 $4 $5 $6 $7 $8 $9) do @for /f "tokens=2 delims=\" %i in ('"dsquery user -name %g | dsget user -hmdir | find /i "%g""') do @for /f "skip=1 tokens=1-3" %m in ('"wmic /node:"%i" path win32_serversession WHERE "UserName Like '%g'" Get ComputerName,ActiveTime,IdleTime"') do @for /f "tokens=2" %q in ('"ping -a %n -n 1 | find /i "pinging""') do @echo %q %g %n %i %m %o

Refresh per user settings such as desktop wallpaper
RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters ,1 ,True

Query RDP sessions on a 2003 server
query session

Shadow an existing TS or console session (Ctrl -* to end the shadow)
shadow %session%

Run a command in the winlogon secure desktop of winsta0\winlogon
psexec /x /d /s cmd

Remotely Run a command in the winlogon secure desktop of winsta0\winlogon
psexec /s \\%computer% cmd /c c:\windows\temp\psexec /x /d /s cmd

Update the wallpaper on the winlogon secure desktop winsta0\winlogon
psexec /accepteula /x /s RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters

Run commands automatically when a command prompt is started
reg add "hklm\software\microsoft\Command Processor" /v AutoRun /t reg_sz /d "doskey /macrofile=macros.txt"

Export the groups a user in eDirectory is a member of
ldifde -f output.txt -s %NetwareServer% -a "%AccountDN%" * -d %rootDN% -r "(&(Objectclass=user)(|(cn=User1)(cn=User2)))" -l cn,groupMembership

Produce a list of files that should be purged based on minage
robocopy /l %Source% %Temp%\Purge%Random% *.* /minage:6 /FP /NJS /NJH /E /TS /NS

Find the install date from a list of servers
for %i in (%Server1% %Server2%) do psinfo \\%i 2>nul | findstr /i /c:"Install date" /c:"%ComputerName%"

Use findstr with regular expressions to find start of line + space + 'New Dir'
findstr /i "^.*New.Dir" Dirs.txt

Use delayed environment variable substitution in a for loop
for /f "delims=:" %i in ('"findstr /i /n "^.*New.Dir" PurgeFiles.txt"') do Set Directory=0000%i & Echo !Directory:~-5!

Query Windows Update logs from contactable machines in an OU
for /f %i in ('"dsquery computer %DN% -o rdn"') do @for /f "tokens=3 delims=: " %m in ('"ping -n 1 %i | find /i "reply from""') do dumpel -s %i -l system -e 19 20 -m "Windows Update Agent"

Produce a flat list of files, with the last-write date
dir %Directory% /tw/s | find /i "/" | find /i /v "DIR" > Output.txt

Given a control file and a text file, output control entries that aren't found
for /f "tokens=1-3" %i in (%ControlFile%) do @find /i "%i" %TextFile% >NUL & @if errorlevel 1 echo %i

Given a control file and a text file, show whether or not control is in text
for /f "tokens=1-3" %i in (%ControlFile%) do @find /i "%i" %TextFile% >NUL & @if errorlevel 0 if not errorlevel 1 (echo %i Member) else (echo %i NotMember)

Query a specific eDirectory group for its members
ldifde -f output.txt -s %NetwareServer% -a "%AccountDN%" * -d %rootDN% -l cn,member

Export an Operations Manager 2007 sealed management pack to an unsealed XML
. c:\windows\temp\MpToXml.ps1 "%SealedMP%.mp" c:\windows\temp

Join output split across two lines using delayed variable expansion (cmd /v:on)
for /f "tokens=3,4" %i in ('"findstr /i /c:"printDuplexSupported" /c:"Share Name" PrintersRegQuery.txt"') do @if "%i"=="REG_SZ" (@Set Printer=%j) else (@Echo !Printer!,%i)

Open an Excel document in read-only mode from the commandline
start excel /h /e %xls%

Extract B if A is found in B, otherwise report blank
for /f "tokens=1-3 delims=," %i in (a.txt) do @find /i "%i" b.csv >nul & If errorlevel 0 if not errorlevel 1 (for /f "tokens=4 delims=," %m in ('"find /i "%i" b.csv | find /i "%i""') do @echo %i,%m,%j,%k) else (Echo %i,none,%j,%k)

Query SMS for computers on a particular subnet
wmic /namespace:\\root\sms\site_%sitecode% /node:"%site_Server%" path SMS_R_System WHERE "IPSubnets='%subnet%' AND Active=1" get name

Query SMS for computers in a specific AD site
wmic /namespace:\\root\sms\site_%sitecode% /node:"%site_Server%" path SMS_R_System WHERE "ADSiteName='BNE' AND Active=1" get name

Find the owner of a process using WMI - see who's logged on remotely
wmic /node:"%computer%" PROCESS where "caption='explorer.exe'" call getowner

Convert a file to/from base64 to transmit a binary file through filters
http://www.motobit.com/util/base64-decoder-encoder.asp

Disable path parsing when listing a directory
dir "\\?\c:\folder"

Find network information for a computer from SMS
wmic /namespace:\\root\sms\site_%sitecode% /node:"%siteserver%" path SMS_R_System WHERE Name='%computer%' get name,adsitename,IPAddresses,IPSubnets,MACAddresses

Send a Wake-on-lan magic packet on a local subnet
wolcmd 00157283E57F 192.168.0.10 255.255.255.0 7

Get the lanmanserver description using SNMP
Snmputil.exe get %server% %community% .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svDescription.0z

Query the performance counters stored in a log file
relog.exe file.blg -q

Report multiple named instances of SQL on a remote server
reg query "\\%server%\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"

Query the group membership cache used by Group Policy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership

Check the first x characters from A against B, report differences (cmd /v:on)
for /f "tokens=1-4 delims=," %i in (%Source%) do @set VarA=%i & Set VarB=%j& if /i "!VarA:~0,4!" NEQ "!VarB:~0,4!" echo %i,%j,%k,%l mismatch


Check local profiles, reporting whether they are local administrators or not
for /f %i in ('"dir /b/ad "c:\Documents and Settings""') do @for /f %m in ('"psgetsid %i 2>Nul | find /i "s-1""') do @reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\%m\GroupMembership" 2>nul | find /i "S-1-5-32-544" 1>nul & @if errorlevel 1 (@echo %i Not an Administrator or group policy entry not found) else (@echo %i Is an Administrator)

View the User Accounts control panel applet
Control Userpasswords2

Roll daily logs into monthly logs (command runs each day)
for /f "tokens=3,4 delims=/ " %i in ('echo %date%') do copy c:\logs\daily\logfile_%j%i??.csv c:\logs\monthly\logfile_%j%i.csv /y

List the file screen groups for File Server Resource Manager (FSRM)
filescrn filegroup list

Directory listing of all files in bare format, excluding the dir objects
dir \\%server%\%share%\*.* /a-d/s/b

Master an ISO Image from a source directory
oscdimg -m -h -n . %Target%.iso

Enable Netlogon debugging
nltest /dbflag:0x2080FFFF

Start a remote process using Powershell/WMI
$computer = "."; ([WMICLASS]"\\$computer\root\CIMv2:win32_process").Create("notepad.exe")

Find remote drivers installed on a computer
devcon -m:\\%computer% status *

Create a floppy image from the given path
bfi.exe -v -f=test.img %path%

Extract files from a floppy image (Gilles Vollant extract.exe)
extract -e %imgfile%




Useful DNS, DHCP and WINS command-line operations

The commands below are a subset of the complete command list found in Useful command-lines, and are command-line operations for core network services - DNS, WINS and DHCP. Most of these commands are queries, useful for once-off or repeated information gathering for reporting, trending, troubleshooting or diagnostics.

Each command-line can be copied and pasted at the command prompt; if you use a batch file you'll need to reference variables with double-percent (%%).

DNS command-line operations

Query DNS forest-wide partition replica
dsquery * "DC=ForestDNSZones,dc=forestRootDomain"

Add a CNAME record to DNS
dnscmd %server% /recordadd %zone% %AliasName% CNAME %HostnameAliasing%

Query zone resource records on a Microsoft DNS server
wmic /namespace:\\root\microsoftdns /node:%server% path MicrosoftDNS_ResourceRecord WHERE ContainerName='%zone_name%'

nslookup with debug information
nslookup -debug %IP%

DSQuery authorised DHCP Servers
Dsquery * "cn=NetServices,cn=Services,cn=Configuration, DC=forestRootDomain" -attr dhcpServers

Enumerate all records from a DNS zone
dnscmd /enumrecords @ /additional /continue > DNS_all.txt

Lookup SRV records from DNS
nslookup -type=srv _ldap._tcp.dc._msdcs.{domainRoot}

DNS Information
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dnscmd %i /info

DNS Zone Detailed information
dnscmd /zoneinfo %userdnsdomain%

DNS Zones in AD
for /f %i in ('dsquery server -o rdn') do Dsquery * -s %i domainroot -filter (objectCategory=dnsZone)

Enumerate DNS Server Zones
for /f %i in ('dsquery server -o rdn') do dnscmd %i /enumzones

Print DNS Zones
dnscmd DNSServer /zoneprint DNSZone

Add a host record in DNS
dnscmd %dnsserver% /recordadd %zone% %relative_name% A %ip%

Find aging records from an enumerated zone
find /i "aging:" DNS_all.txt > DNS_aging.txt

DNS Scavenging check, based on the output of aging records from dnscmd.exe
cscript DNSScavengeTest.wsf /f:DNS_aging.txt

Query DNS objects from the directory
dsquery * DC=,CN=MicrosoftDNS,cn=System,dc=

Start DNS scavenging
dnscmd /startscavenging

Delete a host record from DNS
dnscmd %server% /recorddelete %zone% @ A %IP%

Determine the DNS suffix search list set through policy for a computer
reg query "\\%Computer%\HKEY_LOCAL_MACHINE\software\policies\microsoft\Windows NT\DNSClient" /v SearchList

Query for the zones hosted on a Microsoft DNS server
wmic /namespace:\\root\microsoftdns /node:%server% path MicrosoftDNS_Zone

Find DNS Forwarder information from dnscmd output
for %b in (DNS*.txt) do @for /f "skip=2 delims=[]" %i in ('"find /i /N "Forwarders:" %b"') do @for /f "skip=2 delims=[]" %m in ('"find /i /N "Command completed successfully." %b"') do @for /f %p in ('set /a %m-%i') do echo tail -%p %b

List primary reverse lookup zones from a DNS server
dnscmd %server% /EnumZones /secondary /reverse

List allowed secondary servers for the specified zone
dnscmd %server% /zoneinfo %ip%.in-addr.arpa SecondaryServers


DHCP command-line operations

Netsh authorised DHCP Servers
netsh dhcp show server

DHCP server information
netsh dhcp server \\DHCP_SERVER show all

DHCP server dump
netsh dhcp server \\DHCP_SERVER dump > dhcp.txt

Last 50 leases on DHCP servers
for /f %i in (DHCPServers.txt) do echo %i && tail -50 \\%i\c$\WINNT\system32\dhcp\DhcpSrvLog.Tue

Active DHCP leases
For /f %i in (DHCPServers.txt) do for /f "delims=- " %j in ('"netsh dhcp server \\%i show scope | find /i "active""') do netsh dhcp server \\%i scope %j show clientsv5 >> DHCPClients_%i.txt

DHCP clients from all servers
Find /i "255." DHCPClients_*.txt | find /i "255." > DHCPClientsAll.txt

DHCP Server Active Scope Info
For /f %i in (DHCPServers.txt) do netsh dhcp server \\%i show scope | find /i "active" >> DHCPInfo_%i.txt

Find Subnets from DHCP clients
FindSubnets.bat 'Output from Active DHCP leases'

Resolve DHCP clients hostnames
for /f "tokens=1,2,3 delims=," %i in (Output from 'Find Subnets from DHCP clients') do @for /f "tokens=2 delims=: " %m in ('"nslookup %j | find /i "Name:""') do echo %m,%j,%k,%i

Find two online PCs per subnet
Echo. > TwoClientsPerSubnet.txt & for /f "tokens=1,2,3,4 delims=, " %i in ('"find /i "pc" 'Output from Resolve DHCP clients hostnames'"') do for /f "tokens=3 skip=1 delims=: " %m in ('"Find /i /c "%l" TwoClientsPerSubnet.txt"') do If %m LEQ 1 for /f %p in ('"ping -n 1 %i | find /i /c "(0% loss""') do If %p==1 Echo %i,%j,%k,%l >> TwoClientsPerSubnet.txt

Find unique Subnets
for /f "delims=" %i in (Output from FindSubnets) do @Find /i "%i" UniqueSubnets.txt 1>nul 2>nul & @if ErrorLevel 1 echo %i >> UniqueSubnets.txt

Find DHCP Scopes not in AD
for /f "tokens=1,2" %i in (Output from 'Find Unique Subnets') do @for /f "skip=2 delims==" %m in ('find /i "%j" SubnetMaskShorthand.txt') do @find /i "%i/%m" Output from 'AD Subnet and Site Information' >NUL & @If ErrorLevel 1 for /f "skip=1 tokens=2 delims=:" %p in ('find /i /c "%i %j" Output from 'Find Subnets from formatted output'') do @Echo %i/%m,%p

DHCP Clients Per AD Site
for /f "tokens=1,2,3 delims=/ " %i in (Output from 'AD Subnet and Site Information') do @For /f "skip=2 tokens=1,2 delims==" %m in ('find /i "%j=" SubnetMaskShorthand.txt') do @For /f "skip=1 tokens=2 delims=:" %p in ('find /i /c "%i,%n" Output from 'Find Subnets from DHCP clients') Do @Echo %i/%m,%p,%k

DHCP Servers Per AD Site
for /f "tokens=1,2 delims=/" %i in (SiteClientCounts.txt) do @for %k in ("Output from 'DHCP Server Active Scope Info'") do @find /i "%i" "%k" >nul & If ErrorLevel 0 if Not ErrorLevel 1 echo %i/%j,%~nk

Total DHCP Scopes
find /i "subnet" "Output from DHCP server information" | find /i "subnet"

WINS command-line operations

WINS server information
Netsh wins server \\WINS_SERVER dump > wins.txt

WINS Statistics
for /f "tokens=1,2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show statistics >> WINSConfig_%j.txt

WINS Record counts per server
for /f "tokens=1,2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show reccount %i >> WINSRecordCount.txt

WINS Server Information
for /f "tokens=2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show info >> WINSConfig_%i.txt

WINS Server Dump
for /f "tokens=2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i dump > WINSConfig_%i.txt

WINS Static Records per Server
netsh wins server \\LocalWINSServer show database servers={} rectype=1

Use WMI to find the WINS entries for DNS-enabled NICs on a list of servers
for /f %i in (servers.txt) do @for /f "skip=1" %m in ('"wmic /node:%i path Win32_NetworkAdapterConfiguration WHERE FullDNSRegistrationEnabled=True get WINSPrimaryServer"') do @echo %i,%m

Set the WINS entry for the specified network
psexec \\%server% netsh interface ip set wins "Local Area Connection" static %WINSIP%



Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.



Useful Active Directory command-line operations

The commands below are a subset of the complete command list found in Useful command-lines, and are command-line operations that perform queries, diagnostics or modifications to objects in an Active Directory. These commands can be useful for once-off or repeated tasks, and defining a source for bulk imports/modifications to objects.

Each command-line can be copied and pasted at the command prompt. If you use a batch file, you'll need to reference variables with double-percent (%%).


Query a user from AD using WMI
wmic /node:"%DC%" /namespace:\\root\directory\LDAP path ds_user where "ds_cn='%username%'" GET ds_displayName,DS_UserPrincipalName,ds_cn,ds_name,ds_whenCreated

Show all replicated attributes in the AD Schema
dsquery * cn=schema,cn=configuration,DC=forestRootDomain -filter "(&(objectClass=attributeSchema)(objectCategory=attributeSchema)(!systemFlags:1.2.840.113556.1.4.803:=1))" -limit 0

Show an AD schema attribute
dsquery * cn=pwd-last-set,cn=schema,cn=configuration,DC=forestRootDomain

Given a list of user CNs, find them in the directory and report homeDirectory
for /f %i in (Users.txt) do @for /f "tokens=*" %m in ('"dsquery user -name %i"') do @for /f %p in ('"dsquery * %m -attr homeDirectory -l | find /i "\\" & if errorlevel 1 Echo NoHomeDirectory"') do @echo %i,%m,%p

Identify the DN of an Active Directory group
dsquery group -name %GroupName%

Find the current group scope of a security group
dsget group %GroupDN% -scope -secgrp

Change a group's scope to universal, a stepping stone for conversion
dsmod group %GroupDN% -scope u

Change a universal group's scope to global or local
dsmod group %GroupDN% -scope l | g

Modify the UPN for a user
dsmod user "%userdN%" -upn user@domain

After identifying one or more accounts without a UPN, set the UPN for each
for /f "skip=1 tokens=1,2-3" %i in (NoUPN.txt) do dsmod user "%j %k" -upn %i@%upnsuffix%

Find all user accounts with a UPN, and count the DNs returned
dsquery * domainroot -filter "&(objectclass=user)(objectcategory=person)(userprincipalname=*)" -s %server% | find /i /c "user"

Find all user accounts without a UPN, and count the DNs returned
dsquery * domainroot -filter "&(objectclass=user)(objectcategory=person)(!(userprincipalname=*))" -s %server% | find /i /c "user"

Identify user accounts without a UPN to be corrected
dsquery * %OU% -filter "&(objectclass=user)(objectcategory=person)(!(userprincipalname=*))" -s %server% -scope onelevel -attr name distinguishedname > NoUPN.txt

Determine whether an attribute is replicated in AD through bitwise AND
dsquery * cn=%AttributeName%,cn=schema,cn=configuration,dc=forestRootDomain -filter "!(&(systemFlags:1.2.840.113556.1.4.803:=1))"

Find customised Service Connection Points of type RISServer
dsquery * -filter "&((objectClass=ConnectionPoint)(objectCategory=ServiceConnectionPoint)(keywords=RISServer))" -attr serviceDNSName

Find IntelliMirror SCPs for RIS servers
dsquery * -filter "&((objectClass=ConnectionPoint)(objectCategory=IntellimirrorSCP)(netbootServer=*))" -attr netbootServer

Query for the display specifiers in the AD user class
dsquery * "CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,%forestrootDomain%" -attr *

Find computers and their description from the AD
dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer))" "%rootDN%" -attr cn description

Use LDP to search for tombstoned objects in AD
Base DN: CN=Deleted Objects,%domainRoot%, Filter: (isDeleted=*), Extended Search, Add control: 1.2.840.113556.1.4.417

Bulk modify of mailbox permissions
admodcmd -dn "%DN%" -f "(&(objectclass=user)(CN=%userFilter%*))" -addtomailboxrights %Domain%\%Group% ACE_MB_FULL_ACCESS

Check user attributes from AD (division, department, home drive, email)
for /f "tokens=1-3" %i in (%users.txt%) do @for /f "tokens=*" %m in ('"@dsquery user -name %i"') do @for /f "tokens=1-10" %q in ('"@dsquery * %m -attr CN department division mail homeDirectory homedrive | find /i /v "homeDirectory""') do @echo %q,%r,%s,%t,%u,%v,%w,%x,%y >> UserInformation.csv

Set a Service Principal Name for an alias against the host computer account
setspn -A HOST/%alias%.domain.com %server%

Find the computer object advertising a specific SPN
dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer)(servicePrincipalName=*SPN*))" -attr cn servicePrincipalName distinguishedName

Export group objects from AD to a CSV file
adfind -b "domainRoot" -f "objectclass=group" cn samaccountname -csv

Servers in the directory and their description
dsquery * dc=common,dc=local -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*server*))" -limit 0 -attr cn description

Forest/Domain Functional Levels
ldifde -d cn=partitions,cn=configuration,dc=%domain% -r "(|(systemFlags=3)(systemFlags=-2147483648))" -l msds-behavior-version,dnsroot,ntmixeddomain,NetBIOSName -p subtree -f con (see http://support.microsoft.com/kb/322692 and http://support.microsoft.com/kb/224386)

Forest/Domain Functional Levels
dsquery * cn=partitions,cn=configuration,dc=%domain% -filter "(|(systemFlags=3)(systemFlags=-2147483648))" -attr msDS-Behavior-Version Name dnsroot ntmixeddomain NetBIOSName (see http://support.microsoft.com/kb/322692 and http://support.microsoft.com/kb/224386)

Lookup SRV records from DNS
nslookup -type=srv _ldap._tcp.dc._msdcs.{domainRoot}

Find when the AD was installed
dsquery * cn=configuration,DC=forestRootDomain -attr whencreated -scope base

Enumerate the trusts from the specified domain
dsquery * "CN=System,DC=domainRoot" -filter "(objectClass=trustedDomain)" -attr trustPartner flatName

Modify ACLs using dsacls (account ACL, not mailbox rights)
dsacls "%userDN%" /G "%Domain%\%Group%:CA;Send As"

Information on existing GPOs
dsquery * "CN=Policies,CN=System,domainRoot" -filter "(objectCategory=groupPolicyContainer)" -attr displayName cn whenCreated gPCFileSysPath

FSMO Roles
ntdsutil roles Connections "Connect to server %logonserver%" Quit "select Operation Target" "List roles for conn server" Quit Quit Quit

Domain Controllers
Nltest /dclist:%userdnsdomain%

Domain Controller IP Configuration
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do psexec \\%i ipconfig /all >> DC_IPConfig.txt

Stale computer accounts
dsquery computer domainroot -stalepwd 180 -limit 0 > ComputerAccounts+180.txt

Stale user accounts
dsquery user domainroot -stalepwd 180 -limit 0 > UserAccounts+180.txt

Disabled user accounts
dsquery user domainroot -disabled -limit 0 > UserAccountsDisabled.txt

AD Database disk usage
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dir \\%i\d$\ntds >> NTDS_Size_%userdomain%.txt

Global Catalog Servers from DNS
dnscmd %logonserver% /enumrecords %userdnsdomain% _tcp | find /i "3268"

Global Catalog Servers from AD
dsquery * "CN=Configuration,DC=forestRootDomain" -filter "(&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))"

Users with no logon script
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(!scriptPath=*))" -limit 0 -attr sAMAccountName sn givenName pwdLastSet distinguishedName

User accounts with no pwd required
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))"

User accounts with no pwd expiry
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

User accounts that are disabled
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2))"

User accounts with no password expiry and not disabled
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

Tombstoned AD objects
Adrestore.exe (sysinternals utility)

Garbage Collection and tombstone
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=forestRootDomain" -attr garbageCollPeriod tombstoneLifetime

DSQuery authorised DHCP Servers
Dsquery * "cn=NetServices,cn=Services,cn=Configuration, DC=forestRootDomain" -attr dhcpServers

Group Policy Verification Tool
gpotool.exe /checkacl /verbose

AD OU membership
dsquery computer -limit 0

AD OU membership
dsquery user -limit 0

List Service Principal Names
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do setspn -L %i

Compare DC Replica Object Count
dsastat -s:DC1;DC2;... -b:Domain -gcattrs:objectclass -p:999

Check AD ACLs
acldiag dc=domainTree

NTFRS Replica Sets
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl sets %i

NTFRS DS View
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl ds %i

Domain Controllers per site
Dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter (objectCategory=Server)

DNS Zones in AD
for /f %i in ('dsquery server -o rdn') do Dsquery * -s %i domainroot -filter (objectCategory=dnsZone)

Subnet information
Dsquery subnet -limit 0

List Organisational Units
Dsquery OU

ACL on all OUs
For /f "delims=" %i in ('dsquery OU') do acldiag %i >> ACLDiag.txt

Domain Trusts
nltest /domain_trusts /v

AD Subnet and Site Information
dsquery * "CN=Subnets,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn siteObject description location

AD Site Information
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn description location -filter (objectClass=site)

Printer Queue Objects in AD
dsquery * domainroot -filter "(objectCategory=printQueue)" -limit 0

Group Membership with user details
dsget group "groupDN" -members | dsget user -samid -fn -mi -ln -display -empid -desc -office -tel -email -title -dept -mgr

Site Links and Cost
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn cost description replInterval siteList -filter (objectClass=siteLink)

Time gpresult
timethis gpresult /v > GPResult_%ComputerName%.txt 2>&1

Check time against Domain
w32tm /monitor /computers:ForestRootPDC > %temp%\Time.txt

Domain Controller Diagnostics
dcdiag /s:%logonserver% /v /e /c

Domain Replication Bridgeheads
repadmin /bridgeheads

Replication Failures from KCC
repadmin /failcache

Inter-site Topology servers per site
Repadmin /istg * /verbose

Replication latency
repadmin /latency /verbose

Queued replication requests
repadmin /queue *

Show connections for a DC
repadmin /showconn *

Replication summary
Repadmin /replsummary

Show replication partners
repadmin /showrepl * /all

All DCs in the forest
repadmin /viewlist *

ISTG from AD attributes
dsquery * "CN=NTDS Site Settings,CN=siteName,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr interSiteTopologyGenerator

Return the object if KCC Intra/Inter site is disabled for each site
Dsquery site | dsquery * -attr * -filter "(|(Options:1.2.840.113556.1.4.803:=1)(Options:1.2.840.113556.1.4.803:=16))"

Find all connection objects
dsquery * forestRoot -filter (objectCategory=nTDSConnection) -attr distinguishedName fromServer whenCreated displayName

Find all connection schedules
adfind -b "cn=Configuration,DC=forestRootDomain" -f "objectcategory=ntdsConnection" cn Schedule -csv

Copy all Group Policy .pol files
for /f "tokens=1-8 delims=\" %i in ('dir /b /s \\%dc%\sysvol\%userdnsdomain%\policies\*.pol') do @echo copy \\%i\%j\%k\%l\%m\%n\%o %m_%n.pol

Extract the registry entries from each Group Policy pol file
for %i in (*.pol) do regview %i > %i.txt

Find policy changes for each policy
for /f "tokens=1,2 delims=," %i in (Output from 'Extract policy registry entries') do for /f "tokens=2 delims=:" %k in ('"find /i /c "valuename" %~nj*.txt | find /i "%~nj""') do @echo %i,%j,%k

Domain Controller Netlogon entries
for /f %i in ('dsquery server /o rdn') do echo %i & reg query \\%i\hklm\system\currentcontrolset\services\netlogon\parameters

Find site links that contain two sites with Domain Controllers
for /f "tokens=1,2 delims=-" %i in (Sites.txt) do @find /i "%i" DCs.txt >nul & if errorlevel 0 if not errorlevel 1 @find /i "%j" DCs.txt | find /i /v "----------"

Find policy display name given the GUID
dsquery * "CN=Policies,CN=System,DC=domainRoot" -filter (objectCategory=groupPolicyContainer) -attr Name displayName

Find empty groups
dsquery * -filter "&(objectCategory=group)(!member=*)" -limit 0 -attr whenCreated whenChanged groupType sAMAccountName distinguishedName memberOf

Find a DC for each trusted domain
for /f "skip=1" %i in ('"dsquery * CN=System,DC=domainRoot -filter (objectClass=trustedDomain) -attr trustPartner"') do nltest /dsgetdc:%i

Verify automatic external LDAP referrals are working
dsquery * dc=other,dc=domain -s %localDC%

Check winlogon notification packages on DCs
for /f %i in ('dsquery server /o rdn') do @for /f "tokens=4" %m in ('"reg query \\%i\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages" | find /i "Notification""') do @echo %i,%m

Find out if a user account is currently enabled or disabled
dsquery user DC=%userdnsdomain:.=,DC=% -name %username% | dsget user -disabled -dn

Find 2003 servers in the domain
dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*Server*))" -limit 0

Open DS query window
rundll32 dsquery,OpenQueryWindow

Check for a schema attribute
dsquery * "CN=Schema,CN=Configuration,DC=forestRoot" -filter "(&(cn=%ObjectName%*)(|(objectCategory=classSchema)(objectCategory=attributeSchema)))"

Find servers and the description recorded with the computer account
dsquery * %domainRoot% -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*Server*))" -limit 0 -attr cn distinguishedName Description

Find DCs in the specified site from AD
dsquery * "CN=%SiteName%,CN=Sites,CN=Configuration,DC=root,DC=local" -filter "&(objectClass=server)(objectCategory=server)"

Dump account lockout eventlog entries from all DCs for the last five days
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do echo dumpel.exe -e 644 -l Security -m Security -s %i -c -d 5

Query for universal groups
dsquery * dc=%forestRootDomain% -filter "(&(objectCategory=group)(groupType=-2147483640))"

Find the link speed when connecting to the domain
linkspeed /s %domain%

Determine users that aren’t in a group
for /f "tokens=1-3" %i in (%users.txt%) do @for /f "tokens=*" %m in ('"@dsquery user -name %i"') do @echo %m & @dsget user %m -memberof -expand | @findstr /i /c:"%m" /c:"%GROUP%" & echo.

Query group membership
dsquery group -name %GROUP% | dsget group -members -expand > %GROUP%.members

Check whether users are in a group (from 'Query group membership')
for /f "skip=1 tokens=1-3" %i in (%users.txt%) do @find /i "%i" %GROUP%.members >NUL & @if errorlevel 1 echo %i

Check whether users are in a group or not (from 'Query group membership')
for /f "tokens=1-3" %i in (%users.txt%) do @find /i "%i" %GROUP%.members >NUL & @if errorlevel 0 if not errorlevel 1 (echo %i Member) else (echo %i NotMember)

Return the DN of a list of users
for /f %i in (%users.txt%) do @dsquery user -name %i
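
The userAccountControl filters in the list above (masks 2, 32 and 65536) rely on LDAP matching rule 1.2.840.113556.1.4.803, which matches only when every bit of the mask is set in the attribute. The PowerShell below is an added example, not part of the original post: the function names Test-BitAnd and Get-UacFlagNames are hypothetical, and the sample accounts are constructed so it runs offline without a directory.

```powershell
# Added example: offline illustration of the bitwise-AND matching rule
# (1.2.840.113556.1.4.803) behind the userAccountControl filters in this list.

# userAccountControl bits referenced by the filters (NORMAL_ACCOUNT added for context)
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x2       # 2     - "User accounts that are disabled"
    PASSWD_NOTREQD       = 0x20      # 32    - "User accounts with no pwd required"
    NORMAL_ACCOUNT       = 0x200     # 512   - ordinary user account
    DONT_EXPIRE_PASSWORD = 0x10000   # 65536 - "User accounts with no pwd expiry"
}

function Test-BitAnd {
    # Mirrors (attr:1.2.840.113556.1.4.803:=mask): true only if all mask bits are set
    param([int]$Value, [int]$Mask)
    return (($Value -band $Mask) -eq $Mask)
}

function Get-UacFlagNames {
    # Decode a userAccountControl value into the flag names defined above
    param([int]$UserAccountControl)
    foreach ($name in $UacFlags.Keys) {
        if (Test-BitAnd -Value $UserAccountControl -Mask ($UacFlags[$name])) { $name }
    }
}

# Constructed sample accounts (not real directory data)
$accounts = @(
    [pscustomobject]@{ Name = 'jsmith';     UAC = 512 }    # normal account
    [pscustomobject]@{ Name = 'kiosk';      UAC = 544 }    # 512 + 32
    [pscustomobject]@{ Name = 'svc-backup'; UAC = 66048 }  # 512 + 65536
    [pscustomobject]@{ Name = 'old-admin';  UAC = 66050 }  # 512 + 65536 + 2
)

foreach ($a in $accounts) {
    $noExpiry = Test-BitAnd -Value $a.UAC -Mask $UacFlags.DONT_EXPIRE_PASSWORD
    $disabled = Test-BitAnd -Value $a.UAC -Mask $UacFlags.ACCOUNTDISABLE
    [pscustomobject]@{
        Name               = $a.Name
        UAC                = $a.UAC
        Flags              = (Get-UacFlagNames -UserAccountControl $a.UAC) -join ','
        # Same logic as the "no password expiry and not disabled" filter:
        # (userAccountControl:...803:=65536)(!userAccountControl:...803:=2)
        NoExpiryAndEnabled = ($noExpiry -and -not $disabled)
    }
}
```

Only svc-backup satisfies the combined condition: old-admin has the no-expiry bit but is disabled, which is why the combined filter is the more useful one when reviewing live accounts.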



Sunday, September 7, 2008

Useful command-lines

There are currently 425 commands in this post that I've found useful in some way over the years. Note that many of the command-line calls may require Microsoft utilities (such as dsquery, ldifde, dnscmd), or custom written scripts that can be posted when requested.

Most of the commands are for the Windows-based command interpreter, with a few PowerShell and ESX service console commands creeping in. They range from diagnostics and troubleshooting to simply automating recurring tasks.

Each command-line can be copied and pasted at the command prompt. If you use a batch file, you'll need to reference variables with double-percent (%%).

The idea is that almost anything is possible from the command-line, and there are very few things that aren't possible in a single line (especially with delayed environment variable expansion - see cmd /?).


FSMO Roles
ntdsutil roles Connections "Connect to server %logonserver%" Quit "select Operation Target" "List roles for conn server" Quit Quit Quit

Domain Controllers
Nltest /dclist:%userdnsdomain%

Domain Controller IP Configuration
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do psexec \\%i ipconfig /all >> DC_IPConfig.txt

Stale computer accounts
dsquery computer domainroot -stalepwd 180 -limit 0 > ComputerAccounts+180.txt

Stale user accounts
dsquery user domainroot -stalepwd 180 -limit 0 > UserAccounts+180.txt

Disabled user accounts
dsquery user domainroot -disabled -limit 0 > UserAccountsDisabled.txt

User logon statistics
cscript FindUserLogonCount.wsf (custom written VBScript)

AD Database disk usage
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dir \\%i\d$\ntds >> NTDS_Size_%userdomain%.txt

Global Catalog Servers from DNS
dnscmd %logonserver% /enumrecords %userdnsdomain% _tcp | find /i "3268"

Global Catalog Servers from AD
dsquery * "CN=Configuration,DC=forestRootDomain" -filter "(&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))"

Users with no logon script
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(!scriptPath=*))" -limit 0 -attr sAMAccountName sn givenName pwdLastSet distinguishedName

User accounts with no pwd required
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))"

User accounts with no pwd expiry
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

User accounts that are disabled
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2))"

User accounts with no password expiry and not disabled
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

DNS Information
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dnscmd %i /info

DNS Zone Detailed information
dnscmd /zoneinfo %userdnsdomain%

Tombstoned AD objects
Adrestore.exe (sysinternals utility)

Garbage Collection and tombstone
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=forestRootDomain" -attr garbageCollPeriod tombstoneLifetime

Netsh authorised DHCP Servers
netsh dhcp show server

DSQuery authorised DHCP Servers
Dsquery * "cn=NetServices,cn=Services,cn=Configuration, DC=forestRootDomain" -attr dhcpServers

DHCP server information
netsh dhcp server \\DHCP_SERVER show all

DHCP server dump
netsh dhcp server \\DHCP_SERVER dump > dhcp.txt

WINS server information
Netsh wins server \\WINS_SERVER dump > wins.txt

Group Policy Verification Tool
gpotool.exe /checkacl /verbose

AD OU membership
dsquery computer -limit 0

AD OU membership
dsquery user -limit 0

List Service Principal Names
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do setspn -L %i

Compare DC Replica Object Count
dsastat -s:DC1;DC2;... -b:Domain -gcattrs:objectclass -p:999

Check AD ACLs
acldiag dc=domainTree

NTFRS Replica Sets
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl sets %i

NTFRS DS View
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl ds %i

Domain Controllers per site
Dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter (objectCategory=Server)

DNS Zones in AD
for /f %i in ('dsquery server -o rdn') do Dsquery * -s %i domainroot -filter (objectCategory=dnsZone)

Enumerate DNS Server Zones
for /f %i in ('dsquery server -o rdn') do dnscmd %i /enumzones

Subnet information
Dsquery subnet -limit 0

List Organisational Units
Dsquery OU

ACL on all OUs
For /f "delims=" %i in ('dsquery OU') do acldiag %i >> ACLDiag.txt

Domain Trusts
nltest /domain_trusts /v

Print DNS Zones
dnscmd DNSServer /zoneprint DNSZone

Last 50 leases on DHCP servers
for /f %i in (DHCPServers.txt) do echo %i && tail -50 \\%i\c$\WINNT\system32\dhcp\DhcpSrvLog.Tue

Active DHCP leases
For /f %i in (DHCPServers.txt) do for /f "delims=- " %j in ('"netsh dhcp server \\%i show scope | find /i "active""') do netsh dhcp server \\%i scope %j show clientsv5 >> DHCPClients_%i.txt

DHCP clients from all servers
Find /i "255." DHCPClients_*.txt | find /i "255." > DHCPClientsAll.txt

DHCP Server Active Scope Info
For /f %i in (DHCPServers.txt) do netsh dhcp server \\%i show scope | find /i "active" >> DHCPInfo_%i.txt

Find Subnets from DHCP clients
FindSubnets.bat 'Output from Active DHCP leases'

Resolve DHCP clients hostnames
for /f "tokens=1,2,3 delims=," %i in (Output from 'Find Subnets from DHCP clients') do @for /f "tokens=2 delims=: " %m in ('"nslookup %j | find /i "Name:""') do echo %m,%j,%k,%i

Find two online PCs per subnet
Echo. > TwoClientsPerSubnet.txt & for /f "tokens=1,2,3,4 delims=, " %i in ('"find /i "pc" 'Output from Resolve DHCP clients hostnames'"') do for /f "tokens=3 skip=1 delims=: " %m in ('"Find /i /c "%l" TwoClientsPerSubnet.txt"') do If %m LEQ 1 for /f %p in ('"ping -n 1 %i | find /i /c "(0% loss""') do If %p==1 Echo %i,%j,%k,%l >> TwoClientsPerSubnet.txt

Find unique Subnets
for /f "delims=" %i in (Output from FindSubnets) do @Find /i "%i" UniqueSubnets.txt 1>nul 2>nul & @if ErrorLevel 1 echo %i >> UniqueSubnets.txt

AD Subnet and Site Information
dsquery * "CN=Subnets,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn siteObject description location

Find DHCP Scopes not in AD
for /f "tokens=1,2" %i in (Output from 'Find Unique Subnets') do @for /f "skip=2 delims==" %m in ('find /i "%j" SubnetMaskShorthand.txt') do @find /i "%i/%m" Output from 'AD Subnet and Site Information' >NUL & @If ErrorLevel 1 for /f "skip=1 tokens=2 delims=:" %p in ('find /i /c "%i %j" Output from 'Find Subnets from formatted output'') do @Echo %i/%m,%p

AD Site Information
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn description location -filter (objectClass=site)

Printer Queue Objects in AD
dsquery * domainroot -filter "(objectCategory=printQueue)" -limit 0

Group Membership with user details
dsget group "groupDN" -members | dsget user -samid -fn -mi -ln -display -empid -desc -office -tel -email -title -dept -mgr

DHCP Clients Per AD Site
for /f "tokens=1,2,3 delims=/ " %i in (Output from 'AD Subnet and Site Information') do @For /f "skip=2 tokens=1,2 delims==" %m in ('find /i "%j=" SubnetMaskShorthand.txt') do @For /f "skip=1 tokens=2 delims=:" %p in ('find /i /c "%i,%n" Output from 'Find Subnets from DHCP clients') Do @Echo %i/%m,%p,%k

DHCP Servers Per AD Site
for /f "tokens=1,2 delims=/" %i in (SiteClientCounts.txt) do @for %k in ("Output from 'DHCP Server Active Scope Info'") do @find /i "%i" "%k" >nul & If ErrorLevel 0 if Not ErrorLevel 1 echo %i/%j,%~nk

Total DHCP Scopes
find /i "subnet" "Output from DHCP server information" | find /i "subnet"

Site Links and Cost
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn cost description replInterval siteList -filter (objectClass=siteLink)

Time gpresult
timethis gpresult /v > GPResult_%ComputerName%.txt 2>&1

Check time against Domain
w32tm /monitor /computers:ForestRootPDC > %temp%\Time.txt

Domain Controller Diagnostics
dcdiag /s:%logonserver% /v /e /c

Domain Replication Bridgeheads
repadmin /bridgeheads

Replication Failures from KCC
repadmin /failcache

Inter-site Topology servers per site
Repadmin /istg * /verbose

Replication latency
repadmin /latency /verbose

Queued replication requests
repadmin /queue *

Show connections for a DC
repadmin /showconn *

Replication summary
Repadmin /replsummary

Show replication partners
repadmin /showrepl * /all

All DCs in the forest
repadmin /viewlist *

ISTG from AD attributes
dsquery * "CN=NTDS Site Settings,CN=siteName,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr interSiteTopologyGenerator

Return the object if KCC Intra/Inter site is disabled for each site
Dsquery site | dsquery * -attr * -filter "(|(Options:1.2.840.113556.1.4.803:=1)(Options:1.2.840.113556.1.4.803:=16))"

Find all connection objects
dsquery * forestRoot -filter (objectCategory=nTDSConnection) -attr distinguishedName fromServer whenCreated displayName

Find all connection schedules
adfind -b "cn=Configuration,DC=forestRootDomain" -f "objectcategory=ntdsConnection" cn Schedule -csv

Software Information for each server
for /f %i in (Output from 'Domain Controllers') do psinfo \\%i > ServerInfo_%i.txt & filever \\%i\admin$\explorer.exe \\%i\admin$\system32\vbscript.dll \\%i\admin$\system32\kernel32.dll \\%i\admin$\system32\wbem\winmgmt.exe \\%i\admin$\system32\oleaut32.dll >> ServerInfo_%i.txt

Check Terminal Services Delete Temp on Exit flag
For /f %i in (Output from 'Domain Controllers') do Reg query "\\%i\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v DeleteTempDirsOnExit

For each XP workstation, query the current site and what Group Policy info
dsquery * domainroot -filter "(&(objectCategory=Computer)(operatingSystem=Windows XP Professional))" -limit 0 -attr cn > Workstations.txt & @For /f %i in (Workstations.txt) do @ping %i -n 1 >NUL & @if ErrorLevel 0 If NOT ErrorLevel 1 @Echo %i & for /f "tokens=3" %k in ('"reg query "\\%i\hklm\software\microsoft\windows\currentversion\group policy\history" /v DCName | Find /i "DCName""') do @for /f %m in ('"nltest /server:%i /dsgetsite | find /i /v "completed successfully""') do @echo %i,%k,%m

Time offsets from client diagnostics
for %i in (*time*.txt) do @for /f "tokens=2 delims=:" %j in ('"find /i "NTP:" %i | find /i "NTP:""') do @echo %i,%j

Information on existing GPOs
dsquery * "CN=Policies,CN=System,domainRoot" -filter "(objectCategory=groupPolicyContainer)" -attr displayName cn whenCreated gPCFileSysPath

Copy all Group Policy .pol files
for /f "tokens=1-8 delims=\" %i in ('dir /b /s \\%dc%\sysvol\%userdnsdomain%\policies\*.pol') do @echo copy \\%i\%j\%k\%l\%m\%n\%o %m_%n.pol

Extract the registry entries from each Group Policy pol file
for %i in (*.pol) do regview %i > %i.txt

Find policy changes for each policy
for /f "tokens=1,2 delims=," %i in (Output from 'Extract policy registry entries') do for /f "tokens=2 delims=:" %k in ('"find /i /c "valuename" %~nj*.txt | find /i "%~nj""') do @echo %i,%j,%k

Domain Controller Netlogon entries
for /f %i in ('dsquery server /o rdn') do echo %i & reg query \\%i\hklm\system\currentcontrolset\services\netlogon\parameters

Find site links that contain two sites with Domain Controllers
for /f "tokens=1,2 delims=-" %i in (Sites.txt) do @find /i "%i" DCs.txt >nul & if errorlevel 0 if not errorlevel 1 @find /i "%j" DCs.txt | find /i /v "----------"

WINS Statistics
for /f "tokens=1,2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show statistics >> WINSConfig_%j.txt

WINS Record counts per server
for /f "tokens=1,2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show reccount %i >> WINSRecordCount.txt

WINS Server Information
for /f "tokens=2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show info >> WINSConfig_%i.txt

WINS Server Dump
for /f "tokens=2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i dump > WINSConfig_%i.txt

WINS Static Records per Server
netsh wins server \\LocalWINSServer show database servers={} rectype=1

Find policy display name given the GUID
dsquery * "CN=Policies,CN=System,DC=domainRoot" -filter (objectCategory=groupPolicyContainer) -attr Name displayName

Find empty groups
dsquery * -filter "&(objectCategory=group)(!member=*)" -limit 0 -attr whenCreated whenChanged groupType sAMAccountName distinguishedName memberOf

Find remote NIC bandwidth
wmic /node:%server% path Win32_PerfRawData_Tcpip_NetworkInterface GET Name,CurrentBandwidth

Find remote free physical memory
wmic /node:%Computer% path Win32_OperatingSystem GET FreePhysicalMemory

Find remote system information
SystemInfo /s %Computer%

Disk statistics, including the number of files on the filesystem
chkdsk /i /c

Query IIS web sites
iisweb /s %Server% /query "Default Web Site"

Check port state and connectivity
portqry -n %server% -e %endpoint% -v

Forest/Domain Functional Levels
ldifde -d cn=partitions,cn=configuration,dc=%domain% -r "(|(systemFlags=3)(systemFlags=-2147483648))" -l msds-behavior-version,dnsroot,ntmixeddomain,NetBIOSName -p subtree -f con (see http://support.microsoft.com/kb/322692 and http://support.microsoft.com/kb/224386)

Forest/Domain Functional Levels
dsquery * cn=partitions,cn=configuration,dc=%domain% -filter "(|(systemFlags=3)(systemFlags=-2147483648))" -attr msDS-Behavior-Version Name dnsroot ntmixeddomain NetBIOSName (see http://support.microsoft.com/kb/322692 and http://support.microsoft.com/kb/224386)

Find the parent of a process
wmic path Win32_Process WHERE Name='%ProcessName%' GET Name,ParentProcessId

Lookup SRV records from DNS
nslookup -type=srv _ldap._tcp.dc._msdcs.{domainRoot}

Find when the AD was installed
dsquery * cn=configuration,DC=forestRootDomain -attr whencreated -scope base

Enumerate the trusts from the specified domain
dsquery * "CN=System,DC=domainRoot" -filter "(objectClass=trustedDomain)" -attr trustPartner flatName

Find a DC for each trusted domain
for /f "skip=1" %i in ('"dsquery * CN=System,DC=domainRoot -filter (objectClass=trustedDomain) -attr trustPartner"') do nltest /dsgetdc:%i

Verify automatic external LDAP referrals are working
dsquery * dc=common,dc=local

Check the password filter is installed on all DCs
for /f %i in ('dsquery server /o rdn') do @for /f "tokens=4" %m in ('"reg query \\%i\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages" | find /i "Notification""') do @echo %i,%m

List ACLs in SDDL format
setacl -on %filepath% -ot file -actn list -lst f:sddl

PSCP secure copy a file
pscp %file% %user%@%target%:/target/path

Find out if a user account is currently enabled or disabled
dsquery user DC=%userdnsdomain:.=,DC=% -name %username% | dsget user -disabled -dn

Find 2003 servers in the domain
dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*Server*))" -limit 0

Open DS query window
rundll32 dsquery,OpenQueryWindow

Add a host record in DNS
dnscmd %dnsserver% /recordadd %zone% %relative_name% A %ip%

Accept an input and store it in a variable
set /p <variable>=<prompt>

Remote Computer Management MMC
compmgmt.msc /computer=%1

Create a placeholder file
fsutil file createnew <filename> <size>

Device Manager showing hidden devices
SET DEVMGR_SHOW_NONPRESENT_DEVICES=1 & Devmgmt.msc

Logical Disk Information
wmic /node:%server% path Win32_LogicalDisk

Physical Disk Information
wmic /node:%server% path Win32_DiskPartition

Echo both stdout and stderr to the same file
> output.txt 2<&1

Servers in the directory and their description
dsquery * -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*server*))" -limit 0 -attr cn description

Enumerate all records from a DNS zone
dnscmd %server% /enumrecords %zone% @ /additional /continue > DNS_all.txt

Find aging records from an enumerated zone
find /i "aging:" DNS_all.txt > DNS_aging.txt

DNS Scavenging check, based on the output of aging records from dnscmd.exe
cscript DNSScavengeTest.wsf /f:DNS_aging.txt

For the first token in each line in A, compare the second token in B
for /f "tokens=1-3 delims=," %i in ('"find /i /v "<exclude>" a.txt"') do @for /f "tokens=1-3 skip=2 delims=," %m in ('"find /i "%i" b.txt"') do @if /i "%i"=="%m" @if /i "%j" NEQ "%n" @echo %i,%j,%n

For the first token in each line in A, find not in B
for /f "skip=2 delims=," %i in ('"find /i /v "<exclude>" a.txt"') do @find /i "%i" b.txt 1>nul 2>nul & @if errorlevel 1 echo %i

Query DNS objects from the directory
dsquery * DC=<zone>,CN=MicrosoftDNS,cn=System,dc=<domainroot>

Start DNS scavenging
dnscmd /startscavenging

Find the DFS roots from Active Directory
dsquery * "CN=DFS Volumes,CN=File Replication Service,CN=System,DC=domainRoot"

Find the DFS roots using dfsutil
dfsutil /domain:%domain% /view

View info on a DFS root
dfsutil /root:<dfsroot> /view

Port Query testing network connectivity to the specified endpoint
portqry -n %target% -e 135

Test RPC endpoints
rpcdump /s %computer% /v /i

Extract a cabinet from an MSI stream
msidb -d "%msi%" -x "%cabinet name%" (get the cabinet name from the Media table using orca, and the filenames from the File table)

Delete a host record from DNS
dnscmd %server% /recorddelete %zone% @ A %IP%

Add a CNAME record to DNS
dnscmd %server% /recordadd %zone% %AliasName% CNAME %HostnameAliasing%

Add a system environment variable
setenv -a test %path%;%AdminRoot%\Utils

Check for a schema attribute
dsquery * "CN=Schema,CN=Configuration,DC=forestRoot" -filter "(&(cn=%ObjectName%*)(|(objectCategory=classSchema)(objectCategory=attributeSchema)))"

Determine the DNS suffix search list set through policy for a computer
reg query "\\%Computer%\HKEY_LOCAL_MACHINE\software\policies\microsoft\Windows NT\DNSClient" /v SearchList

Find servers and the description recorded with the computer account
dsquery * %domainRoot% -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*Server*))" -limit 0 -attr cn distinguishedName Description

Find DCs in the specified site from AD
dsquery * "CN=%SiteName%,CN=Sites,CN=Configuration,DC=root,DC=local" -filter "&(objectClass=server)(objectCategory=server)"

Lock the workstation from the commandline
%windir%\System32\rundll32.exe user32.dll, LockWorkStation

Perform idle time optimisation (eg. file placement optimisation)
rundll32.exe advapi32.dll,ProcessIdleTasks

Hardware Installation from an INF file
%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall

Refresh network configuration after policy changes (eg SearchList)
RunDLL32.EXE netshell.dll,NetSetupFinishInstall

Query SMS inventory information from the commandline
wmic /namespace:\\root\sms\site_%SiteCode% /node:%Computer% path SMS_G_System_SYSTEM_ENCLOSURE WHERE ResourceID='%RID%'

Determine whether an attribute is replicated in AD
dsquery * cn=%AttributeName%,cn=schema,cn=configuration,dc=forestRootDomain -filter "!(&(systemFlags:1.2.840.113556.1.4.803:=1))"

Find customised Service Connection Points of type RISServer
dsquery * -filter "&((objectClass=ConnectionPoint)(objectCategory=ServiceConnectionPoint)(keywords=RISServer))" -attr serviceDNSName

Find Intellimirror SCPs for RIS servers
dsquery * -filter "&((objectClass=ConnectionPoint)(objectCategory=IntellimirrorSCP)(netbootServer=*))" -attr netbootServer

Find remote connections to a server
wmic /node:%server% path win32_serverconnection

Find remote sessions to a server
wmic /node:%server% path win32_serversession

Find security patches applicable on a machine with MBSA
wmic /node:%computer% path Win32_PatchState

For services that aren't running, find their start type
for /f "skip=4 tokens=1-3" %i in ('sclist \\%computer%') do @if "%i" NEQ "running" @for /f "tokens=4" %m in ('"sc \\%computer% qc %j | find /i "START_TYPE""') do @echo %i,%j,%k,%m

For computers listed, if a service exists, start it
for /f %i in (computers.txt) do sclist \\%i | find /i "%service_name%" && sc \\%i start "%service_name%"

Query a registry value of multiple computers
for %i in (PC1 PC2 PC3) do @Echo %i & reg query \\%i\hklm\software\%key% /v %Value% | find /i "%Value%"

Query the creation date of multiple computers
dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer)(|(cn=PC1)(cn=PC2)(cn=PC3)))" -attr CN whenCreated

Query SMS for the creation date of computer records
select Name0, Creation_Date0 from v_r_system where name0 in('PC1','PC2','PC3')

Find RIS servers hosting the specified image
for /f "tokens=2 skip=1 delims==, " %i in (RIS_Servers.txt) do @if exist \\%i\reminst\setup\english\%Source% @echo %i

Modify Outlook to allow access to blocked attachments
reg add HKU\S-1-5-21-2091930395-2002392527-14044502-274471\Software\Microsoft\Office\11.0\Outlook\Security /v Level1Remove /t reg_sz /d ".exe"

Open the Find Files Dialog Box
echo Set objShell = CreateObject("Shell.Application") > test.vbs && Echo objShell.FindFiles >> test.vbs && cscript test.vbs

Query for the zones hosted on a Microsoft DNS server
wmic /namespace:\\root\microsoftdns /node:%server% path MicrosoftDNS_Zone

Query zone resource records on a Microsoft DNS server
wmic /namespace:\\root\microsoftdns /node:%server% path MicrosoftDNS_ResourceRecord WHERE ContainerName='%zone_name%'

Query DNS forest-wide partition replica
dsquery * "DC=ForestDNSZones,dc=forestRootDomain"

View Software Installation controlled through AD, both current and history
gpsiviewer.exe

View Group Policy application times
gptime

Remote GP Update
rgprefresh

Find the tail of lines between two strings to display
for /f "delims=[]" %i in ('"find /i /N "Forwarders:" A.txt"') do for /f "delims=[]" %m in ('"find /i /N "Command completed successfully." A.txt"') do for /f %p in ('set /a %m-%i') do echo %p

Find DNS Forwarder information from dnscmd output
for %b in (DNS*.txt) do @for /f "skip=2 delims=[]" %i in ('"find /i /N "Forwarders:" %b"') do @for /f "skip=2 delims=[]" %m in ('"find /i /N "Command completed successfully." %b"') do @for /f %p in ('set /a %m-%i') do echo tail -%p %b

Dump account lockout eventlog entries from all DCs for the last five days
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do echo dumpel.exe -e 644 -l Security -m Security -s %i -c -d 5

List primary reverse lookup zones from a DNS server
dnscmd %server% /EnumZones /secondary /reverse

List allowed secondary servers for the specified zone
dnscmd %server% /zoneinfo %ip%.in-addr.arpa SecondaryServers

Turn on RIS debugging
reg add \\%server%\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Binlsvc\Parameters /v Debug /t reg_dword /d 0x80FFFFFF & sc \\%server% stop binlsvc & sc \\%server% start binlsvc

Query for universal groups
dsquery * dc=%forestRootDomain% -filter "(&(objectCategory=group)(groupType=-2147483640))"

Trigger a command to run on a specific event
eventtriggers /create /TR Test /L Security /EID 680 /T SUCCESSAUDIT /TK calc.exe

Create an XML file with the MD5 hashes of a set of files
FCIV

Find the shell extensions currently loaded
ShexView

Find server information
srvinfo.exe

LDAP Query from eDirectory
ldifde -d %rootDN% -s %NetwareServer% -f output.ldf -a "%UserDN%" *

csvde export from eDirectory
csvde -f OutputFile.csv -a "%UserDN%" * -r "(Objectclass=user)" -d "%rootDN%" -s %NetwareServer%

Dump the VMware IP config
cat /proc/vmware/net/tcpip/ifconfig

View network traffic in the vswif service console interface
/usr/sbin/tcpdump -i vswif0 | grep -v ssh

Query for the display specifiers in the AD user class
dsquery * "CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,%forestrootDomain%" -attr *

Query VMs and their MAC addresses from the VC database
sqlcmd -S %sqlServer% -d %Database% -W -s "," -q "select ENT.Name, NET.MAC_Address from VPX_GUEST_NET_ADAPTER NET inner join VPX_ENTITY ENT on NET.VM_ID = ENT.ID"

Check the Legato AAM HA agent
cat /opt/LGTOaam512/log/aam_config_util_addnode.log

VMware HA Legato AAM, list the cluster manager
/opt/LGTOaam512/bin/ftcli -domain vmware -timeout 60 -cmd "listrules"
(run 'FT_DIR=/opt/LGTOaam512' and then 'export FT_DIR' first)

VMware HA Legato AAM, list the cluster nodes
/opt/LGTOaam512/bin/ftcli -domain vmware -connect %node% -port 8042 -timeout 60 -cmd "listnodes"
(run 'FT_DIR=/opt/LGTOaam512' and then 'export FT_DIR' first)

Query the Virtual Centre/VC database for Virtual Machine Disk Totals
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select VM.Name, Cast(Round(Sum(Cast(VDISK.CAPACITY as numeric))/1024/1024/1024, 1) as int) as 'Total Disk', Cast(Round(Sum(Cast(VDISK.FREE_SPACE as numeric))/1024/1024/1024, 1) as int) as 'Free Disk' from dbo.VPX_GUEST_DISK VDISK inner join VPXV_VMS VM on VDISK.VM_ID = VM.VMID group by VM.Name compute sum(Cast(Round(Sum(Cast(VDISK.CAPACITY as numeric))/1024/1024/1024, 1) as int))"

Query the Virtual Centre/VC database for Virtual Machine Disk information
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select VM.Name, VDISK.* from dbo.VPX_GUEST_DISK VDISK inner join VPXV_VMS VM on VDISK.VM_ID = VM.VMID"

Query the Virtual Centre/VC database for Virtual Machine Disk Total
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select Cast(Round(Sum(Cast(VDISK.CAPACITY as numeric))/1024/1024/1024, 1) as int) from dbo.VPX_GUEST_DISK VDISK"

Show the MSCS cluster multicast address properties
cluster /cluster:%Cluster% network "%PublicNetwork%" /priv

Find the MSCS cluster resources
cluster /cluster:%Cluster% res /prop | find /i "sr"

Query VirtualCentre for hot migration events
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select Create_Time as 'Relocation Start', UserName, VM_Name, Host_Name as 'Host Source', (select Host_Name from dbo.VPX_EVENT Where Chain_ID = EVTDEST.Chain_ID and event_type = 'vim.event.VmMigratedEvent') as 'Host Destination', ComputeResource_Name, DataCenter_Name from dbo.VPX_EVENT EVTDEST where event_type = 'vim.event.VmBeingHotMigratedEvent'"

Query VirtualCentre for migration events
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select Create_Time as 'Relocation Start', UserName, VM_Name, Host_Name as 'Host Source', (select Host_Name from dbo.VPX_EVENT Where Chain_ID = EVTDEST.Chain_ID and event_type = 'vim.event.VmRelocatedEvent') as 'Host Destination', ComputeResource_Name, DataCenter_Name from dbo.VPX_EVENT EVTDEST where event_type = 'vim.event.VmBeingRelocatedEvent'"

Query VirtualCentre for DRS migration events
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select Create_Time as 'Relocation Finished', VM_Name, Host_Name as 'Host Destination', (select Host_Name from dbo.VPX_EVENT Where Chain_ID = EVTDEST.Chain_ID and event_type = 'vim.event.VMBeingHotMigratedEvent') as 'Host Source', ComputeResource_Name, DataCenter_Name from dbo.VPX_EVENT EVTDEST where event_type = 'vim.event.DrsVmMigratedEvent'"

Use WMI to find the WINS entries for DNS-enabled NICs on a list of servers
for /f %i in (servers.txt) do @for /f "skip=1" %m in ('"wmic /node:%i path Win32_NetworkAdapterConfiguration WHERE FullDNSRegistrationEnabled=True get WINSPrimaryServer"') do @echo %i,%m

Set the WINS entry for the specified network
psexec \\%server% netsh interface ip set wins "Local Area Connection" static %WINSIP%

Report the NTFS permissions for restore from a SDDL template
setacl -on c:\windows -ot file -actn list -rec cont_obj -lst f:sddl -bckp test.txt

Remotely configure filesystem NTFS security using a secedit template
psexec \\%server% secedit /configure /db c:\windows\temp\%random%.sdb /cfg c:\windows\security\templates\%template%.inf /log c:\windows\temp\Configure.log

List the file system filters and instances installed on the system
fltmc filters & fltmc instances

Verify installed drivers
verifier.exe

Create a cluster file share
cluster /cluster:%Cluster% res "Share" /create /group:"VFP" /type:"File Share" & cluster /cluster:%Cluster% res "Share" /priv path="?:\%Path%" & cluster /cluster:%Cluster% res "Share" /priv Sharename=%ShareName% & cluster /cluster:%Cluster% res "Share" /priv Remark="File Share" & cluster /cluster:%Cluster% res "Share" /prop Description="File Share" & cluster /cluster:%Cluster% res "Share" /priv security=Everyone,grant,F:security & cluster /cluster:%Cluster% res "Share" /AddDep:"VFP" & cluster /cluster:%Cluster% res "Share" /AddDep:"VFP Disk07" & cluster /cluster:%Cluster% res "Share" /On

Create a generic cluster application for ABE
cluster /cluster:%Cluster% res "ABE" /create /group:"VFP" /type:"Generic Application" & cluster /cluster:%Cluster% res "ABE" /priv CommandLine="cmd.exe /k abecmd.exe /enable %Share%" & cluster /cluster:%Cluster% res "ABE" /priv CurrentDirectory="%SystemRoot%" & cluster /cluster:%Cluster% res "ABE" /priv InteractWithDesktop=0 & cluster /cluster:%Cluster% res "ABE" /priv UseNetworkName=0 & cluster /cluster:%Cluster% res "ABE" /prop SeparateMonitor=1 & cluster /cluster:%Cluster% res "ABE" /prop Description="Access Based Enumeration for File Share" & cluster /cluster:%Cluster% res "ABE" /AddDep:"VFP" & cluster /cluster:%Cluster% res "ABE" /AddDep:"VFP Disk" & cluster /cluster:%Cluster% res "ABE" /AddDep:"Share" & cluster /cluster:%Cluster% res "ABE" /On

Automated Printer configuration
rundll32 printui.dll,PrintUIEntry /?

Create a port using prnadmin.dll on a cluster node
cscript portmgr.vbs -a -c \\%PrintServer% -p %Printer% -h %PrinterIP% -t raw -n 9100

Create a printer using prnadmin.dll on a cluster node
cscript prnmgr.vbs -a -c \\%PrintServer% -b %Printer% -m "HP Universal Printing PCL 6" -r %Printer%

Set printer configuration using prnadmin.dll on a cluster node
cscript prncfg.vbs -s -b \\%PrintServer%\%Printer% -h %Printer% -l "Building/Level 1" +published

Query the Virtual Centre/VC database for Virtual Machine details
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select ENT.Name as 'Name', DNS_Name as 'DNS Name', Guest_OS as 'OS', Mem_Size_MB as 'Mem', Num_VCPU as 'CPU', Num_NIC as 'NIC', IP_Address as 'IP', NET.MAC_Address as 'MAC Address', VM.FILE_Name as 'VMX location' from vpx_vm VM inner join VPX_GUEST_NET_ADAPTER NET on VM.ID = NET.VM_ID inner join VPX_ENTITY ENT on VM.ID = ENT.ID where dns_name like '%'"

Windows Updates Automatic Updates Detect now
wuauclt /detectnow

Test for ping and then query computers for network information
for /f %i in (pcs.txt) do @for /f "tokens=3 delims=: " %m in ('"ping -n 1 %i | find /i "reply from""') do @for /f "tokens=*" %p in ('"@wmic /node:%i path Win32_PerfRawData_Tcpip_NetworkInterface GET | find /i "1000" | find /i /v "MS TCP Loopback interface""') do @echo %i,%m,%p

Dump printer log entries
dumpel -s \\%PrintServer% -l System -e 10 -m Print -d 1

Add an x64 print driver to a cluster node
rundll32 printui.dll,PrintUIEntry /ia /c \\%PrintServer% /m "HP Color LaserJet 8550 PCL 5c" /h "x64" /v "Windows XP and Windows Server 2003" /f hpc8550t.inf

Add an x86 print driver to a cluster node
rundll32 printui.dll,PrintUIEntry /ia /c \\%PrintServer% /m "HP Color LaserJet 8550 PCL 5c" /h "x86" /v "Windows 2000, Windows XP and Windows Server 2003" /f hpc8550b.inf

Change the ownership of all subdirectories and files in a folder
subinacl /subdirectories %Path%\*.* /setowner=%Domain%\%User%

Change the ownership of a folder
subinacl /file %Path% /setowner=%Domain%\%User%

WireShark/ethereal filter to exclude 3389 RDP
!((tcp.srcport == 3389) || (tcp.dstport == 3389))

Show NetBIOS SMB lanmanserver binding
net config server

Show NetBIOS SMB lanmanworkstation binding
net config redirector

Find the session connection for a username and find the client workstation
for /f "tokens=2 delims=\" %i in ('"dsquery user -name %user% | dsget user -hmdir | find /i "%user%""') do @for /f "skip=1 tokens=1-3" %m in ('"wmic /node:"%i" path win32_serversession WHERE "UserName Like '%user%'" Get ComputerName,ActiveTime,IdleTime"') do @for /f "tokens=2" %q in ('"ping -a %n -n 1 | find /i "pinging""') do @echo %q %user% %n %i %m %o

Doskey macro to find session connection information for a user/workstation
FU=for %g in ($1 $2 $3 $4 $5 $6 $7 $8 $9) do @for /f "tokens=2 delims=\" %i in ('"dsquery user -name %g | dsget user -hmdir | find /i "%g""') do @for /f "skip=1 tokens=1-3" %m in ('"wmic /node:"%i" path win32_serversession WHERE "UserName Like '%g'" Get ComputerName,ActiveTime,IdleTime"') do @for /f "tokens=2" %q in ('"ping -a %n -n 1 | find /i "pinging""') do @echo %q %g %n %i %m %o

Hide LUNs with advanced ESX options
disk.MaskLUNs: vmhba0:0:4-5;vmhba1:0:4-5

Find the link speed when connecting to the domain
linkspeed /s %domain%

Add to the permissions on a printer
subinacl /printer \\%PrintServer%\%Printer% /grant=%Domain%\%Group%=M

List the printers on a server
cscript "c:\Program Files\Windows Resource Kits\Tools\prnmgr.vbs" -l -c \\%PrintServer% | find /i "printername"

Refresh per user settings such as desktop wallpaper
RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters ,1 ,True

Find computers and their description from the AD
dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer))" "%rootDN%" -attr cn description

Query RDP sessions on a 2003 server
query session

Shadow an existing TS or console session (Ctrl -* to end the shadow)
shadow %session%

Run a command in the winlogon secure desktop of winsta0\winlogon
psexec /x /d /s cmd

Run a command in the winlogon secure desktop of winsta0\winlogon
psexec /s \\%computer% cmd /c c:\windows\temp\psexec /x /d /s cmd

Update the wallpaper on the winlogon secure desktop winsta0\winlogon
psexec /accepteula /x /s RunDll32.exe USER32.DLL,UpdatePerUserSystemParameters

Run commands automatically when a command prompt is started
reg add "hklm\software\microsoft\Command Processor" /v AutoRun /t reg_sz /d "doskey /macrofile=macros.txt"

Export the groups a user in eDirectory is a member of
ldifde -f output.txt -s %NetwareServer% -a "%AccountDN%" * -d %rootDN% -r "(&(Objectclass=user)(|(cn=User1)(cn=User2)))" -l cn,groupMembership

Replace ldifde output to join separated lines by removing CRLF
cscript SearchReplace.vbs /f:CSQProcurement_Groups.txt "\r\n ;"

Reformat ldifde output to show user per line per group membership
cscript //nologo FindGroups.vbs /f:output.txt

nslookup with debug information
nslookup -debug %IP%

Set the global default printer properties to allow duplexing
setprinter \\%PrintServer%\%i 8 "pDevMode=dmDuplex=2,dmCollate=1,dmFields=duplex collate"

Query the printers published against a specific computer account
dsquery * "%ComputerDN%" -attr printShareName

Query all printers published in the Active Directory
dsquery * domainroot -filter "(objectCategory=printQueue)" -limit 0

Produce a list of files that should be purged based on minage
robocopy /l %Source% %Temp%\Purge%Random% *.* /minage:6 /FP /NJS /NJH /E /TS /NS

Find the install date from a list of servers
for %i in (%Server1% %Server2%) do psinfo \\%i 2>nul | findstr /i /c:"Install date" /c:"%ComputerName%"

Use findstr with regular expressions to find start of line + space + 'New Dir'
findstr /i "^.*New.Dir" Dirs.txt

Use delayed environment variable substitution in a for loop
for /f "delims=:" %i in ('"findstr /i /n "^.*New.Dir" PurgeFiles.txt"') do Set Directory=0000%i & Echo !Directory:~-5!

Query Windows Update logs from contactable machines in an OU
for /f %i in ('"dsquery computer %DN% -o rdn"') do @for /f "tokens=3 delims=: " %m in ('"ping -n 1 %i | find /i "reply from""') do dumpel -s %i -l system -e 19 20 -m "Windows Update Agent"

Query ESX for SNMPD service firewall configuration
esxcfg-firewall -q snmpd

SNMP check against ESX
Snmputil.exe get %host% %community% .iso.org.dod.internet.private.enterprises.6876.1.1.0

Produce a flat list of files, with the last-write date
dir %Directory% /tw/s | find /i "/" | find /i /v "DIR" > Output.txt

Given a control file and a text file, output control entries that aren't found
for /f "tokens=1-3" %i in (%ControlFile%) do @find /i "%i" %TextFile% >NUL & @if errorlevel 1 echo %i

Given a control file and a text file, show whether or not control is in text
for /f "tokens=1-3" %i in (%ControlFile%) do @find /i "%i" %TextFile% >NUL & @if errorlevel 0 if not errorlevel 1 (echo %i Member) else (echo %i NotMember)

Query a specific eDirectory group for its members
ldifde -f output.txt -s %NetwareServer% -a "%AccountDN%" * -d %rootDN% -l cn,member

Modify printer ACLs to add security on all printers for a print server
subinacl /printer \\%PrintServer%\* /grant=%Domain%\%Group%=M

Export a Operations Manager 2007 sealed management pack to an unsealed XML
. c:\windows\temp\MpToXml.ps1 "%SealedMP%.mp" c:\windows\temp

Use LDP to search for tombstoned objects in AD
Base DN: CN=Deleted Objects,%domainRoot%, Filter: (isDeleted=*), Extended Search, Add control: 1.2.840.113556.1.4.417

Bulk modify of mailbox permissions
admodcmd -dn "%DN%" -f "(&(objectclass=user)(CN=%userFilter%*))" -addtomailboxrights %Domain%\%Group% ACE_MB_FULL_ACCESS

Modify ACLs using dsacls (account ACL, not mailbox rights)
dsacls "%userDN%" /G "%Domain%\%Group%:CA;Send As"

Print a test page to one or more printers
for /f "tokens=1-4 delims=," %i in (%Printer.txt%) do cscript prnctrl.vbs -t -b \\%PrintServer%\%i

Given a list of printers, create an LPR port for each
for /f "tokens=1-4 delims=," %i in (%Printer.txt%) do @cscript portmgr.vbs -a -c \\%PrintServer% -p %i -h %k -t LPR -q %i

Given a list of printers, create a printer using the specified driver/port
for /f "tokens=1-4 delims=," %i in (%Printer.txt%) do @cscript prnmgr.vbs -a -c \\%PrintServer% -b %i -m "%j" -r %i

Given a list of printers, set the location, share name and publish in AD
for /f "tokens=1-4 delims=," %i in (%Printer.txt%) do @cscript prncfg.vbs -s -b \\%PrintServer%\%i -h %i -l "%l" +published

Given a list of printers, set global default printer properties to duplex
for /f "tokens=1-4 delims=," %i in (%Printer.txt%) do @setprinter \\%PrintServer%\%i 8 "pDevMode=dmDuplex=2,dmCollate=1,dmFields=duplex collate"

Given a list of printers, set printer permissions to allow for queue management
for /f "tokens=1-4 delims=," %i in (%Printer.txt%) do @c:\util\subinacl /printer \\%PrintServer%\%i /grant=%Domain%\%Group%=M

Run the 32-bit version of regsvr32 on an x64 platform to register a DLL
c:\WINDOWS\SysWOW64\regsvr32 c:\admin\util\prnadmin.dll

Run the 32-bit version of cscript that accesses a 32-bit DLL on x64
c:\WINDOWS\SysWOW64\cscript portmgr.vbs

Show the current default settings sent down to clients from a printer
setprinter -show \\%printServer%\%Printer% 8

Determine users that aren’t in a group
for /f "tokens=1-3" %i in (%users.txt%) do @for /f "tokens=*" %m in ('"@dsquery user -name %i"') do @echo %m & @dsget user %m -memberof -expand | findstr /i /c:"%m" /c:"%GROUP%" & echo.

Query group membership
dsquery group -name %GROUP% | dsget group -members -expand > %GROUP%.members

Check whether users are in a group (from 'Query group membership')
for /f "skip=1 tokens=1-3" %i in (%users.txt%) do @find /i "%i" %GROUP%.members >NUL & @if errorlevel 1 echo %i

Check whether users are in a group or not (from 'Query group membership')
for /f "tokens=1-3" %i in (%users.txt%) do @find /i "%i" %GROUP%.members >NUL & @if errorlevel 0 if not errorlevel 1 (echo %i Member) else (echo %i NotMember)

Return the DN of a list of users
for /f %i in (%users.txt%) do @dsquery user -name %i

Check user attributes from AD (division, department, home drive, email)
for /f "tokens=1-3" %i in (%users.txt%) do @for /f "tokens=*" %m in ('"@dsquery user -name %i"') do @for /f "tokens=1-10" %q in ('"@dsquery * %m -attr CN department division mail homeDirectory homedrive | find /i /v "homeDirectory""') do @echo %q,%r,%s,%t,%u,%v,%w,%x,%y >> UserInformation.csv

Check user home drive permissions from hmDir (top-level)
for /f %i in (%users.txt%) do @for /f "tokens=*" %m in ('"dsquery user -name %i | dsget user -hmdir | find /i "%i""') do cacls "%m"

Check Access Based Enumeration is enabled on a top-level share
psexec \\%server% abecmd %share%

Check permissions are being inherited
for /f %i in (%users.txt%) do @for /f "tokens=1" %m in ('"dsquery user -name %i | dsget user -hmdir | find /i "%i""') do @for /d %p in (%m\*.*) do @echo cacls "%p"

Check ownership of files
for /f %i in (%users.txt%) do @for /f "tokens=1" %m in ('"dsquery user -name %i | dsget user -hmdir | find /i "%i""') do @dir %m /q/s

Run diskpart to list NTFS volumes remotely
psexec \\%server% cmd /c "echo list volume | diskpart | find /i "NTFS""

Find local disks other than C: and D: that are NTFS
wmic /node:"%server%" path Win32_LogicalDisk WHERE "FileSystem='NTFS' AND Name != 'C:' AND Name != 'D:'" GET SystemName,Name

Find local disks using powershell and output to CSV
Get-WmiObject -Namespace root\cimv2 -ComputerName %server% -Query "SELECT * from Win32_LogicalDisk WHERE FileSystem='NTFS' AND Description = 'Local Fixed Disk' AND Name != 'C:' AND Name != 'D:'" | export-csv c:\disk.csv

Find the disks currently owned by each cluster node
for %i in (%server1% %server2%) do @wmic /node:"%i" path Win32_LogicalDisk WHERE "FileSystem='NTFS' AND Name != 'C:' AND Name != 'D:'" GET SystemName,Name | find /i "%server_prefix%"

In a 2003 cluster, find each disk volume and analyse file fragmentation
for /f "tokens=2,5,6,8" %i in ('"cluster /cluster:%cluster% resource /prop | find /i "disk" | find /i "description" | find /i "%CommonTag%""') do echo \\%i\%k %j %l>> Defrag_%i_%j.txt && psexec \\%i defrag %k -a -v >> Defrag_%i_%j.txt

From cluster defrag analysis, print out details for each cluster volume
for /f "tokens=1,* delims=:" %i in ('"findstr /i /c:%server% /c:"Total files" /c:"Volume size" /c:"Used space" /c:"Percent free space" /c:"Total fragmented files" defrag*"') do @echo %j

Use SetPrinter to capture all settings for a printer
for %i in (0 1 2 3 4 5 6 7 8 9) do setprinter -show \\%server%\%printer% %i

Find the print processor used by all printers on a print server
setprinter -show \\%server% 2 | findstr /c:"pPrinterName" /c:"pPrintProcessor"

Check printers are being published in the directory through setprinter
setprinter -show \\%server% 7

Report print queue current length and various performance statistics
wmic /node:"%server%" path Win32_PerfFormattedData_Spooler_PrintQueue Get Name,Jobs,TotalJobsPrinted,TotalPagesPrinted,MaxJobsSpooling,JobErrors,OutOfPaperErrors

List printer drivers on a physical or cluster Windows 2003 server
cscript drvmgr.vbs -l -c \\%server%

Find printer event log entries for the last 15 minutes
for /f %i in ('cscript //nologo c:\data\scripts\updated\time\finddatetime.vbs') do wmic /node:"%server%" path Win32_NTLogEvent WHERE "SourceName='Print' AND LogFile='System' AND EventCode=10 AND TimeGenerated > '%i'"

Find printer event log entries for the specified user
wmic /node:"%server%" path Win32_NTLogEvent WHERE "SourceName='Print' AND LogFile='System' AND EventCode=10 AND User='%Domain%\\%Username%'" Get User,TimeGenerated,InsertionStrings

Query the unidrv DLL versions from a list of pingable computers in an OU
for /f %i in ('"dsquery computer %OU_DN% -limit 0 -o rdn"') do @for /f "tokens=3 delims=: " %m in ('"ping -n 1 %i | find /i "reply from""') do @for /f "tokens=1-9" %q in ('"filever \\%~i\C$\windows\system32\spool\drivers\w32x86\3\uni*.dll | find /i /v "\\%~i""') do @echo %i,%q,%r,%s,%t,%u,%v,%w,%x,%y

Read directories from a security template, checking if they exist
for /f "skip=2 tokens=1 delims=," %i in ('"find /i "OICI" \\%server%\%Template%"') do @if not exist \\%server%\%drive%$%~pi echo \\%server%\%drive%%~pi

Modify a printer to use the winprint processor
setprinter \\%Server%\%Printer% 2 pPrintProcessor="WinPrint"

Join output split across two lines using delayed variable expansion (cmd /v:on)
for /f "tokens=3,4" %i in ('"findstr /i /c:"printDuplexSupported" /c:"Share Name" PrintersRegQuery.txt"') do @if "%i"=="REG_SZ" (@Set Printer=%j) else (@Echo !Printer!,%i)

Process robocopy /l output to find files/data that would be copied
for /f "tokens=2,5 delims=_:" %i in (output.txt) do @If "!User!" NEQ "%i" (@Set User=%i&@Set Line=%i,%j) else (@Set Line=!Line!,%j & @Echo !Line!)

Query the Virtual Centre/VC database for Virtual Machine snapshots (GMT+10)
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select ENT.Name as 'Name', DNS_Name as 'DNS Name', Guest_OS as 'OS', Mem_Size_MB as 'Mem', IP_Address as 'IP', VM.FILE_Name as 'VMX location', VM.Suspend_Time as 'Suspend Time', VM.Suspend_Interval as 'Suspend Interval', VMS.Snapshot_Name as 'Snapshot Name', VMS.Snapshot_Desc 'Snapshot Description', DateAdd(Hour, 10, VMS.Create_Time) as 'Snapshot Time', VMS.Is_Current_Snapshot 'Current Snapshot' from vpx_vm VM inner join VPX_GUEST_NET_ADAPTER NET on VM.ID = NET.VM_ID inner join VPX_ENTITY ENT on VM.ID = ENT.ID inner join VPX_SNAPSHOT VMS on VM.ID = VMS.VM_ID"

Query vmfs volumes for snapshot files from the console
ls -Ral /vmfs/volumes/*.* | grep .vmsn

Query the Virtual Centre/VC database for Virtual Machine LUN attachments
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select VMS.Name, TDS.Name from vpxv_vms VMS inner join vpxv_vm_datastore VVMDS on VMS.VMID = VVMDS.VM_ID inner join vpx_datastore TDS on VVMDS.DS_ID = TDS.ID Order by VMS.Name"

Query the Virtual Centre/VC database for Virtual Machine config LUN
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select VMS.Name as 'VM Name', TDS.Name as 'Config Datastore', SubString(ConfigFileName, CharIndex('/', ConfigFileName, Len('sanfs://vmfs'))+1, 255) as 'Config Path' from vpxv_vms VMS inner join vpx_datastore TDS on TDS.Storage_URL = SubString(VMS.ConfigFileName, 1, CharIndex('/', VMS.ConfigFileName, Len('sanfs://vmfs'))) Order By 'Config Datastore'"

Query the Virtual Centre/VC database for volume total and free disk space
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select Name, Cast(Round(Cast(Capacity as numeric)/1024/1024/1024, -1) as int) as 'Total Space', Cast(Round(Cast(Free_Space as numeric)/1024/1024/1024, -1) as int) as 'Free Space', Type from vpx_Datastore"

Open an Excel document in read-only mode from the commandline
start excel /h /e %xls%

Query printer information from AD (speed, memory etc)
dsquery * %serverDN% -limit 0 -filter "(&(objectClass=printQueue)(objectCategory=printQueue))" -attr cn printerName driverName printCollate printColor printLanguage printSpooling driverVersion printStaplingSupported printMemory printRate printRateUnit printMediaReady

Export printer information from AD (speed, memory etc)
csvde -f Printers.csv -d %serverDN% -r "(&(objectClass=printQueue)(objectCategory=printQueue))" -l cn,printerName,location,driverName,printCollate,printColor,printLanguage,printSpooling,driverVersion,printStaplingSupported,printMemory,printRate,printRateUnit,printMediaReady

Extract B if A is found in B, otherwise report blank
for /f "tokens=1-3 delims=," %i in (a.txt) do @find /i "%i" b.csv >nul & If errorlevel 0 if not errorlevel 1 (for /f "tokens=4 delims=," %m in ('"find /i "%i" b.csv | find /i "%i""') do @echo %i,%m,%j,%k) else (Echo %i,none,%j,%k)

Query SMS for computers on a particular subnet
wmic /namespace:\\root\sms\site_%sitecode% /node:"%site_Server%" path SMS_R_System WHERE "IPSubnets='%subnet%' AND Active=1" get name

Query SMS for computers in a specific AD site
wmic /namespace:\\root\sms\site_%sitecode% /node:"%site_Server%" path SMS_R_System WHERE "ADSiteName='BNE' AND Active=1" get name

Find the owner of a process using WMI - see who's logged on remotely
wmic /node:"%computer%" PROCESS where "caption='explorer.exe'" call getowner

Convert a file to/from base64 to transmit a binary file through filters
http://www.motobit.com/util/base64-decoder-encoder.asp

Check through SNMP whether a printer supports a duplexing media path
snmputil walk %printer% public printmib.prtMediaPath.prtMediaPathTable.prtMediaPathEntry.prtMediaPathDescription

Check through SNMP the printer device model
snmputil getnext %printer% public host.hrDevice.hrDeviceTable.hrDeviceEntry.hrDeviceDescr

Disable path parsing when listing a directory
dir "\\?\c:\folder"

Find VM distribution on VMware cluster physical nodes
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "Select VH.DNS_NAME as 'Host', count(VM.HOST_ID) from vpx_vm VM inner join vpx_host VH on VM.HOST_ID = VH.ID group by VM.HOST_ID, VH.DNS_NAME order by 'Host'"

Find network information for a computer from SMS
wmic /namespace:\\root\sms\site_%sitecode% /node:"%siteserver%" path SMS_R_System WHERE Name='%computer%' get name,adsitename,IPAddresses,IPSubnets,MACAddresses

Send a Wake-on-lan magic packet on a local subnet
wolcmd 00157283E57F 192.168.0.10 255.255.255.0 7

Query the NTFS attributes of a file
nfi "C:\windows\system32\notepad.exe"

Query the Virtual Centre/VC database for VM CPU alarms
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select ALR.Created_Time, ENT.Name from vpx_alarm_runtime ALR inner join vpx_alarm AL on ALR.Alarm_ID = AL.Alarm_ID inner join vpx_entity ENT on ALR.Entity_ID = ENT.ID where AL.Name = 'Virtual Machine CPU Usage' order by created_time"

Get the lanmanserver description using SNMP
Snmputil.exe get %server% %community% .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svDescription.0

Query the performance counters stored in a log file
relog.exe file.blg -q

View/Modify the ACL security on spooler pipe
pipesec \\%computer%\pipe\spoolss

Report multiple named instances of SQL on a remote server
reg query "\\%server%\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"

Query the group membership cache used by Group Policy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership

Report and save the security on one or more NTFS Filesystem objects
ICACLS %object% /save %outputfile%

Reset the inherited DACL flag on an object to not protected, inherit below
setacl -on %Directory% -ot file -actn setprot -op dacl:np

Reset inherited permissions for specified NTFS objects
setacl -on %Directory%\*.* -ot file -actn rstchldrn -rst DACL

Check the first x characters from A against B, report differences (cmd /v:on)
for /f "tokens=1-4 delims=," %i in (%Source%) do @set VarA=%i & Set VarB=%j& if /i "!VarA:~0,4!" NEQ "!VarB:~0,4!" echo %i,%j,%k,%l mismatch

Set a Service Principal Name for an alias against the host computer account
setspn -A HOST/%alias%.domain.com %server%

Find the computer object advertising a specific SPN
dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer)(servicePrincipalName=*SPN*))" -attr cn servicePrincipalName distinguishedName

Register a Virtual Machine in ESX
vmware-cmd -s register "/path/to/vmx/or/vmtx"

Unregister a Virtual Machine in ESX
vmware-cmd -s unregister "/path/to/vmx/or/vmtx"

Export group objects from AD to a CSV file
adfind -b "domainRoot" -f "objectclass=group" cn samaccountname -csv

Check local profiles, reporting whether they are local administrators or not
for /f %i in ('"dir /b/ad "c:\Documents and Settings""') do @for /f %m in ('"psgetsid %i 2>Nul | find /i "s-1""') do @reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\%m\GroupMembership" 2>nul | find /i "S-1-5-32-544" 1>nul & @if errorlevel 1 (@echo %i Not an Administrator or group policy entry not found) else (@echo %i Is an Administrator)

View the User Accounts control panel applet
Control Userpasswords2

Roll daily logs into monthly logs (command runs each day)
for /f "tokens=3,4 delims=/ " %i in ('echo %date%') do copy c:\logs\daily\logfile_%j%i??.csv c:\logs\monthly\logfile_%j%i.csv /y

Query printer tray configuration of printers on a cluster (HP UPD)
for /f %i in (Printers.txt) do @for /f "tokens=1,2,*" %m in ('"reg query \\%PrintServer%\HKEY_LOCAL_MACHINE\Cluster\Resources\%ClusterResourceGUID%\Parameters\Printers\%i\PrinterDriverData /v InputSlot 2>nul | find /i "InputSlot" & if errorlevel 1 echo 1 2 NotFound"') do @echo %i,%o>>PrinterTrays.txt

Use SNMP to get the printer media path, indicating simplex/duplex capabilities
for /f %i in (Printers.txt) do @for /f "tokens=3,*" %m in ('"snmputil walk %i public printmib.prtMediaPath.prtMediaPathTable.prtMediaPathEntry.prtMediaPathDescription 2>nul| find /i "value" & if errorlevel 1 echo 1 2 3 NotFound"') do @echo %i,%n

List the file screen groups for File Server Resource Manager (FSRM)
filescrn filegroup list

Directory listing of all files in bare format, excluding the dir objects
dir \\%server%\%share%\*.* /a-d/s/b

Enable SSH client out on an ESX host firewall, permitting SCP as well
esxcfg-firewall -e sshClient

Query the ESX firewall to determine whether SSH client is allowed out
esxcfg-firewall -q | grep sshClient

Use the VI Toolkit Powershell snap-in to query for snapshots
Get-VM | Get-Snapshot | export-csv -path c:\temp\VMsnapshots.csv

Use the VI Toolkit Powershell snap-in to query for snapshot information
Get-VM | Get-Snapshot | foreach-object {$out= $_.VM.Name + "," + $_.Name + "," + $_.Description + "," + $_.PowerState; $out}

Master an ISO Image from a source directory
oscdimg -m -h -n . %Target%.iso

Enable Netlogon debugging
nltest /dbflag:0x2080FFFF

Change security on a file in the ESX service console
chmod u+rwx,g+rx,o+rx somefile

Start a remote process using Powershell/WMI
$computer = "."; ([WMICLASS]"\\$computer\root\CIMv2:win32_process").Create("notepad.exe")

Find remote drivers installed on a computer
devcon -m:\\%computer% status *

Create a floppy image from the given path
bfi.exe -v -f=test.img %path%

Extract files from a floppy image (Gilles Vollant extract.exe)
extract -e %imgfile%

Dump file and security attributes on an NTFS filesystem
filestat %file%

Check NULL sessions to see if user/group information can be enumerated
hunt.exe OR winfo.exe

Identify the DN of an Active Directory group
dsquery group -name %GroupName%

Find the current group scope of a security group
dsget group %GroupDN% -scope -secgrp

Change a group's scope to universal, a stepping stone for conversion
dsmod group %GroupDN% -scope u

Change a universal group's scope to global or local
dsmod group %GroupDN% -scope l | g

Modify the UPN for a user
dsmod user "%userdN%" -upn user@domain

Find all user accounts with a UPN, and count the DNs returned
dsquery * domainroot -filter "&(objectclass=user)(objectcategory=person)(userprincipalname=*)" -s %server% | find /i /c "user"

Find all user accounts without a UPN, and count the DNs returned
dsquery * domainroot -filter "&(objectclass=user)(objectcategory=person)(!(userprincipalname=*))" -s %server% | find /i /c "user"

Identify user accounts without a UPN to be corrected
dsquery * %OU% -filter "&(objectclass=user)(objectcategory=person)(!(userprincipalname=*))" -s %server% -scope onelevel -attr name distinguishedname > NoUPN.txt

After identifying one or more accounts without a UPN, set the UPN for each
for /f "skip=1 tokens=1,2-3" %i in (NoUPN.txt) do dsmod user "%j %k" -upn %i@%upnsuffix%

Show all replicated attributes in the AD Schema
dsquery * cn=schema,cn=configuration,DC=forestRootDomain -filter "(&(objectClass=attributeSchema)(objectCategory=attributeSchema)(!systemFlags:1.2.840.113556.1.4.803:=1))" -limit 0

Show an AD schema attribute
dsquery * cn=pwd-last-set,cn=schema,cn=configuration,DC=forestRootDomain

Bitwise AND the system-flags of a schema attribute to show if replicated
dsquery * cn=pwd-last-set,cn=schema,cn=configuration,DC=forestRootDomain -filter "!(&(systemFlags:1.2.840.113556.1.4.803:=1))"

Given a list of user CNs, find them in the directory and report homeDirectory
for /f %i in (Users.txt) do @for /f "tokens=*" %m in ('"dsquery user -name %i"') do @for /f %p in ('"dsquery * %m -attr homeDirectory -l | find /i "\\" & if errorlevel 1 Echo NoHomeDirectory"') do @echo %i,%m,%p

Disable strict name checking for a machine
reg add \\%computer%\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters /v DisableStrictNameChecking /t reg_dword /d 0x1

Query printers for job counts >= 1
wmic /node:"%server%" path Win32_PerfFormattedData_Spooler_PrintQueue Where "Jobs>=1" Get Name,Jobs,MaxJobsSpooling,JobErrors,OutOfPaperErrors

List transports and if they are bound to NetBIOS (NetBT over TCP/IP)
browstat dumpnet

View the browse list using NetServerEnum to a domain or server
browstat view \Device\NetBT_Tcpip_{972F2574-31D4-4467-8BC0-70B3C57C1279} %domain%

Show the ACL in SDDL format using cacls
cacls c:\ /s

Add authenticated users:R to the root (not OICI) using SDDL with cacls
cacls c:\ /S:"D:PAI(A;OICI;FA;;;BA)(A;;0x1200a9;;;AU)(A;OICI;FA;;;SY)"

Query Storage Report Management global settings (file screening and quotas)
reg query HKEY_LOCAL_MACHINE\Cluster\SRM\Settings\SrmGlobalSettings /v Data

Show the current mounted volumes on the local system
mountvol OR mountvol c:\ /l

Find remote cscript processes and the scripts they are running (arguments)
wmic /node:"%computer%" path win32_process Where "Caption Like '%cscript%' " get Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId

Connect to a named SQL instance through Management Studio
%server%\%instance_name%

Query an Enterprise Vault Directory database for file group information(view)
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select * from dbo.view_FileGroupAndFileGroupFile"

Query an Enterprise Vault Directory database for file group information(table)
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select FileGroupName, FileGroupDescription, FileSpecification from filegroupfile inner join Filegroup on FileGroupFile.FileGroupEntryID = FileGroup.FileGroupEntryID Order By FileGroupName"

Query an Enterprise Vault Directory database for index errors
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "Select ArchiveName, ArchiveStatus, IndexRootPath, Offline, Failed, Rebuilding, IndexedItems, FailedItems from IndexVolumeView where (rebuilding != 0) OR (Failed != 0) OR (Offline != 0)"

Extract events from a non-standard event log
wmic /node:"%computer%" path Win32_NTLogEvent WHERE "SourceName='%EventSource%' AND LogFile='%LogName%' AND EventCode=%eventcode%"

Start a process in low priority
cmd /c start "LowPriority" /BELOWNORMAL notepad "a file.txt"

Create a hardlink directory entry linking one file to another
fsutil hardlink create %NewFileLink% %ExistingFile%

Create symbolic dir, file links, hard links and dir junctions Vista/2008
mklink

Add a string to an alternate stream stored as a $DATA attribute
echo this content will be stored in the file sub stream > test.txt:stream1

Add the contents of a file to an alternate data stream
type file.txt > test.txt:stream1

Create a new file in an alternate stream as part of a directory
md test & echo alternate stream > test:stream1

Display the stream
more < test.txt:stream1

Add an executable as an alternate stream attached to a directory
type c:\windows\system32\notepad.exe > test:test.exe

Run the executable in the alternate stream
cmd /c start .\test:test.exe

Retrieve the binary file from an alternate data stream (port of Unix Cat)
cat test:test.exe > note.exe

Remove an NTFS alternate data stream (does not maintain timestamps)
type test.txt>test1.txt

Delete an alternate data stream
streams -d test.txt
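
The alternate data stream commands above write content, including an executable, into named streams that a plain dir listing does not show. As an added example (not from the original post), the PowerShell function below enumerates named streams so they can be audited; the function name Find-AlternateDataStream and its output fields are assumptions chosen for illustration.

```powershell
# Added example: report non-default NTFS alternate data streams under a path.
# Windows only. Get-Item -Stream needs PowerShell 3.0 or later; streams attached
# to directories are only returned by PowerShell 7.2 and later.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [switch] $Recurse
    )

    # Windows PowerShell reads raw bytes with -Encoding Byte; PowerShell 6+ uses -AsByteStream
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $byteArgs = @{ AsByteStream = $true }
    } else {
        $byteArgs = @{ Encoding = 'Byte' }
    }

    # Check the starting object itself, then its children if it is a directory
    $root  = Get-Item -LiteralPath $Path -Force
    $items = @($root)
    if ($root.PSIsContainer) {
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse:$Recurse -Force -ErrorAction SilentlyContinue)
    }

    foreach ($item in $items) {
        # Skip the unnamed default stream, which holds the normal file content
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $streams) {
            # First two bytes "MZ" (0x4D 0x5A) indicate a PE image stored in the stream
            $head = @(Get-Content -LiteralPath $item.FullName -Stream $s.Stream -TotalCount 2 @byteArgs -ErrorAction SilentlyContinue)
            $isPE = ($head.Count -ge 2) -and ($head[0] -eq 0x4D) -and ($head[1] -eq 0x5A)

            [pscustomobject]@{
                Path        = $item.FullName
                Stream      = $s.Stream
                Length      = $s.Length
                LooksLikePE = $isPE
            }
        }
    }
}

# Usage: Find-AlternateDataStream -Path C:\temp -Recurse | Format-Table -AutoSize
```

Zone.Identifier streams on downloaded files are expected in the output; streams flagged LooksLikePE are the ones to review first.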

Dump NTFS info from the MFT for a File Record Segment (unix port)
ntfsinfo -d /dev/hda1 -i 36

Find cluster disk size and free space
echo clusnode1 > clusternodes.txt & echo clusnode2 >> clusternodes.txt & echo clusnode3 >> clusternodes.txt & echo clusnode4 >> clusternodes.txt & wmic /node:@clusternodes.txt path Win32_LogicalDisk WHERE "FileSystem='NTFS' AND Name != 'C:' AND Name != 'D:'" GET SystemName,Name,Size,FreeSpace,VolumeName

Query HP printers for the page count using SNMP
for /f %i in (Printers.txt) do @echo %i & @snmputil walk %i public printmib.prtMarker.prtMarkerTable.prtMarkerEntry.prtMarkerLifeCount | find /i "value"

Create a security template from the given directory for SDDL secedit processing
for /d %i in (%source%\*.*) do @for /f "tokens=2" %j in ('cacls.exe %i /S') do @echo Processing %~ni & echo "%i",2,%j >> Security.txt

Make test directories from a security template
for /f "tokens=1,2,3,* delims=\," %i in ('"find /i "dir1\dir2" template.inf"') do md "c:\temp\sectest\%j\%k"

Reformat the target of a security template for offline testing
for /f "tokens=1,2,3,* delims=\," %i in ('"find /i "dir1\dir2" template.inf"') do @echo "c:\temp\sectest\%j\%k,%l

Disable automatic mounting of volumes added to a 2003 system
automount disable

Remove automatic mount points for volumes that no longer exist
automount scrub

Allow Dell OpenManage Server Administrator traffic through ESX
esxcfg-firewall -o 1311,tcp,in,OpenManageRequest

Query the replicated lastLogonTimestamp attribute for password changes
dsquery user -inactive 8 -limit 0

Delete a cluster resource type
cluster restype "%resource_name%" /delete /type

Query the Virtual Centre/VC database for Virtual Machine LUN mapping and size
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select VMS.Name, TDS.Name, Cast(Round(Sum(Cast(VDISK.CAPACITY as numeric))/1024/1024/1024, 1) as int) as 'Total Disk', Cast(Round(Sum(Cast(VDISK.FREE_SPACE as numeric))/1024/1024/1024, 1) as int) as 'Free Disk' from vpxv_vms VMS inner join vpxv_vm_datastore VVMDS on VMS.VMID = VVMDS.VM_ID inner join vpx_datastore TDS on VVMDS.DS_ID = TDS.ID inner join VPX_GUEST_DISK VDISK on VMS.VMID = VDISK.VM_ID group by VMS.Name, TDS.Name Order by TDS.Name, VMS.Name"

Open the administrative tools start menu list
control admintools

Open the scheduled tasks special folder
control SCHEDTASKS

Disable hibernation
powercfg -h off

Show network interface statistics (packets/errors/bytes)
netstat -e

Find remote processes and the command-line parameters with PowerShell
Get-WmiObject win32_process | Format-Table ExecutablePath,Caption,CommandLine,CreationDate,WorkingSetSize,ProcessId

Create an IIS virtual directory
cscript C:\WINDOWS\system32\iisvdir.vbs /create "Default Web Site" %Alias% %rootPath%

Use WMIC aliases to format the output in CSV or XML
wmic process list /format:xml | wmic process list /format:csv

Use WMIC aliases to format the output in HTML TABLE, MOFCSV or XML
wmic process list /format:htable | wmic process list /format:HMOF

Use WMIC aliases to sort the output in HTML
wmic process list /format:htable:"sortby=Name" > test.html

Use WMIC aliases to filter and sort the output in CSV
wmic process get name /format:csv:"datatype=text":"sortby=Name"

Use WMIC aliases remotely to retrieve command-line process arguments
wmic /node:"%server%" process get name,CommandLine /format:csv:"sortby=Name"

Use WMIC aliases to sort the result set by number
wmic Logon get /Format:htable:"datatype=number":"sortby=LogonType"

Use a custom WMIC alias to report printer info from a cluster node in CSV
wmic /node:"%server%" spoolerjobs list /format:table

Use a custom WMIC alias to report sorted HTML printer info from a cluster node
wmic /node:"%server%" spoolerjobs list /format:htable:"datatype=number":"sortby=TotalJobsPrinted"

Use a custom WMIC alias to report a brief summary of printer statistics
wmic /node:"%server%" spoolerjobs list brief /format:htable:"datatype=number":"sortby=TotalJobsPrinted"

Use a custom WMIC alias and xsl to sort print jobs output descending HTML table
wmic /node:"%server%" spoolerjobs list brief /format:"htabledesc-sortby.xsl":"datatype=number":"orderby=descending":"sortby=TotalJobsPrinted" > test.html

Query a user from AD using WMI
wmic /node:"%DC%" /namespace:\\root\directory\LDAP path ds_user where "ds_cn='%username%'" GET ds_displayName,DS_UserPrincipalName,ds_cn,ds_name,ds_whenCreated

Use WMIC to get instances of a class and format the output as CSV
wmic path win32_process get name,commandline /format:csv

Find cluster disk size and free space in CSV format
wmic /node:"%server%","%server%","%server%","%server%" path Win32_LogicalDisk WHERE "FileSystem='NTFS' AND Name != 'C:' AND Name != 'D:'" GET SystemName,Name,Size,FreeSpace,VolumeName /format:csv

Find cluster disk size and free space in modified CSV format with thousand sep.
wmic /node:"%server%","%server%","%server%","%server%" path Win32_LogicalDisk WHERE "FileSystem='NTFS' AND Name != 'C:' AND Name != 'D:'" GET Name,Size,FreeSpace,VolumeName /format:csv2

Report the hosts controlled by a VirtualCentre instance
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select [Name] from vpxv_hosts order by [Name]"

Report the hosts controlled by a VirtualCentre instance
sqlcmd -S %sqlServer% -d %Database% -W -s "," -Q "select DNS_Name, IP_Address, PRODUCT_FULLNAME from vpx_host Order by DNS_Name"

Report the windows MSCS cluster virtual groups
cluster /cluster:%cluster% group /prop | find /i "description" | find /i /v "pbx" | find /i /v "cluster"

Report folders being archived from Enterprise Vault EV FSA
sqlcmd -S %sqlServer%\%instance% -o ArchivedFolders.txt -d %enterprisevaultdirectory% -W -s "," -Q "select FSVP.UncName, FSVP.VolumeName, FSFE.FolderPath, FSVP.UncName + '\' + FSVP.VolumeName + '\' + FSFE.FolderPath as 'Path' from dbo.FileServerFolderEntry FSFE inner join dbo.vw_FileServer_Volume_Policy FSVP on FSFE.VolumeEntryID = FSVP.VolumeEntryID"

Report folders from one or more servers not being archived compared to FSA export
for %i in (\\%server%\%share% \\%server%\%share% ) do @for /f "tokens=1-4,*" %m in ('"dir %i\* /ad /tc | find "DIR" | find "-""') do @find /i "%q" ArchivedFolders.txt >nul & @If errorlevel 1 (echo %q,%i,%m %n %o) >> NotArchived.csv

Find the current CPU utilisation for processes using WMI
wmic /node:"%computer%" path Win32_PerfFormattedData_PerfProc_Process get Name,PercentProcessorTime

Use JT to update a scheduled task's working directory
jt.exe /sac \\%computer%\c$\windows\Tasks\%Task%.job /sj WorkingDirectory = "%workingdir%"

Reset inheritance starting at a folder and recursing
icacls \\UNC\Path /reset /t /c

Open a saved printer query window
rundll32 dsquery,OpenSavedDsQuery %Config%.qds

Disable path parsing to access a file using UNC
type "\\?\UNC\server\share\path\file.txt"



Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.


About Me

I’ve worked in IT for over 13 years, and I know just about enough to realise that I don’t know very much.