While PowerShell is usually the tool of choice these days, old habits die hard. I still record command-lines I find useful in the old-fashioned command prompt.
This is the fourth edition of useful command lines, adding another 467 commands. Note that many of the command-lines may require Microsoft utilities (such as dsquery, wmic, dnscmd), or resource kits, sysinternals or other third-party binaries.
Each command-line can be copied and pasted at the command prompt; if you use a batch file you'll need to reference variables with double-percent (%%).
I hope this will help some of the other non-clickers out there.
See the previous three posts for more command-line operations:
Disable IPV6 on Windows Server 2008
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t reg_dword /d 0xFFFFFFFF
Verify a certificate chain
certutil -verify -urlfetch test.cer
Query the roles and features installed on a Windows Server 2008 installation
ServerManagerCmd -query
Create a performance monitor log to gather local counters
logman create counter SystemPerformance -cf c:\temp\counters.txt -b "29/04/2010 0:00:00" -e "29/04/2010 23:59:59" -r -rf 24:00:00 -cnf 24:00:00 -o c:\perflogs\%computername% -f bin -si 00:00:15
Check the access permissions on files/directories/registry keys (sysinternals)
accesschk.exe
GUI View virtual/physical memory maps of processes (sysinternals)
vmmap.exe
View Win32 and Kernel-mode Debug output (sysinternals)
dbgview.exe
Use 2008R2 logman to create a data collector set from a saved XML
logman import -xml c:\admin\Control\Performance.xml -n Performance
Use 2008R2 logman to start a performance data collector set
logman start Performance
Display license/activation details on a KMS client for the current license
cscript c:\windows\system32\slmgr.vbs /dlv
Find 2008 servers in the domain
dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=Windows Server 2008*))" -limit 0
Set the KMS server used for activation
cscript slmgr.vbs /skms %kmsServer%
Trigger software activation
cscript slmgr.vbs /ato
Find the owners of all processes on a remote system
wmic /node:%server% process where "caption like '%'" call getowner
Find contacts that are members of distribution groups
dsquery * -filter "(&(objectClass=Contact)(objectCategory=Person)(memberof=*))" -attr distinguishedname memberof -limit 0
Query a group of XenApp/terminal servers for TS logons
wmic /node:server01,server02,server03 path Win32_PerfFormattedData_TermService_TerminalServices Get ActiveSessions,InactiveSessions,TotalSessions
Enable user mode verbose logging
reg add "\\server01\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v UserenvDebugLevel /t reg_dword /d 0x30002
Enable Kerberos debugging
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v LogLevel /t reg_dword /d 1
Enable NTFRS debugging
reg add HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters /v "Debug Log Severity" /t reg_dword /d 0x4
Enable Group Policy Client Side Extension (CSE) debugging
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GpExtensions\{827d319e-6eac-11d2-a4ea-00567f79f83a}" /v ExtensionDebugLevel /t reg_dword /d 0x2
Enable Group Policy folder redirection debugging
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v FdeployDebugLevel /t reg_dword /d 0x0000000F
Check whether a user's token size is too large
ntdsutil "group membership evaluation" "run domain user"
Use ntdsutil with escaped double-quotes when the SAMID has spaces
ntdsutil "group membership evaluation" "run domain \"User 01\"" quit quit
2008 server print backup recovery and maintenance, query printers
c:\Windows\System32\spool\tools\printbrm -q
Set the managed by attribute of an object on a particular DC
cscript SetManagedBy.vbs dc01 "CN=GroupName,CN=Users,DC=domain,DC=local" "CN=UserOrGroup,DC=domain,DC=local"
Set the ACE required for the tick-box allowing a manager of an object
dsacls.exe "CN=GroupName,CN=Users,DC=domain,DC=local" /G domain\user:WP;member
Test whether a Domain Controller is responding over LDAPS
adfind -b "dc=domain,dc=local" -h dc01 -ssl
Find AD/DNS registered KMS servers
nslookup -type=srv _VLMCS._tcp.domain.local
Query a number of Citrix/XenApp/Terminal servers for users
for %i in (server01 server02 server03) do @for /f %m in ('"quser /server:%i | find /i "ica" /c"') do @echo %i,%m
Query Citrix farm information
qfarm
Set 2003 page file information
cscript C:\WINDOWS\system32\pagefileconfig.vbs /change /s %server% /I 6144 /M 6144 /VO C:
Set 2008 page file information
wmic pagefileset create name="C:\\pagefile.sys" & wmic pagefileset set InitialSize=614,MaximumSize=6144
View the certificate stores available to the current user
reg query HKCU\Software\Microsoft\SystemCertificates
View the properties of an exported certificate
certutil /dump ExportedCert.pfx
Find the MTU size on a Windows 2003+ server
netsh interface ip show int
Read the registry to find network adapter configuration (MTU jumbo)
reg query \\server01\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} /s | find /i "reg" | findstr /i /c:DriverDesc /c:ProviderName /c:"jumbo"
Use WMI to find the MTU of a network interface (2008 and later)
wmic /node:%server% path win32_networkadapterconfiguration get MACAddress,MTU,IPAddress
Report drive geometry using WMI
wmic path Win32_DiskDrive Get DeviceID,TotalSectors,Size
Query Citrix session information
queryds /table:Conn_Sessions
Find the committed bytes in use percentage from a remote computer
wmic /node:%server% path Win32_PerfFormattedData_PerfOS_Memory get PercentCommittedBytesInUse
Find the Citrix XenApp metaframe load level for a Citrix server
wmic /node:%server% /namespace:\\root\Citrix path MetaFrame_Server_LoadLevel
Find the applications running on a Citrix server
wmic /node:server01 /namespace:\\root\Citrix path MetaFrame_ApplicationsRunningOnServer
Find Citrix server information
wmic /node:server01 /namespace:\\root\Citrix path MetaFrame_Server
From a list of computers, find the remote NIC bandwidth / speed
for /f %i in (c:\temp\servers_20100601.txt) do wmic /node:%i path Win32_PerfRawData_Tcpip_NetworkInterface Where "Name!='MS TCP Loopback interface'" Get Name,CurrentBandwidth > %i_bandwidth.txt
Find Exchange Servers from Active Directory
dsquery * "CN=Configuration,DC=domain,DC=local" -filter "(&(objectClass=msExchExchangeServer)(objectCategory=msExchExchangeServer))"
Transfer single-master FSMO roles to the connected DC
ntdsutil roles Connections "Connect to server dc01" quit "Transfer %role%"
Query for the NetBIOS 1B domain master browser and PDC record
nblookup /x 1b DOMAIN
Query for the DNS PDC SRV Service Record
nslookup -type=srv _ldap._tcp.pdc._msdcs.domain.local
Check the role for a domain member (0 Standalone WS, 1 Member WS, 2 Standalone Server, 3 Member Server, 4 Backup Domain Controller, 5 Primary Domain Controller)
wmic /node:dc01 path win32_computersystem get DomainRole
Load performance counters from the specified DLL
lodctr %file%
Find a list of computers sorted by creation date
dsquery * "OU=Workstations,OU=Resources,DC=domain,DC=local" -limit 0 -filter "(&(objectClass=Computer)(objectCategory=Computer))" -attr whenCreated CN | sort
Find the display specifier used when creating new users through the GUI
dsquery * "CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=domain,DC=local" -attr createDialog
Delete a computer record from SCCM through the WMI provider
wmic /namespace:\\root\sms\site_sc1 /node:"server01" path SMS_R_System WHERE Name='server02' DELETE
Recompile service control manager logs to fix missing SCM event log entries
psexec \\server01 /s mofcomp %windir%\system32\wbem\scm.mof
Export feature/role information using 2008 server manager (shows defaults)
servermanagercmd -query c:\temp\roles.xml
Find trust account metadata for a trusted domain
repadmin /showmeta "CN=DOMTRUST$,CN=Users,DC=domain,DC=local"
Set read-only permissions to the current folder with non-propagated inheritance (in this example adding (NP) is not strictly necessary; just omitting (OI)(CI) assumes this folder only (NP), and the SDDL export of the two commands, with NP and without, reports the same)
icacls . /grant Users:(NP)(R)
Query system devices and drivers
wmic /node:server01 path win32_systemdriver
Find machines from a specific manufacturer
wmic /node:server01 path win32_computersystem where "Manufacturer like '%Dell%'" get Manufacturer,Model,Name
Run a remote sysinternals utility with psexec specifying accepteula twice
psexec -accepteula \\server01 c:\temp\handle.exe "-accepteula"
Use delayed expansion (cmd /v:on) to parse reg.exe output and produce CSV
for /f "tokens=1,* delims=_" %i in ('dir /b *.txt') do @set test="%~nj"& (@for /f "skip=2 tokens=3" %m in ('"find /i "reg_" %i_%j | findstr /c:AutoReboot /c:CrashDumpEnabled /c:DumpFile /c:LogEvent /c:MinidumpDir /c:Overwrite /c:SendAlert | sort"') do @set test=!test!,"%m")& @echo !test!
Enable the option to generate a STOP error on demand on a 2008 server with a USB keyboard
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters /v CrashOnCtrlScroll /t reg_dword /d 0x1
Generate a STOP error with a sysinternals test faulty app
NotMyFault.exe /crash
Gather file system cache and other memory information from a group of servers
for /f %i in ('dsquery computer -desc *file* -name server* -o rdn') do @for /f "skip=1 tokens=1-8" %m in ('"wmic /node:%i path Win32_PerfFormattedData_PerfOS_Memory get CacheBytes,CacheBytesPeak,SystemCacheResidentBytes,AvailableMBytes,PoolPagedBytes,PoolNonpagedBytes,FreeSystemPageTableEntries,PercentCommittedBytesInUse"') do @echo %i,%m,%n,%o,%p,%q,%r,%s,%t
Analyse Windows memory allocation (sysinternals). Metafile for FS cache
RAMMap and VMMap
Install IIS7 and management tools on 2008
servermanagercmd -install Web-WebServer Web-Mgmt-Tools
Install File services and FSRM on 2008
servermanagercmd -install File-Services FS-FileServer FS-Resource-Manager
Find the cluster size of a disk volume
wmic /node:%server% path win32_volume Get DriveLetter,BlockSize,Label
Find mail enabled users and contacts from an AD and export to CSV
csvde -f c:\temp\mailEnabled_20100816.csv -l samaccountname,cn,givenName,sn,displayname,mail,proxyAddresses,mailnickname,legacyExchangeDN,lastLogonTimestamp -r "(&(|((objectClass=Contact)(objectClass=User)))(objectCategory=Person)(mailnickname=*))"
Find Exchange private mailbox stores from AD
dsquery * "CN=Configuration,DC=domain,DC=local" -filter "(&(objectClass=msExchPrivateMDB)(objectCategory=msExchPrivateMDB))"
Modify security descriptor for access to the application event log
HKLM\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppLogSD%,2
Query alternate recipients for Exchange forwarding addresses
dsquery * -filter "(&(objectClass=*)(altRecipient=*))" -attr cn altrecipient
Use IPMI to query the event log of a Dell server BMC
ipmiutil sel -N 192.168.1.10 -U root -P calvin -F lan2
Query a dnsNode object in AD for a reverse lookup zone
dsquery * "DC=10,DC=192.168.1.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local" -attr *
List Print Drivers on a 2008 R2 server
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs -l
Install an x64 2008 R2 version 3 printer driver
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs -a -v 3 -e "Windows x64" -m "RICOH Aficio 3245C PCL 6" -i c:\src\Drivers\Ricoh3245C\r40479en\disk1\OEMSETUP.INF -h c:\src\Drivers\Ricoh3245C\r40479en\disk1
Install an x86 XP version 3 printer driver to a 2008 R2 server
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs -a -v 3 -e "Windows NT x86" -m "RICOH Aficio 3245C PCL 6" -i c:\src\Drivers\Ricoh3245C\r40485en\disk1\OEMSETUP.INF -h c:\src\Drivers\Ricoh3245C\r40485en\disk1
Create a TCP/IP port using RAW over TCP 9100
cscript prnport.vbs -a -s server01 -r IP_192.168.1.10 -h 192.168.1.20 -o raw -n 9100
Create a printer, using the specified printer and port on a 2008 R2 server
cscript prnmngr.vbs -a -p DJW391 -m "RICOH Aficio 3245C PCL 6" -r IP_192.168.1.10
Share and publish a printer on a 2008 R2 server
cscript prncnfg.vbs -t -p DJW391 -h DJW391 +shared +published
Query IIS virtual directories using WMI
wmic /node:server01 /namespace:\\root\MicrosoftIISv2 path IIsWebVirtualDir
Enumerate 2008 R2 event logs
wevtutil.exe el
Get the configuration of a 2008 R2 event log
wevtutil.exe gl Microsoft-Windows-PrintService/Operational
Enable print information job logging with 10MB log file
wevtutil.exe sl Microsoft-Windows-PrintService/Operational /e /ms:10485760
Set AD acls for full control of computer objects, inherited to sub-objects
dsacls "OU=Workstations,OU=Resources,DC=domain,DC=local" /I:S /G DOMAIN\group01:GA;;computer
Set AD acls for creating/deleting computer objects, inherited to this and sub
dsacls "OU=Workstations,OU=Resources,DC=domain,DC=local" /I:T /G DOMAIN\group01:CCDC;computer
Check whether an executable is x86, WAMD64, W32i64 etc (2003 support.cab)
filever.exe %filename%
LDAP filter to return mail-enabled users that are members of a particular group
dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(mailnickName=*)(memberOf=CN=group01,OU=Groups,DC=domain,DC=local))"
Find dynamic distribution lists in the directory and the LDAP filter used
dsquery * -filter "(objectClass=msExchDynamicDistributionList)" -attr distinguishedName msExchDynamicDLFilter
Find groups a user is a member of using extended match operator for the chain
dsquery * -filter "(&(objectClass=Group)(member:1.2.840.113556.1.4.1941:=CN=user01,DC=domain,DC=local))" -scope subtree
Find foreign security principals and group membership, resolving the name
dsquery * CN=ForeignSecurityPrincipals,DC=domain,DC=local -filter "(&(objectClass=foreignSecurityPrincipal)(memberOf=*))" -attr msDS-PrincipalName memberof
Find constructed token groups for the specified user
dsquery * "CN=user01,DC=domain,DC=local" -attr tokenGroupsGlobalAndUniversal -s dc01 -scope base
Find constructed last modified for the specified object
dsquery * "CN=user01,DC=domain,DC=local" -attr modifyTimeStamp -s dc01
Find the constructed canonical name for the specified user object
dsquery * -filter (samaccountname=user01) -attr canonicalName -s dc01
Find software that's installed using WMI
wmic path win32_product
Find file/directory information using WMI
wmic path win32_directory where "Name = 'c:\\temp'"
Join a computer to a domain
netdom join %computername% /domain:test.com /userd:administrator /passwordd:password /reb
Find a list of servers from AD and then query them for disk space
for /f %i in ('dsquery computer -name server* -o rdn') do @wmic /node:%i path Win32_LogicalDisk Get Name,Size,FreeSpace,VolumeName /format:csv | find /i /v "a:,," | find /i /v "d:,," | find /i "dv"
Find uptime of a computer and lanman workstation statistics
net stats workstation
Find uptime of a computer and lanmanserver statistics
net stats srv
Find size and free space of logical disks of a remote machine
wmic /node:"server01" path Win32_LogicalDisk WHERE "Size > 0" GET SystemName,Name,Size,FreeSpace,VolumeName /format:csv
ODBC data source administrator on 2008 R2
odbcad32.exe
Create a 64-bit DSN on 2008 R2
odbcconf.exe /Lv c:\admin\logs\SQLNativeClientInstall.log /A {CONFIGSYSDSN "SQL Server Native client 10.0" "DSN=VMware VirtualCenter|Description=Test instance of vCenter|Server=sqlserver01\instance01|Database=VirtualCenter"}
Create a 32-bit DSN on 2008 R2
c:\windows\syswow64\odbcconf.exe /Lv c:\admin\logs\SQLNativeClientInstall.log /A {CONFIGSYSDSN "SQL Server Native client 10.0" "DSN=VMUM|Description=Update Manager Test Instance|Server=sqlserver01\instance01|Database=VMUM"}
Check the NTP announceflags of each DC to find reliable time servers
for /f %i in ('"nltest /dclist: | find /i "[ds]""') do reg query \\%i\hklm\system\currentcontrolset\services\w32time\config /v announceflags
Set the logon as a service right on a remote computer
ntrights -m \\%computer% -u %domain%\%user% +r SeServiceLogonRight
Set a remote service to run as a domain user account (remove interact)
sc \\%computer% config %service% obj= "%domain%\%username%" password= "password" type= own
Find the server holding the PDC single-master operations role
dsquery server -hasfsmo pdc
Add and install a Plug and Play driver package (enough for 2008 to change vga)
pnputil -i -a "c:\program files\common files\vmware\Drivers\wddm_video\vm3d.inf"
Find vCenter alerts
dumpel -s server01 -l application -d 1 -m "Categor01"
Find the latest .Net framework version from a list of computers
for /f %i in (c:\temp\servers_20101020.txt) do @ping -n 1 %i >nul & if errorlevel 0 if not errorlevel 1 @for /f "tokens=*" %m in ('"reg query "\\%i\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" 2>nul |find /i "hkey" > c:\temp\dotnet.txt & tail -1 c:\temp\dotnet.txt"') do @for /f "tokens=3" %q in ('"reg query "\\%i\%m" /v version 2>nul| find /i "reg_sz" & if errorlevel 1 echo 1 2 NotFound"') do @echo %i,%m,%q
Query Citrix or terminal server session information
qwinsta /server:%computer%
Reset a remote Citrix or terminal server session
rwinsta %sessionname% /server:%computer%
Reset a local Citrix or terminal server session
reset %sessionname%
Find host header bindings from the IIS metabase
findstr /i "^.*:[0-9]*:.*$" \\%server%\c$\windows\system32\inetsrv\metabase.xml
Export events, changing the date from EN-US to EN-AU
for /f "tokens=1-3,* delims=/ " %i in ('"dumpel -s \\server01 -l application -e 3041 -m "MSSQL$DB01" -d 50"') do @echo %j/%i/%k %l
Use IPMI to read sensors on a Dell R900 server
ipmiutil sensor -N 192.168.1.10 -U root -P calvin -F lan2
Find the sector and cluster size for an NTFS volume
fsutil fsinfo ntfsinfo h:\
Enumerate SRV records from the specified location in a DNS zone
dnscmd dc01 /enumrecords domain.local._tcp.dc._msdcs.domain.local. /type SRV
Export an AD-integrated zone to file
dnscmd server01 /ZoneExport domain.local domain.local.dns
Find driver file information for the specified devices
devcon drivernodes *RDP_MOU* & devcon driverfiles *RDP_MOU*
Create a custom Active Directory partition for DNS records
DnsCmd dc01 /CreateDirectoryPartition manualDNS_msdcs.domain.local
Add an additional DC for partition replication
DnsCmd dc01 /EnlistDirectoryPartition manualDNS_msdcs.domain.local
Convert a file-based primary to an AD integrated primary in a custom partition
dnscmd /ZoneResetType _msdcs.domain.local /DsPrimary /OverWrite_Ds /DirectoryPartition manualDNS_msdcs.domain.local
Enumerate the partitions in an Active Directory
DnsCmd /EnumDirectoryPartitions
Find CAs published in AD
dsquery * "cn=enrollment services,cn=public key services,cn=services,cn=configuration,dc=domain,dc=local"
Find user accounts with SID history
dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(sidhistory=*))" -attr name sidhistory
Check the local _msdcs records on a Domain Controller
\\%computer%\c$\windows\system32\config\netlogon.dns
Find secure channel information about trusted domains/forests
wmic /namespace:\\root\MicrosoftActiveDirectory path Microsoft_DomainTrustStatus
Find services that are set to automatically start but are currently stopped
wmic /node:server01 path win32_service where "State='Stopped' AND StartMode='Auto'"
Find trusts of type forest
dsquery * "CN=System,DC=domain,dc=local" -filter "(&(objectClass=trustedDomain)(trustAttributes:1.2.840.113556.1.4.803:=8))" -attr trustPartner flatName trustAttributes
Add an Active Directory service record for GC lookups
dnscmd dc01 /recordadd _msdcs.domain.local. _ldap._tcp.site01._sites.gc._msdcs.domain.local. SRV 0 100 3268 dc01.domain.local.
Modify the default intra-site change notification for replication
repadmin /notifyopt dc1 dc2 "DC=domain,DC=local" /first:10
Find the options for a site link (1 for change notifications)
dsquery * "CN=SiteLink01,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=local" -attr Options
Modify a site link to use change notifications
admod -b "CN=SiteLink01,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=local" options::1
Delete one or more user profiles
delprof /p /c:\\%computer%
Write an ISO image to CD/DVD
isowriter -r e: -e "file.iso"
Find mail-enabled public folders that aren't hidden from the GAL
dsquery * -filter "(&(objectClass=publicFolder)(mailnickName=*))" -attr cn mail msExchHideFromAddressLists -limit 0 | find /i "false"
Query servers from an SMS/SCCM database
wmic /namespace:\\root\sms\site_a01 /node:"server01" path SMS_R_System WHERE "ADSiteName = 'S01' and OperatingSystemNameandVersion like '%server%'" get name,adsitename,IPAddresses,MACAddresses /format:CSV
Find serial numbers from physical servers
wmic /node:@physical.txt path Win32_SystemEnclosure get SerialNumber /format:csv
Find the number of mail-enabled active users who have a home drive on a server
for /f "tokens=*" %i in ('dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(mailnickname=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(homeDirectory=*%server%*))" -limit 0 ^| find /i /c "cn="') do @echo %i
Find the canonical name (constructed attribute) of a list of users
dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(homeDirectory=*arisrv*))" -attr canonicalName
Query and decode password last set for user accounts, output in csv without DN
adfind -b "DC=domain,DC=local" -f "(&(objectClass=User)(objectCategory=Person)(homeDirectory=*server01*))" canonicalName pwdlastset -tdc -csv -excl -nodn
Find an account and decode all attributes (pwdlastset, useraccountcontrol etc)
adfind -s base -b "CN=user01,OU=Accounts,DC=domain,DC=local" -h dc01 -alldc
Find the canonical name of a filtered list of OUs
dsquery * -filter "(&(objectClass=organizationalUnit)(name=*server*))" -attr canonicalName
Purge Kerberos tickets for the currently running user
klist purge
From a list of computers, report whether they respond to a ping or not
for /f %i in (c:\temp\Servers.csv) do for /f "tokens=3 delims=: " %m in ('ping -n 1 %i ^| find /i "reply from" ^& if errorlevel 1 echo 1:2:NoReply') do echo %i,%m
Query 2008 or later for the OS architecture (x86 or x64)
wmic /node:server01 path Win32_OperatingSystem Get OSArchitecture
Query 2003 or earlier for the OS architecture (x86 or x64)
wmic /node:server01 path Win32_OperatingSystem Get Caption
Delete the policy restriction to run perfmon.msc
reg delete HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{C96401CF-0E17-11D3-885B-00C04F72C717}
Update the WINS DHCP Option Value
netsh dhcp server \\server01 scope 192.168.10.0 set optionvalue 044 IPADDRESS 192.168.10.10 192.168.20.10
List Components installed on a 2008 R2 core installation
ocsetup ServerManager-PSH-Cmdlets, Import-Module Servermanager; Get-WindowsFeature
Rename a computer
netdom renamecomputer oldserver01 /newname newserver01 /reboot
Show current firewall rules
netsh advfirewall firewall show rule name=all
Enable DNS logging
dnscmd /config /loglevel 0xffffffff
Disable EDNS0 probes
dnscmd /Config /EnableEDnsProbes 0
Update the master for a secondary DNS zone
dnscmd /zoneresetmasters zone.local 192.168.10.10 192.168.10.11
Disable TCP window size auto-tuning on 2008 servers
netsh interface tcp set global autotuning=disabled
Show global TCP settings on 2008 servers
netsh interface tcp show global
Allow storage of credentials (requires reboot)
reg add hklm\system\currentcontrolset\control\lsa /v disabledomaincreds /d 0x0 /t reg_dword
Tell Exchange to filter messages sent through authenticated connections (SCL)
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter /v CheckAuthSessions /d 0x1 /t reg_dword
Check if Access Based Enumeration (ABE) is enabled on a DFS namespace
dfsutil property abe \\domain.local\shared
Find groups of type distribution
dsquery * -filter "(&(objectClass=Group)(objectCategory=Group)(!groupType:1.2.840.113556.1.4.803:=2147483648))"
Set variables for the current date
for /f "tokens=2-9 delims=/:. " %i in ('echo %date% %time%') do Set DateTime=%k%j%i&Set DateTimeLong=%k%j%i%l%m%n
Find people that have logged on today
for /f "tokens=2-9 delims=/:. " %i in ('echo %date% %time%') do Set Today=%k/%j/%i& adfind -default -f "(&(objectClass=User)(objectCategory=Person))" -csv -noDN -alldc Name lastlogontimestamp | find /i "%today%"
Set the secure list of IPs allowed to transfer a DNS zone
dnscmd dc01 /zoneresetsecondaries domain.local /SecureList 192.168.10.10 192.168.10.11
Use portqry to perform a NetBIOS adapter status request (retrieves MAC)
portqry -n server01 -e 137 -p udp
Find the Exchange schema version
dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr rangeUpper
Find the NTDS.DIT file size on Domain Controllers in the local domain
for /f %i in ('dsquery server -o rdn') do @for /f "tokens=1-5" %m in ('"dir \\%i\c$\windows\ntds\ntds.dit | find /i "dit""') do @echo %i,%m,%n %o,"%p",%q
Find Active Directory schema attributes with the specified display Name
dsquery * "CN=Schema,CN=Configuration,DC=domain,DC=local" -filter (lDAPDisplayName=info)
Find groups with the info/comment set
dsquery * -filter "(&(objectClass=Group)(objectCategory=Group)(info=*))" -attr Name Info
Refresh 2008 R2 network configuration after policy changes (eg SearchList)
psexec \\server01 gpupdate
Check the disk timeout value for SCSI Request block storport I/O requests
reg query \\%server%\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk /v TimeOutValue
Find a DC in the closest site available by site cost
nltest /dsgetdc:domain.local /TRY_NEXT_CLOSEST_SITE
Query the SPF record for a DNS zone from the specified DNS server
nslookup -type=txt server.mail.com 192.168.10.10
Enable Event log tracing for Windows for nltest.exe processes using DCLocator
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DCLocator\Tracing\nltest.exe"
Start an ETW session for the DCLocator GUID
"C:\WinDDK\7600.16385.1\Tools\tracing\amd64\tracelog.exe" -start "nltest" -guid #cfaa5446-c6c4-4f5c-866f-31c9b55b962d -f c:\temp\nltesttrace1.evt -flag 0x0a024332 -level 0x4
Stop an ETW session
tracelog -stop nltest
Parse ETW data and generate a HTML report
tracerpt nltesttrace.etl -o -report
Use LogParser to parse an ETW DCLocator report
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -i etw -o csv "select * from \temp\nltesttrace.etl"
Query the status of an NLB load balanced cluster
nlb query & cluster.domain.local:clusterhost2
Extract Windows Server 2008 R2 events by source
dumpel -l application -d 1 -m Microsoft-Windows-Defrag
Redirect output to the clipboard (2003 or later binary)
echo test | clip
Find users who will need to reset their password at next logon
dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(pwdLastSet=0))"
Decode Exchange 2003 permissions through msExchMailboxSecurityDescriptor
adfind -b "CN=user01,DC=domain,DC=local" -alldc -sddc+ -resolvesids
Refresh certificates from NTDS store on 2008 Domain Controllers
adfind -h dc01 -sc rsc
Find Exchange servers from Active Directory
dsquery * "CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local" -scope onelevel
Browse directly to a different mailbox with OWA
https://vip.domain.local/owa/user01@domain.local
Find the Operating System from a list of computers
wmic /node:@c:\temp\exchange.txt path win32_operatingsystem get CSName,Name
Export a certificate as Base64 encoded
certutil -split -store my server01.domain.local & certutil -encode Blob0_0.crt server01.domain.local.txt
Create a self-signed root authority on a server (prompts for password)
makecert -r -pe -n "CN=Test Root Authority" -ss my -sr LocalMachine -a sha1 -sky signature TestCA.cer -sv TestCA.pvk
Add a self-signed root to the trusted root CA store
certutil -addstore root TestCA.cer
Create a server authentication cert using the self-signed root for local DC
makecert -pe -n "CN=dc01.test.local" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test Root Authority" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 dc01.test.local.cer
Create a server authentication cert using the self-signed root for a second DC
makecert -pe -n "CN=dc02.Test.local" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test Root Authority" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 dc02.Test.local.cer
Export the dc02 cert with private key for transfer to another computer
certutil.exe -privatekey -exportpfx "dc02.test.local" dc02.test.local.pfx
On dc02, install the root trusted cert and the server cert
certutil -addstore root TestCA.cer & certutil -importPFX dc02.test.local.pfx
Delete certificates from the personal store on the local computer
certutil -delstore my dc02.test.local & certutil -delstore my TestVCA
Show DHCP reserved IPs from a DHCP scope
netsh dhcp server \\server01 scope 192.168.10.0 show reservedip
Find users that are listed in the managedBy field of one or more groups
dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(managedObjects=*))" -attr name managedobjects
Find Collections from SMS using WMIC
wmic /namespace:\\root\sms\site_org path sms_collection where "Name like '%OSD%'"
Deny a user the right to view another user in AD
dsacls "CN=user01,DC=domain,DC=local" /d domain\user02:GR;;
Find groups and decode the group type
adfind -b "dc=domain,dc=local" -f "(&(objectClass=Group)(mailnickname=*))" -h dc01 name groupType -alldc -csv
Find the token size and groups a user is a member of
tokensz /compute_tokensize /dump_groups
From a resource server, find the token size and group membership (SIDHistory)
tokensz /compute_tokensize /user:user01 /domain:domain /password:Password1 /dump_groups
Using OWA for Exchange 2003, view/recover deleted items in any folder
http://exchange01/exchange/user@domain.local/?cmd=showdeleted
Find groups and their group type (security, distribution, universal etc)
adfind -b "dc=domain,dc=local" -f "(&(objectClass=Group)(objectCategory=Group))" -h dc01 name groupType -alldc -csv > c:\temp\quest\SecurityGroupTypes_20110826.csv
Find groups of type security in the directory
adfind -b "dc=domain,dc=local" -f "(&(objectClass=Group)(objectCategory=Group)(name=@*)(groupType:1.2.840.113556.1.4.803:=-2147483648))" grouptype -alldc
Find tables in the specified SQL database
sqlcmd -S server01\QMMINSTANCE -d MMEXProject -W -s "," -Q "SELECT * from sys.tables"
Query a Quest QMM 8,7 database for collections and members
sqlcmd -S server01\QMMINSTANCE -d MMEXProject -W -s "," -Q "SELECT COL.CollectionName,srv.Name,MO.DisplayName from MEMBERSOFCOLLECTION MO inner join collections COL on COL.ID = MO.CollectionID inner join server srv on srv.ID = MO.ServerID Where MO.CollectionID != 0"
Find accounts in the directory created today
for /f "tokens=1-8 delims=/:. " %i in ('echo %date% %time%') do Set Today=%l%k%j000000 & adfind -b dc=domain,dc=local -f "(&(objectClass=User)(objectCategory=Person)(whenCreated>=%today%.0Z))" -csv
View a DFS namespace on 2008 R2
dfscmd /view \\domain.local\shared /full
Find the Outlook mail control panel CPL file
reg query "HKEY_CURRENT_USER\Control Panel\MMCPL"
Mount a shadow copy volume through the filesystem (vssadmin list shadows); the trailing back-slash is important
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy242\
From a list of computers, find the srvcomment
for /f %i in (servers.txt) do @for /f "tokens=1,2,*" %m in ('"reg query \\%i\hklm\system\currentcontrolset\services\lanmanserver\parameters /v srvcomment 2>nul| find /i "srvcom" & if errorlevel 1 echo 1 2 {None}"') do @echo %i,%o
From a list of computers, find the AD computer account description
for /f %i in (servers.txt) do adfind -b "dc=domain,dc=local" -f "(&(objectClass=Computer)(objectCategory=Computer)(name=%i))" -csv -nocsvheader -nodn Name,description
An immediate but not very accurate way to count the files on a volume
fsutil fsinfo ntfsinfo C: & echo Divide Mft Valid Data Length / Bytes Per FileRecord Segment
Export a mailbox from 2003 Exchange that's greater than 2GB
cscript ExMBspanPst.vbs user01
Install Active Directory Administration tools for 2008 R2
servermanagercmd -install RSAT-ADDS
Robocopy in restartable mode (this slows down copy 10-20x)
robocopy . c:\dest /z
Mailbox-enable an AD user account in Exchange 2003
exchmbx -b "%userDN%,OU=domain,DC=local" -cr Exchange01:sg1:db1
Add to an SMS/SCCM collection
cscript c:\data\scripts\sms\AddDirectMembership.wsf server01 /c:"Collection01" /s:server01
Find a list of files and their size and date modified
for /f "tokens=*" %i in ('dir /s /a-d /b *.*') do echo "%i","%~zi","%~ti">> C:\Admin\Logs\DirList.txt
Parse a number of robocopy log files, showing the filename and total size/files
for %i in (\\server\c$\logs\robocopy*.log) do for /f "tokens=*" %m in ('"tail "%i" | findstr /i /c:" files :" /c:" bytes :""') do echo %i %m
From a list of users, return which groups they have managedBy set for
adfind -b "DC=domain,DC=local" -f "(&(objectClass=User)(objectCategory=Person)(managedObjects=*))" managedObjects -list
Save ACLs in SDDL format
icacls g: /save ACLs.txt /t /c
Find msExchMasterAccountSid and decode to readable SID
adfind -b dc=domain,dc=local -f "(&(objectCategory=user)(msExchUserAccountControl=0)(msExchMasterAccountSid=*))" msExchMasterAccountSid distinguishedName -alldc -csv -nodn
View the DFS referral cache on the DFS client
dfsutil cache referral
Check Windows Server 2008 hardware installation/device/driver log files
C:\WINDOWS\INF\setupapi.dev.log
Remove the 'Authentication' tab from ncpa.cpl properties (kb950725)
sc \\%server% stop dot3svc
Check which .Net framework edition an assembly has been compiled for
c:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\x64\ildasm.exe
Use back-quoted for loops including special characters with ^ as escape for |
for %i in (*.xml) do for /f "tokens=* usebackq skip=1" %m in (`find /i "
Install the telnet client on a Windows 2008 R2 server
servermanagercmd -install Telnet-Client
Enumerate DFS targets
wmic /node:server01 path win32_dfstarget get ServerName,LinkName,ShareName
View DFS referrals for XP/2003 clients
dfsutil /PKTINFO
Find DNS scavenging events from a 2008 R2 server
wmic /node:"server01" path Win32_NTLogEvent WHERE "SourceName='Microsoft-Windows-DNS-Server-Service' AND LogFile='DNS Server' AND EventCode=2501"
Check whether AD Bridge All Site Links is enabled or not (0x2)
dsquery * "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,dc=domain,dc=local" -attr options -scope base
Check whether Domain Controllers are responding on LDAPS
for /f %i in ('dsquery server -o rdn') do adfind -h %i:636 -default -s base
Display a tree-like structure using the canonical name of OUs
dsquery * -filter "(&(objectClass=OrganizationalUnit)(objectCategory=OrganizationalUnit))" -attr canonicalName | sort
Quickly count the number of files on a drive
c:\util\ndff.exe c:
Query information from the Dell WMI namespace (doesn't show disk status though)
wmic /node:%server% /namespace:\\root\cimv2\dell path dell_cmdevice
Check the firewall status for the domain profile from a number of servers
for /f %i in (Servers_20120117.txt) do @for /f "tokens=3" %m in ('"reg query \\%i\hklm\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall | find /i "enablefire" & if errorlevel 1 echo 1,2,NotFound"') do @echo %i,%m
Report directory usage of a directory and subdirectories
du -c -v c:\temp
Dump loaded DLLs and version information
listdlls -v
Find TCP network connections on a remote machine using SNMP
snmputil walk localhost public .1.3.6.1.2.1.6.13.1.1
Query events from a 2008 event log
wevtutil qe System /q:"*[System[Provider[@Name='EventLog']]]" /e:events > events.xml
Create an eventlog entry
eventcreate /T ERROR /ID 1000 /L APPLICATION /D "Test"
Find proxy addresses filtered by SMTP type from a user account
adfind -b %i name mail displayName proxyaddresses -list -nocsvheader -mvfilter proxyaddresses=smtp
Query the SCP used by Autodiscover in Exchange 2007
dsquery * "CN=domain.local,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=domain,DC=local" -attr *
Parse IIS logs for OWA connections
findstr "SEARCH.\/exchange/.*\/Inbox" ex120130.log
Query SCCM sites and site servers
wmic /namespace:\\root\sms\site_S01 /node:server01 path SMS_Site
Query SCCM folders
wmic /namespace:\\root\sms\site_S01 /node:"server01" path SMS_ObjectContainerNode
Query the IPMI WMI classes for Baseboard Management Controller (BMC) info
wmic /node:server01 /namespace:\\root\hardware path NumericSensor
Query the IPMI WMI classes for recent SEL events
wmic /node:server01 /namespace:\\root\hardware path LogRecord Where "MessageTimestamp > '20120110144951.000000+600'" Get MessageTimestamp,Description
Run Dell omreport to check disk status information from remote servers
for /f %i in (c:\temp\servers.txt) do psexec \\%i "C:\Program Files (x86)\Dell\SysMgt\oma\bin\omreport.exe" storage pdisk controller=0 > %i_physicaldisk.txt
Query IPMI for drive information (sometimes can tell disk failure)
wmic /node:server01 /namespace:\\root\hardware path Sensor Where "Name like 'Drive%'" Get Name,Description,CurrentState
Query a number of workstations for cross-forest logons
for /f %i in (c:\temp\servers.txt) do @dumpel -s %i -l application -m Userenv -e 1109 >> WorkstationCrossForestLogons.txt
Delete shadow copies (allows deleting backup shadows)
diskshadow delete shadows ID {shadowID}
Delete Internet Explorer policy restrictions preventing option tabs from showing
reg delete "hku\S-1-5-21-3554533865-731492840-16770200-2139\software\policies\microsoft\internet explorer\control panel"
Find the Exchange 2007 AutoDiscover binding URL
dsquery * "CN=server01,CN=Autodiscover,CN=Protocols,CN=server01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,dc=domain,dc=local" -attr *
Find the owner of an AD object
dsacls "CN={9596758E-5ADC-4639-A3A4-812835D92F6F},CN=Policies,CN=System,dc=domain,dc=local" /A
Find the default security descriptor applied to OU objects
adfind -b "CN=Organizational-Unit,CN=Schema,CN=Configuration,dc=domain,dc=local" defaultSecurityDescriptor
Automatic analysis of a memory dump created from a bugcheck/stop error
C:\Program Files\Debugging Tools for Windows (x64)\dumpchk.exe SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols memory.dmp
Use SCCM Remote Control (requires rc.exe and rdpencom.dll)
rc 1 server01 \\sccm01
IIS logs on 2008 R2 IIS7 servers
\\%server%\c$\inetpub\logs\logfiles\W3SVC1\u_ex120317.log
Query IIS logs for OWA activity
logparser "SELECT cs-username, Count(*) AS OWAHits from c:\temp\u_ex120317.log WHERE cs-uri-stem LIKE '%OWA%' AND cs-username IS NOT NULL GROUP BY cs-username ORDER BY OWAHits Desc" -rtp:-1
Use LogParser to read event logs
"c:\Program Files\Log Parser 2.2\logparser" -i:evt "Select * from \\server01\system Where EventID = 1"
Use LogParser to parse IIS logs for OWA statistics
logparser "SELECT cs-username, Count(*) AS OWAHits from \\server01\C$\INETPUB\LOGS\LOGFILES\W3SVC1\u_ex12031*.log WHERE cs-uri-stem LIKE '/owa/%' AND cs-username IS NOT NULL GROUP BY cs-username ORDER BY OWAHits Desc" -rtp:-1
Export local security policy with rights merged with domain policy
secedit /export /cfg security_domain.txt /mergedpolicy /areas user_rights
Export local security policy, including local and domain policy settings
secedit /export /cfg security.txt /areas user_rights
List all DFSR replication groups
dfsradmin rg list /attr:all
List all DFSR replication group memberships
dfsradmin Membership list /rgname:domain\share\dfs01 /attr:all
List all DFSR replication connections
dfsradmin conn list /rgname:domain\share\dfs01
Forcefully take ownership of files
takeown /f *.* /A /R
Query FEP forefront endpoint protection infection status
wmic /namespace:\\root\Microsoft\SecurityClient path AntimalwareInfectionStatus
Query the local anti-virus product
wmic /namespace:\\root\SecurityCenter path AntiVirusProduct
Query the local firewall product
wmic /namespace:\\root\SecurityCenter path FirewallProduct
Query an SCCM client for console user information
wmic /namespace:\\root\cimv2\sms path sms_systemconsoleuser
Query an SCCM client for top console user
wmic /namespace:\\root\cimv2\sms path sms_systemconsoleusage
Query profile last login information
wmic /node:server01 path Win32_NetworkLoginProfile get Name,LastLogon
Show the SDDL string for an ACL (redirect to console)
icacls \\server\share\directory /save con
Export ETL files to CSV
tracerpt MPTrace-04162012-125657.bin -o test.csv -of csv
Find the primary SMTP address and samaccountname from all mail-enabled users
adfind -b DC=domain,DC=local -f "(&(objectclass=User)(objectCategory=Person)(mailnickname=*))" samaccountname proxyaddresses -csv -nodn -mvfilter proxyaddresses=SMTP -mvfiltercs > mailPrimary_20120310.txt
Use the SQL stored procedure to return column name and data type information
Sp_help TableName
Install the PowerShell Active Directory module on a 2008 R2 server
servermanagercmd -install RSAT-AD-PowerShell
Query the MX records for the specified domain
nslookup -type=mx domain.com 192.168.10.10
Query the managedObjects (managedBy back) to show managed groups
dsquery * "CN=user01,DC=domain,DC=local" -attr managedObjects
ADLDS LDAP debugging (logged to event viewer)
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADAM_Test\Diagnostics /v "15 Field Engineering" /d 0x5 /t reg_dword & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADAM_Test\Parameters" /v "Expensive Search Results Threshold" /d 0x1 /t reg_dword
Produce a sorted list of OUs
adfind -b dc=domain,dc=local -f "(&(objectClass=OrganizationalUnit)(objectCategory=OrganizationalUnit))" canonicalName description -csv -nocsvheader -nodn | sort > OU_ORG_20120614.csv
View all settings from a single window
md c:\temp\GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
Anonymous bind to AD to query an object (operations error?)
adfind -b DC=domain,DC=local -h dc01 -f "(&(objectClass=User)(objectCategory=Person)(samaccountname=user01))" -u -simple
Check whether SID filter (SID History) will be allowed across forest trusts
Netdom trust domain.local /domain domain.local /EnableSIDHistory
Query SCCM site information from Active Directory
dsquery * "CN=System Management,CN=System,DC=domain,DC=local" -filter (objectClass=mSSMSSite) -attr mSSMSSiteCode mSSMSAssignmentSiteCode mSSMSRoamingBoundaries
Query SCCM management point information from Active Directory
dsquery * "CN=System Management,CN=System,DC=domain,DC=local" -filter (objectClass=mSSMSManagementPoint) -attr mSSMSSiteCode mSSMSMPName
Query SCCM Service Locator Points (stored as SCPs) from Active Directory
dsquery * "CN=System Management,CN=System,DC=domain,DC=local" -filter (objectClass=mSSMSServerLocatorPoint) -attr mSSMSSiteCode mSSMSMPName
Find disabled user accounts without msExchMasterAccountSid set
adfind -b dc=domain,dc=local -f "(&(objectClass=User)(objectCategory=Person)(msExchUserAccountControl=2)(!(msExchMasterAccountSid=*)))" msExchMasterAccountSid distinguishedName -alldc -csv -nodn
Find enabled user accounts that have msExchMasterAccountSid set
adfind -b dc=domain,dc=local -f "(&(objectClass=User)(objectCategory=Person)(msExchUserAccountControl=0)(msExchMasterAccountSid=*))" msExchMasterAccountSid distinguishedName -alldc -csv -nodn
Restore the default domain controllers and default domain policy
dcgpofix /target:both
Query token groups for a resource forest access
ntdsutil "group membership evaluation" "set account dc dc01" "set resource dc rdc01" "run domain user01"
Query token size for a resource forest access request (run on resource server)
tokensz /compute_tokensize /user:usetest /domain:dom /password:Passw0rd /dump_groups
Query group membership for the current access token
whoami /groups
Query SCCM packages and export to a CSV file
wmic /namespace:\\root\sms\site_org /node:"sccm01" path SMS_package get * /format:csv > sms_packages.csv
Use netdom to query the local FSMO role holders
netdom query fsmo
Query IIS logs to find Exchange OWA connections
echo SELECT cs-username, Date INTO STDOUT FROM \\server01\c$\inetpub\logs\LogFiles\W3SVC1\*,\\server02\c$\inetpub\logs\LogFiles\W3SVC1\* WHERE (cs-username IS NOT NULL) AND (sc-status = 200) AND (cs-uri-stem = '/owa/') AND (c-ip like '10.6%') GROUP BY Date, cs-username > c:\temp\WebAccess.sql & "c:\Program Files\Log Parser 2.2\LogParser.exe" file:c:\temp\WebAccess.sql -i:IISW3C -o:CSV > OWA_ExternalAccess_20120828.csv
Reset the EV client
cd "C:\Program Files\Microsoft Office\Office14" & "c:\Program Files\Enterprise Vault\EVClient\ResetEVClient.exe"
Query SCCM Asset Intelligence user last logon information
sqlcmd -S sql01\sccm -d sccm -W -s "," -Q "SET NOCOUNT ON;Select distinct v_R_System.Netbios_Name0 AS 'Computer', v_R_System.AD_Site_Name0 AS 'AD Site', v_GS_SYSTEM_CONSOLE_USER.SystemConsoleUser0 AS 'Console User',v_GS_SYSTEM_CONSOLE_USER.NumberOfConsoleLogons0 AS 'Console Logons',v_GS_SYSTEM_CONSOLE_USER.TotalUserConsoleMinutes0 AS 'Total Minutes on Console',v_GS_SYSTEM_CONSOLE_USER.LastConsoleUse0 AS 'Last Console Use' from v_R_System INNER JOIN v_GS_SYSTEM_CONSOLE_USER ON v_GS_SYSTEM_CONSOLE_USER.ResourceID = v_R_System.ResourceID" > c:\temp\SCCM_AI_ConsoleUsers_20121030.txt
Find the FIM 2010 Service/Portal database server and name
reg query \\fimservice\hklm\System\CurrentControlSet\Services\FIMService | find /i "database"
Find the FIM 2010 Synchronisation Service database information
reg query \\fimsync\hklm\System\CurrentControlSet\Services\FIMSynchronizationService\Parameters
Find the database recovery model for SQL databases on the specified server
sqlcmd -S sql01\db01 -d master -W -s "," -Q "SELECT name AS [Database Name], recovery_model_desc AS [Recovery Model] FROM sys.databases"
Performance Collector and viewer for ETW/ETL files
PerfView.exe
Clear DNS server cache
dnscmd dc01 /clearcache
Reset a locked user account
dsmod user -disabled no "CN=user1,OU=Users,DC=domain,dc=local"
Find DNS unconditional forwarders for a DNS server
dnscmd /info
Find full access and send-as mailbox rights for Exchange 2003
adfind -b "CN=user1,OU=Users,DC=domain,dc=local" msExchMailboxSecurityDescriptor ntsecuritydescriptor -alldc -sddc++ -resolvesids -mvfilter msExchMailboxSecurityDescriptor="FULL MBX";ntsecuritydescriptor="Send As"
Grant the AD right to poll for directory changes
dsacls "DC=domain,dc=local" /G "domain\group:CA;Replicating Directory Changes"
Find PCNS targets in Active Directory
dsquery * "CN=System,DC=domain,DC=local" -filter "(objectclass=mS-MIIS-PCNS-Target)" -attr *
Regular expression for numbers with spaces or brackets
'^[\d() -]+$'
Dump PCNS successful password change logs
dumpel -s fimsync -l application -e 6902 -d 2 -m FIMSynchronizationService > c:\temp\PCNS_SuccessfulChanges.txt
Access terminal services shared drives
\\tsclient\c\temp
Query the logical names from a file backup set
RESTORE FILELISTONLY FROM disk='e:\temp\DB1.BAK'
Restore a SQL database, moving the files to new locations
RESTORE DATABASE "DB1" FROM DISK='e:\temp\DB1.BAK' WITH MOVE 'DB1' TO 'e:\MSSSQL\Data\db1.mdf', MOVE 'DB1_log' TO 'f:\MSSSQL\Log\DB1_log.ldf'; GO
Create a scheduled task that runs every day between 6am-6pm
SCHTASKS /Create /S fimservice /RU domain\user /RP Password /SC DAILY /MO 1 /TN "Repeated task" /TR ".\task.bat" /ST 06:00 /DU 12:00
Audit mailbox folder permissions (works on Ex2007 to mailbox servers)
PFDAVAdmin.exe
Custom pfdavadmin filter to only export calendar permissions
(&(0x3001001E=Calendar))
Parse IIS logs on Exchange 2007 for OWA access
"c:\Program Files\Log Parser 2.2\LogParser.exe" file:c:\temp\WebAccess.sql -i:IISW3C -o:CSV > OWA_InternalAccess_20120828.csv (sql: SELECT cs-username, Date INTO STDOUT FROM \\server01\c$\inetpub\logs\LogFiles\W3SVC1\*,\\server02\c$\inetpub\logs\LogFiles\W3SVC1\* WHERE (cs-username IS NOT NULL) AND (sc-status = 200) AND (cs-uri-stem = '/owa/') AND (c-ip like '10.6%') GROUP BY Date, cs-username)
View FIM trace logs
svcTraceViewer.exe (win 7 sdk)
Boot disk to reset the local administrator password
cd080802.zip
Start Outlook with RPC diagnostics
"C:\Program Files\Microsoft Office\Office14\outlook.exe" /rpcdiag
Reset the protected flag on an AD ACL
dsacls "CN=user01,DC=domain,DC=local" /P:N
Find the Exchange autodiscover SRV record from DNS
nslookup -type=srv _autodiscover._tcp.domain.local
Verify a certificate's validity and CRL check
certutil -v -f -urlfetch -verify certificate.cer
Display the certificate URL cache entries
certutil /urlcache
Delete all certificate URL cache entries
certutil /urlcache * delete
Start the GUI to access the stored usernames (manage passwords) applet
control userpasswords2 (then click on 'manage passwords')
Add a stored credential for a SQL instance to use with trusted windows auth
cmdkey /add:sql01.domain.com:49709 /user:domain\user01 /pass
Enable Internet Explorer add-on management (if disabled by policy)
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v NoExtensionManagement /d 0x0
tracert with increased buffer size and higher timeout
c:\util\ftrace.exe -l 2048 -d -w 5000 host.domain
tracert with increased buffer size and lower timeout with 10 pings per hop
c:\util\ftrace.exe -l 2048 -d -w 500 -i 10 host.domain
Use outlook.exe to remove connected calendars and hidden messages (migration)
outlook.exe /resetnavpane
Find the domain/forest functional levels
adfind -sc modes
Find the major revision of the forest
dsquery * CN=ActiveDirectoryUpdate,CN=ForestUpdates,CN=Configuration,dc=domain,dc=local -attr revision
Find the ADDS Domain Controller capabilities from the directory
for /f "tokens=*" %i in ('dsquery server') do @adfind -b "CN=NTDS Settings,%~i" msDS-Behavior-Version -s base -csv -alldc -nocsvheader
Unlock a user account
dsmod user "CN=user01,DC=domain,DC=local" -disabled no
Check FIM performance counters and re-enable
lodctr.exe /q:FIMSynchronizationService && lodctr.exe /e:FIMSynchronizationService
Find the CLR version used by all processes running on the local computer
clrver -all
List the assemblies in the Global Assembly Cache on the local computer
gacutil -l
Query for global security groups
dsquery * -filter "(&(objectClass=Group)(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483646))" -limit 0
Query for local security groups
dsquery * -filter "(&(objectClass=Group)(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483644))" -limit 0
Query for universal security groups
dsquery * -filter "(&(objectClass=Group)(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483640))" -limit 0
Query Exchange 2010 EAS information from AD objects
dsquery * "CN=ExchangeActiveSyncDevices,CN=user01,OU=Users,DC=domain,DC=local" -filter (objectClass=msExchActiveSyncDevice) -attr msExchDeviceUserAgent msExchFirstSyncTime msExchDeviceModel msExchDeviceFriendlyName
VSS administration on 2003 (VSS 7.2 SDK)
vshadow.exe
Resynchronise performance counters with WMI
WINMGMT.EXE /RESYNCPERF
Query for an AD object using Ambiguous Name Resolution (ANR)
dsquery * -filter (anr=martin)
Find attributes in the Partial Attribute Set replicated to Global Catalog DCs
adfind -b "CN=Schema,CN=Configuration,DC=domain,DC=local" -f "(&(objectclass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" -csv > gc_pas.txt
Check the telephone number attribute for index information (searchFlags)
adfind -b "CN=Telephone-Number,CN=Schema,CN=Configuration,DC=domain,DC=local" -alldc
Open a specific folder with OWA (still requires full access to the mailbox)
https://owa.domain.local:443/owa/default.aspx?cmd=contents&module=calendar
Query AD with LDAP server controls
adfind -b CN=group1,OU=Groups,DC=domain,DC=local whenchanged -h 192.168.10.10 -alldc -srvctls 1.2.840.113556.1.4.417;1.2.840.113556.1.4.529;1.2.840.113556.1.4.2065 (LDAP_SERVER_SHOW_DELETED_OID, LDAP_SERVER_EXTENDED_DN_OID, LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID)
Install the system.web.security.singlesignon.dll class on 2008 R2 for claims
servermanagercmd -install ADFS-Claims
Show cached/stored credentials GUI
rundll32.exe keymgr.dll, KRShowKeyMgr
Start a system command prompt interacting with the specified RDP session
psexec \\server01 /s /i 2 /d cmd
Parse Exchange IIS logs to find ActiveSync connections
"c:\Program Files\Log Parser 2.2\LogParser.exe" "SELECT cs-username, Count(*) AS EASHits from \\cas01\c$\inetpub\logs\LogFiles\W3SVC1\u_ex130919.log,\\cas02\c$\inetpub\logs\LogFiles\W3SVC1\u_ex130919.log WHERE cs-uri-stem LIKE '%Microsoft-Server-ActiveSync%' AND cs-username IS NOT NULL GROUP BY cs-username ORDER BY EASHits Desc" -i:IISW3C -o:CSV > c:\temp\2010_EAS2_20130919.csv
Parse Exchange IIS logs to find ActiveSync connections per device
"c:\Program Files\Log Parser 2.2\LogParser.exe" "SELECT cs-username AS UserID, cs(User-Agent) AS DeviceType, count (*) FROM \\cas01\c$\inetpub\logs\LogFiles\W3SVC1\u_ex130919.log,\\cas02\c$\inetpub\logs\LogFiles\W3SVC1\u_ex130919.log WHERE cs-uri-stem LIKE '%Microsoft-Server-ActiveSync%' AND cs-username IS NOT NULL GROUP BY UserID, DeviceType ORDER BY UserID" -i:IISW3C -o:CSV > c:\temp\2010_EAS2ByDevice_20130919.csv
Show the replication metadata for the specified AD object
repadmin /showobjmeta dc01 "CN=group1,OU=Groups,DC=lands,DC=domain,DC=local"
Show pending file rename operations
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations
Use the LDAP in chain matching rule to recursively find members of a group
dsquery * -filter "(memberOf:1.2.840.113556.1.4.1941:=CN=group1,OU=Groups,DC=lands,DC=domain,DC=local)" -s dc01
Open the 'choose profile' dialog box
start outlook /profiles
Use mfcmapi to view the message class and details of items
mfcmapi | Session | Logon and Display Store Table
Exchange 2010 exfolders (pfdavadmin replacement)
"\\cas01\c$\Program Files\Microsoft\Exchange Server\V14\Bin\ExFolders.exe"
Query for Exchange 2010 user mailboxes
adfind -b "OU=Shared Mailboxes,DC=domain,DC=local" -s onelevel -f "(&(objectClass=User)(objectCategory=Person)(msExchVersion=44220983382016))" samaccountname useraccountcontrol msexchmasteraccountsid -alldc -csv > SharedMailboxes_20131205.csv
Query lastlogon from every Domain Controller
repadmin /showattr * "CN=user01,OU=Users,DC=domain,DC=local" /attrs:lastLogon
Set the unconditional DNS forwarders for a server
dnscmd dns01 /ResetForwarders 192.168.10.1 192.168.10.2
Query NTFS journal USN (buggy)
usnjournalproject.exe
Query the fine-grained password policy settings from AD
dsquery * "CN=Password Settings Container,CN=System,DC=domain,DC=local"
Download symbols for windbg debugging
symchk /r c:\windows\system32\*.dll SRV*c:\windows\temp\symbols*http://msdl.microsoft.com/download/symbols
Find Outlook Auto Mapping attributes for links/backlinks
dsquery * -filter "(&(objectclass=user)(objectcategory=person)(|(msexchdelegatelistbl=*)(msexchdelegatelistlink=*))(extensionattribute5=DSITIA-Science))" -attr displayname msexchdelegatelistbl msexchdelegatelistlink
Access a shadow copy using a previous versions token pathname extension
dir \\server01\data\@GMT-2014.06.29-23.00.07\dir1
Extract an ISO file with 7ZIP
"C:\Program Files\7-Zip\7z.exe" x -y -oC:\temp\ISOFiles c:\downloads\cd1.iso
Modify the current power configuration to disable standby for AC power
powercfg -x -standby-timeout-ac 0
Query tombstoned AD objects
adfind -b dc=domain,dc=local -showdel -f isdeleted=TRUE > deletedObjects_20141014.txt
Query the current credential providers (gina/winlogon notification replacement)
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication" /s
Show a list of supported scenarios for netsh ETL tracing
netsh trace show scenarios
Query SCOM Audit Collection Services (ACS) database for 2008 creation events
select top 10 * from adtserver.dvall5 where EventId = 4720
Purge kerberos tickets from the system login ID
klist -li 0x3e7 purge
Disable hybrid sleep in the balanced power plan
powercfg -SETACVALUEINDEX 381b4222-f694-41f0-9685-ff5bb260df2e 238c9fa8-0aad-41ed-83f4-97be242c8f20 94ac6d29-73ce-41a6-809f-6363ba21b47e 0
Disable sleep in the balanced power plan
powercfg -SETACVALUEINDEX 381b4222-f694-41f0-9685-ff5bb260df2e 238c9fa8-0aad-41ed-83f4-97be242c8f20 29f6c1db-86da-48c5-9fdb-f2b67b1f44da 0
Disable hibernate in the balanced power plan
powercfg -SETACVALUEINDEX 381b4222-f694-41f0-9685-ff5bb260df2e 238c9fa8-0aad-41ed-83f4-97be242c8f20 9d7815a6-7ee4-497e-8888-515a05f02364 0
Disable NLA in an .RDP file for remote desktop/terminal services
enablecredsspsupport:i:0
Rename an AD object
dsmove "CN=user1,OU=Users,DC=domain,DC=local" -newname user2 -s dc01
Query an entire SQL database and all tables for the specified string
c:\util\QuerySQLDatabase.sql
Access a SharePoint server using a non-standard port using UNC
\\teamsite@5001\folder1\folder2\folder3
Perform a network capture on a Server 2012 server
Netsh Trace start capture = yes (followed by: Netsh Trace stop)
Show the domain-wide password policy
net accounts /domain
Check if pending reboot required prevents software installation (eg SQL 2008)
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"
Find the SharePoint content databases and server
stsadm -o enumcontentdbs -url http://localhost
Query virtual directories on an IIS 7.x server (web or FTP)
appcmd list vdir & appcmd list site
Add an alternate computer name to AD
netdom COMPUTERNAME servernew /add serverold.domain.local
List the audit policy categories available
auditpol /list /category /v
List the audit policy subcategories available for the specified category
auditpol /list /subcategory:"Object Access"
Modify the LM compatibility level to NTLMv2 only for RDP 8.1 (no reboot req.)
reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA /v LMCompatibilityLevel /d 0x3 /t reg_dword
Show process permissions and token information
accesschk -p explorer.exe -f
Query the volume shadow copies available
volrest \\server01\Test1_20151007
List the certificate enrolment policy templates
certutil -template
Add a firewall rule to allow TCP:8080 inbound
netsh advfirewall firewall add rule name="Allow Tomcat In" dir=in protocol=TCP localport=8080 action=allow
Run a manual sync with ADConnect
"C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe"
MIISClient console for ADConnect
"C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe"
Enable logging dropped local firewall connections
netsh advfirewall set domainprofile logging droppedconnections enable
Create a virtual RAM disk (not accessible through VIclient)
imdisk -a -s 536870912 -m R: -o rem -p "/fs:ntfs /q /y"
Create a virtual floppy disk backed by file (flp can be mounted through vi)
imdisk -a -s 1440K -f c:\temp\test1.flp -m R: -o fd -o shared -p "/fs:fat /q /y"
Return AD search index information on a query
adfind -b dc=domain,dc=local -f "(&(objectClass=User)(objectCategory=Person)(extensionattribute2=test))" samaccountname -stats+only
Extract cabinet files from patches (MSP)
msix patch.msp /out .
Find the supported SASL mechanisms of a directory
adfind -rootdse -s dc01
LDAP client tracing
reg add HKLM\System\CurrentControlSet\Services\ldap\tracing\Microsoft.IdentityServer.ServiceHost.exe & logman create trace ldap -p {099614a5-5dd7-4788-8bc9-e29f43db28fc} 0x1FFFDFF3 -o .\ldap.etl & logman start ldap & pause & logman stop ldap & tracerpt.exe ldap.etl -o ldap2.csv -of CSV
Evaluate SID count and token size for a user
dsmgmt "group membership evaluation" "run lands user01" quit quit
Run AdminSDHolder / SDProp process on PDC emulator
admod -sc runpag -h dc01.domain.local
Change the owner of a database to a SQL login
ALTER AUTHORIZATION ON DATABASE::Orchestrator TO [sa];
Enable RDP remotely
reg add "\\pc\HKEY_LOCAL_MACHINE\software\policies\microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /d 0x0 /t reg_dword & sc \\pc stop termservice & sc \\pc start termservice
Find attributes marked as confidential
dsquery * CN=Schema,CN=Configuration,DC=domain,DC=local -filter "(searchFlags:1.2.840.113556.1.4.803:=128)"
Query LAPS password and expiration
dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer)(ms-mcs-admpwd=*))" -s dc01 -attr name ms-mcs-admpwd ms-Mcs-AdmPwdExpirationTime
Query global and universal groups an account is a memberof
adfind -b "CN=user01,OU=Users,DC=domain,DC=local" -s base TokenGroupsGlobalAndUniversal
Query for expiring user accounts
adfind -b "OU=Users,DC=domain,DC=local" -f "(&(objectClass=User)(objectCategory=Person)(!(|(accountExpires=9223372036854775807)(accountExpires=0))))" samaccountName accountexpires -alldc -csv > ExpiringAccounts_20170410.csv
Show current SQL server processes and blocks/locks
EXEC sp_who2
Start a process as the 'Network Service' account on an RDP session
psexec \\pc /i 3 /u "nt authority\network service" cmd.exe
Decrypt a BitLocker encrypted volume
manage-bde -off c:
Find the per-service SID for a service
sc showsid dnscache
Apply permissions to a per-service SID
icacls file.txt /grant *S-1-5-80-1458370022-919992539-2723553652-3559830572-560683627:(D,WDAC)
Export a task to XML
schtasks /query /xml /tn "daily delta sync" > "c:\temp\Daily.xml"
Create a task from XML
schtasks /create /xml "c:\temp\Daily.xml" /ru domain\svc_account /rp * /tn "Daily Delta Sync"
Upgrade from standard to datacentre 2008 R2 using KMS datacentre key
dism /online /set-edition:ServerDatacenter /productkey:74YFP-3QFB3-KQT8W-PMXWJ-7M648 /AcceptEula
Find the .Net Framework 3.5 version installed
reg query "\\server01\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5"
Find the .Net 2.0 CLR version (used by .Net 3.5)
filever \\server01\c$\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Check the HTTP listener session status
netsh http show servicestate view="session"
Enable http.sys verbose ETW tracing
logman start httptrace -p Microsoft-Windows-HttpService 0xFFFF -o c:\temp\httptrace.etl -ets
Kill a TCP connection
wkillcx.exe 192.168.10.10:5725
Modify the default TTL you see when pinging a machine (default 128)
netsh int ipv4 set glob defaultcurhoplimit=63
Wait for a crashdump for the specified process and write a full dump
Procdump.exe -t -ma -o Microsoft.ResourceManagement.Service.exe C:\CrashDumps
Enable SCHANNEL informational logging
reg add \\server01\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL /v EventLogging /d 0x7 /t reg_dword
Show the current firewall profile
netsh advfirewall show currentprofile
Show Win 10 Azure device registration status
dsregcmd.exe /status
Disable NetBIOS over TCP/IP
wmic nicconfig get caption,index,TcpipNetbiosOptions & wmic nicconfig where index=7 call SetTcpipNetbios 2
Query stored credentials
vaultcmd /listcreds:"Windows Credentials" /all
Find registry hives loaded
reg query \\server01\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
Query ETL providers
logman query providers
Find the certificate a host is using for https
nmap.exe -n -Pn -p443 outlook.office.com --script ssl-cert
Query DNS Conditional forwarders
reg query "\\dc01\hklm\software\microsoft\windows nt\currentversion\DNS Server\Zones\domain.local"
Temporarily disable policy and allow basic auth for WinRM
reg add "HKLM\Software\Policies\Microsoft\Windows\WinRM\client" /v AllowBasic /d 0x1 /t reg_dword & winrm set winrm/config/service/auth '@{Basic="true"}'
Find the public key token of a DLL
"c:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.6 Tools\sn" -T c:\temp\MicrosoftServices.IdentityManagement.WorkflowActivityLibrary.dll
Grant permissions to the private keys of a certificate using RK tools
WinHttpCertCfg.exe -g -c LOCAL_MACHINE\My -s "Server Data Encryption" -a "domain\svc_service"
Start an elevated command prompt as another user
runas /user:domain\user01 "powershell.exe -command \"start-process -verb runas cmd\""
Find tokenGroups to show SIDs of groups a person is a member of
adfind -b "CN=user01,OU=Users,DC=domain,DC=local" -s base tokengroups
Find the SDDL for the specified event log on a remote computer
wevtutil gl /r:dc01 security
Update the SDDL for the specified event log on a remote computer
psexec \\dc01 wevtutil sl Security /ca:O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)(A;;CC;;;NS)
Show the ephemeral dynamic RPC port range currently configured
netsh int ipv4 show dynamicport tcp
Show the Windows Firewall filters matching run-time IDs in event logs
Netsh.exe WFP Show State
Query BitLocker recovery information confidential attribute from AD
dsquery * -filter "(&(objectClass=msFVE-RecoveryInformation))"
Check the schema to see if an attribute is confidential (searchFlags=0x128)
adfind -b "CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=domain,DC=local" -alldc searchflags
Redirect the output of a command to the clipboard
dsquery user -samid user01 | clip
Sysinternals TCP network connectivity check
psping fimservice:5725
Query the triggers for a service (i.e. stop when not domain joined)
sc qtriggerinfo w32time
View SharePoint log files, and Outlook trace files
ulsviewer.exe
List the certificate templates from a CA
certutil -CATemplates -config "CA1.domain.local\Internal Issuing CA 1 SHA256"
View the alternate data streams in a file
streams
Query the DNS block list
dnscmd dc1.domain.local /info /globalqueryblocklist
Export security policy on a 2016 Core DC
secedit /export /cfg c:\windows\temp\security.inf /log c:\windows\temp\sec.log
Query accounts configured with unconstrained delegation
dsquery * -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=524288))"
Query for people who don't have domain users as primary group
adfind -b "OU=Users,DC=domain,DC=local" -f "(&(objectClass=User)(objectCategory=Person)(!primarygroupID=513))" samaccountname -csv
Revert Windows 10 to the old Alt+Tab experience
reg add HKEY_USERS\S-1-5-21-123660284-1234560955-123430997-1234\Software\Microsoft\Windows\CurrentVersion\Explorer /v AltTabSettings /t reg_dword /d 0x1
Set the number of explorer thumbnails to 1 so they're stacked with 2+ instances
reg add HKEY_USERS\S-1-5-21-123660284-1234560955-123430997-1234\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband /v NumThumbnails /t reg_dword /d 0x1
Wayne's World of IT (WWoIT).