
Sunday, June 14, 2020

More useful command-lines


While PowerShell is usually the tool of choice these days, old habits die hard. I still record command-lines I find useful in the old-fashioned command prompt.

This is the fourth edition of useful command lines, adding another 467 commands. Note that many of the command-lines may require Microsoft utilities (such as dsquery, wmic, dnscmd), resource kits, Sysinternals or other third-party binaries.


Each command-line can be copied and pasted at the command prompt. If you use a batch file, you'll need to reference for-loop variables with a double percent (%%i instead of %i).


I hope this will help some of the other non-clickers out there.


See the previous three posts for more command-line operations:



Disable IPV6 on Windows Server 2008
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t reg_dword /d 0xFFFFFFFF

Verify a certificate chain
certutil -verify -urlfetch test.cer

Query the roles and features installed on a Windows Server 2008 installation
ServerManagerCmd -query

Create a performance monitor log to gather local counters
logman create counter SystemPerformance -cf c:\temp\counters.txt -b "29/04/2010 0:00:00" -e "29/04/2010 23:59:59" -r -rf 24:00:00 -cnf 24:00:00 -o c:\perflogs\%computername% -f bin -si 00:00:15

Check the access permissions on files/directories/registry keys (sysinternals)
accesschk.exe

GUI View virtual/physical memory maps of processes (sysinternals)
vmmap.exe

View Win32 and Kernel-mode Debug output (sysinternals)
dbgview.exe

Use 2008R2 logman to create a data collector set from a saved XML
logman import -xml c:\admin\Control\Performance.xml -n Performance

Use 2008R2 logman to start a performance data collector set
logman start Performance

Display license/activation details on a KMS client for the current license
cscript c:\windows\system32\slmgr.vbs /dlv

Find 2008 servers in the domain
dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=Windows Server 2008*))" -limit 0

Set the KMS server used for activation
cscript slmgr.vbs /skms %kmsServer%

Trigger software activation
cscript slmgr.vbs /ato

Find the owners of all processes on a remote system
wmic /node:%server% PROCESS where "caption like '%'" getowner

Find contacts that are members of distribution groups
dsquery * -filter "(&(objectClass=Contact)(objectCategory=Person)(memberof=*))" -attr distinguishedname memberof -limit 0

Query a group of XenApp/terminal servers for TS logons
wmic /node:server01,server02,server03 path Win32_PerfFormattedData_TermService_TerminalServices Get ActiveSessions,InactiveSessions,TotalSessions

Enable user mode verbose logging
reg add "\\server01\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v UserenvDebugLevel /t reg_dword /d 0x30002

Enable Kerberos debugging
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v LogLevel /t reg_dword /d 1

Enable NTFRS debugging
reg add HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters /v "Debug Log Severity" /t reg_dword /d 0x4

Enable Group Policy Client Side Extension (CSE) debugging
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GpExtensions\{827d319e-6eac-11d2-a4ea-00567f79f83a}" /v ExtensionDebugLevel /t reg_dword /d 0x2

Enable Group Policy folder redirection debugging
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v FdeployDebugLevel /t reg_dword /d 0x0000000F

Check whether a user's token size is too large
ntdsutil "group membership evaluation" "run domain user"

Use ntdsutil with escaped double-quotes when the SAMID has spaces
ntdsutil "group membership evaluation" "run domain \"User 01\"" quit quit

2008 server print backup recovery and maintenance, query printers
c:\Windows\System32\spool\tools\printbrm -q

Set the managed by attribute of an object on a particular DC
cscript SetManagedBy.vbs dc01 "CN=GroupName,CN=Users,DC=domain,DC=local" "CN=UserOrGroup,DC=domain,DC=local"

Set the ACE required for the tick-box allowing a manager of an object
dsacls.exe "CN=GroupName,CN=Users,DC=domain,DC=local" /G domain\user:WP;member

Test whether a Domain Controller is responding over LDAPS
adfind -b "dc=domain,dc=local" -h dc01 -ssl

Find AD/DNS registered KMS servers
nslookup -type=srv _VLMCS._tcp.domain.local

Query a number of Citrix/XenApp/Terminal servers for users
for %i in (server01 server02 server03) do @for /f %m in ('"quser /server:%i | find /i "ica" /c"') do @echo %i,%m

Query Citrix farm information
qfarm

Set 2003 page file information
cscript C:\WINDOWS\system32\pagefileconfig.vbs /change /s %server% /I 6144 /M 6144 /VO C:

Set 2008 page file information
wmic pagefileset create name="C:\\pagefile.sys" & wmic pagefileset set InitialSize=614,MaximumSize=6144

View the certificate stores available to the current user
reg query HKCU\Software\Microsoft\SystemCertificates

View the properties of an exported certificate
certutil /dump ExportedCert.pfx

Find the MTU size on a Windows 2003+ server
netsh interface ip show int

Read the registry to find network adapter configuration (MTU jumbo)
reg query \\server01\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} /s | find /i "reg" | findstr /i /c:DriverDesc /c:ProviderName /c:"jumbo"

Use WMI to find the MTU of a network interface (2008 and later)
wmic /node:%server% path win32_networkadapterconfiguration get MACAddress,MTU,IPAddress

Report drive geometry using WMI
wmic path Win32_DiskDrive Get DeviceID,TotalSectors,Size

Query Citrix session information
queryds /table:Conn_Sessions

Find the committed bytes in use percentage from a remote computer
wmic /node:%server% path Win32_PerfFormattedData_PerfOS_Memory get PercentCommittedBytesInUse

Find the Citrix XenApp metaframe load level for a Citrix server
wmic /node:%server% /namespace:\\root\Citrix path MetaFrame_Server_LoadLevel

Find the applications running on a Citrix server
wmic /node:server01 /namespace:\\root\Citrix path MetaFrame_ApplicationsRunningOnServer

Find Citrix server information
wmic /node:server01 /namespace:\\root\Citrix path MetaFrame_Server

From a list of computers, find the remote NIC bandwidth / speed
for /f  %i in (c:\temp\servers_20100601.txt) do wmic /node:%i path Win32_PerfRawData_Tcpip_NetworkInterface Where "Name!='MS TCP Loopback interface'" Get Name,CurrentBandwidth > %i_bandwidth.txt

Find Exchange Servers from Active Directory
dsquery * "CN=Configuration,DC=domain,DC=local" -filter "(&(objectClass=msExchExchangeServer)(objectCategory=msExchExchangeServer))"

Transfer single-master FSMO roles to the connected DC
ntdsutil roles Connections "Connect to server dc01" quit "Transfer %role%"

Query for the NetBIOS 1B domain master browser and PDC record
nblookup /x 1b DOMAIN

Query for the DNS PDC SRV Service Record
nslookup -type=srv _ldap._tcp.pdc._msdcs.domain.local

Check the role for a domain member
wmic /node:dc01 path win32_computersystem get DomainRole  (0 Standalone WS, 1 Member WS, 2 Standalone Server, 3 Member Server, 4 Backup Domain Controller, 5 Primary Domain Controller)

Load performance counters from the specified DLL
lodctr %file%

Find a list of computers sorted by creation date
dsquery * "OU=Workstations,OU=Resources,DC=domain,DC=local" -limit 0 -filter "(&(objectClass=Computer)(objectCategory=Computer))" -attr whenChanged CN | sort

Find the display specifier used when creating new users through the GUI
dsquery * "CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=domain,DC=local" -attr createDialog

Delete a computer record from SCCM through the WMI provider
wmic /namespace:\\root\sms\site_sc1 /node:"server01" path  SMS_R_System WHERE Name='server02' DELETE

Recompile service control manager logs to fix missing SCM event log entries
psexec \\server01 /s mofcomp %windir%\system32\wbem\scm.mof

Export feature/role information using 2008 server manager (shows defaults)
servermanagercmd -query c:\temp\roles.xml

Find trust account metadata for a trusted domain
repadmin /showmeta "CN=DOMTRUST$,CN=Users,DC=domain,DC=local"

Set read-only permissions on the current folder with non-propagated inheritance
icacls . /grant Users:(NP)(R)  - in this example adding (NP) is not strictly necessary; just omitting (OI)(CI) implies this folder only (NP).  The SDDL export of the two commands reports the same (with NP and without)

Query system devices and drivers
wmic /node:server01 path win32_systemdriver

Find machines from a specific manufacturer
wmic /node:server01 path win32_computersystem where "Manufacturer like '%Dell%'" get Manufacturer,Model,Name

Run a remote sysinternals utility with psexec specifying accepteula twice
psexec -accepteula \\server01 c:\temp\handle.exe "-accepteula"

Use delayed expansion (cmd /v:on) to parse reg.exe output and produce CSV
for /f "tokens=1,* delims=_" %i in ('dir /b *.txt') do @set test="%~nj"& (@for /f "skip=2 tokens=3" %m in ('"find /i "reg_" %i_%j | findstr /c:AutoReboot /c:CrashDumpEnabled /c:DumpFile /c:LogEvent /c:MinidumpDir /c:Overwrite /c:SendAlert | sort"') do @set test=!test!,"%m")& @echo !test!

Enable the option to generate a STOP error on demand for a USB 2008 server
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters /v CrashOnCtrlScroll /t reg_dword /d 0x1

Generate a STOP error with a sysinternals test faulty app
NotMyFault.exe /crash

Gather file system cache and other memory information from a group of servers
for /f %i in ('dsquery computer -desc *file* -name server* -o rdn') do @for /f "skip=1 tokens=1-8" %m in ('"wmic /node:%i path Win32_PerfFormattedData_PerfOS_Memory get CacheBytes,CacheBytesPeak,SystemCacheResidentBytes,AvailableMBytes,PoolPagedBytes,PoolNonpagedBytes,FreeSystemPageTableEntries,PercentCommittedBytesInUse"') do @echo %i,%m,%n,%o,%p,%q,%r,%s,%t

Analyse Windows memory allocation (sysinternals). Metafile for FS cache
RAMMap and VMMap

Install IIS7 and management tools on 2008
servermanagercmd -install Web-WebServer Web-Mgmt-Tools

Install File services and FSRM on 2008
servermanagercmd -install File-Services FS-FileServer FS-Resource-Manager

Find the cluster size of a disk volume
wmic /node:%server% path win32_volume Get DriveLetter,BlockSize,Label

Find mail enabled users and contacts from an AD and export to CSV
csvde -f c:\temp\mailEnabled_20100816.csv -l samaccountname,cn,givenName,sn,displayname,mail,proxyAddresses,mailnickname,legacyExchangeDN,lastLogonTimestamp -r "(&(|((objectClass=Contact)(objectClass=User)))(objectCategory=Person)(mailnickname=*))"

Find Exchange private mailbox stores from AD
dsquery * "CN=Configuration,DC=domain,DC=local" -filter "(&(objectClass=msExchPrivateMDB)(objectCategory=msExchPrivateMDB))"

Modify security descriptor for access to the application event log
HKLM\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppLogSD%,2

Query alternate recipients for Exchange forwarding addresses
dsquery * -filter "(&(objectClass=*)(altRecipient=*))" -attr cn altrecipient

Use IPMI to query the event log of a Dell server BMC
ipmiutil sel -N 192.168.1.10 -U root -P calvin -F lan2

Query a dnsNode object in AD for a reverse lookup zone
dsquery * "DC=10,DC=192.168.1.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local" -attr *

List Print Drivers on a 2008 R2 server
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs -l

Install an x64 2008 R2 version 3 printer driver
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs -a -v 3 -e "Windows x64" -m "RICOH Aficio 3245C PCL 6" -i c:\src\Drivers\Ricoh3245C\r40479en\disk1\OEMSETUP.INF -h c:\src\Drivers\Ricoh3245C\r40479en\disk1

Install an x86 XP version 3 printer driver to a 2008 R2 server
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs -a -v 3 -e "Windows NT x86" -m "RICOH Aficio 3245C PCL 6" -i c:\src\Drivers\Ricoh3245C\r40485en\disk1\OEMSETUP.INF -h c:\src\Drivers\Ricoh3245C\r40485en\disk1

Create a TCP/IP port using RAW over TCP 9100
cscript prnport.vbs -a -s server01 -r IP_192.168.1.10 -h 192.168.1.20 -o raw -n 9100

Create a printer, using the specified printer and port on a 2008 R2 server
cscript prnmngr.vbs -a -p DJW391 -m "RICOH Aficio 3245C PCL 6" -r IP_192.168.1.10

Share and publish a printer on a 2008 R2 server
cscript prncnfg.vbs -t -p DJW391 -h DJW391 +shared +published

Query IIS virtual directories using WMI
wmic /node:server01 /namespace:\\root\MicrosoftIISv2 path IIsWebVirtualDir

Enumerate 2008 R2 event logs
wevtutil.exe el

Get the configuration of a 2008 R2 event log
wevtutil.exe gl Microsoft-Windows-PrintService/Operational

Enable print information job logging with 10MB log file
wevtutil.exe sl Microsoft-Windows-PrintService/Operational /e /ms:10485760

Set AD acls for full control of computer objects, inherited to sub-objects
dsacls "OU=Workstations,OU=Resources,DC=domain,DC=local" /I:S /G DOMAIN\group01:GA;;computer

Set AD acls for creating/deleting computer objects, inherited to this and sub
dsacls "OU=Workstations,OU=Resources,DC=domain,DC=local" /I:T /G DOMAIN\group01:CCDC;computer

Check whether an executable is x86, WAMD64, W32i64 etc (2003 support.cab)
filever.exe %filename%

LDAP filter to return mail-enabled users that are members of a particular group
dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(mailnickName=*)(memberOf=CN=group01,OU=Groups,DC=domain,DC=local))"

Find dynamic distribution lists in the directory and the LDAP filter used
dsquery * -filter "(objectClass=msExchDynamicDistributionList)" -attr distinguishedName msExchDynamicDLFilter

Find groups a user is a member of using extended match operator for the chain
dsquery * -filter "(&(objectClass=Group)(member:1.2.840.113556.1.4.1941:=CN=user01,DC=domain,DC=local))" -scope subtree

Find foreign security principals and group membership, resolving the name
dsquery * CN=ForeignSecurityPrincipals,DC=domain,DC=local -filter "(&(objectClass=foreignSecurityPrincipal)(memberOf=*))" -attr msDS-PrincipalName memberof

Find constructed token groups for the specified user
dsquery * "CN=user01,DC=domain,DC=local" -attr tokenGroupsGlobalAndUniversal -s dc01 -scope base

Find constructed last modified for the specified object
dsquery * "CN=user01,DC=domain,DC=local" -attr modifyTimeStamp -s dc01

Find the constructed canonical name for the specified user object
dsquery * -filter (samaccountname=user01) -attr canonicalName -s dc01

Find software that's installed using WMI
wmic path win32_product

Find file/directory information using WMI
wmic path win32_directory where "Name = 'c:\\temp'"

Join a computer to a domain
netdom join %computername% /domain:test.com /userd:administrator /passwordd:password /reb

Find a list of servers from AD and then query them for disk space
for /f %i in ('dsquery computer -name server* -o rdn') do @wmic /node:%i path Win32_LogicalDisk Get Name,Size,FreeSpace,VolumeName /format:csv | find /i /v "a:,," | find /i /v "d:,," | find /i "dv"

Find uptime of a computer and lanman workstation statistics
net stats workstation

Find uptime of a computer and lanmanserver statistics
net stats srv

Find size and free space of logical disks of a remote machine
wmic /node:"server01" path Win32_LogicalDisk WHERE "Size > 0" GET SystemName,Name,Size,FreeSpace,VolumeName /format:csv

ODBC data source administrator on 2008 R2
odbcad32.exe

Create a 64-bit DSN on 2008 R2
odbcconf.exe /Lv c:\admin\logs\SQLNativeClientInstall.log /A {CONFIGSYSDSN "SQL Server Native client 10.0" "DSN=VMware VirtualCenter|Description=Test instance of vCenter|Server=sqlserver01\instance01|Database=VirtualCenter"}

Create a 32-bit DSN on 2008 R2
c:\windows\syswow64\odbcconf.exe /Lv c:\admin\logs\SQLNativeClientInstall.log /A {CONFIGSYSDSN "SQL Server Native client 10.0" "DSN=VMUM|Description=Update Manager Test Instance|Server=sqlserver01\instance01|Database=VMUM"}

Check the NTP announceflags of each DC to find reliable time servers
for /f %i in ('"nltest /dclist: | find /i "[ds]""') do reg query \\%i\hklm\system\currentcontrolset\services\w32time\config /v announceflags

Set the logon as a service right on a remote computer
ntrights -m \\%computer% -u %domain%\%user% +r SeServiceLogonRight

Set a remote service to run as a domain user account (remove interact)
sc \\%computer% config %service% obj= "%domain%\%username%" password= "password" type= own

Find the server holding the PDC single-master operations role
dsquery server -hasfsmo pdc

Add and install a Plug and Play driver package (enough for 2008 to change vga)
pnputil -i -a "c:\program files\common files\vmware\Drivers\wddm_video\vm3d.inf"

Find vCenter alerts
dumpel -s server01 -l application -d 1 -m "Categor01"

Find the latest .Net framework version from a list of computers
for /f %i in (c:\temp\servers_20101020.txt) do @ping -n 1 %i >nul & if errorlevel 0 if not errorlevel 1 @for /f "tokens=*" %m in ('"reg query "\\%i\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" 2>nul |find /i "hkey" > c:\temp\dotnet.txt & tail -1 c:\temp\dotnet.txt"') do @for /f "tokens=3" %q in ('"reg query "\\%i\%m" /v version 2>nul| find /i "reg_sz" & if errorlevel 1 echo 1 2 NotFound"') do @echo %i,%m,%q

Query Citrix or terminal server session information
qwinsta /server:%computer%

Reset a remote Citrix or terminal server session
rwinsta %sessionname% /server:%computer%

Reset a local Citrix or terminal server session
reset %sessionname%

Find host header bindings from the IIS metabase
findstr /i "^.*:[0-9]*:.*$" \\%server%\c$\windows\system32\inetsrv\metabase.xml

Export events, changing the date from EN-US to EN-AU
for /f "tokens=1-3,* delims=/ " %i in ('"dumpel -s \\server01 -l application -e 3041 -m "MSSQL$DB01" -d 50"') do @echo %j/%i/%k %l

Use IPMI to read sensors on a Dell R900 server
ipmiutil sensor -N 192.168.1.10 -U root -P calvin -F lan2

Find the sector and cluster size for an NTFS volume
fsutil fsinfo ntfsinfo h:\

Enumerate SRV records from the specified location in a DNS zone
dnscmd dc01 /enumrecords domain.local._tcp.dc._msdcs.domain.local. /type SRV

Export an AD-integrated zone to file
dnscmd server01 /ZoneExport domain.local domain.local.dns

Find driver file information for the specified devices
devcon drivernodes *RDP_MOU* & devcon driverfiles *RDP_MOU*

Create a custom Active Directory partition for DNS records
DnsCmd dc01 /CreateDirectoryPartition manualDNS_msdcs.domain.local

Add an additional DC for partition replication
DnsCmd dc01 /EnlistDirectoryPartition  manualDNS_msdcs.domain.local

Convert a file-based primary to an AD integrated primary in a custom partition
dnscmd /ZoneResetType _msdcs.domain.local /DsPrimary /OverWrite_Ds /DirectoryPartition manualDNS_msdcs.domain.local

Enumerate the partitions in an Active Directory
DnsCmd /EnumDirectoryPartitions

Find CAs published in AD
dsquery * "cn=enrollment services,cn=public key services,cn=services,cn=configuration,dc=domain,dc=local"

Find user accounts with SID history
dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(sidhistory=*))" -attr name sidhistory

Check the local _msdcs records on a Domain Controller
\\%computer%\c$\windows\system32\config\netlogon.dns

Find secure channel information about trusted domains/forests
wmic /namespace:\\root\MicrosoftActiveDirectory path Microsoft_DomainTrustStatus

Find services that are set to automatically start but are currently stopped
wmic /node:server01 path win32_service  where "State='Stopped' AND StartMode='Auto'"

Find trusts of type forest
dsquery * "CN=System,DC=domain,dc=local" -filter "(&(objectClass=trustedDomain)(trustAttributes:1.2.840.113556.1.4.803:=8))" -attr stPartner flatName trustAttributes

Add an Active Directory service record for GC lookups
dnscmd dc01 /recordadd _msdcs.domain.local.  _ldap._tcp.site01._sites.gc._msdcs.domain.local. SRV 0 100 3268 dc01.domain.local.

Modify the default intra-site change notification for replication
repadmin /notifyopt dc1 dc2 "DC=domain,DC=local" /first:10

Find the options for a site link (1 for change notifications)
dsquery * "CN=SiteLink01,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=local"  -attr Options

Modify a site link to use change notifications
admod -b "CN=SiteLink01,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=local" options::1

Delete one or more user profiles
delprof /p /c:\\%computer%

Write an ISO image to CD/DVD
isowriter -r e: -e "file.iso"

Find mail-enabled public folders that aren't hidden from the GAL
dsquery * -filter "(&(objectClass=publicFolder)(mailnickName=*))" -attr cn mail msExchHideFromAddressLists -limit 0 | find /i "false"

Query servers from an SMS/SCCM database
wmic /namespace:\\root\sms\site_a01 /node:"server01" path SMS_R_System WHERE "ADSiteName = 'S01' and OperatingSystemNameandVersion like '%server%'" get name,adsitename,IPAddresses,MACAddresses /format:CSV

Find serial numbers from physical servers
wmic /node:@physical.txt path Win32_SystemEnclosure get SerialNumber /format:csv

Find the number of mail-enabled active users who have a home drive on a server
for /f "tokens=*" %i in ('dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(mailnickname=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(homeDirectory=*%server%*))" -limit 0 ^| find /i /c "cn="') do @echo %i

Find the canonical name (constructed attribute) of a list of users
dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(homeDirectory=*arisrv*))" -attr canonicalName

Query and decode password last set for user accounts, output in csv without DN
adfind -b "DC=domain,DC=local" -f "(&(objectClass=User)(objectCategory=Person)(homeDirectory=*server01*))" canonicalName pwdlastset -tdc -csv -excl -nodn

Find an account and decode all attributes (pwdlastset, useraccountcontrol etc)
adfind -s base -b "CN=user01,OU=Accounts,DC=domain,DC=local" -h dc01 -alldc

Find the canonical name of a filtered list of OUs
dsquery * -filter "(&(objectClass=organizationalUnit)(name=*server*))" -attr canonicalName

Purge Kerberos tickets for the currently running user
klist purge

From a list of computers, report whether they respond to a ping or not
for /f %i in (c:\temp\Servers.csv) do for /f "tokens=3 delims=: " %m in ('ping -n 1 %i ^| find /i "reply from" ^& if errorlevel 1 echo 1:2:NoReply') do echo %i,%m

Query 2008 or later for the OS architecture (x86 or x64)
wmic /node:server01 path Win32_OperatingSystem Get OSArchitecture

Query 2003 or earlier for the OS architecture (x86 or x64)
wmic /node:server01 path Win32_OperatingSystem Get Caption

Delete the policy restriction to run perfmon.msc
reg delete HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{C96401CF-0E17-11D3-885B-00C04F72C717}

Update the WINS DHCP Option Value
netsh dhcp server \\server01 scope 192.168.10.0 set optionvalue 044 IPADDRESS 192.168.10.10 192.168.20.10

List Components installed on a 2008 R2 core installation
ocsetup ServerManager-PSH-Cmdlets, Import-Module Servermanager; Get-WindowsFeature

Rename a computer
netdom renamecomputer oldserver01 /newname newserver01 /reboot

Show current firewall rules
netsh advfirewall firewall show rule name=all

Enable DNS logging
dnscmd /config /loglevel 0xffffffff

Disable EDNS0 probes
dnscmd /Config /EnableEDnsProbes 0

Update the master for a secondary DNS zone
dnscmd /zoneresetmasters zone.local 192.168.10.10 192.168.10.11

Disable TCP window size auto-tuning on 2008 servers
netsh interface tcp set global autotuning=disabled

Show global TCP settings on 2008 servers
netsh interface tcp show global

Allow storage of credentials (requires reboot)
reg add hklm\system\currentcontrolset\control\lsa /v disabledomaincreds /d 0x0 /t reg_dword

Tell Exchange to filter messages sent through authenticated connections (SCL)
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter /v CheckAuthSessions /d 0x1 /t reg_dword

Check if Access Based Enumeration (ABE) is enabled on a DFS namespace
dfsutil property abe \\domain.local\shared

Find groups of type distribution
dsquery * -filter "(&(objectClass=Group)(objectCategory=Group)(!groupType:1.2.840.113556.1.4.803:=2147483648))"

Set variables for the current date
for /f "tokens=2-9 delims=/:. " %i in ('echo %date% %time%') do Set DateTime=%k%j%i&Set DateTimeLong=%k%j%i%l%m%n

Find people that have logged on today
for /f "tokens=2-9 delims=/:. " %i in ('echo %date% %time%') do Set Today=%k/%j/%i& adfind -default -f "(&(objectClass=User)(objectCategory=Person))" -csv -noDN -alldc Name lastlogontimestamp | find /i "%today%"

Set the secure list of IPs allowed to transfer a DNS zone
dnscmd dc01 /zoneresetsecondaries domain.local /SecureList 192.168.10.10 192.168.10.11

Use portqry to perform a NetBIOS adapter status request (retrieves MAC)
portqry -n server01 -e 137 -p udp

Find the Exchange schema version
dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr rangeUpper

Find the NTDS.DIT file size on Domain Controllers in the local domain
for /f %i in ('dsquery server -o rdn') do @for /f "tokens=1-5" %m in ('"dir \\%i\c$\windows\ntds\ntds.dit | find /i "dit""') do @echo %i,%m,%n %o,"%p",%q

Find Active Directory schema attributes with the specified display Name
dsquery * "CN=Schema,CN=Configuration,DC=domain,DC=local" -filter (lDAPDisplayName=info)

Find groups with the info/comment set
dsquery * -filter "(&(objectClass=Group)(objectCategory=Group)(info=*))" -attr Name Info

Refresh 2008 R2 network configuration after policy changes (eg SearchList)
psexec \\server01 gpupdate

Check the disk timeout value for SCSI Request block storport I/O requests
reg query \\%server%\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk /v TimeOutValue

Find a DC in the closest site available by site cost
nltest /dsgetdc:domain.local /TRY_NEXT_CLOSEST_SITE

Query the SPF record for a DNS zone from the specified DNS server
nslookup -type=txt server.mail.com 192.168.10.10

Enable Event log tracing for Windows for nltest.exe processes using DCLocator
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DCLocator\Tracing\nltest.exe"

Start an ETW session for the DCLocator GUID
"C:\WinDDK\7600.16385.1\Tools\tracing\amd64\tracelog.exe" -start "nltest" -guid #cfaa5446-c6c4-4f5c-866f-31c9b55b962d -f c:\temp\nltesttrace1.evt -flag 0x0a024332 -level 0x4

Stop an ETW session
tracelog -stop nltest

Parse ETW data and generate a HTML report
tracerpt nltesttrace.etl -o -report

Use LogParser to parse an ETW DCLocator report
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -i etw -o csv "select * from \temp\nltesttrace.etl"

Query the status of an NLB load balanced cluster
nlb query & cluster.domain.local:clusterhost2

Extract Windows Server 2008 R2 events by source
dumpel -l application -d 1 -m Microsoft-Windows-Defrag

Redirect output to the clipboard (2003 or later binary)
echo test | clip

Find users who will need to reset their password at next logon
dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(pwdLastSet=0))"

Decode Exchange 2003 permissions through msExchMailboxSecurityDescriptor
adfind -b "CN=user01,DC=domain,DC=local" -alldc -sddc+ -resolvesids

Refresh certificates from NTDS store on 2008 Domain Controllers
adfind -h dc01 -sc rsc

Find Exchange servers from Active Directory
dsquery * "CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local" -scope onelevel

Browse directly to a different mailbox with OWA
https://vip.domain.local/owa/user01@domain.local

Find the Operating System from a list of computers
wmic /node:@c:\temp\exchange.txt path win32_operatingsystem get CSName,Name

Export a certificate as Base64 encoded
certutil -split -store my server01.domain.local & certutil -encode Blob0_0.crt server01.domain.local.txt

Create a self-signed root authority on a server (prompts for password)
makecert -r -pe -n "CN=Test Root Authority" -ss my -sr LocalMachine -a sha1 -sky signature TestCA.cer -sv TestCA.pvk

Add a self-signed root to the trusted root CA store
certutil -addstore root TestCA.cer

Create a server authentication cert using the self-signed root for local DC
makecert -pe -n "CN=dc01.test.local" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test Root Authority" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 dc01.test.local.cer

Create a server authentication cert using the self-signed root for a second DC
makecert -pe -n "CN=dc02.Test.local" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test Root Authority" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 dc02.Test.local.cer

Export the dc02 cert with private key for transfer to another computer
certutil.exe -privatekey -exportpfx "dc02.test.local" dc02.test.local.pfx

On dc02, install the root trusted cert and the server cert
certutil -addstore root TestCA.cer & certutil -importPFX dc02.test.local.pfx

Delete certificates from the personal store on the local computer
certutil -delstore my dc02.test.local & certutil -delstore my TestVCA

Shows DHCP reserved IPs from a DHCP scope
netsh dhcp server \\server01 scope 192.168.10.0 show reservedip

Find users that are listed in the managedBy field of one or more groups
dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(managedObjects=*))" -attr name managedobjects

Find Collections from SMS using WMIC
wmic /namespace:\\root\sms\site_org path sms_collection where "Name like '%OSD%'"

Deny a user the right to view another user in AD
dsacls "CN=user01,DC=domain,DC=local" /d domain\user02:GR;;

Find groups and decode the group type
adfind -b "dc=domain,dc=local" -f "(&(objectClass=Group)(mailnickname=*))" -h dc01 name groupType -alldc -csv

Find the token size and groups a user is a member of
tokensz /compute_tokensize /dump_groups

From a resource server, find the token size and group membership (SIDHistory)
tokensz /compute_tokensize /user:user01 /domain:domain /password:Password1 /dump_groups

Using OWA for Exchange 2003, view/recover deleted items in any folder
http://exchange01/exchange/user@domain.local/?cmd=showdeleted

Find group and their group type (security, distribution, universal etc)
adfind -b "dc=domain,dc=local" -f "(&(objectClass=Group)(objectCategory=Group))" -h dc01 name groupType -alldc -csv > c:\temp\quest\SecurityGroupTypes_20110826.csv

Find groups of type security in the directory
adfind -b "dc=domain,dc=local" -f "(&(objectClass=Group)(objectCategory=Group)(name=@*)(groupType:1.2.840.113556.1.4.803:=-2147483648))" grouptype -alldc
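
The group-type filters in this list apply the bitwise AND matching rule 1.2.840.113556.1.4.803 to groupType, once with 2147483648 (distribution groups) and once with -2147483648 (security groups). The Python below is an added example, not part of the original post, showing that both numbers select the same security-enabled bit and how a raw groupType decodes; the sample rows and function names are constructed for illustration.

```python
import csv
import io

# groupType bit flags as documented for the Active Directory groupType attribute.
GROUP_TYPE_FLAGS = {
    0x00000001: "BUILTIN_LOCAL",
    0x00000002: "GLOBAL",
    0x00000004: "DOMAIN_LOCAL",
    0x00000008: "UNIVERSAL",
    0x00000010: "APP_BASIC",
    0x00000020: "APP_QUERY",
    0x80000000: "SECURITY_ENABLED",
}

# Constructed sample rows (name, raw groupType); not output from a real directory.
SAMPLE_CSV = '''"name","groupType"
"Domain Admins","-2147483646"
"Administrators","-2147483643"
"App-Servers","-2147483644"
"Uni-Sec","-2147483640"
"Staff-DL","8"
"Finance-Mail","2"
'''


def to_unsigned32(value):
    """groupType is stored as a signed 32-bit integer; return its bit pattern."""
    return int(value) & 0xFFFFFFFF


def bit_and_match(attr_value, filter_value):
    """Emulate rule 1.2.840.113556.1.4.803: every bit in the filter must be set."""
    wanted = to_unsigned32(filter_value)
    return (to_unsigned32(attr_value) & wanted) == wanted


def decode_group_type(value):
    """Return the flag names set in a raw groupType, lowest bit first."""
    bits = to_unsigned32(value)
    names = [name for flag, name in sorted(GROUP_TYPE_FLAGS.items()) if bits & flag]
    leftover = bits & ~sum(GROUP_TYPE_FLAGS) & 0xFFFFFFFF
    if leftover:
        names.append("UNKNOWN_0x%08X" % leftover)
    return names


def load_groups(text):
    """Parse name,groupType CSV text into (name, int) tuples."""
    return [(row["name"], int(row["groupType"]))
            for row in csv.DictReader(io.StringIO(text))]


def security_groups(groups, filter_value=2147483648):
    """Groups matching (groupType:1.2.840.113556.1.4.803:=filter_value)."""
    return [name for name, gt in groups if bit_and_match(gt, filter_value)]


def distribution_groups(groups, filter_value=2147483648):
    """Groups matching (!groupType:1.2.840.113556.1.4.803:=filter_value)."""
    return [name for name, gt in groups if not bit_and_match(gt, filter_value)]


if __name__ == "__main__":
    groups = load_groups(SAMPLE_CSV)
    for name, raw in groups:
        print("%-15s %12d  0x%08X  %s" % (
            name, raw, to_unsigned32(raw), "|".join(decode_group_type(raw))))
    print("security:    ", security_groups(groups))
    print("distribution:", distribution_groups(groups))
```
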

Find tables in the specified SQL database
sqlcmd -S server01\QMMINSTANCE -d MMEXProject -W -s "," -Q "SELECT * from sys.tables"

Query a Quest QMM 8,7 database for collections and members
sqlcmd -S server01\QMMINSTANCE -d MMEXProject -W -s "," -Q "SELECT COL.CollectionName,srv.Name,MO.DisplayName from MEMBERSOFCOLLECTION MO inner join collections COL on COL.ID = MO.CollectionID inner join server srv on srv.ID = MO.ServerID Where MO.CollectionID != 0"

Find accounts in the directory created today
for /f "tokens=1-8 delims=/:. " %i in ('echo %date% %time%') do Set Today=%l%k%j000000 & adfind -b dc=domain,dc=local -f "(&(objectClass=User)(objectCategory=Person)(whenCreated>=%today%.0Z))" -csv

View a DFS namespace on 2008 R2
dfscmd /view \\domain.local\shared /full

Find the Outlook mail control panel CPL file
reg query "HKEY_CURRENT_USER\Control Panel\MMCPL"

Mount a shadow copy volume through the filesystem (vssadmin list shadows)
mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy242\ (the trailing back-slash is important)

From a list of computers, find the srvcomment
for /f %i in (servers.txt) do @for /f "tokens=1,2,*" %m in ('"reg query \\%i\hklm\system\currentcontrolset\services\lanmanserver\parameters /v srvcomment 2>nul| find /i "srvcom" & if errorlevel 1 echo 1 2 {None}"') do @echo %i,%o

From a list of computers, find the AD computer account description
for /f %i in (servers.txt) do adfind -b "dc=domain,dc=local" -f "(&(objectClass=Computer)(objectCategory=Computer)(name=%i))" -csv -nocsvheader -nodn Name,description

An immediate but not very accurate way to count the files on a volume
fsutil fsinfo ntfsinfo C: & echo Divide Mft Valid Data Length / Bytes Per FileRecord Segment

Export a mailbox from 2003 Exchange that's greater than 2GB
cscript ExMBspanPst.vbs user01

Install Active Directory Administration tools for 2008 R2
servermanagercmd -install RSAT-ADDS

Robocopy in restartable mode (this slows down copy 10-20x)
robocopy . c:\dest /z

Mailbox-enable an AD user account in Exchange 2003
exchmbx -b "%userDN%,OU=domain,DC=local" -cr Exchange01:sg1:db1

Add to an SMS/SCCM collection
cscript c:\data\scripts\sms\AddDirectMembership.wsf server01 /c:"Collection01" /s:server01

Find a list of files and their size and date modified
for /f "tokens=*" %i in ('dir /s /a-d /b *.*') do echo "%i","%~zi","%~ti">> C:\Admin\Logs\DirList.txt

Parse a number of robocopy log files, showing the filename and total size/files
for %i in (\\server\c$\logs\robocopy*.log) do for /f "tokens=*" %m in ('"tail "%i" | findstr /i /c:" files :" /c:" bytes :""') do echo %i   %m

From a list of users, return which groups they have managedBy set for
adfind -b "DC=domain,DC=local" -f "(&(objectClass=User)(objectCategory=Person)(managedObjects=*))" managedObjects -list

Save ACLs in SDDL format
icacls g: /save ACLs.txt /t /c

Find msExchMasterAccountSid and decode to readable SID
adfind -b dc=domain,dc=local -f "(&(objectCategory=user)(msExchUserAccountControl=0)(msExchMasterAccountSid=*))" msExchMasterAccountSid distinguishedName -alldc -csv -nodn

View the DFS referral cache on the DFS client
dfsutil cache referral

Check Windows Server 2008 hardware installation/device/driver log files
C:\WINDOWS\INF\setupapi.dev.log

Remove the 'Authentication' tab from ncpa.cpl properties (kb950725)
sc \\%server% stop dot3svc

Check which .Net framework edition an assembly has been compiled for
c:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\x64\ildasm.exe

Use back-quoted for loops including special characters with ^ as escape for |
for %i in (*.xml) do for /f "tokens=* usebackq skip=1" %m in (`find /i "Install the telnet client on a Windows 2008 R2 server
servermanagercmd -install Telnet-Client Enumerate DFS targets wmic /node:server01 path win32_dfstarget get ServerName,LinkName,ShareName View DFS referrals for XP/2003 clients dfsutil /PKTINFO Find DNS scavenging events from a 2008 R2 server wmic /node:"server01" path Win32_NTLogEvent WHERE "SourceName='Microsoft-Windows-DNS-Server-Service' AND LogFile='DNS Server' AND EventCode=2501" Check whether AD Bridge All Site Links is enabled or not (0x2) dsquery * "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,dc=domain,dc=local" -attr options -scope base Check whether Domain Controllers are responding on LDAPS for /f %i in ('dsquery server -o rdn') do adfind -h %i:636 -default -s base Display a tree-like structure using the canonical name of OUs dsquery * -filter "(&(objectClass=OrganizationalUnit)(objectCategory=OrganizationalUnit))" -attr canonicalName | sort Quickly count the number of files on a drive c:\util\ndff.exe c: Query information from the Dell WMI namespace (doesn't show disk status though) wmic /node:%server% /namespace:\\root\cimv2\dell path dell_cmdevice Check the firewall status for the domain profile from a number of servers for /f %i in (Servers_20120117.txt) do @for /f "tokens=3" %m in ('"reg query \\%i\hklm\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile /v EnableFirewall | find /i "enablefire" & if errorlevel 1 echo 1,2,NotFound"') do @echo %i,%m Find 1031 outgoing SMTP messages from Exchange 2003 message tracking logs findstr /i "\<1031>" "\\server01\d$\Program Files\Exchsrvr\exch01.log\20120122.log" | find /i /v "postmaster@" | find /i /c "1031" Report directory usage of a directory and subdirectories du -c -v c:\temp Dump loaded DLLs and versoin information listdlls -v Find TCP network connections on a remote machine using SNMP snmputil walk localhost public .1.3.6.1.2.1.6.13.1.1 Query events from a 2008 event log wevtutil qe System /q:"*[System[Provider[@Name='EventLog']]]" /e:events > events.xml 
Create an eventlog entry eventcreate /T ERROR /ID 1000 /L APPLICATION /D "Test" Find proxy addresses filtered by SMTP type from a user account adfind -b %i name mail displayName proxyaddresses -list -nocsvheader -mvfilter proxyaddresses=smtp Query the SCP used by Autodiscover in Exchange 2007 dsquery * "CN=domain.local,CN=Microsoft Exchange Autodiscover,CN=Services,CN=Configuration,DC=domain,DC=local" -attr * Parse IIS logs for OWA connections findstr "SEARCH.\/exchange/.*\/Inbox" ex120130.log Query SCCM sites and site servers wmic /namespace:\\root\sms\site_S01 /node:server01 path SMS_Site Query SCCM folders wmic /namespace:\\root\sms\site_S01 /node:"server01" path SMS_ObjectContainerNode Query the IPMI WMI classes for Baseboard Management Controller (BMC) info wmic /node:server01 /namespace:\\root\hardware path NumericSensor Query the IPMI WMI classes for recent SEL events wmic /node:server01 /namespace:\\root\hardware path LogRecord Where "MessageTimestamp > '20120110144951.000000+600'" Get MessageTimestamp,Description Run Dell omreport to check disk status information from remote servers for /f %i in (c:\temp\servers.txt) do psexec \\%i "C:\Program Files (x86)\Dell\SysMgt\oma\bin\omreport.exe" storage pdisk controller=0 > %i_physicaldisk.txt Query IPMI for drive information (sometimes can tell disk failure) wmic /node:server01 /namespace:\\root\hardware path Sensor Where "Name like 'Drive%'" Get Name,Description,CurrentState Query a number of workstations for cross-forest logons for /f %i in (c:\temp\servers.txt) do @dumpel -s %i -l application -m Userenv -e 1109 >> WorkstationCrossForestLogons.txt Delete shadow copies (allows deleting backup shadows) diskshadow delete shadows ID {shadowID} Delete Internet Explorer policy restrictions prevending showing option tabs reg delete "hku\S-1-5-21-3554533865-731492840-16770200-2139\software\policies\microsoft\internet explorer\control panel" Find the Exchange 2007 AutoDiscover binding URL dsquery * 
"CN=server01,CN=Autodiscover,CN=Protocols,CN=server01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,dc=domain,dc=local" -attr * Find the owner of an AD object dsacls "CN={9596758E-5ADC-4639-A3A4-812835D92F6F},CN=Policies,CN=System,dc=domain,dc=local" /A Find the default security descriptor applied to OU objects adfind -b "CN=Organizational-Unit,CN=Schema,CN=Configuration,dc=domain,dc=local" defaultSecurityDescriptor Automatic analysis of a memory dump created from a bugcheck/stop error C:\Program Files\Debugging Tools for Windows (x64)\dumpchk.exe SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols memory.dmp Use SCCM Remote Control (requires rc.exe and rdpencom.dll) rc 1 server01 \\sccm01 IIS logs on 2008 R2 IIS7 servers \\%server%\c$\inetpub\logs\logfiles\W3SVC1\u_ex120317.log Query IIS logs for OWA activity logparser "SELECT cs-username, Count(*) AS OWAHits from c:\temp\u_ex120317.log WHERE cs-uri-stem LIKE '%OWA%' AND cs-username IS NOT NULL GROUP BY cs-username ORDER BY OWAHits Desc" -rtp:-1 Use LogParser to read event logs "c:\Program Files\Log Parser 2.2\logparser" -i:evt "Select * from \\server01\system Where EventID = 1" Use LogPartser to parse IIS logs for OWA statistics logparser "SELECT cs-username, Count(*) AS OWAHits from \\server01\C$\INETPUB\LOGS\LOGFILES\W3SVC1\u_ex12031*.log WHERE cs-uri-stem LIKE '/owa/%' AND cs-username IS NOT NULL GROUP BY cs-username ORDER BY OWAHits Desc" -rtp:-1 Export local security policy with rights merged with domain policy secedit /export /cfg security_domain.txt /mergedpolicy /areas user_rights Export local security policy, including local and domain policy settings secedit /export /cfg security.txt /areas user_rights List all DFSR replication groups dfsradmin rg list /attr:all List all DFSR replication group memberships dfsradmin Membership list /rgname:domain\share\dfs01 /attr:all List all DFSR replication 
connections dfsradmin conn list /rgname:domain\share\dfs01 Forcefully take ownership of files takeown /f *.* /A /R Query FEP forefront endpoint protection infection status wmic /namespace:\\root\Microsoft\SecurityClient path AntimalwareInfectionStatus Query the local anti-virus product wmic /namespace:\\root\SecurityCenter path AntiVirusProduct Query the local firewall product wmic /namespace:\\root\SecurityCenter path FirewallProduct Query an SCCM client for console user information wmic /namespace:\\root\cimv2\sms path sms_systemconsoleuser Query an SCCM client for top console user wmic /namespace:\\root\cimv2\sms path sms_systemconsoleusage Query profile last login information wmic /node:server01 path Win32_NetworkLoginProfile get Name,LastLogon Show the SDDL string for an ACL (redirect to console) icacls \\server\share\directory /save con Export ETL files to CSV tracerpt MPTrace-04162012-125657.bin -o test.csv -of csv Find the primary SMTP address and samaccountname from all mail-enabled users adfind -b DC=domain,DC=local -f "(&(objectclass=User)(objectCategory=Person)(mailnickname=*))" samaccountname proxyaddresses -csv -nodn -mvfilter proxyaddresses=SMTP -mvfiltercs > mailPrimary_20120310.txt Use the SQL stored procedure to return column name and data type information Sp_help TableName Install the PowerShell Active Directory module on a 2008 R2 server servermanagercmd -install RSAT-AD-PowerShell Query the MX records for the specified domain nslookup -type=mx domain.com 192.168.10.10 Query the managedObjects (managedBy back) to show managed groups dsquery * "CN=user01,DC=domain,DC=local" -attr managedObjects ADLDS LDAP debugging (logged to event viewer) reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADAM_Test\Diagnostics /v "15 Field Engineering" /d 0x5 /t reg_dword & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADAM_Test\Parameters" /v "Expensive Search Results Threshold" /d 0x1 /t reg_dword Produce a sorted lits of OUs adfind 
-b dc=domain,dc=local -f "(&(objectClass=OrganizationalUnit)(objectCategory=OrganizationalUnit))" canonicalName description -csv -nocsvheader -nodn | sort > OU_ORG_20120614.csv View all settings from a single window md c:\temp\GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} Anonymous bind to AD to query an object (operations error?) adfind -b DC=domain,DC=local -h dc01 -f "(&(objectClass=User)(objectCategory=Person)(samaccountname=user01))" -u -simple Check whether SID filter (SID History) will be allowed across forest trusts Netdom trust domain.local /domain domain.local /EnableSIDHistory Query SCCM site information from Active Directory dsquery * "CN=System Management,CN=System,DC=domain,DC=local" -filter (objectClass=mSSMSSite) -attr mSSMSSiteCode mSSMSAssignmentSiteCode mSSMSRoamingBoundaries Query SCCM management point information from Active Directory dsquery * "CN=System Management,CN=System,DC=domain,DC=local" -filter (objectClass=mSSMSManagementPoint) -attr mSSMSSiteCode mSSMSMPName Query SCCM Service Locator Points (stored as SCPs) from Active Directory dsquery * "CN=System Management,CN=System,DC=domain,DC=local" -filter (objectClass=mSSMSServerLocatorPoint) -attr mSSMSSiteCode mSSMSMPName Find disabled user accounts without msExchMasterAccountSid set adfind -b dc=domain,dc=local -f "(&(objectClass=User)(objectCategory=Person)(msExchUserAccountControl=2)(!(msExchMasterAccountSid=*)))" msExchMasterAccountSid distinguishedName -alldc -csv -nodn Find enabled user accounts that have msExchMasterAccountSid set adfind -b dc=domain,dc=local -f "(&(objectClass=User)(objectCategory=Person)(msExchUserAccountControl=0)(msExchMasterAccountSid=*))" msExchMasterAccountSid distinguishedName -alldc -csv -nodn Restore the default domain controllers and default domain policy dcgpofix /target:both Query token groups for a resource forest access ntdsutil "group membership evaluation" "set account dc dc01" "set resource dc rdc01" "run domain user01" Query token suze for a 
resource forest access request (run on resource server) tokensz /compute_tokensize /user:usetest /domain:dom /password:Passw0rd /dump_groups Query group membership for the current access token whoami /groups Query SCCM packages and export to a CSV file wmic /namespace:\\root\sms\site_org /node:"sccm01" path SMS_package get * /format:csv > sms_packages.csv Use netdom to query the local FSMO role holders netdom query fsmo Query IIS logs to find Exchange OWA connections echo SELECT cs-username, Date INTO STDOUT FROM \\server01\c$\inetpub\logs\LogFiles\W3SVC1\*,\\server02\c$\inetpub\logs\LogFiles\W3SVC1\* WHERE (cs-username IS NOT NULL) AND (sc-status = 200) AND (cs-uri-stem = '/owa/') AND (c-ip like '10.6%') GROUP BY Date, cs-username > c:\temp\WebAccess.sql & "c:\Program Files\Log Parser 2.2\LogParser.exe" file:c:\temp\WebAccess.sql -i:IISW3C -o:CSV > OWA_ExternalAccess_20120828.csv Reset the EV client cd "C:\Program Files\Microsoft Office\Office14" & "c:\Program Files\Enterprise Vault\EVClient\ResetEVClient.exe Query SCCM Asset Intelligence user last logon information sqlcmd -S sql01\sccm -d sccm -W -s "," -Q "SET NOCOUNT ON;Select distinct v_R_System.Netbios_Name0 AS 'Computer', v_R_System.AD_Site_Name0 AS 'AD Site', v_GS_SYSTEM_CONSOLE_USER.SystemConsoleUser0 AS 'Console User',v_GS_SYSTEM_CONSOLE_USER.NumberOfConsoleLogons0 AS 'Console Logons',v_GS_SYSTEM_CONSOLE_USER.TotalUserConsoleMinutes0 AS 'Total Minutes on Console',v_GS_SYSTEM_CONSOLE_USER.LastConsoleUse0 AS 'Last Console Use' from v_R_System INNER JOIN v_GS_SYSTEM_CONSOLE_USER ON v_GS_SYSTEM_CONSOLE_USER.ResourceID = v_R_System.ResourceID" > c:\temp\SCCM_AI_ConsoleUsers_20121030.txt Find the FIM 2010 Service/Portal database server and name reg query \\fimservice\hklm\System\CurrentControlSet\Services\FIMService | find /i "database" Find the FIM 2010 Synchronisation Service database informtaion reg query \\fimsync\hklm\System\CurrentControlSet\Services\FIMSynchronizationService\Parameters Find the database 
recovery model for SQL databases on the specified server sqlcmd -S sql01\db01 -d master -W -s "," -Q "SELECT name AS [Database Name], recovery_model_desc AS [Recovery Model] FROM sys.databases" Performance Collector and viewer for ETW/ETL files PerfView.exe Clear DNS server cache dnscmd dc01 /clearcache Reset a locked user account dsmod user -disabled no "CN=user1,OU=Users,DC=domain,dc=local" Find DNS unconditional forwarders for a DNS server dnscmd /info Find full access and send-as mailbox rights for Exchange 2003 adfind -b "CN=user1,OU=Users,DC=domain,dc=local" msExchMailboxSecurityDescriptor ntsecuritydescriptor -alldc -sddc++ -resolvesids -mvfilter msExchMailboxSecurityDescriptor="FULL MBX";ntsecuritydescriptor="Send As" Grant the AD right to poll for directory changes dsacls "DC=domain,dc=local" /G "domain\group:CA;Replicating Directory Changes" Find PCNS targets in Active Directory dsquery * "CN=System,DC=domain,DC=local" -filter "(objectclass=mS-MIIS-PCNS-Target)" -attr * Regular expression for numbers with spaces or brackets '^[\d() -]+$' Dump PCNS successfull password change logs dumpel -s fimsync -l application -e 6902 -d 2 -m FIMSynchronizationService > c:\temp\PCNS_SuccessfulChanges.txt Access terminal services shared drives \\tsclient\c\temp Query the logical names from a file backup set RESTORE FILELISTONLY FROM disk='e:\temp\DB1.BAK' Restore a SQL database, moving the files to new locations RESTORE DATABASE "DB1" FROM DISK='e:\temp\DB1.BAK' WITH MOVE 'DB1' TO 'e:\MSSSQL\Data\db1.mdf', MOVE 'DB1_log' TO 'f:\MSSSQL\Log\DB1_log.ldf'; GO Create a scheduled task that runs every day between 6am-6pm SCHTASKS /Create /S fimservice /RU domain\user /RP Password /SC DAILY /MO 1 /TN "Repeated task" /TR ".\task.bat" /ST 06:00 /DU 12:00 Audit mailbox folder permissions (works on Ex2007 to mailbox servers) PFDAVAdmin.exe Custom pfdavadmin filter to only export calendar permissions (&(0x3001001E=Calendar)) Parse IIS logs on Exchange 2007 for OWA access "c:\Program 
Files\Log Parser 2.2\LogParser.exe" file:c:\temp\WebAccess.sql -i:IISW3C -o:CSV > OWA_InternalAccess_20120828.csv (sql: SELECT cs-username, Date INTO STDOUT FROM \\server01\c$\inetpub\logs\LogFiles\W3SVC1\*,\\server02\c$\inetpub\logs\LogFiles\W3SVC1\* WHERE (cs-username IS NOT NULL) AND (sc-status = 200) AND (cs-uri-stem = '/owa/') AND (c-ip like '10.6%') GROUP BY Date, cs-username) View FIM trace logs svcTraceViewer.exe (win 7 sdk) Boot disk to reset the local administrator password cd080802.zip Start Outlook with RPC diagnostics "C:\Program Files\Microsoft Office\Office14\outlook.exe" /rpcdiag Reset the protected flag on an AD ACL dsacls "CN=user01,DC=domain,DC=local" /P:N Find the Exchange autodiscover SRV record from DNS nslookup -type=srv _autodiscover._tcp.domain.local Verify a certificate's validity and CRL check certutil -v -f -urlfetch -verify certificate.cer Display the certificate URL cache entries certutil /urlcache Delete all certificate URL cache entries certutil /urlcache * delete Start the GUI to access the stored usernames (manage passwords) applet control userpasswords2 (then click on 'manage passwords') Add a stored credential for a SQL instance to use with trused windows auth cmdkey /add:sql01.domain.com:49709 /user:domain\user01 /pass Enable Internet Explorer add-on management (if disabled by policy) reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v NoExtensionManagement /d 0x0 tracert with increased buffer size and higher timeout c:\util\ftrace.exe -l 2048 -d -w 5000 host.domain tracert with increased buffer size and lower timeout with 10 pings per hop c:\util\ftrace.exe -l 2048 -d -w 500 -i 10 host.domain Use outlook.exe to remove connected calendars and hidden messages (migration) outlook.exe /resetnavpane Find the domain/forest functinoal levels adfind -sc modes Find the major revision of the forest dsquery * CN=ActiveDirectoryUpdate,CN=ForestUpdates,CN=Configuration,dc=domain,dc=local -attr revision 
Find the ADDS Domain Controller capabilities from the directory for /f "tokens=*" %i in ('dsquery server') do @adfind -b "CN=NTDS Settings,%~i" msDS-Behavior-Version -s base -csv -alldc -nocsvheader Unlock a user account dsmod user "CN=user01,DC=domain,DC=local" -disabled no Check FIM performance counters and re-enable lodctr.exe /q:FIMSynchronizationService && lodctr.exe /e:FIMSynchronizationService Find the CLR version used by all processes running on the local computer clrver -all List the assemblies in the Global Assembly Cache on the local computer gacutil -l Query for global security groups dsquery * -filter "(&(objectClass=Group)(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483646))" -limit 0 Query for local security groups dsquery * -filter "(&(objectClass=Group)(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483644))" -limit 0 Query for universal security groups dsquery * -filter "(&(objectClass=Group)(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483640))" -limit 0 Query Exchange 2010 EAS informatino from AD objects dsquery * "CN=ExchangeActiveSyncDevices,CN=user01,OU=Users,DC=domain,DC=local" -filter (objectClass=msExchActiveSyncDevice) -attr msExchDeviceUserAgent msExchFirstSyncTime msExchDeviceModel msExchDeviceFriendlyName VSS administration on 2003 (VSS 7.2 SDK) vshadow.exe Resynchronise performance counters with WMI WINMGMT.EXE /RESYNCPERF Query for an AD object using Ambiguous Name Resolution (ANR) set dsquery * -filter (anr=martin) Find attributes in the Partial Attribute Set replicated to Global Catalog DCs adfind -b "CN=Schema,CN=Configuration,DC=domain,DC=local" -f "(&(objectclass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" -csv > gc_pas.txt Check the telephone number attribute for index information (searchFlags) adfind -b "CN=Telephone-Number,CN=Schema,CN=Configuration,DC=domain,DC=local" -alldc Open a specific folder with OWA (still requires full access to the mailbox) 
https://owa.domain.local:443/owa/default.aspx?cmd=contents&module=calendar Query AD with LDAP server controls adfind -b CN=group1,OU=Groups,DC=domain,DC=local whenchanged -h 192.168.10.10 -alldc -srvctls 1.2.840.113556.1.4.417;1.2.840.113556.1.4.529;1.2.840.113556.1.4.2065 (LDAP_SERVER_SHOW_DELETED_OID, LDAP_SERVER_EXTENDED_DN_OID, LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID) Install the system.web.security.singlesignon.dll class on 2008 R2 for claims servermanagercmd -install ADFS-Claims Show cached/stored credentials GUI rundll32.exe keymgr.dll, KRShowKeyMgr Start a system command prompt interacting with the specified RDP session psexec \\server01 /s /i 2 /d cmd Parse Exchange IIS logs to find ActiveSync connections "c:\Program Files\Log Parser 2.2\LogParser.exe" "SELECT cs-username, Count(*) AS EASHits from \\cas01\c$\inetpub\logs\LogFiles\W3SVC1\u_ex130919.log,\\cas02\c$\inetpub\logs\LogFiles\W3SVC1\u_ex130919.log WHERE cs-uri-stem LIKE '%Microsoft-Server-ActiveSync%' AND cs-username IS NOT NULL GROUP BY cs-username ORDER BY EASHits Desc" -i:IISW3C -o:CSV > c:\temp\2010_EAS2_20130919.csv Parse Exchange IIS logs to find ActiveSync connections per device "c:\Program Files\Log Parser 2.2\LogParser.exe" "SELECT cs-username AS UserID, cs(User-Agent) AS DeviceType, count (*) FROM \\cas01\c$\inetpub\logs\LogFiles\W3SVC1\u_ex130919.log,\\cas02\c$\inetpub\logs\LogFiles\W3SVC1\u_ex130919.log WHERE cs-uri-stem LIKE '%Microsoft-Server-ActiveSync%' AND cs-username IS NOT NULL GROUP BY UserID, DeviceType ORDER BY UserID" -i:IISW3C -o:CSV > c:\temp\2010_EAS2ByDevice_20130919.csv Show the replication metadata for the specified AD object repadmin /showobjmeta dc01 "CN=group1,OU=Groups,DC=lands,DC=domain,DC=local" Show pending file rename operations reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations Use the LDAP in chain matching rule to recursively find members of a group dsquery * -filter 
"(memberOf:1.2.840.113556.1.4.1941:=CN=group1,OU=Groups,DC=lands,DC=domain,DC=local)" -s dc01 Open the 'choose profile' dialog box start outlook /profiles Use mfcmapi to view the message class and details of items mfcmapi | Session | Logon and Display Store Table Exchange 2010 exfolders (pfdavadmin replacement) "\\cas01\c$\Program Files\Microsoft\Exchange Server\V14\Bin\ExFolders.exe" Query for Exchange 2010 user mailboxes adfind -b "OU=Shared Mailboxes,DC=domain,DC=local" -s onelevel -f "(&(objectClass=User)(objectCategory=Person)(msExchVersion=44220983382016))" samaccountname useraccountcontrol msexchmasteraccountsid -alldc -csv > SharedMailboxes_20131205.csv Query lastlogon from every Domain Controller repadmin /showattr * "CN=user01,OU=Users,DC=domain,DC=local" /attrs:lastLogon Set the unconditional DNS forwarders for a server dnscmd dns01 /ResetForwarders 192.168.10.1 192.168.10.2 Query NTFS journal USN (buggy) usnjournalproject.exe Query the fine-grained password policy settings from AD dsquery * "CN=Password Settings Container,CN=System,DC=domain,DC=local" Download symbols for windbg debugging symchk /r c:\windows\system32\*.dll SRV*c:\windows\temp\symbols*http://msdl.microsoft.com/download/symbols Find Outlook Auto Mapping attributes for links/backlinks dsquery * -filter "(&(objectclass=user)(objectcategory=person)(|(msexchdelegatelistbl=*)(msexchdelegatelistlink=*))(extensionattribute5=DSITIA-Science))" -attr displayname msexchdelegatelistbl msexchdelegatelistlink Access a shadow copy using a previous versions token pathname extension dir \\server01\data\@GMT-2014.06.29-23.00.07\dir1 Extract an ISO file with 7ZIP "C:\Program Files\7-Zip\7z.exe" x -y -oC:\temp\ISOFiles c:\downloads\cd1.iso Modify the current power configuration to disable standby for AC power powercfg -x -standby-timeout-ac 0 Query tombstoned AD objects adfind -b dc=domain,dc=local -showdel -f isdeleted=TRUE > deletedObjects_20141014.txt Query the current credential providers (gina/winlogon 
notification replacement) reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication" /s Show a list of supported scenarios for netsh ETL tracing netsh trace show scenarios Query SCOM Audit Collection Services (ACS) database for 2008 creation events select top 10 * from adtserver.dvall5 where EventId = 4720 Purge kerberos tickets from the system login ID klist -li 0x3e7 purge Disable hybrid sleep in the balanced power plan powercfg -SETACVALUEINDEX 381b4222-f694-41f0-9685-ff5bb260df2e 238c9fa8-0aad-41ed-83f4-97be242c8f20 94ac6d29-73ce-41a6-809f-6363ba21b47e 0 Disable sleep in the balanced power plan powercfg -SETACVALUEINDEX 381b4222-f694-41f0-9685-ff5bb260df2e 238c9fa8-0aad-41ed-83f4-97be242c8f20 29f6c1db-86da-48c5-9fdb-f2b67b1f44da 0 Disable hibernate in the balanced power plan powercfg -SETACVALUEINDEX 381b4222-f694-41f0-9685-ff5bb260df2e 238c9fa8-0aad-41ed-83f4-97be242c8f20 9d7815a6-7ee4-497e-8888-515a05f02364 0 Disable NLA in an .RDP file for remote desktop/terminal services enablecredsspsupport:i:0 Rename an AD object dsmove "CN=user1,OU=Users,DC=domain,DC=local" -newname user2 -s dc01 Query an entire SQL database and all tables for the specified string c:\util\QuerySQLDatabase.sql Access a SharePoint server using a non-standard port using UNC \\teamsite@5001\folder1\folder2\folder3 Perform a network capture on a Server 2012 server Netsh Trace start capture = yes (followed by: Netsh Trace stop) Show the domain-wide password policy net accounts /domain Check if pending reboot required prevents software installation (eg SQL 2008) reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired Find the SharePoint content databases and server stsadm -o enumcontentdbs -url http://localhost Query virtual directories on an IIS 7.x server (web or FTP) appcmd list vdir & appcmd list site Add an alternate computer name to AD netdom COMPUTERNAME servernew /add serverold.domain.local List the audit policy 
categories available auditpol /list /category /v List the audit policy subcategories available for the specifid category auditpol /list /subcategory:"Object Access" Modify the LM compatibility level to NTLMv2 only for RDP 8.1 (no reboot req.) reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA /v LMCompatibilityLevel /d 0x3 /t reg_dword Show process permissions and token information accesschk -p explorer.exe -f Query the volume shadow copies available volrest \\server01\Test1_20151007 List the certificate enrolment policy templates certutil -template Add a firewall rule to allow TCP:8080 inbound netsh advfirewall firewall add rule name="Allow Tomcat In" dir=in protocol=TCP localport=8080 action=allow Run a manual sync with ADConnect "C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe" MIISClient console for ADConnect "C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe" Enable logging dropped local firewall connections netsh advfirewall set domainprofile logging droppedconnections enable Create a virtual RAM disk (not accessible through VIclient) imdisk -a -s 536870912 -m R: -o rem -p "/fs:ntfs /q /y" Create a virtual floppy disk backed by file (flp can be mounted through vi) imdisk -a -s 1440K -f c:\temp\test1.flp -m R: -o fd -o shared -p "/fs:fat /q /y" Return AD search index information on a query adfind -b dc=domain,dc=local -f "(&(objectClass=User)(objectCategory=Person)(extensionattribute2=test))" samaccountname -stats+only Extract cabinet files from patches (MSP) msix patch.msp /out . 
Find the supported SASL mechanisms of a directory adfind -rootdse -s dc01 LDAP client tracing reg add HKLM\System\CurrentControlSet\Services\ldap\tracing\Microsoft.IdentityServer.ServiceHost.exe & logman create trace ldap -p {099614a5-5dd7-4788-8bc9-e29f43db28fc} 0x1FFFDFF3 -o .\ldap.etl & logman start ldap & pause & logman stop ldap & tracerpt.exe ldap.etl -o ldap2.csv -of CSV Evalute SID count and token size for a user dsmgmt "group membership evaluation" "run lands user01" quit quit Run AdminSDHolder / SDProp process on PDC emulator admod -sc runpag -h dc01.domain.local Change the owner of a database to a SQL login ALTER AUTHORIZATION ON DATABASE::Orchestrator TO [sa]; Enable RDP remotely reg add "\\pc\HKEY_LOCAL_MACHINE\software\policies\microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /d 0x0 /t reg_dword & sc \\pc stop termservice & sc \\pc start termservice Find attributes marked as confidential dsquery * CN=Schema,CN=Configuration,DC=domain,DC=local -filter "(searchFlags:1.2.840.113556.1.4.803:=128) Query LAPS password and expiration dsquery * -filter "(&(objectClass=Computer)(objectCategory=Computer)(ms-mcs-admpwd=*))" -s dc01 -attr name ms-mcs-admpwd ms-Mcs-AdmPwdExpirationTime Query global and universal groups an account is a memberof adfind -b "CN=user01,OU=Users,DC=domain,DC=local" -s base TokenGroupsGlobalAndUniversal Query for expiring user accounts adfind -b "OU=Users,DC=domain,DC=local" -f "(&(objectClass=User)(objectCategory=Person)(!(|(accountExpires=9223372036854775807)(accountExpires=0))))" samaccountName accountexpires -alldc -csv > ExpiringAccounts_20170410.csv Show current SQL server processes and blocks/locks EXEC sp_who2 Start a process as the 'Network Service' account on an RDP session psexec \\pc /i 3 /u "nt authority\network service" cmd.exe Decrypt a bitlocked encrypted volume manage-bde -off c: Find the per-service SID for a service sc showsid dnscache Apply permissions to a per-service SID icacls file.txt /grant 
*S-1-5-80-1458370022-919992539-2723553652-3559830572-560683627:(D,WDAC)

Export a task to XML
schtasks /query /xml /tn "daily delta sync" > "c:\temp\Daily.xml"

Create a task from XML
schtasks /create /xml "c:\temp\Daily.xml" /ru domain\svc_account /rp * /tn "Daily Delta Sync"

Upgrade from standard to datacentre 2008 R2 using KMS datacentre key
dism /online /set-edition:ServerDatacenter /productkey:74YFP-3QFB3-KQT8W-PMXWJ-7M648 /AcceptEula

Find the .Net Framework 3.5 version installed
reg query "\\server01\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5"

Find the .Net 2.0 CLR version (used by .Net 3.5)
filever \\server01\c$\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll

Check the HTTP listener session status
netsh http show servicestate view="session"

Enable http.sys verbose ETW tracing
logman start httptrace -p Microsoft-Windows-HttpService 0xFFFF -o c:\temp\httptrace.etl -ets

Kill a TCP connection
wkillcx.exe 192.168.10.10:5725

Modify the default TTL you see when pinging a machine (default 128)
netsh int ipv4 set glob defaultcurhoplimit=63

Wait for a crashdump for the specified process and write a full dump
Procdump.exe -t -ma -o Microsoft.ResourceManagement.Service.exe C:\CrashDumps

Enable SCHANNEL informational logging
reg add \\server01\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL /v EventLogging /d 0x7 /t reg_dword

Show the current firewall profile
netsh advfirewall show currentprofile

Show Win 10 Azure device registration status
dsregcmd.exe /status

Disable NetBIOS over TCP/IP
wmic nicconfig get caption,index,TcpipNetbiosOptions & wmic nicconfig where index=7 call SetTcpipNetbios 2

Query stored credentials
vaultcmd /listcreds:"Windows Credentials" /all

Find registry hives loaded
reg query \\server01\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

Query ETL providers
logman query providers

Find the certificate a host is using for https
nmap.exe -n -Pn -p443 outlook.office.com --script ssl-cert

Query DNS Conditional forwarders
reg query "\\dc01\hklm\software\microsoft\windows nt\currentversion\DNS Server\Zones\domain.local"

Temporarily disable policy and allow basic auth for WinRM
reg add "HKLM\Software\Policies\Microsoft\Windows\WinRM\client" /v AllowBasic /d 0x1 /t reg_dword & winrm set winrm/config/service/auth '@{Basic="true"}'

Find the public key token of a DLL
"c:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.6 Tools\sn" -T c:\temp\MicrosoftServices.IdentityManagement.WorkflowActivityLibrary.dll

Grant permissions to the private keys of a certificate using RK tools
WinHttpCertCfg.exe -g -c LOCAL_MACHINE\My -s "Server Data Encryption" -a "domain\svc_service"

Start an elevated command prompt as another user
runas /user:domain\user01 "powershell.exe -command \"start-process -verb runas cmd\""

Find tokenGroups to show SIDs of groups a person is a member of
adfind -b "CN=user01,OU=Users,DC=domain,DC=local" -s base tokengroups

Find the SDDL for the specified event log on a remote computer
wevtutil gl /r:dc01 security

Update the SDDL for the specified event log on a remote computer
psexec \\dc01 wevtutil sl Security /ca:O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)(A;;CC;;;NS)

Show the ephemeral dynamic RPC port range currently configured
netsh int ipv4 show dynamicport tcp

Show the Windows Firewall filters matching run-time IDs in event logs
Netsh.exe WFP Show State

Query BitLocker recovery information confidential attribute from AD
dsquery * -filter "(&(objectClass=msFVE-RecoveryInformation))"

Check the schema to see if an attribute is confidential (searchFlags=0x128)
adfind -b "CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=domain,DC=local" -alldc searchflags

Redirect the output of a command to the clipboard
dsquery user -samid user01 | clip

sysinternals TCP network connectivity check
psping fimservice:5725

Query the triggers for a service (ie stop when not domain joined)
sc qtriggerinfo w32time

View SharePoint log files, and Outlook trace files
ulsviewer.exe

List the certificate templates from a CA
certutil -CATemplates -config "CA1.domain.local\Internal Issuing CA 1 SHA256"

View the alternate data streams in a file
streams

Query the DNS block list
dnscmd dc1.domain.local /info /globalqueryblocklist

Export security policy on a 2016 Core DC
secedit /export /cfg c:\windows\temp\security.inf /log c:\windows\temp\sec.log

Query accounts configured with unconstrained delegation
dsquery * -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=524288))"

Query for people who don't have domain users as primary group
adfind -b "OU=Users,DC=domain,DC=local" -f "(&(objectClass=User)(objectCategory=Person)(!primarygroupID=513))" samaccountname -csv

Revert Windows 10 to the old Alt+Tab experience
reg add HKEY_USERS\S-1-5-21-123660284-1234560955-123430997-1234\Software\Microsoft\Windows\CurrentVersion\Explorer /v AltTabSettings /t reg_dword /d 0x1

Set the number of explorer thumbnails to 1 so they're stacked with 2+ instances
reg add HKEY_USERS\S-1-5-21-123660284-1234560955-123430997-1234\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband /v NumThumbnails /t reg_dword /d 0x1
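
The two wevtutil entries above read and write an event log's SDDL; before applying one it helps to see who it lets read or clear the log. The following Python decoder is an added example, not code from the original post, and its function and table names are made up for illustration. It assumes the event log access bits are 0x1 read, 0x2 write and 0x4 clear, and it evaluates allow ACEs only.

```python
import re

# SDDL two-letter right codes -> access mask bits (only the codes used here).
SDDL_CODES = {"CC": 0x1, "DC": 0x2, "LC": 0x4,
              "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
# What those bits mean on an event log channel, plus the standard rights.
BIT_NAMES = {0x1: "read", 0x2: "write", 0x4: "clear",
             0x10000: "delete", 0x20000: "read_control",
             0x40000: "write_dac", 0x80000: "write_owner"}
# Well-known SDDL trustee aliases that appear in the command above.
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "ER": "Event Log Readers", "NS": "Network Service"}

def rights_to_mask(rights):
    """Convert an SDDL rights field ('CCLC' or '0x5') to an integer mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in SDDL_CODES:
            raise ValueError(f"unhandled SDDL right: {code!r}")
        mask |= SDDL_CODES[code]
    return mask

def decode_channel_sddl(sddl):
    """Return one dict per ACE in the DACL of an event log channel SDDL."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        ace_type, _flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        mask = rights_to_mask(rights)
        aces.append({"type": "allow" if ace_type == "A" else ace_type,
                     "trustee": TRUSTEES.get(trustee, trustee), "mask": mask,
                     "rights": [n for b, n in BIT_NAMES.items() if mask & b]})
    return aces

def trustees_with(sddl, right):
    """List trustees whose allow ACEs grant the named right (e.g. 'clear')."""
    return [a["trustee"] for a in decode_channel_sddl(sddl)
            if a["type"] == "allow" and right in a["rights"]]

# The SDDL from the wevtutil sl command on this page.
PAGE_SDDL = "O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)(A;;CC;;;NS)"
if __name__ == "__main__":
    for ace in decode_channel_sddl(PAGE_SDDL):
        print(ace["trustee"], hex(ace["mask"]), ace["rights"])
```

Trustees without an alias in the table, such as a raw SID, are returned unchanged.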
Wayne's World of IT (WWoIT). 
