This comes up a lot: internal admins or management want the ability to track users' logons, but the native auditing is too complex to navigate.
The traditional way is to enable event log auditing of logons. Your domain needs to be configured to audit logon events: create a GPO and, under "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy", set "Audit logon events" to both Success and Failure, and apply it to the workstations. That setting produces the interactive logon and logoff events (4624 and 4634 on Vista/2008 and later) on the machine being logged on to, which is what you want for "who used which PC, and when". The related "Audit account logon events" setting belongs on the domain controllers: it records credential validation (Kerberos/NTLM), so it tells you who authenticated and from where, but not when they logged off. Once this is configured, you can use a tool such as ADAudit+ to generate reports from these events: http://www.manageengine.com/products/active-directory-audit/user-logon-audit-reports.html#workstation.
Another simple approach uses logon and logoff scripts.
- Create a shared folder on the network. In my example, I'll use "access". Users only need to create and append to files there, so give Authenticated Users the Write permission (create files / append data) on the share and on NTFS, not Full Control: if everyone has full access, any user can read, edit or delete anyone else's log. Even locked down this is not a tamper-evident audit trail (a user can still append bogus lines to their own file), so treat it as convenience reporting and keep the Security event log as the authoritative record.
- In that folder, create a folder called User and a folder called Computer (or just whichever one you want to use).
- Create a Login.bat batch file:
Name: Login.bat
Option 1:
rem The following line creates a rolling log file of usage by workstation
echo Log In %DATE% %TIME% %USERNAME% >> \\server\access\computer\%COMPUTERNAME%.log
Option 2:
rem The following line creates a rolling log file of usage by user
echo Log In %DATE% %TIME% %COMPUTERNAME% >> \\server\access\user\%USERNAME%.log
- Create a Logout.bat batch file:
Name: Logout.bat
Option 1:
rem The following line creates a rolling log file of usage by workstation
echo Log Off %DATE% %TIME% %USERNAME% >> \\server\access\computer\%COMPUTERNAME%.log
Option 2:
rem The following line creates a rolling log file of usage by user
echo Log Off %DATE% %TIME% %COMPUTERNAME% >> \\server\access\user\%USERNAME%.log
- Put these two files somewhere users can read but not write. In practice that means the GPO's own Scripts folder in SYSVOL rather than the access share itself: a logon script runs in the context of every user who logs on, so a script sitting in a share that users can write to is an easy way for someone to get their code onto every workstation.
- Create a GPO. Under "User Configuration\Windows Settings\Scripts (Logon/Logoff)", add Login.bat to Logon and Logout.bat to Logoff.
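If you enabled "Audit logon events" as described above but don't want a third-party reporting tool, the Security log can be turned into a per-user session report directly. The script below is an added example, not code from the original post: it reads 4624/4634 from a machine's Security log, pairs each logon with its logoff through the TargetLogonId field, and lists the sessions. The -ComputerName and -Days parameters are assumptions (defaults: the local machine, last 7 days); it must run from an elevated PowerShell because reading the Security log needs admin rights.

```powershell
# Added example, not from the original post: summarise interactive logon/logoff sessions
# from the Security event log on a machine where "Audit logon events" is enabled.
# Run from an elevated PowerShell (reading the Security log needs admin rights).
# -ComputerName and -Days are assumed parameters; defaults are the local box, last 7 days.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

# Logon types that mean a person used the machine: 2 = console, 10 = RDP,
# 11 = cached credentials (laptop off the network). Service/network logons are skipped.
$interactiveTypes = 2, 10, 11

$filter = @{ LogName = 'Security'; Id = 4624, 4634; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    "No 4624/4634 events on $ComputerName in the last $Days days. Is logon auditing enabled there?"
    return
}

# Read named fields from the event XML instead of Properties[] by position:
# 4624 and 4634 put TargetLogonId and LogonType at different indexes.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$open   = @{}   # sessions keyed by TargetLogonId, which ties a 4634 back to its 4624
$report = New-Object System.Collections.Generic.List[object]

foreach ($e in ($events | Sort-Object TimeCreated)) {
    $type = [int](Get-EventField $e 'LogonType')
    if ($interactiveTypes -notcontains $type) { continue }
    $id     = Get-EventField $e 'TargetLogonId'
    $domain = Get-EventField $e 'TargetDomainName'
    # Windows 8+ logs the desktop window manager as an interactive logon; not a person.
    if ($domain -in 'Window Manager', 'Font Driver Host') { continue }

    if ($e.Id -eq 4624) {
        $open[$id] = [pscustomobject]@{
            User       = "$domain\$(Get-EventField $e 'TargetUserName')"
            Computer   = $ComputerName
            SourceIP   = Get-EventField $e 'IpAddress'
            LogonType  = $type
            LogonTime  = $e.TimeCreated
            LogoffTime = $null
            Duration   = $null
        }
    }
    elseif ($open.ContainsKey($id)) {
        $s = $open[$id]
        $s.LogoffTime = $e.TimeCreated
        $s.Duration   = $e.TimeCreated - $s.LogonTime
        $report.Add($s)
        $open.Remove($id)
    }
}

# Anything still in $open has a logon but no logoff: either still signed in, or the
# machine was powered off/crashed, so no 4634 was ever written.
foreach ($s in $open.Values) { $report.Add($s) }

$report | Sort-Object LogonTime |
    Format-Table User, LogonType, SourceIP, LogonTime, LogoffTime, Duration -AutoSize
```

Run it against each workstation (or, better, against a collector that receives forwarded Security logs), since the logon events live on the machine that was logged on to, not on the domain controller. Rows with an empty LogoffTime are sessions that are still open or that ended in a power loss.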
Thursday, February 27, 2014
Using cleanmgr.exe (Disk Cleanup) to cleanup old service packs and system files in Windows Server 2008 R2
Windows 7 and Windows 2008 R2 include a cool feature as part of the disk cleanup wizard that allows you to remove old service pack backup files to free up space on your C: drive / partition. Unfortunately it means installing the Desktop Experience which, besides having a bunch of crap you don't need, requires a reboot.
There is another (and better) way!
Simply copy cleanmgr.exe to C:\Windows\System32 from:
C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_c9392808773cd7da\cleanmgr.exe
and copy cleanmgr.exe.mui to C:\Windows\System32\en-US from:
C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9cb6194b257cc63\cleanmgr.exe.mui
(The version and hash parts of those folder names vary with patch level, so you can also just go into C:\Windows\winsxs and search for those two files.)
Now you can simply run cleanmgr.exe (you may need to navigate to it and run as administrator if you have UAC turned on) and select "Service Pack Backup Files". Once those backup files are gone the service pack can no longer be uninstalled, so do this only on a server you're happy to keep at that level.
Wednesday, February 19, 2014
How to upgrade an ASA OS remotely using FTP.
Sometimes I'm required to upgrade a Cisco ASA's OS remotely. Most Cisco admins are familiar with upgrading the OS using TFTP. Because TFTP uses UDP, remotely sending the OS via TFTP is not a good idea. (I'd tell you a joke about UDP, but you might not get it.)
To upgrade via FTP:
I use a FileZilla FTP server in active mode, so first disable passive mode (the ASA defaults to passive):
configure terminal
no ftp mode passive
Then use this copy command:
copy ftp://<Username>:<Password>@<IP Address>/asa825-k8.bin disk0:/asa825-k8.bin
So in my case (using a fake, invalid IP):
copy ftp://cisco:Passw0rd@107.12.631.147/asa825-k8.bin disk0:/asa825-k8.bin
Keep in mind that FTP sends the username, password and the image itself in cleartext, and the password also lands in your terminal history. Use a throwaway account that exists only for the transfer, and do the copy across the VPN or a management network rather than the open internet.
Next you're going to want to check the checksum. If you go to cisco.com, Support, and find your product's software downloads, you can see the MD5 by hovering over the file.
Use the command:
verify /md5 disk0:/asa825-k8.bin 97951eea5b35e0544ca9242e6818b39f
A match tells you the file on flash is the one Cisco published and not a truncated or corrupted transfer; it is not a cryptographic guarantee against a deliberately tampered image, but a mismatch means don't boot it. Once the checksum is verified, simply change your boot command:
boot system disk0:/asa825-k8.bin
..and remove any old boot system commands (no boot system disk0:/<old image>.bin), then write memory and confirm with show bootvar before you reload.
Use your iPad as a second monitor!
This is great for road warriors who are already carrying a laptop and an iPad.
Need a 2nd monitor that's light and easy? You can leverage your iPad as a 2nd monitor for your computer in Extended Desktop mode!
Air Display from Avatron.
http://www.avatron.com/apps/air-display/
Installs a tool on your PC/Mac, and an app on iOS. Cost is $10. Works over Wi-Fi. Pretty slick.
Tuesday, February 18, 2014
Why is my NIC labeled "Local Area Connection 2" or why am I getting the message "IP address you have entered for this network adapter is already assigned to another adapter"?
Say you notice that your network adapter is labeled "Local Area Connection 2" or you get a message that says "The IP address you have entered for this network adapter is already assigned to another adapter" when attempting to assign a static IP address.
This happens because a previously 'removed' network adapter hasn't actually been removed in Windows. This can be confusing, especially on virtual machines. Each NIC has a unique MAC address, so whenever a new one is installed a new adapter is created in Windows. Removing the old ones is actually pretty simple.
- Go to your Command Prompt. (In 2008 and above, you need to right click on the command prompt icon and run as administrator.)
- From the command prompt, type
SET DEVMGR_SHOW_NONPRESENT_DEVICES=1
and hit Enter.
- Then, from that same command prompt (the variable only applies to programs started from it), type
START DEVMGMT.MSC
and hit Enter.
- Device Manager will start. In Device Manager, click the View menu and select "Show hidden devices".
- Now under Network Adapters you will see the old network adapter (greyed out) and can remove it.
Monday, February 17, 2014
Why is Windows 8, 8.1, 2012, 2012 R2 not rebooting during the automatic updates maintenance window???
Have you had a client want to throw their computer out the window because Windows 8 rebooted right in the middle of their important conference call for no apparent reason?
And they wonder, weird, I had my computer sitting idle all night doing nothing, why didn't it reboot then?
Well, some idiot at Microsoft designed it this way. The thinking was something like, "I guess we don't want to reboot at 3 AM in case something is open, so we'll wait until 3 days after updates are installed, then start annoying the user with a restart timer once there is activity on the PC, which will force a reboot if ignored." The hilarious thing is, this affects 2012 Server. So admins who enabled automatic updates suddenly find production servers rebooting in the middle of the day! Nice job, Microsoft!
There is a fix. In 2012 R2 and 8.1 there is a group policy setting to change this behavior:
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time
On Windows 8 and 2012, you need to install the update rollup
http://support.microsoft.com/kb/2883201
By default this behavior will still exist though unless you change that GPO.
Thursday, February 13, 2014
Configuring Telnet or SSH access across a VPN tunnel on a Cisco ASA (8.4+ - 9.1)
Want to enable telnet / SSH management of a Cisco ASA across a VPN tunnel?
In 8.2 and below, you simply use the command:
management-access inside
You may have noticed that in 8.3 and later (the new NAT model) that alone no longer works. There you also need to add the route-lookup keyword to the NAT exemption (identity NAT) statement for your VPN traffic, so the ASA picks the egress interface from the routing table instead of from the NAT rule:
management-access inside
nat (inside,outside) source static LocalSubnet LocalSubnet destination static RemoteSubnet RemoteSubnet route-lookup
Of course, you need to enable telnet or SSH on the inside interface for the remote subnet:
ssh 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside
0.0.0.0 0.0.0.0 means any source; tighten it to the remote site's management subnet rather than leaving it open. (And don't use telnet, it's ghetto and insecure.)
Wednesday, February 12, 2014
Moving DHCP from one server to another and keeping all leases.
Moving DHCP from one server (2003-2012) to another, preserving all settings AND MOST IMPORTANTLY leases!
Export the DHCP database from the old server.
1. Log on to the source DHCP server by using an account that is a member of the local Administrators group.
2. Click Start, click Run, type cmd in the Open box, and then click OK.
3. Type netsh dhcp server export C:\dhcp.txt all, and then press ENTER.
Configure the DHCP server service on the new server.
1. Click Start, click Administrative Tools, click Server Manager. If needed acknowledge User Account Control.
2. In Roles Summary click Add Roles, click Next, check DHCP Server, and then click Next.
Import the DHCP database.
1. Copy the exported DHCP database file to the local hard disk of the new server.
2. Verify that the DHCP service is started on the new server.
3. Click Start, click Run, type cmd in the Open box, and then click OK.
4. At the command prompt, type netsh dhcp server import c:\dhcp.txt all, and then press ENTER, where c:\dhcp.txt is the full path and file name of the database file that you copied to the server.
Before you import, stop (or unauthorize) the DHCP service on the old server so two servers aren't handing out addresses from the same scopes at the same time, and authorize the new one in AD afterwards. The export file contains every scope, reservation and lease, so treat it like any other sensitive config and delete it once the move is verified.
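On 2012 and 2012 R2 the same move can be scripted with the DhcpServer module, which also carries the leases across and lets you verify them scope by scope. This is an added example, not part of the original post: it assumes both servers are 2012 or later (the cmdlets talk to the 2012 WMI provider, so for a 2003/2008 source use the netsh export above), that it runs on the new server, and that the hostnames and paths shown are placeholders. The account needs admin rights on both servers and Enterprise Admin rights to change DHCP authorization in AD.

```powershell
# Added example, not from the original post: the same move done with the DhcpServer
# module on Windows Server 2012 / 2012 R2 (run it on the new server, which has the module
# once the role is installed). $OldServer, $NewServer and the paths are assumed values.
# The account needs admin rights on both servers and Enterprise Admin rights to change
# DHCP authorization in AD.
$OldServer = 'dhcp-old.corp.example'
$NewServer = 'dhcp-new.corp.example'
$Export    = 'C:\dhcp-migration\dhcp.xml'
$Backup    = 'C:\dhcp-migration\backup'

New-Item -ItemType Directory -Path (Split-Path $Export) -Force | Out-Null

# 1. Export server options, scopes, reservations and, with -Leases, the live lease table.
Export-DhcpServer -ComputerName $OldServer -File $Export -Leases -Force

# 2. Take the old server out of service before importing, so two authorized servers never
#    answer for the same scopes at once.
$oldIp = (Resolve-DnsName $OldServer -Type A | Select-Object -First 1).IPAddress
Remove-DhcpServerInDC -DnsName $OldServer -IPAddress $oldIp
$oldSvc = Get-Service -ComputerName $OldServer -Name DHCPServer
$oldSvc.Stop(); $oldSvc.WaitForStatus('Stopped')

# 3. Import on the new server. -BackupPath is mandatory: the cmdlet saves the target's
#    existing DHCP configuration there before writing anything.
Import-DhcpServer -ComputerName $NewServer -File $Export -Leases -BackupPath $Backup -Force

# 4. Authorize the new server, restart its service so it re-reads authorization, and
#    confirm the leases actually came across scope by scope.
$newIp = (Resolve-DnsName $NewServer -Type A | Select-Object -First 1).IPAddress
Add-DhcpServerInDC -DnsName $NewServer -IPAddress $newIp
Restart-Service -Name DHCPServer
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $NewServer) {
    $leases = @(Get-DhcpServerv4Lease -ComputerName $NewServer -ScopeId $scope.ScopeId)
    '{0,-16} {1,-30} active leases: {2}' -f $scope.ScopeId, $scope.Name, $leases.Count
}

# The export file holds every reservation and lease; delete it once the move is verified.
```

The order matters: the old server is unauthorized and stopped before the import so that clients renewing during the switch only ever get answers from one server, and the lease counts at the end are what you compare against the old server's scope statistics before decommissioning it.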
Friday, February 7, 2014
How to log into a Windows Server 2008-2012 DC without knowing the domain name, OR how to log into a machine without knowing the local computer name.
Have you ever tried to RDP into a Windows Server 2008-2012 server and either a) wanted to log into a DC and didn't know the domain name, or b) wanted to log in using the local 'administrator' account but didn't know the PC's name?
In either scenario, simply put .\administrator
If it's a domain controller, you'll log in as domain\administrator (a DC has no local accounts); if it's not, you'll log into the local administrator account.
Thursday, February 6, 2014
Some cool websites (IT Tools)-
How about some cool websites?
Want to install and be able to update a bunch of common programs with one installer?
Want to monitor up to 100 domains for free, monitor for expiration date, DNS changes, etc.?
Need to mount an ISO on Windows 7? (Or 8 of them?)
Need to boot off of a CD or USB stick to scan a computer for viruses?
Need to extract ANY type of archive?
Want to know EVERYTHING about a computer?
Want to export mailboxes from an Exchange database file to a PST?
Wednesday, February 5, 2014
Turning on RDP Remotely (Windows XP and Windows 7)
Ever take a late night call from a user who is trying to remote into their office computer, and you need to enable RDP remotely so they can get in? Assuming a domain environment, it is pretty easy. This was easy in Windows XP: you could connect to the remote registry and turn it on.
Windows 7 blocks that (the Remote Registry service isn't running by default).
For Windows 7, from the server:
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
One minor issue: this doesn't poke a hole in the Windows Firewall. You'll need to temporarily disable it, log in, add RDP to the profile, then turn it back on.
From the server:
netsh -r ComputerName -u Username -p Password -c advfirewall set allprofiles state off
That will shut off the firewall (note the password goes on the command line and into your history). You can now RDP into the box, open RDP in the GUI in Windows Firewall, then turn it back on. A cleaner option that never leaves the box unprotected is to enable just the built-in "Remote Desktop" firewall rule group remotely, the same way you set the registry value, instead of switching the whole firewall off.
For Windows XP:
Just go into Regedit, File, Connect Network Registry.
Once connected go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
Change fDenyTSConnections to 0
If you need to turn off Windows Firewall, you can go to Computer Management, connect to the box, and stop the Windows Firewall service.
(DO NOT attempt this in Windows 7.)
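The Windows 7 steps above can be done in one go without ever disabling the firewall. The script below is an added example, not from the original post: it uses PsExec (assumed to be on the PATH, with local admin rights on the target) to set the same fDenyTSConnections value, keeps Network Level Authentication on, enables only the built-in Remote Desktop rule group, and then checks that 3389 answers. $Target is an assumed parameter.

```powershell
# Added example, not from the original post: enable RDP on a Windows 7 / Server 2008 R2
# domain machine remotely without disabling its firewall. Needs PsExec on the PATH and
# local admin rights on the target; $Target is an assumed parameter.
param([Parameter(Mandatory)][string]$Target)

function Invoke-Remote {
    # PsExec returns the remote command's exit code; stop on a non-zero one instead of
    # silently moving on to the next step.
    param([string[]]$CommandLine)
    & psexec.exe -accepteula "\\$Target" @CommandLine
    if ($LASTEXITCODE -ne 0) {
        throw "psexec on $Target failed (exit $LASTEXITCODE): $($CommandLine -join ' ')"
    }
}

# 1. Allow connections (the same value the post sets with reg add).
Invoke-Remote @('reg', 'add', 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server',
                '/v', 'fDenyTSConnections', '/t', 'REG_DWORD', '/d', '0', '/f')

# 2. Keep Network Level Authentication on so the box only talks to authenticated clients.
Invoke-Remote @('reg', 'add', 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
                '/v', 'UserAuthentication', '/t', 'REG_DWORD', '/d', '1', '/f')

# 3. Open only the built-in Remote Desktop rule group instead of turning the firewall off.
Invoke-Remote @('netsh', 'advfirewall', 'firewall', 'set', 'rule', 'group=remote desktop', 'new', 'enable=Yes')

# 4. Confirm 3389 answers before telling the user to try again.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Target, 3389)
    "RDP is reachable on $Target"
} catch {
    "RDP still not reachable on ${Target}: $($_.Exception.Message)"
} finally {
    $client.Dispose()
}
```

Because the firewall stays up throughout, there is no window where the machine is exposed, and the rule group it enables is the same one the GUI toggles when you tick "Allow Remote Desktop" in Windows Firewall.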
Saturday, February 1, 2014
Adam's tips-
Great SFTP server- Crush FTP. Has a nice web interface to file shares as well, easy to configure.
http://www.crushftp.com/features.html
==============================================================
Some pretty sweet tools-
http://www.cjwdev.co.uk/Software.html
Notably-
AD Photo Edit- Allows easy upload of photos into AD
AD Info- A cool AD reporting tool for users, computers, groups, printers, etc.
Service Credential Manager- Changes service accounts on multiple servers at once. Great for changing an admin password, it can automatically search out and update
Group Manager- A tool that allows users to administer groups they are assigned as the manager of.
AD Permission Reporter- Provides a report on your AD permissions
As well as a bunch of other tools.
==============================================================
So, if you ever need to set up a Windows DHCP server but can't authorize it because no AD server is available? Works on 2008-2008 R2 (not sure about 2012).
Here is a handy registry value to bypass authorization. Add it under this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
Name: DisableRogueDetection
Type: REG_DWORD
Data: 0x1
and restart the server (only restarting the service will not help). Rogue detection is what makes a Windows DHCP server refuse to serve until it is authorized in AD; bypassing it is exactly how an unplanned DHCP server ends up handing out addresses, gateway and DNS to a whole subnet, so use this only on a box that genuinely has no AD to talk to, and remove the value if it ever joins a domain.
==============================================================
Need a tiny TFTP server that doesn't require anything be installed? TFTPD32 is your answer.
http://www.firewall.cx/downloads/doc_download/19-4-tftpd-32-.html
https://a5-downloads.phpnuke.org/en/c74258/tftpd32-free-download-full-review
==============================================================
On a Cisco ASA, ever need to see either the client IPsec VPN or site-to-site (L2L) tunnel pre-shared key? show running-config masks it with asterisks; this command doesn't:
more system:running-config
It will show you the config with the pre-shared key in the clear. (Which is also a reminder that anyone with enable access can read your tunnel keys, so treat configs and config backups accordingly.)
==============================================================
Ever need to grab your public IP from the command line in Linux? The /plain path returns just the address rather than the ipecho.net HTML page:
content=$(wget -qO- ipecho.net/plain)
echo "$content"
==============================================================
Ever need to change the MTU size in Windows? Below will change it to 1458.
netsh interface ipv4 show subinterfaces
netsh interface ipv4 set subinterface "Local Area Connection" mtu=1458 store=persistent
A ping with the don't-fragment flag (-f) and a payload larger than 1430 bytes (1458 minus the 20-byte IP header and 8-byte ICMP header) should now fail, while -l 1430 should still go through. For example, this one fails:
ping 8.8.8.8 -f -l 1472
==============================================================
Want to enable DNS lookup on your Cisco ASA (so it can resolve hostnames itself)? The default server group is named DefaultDNS, one word:
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
==============================================================
Want to measure bandwidth use by individual users on an ASA? Want to explore QoS issues? Spot inappropriate internet use on an ASA?
http://www.fireplotter.com/index.php?option=com_content&view=article&id=3&Itemid=154
The product is FREE for watch-only mode. I'd be happy to assist getting it up and running if you have this need.
==============================================================
Ever run into that quirky VMware issue on a Dell PowerEdge server where you try to create a datastore and your vSphere client disconnects you? You need to delete the Dell diagnostics partition on the disk.
1. Enable SSH via the console
2. Connect to the VM host via SSH
3. Run the following to get a list of current LUN paths:
esxcli storage core path list
4. Record the 'Device' value for the device that shows 'Unavailable or path is unclaimed' at 'Adapter Transport Details' or 'Target Transport Details'
5. Run the following to change the label on the partition:
partedUtil mklabel /dev/disks/<device> msdos
6. Retry the datastore creation operation in vSphere
Step 5 writes a new, empty partition table, so everything on that disk is gone. Double-check the device ID first (partedUtil getptbl /dev/disks/<device> shows what is currently on it) and make sure it isn't a LUN that already holds a datastore.
==============================================================
Ever need to download software that was pre-installed on a Dell system?
==============================================================
Ever need to get the Cisco IPSec Client working on Windows 8?
There is a work-around.
1. Press Windows Key+R to open the run prompt > regedit {enter}
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA
3. Locate DisplayName > Edit its value > Delete all the text to the LEFT of "Cisco Systems VPN Adapter for 64bit Windows." so the value is just the adapter name.
==============================================================
Want to easily review blue screens (BSOD)?
==============================================================
Ever need to turn on RDP on Windows 7 remotely?
psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
==============================================================
Ever need to check if inheritable permissions are enabled on all AD user accounts? Accounts with inheritance disabled are normally the ones AdminSDHolder protects (adminCount=1: members, current or past, of the privileged groups); any other account on that list had inheritance broken by hand and is worth a look. This script will do that, just save it as a .vbs file and run it with cscript (one semicolon-delimited line per user). Note that this plain ADO query returns at most 1000 results; for a larger domain, switch to an ADODB.Command object with its "Page Size" property set so the results are paged.
Option Explicit
Dim objRootDSE, strDNSDomain, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim strNTName, strDN, intNtSecDescCntrl
Dim objUser, objSecurityDescriptor, strInheritable
' SE_DACL_PROTECTED in the security descriptor control flags means the DACL
' does not inherit ACEs from the parent container.
Const SE_DACL_PROTECTED = &H1000
' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
' Use ADO to search Active Directory.
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoRecordset = CreateObject("ADODB.Recordset")
adoRecordset.ActiveConnection = adoConnection
' Search entire domain.
strBase = "<LDAP://" & strDNSDomain & ">"
strFilter = "(&(objectCategory=person)(objectClass=user))"
' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sAMAccountName"
' Construct the LDAP query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
' Run the query.
adoRecordset.Source = strQuery
adoRecordset.Open
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values.
    strNTName = adoRecordset.Fields("sAMAccountName").Value
    strDN = adoRecordset.Fields("distinguishedName").Value
    ' A forward slash in a DN must be escaped in an ADsPath.
    strDN = Replace(strDN, "/", "\/")
    ' Bind to the user and read the control flags of its security descriptor.
    Set objUser = GetObject("LDAP://" & strDN)
    Set objSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
    intNtSecDescCntrl = objSecurityDescriptor.Control
    If (intNtSecDescCntrl And SE_DACL_PROTECTED) <> 0 Then
        strInheritable = "Allow inheritable permissions disabled"
    Else
        strInheritable = "Allow inheritable permissions enabled"
    End If
    Wscript.Echo strNTName & ";" & strDN & ";" & strInheritable
    adoRecordset.MoveNext
Loop
' Clean up.
adoRecordset.Close
adoConnection.Close
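The same check is a few lines with the ActiveDirectory module, and cross-referencing it with adminCount separates the expected cases (SDProp protecting a privileged account) from the ones that need a look. This is an added example, not from the original post: it assumes RSAT / the ActiveDirectory module is installed and reads nTSecurityDescriptor through Get-ADUser; the AreAccessRulesProtected property it tests is the same SE_DACL_PROTECTED bit the VBScript above checks.

```powershell
# Added example, not from the original post: inheritance check for every AD user with the
# ActiveDirectory module, cross-referenced with adminCount so AdminSDHolder-protected
# accounts (expected) are separated from hand-modified ones (review). Assumes RSAT / the
# ActiveDirectory module; nothing else.
Import-Module ActiveDirectory

$users = Get-ADUser -Filter * -Properties nTSecurityDescriptor, adminCount

$rows = foreach ($u in $users) {
    # AreAccessRulesProtected is the SE_DACL_PROTECTED control bit: inheritance disabled.
    $protected = $u.nTSecurityDescriptor.AreAccessRulesProtected
    $admin     = ($u.adminCount -eq 1)
    $verdict = if ($protected -and $admin) { 'expected: AdminSDHolder-protected (confirm it still needs privileged membership)' }
               elseif ($protected)         { 'REVIEW: inheritance disabled by hand, adminCount not set' }
               elseif ($admin)             { 'REVIEW: adminCount=1 but inheritance enabled (SDProp not run yet, or stale adminCount)' }
               else                        { 'ok' }
    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        DistinguishedName   = $u.DistinguishedName
        InheritanceDisabled = $protected
        AdminCount          = $u.adminCount
        Verdict             = $verdict
    }
}

$rows | Where-Object Verdict -ne 'ok' | Sort-Object Verdict, SamAccountName |
    Format-Table SamAccountName, InheritanceDisabled, AdminCount, Verdict -AutoSize
$rows | Export-Csv -NoTypeInformation -Path .\ad-inheritance-report.csv
```

The "inheritance disabled by hand" rows are the interesting ones for a security review: they don't come from SDProp, so someone deliberately cut the account off from the OU's delegated permissions, which is where hidden ACEs and forgotten delegations tend to live.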