#19381 - 2002-04-03 05:01 AM I have a Challenge.
mustangman Offline
Lurker

Registered: 2002-04-03
Posts: 3
Loc: Dallas, Tx
I have a challenge for you all. I work in a highly volatile environment where machines are "re-imaged" constantly, and just maintaining the images is a constant battle. But then there are the machines that are not re-imaged EVER, and they present the bulk of the problems. I am a newbie to KiX and, more importantly, to programming. I do, however, understand how the KiX language works; I will just need to work on my programming logic and start playing.

On to the problem: we have recently invoked a password scheme that uses a combination of the MAC address of the local NIC and the day of the week (we might possibly use another variable besides the day of the week). For instance, Monday = All###, Tuesday = People###, Wednesday = Need### and so on. Is it possible to create a script that will change the local Admin password based on these variables, running the script as part of the logon initially and then only when a new computer is added to the domain? This is a big one, I know, but any help would be greatly appreciated.

Also, can you take the administrators from a "clean" machine with only those who should be local admins and apply those admins to all the machines in the domain, while removing those who should not be admins (like the users)? Thanks again.
_________________________
Network Catch-All Type:1. Most despised words: Do you think we could do that today?

#19382 - 2002-04-03 05:19 AM Re: I have a Challenge.
Les Offline
KiX Master

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Welcome to the board.
I'm trying to wrap my mind around your password scheme. Are you saying you want to change the local administrator password every day? Isn't that sorta overkill? You could change the password, but I'd advise it be done from an admin script and not the logon. There are permission issues with doing it in the logon. Also, you would want to record the change otherwise you'd have no idea what the password is. If done within the logon, the user would have access to the log file and could mess with it.

I assume the local administrator account is not used and that users are not in the local administrators group.

Are these machines NT4 or W2K or XP? If NT4, do they have ADSI Provider installed?
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#19383 - 2002-04-03 05:26 AM Re: I have a Challenge.
Howard Bullock Offline
KiX Supporter

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Given that you can have the logon script execute in the context of an Administrator account, you can accomplish what you want. I think that the most difficult request is knowing that the computer was just added to the domain and cleaning up the Administrators group.

Change Admin PW: My preference would be to code it using ADSI (link: Change local admin password). Your desire to have this done as part of the initial logon will require some additional work to tell the script it is an initial logon. Or you could just execute a configuration script after logon.

Changing the membership of the Administrators group (link: remove/add members): Again, if you have the ability to use ADSI, I would code it directly and not use an external executable.
_________________________
Home page: http://www.kixhelp.com/hb/

#19384 - 2002-04-03 05:35 AM Re: I have a Challenge.
Howard Bullock Offline
KiX Supporter

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
If you want a method to rotate Admin passwords, I have written a complete Administrator password management system in Perl. You can find part #1 and part #2 in the December 2001 and January 2002 issues of the journal "NT Update" at www.xephon.com. The article includes all source code, including the SQL database table structure that maintains the computer data, including passwords.

[ 03 April 2002, 05:37: Message edited by: Howard Bullock ]
_________________________
Home page: http://www.kixhelp.com/hb/

#19385 - 2002-04-03 03:29 PM Re: I have a Challenge.
mustangman Offline
Lurker

Registered: 2002-04-03
Posts: 3
Loc: Dallas, Tx
First off, thank you for your help. Sorry, I don't think I gave you enough info. These are a mixture of NT 4.0 SP6 and 2K SP2 machines. Secondly, the password wouldn't be changed every day. There would be an initial 2 weeks in which the script would run as part of the logon to ensure that EVERY machine received the change, and then it would become an administrative script. I would just simply create a user account for adding new computers to the network, and then the script would carry out whatever changes needed to be made via a batch menu. Or would I run the admin script remotely? If so, how do I do that? Lastly, I haven't looked at it yet, but I think that Howard nailed it in his last post. I am not sure if we are able to use ADSI, and if not, whether our security guy will allow it. (Why do you think I am doing this? [Smile]) I will let you know what I come up with and will post the code I eventually hammer out.
_________________________
Network Catch-All Type:1. Most despised words: Do you think we could do that today?

#19386 - 2002-04-03 04:25 PM Re: I have a Challenge.
Howard Bullock Offline
KiX Supporter

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
One other approach that I have implemented to perform Administrative operations on NT clients is listed below. This system works well and you do not have to include special code in your logon script for a specified period in the hopes of hitting all computers.

The Bullock methodology:

1. Setup a hidden share on a central server with subdirectories for each distinct process you want to perform/execute.

2. Write code that will:
a. checks for a custom defined registry key/value
b. if the value does not exist or is incorrect write a file named as the @wksta.flg to the specific directory created in item #1

3. Write your Admin script to perform your specific function.
a. run as a service from a production server for optimal ease and uptime.
b. this program reads the files in the directory and takes action on the computer specified by the file name.
c. on successful completion, write the correct registry key/value so that the logon script does not recreate the flag file.
d. Record the action to a log file or database

4. Add a service account to the local administrators group so that your process has the necessary permissions to complete the task.

5. Implement the key checking/flag generation code in the logon script.

This methodology then only processes computers that have just come onto the network. It guarantees that a process is only run once. And it does not generate the noise you get when an Admin script is targeted at all computers and some are not online. This process can run for any period of time and has very low overhead on the client and on the server where the Admin script runs.

We use SMS as well, but some areas of the company have yet to implement SMS and others have elected not to participate. The logon script, however, has 97% coverage on 40,000 accounts. This methodology can be leveraged quickly and inexpensively.

Comments & criticisms welcome.

[ 03 April 2002, 16:28: Message edited by: Howard Bullock ]
_________________________
Home page: http://www.kixhelp.com/hb/

#19387 - 2002-04-03 05:45 PM Re: I have a Challenge.
Bryce Offline
KiX Supporter

Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
To use ADSI for an admin script, you will only need to install it on the admin PC.

ADSI will need to be installed on NT 4.0; it comes with W2K.

Now, having said that, you do not need ADSI to change a local admin password via a logon script.

You just have to be able to run this command:

code:
; NET USER <account> <password>; the password is visible on the command line while it runs
shell '%comspec% /c net user administrator $password > nul'

with local admin rights.

#19388 - 2002-04-03 07:39 PM Re: I have a Challenge.
NTDOC Administrator Offline
Administrator

Registered: 2000-07-28
Posts: 11623
Loc: CA
What is the prize for this challenge?

Please see this post for enumerating the groups (Bryce's code piece)
Multiple INGROUP()

Here is some code that should work for some of it...
code:
; DOMAIN\user of the person logging on
$x = @DOMAIN + "\" + @USERID
$CleanAdmin = "net localgroup administrators /del $x"
; INGROUP with \\wksta\group tests the local group; NET LOCALGROUP /DEL needs admin rights
IF INGROUP("\\@WKSTA\Administrators")
  shell '%comspec% /c $CleanAdmin >nul'
ENDIF

It will remove the specified username from the local admin group, but won't remove your Domain Admins when they log on with their Domain Admin accounts; it will, however, if they log on with another account that is a member of the local admin group, so you would need to modify it some to prevent specified members from being removed. Possibly by using a GLOBAL group membership of those not to remove from local admin groups.

James Bond post [Wink]

[ 03 April 2002, 19:52: Message edited by: NTDOC ]

#19389 - 2002-04-04 03:56 AM Re: I have a Challenge.
Bryce Offline
KiX Supporter

Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
I missed the bit about removing non-allowed users from the local Administrators group.

here is some code to help you out [Smile]

code:
; exact-match allow list: every name is wrapped in commas so that
; "admin" cannot match "administrator" by substring
$allowed_admins = ",administrator,@userid,"

;get a listing of all members of the local administrator group
;(flag 18 = 2 users only + 16 return ADSI object handles)
$localadminusers = groupmembers("@domain/@wksta","Administrators",18)

;get a connection to the local admin group
$localadmingroup = getobject("WinNT://@domain/@wksta/administrators,group")

for each $admin in $localadminusers
  if instr($allowed_admins,"," + $admin.name + ",") = 0
    ;a user has been found that is not in the $allowed_admins list,
    ;and will now be removed.

    ? "Removing " + $admin.name + " from " + $localadmingroup.name
    ;to make this code work, you will have to uncomment the following line.
    ;$localadmingroup.remove($admin.adspath)
  endif
next

this code needs the UDF GroupMembers()

Bryce

[ 04 April 2002, 03:57: Message edited by: Bryce ]

#19390 - 2002-04-04 04:59 AM Re: I have a Challenge.
mustangman Offline
Lurker

Registered: 2002-04-03
Posts: 3
Loc: Dallas, Tx
No prize except knowing you are smarter than me. It will take some time to process all of this as I am BRAND NEW to all of this and I don't have anything to start with so I am doing this with a mixture of cut and paste and my own code. We'll see what happens. Thanks for all of your help.
_________________________
Network Catch-All Type:1. Most despised words: Do you think we could do that today?

#19391 - 2002-04-04 10:49 AM Re: I have a Challenge.
NTDOC Administrator Offline
Administrator

Registered: 2000-07-28
Posts: 11623
Loc: CA
Mr. Mustang.... Bryce (your fellow TEXAN [remember the Alamo]) has done all the hard work for you, and quite a good job at that. Good job, Bryce.

Simply copy the code from the CODE section and paste into WORD, then copy again inside WORD and paste it into NOTEPAD or your favorite Text Editor and run the code. It will not do anything except show you what it will do.

You need to supply a list of allowed users beyond what the @userid supplies otherwise it will remove everyone except the currently logged in user.

code:
BREAK ON
; exact-match allow list: every name is wrapped in commas so that
; "admin" cannot match "administrator" by substring
$allowed_admins = ",administrator,@userid,"

;get a listing of all members of the local administrator group
;(flag 18 = 2 users only + 16 return ADSI object handles)
$localadminusers = groupmembers("@domain/@wksta","Administrators",18)

;get a connection to the local admin group
$localadmingroup = getobject("WinNT://@domain/@wksta/administrators,group")

for each $admin in $localadminusers
  if instr($allowed_admins,"," + $admin.name + ",") = 0
    ;a user has been found that is not in the $allowed_admins list,
    ;and will now be removed.

    ? "Removing " + $admin.name + " from " + $localadmingroup.name
    ;to make this code work, you will have to uncomment the following line.
    ;$localadmingroup.remove($admin.adspath)
  endif
next


Function Groupmembers($target, $group, optional $flag)
;NAME GroupMembers
;
;ACTION Returns an array of all group members of the specified group
;
;SYNTAX GroupMembers(Target, Group, [FLAG])
;
;PARAMETERS Target
; The Domain name or Workstation to work with. For faster workstation
; execution, include the Domain Name that the workstation is a member of.
;
; "Kixtart/beanbag" would be working with the workstation Beanbag in the
; Kixtart domain
;
; Group
; The Group you want to query
;
; [FLAGS]
; To use the flag options, add the numbers of the desired flags together and
; use that number in the flag field.
;
; Filter: (only one filter flag at a time please)
; 1 = all (default)
; 2 = Users only
; 4 = Groups only
;
; ADSI Information (return ADSI information, "pick only one")
; 8 = ADSPath field
; 16 = ADSI Object Handle
;
;RETURNS an array of member names; with flag 8 the ADSPath of each member
; is returned instead, and with flag 16 the ADSI object handle.
;
;REMARKS ADSI com object must be installed.
; Machine accounts (names ending in "$") are skipped.
; Returns with @error set if the group cannot be bound.
;
;EXAMPLES ;this returns all members of the Domain Admins group in the kixtart domain.
; $members = groupmembers("kixtart","Domain admins")
;
; ;this will return all groups in the local administrators group on
; ;the workstation beanbag in the kixtart domain (flag 4 = groups only).
; $groups = groupmembers("kixtart/beanbag","Administrators",4)
DIM $temparray[8], $member, $i, $chunk, $flag, $ADSIFlag, $filterFlag
$chunk = ubound($temparray)
$flag = val($flag)
$i = 0
$group = getobject("WinNT://$target/$group")
if vartype($group) <> 9 exit(@error) endif
select
case $flag & 1
$filterflag = 1
case $flag & 2
$filterflag = 2
case $flag & 4
$filterflag = 4
case 1
$filterflag = 1
endselect
select
case $flag & 8
$ADSIFlag = 8
case $flag & 16
$ADSIFlag = 16
endselect
for each $member in $group.members
select
case $filterflag = 2 AND $member.class = "user"
if substr($member.name,len($member.name),1) <> "$"
$temparray[$i] = $member.name
select
case $adsiflag = 8
$temparray[$i] = $member.adspath
case $adsiflag = 16
$temparray[$i] = $member
endselect
$i = $i + 1
endif
case $filterflag = 4 AND $member.class = "Group"
if substr($member.name,len($member.name),1) <> "$"
$temparray[$i] = $member.name
select
case $adsiflag = 8
$temparray[$i] = $member.adspath
case $adsiflag = 16
$temparray[$i] = $member
endselect
$i = $i + 1
endif
case $filterflag = 1
if substr($member.name,len($member.name),1) <> "$"
$temparray[$i] = $member.name
select
case $adsiflag = 8
$temparray[$i] = $member.adspath
case $adsiflag = 16
$temparray[$i] = $member
endselect
$i = $i + 1
endif
case $filterflag
;bit bucket
endselect
if $i = ubound($temparray)
redim preserve $temparray[Ubound($temparray)+$chunk]
endif
next
if $i <> 0
redim preserve $temparray[$i-1]
$groupmembers=$temparray
endif
endfunction
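
The clean-up in Bryce's script and NTDOC's repost above, as an added PowerShell example (not code from the thread) using the LocalAccounts module that ships with Windows PowerShell 5.1. It matches members by SID rather than by name, so a local account created with the same name as an allowed domain account is still removed, and the built-in Administrator (RID 500) is always kept. The allow-list principals CONTOSO\Domain Admins and CONTOSO\Workstation Admins are assumptions:

```powershell
# Added example, not code from the thread. Same clean-up as Bryce's KiX script, matching
# members by SID. The allow-list principals below are assumptions.

function ConvertTo-Sid {
    param([string]$Principal)   # 'DOMAIN\name' or a local 'name'
    (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Repair-LocalAdministrators {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$AllowedPrincipals)

    $allowed = @($AllowedPrincipals | ForEach-Object { ConvertTo-Sid $_ })
    $removed = @()

    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $sid = $m.SID.Value
        # Never remove the built-in Administrator (RID 500), so the box is never orphaned;
        # Bryce's list keeps "administrator" for the same reason.
        if ($sid -like 'S-1-5-21-*-500') { continue }
        # Allowed by SID, not by name or substring of the name.
        if ($allowed -contains $sid) { continue }
        if ($PSCmdlet.ShouldProcess("$($m.Name) [$sid]", 'Remove from Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
            $removed += $m.Name
        }
    }
    $removed   # names actually removed (empty under -WhatIf)
}

# Dry run first, as the thread does: prints what would be removed, changes nothing.
Repair-LocalAdministrators -AllowedPrincipals 'CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins' -WhatIf
```

Run it elevated from an admin context, not from the user's logon script (Les's point), and drop `-WhatIf` only after reviewing the dry run. One caveat: on some builds `Get-LocalGroupMember` fails when the group still holds orphaned SIDs of deleted domain accounts; on such machines the WinNT ADSI provider that the thread's UDF uses enumerates the group without that problem.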

