Active Directory

1. To quickly list all the groups in your domain, with members, run this command:

dsquery group -limit 0 | dsget group -members –expand

2. To find all users whose accounts are set to have a non-expiring password, run this command:

dsquery * domainroot -filter “(&(objectcategory=person)(objectclass=user)(lockoutTime=*))” -limit 0

3. To list all the FSMO role holders in your forest, run this command:

netdom query fsmo

4. To refresh group policy settings, run this command:

gpupdate

5. To check Active Directory replication on a domain controller, run this command:

repadmin /replsummary

6. To force replication from a domain controller without having to go through to Active

Directory Sites and Services, run this command:

repadmin /syncall

7. To see what server authenticated you (or if you logged on with cached credentials) you can run either of these commands:

set l

echo %logonserver%

8. To see what account you are logged on as, run this command:

whoami

9. To see what security groups you belong to, run this command:

whoami /groups

10. To see the domain account policy (password requirements, lockout thresholds, etc) run this command:

net accounts

Windows Networking

11. To quickly reset your NIC back to DHCP with no manual settings, run this command:

netsh int ip reset all

12. To quickly generate a text summary of your system, run this command:

systeminfo | more

13. To see all network connections your client has open, run this command:

net use

14. To see your routing table, run either of these commands:

route print

netstat -r

15. Need to run a trace, but don’t have Netmon or Wireshark, and aren’t allowed to install either one? Run this command:

netsh trace start capture=yes tracefile=c:\capture.etl

netsh trace stop

16. To quickly open a port on the firewall, run this command, changing the name, protocol, and port to suit. This example opens syslog:

netsh firewall set portopening udp 161 syslog enable all

17. To add an entry to your routing table that will be permanent, run the route add command with the –p option. Omitting that, the entry will be lost at next reboot:

route add 0.0.0.0 mask 0.0.0.0 172.16.250.5 –p

18. Here’s a simple way to see all open network connections, refreshing every second:

netstat –ano 1

19. You can add a | findstr value to watch for only a specific connection, like a client ip.addr or port:

netstat –ano | findstr 216.134.217.20

20. You can use the shutdown to shutdown or reboot a machine, including your own, in a simple scheduled task like this:

shutdown –r –t 0 –m \\localhost

21. To make planned DNS changes go faster, reduce the TTL on the DNS records you plan on changing to 30 seconds the day before changes are to be made. You can set the TTL back to normal after you confirm the changes have been successful.

22. Set a short lease on DHCP scopes that service laptops, and set Microsoft Option 002 to release a DHCP leas on shutdown. This helps to ensure your scope is not exhausted and that machines can easily get on another network when the move to a new site.

Windows 7

23. Want to enable the local administrator account on Windows 7? Run this command from an administrative command prompt. It will prompt you to set a password:

net user administrator * /active:yes

24. You can do the same thing during install by pressing SHIFT-F10 at the screen where you set your initial user password.

Windows 7 supports several useful new keyboard shortcuts:

25. Windows Key+G

Display gadgets in front of other windows.

26. Windows Key++ (plus key)

Zoom in, where appropriate.

27. Windows Key+- (minus key)

Zoom out, where appropriate.

28. Windows Key+Up Arrow

Maximize the current window.

29. Windows Key+Down Arrow

Minimize the current window.

30. Windows Key+Left Arrow

Snap to the left hand side of the screen

31. Windows Key+Right Arrow

Snap to the right hand side of the screen.

32. To quickly launch an application as an administrator (without the right-click, run as administrator), type the name in the Search programs and files field, and then press Ctrl-Shift-Enter.

Here are some tips that can save you from buying commercial software:

33. Need to make a quick screencast to show someone how to do something? The Problem Steps Recorder can create an MHTML file that shows what you have done by creating a screen capture each time you take an action. Click the Start button and type ‘psr’ to open the Problem Steps Recorder.

34. Need to burn a disc? The isoburn.exe can burn ISO and IMG files. You can right click a file and select burn, or launch it from the command line.

35. Windows 7 includes a screen scraping tool called the Snipping Tool. I have tons of users request a license for SnagIt, only to find this free tool (it’s under Accessories) does what they need.

36. You can download this bootable security scanner from Microsoft that will run off a USB key, which is very useful if you suspect a machine has a virus.

37. A great way to save all your command line tools and make them available across all your computers is to install Dropbox, create a folder to save all your scripts and tools, and add that folder to your path. That way, they can be called from the command line or any other scripts, and if you update a script, it will carry across to any other machine you have.

Windows 2008

38. You can free up disk space on your servers by disabling hibernate. Windows 2008 will create a hiberfil.sys equal to the amount of RAM. This is very useful with VMs that have lots of RAM but smaller C: drives. To disable hibernation, and reclaim that space, run this command:

powercfg -h off

39. You can get to the complete collection of Sysinternals tools online. You can even invoke them from the run command. Use the url: http://live.sysinternals.com or the UNC path: \\live.sysinternals.com\tools.

40. Speaking of the Sysinternals tools, almost any command line in this article can be run remotely on another machine (as long as you have administrative rights) using the psexec command included in the Sysinternals tools.

41. You can kill RDP sessions at the command line when you find that all the RDP sessions to a server are tied up.

regsvr32 query.dll [enter] You only have to do this the first time.

query session /server:servername [enter]

reset session # /server:servername [enter]

42. You can create a list of files and display the last time they were accessed, which is very useful when a network drive is low on space and users swear they have to have that copy of Office 2003 on the network. My advice? If they haven’t touched it in two years, burn it to DVD or write it to tape and then delete it from disk:

dir /t:a /s /od >> list.txt [enter]

43. The Microsoft Exchange Err command is one of the best all around troubleshooting tools you will find, as it can decode any hex error code you find as long as the products are installed on the machine. Download it from here.

44. You can see all the open files on a system by running this command:

openfiles /query

45. You can pull all the readable data out of a corrupt file using this command:

recover filename.ext

46. Need to pause a batch file for a period of time but don’t have the sleep command from the old resource kit handy? Here’s how to build a ten second delay into a script:

ping -n 10 127.0.0.1 > NUL 2>&1

47. If your Windows website has stopped responding, or is throwing a 500 error, and you are not sure what to do, you can reset IIS without having to reboot the whole server. Run this command:

iisreset

48. You can use && to string multiple commands together; they will run sequentially.

49. If you find yourself restarting services frequently, you can use that && trick to create a batch file called restart.cmd and use it to restart services:

net stop %1 && net start %1

50. You can download a Windows port of the wget tool from here, and use it to mirror websites using this command:

wget -mk http://www.example.com/

Linux

51. You can list files sorted by size using this command:

ls –lSr

52. You can view the amount of free disk space in usable format using this command:

df –h

53. To see how much space /some/dir is consuming:

du -sh /some/dir

54. List all running processes containing the string stuff:

ps aux | grep stuff

55. If you have ever run a command but forgot to sudo, you can use this to rerun the command:

sudo !!

56. If you put a space before a command or response, it will be omitted from the shell history.

57. If you really liked a long command that you just ran, and want to save it as a script, use this trick:

echo “!!” > script.sh

With 57 tips in this bag of tricks, you’re bound to find something useful. Have your own tips to share? Leave us a comment!

Importing Data from AD

In Part 2 we  discussed how to export data from a working Active Directory installation. That was the easy part, now the real fun begins as we discuss how to import data to your Active Directory installation. It is strongly suggested to try this out on a test scenario, and try this out as much as need until you are certain that you know what the different switches do, as this will affect your installation of AD.

There are a few things that need to be done before you can import data to your Active Directory installation. First of all you have to create a CSV file with all the details of your users, which requires some basic knowledge of LDAP properties, manipulation of strings in Excel and some basic knowledge of scripting (which will later allow you to enable all the accounts you have created with a simple double click!).

First things first, what are LDAP Properties? Very simple, LDAP, or more fully Lightweight Directory Access Protocol, is an application protocol for querying and modifying directory services running over TCP/IP. A directory is a set of objects with attributes organized in a logical and hierarchical manner, or in plain English the properties of a user when you right click in Active Directory Users and Computers. There are countless options you can add, but for the sake of clarity we will stick to the 8 of the most basic ones you need to work with as described below:

Now that we know what the fields we need are, we can start creating a CSV file. The easiest way to do this is by using a spreadsheet application, in this case Microsoft Excel, which has a built-in function that will create a CSV file by separating the columns with commas. Let us start creating our template in Excel. We will just create the first row and fill in the rest by clicking and dragging

It is very important that before you start you make sure that you have created the Organizational unit you will add the users to, as CSVDE is unable to create Organizational Units. For this example the OU that has been created is named Test.

Below you have an example, simply fill in the first row in your sheet (the ones in bold). Next fill in only the givenName and SN columns.

Now the real fun starts, as the rest of the columns will be filled using string manipulation formulas that are built-in in excel. First of all we must know what naming convention we will adhere to; in this case it will be the first letter of the first name and the entire surname.

Let us start off easy, by concatenating the contents of two different cells so as to create the name and CN fields:

=B2&” “&C2       

This will concatenate cells B2 and C3 with a space in the middle.

The sAMAccountName for our user will be jdoe, and will be created as follows:

=LOWER(LEFT(B2,1) & (C2))        

This will take the first letter on the left of cell B2  ‘LEFT(B2,1)’ and concatenate to the whole contents  of cell C2 using the ampersand (&) and make sure it is all in lowercase (LOWER).

The process is similar for the userPrincipalName, but using the result of a previous formula:

=D2&”@testdom.com”                

This will concatenate the contents of cell D2 and append the name of the domain to it.

Finally the most complicated part, creating the Distinguished Name, which will use a combination of all the previous formulas to create a valid DN:

Now fill in the rest of the names and surnames and simply click and drag the other cells to completely fill the table for all your users.

To create a CSV file simply press F12 (Save As…) and select CSV (Comma Separated) as file type, click save and click ok on the prompt that pops up, which warns you that all formatting will be lost and that it won’t let you save multiple books.

The one CSVDE switch we will use to import is the -i switch. This will load the data from any CSV file that has been specified in the command, import the data into Active Directory, and you can also output a report log to a specified file.

The command to import is:

CSVDE -i -k -f test.csv

Let us break down the different switches:

-i                             The import switch which tells CSVDE that it has to import not the standard export.

-k                            Tells CSVDE to ignore all errors and continue importing data.

-f <filename>    Specifies the file name of the CSV file to be imported.

Now launch Active Directory Users and Computers so as to verify the users have been created.

Tip: Before running the CSVDE command, browse to the location of the CSV file so at to avoid typing long UPN path names which make for needless errors. eg. If the CSV file is stored in the Administrator’s documents make sure you have browsed to C:\Documents and Settings\Administrator\ before running the CSVDE command.

However, CSVDE has a limitation; it does not offer the functionality to enable the accounts that have just been created. Do not worry though, you will not have to enable the hundreds of accounts you have added one by one. There are various scripts available online that, with little editing, can help you enable all these accounts, along with the various flavours of the LDAP Property UserAccountControl, this gives you some flexibility on how and what exactly you can do. A good set of scripts and explanations of how they work and how to edit them can be found at the Computer Performance website.

In the first article of this series we discussed what CSVDE is and why you should use it. I will now discuss how to export data from Active Directory and how to import it in Microsoft Excel using CSVDE as well as touch on some basic data manipulation commands.

Exporting Data from AD

The easiest way to learn CSVDE is through a baptism by fire - try out the commands yourself. However, most of you will think “How can I experiment with AD without ruining my setup?” The easiest way to do this is by learning to use the export commands, which simply exports data and does not in any way modify the setup that there is in place.

When using the CSVDE tool, the command will always be formatted as follows:
CSVDE <-switch>  or  CSVDE <-switch> <switch requirement>

Example:
CSVDE –f users.csv runs the default CSVDE function, exporting all data to a file users.csv

CSVDE -f onlyusers.csv -r “(&(objectClass=user)(objectCategory=person))” exports only the specified details to users.csv.

The easiest way to view the data that has been exported by CSVDE is to locate the CSV file that was created, and open it using your favourite spreadsheet utility (all of them work, but here all examples will refer to Microsoft Excel). Note that CSVDE always exports to or imports from the current directory you are browsing in command prompt, thus if you are currently in c:\ it will save the files to c:\.

There a various switches that can be used and here’s a complete list with a full description. Here we will only discuss a few of the commands.
 
The most commonly used export switches:

• -f  Specifies file name to export to:
  CSVDE –f example.csv
  Note: Try not to use this switch alone, as it will export too much data for it to be comprehensible and thus useful to us.
• -d Specifies a particular Object to export, such as an OU:
  CSVDE -d “OU=<ouname>,DC=<domainname>,dc=com” -f example.csv
  
• -r Specifies which rows you want to export, such as users using the objectClass or object category:
   CSVDE –f example.csv –r objectClass=Person
  You can even combine multiple objects in your filter:
  CSVDE -f userdata2.csv -r “(&(objectCategory=person)(objectclass=user))”
  
• -L Specifies which LDAP fields, or columns, will be exported, separated by a comma:
   CSVDE –f example.csv –l “DN, objectClass, givenName, sn, name”
  IMPORTANT!
  Do not mix –l with –i as they are used for two completely different things, thus since CSVDE is not case sensitive it would be wise to use –L to avoid confusion.
• -m Used to exclude Active Directory properties such as the ObjectGUID, objectSID, pwdLastSet  and samAccountType attributes.
• -n Used to exclude binary values from the exported CSV file.

Thus, for example let us imagine you are an administrator, and you have been contacted by HR to produce a list of all the users in the Sales OU, with their Full Name, Logon and full distinguished name and without other junk such as binary data and so on. The command used to produce such a CSV file would be:

CSVDE -d “OU=Test,dc=bernard8,dc=com” -m -n -f testou.csv -r objectclass=user -l “name, userPrincipalName,dn”

In this case the first line of the CSV file would read:

DN,name,userPrincipalName

“CN=John Smith,OU=Test,DC=test,DC=com”,John Smith,jsmith@test.com

For some reason CSVDE sorts the LDAP fields in its own way no matter how you enter the data.

Now you should be confident enough with CSVDE to be ready to try the import switch, which we will discuss in part 3 of this article.

What is CSVDE and why should I use it?

Comma Separated Value Data Exchange (CSVDE) actually comes built-in Windows 2003 Server installations (normally in %windir%/system32 directory). A comma-separated value (CSV) file is usually a plain text file, with the data contained in rows and columns separated by commas (,). This makes it relatively easy to decipher and most common spreadsheet applications (such as Microsoft Excel or OpenOffice Calc) can open it without making any modifications to the file and display it organized neatly in rows and columns.

CSVDE can be used both to export data about a current Active Directory Configuration, the easiest thing that will in no way effect your working configuration, and to import data into a new installation of Active Directory, which is not recommended unless you are doing so on a test setup or is closely familiar with the intricacies of CSVDE. When importing data using CSVDE, it will directly affect your system since data is being added and manipulated. Ideally this should be first tried out in a test scenario which does not affect a live installation.

In the next article we will discuss how to export data from Active Directory and how to import it in Microsoft Excel using CSVDE as well as touch on some basic data manipulation commands. Finally in the last part, we will also discuss how to create a template using an Excel worksheet, create a CSV file and how to import data into Active Directory.