Pau Lo
asked on
Global workstation user review
Is there any tool or technique that can return in a single report for every local workstation joined to the domain local users, account status (i.e. active or disabled) and group memberships? They are predominantly running XP.
ASKER
Sorry no spare budget for commercial tools right now
There is also a free version available. Check if you can get use of it:
http://www.lansweeper.com/
ASKER
Yes would be interested that would help us lots.
OK, so I'm starting to write a script and test it :)
Krzysztof
ASKER
I did wonder about Spiceworks for this task - but not sure if it has a report capable of listing all for all? And stuff like:
workstations where guest is enabled
workstations where autologon is enabled
workstations where local accounts have blank passwords etc
If you have any idea how to identify those that would help.
So, for that you can use a logon/startup script or PsExec to execute it on a remote PC (requires admin rights)
net user guest | find /i "Account active" (check how this line is called in OS in your language)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon (value 0x1 means that autologon is active)
for the last one, I have no idea :(
Krzysztof
OK, I found the best solution :)
Microsoft Baseline Security Analyzer (MBSA)
http://technet.microsoft.com/en-us/security/cc184924
It's free and allows for checks:
local user accounts, blank passwords and guest account status and of course other checks :). Can you check if it's enough for you?
Krzysztof
ASKER
Problem is we have over 2000 devices to audit.
Does it test for autologon?
Other issue is it doesn't list other powerful security groups such as power users or backup ops
2000 is no problem, it can scan an IP range or a computers list. For autologon I'm not sure, maybe it is (as security issue)
Download it, install and scan your workstation to check if that report is acceptable by you :)
As you can see, there is no one tool for all of those requirements :/
Probably a PowerShell script would be more appropriate but I'm not a PS expert :(
You may also ask another question in the PowerShell, VB Script zones?
Krzysztof
ASKER
I think MBSA will be a decent enough start.
It's a shame Spiceworks only supports up to 250 devices or that would have helped.
ASKER
Daft question - but where could we find IP ranges across our 2000 workstations?
Can you do a report to just list IP ranges for workstations as opposed to infrastructure devices/servers?
ASKER
>>2000 is no problem, it can scan IP range or computers list
Where can you scan just a list?
I can only see domain or IP address range as options?
Thanks
You can scan whole IP range if you wish :) or particular domain
Depends on your requirements. That can be selected in MBSA before you start scanning
Krzysztof
OK, I checked. MBSA checks also autologon for a workstation :)
Krzysztof
ASKER
Cool - do you know any easy way to report exact numbers of workstations in a domain? You used to suggest some very clever commands that could do such things. Ideally if could get a total count and hostname that would help me no end.
Have you ever run this tool per domain in a large enterprise? Did it cause performance probs?
Yes, I did it in my company. There were no performance issues but it took some time :/ (over 2000 workstations)
To get all of your workstations in a domain you can use dsquery and dsget together (run on a DC or workstation with Administrative Tools installed)
dsquery computer -name * -limit 0 | dsget computer -samid >>c:\all-wks.txt
or
dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -attr name >>c:\all-wks.txt
import text file into Excel, remove unnecessary lines and voila! :)
Krzysztof
ASKER
Do you know how long it took to do the mbsa scans for your 2000 comps? Thanks
It depends on scan options, basic scan should take no more than 4 hrs.
Krzysztof
ASKER
Cheers ISiek
for
dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -attr name >>c:\all-wks.txt
How do I amend that query to limit all results?
And
How do you switch that to servers?
Cheers
ASKER
dsquery computer -name * -limit 0 | dsget computer -samid >>c:\all-wks.txt
returns an error dsget failed: the server is not operational
any ideas?
Oh sorry, for that you need to place one more switch "-limit 0" to display all entries (by default only first 100 are displayed)
so, full syntax looks like
dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -limit 0 -attr name >>c:\all-wks.txt
and that error from the second syntax, where do you run this command (on a DC or workstation)?
Krzysztof
Does this fixed syntax work for you? What about that dsquery/dsget structure ? Does it still fail? What is your Domain Functional Level and on which OS do you run those commands?
Thanks in advance for feedback.
Krzysztof
ASKER
I run them from XP and domain functional level is 2003
ASKER
And run it from workstation but do have admin tools installed
You need to have Administrative Tools installed on your workstation to be able to use them. You can find it on a Server in %WINDIR%\SYSTEM32\adminpak.msi
If you cannot install it on your workstation, please ask administrator or log in to DC (if you are able to do that :) )
Krzysztof
ASKER
weirdly - if I paste that:
dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -limit 0 -attr name >>c:\all-wks.txt
Into a command prompt it just seems to ignore it and not execute then go back to C:>
without running anything
ASKER
I have admin tools installed have run dsqueries from here before no problems
Ok, so this should work :) I tested it before posting :/ I will check that once again when I go back home
Krzysztof
Is it possible to use PowerShell in your environment? There is a completely free PowerShell module for AD from Quest, which is more flexible and easier to use.
If you can download it and install on your workstation, please let me know. I will post a syntax for PS here
Krzysztof
So, can we do something more for you? Use PowerShell or other help?
I don't know why DS syntax doesn't work for you. In my env works fine, but we can try to use PowerShell instead of that :)
You may download Quest PS module for AD (completely free) from
http://www.quest.com/powershell/activeroles-server.aspx
Krzysztof
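For the workstation count, hostname list and "switch that to servers" questions raised above, an added example (not code from anyone in this thread) that queries AD through the built-in `[adsisearcher]` accelerator, so no extra module is needed. The function name `Get-DomainComputer` is hypothetical, the output path reuses `C:\all-wks.txt` from the thread, and splitting servers from workstations on the `operatingSystem` attribute is an assumption about how the computer objects are populated.

```powershell
# Added example; assumes it runs on a domain-joined machine as a domain user.
function Get-DomainComputer {
    param([switch]$Servers)

    # Server editions carry "Server" in operatingSystem; negate for workstations.
    # Objects with no operatingSystem value also land in the workstation set.
    $os = '(operatingSystem=*Server*)'
    if (-not $Servers) { $os = "(!$os)" }

    $searcher = [adsisearcher]"(&(objectCategory=computer)$os)"
    $searcher.PageSize = 1000   # paged search returns every match, not a capped subset
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('operatingSystem')

    foreach ($result in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Name = [string]($result.Properties['name'] | Select-Object -First 1)
            OS   = [string]($result.Properties['operatingsystem'] | Select-Object -First 1)
        }
    }
}

$workstations = @(Get-DomainComputer)
$servers      = @(Get-DomainComputer -Servers)
"Workstations: $($workstations.Count)   Servers: $($servers.Count)"

# One hostname per line, ready to feed a scanner or an audit script.
$workstations | ForEach-Object { $_.Name } | Set-Content 'C:\all-wks.txt'
```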
ASKER
Hey, could you do some beginner steps how to use this new tool to achieve what I am after - is it possible to draw all this info in a single report?
Yes it is, but I need to check how to do that :)
Can you post here once again (in short) your needs, please?
After that I would try to create single PS script for that.
Thank you in advance
Krzysztof
ASKER
Ok thanks:
Is there any tool or technique that can return in a single report for every local workstation joined to the domain local users, account status (i.e. active or disabled) and group memberships? They are predominantly running XP.
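One way to build the single report asked for here, as an added example that is not code from anyone in this thread: it reads local users, disabled status and group memberships through the ADSI WinNT provider, and adds the `AutoAdminLogon` registry check mentioned earlier. Assumptions: `C:\all-wks.txt` holds one hostname per line, the account running it is a local administrator on the targets, and the Remote Registry service is running there; the function name and the output path are hypothetical.

```powershell
# Added example. Assumed: C:\all-wks.txt (one hostname per line), local admin
# rights on the targets, Remote Registry service running on them.
$WinlogonKey    = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$AccountDisable = 0x2   # ADS_UF_ACCOUNTDISABLE bit of the UserFlags property

function Get-LocalAccountReport {
    param([string]$ComputerName)

    # AutoAdminLogon = 1 means automatic logon is configured.
    $autoLogon = 'unknown'
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $autoLogon = ($hklm.OpenSubKey($WinlogonKey).GetValue('AutoAdminLogon', '0') -eq '1')
        $hklm.Close()
    } catch { }   # registry unreachable: keep 'unknown', still list the accounts

    $computer = [ADSI]"WinNT://$ComputerName,computer"
    $users = $computer.psbase.Children | Where-Object { $_.psbase.SchemaClassName -eq 'user' }
    foreach ($user in $users) {
        # Groups() returns COM objects, so Name is read through late binding.
        $groups = @($user.psbase.Invoke('Groups') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })
        New-Object PSObject -Property @{
            Computer  = $ComputerName
            User      = [string]$user.Name.Value
            Disabled  = [bool]($user.UserFlags.Value -band $AccountDisable)
            Groups    = ($groups -join ';')
            AutoLogon = $autoLogon
        }
    }
}

$report = foreach ($name in (Get-Content 'C:\all-wks.txt' | Where-Object { $_.Trim() })) {
    try { Get-LocalAccountReport -ComputerName $name.Trim() }
    catch { Write-Warning "$name : $($_.Exception.Message)" }
}
$report | Select-Object Computer, User, Disabled, Groups, AutoLogon |
    Export-Csv 'C:\local-accounts.csv' -NoTypeInformation
```

Rows where User is Guest and Disabled is False are the guest-enabled workstations; blank passwords are not covered by this script.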
ASKER
Also wondered if you had any suggestions on tools /techniques for a global user access/data security review in a windows environment. 4000 or so users. Areas to cover etc. Mix of fat/thin client, probably 80% still on traditional workstations.