Pau Lo

Global workstation user review

Is there any tool or technique that can return in a single report for every local workstation joined to the domain local users, account status (i.e. active or disabled) and group memberships? They are predominantly running XP.
SOLUTION
Steve Smith
This solution is only available to members.
Pau Lo

ASKER

Can you go into some more detail on how this would help return this kind of data across a large domain?
SOLUTION
Pau Lo

ASKER

Sorry no spare budget for commercial tools right now
There is also a free version available. Check if you can get use of it:
http://www.lansweeper.com/
ASKER CERTIFIED SOLUTION
Pau Lo

ASKER

Yes would be interested that would help us lots.
OK, so I'm starting to write a script and test it :)

Krzysztof
Pau Lo

ASKER

I did wonder about Spiceworks for this task - but not sure if it has a report capable of listing all for all? And stuff like:

workstations where guest is enabled
workstations where autologon is enabled
workstations where local accounts have blank passwords etc

If you have any idea how to identify those that would help.
So, for that you can use logon/startup script or PsExec to execute it for remote PC (requires admin rights)

net user guest | find /i "Account active" (check how this line is called in OS in your language)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon (value 0x1 means that autologon is active)

for the last one, I have no idea :(

Krzysztof
OK, I found the best solution :)
Microsoft Baseline Security Analyzer (MBSA)
http://technet.microsoft.com/en-us/security/cc184924

It's free and allows for checks:
local user accounts, blank passwords and guest account status and of course other checks :). Can you check if it's enough for you?

Krzysztof
Pau Lo

ASKER

Problem is we have over 2000 devices to audit.

Does it test for autologon?

Other issue is it doesn't list other powerful security groups such as power users or backup ops
2000 is no problem, it can scan IP range or computers list. For autologon I'm not sure, maybe it is (as security issue)

Download it, install and scan your workstation to check if that report is acceptable by you :)

As you can see, there is no one tool for all of those requirements :/
Probably a PowerShell script would be more appropriate but I'm not a PS expert :(

You may also ask another question in the PowerShell, VB Script zones?

Krzysztof
Pau Lo

ASKER

I think MBSA will be a decent enough start.

It's a shame Spiceworks only supports up to 250 devices or that would have helped.
Pau Lo

ASKER

Daft question - but where could we find IP ranges across our 2000 workstations?

Can you do a report to just list IP ranges for workstations as opposed to infrastructure devices/servers?
Pau Lo

ASKER

>>2000 is no problem, it can scan IP range or computers list

Where can you scan just a list?

I can only see domain or IP address range as options?

Thanks
You can scan whole IP range if you wish :) or particular domain
Depends on your requirements. That can be selected in MBSA before you start scanning

Krzysztof
OK, I checked. MBSA checks also autologon for a workstation :)

Krzysztof
Pau Lo

ASKER

Cool - do you know any easy way to report exact numbers of workstations in a domain? You used to suggest some very clever commands that could do such things. Ideally if could get a total count and hostname that would help me no end.

Have you ever run this tool per domain in a large enterprise? Did it cause performance probs?
Yes, I did it in my company. There were no performance issue but it took some time :/ (over 2000 workstations)

To get all of your workstations in a domain you can use dsquery and dsget together (run on a DC or workstation with Administrative Tools installed)

dsquery computer -name * -limit 0 | dsget computer -samid >>c:\all-wks.txt

or

dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -attr name >>c:\all-wks.txt

import text file into Excel, remove unnecessary lines and voila! :)

Krzysztof
Pau Lo

ASKER

Do you know how long it took to do the mbsa scans for your 2000 comps? Thanks
It depends on scan options, basic scan should take no more than 4 hrs.

Krzysztof
Pau Lo

ASKER

Cheers ISiek

for

dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -attr name >>c:\all-wks.txt

How do I amend that query to limit all results?

And

How do you switch that to servers?

Cheers
Pau Lo

ASKER

dsquery computer -name * -limit 0 | dsget computer -samid >>c:\all-wks.txt

returns an error dsget failed: the server is not operational

any ideas?
Oh sorry, for that you need to place one more switch "-limit 0" to display all entries (by default only first 100 are displayed)

so, full syntax looks like

dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -limit 0 -attr name >>c:\all-wks.txt

and that error from second syntax, where do you run this command (on a DC or workstation)?

Krzysztof
Does this fixed syntax work for you? What about that dsquery/dsget structure ? Does it still fail? What is your Domain Functional Level and on which OS do you run those commands?

Thanks in advance for feedback.

Krzysztof
Pau Lo

ASKER

I run them from XP and domain functional level is 2003
Pau Lo

ASKER

And run it from workstation but do have admin tools installed
You need to have Administrative Tools installed on your workstation to be able to use them. You can find it on a Server in %WINDIR%\SYSTEM32\adminpak.msi

If you cannot install it on your workstation, please ask administrator or log in to DC (if you are able to do that :) )

Krzysztof
Pau Lo

ASKER

weirdly - if I paste that:

dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -limit 0 -attr name >>c:\all-wks.txt

Into a command prompt it just seems to ignore it and not execute then go back to C:>

without running anything
Pau Lo

ASKER

I have admin tools installed have run dsqueries from here before no problems
Ok, so this should work :) I tested it before posting :/ I will check that once again when I go back home

Krzysztof
Is it possible to use PowerShell in your environment? There is a completely free PowerShell module for AD from Quest, which is more flexible and easier to use.

If you can download it and install on your workstation, please let me know. I will post a syntax for PS here

Krzysztof
So, can we do something more for you? Use PowerShell or other help?
I don't know why DS syntax doesn't work for you. In my env works fine, but we can try to use PowerShell instead of that :)

You may download Quest PS module for AD (completely free) from
http://www.quest.com/powershell/activeroles-server.aspx

Krzysztof
Pau Lo

ASKER

Hey, could you do some beginner steps how to use this new tool to achieve what I am after - is it possible to draw all this info in a single report?
Yes it is, but I need to check how to do that :)
Can you post here once again (in short) your needs, please?
After that I would try to create single PS script for that.

Thank you in advance

Krzysztof
Pau Lo

ASKER

Ok thanks:

Is there any tool or technique that can return in a single report for every local workstation joined to the domain local users, account status (i.e. active or disabled) and group memberships? They are predominantly running XP.
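
Added example, not part of the original thread and not code from any participant: a PowerShell script that builds the single report requested above (local users, disabled status, local group memberships such as Power Users or Backup Operators, plus the AutoAdminLogon value) using the built-in ADSI WinNT provider and remote registry rather than the Quest module. The input file is the dsquery output from the thread cleaned to one hostname per line; the output path and the helper names Get-AutoLogon and New-Row are assumptions.

```powershell
# Added example. Assumes C:\all-wks.txt holds one hostname per line (the dsquery
# output from the thread, cleaned up); C:\local-accounts.csv is a hypothetical
# output path. Needs local admin rights on the targets, and the Remote Registry
# service running there for the autologon check.
$ErrorActionPreference = 'Stop'
$ADS_UF_ACCOUNTDISABLE = 0x2   # "account disabled" bit of the UserFlags property
$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogon([string]$Computer) {   # hypothetical helper name
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key  = $hklm.OpenSubKey($winlogon)
        if ($key -eq $null) { return 'unknown' }
        return [string]($key.GetValue('AutoAdminLogon') -eq '1')
    } catch { return 'unknown' }
}

function New-Row($Computer, $User, $Disabled, $Groups, $AutoLogon, $Problem) {
    New-Object PSObject -Property @{ Computer = $Computer; User = $User; Disabled = $Disabled
        Groups = $Groups; AutoLogon = $AutoLogon; Problem = $Problem }
}

$report = foreach ($name in (Get-Content 'C:\all-wks.txt' | Where-Object { $_.Trim() })) {
    $name = $name.Trim()
    $autoLogon = Get-AutoLogon $name
    try {
        # WinNT provider: enumerate the machine's local SAM accounts over the network
        $users = @(([ADSI]"WinNT://$name,computer").psbase.Children |
                   Where-Object { $_.psbase.SchemaClassName -eq 'user' })
    } catch {
        New-Row $name '' '' '' $autoLogon $_.Exception.Message   # unreachable or access denied
        continue
    }
    foreach ($u in $users) {
        # Groups returns COM objects, so read each Name by late binding
        $groups = @($u.psbase.Invoke('Groups') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
        $disabled = [bool]($u.UserFlags.Value -band $ADS_UF_ACCOUNTDISABLE)
        New-Row $name $u.Name.Value $disabled ($groups -join ';') $autoLogon ''
    }
}
$report | Select-Object Computer, User, Disabled, Groups, AutoLogon, Problem |
    Export-Csv 'C:\local-accounts.csv' -NoTypeInformation
```

Filtering the CSV on User = Guest with Disabled = False, or on AutoLogon = True, gives the per-workstation lists asked about earlier in the thread; machines that could not be queried appear as a single row with the reason in the Problem column.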
Pau Lo

ASKER

Also wondered if you had any suggestions on tools /techniques for a global user access/data security review in a windows environment. 4000 or so users. Areas to cover etc. Mix of fat/thin client, probably 80% still on traditional workstations.