Solved

Domain in Distress - Have little control over computers

Posted on 2008-06-20
Last Modified: 2013-12-09
On this domain, every time I try to access a computer it either tells me that I have no access, or that it's not turned on. They are turned on.
I have modified the Domain Computers to allow Domain Admins to pass through. But I may have to further modify that to all OUs.
I try to execute a script and it just doesn't work.

Part one - Goes through and modifies the registry and changes the locks on the Symantec AntiVirus software in order for it to be uninstalled.

Part two - Goes through and uninstalls the software.

My problem is that the admin$ share, which these tools access in order to remove Symantec, is missing on most of the computers.
It seems that the IT personnel before me didn't want admins to access or be able to remote into the users' computers. So they modified the computers in order to prevent remote access.
We have to access computers via VNC, which uses the Explorer GUI interface and requests permission. OK, that works, but the normal Windows remote stuff doesn't.

Here is what I can do:

1. I can remote into the registry.
2. I can remote into Computer Management, which gives me access to many things.
    a. Shares - or to look at shares
    b. Services
    c. Event Logs

I see that the ADMIN$ share is missing on all the computers, and I found this article below -

Has anyone ever tangled with something like this before?

 
RESOLUTION
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

To verify whether a computer is affected by this issue, follow these steps:

1. Examine the AutoShareServer and AutoShareWks registry values to make sure that they are not set to 0:
   a. Click Start, click Run, type regedit, and then press ENTER.
   b. Locate and then click the following registry sub-key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
   c. If the AutoShareServer and AutoShareWks DWORD values in the LanmanServer\Parameters sub-key are configured with a value data of 0, change that value to 1.
      Note If these values do not exist, you do not have to create them because the default behavior is to automatically create the administrative shares.
   d. Quit Registry Editor.

2. Restart the computer. Typically, computers that are running Windows Server 2003, Windows XP, Windows 2000, or Windows NT 4.0 automatically create the administrative shares during startup.

3. After the computer restarts, verify that the administrative shares are active. To examine the shares, use the net share command. To do this, follow these steps:
   a. Click Start, click Run, type cmd, and then press ENTER.
   b. At the command prompt, type net share, and then press ENTER.
   c. Look for the Admin$, C$, and IPC$ administrative shares in the list of shares.



'Remove Symantec Remotely and Silently
'Results are stored in a log file: symantec.log

'--------------- Create Log File ----------------
'Open up the path to save the information into a text file
Dim Stuff, myFSO, WriteStuff, timeStamp
timeStamp = Time()

Set myFSO = CreateObject("Scripting.FileSystemObject")
Set WriteStuff = myFSO.OpenTextFile("symantec.log", 2, True)   '2 = ForWriting, create the file if missing

Dim objShell: Set objShell = CreateObject("Wscript.Shell")

Dim startMsg
startMsg = "STARTING SCRIPT, YO!" & vbCrLf & "You do not need to click OK until it is done." & _
           vbCrLf & "When the script is done, it will say DONE, YO! Check symantec.log for results."

objShell.Popup startMsg, 3
'WScript.Echo startMsg

WriteStuff.WriteLine("Starting Script, yo!" & vbCrLf)

'-------------------- Grab computer names from computers.txt and store in array ----------------
strComputers = ""

On Error Resume Next

'Initialize global constants and variables.
Const FOR_READING = 1
g_strHostFile = "computers.txt"

'Read computer names for install from text file.
Set objFSO = CreateObject("Scripting.FileSystemObject")

If objFSO.FileExists(g_strHostFile) Then
  Set objTextStream = objFSO.OpenTextFile(g_strHostFile, FOR_READING)
Else
  WScript.Echo "ERROR: Input file " & g_strHostFile & " not found."
  WScript.Quit
End If

'Loop through the list of computers and build a comma-separated list.
Do Until objTextStream.AtEndOfStream
  readingInComputer = objTextStream.ReadLine
  'WScript.Echo vbCrLf & readingInComputer
  strComputers = strComputers & readingInComputer & ","
Loop

objTextStream.Close

'The trailing comma leaves an empty last element; the main loop stops when it reaches it.
arrComputers = Split(strComputers, ",")

'----------------------------- Symantec Piece ---------------------------------
'Pre condition: arrComputers must be populated from computers.txt

'------- Insert all Available Keys Here-------------------
Dim strSymantecKeys
strSymantecKeys = "{33CFCF98-F8D6-4549-B469-6F4295676D83},{33CFCF98-F8D6-4549-B469-6F4295676D83}"
'---------------------------------------------------------

Const HKEY_LOCAL_MACHINE = &H80000002

arrSymantecKeys = Split(strSymantecKeys, ",")

For Each strComputer In arrComputers
  On Error Resume Next

  '---- If computername is blank then exit loop ---
  If strComputer = "" Then
    Exit For
  End If

  '----------- Set Uninstall Password & LockUnloadSvcs Registry Key Values -------
  Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
  'objShell.Popup "Error = " & Err.Number & "!!!", 1

  '---- If GetObject fails, server is offline or doesn't exist -------------
  If Err.Number <> 0 Then
    Err.Clear
    objShell.Popup "ERROR: " & strComputer & " is offline or access is denied", 1
    'WScript.Echo "ERROR: " & strComputer & " is offline or access is denied"

    'write to log file
    WriteStuff.WriteLine(timeStamp & "  " & strComputer & " - ERROR! It is offline or doesn't exist.")
    On Error GoTo 0

  '------ Else go ahead and remove Registry Keys ---------------------
  Else
    On Error GoTo 0

    'The registry changes (part one) are commented out as posted.
    'strKeyPath = "SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security"
    'ValueName = "LockUnloadServices"
    'objReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, ValueName, strValue
    'If strValue <> 0 Then
    '  objReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, ValueName, 1
    '  'WScript.Echo strComputer & ": LockUnloadServices set to: " & strValue
    'End If

    'ValueName = "UseVPUninstallPassword"
    'objReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, ValueName, strValue
    'If strValue <> 0 Then
    '  objReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, ValueName, 1
    '  'WScript.Echo strComputer & ": UninstallPW set to: " & strValue
    'End If

    '----- Run MSIEXEC to remove Symantec -------------
    For Each strSymantecKey In arrSymantecKeys
      'Window style 8, wait for psexec to return before the next key
      objShell.Run "c:\pstools\psexec \\" & strComputer & " MsiExec.exe /norestart /q /x " & strSymantecKey & " REMOVE=ALL", 8, True
    Next

    'Print to log file
    WriteStuff.WriteLine(timeStamp & " - " & strComputer & " - Symantec Removed.")
    'objShell.Popup strComputer & " - Symantec Removed", 1
    'WScript.Echo strComputer & " - Symantec Removed"
  End If

  Set objReg = Nothing
Next

'Write to log file and close it
WriteStuff.WriteLine(vbCrLf & "Script is Done, yo!")
WriteStuff.Close
Set WriteStuff = Nothing
Set myFSO = Nothing
Set objShell = Nothing

'Let user know the script is done!
WScript.Echo "SCRIPT IS DONE, YO!!!"

Question by:mark_randolph
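An added example, not from the original question or the poster's VBScript: a PowerShell audit that reads the same computers.txt, checks the AutoShareServer/AutoShareWks values and the Admin$/C$/IPC$ shares the KB steps above describe, and writes one line per host to a log, the way the poster's script does. The log name adminshares.log, the -Fix switch and the Test-AdminShares function are assumptions of this example; it assumes Remote Registry and WMI are reachable and you run it as a domain admin.

```powershell
param([switch]$Fix)   # -Fix sets AutoShare* values of 0 back to 1, as the KB steps direct

$hostFile = 'computers.txt'    # one hostname per line, the same input file the poster's script reads
$log      = 'adminshares.log'  # constructed log name for this example
$keyPath  = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-AdminShares {
    param([string]$Computer, [bool]$Repair)
    $r = [ordered]@{ Computer = $Computer; AutoShareServer = 'absent'; AutoShareWks = 'absent'
                     Shares = @(); Status = 'ok' }
    try {
        # Same key the KB steps inspect by hand, read through the Remote Registry service.
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key  = $base.OpenSubKey($keyPath, $Repair)   # writable only when repairing
        if ($null -eq $key) { throw "$keyPath not found" }
        foreach ($name in 'AutoShareServer', 'AutoShareWks') {
            $v = $key.GetValue($name)                  # $null = not set = default (shares created)
            if ($null -eq $v) { continue }
            $r[$name] = $v
            if ($Repair -and $v -eq 0) {
                $key.SetValue($name, 1, 'DWord')       # takes effect after the next restart
                $r[$name] = '0 -> 1 (restart required)'
            }
        }
        $key.Close(); $base.Close()
        # Equivalent of running "net share" on the target: which admin shares really exist.
        $r.Shares = @(Get-WmiObject -Class Win32_Share -ComputerName $Computer -ErrorAction Stop |
                      Where-Object { $_.Name -in 'ADMIN$', 'C$', 'IPC$' } |
                      ForEach-Object { $_.Name })
        if ($r.AutoShareServer -eq 0 -or $r.AutoShareWks -eq 0 -or $r.Shares.Count -lt 3) {
            $r.Status = 'admin shares disabled'
        }
    } catch {
        # Offline, host firewall, Remote Registry stopped, or access denied: log it and move on.
        $r.Status = "unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]$r
}

if (-not (Test-Path $hostFile)) { throw "Input file $hostFile not found." }
foreach ($entry in Get-Content $hostFile) {
    if (-not $entry.Trim()) { continue }            # skip blank lines, like the poster's Exit For
    $res  = Test-AdminShares -Computer $entry.Trim() -Repair $Fix.IsPresent
    $line = '{0:u}  {1}  AutoShareServer={2} AutoShareWks={3} shares=[{4}]  {5}' -f @((Get-Date),
            $res.Computer, $res.AutoShareServer, $res.AutoShareWks, ($res.Shares -join ','), $res.Status)
    Add-Content -Path $log -Value $line
    $line
}
```

Hosts reported as "admin shares disabled" still need the restart from step 2 of the KB before the shares reappear, and a host reported "unreachable" may simply have a local firewall or a stopped Remote Registry service, which is the other cause the thread discusses.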
7 Comments
 
Author Comment by:mark_randolph
ID: 21830912
Can anyone help?
 
Expert Comment by:JapyDooge
ID: 21830994
Are you sure there aren't firewalls enabled on those machines? They can be blocking your requests.

For our company, we decided to disable all internal firewalls on all computers (only virus scanning) and put an expensive firewall in front of our proxy server.
 
Author Comment by:mark_randolph
ID: 21836139
I did find a TechNet article that dealt with a group policy that allows a GPO to disable it, and I did that too; hopefully it works.
Author Comment by:mark_randolph
ID: 22012176
All the computers were locked down; the administrative shares were disabled, so no external commands could be executed. I refined the script and completed the task. Interesting to disable the internal firewalls on all the PCs. I don't think that we will do such a thing. Too risky...
But thanks to all those that added their two cents.
 
Author Comment by:mark_randolph
ID: 22326973
The solution was that the Windows 2000 machines and the GPO were not adjusted right. Meaning, back before the GPO was the way to modify networks, the administrators at the time constructed local policies. They really messed with operation and ease of handling.
Modify GPO
Remove local policy
and added a script to place the local shares back on the Windows 2000 machines
 
Accepted Solution by: Computer101 (earned 0 total points)
ID: 22444435
PAQed with points refunded (500)

Computer101
EE Admin
