Solved

Global workstation user review

Posted on 2011-09-21
Last Modified: 2012-05-12
Is there any tool or technique that can return in a single report for every local workstation joined to the domain local users, account status (i.e. active or disabled) and group memberships? They are predominantly running XP.
Question by:pma111
39 Comments
 
LVL 17

Assisted Solution

by:sgsm81
sgsm81 earned 100 total points
ID: 36572425
Have you considered running dsquery
0
 
LVL 3

Author Comment

by:pma111
ID: 36572437
Can you go into some more detail on how this would help return this kind of data across a large domain?
0
 
LVL 17

Assisted Solution

by:Nik
Nik earned 100 total points
ID: 36572484
We use LAN Sweeper in our environment. It is a very powerful tool that will give you more info than you'll ever need :)
For what it offers, it is not very expensive too.
0
 
LVL 3

Author Comment

by:pma111
ID: 36572489
Sorry no spare budget for commercial tools right now
0
 
LVL 17

Expert Comment

by:Nik
ID: 36572499
There is also a free version available. Check if you can get use of it:
http://www.lansweeper.com/
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 300 total points
ID: 36573062
For now, I can think of using net user to prepare some script and put results into a text file on a publicly available share.
Each user can use that command

Please check on your workstation with

net user
you will get all local users from the workstation

net user <local-user-name-from-list>
will give you full details about the user.

I would try to prepare something useful, but I need some time :) (if you're interested)

Regards,
Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36573070
Yes would be interested that would help us lots.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36573077
OK, so I'm starting to write a script and test it :)

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36573080
I did wonder about Spiceworks for this task - but not sure if it has a report capable of listing all for all? And stuff like:

workstations where guest is enabled
workstations where autologon is enabled
workstations where local accounts have blank passwords etc

If you have any idea how to identify those that would help.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36573126
So, for that you can use logon/startup script or PsExec to execute it for remote PC (requires admin rights)

net user guest | find /i "Account active" (check how this line is called in OS in your language)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon (value 0x1 means that autologon is active)

for the last one, I have no idea :(

Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36573135
OK, I found the best solution :)
Microsoft Baseline Security Analyzer (MBSA)
http://technet.microsoft.com/en-us/security/cc184924

It's free and allows for checks:
local user accounts, blank passwords and guest account status and of course other checks :). Can you check if it's enough for you?

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36573145
Problem is we have over 2000 devices to audit.

Does it test for autologon?

Other issue is it doesn't list other powerful security groups such as power users or backup ops
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36573160
2000 is no problem, it can scan IP range or computers list. For autologon I'm not sure, maybe it is (as security issue)

Download it, install and scan your workstation to check if that report is acceptable by you :)

As you can see, there is no one tool for all of those requirements :/
Probably a PowerShell script would be more appropriate but I'm not a PS expert :(

You may also ask another question in PowerShell, VB Script zones ?

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36573167
I think MBSA will be a decent enough start.

It's a shame Spiceworks only supports up to 250 devices or that would have helped.
0
 
LVL 3

Author Comment

by:pma111
ID: 36573175
Daft question - but where could we find IP ranges across our 2000 workstations?

Can you do a report to just list IP ranges for workstations as opposed to infrastructure devices/servers?
0
 
LVL 3

Author Comment

by:pma111
ID: 36573190
>>2000 is no problem, it can scan IP range or computers list

Where can you scan just a list?

I can only see domain or IP address range as options?

Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36573210
You can scan whole IP range if you wish :) or particular domain
Depends on your requirements. That can be selected in MBSA before you start scanning

Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36573223
OK, I checked. MBSA checks also autologon for a workstation :)

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36573241
Cool - do you know any easy way to report exact numbers of workstations in a domain? You used to suggest some very clever commands that could do such things. Ideally if could get a total count and hostname that would help me no end.

Have you ever run this tool per domain in a large enterprise? Did it cause performance probs?
0

 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36573292
Yes, I did it in my company. There were no performance issues but it took some time :/ (over 2000 workstations)

To get all of your workstations in a domain you can use dsquery and dsget together (run on a DC or workstation with Administrative Tools installed)

dsquery computer -name * -limit 0 | dsget computer -samid >>c:\all-wks.txt

or

dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -attr name >>c:\all-wks.txt

import text file into Excel, remove unnecessary lines and voila! :)

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36573369
Do you know how long it took to do the mbsa scans for your 2000 comps? Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36573394
It depends on scan options, basic scan should take no more than 4 hrs.

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36573418
Cheers ISiek

for

dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -attr name >>c:\all-wks.txt

How do I amend that query to limit all results?

And

How do you switch that to servers?

Cheers
0
 
LVL 3

Author Comment

by:pma111
ID: 36573522
dsquery computer -name * -limit 0 | dsget computer -samid >>c:\all-wks.txt

returns an error dsget failed: the server is not operational

any ideas?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36575939
Oh sorry, for that you need to place one more switch "-limit 0" to display all entries (by default only first 100 are displayed)

so, full syntax looks like

dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -limit 0 -attr name >>c:\all-wks.txt

and that error from second syntax, where do you run this command (on a DC or workstation)?

Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586215
Does this fixed syntax work for you? What about that dsquery/dsget structure ? Does it still fail? What is your Domain Functional Level and on which OS do you run those commands?

Thanks in advance for feedback.

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36586338
I run them from XP and domain functional level is 2003
0
 
LVL 3

Author Comment

by:pma111
ID: 36586341
And run it from workstation but do have admin tools installed
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586345
You need to have Administrative Tools installed on your workstation to be able to use them. You can find it on a Server in %WINDIR%\SYSTEM32\adminpak.msi

If you cannot install it on your workstation, please ask administrator or log in to DC (if you are able to do that :) )

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36586346
weirdly - if I paste that:

dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -limit 0 -attr name >>c:\all-wks.txt

Into a command prompt it just seems to ignore it and not execute then go back to C:>

without running anything
0
 
LVL 3

Author Comment

by:pma111
ID: 36586355
I have admin tools installed have run dsqueries from here before no problems
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586465
Ok, so this should work :) I tested it before posting :/ I will check that once again when I go back home

Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36588893
Is it possible to use PowerShell in your environment? There is completely free PowerShell module for AD from Quest, which is more flexible and easier in use.

If you can download it and install on your workstation, please let me know. I will post a syntax for PS here

Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36708312
So, can we do something more for you? Use PowerShell or other help?
I don't know why DS syntax doesn't work for you. In my env works fine, but we can try to use PowerShell instead of that :)

You may download Quest PS module for AD (completely free) from
http://www.quest.com/powershell/activeroles-server.aspx

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36708324
Hey, could you do some beginner steps how to use this new tool to achieve what I am after - is it possible to draw all this info in a single report?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36708531
Yes it is, but I need to check how to do that :)
Can you post here once again (in short) your needs, please?
After that I would try to create single PS script for that.

Thank you in advance

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36708668
Ok thanks:

Is there any tool or technique that can return in a single report for every local workstation joined to the domain local users, account status (i.e. active or disabled) and group memberships? They are predominantly running XP.
0
 
LVL 3

Author Comment

by:pma111
ID: 36708671
Also wondered if you had any suggestions on tools /techniques for a global user access/data security review in a windows environment. 4000 or so users. Areas to cover etc. Mix of fat/thin client, probably 80% still on traditional workstations.
0
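
One way to build the single report asked for in this thread, as an added example that is not code from any of the posters: a PowerShell function that reads local users, their disabled flag and their local group memberships through the ADSI WinNT provider, plus the AutoAdminLogon value through remote registry. The function name, the output column names and the file paths in the comments are assumptions made for the example; it needs administrator rights on every target.

```powershell
# Added example. Needs administrator rights on each target; the autologon
# check also needs the Remote Registry service running there.
function Get-LocalAccountReport {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($name in $ComputerName) {
        # AutoAdminLogon is the Winlogon value queried with reg.exe in the thread.
        $autoLogon = 'unknown'
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $name)
            $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
            $autoLogon = [string]$key.GetValue('AutoAdminLogon', '0')
            $hklm.Close()
        } catch { }

        try {
            $computer = [ADSI]"WinNT://$name,computer"
            $users = @($computer.psbase.Children |
                Where-Object { $_.SchemaClassName -eq 'User' })
        } catch {
            Write-Warning "$name could not be queried: $($_.Exception.Message)"
            continue
        }

        foreach ($user in $users) {
            # IADsUser::Groups returns the local groups this account belongs to.
            $groups = @($user.psbase.Invoke('Groups') | ForEach-Object {
                $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            })
            # Bit 0x2 of UserFlags is ADS_UF_ACCOUNTDISABLE.
            $disabled = [bool]($user.UserFlags.Value -band 0x2)
            New-Object PSObject -Property @{
                Computer  = $name
                User      = "$($user.Name)"
                Status    = $(if ($disabled) { 'Disabled' } else { 'Active' })
                Groups    = $groups -join '; '
                AutoLogon = $autoLogon
            } | Select-Object Computer, User, Status, Groups, AutoLogon
        }
    }
}

# Local machine only:
Get-LocalAccountReport | Format-Table -AutoSize
# Many machines, assuming C:\workstations.txt (hypothetical) holds one hostname per line:
# Get-LocalAccountReport (Get-Content C:\workstations.txt) |
#     Export-Csv C:\local-accounts.csv -NoTypeInformation
```

Filtering the resulting CSV on User = Guest and Status = Active, or on AutoLogon = 1, gives the per-workstation lists asked about earlier in the thread; blank-password detection is not covered here.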
