[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 289
  • Last Modified:

Global workstation user review

Is there any tool or technique that can return in a single report for every local workstation joined to the domain local users, account status (i.e. active or disabled) and group memeberships? They are predominantly running XP.
0
pma111
Asked:
pma111
  • 19
  • 16
  • 2
  • +1
3 Solutions
 
SteveIT ManagerCommented:
Have you considered running dsquery
0
 
pma111Author Commented:
Can youy go into some more detail on how this would help return this kind of data across a large domain?
0
 
NikCommented:
We use LAN Sweeper in our environment. It is a very powerful tool that will give you more info than you'll ever need :)
For what it offers, it is not very expensive too.
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
pma111Author Commented:
Sorry no spare budget for commercial tools right now
0
 
NikCommented:
There is also a free version available. Check if you can get use of it:
http://www.lansweeper.com/
0
 
Krzysztof PytkoActive Directory EngineerCommented:
For now, I can think of using net user to prepare some script and put results into a text file on a publicly available share.
Each user can use that command

Please check on your workstation with

net user
you will get all local users from the workstation

net user <local-user-name-from-list>
will give you full detals about the user.

I would try to prepare something useful, but I need some time :) (if you're interested)

Regards,
Krzysztof
0
 
pma111Author Commented:
Yes would be interested that would help us lots.
0
 
Krzysztof PytkoActive Directory EngineerCommented:
OK, so I'm starting to write a script and test it :)

Krzysztof
0
 
pma111Author Commented:
I did wondered about spiceworks for this task - but not sure if it has a report capable of listing all for all? And stuff like:

workstations where guest is enabled
workstations where autologon is enabled
workstations where local accounts have blank passwords etc

If you have any idea how to identify those that would help.
0
 
Krzysztof PytkoActive Directory EngineerCommented:
So, for that you can use logon/startup script or PsExec to execute it for remote PC (requires admin rights)

net local guest | find /i "Account is active" (check how this line is called in OS in your language)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon (value 0x1 means that autologon is active)

for the last one, I have no idea :(

Krzysztof
0
 
Krzysztof PytkoActive Directory EngineerCommented:
OK, I found the best solution :)
Microsoft Baseline Security Analyzer (MBSA)
http://technet.microsoft.com/en-us/security/cc184924

It's free and allows for checks:
local user accounts, blank passwords and guest account status and of course other checks :). Can you check if it's enough for you?

Krzysztof
0
 
pma111Author Commented:
Problem is we have over 2000 devices to audit.

Does it test for autologon?

Other issue is it doesnt list other powerful security groups such as power users or backup ops
0
 
Krzysztof PytkoActive Directory EngineerCommented:
2000 is no problem, it can scan IP range or computers list. For autologon I'm not sure, maybe it is (as security issue)

Download it, install and scan your workstation to check if that report is acceptable by you :)

As you can see, there is no one tool for all of that requirements :/
Probably PowerShell script would be more appropriately but I'm not PS expert :(

You may also ask another question in PowerShell, VB Script zones ?

Krzysztof
0
 
pma111Author Commented:
I think MBSA will be a decent enough start.

Its a shame spiceworks only supports up to 250 devices or that would have helped.
0
 
pma111Author Commented:
Daft question - but where could we find IP ranges across our 2000 workstations?

Can you do a report to just list IP ranges for workstations as opposed infrastructure devices/servers?
0
 
pma111Author Commented:
>>2000 is no problem, it can scan IP range or computers list

Where can you scan just a list?

I can only see domain or IP address range as options?

Thanks
0
 
Krzysztof PytkoActive Directory EngineerCommented:
You can scan whole IP range if you wish :) or particular domain
Depends on your requirements. That can be selected in MBSA before you start scanning

Krzysztof
0
 
Krzysztof PytkoActive Directory EngineerCommented:
OK, I checked. MBSA checks also autologon for a workstation :)

Krzysztof
0
 
pma111Author Commented:
Cool - do you know any easy way to report exact numbers of workstations in a domain? You used to suggest some very clever commands that could do such things. Ideally if could get a total count and hostname that would help me no end.

Have you ever run this tool per domain in a large enterprise? Did it cause performance probs?
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Yes, I did it in my company. There were no performance issue but it took some time :/ (over 2000 workstations)

To get all of your worlstations in a domain you can use dsquery and dsget together (run on a DC or workstation with Administrative Tools installed)

dsquery computer -name * -limit 0 | dsget computer -samid >>c:\all-wks.txt

or

dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -attr name >>c:\all-wks.txt

import text file into Excel, remove unnecessary lines and voila! :)

Krzysztof
0
 
pma111Author Commented:
Do you know how long it took to do the mbsa scans for your 2000 comps? Thanks
0
 
Krzysztof PytkoActive Directory EngineerCommented:
It depends on scan options, basic scan should take no more than 4 hrs.

Krzysztof
0
 
pma111Author Commented:
Cheers ISiek

for

dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -attr name >>c:\all-wks.txt

How do I amend that query to limit all results?

And

How do you switch that to servers?

Cheers
0
 
pma111Author Commented:
dsquery computer -name * -limit 0 | dsget computer -samid >>c:\all-wks.txt

returns an error dsget failed: the server is not operational

any ideas?
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Oh sorry, for that you need to place one more swithc "-limit 0" to display all entries (by default only first 100 are displayed)

so, full syntax looks like

dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -limit 0 -attr name >>c:\all-wks.txt

and that error from second suntax, where do you run this command (on a DC or workstation)?

Krzysztof
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Does this fixed syntax work for you? What about that dsquery/dsget structure ? Does it still fail? What is your Domain Functional Level and on which OS do you run those commands?

Thanks in advance for feedback.

Krzysztof
0
 
pma111Author Commented:
I run them from XP and domain functional level is 2003
0
 
pma111Author Commented:
ANd run it from workstation but do have admin tools installed
0
 
Krzysztof PytkoActive Directory EngineerCommented:
You need to have Administrative Tools installed on your workstation to be able to use them. You can find it on a Server in %WINDIR%\SYSTEM32\adminpak.msi

If you cannot install it on your workstation, please ask administrator or log in to DC (if you are able to do that :) )

Krzysztof
0
 
pma111Author Commented:
weirdly - if I paste that:

dsquery * -filter "&(&(objectClass=Computer)(objectCategory=Computer))" -limit 0 -attr name >>c:\all-wks.txt

Into a command prompt it just seems to ignore it and not execute then go back to C:>

without running anything
0
 
pma111Author Commented:
I have admin tools installed have run dsqueries from here before no problems
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Ok, so this should work :) I tested it before posting :/ I will check that once again when I go back home

Krzysztof
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Is it possible to use PowerShell in your environment? There is completely free PowerShell module for AD from Quest, which is more flexible and easier in use.

If you can download it and install on your workstation, please let me know. I will post a syntax for PS here

Krzysztof
0
 
Krzysztof PytkoActive Directory EngineerCommented:
So, can we do something more for you? Use PowerShell or other help?
I don't know why DS syntax doesn't work for you. In my env works fine, but we can try to use PowerShell instead of that :)

You may download Quest PS module for AD (completely free) from
http://www.quest.com/powershell/activeroles-server.aspx

Krzysztof
0
 
pma111Author Commented:
Hey, could you do some beginner steps how to use this new tool to acheive what I am after - is it possible to draw all this info in a single report?
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Yes it is, but I need to check how to do that :)
Can you post here once again (in short) your needs, please?
After that I would try to create single PS script for that.

Thank you in advance

Krzysztof
0
 
pma111Author Commented:
Ok thanks:

Is there any tool or technique that can return in a single report for every local workstation joined to the domain local users, account status (i.e. active or disabled) and group memeberships? They are predominantly running XP.
0
 
pma111Author Commented:
Also wondered if you had any suggestions on tools /techniques for a global user access/data security review in a windows environment. 4000 or so users. Areas to cover etc. Mix of fat/thin client, probably 80% still on traditional workstations.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

  • 19
  • 16
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now