
Thursday, December 01, 2011

Allow non admin user to run a scheduled task on Windows 2008+ server

This all stemmed from an initial requirement: I wanted a SQL Agent job to run a Windows scheduled task. To do this I had to enable xp_cmdshell on the SQL Server. I don't want to go into the pros and cons of xp_cmdshell here, but to reduce the risk I configured xp_cmdshell to use a proxy account, a reduced-privilege Windows user. Note that the proxy account only applies to callers who are not members of the sysadmin role; for sysadmin callers xp_cmdshell still runs as the SQL Server service account.

However, in doing this I discovered that the proxy user could not run the existing scheduled tasks. This turned out to be because a task is only visible to the user that created it, or to an administrator. Under the hood each task is stored as an XML file under %SystemRoot%\System32\Tasks, and a non-admin user only sees tasks whose files they have read access to. So the existing tasks, having been created by an administrator, were not accessible to this lower-privileged user.

After trying many things to get this working I settled on the following solution. This may or may not be the correct way, but it works for me.

So I logged into Windows as the lower-privileged user and created a basic task in Task Scheduler. This task did nothing except start cmd.

Once this task had been created, I logged in as an administrator and modified the task to do what I actually wanted, including setting the option to run as another user (which you cannot set as the low-privilege user, since it needs that other account's credentials and the account needs the "Log on as a batch job" right).

So in essence, once the initial task has been created by the user, you can use an admin account to change the options that cannot be changed by the low-privilege user. Be aware of what this produces: a task that a low-privilege account can trigger but that runs under a higher-privileged account. That is only safe if the low-privilege account can change neither the task definition nor the program the task runs; otherwise it is a privilege escalation path.

If you do not set the run-as-another-user option, you will have to ensure that the non-admin account has appropriate access to the objects the task will try to use.

With this done, the task can now be executed by the low-privilege user, and hence the xp_cmdshell procedure can run under the reduced-privilege proxy account and start the scheduled task I wanted.

Note also that any administrator can see and run all scheduled tasks, including those created by the low-privilege user.

Now if I can just figure out how to assign rights to allow non-admin users to manage scheduled tasks, that would be great...
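Since the visibility of a task follows the ACL on its definition file, the permission can also be granted directly instead of having the low-privilege user create the task first. The following is an added example, not code from the original post. It assumes that on Windows 2008 and later each task is the XML file %SystemRoot%\System32\Tasks\<task name> and that read access to that file is what lets a non-admin see and run it; the task name MyTask and the account MYSERVER\SQLPROXY are placeholders.

```powershell
# Added example, not code from the original post. Assumption: on Windows 2008+
# a task is the XML file %SystemRoot%\System32\Tasks\<task name> and the ACL on
# that file decides which non-admins can see and run it. MyTask and
# MYSERVER\SQLPROXY are placeholder names.

function Grant-TaskAccess {
    param(
        [Parameter(Mandatory=$true)][string]$TaskName,   # 'MyTask' or 'Folder\MyTask'
        [Parameter(Mandatory=$true)][string]$Account,    # 'MYSERVER\SQLPROXY'
        [ValidateSet('ReadAndExecute','Modify')][string]$Rights = 'ReadAndExecute'
    )
    $taskFile = Join-Path "$env:SystemRoot\System32\Tasks" $TaskName
    if (-not (Test-Path -Path $taskFile)) { throw "No task definition at $taskFile" }

    # ReadAndExecute lets the account see and run the task. Modify would also let
    # it rewrite the task, which for a task that runs as a higher-privileged
    # account means running arbitrary commands as that account; avoid it.
    $acl  = Get-Acl -Path $taskFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'Allow')
    $acl.SetAccessRule($rule)          # replaces any existing explicit rule for this account
    Set-Acl -Path $taskFile -AclObject $acl

    # Return the rules that now apply to the account, for checking.
    (Get-Acl -Path $taskFile).Access | Where-Object { $_.IdentityReference.Value -eq $Account }
}

function Get-TaskRunAs {
    # Shows who a task runs as, read from the task's own XML, so a grant can be
    # reviewed against the account it would let the low-privilege user act through.
    param([Parameter(Mandatory=$true)][string]$TaskName)
    $taskFile = Join-Path "$env:SystemRoot\System32\Tasks" $TaskName
    $xml = [xml](Get-Content -Path $taskFile)
    $xml.Task.Principals.Principal | Select-Object UserId, LogonType, RunLevel
}

# Grant-TaskAccess -TaskName 'MyTask' -Account 'MYSERVER\SQLPROXY'
# Get-TaskRunAs    -TaskName 'MyTask'
```

Grant ReadAndExecute, not Modify: if the task runs as a privileged account, Modify would let the low-privilege user change the command and run anything as that account. Check the result by logging on as the low-privilege user and running schtasks /Query /TN MyTask and then schtasks /Run /TN MyTask.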



Wednesday, November 30, 2011

Netgear Switch – Setup routing between VLANs on same switch.

Scenario: I wanted to create two VLANs. One would be the main VLAN (most ports) and the second a smaller VLAN (fewer ports). I wanted to be able to route traffic between these VLANs on the switch itself.

Caveat: I am not a Netgear expert, and what is written here is my experience and research in setting up the required scenario, for my future reference and in the hope that it helps someone else.

Initial switch setup

I will not cover the initial setup, just how the switch was configured before I started this process.

All 24 ports were assigned to VLAN 1 as untagged, running on one subnet, 192.168.1.0/24, with a default gateway of 192.168.1.1.

Note: the learned routes will not appear until devices are connected to the switch on the member ports. So if you have nothing listed do not be alarmed, unless you do have something connected to one of the ports and are expecting it to appear.


VLAN IDs

  • 1
  • 8

VLAN subnets

  • VLAN1: 192.168.1.0/24
  • VLAN8: 192.168.8.0/24

VLAN switch Ports assignment

  • VLAN1: untagged ports 1 – 22
    with VLAN Routing interface of 192.168.1.253
  • VLAN8: untagged ports 23 – 24
    with routing interface of 192.168.8.1


PVID: Port VLAN ID

PVID is the Port VLAN ID. Untagged frames arriving on a port are assigned to the VLAN given by that port's PVID, so the PVID of each port should match the VLAN of which the port is an untagged member (otherwise traffic from the attached device ends up in a different VLAN from the one the port is supposed to be in).


Note: as mentioned earlier with the learned routes, until a learned route appears in the routing configuration you will not be able to ping the VLAN routing interface IP. This threw me for a while, as I was expecting to be able to ping it; it was only when I connected equipment to the member ports that the learned routes appeared and I could ping the VLAN IPs. The reason is that a VLAN routing interface is only up while at least one of its member ports has link; with nothing plugged in, the switch treats the interface as down, and neither it nor its connected route is active.

With all that done, you should find that the switch happily routes traffic between the VLANs. Bear in mind what that means: the VLANs are now separate broadcast domains but not separate security domains. Any host on VLAN 8 can reach any host on VLAN 1 through the switch unless you also apply ACLs on the switch, and the two routing interface addresses (192.168.1.253 and 192.168.8.1) need to be accounted for in whatever firewall policy you have at 192.168.1.1.

Multiple switches

Now if you wanted to do this across separate switches, I am guessing you would set up the VLANs on each switch, carry them between the switches over a tagged (trunk) port, and add static routes using the VLAN interface IPs as next hops for the VLAN networks.



Sunday, November 13, 2011

SQL Server–Shrink Transaction Log without taking database offline

We have a database that captures a large amount of data every day. Whilst the data is important, it is not critical, so it is backed up daily but we do not take transaction log backups, as this would be expensive and is just not warranted (losing one day's worth of data is acceptable).

The catch is that the database is in the FULL recovery model, and in that model the log is only truncated by a log backup. Since we never take one, the log is never truncated and just keeps growing. To shrink it we need to issue two commands.

BACKUP LOG <db name> WITH TRUNCATE_ONLY

This discards the inactive part of the log without backing it up. No committed data is lost, but the log backup chain is broken: you cannot restore past this point until you take a new full backup, so take one afterwards. Note that WITH TRUNCATE_ONLY was removed in SQL Server 2008; on 2008 and later the equivalent (and, given that we never take log backups, the more honest setting) is to switch the database to the SIMPLE recovery model, after which the log is truncated automatically at each checkpoint.

DBCC SHRINKFILE(<logical transaction log name>, 1000)

where 1000 is the size in MB to shrink the log file to, in this case 1 GB.
 


Tuesday, November 08, 2011

VHD compacting error–limitation in file system

I had used the Sysinternals tool disk2vhd to create a VHD image of one of my desktop machines that I wanted to virtualise.

I got this VM up and running in Hyper-V, and after removing a number of programs and files I wanted to compact the VHD file. So using Hyper-V's disk management I went to compact the disk, and got this error (message truncated):

System failed to compact ‘……….vhd’ ….. due to a file system limitation.

After a quick web search I discovered this was probably due to volume shadow copies inside the VHD. So I started the VM and ran the following command in the guest.

vssadmin delete shadows /all

Be aware that this removes every shadow copy on the guest, so any System Restore points or "previous versions" of files inside the VM go with it.

It must also be noted that I think vssadmin is being replaced with diskshadow (edit: diskshadow is currently only available on Windows Server 2008), so I think you can do the same thing with that program.

diskshadow

DISKSHADOW> delete shadows all

References:

http://www.expta.com/2010/06/unable-to-compact-vhd-due-to-file.html

http://technet.microsoft.com/en-us/library/cc772172%28WS.10%29.aspx

http://angrytechnician.wordpress.com/2011/02/23/vssadmin-is-dead-long-live-diskshadow/



Sunday, November 06, 2011

Batch File: Force delete of share

I have recently found that there is a way to force the deletion of a share. It was causing me grief in batch files, as net share would complain that a file was in use and wait for user input (Y/N).

You can use /Y in the command to force the yes; this is not listed in the command's help.

net share %Sharename% \\%COMPUTERNAME% /Y /DELETE

Someone else experienced this issue and kindly forwarded these reference links, so I include them here. Thanks.

The MS docs that don't tell us:
http://technet.microsoft.com/en-us/library/bb490712.aspx
Expert's Exchange had the answer in 2008 but hides it at the bottom of the page:
http://www.experts-exchange.com/Programming/Languages/Scripting/Shell/Batch/Q_23154208.html
also just answered it on SuperUser:
http://superuser.com/questions/285543/net-share-xyz-delete-fails-if-a-file-is-in-use-on-that-share/



Tuesday, November 01, 2011

Windows–Auto hide taskbar stops working

For a while I used to get an issue where my taskbar, which was set to auto-hide, would suddenly stop hiding.

This was bloody annoying; the only recourse was to log off or restart.

However, the other day I went searching for a solution and discovered a little program someone has written to sort out this problem.

It turns out the taskbar stops hiding because it thinks it is still displaying a balloon tip. So by displaying another balloon tip and then having it close properly, the problem is fixed.

The program, when run, just displays a balloon tip for a few seconds and then closes. The taskbar is then reset and the auto-hide functionality works. Hoorah.

The program is called Taskbar Slapper, available here:

http://www.filefactory.com/file/ag932d0/n/Taskbar_Slapper.exe



Wednesday, October 05, 2011

Running command on multiple computers

Just a quick note to show how to run a command against multiple computers.

Have a file with a list of computer names, one name per line, for example:

server1
server2
server3
serve…

net time example

FOR /F "eol=# tokens=1 delims=," %A IN (.\serverlist.txt) DO net time \\%A>>c:\output_command_netime.txt

The command above runs net time against each of the servers in the file serverlist.txt. Each server name is passed to the command through the variable %A. Lines starting with # are skipped (eol=#) and only the text before the first comma is used (tokens=1 delims=,), so you can keep comments in the file. Note that the %A form is for typing at the command prompt; inside a batch file the variable has to be written %%A.

The output of the command is redirected into a file called output_command_netime.txt. It must be said that the output is appended to the file, so if you run this multiple times, be aware that it will just add to the existing file. Delete or rename the file if you want a new one on the next run.

More examples

examine the state of a service

FOR /F "eol=# tokens=1 delims=," %A IN (.\serverList.txt) DO sc \\%A query w32time>>c:\output_command_sc_query2.txt

start a service

FOR /F "eol=# tokens=1 delims=," %A IN (.\serverList.txt) DO sc \\%A start w32time>>c:\output_command_sc_start.txt

stop a service

FOR /F "eol=# tokens=1 delims=," %A IN (.\serverList.txt) DO sc \\%A stop w32time>>c:\output_command_sc_stop.txt
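The same loop in PowerShell, as an added example rather than code from the original post. It keeps the comment-skipping and first-token behaviour of the FOR /F line, but also records which servers failed to answer (with the FOR loop an unreachable server just leaves a gap in the output file) and overwrites the report instead of appending to it. It assumes Windows PowerShell, where Get-Service -ComputerName talks to the remote Service Control Manager over RPC in the same way sc.exe \\server does; serverlist.txt and the w32time service name are the post's.

```powershell
# Added example (not from the original post): the "one command per server" loop
# in PowerShell. Assumptions: Windows PowerShell (Get-Service -ComputerName uses
# RPC to the remote Service Control Manager, like sc.exe \\server); the file
# serverlist.txt and the w32time service name come from the post.

function Get-ServerList {
    param([string]$Path = '.\serverlist.txt')
    Get-Content -Path $Path |
        ForEach-Object { ($_ -split ',')[0].Trim() } |            # tokens=1 delims=,
        Where-Object { $_ -and -not $_.StartsWith('#') }          # eol=# and blank lines
}

function Get-RemoteServiceState {
    param([string[]]$Servers, [string]$ServiceName = 'w32time')
    foreach ($server in $Servers) {
        try {
            $svc = Get-Service -ComputerName $server -Name $ServiceName -ErrorAction Stop
            New-Object PSObject -Property @{
                Server = $server; Service = $ServiceName; Status = [string]$svc.Status; Error = ''
            }
        } catch {
            # Unreachable host, access denied, unknown service: keep the row, record why.
            New-Object PSObject -Property @{
                Server = $server; Service = $ServiceName; Status = 'Unknown'; Error = $_.Exception.Message
            }
        }
    }
}

$results = Get-RemoteServiceState -Servers (Get-ServerList)
# Export-Csv overwrites the file on every run (unlike >> in the batch version).
$results | Select-Object Server, Service, Status, Error |
    Export-Csv -Path 'c:\output_command_sc_query2.csv' -NoTypeInformation
# Anything that is not Running, including servers that did not answer:
$results | Where-Object { $_.Status -ne 'Running' } | Format-Table Server, Status, Error -AutoSize
```

To start or stop the service across the list, the same structure applies with the Get-Service result piped to Start-Service or Stop-Service inside the try block; the report then tells you which servers actually changed state, which the appended output files in the post make hard to see.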



Tuesday, October 04, 2011

Cisco PIX

This posting is mainly for myself, so I have a reference when I come back to configure this firewall. I am not a Cisco person. This is not the whole story, just the highlights for me. Please do not take any of this as gospel, as these are just my notes and may be incorrect.

I had to configure a Cisco PIX the other day. It was set up for NAT, and I had to add NTP and DNS access.

So I assumed I would have to set up an access list and assign it.

However, in doing this I broke existing connectivity.

The reason is how the PIX handles an interface without an access list: traffic from a higher-security interface (inside) to a lower-security one (outside) is permitted by default, so with only the NAT configured everything from inside could get out.

When I applied my access list to allow connectivity to the new service, it actually stopped the existing access.

That is because once an access list is bound to the interface it replaces the default permit, and every access list ends with an implicit deny: anything not explicitly permitted is dropped. So to get service back I had to either unbind the access list, which restored the all-access behaviour, or add rules for the existing traffic as and when needed (my preferred option, since it leaves outbound traffic filtered rather than wide open).

setup named objects

name <ip> <name>

setup object-group (the type, here network, is required)

object-group network <object group name>

  description <description>

  network-object host <name – as configured with name>

setup access-list (early versions of PIX only allow numbered (id) access lists)

access-list <acl id> permit <protocol> any object-group <object group name> eq <port>

bind acl to interface

access-group <id> in interface inside

Global NAT (applies to all traffic from inside)

global (outside) 1 <start ext ip range>-<finish ext ip range> netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
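Putting the pieces above together for the DNS and NTP case, as an added example rather than the configuration from the original post. The names and addresses (dns1, ntp1, 192.168.1.x, inside_in) are placeholders; the point is that every flow that must keep working has to be listed before the access-group is bound, and that the final deny is made explicit so dropped traffic is logged.

```cisco
: Added example, not the PIX configuration from the original post.
: Placeholders: dns1, ntp1, 192.168.1.10/11, the ACL name inside_in.
name 192.168.1.10 dns1
name 192.168.1.11 ntp1

object-group network dns_servers
  description Permitted recursive resolvers
  network-object host dns1
object-group network ntp_servers
  description Permitted time sources
  network-object host ntp1

: The new services.
access-list inside_in permit udp any object-group dns_servers eq 53
access-list inside_in permit tcp any object-group dns_servers eq 53
access-list inside_in permit udp any object-group ntp_servers eq 123

: The traffic that worked before, which the implicit deny would otherwise
: stop as soon as the list is bound (example: web browsing).
access-list inside_in permit tcp any any eq 80
access-list inside_in permit tcp any any eq 443

: Explicit final deny with logging so blocked flows show in the syslog
: instead of failing silently (the log keyword on an ACE needs PIX 6.3+).
access-list inside_in deny ip any any log

: Bind last, after the list is complete.
access-group inside_in in interface inside
```

If something still breaks after binding, the log entries from the deny line name the source, destination and port that needs a permit, which is quicker than unbinding the list and guessing.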



Monday, October 03, 2011

IIS7–Self Signed Server Certificate

I had to create a self-signed certificate to run on an Exchange web access site.

After looking around I found the following Microsoft tool:

selfSSL7.exe (it is for IIS 7; there is a selfSSL for IIS 6).

Ref: http://blogs.iis.net/thomad/archive/2010/04/16/setting-up-ssl-made-easy.aspx

This tool allows you to create a certificate for a specified common name, something the GUI in IIS 7 does not allow you to do (it always uses the server name).

I had issues running it on the server where IIS was installed; it kept complaining about a .NET Framework problem. I was nervous about messing about with .NET on that server, so I put selfSSL7.exe on another IIS 7 server.

The command I ran was this. It was for blinkdinkowa.blinkydinky.net (an example name), with a 2048-bit key, valid for 365 days. It also exports the certificate and private key to a PFX file, which allowed me to import it on the correct server.

selfssl7 /N cn=blinkdinkowa.blinkydinky.net /K 2048 /V 365 /X /F .\blinkdinkowa.blinkydinky.net.pfx /W <password>

So on the correct server I opened IIS, clicked on the server, and opened Server Certificates. Right-clicked and imported the PFX file. The PFX contains the private key, so delete it from the server it was generated on once the import is done.

In addition I opened an MMC with the Certificates snap-in and imported the certificate into Trusted Root Certification Authorities. This just allows the server itself to trust the certificate; it does nothing for clients, which will still get a certificate warning until they trust it too (by importing it into their own Trusted Root store, or by issuing the certificate from an internal CA they already trust).

I then jumped into the website bindings in IIS 7 and set the https binding to use the new certificate.
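The import that the post does through the IIS and MMC GUIs, done in PowerShell so it can be checked and repeated, as an added example that is not part of the original post. It inspects the PFX before anything is trusted (key size, expiry, presence of the private key) and only puts the certificate in Trusted Root if it really is self-signed. The PFX path and password are placeholders; the subject name is the post's example name.

```powershell
# Added example, not code from the original post. Imports a PFX into the
# machine's Personal store (where IIS looks) and, optionally, into Trusted Root.
# Assumptions: run elevated; the PFX path and password are placeholders.

function Import-PfxToServer {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][string]$Password,
        [switch]$TrustAsRoot      # only sensible for a self-signed certificate, as in the post
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password, $flags)

    # Sanity checks before anything is trusted: strong enough key, not expired, usable by IIS.
    if ($cert.PublicKey.Key.KeySize -lt 2048) { throw "Key is only $($cert.PublicKey.Key.KeySize) bits" }
    if ($cert.NotAfter -lt (Get-Date))        { throw "Certificate expired on $($cert.NotAfter)" }
    if (-not $cert.HasPrivateKey)             { throw "PFX contains no private key; IIS cannot use it" }

    $my = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $my.Open('ReadWrite'); $my.Add($cert); $my.Close()       # Personal store of the computer

    if ($TrustAsRoot) {
        # Self-signed means issuer == subject; trusting it trusts this exact certificate only.
        if ($cert.Issuer -ne $cert.Subject) { throw "Not self-signed; import the issuing CA instead" }
        $root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
        $root.Open('ReadWrite'); $root.Add($cert); $root.Close()
    }
    $cert | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Import-PfxToServer -PfxPath '.\blinkdinkowa.blinkydinky.net.pfx' -Password '<password>' -TrustAsRoot
```

The thumbprint it returns is what to compare against the output of netsh http show sslcert after setting the binding, to confirm the https binding really is using the new certificate and not an older one with the same name.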



Tuesday, September 20, 2011

Picasa UNCs (Network Shares)

I have a central server running a RAID 5 array. I store all my important files there, including my pictures. The server is backed up in addition to the RAID 5 array.

We also have a number of laptops in the house, including my wife's. I wanted to keep all the pictures central while allowing my wife to view them all from her laptop.

Easy, I thought, I'll just add a UNC to Folder Manager in Picasa... Nope, Picasa does not support UNCs. After traipsing the net and trying to modify Picasa's watchedfolders.txt file (with limited success), something reminded me of what I did to share a USB drive from within an existing local folder (it is in another blog post): I used mklink.

mklink comes with Vista and 7. It allows you to create file and folder links within existing folders, and as a bonus the /D (symbolic link) form accepts a UNC path as the target. A junction (/J) cannot point at a UNC path, which is why it has to be a symbolic link here.

So with Picasa running on the laptop looking at the local Pictures folder, I created a directory symbolic link with mklink that pointed to the server share.

Picasa now sees that folder as nothing more than a subfolder and just scans through it.

C:\Users\<username>\Pictures>mklink /d <~NewFolderName> \\<Servername>\<servershare>

Two things to be aware of: mklink needs the "Create symbolic links" right, which by default only administrators have, so run it from an elevated command prompt; and following a local link to a remote target relies on the machine's symbolic link evaluation policy allowing local-to-remote links, which is the default (check it with fsutil behavior query SymlinkEvaluation).

I use ~ at the beginning of files and folders to ensure they appear at the top of any listing; it just reminds me that those folders/files have special significance. If you don't want a tilde on the folder name, just leave it out.

I hope that helps someone... I am currently sitting here waiting for Picasa to finish cycling through the folders.



Friday, September 02, 2011

Ubuntu: Rhythmbox: clear out library

After importing some folders I wanted to clear out some entries and reimport. I am sure there should be an option to do this in the GUI, but it appears there is not.

Library management is pretty poor in my opinion.

Anyway, to do this I had to delete the following file and restart Rhythmbox:

~/.local/share/rhythmbox/rhythmdb.xml

~ is Linux shorthand for your home folder, /home/<username>, so the full path is /home/<username>/.local/share/rhythmbox/rhythmdb.xml.

This works for Ubuntu 11.04 and Rhythmbox 0.13.3. They have been known to keep moving the file around, so if you have a different version it may be in a different location. The file name should be the same, so you should be able to search for it.

Monday, August 15, 2011

Getting round restricted Windows filenames (unc)

I recently had an issue with restricted filenames.

Normally Windows will not let you create a file with one of the reserved device names; this is a hangover from DOS.

CON, PRN, AUX, NUL, COM1 to COM9, LPT1 to LPT9

The check applies to the base name, so con.xxxxx.doc is treated as the CON device just as con is.

One of the systems used a UNC reference to access storage on a remote server share. The device-name check is done by the Win32 layer when it parses a drive-letter path, and it is not applied to UNC paths, so the system was able to create a file called con.xxxxx.doc; this file was in fact an uploaded user file.

The problem came when a backup process tried to access the file locally to compress and encrypt it. The process failed because of the file name.

So what to do? In the end I used the same trick that allowed the file to be created: I referenced the file using a UNC (\\servername\c$\…. etc.) rather than a local path (c:\…. etc.). The \\?\ prefix (for example \\?\c:\…) does the same job, telling Win32 to pass the path to the file system without the device-name check. If you accept uploaded filenames, reject or rename reserved device names on the way in; otherwise anyone can upload a file that your backup and antivirus tooling cannot open by its normal path.
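A check for the condition described above, as an added example that is not from the original post: it flags names whose part before the first dot is a reserved device name (so con.xxxxx.doc is caught, console.txt is not) and, for each such file found under a folder, builds the admin-share UNC path the post used to reach it. It assumes it runs on the server holding the files, under an account allowed to use the C$ admin share, and that the folder scanned is on a local drive letter; the sample names at the end are constructed.

```powershell
# Added example, not code from the original post. Finds files with reserved DOS
# device names and gives the \\server\c$\... path to reach them, as the post did.
# Assumptions: runs on the server holding the files; $Root is a drive-letter path;
# the caller may use the <drive>$ admin share.

# Reserved names, matched on the part before the first dot, case-insensitively.
$script:ReservedNames = @('CON','PRN','AUX','NUL') + (1..9 | ForEach-Object { "COM$_"; "LPT$_" })

function Test-ReservedDeviceName {
    param([Parameter(Mandatory=$true)][string]$Name)
    $base = $Name.Split('.')[0].Trim()
    $script:ReservedNames -contains $base      # -contains is case-insensitive
}

function Find-ReservedNameFiles {
    param([Parameter(Mandatory=$true)][string]$Root)
    # Directory enumeration returns these names without trouble; it is opening
    # them by a drive-letter path that fails, so only names are read here.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (Test-ReservedDeviceName $_.Name) } |
        ForEach-Object {
            $drive = $_.FullName.Substring(0, 1)
            New-Object PSObject -Property @{
                LocalPath = $_.FullName
                # The admin-share form bypasses the Win32 device-name check.
                UncPath   = "\\$env:COMPUTERNAME\$drive`$" + $_.FullName.Substring(2)
            }
        }
}

# Constructed sample names (not real files) to show what the check catches:
@('con.xxxxx.doc', 'report.doc', 'LPT1', 'Com9.txt', 'console.txt') |
    ForEach-Object { '{0,-15} reserved={1}' -f $_, (Test-ReservedDeviceName $_) }

# Find-ReservedNameFiles -Root 'C:\Uploads' | Format-Table LocalPath, UncPath -AutoSize
```

The UncPath column is what to hand to the backup or compression step; the same function, pointed at the upload folder, doubles as a check that the upload handler's filename validation is actually working.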



Thursday, August 11, 2011

Waiting for System Event Notification Service………..

I found this article and its response while experiencing an issue logging out of an administration RDP session to a Windows 2008 R2 server.

I had tried stopping the SENS service, which did hang, as described. But I think there is a timeout, and the session did finally sort itself out.

I include the content of this article response more for my sanity in the future…

The system event notification issue isn’t an issue with Windows Live messenger… Read below on what I have found.

The fix for this issue is very simple.

First we will examine what causes the issue to begin with. The cause is the COM+ Event Service detects a bad code and hangs. When you go to services.msc you won’t see the service hang but believe me it is. If you try to stop the server you will then see it hang and you won’t be able to get it back started. You can’t kill the process via taskmgr because it's a svchost.exe service so you’ll never know which one to kill unless you download a little program called Process Explorer from Sysinternals.

1. Open Eventviewer and select Application and filter the list so all you see are Error logs

2. Scroll through all Error logs till you come to one EventSystem (EventID=4621) (The COM+ Event System could not remove the EventSystem.EventSubscription object {C986B80D-E6CE-4FB0-9A44-F19BF27C165A}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The HRESULT was 800706be.)

3. Ok now open Process Explorer and sort by process name

4. Find the list of svchost.exe and start right clicking each and selecting Properties.

5. After hitting Properties on each service make sure you are selecting the Services tab and look for the svchost.exe process that has the EventSystem service whose display name is COM+ Event System

6. Now close the box and right click on the svchost.exe process and select Restart

7. Instantly once the service shuts down and restarts you will notice in your taskmgr that the users that were hung are now gone and they can now login and logout as they please

8. There are some services that won’t start back up after restarting this service so make sure you go back into services.msc and sort services by automatic and start up the ones that aren’t running.

This should resolve your issue until you get another SystemEvent error in Event Viewer, but then just follow these steps and you are fine. The greatest thing about this fix is it doesn’t require a reboot like all the millions of threads out there about this issue, because the issue isn’t resolved by a reboot.

I am definitely interested in hearing if this has worked for you so please let me know.

Thanks
Jeff

There is also a large thread on the Microsoft forums about this, and it may be worth going through this if you don’t have any joy here.

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/65634267-8550-4b96-b6d1-6e020859aee7/



Wednesday, August 03, 2011

Transfer contacts from symbian s60 5th edition to android, and removing duplicates (google contacts)

I recently had to find a way to easily transfer the contacts on my old phone, a Samsung i8910 (Omnia HD), to a Galaxy S II.

I tried to do this for a while (my PC Studio kept crashing, maybe to do with me using a custom firmware from faenil, n205), which meant I couldn't easily get to my contacts from my PC.

Initially I tried a number of different Samsung PC Studio applications, all to no avail.

Then in desperation I went to the phone and looked at the contacts. It turns out that you can mark all the contacts and then send them via Bluetooth as vCards. So that's what I did, and in one hit the contacts were on my new phone.

I had set up my new phone to sync with my Google Mail account, which meant that I had a number of duplicates once I copied over from the i8910. So how to merge these?

Turns out this is easy. Sync with Google, to ensure the duplicates make it to your Google account. Then go to contacts.google.com, click on My Contacts, then in the right frame click 'Find Duplicates'. You will get a list; you can then select them and merge them.

Fan bloody tastic.



Samsung MTP device–Kies Driver Install Failure–Galaxy SII

I have just bought a Samsung Galaxy S II.

However, I have tried to install the Kies software in two locations and in both the utility has failed to install properly.

The software installs OK, but when I tried to connect the phone via USB, the driver installation would fail on "SAMSUNG MTP device".

A quick search on Google turned up the article below, dated 8th September 2010 and written for the original Galaxy S. Surely, I thought, it couldn't be the same issue. However, I followed the instructions in the blog post and it has worked in both locations.

It is to do with the length of file extensions on the phone being over 18 characters. Removing those files from the phone allows the driver install to complete successfully.

Anyway, here is the article. It references a small utility that lets you search the phone for the offending extensions.

http://arvindgaba.com/computer/samsung-galaxy-s/mtp-usb-device-failed-to-install-for-samsung-galaxy-s-kies-resolved/



Sunday, July 31, 2011

Setup server to accept SMB v1 connections on DNS address (disableStrictNameChecking)

I have been tidying up a client's infrastructure, and in doing so I have been creating DNS entries for certain services. For example, I want to move the backup location away from the server name to a more generic "backup" DNS name, so that the backup target can move to another server later without every client's UNC path changing.

Note: the environment is isolated and all servers are standalone; there is no Active Directory. If you are in a Windows domain environment you may also have to look at setting SPNs for the alias, because Kerberos authentication to \\alias\share needs a cifs/alias SPN registered on the server's account. I include some links at the bottom that may help you here.

I thought I could just create a new DNS entry pointing to the server IP, then use that name in the UNC. This worked fine from Windows 2008 and Windows 7 machines, and it turns out that is because they are happily using SMB 2.

What I found was that the Windows 2000 and Windows 2003 servers then failed to connect to the Windows 2008 server. \\<ipAddress> and \\<servername> worked fine, but the newly created DNS entry would not. It resolved fine on the 2003 server, but trying to connect in Explorer using the UNC with the new DNS name just failed.

In the end I found that this is because those clients use SMB 1, and the SMB 1 server performs strict name checking: it rejects connections addressed to any name other than its own computer name. To allow this connectivity you have to change a registry setting on the server you are trying to connect to.

So on my Windows 2008 server I had to set the following:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

Value name: DisableStrictNameChecking
Data type: REG_DWORD
Radix: Decimal
Value: 1

Once the server had been restarted, I was able to connect to it using the DNS alias.

Below I try to visualise the problem.

Note: DisableStrictNameChecking will need to be set on every server you want to connect to by an alias over SMB 1. So in essence, unless everything is Win2k8 and Win7, you will have to do this. It is a blunt setting (the server will then answer to any name that resolves to it); a narrower alternative on newer servers is the OptionalNames multi-string value in the same key, which lists just the aliases the server should accept.

[image not reproduced]
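The registry change above as a script, so it can be applied consistently to every server and read back afterwards, together with the narrower OptionalNames alternative and a quick check that the alias actually resolves to the server being changed. This is an added example, not part of the original post; it assumes it is run elevated on the file server, that OptionalNames is honoured by the Server service on Windows Server 2008 and later, and uses "backup" as a placeholder alias.

```powershell
# Added example, not code from the original post. Assumptions: run elevated on
# the file server; OptionalNames (REG_MULTI_SZ in the same key) is honoured by
# the Server service on Windows Server 2008+; 'backup' is a placeholder alias.

$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Set-SmbNameChecking {
    param(
        [switch]$DisableStrictNameChecking,   # what the post did: accept any name that resolves here
        [string[]]$OptionalNames              # narrower: accept only these aliases
    )
    if ($DisableStrictNameChecking) {
        Set-ItemProperty -Path $Params -Name DisableStrictNameChecking -Value 1 -Type DWord
    }
    if ($OptionalNames) {
        Set-ItemProperty -Path $Params -Name OptionalNames -Value $OptionalNames -Type MultiString
    }
    # Read back what the Server service will pick up after the restart.
    Get-ItemProperty -Path $Params | Select-Object DisableStrictNameChecking, OptionalNames
}

function Test-AliasResolution {
    # The alias has to resolve to this host before the server-side change matters.
    param([Parameter(Mandatory=$true)][string]$Alias)
    $local = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) | ForEach-Object { $_.IPAddressToString }
    [System.Net.Dns]::GetHostAddresses($Alias) | ForEach-Object {
        New-Object PSObject -Property @{
            Alias      = $Alias
            Address    = $_.IPAddressToString
            IsThisHost = ($local -contains $_.IPAddressToString)
        }
    }
}

# Test-AliasResolution -Alias 'backup'
# Set-SmbNameChecking -OptionalNames 'backup'          # allow just the alias
# Set-SmbNameChecking -DisableStrictNameChecking       # what the post did
# Then restart the server, as the post did, for the change to take effect.
```

If Test-AliasResolution reports IsThisHost as false, the DNS record points somewhere else and no amount of registry work on this server will make \\backup connect.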

References

http://support.microsoft.com/kb/281308

http://support.microsoft.com/kb/870911

http://homeworksblog.wordpress.com/2010/08/06/connecting-smb-share-with-cname/

http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc961723.aspx



Wednesday, July 27, 2011

IIS 7–resetting site to root inheritance

I wanted to reset some sites, on a multi-site IIS server, to pick up their logging settings from the server-level defaults.

After some digging around I found that you have to edit applicationHost.config to achieve this.

The file can be found here (this is the real System32: a 32-bit editor or script running on 64-bit Windows is redirected to SysWOW64 and will not see it):

%windir%\System32\inetsrv\config

Site information is held within this XML file. Find the <site> element with the corresponding site name; in this example "Default Web Site".

<site name="Default Web Site" id="1" serverAutoStart="true">
    <application path="/">
        <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\defaultwebsite" />
    </application>
    <bindings>
        <binding protocol="http" bindingInformation="*:80:testy.test.commy" />
    </bindings>
    <logFile logFormat="W3C" directory="E:\weblogs" />
</site>


Now just delete the <logFile ... /> element completely and save. Take a copy of applicationHost.config first; IIS 7 also keeps its own versioned copies under %windir%\System32\inetsrv\history, which is a handy fallback if the edit goes wrong. With no site-level <logFile>, the site inherits the <logFile> settings from <siteDefaults> in the same file, which is what the IIS GUI shows as the server-level logging settings.

You should now find in the IIS GUI that the site's logging settings are picked up from the server-level settings. Hoorah!
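The same edit from a script, as an added example that is not part of the original post: it backs the file up first and finds the site element by name instead of by eye, so it can be repeated across the other sites on the server. It assumes 64-bit PowerShell run elevated (a 32-bit process is redirected away from System32\inetsrv); "Default Web Site" is the post's example.

```powershell
# Added example, not code from the original post. Removes a site's own <logFile>
# element from applicationHost.config so the site inherits <siteDefaults>.
# Assumptions: 64-bit PowerShell, elevated; the site name is as shown in IIS.

function Reset-SiteLogFileToInherit {
    param([Parameter(Mandatory=$true)][string]$SiteName)
    $config = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
    $backup = "$config.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
    Copy-Item -LiteralPath $config -Destination $backup

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true           # keep the rest of the file byte-for-byte
    $xml.Load($config)

    $site = $xml.SelectSingleNode("/configuration/system.applicationHost/sites/site[@name='$SiteName']")
    if (-not $site) { throw "No <site name='$SiteName'> in $config" }

    $logFile = $site.SelectSingleNode('logFile')
    if ($logFile) {
        [void]$site.RemoveChild($logFile)      # site now inherits <sites><siteDefaults><logFile>
        $xml.Save($config)
        "Removed <logFile> from '$SiteName'; backup at $backup"
    } else {
        "'$SiteName' has no <logFile> override; nothing changed (backup at $backup)"
    }
}

# Reset-SiteLogFileToInherit -SiteName 'Default Web Site'
```

IIS picks up applicationHost.config changes on save, so the GUI should show the inherited settings straight away; the dated .bak file is there in case it shows something unexpected.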



Monday, July 25, 2011

Linking Folders (mklink)–(Or adding adding a remote folder within another folder ;o) )

Sounds easy, right? Just copy or move it! But that's not what I wanted.

I had a server with some USB-attached storage that I wanted to be available within an existing shared folder... OK, let me try to make it clearer.

I had a share on a server called "pictures", which was a share of the local folder d:\pictures. I could access this share with the UNC address

\\servername\pictures

This would show me the contents of d:\pictures.

Now I had a lot of archive pictures on a USB drive, and ideally I would have liked them all to be accessible via the share (I did not really want to have to create another share).

So how do I do this in Windows? Well, from Vista / Windows Server 2008 there is a command called mklink. This command allows you to add a reference to another folder within a folder.

So we have d:\pictures, and in there we have a range of folders and files. Now our USB drive is attached and using the drive letter z:\. I want the contents of z:\ to be visible within d:\pictures, so I use the following command from a command prompt within the d:\pictures folder.

mklink /J externalStorage1 Z:\

Now if I dir in the d:\pictures folder I see a new folder called externalStorage1, and if I change directory into it I can see the contents of the z:\ drive. In addition, if I browse the share remotely,

\\servername\pictures

you will find that you can see and access externalStorage1.

Excellent.

Note: you must use /J to create what is called a directory junction. mklink's /D, /H and /J options are mutually exclusive: /D makes a symbolic link, /H a hard link (files only) and /J a junction. If you use /D instead, the link will not work when viewed across the network share. The reason is that a junction is resolved entirely on the server, so SMB clients simply see a folder, whereas a symbolic link is handed back to the client to follow, and by default Windows does not let a client follow a symbolic link found on a remote share (the remote-to-local and remote-to-remote settings shown by fsutil behavior query SymlinkEvaluation are off). Also bear in mind that the share now exposes everything on Z:\ too, subject only to the NTFS permissions on that drive, so check those before creating the junction.



WD LiveWire Powerline Device – Connect multiple devices (more than original 2)

I have not actually tried this, but I have just bought two of these devices and eventually want to connect more.

I got the two units working straight out of the box and they are great; I cannot knock them.

However, so I am led to believe, to add more devices you will need to configure them. This is done with a utility on the CD supplied with the units.

You configure the device plugged into the computer (the one you install the software on) as the "Local Device". The others then become remote devices.

  1. Click "ADD" to add new devices.
  2. Locate the password for the additional units, which is marked P/W on the bottom of each device.
  3. Enter the password and give the device a name.
  4. Hit the "OK" button.
  5. All the devices should reboot, and within 60 seconds the utility should scan and locate all the devices on your system.
  6. Note: if the utility does not locate all the devices within 60 seconds, the devices did not reboot. Unplug ALL the devices, re-plug them into the wall, then close and reopen the utility. It should now work.

References:

http://westerndigitalreviews.com/western-digital-wd-livewire-powerline-av-network-kit-2/



Wednesday, July 20, 2011

Installing multiple certificates on multiple remote servers

Note: while doing this I had a strange issue where certutil (running via psexec) started complaining about arguments ("Expected no more than 1 args, received x"). The command had been running fine; it just stopped working and returned this error. In the end I wiped the certutil command file (CertUtilCommands.bat) and built it from scratch, running certutil -f initially, which produced a dump of output, then built up to the full command. Doing this got the whole process working again. It is a strange one and I cannot explain it, but this got it working.

Disclaimer: while I believe all of the below will work, I cannot guarantee it. Please ensure you test before trying anything (which is of course what everyone does).

In my first article about installing certificates to multiple servers I used psexec to install one certificate in PFX format.

The time arose that I had to renew this certificate, but the supplier had also changed one of their upstream server certificates, so I had to install that too. So I have reworked my first article and built a mechanism that allows all the certutil commands to be contained in one file.

I wanted to attach a file to this blog post with all the necessary files, but that was not possible, as Blogger will not allow me to attach files.

So below I show the folder structure, describe each folder's purpose and then give the contents of all the batch files.

Folders

  • PsTools is available from Microsoft here
  • CertutilFiles: this folder contains the certutil files that need to be copied to the remote machine. These files should be from a Win2k3 server.
  • CertFiles: this is where to put the certificate files (*.crt, *.pfx etc.) that you want to install.
  • reports: an empty folder that will contain the stdout of the commands run. May help if issues are encountered.

A word on what ends up where: CertFiles holds the PFX with its private key, and CertUtilCommands.bat holds the PFX password in clear text. Both sit in the folder that startcerts.bat shares out for the duration of the run, and both are copied to %windir%\Temp\CertInstall on every target, so keep the share restricted to the account doing the copy, confirm the clean-up step ran on each server, and treat the password as burned once the run is finished.

Files

serverlist.txt: a basic list of the servers you want to run the commands on. This will obviously need changing to your server list.

server1
server2

cc.bat: this is the primary file (run cc from the command prompt). It will prompt you for information. Be aware that the password you type is echoed to the screen and passed to psexec on its command line, where it is visible in the local process list; with psexec versions before 2.1 it is also sent to the remote machine unencrypted.



@ECHO OFF
:InputServerList
SET /p vserverList=Please enter filename of server list (default="serverlist.txt") :-

IF "%vserverList%"=="" (
SET vserverList=serverlist.txt
)

SET voptions=

SET /p vuser=Please enter username (default="<system account - will not have network access on remote machine>") :-

IF NOT "%vuser%" == "" (
SET voptions=-u %vuser%
) ELSE (
GOTO nouser
)

REM Typed in clear and passed to psexec on its command line; see the note above.
SET /p vpassword=Please enter password :-

SET voptions=%voptions% -p %vpassword%
GOTO userset

:noUser
SET voptions=-s

:userset

IF NOT EXIST reports MD reports

REM One window per server; each server's stdout goes to its own report file.
REM startcerts.bat gets the server as %1 and relies on voptions/vuser being inherited from this environment.
FOR /F "eol=# tokens=1 delims=," %%A IN (.\%vserverList%) DO START CMD /C "startcerts.bat %%A %voptions% %vuser%>reports\output_command_%%A.txt"



startcerts.bat: this sets up a Windows share on the local machine to allow the remote server to copy the files. The local computer's IP is passed to the remote server (only if nslookup locally resolves the computer name to an IP); if that fails, the computer name is passed instead, in which case it must be resolvable from the remote server.

The share is removed at the end of the process.

Note: I have found that psexec has issues with some antivirus software (returning an "all pipes busy" error). If you encounter this, stop the antivirus software for the duration of the script. I include net stop and net start commands in the batch file; you will need to add the service name.

Note: the script had issues trying to connect back to itself, so I have now catered for that scenario by removing the credentials from the psexec command when the machine is connecting to itself.




SET Sharename=installcerts2%1
SET localserverip=

REM Pull the address line for this host out of nslookup's output. Delimiting on
REM both ':' and ' ' strips the leading space from the address; this still assumes
REM an IPv4 answer (an IPv6 address would be cut at its first colon).
FOR /F "skip=4 tokens=2 delims=: " %%A IN ('2^>NUL nslookup %COMPUTERNAME%') DO (
SET localserverip=%%A
)

IF "%localserverip%" == "" (
SET localserverip=%COMPUTERNAME%
)

REM if local machine name = remote machine, reset options to run on local machine
IF /I "%1" == "%COMPUTERNAME%" (
SET voptions=
)

REM Share read-only, and only to the account the remote copy runs as when one was given
REM (%3 is the username from cc.bat). The folder holds the PFX and CertUtilCommands.bat
REM with the PFX password, so the Everyone fallback exposes both to the network while the share exists.
IF "%3" == "" (
net share %Sharename%=%CD% /GRANT:everyone,READ
) ELSE (
net share %Sharename%=%CD% /GRANT:%3,READ
)

REM stop antivirus service; on win2k8 servers it can prevent psexec from running (all pipes busy error).
net stop "<antivirus service>"

CALL .\PsTools\psexec \\%1 %voptions% -f -c certRemoteSetup.bat %localserverip% %Sharename%

CALL .\PsTools\psexec \\%1 -s -f -c CertUtilCommands.bat

CALL .\PsTools\psexec \\%1 %voptions% -f -c certRemoteClearUp.bat

REM start the antivirus service again now psexec has finished.
net start "<antivirus service>"

IF NOT "%3" == "" openfiles /disconnect /A %3

net share %Sharename% \\%COMPUTERNAME% /Y /DELETE


certRemoteSetup.bat – This copies the files in the CertutilFiles and CertFiles folders on the share to %windir%\Temp\CertInstall on the remote machine. The only issue I have found here is that if the local machine's computer name cannot be resolved from the remote server the copy fails, as the remote machine cannot find the files to run.



REM certRemoteSetup.bat <local server IP or name> <share name> - runs on the remote machine under the
REM account given to psexec, which must be able to read the share. The trailing \ makes xcopy create the folder.
xcopy /Y \\%1\%2\CertutilFiles\*.* %windir%\Temp\CertInstall\
xcopy /Y \\%1\%2\CertFiles\*.* %windir%\Temp\CertInstall\


CertUtilCommands.bat – This is the file that will need to be edited for your specific requirements. It runs as SYSTEM on the remote machine (psexec -s), so the certificates go into the LocalMachine stores. It also holds the PFX password in clear text, so treat it as a secret: it sits on the share, psexec -c copies it to each target for the run, and the copy under %windir%\Temp\CertInstall stays there until certRemoteClearUp.bat runs.



REM CertUtilCommands.bat - runs on the remote machine as SYSTEM, one certutil call per certificate.
REM Store names are the programmatic ones (AuthRoot = Third-Party Root Certification Authorities,
REM CA = Intermediate Certification Authorities); -f overwrites an existing entry.
REM -importpfx puts the certificate and its private key in the LocalMachine Personal (My) store.
C:
CD %windir%\Temp\CertInstall\

Certutil -f -addstore AuthRoot .\<certificate1filename>.crt

Certutil -f -addstore CA .\<certificate2filename>.crt

certutil -f -p <password> -importpfx .\<certificate3filename>.pfx


certRemoteClearUp.bat – Deletes the copied files (including the batch file with the PFX password) and removes the directory on the remote machine.



REM certRemoteClearUp.bat - runs on the remote machine after the certutil step
DEL /Q /S %windir%\Temp\CertInstall\*.*
RD /Q /S %windir%\Temp\CertInstall
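The whole procedure above (server list, credentials, copy, certutil as SYSTEM, clean-up) done over PowerShell remoting instead of PsExec plus an Everyone-readable share, as an added example that is not one of the post's batch files. It assumes WinRM is enabled on the targets, that the credential entered is a local administrator there, and that the file names root.crt, intermediate.crt and server.pfx stand in for your own files. The certificate bytes travel inside the remote call and the PFX password crosses as a PSCredential, so nothing has to be shared or left on the target.

```powershell
# Added example, not one of the post's batch files. Installs the same three kinds of certificate on every
# server in serverlist.txt over PowerShell remoting instead of PsExec plus an Everyone-readable share.
# Assumptions: WinRM is enabled on the targets, the credential entered is a local administrator there,
# and the file names below are placeholders for your own .crt/.pfx files.
param(
    [string]$ServerList = '.\serverlist.txt',
    [string]$CertDir    = '.\CertFiles'
)

# What to install and where. Store names are the programmatic ones that certutil and Cert: use.
$items = @(
    @{ File = 'root.crt';         Store = 'AuthRoot' }   # Third-Party Root Certification Authorities
    @{ File = 'intermediate.crt'; Store = 'CA' }         # Intermediate Certification Authorities
    @{ File = 'server.pfx';       Store = 'My' }         # Personal, where certutil -importpfx puts it
)

$cred    = Get-Credential -Message 'Local administrator on the target servers'
$pfxPass = Read-Host -AsSecureString -Prompt 'Password for server.pfx'
# Wrapped in a PSCredential the password crosses the remoting session encrypted with the session key,
# instead of sitting in a batch file on a share and in a clear-text "-p" argument.
$pfxCred = New-Object System.Management.Automation.PSCredential -ArgumentList 'pfx', $pfxPass

# Read each file once here; the bytes travel inside the remote call, so the target never has to
# reach back to a share and nothing is left in %windir%\Temp to clean up.
foreach ($i in $items) {
    $path    = (Resolve-Path (Join-Path $CertDir $i.File)).ProviderPath
    $i.Bytes = [System.IO.File]::ReadAllBytes($path)
}

$installCert = {
    param([string]$Name, [byte[]]$Bytes, [string]$Store,
          [System.Management.Automation.PSCredential]$PfxCred)
    $ns = 'System.Security.Cryptography.X509Certificates'
    if ($Name -like '*.pfx') {
        # MachineKeySet + PersistKeySet: the private key goes to the machine key store and outlives
        # this session, which is what "certutil -importpfx" running as SYSTEM gives you.
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'MachineKeySet,PersistKeySet'
        $cert  = New-Object "$ns.X509Certificate2" -ArgumentList $Bytes, $PfxCred.Password, $flags
    } else {
        $cert  = New-Object "$ns.X509Certificate2" -ArgumentList @(,$Bytes)
    }
    $s = New-Object "$ns.X509Store" -ArgumentList $Store, 'LocalMachine'
    $s.Open('ReadWrite')
    try     { $s.Add($cert) }    # equivalent of certutil -f -addstore; a cert already present is not duplicated
    finally { $s.Close() }
    New-Object PSObject -Property @{
        Server = $env:COMPUTERNAME; Store = $Store; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
    }
}

# Same server-list rules as cc.bat: blank lines and lines starting with # are skipped.
$servers = Get-Content $ServerList | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' }
$report  = foreach ($server in $servers) {
    foreach ($i in $items) {
        Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock $installCert `
                       -ArgumentList $i.File, $i.Bytes, $i.Store, $pfxCred
    }
}
$report | Format-Table Server, Store, Subject, Thumbprint -AutoSize
```

The report lists one thumbprint per server and store, which is the check the batch version lacks: a missing row tells you which target or which store to look at. Nothing here needs the antivirus service stopped, because no PsExec service is pushed to the target.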


IIS full url redirection

I recently had to redirect a renamed site in IIS.

IIS provides an easy-to-use HTTP Redirect feature for this. However, with a plain destination URL I found it lost the query string part of the URL.

To keep it, set a permanent redirect to an exact URL and append $S$Q to the end of the destination URL, i.e.

http://siteurl$S$Q

$S inserts the remainder of the requested path and $Q inserts the query string (including the ?), so the request is redirected to the exact siteurl with its path and complete query string appended.
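The same redirect applied and checked from PowerShell with the WebAdministration module (IIS 7+), as an added example that is not from the post; the site name OldSite and the two host names are placeholders. The first (commented-out) destination is the form that drops the query string; the corrected one carries $S$Q, single-quoted so PowerShell does not try to expand $S and $Q as variables.

```powershell
# Added example, not from the post: the redirect above set and verified with the WebAdministration
# module (IIS 7+). The site name and host names are placeholders.
Import-Module WebAdministration
$site   = 'IIS:\Sites\OldSite'
$filter = '/system.webServer/httpRedirect'

# The form that loses the query string: an exact destination with nothing appended, so every
# request, whatever its path or ?query, is sent to the bare destination.
#   Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name destination -Value 'http://newsite.example.com'

# Corrected form: $S appends the rest of the requested path, $Q the query string with its '?'.
# Single quotes matter: in double quotes PowerShell would expand $S and $Q to empty strings.
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name exactDestination   -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name httpResponseStatus -Value 'Permanent'
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name destination        -Value 'http://newsite.example.com$S$Q'

# Check the Location header IIS actually sends, without following the redirect.
$req = [System.Net.WebRequest]::Create('http://oldsite.example.com/page.aspx?id=5')
$req.AllowAutoRedirect = $false
$resp = $req.GetResponse()
'{0} -> {1}' -f [int]$resp.StatusCode, $resp.Headers['Location']
$resp.Close()
```

With the corrected settings the check prints a 301 whose Location still ends in /page.aspx?id=5; with the first form the path and query string are gone from it.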

Cheers



Monday, July 18, 2011

Installing multiple certificates to specific stores on remote machines

I won’t go into how I loop through and pass the commands to remote servers as I do that in this article. All I do here is add more certutil info, and also some notes about navigating the certificate store from within PowerShell.

So in my case I needed to import a certificate into the Intermediate Certification Authorities Store. Now I knew I could use this command

Certutil –f –addstore <store Name> <intermediate CA name>.crt

However I needed to know the programmatic name for the store (not the friendly one listed in Windows). In the end I worked it out by using PowerShell and the cert: drive, browsing around until I came across some certificates that I knew were in the store.

As it turns out the CA store is the “Intermediate Certification Authorities” store. So the command will be

Certutil –f –addstore CA <intermediate CA name>.crt

Powershell: Cert Drive

Within PowerShell you can actually change to a drive called cert:, which is a representation of the certificate stores (example below).

PS C:\> cd cert:
PS cert:\> dir

Location   : CurrentUser
StoreNames : {SmartCardRoot, UserDS, AuthRoot, CA...}

Location   : LocalMachine
StoreNames : {SmartCardRoot, AuthRoot, CA, Trust...}

PS cert:\> cd localmachine
PS cert:\localmachine> dir

Name : SmartCardRoot
Name : AuthRoot
Name : CA
Name : Trust
Name : Disallowed
Name : My
Name : Root
Name : TrustedPeople
Name : TrustedDevices
Name : Remote Desktop
Name : TrustedPublisher
Name : REQUEST
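Rather than browsing the cert: drive by hand, the search the post describes can be scripted: look in every LocalMachine store for a subject and report the programmatic store name (the one certutil -addstore and the cert: drive use) next to the name the Certificates MMC snap-in shows. This is an added example, not from the post; the subject pattern in the usage line is a placeholder, and the MMC display names in the table are the snap-in's standard ones rather than something the post lists.

```powershell
# Added example, not from the post. Finds which LocalMachine store(s) hold a certificate and maps the
# programmatic store name to the name shown in the Certificates MMC snap-in. The subject pattern in the
# usage line is a placeholder.
$storeDisplayNames = @{
    'My'               = 'Personal'
    'Root'             = 'Trusted Root Certification Authorities'
    'CA'               = 'Intermediate Certification Authorities'
    'AuthRoot'         = 'Third-Party Root Certification Authorities'
    'Trust'            = 'Enterprise Trust'
    'Disallowed'       = 'Untrusted Certificates'
    'TrustedPeople'    = 'Trusted People'
    'TrustedPublisher' = 'Trusted Publishers'
    'SmartCardRoot'    = 'Smart Card Trusted Roots'
    'Remote Desktop'   = 'Remote Desktop'
}

function Find-CertStore {
    param(
        [Parameter(Mandatory = $true)] [string]$SubjectPattern,    # wildcard match on Subject, e.g. '*Issuing CA*'
        [ValidateSet('LocalMachine', 'CurrentUser')] [string]$Location = 'LocalMachine'
    )
    # Get-ChildItem on Cert:\<location> returns the X509Store objects; Name is the programmatic store name.
    foreach ($store in Get-ChildItem "Cert:\$Location") {
        $certs = Get-ChildItem "Cert:\$Location\$($store.Name)" -ErrorAction SilentlyContinue |
                 Where-Object { $_.Subject -like $SubjectPattern }
        foreach ($c in $certs) {
            New-Object PSObject -Property @{
                Store       = $store.Name
                DisplayName = $storeDisplayNames[$store.Name]
                Subject     = $c.Subject
                Thumbprint  = $c.Thumbprint
                NotAfter    = $c.NotAfter
            }
        }
    }
}

# Which store is the intermediate CA in, i.e. what does certutil -addstore need to be told?
Find-CertStore -SubjectPattern '*Intermediate CA*' |
    Format-Table Store, DisplayName, Subject, Thumbprint, NotAfter -AutoSize
```

The Store column is the value to pass to certutil: a hit in CA confirms that Certutil -f -addstore CA <file>.crt is the right call. Running Find-CertStore again after the install, with the new certificate's subject, verifies it landed where intended.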


Monday, July 11, 2011

Multiple Standalone Windows Servers: DNS Suffix List

note: I am not sure what causes Windows to reload this list, but I currently believe that running ipconfig /flushdns and gpupdate /force reloads the values. In addition, if those don't work I have found that disabling and re-enabling one of your network adapters forces the change to be picked up. I had teamed NICs, so I was able to disable/enable a secondary adapter without losing connectivity.

Recently I wanted to add a DNS suffix to a range of Windows servers. This would have been easy had the servers been in a domain, but they were all standalone, so Group Policy was not an option.

After searching the internet for a while I was still no clearer in what was the best option for configuring standalone servers. I did not want to mess with primary dns suffixes or have to setup specific connection specific dns suffixes.

I wanted a solution that would apply to all connections on the servers, and a solution I was able to apply remotely to all servers.

After messing with local policies, manual settings and registry settings, the best solution I found was a registry entry. Because it lives under the Policies key it is applied as a policy setting and takes precedence over the suffix list configured in the adapter's TCP/IP settings.

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
  • String Value (REG_SZ): SearchList=dnssuffix1,dnssuffix2,dnss……

So I created a registry file with the necessary entries (see below)

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"SearchList"="dnssuffix1,dnssuffix2,dnssuffix3"


So a quick script using psexec applied this to all the servers.
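The same change pushed to every server in serverlist.txt over PowerShell remoting, then flushed and re-applied as the note above suggests, and read back from ipconfig so you can see whether each server has picked it up. This is an added example, not the post's psexec script; the two suffixes are placeholders and it assumes WinRM is enabled on the targets.

```powershell
# Added example, not from the post: apply the SearchList policy value to every server in serverlist.txt
# over PowerShell remoting (the post used psexec and the .reg file above), then flush the resolver cache,
# re-run gpupdate as the note suggests, and report what ipconfig shows. The suffixes and WinRM being
# enabled on the targets are assumptions.
param(
    [string]$ServerList = '.\serverlist.txt',
    [string[]]$Suffixes = @('corp.example.com', 'lab.example.com')
)
$cred = Get-Credential -Message 'Local administrator on the target servers'

$applySearchList = {
    param([string[]]$Suffixes)
    # Same key and value as the .reg file: one comma-separated REG_SZ under the Policies key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name SearchList -Value ($Suffixes -join ',') -Type String

    ipconfig /flushdns | Out-Null
    gpupdate /force    | Out-Null

    # "DNS Suffix Search List" in ipconfig /all is one line per suffix; only the first carries the label.
    $hit = ipconfig /all | Select-String -Pattern 'DNS Suffix Search List' -Context 0, ($Suffixes.Count - 1)
    $effective = @()
    if ($hit) {
        $effective += ($hit.Line -split ':\s*', 2)[1].Trim()
        foreach ($line in $hit.Context.PostContext) {
            if ($line.Trim()) { $effective += $line.Trim() } else { break }
        }
    }
    New-Object PSObject -Property @{
        Server    = $env:COMPUTERNAME
        Registry  = (Get-ItemProperty -Path $key -Name SearchList).SearchList
        Effective = $effective -join ','
        # Applied = $false with the registry value correct means the resolver has not reloaded it yet;
        # that is the case for the disable/enable-a-NIC step in the note above.
        Applied   = (($effective -join ',') -eq ($Suffixes -join ','))
    }
}

$servers = Get-Content $ServerList | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' }
Invoke-Command -ComputerName $servers -Credential $cred -ScriptBlock $applySearchList -ArgumentList (,$Suffixes) |
    Format-Table Server, Registry, Effective, Applied -AutoSize
```

The -ArgumentList (,$Suffixes) wrapping keeps the suffix array as a single argument on the remote side; without the leading comma PowerShell would spread it over several parameters.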



Job Done…



Thursday, July 07, 2011

SQL Server- Creating Multiple logins at one time for multiple databases

I recently had to create a whole number of logins for a range of databases, so I developed this script. It loops through all the user databases on a server and, for each one, creates a SQL login named after the database, generates a password for it, creates the matching database user, and assigns the appropriate database roles.

It can be run multiple times and will only create logins/users that don’t exist. It does, however, re-apply the database roles to every user on each run (i.e. including users it created in previous runs).

In addition the script creates a custom database role, to allow execute permissions for running stored procedures and functions.

The script outputs the usernames and passwords it created. Note that each password is only the first eight hex characters of a NEWID() (about 32 bits of entropy) and the login is created with CHECK_POLICY=OFF, so the Windows password policy is not enforced; treat these as initial passwords to be changed, and do not leave the result set that lists them in saved query output.

 

-- For every user database: create a SQL login and database user named after the database,
-- a db_executor role with EXECUTE rights, and db_datareader/db_datawriter/db_executor membership.
-- Safe to re-run: existing logins, users and roles are left alone; role membership is re-applied.
DECLARE @dbRole       sysname
DECLARE @vpassword    varchar(8)
DECLARE @SQL          nvarchar(max)
DECLARE @DatabaseName sysname
DECLARE @qDB          nvarchar(258)   -- QUOTENAME(@DatabaseName): bracketed, so a name with spaces or ] can neither break nor inject into the dynamic SQL
DECLARE @output       nvarchar(max)
SET @output = ''
SET @dbRole = 'db_executor'

DECLARE my_cursor CURSOR FOR
SELECT name
FROM sys.databases
WHERE database_id > 4            -- only user databases (skip master, tempdb, model, msdb)
  AND name NOT LIKE '%$%'        -- skip names containing '$' (the original LIKE '$' only matched a database called "$")
  AND state_desc = 'ONLINE'      -- USE would fail on an offline or restoring database
OPEN my_cursor
FETCH NEXT FROM my_cursor INTO @DatabaseName
WHILE @@FETCH_STATUS = 0
BEGIN
	SET @qDB = QUOTENAME(@DatabaseName)
	-- First 8 hex characters of a GUID: only ~32 bits of entropy, and CHECK_POLICY=OFF below
	-- switches the Windows password policy off. Treat as an initial password to be changed.
	SET @vpassword = LEFT(CONVERT(varchar(36), NEWID()), 8)

	-- Check if the login exists at server level, if not create it
	IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @DatabaseName)
	BEGIN
		SET @SQL = 'USE master; CREATE LOGIN ' + @qDB
		         + ' WITH PASSWORD = ' + QUOTENAME(@vpassword, '''')
		         + ', DEFAULT_DATABASE = ' + @qDB
		         + ', DEFAULT_LANGUAGE = [English], CHECK_EXPIRATION = OFF, CHECK_POLICY = OFF;'
		EXEC (@SQL)
		SET @output = @output + CHAR(13) + CHAR(10) + 'LOGIN:' + CHAR(9) + CHAR(9) + @DatabaseName
		SET @output = @output + CHAR(13) + CHAR(10) + 'PASSWORD:' + CHAR(9) + @vpassword
	END

	-- Check if the user exists in the database, if not create it for the login
	SET @SQL = 'USE ' + @qDB + ';
	IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = ' + QUOTENAME(@DatabaseName, '''') + ')
		CREATE USER ' + @qDB + ' FOR LOGIN ' + @qDB + ';'
	EXEC (@SQL)

	-- Check if the db_executor role exists, if not create it, then grant EXECUTE (procedures and functions) to it
	SET @SQL = 'USE ' + @qDB + ';
	IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = ' + QUOTENAME(@dbRole, '''') + ' AND type = ''R'')
		CREATE ROLE ' + QUOTENAME(@dbRole) + ';
	GRANT EXECUTE TO ' + QUOTENAME(@dbRole) + ';'
	EXEC (@SQL)

	-- Role membership is (re)applied on every run, as described above
	SET @SQL = 'USE ' + @qDB + ';
	EXEC sp_addrolemember @rolename = ''db_datareader'', @membername = ' + QUOTENAME(@DatabaseName, '''') + ';
	EXEC sp_addrolemember @rolename = ''db_datawriter'', @membername = ' + QUOTENAME(@DatabaseName, '''') + ';
	EXEC sp_addrolemember @rolename = ' + QUOTENAME(@dbRole, '''') + ', @membername = ' + QUOTENAME(@DatabaseName, '''') + ';'
	EXEC (@SQL)

	FETCH NEXT FROM my_cursor INTO @DatabaseName
END
CLOSE my_cursor
DEALLOCATE my_cursor
/* This result set contains the usernames and clear-text passwords created; do not leave it in saved output */
SELECT @output AS created_logins
