Targu-Jiu Online: the virtual community of the city of Targu-Jiu and of Gorj county
Forum: IT and IT support

Tips & Tricks in XP

nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 4:33 pm

Hack 74 Grant Administrative Access to a Domain Controller


Here's a hack that will help you secure any domain controllers you have running at a remote site.

Active Directory has introduced many new levels of complexity to server and security management. For example, if you would like to grant a remote site administrator the rights to install software or services on a domain controller, that person would have to be a domain administrator. Granting that person domain administrator rights introduces the possibility of that user creating new accounts with administrative rights. Obviously, this is not an ideal situation.

The following steps show how to grant a user the same level of rights as an administrator of a member server or a workstation on a domain controller, while preventing that user from having rights to Active Directory.

Please note that this hack does not eliminate all possible security risks, and the users who are granted these rights need to be highly trusted.






Log onto a domain controller with full domain administrator rights. Make sure your Active Directory domain is in native mode.

Inside of Active Directory Users and Computers, create a global security group called DCAdmins. Add all users/groups that will need administrative access to the domain controllers to this group.

Create another global security group called DenyDCAdmins.

Add the DCAdmins group to the DenyDCAdmins group.

Inside of Active Directory Users and Computers, right-click on the domain name and choose Properties. Click on the Security tab (if the Security tab is not available, go to the View menu and choose Advanced).

Click on Add and choose the DenyDCAdmins group. Once the group has been selected, click on the Deny checkbox next to Full Control in the Permissions area, as shown in Figure 8-4.

Figure 8-4. Denying Full Control permission for the DenyDCAdmins global group

Now, all users or groups that are members of the DCAdmins group have full administrative access to all domain controllers but do not have any access to Active Directory.

These users won't even be able to browse Active Directory to apply permissions on shares or files. It is generally a best practice for these users to have two accounts: one for administering the domain controllers and another for day-to-day use.






Overall, this is a great approach to limit security for remote administrators and operations teams that need to be able to make changes on domain controllers. I highly recommend trying this approach before blanketing your Active Directory environment with unnecessary domain administrators.
_________________


www.clanah.net
CONTACT ME IF YOU WANA JOIN THE CLAN!!!
nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 4:35 pm

Hack 75 Secure Backups


Protect critical business information by restricting who can back up and restore it.

In a small organization, a single administrator might be responsible for backing up and restoring data stored on servers. In a large enterprise, however, it's more likely that administrative responsibilities will be delegated among various groups. Windows 2000 and Windows Server 2003 include special built-in groups for such purposes, but we'll also see how creating custom groups can give you even greater control over who can back up and restore your data.

Using Backup Operators
There are actually two different Backup Operators groups in Windows 2000 and Windows Server 2003: a local group and a domain local group. What's the difference between local and domain local groups? Local groups are defined in the SAM database on a member server or workstation, while domain local groups are stored in Active Directory on domain controllers. As a result, member servers and workstations have a built-in local group named Backup Operators, and membership of this group is modified by using Local Users and Groups in the Computer Management console.

By contrast, domain controllers have a built-in domain local group also named Backup Operators, and membership in the group is modified using the Active Directory Users and Groups (ADUC) console (the group is located within the Built-in container for each domain).

In the GUI, the domain local Backup Operators group is actually labeled as "Built-in local" instead of "Built-in domain local." This is an error in the GUI.






So, what exactly can members of the Backup Operators group do? First, they can back up any file or folder on the server on which the group resides. This means that if you belong to the Backup Operators group on a member server, you can back up and restore files on that member server (and only that member server). But if you belong to the Backup Operators group on a domain controller, you can back up and restore files on any server in the domain. Backup Operators can also perform certain other tasks, such as interactively logging on to the console of the server and shutting the server down. And members of the built-in Server Operators group can do everything Backup Operators can, in addition to being able to create and manage shared folders and printers.

So, who belongs to the Backup Operators group? By default, nobody. The idea is that these users have a powerful ability—to make copies of sensitive business data and restore these copies to another machine—so you should think carefully before you make anyone a member of this group.

How do Backup Operators get these abilities? By the user rights assigned to them. User rights indicate authorization or privilege to perform some task and are assigned by using Group Policy (in an Active Directory environment) or Local Security Policy (on standalone servers in a workgroup). In a Group Policy Object (GPO), user rights are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment (see Figure 8-5).

Figure 8-5. User rights displayed in Group Policy

By default both the Backup Operators and Administrators built-in groups are assigned the following user rights:

Back up files and directories

Restore files and directories

Again, on a domain controller, the Server Operators group also has these rights by default. What's interesting about these two privileges is that they override any NTFS permissions that files and directories might have. Thus, even if the Backup Operators group is explicitly denied Read permission to a folder, members of this group can still back up the folder and its contents. In other words, user rights take precedence over permissions.

Mind you, there is a hack that enables a user to back up files and folders on a machine without assigning them the preceding rights. The trick is to assign them, at a minimum, the following special NTFS permissions on the file or folder:

Traverse folder/execute file

List folder/read data

Read attributes

Read extended attributes

Read permissions

You might use this method to grant a user the ability to back up copies of sensitive documents to a local folder on his workstation. By assigning these permissions, users can back up the contents of the folder but can't read the files stored in it. The rationale for using this approach, instead of assigning the necessary rights to the user, is that for security reasons you might want to ensure that the user has as few rights as possible, in case the user's account is compromised by an intruder. In other words, though this approach is more complicated, it can help guard against elevation of privilege attacks.

Restricting Access to Backups
A company's disaster recovery plan often overlooks the fact that those who perform backups shouldn't necessarily be the ones who restore from backups when things go wrong. That's because performing a backup is a routine administrative task that should be done regularly and delegated to some responsible user, but restoring a backup can actually provide the user with access to the backed-up data itself. For example, by restoring a backup job to a rogue server on the network and then running cracking tools locally on the server, the user could gain access to sensitive data and compromise the company's business.

The solution is to ignore the built-in Backup Operators group and create two new security groups instead. For instance, you might name them something mundane, like Backup Group and Restore Group, or something more creative if you prefer. Then, assign the right to "Back up files and directories" to Backup Group and "Restore files and directories" to Restore Group. Don't assign any other rights to these two groups.

Now, assign selected users to each group as desired. Typically, the membership of Backup Group is more inclusive than Restore Group and should include both junior administrators (who have actual responsibility for day-to-day backups) and senior administrators (who can be there in a pinch if things go wrong). Of course, the junior administrators should not be members of the default Domain Admins group; if they are, they will automatically have the "Restore files and directories" privilege as well.

The Restore Group, however, should have only senior administrators—the most trusted members of your IT department—as members. Whether or not they are all domain administrators is another question; best practice suggests that membership in Domain Admins should be as highly restricted as possible, and potential members of this group should be carefully screened during your company's hiring process. If you think one bad apple spoils the bunch, wait till you see what one corrupt administrator can do to your business!

If you assign the "Back up files and directories" right to a group and then find that a user who belongs to this group has difficulty backing up one or more volumes, check the disk quota restrictions on those volumes to ensure they aren't restricting the user from accessing those volumes.






Another approach you can use to secure your backups is to take advantage of a setting available on the Backup Job Information dialog box (see Figure 8-6). This dialog box appears after you start the Backup utility, select the volumes or folders you want to back up, and click the Start Backup button. By selecting the checkbox labeled "Allow only the owner and the Administrator access to the backup data," you configure permissions on the backup job so that only the individual who created the backup and the default administrator account can restore the backup.

Figure 8-6. Allowing only the backup owner and administrator to restore the backup

While this approach is easier than the approach I described earlier, it doesn't provide the same level of security as separating those who can restore data from those who back it up. Also, you can enable this setting only if you are backing up to a new tape or overwriting an old one; if you're appending your backup set to an existing tape, the setting is not available. In other words, the restriction offered by this setting is applied on a tape-by-tape basis, not a job-by-job basis. So, the lesser degree of security offered by this approach, coupled with its lack of flexibility, leads me to suggest you avoid using this setting and instead use the two-group approach I described previously.
_________________


www.clanah.net
CONTACT ME IF YOU WANA JOIN THE CLAN!!!
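A check for the two-group separation described in the post above, as an added PowerShell example (not part of the original post): it parses the [Privilege Rights] section written by `secedit /export /areas USER_RIGHTS` and reports every principal that holds both the backup right (SeBackupPrivilege) and the restore right (SeRestorePrivilege). The sample export and the two custom-group SIDs are constructed, and the function names are hypothetical.

```powershell
# Added example, not from the original post. Function names are hypothetical.

# Well-known SIDs of the built-in groups the post mentions.
$BuiltIn = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-549' = 'BUILTIN\Server Operators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
}

function Get-UserRightHolder {
    # Return the principals listed for one user right in a secedit export.
    param([string[]]$InfLine, [string]$Right)
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $InfLine) {
        if ($line -match $pattern) {
            # Entries are comma-separated; SIDs carry a leading '*'.
            return @(($Matches[1] -split ',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()
}

function Test-BackupRestoreSeparation {
    # One row per principal holding either right; Finding flags those holding both.
    param([string[]]$InfLine)
    $backup  = @(Get-UserRightHolder -InfLine $InfLine -Right 'SeBackupPrivilege')
    $restore = @(Get-UserRightHolder -InfLine $InfLine -Right 'SeRestorePrivilege')
    foreach ($sid in (@($backup + $restore) | Sort-Object -Unique)) {
        $canBackup  = $backup  -contains $sid
        $canRestore = $restore -contains $sid
        $finding = if ($canBackup -and $canRestore) {
            if ($sid -eq 'S-1-5-32-544') { 'Both rights (Administrators default)' }
            else { 'Both rights: every member can back up and restore' }
        } else { 'OK' }
        $label = if ($BuiltIn.ContainsKey($sid)) { $BuiltIn[$sid] } else { $sid }
        [pscustomobject]@{
            Principal  = $label
            CanBackup  = $canBackup
            CanRestore = $canRestore
            Finding    = $finding
        }
    }
}

# Constructed sample of the exported section. The two S-1-5-21-... SIDs stand
# for the custom "Backup Group" (-1601) and "Restore Group" (-1602); they are made up.
$sample = @'
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1601
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1602
'@ -split "`r?`n"

Test-BackupRestoreSeparation -InfLine $sample | Format-Table -AutoSize

# Against a live machine (elevated prompt), export and check the real policy:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Test-BackupRestoreSeparation -InfLine (Get-Content "$env:TEMP\rights.inf")
```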
nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 4:36 pm

Hack 76 Find Computers with Automatic logon Enabled


Having automatic logon enabled on a computer can be a security risk. Here's a quick way to find out which machines on your network have automatic logon enabled.

While enabling automatic logon [Hack #4] in Chapter 1 can be useful in certain scenarios, such as a test network, it can also be a security risk, especially if it is enabled on a computer without the administrator's knowledge. Here is a quick and dirty way to locate all machines that have automatic logon enabled in their Registry.

You'll need the following tools:

The regfind.exe utility, which is available from the Windows NT/2000 resource kits.

A list of machines to search, which can be obtained in many different ways (including an SMS report, server manager, etc.). The list should be a plain text file named serverlist.txt in the following format:

server1

server2

server3

server4

etc...

A user account that has administrative rights to the Registry on the machines being queried. Typically, a domain administrator account will work just fine.

Create a batch file that will use the provided list and kick off regfind. For this we will use the FOR DOS command (all on one line—text is wrapped here to fit the constraints of the page):

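rem Append with >> so each server's output is kept (a single > would overwrite results.txt on every pass)
for /F %%A in (serverlist.txt) do (regfind.exe -m \\%%A -p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n "Autoadminlogon" >>results.txt)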
You can see that we are simply parsing the serverlist.txt file for each server name, then instructing regfind to locate that Registry key. There are two caveats, though. First, the results can be hard to read while the search is going on. It is recommended that you pipe the results to a text file (the preceding example does this). Second, regfind is case-sensitive. This can make the search a bit longer, but it's still fairly easy. Instead of just a one-line batch file, you simply have a few more (almost identical) lines. A larger sample of the completed batch file looks something like this (again, all on one line—beware of line wrap):

rem One pass per spelling of the value name; >> appends so no pass overwrites an earlier one
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A -p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n "Autoadminlogon" >>results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A -p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n "AutoadminLogon" >>results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A -p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n "AutoAdminlogon" >>results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A -p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n "AutoAdminLogon" >>results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A -p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n "autoAdminlogon" >>results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A -p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n "autoadminlogon" >>results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A -p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n "autoAdminLogon" >>results.txt)
for /F %%A in (serverlist.txt) do (c:\work\adminlogon\regfind.exe -m \\%%A -p "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" -n "autoadminLogon" >>results.txt)
Using this method, you can scan a select list of workstations/servers for this key fairly quickly.

Hacking the Hack
This procedure can easily be modified to find out other Registry keys as well, simply by changing the key name to search for. Enjoy!
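The same sweep as an added PowerShell example (not part of the original post), reading the Winlogon values over Remote Registry instead of through regfind. The registry API matches value names case-insensitively, so one lookup covers every spelling of AutoAdminLogon; the function name Get-AutoLogonStatus and the report file name are assumptions, and the script records only whether a DefaultPassword value exists, never its contents.

```powershell
# Added example, not from the original post. Assumes the Remote Registry service
# is reachable on each target and the caller has administrative rights there.
# Get-AutoLogonStatus is a hypothetical helper name.
function Get-AutoLogonStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName
    )
    begin {
        $winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    }
    process {
        foreach ($entry in $ComputerName) {
            $name = "$entry".Trim()
            if (-not $name) { continue }            # skip blank entries

            $row = [ordered]@{
                ComputerName       = $name
                Reachable          = $false
                AutoAdminLogon     = $null
                DefaultUserName    = $null
                PasswordInRegistry = $null
                Error              = $null
            }
            $hklm = $null
            $key  = $null
            try {
                $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $name)
                $key = $hklm.OpenSubKey($winlogon)  # opened read-only
                if ($null -eq $key) { throw 'Winlogon key not found' }
                $row.Reachable = $true
                # A value of "1" means automatic logon is enabled.
                $row.AutoAdminLogon = ([string]$key.GetValue('AutoAdminLogon')) -eq '1'
                $row.DefaultUserName = [string]$key.GetValue('DefaultUserName')
                # Report only whether a cleartext DefaultPassword value is present.
                $row.PasswordInRegistry = $key.GetValueNames() -contains 'DefaultPassword'
            }
            catch {
                # Unreachable host, access denied, service stopped, and so on.
                $row.Error = $_.Exception.Message
            }
            finally {
                if ($key)  { $key.Close() }
                if ($hklm) { $hklm.Close() }
            }
            [pscustomobject]$row
        }
    }
}

# Use serverlist.txt (one name per line, as in the post) when it exists;
# otherwise fall back to the local computer so the script still runs.
$targets = if (Test-Path .\serverlist.txt) {
    Get-Content .\serverlist.txt
} else {
    $env:COMPUTERNAME
}

$report = @($targets | Where-Object { "$_".Trim() } | Get-AutoLogonStatus)
$report | Export-Csv -Path .\autologon-report.csv -NoTypeInformation
$report | Where-Object { $_.AutoAdminLogon } |
    Format-Table ComputerName, DefaultUserName, PasswordInRegistry -AutoSize
```

Hosts that could not be queried appear in the CSV with Reachable set to False and the error text, so an unreachable machine is not mistaken for a clean one.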
nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 4:41 pm

Hack 77 Security FAQ


Rod Trent, CEO of myITforum.com, shares his answers to common security questions.

At myITforum.com (http://www.myitforum.com), we often get questions regarding general network-security issues, and I try to answer them in the form of a Security FAQ. Here's a short selection of the most common questions we receive, along with my responses. You can find more security tips at myITforum.com.

Steps to Computer Security
What can I do to make sure my computer is secure?

It depends on whether you are a consumer or a business.

Consumers
Consumers should start by using an Internet firewall on all PCs and laptops. An Internet firewall can help prevent outsiders from getting to your computer through the Internet. If you use Windows XP, enable the built-in firewall feature on that platform. You should also update your computer regularly, either by using the Automatic Updates feature or by regularly visiting the Windows Update web site to download the latest Microsoft security updates. Also, make sure your antivirus software is up-to-date; installing, configuring and maintaining your antivirus software is absolutely essential.

Businesses
Businesses should follow a similar but more involved procedure. Start by verifying the configuration of your firewalls for both Internet and intranet. By auditing your firewall configurations, you ensure they comply with your company's security policy. Firewalls are your first line of defense, and best practice requires blocking all ports that are not actually being used by applications on your network. Businesses should also protect their networks by requiring employees to follow the precautions outlined by Microsoft (http://www.microsoft.com/protect/) on both their home PCs and laptops, especially if they use these machines to connect to your enterprise. PCs and laptops that VPN or RAS into your network must be protected by a properly configured firewall.

Businesses must also keep their systems up-to-date with the latest security patches from Microsoft. To do so, subscribe to Microsoft's free security notification service and use Microsoft update services to automatically obtain patches for your network; see [Hack #78] for more information. Finally, businesses should invest in antivirus software, because such protection is absolutely essential for keeping sensitive business data safe from attackers.

Vulnerability Types
Q: What are the vulnerability types that I need to monitor against?

A: There are three basic types of vulnerability:




Administrative vulnerability

The failure to observe administrative best practices, such as using a weak password or logging onto an account that has more user rights than the user requires to perform a specific task.




Product vulnerability

A security-related bug in a product that is addressed by a security bulletin/hotfix or a service pack.




Physical vulnerability

The failure to provide physical security for a computer. Physical vulnerability can include leaving an unlocked workstation running in an area that is accessible to unauthorized users, leaving a server room unlocked or open, or losing a laptop or leaving it at a customer site.

Strong Password Policy
Q: What is the best practice to follow when creating policies for user passwords?

A: Each company's security-level needs are different, but in general, strong passwords should be at least six characters long, should not contain all or part of the user's account name, and should contain at least three of the four following categories of characters: uppercase letters, lowercase letters, Base 10 digits, and nonalphanumeric symbols found on the keyboard, such as !, @, and #.

How Microsoft Handles Security
Q: Is there any documentation on how Microsoft handles security against worms and viruses?

A: Yes. Microsoft has released a "Security at Microsoft" white paper on how they handle security issues (http://www.microsoft.com/downloads/details.aspx?FamilyID=73f1ba8e-a15c-4c05-be87-8d21b1372485). This paper describes what Microsoft's Corporate Security Group does to prevent malicious or unauthorized use of digital assets at Microsoft. This asset protection takes place through a formal risk-management framework, risk-management processes, and clear organizational roles and responsibilities. The basis of the approach is recognition that risk is an inherent part of any environment and that risk should be proactively managed. The principles and techniques described in Microsoft's white paper can be employed to manage risk at any organization.

Reporting Security Incidents to Microsoft
Q: How can I report a security incident or vulnerability to Microsoft?

A: If you have purchased Microsoft support, you should contact your Technical Account Manager (TAM). You can also use the web form at https://s.microsoft.com/technet/security/bulletin/alertus.asp to submit incidents and vulnerabilities.

Reporting Security Incidents to Government Authorities
Q: We've just had a security incident. Who can I call to report it?

A: The FBI encourages the public to report any suspected violations of U.S. federal law. Never think that your security incident is insignificant. Your incident might be part of a larger attack or the beginning of a larger attack. You can find your local FBI Field Division information at http://www.fbi.gov/contact/fo/fo.htm.

Getting Government Security Clearance
Q: How can you apply for security clearance for a government job?

A: In our daily newsletter at myITforum.com (http://www.myitforum.com/newsletter.asp), we sometimes post open positions for jobs in the government sector that require special security clearance before applying. Several folks have wondered what it takes to get the security clearance, and a list of good tidbits of information were posted to the myITforum.com Off-Topic list (http://www.topica.com/lists/myOTforum/). Here are some additional places you can find information on government security clearance:

FBI Information Sheet: http://www.fbi.gov/clearance/securityclearance.htm

Security Clearance for IT Pros: http://www.jobcircle.com/career/coach/jf_2002_09.html

Security Clearances: http://www.taonline.com/securityclearances/
_________________


www.clanah.net
CONTACT ME IF YOU WANA JOIN THE CLAN!!!
nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 4:42 pm

Hack 78 Microsoft Security Tools


Here's a quick guide to various tools from Microsoft to help secure your systems against attack.

This list represents my personal take on the wide variety of security tools currently offered by Microsoft. It includes tools for security assessment, patch management, security scanning, system updating, lockdown, auditing, intrusion detection, virus protection, and system cleaning. There's also a brief list of RFCs that every security professional (including those who work with platforms other than Windows) should become familiar with.

I plan to update this list at myITforum.com (http://www.myitforum.com) as new items become available. If you have any suggestions to add to the list, drop me a note at myITforum@cinci.rr.com.

Assessment, Patch Management, and Software Update Services and Tools
The Microsoft Baseline Security Analyzer (MBSA) (http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp) is a popular security tool that scans single systems or multiple systems across a network for common system misconfigurations and missing security updates.

Software Update Services (SUS) (http://www.microsoft.com/windowsserversystem/sus/default.mspx) simplifies the process of keeping Windows-based systems up-to-date with the latest critical updates. See [Hack #89] in Chapter 9 for tips on using this tool.

QChain (http://support.microsoft.com/default.aspx?scid=KB;EN-US;296861) allows administrators to script the installation of several patches without requiring multiple reboots. To use this tool, you create a batch file to update your security configuration with hotfixes. Note that QChain is not required if you are running Windows 2000 Service Pack 3 or later, or more recent versions of Windows, such as XP and 2003.

Finally, the KB 824146 Scanning Tool (http://support.microsoft.com/default.aspx?scid=kb;en-us;827363) can be used to identify computers on networks that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed.

Automatic Scan and Update Tools for Windows and Office
To keep your operating system up-to-date with patches, use the Windows Update web site (http://windowsupdate.microsoft.com), which scans your computer and provides a selection of updates tailored for your operating system, software, and hardware. For updating Microsoft Office products, use the Microsoft Office Product Updates web site (http://office.microsoft.com/officeupdate/default.aspx).

Lockdown, Auditing, and Intrusion Detection Tools
The IIS Web Server Lockdown Wizard (http://www.microsoft.com/technet/security/tools/tools/locktool.asp) works by reducing the attack surface of Internet Information Services and includes URLScan to provide multiple layers of protection against attackers. Note that this tool is designed only for IIS 5 (Windows 2000); because IIS 6 (Windows Server 2003) has this functionality built into it, a download isn't necessary for that platform.

The UrlScan Security Tool (http://www.microsoft.com/technet/security/tools/tools/URLScan.asp) helps prevent potentially harmful HTTP requests from reaching IIS web servers. This tool also is designed mainly for IIS 5, because much (but not all) of the functionality of UrlScan is built into IIS 6.

EventCombMT is available as part of the Security Guide Scripts Download (http://www.microsoft.com/downloads/details.aspx?FamilyID=9989D151-5C55-4BD3-A9D2-B95A15C73E92). This multithreaded tool parses event logs from many servers at the same time, which is highly useful for monitoring your event logs for signs of intrusion.

The Cipher Security Tool for Windows 2000 (http://www.microsoft.com/technet/security/tools/tools/cipher.asp) permanently overwrites deleted data on hard drives. It's basically a replacement for the cipher command used to manage the Encrypting File System (EFS) from the command line.

Virus Protection and Cleaner Tools
The Office 2000 Update Service Pack 3 (http://www.microsoft.com/downloads/details.aspx?FamilyID=5C011C70-47D0-4306-9FA4-8E92D36332FE) includes the Outlook 2000 SR1 E-mail Security Update (OESU), which prevents users from accessing several potentially dangerous file types when sent as email attachments. It also increases the default security zone settings within Outlook.

The SQL Server 2000 Security Tools (http://www.microsoft.com/downloads/details.aspx?FamilyId=9552D43B-04EB-4AF9-9E24-6CDE4D933600) can help you determine whether your computer or environment is vulnerable to the Slammer worm.

Top Security RFCs
Finally, here are some Request For Comment (RFC) documents that every security professional should become familiar with. These RFCs apply to any enterprise networking environment—pure Microsoft, mixed Windows/Unix, or pure Unix:




RFC 2196 Site Security Handbook (ftp://ftp.rfc-editor.org/in-notes/rfc2196.txt)

Describes how to develop security policies and procedures for sites connected to the Internet




RFC 2504 Users' Security Handbook (ftp://ftp.rfc-editor.org/in-notes/rfc2504.txt)

Similar to the Site Security Handbook, but designed for users.




RFC 2350 Expectations for Computer Security Incident Response (ftp://ftp.rfc-editor.org/in-notes/rfc2350.txt)

Describes expectations for computer security incident response teams.

These RFCs are also worth skimming through:




RFC 2828 Internet Security Glossary (ftp://ftp.rfc-editor.org/in-notes/rfc2828.txt)

A glossary of security terms and abbreviations




RFC 2577 FTP Security Considerations (ftp://ftp.rfc-editor.org/in-notes/rfc2577.txt)

A collection of tips on how to implement FTP servers securely




RFC 3013 Recommended Internet Service Provider Security Services and Procedures (ftp://ftp.rfc-editor.org/in-notes/rfc3013.txt)

Describes expectations of security for ISPs
nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 4:44 pm

Use Run As to Perform Administrative Tasks


Use Run As to protect your administrator workstation from Trojans and other nasties.

If you're lazy, like I am, you probably use the default administrator account on your desktop workstation for browsing the Web, checking your email, and managing the servers on your company's network.

Not a good idea.

What if you unknowingly visited a web page that executed a script that downloaded a Trojan to your machine? Your administrator account would be compromised, and the attacker would have total access to your workstation and possibly to your whole network! To avoid such dangers, administrators should always have two user accounts: a regular (user-level) account for ordinary activities, such as web browsing and messaging, and an administrator-level account, used only for performing administrative tasks. This way, when you are reading your email and suddenly remember you have to reschedule a backup, you can simply log off, log back on using your administrator account, perform the task, log off again, and log on again as a regular user.

Who am I kidding? That's too much to expect of a lazy system administrator.

How Run As Works
The Run As service (called Secondary Logon service in Windows Server 2003 and Windows XP) is a hack designed to enable you to run programs by using alternate credentials while you're logged on using another account. For example, if you are an administrator and are logged on to your desktop using your regular user account, you won't be able to run administrative tools such as Computer Management, because they require administrator credentials to run properly. (Actually, you can open Computer Management as an ordinary user; you just can't do much with it.) Using Run As, however, you can run Computer Management as an administrator while remaining logged on as an ordinary user.

There are two ways to use Run As: using the GUI or from the command line. To use the GUI method, first find the program you want to run in Windows Explorer or My Computer. Then, for executables (*.exe files), hold down the Shift key, right-click the program's icon, and select Run to open the Run As Other User dialog box shown in Figure 1-1. For MMC consoles (*.msc files) and Control Panel utilities (*.cpl files), you do the same thing but don't need to hold down the Shift key.

Figure 1-1. Using Run As to run a program using administrator credentials

Once you specify the appropriate alternate credentials and click OK, the program you selected runs in the security context of those alternate credentials until you close or terminate the program. If you prefer, the alternative credentials can also be entered as domain\user or user@domain, which in Figure 1-1 would be MTIT\Administrator or Administrator@mtit.com for an example domain named mtit.com (replace these credentials with the name of your own domain). The advantage of doing it the way shown in Figure 1-1 is that, if your computer is a member server, you can specify a local user account by entering the name of the computer in the Domain field.

Using Run As from the command line is just as easy, but you need to know the path to the program (unless the program file is located within the system path). For example, the Computer Management console file compmgmt.msc is located in the \system32 directory. To run it as Administrator in the MTIT domain, simply type the following at a command prompt:

runas /user:MTIT\Administrator "mmc %windir%\system32\compmgmt.msc"

You'll be prompted for a password for the account, after which Computer Management will open. Note that you can also type this command directly into the Run box (accessed by Start → Run).

Limitations of Run As
While Run As is useful, it has some limitations. First, the alternate credentials you specify must have the Log On Locally user right on the computer. Since Run As is usually used with administrator credentials (which have that right by default), this is usually an issue only in certain circumstances. For example, say you grant a few knowledgeable users a second user account that belongs to the Power Users group, to allow them to update device drivers and perform other minor maintenance on their desktop computers. If you try to reduce the attack surface of your network by removing the right to Log On Locally from the Power Users group using Group Policy, then these users won't be able to perform such tasks.

Also, there are certain tasks you can't perform directly using Run As, such as opening the Printers folder to administer a printer that is connected to your machine. The reason for this is that the special folders such as Printers and Network and Dial-up Connections are opened indirectly by the operating system, not by a command. You also can't use Run As to open Windows Explorer and access the filesystem on your computer as administrator, because the Windows shell explorer.exe is already running as your current desktop environment and Windows allows only one GUI shell to run at a time.

Finally, Run As also might not work if the program you are trying to run is located on a network share, because the credentials used to access the share might be different than the credentials used to run the program.

Most limitations have workarounds of some sort, if you try hard enough to find them. So, let's see if we can figure out ways to get around these limitations (except for the Log On Locally limitation, which is absolute).

Running programs without an executable
Say you want to change some settings for the Local Area Connection in the Network and Dial-up Connections folder. If you try doing this as an ordinary user, you'll get a message saying "The controls on this properties sheet are disabled because you do not have sufficient privileges to access them." Here's how to access these settings as an administrator without logging out of your regular account. Right-click on the task bar and open Task Manager. Then, switch to the Processes tab, select explorer.exe, and click End Process to kill the desktop but leave Task Manager running. Now, switch to the Applications tab, click New Task, type runas /user:MTIT\Administrator explorer.exe to run the Windows Explorer shell in an administrator context, and click OK. Finally, move Task Manager out of the way and type your password into the command-prompt window.

A new desktop will now appear, running in the security context of your administrator account. You can now change the settings of your Local Area Connection, modify the properties of a printer in the Printers folder, browse the filesystem, or do anything you want to do as administrator. But be sure to leave Task Manager running, because it is your only connection to your original desktop! You can minimize it so it won't be in the way.

Once you're finished performing your administrative tasks, you can return to your original desktop (the one running under the security context of your regular account) as follows. Maximize Task Manager so that you'll have access to it when your desktop disappears again. Then, to log off of your administrator session, click Start → Shut Down and select Log Off.

Do not try to log off by pressing Ctrl-Alt-Del and clicking Log Off, because this will log off the session for your regular user account.






Your administrator desktop has now disappeared, but Task Manager is still running (in the security context of your regular account), so switch to the Applications tab, click New Task, type runas /user:MTIT\Administrator explorer.exe, and click OK. Your desktop has returned.

At this point, you might ask, "Why should I go to all that trouble? It would be faster just to log off as a regular user and log on as an administrator." True, but any applications you have running as a regular user would then have to be terminated. Doing it the way shown here, however, leaves all your desktop applications running in the background.

Running programs from network shares
Here's how to get around the limitation of running programs from network shares with appropriate credentials. To run a program named test.exe found in the TOOLS share on server SRV230, use Start → Run to open a command-prompt window as administrator, type runas /user:MTIT\Administrator cmd to open a command shell in administrator context, and then map a drive to the shared folder by typing net use Z: \\SRV230\TOOLS. Now, switch to the Z: drive and run the program as desired. This lets you connect to the shared folder using domain administrator credentials and run the program under the same credentials. This approach is also useful for installing applications from a network distribution point.

Run As Shortcuts
To make your life easier, instead of having to type stuff at the command line, you can use Run As to create a shortcut that will run a program under alternate credentials. For example, to run the Computer Management console from a Run As shortcut, right-click on your desktop, select New → Shortcut, and type %windir%\system32\compmgmt.msc as the command string. Name your shortcut Computer Management and click OK. Then, right-click on the shortcut, select Properties to open its properties sheet, and on the Shortcut tab select the checkbox labeled "Run program as other user" (on Windows Server 2003, click the Advanced button on the Shortcut tab to configure this). Now, whenever you double-click on the shortcut to run Computer Management, the Run As Other User dialog box (see Figure 1-1) will appear. Just type in your administrator password to run Computer Management in administrator context.

There's another way to create Run As shortcuts that you might find even easier to use. Just right-click on your desktop, select New → Shortcut, and type the following command string:

%windir%\system32\runas.exe /user:MTIT\Administrator "mmc %windir%\system32\compmgmt.msc"

Save the shortcut with the name Computer Management. Now, when you double-click the shortcut, a command-prompt window opens, prompting you for the password for the MTIT\Administrator account. Type the password, press Enter, and Computer Management starts in administrator context.

What if you get tired of typing your administrator password each time you want to run a Run As shortcut? On Windows Server 2003, there's a way to get around that. Just create a new shortcut with this command string:

%windir%\system32\runas.exe /user:MTIT\Administrator /savecred "mmc %windir%\system32\compmgmt.msc"
Notice the /savecred switch in this string. This option first appeared in Windows XP. The first time you double-click on the shortcut, a command-prompt window opens to prompt you for the password for the alternate credentials, just like before. The next time you double-click on the shortcut, however, you are not prompted for the password; it was stored on your machine the first time you ran the shortcut. Now you no longer have to type a password each time you use your Run As shortcut. Time-saver, right? Yes, but it's also a possible security hole: once the credentials for your administrator account are stored locally on the machine, they can be used to run any command-line program using administrator credentials.

Here's a scenario to illustrate what I mean. Let's say you need to run an administrative tool on a user's desktop machine without logging the user off the machine. You ask the user to take a coffee break. Then, you open a command-prompt window and use runas with /savecred to start the tool (you use /savecred because you might have to run several administrative tools and you don't want to have to type your complex 24-character password repeatedly). When you're finished, you close all the tools you started and walk away. When the user returns to her desktop, she opens a command prompt and types runas /user:MTIT\Administrator /savecred cmd. A command-prompt window opens, displaying administrator credentials in the title bar. The user now knows that she can use this approach to run any program on her machine using administrator credentials.

What did you do wrong as administrator in this scenario? Two things: you used /savecred on a user's desktop machine, which saved your administrator password locally on the machine, and you haven't renamed the default administrator account. If you had changed the name of this account to something complex and unknown to ordinary users, the runas /user:MTIT\Administrator /savecred cmd command the user typed wouldn't work.

What do you do if you have used /savecred on an unsecured machine without thinking about the consequences? Just delete your stored credentials on the machine by opening Stored User Names and Passwords in the Control Panel.
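The cleanup step at the end of the post above (deleting credentials that /savecred left behind) can also be checked from the command line. The PowerShell below is an added example, not part of the original post or of the book it quotes. It assumes cmdkey.exe is present, that its output is in English, and that saved Run As credentials are listed under a target beginning with Domain:interactive=; the function names are made up for this example, and the check must run in the session of the user whose credential store you want to inspect.

```powershell
# Added example (not from the original post): list and optionally remove
# credentials that "runas /savecred" left in the current user's credential store.
# Assumptions: cmdkey.exe exists, its output is English, and saved Run As
# credentials use a target that starts with "Domain:interactive=".

function ConvertFrom-CmdKeyList {
    # Turn the text output of "cmdkey /list" into objects with Target/Type/User.
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # A new Target line starts a new entry; flush the previous one.
            if ($null -ne $current) { $entries += [pscustomobject]$current }
            $current = [ordered]@{ Target = $Matches[1]; Type = $null; User = $null }
        }
        elseif (($null -ne $current) -and ($line -match '^\s*(Type|User):\s*(.+?)\s*$')) {
            $current[$Matches[1]] = $Matches[2]
        }
    }
    if ($null -ne $current) { $entries += [pscustomobject]$current }
    $entries
}

function Get-SavedRunAsCredential {
    # Keep only the entries that an interactive "runas /savecred" creates.
    param([string[]]$CmdKeyOutput)
    ConvertFrom-CmdKeyList $CmdKeyOutput |
        Where-Object { $_.Target -like 'Domain:interactive=*' }
}

function Remove-SavedRunAsCredential {
    # Delete one stored credential; supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Entry)
    process {
        if ($PSCmdlet.ShouldProcess($Entry.Target, 'Delete stored credential')) {
            & cmdkey.exe "/delete:$($Entry.Target)" | Out-Null
        }
    }
}

# Constructed sample of "cmdkey /list" output, used only when cmdkey.exe is missing.
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=MTIT\Administrator
    Type: Domain Password
    User: MTIT\Administrator

    Target: Domain:target=SRV230
    Type: Domain Password
    User: MTIT\jsmith
'@ -split "`r?`n"

$lines = if (Get-Command cmdkey.exe -ErrorAction SilentlyContinue) { & cmdkey.exe /list } else { $sample }

# Report every saved Run As credential found for the current user.
$found = @(Get-SavedRunAsCredential $lines)
$found | Format-Table Target, User -AutoSize

# Preview the cleanup; remove -WhatIf to actually delete the entries.
$found | Remove-SavedRunAsCredential -WhatIf
```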
nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 4:51 pm

Hack 3 Find and Replace Registry Keys from a Command Line


Using the Regfind utility, you can easily search the Registry for a value, regardless of the key, and replace it.

Regfind (from the Windows 2000 Server Resource Kit) can be an invaluable tool when you need to change a Registry key that you know the value for but do not necessarily know the full path. Recently tasked with changing the hardcoded DNS server IP on all the servers in our organization, I was pleasantly surprised when I located this gem. The problem with trying to change the DNS server entry in the Registry is that all the IP parameters are broken up by a hashed ID. The ID references several things, but most of them have to do with the network card. Regfind allows you to search a set of subkeys in the Registry for a specific value and, when found, replace it. Another real beauty of this program is that it will work remotely; all you need to do is supply it with a list of machines and let it go. Using a list of computer names (generated from SMS, Server Manager, or AD Users and Computers), combined with two batch files, you can make sweeping changes in a dynamic environment.

The Code
Here's an example of how to change the DNS server entry on all servers in your organization. First, create a batch file called Regchange2.bat with the following syntax:

regfind -m \\%1 -p HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\parameters "OLDIP" -r "NEWIP"

You will obviously want to replace OLDIP with the old DNS server IP and replace NEWIP with the new DNS server IP.

Now, create a second batch file called regchange1.bat with the following syntax:

for /F %%A in (servers.txt) do (call regchange2.bat %%A)

This searches the servers.txt file for computer names and passes them to the regchange2.bat file as a command-line argument.

Now you need to create a list file for your batch files to use. Create a listing of servers that need to have their DNS IPs changed and save that list as servers.txt. An SMS report or a copy/paste from the server manager will suffice, or you can create the file manually if you like.

Running the Hack
Now, simply run the regchange1.bat batch file by calling it from a logon script and watch all your servers have their IP settings changed!

This is just one simple example of how to use Regfind. There are many command-line arguments, so please examine those to meet your needs.
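A change that sweeps every server in one pass is easier to trust when it can be previewed first and when it only touches whole addresses. The PowerShell below is an added example, not part of the original post or of Regfind; it assumes the static DNS servers live in the NameServer value of each per-interface subkey (the "hashed ID" the post mentions) and that the Remote Registry service is reachable. The function names and the sample addresses are made up for this example.

```powershell
# Added example (not from the original post): preview, then apply, a DNS server
# change in the remote Registry, touching only whole-address matches.
# Assumptions: static DNS servers are stored in the NameServer value of each
# per-interface subkey, the Remote Registry service is reachable, and the
# function names and sample addresses below are made up for this example.

function Get-ReplacedNameServer {
    # Return the updated server list, or $null when OldIP is not one of the entries.
    param([string]$Value, [string]$OldIP, [string]$NewIP)
    # Keep whichever delimiter the existing value already uses.
    $delimiter = if ($Value -match ',') { ',' } else { ' ' }
    $servers = @($Value -split '[,\s]+' | Where-Object { $_ })
    if ($servers -notcontains $OldIP) { return $null }
    $updated = $servers | ForEach-Object { if ($_ -eq $OldIP) { $NewIP } else { $_ } }
    $updated -join $delimiter
}

function Update-DnsServerEntry {
    # Walk every interface subkey on each computer and report or apply the change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][string]$OldIP,
        [Parameter(Mandatory = $true)][string]$NewIP
    )
    $path = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($computer in $ComputerName) {
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $interfaces = $hklm.OpenSubKey($path)
            foreach ($id in $interfaces.GetSubKeyNames()) {
                # Read-only open first, so a preview needs no write access.
                $key = $hklm.OpenSubKey("$path\$id")
                $before = [string]$key.GetValue('NameServer', '')
                $key.Close()
                $after = Get-ReplacedNameServer -Value $before -OldIP $OldIP -NewIP $NewIP
                if ($null -eq $after) { continue }
                $status = 'preview only'
                if ($PSCmdlet.ShouldProcess("\\$computer $id", "NameServer '$before' -> '$after'")) {
                    $writable = $hklm.OpenSubKey("$path\$id", $true)
                    $writable.SetValue('NameServer', $after, [Microsoft.Win32.RegistryValueKind]::String)
                    $writable.Close()
                    $status = 'changed'
                }
                # One record per touched interface, usable as a change log.
                [pscustomobject]@{ Computer = $computer; Interface = $id; Before = $before; After = $after; Status = $status }
            }
            $hklm.Close()
        }
        catch {
            # Unreachable or access-denied machines are reported, not silently skipped.
            [pscustomobject]@{ Computer = $computer; Interface = $null; Before = $null; After = $null; Status = "failed: $($_.Exception.Message)" }
        }
    }
}

# Constructed values (documentation address range). The first call rewrites one
# entry of the list; the second leaves the value alone, because 192.0.2.10 is a
# different address from 192.0.2.1 even though it starts with the same text.
Get-ReplacedNameServer -Value '192.0.2.1,192.0.2.10' -OldIP '192.0.2.1' -NewIP '192.0.2.53'
Get-ReplacedNameServer -Value '192.0.2.10' -OldIP '192.0.2.1' -NewIP '192.0.2.53'

# Preview against the server list from the post, then rerun without -WhatIf to apply:
# Update-DnsServerEntry -ComputerName (Get-Content servers.txt) -OldIP '192.0.2.1' -NewIP '192.0.2.53' -WhatIf
```

Saving the returned records (for example with Export-Csv) gives you the previous value of every interface that was changed, which is what you need to roll the change back.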
nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 4:53 pm

Hack 5 Wait for and Optionally Terminate a Process


If you've wondered how to write code that waits for a process to finish before terminating it, here's the answer.

I have seen a number of discussions regarding the need for a VB script that waits for a process to finish. The script in this hack does this and more: it waits for a process to finish and optionally terminates the process if it has not finished within a specified amount of time.

This code is a modified form of what I use to control my software deployments, and it has two purposes. First, the code is designed to be certain that the deployment script waits until the initiated software setup executable is fully finished before proceeding. Even though the majority of recent software releases do not require this functionality when being deployed, it is still required for some legacy installations. Second, the code can perform a forceful termination of an application if this functionality is required.

This script accepts three arguments: the name of the executable to wait for or terminate, the amount of time to wait before terminating the specified executable, and (optionally) a switch specifying that the script should run silently. Note that the script uses Windows Management Instrumentation (WMI) for the process-management tasks, so make sure you're running the latest WMI version on your machine.

The Code
The script consists of several sections, which are described inline in the following sections.

Main routine
First, command-line switches are read in the main body area:

Option Explicit
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' File:    vbsWaitForProcess.vbs
' Updated: Nov 2002
' Version: 1.0
' Author:  Dan Thomson, myITforum.com columnist
'          I can be contacted at dethomson@hotmail.com
'
' Usage:   The command processor version must be run using cscript
'              cscript vbsWaitForProcess.vbs notepad.exe 60 S
'          or
'          The IE and Popup versions can be run with cscript or wscript
'              wscript vbsWaitForProcess.vbs notepad.exe -1
'
' Input:   Name of executable (ex: notepad.exe)
'          Time to wait in seconds before terminating the executable
'              -1 waits indefinitely for the process to finish
'              0 terminates the process immediately
'              Any value > 0 will cause the script to wait the specified
'              amount of time in seconds before terminating the process
'          Silent mode (S)
'
' Notes:
'
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

On Error Resume Next

'Define some variables
Dim strProcess
Dim intWaitTime
Dim strSilent

'Get the command line arguments
strProcess = Wscript.Arguments.Item(0)
intWaitTime = CInt(Wscript.Arguments.Item(1))
strSilent = Wscript.Arguments.Item(2)

Call WaitForProcess (strProcess, intWaitTime, strSilent)

Check if process is running
Next, the ProcessIsRunning function determines if a process is running:

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Function: ProcessIsRunning
'
' Purpose:  Determine if a process is running
'
' Input:    Name of process
'
' Output:   True or False depending on if the process is running
'
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Private Function ProcessIsRunning( strProcess )
  Dim colProcessList

  Set colProcessList = Getobject("Winmgmts:").Execquery _
    ("Select * from Win32_Process Where Name ='" & strProcess & "'")
  If colProcessList.Count > 0 Then
    ProcessIsRunning = True
  Else
    ProcessIsRunning = False
  End If

  Set colProcessList = Nothing
End Function

Terminate the process
In the next section, the ProcessTerminate function terminates a process:

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Function: ProcessTerminate
'
' Purpose:  Terminates a process
'
' Input:    Name of process
'
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Private Function ProcessTerminate( strProcess )
  Dim colProcessList, objProcess

  Set colProcessList = GetObject("Winmgmts:").ExecQuery _
    ("Select * from Win32_Process Where Name ='" & strProcess & "'")
  'Every process with a matching name is terminated
  For Each objProcess in colProcessList
    objProcess.Terminate( )
  Next

  Set colProcessList = Nothing
End Function

Wait for process to terminate
Finally, in the WaitForProcess subroutine, the user interface is set up, the script waits while the process is active, and the process termination is initiated. I created three versions of the subroutine in an effort to demonstrate a few methods for displaying status messages. For example, here's how to display these messages using the command console:

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Sub:     WaitForProcess
'
' Purpose: Waits for a process
'
' Input:   Name of process
'          Wait time in seconds before termination.
'              -1 will cause the script to wait indefinitely
'              0 terminates the process immediately
'              Any value > 0 will cause the script to wait the specified
'              amount of time in seconds before terminating the process
'          Display mode.
'              Passing S will run the script silent and not show any prompts
'
' Output:  On screen status
'
' Notes:   This version echoes user messages in the command window via StdOut
'
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Private Sub WaitForProcess( strProcess, intWaitTime, strMode )

  If ProcessIsRunning(strProcess) Then
    Dim StdOut
    Dim w : w = 0
    Dim strPrompt
    Dim intPause : intPause = 1

    If UCase(strMode) <> "S" Then
      strPrompt = "Waiting for " & strProcess & " to finish."
      Set StdOut = WScript.StdOut
      StdOut.WriteLine ""
      StdOut.Write strPrompt
    End If
    'Loop while the process is running
    Do While ProcessIsRunning(strProcess)
      'Check to see if specified # of seconds have passed before terminating
      'the process. If yes, then terminate the process
      If w >= intWaitTime AND intWaitTime >= 0 Then
        Call ProcessTerminate(strProcess)
        Exit Do
      End If
      'If not running silent, post user messages
      If UCase(strMode) <> "S" Then _
        StdOut.Write "."
      'Increment the seconds counter
      w = w + intPause
      'Pause
      Wscript.Sleep(intPause * 1000)
    Loop
    If UCase(strMode) <> "S" Then
      StdOut.WriteLine ""
      Set StdOut = Nothing
    End If
  End If
End Sub

The result is shown in Figure 1-8.

Figure 1-8. Status message displayed in command console

Alternatively, here's some code for displaying status messages in Internet Explorer:

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Sub:     WaitForProcess
'
' Purpose: Waits for a process
'
' Input:   Name of process
'          Wait time in seconds before termination.
'              -1 will cause the script to wait indefinitely
'              0 terminates the process immediately
'              Any value > 0 will cause the script to wait the specified
'              amount of time in seconds before terminating the process
'          Display mode.
'              Passing S will run the script silent and not show any prompts
'
' Output:  On screen status
'
' Notes:   This version uses Internet Explorer for user messages
'
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Private Sub WaitForProcess( strProcess, intWaitTime, strMode )

  If ProcessIsRunning(strProcess) Then
    Dim objIntExplorer
    Dim c : c = 0
    Dim w : w = 0
    Dim strPrompt
    Dim intPause : intPause = 1

    strPrompt = "Waiting for " & strProcess & " to finish."

    'If not running silent, create reference to objIntExplorer
    'This will be used for the user messages. Also set IE display attributes
    If UCase(strMode) <> "S" Then
      Set objIntExplorer = WScript.CreateObject("InternetExplorer.Application")
      With objIntExplorer
        .Navigate "about:blank"
        .ToolBar = 0
        .Menubar = 0 ' no menu
        .StatusBar = 0
        .Width = 400
        .Height = 80
        .Left = 100
        .Top = 100
        .Document.Title = "WaitForProcess"
      End With
      'Wait for IE to finish
      Do While (objIntExplorer.Busy)
        Wscript.Sleep 200
      Loop
      'Show IE
      objIntExplorer.Visible = 1
    End If

    Do While ProcessIsRunning(strProcess)
      'Check to see if specified # of seconds have passed before terminating
      'the process. If yes, then terminate the process
      If w >= intWaitTime AND intWaitTime >= 0 Then
        Call ProcessTerminate(strProcess)
        Exit Do
      End If
      If UCase(strMode) <> "S" Then
        objIntExplorer.Document.Body.InnerHTML = strPrompt & String(c, ".")
        'Increment the counter.
        'Reset the counter indicator if it's > 25 because
        'we don't want it taking up a lot of screen space.
        If c > 25 Then c = 1 Else c = c + 1
      End If
      'Increment the seconds counter. This is done outside the display check
      'so that the timeout also applies when running silent
      w = w + intPause
      'Pause
      Wscript.Sleep(intPause * 1000)
    Loop

    'Internet Explorer was only opened when not running silent
    If UCase(strMode) <> "S" Then
      objIntExplorer.Quit( )        ' close Internet Explorer
      Set objIntExplorer = Nothing  ' release object reference
    End If

  End If
End Sub

The resulting status message is shown in Figure 1-9.

Figure 1-9. Displaying status messages in Internet Explorer

Finally, here's code that uses the Popup method of Windows Scripting Host for displaying status messages:

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Sub:     WaitForProcess
'
' Purpose: Waits for a process
'
' Input:   Name of process
'          Wait time in seconds before termination.
'              -1 will cause the script to wait indefinitely
'              0 terminates the process immediately
'              Any value > 0 will cause the script to wait the specified
'              amount of time in seconds before terminating the process
'          Display mode.
'              Passing S will run the script silent and not show any prompts
'
' Output:  On screen status
'
' Notes:   This version uses WshShell.Popup for user messages
'
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Private Sub WaitForProcess( strProcess, intWaitTime, strMode )

  If ProcessIsRunning(strProcess) Then
    Dim objWshShell
    Dim c : c = 0
    Dim w : w = 0
    Dim strPrompt
    Dim intPopupTimer : intPopupTimer = 2
    Dim intPause : intPause = 1

    strPrompt = "Waiting for " & strProcess & " to finish."

    'If not running silent, create reference to objWshShell
    'This will be used for the user messages
    If UCase(strMode) <> "S" Then _
      Set objWshShell = CreateObject("WScript.Shell")
    'Loop while the process is running
    Do While ProcessIsRunning(strProcess)
      'Check to see if specified # of seconds have passed before terminating
      'the process. If yes, then terminate the process
      If w >= intWaitTime AND intWaitTime >= 0 Then
        Call ProcessTerminate(strProcess)
        Exit Do
      End If
      'If not running silent, post user prompt
      If UCase(strMode) <> "S" Then
        objWshShell.Popup strPrompt & String(c, "."), intPopupTimer, _
          "WaitForProcess", 64
        'Increment the counter.
        'Reset the counter indicator if it's > 25 because
        'we don't want it taking up a lot of screen space.
        If c > 25 Then c = 1 Else c = c + 1
        'Count the popup display time only when a popup was actually shown
        w = w + intPopupTimer
      End If
      'Increment the seconds counter
      w = w + intPause
      'Pause
      Wscript.Sleep(intPause * 1000)
    Loop
    Set objWshShell = Nothing
  End If
End Sub

The resulting dialog box is shown in Figure 1-10.

Figure 1-10. Displaying status messages in a dialog box

Note that if you are assembling a standalone script, it should contain sections 1, 2, 3, and one option from section 4. If you would rather incorporate this code into your existing script, you need only sections 2, 3, and one option from section 4. You'll also need to add the call statement that is at the end of the main routine section. All the code sections are self-contained, which makes them easy to import into existing scripts.

Running the Hack
To use this hack, type the code into Notepad (with Word Wrap disabled) and save it with a .vbs extension as WaitForProcess.vbs. Or, if you don't want to tire your fingers out, download it from the O'Reilly web site instead.

Here are a few sample command-line examples. This will wait indefinitely until Notepad is closed:

cscript WaitForProcess.vbs notepad.exe -1

This will wait silently and indefinitely until Notepad is closed:

cscript WaitForProcess.vbs notepad.exe -1 S

And this will wait 10 seconds before Notepad is forcefully closed:

cscript WaitForProcess.vbs notepad.exe 10
—Dan Thomson
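The script in the post above finds and terminates processes by image name, so every running process with that name is affected, not only the one a deployment started. The PowerShell below is an added example, not part of the original post or of Dan Thomson's script: it keeps the same three timeout cases (-1, 0, and a positive number of seconds) but tracks the single process it launched. The function name and the sample command are made up for this example.

```powershell
# Added example (not from the original post): start one program, wait for that
# exact process, and stop only that process if the timeout expires.
# The timeout follows the post's convention: -1 waits indefinitely, 0 stops the
# process immediately, any value > 0 waits that many seconds first.
# Wait-OrStopProcess is a hypothetical name chosen for this example.

function Wait-OrStopProcess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        [string[]]$ArgumentList,
        [int]$TimeoutSeconds = -1
    )

    # Start-Process rejects an empty -ArgumentList, so add it only when given.
    $startArgs = @{ FilePath = $FilePath; PassThru = $true }
    if ($ArgumentList) { $startArgs.ArgumentList = $ArgumentList }
    $process = Start-Process @startArgs

    # Touch the handle once so the exit code can still be read after exit.
    $null = $process.Handle

    if ($TimeoutSeconds -lt 0) {
        $process.WaitForExit()
        $finished = $true
    }
    else {
        # Returns $false when the process is still running after the timeout.
        $finished = $process.WaitForExit($TimeoutSeconds * 1000)
    }

    if (-not $finished) {
        try {
            $process.Kill()
            $process.WaitForExit()
        }
        catch [System.InvalidOperationException] {
            # The process exited on its own between the check and the Kill call.
        }
    }

    [pscustomobject]@{
        ProcessId = $process.Id
        TimedOut  = (-not $finished)
        ExitCode  = $process.ExitCode
    }
}

# Sample call: give Notepad 10 seconds, then close that one instance only.
Wait-OrStopProcess -FilePath 'notepad.exe' -TimeoutSeconds 10
```

Tracking by process ID does not follow child processes, so a setup launcher that hands off to another executable and exits still needs the name-based wait from the post.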
nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 4:54 pm

Hack 6 Shut Down a Remote Computer


Here's a nifty way to use a script to shut down remote machines.

Sometimes, you need to be able to shut down a server remotely. This script pings the computer in question prior to sending the Win32Shutdown method. It operates on remote PCs and has been tested on systems running Windows 2000. It will probably work on NT4 systems with the proper WSH/WMI/VB scripting, though it has not been tested on such systems.

Using the Win32Shutdown method, the script provides you with the option of logging off the current user of the machine, powering the machine down, or rebooting it. In addition, each of these options can be forced so that the action occurs even if applications are running. Use this option carefully, though, because it might cause the logged-on user to lose his work if he has open files. Note that forced log off/power down/reboot will not work if the screen saver is password-protected and is currently active.

The Code
Make sure you have the latest scripting engines on the workstation you run this script from. You can download the latest scripting engines at the Microsoft Scripting home page (http://msdn.microsoft.com/library/default.asp?url=/nhp/default.asp?contentid=28001169). Note that, when working with the Active Directory Services Interface (ADSI), you must have the same applicable rights as you need to use the built-in administrative tools. Also, for VB scripts that interact with Windows Management Instrumentation (WMI), apply the most current version of the WMI agents.

Type the following code into a text editor such as Notepad (making sure to have Word Wrap disabled) and save it with a .vbs extension. Alternatively, you can download the RemoteShutdown.vbs script from the O'Reilly web site at http://www.oreilly.com/catalog/winsvrhks/.

'/'|| RemoteShutdown.vbs
'||
'|| Created by Harvey Hendricks, MCP, MCSE, A+
'|| March 2001
'|| email: Harvey.Hendricks@aramcoservices.com
'||
'||
'|| Based on techniques and ideas from:
'|| SMS admin, SMS Installer, & WMI forums ->
'|| http://www.myITforum.com/forums
'|| Win32 Scripting -> http://cwashington.netreach.net/
'|| Microsoft Windows Script Technologies ->
'|| http://msdn.microsoft.com/scripting
'|| Microsoft Online Library ->
'|| http://msdn.microsoft.com/library/default.asp
'|| Microsoft VBScript 5.5 documentation and Microsoft WMI SDK
'||
'||~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'|| SCRIPT LOGIC FLOW:
'|| Collects computername from user, calls function to ping the computername
'|| to determine if it is accessible, if not then display message and exit
'|| otherwise continue.
'|| Collects desired action to perform from the user, does error checking on
'|| the input to determine if it is acceptable, if not then display message
'|| and exit otherwise continue.
'|| Set variables and output messages based on the action chosen. Calls
'|| Win32Shutdown with the appropriate variable. Displays success message
'|| and exits
'||
'|| Uses WMI Win32Shutdown method from the Win32_OperatingSystem class
'|| to perform different logoff / powerdown / reboot functions
'||
'|| Testing found the following values to be effective on Win32Shutdown:
'|| Action            decimal  binary
'|| Logoff               0     0000
'|| Force Logoff         4     0100
'|| Reboot               2     0010
'|| Force Reboot         6     0110
'|| Powerdown            8     1000
'|| Force Powerdown     12     1100
'||
'|| Notice that the third bit from the right appears to be the "FORCE" bit.
'||
'|| A value of 1 will do a shutdown, ending at the "It is safe to turn
'|| off your computer" screen. I have no use for this and did not test it.
'||
'||
'||NOTES: - tested under Windows 2000 Pro. with ACPI compliant systems -
'|| SHOULD work under Windows NT4 without modification IF the
'|| system has compatible versions of WSH / WMI / VBscripting
'||
'||Logoff / Powerdown / Reboot:
'|| Does not work if a password protected screen saver is active or
'|| there is data to save. Either way the system waits for user input.
'||
'||Force Logoff / Force Powerdown / Force Reboot:
'|| Does not work if a password protected screen saver is active, will wait
'|| for user input. Otherwise will close open applications without saving
'|| data.
'||
'\/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'/\/\/\/\/\/\/\/\/\/\/\/\/\/\ start function
function Ping(byval strName)
    dim objFSO, objShell, objTempFile, objTS, objRegEx
    dim sCommand, sReadLine
    dim bReturn

    'strName is pasted into a cmd.exe command line below, so accept only
    'letters, digits, dot, hyphen and underscore (host name or IPv4 address)
    'and treat anything else as an unreachable name
    set objRegEx = new RegExp
    objRegEx.Pattern = "^[A-Za-z0-9._-]+$"
    if not objRegEx.Test(strName) then
        Ping = false
        exit function
    end if

    set objShell = WScript.CreateObject("Wscript.Shell")
    set objFSO = CreateObject("Scripting.FileSystemObject")

    'Set default return value
    bReturn = false

    'Create command line to ping and save results to a temp file
    sCommand = "cmd /c ping.exe -n 3 -w 1000 " & strName & " > C:\temp.txt"

    'Execute the command
    objShell.run sCommand, 0, true

    'Get the temp file
    set objTempFile = objFSO.GetFile("C:\temp.txt")
    set objTS = objTempFile.OpenAsTextStream(1)

    'Loop through the temp file to see if "reply from" is found,
    'if it is then the ping was successful
    do while objTs.AtEndOfStream <> true
        sReadLine = objTs.ReadLine
        if instr(lcase(sReadLine), "reply from") > 0 then
            bReturn = true
            exit do
        end if
    loop

    'Close temp file and release objects
    objTS.close
    objTempFile.delete
    set objTS = nothing
    set objTempFile = nothing
    set objShell = nothing
    set objFSO = nothing

    'Return value
    Ping = bReturn
end function
'/\/\/\/\/\/\/\/\/\/\/\/\/\/\ end function

'/\/\/\/\/\/\/\/\/\/\/\ Start Main body of script
'Get computer name to operate on
ComputerName=InputBox("Enter the Machine name of the computer" & vbCRLF _
    & "you wish to Shutdown / Reboot / Logoff", _
    "Remote Shutdown / Reboot / Logoff", _
    "ComputerName")

'if Cancel selected - exit
If (ComputerName = "") Then Wscript.Quit

'change the name to uppercase
ComputerName=UCase(ComputerName)

'ping the computername to see if it is accessible
bPingtest = ping(Computername)

If bPingtest = FALSE Then
    y = msgbox ("'" & ComputerName & "' is not accessible!" & vbCRLF _
        & "It may be offline or turned off." & vbCRLF _
        & "Check the name for a typo." & vbCRLF, _
        vbCritical, ComputerName & " NOT RESPONDING")
    Wscript.Quit
end IF

'Get the action desired
Action=InputBox( _
    "Select Action to perform on " & ComputerName & vbCRLF & vbCRLF _
    & " 1 - Logoff" & vbCRLF _
    & " 2 - Force Logoff ( NO SAVE )" & vbCRLF _
    & " 3 - Powerdown" & vbCRLF _
    & " 4 - Force Powerdown ( NO SAVE )" & vbCRLF _
    & " 5 - Reboot" & vbCRLF _
    & " 6 - Force Reboot ( NO SAVE )" & vbCRLF & vbCRLF _
    & "NOTE:" & vbCRLF _
    & " Using Force will close windows" & vbCRLF _
    & " without saving changes!", _
    "Select action to perform on " & ComputerName, "")

'if Cancel selected - exit
If (Action = "") Then Wscript.Quit

'error check input
If (INSTR("1234567",Action)=0) OR (Len(Action)>1) then
    y = msgbox("Unacceptable input passed -- '" & Action & "'", _
        vbOKOnly + vbCritical, "That was SOME bad input!")
    Wscript.Quit
end if

'set flag to disallow action unless proper input achieved, 1 => go 0 => nogo
flag = 0

'set variables according to computername and action
Select Case Action
    Case 1 'Logoff
        x = 0
        strAction = "Logoff sent to " & ComputerName
        flag = 1
    Case 2 'Force Logoff
        x = 4
        strAction = "Force Logoff sent to " & ComputerName
        flag = 1
    Case 3 'Powerdown
        x = 8
        strAction = "Powerdown sent to " & ComputerName
        flag = 1
    Case 4 'Force Powerdown
        x = 12
        strAction = "Force Powerdown sent to " & ComputerName
        flag = 1
    Case 5 'Reboot
        x = 2
        strAction = "Reboot sent to " & ComputerName
        flag = 1
    Case 6 'Force Reboot
        x = 6
        strAction = "Force Reboot sent to " & ComputerName
        flag = 1
    Case 7 'Test dialog boxes
        y = msgbox("Test complete", vbOKOnly + vbInformation, "Dialog Box Test Complete")
        flag = 0
    Case Else 'Default -- should never happen
        y = msgbox("Error occurred in passing parameters." _
            & vbCRLF & " Passed '" & Action & "'", _
            vbOKOnly + vbCritical, "PARAMETER ERROR")
        flag = 0
End Select

'check flag
' if equal 1 (TRUE) then perform Win32Shutdown action on remote PC
' and display a confirmation message
' if not equal 1 (FALSE) then skip the action and script ends
if flag then
    Set OpSysSet=GetObject("winmgmts:{(Debug,RemoteShutdown)}//" _
        & ComputerName & "/root/cimv2").ExecQuery( _
        "Select * from Win32_OperatingSystem where Primary=true")
    for each OpSys in OpSysSet
        OpSys.Win32Shutdown(x)
        y = msgbox(strAction,vbOKOnly + vbInformation,"Mission Accomplished")
    next
end If

'Release objects
set OpSys = nothing
set OpSysSet = nothing

Running the Hack
To run the hack, simply double-click on the RemoteShutdown.vbs file in Windows Explorer (or a shortcut to this file on your desktop) and type the name of the remote computer you want to log off from, power down, or reboot. This name can be the NetBIOS name, DNS name, or IP address of the remote machine. You will then be presented with an input box that displays a menu of options:

1 - Logoff
2 - Force Logoff
3 - Powerdown
4 - Force Powerdown
5 - Reboot
6 - Force Reboot

Simply type the number for the action you want to perform and press Enter.

—Harvey Hendricks
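
The reachability check and the action/force table from the script above, as an added example that is not part of RemoteShutdown.vbs or the original post. It assumes Windows XP or later on the machine running it (for the Win32_PingStatus WMI class); the names IsValidTarget, PingWmi and ShutdownFlags and the sample targets are constructed for illustration, and nothing is shut down.

```vbscript
' Added example, not part of RemoteShutdown.vbs.
' Requires Windows XP or later on the machine that runs it (Win32_PingStatus).
Option Explicit

Const FORCE_BIT = 4   ' third bit from the right, per the table in the script header

' Accept only names made of letters, digits, dot, hyphen and underscore, so
' the value can never close the quoted string in the WQL query below.
Function IsValidTarget(ByVal strName)
    Dim oRegEx
    Set oRegEx = New RegExp
    oRegEx.Pattern = "^[A-Za-z0-9]([A-Za-z0-9._-]{0,253}[A-Za-z0-9])?$"
    IsValidTarget = oRegEx.Test(strName)
End Function

' Send up to intTries echo requests through the local WMI service.
' Returns True on the first successful reply. No cmd.exe, no temp file.
Function PingWmi(ByVal strName, ByVal intTries)
    Dim oWmi, colStatus, oStatus, i
    PingWmi = False
    If Not IsValidTarget(strName) Then Exit Function

    Set oWmi = GetObject("winmgmts:\\.\root\cimv2")
    For i = 1 To intTries
        Set colStatus = oWmi.ExecQuery( _
            "Select * From Win32_PingStatus Where Address = '" & strName & "'")
        For Each oStatus In colStatus
            ' StatusCode is Null when the name does not resolve, 0 on a reply
            If Not IsNull(oStatus.StatusCode) Then
                If oStatus.StatusCode = 0 Then
                    PingWmi = True
                    Exit Function
                End If
            End If
        Next
    Next
End Function

' Combine a base action (0 logoff, 2 reboot, 8 powerdown) with the force bit.
' Returns -1 for a base value that is not in the script's table.
Function ShutdownFlags(ByVal intBase, ByVal boolForce)
    ShutdownFlags = -1
    If intBase <> 0 And intBase <> 2 And intBase <> 8 Then Exit Function
    If boolForce Then
        ShutdownFlags = intBase Or FORCE_BIT
    Else
        ShutdownFlags = intBase
    End If
End Function

' Constructed sample input: two well-formed targets and two that are rejected
Dim strTarget
For Each strTarget In Array("SERVER01", "10.0.0.5", "SERVER01 & x", "srv'01")
    WScript.Echo "'" & strTarget & "' accepted: " & IsValidTarget(strTarget)
Next

' Loopback address, so the check also works without a network
WScript.Echo "127.0.0.1 reachable: " & PingWmi("127.0.0.1", 3)
WScript.Echo "Force Reboot flag: " & ShutdownFlags(2, True)
WScript.Echo "Force Powerdown flag: " & ShutdownFlags(8, True)
```

Run it with cscript so the results appear in the console instead of message boxes.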
nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 4:55 pm

Rename Mapped Drives


Renaming drive mappings can be done in several ways, but automating the process is most efficient using a script.

Occasionally, an administrator might need to change drive-mapping names to hide share paths or to make the drive name user-friendly. This is an easy operation when done manually through a console, but when you try to automate this task, it becomes a little more difficult. Because mapped drives are not partitions on the local hard disk, common DOS commands, such as label, can't be used. Most drive-mapping commands, such as net use, don't have a way to customize the name of the mapped drive either.

One common way to perform this task is to hack the following Registry key and add the _LabelFromReg string value:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\%key%

Here, the %key% variable is the drive letter to be changed.

There is a whole host of ways to make this method work, either by editing the Registry directly, via script, or by importing a .reg file using regedit /c. All of these methods require many steps and some require external files, so they might not fit into every administrative scheme. But there's an easier approach.

The Code
As it turns out, our old friend VBScript can be used to make this task a little more seamless. This simple script can be used on mapped drives as well as local partitions:

mDrive = "drive letter"
Set oShell = CreateObject("Shell.Application")
oShell.NameSpace(mDrive).Self.Name = "AnyName"

Running the Hack
To use this hack, simply edit the script to change the drive letter and drive name as desired. For example, if E: is a mapped drive that has the label Budgets on 172.16.33.14, and you want to change the label on the mapped drive to simply Budgets, change this line:

mDrive = "drive letter"

to this:

mDrive = "e:\"

Then, change this line:

oShell.NameSpace(mDrive).Self.Name = "AnyName"

to this:

oShell.NameSpace(mDrive).Self.Name = "Budgets"

Finally, run the script by creating a shortcut to it and double-clicking on the shortcut, by calling it from a logon script, or by any other method suitable for your environment.

—Michael Brainard
nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 4:57 pm

Execute a Command on Each Computer in a Domain


This handy script lets you easily run any command on a specified subset of computers in your domain.

Running the same command on multiple computers in your domain can be tedious indeed, but such a scenario is common in an administrator's life. I've written this hack to make this chore easier. The script traverses member systems of a domain, executing a command against each system that has a name that matches a particular specification you specify in the command line. Note that regular expressions are legal in this script, which makes it a powerful and flexible addition to the administrator's toolkit.

The Code
To use this script, type it into a text editor such as Notepad (make sure Word Wrap is disabled) and save it with a .vbs extension as ExecuteAll.vbs. Alternatively, if you don't want to wear your fingers out, you can download the script from the O'Reilly web site.

'Script Name: ExecuteAll.vbs

Option Explicit

Dim oDomain, oService, oItem, oShell
Dim strDomain, strSpec, strCommand, intButton
Dim oArgs, strFinalCommand, oRegEx, boolConfirm

' Prepare to execute commands & do popups
Set oShell = CreateObject("WScript.Shell")

GetArguments

' Access the domain so we can traverse objects
WScript.Echo "Accessing NT Domain " & strDomain
Set oDomain = GetObject("WinNT://" & strDomain)

' Initiate our regular expression support
Set oRegEx = New RegExp
oRegEx.Pattern = strSpec
oRegEx.IgnoreCase = True

' Traverse each computer (WinNT) object in the domain
WScript.Echo "Searching for " & strSpec
oDomain.Filter = Array("Computer") ' only look at computers
For Each oItem In oDomain
    If oRegEx.Test(oItem.Name) Then
        WScript.Echo " Matched " & oItem.Name
        strFinalCommand = Replace(strCommand, "$n", oItem.Name)

        intButton = vbNo
        If boolConfirm Then
            intButton = oShell.Popup("Execute " & strFinalCommand & "?",, _
                "System " & oItem.Name, vbYesno + vbQuestion)
        End If
        If (boolConfirm = False) Or (intButton = vbYes) Then
            WScript.Echo " Executing: " & strFinalCommand
            execute strFinalCommand
        End If
    End If
Next

' All done; clean up
Set oItem = Nothing
Set oRegEx = Nothing
Set oDomain = Nothing
Set oShell = Nothing
Set oArgs = Nothing

'
' Glean the arguments for our run from the command line, if provided.
' If any are missing, prompt for input. A blank input signals an abort.
'
' /Y is an optional last argument
Sub GetArguments
    Dim i, strConfirm, intButton
    Set oArgs = WScript.Arguments

    boolConfirm = True ' assume always confirm
    strDomain = "" ' domain to be traversed
    strSpec = "" ' name specification to be matched
    strCommand = "" ' command to be executed on each match
    strConfirm = "" ' track prompting for confirmation setting

    ' Look for our optional 4th argument
    If oArgs.Length = 4 Then
        If UCase(oArgs.Item(3)) = "/Y" Then
            boolConfirm = False
            strConfirm = "/Y" ' don't prompt below
        End If
    End If

    ' Look for any specified arguments, in order
    If oArgs.Length >= 1 Then strDomain = oArgs(0)
    If oArgs.Length >= 2 Then strSpec = oArgs(1)
    If oArgs.Length >= 3 Then strCommand = oArgs(2)

    ' Prompt for any arguments not specified on the command line
    If strDomain = "" Then
        strDomain = InputBox _
            ("Enter the name of the NT Domain to be traversed", _
            "NT Domain")
    End If
    If strDomain = "" Then WScript.Quit
    strDomain = UCase(strDomain)

    If strSpec = "" Then
        strSpec = InputBox _
            ("Enter your name specification for the computer(s) " & _
            "that will be matched within the " & strDomain & " Domain." & _
            vbCrlf & "Regular Expressions are acceptable.", _
            "Name Specification")
    End If
    If strSpec = "" Then WScript.Quit

    If strCommand = "" Then
        strCommand = InputBox _
            ("Enter the command to be executed on each computer matching " & _
            strSpec & " within the " & strDomain & " Domain." & _
            vbCrlf & "$n will be substituted for the computer name.", _
            "Command to Execute")
    End If
    If strCommand = "" Then WScript.Quit

    If strConfirm = "" Then
        intButton = oShell.Popup("Confirm each command prior to execution?",, _
            "Confirm?", vbYesNo + vbQuestion)
        If intButton = vbNo Then
            boolConfirm = False
        End If
    End If
End Sub

' Execute a command. Each is always run under a new instance of the command
' processor. This allows the use of built-in commands and I/O redirection.
'
' We won't wait for command completion.
Sub Execute(strCommand)
    Dim RetVal

    strCommand = "%COMSPEC% /c " & strCommand

    RetVal = oShell.Run(strCommand, 1, False)
End Sub

Running the Hack
Here is the syntax for running the script:

ExecuteAll.vbs <DomainToTraverse> <ComputerSpecification> <Command> [/Y]

When the script runs, the matched system's name will be substituted for the occurrence of $n in the command to be performed. By default, each command instance is confirmed before it is executed, but you can specify /Y to always answer Yes instead.

Here's an example of how to run the script:

ExecuteAll.vbs MYDOMAIN WKSATL* "del \\$n\admin$\activitylog.txt"

This example traverses the MYDOMAIN domain, looking for computer names that start with WKSATL* (note the wildcard) and deletes the activitylog.txt file from the C:\Winnt folder.

—Hans Schefske
_________________


www.clanah.net
CONTACT ME IF YOU WANA JOIN THE CLAN!!!
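
A preview of what a name specification selects before any command is sent, as an added example that is not part of ExecuteAll.vbs or the original post. ExecuteAll.vbs hands the specification to VBScript's RegExp unanchored, so WKSATL* is read as "WKSAT followed by zero or more L, anywhere in the name"; the computer names below are constructed, the helper names are hypothetical, and nothing is executed.

```vbscript
' Added example, not part of ExecuteAll.vbs. Nothing is executed.
Option Explicit

' Constructed computer names, standing in for the WinNT:// enumeration
Dim arrComputers
arrComputers = Array("WKSATL001", "WKSATL002", "WKSAT-LAB7", _
                     "DEVWKSATL09", "SRVATL01", "WKSNYC014")

' Test names the way ExecuteAll.vbs does: VBScript RegExp, case-insensitive,
' matching anywhere in the name because the pattern is not anchored.
Function MatchNames(ByVal strPattern, ByVal arrNames)
    Dim oRegEx, strName, strOut
    Set oRegEx = New RegExp
    oRegEx.Pattern = strPattern
    oRegEx.IgnoreCase = True
    strOut = ""
    For Each strName In arrNames
        If oRegEx.Test(strName) Then strOut = strOut & strName & vbTab
    Next
    If Len(strOut) > 0 Then strOut = Left(strOut, Len(strOut) - 1)
    MatchNames = Split(strOut, vbTab)
End Function

' Turn a DOS-style wildcard (* and ?) into an anchored regular expression,
' escaping every other character that RegExp would treat specially.
Function WildcardToRegex(ByVal strSpec)
    Dim i, ch, strOut
    strOut = "^"
    For i = 1 To Len(strSpec)
        ch = Mid(strSpec, i, 1)
        If ch = "*" Then
            strOut = strOut & ".*"
        ElseIf ch = "?" Then
            strOut = strOut & "."
        ElseIf InStr("\^$.|+()[]{}", ch) > 0 Then
            strOut = strOut & "\" & ch
        Else
            strOut = strOut & ch
        End If
    Next
    WildcardToRegex = strOut & "$"
End Function

' Print every command that would be issued for strPattern, without running it
Sub Preview(ByVal strLabel, ByVal strPattern, ByVal strCommand)
    Dim arrHits, strName
    arrHits = MatchNames(strPattern, arrComputers)
    WScript.Echo strLabel & " (" & strPattern & "): " & _
        (UBound(arrHits) + 1) & " match(es)"
    For Each strName In arrHits
        WScript.Echo "  would run: " & Replace(strCommand, "$n", strName)
    Next
End Sub

Dim strCmd
strCmd = "del \\$n\admin$\activitylog.txt"   ' command from the example above
Preview "As a regular expression", "WKSATL*", strCmd
Preview "As an anchored wildcard", WildcardToRegex("WKSATL*"), strCmd
```

Run it with cscript; the two listings differ by the names that merely contain WKSAT, which is the difference to check before using /Y.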
nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 4:58 pm

Add, Remove, or Retrieve Environment Variables


Environment variables can easily be added, removed, or retrieved using the script in this hack.

Using VBScript to work with the Windows system environment can be pretty simple. This hack shows how to use a script to read variables, add new variables, remove variables, and recurse through all of them. Just take a look through the script and read the comments to see how to perform each task. Note that there are four types of values in the Windows Script Host (WSH) environment—System, User, Volatile, and Process—and the script uses all of them.

By the way, this script is provided by Dudeworks (http://www.dudeworks.net). For additional resources on Windows scripting and working with the environment, see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsProEnvironment.asp.

The Code
Type the following script into Notepad (with Word Wrap disabled) and save it with a .vbs extension as GetEnvVars.vbs:

'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Created by: Rob Olson - Dudeworks
'Created on: 10/17/2001
'Purpose: Get Environment Variables.
'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

wscript.echo "Working with the Environment: Provided by www.dudeworks.net"&vbcrlf&vbcrlf&strval

'// Create an instance of the wshShell object
set WshShell = CreateObject("WScript.Shell")
'Use the methods of the object
wscript.echo "Environment.item: "& WshShell.Environment.item("WINDIR")
wscript.echo "ExpandEnvironmentStrings: "& WshShell.ExpandEnvironmentStrings("%windir%")

'// add and remove environment variables
'// Specify the environment type ( System, User, Volatile, or Process )
set oEnv=WshShell.Environment("System")

wscript.echo "Adding ( TestVar=Windows Script Host ) to the System " _
    & "type environment"
' add a var
oEnv("TestVar") = "Windows Script Host"

wscript.echo "removing ( TestVar=Windows Script Host ) from the System " _
    & "type environment"
' remove a var
oEnv.Remove "TestVar"


'// List all vars in all environment types

'//System Type
set oEnv=WshShell.Environment("System")
for each sitem in oEnv
    strval=strval & sItem &vbcrlf
next
wscript.echo "System Environment:"&vbcrlf&vbcrlf&strval
strval=""

'//Process Type
set oEnv=WshShell.Environment("Process")
for each sitem in oEnv
    strval=strval & sItem &vbcrlf
next
wscript.echo "Process Environment:"&vbcrlf&vbcrlf&strval
strval=""

'//User Type
set oEnv=WshShell.Environment("User")
for each sitem in oEnv
    strval=strval & sItem &vbcrlf
next
wscript.echo "User Environment:"&vbcrlf&vbcrlf&strval
strval=""

'//Volatile Type
set oEnv=WshShell.Environment("Volatile")
for each sitem in oEnv
    strval=strval & sItem &vbcrlf
next

wscript.echo "Volatile Environment:"&vbcrlf&vbcrlf&strval
strval=""

Running the Hack
To run the script, open a command prompt, change to the directory where the script is saved, and type cscript.exe GetEnvVars.vbs. Here is an example of typical output from the script on a Windows 2000 machine:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Working with the Environment: Provided by www.dudeworks.net

Environment.item: %SystemRoot%
ExpandEnvironmentStrings: C:\WINNT
Adding ( TestVar=Windows Script Host ) to the System type environment
removing ( TestVar=Windows Script Host ) from the System type environment
System Environment:

ComSpec=%SystemRoot%\system32\cmd.exe
Os2LibPath=%SystemRoot%\system32\os2\dll;
Path=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
windir=%SystemRoot%
OS=Windows_NT
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_LEVEL=6
PROCESSOR_IDENTIFIER=x86 Family 6 Model 5 Stepping 2, GenuineIntel
PROCESSOR_REVISION=0502
NUMBER_OF_PROCESSORS=1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
TEMP=%SystemRoot%\TEMP
TMP=%SystemRoot%\TEMP

Process Environment:

=C:=C:\
=ExitCode=00000000
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SNOOPY
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\SNOOPY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 5 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0502
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=SNOOPY
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT

User Environment:

TEMP=%USERPROFILE%\Local Settings\Temp
TMP=%USERPROFILE%\Local Settings\Temp

Volatile Environment:

LOGONSERVER=\\SNOOPY
APPDATA=C:\Documents and Settings\Administrator\Application Data

By the way, if you add a new variable via the command prompt, you will not see it when you try to read it via the script. You can read only the new values created via the same scripting type you used to create them. Although I've tested this only to a limited extent, it seems to be true. Try it for yourself; just open a command prompt, type Set DUDE=Dudeworks, and press Enter to set the new environment variable. Now, when you execute GetEnvVars.vbs, you'll notice that it does not list that new variable. However, if you type SET at the command prompt, you will see it.

—Rob Olson
nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 4:59 pm

Hack 10 Extend Group Policy


Group Policy is a powerful tool for managing Windows systems, but by configuring ADM files you can extend its capabilities even further.

One day, one of my customers gave me a phone call to say that "the Group Policy Plan we made was pretty nice, but there's something missing, and if we had this we could really impress our boss." From that day on, my life wasn't the same, because this comment led me to discover the true power of Group Policy through customizing ADM files.

But first you need to understand the basics of ADM files.

ADM Files
An ADM file is an ASCII file that defines the Group Policy settings; every checkbox, drop-down menu, and folder in the Group Policy window is defined in this file. The ADM file can also be hacked with any text editor to extend the built-in settings of Group Policy, or you could even build a custom ADM to import to your own Group Policies files. This customization feature makes Group Policy a more powerful tool to manage computers.

The default Group Policy Object (GPO) created in Active Directory is composed of three ADM files: conf.adm, inetres.adm, and system.adm. The conf.adm file holds all the policy settings for Microsoft NetMeeting. The inetres.adm file holds some of the settings for the Windows Components section under both Computer and User Configuration portions of Group Policy. Finally, the system.adm file has additional settings for the Windows Components and System sections under Administrative Template in both the Computer and User Configuration portions of the Group Policy.

These ADM files are located in the %winnt%\inf folder, and every other ADM file that is installed on your machine will be put into that location as well. Also, many products that Microsoft has released for Windows 2000/XP have their own ADM files. For example, the Microsoft Office XP Resource Kit has a corresponding ADM file for each product of the Office suite. For instance, an ADM file called word10.adm adds policy settings that affect Word XP on client computers.

Hacking ADM Files
How do you find the policy you want to edit? And how do you change it? In the following example, I want to find and edit the "Save Word files as" policy in the word10.adm file. This policy defines the way a file is saved by default in Word XP. I usually add the option to save the Word file in a format that appears in a local version of Word but doesn't appear in the ADM.

Figure 1-11 shows what the policy looks like.

Figure 1-11. Editing a policy setting

As you can see, the policy setting is found in the Save folder and its name is "Save Word files as." Now, if I want to find this policy in the appropriate ADM file, I simply need to look for "Save Word files as." To do this, just open the correct ADM file (which in this case is word10.adm) and do a text search for the string "Save Word files as". You'll find the following section of the ADM file:

POLICY "Save Word files as"
    KEYNAME Software\Policies\Microsoft\Office\10.0\Word\Options
    PART "Save Word files as" DROPDOWNLIST
        VALUENAME DefaultFormat
        ITEMLIST
            NAME "Word document (*.doc)" VALUE "DEFAULT"
            NAME "Web Page (*.htm; *.html)" VALUE "HTML"
            NAME "Word 6.0/95 (*.doc)" VALUE "MSWord6Exp"
            NAME "Word 6.0/95 - Japanese (*.doc)" VALUE "MSWord6JExp"
            NAME "Word 6.0/95 - Korean (*.doc)" VALUE "MSWord95KExp"
            NAME "Word 97-2002 & 6.0/95 - RTF" VALUE "MSWord6RTFExp"
            NAME "Works 4.0 for Windows (*.wps)" VALUE "MSWorksWin4"
            NAME "Works 3.0 for Windows (*.wps)" VALUE "MSWorksWin3"
        END ITEMLIST
        NOSORT
    END PART
END POLICY

As you can see, the first line, POLICY "Save Word files as", defines the name of the policy as it appears in Figure 1-11, while everything under that line defines the policy settings until the last line, END POLICY, closes the policy. Looking at this further, KEYNAME defines the path to the affected key in the Registry, PART defines the way the policy box will appear in the GUI (in this case, a drop-down menu list), VALUENAME defines the name of the affected value in the Registry, NAME defines the name of each option as it appears in the drop-down list, and VALUE specifies the actual data that will be inserted into the affected value that is defined by VALUENAME.

So, if I want to add another option to be displayed in the drop-down list of this policy, all I need to do is add the following line wherever I want (within the section bounded by ITEMLIST and END ITEMLIST):

NAME "Word 97-2002 & 6.0/95 Hebrew Converter\doc" VALUE "MSWord6HBRExp"

Figure 1-12 shows the result of what will be added to the policy drop-down list in the GUI.

Figure 1-12. Adding an option to a drop-down list

Easy, isn't it? With this method, you can manipulate virtually any Registry key that is in the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives to extend Group Policy.

If you'd like to learn more about hacking ADM files, see http://www.microsoft.com/windows2000/en/server/help/sag_spconcepts_34.htm from the Windows 2000 Server online documentation. Note that occasionally you might not see the results of your hack; see article 228723 in the Knowledge Base on TechNet for more information (http://support.microsoft.com/default.aspx?scid=kb;en-us;228723).

—Oren Zippori
nyl
Crazy

Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 5:00 pm

Hack 11 Disable EFS


While the Encrypted File System of Windows 2000/XP can be useful for protecting data, your best approach might actually be to disable it.

The Encrypted File System (EFS) feature was first introduced in Windows 2000 and is also available in Windows XP Professional. EFS provides a much higher level of security than the one offered by NTFS alone, which can be circumvented without much effort as long as physical access to the computer is allowed. EFS is extremely easy to use and is available without any special configuration because it is enabled by default. Even though it seems that with all these advantages EFS should quickly find its place in everyone's environment, implementing it properly is a fairly complex task.

The Problem
Your two primary concerns are the ability to recover encrypted files and the protection of private keys used for encryption, which are associated with each user's account and the recovery agent's account. Recovery of encrypted files might be a fairly common occurrence. Because the private keys necessary for decryption are stored in the user's profile, if the profile gets deleted or corrupted, the user can no longer access their encrypted files. The process of recovery involves simply logging on as an account that is designated as a data recovery agent. By default, this account is a local administrator on a standalone computer and a domain administrator in a domain environment. Because the private keys for data recovery agents are also stored as part of their profiles, it is recommended that private keys for data recovery agents should be exported from the computer that contains them and stored in a secure place until a recovery needs to be performed.

Currently, without using any custom solution, backup and storage of a user's private keys (without backing up the entire profile) tends to be a time-consuming process. In addition, using nondefault recovery agents (which is the recommended procedure) requires installation of the Certificate Authority feature, which also needs to be managed properly. If you are not ready to handle all these additional tasks, your best bet might simply be to temporarily disable EFS on users' machines.

The Solution
In the Windows 2000 domain environment, launch the Group Policy MMC snap-in and select the Group Policy Object (GPO) linked to your domain. Then, drill down to Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Encrypted Data Recovery Agents, right-click on the folder labeled Encrypted Data Recovery Agents, and select Delete Policy to delete the default recovery policy. Then, right-click on Encrypted Data Recovery Agents again and select Initialize Empty Policy. This will remove users' ability to use EFS on any Windows 2000 system that belongs to the domain. In the absence of an EFS recovery agent, Windows 2000 clients will refuse to encrypt any files or folders.

However, you might be in for a surprise if you try to use the same approach in Windows XP, because Microsoft changed the default EFS behavior to allow a Windows XP client to use encryption even if no Data Recovery Agent is available (the same is true for Windows Server 2003). Fortunately, there are several new ways of preventing this, which we'll look at now.

Disabling EFS for a file
Windows XP offers greater flexibility in configuring the scope of reach of EFS. If your intention is to disable EFS for a single file, you can simply assign the system attribute to the file. Although this is not the most elegant solution, it does provide a quick workaround. In order to apply the system attribute to a file, use the attrib command with +s parameter. For example, to apply the system attribute to the info1.txt file, type the following at the command prompt:

attrib +s info1.txt
Disabling EFS for a folder
If you instead want to prevent EFS on the folder level, you can create a desktop.ini file in the folder. The desktop.ini file should contain the following two lines:

[Encryption]
Disable=1

This will affect the folder itself and all of its files. However, it does not have any impact on its subfolders and their content.

Disabling EFS for a system
Finally, if you prefer, you can disable EFS on the system level. This can be accomplished by editing the Registry. Set the following entry of DWORD type to the value 1:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration

It is easier, however, to use Group Policy for this purpose. Start by launching Local Security Policy from the Administrative Tools menu. Next, double-click on the Public Key Policies folder. You will see a subfolder named Encrypting File System. Right-click on it and select Properties from the context-sensitive menu. You will notice a checkbox labeled "Allow users to encrypt files using Encrypting File System (EFS)," as shown in Figure 1-13.

Figure 1-13. Disabling EFS in Windows XP/2003

Unchecking this box will disable EFS altogether on the system. Note that this setting can also be used together with Group Policy to disable EFS for all computers residing in any Active Directory container—sites, domains, or organizational units.

—Marcin Policht
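
A read-only check for the three scopes described above (file, folder, system), as an added example that is not part of the original post or the text it quotes. It assumes the registry value and desktop.ini format given above and an ANSI-encoded desktop.ini; the script name efscheck.vbs and its function names are hypothetical.

```vbscript
' efscheck.vbs - added example, not from the original text.
' Reports which of the EFS-disabling settings described above are in place.
' Usage: cscript //nologo efscheck.vbs [folder [file]]
Option Explicit

Const HKLM = &H80000002
Const EFS_KEY = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS"
Const ATTR_SYSTEM = 4        ' FileSystemObject attribute bit for "system"
Const FOR_READING = 1

Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")

' System scope: True when the DWORD value EfsConfiguration is 1.
Function SystemEfsDisabled()
    Dim reg, value, rc
    SystemEfsDisabled = False
    On Error Resume Next
    Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    If Err.Number <> 0 Then Exit Function
    rc = reg.GetDWORDValue(HKLM, EFS_KEY, "EfsConfiguration", value)
    If Err.Number = 0 And rc = 0 Then
        If Not IsNull(value) Then SystemEfsDisabled = (value = 1)
    End If
End Function

' Folder scope: True when desktop.ini has Disable=1 under [Encryption].
Function FolderEfsDisabled(folderPath)
    Dim iniPath, ts, line, section, pos, key, data
    FolderEfsDisabled = False
    iniPath = fso.BuildPath(folderPath, "desktop.ini")
    If Not fso.FileExists(iniPath) Then Exit Function
    On Error Resume Next               ' unreadable file counts as "not disabled"
    Set ts = fso.OpenTextFile(iniPath, FOR_READING)
    If Err.Number <> 0 Then Exit Function
    On Error GoTo 0
    section = ""
    Do Until ts.AtEndOfStream
        line = Trim(ts.ReadLine)
        If Left(line, 1) = "[" And Right(line, 1) = "]" Then
            section = LCase(Mid(line, 2, Len(line) - 2))
        ElseIf section = "encryption" And Left(line, 1) <> ";" Then
            pos = InStr(line, "=")
            If pos > 0 Then
                key = LCase(Trim(Left(line, pos - 1)))
                data = Trim(Mid(line, pos + 1))
                If key = "disable" And data = "1" Then FolderEfsDisabled = True
            End If
        End If
    Loop
    ts.Close
End Function

' The folder setting does not reach subfolders, so walk the tree and
' report each folder separately.
Sub ReportFolders(folder, indent)
    Dim subFolder, state
    If FolderEfsDisabled(folder.Path) Then state = "disabled" Else state = "NOT disabled"
    WScript.Echo indent & folder.Path & ": EFS " & state
    On Error Resume Next               ' stop quietly at folders we cannot enumerate
    For Each subFolder In folder.SubFolders
        If Err.Number <> 0 Then Err.Clear : Exit For
        ReportFolders subFolder, indent & "  "
    Next
End Sub

' File scope: True when the file carries the system attribute (attrib +s).
Function FileHasSystemAttribute(filePath)
    FileHasSystemAttribute = False
    If fso.FileExists(filePath) Then
        FileHasSystemAttribute = ((fso.GetFile(filePath).Attributes And ATTR_SYSTEM) <> 0)
    End If
End Function

WScript.Echo "System: EfsConfiguration=1 -> " & SystemEfsDisabled()
If WScript.Arguments.Count >= 1 Then
    If fso.FolderExists(WScript.Arguments(0)) Then
        ReportFolders fso.GetFolder(WScript.Arguments(0)), ""
    Else
        WScript.Echo "Folder not found: " & WScript.Arguments(0)
    End If
End If
If WScript.Arguments.Count >= 2 Then
    WScript.Echo WScript.Arguments(1) & ": system attribute set -> " & _
        FileHasSystemAttribute(WScript.Arguments(1))
End If
```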
nyl
Crazy


Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 5:01 pm

Hack 12 Get Event Log Information


Need to check on the size and configuration settings of your event logs? Use this script instead of the GUI; it's faster!

Monitoring event logs is an essential part of an administrator's job. Unfortunately, viewing event log settings and log file sizes from the GUI is cumbersome, and it would be useful to have an easier way to obtain this information.

That's exactly what this hack is all about. You can run the script on Windows NT/2000 and later to obtain the current file size, maximum file size, and number of records, and you can overwrite settings on the Application, System, and Security logs.

The Code
Type the following script into Notepad (make sure Word Wrap is disabled) and save it with a .vbs extension as loginfo.vbs. Or, if you like, you can download the script from the O'Reilly web site.

Option Explicit
On Error Resume Next

Dim strMoniker
Dim refWMI
Dim colEventLogs
Dim refEventLog
Dim strSource

'moniker string stub - security privilege needed to get
'numrecords for Security log
strMoniker = "winMgmts:{(Security)}!"

'append to moniker string if a machine name has been given
If WScript.Arguments.Count = 1 Then _
    strMoniker = strMoniker & "\\" & WScript.Arguments(0) & ":"

'attempt to connect to WMI
Set refWMI = GetObject(strMoniker)
If Err <> 0 Then
    WScript.Echo "Could not connect to the WMI service."
    WScript.Quit
End If

'get a collection of Win32_NTEventLogFile objects
Set colEventLogs = refWMI.InstancesOf("Win32_NTEventLogFile")
If Err <> 0 Then
    WScript.Echo "Could not retrieve Event Log objects"
    WScript.Quit
End If

'iterate through each log and output information
For Each refEventLog In colEventLogs
    WScript.Echo "Information for the " & _
        refEventLog.LogfileName & _
        " log:"
    WScript.Echo " Current file size: " & refEventLog.FileSize
    WScript.Echo " Maximum file size: " & refEventLog.MaxFileSize
    WScript.Echo " The Log currently contains " & _
        refEventLog.NumberOfRecords & " records"

    'output policy info in a friendly format using OverwriteOutDated,
    'as OverWritePolicy is utterly pointless.
    'note "-1" is the signed interpretation of 4294967295
    Select Case refEventLog.OverwriteOutDated
        Case 0
            WScript.Echo " Log entries may be overwritten as required"
        Case -1
            WScript.Echo " Log entries may NEVER be overwritten"
        Case Else
            WScript.Echo " Log entries may be overwritten after " & _
                refEventLog.OverwriteOutDated & " days"
    End Select
    'blank line after every log, not only in the Case Else branch
    WScript.Echo
Next

Set refEventLog = Nothing
Set colEventLogs = Nothing
Set refWMI = Nothing

Running the Hack
To run the script, use Cscript.exe, the command-line version of the Windows Script Host (WSH). Simply type cscript loginfo.vbs at a command prompt from the directory in which the script resides. Here is a sample of typical output when the script runs on a Windows 2000 machine:

C:\>cscript loginfo.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Information for the Security log:
 Current file size: 65536
 Maximum file size: 524288
 The Log currently contains 166 records
 Log entries may be overwritten after 7 days

Information for the Application log:
 Current file size: 524288
 Maximum file size: 524288
 The Log currently contains 2648 records
 Log entries may be overwritten as required

Information for the System log:
 Current file size: 524288
 Maximum file size: 524288
 The Log currently contains 2648 records
 Log entries may be overwritten after 7 days

Note that when you run this script on a domain controller it displays information concerning the Directory Service, File Replication Service, and DNS logs as well.

—Rod Trent

nyl
Crazy


Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 5:02 pm

Hack 13 Shortcut to Remote Assistance


Remote Assistance is a helpful feature for troubleshooting Windows XP systems, but it's a pain for ordinary users to use. This hack creates a helpful shortcut to this feature.

Windows XP provides a Remote Assistance feature, but you have to walk through several screens to get to it. This can be a problem for users who are not technically savvy, and you might find yourself spending a lot of time explaining to them how to use the feature. However, there's a really cool workaround. Place a shortcut to this feature on users' desktops. This will provide them with quicker access to the screen where they can type in the remote computer's IP address to ask for remote assistance. This approach will make life easier for both you and your users.

First, right-click on the desktop and choose New → Shortcut. Then, in the Create Shortcut box, type the following URL into the Location Box:

hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/Unsolicited/unsolicitedrcui.htm

as shown in Figure 1-14.

Figure 1-14. Creating a shortcut to the Remote Assistance feature

Click Next and name the shortcut something descriptive, like "Remote Assistance" (Figure 1-15).

Figure 1-15. Naming the shortcut

When the shortcut creation is finished, you'll have an icon on your desktop for Remote Assistance (Figure 1-16).

Figure 1-16. Desktop icon for Remote Assistance

When you double-click on this icon, you'll be whisked away to the Remote Assistance feature, as shown in Figure 1-17. Simply type the computer name or IP address of the computer you want to connect to for remote assistance.

Figure 1-17. Remote Assistance window

Pretty handy, eh?

—Rod Trent

nyl
Crazy


Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 5:02 pm

Hack 14 Desktop Checker


Here's a useful script to quickly display the configuration of a remote system for troubleshooting or inventory purposes.

This handy script will attempt to gather various Windows NT/2000/XP/2003 operating-system attributes and display them in a coherent way to assist in troubleshooting. I highly suggest modifying the customization variables located within the script. To edit this text file, just open it with Notepad (leave Word Wrap turned off). Even if you have no experience with VBScript, you should find the changes quite easy to make. Please read the comments for different sections to make the tool viable for your organization.

This tool was intended to use only standard API calls and nothing from third-party COM objects. This keeps the tool lightweight and portable as only a text file. I suggest putting the tool into a local directory by itself so that the HTML pages it creates don't get out of hand. If a machine does not have WMI 1.5, then a lot of info might be missing. You will get similar results if you don't have administrator rights on the remote box. This script will not work on any Windows 9x operating systems.

The Code
You can download this script as DesktopChecker.vbs from the O'Reilly web site at http://www.oreilly.com/catalog/winsvrhks/:

'**************************************************************
'*                                                            *
'* Desktop Checker - This script will ATTEMPT to gather       *
'* various OS attributes and display them in a coherent       *
'* way to assist in troubleshooting. I highly suggest         *
'* modifying the customization variables located 2 sections   *
'* below. Please read the comments for different sections     *
'* to make the tool viable for your organization. This        *
'* tool was intended to use only standard API calls and       *
'* nothing from 3rd party COM objects. This keeps the         *
'* tool lightweight and portable as only a text file.         *
'* I suggest putting the tool into a directory by itself      *
'* so that the HTML pages it creates don't get out of hand.   *
'* If a machine does not have WMI 1.5 then lots of info may   *
'* be missing.                                                *
'*                                                            *
'* Dennis Abbott                                              *
'* speckled_trout@hotmail.com                                 *
'*                                                            *
'**************************************************************
On Error Resume Next
Dim WshShell,WshFso,WshNet,WshSysEnv,IE,wmi,ADSIobj,OutPutFile,DumpFile
Dim PathToScript,ComSpec,Cnt,CompName,Company,Title,LogoLink,SelectServices, _
    Domain,Progress,Instance,CurLine
Set WshShell = CreateObject("Wscript.Shell")
Set WshFso = CreateObject("Scripting.FileSystemObject")
Set WshNet = CreateObject("Wscript.Network")
Set WshSysEnv = WshShell.Environment("SYSTEM")
PathToScript = Left(WScript.ScriptFullName,(Len(WScript.ScriptFullName) - _
    (Len(WScript.ScriptName) + 1)))
ComSpec = WshSysEnv("COMSPEC")
Cnt = 0



' grab contents of clipboard
' This allows you to work a LIST of boxes by cut-n-paste
Set IE = CreateObject("InternetExplorer.Application")
IE.Navigate("about:<script language=" & Chr(34) & "vbscr" & "ipt" & Chr(34) _
    & ">function go():document.all.it2.select():document.execCommand " _
    & Chr(34) & "Paste" & Chr(34) & ":en" & "d function</script>" _
    & "<body onload=go()><input type=t" & "ext value=" & Chr(34) & "start" _
    & Chr(34) & " id=it2></body>")
While IE.ReadyState <> 4:Wend
CompName = IE.document.all.it2.value
IE.Quit
Set IE = Nothing



' SET CUSTOMIZATION VARIABLES
Company = "myITforum"
Title = Company & " - Helpdesk Diagnostic Tool"
LogoLink = "http://www.myitforum.com/img/logo_final.gif"
' The next line allows you to query a variety of NT services of your choosing
' Make sure you enter the service NAME not the DISPLAY NAME, they can be
' different names
SelectServices = Array("WinMgmt","Norton Antivirus Server","DefWatch","clisvc","Dhcp")
Domain = "amd" 'Your NT domain
Progress = True
'causes pop-up boxes when set to True it is silent when set to False

CompName = InputBox("Enter the name of the remote computer",Title,CompName)
If CompName = "" Then MsgBox "No machine name was entered.....goodbye" : WScript.Quit(0)
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" & CompName)
Set ADSIobj = GetObject("WinNT://" & CompName & ",Computer")



Call PrepHTML(CompName) 'create an HTML file

If Progress Then
    WshShell.Popup "Getting OS information",2,Title, vbokonly + vbsystemmodal
End If
Call GetOS(CompName)
If Progress Then
    WshShell.Popup "Getting NT administrators",2,Title, vbokonly + vbsystemmodal
End If
Call GetAdmins(CompName)
If Progress Then
    WshShell.Popup "Checking Vital Services",2,Title, vbokonly + vbsystemmodal
End If
Call Services(CompName,SelectServices)
If Progress Then
    WshShell.Popup "Checking Admin shares",2,Title, vbokonly + vbsystemmodal
End If
Call AdminShares(CompName)
If Progress Then
    WshShell.Popup "Getting date/time stamp",2,Title, vbokonly + vbsystemmodal
End If
Call GetTime(CompName)
If Progress Then
    WshShell.Popup "Getting NetBIOS information",2,Title, vbokonly + vbsystemmodal
End If
Call GetNBTstat(CompName)
If Progress Then
    WshShell.Popup "Pinging computer",2,Title, vbokonly + vbsystemmodal
End If
Call Ping(CompName)
If Progress Then
    WshShell.Popup "Getting Registry Quota",2,Title, vbokonly + vbsystemmodal
End If
Call GetRegQuota(CompName)
If Progress Then
    WshShell.Popup "Getting Hardware information",2,Title, vbokonly + vbsystemmodal
End If
Call GetHW(CompName)
If Progress Then
    WshShell.Popup "Getting Network Card information",2,Title, vbokonly + vbsystemmodal
End If
Call GetNIC(CompName)
If Progress Then
    WshShell.Popup "Getting Software information",2,Title, vbokonly + vbsystemmodal
End If
Call GetSW(CompName)
If Progress Then
    WshShell.Popup "Getting Critical NT Events",2,Title, vbokonly + vbsystemmodal
End If
Call GetEvents(CompName)
Call ExitScript



Function PrepHTML(CompName)
    Set OutPutFile = WshFso.CreateTextFile(PathToScript & "\" & CompName _
        & ".html")
    OutPutFile.WriteLine "<body>"
    OutPutFile.WriteLine "<h1><center>" & Title & "</center></h1>"
    OutPutFile.WriteLine "<p><IMG SRC=" & Chr(34) & LogoLink & Chr(34) _
        & "></img></p>"
    OutPutFile.WriteLine "</p><p>" & "Account running this script is " _
        & WshNet.UserDomain & "\" & WshNet.UserName & " @ " _
        & Now & " from workstation " & WshNet.ComputerName & "</p>"
    OutPutFile.WriteLine "<p>Information on remote machine \\" _
        & UCase(CompName) & "</p>"
    OutPutFile.WriteLine "<p>To see information as it " _
        & "loads hit the REFRESH button on your web browser.</p>"
    OutPutFile.WriteLine "<hr>"
    WshShell.Run PathToScript & "\" & CompName & ".html"
End Function



Function GetOS(CompName)
    OutPutFile.WriteLine "<h3>1 - Operating System</h3>"
    OutPutFile.WriteLine "Operating System Version = " _
        & ADSIobj.OperatingSystem & " " & ADSIobj.OperatingSystemVersion & "<br>"
    For Each Instance in wmi.ExecQuery("Select * From Win32_OperatingSystem")
        OutPutFile.WriteLine "Operating System Caption = " _
            & Instance.Caption & "<br>"
        OutPutFile.WriteLine "Operating System Service Pack = " _
            & Instance.CSDVersion & "<br>"
        OutPutFile.WriteLine "Operating System LastBootUpTime = " _
            & StrDateTime(Instance.LastBootUpTime) & "<br>"
        OutPutFile.WriteLine "Operating System Directory = " _
            & Instance.WindowsDirectory & "<br>"
    Next
    OutPutFile.WriteLine "<hr>"
End Function



Function GetAdmins(CompName)
    Dim Admins,Admin
    Dim AdsInfo
    Set Admins = GetObject("WinNT://" & CompName & "/Administrators")
    OutPutFile.WriteLine "<h3>2 - Members of the local " _
        & "administrators group</h3>"
    OutPutFile.WriteLine "<table border=1><tr><td>Name</td><td>Type</td>" _
        & "<td>Description</td></tr>"
    For Each Admin in Admins.Members
        Set AdsInfo = GetObject(Admin.adspath)
        OutPutFile.WriteLine "<tr><td>" & AdsInfo.Name & "</td><td>" _
            & AdsInfo.Class & "</td><td>" & AdsInfo.Description & "</td></tr>"
    Next
    OutPutFile.WriteLine "</table>"
    OutPutFile.WriteLine "<hr>"
End Function



Function Services(CompName,SelectServices)
    Dim Service,srvc,State,Strg
    OutPutFile.WriteLine "<h3>3 - Status of vital services</h3>"
    OutPutFile.WriteLine "<table border=1><tr><td>Service Name</td>" _
        & "<td>Display Name</td><td>Status</td></tr>"
    For Each Service in SelectServices
        'default row, replaced below if the service is found
        Strg = "<tr><td>" & Service & "</td><td></td><td>NOT PRESENT</td></tr>"
        ADSIobj.Filter = Array("Service")
        For Each srvc in ADSIobj
            Select Case srvc.Status
                Case 1 State = "STOPPED"
                Case 2 State = "START_PENDING"
                Case 3 State = "STOP_PENDING"
                Case 4 State = "RUNNING"
                Case 5 State = "CONTINUE_PENDING"
                Case 6 State = "PAUSE_PENDING"
                Case 7 State = "PAUSED"
                Case Else State = "ERROR"
            End Select
            If LCase(srvc.Name) = LCase(Service) Then Strg = _
                "<tr><td>" & srvc.Name & "</td><td>" & srvc.DisplayName _
                & "</td><td>" & State & "</td></tr>"
        Next
        OutPutFile.WriteLine Strg
    Next
    OutPutFile.WriteLine "</table>"
    OutPutFile.WriteLine "<hr>"
End Function



Function AdminShares(CompName)
    Dim Shares
    OutPutFile.WriteLine "<h3>4 - Status of administrative shares</h3>"
    Shares = True
    If WshFso.FolderExists("\\" & CompName & "\c$") = True Then
        OutPutFile.WriteLine "C$ share exists<br>"
    Else
        Shares = False
        OutPutFile.WriteLine "C$ share is not " _
            & "accessible<br>"
    End If
    If WshFso.FolderExists("\\" & CompName & "\admin$") = True Then
        OutPutFile.WriteLine "admin$ share exists<br>"
    Else
        Shares = False
        OutPutFile.WriteLine "admin$ share is not " _
            & "accessible<br>"
    End If
    If Shares = False Then
        OutPutFile.WriteLine "<br>"
        OutPutFile.WriteLine "Shares may not be " _
            & "accessible due to the following reasons:<br>"
        OutPutFile.WriteLine "a - You do not have " _
            & "admin rights on this box<br>"
        OutPutFile.WriteLine "b - box is offline<br>"
        OutPutFile.WriteLine "c - Server service is not " _
            & "running<br>"
        OutPutFile.WriteLine "d - Shares have been " _
            & "disabled<br>"
        OutPutFile.WriteLine "e - remote machine's " _
            & "operating system is not NT-based<br>"
    End If
    OutPutFile.WriteLine "<hr>"
End Function



Function GetTime(CompName)
    OutPutFile.WriteLine "<h3>5 - Current date and time</h3>"
    OutPutFile.WriteLine "Current date and time of a domain controller<br>"
    WshShell.Run ComSpec & " /c net time /DOMAIN:" & Domain & " >" _
        & PathToScript & "\time.txt",6,True
    Set DumpFile = WshFso.OpenTextFile(PathToScript & "\time.txt", 1, True)
    Do While DumpFile.AtEndOfStream <> True
        CurLine = DumpFile.ReadLine
        If InStr(CurLine,"Current") <> 0 Then
            OutPutFile.WriteLine CurLine & "<br>"
        End If
    Loop
    DumpFile.Close
    OutPutFile.WriteLine "Current date and time of computer you are " _
        & "troubleshooting<br>"
    WshShell.Run ComSpec & " /c net time \\" & CompName _
        & " >" & PathToScript & "\time.txt",6,True
    Set DumpFile = WshFso.OpenTextFile(PathToScript & "\time.txt", 1, True)
    Do While DumpFile.AtEndOfStream <> True
        CurLine = DumpFile.ReadLine
        If InStr(CurLine,"Current") <> 0 Then
            OutPutFile.WriteLine CurLine & "<br>"
        End If
    Loop
    DumpFile.Close
    OutPutFile.WriteLine "<hr>"
End Function



Function Ping(CompName)
    OutPutFile.WriteLine "<h3>7 - Ping test (DNS name resolution)</h3>"
    OutPutFile.WriteLine "<h4>If you get no reply on the ping yet other data is " _
        & "retrieved on this page then there is most likely a problem with a " _
        & "static DNS entry. This needs to be fixed before anything else. You " _
        & "MUST VERIFY the machine is running DHCP before you modify the " _
        & "static DNS entry!!!!</h4>"
    WshShell.Run ComSpec & " /c ping " & CompName & " >" & PathToScript & _
        "\ping.txt",6,True
    Set DumpFile = WshFso.OpenTextFile(PathToScript & "\ping.txt", 1, True)
    Do While DumpFile.AtEndOfStream <> True
        OutPutFile.WriteLine DumpFile.ReadLine & "<br>"
    Loop
    Set DumpFile = Nothing
    OutPutFile.WriteLine "<hr>"
End Function



Function GetNBTstat(CompName)
    Dim User
    User = "Nobody Logged On"
    WshShell.Run ComSpec & " /c nbtstat -a " & CompName & " >" & _
        PathToScript & "\nbt.txt",6,True
    Set DumpFile = WshFso.OpenTextFile(PathToScript & "\nbt.txt", 1, True)
    Do While DumpFile.AtEndOfStream <> True
        CurLine = DumpFile.ReadLine
        'the line after the dashed separator holds the machine name
        If InStr(CurLine,"---") <> 0 Then
            CurLine = DumpFile.ReadLine
            CompName = Trim(Left(CurLine,InStr(CurLine,"<")-1))
        End If
        If InStr(CurLine,"<03>") <> 0 Then
            If Trim(Left(CurLine,InStr(CurLine,"<03>")-1)) <> _
                UCase(CompName) And _
                Trim(Left(CurLine,InStr(CurLine,"<03>")-1)) <> _
                UCase(CompName) & "$" Then
                User = Trim(Left(CurLine,InStr(CurLine,"<03>")-1))
            End If
        End If
        If InStr(CurLine,"<1E>") <> 0 Then
            If Trim(Left(CurLine,InStr(CurLine,"<1E>")-1)) <> UCase(CompName) _
                And Trim(Left(CurLine,InStr(CurLine,"<1E>")-1)) <> _
                UCase(CompName) & "$" Then
                Domain = Trim(Left(CurLine,InStr(CurLine,"<1E>")-1))
            End If
        End If
    Loop
    OutPutFile.WriteLine "<h3>6 - NetBIOS Info</h3>"
    OutPutFile.WriteLine "Current User Logged on = " & User & " (this value may " _
        & "not be accurate, it depends on the box's messenger service)<br>"
    OutPutFile.WriteLine "Domain machine is joined to = " & Domain & "<br>"
    DumpFile.Close
    OutPutFile.WriteLine "<hr>"
End Function



Function GetNIC(CompName)
    OutPutFile.WriteLine "<h3>9 - Network Card Configuration</h3>"
    For Each Instance in wmi.ExecQuery("Select * From Win32_" & _
        "NetworkAdapterConfiguration Where IPenabled = 'True'")
        OutPutFile.WriteLine "<table border=1><tr><td>" & _
            "Attribute</td><td>Value</td></tr>"
        OutPutFile.WriteLine "<tr><td>Name of card</td><td>" _
            & Instance.Caption & "</td></tr>"
        OutPutFile.WriteLine "<tr><td>DHCP Enabled</td><td>" _
            & Instance.DhcpEnabled & "</td></tr>"
        OutPutFile.WriteLine "<tr><td>IP address</td><td>" _
            & Instance.IPAddress(0) & "</td></tr>"
        OutPutFile.WriteLine "<tr><td>Subnet Mask</td><td>" _
            & Instance.IPSubnet(0) & "</td></tr>"
        OutPutFile.WriteLine "<tr><td>MAC Address</td><td>" _
            & Instance.MACAddress & "</td></tr>"
        OutPutFile.WriteLine "<tr><td>DNS HostName</td><td>" _
            & Instance.DNSHostname & "</td></tr>"
        OutPutFile.WriteLine "<tr><td>DNS Servers(in order)</td><td>" _
            & Instance.DNSServerSearchOrder(0) & " : " _
            & Instance.DNSServerSearchOrder(1) & "</td></tr>"
        OutPutFile.WriteLine "<tr><td>Primary WINS</td><td>" _
            & Instance.WINSPrimaryServer & "</td></tr>"
        OutPutFile.WriteLine "<tr><td>Secondary WINS</td><td>" _
            & Instance.WINSSecondaryServer & "</td></tr>"
        OutPutFile.WriteLine "</table>"
    Next
    OutPutFile.WriteLine "<hr>"
End Function



Function GetRegQuota(CompName)
    OutPutFile.WriteLine "<h3>8 - Registry size information</h3>"
    For each Instance in wmi.InstancesOf("Win32_Registry")
        OutPutFile.WriteLine "Current Registry size is " _
            & Instance.CurrentSize & " MB's.<br>"
        OutPutFile.WriteLine "Maximum Registry size is " _
            & Instance.MaximumSize & " MB's.<br>"
        If Instance.MaximumSize - Instance.CurrentSize < 8 Then
            OutPutFile.WriteLine "The Registry quota on " _
                & CompName & " may need to be increased!!!<br>"
        End If
    Next
    OutPutFile.WriteLine "<hr>"
End Function



Function GetHW(CompName)
    Dim stuff
    OutPutFile.WriteLine "<h3>10 - Hardware Information</h3>"
    For Each Instance in wmi.ExecQuery("Select * From Win32_" & _
        "LogicalDisk Where DeviceID = 'C:'")
        OutPutFile.WriteLine "Total Drive space available on C: is " _
            & Left(Instance.FreeSpace/1000000, _
            InStr(Instance.FreeSpace/1000000, ".")-1) & " Megabytes.<br>"
        stuff = ((Instance.Size - Instance.FreeSpace)/Instance.Size)*100
        OutPutFile.WriteLine "The C: drive is " _
            & Left(stuff,InStr(stuff, ".")-1) & "% full.<br>"
    Next
    For Each Instance in wmi.ExecQuery("Select * From Win32_ComputerSystem")
        OutPutFile.WriteLine "Computer Manufacturer = " _
            & Instance.Manufacturer & "<br>"
        OutPutFile.WriteLine "Computer Model = " & Instance.Model & "<br>"
        OutPutFile.WriteLine "Total Physical Memory = " _
            & Left(Instance.TotalPhysicalMemory/1000000, _
            InStr(Instance.TotalPhysicalMemory/1000000,".")-1) _
            & " MB's" & "<br>"
    Next
    For Each Instance in wmi.ExecQuery("Select * From Win32_" & _
        "SystemEnclosure")
        OutPutFile.WriteLine "Asset Tag = " & Instance.SMBIOSassettag _
            & "<br>"
        OutPutFile.WriteLine "Serial Number = " & Instance.serialnumber _
            & "<br>"
    Next
    For Each Instance in wmi.ExecQuery("Select * From Win32_Processor")
        OutPutFile.WriteLine "Processor Name = " & Instance.Name & "<br>"
        OutPutFile.WriteLine "Processor Clock Speed = " _
            & Instance.CurrentClockSpeed & " MHz<br>"
        OutPutFile.WriteLine "Processor Voltage = " _
            & Instance.CurrentVoltage & " Volts<br>"
        OutPutFile.WriteLine "Current Processor Load = " _
            & Instance.LoadPercentage & "%<br>"
    Next
    OutPutFile.WriteLine "<hr>"
End Function



Function GetSW(CompName)
    Dim oReg
    Dim NavParent,PatternDate,NavDir,NavVer,IEVersion,program,installed, _
        Version,ProgramName
    OutPutFile.WriteLine "<h3>11 - Software Information</h3>"
    Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!//" _
        & CompName & "/root/default:StdRegProv")
    '2147483650 = HKEY_LOCAL_MACHINE
    oReg.getstringvalue 2147483650, _
        "SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\","Parent",NavParent
    oReg.getstringvalue 2147483650,"SOFTWARE\Symantec\SharedDefs\", _
        "NAVCORP_70",PatternDate
    oReg.getstringvalue 2147483650,"SOFTWARE\Symantec\InstalledApps\", _
        "NAV",NavDir
    If UCase(Left(NavDir,1)) = "C" Then
        NavVer = WshFso.GetFileVersion("\\" & CompName & "\c$\" _
            & Right(NavDir,Len(NavDir)-3) & "\vpc32.exe")
        OutPutFile.WriteLine "Norton Antivirus Version = " & NavVer _
            & "<br>"
    End If
    PatternDate = Right(PatternDate,12)
    OutPutFile.WriteLine "Norton Antivirus Parent Server = " & NavParent _
        & "<br>"
    OutPutFile.WriteLine "Norton Antivirus Definition Date = " _
        & Mid(PatternDate,5,2) & "/" & Mid(PatternDate,7,2) & "/" & _
        Mid(PatternDate,1,4) & " Revision " & Right(PatternDate,3) & "<br>"
    oReg.getstringvalue 2147483650,"SOFTWARE\Microsoft\Internet Explorer\", _
        "Version",IEVersion
    OutPutFile.WriteLine "<p>Internet Explorer Version = " & IEVersion
    OutPutFile.WriteLine "<p>Installed Programs(from Add/Remove Programs applet)</p>"
    OutPutFile.WriteLine "<table border=1><tr><td>Program Name</td>" _
        & "<td>Version(if available)</td></tr>"
    oReg.EnumKey 2147483650, "SOFTWARE\Microsoft\Windows\CurrentVersion\" & _
        "Uninstall", installed
    For each program in installed
        oReg.getstringvalue 2147483650,"SOFTWARE\Microsoft\Windows\" & _
            "CurrentVersion\Uninstall\" & program & "\","DisplayName",ProgramName
        oReg.getstringvalue 2147483650,"SOFTWARE\Microsoft\Windows\" & _
            "CurrentVersion\Uninstall\" & program & "\","DisplayVersion",Version
        If ProgramName <> "" Then
            OutPutFile.WriteLine "<tr><td>" & ProgramName & "</td><td>" _
                & Version & "</td></tr>"
        End If
    Next
    OutPutFile.WriteLine "</table>"
    OutPutFile.WriteLine "<hr>"
End Function



Function GetEvents(CompName)
    OutPutFile.WriteLine "<h3>12 - First 25 Errors from the system event log</h3>"
    OutPutFile.WriteLine "<table border=1><tr><td>DateTimeStamp</td>" _
        & "<td>EventSource</td><td>Message</td></tr>"
    For Each Instance in wmi.ExecQuery("Select * From Win32_NTLogEvent " & _
        "Where Type = 'Error' and LogFile = 'System'")
        Cnt = Cnt + 1
        'stop after 25 rows, matching the heading above
        If Cnt > 25 Then Exit For
        OutPutFile.WriteLine "<tr><td>" & Mid(Instance.TimeGenerated,5,2) _
            & "-" & Mid(Instance.TimeGenerated,7,2) & "-" _
            & Left(Instance.TimeGenerated,4) & "</td><td>" _
            & Instance.SourceName & "</td><td>" & Instance.Message & "</td></tr>"
    Next
    OutPutFile.WriteLine "</table>"
End Function

Function StrDateTime(d)
    Dim strVal,strDate,strTime
    strVal = CStr(d)
    strDate = DateSerial(Left(strVal, 4), _
        Mid(strVal, 5, 2), _
        Mid(strVal, 7, 2))
    strTime = TimeSerial(Mid(strVal, 9, 2), _
        Mid(strVal, 11, 2), _
        Mid(strVal, 13, 2))
    StrDateTime = strDate + strTime
End Function

Function ExitScript
    OutPutFile.WriteLine "</body>"
    OutPutFile.Close
    WshShell.Run PathToScript & "\" & CompName & ".html"
    If Progress Then
        MsgBox "The " & Title & " script is done.",vbokonly + _
            vbsystemmodal,Title
    End If
    Set WshShell = Nothing
    Set WshFso = Nothing
    Set WshNet = Nothing
    Set OutPutFile = Nothing
    Wscript.Quit(0)
End Function

Running the Hack
To run this hack, simply double-click on the DesktopChecker.vbs file in Windows Explorer (or on a shortcut to the file on your desktop). Then, type the name of the remote computer you want to query using either its NetBIOS name, DNS name, or IP address. At this point, Internet Explorer will open and display a page titled "myITforum Helpdesk Diagnostic Tool," followed by a series of dialog boxes that show the progress of the script (you don't need to click OK to close these dialog boxes, because they close automatically). Once the final dialog box appears—"The myITforum Helpdesk Diagnostic Tool script is done"—click OK and refresh the web page to view the information.

Here's some sample output generated when the script was run on a workstation using Domain Admin credentials. The target machine is a Windows Server 2003 machine named SRV230. The output of the script is in the form of an HTML page named srv230.htm, which is created in the same directory where the script itself resides, but the output has been reformatted here as text to make it easier to include in this book.

myITforum - Helpdesk Diagnostic Tool

Account running this script is MTIT2\administrator @ 12/3/2003 11:40:37 AM from

workstation

SRV235

Information on remote machine \\SRV230

To see information as it loads hit the REFRESH button on your web browser.

----------------------------------------------------------------------------

1 - Operating System

Operating System Version = Windows NT 5.2

Operating System Caption = Microsoft(R) Windows(R) Server 2003, Enterprise Edition

Operating System Service Pack =

Operating System LastBootUpTime = 12/3/2003 11:26:42 AM

Operating System Directory = C:\WINDOWS

----------------------------------------------------------------------------

2 - Members of the local administrators group

Name Type Description

Administrator User Built-in account for administering the computer/domain

Enterprise Admins Group Designated administrators of the enterprise

Domain Admins Group Designated administrators of the domain

----------------------------------------------------------------------------

3 - Status of vital services

Service Name Display Name Status

winmgmt Windows Management Instrumentation RUNNING

Norton Antivirus Server NOT PRESENT

DefWatch NOT PRESENT

clisvc NOT PRESENT

Dhcp DHCP Client RUNNING

----------------------------------------------------------------------------

4 - Status of administrative shares

C$ share exists

admin$ share exists

----------------------------------------------------------------------------

5 - Current date and time

Current date and time of a domain controller

Current date and time of computer you are troubleshooting

----------------------------------------------------------------------------

6 - NetBIOS Info

Current User Logged on = Nobody Logged On (this value may not be accurate, it depends on

the box's messenger service)

Domain machine is joined to = amd

----------------------------------------------------------------------------

7 - Ping test (DNS name resolution)

If you get no reply on the ping yet other data is retrieved on this page then there is

most likely a problem with a static DNS entry. This needs to be fixed before anything

else.

You MUST VERIFY the machine is running DHCP before you modify the static DNS entry!!!!

----------------------------------------------------------------------------

8 - Registry size information

Current Registry size is 1 MB's.

Maximum Registry size is 88 MB's.

----------------------------------------------------------------------------

10 - Hardware Information

Total Drive space available on C: is 1776 Megabytes.

The C: drive is 58% full.

Computer Manufacturer = System Manufacturer

Computer Model = System Name

Total Physical Memory = 536 MB's

Asset Tag = Asset-1234567890

Serial Number = Chassis Serial Number

Processor Name = Intel(R) Pentium(R) III processor

Processor Clock Speed = 501 MHz

Processor Voltage = 29 Volts

Current Processor Load = 2%

----------------------------------------------------------------------------

9 - Network Card Configuration

Attribute Value

Name of card [00000001] 3Com EtherLink XL 10/100 PCI For Complete PC Management

NIC (3C905C-TX)

DHCP Enabled False

IP address 172.16.11.230

Subnet Mask 255.255.255.0

MAC Address 00:01:02:FC:92:FC

DNS HostName srv230

DNS Servers(in order) 172.16.11.230 :

Primary WINS

Secondary WINS

----------------------------------------------------------------------------

11 - Software Information

Norton Antivirus Parent Server =

Norton Antivirus Definition Date = // Revision

Internet Explorer Version = 6.0.3790.0

Installed Programs(from Add/Remove Programs applet)



Program Name Version(if available)

FullShot V6

Windows Media Player Hotfix [See wm819639 for more information]

Remote Administration Tools 5.2.3790.0

----------------------------------------------------------------------------

12 - First 25 Errors from the system event log

DateTimeStamp EventSource Message

11-21-2003 W32Time The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.

11-13-2003 DCOM The server {A9E69610-B80D-11D0-B9B9-00A0C922E750} did not register with DCOM within the required timeout.

etc...
—Dennis Abbott

nyl
Crazy


Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 5:04 pm

Hack 15 Top Five Tools


Here's one IT professional's take on five third-party tools for Windows 2000 every system administrator should have.

There can be no doubt that with every release of Microsoft's operating system the need for third-party utilities becomes less and less. One major complaint about NT was its lack of disk quotas, something Unix has included since day one. A number of companies noticed this oversight and produced a product that did the trick. The release of Windows 2000 saw disk quotas become part of the OS, thus making the need to purchase this type of software an irrelevance for the majority of companies.

Whether you agree with Microsoft's policy of continually adding features to its products that were once available only from other sources is one for debate. But in my role as a network administrator, I still find a need to seek out additional software to help make my job a lot easier. I'm sure everyone has their favorite must-have utilities, but these are my top five must-have add-on products for Windows 2000.

Server Monitor Lite
Server Monitor Lite is an invaluable monitoring product that allows you to monitor your servers centrally and get notified if a problem occurs. I use this utility to ping all my servers periodically, watch for low disk space, keep an eye on critical services, and make sure the company intranet is still accessible for my users. For more information, see http://www.purenetworking.net/Products/ServerMonitor/ServerMonitor.htm.

Lost Password Recovery
Have you inherited systems for which nobody knows the local administrator password, or do you have users that need access to Word, Excel, or Access documents that are password-protected and nobody knows the password? Well, this handy little product will save the day. It lets you reset the password on a huge array of systems. For more information, see http://www.lostpassword.com.

Data Replicator
Do you need to copy files from one system to another on a regular basis? Data Replicator makes this job much easier—it allows you to watch files or folders for changes, and then replicate them to another location. You can copy files across a LAN, WAN, or via FTP, which makes Data Replicator a great alternative to traditional backup software. For more information, see http://www.purenetworking.net/Products/DataReplicator/DataReplicator.htm.

Virtual Network Computing (VNC)
Take control of your remote servers from the comfort of your desk. VNC lets you control Windows, Unix, and Mac machines. For more information, see http://www.realvnc.com.

Network View
With this handy tool, you'll never need to draw out your network. It automatically generates a network diagram for you within minutes. For more information, see http://www.networkview.com.

—Janet Ryding

nyl
Crazy


Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 5:05 pm

Hack 16 myITforum.com


One of the best resources around for administrators who deploy and manage Windows-based networks, myITforum.com is best described by its CEO and founder, Rod Trent.

myITforum.com (http://www.myitforum.com) is the leading systems administration web site and community. It was created to be the Internet's premier knowledge and information forum for IT professionals. The web site provides IT administrators the opportunity to gain better insight about what they do by learning/sharing from other IT experts throughout the world. Through the web site, myITforum.com users give tips, share insight, and download utilities and tools to assist them in managing their IT enterprises. Whether you oversee 10 nodes or 100,000 nodes, myITforum.com can help you manage your environment.

myITforum.com is managed by Rod Trent (myself!), a Microsoft MVP and author of the best-selling books Microsoft SMS Installer, Admin911: SMS, and IIS 5.0: A Beginner's Guide. Rod Trent is the leading authority on Microsoft SMS and an annual presenter and keynote presenter at the annual Microsoft Management Summit (http://www.microsoft.com/management/training/mms.mspx). He has over 18 years of IT experience, 8 of which have been dedicated to SMS. In addition to his best-selling books, Rod has written thousands of articles on technology topics in many publications, on the Web, and in the form of Microsoft white papers, case studies, and technical guides. Rod is also a principal in NetImpress, Inc. (http://www.netimpress.com), a technology publishing company.

History
myITforum.com's roots lead back to the now defunct Swynk.com web site. Swynk.com was founded and operated by Stephen Wynkoop until 1999. Stephen had developed a web site that allowed administrators all over the world to gain support for their everyday IT tasks. myITforum.com was built on the success of the Systems Management Server (SMS) section of Swynk.com. The success of the SMS section led to an urgency to keep the ever-growing community alive when it was evident that the parent company of Swynk.com was not going to support it. Swynk.com had become much more than simply content and articles, and it became evident that the web site had outgrown its electronic boundaries. It had become a live community that was represented both on the Web and in the real IT world. So, the SMS community from Swynk.com migrated to its web site location: http://www.myitforum.com.

Since the move, myITforum.com has grown by leaps and bounds, primarily due to the opportunities it presents to administrators all over the world to interact with their fellow administrators and peers. The members of the myITforum.com community are the most caring folks found in any corner of the Internet. They give their time, experience, and knowledge selflessly to help create a brain trust of smarter administrators who become efficient and proficient IT professionals.

Scope
While myITforum.com was based on Microsoft Systems Management Server, it has grown far beyond this one topic. To be an SMS administrator, an IT professional must be proficient in far more than just SMS. SMS administrators are required to support many different applications, operating systems, and technologies. Because of this requirement and myITforum.com's ability to grow quickly with the community needs, myITforum.com expanded its topic base to include many more areas in the IT world. myITforum.com supports Altiris products, Microsoft Operations Manager (MOM), VBScript, SMS 1.2/2.0/2003, Windows, SQL Server, Networking, Active Directory, security and patch management, antivirus technologies, Windows Mobile technologies, web technologies, and deployment technologies such as Windows Installer.

MyITforum.com supports these many topics through articles, email discussion lists, and web-based forums. Figure 1-18 shows the myITforum.com home page. The articles posted to the web site are quite a bit different than the articles you find in other publications. Instead of information from individuals you can't be sure have ever worked in IT, the myITforum.com articles are from real IT workers from real IT experiences. The premise is that if you are faced with a real-world situation, someone out there has probably already been through it and has the solution all wrapped up. By sharing their experiences through articles, the myITforum.com columnists provide a central location for IT administrators all over the world to get solutions to problems they might be facing, without having to spend days or weeks working through a tough situation. If it's a problem, someone has already faced it and succeeded, and the solution is probably outlined on myITforum.com.

Figure 1-18. Home page of myITforum.com

In addition to providing these web resources for the myITforum.com community, myITforum.com has transcended the confines of the Internet. Because real IT professionals make up the myITforum.com community, myITforum.com has reached beyond the Web to aid real people in setting up real-world local communities. myITforum.com has been instrumental in setting up over 17 user groups all over the world. From the U.S. to Canada to Israel to Australia, myITforum.com has provided valuable time and resources to set up and manage some of the most successful user group communities in the real world. myITforum.com provides many things to the user groups, including a free web site for the group's web presence, contacts with vendors for speaking services, and an intermediary link between Microsoft and the user group for planning, support, and meeting facilities.

Over time, myITforum.com has also become a successful liaison between employers and prospective employees. Offered as a free service, myITforum.com has helped place hundreds of qualified employees into IT jobs. During the last few years, when the economy has caused layoffs and outsourcing, myITforum.com has stood as a central beacon for employers and employees to connect with each other. So, in addition to providing a central repository for connecting with peers, myITforum.com has become an informal meeting place, where workers find employment and employers locate the top candidates for open positions.

It has been noted that if you attend any IT event, anywhere in the world, you will find at least one myITforum.com community member. myITforum.com's influence reaches into almost every nook of the IT world, primarily because it provides what IT professionals need to advance to a higher level in their profession, but also because it provides a level of sharing that can't be experienced anywhere else. myITforum.com is a real community comprised of real people with real personalities. Participating in myITforum.com is like meeting with friends. myITforum.com is an ever-evolving, ever-growing community meeting place that extends experience and knowledge that is more valuable than sitting through a weeklong training class. At the end of the day, myITforum.com is the one location for everything IT.

—Rod Trent

nyl
Crazy


Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 5:06 pm

Hack 17 Retrieve the List of Old Domain Computer Accounts


Finding inactive computer accounts in Active Directory is a chore—unless, of course, you script it.

If you need to quickly retrieve a list of old (inactive) computer accounts in the domain, VBScript is your utility of choice. The script in this hack first asks for the domain name (Figure 2-1), then prompts for the number of days for active computer accounts (Figure 2-2), and then, finally, displays the old computer accounts that are found in the domain.

Figure 2-1. Specifying the name of your domain

Figure 2-2. Specifying number of days for cutoff

The computer accounts shown have not been active during the days you specified. For example, when we run the script we can see that the computer account for the machine named SRV111 has a password whose age is beyond the cutoff, so the script recommends that you delete this account to be safe (Figure 2-3).

Figure 2-3. Recommending an account that should be deleted

This is a great, quick way to find those computers that could be having trouble authenticating, or those that have been brought down but remain in the domain's list.

The Code
Type the following code into Notepad (make sure Word Wrap is turned off), and save it with a .vbs extension as DeleteOldComputers.vbs:

On Error Resume Next

DomainString=Inputbox("Enter the domain name","Check Active Computers","DomainName")

if DomainString="" then
    wscript.echo "No domain specified or script cancelled."
    wscript.quit
end if

numDays=InputBox("What is the number of days to use as a cutoff for " & _
    "Active Computer Accounts?","Check Active Computers","XX")

if numDays="" then
    wscript.echo "No cutoff date specified or script cancelled."
    wscript.quit
end if

' Bind to the domain through the WinNT provider
Set DomainObj = GetObject("WinNT://"&DomainString)

if err.number<>0 then
    wscript.echo "Error connecting to " & DomainString
    wscript.quit
end if

' Enumerate computer accounts only
DomainObj.Filter = Array("computer")
Wscript.echo "Computer Accounts in " & DomainString & " older than " & _
    numDays & " days."

For each Computer in DomainObj
    Set Account = GetObject("WinNT://" & DomainString & "/" & Computer.Name & "$")
    ' PasswordAge is reported in seconds; 86400 seconds make one day
    RefreshTime = FormatNumber((Account.get("PasswordAge"))/86400,0)
    If CInt(RefreshTime) >= CInt(numDays) Then
        wscript.echo "**DELETE** " & Computer.Name & " Password Age is " & _
            RefreshTime & " days."
    End If
Next

set DomainObj=Nothing
set Shell=Nothing
Wscript.quit

Running the Hack
To run this script, use Cscript.exe, the command-line script engine for the Windows Script Host (WSH). Here's some sample output when the script is run to delete computer accounts older than 90 days in the MTIT domain:

C:\>cscript.exe DeleteOldComputers.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Computer Accounts in mtit older than 90 days.
**DELETE** NEWTEST1 Password Age is 151 days.
**DELETE** QWER Password Age is 151 days.
**DELETE** SRV211 Password Age is 97 days.
**DELETE** SRV212 Password Age is 154 days.
—Rod Trent

nyl
Crazy


Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 5:07 pm

Hack 18 Automate Creation of OU Structure


Here's a snappy method for creating a standard hierarchy of organizational units (OUs) for a domain.

If you manage deployment of Active Directory in a medium-sized or large organization, you probably are spending a significant amount of time trying to maintain consistency in the Active Directory hierarchy. Even within a single domain, it typically makes sense to keep your organizational units (OUs) structured according to some agreed-upon rules. Regardless of whether your top-tier OU design is based on functional, business, geographic, or some other criteria, you will likely benefit from keeping the lower tiers arranged in the same fashion. This way, for example, you can formulate standard operating procedures that will apply across the entire organization. You can also attempt to automate some of the common administrative tasks, such as user, group, or computer account creation; script delegations and permission assignments; and group policy object management on the OU level.

One of the ways to make sure that the structure will remain consistent throughout Active Directory deployment is to script the OU-creation process. The script in this hack creates a sample OU hierarchy. The assumption is that the top-level OUs are created manually, while the lower layers are always the same. The structure follows Microsoft best practices and includes two second-tier OUs: Accounts and Resources. The Accounts OU is further divided into Users, ServiceAccounts, Groups, and Admins. Resources consists of Workstations and Servers. It is fairly easy to extend this structure (for example, you could create separate OUs for different server types, such as File, Print, or TerminalServices, beneath the Servers OU). The script performs some error checking to verify that the respective organizational units haven't been created yet.

The Code
The following VBScript is a Windows script (*.wsf) file, a text document that contains Extensible Markup Language (XML) code. Using a text editor such as Notepad (with Word Wrap turned off), type the following code and save it as CreateOUs.wsf:

<?xml version="1.0"?>
<job id="CreateOUs">
<script language="VBscript">
<![CDATA[

'***************************************************************
'*** The script creates OU structure underneath top level OU
'*** Second level: Accounts and Resources
'*** Third level:
'*** Accounts children OUs - Users, ServiceAccounts, Groups, Admins
'*** Resources children OUs - Workstations, Servers
'***
'*** To execute, run cscript.exe //nologo CreateOUs.wsf OUName
'*** where OUName is the name of the top level OU

Option Explicit

Dim strOU1          'the first level OU
Dim strOU2          'the second level OU
Dim strOU3          'the third level OU
Dim arrOUTier2      'array of the second level OUs
Dim arrOUTier3a     'first array of the third level OUs
Dim arrOUTier3b     'second array of the third level OUs

Dim strDomainDN     'name of the domain
Dim strADsPath      'ADsPath of the first level OU
Dim strADsSubPath   'ADsPath of the second level OU
Dim adsRootDSE      'aDSRootDSE object
Dim adsContainer, adsSubContainer, adsOU
                    'variables representing AD container objects

'***************************************************************
'*** Connect to the current domain

Set adsRootDSE = GetObject("LDAP://rootDSE")
strDomainDN = adsRootDSE.Get("defaultNamingContext")

'***************************************************************
'*** Connect to the top level OU

strOU1 = WScript.Arguments(0)
strADsPath = "LDAP://OU=" & strOU1 & "," & strDomainDN
Set adsContainer = GetObject(strADsPath)

On Error Resume Next

arrOUTier2 = Array("Accounts", "Resources")
arrOUTier3a = Array("Users", "ServiceAccounts", "Groups", "Admins")
arrOUTier3b = Array("Workstations", "Servers")

'***************************************************************
'*** Populate the OU structure

For Each strOU2 in arrOUTier2

    Set adsOU = adsContainer.Create("OrganizationalUnit", "OU=" & strOU2)
    adsOU.SetInfo
    If ErrCheck(Err, strOU2) <> 2 Then

        strADsSubPath = "LDAP://OU=" & strOU2 & ",OU=" & strOU1 & "," & strDomainDN
        Set adsSubContainer = GetObject(strADsSubPath)

        Select Case strOU2
            Case "Accounts"
                For Each strOU3 in arrOUTier3a
                    Set adsOU = adsSubContainer.Create("OrganizationalUnit", "OU=" & strOU3)
                    adsOU.SetInfo
                    Call ErrCheck(Err, strOU3)
                Next
            Case "Resources"
                For Each strOU3 in arrOUTier3b
                    Set adsOU = adsSubContainer.Create("OrganizationalUnit", "OU=" & strOU3)
                    adsOU.SetInfo
                    Call ErrCheck(Err, strOU3)
                Next
        End Select

    End If

Next

On Error GoTo 0

Set adsOU = Nothing
Set adsContainer = Nothing

'***************************************************************
'*** Error checking function

Function ErrCheck(objErr, strObj)

    If objErr.Number <> 0 Then
        'if the object already exists
        If objErr.Number = &H80071392 Then
            WScript.Echo "The OU " & strObj & " already exists"
            ErrCheck = 1
        Else
            WScript.Echo "Unexpected error " & objErr.Description
            ErrCheck = 2
        End If

    Else

        ErrCheck = 0

    End If

    objErr.Clear

End Function

]]>
</script>
</job>

Running the Hack
To execute the script, open a command prompt, change to the directory in which CreateOUs.wsf resides, and type cscript.exe //nologo CreateOUs.wsf "OUName", where OUName is the name of the top-level OU. If OUName does not already exist, you'll get an error. To illustrate how this script works, I first created an OU named Boston in the mtit.com domain and then ran cscript.exe //nologo CreateOUs.wsf "Boston" from the command line. Figure 2-4 shows the result in Active Directory Users and Computers.

Figure 2-4. OU hierarchy for Boston

—Marcin Policht

nyl
Crazy


Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 5:07 pm

Hack 19 Modify All Objects in the OU


Use this script to quickly change specific properties of all objects within an organizational unit.

Using GUI tools such as Active Directory Users and Computers to modify the properties of objects stored in Active Directory is a slow process. In Windows 2000, you have to open the properties sheet for each object, switch to the appropriate tab, and make the change; then, you must do it over and over again for other objects. In Windows Server 2003, you can open the properties of multiple objects simultaneously, but not all tabs are available when you do this and only a small number of settings can be modified in this way. It would be nice if there were a faster way of doing this. Using VBScript, this is indeed possible.

The sample script in this hack shows how you can modify the properties of all objects in a specific OU. This particular script modifies the state, address, postal code, and city for all User objects in the Boston OU in the mtit.com domain, but it can easily be customized to modify other properties of objects. This script is particularly useful if you've planned your implementation of Active Directory so that users in the same OU have certain sets of similar properties, such as their business address information.

The Code
Type the following script into Notepad (with Word Wrap disabled) and save it with a .vbs extension as ModifyUsers.vbs. Be sure to customize the second line to specify the OU and domain for your own environment, and customize the Put statements to use the address information appropriate for users in your OU.

Dim oContainer

Set oContainer=GetObject("LDAP://OU=Boston,DC=mtit,DC=com")

ModifyUsers oContainer

'cleanup
Set oContainer = Nothing

WScript.Echo "Finished"

Sub ModifyUsers(oObject)
    Dim oUser
    oObject.Filter = Array("user")
    For Each oUser in oObject
        oUser.Put "st","Your State"
        oUser.Put "streetAddress","Your Address"
        oUser.Put "postalCode","Your Zip"
        oUser.Put "l","Your City"
        oUser.SetInfo
    Next
End Sub

Running the Hack
To run the script, simply create a shortcut to it and double-click on the shortcut. A dialog box will appear, indicating that the script ran successfully. Figure 2-5 shows what the Address tab of the properties sheet for user Bob Smith (who is in the Boston OU) looks like after running the script.

Figure 2-5. Result of running the ModifyUsers.vbs script

—Rod Trent

nyl
Crazy


Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 5:09 pm

Hack 20 Delegate Control of an OU to a User


Rather than use the Delegation of Control Wizard, use this script to delegate authority over an organizational unit (OU) to a particular user.

By delegating administrative responsibilities, you can eliminate the need for multiple administrative accounts that have broad authority (such as over an entire domain). Although you likely will still use the predefined Domain Admins group for administration of the entire domain, you can limit the accounts that are members of the Domain Admins group to highly trusted administrative users.

Administrative control can be granted to a user or group by using the Delegation of Control wizard. The Delegation of Control wizard allows you to select the user or group to which you want to delegate control, the organizational units and objects you want to grant those users the right to control, and the permissions to access and modify objects.

The Code
While using the wizard to do this is straightforward, there is a quick and easy way to achieve the same effect through VBScript. Just open a text editor such as Notepad (making sure that Word Wrap is disabled), type the following script, and save it with a .vbs extension as DelegateOU.vbs:

' ADSI constants are not predefined in a plain .vbs file, so declare them here
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1

Set ou = GetObject("LDAP://OU=Test,OU=Users,OU=Services,OU=Network,DC=MY,DC=Domain,DC=com")
Set sec = ou.Get("ntSecurityDescriptor")
Set acl = sec.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ace.AccessMask = ADS_RIGHT_DS_CREATE_CHILD Or ADS_RIGHT_DS_DELETE_CHILD
ace.ObjectType = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}" 'User's GUID (schemaIDGuid)
ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
ace.Trustee = "MY\Jsmith" 'User to delegate to
acl.AddAce ace
sec.DiscretionaryAcl = acl
ou.Put "ntSecurityDescriptor", Array(sec)
ou.SetInfo
Set ace = Nothing
Set acl = Nothing
Set sec = Nothing

When you run this script, the result is to delegate to the user the ability to create and delete users in the MY.DOMAIN.COM/NETWORK/SERVICES/USERS/TEST organizational unit.

The first line you need to customize to make this work in your own environment is this one:

Set ou = GetObject("LDAP://OU=Test,OU=Users,OU=Services,OU=Network," & _
    "DC=MY,DC=Domain,DC=com")
You must insert the distinguished name (DN) of the OU to which you want to delegate this right in the LDAP URL section of the command line. For example, if you want the delegated user to be able to add and delete users in the OU called UR.DOMAINHERE.COM/HR/USERS, the line would need to look like this:

Set ou = GetObject("LDAP://OU=Users,OU=HR,DC=Ur,DC=Domainhere,DC=com")
Here is another line you need to modify for your environment:

ace.Trustee = "MY\Jsmith" 'User to delegate to
In the section in double quotes ("MY\Jsmith"), you must insert the username for the user to whom you want to delegate the right to add and delete users. For example, if the user that you want to be able to ADD and DELETE users is called Janedoe, the line would look like this:

ace.Trustee = "UR\Janedoe" 'Who is the beneficiary of this ace
Make sure you have the latest scripting engines on the workstation you run this script from; you can download current scripting engines from the Microsoft Scripting home page (http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.asp?contentid=28001169). When working with the Active Directory Services Interface (ADSI), you must have the same applicable rights you need to use the built-in administrative tools.

Running the Hack
To run the script, simply create a shortcut to the script and double-click on the shortcut. The script itself does the rest.

—Hans Schefske
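
To review what DelegateOU.vbs leaves on the OU, the resulting ACE can be read back from the SDDL form of the OU's security descriptor. The following Python is an added example, not part of the original post or the book's script: it parses an SDDL string and lists the allow ACEs that grant create-child or delete-child rights. The sample SDDL, its SIDs and all function names are constructed for illustration.

```python
import re

CREATE_CHILD = 0x1  # ADS_RIGHT_DS_CREATE_CHILD in DelegateOU.vbs, "CC" in SDDL
DELETE_CHILD = 0x2  # ADS_RIGHT_DS_DELETE_CHILD in DelegateOU.vbs, "DC" in SDDL
USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"  # ObjectType set by the script

# Two-letter SDDL codes for directory-service, standard and generic rights.
DS_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
ALLOW_TYPES = {
    "A": "ADS_ACETYPE_ACCESS_ALLOWED",
    "OA": "ADS_ACETYPE_ACCESS_ALLOWED_OBJECT",
}

# Constructed sample (not real data): owner/group, a DACL with four ACEs, a SACL.
# The third ACE is the shape DelegateOU.vbs adds: object-allow (OA), container
# inherit (CI, ADS_ACEFLAG_INHERIT_ACE), CC+DC, scoped to the User class GUID.
SAMPLE_SDDL = (
    "O:DAG:DA"
    "D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    "(A;;LCRPLORC;;;AU)"
    "(OA;CI;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;"
    "S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(OA;CIIO;RPWP;;bf967aba-0de6-11d0-a285-00aa003049e2;"
    "S-1-5-21-1111111111-2222222222-3333333333-1106)"
    "S:(AU;SA;WDWO;;;WD)"
)


def split_codes(text):
    """Split a run of two-letter SDDL codes, e.g. 'CIIO' -> ['CI', 'IO']."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def parse_rights(text):
    """Turn an SDDL rights field (hex or two-letter codes) into an access mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for code in split_codes(text):
        if code not in DS_RIGHTS:
            raise ValueError("unsupported rights code: %r" % code)
        mask |= DS_RIGHTS[code]
    return mask


def dacl_aces(sddl):
    """Return the ACEs of the D: (DACL) part as dicts; the S: (SACL) part is
    ignored. Conditional ACEs with nested parentheses are not handled."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        # Field order: type;flags;rights;object_guid;inherit_object_guid;trustee
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append({
            "type": fields[0],
            "flags": split_codes(fields[1]),
            "mask": parse_rights(fields[2]),
            "object_type": fields[3].lower() or None,
            "trustee": fields[5],
        })
    return aces


def find_child_delegations(sddl):
    """List allow ACEs that let a trustee create or delete child objects."""
    findings = []
    for ace in dacl_aces(sddl):
        granted = ace["mask"] & (CREATE_CHILD | DELETE_CHILD)
        if ace["type"] not in ALLOW_TYPES or not granted:
            continue
        rights = []
        if granted & CREATE_CHILD:
            rights.append("ADS_RIGHT_DS_CREATE_CHILD")
        if granted & DELETE_CHILD:
            rights.append("ADS_RIGHT_DS_DELETE_CHILD")
        findings.append({
            "trustee": ace["trustee"],
            "ace_type": ALLOW_TYPES[ace["type"]],
            "rights": rights,
            "object_type": ace["object_type"],  # None means every object class
            "user_objects_only": ace["object_type"] == USER_CLASS_GUID,
            "inherited_by_child_containers": "CI" in ace["flags"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_child_delegations(SAMPLE_SDDL):
        print(finding)
```

An ACE with no object type (the first finding in the sample) covers every object class, while the delegated ACE is limited to User objects.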
nyl
Crazy


Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 5:09 pm

Hack 21 Send OU Information in Active Directory to an HTML Page


Here's a terrific way to quickly display all the organizational units (OUs) in a domain.

If your Active Directory (AD) domains have a lot of OUs in them, it's easy to lose track of them, especially if you have OUs nested within OUs. This handy script generates an HTML page of all OUs in your current AD domain showing their path, description, and creation date. This information not only tells you which OUs you have in your domain, it also tells you which OUs contain other OUs, so you can easily create a map of the OU structure of your domain.

The Code
Just open Notepad or some other text editor (with Word Wrap disabled), type the following script, and save it with a .vbs extension as OU2HTML.vbs:

On Error Resume Next

Dim Root,Domain,wshNetwork
Dim oFileSys,fh

Set Root = GetObject("LDAP://RootDSE")
DomainPath = Root.Get("DefaultNamingContext")
Set Domain = GetObject("LDAP://" & DomainPath)
set wshNetwork=CreateObject("Wscript.Network")

myDomain=wshNetwork.UserDomain

htmlfile=myDomain & "-OUs.htm"

Set oFileSys=CreateObject("Scripting.FileSystemObject")
Set fh=oFileSys.CreateTextFile(htmlfile)

'Write the page header and the table heading row
fh.WriteLine "<HTML><Title>" & myDomain & " Organizational Units</Title>"
fh.WriteLine "<Body>" & myDomain & " " & _
    "Organizational Units<HR>"
fh.WriteLine "<Table Border=1 BorderColor=Blue CellSpacing=0><TR>"
fh.WriteLine "<TD BGColor=Blue><P Align=Center> " & _
    "OU</TD>"
fh.WriteLine "<TD BGColor=Blue><P Align=Center>Description</TD>"
fh.WriteLine "<TD BGColor=Blue><P Align=Center> " & _
    "Path</TD>"
fh.WriteLine "<TD BGColor=Blue><P Align=Center> " & _
    "Created</TD></TR>"

wscript.echo "Getting OU information for " & mydomain & "..."
EnumOU Domain.ADSPath

fh.WriteLine "</Table>Page Generated " & Now
fh.WriteLine "</Body></HTML>"
fh.close

wscript.echo "Output has been sent to " & htmlfile

Set oFileSys=Nothing
Set fh=Nothing
Set domain=Nothing
Set Root=Nothing
Set wshNetwork=Nothing

wscript.quit

'*****************************************
Sub EnumOU(objPath)

    'On Error Resume Next

    Set objPath = GetObject(objPath)

    objPath.Filter=Array("organizationalUnit")

    For Each item in objPath
        If item.Description="" Then
            ouDescription="N/A"
        Else
            ouDescription=item.Description
        End If

        'One table row per OU: name, description, path, creation date
        fh.writeLine "<TR><TD>" & MID(item.Name,4) & "</TD><TD>" & ouDescription & _
            "</TD><TD>" & item.ADSPath & "</TD><TD>" & GetCreated(item.ADSPath) & "</TD></TR>"
        'Uncomment next line for debugging purposes
        ' wscript.echo item.Name & vbTab & item.Description & vbTab & item.ADSPath

        'Iterate through
        EnumOU item.ADSPath

    Next

    Set objPath=Nothing

End Sub

'****************************
Function GetCreated(objPath)
    On Error Resume Next

    Set objDetail=GetObject(objPath)
    Set objSchema=GetObject(objDetail.Schema)

    For Each z in objSchema.OptionalProperties
        Set adsProperty = GetObject("LDAP://Schema/" & z)
        If z="whenCreated" Then
            strCreated = objDetail.Get(z)
            GetCreated=strCreated
            'wscript.echo "Created " & strCreated
            strValue=""
        End If
    Next

End Function

Running the Hack
To run the script, simply create a shortcut to the script, double-click on the shortcut, and follow the prompts provided by the dialog boxes the script generates. When the script runs, it creates an HTML page in the same directory in which the script itself is located. The name of this HTML page is domain-OUs.htm, where domain is the name of your domain. Figure 2-6 shows a sample HTML page created for a test domain named mtit.com.

Figure 2-6. OUs in the mtit.com domain

It's easy to see from the Path column in Figure 2-6 that the Local and National OUs are contained within the Sales OU.

—Hans Schefske

nyl
Crazy


Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 5:14 pm

Hack 1. Install PHP


Install the PHP language on Windows, Mac OS X, and Linux, and for both Apache and Internet Information Server.

Installing PHP is the first step in using this book, and on most operating systems, it's a very easy thing to do. PHP installation starts with going to the PHP web site (http://www.php.net/) and downloading either the source code or the binaries, along with documentation.

1.2.1. Installing PHP on Windows
On Windows, you need to start your PHP installation by downloading the PHP binaries for PHP Version 5. Use the .msi installer to make it easy on yourself, and specify the installation directory as c:\php5. With your PHP installation in place, you can run the PHP interpreter from a Windows DOS prompt:

C:\> php -v
PHP 5.0.4 (cli) (built: Mar 31 2005 02:45:00)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.4-dev, Copyright (c) 1998-2004 Zend Technologies



If the php executable is not found, you need to add c:\php5\bin to your path. Use the Advanced tab of the system control panel, and click on the Environment Variables button. From there, edit the Path variable, adding c:\php5\bin to whatever path you already have in place.

You will need to close any open command prompt windows and then open a new command prompt window to ensure that these changes take effect.






Command-line access to PHP is great, but you really want to have PHP installed in and integrated with your web server. On Windows, you have two options for this integration. The first is to install the Apache Web Server and configure it for PHP; the second is to install the Internet Information Services (IIS) web server and to install PHP into that environment.

In either case, you need to copy the php.ini file to your Windows directory, c:\windows. Edit the c:\windows\php.ini file and change the extension_dir line to read as follows:

extension_dir = "c:\php5\ext"



Further, uncomment lines such as this one:

extension=php_mysql.dll



This line enables access to the MySQL database.

You might want to uncomment several other libraries in this file to enable access to other libraries; see the PHP documentation for more on specific libraries.






Now go back to the PHP site (http://www.php.net/) and download the collection of PECL modules. Save these DLL files into the c:\php5\ext directory (the same directory you just referenced in php.ini). These extensions are required if you want access to SQL databases or if you want to use graphics functions (you will want to use both of these at some point).

1.2.1.1. Installing PHP in Apache.
Go to the Apache web site (http://www.apache.org/) and download Version 1.3 of Apache, which is precompiled for Windows. This comes as an MSI installer, and that's the easiest way to install Apache. Once you've got Apache installed, the next step is to fix the httpd.conf file in the Apache conf directory (c:\Program Files\Apache Group\Apache\conf if you installed Apache in the default location).

Add the following lines to the end of the httpd.conf file:

LoadModule php5_module "c:/php5/php5apache.dll"
AddModule mod_php5.c
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps



Next, start the Apache server by running apache.exe:

C:\Program Files\Apache Group\Apache> apache
Apache/1.3.33 (Win32) PHP/5.0.4 running…



The documents directory for this installation is htdocs (making the complete path c:\Program Files\Apache Group\Apache\htdocs). To test it, create a test.php file in the htdocs directory and put this code in the file:

<?php
phpinfo();
?>



Use your web browser to surf to the page; you should see something like Figure 1-1.

From here, you can use the code from all of the hacks in this book.

1.2.1.2. Installing PHP in IIS.
After installing PHP to the c:\php5 directory, you can integrate PHP into IIS through php5isapi.dll. Start by launching the IIS control panel. Then create a new virtual directory as shown in Figure 1-2.

Make sure to set the Execute permission correctly (detailed in Figure 1-3).

Next, right-click on the virtual directory and select Properties. Then, in the Properties dialog, click on the Configuration button. This will bring up the Application Mappings dialog, where you can associate the .php extension with php5isapi.dll. This dialog is shown in Figure 1-4.

Click on the Add button to create a new mapping, and set the executable to c:\php5\php5isapi.dll.

If you use the Browse button when creating a new mapping, you will need to change the file type to the DLL setting so that you can see the file.






Set the extension to .php. The result should look like Figure 1-5.

Click OK (and confirm all the dialogs on the way out). Then navigate to the documents directory that you specified when you created the virtual directory. Create a new file called test.php with these contents:

<?php
phpinfo();
?>




Then, navigate your browser to that file on localhost; you should see something like Figure 1-1.

Figure 1-1. The PHP test page on an Apache/Windows install

Figure 1-2. Creating a virtual directory

Figure 1-3. Setting the Execute permission of the virtual directory

Figure 1-4. The Application Mappings dialog to set the .php file mapping

Figure 1-5. The mapping settings for PHP 5




1.2.2. Installing PHP on Mac OS X
PHP is preinstalled on all versions of OS X. All you need to do is enable it. That process starts with becoming the super user using the sudo command:

% sudo tcsh



In the super-user shell, you can modify system files. The next step is to edit the httpd.conf file in /etc/httpd using your text editor of choice (vi, emacs, etc.). Find and uncomment this line:

LoadModule php4_module libexec/httpd/libphp4.so



In addition, uncomment this line:

AddModule mod_php4.c



Then save the file and restart the built-in Apache server:

% apachectl restart



The default documents directory for the Apache Web Server on Mac OS X is /Library/WebServer/Documents. To test that PHP is responding correctly, create a test script in the documents directory:

<?php
phpinfo();
?>



Finally, surf to the test page so you can view the PHP status page (shown in Figure 1-6).

However, all is not well; the preinstalled version of PHP on Mac OS X is Version 4, which has a very limited set of modules. Notably missing are any graphics modules! To get Version 5 of PHP, you can either download the source and then compile and install it or find a precompiled binary package.


Figure 1-6. The test page on OS X




I recommend using a precompiled binary package since it's much easier. When you compile PHP from source, you need to also download, compile, and install a variety of other libraries that PHP uses, such as the graphics libraries. That can be a very time-consuming process.






Marc Liyanage has an OS X binary package of PHP 5 with a bunch of nice libraries preinstalled on his web site (http://www.entropy.ch/software/macosx/php/). To install it, simply download the package installer and launch it (don't you love Mac OS X sometimes?).

After installing the PHP 5 package, you will need to move the PHP 4 executables out of their default locations. Use these commands to move php and pear to php4 and pear4:

% sudo mv /usr/bin/php /usr/bin/php4
% sudo mv /usr/bin/pear /usr/bin/pear4



Now request the version information from the PHP interpreter to ensure that you have Version 5 installed:

% php -v
PHP 5.0.4 (cli) (built: Apr 4 2005 17:32:28)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.4-dev, Copyright (c) 1998-2004 Zend Technologies



Verifying an Apache Web Server installation means going back to the test page we created earlier; Figure 1-7 shows the PHP page verifying that PHP 5 is running.


Figure 1-7. The test page after installing PHP 5




1.2.3. Installing PHP on Linux
The process of installing PHP on Linux actually begins with determining whether PHP is already installed (in many cases, it is). First, you should check for the presence of the Apache Web Server on your installation. Is the machine serving pages? If not, check for the presence of the Apache httpd executable:

my-host$ find / -name httpd



If you find the Apache binary, make sure it's run as part of your machine's startup process. If Apache is not installed, installing the web server is your first step toward installing PHP. Go to the Apache web site (http://apache.org/) and download and install the server.

I strongly recommend installing Version 1.3 of the server, and not using Version 2.0. Most hosting sites on the Internet provide Apache 1.3, which is a stable and proven technology. Apache 2, while newly developed, has threading features that PHP doesn't use.






Once Apache is installed, the next step is to check for an existing PHP installation. Create a file called index.php and place it in the Apache documents directory. The contents of the file should be:

<?php
phpinfo();
?>



Surf to the machine with your web browser and look at index.php. If you see something like Figure 1-7, you have a working PHP installation. If you see just the text of the index.php file, PHP is either not installed or not active.

Check your Apache httpd.conf configuration file. If you see lines like this:

# LoadModule php4_module libexec/httpd/libphp4.so



enable those lines by removing the hash symbol at the start of the line. If the file contains no lines that are relevant to PHP, you will have to install PHP from source.

Installing from source means downloading the source .tgz file from http://www.php.net/. Follow the installation instructions contained on the PHP site. You already have Linux running, so this should be a breeze.

I recommend installing PHP 5, as it's the most current version and it has language features that support writing more robust applications.






With PHP installed, you should be able to navigate to the index.php page that you built earlier in this process and see output like Figure 1-7.

1.2.4. Checking Your ISP Installation
To check the specifics of your ISP's PHP installation, you need to create a test page on your ISP server and surf your browser over to it. The contents of the test page should be:

<?php
phpinfo();
?>



With this file up on your server, you should be able to surf to it in your browser and see something like Figure 1-7. This will give you a complete listing of how the PHP interpreter was compiled, as well as what modules are installed.

Two of the most common problems are lack of a database interface and lack of graphics tools. You should make sure that your ISP account has these installed. If you don't have these libraries installed, file a service ticket with your ISP to add these features (you shouldn't get much resistance; these are standard PHP libraries, useful to all PHP programmers).

If you do not already have an ISP, make sure that any prospective ISPs have what you need installed before signing up. A small survey of hosting sites taken during the writing of this book indicated that most sites support both PHP 4 and PHP 5, but that many of them support PHP 5 as a CGI extension, which is slower than having it installed directly into the Apache Web Server. If PHP 5 is important to you, ensure that the site supports PHP 5 directly as an Apache plug-in, and not via CGI.

1.2.5. Installing MySQL
PHP is just one part of what is called the LAMP architecture. LAMP stands for Linux, Apache, PHP (Python, Perl, or Ruby), and MySQL. The LAMP architecture is extremely popular because it's easy to install, easy to learn, very stable, and, best of all, free. Each piece of the LAMP puzzle contributes a major portion to the whole. Linux is the operating system upon which all the pieces run. Apache is the super-stable web server. PHP is the easy-to-use scripting language. And MySQL is where all of the data is stored. Because any reasonably complex web application will have some structured data storage requirements, most Unix ISPs offer Apache, PHP, and MySQL, which means that your code will not only be easy to develop, but also will run almost anywhere.

Installing MySQL is very easy. Binary installers are available for Windows, Mac OS X, and some flavors of Linux; these are the easiest ways to get MySQL running quickly.

Additionally, the source code compiles easily on all the Unix platforms. To build MySQL from source, first download the latest source code .tgz file from the official MySQL site (http://www.mysql.com/). Unpack that file and follow the instructions in the documentation on building the source and installing it. This will require super-user access, and access to the command line.

1.2.6. Managing the Databases
Once MySQL is installed, you will want to create a database to hold the tables for your web application. To create a new database, use the following command:

% mysqladmin --user=root --password=password create dbname



You will have to change the username and password to whatever is appropriate for your installation. dbname needs to change to whatever name you want for your database.

Most of the hacks in this book create a database for use in the hack. These databases are given different names so that they don't overlap each other. Ideally, each PHP application should be using a different MySQL database.

Removing a database is just as easy:

% mysqladmin --user=root --password=password drop foo
Dropping the database is potentially a very bad thing to do.
Any data stored in the database will be destroyed.

Do you really want to drop the 'foo' database [y/N] y
Database "foo" dropped
%



In this case, I'm dropping the database named foo. By default, MySQL prompts to see whether you really want to drop the table. You can disable the prompt by adding the -f directive:

% mysqladmin --user=root --password=password drop -f foo
Database "foo" dropped



This directive is particularly handy when automating database updates.






After creating a database, the next step is to add tables and data to it. The easiest way to do that is simply to redirect the SQL file that has the database schema into the mysql client application. Here is an example:

% mysqladmin --user=root --password=password create btest
% mysql --user=root --password=password btest < books.sql



The first command creates a database named btest, and the second loads it up with the table definitions and data in books.sql.

You can accomplish this schema and data loading in several ways, but I find this process to be the most convenient.






If you don't like to use command lines, you can always manage the database through the phpMyAdmin (http://www.phpmyadmin.net) web application. This user-friendly application allows you to add and remove databases, create and alter tables, query data, and even insert and update data through the web interface.

1.2.7. See Also
"Install PEAR Modules" [Hack #2]
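The install checks in the post above leave a test.php or index.php that calls phpinfo() in each document root, and that page gives a complete listing of how the interpreter was compiled and which modules are installed to anyone who can request it. As an added example (not part of the original post or the book it quotes), this shell function finds such files under a document root and separates bare test pages from application files that merely contain a call; the function name and the two output labels are made up for the example.

```shell
#!/bin/sh
# find_phpinfo_pages DOCROOT   (hypothetical helper, not from the post)
# Prints one sorted line per PHP file under DOCROOT that calls phpinfo():
#   test-page<TAB>path   the file holds nothing but the phpinfo() call
#   embedded<TAB>path    the call sits inside other code; review by hand
# File names containing newlines are not supported.
find_phpinfo_pages() {
    docroot=$1
    find "$docroot" -type f \( -name '*.php' -o -name '*.phps' \) -print |
    while IFS= read -r f; do
        # PHP function names are case-insensitive, so PhpInfo( matches too.
        grep -Eiq 'phpinfo[[:space:]]*\(' "$f" || continue
        # Remove the open/close tags, the call itself and all whitespace.
        # If nothing is left, the file is a bare test page.
        rest=$(sed -E \
            -e 's/<\?(php)?//g' \
            -e 's/\?>//g' \
            -e 's/[Pp][Hh][Pp][Ii][Nn][Ff][Oo][[:space:]]*\([^)]*\)[[:space:]]*;?//g' \
            "$f" | tr -d '[:space:]')
        if [ -z "$rest" ]; then
            printf 'test-page\t%s\n' "$f"
        else
            printf 'embedded\t%s\n' "$f"
        fi
    done | LC_ALL=C sort
}

# Usage: find_phpinfo_pages /Library/WebServer/Documents
```

Files reported as test-page are the leftovers of the install check and can be deleted once the installation is confirmed; embedded hits need a look at the surrounding code first.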
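Every mysqladmin and mysql command in the post above passes --password=... as an argument, where it is readable in the process list and kept in shell history. As an added example (not from the post or the book), these two functions run the same create-and-load steps with the credentials read from a mode-600 client option file through --defaults-extra-file; the function names and file paths are assumptions.

```shell
#!/bin/sh
# write_mysql_optfile FILE USER   (hypothetical helper)
# Reads the password from stdin and stores it in a client option file that
# only the current user can read. Assumes the password contains no double
# quote or backslash.
write_mysql_optfile() {
    optfile=$1
    user=$2
    IFS= read -r pw || return 1
    # Create or truncate the file and lock it down before the secret goes in.
    ( umask 077; : > "$optfile" ) || return 1
    chmod 600 "$optfile" || return 1
    # The quotes keep '#' and spaces in the password from being parsed away.
    printf '[client]\nuser=%s\npassword="%s"\n' "$user" "$pw" > "$optfile"
}

# create_and_load OPTFILE DBNAME SQLFILE   (hypothetical helper)
# Same two steps as in the post (mysqladmin create, then mysql < schema),
# with the credentials taken from OPTFILE instead of the command line.
create_and_load() {
    optfile=$1
    db=$2
    sql=$3
    # --defaults-extra-file has to be the first option on the command line.
    mysqladmin --defaults-extra-file="$optfile" create "$db" &&
    mysql --defaults-extra-file="$optfile" "$db" < "$sql"
}

# Usage (the password is typed at the prompt, not passed as an argument):
#   stty -echo; write_mysql_optfile "$HOME/.my-btest.cnf" root; stty echo
#   create_and_load "$HOME/.my-btest.cnf" btest books.sql
```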
nyl
Crazy


Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Tue Jul 10, 2007 5:15 pm

Hack 2. Install PEAR Modules


Access the vast PEAR source code repository to find cool functionality to add to your PHP applications.

The PEAR library is a set of user-contributed PHP modules that are structured in a common way so that they can be downloaded, installed, and versioned consistently. PEAR is so fundamental to PHP that it now comes as a standard part of the PHP installation.

To find out what is available in the PEAR library, surf on over to the PEAR site (http://pear.php.net/). There you can find the list of modules or search by module name. When you find a module you want to install, simply run the pear program on your command line.

On Windows, the invocation looks like this:

C:\> pear install DB
downloading DB-1.7.6.tgz …
Starting to download DB-1.7.6.tgz (124,807 bytes)
............................done: 124,807 bytes
install ok: DB 1.7.6



In this case, I am installing the PEAR module named DB [Hack #35], an object-oriented database wrapper that is used extensively in this book.

On Windows, you might need to make sure that the pear.bat batch file, located in the bin directory of your PHP installation directory, is on the path. In addition, the directory where the PEAR modules are installed is often not created by default. In that case, you need to use Windows Explorer or the command line to create the PEAR directory. If you installed PHP in c:\php5, the PEAR directory is c:\php5\pear. You might also need to add this directory to the modules path in the c:\windows\php.ini file.






On Unix systems, including Mac OS X, running the pear program is just as easy:

% sudo pear install HTTP_Client
downloading HTTP_Client-1.0.0.tgz …
Starting to download HTTP_Client-1.0.0.tgz (6,396 bytes)
.....done: 6,396 bytes
install ok: HTTP_Client 1.0.0
%



Here I am installing the HTTP_Client PEAR module [Hack #84]. You'll have to use the sudo command because the PEAR module will be installed system-wide.

To get a list of available PEAR modules, run the list-all command:

% pear list-all
All packages:
=============
Package Latest Local
APC 3.0.3
Cache 1.5.4 1.5.4
Cache_Lite 1.4.1
apd 1.0.1
memcache 1.4
parsekit 1.0




Because this is not making any changes to system-wide files, super-user access is not required.






Some PEAR modules are listed as unstable. This means that they are currently in development. Asking PEAR to install them will result in an error message:

% sudo pear install Services_Amazon
No release with state equal to: 'stable' found for 'Services_Amazon'



Here, the Amazon Web Services module is so new, and possibly unstable, that it's marked as alpha or beta. So you need to force PEAR to install the module using the -f directive:

% sudo pear install -f Services_Amazon
Warning: Services_Amazon is state 'beta' which is less stable than state
'stable'
downloading Services_Amazon-0.2.0.tgz …
Starting to download Services_Amazon-0.2.0.tgz (8,086 bytes)
.....done: 8,086 bytes
install ok: Services_Amazon 0.2.0



Another option is to request a specific version of the module:

% sudo pear install Services_Amazon-0.2.0
downloading Services_Amazon-0.2.0.tgz …
Starting to download Services_Amazon-0.2.0.tgz (8,086 bytes)
.....done: 8,086 bytes
install ok: Services_Amazon 0.2.0



This will bypass any stability check and is handy when you want to revert to an earlier version of a module when a later version fails to work.

You can find out which PEAR modules are already installed on your system by using the list command:

% pear list
Installed packages:
===================
Package Version State
Archive_Tar 1.1 stable
Benchmark 1.2.3 stable
Cache 1.5.4 stable
Console_Getopt 1.2 stable
DB 1.7.6 stable
HTML_Template_IT 1.1 stable
HTTP 1.3.6 stable
HTTP_Client 1.0.0 stable
HTTP_Request 1.2.4 stable
Image_Barcode 1.0.4 stable
Log 1.8.7 stable
Net_Curl 0.2 stable
Net_SmartIRC 1.0.0 stable
Net_Socket 1.0.6 stable
Net_URL 1.0.14 stable
Net_UserAgent_Detect 2.0.1 stable
PEAR 1.3.5 stable
PHPUnit 1.2.3 stable
PHPUnit2 2.2.1 stable
SOAP 0.9.1 beta
Services_Amazon 0.2.0 beta
Services_Google 0.1.1 alpha
Services_Weather 1.3.1 stable
Services_Yahoo 0.1.0 alpha
XML_Parser 1.2.6 stable
XML_RPC 1.2.2 stable
XML_RSS 0.9.2 stable
XML_Serializer 0.16.0 beta
XML_Tree 1.1 stable
XML_Util 1.1.1 stable



Don't confuse list with list-all; the first lists installed modules, and the second lists available modules.






Becoming fluent with PEAR is critical to making the best use of PHP. The libraries built into PHP are fine, but the additional PEAR modules make PHP a true rapid application development environment.

1.3.1. Installing PEAR Modules on Your ISP
Because you don't have super-user access on an ISP machine, you will need to be a little cleverer about how you install PEAR modules. The first step is to establish a library directory where the PEAR modules will go. You do this by creating the directory on your ISP machine. Then you use the ini_set command to add the directory onto the include path, as shown in the following code fragment:

<?php
ini_set( 'include_path',
ini_get( 'include_path' ).PATH_SEPARATOR."/users/jherr/mylibs" );
?>



This code should go into your PHP page or into a common PHP header that is included on every page.






This adds the directory /users/jherr/mylibs to the list of paths that the include and require directives will search. You must do this before attempting to require or include any installed PEAR modules.

After creating the library directory and tweaking the include path, you can download the PEAR module you want to install from the PEAR site (http://pear.php.net/). Unpack it and place the source files in the library directory you just specified (/users/jherr/mylibs in this example).
mumu
Generalu' Rommel


Joined: 08 Jun 2005
Posts: 1745
Location: IS

Posted: Thu Jan 15, 2009 4:40 pm

Hi

I want to install 64-bit XP on a laptop. Do I need to make any changes in the BIOS?
_________________
We are all born equal.... some, however, are born more equal than others...
nyl
Crazy


Joined: 13 May 2007
Posts: 341
Location: 23August

Posted: Fri Jan 16, 2009 4:22 pm

You have to make sure you have a processor that works in 64-bit


e.g.: AMD ATHLON64, AMD SEMPRON 64, Intel DualCore, Intel Core2Duo, Intel Core2Duo quadCore
_________________


www.clanah.net
CONTACT ME IF YOU WANA JOIN THE CLAN!!!