HowTo: Export a list of all computers in an AD OU

To export a list of all computers and non-domain-controller servers in an Active Directory OU, use dsquery.exe. For example, to export all computers in mydomain.com’s servers OU to machines.txt:

DSQUERY COMPUTER "OU=servers,DC=mydomain,DC=com" -o rdn -limit 1000 > c:\machines.txt
 
Use -limit when you want to return more than the default 100 results. Note that -o rdn will produce the relative distinguished name (which means no OU=,DC= in the name).
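When the export is left in the default DN format, the lines can be turned into rows and checked against the -limit value, since a result count equal to the limit usually means the list was cut short. The following PowerShell is an added example, not part of the original post; the function name ConvertFrom-DsqueryDn and the sample computer names are constructed for illustration.

```powershell
# Constructed sample of `dsquery computer "OU=servers,DC=mydomain,DC=com" -limit 3`
# output in the default -o dn format: one quoted DN per line. Names are made up.
# On a live domain member, capture real output instead:
#   $lines = dsquery computer "OU=servers,DC=mydomain,DC=com" -limit 1000
$lines = @'
"CN=FILE01,OU=servers,DC=mydomain,DC=com"
"CN=SQL01,OU=db\, prod,OU=servers,DC=mydomain,DC=com"
"CN=WEB01,OU=servers,DC=mydomain,DC=com"
'@ -split "`r?`n"

# Hypothetical helper: turn DN lines into rows and flag a likely truncated export.
function ConvertFrom-DsqueryDn {
    param([string[]]$Lines, [int]$Limit = 100)   # 100 is the dsquery default

    $rows = @(foreach ($line in $Lines) {
        $dn = $line.Trim().Trim('"')
        if ($dn -eq '') { continue }
        # Split on commas that are not escaped with a backslash.
        $parts  = [regex]::Split($dn, '(?<!\\),')
        $parent = if ($parts.Count -gt 1) { $parts[1..($parts.Count - 1)] -join ',' } else { '' }
        [pscustomobject]@{
            Name     = $parts[0] -replace '^CN=', ''
            ParentDN = $parent
            DN       = $dn
        }
    })

    # -limit 0 means "return everything"; otherwise a full page suggests more exist.
    if ($Limit -gt 0 -and $rows.Count -ge $Limit) {
        Write-Warning "Got $($rows.Count) rows with -limit $Limit; the list may be truncated."
    }
    $rows
}

$computers = ConvertFrom-DsqueryDn -Lines $lines -Limit 3
$computers | Format-Table Name, ParentDN -AutoSize
```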
 
Full dsquery syntax:
 
Syntax:     dsquery computer [{<StartNode> | forestroot | domainroot}]
           [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}]
           [-name <Name>] [-desc <Description>] [-samid <SAMName>]
           [-inactive <NumWeeks>] [-stalepwd <NumDays>] [-disabled]
           [{-s <Server> | -d <Domain>}] [-u <UserName>]
           [-p {<Password> | *}] [-q] [-r] [-gc]
           [-limit <NumObjects>] [{-uc | -uco | -uci}]
 
 
Parameters:
Value                       Description
{<StartNode> | forestroot | domainroot}
                           The node where the search will start:
                           forest root, domain root, or a node
                           whose DN is <StartNode>.
                           Can be “forestroot”, “domainroot”
                           or an object DN.
                           If “forestroot” is specified, the search is done
                           via the global catalog. Default: domainroot.
-o {dn | rdn | samid}       Specifies the output format.
                           Default: distinguished name (DN).
-scope {subtree | onelevel | base}
                           Specifies the scope of the search:
                           subtree rooted at start node (subtree);
                           immediate children of start node only (onelevel);
                           the base object represented by start node (base).
                           Note that subtree and domain scope
                           are essentially the same for any start node
                           unless the start node represents a domain root.
                           If forestroot is specified as <StartNode>,
                           subtree is the only valid scope.
                           Default: subtree.
-name <Name>                Finds computers whose name matches the value
                           given by <Name>, e.g., “jon*” or “*ith”
                           or “j*th”.
-desc <Description>         Finds computers whose description matches
                           the value given by <Description>,
                           e.g., “jon*” or “*ith” or “j*th”.
-samid <SAMName>            Finds computers whose SAM account name
                           matches the filter given by <SAMName>.
-inactive <NumWeeks>        Finds computers that have been inactive (stale)
                           for at least <NumWeeks> number of weeks.
-stalepwd <NumDays>         Finds computers that have not changed their
                           password for at least <NumDays> number of days.
-disabled                   Finds computers with disabled accounts.
{-s <Server> | -d <Domain>}
                           -s <Server> connects to the domain controller
                           (DC) with name <Server>.
                           -d <Domain> connects to a DC in domain <Domain>.
                           Default: a DC in the logon domain.
-u <UserName>               Connect as <UserName>. Default: the logged in
                           user. User name can be: user name,
                           domain\user name, or user principal name (UPN).
-p <Password>               Password for the user <UserName>.
                           If * then prompt for password.
-q                          Quiet mode: suppress all output to
                           standard output.
-r                          Recurse or follow referrals during search.
                           Default: do not chase referrals during search.
-gc                         Search in the Active Directory global catalog.
-limit <NumObjects>         Specifies the number of objects matching the
                           given criteria to be returned, where <NumObjects>
                           is the number of objects to be returned.
                           If the value of <NumObjects> is 0, all
                           matching objects are returned.
                           If this parameter is not specified, by default
                           the first 100 results are displayed.
{-uc | -uco | -uci}         -uc Specifies that input from or output
                           to pipe is formatted in Unicode.
                           -uco Specifies that output to pipe or file is
                           formatted in Unicode.
                           -uci Specifies that input from pipe or file is
                           formatted in Unicode.
 
Remarks:
The dsquery commands help you find objects in the directory that match
a specified search criterion: the input to dsquery is a search criteria
and the output is a list of objects matching the search. To get the
properties of a specific object, use the dsget commands (dsget /?).
 
If a value that you supply contains spaces, use quotation marks
around the text (for example, “CN=John Smith,CN=Users,DC=microsoft,DC=com”).
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).
 
Examples:
To find all computers in the current domain whose name starts with “ms”
and whose description starts with “desktop”, and display their DNs:
 
   dsquery computer domainroot -name ms* -desc desktop*
 
To find all computers in the organizational unit (OU) given
by ou=sales,dc=micrsoft,dc=com and display their DNs:
 
   dsquery computer ou=sales,dc=microsoft,dc=com
 
See also:
dsquery computer /? – help for finding computers in the directory.
dsquery contact /? – help for finding contacts in the directory.
dsquery subnet /? – help for finding subnets in the directory.
dsquery group /? – help for finding groups in the directory.
dsquery ou /? – help for finding organizational units in the directory.
dsquery site /? – help for finding sites in the directory.
dsquery server /? – help for finding servers in the directory.
dsquery user /? – help for finding users in the directory.
dsquery quota /? – help for finding quotas in the directory.
dsquery partition /? – help for finding partitions in the directory.
dsquery * /? – help for finding any object in the directory by using a
generic LDAP query.
 
Directory Service command-line tools help:
dsadd /? – help for adding objects.
dsget /? – help for displaying objects.
dsmod /? – help for modifying objects.
dsmove /? – help for moving objects.
dsquery /? – help for finding objects matching search criteria.
dsrm /? – help for deleting objects.

Howto: Enable debug logging for Backup Exec for Windows Servers

You can temporarily enable Backup Exec debug logging by adding the -debug start parameter to the Backup Exec Remote Agent for Windows Servers service. This is a temporary setting that will be reset when the services are cycled or at the next server reboot. To enable debug logging permanently, see the second section, which details editing the registry.

To temporarily enable Backup Exec debug logging on Windows 2000, Windows XP, Windows 2003 and Windows 2008:
 
1. Go to Start > Programs > Administrative Tools > Services

2. Select the Backup Exec Remote Agent for Windows Servers service, and click Stop. When prompted, click Yes to shut down the service.

3. Select and right-click on the Backup Exec Remote Agent for Windows Servers service, and then select Properties

4. In the Startup Parameters box, type -debug.  Click Start in the Properties page to start the service. Click OK 

5. Select and right-click the Backup Exec Job Engine service, and then select Properties

6. In the Startup Parameters box, type -debug. Click Start in the Properties page. Click OK to close. 
 
To permanently enable Backup Exec debug logging on Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 and Windows 2008:
 
1. Stop all Backup Exec for Windows Servers services

2. Run REGEDIT.EXE

3. a. Backup Exec 10d or below: Browse to HKey_Local_Machine\Software\VERITAS\Backup Exec\Engine\Logging

     b. Backup Exec 11d or above: Browse to HKey_Local_Machine\Software\Symantec\Backup Exec for Windows\Backup Exec\Engine\Logging


4. Change the value of CreateDebugLog to 1 to enable debug logging

5. Quit the registry editor

6. Start the Backup Exec for Windows Servers services

After the Backup Exec Job Engine and Backup Exec Remote Agent for Windows Servers services are started, two log files will be created in the Backup Exec \Logs directory, which is located in one of the following directories:
 
  • Backup Exec 10d or below:  \Program Files\Veritas\Backup Exec\NT\Logs
  • Backup Exec 11d or above:  \Program Files\Symantec\Backup Exec\Logs

The log file names follow the format <ServerName>-BENGINEXX.Log for the Backup Exec Job Engine service, and <ServerName>-BEREMOTEXX.LOG for the Backup Exec Remote Agent for Windows Servers service. The XX will increment each time the services are started with the -debug option, so that a new log file is created.
 

How to completely disable DEP in Windows Server 2003

To completely disable DEP in Windows Server 2003, perform the following with administrative credentials:

1. Open Windows Explorer

2. Tools > Folder Options > View

3. Uncheck Hide Protected operating system files (Recommended) and Hide extensions for known file types

4. Click Apply > OK

5. Browse to C:\

6. Right click on boot.ini, select Properties, ensure the “Read-only” checkbox is unchecked, and click OK

7. Edit boot.ini

8. Modify the /noexecute= switch

For example, set /noexecute=AlwaysOff to disable DEP entirely

9. File > Save, close boot.ini file

10. Right click on boot.ini, select Properties, ensure the “Read-only” checkbox is checked, and click OK

11. Reboot the computer

For more about DEP see MS KB875352
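
To audit which boot entries carry the setting described above, the following PowerShell parses boot.ini text and reports the /noexecute= value per entry, flagging AlwaysOff. It is an added example, not part of the original post; the sample boot.ini contents and the function name Get-BootIniDepPolicy are constructed for illustration.

```powershell
# Constructed sample boot.ini (not from a real server). On a live host, use:
#   $bootIni = Get-Content -LiteralPath 'C:\boot.ini'
$bootIni = @'
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /fastdetect /noexecute=AlwaysOff
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003 (test)" /fastdetect /NoExecute=OptOut
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Entry without the switch" /fastdetect
'@ -split "`r?`n"

# Hypothetical helper: one object per boot entry with its /noexecute= value.
function Get-BootIniDepPolicy {
    param([string[]]$Lines)

    $inOsSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Boot entries live only under [operating systems].
            $inOsSection = ($Matches[1] -eq 'operating systems')
            continue
        }
        if (-not $inOsSection -or $text -eq '' -or $text.StartsWith(';')) { continue }

        # Entry format: <ARC path>="<description>" <switches>
        if ($text -match '^[^=]+="(?<desc>[^"]*)"(?<switches>.*)$') {
            $desc     = $Matches['desc']
            $switches = $Matches['switches']

            # -match is case-insensitive, so /NoExecute= and /noexecute= both hit.
            $policy = '(not set)'
            if ($switches -match '/noexecute=(?<value>\S+)') { $policy = $Matches['value'] }

            [pscustomobject]@{
                Entry       = $desc
                NoExecute   = $policy
                DepDisabled = ($policy -eq 'AlwaysOff')   # -eq ignores case
            }
        }
    }
}

$report = Get-BootIniDepPolicy -Lines $bootIni
$report | Format-Table -AutoSize

if ($report | Where-Object { $_.DepDisabled }) {
    Write-Warning 'A boot entry sets /noexecute=AlwaysOff: DEP is disabled for that entry.'
}
```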

Howto: Export IIS 7.0 web server configuration

To export a backup copy of your IIS 7.0 configuration on a Windows 2008 Server:

Open Server Manager

Expand Roles – Web Server (IIS) – Internet Information Services (IIS) Manager

Highlight the web server name

From the Management category, double click Shared Configuration

Under Actions, select Export Configuration. Accept or change the default export path of C:\Windows\system32\inetsrv\config\export

Click the Connect As button, and enter administrative credentials. If the server is a domain member, you may need to enter your credentials in the format domain\username or username@domain.com

Enter the encryption keys password twice and press OK

You should now have three files in the C:\Windows\system32\inetsrv\config\export directory: administration.config, applicationHost.config, and configEncKey.key. Save the files in a safe place.

Howto: Backup IIS 7.0 web server configuration

To back up your IIS 7.0 configuration on a Windows 2008 Server, you just need to make a copy of the \windows\system32\inetsrv\config directory (and subdirectories) and save it in a safe location.

You can also use the appcmd.exe utility to create the backup via the command line. The syntax to create a backup is:

%windir%\system32\inetsrv\appcmd.exe add backup "Backup Name"

To restore the backup, the syntax is:

%windir%\system32\inetsrv\appcmd.exe restore backup "Backup Name"

To remove a backup, the syntax is:

%windir%\system32\inetsrv\appcmd.exe delete backup "Backup Name"

For additional details on appcmd.exe see Bill’s IIS blog, or check out Mike’s IIS 7.0 Server-side blog for information on backing up and restoring IIS 7.0 shared configuration.

Howto: Authenticate to eDirectory via the Novell Client, command line style

I have a backup script that runs on a Windows 2003 server that requires Novell client authentication.  Here’s how to authenticate to eDirectory via the command line, which means it’s scriptable!  The syntax is:

c:\windows\system32\LOGINW32.EXE  .user.ou.o /PWD password /CONT

Alternatively, you could map a drive to an eDirectory server (Netware, SLES Linux or Windows), which would force background authentication.  Here’s that syntax:


net use x: \\server\vol /user:.user.ou.o password


A Portable Remote Desktop Connection (mstsc.exe)

I ran across Claus’s link to the makeuseof.com article that shows how to run Microsoft’s Remote Desktop Connection program as a portable application from a USB drive.

This led me to think about how this could be of value in my environment.  I frequently hop from server to server using Microsoft’s Terminal Services client, mstsc.exe, which is built into Windows XP, Windows 2003 and newer operating systems.

My Windows 2000 servers can be accessed through RDP, but since they do not have the updated client on them, I had not been able to run mstsc from the Windows 2000 server itself.
 
The makeuseof.com article lists four files that need to be copied in order to run Remote Desktop from a USB drive:  mstsc.exe and mstscax.dll, plus mstsc.exe.mui and mstscax.dll.mui.
 
I copied the first two files from my Windows XP SP2 machine up to my Windows 2000 server.  The second two .mui files did not exist on my Windows XP machine, probably due to the version of the OS I am running.
 
Once the files were copied up to my server I double clicked mstsc.exe, and was able to use the Windows 2000 server as a Terminal Services Client.  This will allow me to break my reliance on VNC and Terminals as Remote Desktop Clients on older OSs.

Howto: Disable the clicking sound in Internet Explorer and Windows Explorer

The clicking sound that Windows plays when you click on a link in Internet Explorer or open a folder in Windows Explorer can get annoying. 

Here’s how to disable the sound in Windows XP:

  1. Click Start > Control Panel > Sounds and Audio Devices
  2. Click the Sounds tab
  3. Scroll down the list under Program Events. Under the Windows Explorer section, highlight Start Navigation.
  4. Under the Sounds box, select (None) > OK, close Control Panel

Here’s how to disable the sound in Windows Vista:

  1. Click Start > Control Panel > Sound
  2. Click the Sounds tab
  3. Scroll down the list under Program. Under the Windows Explorer section, highlight Start Navigation.
  4. Under the Sounds box, select (None) > OK, close Control Panel

You should no longer hear the clicking noise when you select links in Internet Explorer or open directories in Windows Explorer.

Howto: Use msizap to remove orphaned cached Windows Installer Data Files to increase free disk space

Msizap is a command-line tool that can delete the configuration data that Windows Installer maintains for products that it installs, including the directories, files, registry subkeys, and registry entries in which Windows Installer stores configuration data.

Running msizap.exe with the G parameter removes orphaned cached Windows Installer data files for all users. Running this command on an old Windows XP machine allowed me to reduce the size of the C:\Windows\Installer directory from 3.6GB down to 875MB.

This computer had so many orphaned files due to the constant installation and uninstallation of software such as Java, Flash, Acrobat Reader, and other utility software over the years. Yes, orphaned files persist on your hard drive despite following proper uninstall procedures.

To run msizap, login to the machine as an administrative user and launch a command window. Navigate to the directory that contains msizap.exe, then type the following command:

msizap !G

The G option removes the orphaned cache files; the exclamation point forces a ‘yes’ response to any prompt.

While removing orphaned files should not have any negative impact on your Windows installation, be aware that msizap is a powerful tool that can cause problems if used incorrectly.

Msizap can be downloaded as a part of the Microsoft Windows Server 2003 Support Tools or the Windows Installer CleanUp Utility. I was unable to find the Windows Installer CleanUp Utility by searching Microsoft’s download site, so note that as of today the file’s name is msicuu2.exe if the above link goes dead in the future.

If you don’t want to install the Windows Installer CleanUp Utility, use a program such as Universal Extractor (aka UniExtract) to extract the individual files. Once you extract the files, you’ll notice msizap.exe does not exist, but you will find MsiZapA.exe and MsiZapU.exe.

There are two versions of MSIZAP.EXE: MsiZapA.exe (for use in Windows 95, Windows 98 and Windows ME), and MsiZapU.exe (for use in Windows NT, Windows 2000, Windows XP, and Windows Server 2003). The appropriate executable should be renamed MsiZap.exe.

Current msizap.exe options are as follows:

Usage: msizap T[WA!] {product code}
msizap T[WA!] {msi package}
msizap *[WA!] ALLPRODUCTS
msizap PWSA?!

* = remove all Windows Installer folders and regkeys;
adjust shared DLL counts; stop Windows Installer service
T = remove all info for given product code
P = remove In-Progress key
S = remove Rollback Information
A = for any specified removal, just change ACLs to Admin Full Control
W = for all users (by default, only for the current user)
M = remove a managed patch registration info
G = remove orphaned cached Windows Installer data files (for all users)
? = verbose help
! = force ‘yes’ response to any prompt

For more information on the Windows Installer Cleanup Utility and msizap.exe see KB290301.