Hey, Scripting Guy! Quick-Hits Friday: The Scripting Guys Respond to a Bunch of Questions (03/13/09)
How Can I Get Active Directory Information About Currently Logged-On Users?
Hey, Scripting Guy! I need your help. How do I get currently logged-on users from Active Directory?
– HS
Hi HS,
There is no way to accurately obtain this information, because a logon can come in many different forms. As I sit in my house in Charlotte, North Carolina, in the United States, I am logged on to my domain. But I have done so in two ways. In the first manner, I logged on to my laptop by using cached credentials. In the second manner, I logged on to the domain by making a VPN connection back to Redmond, Washington. But on my other computer, I am also logged on to the domain again. This is because we have an extranet where I upload my daily “Hey, Scripting Guy!” articles to scripting guy Craig Liebendorfer so that he can edit them and help me appear literate (he also has a great sense of humor).
If I am reclining around the swimming pool enjoying a nice cup of Earl Grey tea, I will have my Windows Smart Phone with me, and may very well use it to check my e-mail, manage my Outlook contacts, and remind myself of upcoming appointments. If I do that, it makes a connection back to the mother ship to retrieve information. Again this action requires a logon to the domain. If I go into the office in Charlotte, I may log on to the domain via either the wireless network or the traditional Category 5 ethernet network. It is this last type of connection that we traditionally think of as a logon.
As you can see from these possible logon scenarios, you would first need to determine what kind of activity constitutes a logon to the domain, and then go to the appropriate location to retrieve the logon information. Some places where you can retrieve this information include the security event logs on the domain controllers (if you choose to audit logon events), and the WINS database, which will pick up name registration events from more traditional logons.
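One way to pull this from the security event log, as an added example that is not part of the original article: it assumes Windows Vista/Server 2008 or later (where a successful logon is event ID 4624), PowerShell 3.0 or later, and hypothetical user names and addresses in the constructed sample.

```powershell
# Added example: summarise 4624 (successful logon) events by user and logon type.
$LogonTypeName = @{ 2 = 'Interactive'; 3 = 'Network'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function ConvertFrom-LogonEvent {
    # Flatten an EventLogRecord, reading the EventData fields by name.
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $Record.TimeCreated
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = [int]$data['LogonType']
            Source    = $data['IpAddress']
        }
    }
}

function Get-LogonSummary {
    # One row per user and logon type; computer accounts (name ends in $) are skipped.
    param([object[]] $Logon)
    $Logon | Where-Object { $_.User -notmatch '\$$' } |
        Group-Object User, LogonType | ForEach-Object {
            $last = $_.Group | Sort-Object Time | Select-Object -Last 1
            $name = $LogonTypeName[$last.LogonType]
            if (-not $name) { $name = "Type $($last.LogonType)" }
            [pscustomobject]@{
                User = $last.User; Type = $name; Count = $_.Count
                LastSeen = $last.Time; Source = $last.Source
            }
        }
}

# Constructed sample records (hypothetical), shaped like ConvertFrom-LogonEvent output.
$t = Get-Date '2009-03-13 09:00'
$sample = @(
    [pscustomobject]@{ Time = $t;               User = 'CONTOSO\ed';    LogonType = 11; Source = '-' }
    [pscustomobject]@{ Time = $t.AddMinutes(5); User = 'CONTOSO\ed';    LogonType = 3;  Source = '10.0.0.25' }
    [pscustomobject]@{ Time = $t.AddMinutes(9); User = 'CONTOSO\ed';    LogonType = 3;  Source = '10.0.0.31' }
    [pscustomobject]@{ Time = $t.AddMinutes(9); User = 'CONTOSO\WS01$'; LogonType = 3;  Source = '10.0.0.25' }
)
Get-LogonSummary -Logon $sample | Format-Table -AutoSize

# Live use on a domain controller (needs rights to read the Security log):
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624;
#     StartTime = (Get-Date).AddHours(-1) } | ConvertFrom-LogonEvent
# Get-LogonSummary -Logon $events
```

A cached-credential logon (type 11) is written to the workstation's own Security log, so a query against the domain controllers alone never sees it, which is the gap the answer describes.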
How Can I Run Administrator Privileges Without Exposing the Administrator Account?
Hey, Scripting Guy! I hope you’re in the right mood to answer my question, especially after reading my question in poor English. I am wondering, can you show me how to utilize the script, WSH in particular, to install an application that requires administrator privileges without exposing the administrator account itself? In a real case scenario, let’s say I have a small/medium network with 100 computers. I need to apply a non-Microsoft product patch (for Microsoft products I use WSUS) for all my workstations. This installation requires administrator privilege to run, but none of the users has administrator privilege on their computer. My goal is to run a script as a login script, so there is no need for me to travel around to my users’ PCs.
How can you help me with this dilemma? In the time of world recession, scripting is the best companion to complete this task. I believe that!
– NS
Hi NS,
There are two things that might help. The first would be to use Group Policy to deploy the patch. If the patch is an MSI file, this is simple. If it is not an MSI file, you could perhaps create an MSI file that wraps the executable patch. Visual Studio 2008 makes creating MSI files fairly easy. The second option would be to use EPAL (Elevated Privileges Application Launcher). Download it here.
Can I Pattern-Match on the Absence of Text?
Hey, Scripting Guy! Is there a way to pattern-match on the complete absence of any text, when text would normally be present?
– CW
Hi CW,
It depends. In VBScript, I have used the isnull function, as well as empty quotation marks (“”). In Windows PowerShell, you can use the $null automatic variable.
Troubleshooting a Script That Returns Only Information About the Second Server in a Serverlist.txt File
Hey, Scripting Guy! I have a problem with my script. It only returns the second server in my list. Strange. Here is exactly what I have in my code:
$a = Get-Content "C:\serverlist.txt"
foreach ($i in $a)
{
  "$i `n=========================="
  Get-WMIObject -class Win32_BIOS -Credential $cred `
    -computername $i | Out-File c:\test.txt
}
– JP
Hi JP,
This is a common issue. You need to capture the data where it is produced:
$a = Get-Content "C:\fso\Computers.txt"
foreach ($i in $a)
{
  "$i `n==========================" >> "C:\fso\report.txt"
  Get-WMIObject -class Win32_BIOS -computername $i >> "C:\fso\report.txt"
}
Troubleshooting a Modified Script Repository Script
Hey, Scripting Guys! I had looked at the Script Repository and found, “List All Computer Accounts in Active Directory”. The example runs and displays all of the computers’ names and locations. I tried to also have their descriptions displayed, but the added code makes the script fail. Below is the modified example. Can you see where I made a mistake? When I run the script, I get a “Type mismatch” error. If I remove the line “Wscript.Echo objRecordSet.Fields(“Description”).Value” the script runs without a problem.
' ADS_SCOPE_SUBTREE is 2 in the ADSI scope enumeration
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name, Location, Description from " & _
    "'LDAP://ehsd.east-haven.k12.ct.us/DC=ehsd,DC=east-haven,DC=k12,DC=ct,DC=us' " & _
    "Where objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Wscript.Echo "Computer Name, Computer Location, Computer Description"
Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("Name").Value
    Wscript.Echo objRecordSet.Fields("Location").Value
    ' The line below is the one that raises the "Type mismatch" error
    Wscript.Echo objRecordSet.Fields("Description").Value
    objRecordSet.MoveNext
Loop
– JT
Hi JT,
The description attribute is a Unicode string and should be able to be echoed out. However, I suspect your problem is that the description attribute is not populated everywhere. When working with ADO, a missing attribute value will often generate an error. There are two approaches to this. The first approach is to test to see if the attribute is null (there is an isnull function). Of course, it might not be null, but merely empty. In that case, you could use = “”. To see if the attribute is null, you can use a construction similar to the one here:
If IsNull(objRecordSet.Fields("Description").Value) Then
    Wscript.Echo "Description is empty"
Else
    Wscript.Echo objRecordSet.Fields("Description").Value
End If
When you detect the missing attribute, you could print out the fact that it is empty. The other approach is to simply use On Error Resume Next at the beginning of the script. It would look like the following:
On Error Resume Next
Place the command on the first line in your script. I would do this first to eliminate other possibilities. Query a section of your Active Directory where you know you have populated the description attribute, and see what happens.
How Can I Unlock a Server, Pass It a User Name and Password, and Schedule a Task or Run a Scheduled Task?
Hey, Scripting Guy! I need to make a scheduled task work, but the scheduled task needs the server to be unlocked and a user to be logged on to work. Can you tell me if there is a way to use VBScript to create a script that will unlock the server and pass it the user name and password, so I can then schedule the task?
– CJ
Hi CJ,
This community script, written in JScript, will unlock a remote workstation. It uses the Sysinternals tool called PsShutdown to do it. If a scheduled task is created using a system account, the scheduled job will run without anyone needing to be logged on. You may want to see about changing the way the scheduled job is run.
Important note: Having a remote computer logged on, and unlocked in the middle of the night with almost no one around could be a huge security risk! If it were me, I would investigate lots of options before unlocking the server to run the scheduled job.
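The system-account approach from the answer above, as an added example that is not part of the original article: the task name, script path and schedule are hypothetical, and it assumes Windows Vista/Server 2008 or later, an elevated prompt, and English column names in the schtasks output.

```powershell
# Added example. Task name and script path are hypothetical placeholders.
$taskName = 'NightlyMaintenance'
$command  = 'cscript.exe //B //Nologo C:\Scripts\maintenance.vbs'

# /RU SYSTEM runs the task as the local System account: no password is stored
# with the task and no interactive session has to exist when the trigger fires.
# On the network, the task authenticates as the computer account.
schtasks.exe /Create /TN $taskName /TR $command /SC DAILY /ST 02:00 /RU SYSTEM /F
if ($LASTEXITCODE -ne 0) {
    throw "schtasks /Create failed with exit code $LASTEXITCODE"
}

# Read the task back and confirm which account it will run under.
$task = schtasks.exe /Query /TN $taskName /V /FO CSV | ConvertFrom-Csv
$task | Select-Object TaskName, 'Run As User', 'Next Run Time' | Format-List
if ($task.'Run As User' -notmatch 'SYSTEM') {
    Write-Warning "$taskName is not running as SYSTEM; review the task's account."
}
```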
Can I Continue to Use DelProf on Windows Server 2008?
Hey, Scripting Guy! Can you confirm that the W2K3 Version of Delprof will work on W2K8 (delete profiles on W2K8 Box), or is there a newer version?
– BJ
Hi BJ,
We have this functionality via Group Policy now:
Policy file: UserProfiles.admx
Scope: Machine
Policy path: System\User Profiles
Registry setting: HKLM\Software\Policies\Microsoft\Windows\System!CleanupProfiles
Policy setting: Delete user profiles older than a specified number of days on system restart. This requires at least Windows Vista.
This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accessed.
If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart.
In case you are on pre-Service Pack 1, be aware of the issue talked about in KB 945122: User profiles are unexpectedly deleted after you configure the “Delete user profiles older than a specified number of days on system restart” Group Policy setting on a Windows Vista-based computer.
Crikey! Full mail bag this week. Hope these answers help you. This brings another Quick-Hits Friday article to a close. Have an enjoyable weekend, and we will see you Monday. If you get curious about what’s coming up on the Script Center, you can now follow us on Twitter: http://www.twitter.com/ScriptingGuys.
Ed Wilson and Craig Liebendorfer, Scripting Guys