Here is a script that helps system admins automatically check the Windows NTP settings on multiple computers through the registry. For this to work, you need to enable Remote PowerShell on the client computers. If Remote PowerShell is not enabled on each of the servers to be checked, you can find my post here to enable it.
What this script will do:
1) Check the necessary ports (5985 or 5986) to see whether WinRM is enabled for Remote PowerShell.
2) Compare the current NTP values in the registry with the pre-defined values in the script. If they do not match, you can correct them instantly.
3) Select the standard time zone of the servers by the most frequently occurring value.
4) If an appropriate time zone is not found, your machine’s time zone is used as the standard time zone. Each server is compared with the standard time zone; if it does not match, you are prompted to correct it.
5) Select the standard time by the occurrence of current time values on each server (compared to the minute).
6) If an appropriate current time is not found, your machine’s time is used as the standard time. Each server is compared with the standard time; if it does not match, you are prompted to correct it.
7) Detect a stopped time service and prompt you to start it.
Sometimes you need to check whether all your servers have internet access, especially after a network change or for monthly auditing. With PowerShell, you can achieve this by using .NET calls to sockets. I found the script on this site to work as a baseline and used Mr. stevethethread’s code to colorize the output. You will need to save the list of servers in Server.txt in the same directory as the script, and change the port number in the script as needed.
Update: The purpose of this blog post is to give a specific monitoring user permission on a specific Windows service. So, you can replace step-6 (setting the DNS service permission for the specific account that will monitor the service) with the easier methods in my new blog post.
There are three methods for monitoring windows servers:
By installing agents (such as Zabbix or SCOM agents).
SNMP v1, v2, v3, regardless of platform.
WMI monitoring for Windows servers.
Today, I’m going to set up WMI monitoring in a couple of steps, and show how to monitor Windows services that are unavailable in the default monitoring method. Here, I’ll use a Microsoft DNS Server as the monitored client, covering the DNS service plus basic resource monitoring.
Things that I used in this tutorial:
Server 2012 R2 x64, named “DNS-test.contoso.com”
SolarWinds Server and Application Monitor (trial version), on the server named “monitor.contoso.com”
Note: Although you can give full administrator permission for WMI monitoring if you want to save yourself some headaches, it is highly discouraged. Therefore, let’s see how we can do WMI monitoring with the principle of least privilege.
Read This Please: Part of this tutorial involves modifying a system service’s security permissions (here, the DNS service), which might be critical on production systems. I tested this solely in my lab, and I can’t guarantee that it works in your environment with the expected results.
Step-1: Install the prerequisites, and what’s next …?
Install Windows Server 2012 R2 and the DNS role (you can use any other OS version starting from Server 2003 SP2).
I also installed the trial version of SolarWinds Server and Application Monitor for testing purposes. However, you can use any monitoring software that supports the WMI monitoring method.
These installation steps are easy enough, so I won’t go into detail.
Step-2: Permission is needed for WMI to allow remote users.
I created one user account for monitoring services, “monitoruser”, and added it to the group “Performance Monitor Users”, since I’m planning to give the permission to that group and not directly to that user.
After that, we have to grant permission to query the WMI classes. WMI is the Microsoft management framework, available since Windows 2000, for accessing system classes and hardware through an abstract model.
So, I give the permission here. See figure-2.
In the Run box, type wmimgmt.msc
In the console, right-click Properties > Security > Root > CIMV2 > Add Performance Monitor Users > Check Enable Account and Remote Enable
OK, save the settings.
In the console, right-click Properties > Security > Root > MicrosoftDNS > Add Performance Monitor Users > Check Enable Account and Remote Enable
OK, save the settings.
Note: Most Windows services and namespaces lie in CIMV2, so it is necessary to give permission to access these components.
Step-3: Give some permissions to DCOM also.
In this step, we will give permission to access DCOM, the Distributed Component Object Model, which is used for communication between software components on distributed computers.
In the Run box, type dcomcnfg and press Enter.
In the console, right-click My Computer > Properties > COM Security and edit both Access Permissions and Launch and Activation Permissions (red rectangles in Figure-3).
Add the Performance Monitor Users group and give Local Access and Remote Access permissions for both properties (Fig-4).
OK, save the settings.
As of now, we can monitor the system processes and the CPU, memory and network of computers. But to monitor the state of a service, we need to add one more setting. This step has been required since Server 2003 SP2, when Microsoft fixed it as a security issue. You can check the Microsoft KB article here. So, type the command below in an elevated command prompt as an Administrator, as shown in Figure-5.
Step-4: Let’s start monitoring and see if it works
Now, let’s add the server node to our monitoring software. I assume that SolarWinds is already installed. The username is ‘admin’ with a blank password.
So, you can add the node as shown in figure-6.
On the next page you can choose basic monitoring as shown in figure-7.
The next page is about the specific services or roles that you want to monitor. I choose the DNS server and test it.
Oops, it has some alerts! The DNS service cannot be monitored although the DNS service is running…
It is because we have to monitor the DNS service and it seems it’s not available to our pre-configured user, monitoruser (which is in the special group to be able to monitor ;P ). See figure-8.
For this, we can check whether our user has the necessary permission using the Windows built-in tools in the next step.
Step-5: Always check if the monitoring user has the necessary permission to do something
Microsoft has a tool to view or modify CIM classes or WMI classes using WQL queries. From there, you can query the system services or DCOM objects. We are going to use it now.
Run > wbemtest > Connect and enter the parameters. In the namespace field, use \\servername\root\cimv2. Use the username and password of the monitoring user and click Connect. See figure-9.
Type select * from win32_service in the query field. It should return the list of services available to our monitoring user. See figure-10 and figure-11.
Check whether the service we want to monitor is listed in the results. Here, we want to monitor the DNS Server, whose service name is DNS. (You can check the service name with Run > services.msc and look at the properties of that service.)
We do not find “DNS”; instead we find Dnscache, which is the DNS Client service.
So, we can conclude that the DNS service is unavailable to the service control manager even though we have given permission just before Step-4. So, we have to specifically change the security settings for the DNS service.
Step-6: Modifying the Security Permission of the Service
Take this step carefully: every character in these commands matters, and a mistake may affect the system adversely unless you have a saved copy of the previous settings. You can refer to figure-12.
1) From the elevated command prompt, check the security settings of the DNS service with the following command.
sc sdshow dns
2) Copy the output exactly as it is to Notepad.
3) Put the following parameter between the end of the first bracket and the start of the second bracket.
(A;;CCLCSWLOCRRC;;;AU)
4) So, the new line would be (please note that it’s just a single line):
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5) Change the DNS service security by adding some commands to the above parameters (note that it’s a single line).
Note: Let me explain this command a bit. sc sdshow dns shows the security descriptor of the service. Then we put our monitor group (aliased as AU for Performance Monitor Users) with the necessary permission in line 3.
The capital A as the first letter is for Allow. The capital D: in the 4th line is the Discretionary ACL (DACL).
The capital S: at the start of the last bracket means System Access Control List (SACL). Each alias CC, LC, SW, LO, CR, RC has a special meaning for access permission. You can find more about the access lists from the 2 links below.
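An added example, not the article’s own script: it decodes the descriptor from Step-6 offline, listing the trustee and rights of each DACL entry, and builds the new string by inserting the step-3 ACE after the first entry. The “before” descriptor is constructed from the step-4 line, and the function names Get-DaclEntry and Add-DaclAce are hypothetical. Windows resolves the SDDL alias AU to Authenticated Users, so check the Trustee column against the audience you intend.

```powershell
# Added example; runs offline on Windows PowerShell 3.0+ and touches no live service.
# Constructed input: the article's step-4 line with the inserted ACE removed.
$before = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
$newAce = '(A;;CCLCSWLOCRRC;;;AU)'   # the ACE from step 3

# Service-specific access bits plus the standard rights used in service descriptors
$ServiceRights = [ordered]@{
    QUERY_CONFIG = 0x1;  CHANGE_CONFIG = 0x2;  QUERY_STATUS = 0x4;  ENUMERATE_DEPENDENTS = 0x8
    START = 0x10;  STOP = 0x20;  PAUSE_CONTINUE = 0x40;  INTERROGATE = 0x80
    USER_DEFINED_CONTROL = 0x100
    DELETE = 0x10000;  READ_CONTROL = 0x20000;  WRITE_DAC = 0x40000;  WRITE_OWNER = 0x80000
}

function Get-DaclEntry {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask = $ace.AccessMask
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # show the raw SID if it does not resolve
        [pscustomobject]@{
            Type    = $ace.AceType
            Trustee = $who
            Rights  = ($ServiceRights.Keys | Where-Object { $mask -band $ServiceRights[$_] }) -join ', '
        }
    }
}

function Add-DaclAce {
    param([Parameter(Mandatory)][string]$Sddl, [Parameter(Mandatory)][string]$Ace)
    # Insert after the first ACE of the DACL (the position step 3 describes), never after "S:"
    if ($Sddl -notmatch '^(?<head>.*?D:[^(]*\([^)]*\))(?<tail>.*)$') {
        throw 'No DACL ACE found in the descriptor'
    }
    $result = $Matches['head'] + $Ace + $Matches['tail']
    # Round-trip through the parser so a malformed string is rejected before it is used
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $result
    $result
}

$after = Add-DaclAce -Sddl $before -Ace $newAce
'Before:'; Get-DaclEntry $before | Format-Table -AutoSize -Wrap | Out-String
'After:';  Get-DaclEntry $after  | Format-Table -AutoSize -Wrap | Out-String
# Only the added entry should differ between the two descriptors
Compare-Object (Get-DaclEntry $before) (Get-DaclEntry $after) -Property Trustee, Rights |
    Format-Table -AutoSize -Wrap | Out-String
```

If the Trustee shown for the new entry is wider than the monitoring group, swap the last field of the ACE for that group’s SID before applying anything.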
I have been looking for ways to automate the domain join so that end users can do it by themselves without special knowledge. There are several scripts I found on Google that make it work, but none of them seems to be an all-in-one solution. Moreover, I don’t want to put usernames/passwords in text files that are delivered to each user. So, I decided to make a complete script for automatic domain join by users.
What this script will do:
1) Test that the DNS server is reachable and, if OK, change the user’s DNS setting to point to the Domain Controller.
2) Prompt for the username/password to join the domain, so there is no need to put the username/password in the script file.
3) Let users choose their own OU for the domain join, so the admin doesn’t need to move their computer objects to a specific OU after the domain join. ( the one I liked most & the reason why I wrote this script xP ).
Things you need to do:
1) Modify the Admin section of the script to your needs.
2) Delegate all OUs so that domain users can create computer objects and join the domain themselves. (This is the one that took most of my time, troubleshooting the access denied error.) I would recommend creating a new security group, delegating the permission to that group and putting the domain users into the group, because it’s safer to delete that security group (rather than revoke the delegated permission) after all users are joined to the domain.
3) Some clients may need to set the PowerShell script execution policy to RemoteSigned so that PowerShell scripts can execute. You can do it with another batch script that calls the PowerShell script, and so on.
1) Delegating OU Permission
Only the Admin and Account Operator roles have permission to create computer and user objects in any OU. We need to give users a little of that right so they can do it themselves. But granting the Account Operator role to every domain user is something we should never do. So, I will give only the necessary permissions.
Step1: From Active Directory Users and Computers, Choose the parent OU you want to delegate.
Step2: Delegate the security group to create computer objects in Active Directory.
Step3: On the next page, choose Create a custom task to delegate.
Step4: Choose Computer Objects and check the “Create selected objects in this folder” as shown in Fig-3.
Step 5: Customize the permission. Here I select Write and Create all child objects. Others are left at default.
So far, we have finished delegating the permission. Now, the client can run the script on his computer. See Fig-5.
Today, I need to find the registered services of some running processes and their installed paths. Here we can use some third-party tools, such as Process Explorer or Process Hacker, and find each process’s associated service. But I want to use the built-in options, so WMI with PowerShell is the way to go. I also checked the Windows Task Manager, and it only listed the service and its associated service name, not the process name. So, I need to do some scripting to get it done. Here is the sample output.
Empower yourself with the ability to perform administrative tasks on multiple servers remotely, even while users are logged in or away. PowerShell remoting, available since PowerShell version 2, opens up a world of possibilities for system administrators.
If you’re using Windows 7, 2008R2, or newer, PowerShell remoting is already at your fingertips. However, for legacy environments like Server 2003 and Windows XP, a few additional steps are required. You’ll need to install the Server 2003 Service Pack 2 and the Windows Management Framework.
Things to do on the destination computer
This is the computer on which you want to execute the remote commands. On this machine, run PowerShell as an administrator and execute the following command:
Set-ExecutionPolicy RemoteSigned
Then, initialize WinRM with the following command:
winrm quickconfig -quiet
On the source computer, you’ll also need to start the WinRM service temporarily to configure settings. Remember to add the destination computers to the trusted hosts list for communication. This ensures a secure connection between local and remote systems. In other words, in the trusted hosts list you can define the destination computers by IP addresses separated by commas, or by using a wildcard, as follows. (Note: if you use HTTPS, you need to generate a certificate and add it to each computer, so it would be more efficient to enroll the certificate via GPO in a domain environment. I’ll write another article for this scenario.)
Things to do on Source Computer
This is the computer that will initiate the connection. In the elevated PowerShell session of source computer, type:
You can execute remote scripts on multiple computers by putting the computer names, as IPs or hostnames, in a text file. Here is the one I show as an example.
Tired of spending hours manually querying DNS records? A few days ago, I had to query over 100 DNS records to determine whether both forward and reverse records were working properly. Running nslookup on over 100 records is a time-consuming and daunting task for a system administrator. Therefore, I decided to write a PowerShell script to automate the job.
You will need to put the hostnames in hostnames.txt file in the same directory as the script file and run the script.
While third-party tools like VMware Standalone Converter and Starwind V-2-V exist for converting VDI to VMDK or VHD, leveraging VirtualBox’s native capabilities offers a speedy alternative. You can follow our step-by-step guide, applicable to both Windows and Linux environments, and optimize your virtualization workflow effortlessly. Go to the VirtualBox install directory in the Windows command prompt and type the following command.
VBoxManage.exe clonehd c:\DiskVirtualold-disk.vdi c:\DiskVirtualnew-disk.vmdk --format vmdk --type normal --variant standard
Now, you can attach the converted vdisk to the VM of your choice.
In Windows system administration, understanding how to stop Windows services that are not responding or have hung is a crucial skill. Whether you’re troubleshooting a misbehaving process or aiming to optimize system resources, knowing the ins and outs of service management can significantly impact your computing experience.
In this example, let’s forcefully stop the Windows Time service by killing the associated process.
1) First, query the service PID via the NT service controller.
sc queryex <servicename>
e.g. sc queryex w32time
Note: you can find the service name from services.msc in the Run box. Here it is w32time for the Windows Time Service.
2) Note the PID of the service. Here our process ID is 904.
You might sometimes encounter grayed-out services, particularly in scenarios like antivirus programs, where certain services are intentionally safeguarded against tampering for security purposes. These can pose challenges in managing your system effectively. However, there are strategies you can employ to navigate this hurdle and regain control over these services.
Option 1 – Startup Config
1) Type “msconfig” in the Run box
2) In the Services tab, uncheck the service
3) Reboot the computer
Option 2 – Registry Modification
The second method involves accessing the Windows Registry, the central repository of system settings, and making targeted modifications to alter the startup type of the grayed-out services.
1) Go to HKLM\SYSTEM\CurrentControlSet\Services
2) Double-click the Start SubKey
3) Change the DWORD value to a number from 0 to 4 according to your startup option: 2 for Automatic and 4 for Disabled.
Below are the Start values and their descriptions according to the TechNet article.
Value - Description
0 - Boot (loaded by kernel loader). Components of the driver stack for the boot (startup) volume must be loaded by the kernel loader.
1 - System (loaded by I/O subsystem). Specifies that the driver is loaded at kernel initialization.
2 - Automatic (loaded by Service Control Manager). Specifies that the service is loaded or started automatically.
3 - Manual. Specifies that the service does not start until the user starts it manually, such as by using Device Manager.
4 - Disabled. Specifies that the service should not be started.