Keeping Windows Time Synchronized

Over the years I have managed a few applications that are time sensitive in recording when certain things were logged. This has caused issues when some computers update time and some get behind. Users have trouble understanding why they did something at one time but it was recorded as another. I did find a few commands that can help remedy this problem.

To check the Windows Time Service configuration:

w32tm /query /configuration

To configure a standalone server or domain controller to use an external time source:

w32tm /config /update /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8" /syncfromflags:MANUAL

To force an immediate update from the time source:

w32tm /resync
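
To confirm that a machine actually agrees with the configured source after a resync, its offset can be measured with w32tm /stripchart. The following PowerShell is an added example, not part of the original post; the function name, the one-second tolerance and the sample output are constructed for illustration.

```powershell
# Added example: flag clock offsets found in `w32tm /stripchart ... /dataonly` output.
function Get-W32tmOffset {
    param(
        [Parameter(Mandatory)][string[]]$Lines,   # raw stripchart output, one line per element
        [double]$MaxOffsetSeconds = 1.0           # assumed tolerance for log correlation
    )
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    $offsets = @(foreach ($line in $Lines) {
        # Data lines look like "14:19:43, +00.0348901s"; header and error lines are skipped.
        if ($line -match '^\d{2}:\d{2}:\d{2}, ([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], $inv)
        }
    })
    if ($offsets.Count -eq 0) {
        # No usable sample (source unreachable, service stopped): treat as not in sync.
        return [pscustomobject]@{ Samples = 0; WorstOffset = $null; InSync = $false }
    }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        Samples     = $offsets.Count
        WorstOffset = $worst
        InSync      = $worst -le $MaxOffsetSeconds
    }
}

# Constructed sample output (not captured from a real host).
$sample = @(
    'Tracking 0.pool.ntp.org [192.0.2.10:123].'
    'Collecting 3 samples.'
    'The current time is 1/15/2024 2:19:43 PM.'
    '14:19:43, +00.0348901s'
    '14:19:45, -02.5120000s'
    '14:19:47, error: 0x800705B4'
)
Get-W32tmOffset -Lines $sample

# Live use on a Windows host:
# Get-W32tmOffset -Lines (w32tm /stripchart /computer:0.pool.ntp.org /samples:3 /dataonly)
```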

Source: WindowsTimeService < Support < NTP.
Source: Microsoft Technet: Windows Time Service Tools and Settings


Allow User To Run Application as Administrator Without a Password

A few days ago I came across a software application that just wouldn’t execute correctly without the user being an administrator on the computer. Since all of my users run as basic / limited users, they were unable to use the program. After contacting the vendor and looking for all types of rights that we could grant the user so they could execute the program properly, we were unable to fix it without making the user an administrator. So rather than making them an administrator or giving them the administrator password, I made a little application that calls the other application as a run as but has the administrator credentials compiled in. I realize that you can probably decompile the application and get the password, but for many users that is too much work, or they lack the expertise, so I view this as a small security issue. To further protect the account I made one that only exists on that computer. Below is the code that you can use to build a similar application. It is only a few lines, but it can solve a headache and keep a password relatively secure.

This is a VB.NET application
This application will produce an error if it is unable to login as that account or if the target program cannot be found.

Public Class Form1
    Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Dim DomainName As String
        Dim UserName As String
        Dim Password As String
        Dim SysPassword As System.Security.SecureString = New System.Security.SecureString()
        DomainName = System.Environment.GetEnvironmentVariable("ComputerName")
        UserName = "administrator"
        Password = "supersecretpassword"

        For Each c As Char In Password
            SysPassword.AppendChar(c)
        Next
        SysPassword.MakeReadOnly()

        Try
            System.Diagnostics.Process.Start("notepad.exe", UserName, SysPassword, DomainName)
        Catch ex As Exception
            MsgBox(ex.Message)
        End Try
        Me.Close()
    End Sub
End Class
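
The post notes that the compiled-in password can be recovered from the executable. The following PowerShell is an added example, not part of the original post, of a check that tells you whether credential values you already manage are sitting in a build output; the function name, the file path and $knownValues are hypothetical, and the byte array is a constructed stand-in for a compiled assembly.

```powershell
# Added example: check whether known credential values are embedded in a binary.
function Find-SecretInBinary {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,     # contents of the file to audit
        [Parameter(Mandatory)][string[]]$Secrets  # credential values you already manage
    )
    # ISO-8859-1 maps every byte to exactly one char, so raw bytes can be
    # searched with ordinary string functions without losing information.
    $latin1    = [System.Text.Encoding]::GetEncoding(28591)
    $haystack  = $latin1.GetString($Bytes)
    $encodings = [ordered]@{
        'UTF-16LE' = [System.Text.Encoding]::Unicode   # how .NET stores string literals
        'UTF-8'    = [System.Text.Encoding]::UTF8      # config files, resources, native code
    }
    foreach ($secret in $Secrets) {
        foreach ($name in $encodings.Keys) {
            $needle = $latin1.GetString($encodings[$name].GetBytes($secret))
            $offset = $haystack.IndexOf($needle, [System.StringComparison]::Ordinal)
            if ($offset -ge 0) {
                # Report where the value sits, never the value itself.
                [pscustomobject]@{ Encoding = $name; Offset = $offset; Length = $needle.Length }
            }
        }
    }
}

# Constructed stand-in for a compiled assembly: filler bytes around the literal.
$literal = [System.Text.Encoding]::Unicode.GetBytes('supersecretpassword')
[byte[]]$fake = @(0x4D, 0x5A, 0x90, 0x00) + $literal + @(0x00, 0x00)
Find-SecretInBinary -Bytes $fake -Secrets 'supersecretpassword'

# Against a real build output (path and $knownValues are placeholders):
# Find-SecretInBinary -Bytes ([System.IO.File]::ReadAllBytes('C:\path\to\launcher.exe')) -Secrets $knownValues
```

Any hit means the value is readable by anyone who can copy the file, so the account behind it should be treated as known to every user of that computer.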


Report Workstation Uptime in a CSV using Active Directory and VBS

Have you ever been left wondering which computers on your domain have been neglected by their user and not restarted in forever? This is a question that comes up in my office every once in a while. One of the easiest ways to solve this problem is to ask WMI for when the computer was last restarted and subtract it from the current time. Also, while asking WMI questions you might as well ask which user is currently logged on to the PC; that way you know who to blame. This is exactly what the following script does for your domain. It grabs the list of workstations from the domain, then queries WMI for the last time the computer was restarted, does some conversion and math, and makes you a nice CSV that you can play with.

Script Configuration
Before running this script there is some minor configuration that must be done so it can communicate with your Active Directory setup.

  1. Find objConnection.Open "Active Directory Server" and change Active Directory Server to the name of your Domain Controller.
  2. Find objCommand.CommandText = _
    "Select Name, Location from 'LDAP://OU=Workstations,DC=west,DC=domain,DC=edu' " _
    & "Where objectClass='computer'"
    and change subdomain, domain, and suffix to the name of your domain, i.e. west domain edu (respectively).
  3. Find GetUptime objRecordSet.Fields("Name").Value, "C:\uptime.csv" and change C:\uptime.csv to the location where you want the file saved. Be sure to save it with the extension CSV.

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Server" 

Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name, Location from 'LDAP://OU=Workstations,DC=west,DC=domain,DC=edu' " _
        & "Where objectClass='computer'"  
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
	GetUptime objRecordSet.Fields("Name").Value, "C:\uptime.csv"
    objRecordSet.MoveNext
Loop

Sub GetUptime(strComputer, strFilename)
	On Error Resume Next
	Set StdOut = WScript.StdOut
	 
	Set objFSO = CreateObject("scripting.filesystemobject")
	Set logStream = objFSO.opentextfile(strFilename, 8, True)
	 
	Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
	If Err.Number Then
	      logStream.writeline(strComputer & ",Offline")
	      Err.Clear
	Else
		Set objWMIService = GetObject _
			("winmgmts:\\" & strComputer & "\root\cimv2")
		Set colOperatingSystems = objWMIService.ExecQuery _
			("Select * from Win32_OperatingSystem")
		For Each objOS in colOperatingSystems
			dtmBootup = objOS.LastBootUpTime
			dtmLastBootupTime = WMIDateStringToDate(dtmBootup)
			dtmSystemUptime = DateDiff("h", dtmLastBootUpTime, Now()) 
		Next
		Set objWMIService = GetObject _
			("winmgmts:\\" & strComputer & "\root\cimv2")
		Set colComputerSys = objWMIService.ExecQuery _
			("Select UserName from Win32_ComputerSystem")
		For Each objCS in colComputerSys
			username = objCS.UserName
			logStream.writeline(strComputer & ",Online," & dtmSystemUptime & "," & dtmLastBootupTime & "," & username) 
		Next
				
	End If
	logStream.Close
End Sub
Function WMIDateStringToDate(dtmBootup)
    WMIDateStringToDate = CDate(Mid(dtmBootup, 5, 2) & "/" & _
         Mid(dtmBootup, 7, 2) & "/" & Left(dtmBootup, 4) _
         & " " & Mid (dtmBootup, 9, 2) & ":" & _
         Mid(dtmBootup, 11, 2) & ":" & Mid(dtmBootup, _
         13, 2))
End Function


How to Remove Old Cached Roaming Profiles from Workstations

Earlier this year I was tasked with cleaning up the workstations on our network to help reduce the amount of time needed for our daily virus scan to complete. One of the issues I took on was cleaning up old cached profiles from the use of roaming profiles. This was not something I wanted to do manually for the 150 PCs that we have across our building, so I made a script that would look for profiles that had not been modified in the last 90 days and weren’t system accounts (localservice, networkservice, default user, all users). Also, an advantage of using a script to do this is that it can produce a report of what it will remove without actually doing it. That way you can be sure that you are not deleting things that you do want to keep.

This script depends on file and print sharing being turned on for the workstation so the script can access the administrative shares on each computer. It assumes that your profiles are saved in the default Windows location C:\Documents and Settings\%username% and that you are the administrator for the domain.

Configuration

  1. Be sure to update the LDAP string 'LDAP://OU=workstations,DC=subdomain,DC=domain,DC=com' to match your Active Directory structure. The script needs to know where all the workstations are in Active Directory.
  2. Find objConnection.Open "DomainController" and put your Domain Controller in place of DomainController.
  3. Find OldProfile objRecordSet.Fields("Name").Value, "C:\deletedprofiles.csv" and modify the filename to save the file where you want, named what you want. Just be sure to leave the extension as CSV so it will open properly with your spreadsheet application.
  4. Most Importantly – Comment out fsoFolder.DeleteFolder objSubfolder, TRUE if you just want a report of what it will delete when run; if not, it is currently set up to remove the unwanted profiles.

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "DomainController"

Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name, Location from 'LDAP://OU=workstations,DC=subdomain,DC=domain,DC=com' " _
        & "Where objectClass='computer'"  
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
	OldProfile objRecordSet.Fields("Name").Value, "C:\deletedprofiles.csv"
    objRecordSet.MoveNext
Loop

Sub OldProfile(strComputer, strFilename)
	On Error Resume Next
	Set StdOut = WScript.StdOut
	 
	Set objFSO = CreateObject("scripting.filesystemobject")
	Set logStream = objFSO.opentextfile(strFilename, 8, True)
	 
	Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
	If Err.Number Then
	      logStream.writeline(strComputer & ",Offline")
	      Err.Clear
	Else
		On Error Resume Next
		Set objShell = CreateObject("Shell.Application")
		Set fsoFolder = CreateObject("Scripting.FileSystemObject")

		root = "\\" & strComputer &"\C$\Documents and Settings"

		Set objFolder = fsoFolder.GetFolder(root)
		Set colSubfolders = objFolder.Subfolders
		
			For Each objSubfolder in colSubfolders
				If (lcase(objSubfolder.Name) <> "localservice" AND lcase(objSubfolder.Name) <> "networkservice"_
					AND lcase(objSubfolder.Name) <> "default user" AND lcase(objSubfolder.Name) <> "all users") then
						
						If (DateDiff("D", objSubfolder.DateLastModified, Date()) > 90) then
							logStream.writeline(strComputer & ",Online,Delete," & objSubfolder & "," & objSubfolder.DateLastModified)
							fsoFolder.DeleteFolder objSubfolder, TRUE
						else
							logStream.writeline(strComputer & ",Online,Active," & objSubfolder & "," & objSubfolder.DateLastModified)
						End If
						
				else
					logStream.writeline(strComputer & ",Online,System," & objSubfolder & "," & objSubfolder.DateLastModified)
				End If
			Next
	End If
	logStream.Close
End Sub
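
The report-before-delete workflow described in the configuration steps can be made the default instead of something that depends on commenting out a line. The following PowerShell is an added example, not part of the original post. It swaps the folder's modified date for the timestamp of NTUSER.DAT (an assumption explained in the comments), and the function names and demo folder tree are constructed for illustration.

```powershell
# Added example: report-first cleanup of stale cached profiles (names are illustrative).
function Get-StaleProfile {
    param(
        [Parameter(Mandatory)][string]$ProfileRoot,
        [int]$MaxAgeDays = 90,
        [string[]]$SystemNames = @('localservice', 'networkservice', 'default user', 'all users')
    )
    Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force | ForEach-Object {
        # Assumption: NTUSER.DAT is written when the user logs off, so its timestamp
        # reflects real use better than the folder's own modified date.
        $hive  = Join-Path $_.FullName 'NTUSER.DAT'
        $stamp = $_.LastWriteTime
        if (Test-Path -LiteralPath $hive) { $stamp = (Get-Item -LiteralPath $hive -Force).LastWriteTime }

        if ($SystemNames -contains $_.Name) { $status = 'System' }      # -contains ignores case
        elseif ($_.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)) { $status = 'Skipped' }
        elseif (((Get-Date) - $stamp).TotalDays -gt $MaxAgeDays) { $status = 'Delete' }
        else { $status = 'Active' }
        [pscustomobject]@{ Path = $_.FullName; LastUsed = $stamp; Status = $status }
    }
}

function Remove-StaleProfile {
    # SupportsShouldProcess provides -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)]$Entry)
    process {
        if ($Entry.Status -eq 'Delete' -and $PSCmdlet.ShouldProcess($Entry.Path, 'Remove profile folder')) {
            Remove-Item -LiteralPath $Entry.Path -Recurse -Force
        }
    }
}

# Constructed demo tree in the temp folder, standing in for \\<computer>\C$\Documents and Settings.
$root = Join-Path ([IO.Path]::GetTempPath()) "profiles-demo-$PID"
foreach ($n in 'All Users', 'alice', 'bob') {
    New-Item -ItemType Directory -Path (Join-Path $root $n) -Force | Out-Null
}
$oldHive = Join-Path (Join-Path $root 'bob') 'NTUSER.DAT'
Set-Content -LiteralPath $oldHive -Value ''
(Get-Item -LiteralPath $oldHive).LastWriteTime = (Get-Date).AddDays(-200)

$report = Get-StaleProfile -ProfileRoot $root
$report | Format-Table -AutoSize             # review the report first
$report | Remove-StaleProfile -WhatIf        # lists what would be removed, deletes nothing
```

Dropping -WhatIf performs the deletion, and piping $report to Export-Csv gives the same kind of record as the CSV the original script writes.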


How To Securely Wipe A Hard Drive

There always comes a time when you are replacing the old with the new, but the real question is what to do with the old. Usually computers get resold, given away or recycled; however, all of these things could lead to a compromise in information security. The easiest way to prevent this from happening is to wipe the hard drive with a DoD-compliant wipe. The easiest way to get this done is to use a great free program called Darik’s Boot and Nuke. This program allows you to boot a computer and wipe the hard drive so that its data cannot be recovered using computer forensics. However, rather than just burning this one program on a CD, I would suggest downloading the Ultimate Boot CD. This CD contains tons of great utilities for troubleshooting and working on PCs and should be a part of any administrator’s toolkit.

  • Well, to get started wiping your old PC’s hard drive, you will need to burn the Ultimate Boot CD to a CD and boot to it by either changing the boot order in the BIOS or getting to a boot menu where you can select which device to boot.
  • The first screen you should see once you have successfully booted to the CD will ask you to press enter to boot to the UBCD.
  • Next you need to select “Hard Drive Tools” then “Wiping Tools” and finally “Darik’s Boot and Nuke V1.0.7”. Once there it will take a minute to load; if it doesn’t, it may not support your hardware / hard drive. However, I haven’t run across a computer that it wouldn’t wipe.
  • Once it loads up hit the (M) key to select method and change it to your preference, I typically use the “DoD 5220.22-M” method because this is what the military uses, and if it is good enough for them it is good enough for me.
  • Once selected, be sure to press the space bar and select the drive or drives you wish to wipe and then press F10 which will let wiping commence.

Now go grab some dinner with a friend or a frosty adult beverage at the local tavern because it will be a while before it is complete (depending on the size of your drive).

Here are some screenshots that should help you step through the different screens just in case you get lost.
