It surprises me every time: admins I know who have no trouble at all working in Linux are lost and do not know what to do when faced with administering an AD domain.
For most experienced administrators, this article is unlikely to be useful, but ...
So, you got a job. The conditions are good, the salary is big, the secretaries are smiling, the guards are friendly, and the coffee is free, but the previous sysadmin was a third-year student at the agricultural technical college and left behind 50 computers with names like "NOVENKIY", "SPORTSMEN", "UVALEN", "23FG34". It is also worth noting that half of the computers in AD are dead, and those that are named after employees are named after people who have not worked at the company for a long time.
Among other things, this character has done a bunch of nasty things "for security". And you have absolutely no idea how and where to start. The best place to start is restoring order.
Deletion
For starters, the best way is to download the OldCmp utility; with it we will sift out the computers that have not been seen on the domain for more than 30 days.
oldcmp -disable -unsafe -forreal -llts -age 30
With this command we disable the machines that nobody has logged on to for 30 days. For domains under Windows 2003, you can use a command that looks not at logons but at the change of the computer's password within the domain (not a user's password, but specifically the computer's):
oldcmp -disable -unsafe -forreal -age 50
If within two or three weeks (you need to leave this time for the "vacationers") nobody has contacted you, you can delete the disabled computers:
oldcmp -delete -age 0 -onlydisabled -forreal
So, we are left with only those computers that have been used in the last 30 days.
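The same two-stage cleanup (disable stale accounts first, delete the disabled ones after the waiting period) done with the ActiveDirectory PowerShell module instead of OldCmp. This is an added example, not part of the original article; the search base OU is a placeholder, and the dry-run default mirrors OldCmp's -forreal switch.

```powershell
# Added example (not from the original article): OldCmp's workflow with the
# ActiveDirectory module (RSAT). The OU below is a placeholder; adjust it.
Import-Module ActiveDirectory
$SearchBase = 'OU=Companyname_Computers,DC=example,DC=local'   # placeholder

function Disable-StaleComputer {
    param([int]$AgeDays = 30, [switch]$ForReal, [switch]$ByPasswordAge)
    $Cutoff = (Get-Date).AddDays(-$AgeDays)
    if ($ByPasswordAge) {
        # Domains without lastLogonTimestamp: use the machine password age,
        # the equivalent of "oldcmp -age" without -llts.
        $Stale = Get-ADComputer -Filter { PasswordLastSet -lt $Cutoff -and Enabled -eq $true } `
                     -SearchBase $SearchBase -Properties PasswordLastSet
    } else {
        # Equivalent of "oldcmp -llts -age 30". lastLogonTimestamp is replicated
        # but can lag a real logon by up to 14 days, so treat 30 days as a floor.
        $Stale = Get-ADComputer -Filter { LastLogonTimeStamp -lt $Cutoff -and Enabled -eq $true } `
                     -SearchBase $SearchBase -Properties LastLogonTimeStamp
    }
    foreach ($c in $Stale) {
        # Stamp the reason and date so the wait for "vacationers" is auditable.
        Set-ADComputer -Identity $c -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive $AgeDays days" -WhatIf:(-not $ForReal)
        Disable-ADAccount -Identity $c -WhatIf:(-not $ForReal)
    }
    return $Stale   # what was (or, in dry-run mode, would be) disabled
}

function Remove-DisabledComputer {
    param([switch]$ForReal)
    # Equivalent of "oldcmp -delete -age 0 -onlydisabled". Remove-ADComputer
    # refuses objects that have child objects; use Remove-ADObject -Recursive for those.
    Search-ADAccount -AccountDisabled -ComputersOnly -SearchBase $SearchBase |
        Remove-ADComputer -Confirm:$false -WhatIf:(-not $ForReal)
}

# Dry run first, then the real thing; delete only after the waiting period.
Disable-StaleComputer -AgeDays 30
# Disable-StaleComputer -AgeDays 30 -ForReal
# Remove-DisabledComputer -ForReal
```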
What about renaming?
Theoretical part
Here, too, everything is simple. First we need to download two utilities from Microsoft: PsTools and the Support Tools.
Now, in order to rename the computers correctly, it is best to use a scheme of unique identifiers stuck onto each computer. Since we do not know everyone in the company, it is best to ask HR (or anyone) for a list of employees by department; this will help us distribute the computers (and later the users) into AD folders.
By the way, yes, create the folder Companyname_Computers in the AD tree, and inside it subfolders named after the departments. This small step will save you from many problems in the future.
To find out which computer belongs to whom, we will use the PsLoggedOn utility. The syntax is very simple; we will use it in this form:
psloggedon -l \\computername
The output is a list of users logged on to the computer. If the utility fails to run, the Remote Registry service is disabled; we turn it on with the PsService command:
psservice \\computername start remoteregistry
Once we have the name of the user logged on to the system, we move the computer to the appropriate AD folder and write the name of the user sitting at this computer into its Description.
I also recommend that every administrator at a new company use the PsPasswd utility to change the local administrator password to something you know:
pspasswd \\computername Administrator Password
Now it is time for the NetDom utility. This utility from the Support Tools package we downloaded earlier can do many things; we will use it to rename the computer.
In general, the command should look like this:
netdom renamecomputer computername /newname:newcomputer /userd:domainname\adminname /passwordd:*
This program, unlike PsTools, cannot run as the current user, so the admin name must be specified manually. So as not to keep the password in clear text, we put an asterisk in the passwordd field; the password will then be prompted for.
After we have renamed the computer, we need to write the new name into the list of users, opposite the employee's last name, so that later we can simply walk through the departments and stick the computer names onto their cases (the computers' cases, I mean, not the employees').
... And in practice
For ease of use, I created a batch file; maybe it will be convenient for you:
@echo off
REM Fill in these variables before running. Note that LocalPass is stored here
REM in clear text, so keep this file somewhere only you can read it.
Set DomainName=
Set DomainAdminName=
Set LocalAdminName=
Set LocalPass=
Set PsToolsFolder=
Set SupportToolsFolder=
Set /P TARGET= Enter computer name:
REM Start Remote Registry so PsLoggedOn can query the machine
%PsToolsFolder%\psservice \\%TARGET% start remoteregistry
REM Show who is logged on, then set the local administrator password
%PsToolsFolder%\psloggedon -l \\%TARGET%
%PsToolsFolder%\pspasswd \\%TARGET% %LocalAdminName% %LocalPass%
echo.
echo.
echo.
Set /P NEWNAME= Set new name of PC:
REM Rename the computer; /passwordd:* prompts for the domain admin password
%SupportToolsFolder%\netdom renamecomputer %TARGET% /newname:%NEWNAME% /userd:%DomainName%\%DomainAdminName% /passwordd:*
echo.
echo.
echo.
echo.
Set /P Ok= PressAnyKey to exit
Do not forget to fill in the fields at the top of the batch file, before Set /P TARGET; nothing further needs to be filled in.
And do not forget about the marks on the list and moving users and computers into the appropriate folders; we will need them for the next steps.
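The same per-computer pass as the batch file above (find out who is logged on, record it in AD, move the object into the department folder, rename), done with PowerShell cmdlets so that the manual Description and folder steps are automated too. This is an added example and not the author's script; the OU path and domain name are placeholders, and the local administrator password step is left to pspasswd as in the original.

```powershell
# Added example, not the author's batch file. Assumes RSAT's ActiveDirectory
# module and WinRM reachability to the target; OU and domain are placeholders.
Import-Module ActiveDirectory

function Invoke-ComputerInventoryRename {
    param(
        [Parameter(Mandatory)][string]$Target,        # current (bad) computer name
        [Parameter(Mandatory)][string]$NewName,       # name from the department list / sticker
        [Parameter(Mandatory)][string]$DepartmentOU,  # placeholder: 'OU=Sales,OU=Companyname_Computers,DC=example,DC=local'
        [Parameter(Mandatory)][pscredential]$DomainCred  # prompted once, like netdom /passwordd:*
    )
    # Equivalent of "psloggedon -l": the console user reported by the OS.
    # Uses WinRM, so the Remote Registry service is not needed for this step.
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $Target -ErrorAction Stop
    $user = if ($cs.UserName) { $cs.UserName } else { '<nobody logged on>' }

    # Record the owner in Description and file the object under its department OU
    $comp = Get-ADComputer -Identity $Target
    Set-ADComputer -Identity $comp -Description "User: $user (was $Target, renamed $(Get-Date -Format yyyy-MM-dd))"
    Move-ADObject -Identity $comp.DistinguishedName -TargetPath $DepartmentOU

    # Equivalent of "netdom renamecomputer": renames both the host and its AD
    # account. The new name takes effect after the machine reboots.
    Rename-Computer -ComputerName $Target -NewName $NewName -DomainCredential $DomainCred -Force
    return $user
}

# Usage: one password prompt, then one call per computer from the list.
# $cred = Get-Credential 'EXAMPLE\adminname'
# Invoke-ComputerInventoryRename -Target 'NOVENKIY' -NewName 'SALES-01' `
#     -DepartmentOU 'OU=Sales,OU=Companyname_Computers,DC=example,DC=local' -DomainCred $cred
```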
Putting it together
So, we run the batch file, enter the computer name, and find out who lives in this hut; then we mark the user's name on the list and move the computer into the folder we need in the AD tree, enter the new computer name and your password, and joyfully press any key once the procedure completes.
Once all computers have been renamed, we take our sheet with user and computer names and the stickers with computer names, and in 20 minutes walk around the office department by department, sticking the labels onto the computer cases.
After that, when someone calls you, you simply ask them to read the computer name off its case, after which... well, that is the topic of the next article :)