Find and/or cleanup old computer accounts in AD


Dsquery is a command-line tool that is built into Windows Server 2008. 
It is available if you have the Active Directory Domain Services (AD DS) server role installed. 
To use dsquery, you must run the dsquery command from an elevated command prompt. 
To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

To find inactive computer accounts (the number is the inactivity period in weeks):
dsquery computer -inactive 2

To find computers with stale passwords (the number is the password age in days):
dsquery computer -stalepwd 45

To disable or delete the accounts, pipe the dsquery output into dsmod or dsrm. Run each dsquery command on its own first and check the list it returns, because every account in that list is changed or deleted:

dsquery computer -inactive 4 | dsmod computer -disabled yes
dsquery computer -stalepwd 45 | dsrm -noprompt

You can get additional information on these tools with dsquery computer /?, dsmod computer /? and dsrm /?
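
The same cleanup as a report-first PowerShell pass, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed; the report path and variable names are made up for the illustration.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$InactiveWeeks = 4                          # same threshold as: dsquery computer -inactive 4
$StalePwdDays  = 45                         # same threshold as: dsquery computer -stalepwd 45
$ReportPath    = '.\stale-computers.csv'    # hypothetical report location

$now         = Get-Date
$logonCutoff = $now.AddDays(-7 * $InactiveWeeks)
$pwdCutoff   = $now.AddDays(-$StalePwdDays)

# LastLogonDate is derived from lastLogonTimestamp, which by default replicates only
# every 9 to 14 days, so inactivity thresholds shorter than that are unreliable.
$stale = Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, PasswordLastSet, whenCreated, OperatingSystem |
    Where-Object {
        # Require BOTH signals. A missing LastLogonDate (never logged on) counts as
        # inactive, so accounts created after the cutoff are skipped to spare
        # freshly pre-staged machines.
        ($null -eq $_.LastLogonDate   -or $_.LastLogonDate   -lt $logonCutoff) -and
        ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $pwdCutoff)   -and
        $_.whenCreated -lt $logonCutoff
    }

# Step 1: write the candidate list for review before anything is changed.
$stale |
    Select-Object Name, DistinguishedName, LastLogonDate, PasswordLastSet, OperatingSystem |
    Sort-Object LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($stale).Count) candidate(s) written to $ReportPath"

# Step 2: disable rather than delete. -WhatIf only prints what would happen;
# remove it once the report has been reviewed.
foreach ($computer in $stale) {
    Disable-ADAccount -Identity $computer -WhatIf
}
```

Disabled accounts can be re-enabled if a machine turns out to be in use, which is why this pass stops short of deletion.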

SCRIPTS: How to use RunDll32.exe

RunDll32.exe is an interesting tool that can be used in scripting.

  • rundll32.exe inetcpl.cpl ResetIEtoDefaults (see http://source.winehq.org/WineAPI/inetcpl.html)
  • RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
    DeleteCookies = 2,
    DeleteHistoryFiles = 8,
    DeleteFormData = 16,
    DeletePasswords = 32,
    DeleteHistory = 193,
    DeleteALLHistory = 255,
    DeleteTrackingInfo = 2048,
    PreserveFavourites = 8192,
    DeleteDownloadHistory = 16384,
    DeleteEverything = 22783

    Delete History = 1
    Delete Cookies = 2
    Delete Temporary Internet Files = 18
    Delete Form Data = 16
    Delete Passwords = 32
    Delete All = 255
    Delete All + files & settings stored by Addons = 4351
  • rundll32 shell32,Control_RunDLL : Run The Control Panel
    rundll32 shell32,Control_RunDLL X : Start applet X of Control Panel (“X” = any CPL filename)
    rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,4 : Regional setting, Date tab
    rundll32 shell32,OpenAs_RunDLL \dir\filename.txt : Open The ‘Open With…’ Window
    rundll32 shell32,ShellAboutA Info-Box : Open ‘About Window Window’
    rundll32 shell32,Control_RunDLL desk.cpl : Open Display Properties
    rundll32 user,cascadechildwindows : Cascade All Windows
    rundll32 user,tilechildwindows : Minimize All Child-Windows
    rundll32 user,repaintscreen : Refresh Desktop
    rundll32 keyboard,disable : Lock The Keyboard
    rundll32 mouse,disable : Disable Mouse
    rundll32 user,swapmousebutton : Swap Mouse Buttons
    rundll32 user,setcursorpos : Set Cursor Position To (0,0)
    rundll32 user,wnetconnectdialog : Show ‘Map Network Drive’ Window
    rundll32 user,wnetdisconnectdialog : Show ‘Disconnect Network Disk’ Window
    rundll32 user,disableoemlayer : Display The BSOD (blue screen of death) Window
    rundll32 diskcopy,DiskCopyRunDll : Show Copy Disk Window
    rundll32 rnaui.dll,RnaWizard : Run ‘Internet Connection Wizard’
    rundll32 shell32,SHFormatDrive : Run ‘Format Disk (A)’ Window
    rundll32 shell32,SHExitWindowsEx -1 : Cold Restart Of Windows Explorer
    rundll32 shell32,SHExitWindowsEx 1 : Shut Down Computer
    rundll32 shell32,SHExitWindowsEx 0 : Logoff Current User
    rundll32 shell32,SHExitWindowsEx 2 : Windows9x Quick Reboot
    rundll32 krnl386.exe,exitkernel : Force Windows 9x To Exit (no confirmation)
    rundll32 rnaui.dll,RnaDial "MyConnect" : Run ‘Net Connection’ Dialog
    rundll32 msprint2.dll,RUNDLL_PrintTestPage : Choose & Print Test Page Of Current Printer
    rundll32 user,setcaretblinktime : Set New Cursor Rate Speed
    rundll32 user,setdoubleclicktime : Set New DblClick Speed (Rate)
    rundll32 sysdm.cpl,InstallDevice_Rundll : Hardware installation wizard
    rundll32 user,MessageBeep : Default beep sound
    rundll32 user32.dll,MessageBeep : Default beep sound (XP)
    rundll32 shell32.dll,Control_RunDLL appwiz.cpl : Add/remove programs
    rundll32 shell32.dll,Control_RunDLL timedate.cpl,,0 : Date/time settings
    rundll32 shell32.dll,Control_RunDLL odbccp32.cpl : ODBC settings

    rundll32.exe url.dll,FileProtocolHandler http:\\www.rgagnon.com : Open the associated application
    rundll32.exe url.dll,FileProtocolHandler c:\mypdf.pdf : Open the associated application
    rundll32 amovie.ocx,RunDll /play /close c:\mymovie.mpg : Play multimedia (movie or sound)

    Rundll32.exe powrprof.dll,SetSuspendState Sleep : Put the computer in Sleep mode

    Privacy (IE):
    rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 8 : Internet temporary files
    rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 2 : Cookies
    rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 1 : History
    rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 16 : Forms Data
    rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 32 : Passwords
    rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 255 : Delete everything

    The Windows Fax viewer is used to view a variety of graphic formats, such as files with .bmp, .dib, .emf, .gif, .jpeg, .png, .tif or .wmf extensions:
    rundll32.exe shimgvw.dll,ImageView_Fullscreen "C:\Documents and Settings\username\My Documents\logo.bmp"

Uptime Scanner

' Prints the last boot time of every host listed in serverlistall.txt
' (one name per line, in the same folder as this script).
Const ForReading = 1, ForWriting = 2, ForAppending = 3

Set FileSystemObject = CreateObject("Scripting.FileSystemObject")
' Folder that holds this script: full path minus the script name
CurrentDirectory = Left(WScript.ScriptFullName, Len(WScript.ScriptFullName) - Len(WScript.ScriptName))
Set DeviceListFile = FileSystemObject.OpenTextFile(CurrentDirectory & "\serverlistall.txt", ForReading)

Do Until DeviceListFile.AtEndOfStream
    Devicename = Trim(DeviceListFile.ReadLine)
    If Devicename <> "" Then
        ' Connect to WMI on the remote host; report a failed connection and carry on with the next host
        On Error Resume Next
        Set winmgmts = GetObject("winmgmts:\\" & Devicename & "\root\cimv2")
        ConnectError = Err.Number
        On Error GoTo 0

        If ConnectError <> 0 Then
            WScript.Echo Devicename & ", WMI connection failed"
        Else
            Set Win32_OperatingSystem = winmgmts.ExecQuery("Select * from Win32_OperatingSystem")
            For Each Instance In Win32_OperatingSystem
                WScript.Echo Devicename & ", " & UtcDateToString(Instance.LastBootUpTime)
            Next
        End If
    End If
Loop
DeviceListFile.Close

' Converts a WMI datetime string (yyyymmddHHMMSS.mmmmmm+UUU) to a Date.
' The value is the remote host's local time; the UTC offset suffix is ignored.
' The date is built from numeric parts so the result does not depend on the regional date format.
Function UtcDateToString(UtcFormattedDate)
    UtcDateToString = DateSerial(CInt(Left(UtcFormattedDate, 4)), CInt(Mid(UtcFormattedDate, 5, 2)), CInt(Mid(UtcFormattedDate, 7, 2))) + _
        TimeSerial(CInt(Mid(UtcFormattedDate, 9, 2)), CInt(Mid(UtcFormattedDate, 11, 2)), CInt(Mid(UtcFormattedDate, 13, 2)))
End Function

EventLog Scanner (WMI)

' Lists System-log errors written since the last boot for every host in DeviceList.txt
' (one name per line, in the same folder as this script).
Const ForReading = 1, ForWriting = 2, ForAppending = 3

Set FileSystemObject = CreateObject("Scripting.FileSystemObject")
' Folder that holds this script: full path minus the script name
CurrentDirectory = Left(WScript.ScriptFullName, Len(WScript.ScriptFullName) - Len(WScript.ScriptName))
Set DeviceListFile = FileSystemObject.OpenTextFile(CurrentDirectory & "\DeviceList.txt", ForReading)

Do Until DeviceListFile.AtEndOfStream
    Devicename = Trim(DeviceListFile.ReadLine)
    If Devicename <> "" Then
        ' Connect to WMI on the remote host; report a failed connection and carry on with the next host
        On Error Resume Next
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & Devicename & "\root\cimv2")
        ConnectError = Err.Number
        On Error GoTo 0

        If ConnectError <> 0 Then
            WScript.Echo Devicename & ", WMI connection failed"
        Else
            ' Last boot time, kept in WMI datetime format so it can be used directly in the WQL filter below
            LastBootUpTime = ""
            Set Win32_OperatingSystem = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
            For Each Instance In Win32_OperatingSystem
                LastBootUpTime = Instance.LastBootUpTime
            Next

            Set colEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Type = 'Error' and Logfile = 'System' and TimeWritten > '" & LastBootUpTime & "'")
            For Each objEvent In colEvents
                Ignore = False
                'Drop your ignore strings in here. Just copy a line and drop your message over the top. Leave out anything non generic so you get better hits.

                If InStr(objEvent.Message, "Contact the administrator to install the driver before you log in again.") > 0 Then Ignore = True
                If InStr(objEvent.Message, "Remote Desktop Session Host server was unable to retrieve") > 0 Then Ignore = True
                If InStr(objEvent.Message, "An SSL 3.0 connection request was received from a remote client application") > 0 Then Ignore = True
                If InStr(objEvent.Message, "The Kerberos client received a KRB_AP_ERR_MODIFIED") > 0 Then Ignore = True
                If InStr(objEvent.Message, "DCOM was unable to communicate with the computer") > 0 Then Ignore = True
                If InStr(objEvent.Message, "The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID") > 0 Then Ignore = True
                If InStr(objEvent.Message, "The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.") > 0 Then Ignore = True
                If InStr(objEvent.Message, "The processing of Group Policy failed. Windows could not search the Active Directory organization unit hierarchy") > 0 Then Ignore = True
                If InStr(objEvent.Message, "The following fatal alert was generated: 40. The internal error state is 107.") > 0 Then Ignore = True 'This relates to secure channel failures. It happens intermittently.

                If Ignore = False Then WScript.Echo Devicename & ", " & UtcDateToString(objEvent.TimeWritten) & ", " & objEvent.Message
            Next
        End If
    End If
Loop
DeviceListFile.Close

' Converts a WMI datetime string (yyyymmddHHMMSS.mmmmmm+UUU) to a Date.
' The UTC offset suffix is ignored.
' The date is built from numeric parts so the result does not depend on the regional date format.
Function UtcDateToString(UtcFormattedDate)
    UtcDateToString = DateSerial(CInt(Left(UtcFormattedDate, 4)), CInt(Mid(UtcFormattedDate, 5, 2)), CInt(Mid(UtcFormattedDate, 7, 2))) + _
        TimeSerial(CInt(Mid(UtcFormattedDate, 9, 2)), CInt(Mid(UtcFormattedDate, 11, 2)), CInt(Mid(UtcFormattedDate, 13, 2)))
End Function