Categories
file sharing Operating Systems

Poor man's file audit on Windows Server 2008 R2 – with an easy search function and GUI

I needed a way to audit file deletions on our Windows 2008 R2 Server, but didn't need to make pretty reports for our C-levels; it was just for techs to track down who deleted what. So I used the built-in Windows File Audit with GPO.

We also have about 1800 people who use this share, so we had to keep a watchful eye on how many logs were generated, and then script out deletions after a certain period; we chose 14 days, which is about how far back we want to retain.

Task 1 was to enable the GPO so the server actually starts recording file deletions in Event Viewer.
Following this guide: http://www.morgantechspace.com/2013/11/Enable-File-System-Auditing-in-Windows.html
you can enable the GPO to start logging deletion attempts.

Task 2 was to separate the security logs into their own directory, for easy pruning.
I then had to go to the file server and enable this: http://blogs.technet.com/b/askds/archive/2009/08/04/tracking-a-remote-file-deletion-back-to-the-source.aspx
so that I can start logging. This essentially enables file auditing on the share. I only chose to audit successful file deletions, nothing else, as that was all the data I wanted logged.

Task 3 was to script automated deletions of the evtx files after 14 days of age.

I wrote this to do my automated deletions. Make a cmd or bat file on your desktop with these contents:
REM Remove archived Security logs older than 14 days (/d -14 = last modified more than 14 days ago)
forfiles /p "C:\Windows\System32\winevt\Logs\Security" /s /m *.* /c "cmd /c Del @path" /d -14

You can adjust the 14 days to be whatever you like. Then add it to Task Scheduler to automate it and run it once a day.

Task 4 was to find a way to search through 2-3 GB of evtx files easily.
SOURCE: https://martin77s.wordpress.com/2010/01/16/evtlogparser/
You will need to install LogParser.msi first.
Then run EVTLOGPARSER.EXE – it is portable once LogParser.msi is installed.
You can then add the security directory directly: \\SERVERNAME\c$\Windows\System32\winevt\Logs\Security
and query event ID 4663, and/or search the Message field for the deleted file name; partial matches should work.
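The same search done from PowerShell, as an added example that is not part of the original post or of EVTLOGPARSER: it walks the archived .evtx files, keeps only 4663 events whose AccessMask carries the DELETE bit (0x10000), and reports who deleted which object from which process. The archive path is the one from the post; the file-name substring and the 14-day window are assumptions to adjust.

```powershell
# Added example: report successful file deletions from archived Security logs.
# Event 4663 "An attempt was made to access an object" with the DELETE access
# bit set (0x10000) is the deletion record; the matching 4660 follows it.
function Find-FileDeletion {
    param(
        [string]$LogDir   = '\\SERVERNAME\c$\Windows\System32\winevt\Logs\Security',
        [string]$NameLike = 'Quarterly',   # assumption: substring of the deleted path
        [int]$Days        = 14
    )
    $since  = (Get-Date).AddDays(-$Days)
    $DELETE = 0x10000                      # ACCESS_MASK bit for DELETE

    Get-ChildItem -Path $LogDir -Filter '*.evtx' | ForEach-Object {
        # Get-WinEvent raises an error for a file with no matching events;
        # SilentlyContinue just skips that file.
        Get-WinEvent -FilterHashtable @{ Path = $_.FullName; Id = 4663; StartTime = $since } `
                     -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $ev = $_
        # Turn the named <Data> fields of the event XML into a lookup table
        $d = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $mask = [int]$d['AccessMask']      # hex string such as '0x10000'
        if (($mask -band $DELETE) -and ($d['ObjectName'] -like "*$NameLike*")) {
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']
                Process = $d['ProcessName']
            }
        }
    }
}

# Usage: deletions matching the substring in the last 14 days, newest first
Find-FileDeletion -NameLike 'Quarterly' | Sort-Object Time -Descending | Format-Table -AutoSize
```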

Categories
Operating Systems Powershell

Windows 10 not searching desktop applications with Cortana

Out of the blue, my start -> search stopped functioning, it would just be blank.

I reinstalled Cortana using the following procedure:

Open an elevated Command Prompt window (press Win + X, and then press A)
Type start powershell and press Enter
Run the command (in one line):
Get-AppXPackage -Name Microsoft.Windows.Cortana | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
After 30 seconds the problem was solved on my machine. Incredible.

Source: http://answers.microsoft.com/en-us/windows/forum/windows_10-win_cortana/cortana-not-finding-desktop-apps-when-searching/f612e995-6664-4b91-b6ae-96790e763858

Categories
Powershell

Adding User Principal Names in Active Directory via PowerShell for Federation

I wanted to update the UPN or User Principal Names in our AD, as we had a couple thousand users that had been in our AD for over 10 years, since the NT days. So they were created without UPNs.

This will print out the list of users and output it to a file so you can review who will be changed. We did not want to change the admin users, so I added a -notlike clause.

get-aduser -Filter * -SearchBase 'CN=Users,dc=vivithemage,dc=com' | where {($_.userprincipalname -eq $null) -and ($_.name -notlike "*admin*")} | format-table samaccountname,givenname,surname | Out-File c:\test\UPN-prechange2.txt

I reviewed the list, it looked good, so I could then run this to make the blanket change, manually specifying the domain name:

get-aduser -Filter * -SearchBase 'CN=Users,dc=vivithemage,dc=com' | where {($_.userprincipalname -eq $null) -and ($_.name -notlike "*admin*")} | foreach { Set-ADUser $_ -UserPrincipalName ("{0}@{1}" -f $_.name,"vivithemage.com")}

Lots of help from this article: http://blogs.technet.com/b/heyscriptingguy/archive/2013/08/13/add-user-principal-names-in-active-directory-via-powershell.aspx
and ss64.com
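The same preview-then-apply change as a function with -WhatIf support, added here as an example rather than the post's own commands. It differs from the one-liners in two ways a practitioner wants for federation: it builds the UPN from SamAccountName (Name can contain spaces) and it refuses to run unless the suffix is actually registered in the forest. The search base and suffix are the post's values; the review-file path is a placeholder.

```powershell
# Added example: fill in missing UPNs after a reviewable dry run.
function Set-MissingUpn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase = 'CN=Users,dc=vivithemage,dc=com',
        [string]$Suffix     = 'vivithemage.com',
        [string]$ReviewFile = 'C:\test\UPN-prechange.csv'   # placeholder path
    )
    # A federated sign-in only works for suffixes the forest knows about:
    # the explicit UPN suffix list plus the DNS names of its domains.
    $forest = Get-ADForest
    $known  = @($forest.UPNSuffixes) + @($forest.Domains)
    if ($known -notcontains $Suffix) {
        throw "UPN suffix '$Suffix' is not registered in forest $($forest.Name)"
    }

    # Same selection as the post: no UPN yet, and not an admin account
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName |
        Where-Object { ($null -eq $_.UserPrincipalName) -and ($_.Name -notlike '*admin*') }

    # Review file: who will change and what their UPN will become
    $users | Select-Object SamAccountName, GivenName, Surname,
        @{ n = 'NewUPN'; e = { '{0}@{1}' -f $_.SamAccountName, $Suffix } } |
        Export-Csv -Path $ReviewFile -NoTypeInformation

    foreach ($u in $users) {
        $upn = '{0}@{1}' -f $u.SamAccountName, $Suffix
        # -WhatIf makes ShouldProcess return $false, so nothing is written
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "set UPN to $upn")) {
            Set-ADUser -Identity $u -UserPrincipalName $upn
        }
    }
}

# Dry run first (writes the review CSV, changes nothing), then the real run:
Set-MissingUpn -WhatIf
# Set-MissingUpn
```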

Categories
Operating Systems

power shell script unmounting system reserved

I needed a PowerShell way to remove the System Reserved drive letter, as there is no reason for our users to actually use or access that partition. In PowerShell, drop this code in:

# Drive letter of the "System Reserved" partition, e.g. "E:"
$target = (Get-Volume -FileSystemLabel "System Reserved").DriveLetter + ":"
# Look the same volume up through WMI, which lets us clear the letter
$volume = Get-WmiObject Win32_Volume -Filter "DriveLetter='$target'"

if ($null -ne $volume)
{
    # Clearing DriveLetter and saving the object dismounts the letter
    $volume.DriveLetter = $null
    $volume.Put()
}

Save it, make sure it's a .ps1 file, and execute it; it will remove the drive letter and unmount the partition.

Categories
Cisco

Copy cisco running config with putty

I wanted to do a quick backup of my running config without needing to setup a TFTP server.

You will first want to get to enable mode:

router> enable

Then run terminal length 0, as this lets the screen spit out all data without pausing the output with the '--More--' prompt.

router# terminal length 0

The next step is configuring your PuTTY session as follows:

Right-click the window title and choose 'Change Settings'
On the left, select 'Logging' under 'Session'
Select the 'All session output' radio button and choose a destination file
Click 'Apply'
Now send a 'show running-config' command and the config will be sent to your log file.

router# sh run

Categories
Windows 7

Disable Windows Startup Repair as Default Option

I was having issues where my older RAID card would not get recognized on the first boot, causing Windows to reboot, then BSOD. So 50% of the time I would reboot and would be stuck on the repair screen, so I wanted to disable it. Apparently you can, through bcdedit!

bcdedit /set {default} recoveryenabled No

Categories
Operating Systems Powershell Uncategorized Windows 7

copy a file into all user directories via bat files for windows 7 or xp using a wildcard

I needed to copy one file into all of the user directories on computers. I ended up creating a for loop, printing it, then using that list as a variable to throw in; it worked great. This was one of the few things I could not find on Google, so hopefully this hits a few keywords for people when they're searching. IT IS POSSIBLE! This can be done in BAT, CMD, OR just dump it into a command prompt, changing your own directories/variables as needed.

REM this lists every directory in C:\Users\ and then copies the EssUser.cfg file to each user's PartsDoc dir
REM (%%G is the batch-file form of the loop variable; at an interactive prompt write %G instead)
FOR /D %%G IN (c:\Users\*.*) DO xcopy /Y /H /R "E:\PartsDoc Updates\EssUser.cfg" "%%G\Documents\CLAAS\PartsDoc\"

Categories
Operating Systems server 2012

How to change license from server 2012 r2 eval with MAK key

I found out you can do this pretty simply. I wanted to change my 2012 R2 Standard Eval ISO to use my 2012 R2 Standard MAK key. I ran this in an elevated command prompt:

DISM /online /Set-Edition:ServerStandard /ProductKey:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx /AcceptEula

Replace the x's with your key and hit Enter; it should work, with a reboot requested right after it completes.

Categories
Windows 7

creating large, empty files in windows

I ran this in Windows 7, but using fsutil you have a LOT of options.

fsutil file createnew c:\testfile.txt 150000000

This created a 150 MB empty file that I can use for testing. If you run fsutil on its own you will see you have a lot more options:

8dot3name 8dot3name management
behavior Control file system behavior
dirty Manage volume dirty bit
file File specific commands
fsinfo File system information
hardlink Hardlink management
objectid Object ID management
quota Quota management
repair Self healing management
reparsepoint Reparse point management
resource Transactional Resource Manager management
sparse Sparse file control
transaction Transaction management
usn USN management
volume Volume management

Categories
Windows 7

setting up putty to be used as a socks5 proxy over ssh

This was taken from: http://www.ocf.berkeley.edu/~xuanluo/sshproxywin.html

I am posting this for my own knowledge, just in case that site ever goes down.

Run PuTTY. It starts in the “Session” screen; fill in the settings for your SSH connection. The fields “Host Name” and “Port” are pretty self-explanatory. You can enter the username too by filling the “Host Name” field in the “user@host” format. Make sure “SSH” is selected in “Connection type:”.
Go to the “Connection” -> “SSH” -> “Tunnels” screen to configure our tunnel.
Under "Add new forwarded port:", enter some big integer of your choice in the "Source port" field. (The first thousand or so ports are sometimes reserved by the operating system, so pick something bigger.) Here I will arbitrarily choose 1080 (the SOCKS port).
Leave the “Destination” field blank.
Select the “Dynamic” radio button.
Click the “Add” button. You should see a line in the text box that reads “D1080” (or whatever number you chose).
(For those interested, this is the “-D” option in OpenSSH.)
(Optional:) By default a login session is opened in the terminal, which usually runs a "shell", allowing you to run commands on the command line on the remote computer. If you absolutely do not wish to use this, you may be able to disable it via the following:
Go to the “Connection” -> “SSH” screen.
Check the “Don’t start a shell or command at all” box.
(For those interested, this is the “-N” option in OpenSSH.)
(Optional:) At this point, it is a good idea to create a saved session, so you do not have to go through this process every time. If you wish to do so, go back to the “Session” screen; enter a name for the session and click “Save”.
Now you can open the connection. Click the “Open” button at the bottom.
The session window will open. If this is your first time connecting, it will ask you to add the key; “yes” is recommended. Enter the password when prompted. (You may also set it up to authenticate using public key instead of password, but that is beyond the scope of this tutorial.)
The login session is now connected. As long as the session is open, you will have a SOCKS proxy running on the local computer (localhost) at port 1080 (or whatever port you chose).
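A quick check to run once the session is open, added here as an example and not part of the original writeup: it confirms the dynamic forward is actually listening and, more importantly, that it is bound to loopback only. PuTTY's "Local ports accept connections from other hosts" option would instead expose the proxy to everyone on the LAN. Port 1080 is the writeup's value; the function name is my own.

```powershell
# Added example: verify the SOCKS listener exists and is loopback-only.
# (Command-line equivalent of the GUI steps above: plink -N -D 1080 user@host)
function Test-SocksListener {
    param([int]$Port = 1080)
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) {
        return [pscustomobject]@{ Port = $Port; Listening = $false; LoopbackOnly = $false; Owner = $null }
    }
    # Anything not bound to 127.0.0.1 / ::1 (e.g. 0.0.0.0) is reachable from other hosts
    $loopback = @('127.0.0.1', '::1')
    $exposed  = $listeners | Where-Object { $loopback -notcontains $_.LocalAddress }
    $ownerPid = ($listeners | Select-Object -First 1).OwningProcess
    [pscustomobject]@{
        Port         = $Port
        Listening    = $true
        LoopbackOnly = (-not $exposed)
        # Expect putty or plink here; anything else owns your "proxy" port
        Owner        = (Get-Process -Id $ownerPid -ErrorAction SilentlyContinue).ProcessName
    }
}

Test-SocksListener -Port 1080
```

If LoopbackOnly comes back False, re-check the "Local ports accept connections from other hosts" box on the Tunnels screen before browsing through the proxy.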

Example: Mozilla Firefox browser
Go to “Tools” menu -> “Options”
Go to “Advanced” screen -> “Network” tab
In the “Connection” section, click the “Settings…” button
Select the “Manual proxy configuration” radio button
Make sure “Use this proxy server for all protocols” is unchecked
Make sure the “HTTP Proxy”, “SSL Proxy”, “FTP Proxy”, “Gopher Proxy” fields are cleared
For “SOCKS Host”, enter “127.0.0.1”, and for “Port” enter 1080 (or whatever port you chose)
Select the “SOCKS v5” radio button
Click OK. Click OK.
Preventing DNS leaks is supported in Firefox 1.5.0.2 and above. Do the following:
Go to the URL “about:config”
Find the setting “network.proxy.socks_remote_dns” and set it to “true”
Example: Internet Explorer browser
Go to “Tools” menu -> “Internet Options”
Go to “Connections” tab
Click the “LAN Settings” button
In the “Proxy server” section, make sure the “Use a proxy server for your LAN…” box is checked
Click the “Advanced” button
Make sure “Use the same proxy server for all protocols” is unchecked
Make sure the “HTTP”, “Secure”, “FTP” fields are cleared
For “Socks”, enter “127.0.0.1” as the address, and for “Port” enter 1080 (or whatever port you chose)
Click OK. Click OK. Click OK.
I don't know of any built-in support for preventing DNS leaks.

I take ZERO credit for this writeup, again, this is just for my knowledge if I need to reference it again.