Little things from a Windows admin's experience
I have long wanted to write a series of posts outlining the small but interesting tasks and problems that come up in a system administrator's daily routine.
Perhaps some of the above will be useful to other system administrators.
I must say right away that the starting point is a Windows environment with an Active Directory domain, and the OS is mainly Windows XP and Server 2003. The companies served were mostly medium-sized (from 30 to 500 users).
Let's start, perhaps, with the frequently encountered task of determining which user is working on which computer.
To solve this problem, various techniques have been tried:
- naming machines after their users (tedious. After a couple of months you start forgetting to rename the computer, and the system slides into chaos)
- keeping a strict record in a separate Excel sheet of who may log on where, and restricting logon rights to a specific machine, etc. (pure paranoia; one of the clients did this. VERY boring and dreary)
- using third-party utilities, from BgInfo and PsLoggedOn from Sysinternals to all kinds of Hyena and Ideal Administrator (most of them cost money, do not always work correctly, or are too open: in the case of BgInfo, for example, information that I would not want absolutely everyone to see becomes visible on the desktop. It may be paranoia, but I don't want crowds of unknown people in the sales department or at the reception to learn the internal name of the computer, the user, the IP, etc. just by looking at the screen)
As a result, we “built our own lunapark with VBS and users” and wrote 2 small logon/logoff scripts that are run by group policy at the whole-domain level when a user logs on and logs off, respectively.
LOGON variant
Dim adsinfo, ThisComp, oUser
' Bind to the AD objects of the current computer and user
Set adsinfo = CreateObject("ADSystemInfo")
Set ThisComp = GetObject("LDAP://" & adsinfo.ComputerName)
Set oUser = GetObject("LDAP://" & adsinfo.UserName)
' Write the data to AD
' Computer's Department field: user name and logon time
ThisComp.Put "Department", "Logged on: " & oUser.cn & " " & CStr(Now)
ThisComp.SetInfo
' User account's Department field: computer name and logon time
oUser.Put "Department", "Logged on: " & ThisComp.cn & " " & CStr(Now)
oUser.SetInfo
WScript.Quit
LOGOFF variant
Dim adsinfo, ThisComp, oUser
' Bind to the AD objects of the current computer and user
Set adsinfo = CreateObject("ADSystemInfo")
Set ThisComp = GetObject("LDAP://" & adsinfo.ComputerName)
Set oUser = GetObject("LDAP://" & adsinfo.UserName)
' Write the data to AD
' Computer's Department field: user name and logoff time
ThisComp.Put "Department", "Logged off: " & oUser.cn & " " & CStr(Now)
ThisComp.SetInfo
' User account's Department field: computer name and logoff time
oUser.Put "Department", "Logged off: " & ThisComp.cn & " " & CStr(Now)
oUser.SetInfo
WScript.Quit
The code probably needs no explanation, since the script is elementary. I will only describe the pros of the script, which in my situation significantly outweighed the minuses (which I will also discuss).
Pros
- With such a script, it is enough to configure the AD snap-in to display one additional column (in our case, Department), and you can clearly see who is working where at the moment and when they logged on, or, if no one is working on the computer, who last worked on it and when they logged off
- No third-party software is involved, and the load on the system (user logon time) increases only very slightly
- Old user and computer objects left in AD are easily and clearly spotted (by the date of the last logon)
- Data is stored centrally in AD and no additional storage is needed (file, folder, database, etc.). Data is duplicated in the User and Computer objects, i.e. you can track the situation "logged on twice under the same account on different computers."
- The script uses the least used (for us and for all the organizations I have worked with) AD field that is common to User and Computer objects. This is a plus, because if the fields were different, you would have to add extra columns to the AD snap-in
- It is easy to adjust the script as you wish (select other fields for storing data, additionally write to a text file, exclude individual users or computers from processing (for example, terminal servers), etc.)
Minuses
- There is no history of entries, i.e. only the current state is recorded. If you need a history temporarily, you can add several lines of code to also write the information to a network file; if you need it permanently, it is better to think about another accounting method.
- All domain users must be given additional Write \ Modify permission on the Department field of Computer and User objects in AD. In my situation this is a doubtful minus, but I will not deny that it is one.
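The stale-object and double-logon checks from the list of pros can be run over the Department values once they have been read out of AD. The following is an added example, not part of the original post; it assumes `CStr(Now)` produced `dd.mm.yyyy h:mm:ss` timestamps, and the computer names, user names and the 90-day threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout written by the page's scripts: "Logged on: <cn> <CStr(Now)>".
# Assumption: CStr(Now) rendered as dd.mm.yyyy h:mm:ss (it follows the locale).
# VBScript drops the time part when the time is exactly midnight.
VALUE_RE = re.compile(
    r"^Logged (on|off): (.+?) (\d{2}\.\d{2}\.\d{4})(?: (\d{1,2}:\d{2}:\d{2}))?$")

def parse_value(value):
    """Return (state, cn, timestamp), or None if the value does not match."""
    m = VALUE_RE.match(value.strip())
    if not m:
        return None
    state, cn, date, time = m.groups()
    stamp = datetime.strptime(f"{date} {time or '0:00:00'}", "%d.%m.%Y %H:%M:%S")
    return state, cn, stamp

def report(computers, now, stale_after=timedelta(days=90)):
    """computers maps computer cn -> Department value.
    Returns (users on several computers, stale computers, unparsed computers)."""
    sessions, stale, unparsed = defaultdict(list), [], []
    for comp, value in sorted(computers.items()):
        parsed = parse_value(value)
        if parsed is None:
            unparsed.append(comp)   # empty, hand-edited or unexpected content
            continue
        state, user, stamp = parsed
        if now - stamp > stale_after:
            stale.append(comp)      # no logon or logoff recorded recently
        elif state == "on":
            sessions[user].append(comp)
    multi = {u: c for u, c in sessions.items() if len(c) > 1}
    return multi, stale, unparsed

# Constructed sample data, not taken from a real domain.
SAMPLE = {
    "WS-SALES-01": "Logged on: Ivan Petrov 15.03.2010 9:41:07",
    "WS-SALES-02": "Logged on: Ivan Petrov 15.03.2010 10:05:33",
    "WS-ACC-01": "Logged off: Anna Sidorova 14.03.2010 18:02:10",
    "WS-OLD-07": "Logged off: Oleg Smirnov 02.06.2009 17:30:00",
    "WS-IT-01": "Logged on: Admin 15.03.2010",
    "WS-RECEP-01": "Reception desk",
}

if __name__ == "__main__":
    print(report(SAMPLE, now=datetime(2010, 3, 15, 12, 0, 0)))
```

Because every domain user holds write access to this field, the values are self-reported, so the unparsed list is worth reviewing alongside the other two and the report is best treated as an inventory aid rather than an audit trail.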
To be continued.
P.S. I forgot to add: in operation, the system looks something like this:
