Category: VBScript


Examples:

  • .at matches any three-character string ending with “at”, including “hat”, “cat”, and “bat”.
  • [hc]at matches “hat” and “cat”.
  • [^b]at matches all strings matched by .at except “bat”.
  • [^hc]at matches all strings matched by .at other than “hat” and “cat”.
  • ^[hc]at matches “hat” and “cat”, but only at the beginning of the string or line.
  • [hc]at$ matches “hat” and “cat”, but only at the end of the string or line.
  • \[.\] matches any single character surrounded by “[” and “]” since the brackets are escaped, for example: “[a]” and “[b]”.
  • s.* matches any number of characters preceded by s, for example: “saw” and “seed”.


regex simulator: http://regex.lumadis.be/test_regex.php?lang=fr

tutorials about regexp:

http://en.wikipedia.org/wiki/Regular_expression

http://www.regular-expressions.info/quickstart.html

http://www.expreg.com/

 

http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx

Symptom:

Logon Script from AD User Profile Tab Not Working:

When specifying the logon script via the user account ensure you do not enter a full UNC path or DFS path.

\\domain.local\scripts\logon.bat does not work.

logon.bat does work.

The logon script field in the user account properties automatically points to the netlogon directory.

Workaround:
If you really need to start a logon script from a UNC or DFS path, put a “launcher” script in the logon script field and have it call the other script located on the UNC or DFS path.
In our example, enter the following in the logon script field:
launcher.bat
Copy launcher.bat to \\domain.local\netlogon.
launcher.bat should contain:
@echo off
call \\domain.local\scripts\logon.bat
One advantage of this launcher: for security reasons you do not give end users the right to update the NETLOGON share; instead you can share \\domain.local\scripts and grant the update rights on that directory.
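
Whoever can write to \\domain.local\scripts controls what runs at every logon, so it is worth checking who has write access there. The following is an added example, not part of the original post: it lists NTFS ACL entries that give broad groups write-type rights on the script directory. The path is the page's sample value and the group list is an assumption to adapt; share-level permissions are not covered and need a separate check.

```powershell
# Added example (not from the original post). $ScriptShare is the page's sample path;
# $BroadGroups is an assumed list of groups considered too broad for write access.
$ScriptShare = '\\domain.local\scripts'
$BroadGroups = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users'

# Rights that allow a script to be changed or replaced, plus the raw GENERIC_ALL and
# GENERIC_WRITE bits that Get-Acl can report on inherit-only entries.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = [int]$rights -bor 0x10000000 -bor 0x40000000

function Test-BroadWriteAce {
    # True when an Allow entry grants any write-type right to one of the broad groups.
    param($Ace, [string[]]$Groups, [int]$Mask)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $account = ($Ace.IdentityReference.Value -split '\\')[-1]   # drop DOMAIN\ or BUILTIN\
    return ($Groups -contains $account) -and (([int]$Ace.FileSystemRights -band $Mask) -ne 0)
}

# Check the share root and everything below it (NTFS ACLs only).
$items = @(Get-Item $ScriptShare) + @(Get-ChildItem $ScriptShare -Recurse)
$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if (Test-BroadWriteAce $ace $BroadGroups $WriteMask) {
            [pscustomobject]@{
                Path    = $item.FullName
                Account = $ace.IdentityReference.Value
                Rights  = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No write access for broad groups found in the NTFS ACLs.' }
```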

If you use batch files to automate tasks on a Vista/Windows 7/Windows 2008/2008 R2 computer, you have probably encountered situations when you needed to start a program ELEVATED (as Administrator).

For example, if you want to share a folder automatically from a batch file, you would use the “net share” command. However, unlike many other programs that ask for the administrator’s approval, net share does not do that and simply returns the error code 5 (“access denied”) if it was started by a standard user.

How to force that program to start elevated from a batch file?

There are multiple elevate.exe programs available for free on the Internet; I selected two of them:

<http://code.kliu.org/misc/elevate/>

Usage:  elevate [(-c | -k) [-n] [-u]] [-w] command

Options:
  -c  Launches a terminating command processor; equivalent to “cmd /c command”.
  -k  Launches a persistent command processor; equivalent to “cmd /k command”.
  -n  When using -c or -k, do not pushd the current directory before execution.
  -u  When using -c or -k, use Unicode; equivalent to “cmd /u”.
  -w  Waits for termination; equivalent to “start /wait command”.

Notes:
  Both the hyphen (e.g., -w) and slash (e.g., /w) forms of switches are valid.

  When -k is specified, command is optional. Omitting command in this case will simply open an elevated command prompt.

  Normally, an elevated command processor will not honor the current directory of an unelevated parent process, thus potentially creating problems with relative paths. To address this problem, when the -c or -k switches are used, elevate will issue a pushd command to the new command processor to ensure that it uses the current directory of its parent process. Specifying the -n switch will disable this feature.

Examples:
  elevate taskmgr
  elevate -k
  elevate /w HashCheckInstall.exe
  elevate -k sfc /scannow
  elevate /c del %SystemRoot%\Temp\*.*
  elevate -c -w copy foo*.* bar

Why this utility?

There are other similar utilities available; for example:
* http://wintellect.com/cs/blogs/jrobbins/archive/2007/03/27/elevate-a-process-at-the-command-line-in-vista.aspx
* http://jpassing.com/2007/12/08/launch-elevated-processes-from-the-command-line/

* http://www.winability.com/files/elevate.zip

Copy the file Elevate.exe into a folder where Windows can always find it (such as C:/Windows). To use it in a batch file, just prepend the command you want to execute as administrator with the elevate command, like this:

  elevate net share ...
  elevate -noui "c:\batch.bat"

and it should run the command net share as administrator. Of course, it does not relieve the administrator from the duty to approve the request (unless you have enabled the quiet mode of UAC or disabled the UAC altogether).

The syntax of the Elevate command is as follows:

  elevate [-opt1] [-opt2...] [path\]file[.exe] [param1 [param2...]]

Where -optN can be one of the following:

  -?         - Display the help screen and exit
  -info      - Open the web page with more information (the web page you are reading now!) and exit
  -wait4idle - Wait for the target process to initialize before returning
  -wait4exit - Wait for the target process to finish before returning
  -noui      - Don't display any messages, even if an error occurs

After the options, the following arguments should be entered:

  file       - The file name of the program to launch elevated
  paramN     - Optional parameters (as expected by the program being launched)

For example, if for some reason you want to run Notepad as administrator, and continue only after you exit Notepad, you would use a command like this:

  elevate   -wait4exit   notepad

If you use the elevate command while being logged in to Windows as a user that does not have a split token, that is as a non-administrator or a guest user, it will ask for the administrator’s password to continue. If you use it as the true administrator (that is, if UAC is disabled, or if you’ve launched the batch file itself as administrator), then no administrator’s approval would be required and it would launch the program as usual.

Can Elevate.exe be used on a Windows XP or Windows 2000 computer, even though they do not have UAC or users with the split tokens? Yes, it can! In such a case, if the batch file is executed by the administrator, then Elevate.exe runs the program as usual, without requiring any additional approval. If run by a restricted user, Elevate.exe has the same effect as the Runas command of Windows XP/2000: it gives the user an option to enter a different user’s credentials to launch the program.

The return code of the elevate command depends on the result of its execution and whether you have specified the -wait4exit option or not. If the -wait4exit option is NOT specified, then elevate returns code 0 if it started the target process successfully, or an error code as reported by Windows. For example, if Windows could not find the target file, it usually returns code 2. If the file was found, but the administrator did not approve the request to start the program elevated, the return code is 5. And so on.

However, if you have specified the -wait4exit option on the command line, then if the target process was started successfully, the elevate command would wait for it to finish and return the exit code from that process. The returned value in such a case depends on the program being launched by the elevate command. As with other commands, you can access the return code in a batch file via the ERRORLEVEL variable.

Tip: to extend the shell context menu for directories with an ‘Open Elevated Console here’ entry, add the following registry entries:

[HKEY_CLASSES_ROOT\Directory\shell\Open Elevated Console here]
@="Open Ele&vated Console here"

[HKEY_CLASSES_ROOT\Directory\shell\Open Elevated Console here\command]
@="c:\\path\\to\\elevate.exe /K \"title %1 && color 1a && cd /D %1\""

The objective is to allow WMI queries on a computer for a non-admin user or group.

The group to allow is mydomain\wmiquery-users.

The scripts require dcomperm.exe and wmisecurity.exe.

Authorize WMI users and set permissions on Win7, Win2008 R2: http://technet.microsoft.com/en-us/library/cc771551.aspx

Example of PS code: http://unlockpowershell.wordpress.com/2009/11/20/script-remote-dcom-wmi-access-for-a-domain-user/

Download wmisecurity.exe from the CodeProject site: http://www.codeproject.com/KB/system/WmiSecurity.aspx

Download dcomperm.exe from: http://cid-62b84429c3a8a991.skydrive.live.com/self.aspx/SharePoint/DComPerm.zip

1st step: Set up DCOM permissions:

@echo off
CLS
rem Requires dcomperm.exe in the current directory or on the PATH.
rem Create the log directory if it is missing, otherwise the redirections below fail.
if not exist .\logs mkdir .\logs
echo.
echo Windows computers - Set up DCOM Permissions - Oct 2011
echo __________________________________________________________________________________
echo.
echo ==========================================================================>.\logs\Set-DCOM-Permissions_%computername%.txt
rem Show the current permissions on screen, then write the same listing to the log.
echo Show current DCOM permissions - current values on %computername% BEFORE...
echo List machine access permission list...
dcomperm -ma list
echo List machine launch permission list...
dcomperm -ml list
echo List machine default permission list...
dcomperm -dl list
echo.
echo Show current DCOM permissions - current values on %computername% BEFORE...>>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine access permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ma list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine launch permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ml list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine default permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -dl list >>.\logs\Set-DCOM-Permissions_%computername%.txt
pause
echo.
echo ------------------------------------------------------------------------
rem Apply the new permissions for the group; each command is run a second time below to capture its output in the log.
echo Set new DCOM permissions - new values on %computername%...
echo Set machine access permission list...
dcomperm -ma set MYDOMAIN\wmiquery-users permit level:l,r
echo Set machine launch permission list...
dcomperm -ml set MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra
rem Note: for the default list the group's entry is removed, not set.
echo Set machine default permission list...
dcomperm -dl remove MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra
echo.
echo Set new DCOM permissions - new values on %computername%...>>.\logs\Set-DCOM-Permissions_%computername%.txt
echo Set machine access permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ma set MYDOMAIN\wmiquery-users permit level:l,r >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo Set machine launch permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ml set MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo Set machine default permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -dl remove MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo.
echo ------------------------------------------------------------------------
rem Show the resulting permissions on screen, then write the same listing to the log.
echo Show current DCOM permissions - current values on %computername% AFTER...
echo List machine access permission list...
dcomperm -ma list
echo List machine launch permission list...
dcomperm -ml list
echo List machine default permission list...
dcomperm -dl list
echo.
echo Show current DCOM permissions - current values on %computername% AFTER...>>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine access permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ma list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine launch permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ml list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine default permission list...>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -dl list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo.
goto end
:end

2nd step: Set up WMI Security:

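@echo off
CLS
rem Requires WmiSecurity.exe in the current directory or on the PATH.
rem Create the log directory if it is missing, otherwise the redirections below fail.
if not exist .\logs mkdir .\logs
echo.
echo Windows computers - Set up WMI Security - Oct 2011
echo _________________________________________________________________________
echo.
echo ------------------------------------------------------------------------>.\logs\Set-WMISecurity_%computername%.txt
echo Set up WMI Security on %computername%...>>.\logs\Set-WMISecurity_%computername%.txt
rem Run once with the output on screen, then again with the output appended to the log.
WmiSecurity /C=%computername% /A /N=Root /M="MYDOMAIN\wmiquery-users:REMOTEACCESS" /R
WmiSecurity /C=%computername% /A /N=Root /M="MYDOMAIN\wmiquery-users:REMOTEACCESS" /R >>.\logs\Set-WMISecurity_%computername%.txt

goto end
:end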

Just open a cmd.exe prompt and change the IP range:

C:\>FOR /L %x in (1,1,255) do ping -n 1 192.168.2.%x | find /I "reply" >> c:\temp\result.txt

The above command uses a FOR loop to ping each device and looks for “Reply” in the output. If there is a “Reply”, then the host is up. Results will be written to C:\temp\result.txt.

Or the PowerShell version:

C:\> 1..255 | foreach-object { (new-object System.Net.NetworkInformation.Ping).Send("192.168.2.$_") } | where-object {$_.Status -eq "success"} | select Address

Here’s a script that uses alternate credentials in order to search Active Directory:

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"

' Alternate credentials used to bind to Active Directory
objConnection.Properties("User ID") = "fabrikam\kenmyer"
objConnection.Properties("Password") = "A2sXrco1Fq1#om!"
objConnection.Properties("Encrypt Password") = TRUE
objConnection.Properties("ADSI Flag") = 3

objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Page the results and search the whole subtree
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://DC=fabrikam,DC=com' WHERE " _
    & "objectCategory='user'"

Set objRecordSet = objCommand.Execute

' Echo the name of every user object returned
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop

Like we said, for today we’re going to focus on these four lines of code, the four lines where we specify the alternate credentials:

objConnection.Properties("User ID") = "fabrikam\kenmyer"
objConnection.Properties("Password") = "A2sXrco1Fq1#om!"
objConnection.Properties("Encrypt Password") = TRUE
objConnection.Properties("ADSI Flag") = 3

Note that these four lines of code are required only if you want to conduct the search under alternate credentials; that is, only if you want to bind to Active Directory using a user account other than the one you used when logging on to Windows. If you want to do a search using your current logon credentials all you have to do is remove these four lines of code and the script is good to go.

As you can probably tell (the object reference objConnection is a dead giveaway), these four lines of code involve four properties of the ADO (ActiveX Data Objects) Connection object. The properties User ID and Password should be self-explanatory: these are simply the user name and the password for the account you want to use when binding to Active Directory. In this example, we’ve specified the User ID using the domain\user name syntax. However, we could also specify the user name as the logon name itself (e.g., jdalbera) or as the user’s UPN (Universal Principal Name): jdalbera@fabrikam.com. That’s entirely up to you.

As for the password, we’ve hard-coded the password into the script for educational purposes. Needless to say, however, that’s not the way we recommend that you do things. Instead, you should probably have the script prompt you for a password each time the script is run. If you’re not sure how to do that, well, don’t worry about it: as we are wont to do, we’ll simply refer you somewhere else. (In this case, a previous Hey, Scripting Guy! column on prompting for – and masking – passwords.)

That leaves us with just two properties to dispose of. Setting Encrypt Password to True simply tells the script to encrypt the password when sending it across the network; by default, this value is set to False. The ADSI Flag property, meanwhile, is a bitmask property used to specify authentication options. The value 3 is actually a bitmask value composed of two separate properties:

Constant                    Value   Description
ADS_SECURE_AUTHENTICATION   1       Requests secure authentication. When this flag is set, Active Directory will use Kerberos, and possibly NTLM, to authenticate the client.
ADS_USE_ENCRYPTION          2       Requires ADSI to use encryption for data exchange over the network.

You can find more information about the ADSI Flag property in the ADSI SDK.
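
The same search as an added PowerShell example (not part of the original column): it prompts for the alternate credentials instead of hard-coding them and builds the flag value 3 from the two named constants. It uses the .NET System.DirectoryServices classes rather than ADO; the LDAP path is the page's sample domain, and the function and variable names are assumptions.

```powershell
# Added example (not from the original column). The LDAP path is the page's sample domain.
Add-Type -AssemblyName System.DirectoryServices

# The two ADSI authentication flags from the table above, by name.
$ADS_SECURE_AUTHENTICATION = 1
$ADS_USE_ENCRYPTION        = 2

function Get-AdsiFlagNames {
    # Decode an "ADSI Flag" bitmask into the names of the bits that are set.
    param([int]$Flag)
    $names = @()
    if ($Flag -band $ADS_SECURE_AUTHENTICATION) { $names += 'ADS_SECURE_AUTHENTICATION' }
    if ($Flag -band $ADS_USE_ENCRYPTION)        { $names += 'ADS_USE_ENCRYPTION' }
    $names
}

# Combine the flags with a bitwise OR instead of writing the bare number 3.
$flag = $ADS_SECURE_AUTHENTICATION -bor $ADS_USE_ENCRYPTION
"ADSI Flag $flag = $((Get-AdsiFlagNames $flag) -join ' + ')"

# Prompt for the alternate account; the password is masked and never stored in the script.
$cred = Get-Credential
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password   # DirectoryEntry needs a plain string

# Bind with the same authentication options the VBScript sets through "ADSI Flag".
$authType = [System.DirectoryServices.AuthenticationTypes]$flag
$root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList `
    'LDAP://DC=fabrikam,DC=com', $user, $pass, $authType

# LDAP-filter equivalent of: SELECT Name ... WHERE objectCategory='user'
$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
$searcher.Filter      = '(objectCategory=user)'
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 1000
[void]$searcher.PropertiesToLoad.Add('name')

try {
    $results = $searcher.FindAll()
    foreach ($r in $results) { $r.Properties['name'][0] }
} finally {
    # Release the directory handles and drop the plain-text password reference.
    if ($results) { $results.Dispose() }
    $searcher.Dispose(); $root.Dispose()
    $pass = $null
}
```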