The morning of a system administrator

A system administrator's responsibilities typically include a number of tasks that must be fulfilled during the day: performing data backups, applying fixes and updates, monitoring software and hardware, troubleshooting problems, and many others. So I once asked myself: how should my working day begin? What information about my network would I like to have at hand right after arriving at the office?

I have formulated the following questions I want to have answered every morning:

1) Were there any unexpected server reboots?

2) Is any server running out of disk space?

3) What are the sizes of my MS SQL Server databases?

4) Were there any connectivity problems with our Internet connection?

5) Were there any Active Directory modifications?

6) Were there any password resets?

Please note that I need the questions above already answered by the time I enter the office. The answers to questions 1-4 come from VBS scripts that send me the corresponding reports by e-mail, while the answers to the last two questions are text-file reports generated by CMD scripts containing MS Log Parser commands, which are run by scheduled tasks on the servers (by cscript).

In this article I'd like to share these VBS and CMD scripts with you.

1) ServerReboots.vbs

2) FreeSpaceWatcher.vbs

3) SQLdbSpaceWatcher.vbs

4) InternetConnection.vbs

For some unknown reason I can't attach the last two CMD scripts correctly, so I post them here: copy and paste the code into a .txt file and then change the .txt extension to .cmd.

5) GroupModifications.cmd

———————–The Beginning of the script —————————————–

rem #################################################################################
rem            Any modifications to the group membership.       ID 632/633/636/637/660/661
rem            (on Windows Vista/2008 and later the same events are 4728/4729, 4732/4733
rem             and 4756/4757: member added to / removed from a global, local and universal group)
rem
rem    LogParser.exe is executed once per domain controller, so in my case there are two LogParser lines: for dc1 and for dc2.
rem    Please adjust the script according to your needs (e.g. to the number of your DCs).
rem
rem    Default output folder - C:\CMD
rem
rem    Note: inside a .cmd file a literal % must be written as %%, which is why the
rem    characters stripped from the SID strings appear as '%%{}' below.
rem
rem    V2 18.05.2011    Author: Michael Firsov
rem #################################################################################

rd C:\cmd\Groups /s /q
md C:\cmd\Groups

rem Added to Global Group (4728)
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS ADDitionTime, EventID, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,1,'|'),'%%{}','')) AS UserADDED, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,2,'|'),'%%{}','')) AS ToGROUP, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,5,'|'),'%%{}','')) AS ADDED-BY-User FROM \\dc1\security WHERE eventid = 4728 ORDER BY ADDitionTime DESC" > C:\cmd\Groups\DC1-AddedToGlobalGroup.txt
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS ADDitionTime, EventID, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,1,'|'),'%%{}','')) AS UserADDED, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,2,'|'),'%%{}','')) AS ToGROUP, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,5,'|'),'%%{}','')) AS ADDED-BY-User FROM \\dc2\security WHERE eventid = 4728 ORDER BY ADDitionTime DESC" > C:\cmd\Groups\DC2-AddedToGlobalGroup.txt

rem Added to Local Group (4732)
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS ADDitionTime, EventID, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,1,'|'),'%%{}','')) AS UserADDED, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,2,'|'),'%%{}','')) AS ToGROUP, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,5,'|'),'%%{}','')) AS ADDED-BY-User FROM \\dc1\security WHERE eventid = 4732 ORDER BY ADDitionTime DESC" > C:\cmd\Groups\DC1-AddedToLocalGroup.txt
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS ADDitionTime, EventID, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,1,'|'),'%%{}','')) AS UserADDED, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,2,'|'),'%%{}','')) AS ToGROUP, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,5,'|'),'%%{}','')) AS ADDED-BY-User FROM \\dc2\security WHERE eventid = 4732 ORDER BY ADDitionTime DESC" > C:\cmd\Groups\DC2-AddedToLocalGroup.txt

rem Added to Universal Group (4756)
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS ADDitionTime, EventID, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,1,'|'),'%%{}','')) AS UserADDED, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,2,'|'),'%%{}','')) AS ToGROUP, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,5,'|'),'%%{}','')) AS ADDED-BY-User FROM \\dc1\security WHERE eventid = 4756 ORDER BY ADDitionTime DESC" > C:\cmd\Groups\DC1-AddedToUniversalGroup.txt
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS ADDitionTime, EventID, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,1,'|'),'%%{}','')) AS UserADDED, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,2,'|'),'%%{}','')) AS ToGROUP, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,5,'|'),'%%{}','')) AS ADDED-BY-User FROM \\dc2\security WHERE eventid = 4756 ORDER BY ADDitionTime DESC" > C:\cmd\Groups\DC2-AddedToUniversalGroup.txt

rem Removed from Global Group (4729 - the original used 4728 here, which is the addition event)
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS ADDitionTime, EventID, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,1,'|'),'%%{}','')) AS UserDELETED, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,2,'|'),'%%{}','')) AS FromGROUP, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,5,'|'),'%%{}','')) AS DELETED-BY-User FROM \\dc1\security WHERE eventid = 4729 ORDER BY ADDitionTime DESC" > C:\cmd\Groups\DC1-REMOVEDfromGlobalGroup.txt
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS ADDitionTime, EventID, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,1,'|'),'%%{}','')) AS UserDELETED, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,2,'|'),'%%{}','')) AS FromGROUP, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,5,'|'),'%%{}','')) AS DELETED-BY-User FROM \\dc2\security WHERE eventid = 4729 ORDER BY ADDitionTime DESC" > C:\cmd\Groups\DC2-REMOVEDfromGlobalGroup.txt

rem Removed from Local Group (4733)
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS ADDitionTime, EventID, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,1,'|'),'%%{}','')) AS UserDELETED, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,2,'|'),'%%{}','')) AS FromGROUP, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,5,'|'),'%%{}','')) AS DELETED-BY-User FROM \\dc1\security WHERE eventid = 4733 ORDER BY ADDitionTime DESC" > C:\cmd\Groups\DC1-REMOVEDfromLocalGroup.txt
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS ADDitionTime, EventID, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,1,'|'),'%%{}','')) AS UserDELETED, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,2,'|'),'%%{}','')) AS FromGROUP, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,5,'|'),'%%{}','')) AS DELETED-BY-User FROM \\dc2\security WHERE eventid = 4733 ORDER BY ADDitionTime DESC" > C:\cmd\Groups\DC2-REMOVEDfromLocalGroup.txt

rem Removed from Universal Group (4757)
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS ADDitionTime, EventID, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,1,'|'),'%%{}','')) AS UserDELETED, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,2,'|'),'%%{}','')) AS FromGROUP, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,5,'|'),'%%{}','')) AS DELETED-BY-User FROM \\dc1\security WHERE eventid = 4757 ORDER BY ADDitionTime DESC" > C:\cmd\Groups\DC1-REMOVEDfromUniversalGroup.txt
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS ADDitionTime, EventID, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,1,'|'),'%%{}','')) AS UserDELETED, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,2,'|'),'%%{}','')) AS FromGROUP, resolve_sid(replace_chr(EXTRACT_TOKEN(Strings,5,'|'),'%%{}','')) AS DELETED-BY-User FROM \\dc2\security WHERE eventid = 4757 ORDER BY ADDitionTime DESC" > C:\cmd\Groups\DC2-REMOVEDfromUniversalGroup.txt

————————- The End of the script ———————————————


6) PassResets.cmd

———————–The Beginning of the script —————————————–

rem #################################################################################
rem                        Password resets for DC1 and DC2.
rem
rem                    ID 4723:     Win2000 - both password changed AND password reset !!!
rem                    ID 4724:     Win2003 - password reset ONLY !!!
rem
rem    LogParser.exe is executed once per domain controller, so in my case there are two LogParser lines: for dc1 and for dc2.
rem    Please adjust the script according to your needs (e.g. to the number of your DCs).
rem
rem    Default output folder - C:\CMD
rem
rem    V1    21.05.2010    Author: Michael Firsov
rem #################################################################################

rd C:\cmd\Passwords /s /q
md C:\cmd\Passwords

rem Token 0 of Strings is the account whose password was changed/reset, token 3 the SID of the account that did it
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS PasswordChangeTime, EventID, EXTRACT_TOKEN(Strings,0,'|') AS FOR-ACCOUNT, RESOLVE_SID(EXTRACT_TOKEN(Strings,3,'|')) AS BY-USER FROM \\dc1\security WHERE eventid = 4723 OR eventid = 4724 ORDER BY PasswordChangeTime DESC" > C:\cmd\Passwords\DC1-passChanges.txt

"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -I:EVT -o:csv -tabs:ON "select TimeGenerated AS PasswordChangeTime, EventID, EXTRACT_TOKEN(Strings,0,'|') AS FOR-ACCOUNT, RESOLVE_SID(EXTRACT_TOKEN(Strings,3,'|')) AS BY-USER FROM \\dc2\security WHERE eventid = 4723 OR eventid = 4724 ORDER BY PasswordChangeTime DESC" > C:\cmd\Passwords\DC2-passChanges.txt

————————- The End of the script ———————————————
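Both scripts leave a set of per-DC, tab-separated report files behind. As an added example (not part of the original post), the following Python script reads those files, merges the DC1/DC2 reports, labels each event ID, and lists changes to sensitive groups first. The sensitive-group list is an assumption to adjust to your domain, and the sample rows are constructed data in the format the scripts write.

```python
import csv
import io

# EventID -> description. 4729/4733/4757 are the removal counterparts of 4728/4732/4756.
EVENTS = {4728: "added to global group", 4729: "removed from global group",
          4732: "added to local group", 4733: "removed from local group",
          4756: "added to universal group", 4757: "removed from universal group",
          4723: "password change attempt", 4724: "password reset"}
# Assumption: groups whose membership changes are flagged; adjust to your own domain.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

def first(rec, *names):
    """First non-empty value among the named columns (the two scripts name them differently)."""
    return next((rec[n] for n in names if rec.get(n)), "")

def parse_report(dc, text):
    """Parse one report written with '-o:csv -tabs:ON': a header row, then tab-separated rows."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), delimiter="\t"):
        eid, group = int(rec["EventID"]), first(rec, "ToGROUP", "FromGROUP")
        rows.append({"dc": dc, "event": eid, "what": EVENTS.get(eid, f"unknown event {eid}"),
                     "time": first(rec, "ADDitionTime", "PasswordChangeTime"),
                     "account": first(rec, "UserADDED", "UserDELETED", "FOR-ACCOUNT"),
                     "group": group, "flag": group in SENSITIVE_GROUPS,
                     "by": first(rec, "ADDED-BY-User", "DELETED-BY-User", "BY-USER")})
    return rows

def merge_reports(reports):
    """reports: {file name: text}; the DC name is the file-name prefix (DC1-..., DC2-...)."""
    rows = [r for name, text in reports.items() for r in parse_report(name.split("-")[0], text)]
    # Flagged rows first, then newest first ('YYYY-MM-DD HH:MM:SS' stamps sort correctly as strings).
    rows.sort(key=lambda r: (r["flag"], r["time"]), reverse=True)
    return rows

SAMPLE_REPORTS = {  # constructed sample rows in the format the scripts write, not real log data
    "DC1-AddedToGlobalGroup.txt":
        "ADDitionTime\tEventID\tUserADDED\tToGROUP\tADDED-BY-User\n"
        "2011-05-18 08:41:07\t4728\tCORP\\jdoe\tDomain Admins\tCORP\\helpdesk1\n"
        "2011-05-18 07:12:50\t4728\tCORP\\asmith\tSales\tCORP\\hr-admin\n",
    "DC2-REMOVEDfromLocalGroup.txt":
        "ADDitionTime\tEventID\tUserDELETED\tFromGROUP\tDELETED-BY-User\n"
        "2011-05-18 09:02:11\t4733\tCORP\\svc-backup\tAdministrators\tCORP\\admin1\n",
    "DC1-passChanges.txt":
        "PasswordChangeTime\tEventID\tFOR-ACCOUNT\tBY-USER\n"
        "2011-05-18 09:30:00\t4724\tjdoe\tCORP\\helpdesk1\n",
}

if __name__ == "__main__":
    for r in merge_reports(SAMPLE_REPORTS):
        print(("!! " if r["flag"] else "   ") + f"{r['time']} {r['dc']} {r['account']} {r['what']} {r['group']} by {r['by']}")
```

To run it against the real output, build the `reports` dictionary from the files in C:\cmd\Groups and C:\cmd\Passwords instead of `SAMPLE_REPORTS`.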

Attention: should you have any problems running these scripts, please make sure the symbols " ' ( ) | are from the correct code page (plain ASCII characters, not the typographic quotes a blog editor tends to substitute).
