Windows Tips & Tricks UPDATE, November 14, 2005, brought to you by the Windows IT Pro Network and the Windows 2000 FAQ site
http://www.windows2000faq.com

Make sure your copy of Windows Tips & Tricks UPDATE isn't mistakenly blocked by antispam software! Be sure to add Windows_TipsandTricks_UPDATE@list.windowsitpro.com to your list of allowed senders and contacts.

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows Tips & Tricks UPDATE.

Download a Tool that will Benefit any Sys Admin
http://www.tntsoftware.com/wintip111405

Create connected SharePoint web parts in minutes.
http://www.xcelsius.com/winitmag


Sponsor: TNT

Download a Tool that will Benefit any Sys Admin Are you searching for an affordable real-time monitoring toolset that will support your proactive system management objectives? Start NOW and download ELM Enterprise Manager from TNT Software. Within an hour, you will experience for yourself why ELM is recognized as the tool that will benefit any System Administrator. Before the 30 Day full feature trial is completed, the Monitoring, Alerting and Reporting will have saved you time and provided you the data for prompt corrective action. Be Proactive; and download ELM Enterprise Manager from the link below:
http://www.tntsoftware.com/wintip111405


FAQs

  • Q. What are the new well-known security principals that Windows Server 2003 introduces?
  • Q. What's a good way to protect service accounts from abuse?
  • Q. How can I use a VBScript script to ping a machine?
  • Q. How can I dump out the mailbox permissions on a Microsoft Exchange Server box or bulk change multiple users' attributes at once?


Sponsor: Infommersion

Your company's never shared its data like this before. Crystal Xcelsius for SharePoint allows you to display your existing business data as stunning charts, graphs, interactive analytic models and reports; then deploy them to your SharePoint portal as connected web parts for collaborative presentation and analysis - all with point-and-click ease. Crystal Xcelsius for SharePoint's Visual Modeling lets your end users identify critical data relationships, analyze what-if scenarios, and peer into the company's possible future performance - just by moving visual sliders and dials on their screen. Ensure your SharePoint end users are sharing critical business intelligence, instead of just swapping files. Learn how today at:
http://www.xcelsius.com/winitmag


FAQs

Q. What are the new well-known security principals that Windows Server 2003 introduces?

A. Well-known security principals are security principals that have the same SID on every system. Windows 2003 introduced several new well-known security principals, which are listed in the table.

--------------------

Q. What's a good way to protect service accounts from abuse?

A. Often, administrators create specific accounts for certain services to run under (although more products are now taking advantage of Local System to avoid this requirement). The concern is that these service accounts have a password that's known by certain people, so users can log on as the account, which makes it hard to track their activities. When an administrator leaves, his or her account might be disabled, but service accounts might not have their passwords changed. One way to protect these accounts is to stop users from being able to use them to log on. You can do so by removing the following rights from these accounts:

  • Log on locally. This right lets you log on at the console with the account.
  • Access this computer from the network. This right enables access to resources (e.g., a shared folder) on other computers (although if the service needs to access remote resources you can't disable this right).
  • Log on through Terminal Services. This right lets you log on via Windows 2000 Server Terminal Services.

Under usual circumstances, service accounts require only the "Log on as a service" right, so ensure that they have this permission, but again, if the service requires remote access to other resources, it might need the "Access this computer from the network" right. The easiest way to remove the three rights is to create a group and place all the service-type accounts in this group. Then create a Group Policy Object (GPO) that denies the rights discussed and apply it at a level that will affect all user accounts (e.g., the domain), as the figure shows. A deny always overrides an allow.
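An added audit check, not part of the original newsletter, that reads a policy file exported with "secedit /export /cfg <file>" and reports whether the service-account group has the three deny rights from the answer above while still holding "Log on as a service". The group SID and the export contents are constructed for the example; the privilege names are the ones secedit writes.

```python
import re

# Privilege names as written in the [Privilege Rights] section of a secedit
# export: the three rights the FAQ says to deny, plus the one such accounts need.
DENY_RIGHTS = (
    "SeDenyInteractiveLogonRight",        # Deny log on locally
    "SeDenyNetworkLogonRight",            # Deny access this computer from the network
    "SeDenyRemoteInteractiveLogonRight",  # Deny log on through Terminal Services
)
SERVICE_RIGHT = "SeServiceLogonRight"     # Log on as a service

# Constructed sample export (real files are UTF-16 and carry more sections).
# The assumed SID ending in -1105 stands for the service-accounts group.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1105
SeServiceLogonRight = *S-1-5-21-1000-2000-3000-1105,*S-1-5-80-0
"""

def parse_privilege_rights(text):
    """Return {privilege name: set of SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            in_section = header.group(1) == "Privilege Rights"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # Holders are written as *SID; strip the marker.
            rights[name.strip()] = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
    return rights

def audit_service_group(text, group_sid, needs_network=False):
    """List the FAQ's deny rights that group_sid lacks and whether it holds Log on
    as a service. needs_network waives the network deny for services that must
    reach remote resources, as the FAQ allows."""
    rights = parse_privilege_rights(text)
    missing = [p for p in DENY_RIGHTS
               if not (needs_network and p == "SeDenyNetworkLogonRight")
               and group_sid not in rights.get(p, set())]
    return {"missing_denies": missing,
            "has_service_logon": group_sid in rights.get(SERVICE_RIGHT, set())}
```

On the sample export the group is missing only the network deny, which is the one the answer says you may have to leave off.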

Q. How can I use a VBScript script to ping a machine?

A. The Windows Management Instrumentation (WMI) classes in Windows XP and later provide a Win32_PingStatus object that you can use to ping a machine. The following script, which you can download at http://www.windowsitpro.com/content/content/49082/vbpinging.zip, uses this object to ping a passed hostname or IP address.

  Option Explicit

  Dim strHost

  ' Check that all required arguments have been passed.
  If Wscript.Arguments.Count <> 1 Then
      Wscript.Echo "Usage: cscript vbping.vbs <hostname or IP address>"
      Wscript.Quit(1)
  End If

  strHost = Wscript.Arguments(0)

  If Ping(strHost) = True Then
      Wscript.Echo "Host " & strHost & " contacted"
  Else
      Wscript.Echo "Host " & strHost & " could not be contacted"
  End If

  Function Ping(strHost)
      Dim objPing, objRetStatus

      ' Ask WMI to ping the address; each result row is a Win32_PingStatus instance.
      Set objPing = GetObject("winmgmts:{impersonationLevel=impersonate}").ExecQuery _
          ("select * from Win32_PingStatus where address = '" & strHost & "'")

      For Each objRetStatus In objPing
          ' A Null or non-zero StatusCode means the ping did not succeed.
          If IsNull(objRetStatus.StatusCode) Or objRetStatus.StatusCode <> 0 Then
              Ping = False
              'WScript.Echo "Status code is " & objRetStatus.StatusCode
          Else
              Ping = True
              'Wscript.Echo "Bytes = " & vbTab & objRetStatus.BufferSize
              'Wscript.Echo "Time (ms) = " & vbTab & objRetStatus.ResponseTime
              'Wscript.Echo "TTL (s) = " & vbTab & objRetStatus.ResponseTimeToLive
          End If
      Next
  End Function

You can modify this script to do whatever you need. Notice that I've commented out (with ') some lines that give more information about the ping attempt, but you can leave the lines in if the information would be useful to you. Run the script by using the following command:

  D:\projects\VBScripts>cscript vbping.vbs savdalex01

which will give the following sample output:

  Host savdalex01 contacted

You can find more information about Win32_PingStatus at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/win32_pingstatus.asp.

Q. How can I dump out the mailbox permissions on a Microsoft Exchange Server box or bulk change multiple users' attributes at once?

A. It's possible to delegate permissions to other users' mailboxes. If you want to dump these permissions to a file, you can use the admodify.net tool, which you can download at http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2. This tool has two main purposes: it can dump out the mailbox permissions, and it can bulk change multiple accounts.

  1. After you download admodify.net, extract the file to a folder and run the ADModify.exe image. On the main application window, click the Modify Attributes button (even though you're not modifying anything).
  2. Select the domain and domain controller (DC) and click the green arrow button to display a domain tree list, as the figure shows. Expand the list and select the container or organizational unit (OU) you want to export and click Add To List. In the right pane, select all the users. Click Next.
  3. Select the Mailbox Rights tab and select the "Export Mailbox Rights" box, as the figure shows. Click Go. You'll notice on this screen that you can bulk change information on multiple users at once, but in this case we're changing nothing and instead just listing mailbox rights.
  4. Click OK and open the newly created mbxrights.xml file (it will be in the same folder as the admodify.net tool). This file, which the figure shows, is a dump of the mailbox rights.

Notice in this example that DPrince has Read permissions to the Clark Kent mailbox. Remember that applications such as Microsoft Excel can read XML, so importing this XML file into Excel will give a column-based view of the data, as the figure shows, which might be easier to manipulate. This tool can also bulk enable and disable Messaging API (MAPI) for clients, which might prove useful for many companies going through migrations or upgrades.

Hot Release (advertisement)

  • Ensure Data Protection and High Availability for Microsoft Exchange

  • Having a mission-critical, data protection solution that is cost-effective, hardware independent and scalable is something every IT manager should consider. In this free white paper get all you need to know about ensuring data protection and high availability for Exchange. This is one paper you can't afford to miss!
    http://www.windowsitpro.com/go/whitepapers/NSI/exchange?code=tthot1114

Contact Us
Here's how to reach us with your comments and questions:

This email newsletter is brought to you by Windows IT Pro, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
https://store.pentontech.com/index.cfm?s=1&promocode=eu205xxb