|
|
|||||||
Hello everyone, I'm new to kix start and I was wondering if I could get some help... I have a problem with computers on our network that weren't sysprepped, and they won't register with our WSUS server properly. I have found the following script which fixes the issue, but it's a .bat file I think. What I need to do is authenticate as a domain administrator, and then make the following changes... all quiet to the regular domain users.

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
cls
@echo Triggering detection after resetting WSUS client identity
net stop wuauserv
net start wuauserv
wuauclt /resetauthorization /detectnow

So far all I have is how to delete the registry keys.... Have no idea about authenticating as a domain admin... |
||||||||
|
|
|||||||
Welcome to the board. To avoid having members repeatedly correct you, the product with which you are working is KiXtart, not "kix start". The approach you should take with your script is to write an "Admin" script that you would execute from a central console and it would connect to each remote computer and delete the keys or values in question. You would execute the script as a domain admin which would then have the appropriate access on each computer. |
||||||||
|
|
|||||||
There are a few UDFs in the library that deal with remote registry manipulation. RegUpdate() - Local/Remote registry datatype update is one to review. |
||||||||
|
|
|||||||
I'm sorry, I forgot to mention that I'm running Active Directory with group policies. So the script would be encrypted with kixcrypt and then shared in the netlogon folder of our domain (encrypted to protect the domain admin username/password). Thanks |
||||||||
|
|
|||||||
Hello and welcome to the board. Here is some code to get you started. Code is untested so don't just run it as is, but review it and change as needed. The Remote execute is not in the script but I've given you a link and you can search the board as well for other examples. |
||||||||
|
|
|||||||
This is run from YOUR computer, not from the LOGON folder. You must have Admin rights on the remote systems as well. |
||||||||
|
|
|||||||
Quote: Encrypted script will be decrypted when executed and stored locally as a regular kix script. Users can then read the contents and therefore the username and password are both readable to the user. Never, NEVER, NEVER, NEVER put an admin username and password in a script unless you want to get screwed by some user that found the password and is actually using it to do and get what he/she wants. I'd probably lose my job or at least get my CEO on my back asking me why the h#ll I shared an admin password with a regular user if this happened. If you know the computers that cause problems (and if you don't, find out) then you should create an admin script that deletes the registry keys remotely and (re)starts the service remotely. Much more secure, the users will never know you did something to the computer they are working on and you'll find them all reporting in to WSUS and getting updates. |
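
The admin-script approach recommended above, as an added example in PowerShell rather than KiXtart (it is not code from this thread): it runs in the operator's own admin session, so no username or password is stored in the script, and it reports per computer whether the host was reachable. It assumes Windows PowerShell 5.1 and a reachable Remote Registry service on each target; `Reset-WsusClientIdentity` is a hypothetical function name, and the computer names are the test pair used later in the thread.

```powershell
# Added example, not from the thread. Run from an admin workstation in a session
# that already holds admin rights on the targets; nothing secret is embedded here.
# Assumption: Windows PowerShell 5.1 (Get-Service -ComputerName is not in PowerShell 7).
$Computers  = 'wrender-lap', 'fe-crosstec'
$SubKey     = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$ValueNames = 'AccountDomainSid', 'PingID', 'SusClientId'

function Reset-WsusClientIdentity {
    param([string]$Computer)

    $result = [ordered]@{ Computer = $Computer; Removed = @(); Absent = @(); Service = ''; Error = '' }
    $base = $null
    $key  = $null
    try {
        # Throws if the host or its Remote Registry service cannot be reached.
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $key  = $base.OpenSubKey($SubKey, $true)    # $true = open writable
        if ($null -eq $key) { throw "Key HKLM\$SubKey not found" }

        foreach ($name in $ValueNames) {
            if ($key.GetValueNames() -contains $name) {
                $key.DeleteValue($name)
                $result.Removed += $name
            } else {
                $result.Absent += $name             # already gone: not an error
            }
        }

        # Restart the Windows Update service so it picks up the change.
        $svc = Get-Service -ComputerName $Computer -Name wuauserv -ErrorAction Stop
        Restart-Service -InputObject $svc -Force -ErrorAction Stop
        $result.Service = 'restarted'
    }
    catch {
        # Unreachable host, access denied, missing key: record it and move on.
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($key)  { $key.Close() }
        if ($base) { $base.Close() }
    }
    [pscustomobject]$result
}

$Computers | ForEach-Object { Reset-WsusClientIdentity -Computer $_ } |
    Format-Table Computer, Removed, Absent, Service, Error -AutoSize
```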
||||||||
|
|
|||||||
OK, NTDOC, thanks man. That was the quickest response ever... The "wuauclt /resetauthorization /detectnow" is actually a utility command. So it should be in the path of all users.... Would I be able to execute it if I make the following additions to your code? (See RUN part I've added.) Also, if I run this from my computer, logged in as my account (domain administrator), will this execute using my credentials on the remote PCs?

For Each $sComputer In $sComputers
  $sComputer=IIf(Not $sComputer,'','\\'+Join(Split($sComputer,'\'),'',3)+'\')
  If $sComputer
    $Nul = DelValue($sComputer+$Key,'AccountDomainSid')
    $Nul = DelValue($sComputer+$Key,'PingID')
    $Nul = DelValue($sComputer+$Key,'SusClientId')
    $Nul = fnWMIService('wuauserv','stop',$sComputer)
    $Nul = fnWMIService('wuauserv','start',$sComputer)
    RUN "wuauclt /resetauthorization /detectnow"
  EndIf

Mart, thanks for the information about kixcrypt. I didn't realize that it decrypts to a regular kix file and stores it locally on the computer. Wes |
||||||||
|
|
|||||||
no, this will obviously execute on local computer. |
||||||||
|
|
|||||||
it doesn't seem to be obvious to me for some reason..... scratching my head like a monkey. |
||||||||
|
|
|||||||
Scratching your head like a monkey...LOL never heard that one before. This part Quote: will be executed on the local computer because no computer name is given to execute the command on. You could lose that wuauclt stuff and just stop and start the service so all new settings will be loaded when the service starts and the computers should start showing up in WSUS. Doc showed an example that does the trick. |
||||||||
|
|
|||||||
The code I provided should run okay. It will run against the remote computer (change the name to at least 2 computers you want to test it on, so it stays as an array) The name value for stopping and starting the SERVICE should work if that batch file is correct on the name. You may be able to do without the wuauclt /resetauthorization /detectnow portion of the code. Simply change the $sComputers to the name of 2 computers you want to test and then run the code and check on those computers. |
||||||||
|
|
|||||||
Ok thanks guys. I tested this script on my local machine... and I changed the script to just run for my computer.... $sComputers = 'wrender-lap' I put the kix32.exe in a folder with the script which I called wsusfix.kix and ran them like this... kix32 wsusfix.kix It exits, so I assumed the script ran. When I go to check in my registry on my computer (wrender-lap) the entries are still there... I tried refreshing using the F5 key. |
||||||||
|
|
|||||||
how about simply adding @error line after the delvalue() lines???? |
||||||||
|
|
|||||||
I added a line with @error after the delvalue() lines, and it didn't do anything. I tried putting in two computers for the $sComputers and it got a new error. $sComputers = 'wrender-lap','fe-crosstec' Error: undefined variable [Nul]! |
||||||||
|
|
|||||||
Ok, I've added the $Nul variable to the Dim's. I don't get the undefined variable error anymore... I ran the script, and it properly removes the registry entries from 'wrender-lap' but does not seem to remove them on the remote computer 'fe-crosstec'. |
||||||||
|
|
|||||||
Quote: not if you pretokenize the script. But agreed, it's not really safe either. |
||||||||
|
|
|||||||
well... todays decryption capabilities taken, it is. anyways, error-line always does something. a) you didn't place it in the right place b) your script didn't execute at all c) you didn't execute from command prompt or are using wkix32. then you need to use get $ after the error line but error-line always does give you something, always. |
||||||||
|
|
|||||||
No, I don't think any of those things are what's causing the registry keys to not be deleted on the fe-crosstec computer. What about this? On our network, I have kix32 available on the netlogon share, so it is available to all computers. But since I ran this script from a folder with kix32.exe on my local computer, would that affect where the remote computer looks for the kix stuff when it tries to execute the same script? I guess what I'm trying to ask is... Does the remote computer on the network need to have access to the kix files? If so, do the files have to be in the same directory or network location as what I have executed them from on my local computer? Wes |
||||||||
|
|
|||||||
no, none of the things I listed would stop the script from working. but all of the choices describe why you wouldn't have error line return something. get back to scripting and dig up the error. |
||||||||
|
|
|||||||
No. The remote computer does not execute the script so it does not need access to the script files and/or kix32.exe and/or wkix32.exe. This should work. The registry key and the computer names should be changed to fit your setup and the fnWMIService - Use the Win32_Service class of WMI to control services UDF must be included in the script or called from the script. Do not use shell because it executes on the local computer and therefore does not touch the remote computer and is of no use to you. Code:
|
||||||||
|
|
|||||||
Ok, thanks Jooel. How about the question about the availability of kix32.exe and the script for the remote computer? Mart, I will put this chunk of code into the script and test it. Thanks. |
||||||||
|
|
|||||||
Mart, Ok. I modified the script with the code.... I execute it and it removes the registry entries on my computer, but not the remote pc.... and it gives the following errors.... 2 The system cannot find the file specified. 2 The system cannot find the file specified. 2 The system cannot find the file specified. |
||||||||
|
|
|||||||
Ok. Show us what you got until now. |
||||||||
|
|
|||||||
;See the UDF: fnWMIService - Use the Win32_Service class of WMI to control services
;http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=83246
;To do the remote execution of the "wuauclt /resetauthorization /detectnow" look at this UDF
;RemoteExec() - execute a process on remote PCs
;http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=83206

If Not @LogonMode
  Break On
EndIf
Dim $SO
$SO=SetOption('Explicit','On')
$SO=SetOption('NoVarsInStrings','On')
$SO=SetOption('NoMacrosInStrings','On')
$SO=SetOption('WrapAtEOL','On')

Dim $sComputer, $sComputers, $Key, $Nul

;Put all computers into an array.
$sComputers = Split("wrender-lap", "fe-crosstec")

$key = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\"

;Execute the commands below on each computer from the array filled above.
For Each $sComputer In $sComputers
  ;Delete the registry keys.
  $Nul = DelValue("\\"+$sComputer+"\"+$Key,'AccountDomainSid')
  ?@ERROR
  ?@SERROR
  Sleep 2
  $Nul = DelValue("\\"+$sComputer+"\"+$Key,'PingID')
  ?@ERROR
  ?@SERROR
  Sleep 2
  $Nul = DelValue("\\"+$sComputer+"\"+$Key,'SusClientId')
  ?@ERROR
  ?@SERROR
  Sleep 2
  ;Stop and start the Windows Update service so new stuff gets initialized.
  $Nul = fnWMIService('wuauserv','stop',$sComputer)
  $Nul = fnWMIService('wuauserv','start',$sComputer)
Next

Function fnWMIService($sService,$sMethod,Optional $sComputer)
  Dim $objWMI,$objSrvc,$nul
  If Not $sComputer
    $sComputer=@WKSTA
  EndIf
  $objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\"+$sComputer+"\root\cimv2")
  If @ERROR<0
    Exit VAL("&"+Right(DecToHex(@ERROR),4))
  EndIf
  $objSrvc = $objWMI.ExecQuery('Select * from Win32_Service WHERE Name = "'+$sService+'"')
  For Each $objSrvc in $objSrvc
    $nul=Execute("$"+"fnWMIService = $"+"objSrvc."+$sMethod)
  Next
EndFunction
||||||||
|
|
|||||||
hmm... not sure does it affect anything but, you should reference the HKLM with its real name when controlling the remote registry. not sure how the hklm shortcut works, but... anyways, try it. |
||||||||
|
|
|||||||
Thanks, but same thing. I don't think that has anything to do with it, because it deletes the proper registry keys from my computer (wrender-lap) , just not the remote one (fe-crosstec). I still don't understand how this script just running on my computer makes changes to the remote computers as well... |
||||||||
|
|
|||||||
Ok, you got your array messed up. Fixed that. The "~" part is the delimiter used in the array so it should be the character that separates the values in your array and not a computer name. The HKLM shortcut Jooel is talking about works for me in remote admin scripts but it would be worth the labour to change it to the full path if it does not work.. Code:
One other thing... could you use the code tags when posting code? The formatting stays as is when code tags are used so it is much easier to read the script. |
||||||||
|
|
|||||||
Quote: The screwed up array is to blame for that. You have Kix splitting wrender-lap on fe-crosstec. Like this: Code:
Fixed this in my previous post. |
||||||||
|
|
|||||||
OK, the script seems to take longer now and is giving new errors. Almost as though it can't connect to the second computer (fe-crosstec)... Code:
|
||||||||
|
|
|||||||
Ok. It works! I needed to turn file and printer sharing on the fe-crosstec machine. I guess this answers my question, of how does the kix script gain access to the remote machine and run on it.... Thanks for all the help |
||||||||
|
|
|||||||
heh... the access actually has nothing to do with file and printer sharing but something called remote registry. but, in xp so many things are tied together and none work if some of the stupid settings is not set. this time, it was file and printer sharing. |
||||||||
|
|
|||||||
Just wild guess, I presume on Layer 4 of the OSI model, the same protocol is used??? SMB??? |
||||||||
|
|
|||||||
Maybe you would prefer setting the FireWall in XP on all computers via Group Policy in Active Directory? Did it and works like a charm. |
||||||||
|
|
|||||||
hmm... you think it's firewall that's the only thing needing to be set? might be right for domain workstations... |
||||||||
|
|
|||||||
Quote: XP (and upcoming Vista) firewall should be off in a domain environment IMHO. There usually is a firewall on the internet connection so the built-in firewall on each machine is just working as a firewall to stop domain users from accessing the machines via the LAN and that is a matter of educating your users. Just my opinion on the bloody XP firewall and a little off topic. |
||||||||
|
|
|||||||
IMHO, leave it on but finetune it via GPO. Define the networks that are allowed for file and print sharing. Anyway, that is what I did and it works. Maybe this is off topic, but I think Windows FW is too important. Top 10 Reasons to Deploy Windows XP Service Pack 2: Windows Firewall Quote: |
||||||||
|
|
|||||||
well, in our network, firewall is off and when the computer/laptop is not here, as in some other network, the firewall is on. and that's all done via gpo. |
||||||||
|
|
|||||||
And if the computer is in an untrusted network but connects via VPN? I presume you configured Windows XP Firewall to be "on", but with exceptions? |
||||||||
|
|
|||||||
nope. vpn uses virtual adapter which doesn't have the firewall enabled. |
||||||||
|
|
|||||||
K. I see. Maybe other arg. The Firewall helps blocking computer viruses and worms from reaching your computer. I know viruses should not be on your trusted network, but you never know. |
||||||||
|
|
|||||||
lol. that's what the av stuff is for. |
||||||||
|
|
|||||||
On our network we normally keep file and print sharing off, and turn it on with group policy when needed. I think it takes a maximum of 120 min with replication and all that jazz before it takes effect. I do agree, leaving the firewall on with file and print sharing blocked probably decreases the spread of a lot of viruses. |
||||||||
|
|
|||||||
I think File and Print sharing should not be blocked in your trusted networks. Otherwise you cannot remote admin the computers. The trusted networks can be defined in the rule that allows File and Print sharing. In fact, everything should be blocked except the things you need (think about ports for AV, remote assistance, remote desktop, tftp server,...). Maybe AV stuff can help to clean your computer from viruses and worms, but a firewall can help to avoid that one of these things ever enter the computer. Why bet on one horse if you've got two? |
||||||||
|
|
|||||||
lol. if you allow lan traffic through those ports, it's same as if they didn't have the firewall on at all. a) in lan environment, the attack comes from the neighbor machine. the one you opened the hole for b) those ports and services are the ones today's viruses use to attack you so, it's totally useless to use firewall in domain network. imho. |
||||||||
|
|
|||||||
Quote: Plus, in any but very small networks it's nearly impossible to administrate. I just had a conversation with a friend of mine who works as an admin in a small to middle sized company (500+ clients). They thought about implementing firewalls for every client. After a week of research they realized that in order to lock down the workstations as much as needed to get a better security, without hampering all the special apps running on the PCs, they would have at least 50 or 60 different firewall configurations. They dropped the whole thing. Imho, if you have a tight security on your servers, good local antivirus, no vital data stored on local workstations and a proper firewall/antivirus for all incoming, local FWs would just increase complexity, not security. |
||||||||
|
|
|||||||
Quote: Most viruses in company networks spread via mail or infected documents. You don't catch them via local firewalls. Also, there have been lots of cases in the recent past where spyware or viruses simply disarmed software firewalls. Quote: Because it just increases expenses for administration and support without increasing the security significantly. |
||||||||
|
|
|||||||
A firewall is a small part of protecting a computer in a corporate environment. The firewall is most useful on traveling computers that get exposed to foreign networks. IPS and AV is where corporate computers are protected. |
||||||||
|
|
|||||||
Or there is real protection... Cisco Security Agent. Firewall / AV / Application watching / NAC all rolled into one.. |
||||||||
|
|
|||||||
oh, this became suddenly an ad channel |
||||||||
|
|
|||||||
Ok a bit of an ad, maybe I should have used "Hosted Intrusion Prevention System", but then again being a Cisco Geek.. |
||||||||
|
|
|||||||
What the hell are you guys talkin about? A firewall isn't useless inside a domain. I'm running over 150 Windows XP clients, and about 100 Windows 2000 clients. All 150 XP workstations are running a firewall, sure it adds a bit of processing overhead, but we haven't had any problems with compatibility between applications and server connections. Also, you can adjust the Windows XP firewall in a flinch via group policy... I guess if you aren't running an Active Directory domain, it could be a pain. If someone is going to attempt at hacking your network, it's most likely going to come from the disgruntled employees on the inside anyways. Not having a firewall on the workstations themselves is only going to make it easier for them. |
||||||||
|
|
|||||||
Thanks, I just gave up. |
||||||||
|
|
|||||||
Hey, if you guys think wearing gloves when having sex prevents you a little bit more from getting aids, that's fine with me. |
||||||||
|
|
|||||||
http://www.microsoft.com/windowsxp/using/security/learnmore/atkin_firewall.mspx#EYF |
||||||||
|
|
|||||||
(not directed specifically to you Witto) Okay this is way off topic now. If everyone wants to post further on this subject please go to the General forum. This has nothing to do with KiXtart. The Starters forum is designed to assist new users in how to use KiXtart, not how to convince someone to see things your way for general networking. |
||||||||
|
|
|||||||
This cannot be compared with sex. In the Windows Firewall, holes are deliberately made. You will not make holes in your preservative when having (unsafe) sex. [Edit] Whoops doc, had not seen your post yet. Sorry [/Edit] |