Several years ago, my phone rang late at night. A server hardware upgrade at my company had gone bad. The network card on one of our main file servers failed and no longer had network connectivity. We had spares but were unable to install them because the server didn't seem to have any cached domain credentials on it and the local Administrator account name and password combination didn't work. Thus, we were locked out of our own box. At that time, no handy break-in tools were available to help us out. We eventually hacked into our own server, but in my mind, that experience underscored the importance of maintaining, managing, and verifying server Administrator account names and passwords. Often, systems administrators emphasize the importance of changing Administrator passwords for security reasons. This emphasis is definitely justified because the local Administrator account holds the key to the information kingdom on that server. However, along with this security element, you need to consider the unusual situations in which you must have 100 percent confidence that, when you sit down at the console, your logon information will work. There isn't a more gut-wrenching feeling than having an improper-username/password warning pop up when you're attempting a local logon.
Manually checking and changing passwords on many servers takes a lot of time. Because of the time it takes, an administrator might be tempted to check and change the passwords less often, thereby reducing network security. And errors might creep in: errors that could lead to a serious situation like the one I just described.
Fortunately, scripts can perform repetitive operations such as checking and changing passwords with greater speed and accuracy than is possible with the built-in tools that are typically used. Scripts also offer several advantages over third-party GUI tools. (To learn about these advantages, see the sidebar "GUI Utilities vs. Scripted Solutions," page 62.) Even if you've never done any scripting or code development, you can easily get started in Windows shell scripting by looking at and using PWcheck-change, a fully functional script that checks and changes passwords. After I give you a quick introduction to this script, you'll get to peek under the hood. Then, I'll show you how to customize and use PWcheck-change.
PWcheck-change Basics
PWcheck-change is a simple, practical script that you can use to accurately check and change passwords on many servers in just a few seconds. To effectively maintain, manage, and verify passwords with PWcheck-change, you need to run the script in three situations. First, you need to periodically run the script to perform routine password changes. PWcheck-change will reset the passwords when you launch it with the -Change argument:
PWcheck-change.bat -Change
Second, you need to periodically run the script to determine whether any passwords have changed that shouldn't have. PWcheck-change will verify your servers' passwords and report any incorrect passwords when you launch it with no argument:
PWcheck-change.bat
Finally, you need to run the script as soon as possible in an emergency. For example, if the computer security staff determines that the passwords on one or more servers have been compromised, you need to make an emergency run of the script as quickly as possible.
When I wrote PWcheck-change, I had to make several assumptions about the users who would be running the script. There are five assumptions:
1. The script assumes that you're following the standard best practice of using unique Administrator account names and unique passwords for your servers. However, if all your Administrator account names are the same or if you're using one password for all your servers, you can specify that common account name or password for each server, the same way you'd specify the unique name or password.
2. The script assumes that your servers are online. Because Administrator account information is in the local server account database and not in Active Directory (AD), your servers must be online for changes to take place. PWcheck-change will determine whether the server is online before attempting to check or change a password.
3. The script assumes that your passwords comply with the password length and complexity restrictions you've configured for your system. For example, if you've set a minimum length requirement of eight characters for your Administrator passwords, you shouldn't use the script to set a password that's only six characters long. The same holds true if you're using strong passwords: don't use the script to set a password that doesn't contain the required character mix. The good news is, if you violate your own password policies, any errors in the change will be recorded to the log file.
4. The script assumes that your passwords don't include any Windows shell scripting reserved characters. There are a handful of characters that might conceivably be used in passwords that are also reserved characters in shell scripting. Avoid using the following reserved characters as password characters:
, ^ & < > ( ) | = " ;
If you attempt to use these characters in your passwords, the password change will likely fail.
The following characters are OK to use:
$ % @ # ! ` ' ~ . + _ - * : \ /
However, a backtick (`) and a single quote (') can be difficult to tell apart, as can some common letters and numbers. For example, the lowercase letter l, an uppercase letter I, and the number 1 can all look alike, as can the uppercase letter O and the number 0. You can use hard-to-distinguish characters, letters, and numbers, but make sure that you're using the one you intended.
5. The script assumes that there are no persistent connections open to any of your servers. In check mode, PWcheck-change connects through the IPC$ share to test the username and password combination. If a server has a persistent connection open, the script might not be able to kill the connection and you might get incorrect feedback about your passwords.
A Peek Under the Hood
If you're trying your hand at scripting for the first time, looking under the hood of PWcheck-change might be a bit intimidating. Don't be discouraged. Almost all scriptwriters start out thinking that scripts are hard to understand. But, after a while, they start borrowing others' scripts, then they start modifying those scripts. Eventually, they end up writing scripts from scratch.
Listing 1 shows PWcheck-change. Like almost all scripts, PWcheck-change includes several important sections of code.
A header area that contains initialization code and configuration information. Callout A highlights the header area, which usually contains some initialization code. The initialization code typically includes the Echo Off command, which turns off a command-echoing feature (so that only a command's results and not the command itself will be displayed on screen), and the Title command, which specifies a title for the command-shell window that will open at run time. You can further customize the command-shell window by, for example, changing the window's font color, background color, or size.
Next, the header area includes the Setlocal command. This command keeps variables in the script local to the script.
Finally, PWcheck-change's header area provides comments about how to configure the script. Scripts often use an input file (which contains information that the script needs to run), an output file (which holds results and other data produced by the script), and tools (Microsoft or third-party tools that the script needs to perform a task). When a script uses an input file, output file, or tool, you need to specify its location. In PWcheck-change, you need to configure paths to an input file (which contains the server name, Administrator account name, and password of each server on which you want to check or change passwords), an output file, and two tools (Sysinternals' PsPasswd and the local.exe resource-kit utility).
In the header area, you're not limited to comments about configuration information. You can also include comments about other important details, such as the script's author and version number.
Code that reads in the information in the input file. If a script uses an input file, you need code that reads in the information from that file. As the code at callout B shows, PWcheck-change uses a For command to read in and parse each line in the input file. The delims option specifies the delimiter to use to split each line into segments. In this case, a comma is the delimiter. The tokens option specifies the segments (i.e., values) to capture in each line. PWcheck-change captures the first three segments, which it assigns to the Server, AdminName, and Password variables, respectively. The usebackq option handles any spaces in the input file path by allowing the use of double quotes to enclose the file path.
Code that performs an operation or chain of operations. People often write scripts to automate tasks. These scripts must include a section of code that performs an operation or chain of operations to achieve those tasks. Not surprisingly, PWcheck-change includes code that performs a chain of operations, as the code at callout D shows. But what might surprise you is that the first operation is a ping test rather than the operation to check or change a password. Some utilities have long timeouts when they're directed to perform a function on a server that's not online. Thus, it's wise to first test whether the server is online with a simple ping test.
Note that the Ping command is embedded in a For command. Previously, the script used a For command to parse an input file. In this instance, the script uses a For command to parse the Ping command's output and look for the string Reply. If the script doesn't find this string (i.e., the server is offline), it logs an error. If the script finds the string (i.e., the server is online), it begins the password change or check operation.
To change passwords, PWcheck-change uses PsPasswd, which expands the functionality of the built-in Net User command. Net User changes local account and domain account passwords, but it can't change a remote system's local account password, which is what the script needs to do to change the Administrator account passwords.
PsPasswd can change local account passwords on remote systems, but it's designed to change the password on only one machine, which isn't very helpful if you have more than one machine in your environment. Thus, PWcheck-change calls that single-change utility multiple times after reading from the input file the information about the server name, Administrator account name, and password for each server.
In check mode, PWcheck-change skips over the change code and uses the Net Use command and an IPC$ connection to test the existing Administrator password. When a connection is made, the username and password information are correct. If a connection isn't made, the script drops into a section that handles errors.
Code that handles errors that occur while attempting the various operations. As you've seen, some parts of PWcheck-change already handle a few types of errors. However, the script also includes code that handles two special types of errors: incorrect username and incorrect server permissions.
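As an added example (my own reconstruction from the description above, not the article's Listing 1), here is a script skeleton with the same sections: the header, the For command that parses the input file, the ping test embedded in a For command, the PsPasswd change, the Net Use IPC$ check, and simple error logging. The file paths and the sample input line are assumptions, and change mode assumes the script runs as a user who already has administrative rights on each server, since PsPasswd is called with the caller's own credentials.

```batch
@echo off
title PWcheck-change
setlocal

:: Paths are assumptions for this example; set them to your own locations
set InputFile=C:\Scripts\servers.csv
set LogFile=C:\Scripts\PWcheck-change.log
set PsPasswd=C:\Tools\PsPasswd.exe

:: Input file (constructed sample), one line per server:
::   fileserver01,LocalAdmin01,Sample+Pass_01
:: The -Change argument selects change mode; no argument means check mode
set Mode=%1

:: usebackq lets the quoted path contain spaces; tokens 1-3 split on commas
for /F "usebackq tokens=1-3 delims=," %%A in ("%InputFile%") do (
    call :Process %%A %%B %%C
)
endlocal
goto :EOF

:Process
set Server=%1
set AdminName=%2
set Password=%3
:: Ping first: PsPasswd and Net Use wait a long time on an offline host.
:: "TTL=" is matched rather than "Reply" so a "Destination host unreachable"
:: reply from a router is not mistaken for the server itself answering.
set Online=
for /F "tokens=*" %%L in ('ping -n 1 -w 1000 %Server% ^| find "TTL="') do set Online=1
if not defined Online (
    echo %date% %time% %Server% ERROR: offline, skipped>>"%LogFile%"
    goto :EOF
)
if /I "%Mode%"=="-Change" goto :Change
:: Check mode: an IPC$ connection succeeds only if name and password are right
net use \\%Server%\IPC$ %Password% /user:%Server%\%AdminName% >nul 2>&1
if errorlevel 1 (
    echo %date% %time% %Server% FAIL: %AdminName% password rejected>>"%LogFile%"
) else (
    echo %date% %time% %Server% OK: %AdminName% password verified>>"%LogFile%"
    net use \\%Server%\IPC$ /delete >nul 2>&1
)
goto :EOF
:Change
:: PsPasswd runs under the caller's credentials and sets the new password
"%PsPasswd%" \\%Server% %AdminName% %Password% >nul 2>&1
if errorlevel 1 echo %date% %time% %Server% ERROR: change failed>>"%LogFile%"
goto :EOF
```

The subroutine form (call :Process) is used so that variables set per server are expanded at run time without needing delayed expansion inside the For block.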
kcnewton, October 18, 2004