Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. Features a collection of resources and magazines for Windows IT professionals.


September 2004

Programmatically Protect Your Passwords

A practically painless primer to Windows shell scripting

Sometimes, a well-meaning but absent-minded administrator might change the password or rename the administrator account. To discover this "password drift," the script uses local.exe to determine whether the username is in the local Administrators group, as callout E shows. If the username isn't in the local Administrators group, either an incorrect name is specified in the input file or the correct name is specified but the server no longer has the correct permissions (e.g., someone erroneously changed the Administrator account name on the server). In either case, the script logs an error message that notes the account wasn't found. If the name in the input file and the server permissions are both correct but there's some other type of problem, the script considers the error a general failure and logs the error message PW Check/Change Failure.

Code that sends information to a file or the console. In almost every section, PWcheck-change uses the Echo command to send information (e.g., current date and time, a success or failure message, a command's output) to either the output file or the console. If the Echo command is followed by the code

>>"%Outputfile%"

the script writes the information to the comma-separated value (CSV) output file specified in the header area. If the Echo command isn't followed by the >> redirect symbol, information goes to the console.

There are other ways you can send information to a file or another medium, including:

  • You can copy information to a file in a shared folder.
  • You can append information to an existing file.
  • You can create an HTML file and upload that file to a Web server.
  • You can use SMTP mail and Blat (a freeware utility) to send an email or pager message.

Code that performs cleanup operations. Scripts often include cleanup operations, which usually consist of deleting temporary files the script created and closing out local variables that the script used. As the code at callout C shows, PWcheck-change uses the Endlocal command to close out the local variables. The script didn't use any temporary files, so it doesn't include any cleanup code to delete them.

I often joke that the thousands of scripts I've written are really all the same script with just a couple of changes. Indeed, there's an element of truth to that quip. However many scripts you want to write, you just need to include these basic sections of code and follow a few recommended practices. The sidebar "Scripting Best Practices," page 66, discusses those practices.

How to Customize and Use the Script
I tested PWcheck-change on systems running Windows Server 2003, Windows 2000 Server, and Windows NT Server 4.0. To use PWcheck-change in your environment, follow these steps:

1. Download PWcheck-change from the Windows IT Pro Web site. (Column widths in the printed publication force us to wrap code lines, which might cause the printed code to run incorrectly.) Go to http://www.windowsitpro.com, enter InstantDoc ID 43591 in the InstantDoc ID text box, then click the 43591.zip hotlink.

2. Download PsPasswd from Sysinternals (http://www.sysinternals.com/ntw2k/freeware/pstools.shtml).

3. If you don't already have local.exe, obtain this tool from your Windows resource kit.

4. Create the input file. Include the information for each server (i.e., server name, Administrator account name, and password) on a separate line. Separate the server name, Administrator account name, and password with commas.

5. In the script's header area, configure the paths to the input file, output file, PsPasswd, and local.exe.

6. Test the script on a few servers. In the input file, you might want to intentionally add a server that's offline or an incorrect Administrator account name to become familiar with how the script handles and logs these errors. Run the script in the default check mode. After you're sure that the script works correctly in this mode, add the -Change argument to test the password-change operation. Review the log file for success and failure information, and log on to the server to verify that the passwords were changed correctly.

7. After thoroughly testing the script, use it in your production environment. If you run the script as a scheduled task, you must schedule the task under a user account that has Administrator group membership on the targeted servers.

8. After you have completed a password check or change run, secure the input and output files in a locked-down area. Be sure that server administrators have access to this area in case the Administrator account names and passwords are needed for an emergency local logon.
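
The Echo-to-console versus >>"%Outputfile%" pattern and the Endlocal cleanup described earlier, applied to the input-file format from step 4, as an added example that is not the PWcheck-change source. The file names servers.txt and pwcheck-log.csv and the :Log and :Cleanup labels are assumptions, and the block assumes cmd.exe on Windows 2000 or later; it only validates and logs each input line and never writes the password to the log.

```batch
@echo off
rem Added example, not the PWcheck-change source. File names are assumptions.
setlocal
set "Inputfile=%~dp0servers.txt"
set "Outputfile=%~dp0pwcheck-log.csv"

if not exist "%Inputfile%" (
    rem No redirect symbol, so this message goes to the console.
    echo Input file "%Inputfile%" not found.
    goto :Cleanup
)

rem Write the CSV header only when the log file does not exist yet.
if not exist "%Outputfile%" echo "Date","Time","Server","Account","Status">>"%Outputfile%"

rem tokens=1,2* : %%a = server, %%b = account, %%c = rest of the line.
rem Taking the password as "rest of line" keeps a password that itself
rem contains commas in one piece. for /f collapses consecutive commas,
rem so an empty account field leaves %%c empty and is flagged below.
for /f "usebackq tokens=1,2* delims=," %%a in ("%Inputfile%") do (
    set "Status=Input line OK"
    if "%%c"=="" set "Status=Malformed input line"
    rem Only the server and account are passed on; the password stays here.
    call :Log "%%a" "%%b"
)

echo Done. Results are in "%Outputfile%".

:Cleanup
rem Close out the local variables, as the article's cleanup section does.
endlocal
goto :eof

:Log
rem Console message (no redirect), then one CSV row (with redirect).
rem Fields are quoted because %TIME% contains a comma in some locales.
echo Checked input line for %~1
echo "%DATE%","%TIME%","%~1","%~2","%Status%">>"%Outputfile%"
goto :eof
```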

Be Prepared
In the real world, unusual situations do arise, such as being locked out of a server. By adapting and using PWcheck-change, you'll not only be prepared to solve any unexpected password problems but also be able to quickly and easily maintain, manage, and verify your servers' Administrator account passwords. Plus, by adapting and using this script, you'll become more familiar and more comfortable with a powerful tool: Windows shell scripting.



Reader Comments
Very good information and resource tools

kcnewton October 18, 2004


Wonderful Info... thanks.

Bonedoc November 08, 2004

