How Can I Change Local Passwords on A LOT of Workstations? (2 Years Ago Today)
Jan 5th
I know the feeling of your secure network being compromised by an end user… Passwords do fall into the wrong hands and then what do you do? Scenarios start running through my head and I make a mental list of all the passwords and system configs that need to be changed. These aren’t fun times in Admin land but they usually breed scripts and easier ways to do the necessary!
El Di Pablo tells us of his experiences… and it culminates in using a great tool that AtA LOVES! Check it out…
I had a bit of a scare the other day. I get a call from a user in the field.
She is traveling with her laptop and she was calling from her hotel. She was complaining that she couldn’t log into her laptop using her normal login credentials, and that the only way she could log in was using the local administrator account.
“Local Admin what?!?!”
I exclaimed then started hyperventilating. I asked her how she came across the local administrator password, and she told me that one of the techs at the company that is no longer with us gave it to her a long time ago.
I asked her to spell out the password for me, and lo and behold it was the corporate standard.
I ran to my boss’s office and reported the compromise, and recommended changing the local passwords. He agreed and called a meeting with me, our head desktop technician and one of the senior systems administrators to come up with a plan of attack. I told them that I can easily change these passwords using a script and pspasswd.exe that comes with Sysinternals PSTools.
I told them that I can export a list of all of the workstations on the network from Active directory, and put them in a text file. pspasswd will read directly from the list in the text file and change the password of the specified account on each computer in the list. I showed each of the guys in the meeting how it works, and they agreed that my script would be the best way to go with this.
Here is an example of the syntax used in my script. Keep in mind that this script must be run from within the directory containing the pspasswd.exe program, or else you have to modify the script to change into its directory. Of course, if you know batch scripting well, you can add all sorts of stuff to the script, but the basic run command looks like this:
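rem Ask which computer list to use (the .txt extension is added below)
set /p filename="Please enter name of computer list (ie: computers): "
rem Set the local "administrator" password on every computer in the list and log the results
pspasswd @%filename%.txt -u administrator@domain.com -p password administrator newpassword >> %filename%-results.txt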
You’ll notice that I added an output to a text file so I could create a log of which workstations the password was changed on, and which ones it wasn’t. That is a good idea so you can keep whittling away at it until the change has been completed on all workstations. Also, you’ll notice that I added the -u and -p switches. You don’t need that if you are already running the script from an account that has permissions to change local passwords.
There are many other little changes you can do as well. I used the set command because I had different lists for different offices. You could just put the computer names in one list and not use the set command.
Let me know if you have used this or a similar product, and perhaps some other scripting ideas for this.
This is one of those articles where you HAVE to read the comments. You guys have some great insights and ideas! Keep on commenting, that is what makes this site great. Go ahead, pat yourself on the back!
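The post above keeps a results log so the list can be whittled down until every workstation is done. As an added example (not part of the original post or of PsTools), this PowerShell script checks the outcome independently by reading the local account's password age from each machine and writing the names that still need the change to a new list. The file names, the account name and the 24-hour threshold are assumptions.

```powershell
# Added example (not from the original post). File names, the account name
# and the 24-hour threshold are assumptions; adjust them to your environment.
param(
    [string]$ListFile    = 'computers.txt',
    [string]$Account     = 'administrator',
    [int]   $MaxAgeHours = 24
)

function Get-LocalPasswordAgeHours {
    param([string]$Computer, [string]$Account)
    # The WinNT ADSI provider reports PasswordAge in seconds.
    $user = [ADSI]"WinNT://$Computer/$Account,user"
    $seconds = $user.PasswordAge.Value
    if ($null -eq $seconds) { throw "No PasswordAge returned for $Computer" }
    return [math]::Round($seconds / 3600, 1)
}

$report = foreach ($line in (Get-Content $ListFile | Where-Object { $_.Trim() })) {
    $name = $line.Trim()
    $row  = [pscustomobject]@{ Computer = $name; Status = ''; AgeHours = $null }
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        # Laptops in the field land here; they stay on the retry list.
        $row.Status = 'Unreachable'
    } else {
        try {
            $row.AgeHours = Get-LocalPasswordAgeHours -Computer $name -Account $Account
            $row.Status = if ($row.AgeHours -le $MaxAgeHours) { 'Changed' } else { 'Stale' }
        } catch {
            # Access denied, account renamed, RPC blocked, and so on.
            $row.Status = 'QueryFailed'
        }
    }
    $row
}

# Full report for the record, plus a list of machines that still need the change.
$report | Export-Csv -Path 'password-age-report.csv' -NoTypeInformation
$report | Where-Object Status -ne 'Changed' |
    Select-Object -ExpandProperty Computer |
    Set-Content -Path 'remaining.txt'
$report | Group-Object Status | Select-Object Name, Count
```

The resulting remaining.txt has one computer name per line, so it can be used as the next computer list for the batch script.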
Upgrading WordPress to 2.9.1
Jan 5th
Keeping up with the upgrading process over here at http://www.askTheAdmin.com I just finished upgrading to 2.9.1. I backed up my database and did the automatic upgrade via my WP-Admin console as you can see here:
2.9.1 comes out about three weeks after the official release of WordPress 2.9
Bugs that came to bite Bloggers and Webmasters in the ass are now fixed including problems with scheduled posts and pages on some web hosts.
Scheduled posts would not be published at the time configured by the user but appear as missed in the list of posts forcing the webmaster to reschedule and hope for the best or to publish it manually.
There are 23 other fixes listed in this ‘minor’ upgrade. Five of the bugs listed have been rated high while the majority received a normal rating. Several updates fix installation and upgrade issues that webmasters might have experienced.
You can use the automatic upgrade feature or download WordPress 2.9.1 from the official WordPress website.
How to lose your data
Jan 5th

See that picture? When it happens to you, it may not look quite that bad (or be quite that obvious), but data loss sucks. And it does happen. I’ve been working with computers for 10+ years, and I’ve had it happen a couple times myself. Did I mention how much it sucks?
I’m not going to spend a couple pages telling you why you should back up. I’m just going to be straight about it: unless you really couldn’t care less if that happened to your computer, you are flat out stupid if you are not backing up your data on a regular basis.
Instead of telling you why to back up, I’m going to tell you how to ensure that you are not going to get your data back, even if you think you are backing it up.
Method 1: I’ll just back the data up to CD/DVD.
Well sure, this will work for a bit, but:
- Ever try to save 20GB to CD? Or 250GB to DVD? Ugh.
- How long do you think that optical disk is going to be readable?
Going this route, you can quickly end up trapped behind a small mountain of plastic. Or let’s say you manage to somehow keep the optical disks to a manageable quantity: will the marker you labeled it with make the disk unreadable in a year, or is the dye layer unstable, rendering your disk unreadable in six months, or will the glue on the label you made for the disk make it worthless in a year or two? These are just a couple of examples of why optical media should not be considered an archive grade solution.
Method 2: ok then, I’ll just copy the data to a USB hard drive.
Sure, it’s better than nothing, but single HDD solutions are not going to keep your data safe. Hard drives fail. In fact it will happen to every single hard disk you will ever come across. The only question is: when? It’s not a matter of if, or of MTBF (mean time between failures), it is more a matter of “you never know, it could fail in ten years, or in ten seconds”.
Don’t get me wrong, if this is the only way you can back the data up, then it is your only choice, and it’s better than nothing. Just be aware, as soon as you copy the data to that USB HDD, the “Clock of Death” is ticking.
Much better would be to copy the data over to a machine with a RAID storage system (preferably RAID5).
Method 3: I bought actual Backup Software (or use a vetted Open Source solution), and run Incremental Backups (to tape!) every single day!
Ok, so you spent some money on a tape backup solution, spent hours reading the manual and configuring your backup. Congratulations, I bet you think your data is safe! Until you find out how Incremental Backups really work (this usually happens after a disaster, and the tapes are all you have left of your pr0n, illegal mp3’s downloaded movies warez mission critical data).
Let’s pretend for a minute that your backup tapes look something like this:
Full_backup_tape (tape 1 – doesn’t matter what you tell it to be, the first backup is always and without exception, a full backup)
Incremental_backup_1 (tape 2)
Incremental_backup_2 (tape 3)
Incremental_backup_3 (tape 4)
Incremental_backup_4 (tape 5)
Incremental_backup_5 (tape 6)
And then you have a catastrophic failure. So you’re sitting there at 2am merrily running the restore, and you hit a snag: tape 2 won’t read. Doesn’t matter why: the tape could be bad, or maybe you left it out of the tape safe overnight and the radio station next door managed to erase it with the magnetic waves they transmit (this actually happened). The data is gone. So is all data after it. See, incremental backups require that all tapes since the last full backup be present and working. So tapes 3-6 may as well be empty, because you are never getting the data off of them. Ever.
If you can’t run full backups every day, use Differential backups instead of Incrementals. Let’s say that in the scenario the user had been running differentials rather than incrementals. They could then restore to current using just the original full backup, and the last differential.
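The restore dependency described above, worked through for the six-tape set in the list (an added example, not from the original article and not any backup product's logic). It is a simplified model in which an incremental restore needs the full backup plus every tape up to the target, while a differential restore needs only the full backup plus the target tape; the function names are made up for the illustration.

```powershell
# Added example: a simplified model of restore dependencies.
# Tape 1 is the full backup; tapes 2-6 are the daily backups from the list above.
function Get-RestoreChain {
    param(
        [ValidateSet('Incremental', 'Differential')][string]$Scheme,
        [int]$TargetTape    # tape holding the point in time you want back
    )
    if ($TargetTape -eq 1) { return @(1) }      # the full backup stands alone
    if ($Scheme -eq 'Incremental') {
        return 1..$TargetTape                    # full + every incremental up to the target
    }
    return @(1, $TargetTape)                     # full + that one differential
}

function Get-LatestRestorablePoint {
    param([string]$Scheme, [int]$LastTape, [int[]]$UnreadableTapes)
    # Walk back from the newest tape until a chain with no unreadable tape is found.
    for ($target = $LastTape; $target -ge 1; $target--) {
        $chain  = Get-RestoreChain -Scheme $Scheme -TargetTape $target
        $broken = $chain | Where-Object { $UnreadableTapes -contains $_ }
        if (-not $broken) { return $target }
    }
    return 0    # nothing restorable: the full backup itself is unreadable
}

foreach ($scheme in 'Incremental', 'Differential') {
    $point = Get-LatestRestorablePoint -Scheme $scheme -LastTape 6 -UnreadableTapes @(2)
    '{0}: tape 2 unreadable, newest restorable point is tape {1}' -f $scheme, $point
}
```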
Method 4: Now I’m running differential backups to tape every single day!
But you fail to check the backup logs every day, and the backup job you thought had been running for the last year actually failed 273 days ago, and has been requesting the “correct” tape since then. I’ve seen this one a lot (in fact, I think this would be the most popular reason for data loss if you have backup software running).
You’ve got to check your backup logs. It sucks, and it’s boring, but it’s one of those things you just have to do.
Method 5: Alright, I’m running differentials to tape, and have been checking my logs for the last 2 years every single day!
But you’ve never run a test restore. If you haven’t restored data from the tape successfully, there is no data on the tape. The tape was bad, the backup software failed (silently of course), the gremlins ate it.
Method 6: Ok, now I spend two hours reading the log and then randomly restoring files from my backups (before putting the tapes in the tape safe) every single day!
And then your server room catches fire. All machines, and the safe holding the backup tapes are destroyed. You never took any offsite, because you have a tape safe. It happens. It’s unfortunate.
Method 7: Enough, I give up on tape! Now I run a full backup to a RAID5 NAS every single day!
But you ordered your NAS with the drives from the manufacturer, and they used 4 HDD’s from the same batch, and two failed. This is the one that always gets them! The strength of RAID5 is that more than one drive has to fail before the RAID is unrecoverable. The weakness is that hard drives from the same batch tend to fail at the same time (or thereabouts).
To strengthen your RAID system, always make sure that you have drives from different batches, if not from different manufacturers (this is not always the best idea, but that is an argument for another time). For instance: to take care of my backup needs at home, I bought a Buffalo Terastation. Unfortunately, Buffalo sent me a Terastation with 4 drives from the same batch (you can usually tell if they all have the same date on them, sometimes there will be a batch code on the drive). I bought 3 more of the same model drive from 3 different manufacturers, and now have the most healthy RAID I can.
These are not the only ways to lose data, but they are by far the most common. How would I know? I was the Worldwide Manager of Technical Support for a backup software company for several years. And I always got to be the one to explain to the customers why their data is gone.
So what do I do?
There are as many answers to that question as there are IT shops with backup systems. Here is how I protect data at my office:
I back up all data every day (full backup) to a NAS configured in RAID5, with a hot spare. I check the health of the RAID every day (it takes about two minutes). Once a week I back up the entire RAID to LTO3 tape, and take the tapes offsite (currently I am taking them home, where they go into a DATA rated fire safe (there is a difference, do your homework), and then into my large safe where I keep all my other valuables). My ideal would be to have them delivered to a bank safety deposit box, but that costs money.
At home, I back up all my data to the aforementioned Terastation. Once per month, I copy all the data off to a USB HDD (actually two of them), and take one to work where it goes into the tape safe.
Is it perfect? No. Does it stand a much better chance of keeping that data alive through a catastrophic event? Absolutely. You don’t have to go to these lengths to protect your data, but you should be aware of the risks.
Using a Broadband card to serve a network.
Jan 5th
I often find myself in situations where I wished I could share out my internet with other users. I have tried programs that turn my Touch Pro into a hot spot, but that not only kills my phone’s battery but also slows it down to a crawl. I could tether my laptop to my phone and share that out, but why should I when I found a nifty little device called a travel router? When I paired this up with a mobile internet card I had a match made in heaven!
The Cradlepoint CTR350 Cellular Travel Router has found a new home in my laptop bag. Using this router with a Verizon Sierra Mobile Broadband Card (EVDO) I can have an instant network setup… Um anywhere I can rig up power.
Simply insert the card into the router. Log into the router and configure firewall, routing and even dynamic name resolution.
This means at your next outdoor event you can not only provide internet to your geeky pals but you could be running a web server that is resolving to a domain name.
I was not only impressed by its simplicity but also by how cheap it is. I found the mobile router online for under $150 (Cradlepoint CTR-350 Mobile Router). The Verizon card I already had, but they are also practically free if you are willing to sign up for a 2 year contract (AT&T USBConnect Mercury Broadband USB Modem).
I have used this little guy to set up a DVR in an office without internet. Share out internet in my truck/car to all the others on-board. The sky’s the limit!
Do any of you use mobile internet for something interesting? We would love to hear about it in the comments!
10 things your IT guy would like you to know
Jan 4th

I didn’t write this. I got it from a site, who got it from a site that no longer exists. Although the tone is a bit whiny, it is essentially true. It is all about the 10 things your IT guy would like you to know. This will make everyone’s lives easier for real! Take a minute to read through this and see if your IT guy thinks you are an idiot or a normal user :)
1. If you ask me technical questions please don’t argue with me because you don’t like my answer. If you think you know more about the topic, why ask? And if I’m arguing with you…it’s because I am positive that I am correct, otherwise I’d just say “I don’t know” or give you some tips on where to look it up, I don’t have the time to just argue for the sake of it.
2. Starting a conversation by insulting yourself (i.e. “I’m such an idiot”) will not make me laugh, or feel sorry for you; all it will do is remind me that yes, you are an idiot and that I am going to hate having to talk to you. Trust me; you don’t want to start a call that way.
3. I am OK with you making mistakes, fixing them is my job. I am not OK with you lying to me about a mistake you made. It makes it much harder to resolve and thus makes my job more difficult. Be honest and we can get the problem resolved and continue on with our business.
4. There is no magic “Fix it” button. Everything takes some amount of work to fix, and not everything is worth fixing or even possible to fix. If I say that you just need to re-do a document that you accidentally deleted 2 months ago, please don’t get mad at me. I’m not ignoring your problem, and it’s not that I don’t like you, I just can’t always fix everything.
5. Not everything you ask me to do is “urgent”. In fact, by marking things as “urgent” every time, you almost ensure that I treat none of it as a priority.
6. You are not the only one who needs help, and you usually don’t have the most urgent issue. Give me some time to get to your problem, it will get fixed.
7. Emailing me several times about the same issue in the same day is not only unnecessary, it’s highly annoying. Emails will stay until I delete them. I won’t delete them until I’m done with them. I will typically respond as soon as I have a useful update. If it is an urgent issue, let me know (see number 5).
8. Yes, I prefer email over telephone calls. It has nothing to do with being friendly, it’s about efficiency. It is much faster and easier for me to list out a set of questions that I need you to answer than it is for me to call and ask you them one by one. You can find the answers at your leisure and while I’m waiting I can work on other problems.
Is it possible to have TOO MUCH RAM?
Jan 3rd
You know the saying, “You can’t have too much RAM or too much storage.”
Well, there is at least one case where a lot of RAM can cause problems.
My current desktop had 1 Gig of RAM and I recently bought an additional 2 Gigs since the price was so low. (And of course I used The AdmiN’s link to give a little back to AtA)
Wow, 3 Gigs of RAM what could possibly be bad about that? Well one night, I went to put the system into hibernate and it beeped and a balloon popped up from the system tray that said “Insufficient System Resources Exist to Complete the API.” After that, the system would only go into standby, not into hibernate. In fact the hibernate tab of the Power Options settings was completely gone.
It turns out this is a known issue and Microsoft has a patch for it. The KB article describes the exact problem I was having and states “This problem typically occurs when the computer uses 1 gigabyte (GB) or more of RAM.”
My favorite part of the article is
“This problem occurs because the Windows kernel power manager cannot obtain the memory resources that are required to prepare the computer to hibernate.”
So basically, you have so much memory that we cannot obtain enough memory! The system had no problem obtaining enough memory resources when there was only 1 Gig of RAM, but with 3 Gigs there isn’t enough.
I applied the patch offered in the article and haven’t had any problem putting the system into hibernate since.
Who knew, it IS possible to have too much RAM!


