Academic Computing Windows Support

acis-windows@mit.edu

x3-1783


 
 

Scripts and Batch Files


Add Local Administrators

This script comes from the WinAthena development team and lets you make specified user or group accounts local administrators on the machines within your container. This is useful for running remote reboots, status checks, copying files to the machines, etc. Their documentation is here; our summary is below.

This is installed as a system startup script. The syntax is:

\\win.mit.edu\dfs\ops\distrib\addadmin.exe /domain WIN.MIT.EDU /g container-admin-containername /u username-to-be-admin

Use /g, /u, or both.



Quickstation (timed logoff)

The quickstation script was developed by the WinAthena team to address two basic issues: users not logging off of the machines and users' Kerberos tickets expiring. WinAthena team documentation is here; our summary is below.

This is installed as a user logon script. The syntax is:

\\win.mit.edu\dfs\ops\distrib\quickstation.exe /run /idle:120 /sess:570 /warn:15

This is a standard setting which will log users off after 2 hours of mouse/keyboard inactivity or after 9.5 hours of being logged in (right before their tickets expire).



Control The System Path

Within a managed Windows setting there are many ways that the path may get set incorrectly. Additionally, some programs, such as F-Secure, need to appear in certain positions within the path. This Perl script sets the system path on system startup, overwriting any existing path statements.

Example Perl Script:

use strict;
use Win32;
use Win32::Registry;
# Registry key that holds the machine-wide environment variables.
my $path = "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment";
my $SetKey;
$main::HKEY_LOCAL_MACHINE->Open($path, $SetKey)
    or die "Cannot open HKLM\\$path: $^E\n";
# Overwrite the system Path value; entries are searched in the order listed.
$SetKey->SetValueEx("Path", 0, REG_SZ,
    "C:\\Program Files\\F-Secure\\Ssh;C:\\Program Files\\MIT\\Shared Files;");
$SetKey->Close();

Add all of your required path statements to this script.

» If you are going to use variables within your path, for example %systemroot% because you have machines set up as C:\WINNT and C:\Windows in the same container, you will need to change REG_SZ in the script above to REG_EXPAND_SZ.

» Important: Removing the MIT related path statements will make your system unusable.

If you need to return to the original path this should do it:

# Replacement for the SetValueEx call in the script above.
# The value is built by concatenation so that no line breaks end up in the path.
$SetKey->SetValueEx("Path", 0, REG_EXPAND_SZ,
    "C:\\Program Files\\MIT\\Shared Files;"
  . "C:\\Program Files\\MIT\\EventSyslogger\\;"
  . "C:\\Program Files\\Kerberos\\;"
  . "C:\\Program Files\\AFS\\Common;"
  . "C:\\Program Files\\AFS\\Client\\Program;"
  . "C:\\Program Files\\MIT\\Shared Files\\;"
  . "C:\\Program Files\\Seagate Software\\NOTES\\;"
  . "C:\\Program Files\\Seagate Software\\NOTES\\DATA\\;"
  . "C:\\Program Files\\Resource Kit\\;"
  . "C:\\Program Files\\Support Tools\\;"
  . "%SystemRoot%;%SystemRoot%\\System32;"
  . "%SystemRoot%\\System32\\wbem;%SystemDrive%\\Perl\\bin;"
  . "\\\\win.mit.edu\\dfs\\ops\\distrib;");
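Because the startup script overwrites the whole system path, a check of the candidate string before it is written catches the two mistakes this section warns about: a missing MIT entry and %VAR% references stored as REG_SZ. The following is an added example, not part of the original scripts; the @REQUIRED list assumes that "MIT related" means the two C:\Program Files\MIT entries in the restore path above, and the function names are hypothetical.

```perl
use strict;
use warnings;

# Assumption: the entries under C:\Program Files\MIT in the restore path are the required ones.
my @REQUIRED = (
    'C:\Program Files\MIT\Shared Files',
    'C:\Program Files\MIT\EventSyslogger',
);

# Normalise one entry for comparison: trim, drop trailing backslashes, lowercase.
sub norm {
    my ($e) = @_;
    $e =~ s/^\s+|\s+$//g;
    $e =~ s/(?<=[^:\\])\\+$//;
    return lc $e;
}

# Returns the registry type to use, followed by a list of problems found.
sub check_path {
    my ($path) = @_;
    my @entries = grep { length } map { norm($_) } split /;/, $path;
    my (%seen, @problems);
    for my $e (@entries) {
        push @problems, "duplicate entry: $e" if $seen{$e}++;
        push @problems, "not an absolute path: $e"
            unless $e =~ /^(?:[a-z]:\\|\\\\|%[a-z]+%)/;
    }
    for my $req (@REQUIRED) {
        push @problems, "required entry missing: $req" unless $seen{ norm($req) };
    }
    # %VAR% references are only expanded when the value is stored as REG_EXPAND_SZ.
    my $type = $path =~ /%[^%;]+%/ ? 'REG_EXPAND_SZ' : 'REG_SZ';
    return ($type, @problems);
}

# Constructed candidates: the two-entry path from the first script, and a fuller one.
my @candidates = (
    'C:\Program Files\F-Secure\Ssh;C:\Program Files\MIT\Shared Files;',
    'C:\Program Files\MIT\Shared Files;C:\Program Files\MIT\EventSyslogger\;'
      . '%SystemRoot%;%SystemRoot%\System32;Perl\bin;',
);
for my $candidate (@candidates) {
    my ($type, @problems) = check_path($candidate);
    print "write as $type\n";
    print "  $_\n" for @problems;
}
```

The first candidate is reported as REG_SZ with the EventSyslogger entry missing; the second as REG_EXPAND_SZ with the relative entry Perl\bin flagged.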



Managing User Temp Directories

Many installations have a user temporary directory and/or certain directories on the machines that users need write access to. These need to be kept clean, and the appropriate permissions must always be set.

For installations that use RIS to install their machines, like the Building 37 cluster, you must also account for additional drives on the system which are skipped over in the RIS process.

The script below is what we use in Building 37 and can be modified to your particular situation. It performs two separate functions: it sets up an additional hard drive with the appropriate permissions, and it keeps the users directory clean and set up with write permissions for all users.

Example Batch File:

@echo off
IF EXIST "D:\usertemp" goto :CLEAN
IF NOT EXIST "D:\usertemp" goto :SETUP

:SETUP
REM One-time setup of the additional drive: set the DACL on D: and protect it
REM from inherited permissions (p_nc).
\\win.mit.edu\dfs\MSI\ACST\scripts\setacl\setacl.exe -on "D:" -ot file -actn ace ^
 -ace "n:S-1-5-32-545;p:read,read_ex;s:y;m:set;w:dacl" ^
 -ace "n:S-1-1-0;p:read;s:y;m:set;w:dacl" ^
 -ace "n:S-1-3-0;p:full;s:y;m:set;w:dacl" ^
 -ace "n:S-1-5-32-544;p:full;s:y;m:set;w:dacl" ^
 -ace "n:S-1-5-32-547;p:change;s:y;m:set;w:dacl" ^
 -ace "n:S-1-5-18;p:full;s:y;m:set;w:dacl" ^
 -actn setprot -op "dacl:p_nc"
goto :CLEAN

:CLEAN
REM Take ownership of everything under D:\usertemp so it can be deleted,
REM then recreate the directory empty.
if exist c:\dclean.txt del c:\dclean.txt
dir D:\usertemp\ /s /b /a > c:\dclean.txt
for /F "tokens=*" %%F in (c:\dclean.txt) do "C:\Program Files\Resource Kit\takeown.exe" "%%F"
rmdir /S /Q "D:\usertemp"
MD "D:\usertemp"
REM Give users write access inside D:\usertemp.
\\win.mit.edu\dfs\MSI\ACST\scripts\setacl\setacl.exe -on "D:\usertemp" -ot file -actn ace ^
 -ace "n:S-1-5-32-545;p:traverse,list_dir,read_attr,read_ea,add_file,add_subdir,write_attr,write_ea,del_child,delete,read_dacl;s:y;m:set;w:dacl" ^
 -ace "n:S-1-1-0;p:read;s:y;m:set;w:dacl" ^
 -ace "n:S-1-3-0;p:full;s:y;m:set;w:dacl" ^
 -ace "n:S-1-5-32-544;p:full;s:y;m:set;w:dacl" ^
 -ace "n:S-1-5-32-547;p:change;s:y;m:set;w:dacl" ^
 -ace "n:S-1-5-18;p:full;s:y;m:set;w:dacl" ^
 -actn setprot -op "dacl:p_nc"
GOTO :END

:END

Explanation:

SetACL is a utility which will set permissions on files, registry keys, etc. More info can be found here.

Takeown is a Resource Kit Utility which will take back ownership if a user made a folder or set of files readable only by them. More info can be found here.

More information on well-known SIDs can be found here.
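To review what the batch file grants before deploying it, the -ace arguments can be decoded into trustee names and a read/write summary. The following is an added example, not part of the original scripts; it covers only the six well-known SIDs and the permission names that appear in the batch file above, and the function and variable names are hypothetical.

```perl
use strict;
use warnings;

# Well-known SIDs used in the batch file above.
my %SID_NAME = (
    'S-1-1-0'      => 'Everyone',
    'S-1-3-0'      => 'Creator Owner',
    'S-1-5-18'     => 'Local System',
    'S-1-5-32-544' => 'BUILTIN\Administrators',
    'S-1-5-32-545' => 'BUILTIN\Users',
    'S-1-5-32-547' => 'BUILTIN\Power Users',
);
# Permission names from those ACEs that let the trustee create, change or delete data.
my %WRITES = map { $_ => 1 }
    qw(full change add_file add_subdir write_attr write_ea del_child delete);

# Split one -ace argument ("n:...;p:...;s:...;m:...;w:...") into its fields.
sub parse_ace {
    my ($ace) = @_;
    my %field;
    for my $part (split /;/, $ace) {
        my ($key, $value) = split /:/, $part, 2;
        die "malformed ACE field '$part'\n" unless defined $value && length $value;
        $field{$key} = $value;
    }
    die "ACE needs both n: and p: fields\n" unless defined $field{n} && defined $field{p};
    return {
        trustee => $SID_NAME{ $field{n} } || "unrecognised SID $field{n}",
        perms   => [ split /,/, $field{p} ],
    };
}

# The six ACEs the batch file sets on D:\usertemp, copied from the page.
my @usertemp = (
    'n:S-1-5-32-545;p:traverse,list_dir,read_attr,read_ea,add_file,add_subdir,'
      . 'write_attr,write_ea,del_child,delete,read_dacl;s:y;m:set;w:dacl',
    'n:S-1-1-0;p:read;s:y;m:set;w:dacl',
    'n:S-1-3-0;p:full;s:y;m:set;w:dacl',
    'n:S-1-5-32-544;p:full;s:y;m:set;w:dacl',
    'n:S-1-5-32-547;p:change;s:y;m:set;w:dacl',
    'n:S-1-5-18;p:full;s:y;m:set;w:dacl',
);

for my $ace (map { parse_ace($_) } @usertemp) {
    my @write = grep { $WRITES{$_} } @{ $ace->{perms} };
    printf "%-24s %-10s %s\n", $ace->{trustee},
        (@write ? 'can write' : 'read-only'), join(',', @{ $ace->{perms} });
}
```

Run against the D:\usertemp ACEs, only Everyone comes out read-only; a SID that is not in the table is reported as unrecognised rather than silently skipped.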



Controlling Monitor Resolutions

Users are prone to changing monitor resolution settings, and many machines, when initially set up with RIS, will come up with a low resolution. This script uses a utility called multires to set the monitors to our desired settings each time the machine is rebooted or when a user logs on or off, depending on when you set it up to run.

Example Batch File:

c:
\\win.mit.edu\dfs\MSI\ACST\scripts\multires\MultiRes.exe /1:1280,1024,32,75 /exit
\\win.mit.edu\dfs\MSI\ACST\scripts\multires\MultiRes.exe /2:1280,1024,32,75 /exit

Explanation:

MultiRES is a utility which will set resolutions on any monitor. /1 is monitor #1, /2 is #2, /exit stops the program from running minimized on the client and the numbers are the resolutions, color depth and refresh rates. You can download MultiRES here.



Duplex Printing Setup

Setting up duplex printing on multiple machines can be simplified by importing registry keys rather than manually changing the printer settings. In order to obtain the registry key containing the duplex settings, install the printer driver normally. Under the Control Panel, open up Printers and Faxes and open the Properties of the printer. Under Device Settings, change Duplex Unit to Installed. Apply the changes. Next, execute regedit and find the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\(PrinterName)\PrinterDriverData

Export the entire PrinterDriverData key and save it to your desktop. Next, edit the key and delete every key value except for "PrinterData", "FeatureKeyword", and "FeatureKeywordSize". Save your changes. You now have a registry key that can be imported on multiple machines to install the duplex setting.

We use a simple batch file to accomplish this which is run as a system startup script:

C:\winnt\regedit.exe /S \\win.mit.edu\dfs\dept_folder\printer.reg



Remote Machine Management

» Note: In order to remotely manage machines in your container you must be on the local administrators list. This can be accomplished by either manually adding your account to the local administrators group on each machine or using the add admin script.

Being listed as a local administrator gives you complete control over the machines. Below are listed some management scripts you may find helpful.

It is also worth noting that you can access the machines in your container with common Microsoft tools, such as accessing the registry of a remote machine with regedit (Registry / Connect Network Registry) and a remote disk from Windows Explorer (\\machinename\c$\).



Remote Checking of Logged In Status

You may want to determine whether or not a machine is currently in use, especially if you are about to run a remote restart on that machine. In order to remotely check if a machine has someone currently logged on, you can use psloggedon, a pstools utility available from Sysinternals. This toolkit is available on the win.mit.edu domain and can be used as such from the command prompt:

\\win.mit.edu\dfs\msi\ACST\scripts\pstools\psloggedon.exe -l \\machine_name

To acquire the status of all the machines in your container, you can create and use the following perl script:

whoseloggedon.pl:

use strict;
use Win32;

my $on  = "WIN";                # text looked for in the psloggedon output (the WIN domain name)
my $off = "Request timed out";  # ping output when the machine does not answer
my @machines = ("machine_name1", "machine_name2", "machine_name3"); # modify this line to suit your needs

foreach my $machine (@machines) {
    # One ping to see whether the machine answers at all.
    my $checkit = `C:\\WINNT\\system32\\ping.exe -n 1 ${machine}.mit.edu`;
    if ($checkit =~ /$off/) {
        print "$machine may be down\n";
    } else {
        # Same psloggedon call as the command-line example above.
        my $output = `\\\\win.mit.edu\\dfs\\MSI\\ACST\\scripts\\pstools\\psloggedon -l \\\\$machine`;
        if ($output =~ /$on/) {
            print "----YES---- $machine\n";
        } else {
            print "----no---- $machine\n";
        }
    }
}



Remote Restarts

As a local administrator you have the ability to restart or shutdown the machines in your container. For scheduled reboots you should use the container management tools available from the win.mit.edu development team. The scheduled reboots are conditional in that they will not reboot a machine with someone logged in.

The command/script below is for immediate forced reboots for container maintenance purposes. Before forcing a machine restart, please be aware that if a user is currently logged on to that machine, his work may be lost. You should first verify that nobody is logged on.

To force an individual machine to restart, the batch file would look like:

restart_a_machine.bat:

@echo off
"C:\Program Files\Resource Kit\shutdown.exe" "\\%1" /R /T:05 "MAINTENANCE REBOOT" /C

The syntax for running this would be: restart_a_machine.bat machine_name
This will cause a forced reboot on machine machine_name in five seconds.

To forcefully restart a group of machines you can run the following batch file: (Remember that this restart will not give users an opportunity to save their work. You should first verify that nobody is logged on.)

restart_all_machines.bat:

@echo off
for /F "tokens=*" %%F in (machine_list.txt) do "C:\Program Files\Resource Kit\shutdown.exe" "%%F" /R /T:10 "MAINTENANCE REBOOT" /C

Before running this batch file, make a text file, machine_list.txt that has all of your machine names. It should look something like this:

\\machine_name1
\\machine_name2
\\machine_name3



Cleaning Leftover Profiles

System problems and/or unreleased file handles may result in portions of a user's roaming profile being left on the machine after they have logged off. To prevent an accumulation of these profiles on the machines in your container, the script below will delete all unnecessary profiles, keeping only that of the last known user and the "all users" profile, which stores the system desktop icons and other important settings.

Our script retains the last known user's profile so that, in case of a system crash, there is the possibility of recovering any information which may not have been written to the user's AFS home directory. This is mostly a precaution, as it is rare for important data to not be written to AFS. The majority of the files that are left behind are various cookies from the IE cache and some random template files associated with Microsoft Office. You could alter the script to remove all profiles except "all users"; however, in a relatively busy container with multiple users logging on to your machines it is unnecessary.

The script listed below keeps the most recent profile unless it is more than a day old. The script may be run as a system startup script on a daily or even weekly basis depending on your needs.

clean_old_profiles.pl:

# Deletes everything but "all users" and the last user that is not "administrator", "something.win" or "all users".
# Even the last "real" user is deleted if his folder is more than a day old.
use strict;

my %dates;
my $stay   = 2;  # number of days old the newest profile must be before it is thrown out
my $keepme = "all users";

# Profile directory names, lowercased (/l) and sorted oldest first (/od).
my @users = `dir "c:\\Documents and Settings\\" /l /b /od`;
chomp @users;

my ($second, $minute, $hour, $day, $month, $year) = localtime(time);
# Rough day count (31-day months, 365-day years), the same scale used for %dates below.
my $ancient = (($year + 1900) * 365) + (31 * ($month + 1)) + $day - $stay;

# Full listing with four-digit years (/4); each line is parsed as MM/DD/YYYY.
my @lines = `dir "c:\\Documents and Settings\\" /l /ad /od /4`;

foreach my $user (@users) {
    if (!(($user eq "all users") || ($user =~ /\.win/) || ($user eq "administrator"))) {
        $keepme = $user;
    }
    foreach my $line (@lines) {
        if ($line =~ /\Q$user\E/) {  # \Q...\E matches the directory name literally
            $dates{$user} = ((substr($line, 0, 2) * 31) + substr($line, 3, 2) + (substr($line, 6, 4) * 365));
        }
    }
    if (($dates{$user} < $ancient) && ($keepme eq $user)) {
        $keepme = "all users";  # Don't keep the most recent one if it is too old.
    }
}

foreach my $user (@users) {
    if (($user ne "all users") && ($user ne $keepme)) {
        # Take ownership first, then delete; the path is quoted so names with spaces stay one argument.
        `C:\\progra~1\\resour~1\\takeown.exe "c:\\docume~1\\$user" /r`;
        `rmdir /S /Q "c:\\Docume~1\\$user"`;
    }
}
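The keep/delete policy described above can be separated from the dir parsing and tested on its own, using real timestamps instead of the 31-day/365-day approximation and rejecting directory names that would alter the rmdir command line. The following is an added example, not part of the original script; the function names and the sample profile names and times are constructed for illustration.

```perl
use strict;
use warnings;

my $DAY = 24 * 60 * 60;

# Decide which profile directories to delete.
# $profiles: { lowercase directory name => last-modified time in epoch seconds }
# Policy as in the script above: always keep "all users"; keep the newest profile that
# is not administrator or *.win, unless it is older than $stay days; delete the rest.
sub profiles_to_delete {
    my ($profiles, $now, $stay) = @_;
    my @real = grep { $_ ne 'all users' && $_ ne 'administrator' && !/\.win/ }
               keys %$profiles;
    my ($newest) = sort { $profiles->{$b} <=> $profiles->{$a} || $a cmp $b } @real;
    my $keep = (defined $newest && $now - $profiles->{$newest} <= $stay * $DAY)
             ? $newest : 'all users';
    my @delete = grep { $_ ne 'all users' && $_ ne $keep } keys %$profiles;
    return sort @delete;
}

# Build the rmdir command, refusing names that could change the command line.
sub rmdir_command {
    my ($name) = @_;
    die "refusing unsafe profile name '$name'\n"
        unless $name =~ /^[a-z0-9][a-z0-9 ._-]*\z/ && $name !~ /\.\./;
    return qq{rmdir /S /Q "C:\\Documents and Settings\\$name"};
}

# Constructed sample data; on a real machine take the times from stat() on each directory.
my $now = 1_700_000_000;
my %profiles = (
    'all users'     => $now - 400 * $DAY,
    'administrator' => $now - 30 * $DAY,
    'jdoe'          => $now - 3 * 3600,
    'asmith'        => $now - 5 * $DAY,
    'setup.win'     => $now - 2 * $DAY,
);
print rmdir_command($_), "\n" for profiles_to_delete(\%profiles, $now, 2);
```

With this sample data the commands printed are for administrator, asmith and setup.win; jdoe, three hours old, is kept along with "all users".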



 