Thursday, September 15, 2011

Change file shares via scripting

I've come across a problem where users are filling up their hard disks and we need to move the highest utilization users to a new disk. In order to accomplish this I've setup a robocopy to move their files to a new disk and have it constantly mirrored until after-hours; where we run this script to move the file shares:


:backup original shares:
reg export "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares" C:\shares-backup.reg /y

setlocal enabledelayedexpansion
:what we need to do is grab the user name and the key...
for /f "tokens=1-2*" %%A IN ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares" ^| findstr /I /C:"E:\User Files\Corporate" ^| sed.exe "s/Path=E:\\User Files\\Corporate/Path=G:\\User Files\\Corporate/"') DO (
echo reg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares /v %%A /t %%B /D "%%C" /f
)

for /f "tokens=1-2*" %%A IN ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares" ^| findstr /I /C:"E:\User Files\Finance" ^| sed.exe "s/Path=E:\\User Files\\Finance/Path=G:\\User Files\\Finance/"') DO (
echo reg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares /v %%A /t %%B /D "%%C" /f
)

net stop server /y
net start server


What this script does is:
1) Backs up the existing share structure
2) Queries the file shares for the specific path of the share we're going to move
3) Using SED.exe we change the drive letter from E: to G:
4) Using reg.exe we overwrite the registry key with the new value
5) we then stop and restart the server service to get the new shares working.

And we set that up as a scheduled task to run after-hours :)

Tuesday, September 13, 2011

Saving and restoring ACL's on OU's

Saving and moving OU ACLs

I’ve written a batch file that will move ACLs from one OU to another. It works by you outputting the results of a ACL from a OU to a text file, specifying the new OU in a batch file and inputting the text file you just created. I use three utilities to accomplish this: adfind.exe, sed.exe and dsacls.exe.
The command to save the text file is:

adfind -b "OU=Users,OU=LAB,DC=LAB,DC=CORP" -f (distinguishedName=OU=Users,OU=LAB,DC=LAB,DC=corp) -sddl++ -resolvesids -onlydacl ntsecuritydescriptor -sddlnotfilter ;inherited| sed.exe "s/;;/; ;/g" | sed.exe "s/;;/; ;/g" | sed.exe "s/;;/; ;/g" | sed.exe "s/;;/; ;/g" > %PATHTOFILE%.txt


From here, you need to delete the header in the text file and the footer.
Once that is done, run this script, changing the two variables at the top:


:RESTORE-OU-ACL.CMD
:Restore OU Properties
SET TARGETOU=OU=Users Accounts,OU=AD Project 3,DC=LAB,DC=CORP
SET TARGETFILE="New Text Document (5).txt"

@ECHO OFF

SETLOCAL ENABLEDELAYEDEXPANSION
for /F "tokens=1-6 delims=;" %%A IN ('type %TARGETFILE%') DO (
SET PROP=
SET INHERIT=0
IF "%%C" EQU " " SET PROP=GA
ECHO CALL :PROPERTYACL %%C
CALL :PROPERTYACL %%C

ECHO CALL :INHERITANCE %%B
CALL :INHERITANCE %%B

SET PROPERTY=
IF /I "%%D" NEQ " " SET PROPERTY=%%D
ECHO PROPERTY=!PROPERTY!
SET TARGET=
IF /I "%%E" NEQ " " SET TARGET=%%E
ECHO TARGET=!TARGET!
ECHO dsacls "%TARGETOU%" !INHERIT! /G "%%F:!PROP!;!PROPERTY!;!TARGET!"
dsacls "%TARGETOU%" !INHERIT! /G "%%F:!PROP!;!PROPERTY!;!TARGET!"

)
GOTO:EOF

:INHERITANCE
REM We need to figure out what ACLS we're dealing with...
FOR /F "tokens=*" %%Z IN ('ECHO %*') DO (
IF '!INHERIT!' EQU '/I:S' GOTO:EOF
ECHO %%Z | FINDSTR /I /C:"[CONT INHERIT]"
IF '!ERRORLEVEL!' EQU '0' SET INHERIT=/I:T
ECHO %%Z | FINDSTR /I /C:"[CONT INHERIT][INHERIT ONLY]"
IF '!ERRORLEVEL!' EQU '0' SET INHERIT=/I:S
ECHO %%Z | FINDSTR /I /C:"INHERIT"
IF '!ERRORLEVEL!' EQU '1' SET INHERIT=/I:P
ECHO INHERIT=!INHERIT!
)
GOTO:EOF

:PROPERTYACL
REM We need to figure out what ACLS we're dealing with...
FOR /F "tokens=*" %%Z IN ('ECHO %*') DO (
ECHO %%Z | FINDSTR /I /C:"WRT PROP"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!WP
ECHO %%Z | FINDSTR /I /C:"READ PROP"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!RP
ECHO %%Z | FINDSTR /I /C:"CTL"
IF '!ERRORLEVEL!' EQU '0' SET PROP=CA
ECHO %%Z | FINDSTR /I /C:"[CR CHILD]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!CC
ECHO %%Z | FINDSTR /I /C:"[DEL CHILD]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!DC
ECHO %%Z | FINDSTR /I /C:"[LIST CHILDREN]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!LC
ECHO %%Z | FINDSTR /I /C:"[LIST OBJECT]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!LO
ECHO %%Z | FINDSTR /I /C:"[READ]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!GR
ECHO %%Z | FINDSTR /I /C:"[FC]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!GA

ECHO PROP=!PROP!
)
GOTO:EOF

:/I:P = This Object Only *BLANK*
:/I:S = Child Objects Only [CONT INERIT][INHERIT ONLY]
:/I:T = This object and all child objects [CONT INERIT]
:Blank inheritance = /I:P
:When "Properties" are set, it should be /I:S
:When there are no properties listed at all ACL should be GA