Wednesday, May 29, 2013

Batch - Get time from remote server write to csv audit log



Purpose: I needed a hacked-up batch file that could read the time from a remote server and log it to a CSV for user logon auditing. There may have been a better way to do this in batch, but after about 5 hours of looking I decided to just write my own. Wish I could have used PowerShell. Note: I found that running the net time \\x.x.x.x command against a server can return differently formatted results. I think this script is able to handle the differences, but I cannot be certain without further testing.
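@echo off
REM Tony Unger
REM
REM Login audit script.
REM Reads the clock of \\servername with NET TIME and appends one row per run to
REM \\servername\audit\%USERNAME%.csv in the form
REM   Log Off,YYYY-MM-DD HH:MM:SS,COMPUTERNAME,USERNAME
REM When the NET TIME output cannot be parsed, a row is appended to
REM \\servername\audit\errors.txt instead.
REM Thanks to http://brisray.com/comp/batch3.htm for length checking in batch
REM
REM NOTE(review): the original header says For Log In while the row is tagged
REM Log Off. The tag is kept as written - confirm which event this copy records.
REM NOTE(review): every audited user needs write access to the audit share, the
REM file is named after that user, and COMPUTERNAME and USERNAME are environment
REM variables the session can change. Unless the share grants create and append
REM rights only, rows can be edited, deleted or forged by the person being
REM audited. Treat this CSV as a convenience log and keep the security event
REM log of the domain controllers as the authoritative logon record.

setlocal EnableDelayedExpansion

REM Join every non-empty line of the NET TIME output into one string, with a
REM hash sign between lines, so the fields can be addressed by token position.
set "CurrentTime="
for /f "delims=" %%i in ('net time \\servername') do (
    if "!CurrentTime!"=="" (set "CurrentTime=%%i") else (set "CurrentTime=!CurrentTime!#%%i")
)
echo(!CurrentTime!

Echo parse the Net Time command
set "_date="
set "_time="
set "_AMPM="
for /f "tokens=6,7,8" %%a in ("%CurrentTime%") do (
    set "_date=%%a"
    set "_time=%%b"
    set "_AMPM=%%c"
)
Echo after read ampm is %_AMPM%

REM A server that also prints a Local time line leaves AM#Local or PM#Local in
REM token 8. The local timestamp is then found in tokens 14 to 16.
set "_Reparse="
if "%_AMPM%"=="AM#Local" set "_Reparse=1"
if "%_AMPM%"=="PM#Local" set "_Reparse=1"
if defined _Reparse for /f "tokens=14,15,16" %%a in ("%CurrentTime%") do (
    set "_date=%%a"
    set "_time=%%b"
    set "_AMPM=%%c"
)
Echo Now it is equal to: %_AMPM%

REM Only the first two characters matter: the token is AM or PM followed by the
REM start of the next output line. Anything else means the layout is unknown.
if not defined _AMPM goto LogError
set "_Meridiem="
if /i "%_AMPM:~0,2%"=="AM" set "_Meridiem=AM"
if /i "%_AMPM:~0,2%"=="PM" set "_Meridiem=PM"
if not defined _Meridiem goto LogError

Echo Break up the date to Day Month Year
set "_Month="
set "_Day="
set "_Year="
for /f "tokens=1,2,3 delims=/ " %%A in ("%_date%") do (
    set "_Month=%%A"
    set "_Day=%%B"
    set "_Year=%%C"
)

Echo Breakup Time to Hour Min Sec
set "_Hour="
set "_Min="
set "_Sec="
for /f "tokens=1,2,3 delims=: " %%A in ("%_time%") do (
    set "_Hour=%%A"
    set "_Min=%%B"
    set "_Sec=%%C"
)

REM Older Windows versions report the time without seconds.
if not defined _Sec set "_Sec=00"
REM The third date token and the second time token only exist when the earlier
REM ones do, so these two checks cover month, day and hour as well.
if not defined _Year goto LogError
if not defined _Min goto LogError

REM Reject anything that is not purely numeric, for example the word is when
REM the output layout is shifted by one token. With the digits as delimiters the
REM loop body only runs when some other character is left over.
for /f "delims=0123456789" %%x in ("%_Year%%_Month%%_Day%%_Hour%%_Min%%_Sec%") do goto LogError

Echo Convert Month to two digits
set "_MonthUpdate=0%_Month%"
set "_MonthUpdate=%_MonthUpdate:~-2%"
Echo %_MonthUpdate%

Echo Convert Day to Two Digits
set "_DayUpdate=0%_Day%"
set "_DayUpdate=%_DayUpdate:~-2%"
Echo %_DayUpdate%

Echo Convert Hour to two digits
set "_HourUpdate=0%_Hour%"
set "_HourUpdate=%_HourUpdate:~-2%"
Echo %_HourUpdate%

Echo Convert Hour to 24Hour
REM The leading 1 and the subtraction keep SET /A from reading 08 and 09 as
REM invalid octal numbers. PM adds 12 to hours 1 to 11, 12 PM stays 12 and
REM 12 AM becomes 00.
set /a "_Hour24=1%_HourUpdate% - 100"
if "%_Meridiem%"=="PM" if %_Hour24% LSS 12 set /a "_Hour24+=12"
if "%_Meridiem%"=="AM" if %_Hour24% EQU 12 set "_Hour24=0"
set "_HourUpdate=0%_Hour24%"
set "_HourUpdate=%_HourUpdate:~-2%"
Echo %_HourUpdate%

Echo  Convert Mins to two digits
set "_MinUpdate=0%_Min%"
set "_MinUpdate=%_MinUpdate:~-2%"
Echo %_MinUpdate%

REM The redirection is written first and its path is quoted so that a user name
REM containing spaces or ending in a digit cannot change how the line is parsed.
REM COMPUTERNAME and USERNAME use delayed expansion so characters such as the
REM ampersand in their values are written as text and not run as commands.
>>"\\servername\audit\%USERNAME%.csv" echo Log Off,%_Year%-%_MonthUpdate%-%_DayUpdate% %_HourUpdate%:%_MinUpdate%:%_Sec%,!COMPUTERNAME!,!USERNAME!
goto :EOF

:LogError
REM NOTE(review): the substrings below assume a local DATE layout such as
REM Wed 05/29/2013 - confirm for the client locale.
>>"\\servername\audit\errors.txt" echo %date:~10,4%-%date:~4,2%-%date:~7,2%,!COMPUTERNAME!,!USERNAME!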

Tuesday, May 28, 2013

Powershell: Get permissions on each vfiler cifs share.

Purpose: Get a list of all shares on each vfiler on each filer. Notes: This script needs some work on the nested foreach loops and some error-check cleanup.

Import-Module dataontap

Function Get-ACLPermissions($Share){
    # Reads the security descriptor of the path in $Share with Get-Acl and
    # hands it back to the caller unchanged.
    Get-Acl -Path $Share
}

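# Builds one report row per access-control entry (ACE) found on the root folder
# of every CIFS share of every vfiler on the filers listed in $AllNetappFiler,
# then exports the rows to CSV.
# NOTE(review): Get-Acl on a \\vfiler\share path reads the file-system ACL of the
# share's root folder. The share-level ACL is not queried here, so this report on
# its own does not show the effective access a network user gets.
$myCol = @()

$AllNetappFiler = "filer03","filer02"

foreach ($NetappFiler in $AllNetappFiler) {

    Write-Host "Scanning $NetappFiler"
    Connect-NaController $NetappFiler | Out-Null
    $Vfilers = Get-NaVfiler * | Select-Object -ExpandProperty Name

    foreach ($Vfiler in $Vfilers) {
        Connect-NaController $Vfiler
        $Vfiler
        $Shares = Get-NaCifsShare | Select-Object -ExpandProperty ShareName

        foreach ($Share in $Shares) {
            Write-Host "$Vfiler insideloop"

            #If $Vfiler Blank then scan shares on filer.. Need to add logic
            $fullpath = "\\$Vfiler\$Share"

            $ShareACL = Get-ACLPermissions $fullpath
            if ($null -eq $ShareACL) {
                # Get-Acl returned nothing (path unreachable or access denied).
                # Keep one row for the share with empty ACE columns so the gap is
                # visible in the report; re-reading the previous share's
                # variables here would attribute its permissions to this share.
                Write-Warning "No ACL returned for $fullpath"
                $Aces = @($null)
            } else {
                $Aces = @($ShareACL.Access)
            }

            foreach ($Ace in $Aces) {
                $FileSystemRights = $Ace.FileSystemRights   #Example ReadAndExecute

                # Generic access masks have no FileSystemRights name and print as
                # raw numbers; translate the three that show up in practice.
                switch -wildcard ($FileSystemRights) {
                    "268435456*"   { $FileSystemRights = "FullControl" }                  # 0x10000000 GENERIC_ALL
                    "-536805376*"  { $FileSystemRights = "Modify, Synchronize" }          # 0xE0010000 generic read/write/execute + DELETE
                    "-1610612736*" { $FileSystemRights = "ReadAndExecute, Synchronize" }  # 0xA0000000 generic read + execute
                }

                # Add-Member calls stay in this order because it fixes the column
                # order of the exported CSV.
                $Detail = New-Object PSObject
                $Detail | Add-Member NoteProperty SystemName $NetappFiler
                $Detail | Add-Member NoteProperty Vfiler $Vfiler
                $Detail | Add-Member NoteProperty Share $Share
                $Detail | Add-Member NoteProperty IdentityReference $Ace.IdentityReference   #Example Everyone,Username
                $Detail | Add-Member NoteProperty FileSystemRights $FileSystemRights
                $Detail | Add-Member NoteProperty AccessControlType $Ace.AccessControlType   #Example Allow/Deny
                $Detail | Add-Member NoteProperty IsInherited $Ace.IsInherited               #Are Permissions inherited
                $Detail | Add-Member NoteProperty InheritanceFlags $Ace.InheritanceFlags     #Type of Inheritance ContainerInherit
                $Detail | Add-Member NoteProperty PropagationFlags $Ace.PropagationFlags

                $myCol += $Detail
            }
        }
    }
}
$myCol | Export-Csv -Path "c:\temp\Audit_NetappVfilerCifis.csv" -NoTypeInformation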

Tuesday, May 21, 2013

Powershell: Gather all user objects and report lastlogon and lastlogontimestamp to CSV file


Purpose:
Connects to Active Directory, pulls a list of all user objects, and creates a report of their lastLogon and lastLogonTimestamp values.

Note: This is something I did around midnight, so I need to do further testing on this script to ensure the data is correct. The lastLogon value will only be from the DC the script is running against.

  
#Tony Unger
#Scans all user accounts and reports lastlogon and lastlogontimestamp attr.

Import-Module ActiveDirectory

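# Reads every user object under the search base and reports both logon
# attributes as local date/time strings.
# - lastLogon is not replicated: the value is whatever the queried domain
#   controller recorded itself, so a complete answer needs every DC queried.
# - lastLogonTimestamp is replicated but only refreshed at intervals, so by
#   default it can be up to about two weeks behind the real last logon.
# An attribute that is empty or 0 (account never logged on, as far as this DC
# knows) is exported as an empty cell; converting 0 with FromFileTime would
# print a misleading date in the year 1600/1601.
$AllUsers = Get-ADUser -Filter * -SearchBase "DC=microsoft,DC=Com" -Property SamAccountName,Lastlogon,LastlogonTimeStamp |
    Select-Object Name,UserPrincipalname,SamAccountName,
        @{Name='Last Logon Timestamp';Expression={ if ($_.LastLogonTimestamp) { [System.DateTime]::FromFileTime($_.LastLogonTimestamp).ToString('g') } }},
        @{Name='Last Logon';Expression={ if ($_.LastLogon) { [System.DateTime]::FromFileTime($_.LastLogon).ToString('g') } }}

$AllUsers | Export-Csv -Path "c:\Audit_UsersLastLogon.csv" -NoTypeInformation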




Thursday, May 9, 2013

Powershell: Read servers from AD and search for shares and return ACL permissions


Purpose:
Connects to Active Directory, pulls a list of all computer objects that are servers, and checks the ACL permissions on their shares.

  
Import-Module ActiveDirectory
#Most of the information to do this was from this site.
#http://blogs.technet.com/b/heyscriptingguy/archive/2009/09/14/hey-scripting-guy-september-14-2009.aspx

Function Get-ACLPermissions($Share){
    # Thin wrapper: fetch the ACL object for the path held in $Share via
    # Get-Acl and return it as-is.
    return (Get-Acl -Path $Share)
}


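function Get-MyShares
{
#Function by
#http://www.peetersonline.nl/2008/11/finding-shares-with-powershell/

    # Returns the Win32_Share instances of $Server, each extended with a
    # FullPath note property holding the \\server\share UNC path.
    # Win32_Share is not filtered here, so administrative and other non-disk
    # shares are returned along with ordinary file shares.
    param([string]$Server)

    $output = @()
    $Shares = Get-WmiObject -Class Win32_Share -ComputerName $Server

    # Nothing came back (host unreachable, access denied, or no shares).
    # Return early: on older PowerShell a foreach over $null still runs once and
    # Add-Member would then fail on the null input object.
    if ($null -eq $Shares) {
        return $output
    }

    foreach ($Share in $Shares)
    {
        # Plain ASCII quotes instead of the typographic ones from the web page,
        # so the script does not depend on the file's encoding.
        $fullpath = "\\{0}\{1}" -f $Server, $Share.Name
        Add-Member -MemberType NoteProperty -InputObject $Share -Name FullPath -Value $fullpath
        $output += $Share
    }
    return $output
}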

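# Walks every server found in AD, lists its shares and writes one
# semicolon-separated row per access-control entry (ACE) to $PathtoCSV.
# NOTE(review): Get-Acl on a \\server\share path reads the file-system ACL of the
# share's root folder. Share-level permissions are not queried here, so this
# report on its own does not show the effective access a network user gets.

#Path to where the CSV file is written to
$PathtoCSV = "C:\temp\AuditACL.csv"

#Create Header in CSV
"Server;Share;Username;FileSystemRights;AccessControlType;IsInherited;InheritanceFlags" > $PathtoCSV

#Get all computers that are servers from AD
# Name is returned by default, so -Property * is not needed. @() keeps
# $Servers.Count usable for the progress bar when only one server matches.
$Servers = @(Get-ADComputer -Filter {OperatingSystem -Like "Windows Server*"} | Select-Object -ExpandProperty Name)

$i = 0
foreach ($Server in $Servers)
{
    # update counter and write progress
    $i++
    Write-Progress -Activity "Scanning Machine $Server" -Status "Scanned: $i of $($Servers.Count)" -PercentComplete (($i / $Servers.Count) * 100)

    # Get all Shares on server
    $Shares = Get-MyShares $Server | Select-Object -ExpandProperty Name

    foreach ($Share_Current in $Shares) {
        # Older PowerShell runs the loop once for an empty result; skip that pass.
        if (-not $Share_Current) { continue }

        #Process all Shares on Server
        $fullpath = "\\$Server\$Share_Current"
        $ShareACL = Get-ACLPermissions $fullpath

        if ($null -eq $ShareACL) {
            # Get-Acl returned nothing (share unreachable, not a file-system
            # path, or access denied). Write one row with empty ACE columns so
            # the gap is visible; re-reading the previous share's variables here
            # would attribute its permissions to this share.
            Write-Warning "No ACL returned for $fullpath"
            $Aces = @($null)
        } else {
            $Aces = @($ShareACL.Access)
        }

        foreach ($Ace in $Aces) {
            $FileSystemRights  = $Ace.FileSystemRights    #Example ReadAndExecute
            $AccessControlType = $Ace.AccessControlType   #Example Allow/Deny
            $IdentityReference = $Ace.IdentityReference   #Example Everyone,Username
            $IsInherited       = $Ace.IsInherited         #Are Permissions inherited
            $InheritanceFlags  = $Ace.InheritanceFlags    #Type of Inheritance ContainerInherit
            # PropagationFlags is not read: the header above has no column for it.

            # Generic access masks have no FileSystemRights name and print as raw
            # numbers; translate the three that show up in practice.
            switch -wildcard ($FileSystemRights)
            { #Should be a better way to do this via function
                "268435456*"   { $FileSystemRights = "FullControl" }                  # 0x10000000 GENERIC_ALL
                "-536805376*"  { $FileSystemRights = "Modify, Synchronize" }          # 0xE0010000 generic read/write/execute + DELETE
                "-1610612736*" { $FileSystemRights = "ReadAndExecute, Synchronize" }  # 0xA0000000 generic read + execute
            }

            $Combine = $Server,$fullpath,$IdentityReference,$FileSystemRights,$AccessControlType,$IsInherited,$InheritanceFlags
            Write-Host "$Combine to $PathtoCSV"
            $Combine -join ";" >> $PathtoCSV
        }
    }
}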