MSPSS: is there life after the helpdesk?

sharing solutions to uncommon IT problems

Posts Tagged ‘windows service’

VBS: List all domain accounts configured on a machine



Hello,

We recently felt the need to tighten our company's security by:

  • removing all unnecessary domain accounts from Windows Services, Scheduled Tasks and COM+
  • Reviewing the local admins group for every server

I used this script to get a CSV of all the domain accounts configured on our servers for Windows services, COM+ applications, DCOM applications and scheduled tasks.

It also creates a txt file with the local administrator group members.

I hope it’ll save you some time:

' Name of the machine being audited. Main assigns it, and the other Subs read it
' when they prefix each report line.
Dim sComputer
Call Main()
 
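Sub Main()
    ' Entry point: audits the local machine and ships the two reports to a share.
    '
    ' Steps:
    '   1. Resolve the local computer name and store it in the global sComputer.
    '   2. Write the local Administrators members to <name>-AdminOutput.txt and the
    '      COM+ / service / scheduled-task / DCOM identities to <name>-ServicesOutput.txt.
    '   3. Copy both files to the central share under per-machine names and delete
    '      the local copies.
    '
    ' Both reports enumerate privileged accounts. Keep the destination share readable
    ' only by the team doing the review.
    ' NOTE(review): the reports are staged in the root of C: under predictable names;
    ' confirm that only administrators can create or read files there.
    Dim wshNetwork, objFSO, objFile, objFileAdmins
    Dim sServicesReport, sAdminReport, sRemoteFolder

    Set wshNetwork = WScript.CreateObject("WScript.Network")

    ' Wait until the computer name is available.
    Do While wshNetwork.ComputerName = ""
        WScript.Sleep 250
    Loop
    sComputer = wshNetwork.ComputerName

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    sServicesReport = "C:\" & sComputer & "-ServicesOutput.txt"
    sAdminReport = "C:\" & sComputer & "-AdminOutput.txt"

    ' 2 = ForWriting, True = create the file when it does not exist.
    Set objFile = objFSO.OpenTextFile(sServicesReport, 2, True)
    Set objFileAdmins = objFSO.OpenTextFile(sAdminReport, 2, True)

    Call LocalAdminList(sComputer, objFileAdmins)
    Call COMPlusId(sComputer, objFile)
    Call LogInServices(objFile)
    Call SchedTasks(objFile)
    Call DCOM(objFile)

    objFile.Close
    objFileAdmins.Close

    ' The script runs on many servers, so every report is collected in one place.
    ' Placeholder: replace with your own \\server\share\folder\ (keep the trailing
    ' backslash so CopyFile treats it as an existing folder).
    sRemoteFolder = "\\A-Remote-Location\"

    ' Each report gets its own per-machine destination name. Copying both files to a
    ' single fixed name would let the admin list overwrite the services report, and
    ' every server would overwrite the previous server's upload.
    objFSO.CopyFile sServicesReport, sRemoteFolder & sComputer & "-ServicesOutput.csv", True
    objFSO.CopyFile sAdminReport, sRemoteFolder & sComputer & "-AdminOutput.txt", True

    ' Remove the local staging copies once they are on the share.
    objFSO.DeleteFile sServicesReport
    objFSO.DeleteFile sAdminReport

End Sub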
 
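Sub COMPlusId(sComputerName, objFile)
    ' Writes one report line for every COM+ application whose identity is an
    ' account in YOUR-DOMAIN (replace the placeholder with your own domain name).
    '
    ' sComputerName - accepted for symmetry with LocalAdminList but not used: the
    '                 catalog object is created locally, so the applications listed
    '                 are those of the machine the script runs on.
    ' objFile       - open text stream that receives the report lines.
    '
    ' Line format: <computer>;COM User List;<application name>;<identity>;
    Dim cat, apps, app, sIdentity

    Set cat = CreateObject("COMAdmin.COMAdminCatalog")
    Set apps = cat.GetCollection("Applications")
    apps.Populate

    For Each app In apps
        sIdentity = app.Value("Identity")

        ' Account names are not case-sensitive, so the domain is matched with
        ' vbTextCompare; a binary InStr would skip an identity stored as
        ' "your-domain\svc" or "svc@your-domain".
        If sIdentity <> "Interactive User" And sIdentity <> "LocalSystem" And _
            (InStr(1, sIdentity, "YOUR-DOMAIN\", vbTextCompare) > 0 Or _
             InStr(1, sIdentity, "@YOUR-DOMAIN", vbTextCompare) > 0) Then
            objFile.WriteLine(sComputer & ";" & "COM User List;" & app.Name & ";" & sIdentity & ";")
        End If
    Next

End Sub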
 
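Sub LocalAdminList(sComputerName, objFile)
    ' Writes one report line for every member of the local Administrators group
    ' that is not on the expected list below.
    '
    ' sComputerName - machine whose Administrators group is read through WinNT://.
    ' objFile       - open text stream that receives the report lines.
    '
    ' Line format: <computer>;Local Admin List;<ADsPath of the member>
    '
    ' The expected list is site policy: adapt it to your own security baseline.
    ' YOUR-DOMAINROOT and YOUR-DOMAIN are placeholders.
    Dim oGroup, oMember, sPath

    Set oGroup = GetObject("WinNT://" & sComputerName & "/Administrators")

    For Each oMember In oGroup.Members
        ' Compare in lower case: a case difference in the domain or computer name
        ' would otherwise report an expected member as unexpected.
        sPath = LCase(oMember.ADsPath)

        ' NOTE(review): the WinNT provider may return local accounts as
        ' WinNT://<domain or workgroup>/<computer>/<user>; if it does here, the
        ' built-in Administrator exclusion never matches and the account is
        ' reported - verify against real output. A renamed built-in Administrator
        ' is reported as well, because the match is by name.
        If sPath <> LCase("WinNT://YOUR-DOMAINROOT/Enterprise Admins") And _
           sPath <> LCase("WinNT://YOUR-DOMAIN/Domain Admins") And _
           sPath <> LCase("WinNT://" & sComputerName & "/Administrator") Then
            objFile.WriteLine(sComputer & ";" & "Local Admin List;" & oMember.ADsPath)
        End If
    Next

End Sub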
 
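Sub LogInServices(objServiceFile)
    ' Writes one report line for every Windows service whose logon account
    ' (ObjectName) is not one of the built-in service accounts.
    '
    ' objServiceFile - open text stream that receives the report lines.
    '
    ' Line format: <computer>;Services running under user accounts;<name>;<ACCOUNT>
    ' The account is written upper-cased and with the doubled backslashes of the
    ' .reg export.
    '
    ' The Services key is exported with regedit to a temporary file and parsed
    ' line by line.
    ' NOTE(review): the temporary file has a fixed name in the root of C:; confirm
    ' that only administrators can create or read files there, or move it to an
    ' admin-only folder.
    Dim objFSO, objFileTemp, wshShell
    Dim sData, sName, sIdAcct
    Dim sNamePrefix, sAcctPrefix

    Set objFSO = CreateObject("Scripting.FileSystemObject")

    ' 6 = minimised window, True = wait for the export to finish.
    Set wshShell = WScript.CreateObject("WScript.Shell")
    wshShell.Run "cmd /c regedit.exe /e /a c:\Temp_Services.txt " & """HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services""", 6, True
    Set wshShell = Nothing

    ' 1 = ForReading. With True the file is created empty when the export failed,
    ' so a failed export yields no report lines rather than an error.
    Set objFileTemp = objFSO.OpenTextFile("c:\Temp_Services.txt", 1, True)

    sNamePrefix = """DisplayName""="""   ' the text "DisplayName"=" at the start of a value line
    sAcctPrefix = """ObjectName""="""    ' the text "ObjectName"=" at the start of a value line
    sName = ""

    Do Until objFileTemp.AtEndOfStream

        sData = objFileTemp.ReadLine

        If Left(sData, 1) = "[" Then
            ' A new registry key starts here. Reset the name to the key name so an
            ' account is never attributed to the DisplayName of the previous
            ' service when this key has no DisplayName or lists it after ObjectName.
            sName = Mid(sData, InStrRev(sData, "\") + 1)
            If Right(sName, 1) = "]" Then sName = Left(sName, Len(sName) - 1)

        ElseIf StrComp(Left(sData, Len(sNamePrefix)), sNamePrefix, vbTextCompare) = 0 Then
            ' Plain string value: keep the text between the quotes.
            sName = Mid(sData, Len(sNamePrefix) + 1, Len(sData) - Len(sNamePrefix) - 1)

        ElseIf StrComp(Left(sData, Len(sAcctPrefix)), sAcctPrefix, vbTextCompare) = 0 Then
            sIdAcct = UCase(Mid(sData, Len(sAcctPrefix) + 1, Len(sData) - Len(sAcctPrefix) - 1))

            ' The .reg export escapes backslashes inside string values, hence the
            ' doubled backslash in the literals.
            Select Case sIdAcct
                Case "LOCALSYSTEM", _
                     "NT AUTHORITY\\NETWORKSERVICE", _
                     "NT AUTHORITY\\LOCALSERVICE", _
                     "NT AUTHORITY\\NETWORK SERVICE", _
                     "NT AUTHORITY\\LOCAL SERVICE"
                    ' Built-in service account: not reported.
                Case Else
                    objServiceFile.WriteLine(sComputer & ";" & "Services running under user accounts;" & sName & ";" & sIdAcct)
            End Select
        End If

    Loop

    objFileTemp.Close
    objFSO.DeleteFile "c:\Temp_Services.txt"
End Sub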
 
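Sub SchedTasks(objServiceFile)
    ' Writes one report line for every scheduled task whose "Run As User" is not
    ' one of the built-in accounts.
    '
    ' objServiceFile - open text stream that receives the report lines.
    '
    ' Line format: <computer>;Scheduled Tasks;<task name>;<account>
    '
    ' The task list comes from "schtasks /query /fo list /V", redirected to a
    ' temporary file and parsed line by line.
    ' NOTE(review): the labels "TaskName:" and "Run As User:" are the English ones;
    ' on a localised Windows the parser would find nothing - confirm on your hosts.
    ' NOTE(review): the temporary file has a fixed name in the root of C:; confirm
    ' that only administrators can create or read files there.
    Dim objFileTemp, wshShell, sData, sName, sIdAcct
    Dim objFSO, iPos

    Set objFSO = CreateObject("Scripting.FileSystemObject")

    ' 2 = minimised window, True = wait for schtasks to finish.
    Set wshShell = WScript.CreateObject("WScript.Shell")
    wshShell.Run "cmd /c schtasks /query /s " & sComputer & " /fo list /V > c:\temp_schtasks.txt", 2, True
    Set wshShell = Nothing

    ' 1 = ForReading; True creates an empty file if the redirect produced none.
    Set objFileTemp = objFSO.OpenTextFile("c:\temp_schtasks.txt", 1, True)

    Do Until objFileTemp.AtEndOfStream
        sData = objFileTemp.ReadLine

        ' Take the text after the label wherever the label sits in the line.
        iPos = InStr(sData, "TaskName:")
        If iPos > 0 Then
            sName = Trim(Mid(sData, iPos + Len("TaskName:")))
        End If

        iPos = InStr(sData, "Run As User:")
        If iPos > 0 Then
            sIdAcct = Trim(Mid(sData, iPos + Len("Run As User:")))

            ' schtasks prints account names with a single backslash (the doubled
            ' form only exists in .reg exports), and account names are not
            ' case-sensitive, so the comparison is done on the upper-cased value.
            ' NOTE(review): the exact spelling of the built-in accounts differs
            ' between Windows versions; extend the list if your hosts print others.
            Select Case UCase(sIdAcct)
                Case "LOCALSYSTEM", "SYSTEM", "NT AUTHORITY\SYSTEM", _
                     "NETWORK SERVICE", "NT AUTHORITY\NETWORKSERVICE", "NT AUTHORITY\NETWORK SERVICE", _
                     "LOCAL SERVICE", "NT AUTHORITY\LOCALSERVICE", "NT AUTHORITY\LOCAL SERVICE"
                    ' Built-in account: not reported.
                Case Else
                    objServiceFile.WriteLine(sComputer & ";" & "Scheduled Tasks;" & sName & ";" & sIdAcct)
            End Select
        End If
    Loop

    objFileTemp.Close
    objFSO.DeleteFile "c:\temp_schtasks.txt"
End Sub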
 
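Sub DCOM(objServiceFile)
    ' Writes one report line for every DCOM application (HKEY_CLASSES_ROOT\AppID)
    ' whose RunAs identity is not a built-in account or "Interactive User".
    '
    ' objServiceFile - open text stream that receives the report lines.
    '
    ' Line format: <computer>;DCOM Identities;<application name>;<account>
    ' The account keeps the doubled backslashes of the .reg export.
    '
    ' The AppID key is exported with regedit to a temporary file and parsed line
    ' by line.
    ' NOTE(review): the temporary file has a fixed name in the root of C:; confirm
    ' that only administrators can create or read files there.
    Dim objFSO, wshShell, sData, sName, sIdAcct, objFileTemp
    Dim sDefaultPrefix, sRunAsPrefix

    Set objFSO = CreateObject("Scripting.FileSystemObject")

    ' 6 = minimised window, True = wait for the export to finish.
    Set wshShell = WScript.CreateObject("WScript.Shell")
    wshShell.Run "cmd /c regedit.exe /e /a c:\Temp_DCOM.txt " & """HKEY_CLASSES_ROOT\AppID""", 6, True
    Set wshShell = Nothing

    ' 1 = ForReading; True creates an empty file if the export failed.
    Set objFileTemp = objFSO.OpenTextFile("c:\Temp_DCOM.txt", 1, True)

    sDefaultPrefix = "@="""           ' the text @=" : default value of a key
    sRunAsPrefix = """RunAs""="""     ' the text "RunAs"=" at the start of a value line
    sName = ""

    Do Until objFileTemp.AtEndOfStream

        sData = objFileTemp.ReadLine

        If Left(sData, 1) = "[" Then
            ' A new AppID key starts here. Fall back to the key name so a RunAs
            ' value is never attributed to the default value of the previous key.
            sName = Mid(sData, InStrRev(sData, "\") + 1)
            If Right(sName, 1) = "]" Then sName = Left(sName, Len(sName) - 1)

        ElseIf Left(sData, Len(sDefaultPrefix)) = sDefaultPrefix Then
            ' Default value of the key: the application's friendly name.
            sName = Mid(sData, Len(sDefaultPrefix) + 1, Len(sData) - Len(sDefaultPrefix) - 1)

        ElseIf StrComp(Left(sData, Len(sRunAsPrefix)), sRunAsPrefix, vbTextCompare) = 0 Then
            sIdAcct = Mid(sData, Len(sRunAsPrefix) + 1, Len(sData) - Len(sRunAsPrefix) - 1)

            ' The .reg export escapes backslashes inside string values, hence the
            ' doubled backslash in the literals.
            Select Case UCase(sIdAcct)
                Case "LOCALSYSTEM", _
                     "NT AUTHORITY\\NETWORKSERVICE", _
                     "NT AUTHORITY\\LOCALSERVICE", _
                     "INTERACTIVE USER"
                    ' Built-in identity: not reported.
                Case Else
                    objServiceFile.WriteLine(sComputer & ";" & "DCOM Identities;" & sName & ";" & sIdAcct)
            End Select
        End If

    Loop

    objFileTemp.Close
    objFSO.DeleteFile "c:\Temp_DCOM.txt"
End Sub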
 
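Function GetCommandLineArgument(name)
    ' Returns the value that follows the switch `name` on the command line.
    '
    ' name - switch to look for; matched without regard to case.
    '
    ' Returns the argument after the first occurrence of the switch. The result is
    ' left unassigned (Empty) when the switch is absent. When the switch is the
    ' last argument, or its value is an empty string, Usage is called with an
    ' error message.
    '
    ' NOTE(review): Usage is not defined in this listing, and nothing in the
    ' listing calls this function; define Usage before relying on it.
    Dim args, index

    Set args = WScript.Arguments

    For index = 0 To args.Count - 1

        If LCase(args(index)) = LCase(name) Then

            ' Explicit bounds check instead of On Error Resume Next, so an
            ' unrelated runtime error is not silently swallowed.
            If index + 1 < args.Count Then
                GetCommandLineArgument = args(index + 1)
            End If

            If GetCommandLineArgument = "" Then
                Usage "Error: Expected a value for argument: " & name
            End If

            Exit Function

        End If

    Next

End Function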


Written by zantoro

July 28, 2011 at 11:48 am