Logs are an important part of daily administration; however, getting the data out of the logs can at times be painstaking!
Microsoft's Log Parser utility - http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en can help with extracting the data you want. While the tool is comprehensive, the command-line queries can be difficult to construct.
For example, suppose that after you download and install the tool you want to examine all of the print activity for the user named "test".
You would type the following command:
LogParser "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO report.txt FROM System WHERE EventID = 10 AND SID LIKE '%test%'" -resolveSIDs:ON
The report.txt output file will list, nicely formatted, all the particulars for that user. Of course, you can change the parameters to query the Security log too!
Wednesday, September 24, 2008
Thursday, September 11, 2008
Roaming Profiles and Active Desktop Error
If for some reason you get an Active Desktop Recovery error on any Windows system (noticeable by a white background and some verbiage about clicking to recover), try this:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\Components
Change the value of DeskHtmlVersion to zero instead of decimal 272 (or whatever value is there).
Wednesday, September 10, 2008
Linux Network Time Protocol (NTP)
Time sync is important for both Windows and Unix computers, and in an enterprise environment this is usually accomplished by using an external NTP server. Both operating systems come with their own preferred servers; however, there are a slew of time servers available, and the most popular ones can be found at the National Institute of Standards and Technology (NIST) - http://tf.nist.gov/service/time-servers.html
Your ntp.conf is located in the /etc directory on your *nix host. If you examine the file (vi, cat, more) it should look something like this:
restrict default nomodify notrap noquery
restrict 127.0.0.1
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
keys /etc/ntp/keys
server www.time.gov
restrict time mask 255.255.255.255 nomodify notrap noquery
If you cd to /usr/sbin and run ntpq -p, you should see your NTP server listed along with the status of the server.
remote refid st t when poll reach delay offset jitter
==============================================================================
*www.time.gov 192.43.244.18 2 u 987 1024 377 10.471 3.530 1.369
If you don't see the * in front of your time server, it signifies that the time is not in sync with the remote time server. If the jitter is a really large number, that is also a clue that NTP is not working. You could have a firewall that is not allowing the time protocol to pass, or perhaps that time server is not available.
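The two checks just described (is there a * peer, and is the jitter sane?) can be scripted so a monitoring job catches drift before it bites. This is an added example, not part of the original post; the sample ntpq -p listing inside it is constructed to mirror the one above, and the 100 ms jitter limit is an assumed threshold.

```shell
#!/bin/sh
# Added example: check `ntpq -p` output for a selected peer ('*' tally mark)
# and for excessive jitter. The sample below is constructed; in production
# pass the live output, e.g.: ntp_sync_status "$(ntpq -p)" 100

SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*www.time.gov    192.43.244.18    2 u  987 1024  377   10.471    3.530   1.369'

# ntp_sync_status <ntpq -p output> [jitter_limit_ms]
# Prints "ok", "nosync" or "highjitter"; exit status 0 only when a peer is
# marked with '*' and its jitter is at or below the limit (default 100 ms).
ntp_sync_status() {
    _out=$1
    _limit=${2:-100}
    # A line beginning with '*' is the peer ntpd is currently synced to.
    _peer=$(printf '%s\n' "$_out" | awk '/^\*/ { print; exit }')
    if [ -z "$_peer" ]; then
        echo nosync
        return 1
    fi
    # The last column of a peer line is its jitter in milliseconds.
    _jitter=$(printf '%s\n' "$_peer" | awk '{ print $NF }')
    if awk -v j="$_jitter" -v l="$_limit" 'BEGIN { exit !(j > l) }'; then
        echo highjitter
        return 2
    fi
    echo ok
    return 0
}

ntp_sync_status "$SAMPLE_NTPQ"
```

Run it from cron and alert on any non-zero exit; a firewall blocking the time protocol or an unreachable server shows up as "nosync".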
My recommendation is to use a dedicated host inside your network as the time server, one that itself utilizes a pool of time servers. Point all your hosts to the local time server and create an alias called "time" that you reference in your ntp.conf file instead of a specific time host. This allows time servers to come and go without you having to update the ntp.conf on every host.
Enjoy!
Tuesday, September 9, 2008
Windows AD dsquery command
If you are trying to bulk update lots of Active Directory users, try using the dsquery and dsmod commands.
For example, to update a user's AD description, use the following command:
dsquery user -samid "username" -limit 0 | dsmod user -desc "New Description for User"
This works well for one or many users, but it may take some tweaking to get the information out of AD. To get the list of users from AD, use csvde.
Type csvde -r objectclass=user -f c:\userlist.csv
Once the file has been created, use Excel to tweak the CSV file into a usable format. I like using Excel and Notepad (utilizing find/replace) to get rid of excess tabs and breaks and to build the correct syntax.
Enjoy!