commit 649f0466a51f082fce8ea28bb3781544c056ff1c parent e1b77cc642b79d4a1880aacb73d1e59070438d88 Author: Administrator@GAMER.EPIC <Administrator@GAMER.EPIC> Date: Sat, 6 Jun 2020 00:03:00 -0700 added logging (covert ops) Diffstat:
D | .gitignore | | | 1 | - |
A | CyberPolice - Shortcut.lnk | | | 0 | |
M | CyberPolice.bat | | | 129 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---- |
A | CyberPoliceOutput/CPUARCHITECTURE.txt | | | 1 | + |
A | CyberPoliceOutput/Domain.txt | | | 1 | + |
A | CyberPoliceOutput/OSVERSION.txt | | | 1 | + |
A | CyberPoliceOutput/PowershellStatus.txt | | | 1 | + |
A | CyberPoliceOutput/logs/netstatlog.txt | | | 1 | + |
A | CyberPoliceOutput/logs/synclog.txt | | | 92 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | CyberPoliceOutput/path.txt | | | 1 | + |
A | CyberPoliceOutput/users.txt | | | 0 | |
A | PowershellScripts/AllGPOs.ps1 | | | 8 | ++++++++ |
A | PowershellScripts/GPOReport.ps1 | | | 8 | ++++++++ |
A | PowershellScripts/LogFirewall.ps1 | | | 7 | +++++++ |
A | PowershellScripts/LogServices.ps1 | | | 8 | ++++++++ |
A | VBScripts/BackupAllGPOs.wsf | | | 205 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | VBScripts/DumpGPOInfo.wsf | | | 337 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | VBScripts/FindDisabledGPOs.wsf | | | 131 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | VBScripts/FindGPOsWithNoSecurityFiltering.wsf | | | 129 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | VBScripts/GetReportsForAllGPOs.wsf | | | 228 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | VBScripts/Lib_CommonGPMCFunctions.js | | | 498 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | VBScripts/ListAllGPOs.wsf | | | 316 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
A | VBScripts/findorphanedGPOsInSYSVOL.wsf | | | 126 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
D | _config.yml | | | 2 | -- |
24 files changed, 2223 insertions(+), 8 deletions(-)
diff --git a/.gitignore b/.gitignore @@ -1 +0,0 @@ -/CyberPoliceOutput diff --git a/CyberPolice - Shortcut.lnk b/CyberPolice - Shortcut.lnk Binary files differ. diff --git a/CyberPolice.bat b/CyberPolice.bat @@ -2,7 +2,8 @@ SETLOCAL EnableDelayedExpansion -set functions=checkfiles usermgmtff userprop services firewall features passwordpol audit lockout rdp power sessions shares checkdns uac windef backuplsp lsp regharden verifysys auto +set functions=checkfiles usermgmtff userprop services firewall features passwordpol audit lockout rdp power sessions shares checkdns uac windef backuplsp lsp regharden verifysys auto logging +set analysisFunctions=allgpo listgpos listdisabledgpos gpoinfo gporeport backupgpos logfirewall logservices netstat checksync manual for /F "tokens=1,2 delims=#" %%a in ('"prompt #$H#$E# & echo on & for %%b in (1) do rem"') do ( set "DEL=%%a" @@ -14,6 +15,7 @@ set path=%~dp0 if not exist "%path%CyberPoliceOutput" mkdir "%path%CyberPoliceOutput" set output=%path%CyberPoliceOutput set powershellScriptPath=%path%PowershellScripts +set vbScriptPath=%path%VBScripts set configPath=%path%ConfigFiles set toolsPath=%path%Tools set batchScripts=%path%BatchScripts @@ -33,6 +35,9 @@ for /f "tokens=*" %%A in (%configPath%\DefaultPassword.txt) do ( echo CYBER POLICE are making required directories... if not exist "%output%\WindowsFeatures" mkdir "%output%\WindowsFeatures" +if not exist "%output%\gpoInfo" mkdir "%output%\gpoInfo" +if not exist "%output%\gpoInfo\gpoReports" mkdir "%output%\gpoInfo\gpoReports" +if not exist "%output%\logs" mkdir "%output%\logs" set lspEditOs = "Windows10" 
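Review bot: `set vbScriptPath=%path%VBScripts` builds on the script's own `path` variable, which the hunk header shows being assigned with `set path=%~dp0`; cmd variable names are case-insensitive, so unless it is restored elsewhere that assignment replaces the executable search path for the rest of the SETLOCAL scope. The labels added later in this commit start `cscript.exe`, `netsh`, `netstat` and `dcdiag` by bare name, so they are resolved from the current directory or the script folder rather than from a fixed system location. In a script meant to run elevated, name system binaries absolutely, e.g. `"%SystemRoot%\System32\cscript.exe" "%vbScriptPath%\ListAllGPOs.wsf"`, and consider renaming the variable (`set "root=%~dp0"`) so PATH is left intact. The assignment itself sits outside this hunk.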
@@ -92,6 +97,9 @@ echo Powershell installed: true Version: %PowerShellVersion% > %output%\Powershe cecho {0a}Powershell is installed!!{#} echo. echo. +cecho Note: If you plan on using the Logging function you need {0b}cscript.exe{#}! +echo. +echo. for /f "delims=: tokens=2" %%a in ('systeminfo ^| find "OS Name"') do set os=%%a for /f "tokens=* delims= " %%a in ("%os%") do set os=%%a @@ -105,6 +113,12 @@ cecho {0b}The CYBER POLICE have detected {0d}%proArc% {0b}as host's CPU architec echo. echo %proArc%>%output%\"CPUARCHITECTURE.txt" +for /f "delims=: tokens=2" %%a in ('systeminfo ^| find "Domain:"') do set domain=%%a +for /f "tokens=* delims= " %%a in ("%domain%") do set domain=%%a +cecho {0b}The CYBER POLICE have detected {0d}%domain% {0b}as host's domain{#} +echo. +echo %domain%>%output%\"Domain.txt" + cecho {0b}Running as user {0a}%you%{#} echo. echo. @@ -122,11 +136,12 @@ echo Press any key to begin CYBER POLICE OPS... pause>nul echo. -cecho {0e}Do you want [A]uto or [M]anual (Default is [M]anual){#} +cecho {0e}Do you want [{0a}A{0e}]uto, [{0b}M{0e}]anual or [{0d}L{0e}]ogging/Analysis (Default is [{0b}M{0e}]anual){#} echo. -set /p aus="[A/M]: " -if /i "%aus%" neq "A" goto:manual -goto:auto +set /p aus="[A/M/L]: " +if /i "%aus%"=="L" goto:logging +if /i "%aus%"=="A" goto:auto +goto:manual :auto for %%A in (%functions%) do call:autoCheck %%A @@ -145,6 +160,7 @@ if "%~1"=="auto" ( ) call:%~1 goto:EOF + :manual echo. 
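Review bot: The new `domain` value in the `@@ -105,6 +113,12 @@` hunk is scraped from `systeminfo` text with `find "Domain:"` and is never checked before it is reused as `/Domain:%domain%` in `:backupgpos`. The label is localized, so on a non-English host the variable stays undefined, and on a host that is not domain-joined it holds the workgroup name. Guard the GPO actions on it, for example `if not defined domain (echo No domain detected & goto:EOF)`, and write the file with the redirection quoted as a whole: `>"%output%\Domain.txt" echo %domain%`. The surrounding detection code continues outside the hunk.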
@@ -179,6 +195,38 @@ echo. pause>nul goto:manual +:logging +echo. +cecho {07}Type {0b}exit {07}to {0c}exit {07}and {0b}help {07}for {0a}help{#} [analysis mode] +echo. +set /p act="What should the CYBER POLICE [Covert Ops] check: " +if "%act%"=="exit" exit +if "%act%"=="help" ( + echo CYBER POLICE [Covert Ops] available actions: + for %%F in (%analysisFunctions%) do ( + cecho {0d}%%F{#} + echo. + ) + pause>nul + goto:logging +) +for %%F in (%analysisFunctions%) do ( + if %%F==%act% ( + cecho {0a}CYBER POLICE [Covert Ops] are executing {0b}%act%{#} + echo. + echo. + call:%act% + cecho {0a}CYBER POLICE [Covert Ops] have finished executing {0b}%act%{#} + echo. + goto:endOfLogging + ) +) +cecho {0c}CYBER POLICE [Covert Ops] could not find {0b}%act% {0c}operation!{#} +echo. +:endOfLogging +pause>nul +goto:logging + :checkfiles %powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%/MakeCheckFileDirectories.ps1" %powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%/CheckFiles.ps1" 
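Review bot: The dispatcher in `:logging` expands the typed value with `%act%` inside an unquoted comparison, `if %%F==%act% (`, so input containing a space, `&`, `)` or a quote is re-parsed as batch syntax instead of being rejected, in a script that is normally run elevated. `act` is also never cleared before `set /p`, so pressing Enter at the prompt silently repeats the previous action. Clear it first with `set "act="`, compare quoted with delayed expansion (`if /i "%%F"=="!act!" (`; the first hunk header shows `EnableDelayedExpansion`), and dispatch on the allow-listed token with `call:%%F` rather than on the typed text. `manual` is in `analysisFunctions`, so choosing it here enters the `:manual` loop through `call` and never returns to this prompt; a `goto:manual` special case would make that explicit.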
@@ -730,6 +778,77 @@ cecho {0a}The CYBER POLICE have cleared the HOSTS file{#} echo. goto:EOF +:allgpo +%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%/AllGPOs.ps1" +goto:EOF + +:backupgpos +if not exist "%output%\gpoBackups" mkdir "%output%\gpoBackups" +cscript.exe %vbScriptPath%\BackupAllGPOs.wsf %output%\gpoBackups /Comment:"Cyber Police Backup" /Domain:%domain% +goto:EOF + +:listgpos +cscript.exe %vbScriptPath%\ListAllGPOs.wsf > %output%\gpoInfo\GposInfoNameAndIDs.txt +cscript.exe %vbScriptPath%\ListAllGPOs.wsf /v > %output%\gpoInfo\GposInfoNameAndIDsVerbose.txt +cecho If you want to delete a GPO run {0a}Remove-GPO -Name {0b}[name]{#} in powershell{#} +echo. +echo. 2>%output%\gpoInfo\Gpos.txt +echo GPOs in this domain: +for /f "tokens=* delims=" %%i in (%output%\gpoInfo\GposInfoNameAndIDs.txt) do ( + echo.%%i|findstr /C:"Name:" >nul 2>&1 + if not errorlevel 1 ( + for /f "delims=: tokens=2" %%j in ('echo %%i') do set gponame=%%j + set gponame=!gponame:~1! + cecho {0b}!gponame!{#} + echo. + echo !gponame! >> %output%\gpoInfo\Gpos.txt + ) +) +echo. +goto:EOF + +:listdisabledgpos +cscript.exe %vbScriptPath%\FindDisabledGPOs.wsf +goto:EOF + +:gpoinfo +echo Getting all GPOS... +call:listgpos +for /f "tokens=* delims=" %%a in (%output%\gpoInfo\Gpos.txt) do ( + set currgpo=%%a + set currgpo=!currgpo:~0,-1! + cecho {0d}Getting {0b}!currgpo!{0d} info{#} + echo. + cscript.exe %vbScriptPath%\DumpGPOInfo.wsf "!currgpo!" + cecho {0d}End of {0b}!currgpo!{0d} info...{#} + echo. 
+) +goto:EOF + +:gporeport +rem %powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%/GPOReport.ps1" +cscript.exe %vbScriptPath%\GetReportsForAllGPOs.wsf %output%\gpoInfo\gpoReports +goto:EOF + +:logfirewall +%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%/LogFirewall.ps1" +netsh advfirewall export "%output%\logs\fwBackup.wfw" +goto:EOF + +:logservices +%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%/LogServices.ps1" +goto:EOF + +:netstat +netstat -abno +netstat -abno > %output%\logs\netstatlog.txt +goto:EOF + +:checksync +dcdiag /q +dcdiag /q > %output%\logs\synclog.txt +goto:EOF + :createFile %powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%/CreateFile.ps1" %~1 %~2 goto:EOF diff --git a/CyberPoliceOutput/CPUARCHITECTURE.txt b/CyberPoliceOutput/CPUARCHITECTURE.txt @@ -0,0 +1 @@ +AMD64 diff --git a/CyberPoliceOutput/Domain.txt b/CyberPoliceOutput/Domain.txt @@ -0,0 +1 @@ +gamer.epic diff --git a/CyberPoliceOutput/OSVERSION.txt b/CyberPoliceOutput/OSVERSION.txt @@ -0,0 +1 @@ +Microsoft Windows Server 2016 Standard diff --git a/CyberPoliceOutput/PowershellStatus.txt b/CyberPoliceOutput/PowershellStatus.txt @@ -0,0 +1 @@ +Powershell installed: true Version: 2.0 diff --git a/CyberPoliceOutput/logs/netstatlog.txt b/CyberPoliceOutput/logs/netstatlog.txt @@ -0,0 +1 @@ +The requested operation requires elevation. diff --git a/CyberPoliceOutput/logs/synclog.txt b/CyberPoliceOutput/logs/synclog.txt 
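Review bot: `:listgpos` and `:gpoinfo` pass GPO display names back through the command interpreter: `echo.%%i|findstr ...` and `for /f ... in ('echo %%i')` each start a child cmd that re-parses the line, so a name containing `&`, `|` or `>` is treated as syntax rather than data, and a name containing `:` is cut short by `tokens=2`. GPO names are directory data that any account delegated to create GPOs can set, while this script is typically run by an administrator. Let `for /f` split the file itself, e.g. `for /f "usebackq tokens=1,* delims=:" %%j in ("%output%\gpoInfo\GposInfoNameAndIDs.txt") do if "%%j"=="Name" set "gponame=%%k"` (assuming the label starts the line; the format comes from ListAllGPOs.wsf). Also quote `%vbScriptPath%`, `%output%` and `%domain%` wherever they are passed to `cscript.exe` or used as redirection targets, since an install path with a space breaks every one of these calls. `netstat -abno` needs elevation, which the committed `netstatlog.txt` shows was missing, so the label should check for it instead of logging the error text.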
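Review bot: `CyberPoliceOutput/CPUARCHITECTURE.txt` and the other files under `CyberPoliceOutput/` are tool output from a live host and should not be in the repository. This commit deletes the `/CyberPoliceOutput` ignore rule and adds `Domain.txt`, `OSVERSION.txt`, `logs/synclog.txt` and `path.txt`, which record the domain name, the OS edition, a server host name with its `dcdiag` findings, and a local profile path. Restore the ignore rule and drop the directory from the index with `git rm -r --cached CyberPoliceOutput`. The PowerShell scripts read `CyberPoliceOutput/path.txt` at run time, so a committed copy also points a fresh clone at the author's directory until the batch file rewrites it; that rewrite is not visible in this diff.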
@@ -0,0 +1,92 @@ + There are warning or error events within the last 24 hours after the + SYSVOL has been shared. Failing SYSVOL replication problems may cause + Group Policy problems. + ......................... SRV2016 failed test DFSREvent + [SRV2016] User credentials does not have permission to perform this + operation. + The account used for this test must have network logon privileges + for this machine's domain. + ......................... SRV2016 failed test NetLogons + [Replications Check,SRV2016] DsReplicaGetInfo(PENDING_OPS, NULL) + failed, error 0x2105 "Replication access was denied." + ......................... SRV2016 failed test Replications + Could not open NTDS Service on SRV2016, error 0x5 + "Access is denied." + ......................... SRV2016 failed test Services + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:02:57 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:05:14 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:06:30 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:07:20 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:08:32 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. 
EventID: 0x00002720 + Time Generated: 06/05/2020 23:10:00 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:15:50 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:18:04 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:19:23 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:23:28 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:24:19 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:31:27 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:35:06 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. 
EventID: 0x00002720 + Time Generated: 06/05/2020 23:41:21 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:43:37 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:47:53 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:49:57 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:56:20 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + An error event occurred. EventID: 0x00002720 + Time Generated: 06/05/2020 23:59:36 + Event String: + The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID + ......................... SRV2016 failed test SystemLog diff --git a/CyberPoliceOutput/path.txt b/CyberPoliceOutput/path.txt @@ -0,0 +1 @@ +C:\Users\Administrator\Desktop\CyberPolice-CyberPatriotScripts\CyberPoliceOutput diff --git a/CyberPoliceOutput/users.txt b/CyberPoliceOutput/users.txt diff --git a/PowershellScripts/AllGPOs.ps1 b/PowershellScripts/AllGPOs.ps1 
@@ -0,0 +1,7 @@
+Write-Host "CYBER POLICE [Covert Ops] are now going to show all GPOs in domain..." -ForegroundColor Magenta
+$thispath = Split-Path -parent $MyInvocation.MyCommand.Definition
+$path = Split-Path -parent $thispath
+$output = Get-content $path/CyberPoliceOutput/path.txt
+Get-GPO -all | Out-File -FilePath $output/logs/AllGPOsLog.txt
+Get-Content $output/logs/AllGPOsLog.txt
+Write-Host "The CYBER POLICE [Covert Ops]: End of File" -ForegroundColor Magenta+ \ No newline at end of file
diff --git a/PowershellScripts/GPOReport.ps1 b/PowershellScripts/GPOReport.ps1
@@ -0,0 +1,7 @@
+Write-Host "CYBER POLICE [Covert Ops] are now going to generate reports on this system's GPOs..." -ForegroundColor Magenta
+$thispath = Split-Path -parent $MyInvocation.MyCommand.Definition
+$path = Split-Path -parent $thispath
+$output = Get-content $path/CyberPoliceOutput/gpoInfo/gpoReports
+Import-Module GroupPolicy
+Get-GPOReport -All -ReportType HTML -Path $output
+Write-Host "The CYBER POLICE [Covert Ops]: End of operation" -ForegroundColor Magenta+ \ No newline at end of file
diff --git a/PowershellScripts/LogFirewall.ps1 b/PowershellScripts/LogFirewall.ps1
@@ -0,0 +1,6 @@
+Write-Host "CYBER POLICE [Covert Ops] are now going to log firewall rules..." -ForegroundColor Magenta
+$thispath = Split-Path -parent $MyInvocation.MyCommand.Definition
+$path = Split-Path -parent $thispath
+$output = Get-content $path/CyberPoliceOutput/path.txt
+get-netfirewallrule | select-object name, group, action, enabled, profile | export-csv $output/logs/FirewallLog.csv
+Write-Host "The CYBER POLICE [Covert Ops]: End of logging. Check logs folder in output!" -ForegroundColor Magenta+ \ No newline at end of file
diff --git a/PowershellScripts/LogServices.ps1 b/PowershellScripts/LogServices.ps1
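Review bot: In `AllGPOs.ps1`, `$output` is whatever text `CyberPoliceOutput/path.txt` contains and is used unchecked as the destination for `Out-File`; `LogFirewall.ps1` and `LogServices.ps1` repeat the pattern. Anyone who can edit that file decides where an elevated run writes, and a file with more than one line turns `$output` into an array. The value appears to be the same directory the script can compute itself, so derive it with `$output = Join-Path $path 'CyberPoliceOutput'`, or at least reject it unless `Test-Path -LiteralPath $output -PathType Container` succeeds. This script also calls `Get-GPO` without the `Import-Module GroupPolicy` that `GPOReport.ps1` has; the committed `PowershellStatus.txt` reports version 2.0, which does not auto-load modules.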
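Review bot: `$output = Get-content $path/CyberPoliceOutput/gpoInfo/gpoReports` in `GPOReport.ps1` calls `Get-Content` on a directory, which raises an error and leaves `$output` empty, so `Get-GPOReport -All -ReportType HTML -Path $output` has no destination. With `-All`, `-Path` names the single report file, so build the full file path instead: `$output = Join-Path $path 'CyberPoliceOutput/gpoInfo/gpoReports/AllGPOs.html'` (file name is a placeholder). The only caller visible in this commit, `:gporeport` in `CyberPolice.bat`, has the invocation commented out with `rem`, which may be why this went unnoticed.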
@@ -0,0 +1,7 @@
+Write-Host "CYBER POLICE [Covert Ops] are now going to log all current services..." -ForegroundColor Magenta
+$thispath = Split-Path -parent $MyInvocation.MyCommand.Definition
+$path = Split-Path -parent $thispath
+$output = Get-content $path/CyberPoliceOutput/path.txt
+Get-Service | Out-File -FilePath $output/logs/RawServicesLog.txt
+Get-Service
+Write-Host "The CYBER POLICE [Covert Ops]: End of File" -ForegroundColor Magenta+ \ No newline at end of file
diff --git a/VBScripts/BackupAllGPOs.wsf b/VBScripts/BackupAllGPOs.wsf
@@ -0,0 +1,204 @@ +'//////////////////////////////////////////////////////////////////////////// +'// Copyright (c) Microsoft Corporation. All rights reserved +'// +'// Title: BackupAllGPOs.wsf +'// Author: mtreit@microsoft.com +'// Created: 1/3/2002 +'// +'// Purpose: Takes a domain name and backs up all GPOs in that domain +'// to the specified backup location +'// Revision: Ported from JScript->VBScript by dtsaltas (October 20, 2002) +'// +'//////////////////////////////////////////////////////////////////////////// + +'/////////////////////////////////////// +'// Initialization +'/////////////////////////////////////// +<job> + +' Include necessary libraries + +<script language="JScript" src="Lib_CommonGPMCFunctions.js"/> +<script language="VBScript"> + +' Create global objects for use by the rest of the script +Dim GPM : Set GPM = CreateObject("GPMgmt.GPM") +Dim Constants : Set Constants = GPM.GetConstants() + + +'/////////////////////////////////////// +'// Main script +'/////////////////////////////////////// + +' Handle command line arguments + +Dim ArgumentList : Set ArgumentList = ProcessCommandLineArguments() +Dim szDomainName : szDomainName = ArgumentList.Item("Domain") +Dim szBackupLocation : szBackupLocation = ArgumentList.Item("BackupLocation") +Dim szComment : szComment = ArgumentList.Item("Comment") + +' Validate the path given +Dim bValidPath : bValidPath = ValidatePath(szBackupLocation) + +If bValidPath = false Then + WScript.Echo "The path '" & szBackupLocation & "' could not be found." + WScript.Echo "Verify the path exists." 
+ WScript.Quit +End If + +' Initialize the Domain object +Dim GPMDomain : Set GPMDomain = GPM.GetDomain(szDomainName, "", Constants.UseAnyDC) + +' Backup all GPOs in the specified domain + +BackupAllGPOs szBackupLocation, szComment, GPMDomain + +'/////////////////////////////////////// +'// Function Definitions +'/////////////////////////////////////// + +' Backs up all GPOs in the specified domain to a given file system location +Function BackupAllGPOs(strBackupLocation, strComment, GPMDomain) + + ' Create the search criteria object + Dim GPMSearchCriteria : Set GPMSearchCriteria = GPM.CreateSearchCriteria() + + ' Get all of the GPOs by passing in a default SearchCriteria object + + Dim GPOList + Set GPOList = GPMDomain.SearchGPOs(GPMSearchCriteria) + + ' Now process the list + Dim GPMGPO + + WScript.Echo "== Found " & GPOList.Count & " GPOs in " & GPMDomain.Domain & " to backup ==" & vbCrLf + + ' Loop through the list and print info for each GPO + Dim iSuccessCount : iSuccessCount = 0 + Dim iFailureCount : iFailureCount = 0 + Dim bFailure : bFailure = false + + For Each GPMGPO in GPOList + On Error Resume Next + Dim GPMResult + Set GPMResult = GPMGPO.Backup(strBackupLocation,strComment) + ' call the overallstatus method to force an error if there were any problems + GPMResult.OverallStatus + + + ' FAILURE + ' There was a problem, let the user know the details and increment the failure counter + + If Err.Number <> 0 Then + + If Not IsNull(GPMResult) Then + PrintStatusMessages(GPMResult) + End If + WScript.Echo vbCrLf + WScript.Echo "The backup attempt failed for GPO " & GPMGPO.ID + WScript.Echo "Attempted to backup GPO " & GPMGPO.ID & " to location " & strBackupLocation + WScript.Echo Err.Number & " - " & Err.Description '[todo]wrap with ErrCode + iFailureCount = iFailureCount + 1 + bFailure = true + + End If + + + ' SUCCESS + ' Backup appears to have been successful. 
Print any status messages in GPMResult and + ' provide the user with some details about the backup + + + If Not bFailure = True Then + + ' Print any status message warnings + PrintStatusMessages(GPMResult) + + Dim GPMBackup : Set GPMBackup = GPMResult.Result + + WScript.Echo vbCrLf & "Backed up GPO '" & GPMBackup.GPODisplayName & "' with the following properties:" + WScript.Echo vbCrLf + WScript.Echo "GPO ID:" & vbTab & vbTab & GPMBackup.GPOID + WScript.Echo "Timestamp:" & vbTab & GPMBackup.TimeStamp + WScript.Echo "Backup ID:" & vbTab & GPMBackup.ID + + iSuccessCount = iSuccessCount + 1 + Else + ' reset the failure flag + bFailure = False + End If + Next + + WScript.Echo vbCrLf + WScript.Echo "Backup succeeded for " & iSuccessCount & " GPOs." + WScript.Echo "Backup failed for " & iFailureCount & " GPOs." + +End Function + + +' Takes a WScript.Arguments object and returns a dictionary object +' containing the named arguments and values that were passed in +Function ProcessCommandLineArguments() + + Dim szBackupLocation : szBackupLocation = "" + Dim szDomainName : szDomainName = "" + Dim szComment : szComment = "" + + ' Check if this is cscript. If not, print an error and bail out + + If UCase(Right(WScript.FullName,11)) = "WSCRIPT.EXE" Then + WScript.Echo "You must use cscript.exe to execute this script." 
+ WScript.Quit(-1) + End If + + If WScript.Arguments.Length = 0 Then + WScript.Arguments.ShowUsage() + WScript.Quit(-1) + End If + + Dim Result : Set Result = CreateObject("Scripting.Dictionary") + + szBackupLocation = WScript.Arguments(0) + + ' Get the comment to use, if specified + If WScript.Arguments.Named.Exists("Comment") Then + szComment = WScript.Arguments.Named("Comment") + End If + + If WScript.Arguments.Named.Exists("Domain") Then + szDomainName = WScript.Arguments.Named("Domain") + End If + + ' Get the current domain if none was specified + If szDomainName = "" Then + szDomainName = GetDNSDomainForCurrentUser() + End If + + Result.Add "Domain" , szDomainName + Result.Add "BackupLocation" , szBackupLocation + Result.Add "Comment" , szComment + + Set ProcessCommandLineArguments = Result +End Function + + +</script> + +<!-- Usage and command line argument information --> +<runtime> + +<description> +Backs up all GPOs in the a given domain to the specified file system location. +</description> + +<unnamed name="BackupLocation" helpstring="File system location to back up to" type="string" required="true" /> +<named name="Comment" helpstring="Optional comment for the backup" type="string" required="false" /> +<named name="Domain" helpstring="DNS name of domain" type="string" required="false" /> + +<example> +Example: BackupAllGPOs.wsf c:\GPO-Backups /comment:"Weekly backup" +</example> + +</runtime> + +</job>+ \ No newline at end of file diff --git a/VBScripts/DumpGPOInfo.wsf b/VBScripts/DumpGPOInfo.wsf 
@@ -0,0 +1,336 @@ +'//////////////////////////////////////////////////////////////////////////// +'// Copyright (c) Microsoft Corporation. All rights reserved +'// +'// Title: DumpGPOInfo.wsf +'// Author: mtreit@microsoft.com +'// Created: 10/13/2001 +'// Purpose: Lists info for a specific GPO +'// Revision: Ported from JScript->VBScript by dtsaltas (October 20,2002) +'// +'//////////////////////////////////////////////////////////////////////////// + +'/////////////////////////////////////// +'// Initialization +'/////////////////////////////////////// +<job> + +' Include necessary libraries +<script language="JScript" src="Lib_CommonGPMCFunctions.js"/> +<script language="VBScript"> + +' Create global objects for use by the rest of the script +Dim GPM : Set GPM = CreateObject("GPMgmt.GPM") +Dim Constants : Set Constants = GPM.GetConstants() + +' Define flags needed for querying SecurityDescriptor +Dim bOwner : bOwner = true +Dim bGroup : bGroup = false +Dim bDACL : bDACL = false +Dim bSACL : bSACL = false + + +' If you don't have write permissions on a GPO, querying for the SACL +' will fail. The following gives you the necessary flags to only query +' for the 'owner' part of the security descriptor, which is all we care +' about in most cases. 
'Owner' can be read with read-only rights + +Dim SecurityFlags +SecurityFlags = Constants.SecurityFlags(bOwner, bGroup, bDACL, bSACL) + +'/////////////////////////////////////// +'// Main script +'/////////////////////////////////////// + +' Handle command line arguments +Dim ArgumentList +Set ArgumentList = ProcessCommandLineArguments +Dim strDomainName : strDomainName = ArgumentList.Item("Domain") +Dim strGPOName : strGPOName = ArgumentList.Item("GPOName") + +' Initialize the Domain object +Dim GPMDomain +Set GPMDomain = GPM.GetDomain(strDomainName, "", Constants.UseAnyDC) + +' Get the current forest +Dim strForest : strForest = CStr(GetForestDNSName(strDomainName)) + +' Initialize the Sites Container Object +Dim GPMSitesContainer +Set GPMSitesContainer = GPM.GetSitesContainer(strForest, strDomainName, "", Constants.UseAnyDC) + +' Print info about a specific GPO +PrintGPOInfo strGPOName, GPMDomain + +'/////////////////////////////////////// +'// Function Definitions +'/////////////////////////////////////// + +' Print info about a specific GPO +Function PrintGPOInfo(strGPOName, GPMDomain) + On Error Resume Next + + ' Get the desired GPO - this will either return a single GPO, or + ' a list if more than one GPO with the specified name exists + Dim GPOList + Set GPOList = GetGPO(strGPOName, GPMDomain) + + If GPOList Is Nothing Then + WScript.Echo "Could not find GPO '" & strGPOName & "' in domain '" & GPMDomain.Domain & "'." + Exit Function + End If + + Dim iGPOCount : iGPOCount = 0 + iGPOCount = GPOList.Count + + If iGPOCount > 0 Then + ' Multiple GPOs were found + WScript.Echo "** " & GPOList.Count & " GPOs were found with name '" & strGPOName & "' **" & vbCrLf + WScript.Echo "Dumping all instances." 
+ + For Each objGPO in GPOList + PrintDetailedGPOInfo objGPO + Next + + Exit Function + Else + ' We have a single GPO, not a list, so just process it + PrintDetailedGPOInfo GPOList + End If + +End Function + + +' Print detailed info about a GPO +Function PrintGPODetails(GPMGPO) + + Dim strCreated : strCreated = GPMGPO.CreationTime + Dim strChanged : strChanged = GPMGPO.ModificationTime + Dim strOwner : strOwner = GPMGPO.GetSecurityDescriptor(SecurityFlags).Owner + + WScript.Echo vbCrLf & "-- Details --" + WScript.Echo "Created:" & vbTab & strCreated + WScript.Echo "Changed:" & vbTab & strChanged + WScript.Echo "Owner:" & vbTab & vbTab & strOwner + + WScript.Echo vbCrLf + WScript.Echo "User Enabled:" & vbTab & GPMGPO.IsUserEnabled + WScript.Echo "Mach Enabled:" & vbTab & GPMGPO.IsComputerEnabled + + WScript.Echo vbCrLf + WScript.Echo "-- Version Numbers --" + '[todo] - variant types of the following not supported in VBScript + WScript.Echo "User DS:" & vbTab & CLng(GPMGPO.UserDSVersionNumber) + WScript.Echo "User Sysvol:" & vbTab & CLng(GPMGPO.UserSysvolVersionNumber) + WScript.Echo "Mach DS:" & vbTab & CLng(GPMGPO.ComputerDSVersionNumber) + WScript.Echo "Mach Sysvol:" & vbTab & CLng(GPMGPO.ComputerSysvolVersionNumber) + +End Function + +' Print the list of trustees with a particular set of permissions on a GPO +Function PrintGPOPermissions(GPMGPO, PermissionType) + + ' Print out a header identifying the type of rights being listed + Dim strHeader : strHeader = "" + Select Case PermissionType + + Case Constants.PermGPOApply + strHeader = vbCrLf & "-- Who this GPO applies to --" + + + Case Constants.PermGPOEdit: + strHeader = vbCrLf & "-- Who can edit this GPO --" + + + Case Constants.PermGPOEditSecurityAndDelete: + strHeader = vbCrLf & "-- Who can edit settings, modify security and delete this GPO --" + + + Case Constants.PermGPORead: + strHeader = vbCrLf & "-- Who only has Read access --" + + + Case Constants.PermGPOCustom: + strHeader = vbCrLf & "-- Who has custom 
permissions --" + + End Select + + WScript.Echo strHeader + + ' Get the list of security settings on this GPO + Dim GPMSecurityInfo + Set GPMSecurityInfo = GPMGPO.GetSecurityInfo() + + ' Print out the groups who have the specified permission + + Dim GPOPermission + Dim strTrusteeName + + For Each GPOPermission in GPMSecurityInfo + + strTrusteeName = "" + If GPOPermission.Permission = PermissionType Then + On Error Resume Next + strTrusteeName = GPOPermission.Trustee.TrusteeName + If Err.Number <> 0 Then + strTrusteeName = GPOPermission.Trustee.TrusteeSid + End If + WScript.Echo strTrusteeName + End If + Next +End Function + +' Print all places a given GPO is linked +Function PrintGPOLinks(GPMGPO) + + ' Search for all SOM links for this GPO + Dim GPMSearchCriteria + Set GPMSearchCriteria = GPM.CreateSearchCriteria() + GPMSearchCriteria.Add Constants.SearchPropertySOMLinks, Constants.SearchOpContains, GPMGPO + + WScript.Echo vbCrLf + WScript.Echo "-- Where this GPO is linked (Sites,Domain,OU) --" + + Dim SOMList + On Error Resume Next + Set SOMList = GPMDomain.SearchSOMs(GPMSearchCriteria) + If Err.Number <> 0 Then + WScript.Echo ErrCode(Err.Number) + WScript.Echo Err.Description + WScript.Clear + WScript.Quit(-1) + End If + + Dim SiteLinkList + On Error Resume Next + Set SiteLinkList = GPMSitesContainer.SearchSites(GPMSearchCriteria) + If Err.Number <> 0 Then + WScript.Echo ErrCode(Err.Number) + WScript.Echo Err.Description + WScript.Clear + WScript.Quit(-1) + End If + + If SOMList.Count = 0 and SiteLinkList.Count = 0 Then + WScript.Echo "No Site, Domain or OU links found for this GPO" + Exit Function + End If + + ' Print out all domain/OU GPO links that were found + Dim SOM + Dim strSOMType + + For Each SOM in SOMList + Select Case SOM.Type + Case Constants.SOMDomain + strSOMType = "Domain" + Case Constants.SOMOU + strSOMType = "OU" + End Select + + ' Print GPO Domain and OU links + WScript.Echo SOM.Name & " (" & strSOMType & ")" + + Next + + ' Print GPO Site Links 
+ Dim SiteLink + + For Each SiteLink in SiteLinkList + WScript.Echo SiteLink.Name & " (Site)" + Next + +End Function + +'Prints detailed info about a given GPO +Function PrintDetailedGPOInfo(GPMGPO) + + WScript.Echo "==============================================" + WScript.Echo "Name:" & vbTab & GPMGPO.DisplayName + WScript.Echo "ID:" & vbTab & GPMGPO.ID + + ' Print the GPO details + PrintGPODetails GPMGPO + + ' Print apply rights + PrintGPOPermissions GPMGPO, Constants.PermGPOApply + + ' Print edit rights + PrintGPOPermissions GPMGPO, Constants.PermGPOEdit + + ' Print edit, modify security and delete rights + PrintGPOPermissions GPMGPO, Constants.PermGPOEditSecurityAndDelete + + ' Print read rights + PrintGPOPermissions GPMGPO, Constants.PermGPORead + + ' Print custom rights + PrintGPOPermissions GPMGPO, Constants.PermGPOCustom + + ' Print the list of links + PrintGPOLinks GPMGPO + + WScript.Echo vbCrLf + WScript.Echo "==============================================" & vbCrLf + +End Function + + +' Takes a WScript.Arguments object and returns a dictionary object +' containing the named arguments and values that were passed in +Function ProcessCommandLineArguments() + + Dim strGPOName : strGPOName = "" + Dim strDomainName : strDomainName = "" + + ' Check if this is cscript. If not, print an error and bail out + + If UCase(Right(WScript.FullName,11)) = "WSCRIPT.EXE" Then + WScript.Echo "You must use cscript.exe to execute this script." 
+ WScript.Quit(-1) + End If + + + If WScript.Arguments.Length = 0 Then + WScript.Arguments.ShowUsage + WScript.Quit(-1) + End If + + Dim Result + Set Result = CreateObject("Scripting.Dictionary") + + strGPOName = WScript.Arguments(0) + + If WScript.Arguments.Named.Exists("Domain") Then + strDomainName = WScript.Arguments.Named("Domain") + End If + + ' Get the current domain if none was specified + If strDomainName = "" Then + strDomainName = GetDNSDomainForCurrentUser() + End If + + Result.Add "GPOName",strGPOName + Result.Add "Domain" ,strDomainName + Set ProcessCommandLineArguments = Result + +End Function + +</script> + +<!-- Usage and command line argument information --> +<runtime> + +<description> +Given a GPO name or GUID, prints information about that GPO. +</description> + +<unnamed name="GPOName" helpstring="GPO name or ID" type="string" required="true" /> +<named name="Domain" helpstring="DNS name of domain" type="string" required="false" /> + +<example> +Example: DumpGPOInfo.wsf TestGPO /domain:mydomain.com +</example> + +</runtime> + +</job>+ \ No newline at end of file diff --git a/VBScripts/FindDisabledGPOs.wsf b/VBScripts/FindDisabledGPOs.wsf 
@@ -0,0 +1,130 @@ +'//////////////////////////////////////////////////////////////////////////// +'//Copyright (c) Microsoft Corporation. All rights reserved +'// +'// Title: FindDisabledGPOs.wsf +'// Author: mtreit@microsoft.com +'// Created: 11/7/2001 +'// +'// Purpose: Finds all GPOs in the domain that are disabled or partially +'// disabled and prints them out +'// options. +'// Revision: Ported from JScript->VBScript by dtsaltas (December 2002) +'// +'//////////////////////////////////////////////////////////////////////////// + +'/////////////////////////////////////// +'// Initialization +'/////////////////////////////////////// +<job> + +' Include necessary libraries + +<script language="JScript" src="Lib_CommonGPMCFunctions.js"/> +<script language="VBScript"> + +' Create global objects for use by the rest of the script +Dim GPM : Set GPM = CreateObject("GPMgmt.GPM") +Dim Constants : Set Constants = GPM.GetConstants() + +'/////////////////////////////////////// +'// Main script +'/////////////////////////////////////// + +' Handle command line arguments +Dim ArgumentList : Set ArgumentList = ProcessCommandLineArguments() +Dim szDomainName : szDomainName = ArgumentList.Item("Domain") + +' Initialize the Domain object +Dim GPMDomain : Set GPMDomain = GPM.GetDomain(szDomainName, "", Constants.UseAnyDC) + +' Get all GPOs in the domain +Dim GPMSearchCriteria +Set GPMSearchCriteria = GPM.CreateSearchCriteria() +Dim GPOList +Set GPOList = GPMDomain.SearchGPOs(GPMSearchCriteria) + + +' Print out the GPOs that are totally disabled +WScript.Echo vbCrLf & "== GPOs that are completely disabled ==" + +For Each objGPO in GPOList + If objGPO.IsUserEnabled = False AND objGPO.IsComputerEnabled = False Then + WScript.Echo objGPO.ID & " - " & objGPO.DisplayName + End If +Next + + +' Print out the GPOs where the computer side is disabled +WScript.Echo vbCrLf & "== GPOs with the computer settings disabled ==" + +For Each objGPO in GPOList + If objGPO.IsUserEnabled = True AND 
objGPO.IsComputerEnabled = False Then + WScript.Echo objGPO.ID & " - " & objGPO.DisplayName + End If +Next + +' Print out the GPOs where the user side is disabled +WScript.Echo vbCrLf & "== GPOs with the user settings disabled ==" + +For Each objGPO in GPOList + If objGPO.IsUserEnabled = False AND objGPO.IsComputerEnabled = True Then + WScript.Echo objGPO.ID & " - " & objGPO.DisplayName + End If +Next + +'/////////////////////////////////////// +'// Function Definitions +'/////////////////////////////////////// + +' Returns a dictionary object +' containing the named arguments and values that were passed in +Function ProcessCommandLineArguments() + + Dim strDomainName : strDomainName = "" + + ' Check if this is cscript. If not, print an error and bail out + + If UCase(Right(WScript.FullName,11)) = "WSCRIPT.EXE" Then + WScript.Echo "You must use cscript.exe to execute this script." + WScript.Quit(-1) + End If + + Dim Result : Set Result = CreateObject("Scripting.Dictionary") + + + If WScript.Arguments.Named.Exists("Domain") Then + + strDomainName = WScript.Arguments.Named("Domain") + End If + + + ' Get the current domain if none was specified + If strDomainName = "" Then + + strDomainName = GetDNSDomainForCurrentUser() + End If + + Result.Add "Domain", strDomainName + + Set ProcessCommandLineArguments = Result + +End Function + +</script> + +<!-- Usage and command line argument information --> +<runtime> + +<description> +Searches for all disabled GPOs in a given domain. +</description> + +<named name="Domain" helpstring="DNS name of domain" type="string" required="false" /> + +<example> +Example: FindDisabledGPOs.wsf /domain:Test.MyDomain.com +</example> + +</runtime> + +</job>+ \ No newline at end of file diff --git a/VBScripts/FindGPOsWithNoSecurityFiltering.wsf b/VBScripts/FindGPOsWithNoSecurityFiltering.wsf 
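Review bot: The three `For Each objGPO in GPOList` loops in the main script use `objGPO` without declaring it, while every other variable there is introduced with `Dim`. I would add `Dim objGPO` ahead of the first loop, so the script keeps working if `Option Explicit` is ever added and a misspelt loop variable cannot silently create a new empty one. The three passes over `GPOList` could also be folded into one loop that sorts each GPO into its category, but that is optional.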
@@ -0,0 +1,128 @@ +///////////////////////////////////////////////////////////////// +// Copyright (c) Microsoft Corporation. All rights reserved +// +// Title: FindGPOsWithNoSecurityFiltering.wsf +// Author: mtreit@microsoft.com +// Created: 10/28/2001 +// Purpose: Finds any GPOs in the specified domain +// that do not apply to anyone because +// no apply rights are set on the GPO +///////////////////////////////////////////////////////////////// + +/////////////////////////////////////// +// Initialization +/////////////////////////////////////// +<job> + +// Include necessary libraries +<script language="JScript" src="Lib_CommonGPMCFunctions.js"/> + +<script language="JScript"> + +// Create global objects for use by the rest of the script +var GPM = new ActiveXObject("GPMgmt.GPM"); +var Constants = GPM.GetConstants(); + +/////////////////////////////////////// +// Main script +/////////////////////////////////////// + +// Handle command line arguments +var ArgumentList = ProcessCommandLineArguments(WScript.Arguments); +var szDomainName = ArgumentList.Item("Domain"); + +// Initialize the Domain object +var GPMDomain = GPM.GetDomain(szDomainName, "", Constants.UseAnyDC); + +// Set the permission we are going to look for +perm = Constants.PermGPOApply; + +// Get a collection with all GPOs in the domain +var GPMSearchCriteria = GPM.CreateSearchCriteria(); +var GPOList = GPMDomain.SearchGPOs(GPMSearchCriteria); + +WScript.Echo("GPOs in " + szDomainName + " that are missing 'Apply' rights:\n"); + +// Loop through each GPO and check the permissions +var e = new Enumerator(GPOList); +var GPO, SecInfo, e2, GPMPermission, bFoundPerm; + +for (; !e.atEnd(); e.moveNext()) +{ + GPO = e.item(); + bFoundPerm = false; + SecInfo = GPO.GetSecurityInfo(); + e2 = new Enumerator(SecInfo) + + for (; !e2.atEnd(); e2.moveNext()) + { + GPMPermission = e2.item(); + if (GPMPermission.Permission == perm) + { + bFoundPerm = true; + } + } + + // If the permission was not found, print out the 
GPO name + if (bFoundPerm == false) + { + WScript.Echo(GPO.ID + " - " + GPO.DisplayName); + } +} + + +/////////////////////////////////////// +// Function Definitions +/////////////////////////////////////// + +// Takes a WScript.Arguments object and returns a dictionary object +// containing the named arguments and values that were passed in +// +function ProcessCommandLineArguments(Arguments) +{ + var szDomainName = ""; + + // Check if this is cscript. If not, print an error and bail out + if (WScript.FullName.toLowerCase().search("wscript") > 0) + { + WScript.Echo("You must use cscript.exe to execute this script."); + WScript.Quit(); + } + + var Result = new ActiveXObject("Scripting.Dictionary"); + + if (Arguments.Named.Exists("Domain")) + { + szDomainName = Arguments.Named("Domain"); + } + + // Get the current domain if none was specified + if (szDomainName == "") + { + szDomainName = GetDNSDomainForCurrentUser(); + } + + Result.add("Domain", szDomainName); + + return Result; +} + +</script> + +<!-- Usage and command line argument information --> +<runtime> + +<description> +Prints a list of all GPOs in the domain that do not have any 'apply' permissions set. +These are GPOs that exist but will not actually apply to anyone. +</description> + +<named name="Domain" helpstring="DNS name of domain" type="string" required="false" /> + +<example> +Example: FindGPOsWithNoSecurityFiltering.wsf +</example> + +</runtime> + +</job>+ \ No newline at end of file diff --git a/VBScripts/GetReportsForAllGPOs.wsf b/VBScripts/GetReportsForAllGPOs.wsf 
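Review bot: When the host check in `ProcessCommandLineArguments` fails, the script calls `WScript.Quit();` with no argument and so exits with status 0, whereas the VBScript samples added in this same commit use `WScript.Quit(-1)` for the same condition. A wrapper that runs this script cannot then tell "refused to run" from "no GPOs are missing Apply rights", and an empty result reads as a clean audit; I would change the call to `WScript.Quit(-1);`. Separately, `perm = Constants.PermGPOApply;` in the main script creates an implicit global and should read `var perm = Constants.PermGPOApply;`.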
@@ -0,0 +1,227 @@ +'//////////////////////////////////////////////////////////////////////////// +'// Copyright (c) Microsoft Corporation. All rights reserved +'// +'// Title: GetReportsForAllGPOs.wsf +'// Author: mtreit@microsoft.com +'// Created: 8/29/2002 +'// +'// Purpose: Takes a domain name and gets reports for all GPOs in that +'// domain +'// Revision: Ported from JScript->VBScript by dtsaltas (December 2002) +'// +'//////////////////////////////////////////////////////////////////////////// + +'/////////////////////////////////////// +'// Initialization +'/////////////////////////////////////// +<job> + +' Include necessary libraries + +<script language="JScript" src="Lib_CommonGPMCFunctions.js"/> +<script language="VBScript"> + +' Create global objects for use by the rest of the script +Dim GPM : Set GPM = CreateObject("GPMgmt.GPM") +Dim Constants : Set Constants = GPM.GetConstants() + +'/////////////////////////////////////// +'// Main script +'/////////////////////////////////////// + +' Handle command line arguments +Dim ArgumentList : Set ArgumentList = ProcessCommandLineArguments() +Dim szDomainName : szDomainName = ArgumentList.Item("Domain") +Dim szReportLocation : szReportLocation = ArgumentList.Item("ReportLocation") + +' Validate the path given +Dim bValidPath : bValidPath = ValidatePath(szReportLocation) + +If bValidPath = false Then + WScript.Echo "The path '" & szReportLocation & "' could not be found." + WScript.Echo "Verify the path exists." 
+ WScript.Quit +End If + +' Initialize the Domain object +Dim GPMDomain : Set GPMDomain = GPM.GetDomain(szDomainName, "", Constants.UseAnyDC) + +' Generate reports for all GPOs in the specified domain +GetReportsForAllGPOs szReportLocation, GPMDomain + +'/////////////////////////////////////// +'// Function Definitions +'/////////////////////////////////////// + +' Generates reports for all GPOs in the specified domain to a given file system location +Function GetReportsForAllGPOs(szReportLocation, GPMDomain) + + ' Create the search criteria object + Set GPMSearchCriteria = GPM.CreateSearchCriteria() + + ' Get all of the GPOs by passing in the blank + ' SearchCriteria + + Set GPOList = GPMDomain.SearchGPOs(GPMSearchCriteria) + + WScript.Echo "== Found " & GPOList.Count & " GPOs in " & GPMDomain.Domain & vbCrLf + + ' Loop through the list and print info for each GPO + iSuccessCount = 0 + iFailureCount = 0 + szReportName = "" + + For Each GPMGPO In GPOList + ' Generate the XML report + On Error Resume Next + Err.Clear + szReportName = GPMGPO.DisplayName & ".xml" + + ' Get rid of any invalid file name characters + szReportName = GetValidFileName(szReportName) + + WScript.Echo vbCrLf & "Generating XML report for GPO '" & GPMGPO.DisplayName & "'" + Set GPMResult = GPMGPO.GenerateReportToFile(Constants.ReportXML, szReportLocation & "\\" & CStr(szReportName)) + + If Err.Number <> 0 Then + WScript.Echo vbCrLf & "The attempt to generate the XML report failed for GPO " & GPMGPO.ID + WScript.Echo Hex(Err.Number) & " - " & Err.Description + iFailureCount = iFailureCount + 1 + bFailed = True + Else + + ' Call the OverallStatus method on the GPMResult. This will throw an exception if there + ' were any errors during the actual operation. 
+ GPMResult.OverallStatus + + If Err.Number <> 0 Then + ' If we were able to get a GPMResult object, print any status message errors + If Not GPMResult Is Nothing Then + PrintStatusMessages GPMResult + End If + + WScript.Echo vbCrLf & "The attempt to generate the XML report failed for GPO " & GPMGPO.ID + WScript.Echo Hex(Err.Number) & " - " & Err.Description + iFailureCount = iFailureCount + 1 + bFailed = True + End If + End If + + If Not bFailed = True Then + ' Print any status message warnings + PrintStatusMessages GPMResult + + iSuccessCount = iSuccessCount + 1 + + ' Generate the HTML report + On Error Resume Next + Err.Clear + szReportName = GPMGPO.DisplayName & ".html" + + ' Get rid of any invalid file name characters + szReportName = GetValidFileName(szReportName) + + WScript.Echo "Generating HTML report for GPO '" & GPMGPO.DisplayName & "'" + Set GPMResult = GPMGPO.GenerateReportToFile(Constants.ReportHTML, szReportLocation & "\\" & szReportName) + + If Err.Number <> 0 Then + WScript.Echo vbCrLf & "The attempt to generate the HTML report failed for GPO " & GPMGPO.ID + WScript.Echo Hex(Err.Number) & " - " & Err.Description + iFailureCount = iFailureCount + 1 + bFailed = True + Else + + ' Call the OverallStatus method on the GPMResult. This will throw an exception if there + ' were any errors during the actual operation. 
+ GPMResult.OverallStatus + + If Err.Number <> 0 Then + 'If we were able to get a GPMResult object, print any status message errors + If Not GPMResult Is Nothing Then + PrintStatusMessages GPMResult + End If + + WScript.Echo vbCrLf & "The attempt to generate the HTML report failed for GPO " & GPMGPO.ID + WScript.Echo Hex(Err.Number) & " - " & Err.Description + iFailureCount = iFailureCount + 1 + bFailed = True + End If + End If + + ' Print any status message warnings + If bFailed = False Then + PrintStatusMessages GPMResult + iSuccessCount = iSuccessCount + 1 + End If + End If + Next + + WScript.Echo vbCrLf & "Report generation succeeded for " & iSuccessCount & " reports." + WScript.Echo "Report generation failed for " & iFailureCount & " reports." + +End Function + + +' Returns a dictionary object +' containing the named arguments and values that were passed in +Function ProcessCommandLineArguments() + + Dim szReportLocation : szReportLocation = "" + Dim szDomainName : szDomainName = "" + + ' Check if this is cscript. If not, print an error and bail out + + If UCase(Right(WScript.FullName,11)) = "WSCRIPT.EXE" Then + WScript.Echo "You must use cscript.exe to execute this script." 
+ WScript.Quit(-1) + End If + + If WScript.Arguments.Length = 0 Then + + WScript.Arguments.ShowUsage() + WScript.Quit(-1) + End If + + Dim Result : Set Result = CreateObject("Scripting.Dictionary") + + szReportLocation = WScript.Arguments(0) + + If WScript.Arguments.Named.Exists("Domain") Then + + szDomainName = WScript.Arguments.Named("Domain") + End If + + ' Get the current domain if none was specified + If szDomainName = "" Then + + szDomainName = GetDNSDomainForCurrentUser() + End If + + + Result.Add "Domain" , szDomainName + Result.Add "ReportLocation" , szReportLocation + + + Set ProcessCommandLineArguments = Result + +End Function + +</script> + +<!-- Usage and command line argument information --> +<runtime> + +<description> +Generates reports for all GPOs in a given domain to the specified file system location. +</description> + +<unnamed name="ReportLocation" helpstring="File system location to save reports to" type="string" required="true" /> +<named name="Domain" helpstring="DNS name of domain" type="string" required="false"/> + +<example> +Example: GetReportsForAllGPOs.wsf c:\reports +</example> + +</runtime> + +</job>+ \ No newline at end of file diff --git a/VBScripts/Lib_CommonGPMCFunctions.js b/VBScripts/Lib_CommonGPMCFunctions.js 
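Review bot: `bFailed` in `GetReportsForAllGPOs` is set to `True` on any error but is never reset, so after the first GPO that fails, every later GPO skips the `If Not bFailed = True Then` block: its HTML report is not generated and it is counted neither as a success nor as a failure. The closing summary then under-reports both counts, which hides the fact that the report set is incomplete. Add `bFailed = False` as the first statement inside `For Each GPMGPO In GPOList`. Note also that `GetValidFileName` only strips characters, so two GPOs whose display names differ only in stripped characters would write to the same file; a comment on that, or appending `GPMGPO.ID` to the file name, would make the output unambiguous.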
@@ -0,0 +1,498 @@ +///////////////////////////////////////////////////////////////// +// Copyright (c) Microsoft Corporation. All rights reserved +// +// Title: Lib_CommonGPMCFunctions.js +// Author: mtreit@microsoft.com +// Created: 7/16/2002 +// Purpose: Provides a library of common helper functions +// for use when scripting the GPMC interfaces. +// +// This library must be included with the sample +// WSH scripts that ship with the GPMC +///////////////////////////////////////////////////////////////// + +/////////////////////////////////////// +// Initialization +/////////////////////////////////////// + +// Create global objects for use by all of the functions +var GPM = new ActiveXObject("GPMgmt.GPM"); +var Constants = GPM.GetConstants(); + +/////////////////////////////////////// +// Common Function Library +/////////////////////////////////////// + +// +// Note: The functions in this section are shared by +// many of the GPMC sample scripts. This section may be +// pasted directly in each individual script to ensure they +// will work stand-alone, or may be collected in a library +// file and accessed using the 'include' functionality +// provided by the WSF script format. +// + +// Takes a GPO name or GUID and returns the GPO +function GetGPO(szGPOName, GPMDomain) +{ + var GPO; + + // Get the GPO object for the specified GPO + try + { + GPO = GPMDomain.GetGPO(szGPOName); + } + catch (err) + { + // The attempt to get the GPO failed. The user may have + // passed in the name instead of GUID, so fetch by name. + try + { + GPO = GetGPOByName(szGPOName, GPMDomain); + } + catch (err) + { + WScript.Echo("Could not find GPO " + szGPOName); + return false; + } + } + + return GPO; + +} + + +// Given a GPO name or ID (GUID), returns that GPO from the directory. 
+// If no GPO is found, returns null +// If multiple GPOs exist by that name, returns the resulting collection +// +function GetGPOByName(szGPOName, GPMDomain) +{ + // Create a search criteria object for the name + var GPMSearchCriteria = GPM.CreateSearchCriteria(); + GPMSearchCriteria.Add(Constants.SearchPropertyGPODisplayName, Constants.SearchOpEquals, szGPOName); + + // Search for the specified GPO + var GPOList = GPMDomain.SearchGPOs(GPMSearchCriteria); + + if (GPOList.Count == 0) + { + return false; // No GPO found + } + + // The following could return a collection of multiple GPOs if more than one GPO + // with the same name exists in the domain + // + if (GPOList.Count == 1) + { + return GPOList.Item(1); + } + else + { + return GPOList; + } + +} + +// Retrieves the WMI filter with the specified name +function GetWMIFilter(szWMIFilterName, GPMDomain) +{ + var GPMSearchCriteria = GPM.CreateSearchCriteria(); + var FilterList = GPMDomain.SearchWMIFilters(); + var e = new Enumerator(FilterList); + var WMIFilter; + + for (; !e.atEnd(); e.moveNext()) + { + WMIFilter = e.item(); + if (WMIFilter.Name.toLowerCase() == szWMIFilterName.toLowerCase()) + { + return WMIFilter; + } + } + + return false; +} + +// Attempts to retrieve a SOM by name or path from the directory. Will return a single GPMSOM object, or +// an array of such objects if more than one with the given name is found. 
+// +function GetSOM(szSOMName, GPMDomain) +{ + + // Check if this is the domain level - if so, get the SOM for the domain and return it + if (szSOMName.toLowerCase() == GPMDomain.Domain.toLowerCase()) + { + return GPMDomain.GetSOM(""); // Returns the SOM representing the domain + } + + // First try to get the SOM, in case a valid LDAP-style path was passed in + try + { + var GPMSOM = GPMDomain.GetSOM(szSOMName); + } + catch (err) + { + try + { + // Might be a site instead of a domain or oU + GPMSOM = GPMSitesContainer.GetSite(szSOMName); + } + catch (err) + { + GPMSOM = false; + } + } + + if (GPMSOM) + { + return GPMSOM; + } + + // Search for the SOM by name, using ADSI + + // Create an array to hold the results, as we may find more than one SOM with the specified name + var aResult = new Array(); + + // Define ADS related values - see IADS.h + var ADS_SCOPE_BASE = 0; + var ADS_SCOPE_ONELEVEL = 1; + var ADS_SCOPE_SUBTREE = 2; + var ADSIPROP_CHASE_REFERRALS = 0x9; + var ADS_CHASE_REFERRALS_NEVER = 0; + var ADS_CHASE_REFERRALS_SUBORDINATE = 0x20; + var ADS_CHASE_REFERRALS_EXTERNAL = 0x40; + var ADS_CHASE_REFERRALS_ALWAYS = ADS_CHASE_REFERRALS_SUBORDINATE | ADS_CHASE_REFERRALS_EXTERNAL; + + var szLDAPSuffix = GPMDomain.GetSOM("").Path; + + // Create the ADO objects and open the connection + var ADOConnection = new ActiveXObject("ADODB.Connection"); + var ADOCommand = new ActiveXObject("ADODB.Command"); + ADOConnection.Provider = "ADsDSOObject"; + ADOConnection.Open("Active Directory Provider"); + ADOCommand.ActiveConnection = ADOConnection; + + // First look for OUs + var szDomainLDAPPath = "LDAP://" + szLDAPSuffix; + var szSQL = "select AdsPath from '" + EscapeString(szDomainLDAPPath) + "'"; + szSQL += " where Name='" + szSOMName + "'"; + + // Execute the search + ADOCommand.CommandText = szSQL; + ADOCommand.Properties("Page Size") = 1000; + ADOCommand.Properties("Timeout") = 500; + ADOCommand.Properties("SearchScope") = ADS_SCOPE_SUBTREE; + 
ADOCommand.Properties("Cache Results") = false; + ADOCommand.Properties("Chase Referrals") = ADS_CHASE_REFERRALS_EXTERNAL; // Needed when querying a different domain + + try + { + var rs = ADOCommand.Execute(); + } + catch (err) + { + WScript.Echo("There was an error executing the DS query " + szSQL); + WScript.Echo("The error was:"); + WScript.Echo(ErrCode(err.number) + " - " + err.description); + return false; + } + + var SOM; + while ( ! rs.eof ) + { + SOM = GetObject(rs.Fields(0)); + + // Ignore objects that are not OUs or the domain level + if (SOM.Class == 'organizationalUnit' || SOM.Class == 'fTDfs') + { + GPMSOM = GPMDomain.GetSOM(SOM.ADsPath) + aResult = aResult.concat(GPMSOM); + } + + rs.MoveNext(); + } + + // Get the LDAP suffix from the forest name + ForestDomain = GPM.GetDomain(szForestName, "", Constants.UseAnyDC); + szLDAPSuffix = ForestDomain.GetSOM("").Path; + + var szSitesLDAPPath = "LDAP://CN=Sites,CN=Configuration," + szLDAPSuffix; + var szSQL = "select AdsPath from '" + EscapeString(szSitesLDAPPath) + "'"; + szSQL += " where Name='" + szSOMName + "'"; + + // Execute the search + ADOCommand.CommandText = szSQL; + + try + { + var rs = ADOCommand.Execute(); + } + catch (err) + { + WScript.Echo("There was an error executing the DS query " + szSQL); + WScript.Echo("The error was:"); + WScript.Echo(ErrCode(err.number) + " - " + err.description); + return false; + } + + while ( ! 
rs.eof ) + { + SOM = GetObject(rs.Fields(0)); + if (SOM.Class == 'site') + { + GPMSOM = GPMSitesContainer.GetSite(SOM.Name) + aResult = aResult.concat(GPMSOM); + } + + rs.MoveNext(); + } + + // Cleanup + ADOConnection.Close(); + + // Return the result + if (aResult.length == 1) + { + return aResult[0]; + } + + if (aResult.length == 0) + { + return false; + } + + return aResult; +} + +// Retrieves a specific backup from the specified location +function GetBackup(szBackupLocation, szBackupID) +{ + var GPMBackup; + var GPMBackupDir; + + // Get the backup directory specified + try + { + GPMBackupDir = GPM.GetBackupDir(szBackupLocation); + } + catch (err) + { + WScript.Echo("The specified backup folder '" + szBackupLocation + "' could not be accessed."); + return false; + } + + // See if we were passed a valid backup ID + try + { + GPMBackup = GPMBackupDir.GetBackup(szBackupID); + } + catch (err) + { + GPMBackup = false; + } + + if (!GPMBackup) + { + // Not a valid backup ID, so fetch backup by GPO name + var GPMSearchCriteria = GPM.CreateSearchCriteria(); + GPMSearchCriteria.Add(Constants.SearchPropertyBackupMostRecent, Constants.SearchOpEquals, true); + GPMSearchCriteria.Add(Constants.SearchPropertyGPODisplayName, Constants.SearchOpEquals, szBackupID); + var BackupList = GPMBackupDir.SearchBackups(GPMSearchCriteria); + + if (BackupList.Count == 0) + { + WScript.Echo("The specified backup '" + szBackupID + "' was not found in folder '" + szBackupLocation); + return false; + } + else + { + GPMBackup = BackupList.Item(1); + } + } + + return GPMBackup; +} + +// Prints any status messages for a GPO operation, such as backup or import +function PrintStatusMessages(GPMResult) +{ + var GPMStatus = GPMResult.Status; + + if (GPMStatus.Count == 0) + { + // No messages, so just return + return; + } + + WScript.Echo(""); + var e = new Enumerator(GPMStatus); + for (; !e.atEnd(); e.moveNext()) + { + WScript.Echo(e.item().Message); + } +} + +// Returns the DNS domain name for the 
current user, using ADSI +function GetDNSDomainForCurrentUser() +{ + + var ADS_NAME_INITTYPE_DOMAIN = 1; + var ADS_NAME_INITTYPE_SERVER = 2; + var ADS_NAME_INITTYPE_GC = 3; + + var ADS_NAME_TYPE_1779 = 1; // "CN=Jane Doe,CN=users, DC=Microsoft, DC=com" + var ADS_NAME_TYPE_CANONICAL = 2; // "Microsoft.com/Users/Jane Doe". + var ADS_NAME_TYPE_NT4 = 3; // "Microsoft\JaneDoe" + var ADS_NAME_TYPE_DISPLAY = 4; // "Jane Doe" + var ADS_NAME_TYPE_DOMAIN_SIMPLE = 5; // "JaneDoe@Microsoft.com" + var ADS_NAME_TYPE_ENTERPRISE_SIMPLE = 6; // "JaneDoe@Microsoft.com" + var ADS_NAME_TYPE_GUID = 7; // {95ee9fff-3436-11d1-b2b0-d15ae3ac8436} + var ADS_NAME_TYPE_UNKNOWN = 8; // The system will try to make the best guess + var ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9; // "JaneDoe@Fabrikam.com" + var ADS_NAME_TYPE_CANONICAL_EX = 10; // "Microsoft.com/Users Jane Doe" + var ADS_NAME_TYPE_SERVICE_PRINCIPAL_NAME = 11; // "www/www.microsoft.com@microsoft.com" + var ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME = 12; // "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)" + + + var objWshNetwork = new ActiveXObject("Wscript.Network"); + var objectNameTranslate = new ActiveXObject("NameTranslate"); + var arrNamePart; + var strNTPath = ""; + var strTranslatedName = ""; + var strResult = ""; + + strUser = objWshNetwork.UserName; + strDomain = objWshNetwork.UserDomain; + strNTPath = strDomain + "\\" + strUser; + + objectNameTranslate.Init(ADS_NAME_INITTYPE_DOMAIN, strDomain); + objectNameTranslate.Set(ADS_NAME_TYPE_NT4, strNTPath); + strTranslatedName = objectNameTranslate.Get(ADS_NAME_TYPE_CANONICAL); + + arrNamePart = strTranslatedName.split("/"); + strResult = arrNamePart[0]; + + return strResult; +} + +// Use ADSI to get the LDAP-style forest name of a given domain +function GetForestLDAPPath(szDomainName) +{ + // Get the RootDSE naming context for the specified domain + var RootDSE = GetObject("LDAP://" + szDomainName + "/RootDSE"); + + // Initialize the property cache + RootDSE.GetInfo(); + + // Now get the 
forest name + var szForestName = RootDSE.rootDomainNamingContext; + + return szForestName; +} + +// Use ADSI to get the forest name of a given domain +function GetForestDNSName(szDomainName) +{ + var ADS_NAME_INITTYPE_DOMAIN = 1; + var ADS_NAME_INITTYPE_SERVER = 2; + var ADS_NAME_INITTYPE_GC = 3; + + var ADS_NAME_TYPE_1779 = 1; // "CN=Jane Doe,CN=users, DC=Microsoft, DC=com" + var ADS_NAME_TYPE_CANONICAL = 2; // "Microsoft.com/Users/Jane Doe". + var ADS_NAME_TYPE_NT4 = 3; // "Microsoft\JaneDoe" + var ADS_NAME_TYPE_DISPLAY = 4; // "Jane Doe" + var ADS_NAME_TYPE_DOMAIN_SIMPLE = 5; // "JaneDoe@Microsoft.com" + var ADS_NAME_TYPE_ENTERPRISE_SIMPLE = 6; // "JaneDoe@Microsoft.com" + var ADS_NAME_TYPE_GUID = 7; // {95ee9fff-3436-11d1-b2b0-d15ae3ac8436} + var ADS_NAME_TYPE_UNKNOWN = 8; // The system will try to make the best guess + var ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9; // "JaneDoe@Fabrikam.com" + var ADS_NAME_TYPE_CANONICAL_EX = 10; // "Microsoft.com/Users Jane Doe" + var ADS_NAME_TYPE_SERVICE_PRINCIPAL_NAME = 11; // "www/www.microsoft.com@microsoft.com" + var ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME = 12; // "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)" + + + // Get the RootDSE naming context for the specified domain + var RootDSE = GetObject("LDAP://" + szDomainName + "/RootDSE"); + + // Initialize the property cache + RootDSE.GetInfo(); + + // Now get the forest name + var szForestName = RootDSE.rootDomainNamingContext; + + // Translate it to DNS style + var objectNameTranslate = new ActiveXObject("NameTranslate"); + objectNameTranslate.Init(ADS_NAME_INITTYPE_DOMAIN, szDomainName); + objectNameTranslate.Set(ADS_NAME_TYPE_1779, szForestName); + + var szTranslatedName = objectNameTranslate.Get(ADS_NAME_TYPE_CANONICAL); + + return szTranslatedName.slice(0,-1); +} + +// Escapes certain characters in a string so they will work with SQL statements +function EscapeString(str) +{ + var result; + + // Handle single quotes + var re = new RegExp(/'/g); + result = 
str.replace(re, "''"); + return result; +} + +// Replaces invalid characters in a file name +function GetValidFileName(str) +{ + var result = str; + result = result.replace(/\*/g, ""); + result = result.replace(/\\/g, ""); + result = result.replace(/\//g, ""); + result = result.replace(/\|/g, ""); + result = result.replace(/>/g, ""); + result = result.replace(/</g, ""); + result = result.replace(/:/g, ""); + result = result.replace(/\"/g, ""); + result = result.replace(/\?/g, ""); + + return result; +} + +// Checks if the specified file system path is valid. +// Returns true if the path is found, false otherwise. +// +function ValidatePath(szPath) +{ + var fso = new ActiveXObject("Scripting.FileSystemObject"); + try + { + var Path = fso.GetFolder(szPath); + } + catch (err) + { + return false; + } + + return true; +} + +// Returns the hexadecimal string for a number, converting negative decimal +// values to the appropriate winerror style hex values +// +function ErrCode(i) +{ + var result; + + if (i < 0) + { + // Get the winerror-style representation of the hex value + result = 0xFFFFFFFF + i + 1; + } + else + { + result = i; + } + + return "0x" + result.toString(16); // base 16 +} diff --git a/VBScripts/ListAllGPOs.wsf b/VBScripts/ListAllGPOs.wsf 
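Review bot: In `GetSOM`, both ADSI queries append the caller-supplied name unescaped, `szSQL += " where Name='" + szSOMName + "'";`, although the LDAP path on the line before goes through `EscapeString`. A name containing a single quote breaks the statement or alters its filter, so both occurrences (the OU search and the sites search) should read `szSQL += " where Name='" + EscapeString(szSOMName) + "'";`. The same function also reads `GPMSitesContainer` and `szForestName`, neither of which is defined anywhere in this library, so it appears to depend on the including script defining them as globals; a header comment stating that requirement, or passing them as parameters, would make the dependency explicit. The early `return false` paths after a failed `ADOCommand.Execute()` also skip `ADOConnection.Close()`.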
@@ -0,0 +1,315 @@ +'//////////////////////////////////////////////////////////////////////////// +'// Copyright (c) Microsoft Corporation. All rights reserved +'// +'// Title: ListAllGPOs.wsf +'// Author: mtreit@microsoft.com +'// Created: 10/11/2001 +'// Purpose: Lists all GPOs in a domain +'// Revision: Ported from JScript->VBScript by dtsaltas [September 15, 2002] +'//////////////////////////////////////////////////////////////////////////// + +'/////////////////////////////////////// +'// Initialization +'/////////////////////////////////////// +<job> + +' Include necessary libraries +<script language="JScript" src="Lib_CommonGPMCFunctions.js"/> +<script language="VBScript"> + +' Create global objects for use by all of the functions +Set GPM = CreateObject("GPMgmt.GPM") +Set Constants = GPM.GetConstants() + +' Define flags needed for querying SecurityDescriptor +Dim bOwner : bOwner = true +Dim bGroup : bGroup = false +Dim bDACL : bDACL = false +Dim bSACL : bSACL = false + +' If you don't have write permissions on a GPO, querying for the SACL +' will fail. The following gives you the necessary flags to only query +' for the 'owner' part of the security descriptor, which is all we care +' about in most cases. 
'Owner' can be read with read-only rights
+Dim SecurityFlags
+
+SecurityFlags = Constants.SecurityFlags(bOwner, bGroup, bDACL, bSACL)
+
+'///////////////////////////////////////
+'// Main script
+'///////////////////////////////////////
+
+' Handle command line arguments
+Dim ArgumentList
+Dim szDomainName
+Dim bVerbose
+
+
+Set ArgumentList = ProcessCommandLineArguments
+szDomainName = ArgumentList.Item("Domain")
+bVerbose = ArgumentList.Item("Verbose")
+
+' Initialize the Domain object
+Dim GPMDomain
+Set GPMDomain = GPM.GetDomain(szDomainName,"", Constants.UseAnyDC)
+
+' Print the list OF GPOs in the domain
+ListDomainGPOs(GPMDomain)
+
+'///////////////////////////////////////
+'// Function Definitions
+'///////////////////////////////////////
+
+' Print information about a GPO
+Function PrintGPOInfo(GPMGPO)
+
+ WScript.Echo "Name:" & vbTab & GPMGPO.DisplayName
+ WScript.Echo "ID:" & vbTab & GPMGPO.ID & vbCrLf
+
+End Function
+
+
+' Print detailed information about a given GPO
+Function PrintDetailedGPOInfo(GPMGPO)
+
+ WScript.Echo "=============================================="
+ WScript.Echo "Name:" & vbTab & GPMGPO.DisplayName
+ WScript.Echo "ID:" & vbTab & GPMGPO.ID
+
+ ' Print the GPO details
+ PrintGPODetails GPMGPO
+
+ ' Print apply rights
+ PrintGPOPermissions GPMGPO, Constants.PermGPOApply
+
+ ' Print edit rights
+ PrintGPOPermissions GPMGPO, Constants.PermGPOEdit
+
+ ' Print edit, modify security and delete rights
+ PrintGPOPermissions GPMGPO, Constants.PermGPOEditSecurityAndDelete
+
+ ' Print read rights
+ PrintGPOPermissions GPMGPO, Constants.PermGPORead
+
+ ' Print custom rights
+ PrintGPOPermissions GPMGPO, Constants.PermGPOCustom
+
+ ' Print the list of links
+ PrintGPOLinks GPMGPO
+
+ WScript.Echo vbCrLf
+ WScript.Echo "==============================================" & vbCrLf
+
+End Function
+
+' Print detailed information about a GPO
+Function PrintGPODetails(GPMGPO)
+
+ Dim strCreated : strCreated = GPMGPO.CreationTime
+ Dim strChanged : strChanged = GPMGPO.ModificationTime
+ Dim strOwner : strOwner = GPMGPO.GetSecurityDescriptor(SecurityFlags).Owner
+
+ WScript.Echo vbCrLf
+ WScript.Echo "-- Details --"
+ WScript.Echo "Created:" & vbTab & strCreated
+ WScript.Echo "Changed:" & vbTab & strChanged
+ WScript.Echo "Owner:" & vbTab & vbTab & strOwner
+
+ WScript.Echo vbCrLf
+ WScript.Echo "User Enabled:" & vbTab & GPMGPO.IsUserEnabled
+ WScript.Echo "Mach Enabled:" & vbTab & GPMGPO.IsComputerEnabled
+
+ WScript.Echo vbCrLf
+ WScript.Echo "-- Version Numbers --"
+ '[todo] - variant types of the following not supported in VBScript
+ WScript.Echo "User DS:" & vbTab & CLng(GPMGPO.UserDSVersionNumber)
+ WScript.Echo "User Sysvol:" & vbTab & CLng(GPMGPO.UserSysvolVersionNumber)
+ WScript.Echo "Mach DS:" & vbTab & CLng(GPMGPO.ComputerDSVersionNumber)
+ WScript.Echo "Mach Sysvol:" & vbTab & CLng(GPMGPO.ComputerSysvolVersionNumber)
+
+End Function
+
+' Print the list of trustees with a particular set of permissions on a GPO
+Function PrintGPOPermissions(GPMGPO, PermissionType)
+
+ ' Print out a header identifying the type of rights being listed
+ Dim strHeader : strHeader = ""
+ Select Case PermissionType
+
+ Case Constants.PermGPOApply
+ strHeader = vbCrLf & "-- Who this GPO applies to --"
+
+
+ Case Constants.PermGPOEdit:
+ strHeader = vbCrLf & "-- Who can edit this GPO --"
+
+
+ Case Constants.PermGPOEditSecurityAndDelete:
+ strHeader = vbCrLf & "-- Who can edit settings, modify security and delete this GPO --"
+
+
+ Case Constants.PermGPORead:
+ strHeader = vbCrLf & "-- Who only has Read access --"
+
+
+ Case Constants.PermGPOCustom:
+ strHeader = vbCrLf & "-- Who has custom permissions --"
+
+ End Select
+
+ ' WScript.Echo strHeader
+
+ ' Get the list of security settings on this GPO
+ Dim GPMSecurityInfo
+ Set GPMSecurityInfo = GPMGPO.GetSecurityInfo()
+
+ ' Print out the groups who have the specified permission
+
+ Dim GPOPermission
+ Dim strTrusteeName
+
+ For Each GPOPermission in GPMSecurityInfo
+
+ strTrusteeName = ""
+ If GPOPermission.Permission = PermissionType Then
+ On Error Resume Next
+ strTrusteeName = GPOPermission.Trustee.TrusteeName
+ If Err.Number <> 0 Then
+ strTrusteeName = GPOPermission.Trustee.TrusteeSid
+ End If
+ WScript.Echo strTrusteeName
+ End If
+ Next
+End Function
+
+' Print all places a given GPO is linked
+Function PrintGPOLinks(GPMGPO)
+
+ ' Search for all SOM links for this GPO
+ Dim objGPMSearchCriteria
+ Set objGPMSearchCriteria = GPM.CreateSearchCriteria()
+ objGPMSearchCriteria.Add Constants.SearchPropertySOMLinks, Constants.SearchOpContains, GPMGPO
+
+ WScript.Echo vbCrLf & "-- Where this GPO is linked --"
+
+ On Error Resume Next
+ Dim SOMList : Set SOMList = GPMDomain.SearchSOMs(objGPMSearchCriteria)
+ If Err.Number <> 0 Then
+ WScript.Echo Err.Number '[todo] port ErrCode function....use here??
+ WScript.Echo Err.Description
+ End If
+
+ If SOMList.Count = 0 Then
+ WScript.Echo "No links found for this GPO."
+ Exit Function
+ End If
+
+ ' Print out all links that were found
+
+ Dim SOM
+ Dim strSOMType
+ For Each SOM in SOMList
+ Select Case SOM.Type
+ Case Constants.SOMSite
+ strSOMType = "Site"
+
+ Case Constants.SOMDomain
+ strSOMType = "Domain"
+
+ case Constants.SOMOU
+ strSOMType = "OU"
+ End Select
+
+ WScript.Echo SOM.Name & " (" & strSOMType & ")"
+ Next
+
+End Function
+
+' Takes a WScript.Arguments object and returns a dictionary object
+' containing the named arguments and values that were passed in
+Function ProcessCommandLineArguments
+ Dim szDomainName : szDomainName = ""
+ Dim bVerbose : bVerbose = false
+
+ ' Check if this is cscript. If not, print an error and bail out
+
+ If UCase(Right(WScript.FullName,11)) = "WSCRIPT.EXE" Then
+ WScript.Echo "You must use cscript.exe to execute this script."
+ WScript.Quit(-1)
+ End If
+
+ Dim Result
+ Set Result = CreateObject("Scripting.Dictionary")
+
+ If WScript.Arguments.Length > 0 Then
+ If WScript.Arguments.Named.Exists("V") Then
+ bVerbose = true
+ End If
+
+ If WScript.Arguments.Named.Exists("Domain") Then
+ szDomainName = WScript.Arguments.Named("Domain")
+ End If
+ End If
+
+ ' Get the current domain if none was specified
+ If szDomainName = "" Then
+ szDomainName = GetDNSDomainForCurrentUser()
+ End If
+
+ Result.Add "Verbose", bVerbose
+ Result.Add "Domain", szDomainName
+
+ Set ProcessCommandLineArguments = Result
+End Function
+
+' Print out a list of all GPOs in the domain
+Function ListDomainGPOs(GPMDomain)
+ ' Create the search criteria object
+ Dim GPMSearchCriteria
+ Set GPMSearchCriteria = GPM.CreateSearchCriteria
+
+ ' Get all of the GPOs by passing in the blank
+ ' SearchCriteria
+ Dim GPOList
+ Set GPOList = GPMDomain.SearchGPOs(GPMSearchCriteria)
+
+ ' Now print out the list
+ Dim GPMGPO
+
+ If bVerbose = false Then
+ WScript.Echo "** For detailed info use the '/v' switch **" & vbCRLF
+ End If
+
+ WScript.Echo "== Found " & GPOList.Count & " GPOs in " & szDomainName & " ==" & vbCRLF
+
+ ' Loop through the list and print info for each GPO
+ For Each GPMGPO in GPOList
+ If bVerbose = true Then
+ PrintDetailedGPOInfo(GPMGPO)
+
+ Else
+ PrintGPOInfo(GPMGPO)
+ End If
+ Next
+End Function
+
+</script>
+
+
+<!-- Usage and command line argument information -->
+<runtime>
+
+<description>
+Prints out data about all GPOs in a domain.
+</description>
+
+<named name="v" helpstring="Verbose mode - displays detailed information about each GPO" type="simple" required="false" />
+<named name="Domain" helpstring="DNS name of domain to query" type="string" required="false" />
+
+<example>
+Example: ListAllGPOs.wsf /v
+</example>
+
+</runtime>
+
+</job>+
\ No newline at end of file
diff --git a/VBScripts/findorphanedGPOsInSYSVOL.wsf b/VBScripts/findorphanedGPOsInSYSVOL.wsf
@@ -0,0 +1,126 @@
+'////////////////////////////////////////////////////////////////////////////
+'// Copyright (c) Microsoft Corporation. All rights reserved
+'//
+'// Title: FindOrphanedGPOs.wsf
+'// Author: jstatia@microsoft.com
+'// Created: 01/2/2003
+'//
+'// Purpose: Finds All Orphaned GPO objects in Sysvol with no AD Source
+'// and Prints them out
+'////////////////////////////////////////////////////////////////////////////
+
+'//////////////////////////////////////
+'/ Initialization
+'/////////////////////////////////////
+ <job>
+
+<script language="VBSCRIPT">
+Option Explicit
+on error resume next
+
+'///////////////////////////////////////
+'// Main script
+'///////////////////////////////////////
+
+''// Handle command line arguments
+dim ArgumentList
+dim szDomainName, szDomainSysvolPolicy,szFolder, szFullADPol, szObject, szBase, szADPol
+dim fsoFILE, foPolicy, Folder
+dim iCtr
+dim ldapRoot
+
+ProcessCommandLineArguments WScript.Arguments, ArgumentList
+szDomainName = ArgumentList.Item("Domain")
+
+szDomainSysvolPolicy = "\\" & szDomainName & "\sysvol\" & szDomainName & "\policies"
+
+set fsoFile = CreateObject("Scripting.FileSystemObject")
+
+set foPolicy = fsoFile.GetFolder(szDomainSysvolPolicy)
+if err then
+ Show_Error(err)
+end if
+
+szBase = replace(szDomainName,".",",DC=")
+szADPol = "CN=Policies,CN=System,DC=" & szBase
+
+WScript.Echo "Policies Not In AD But Located in:"
+WScript.Echo " " & szDomainSysvolPolicy
+WScript.Echo ""
+
+iCtr = 0
+for each Folder in foPolicy.SubFolders
+ szBase = "CN=" & Folder.Name & "," & szADPol
+ szObject = "LDAP://" & szDomainName & "/" & szBase
+ Set ldapRoot = GetObject(szObject)
+ if err then
+ WScript.Echo " " & Folder.Name
+ iCtr = iCtr + 1
+ err.clear
+ end if
+next
+
+WScript.Echo ""
+WScript.Echo "Total Orphaned GPO's: " & iCtr
+
+
+'///////////////////////////////////////
+'// Function Definitions
+'///////////////////////////////////////
+
+Public Sub Show_Error(e)
+ WScript.Echo "An Error Has Occured"
+ WScript.Echo "Error Number: " & e.number
+ WScript.Echo "Error Description: " & e.description
+' WScript.Quit(1)
+End Sub
+
+'Takes a WScript.Arguments object and returns a dictionary object
+'containing the named arguments and values that were passed in
+public Sub ProcessCommandLineArguments ( Arguments, Result)
+ dim szDomainName
+
+ szDomainName = ""
+
+ '// Check if this is cscript. If not, print an error and bail out
+ if instr(lcase(WScript.FullName),"wscript") <> 0 Then
+ WScript.Echo "You must use cscript.exe to execute this script."
+ WScript.Quit(1)
+ end if
+ if not IsObject(Result) then
+ set Result = CreateObject("Scripting.Dictionary")
+ end if
+
+ if Arguments.Named.Exists("Domain") Then
+ szDomainName = Arguments.Named("Domain")
+ End IF
+
+ '// Get the current domain if none was specified
+ if szDomainName = "" Then
+ szDomainName = GetDNSDomainForCurrentUser()
+ end If
+
+ Result.add "Domain", szDomainName
+End Sub
+
+ </script>
+
+ <!-- Usage and command line argument information -->
+ <runtime>
+
+ <description>
+ Finds and prints all GPOs in SYSVOL with no corresponding Active Directory (AD) source.
+ These GPOs are usually referred to as orphaned GPOs. A GPO can become orphaned usually in two different ways: 1) if the
+ GPO is deleted directly through ADSI edit. 2) if the GPO was deleted by someone that had permissions to do so in AD, but not in Sysvol.
+ In this case, the AD portion of the GPO would be deleted but the SYSVOL portion of the GPO would be left behind.
+ </description>
+
+ <named name="Domain" helpstring="DNS name of domain" type="string" required="false" />
+
+ <example>
+ Example: FindOrphanedGPOs.wsf /domain:Test.MyDomain.com
+ </example>
+
+ </runtime>
+
+ </job>
diff --git a/_config.yml b/_config.yml
@@ -1 +0,0 @@
-theme: jekyll-theme-hacker-
\ No newline at end of file
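Review bot: In the `for each Folder in foPolicy.SubFolders` loop of findorphanedGPOsInSYSVOL.wsf, any failure of `GetObject(szObject)` is counted as an orphaned GPO, so an unreachable domain controller or an access-denied bind would report live policies as orphans, and a cleanup based on this output could remove SYSVOL folders that are still in use. Count a folder only when the directory answers that the object does not exist, for example `if err.number = &H80072030 then`, and send every other error through `Show_Error` without incrementing `iCtr`. The earlier `GetFolder` check has a related gap: `Show_Error` returns because its `WScript.Quit(1)` is commented out, so the script goes on to print a total that reads like a clean result. `GetDNSDomainForCurrentUser()` is also not defined or included anywhere in this file as shown, so running without `/Domain` presumably fails silently under `on error resume next`.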