Top Tools for Top Administrators


Article by Mark Boyd, www.simpleit.tumblr.com

Thursday, 23 June 2011

Top tools for top administrators (part 1 of 4)

All of the information presented in this article is the opinion of the author, not the opinion of any of the vendors mentioned. The author's experience is in the Managed Services Provider sector, more specifically the Education vertical.

Top tools for top administrators: learn to use simple tools for advanced insight into your network

This is article one of four. Article one will cover Wireshark, PowerShell, Subinacls, and Get-ACL.

This article is another one of those "Have you ever had a problem you can't fix?" articles. In this article you will come across a whole raft of tools that are easy to use, but produce powerful results. I recently did a job for a customer auditing their internal file systems, server by server. The customer was a Microsoft shop, so it was relatively easy to right click on a folder and check the properties, but for 10 servers? None of that manual rubbish for me. We are all about automation.

Now I am the first person to admit my programming skills are lacking, but I am guessing that even with a general lack of programming skills, I can show you how to steal someone else's script and adapt it for your environment.

Along the way, I will be plugging upwards of 20 or so tools that I think are underrated, and should be in every good I.T administrator's toolbox. Some of the tools are native to the operating system, some aren't. All of the tools, unless otherwise specified, are completely free.

Let's begin; here are the tools we are going to look at. You might find you know all of these tools already; don't stop reading, you might find some cool tips and tricks to help you achieve things you never knew were possible. Note that some of the tools mentioned below are obvious and mainstream (Microsoft Excel for one). I use these tools to complement the task I want to carry out, and they are not used to specifically solve some of the problems I may describe below.

Wireshark, PowerShell, Get-ACL, Subinacls, Excel [1], vbScript, Process Explorer, PowerGUI, PuTTY, Tftpd32, nMap, LDIFDE, MSBPA, TcpView

All of the above mentioned tools and technologies allow an I.T administrator to extract nearly any information needed for the successful audit and administration of any Microsoft desktop / server environment.

[1] I will not be explaining how to use Excel. You know what it is and how to use it. It is a supporting tool.


These products perform the following functions, including but not limited to:

Product | Usage
Wireshark | Samples traffic travelling across the network
Subinacls | Used to audit NTFS share permissions against disk volumes
Get-Acls | Used to audit NTFS share permissions against disk volumes
Microsoft PowerShell | Command line driven desktop or server admin tool. Similar to vbScript but more robust
Microsoft Excel | Excel is used to collate and post-process the volumes of data collected by Get-Acls
Microsoft Visual Basic Script | Used for scripting and automation where PowerShell is not fit for purpose
PowerGUI | Used for generating PowerShell scripts automatically
PuTTY | Remote telnet / SSH control of switches, routers, firewalls etc.
TFTPD32 | A simple, powerful telnet server
nMap | Used to discover and analyse the threats that may exist from remote systems and users
Microsoft LDIFDE | Used to audit, query, and export Microsoft Active Directory
MSBPA | Microsoft Exchange / SQL Best Practice Analyser for Exchange and SQL security

Introducing Wireshark:

Wireshark (formerly Ethereal) is a packet capture tool, incredibly powerful in good or evil hands respectively. Wireshark can be used for the analysis of any data travelling across any network, ever, full stop, the end. Wireshark is used both for traffic analysis and troubleshooting. I have written an article that addresses what this application is capable of here. It is worth mentioning here though.

I had one issue where I was at a medium site, say 1200 desktops, 2 domain controllers, and 2 file servers. File server 1 was working properly; the staff members that needed their files would happily work away, everything was sweet. The second file server however was not so great: at seemingly random times of the day, the file server would crash.

Bring on the investigation. All servers were on the same subnet, and all physical links back to the servers were healthy (they were in a vSphere setup). When the drop out happened, it would affect everyone organisation wide. It made no sense. We had very little idea of what was causing it. The only symptom was that clients would lose the ability to access anything this file server hosted.

At the time I was a junior, but I worked very closely with the Sys Admin and the I.T Manager, both amazingly talented guys I'd work with again any day. We were all puzzled. Of course after the second or third day, as pressure mounted to get a solution, we called in Microsoft. An engineer worked on the issue for us; he took memory dumps of the server and did heaps of analysis. All he could tell us to do was to rebuild the server as a 2008 box and migrate the data. This idea didn't go down too well with us; at least I should say we weren't interested in band-aid fixes.

http://tinyurl.com/wirehsharkfortrafficananalysis

At the time, I figured while they were looking at it, it wouldn't hurt to explore every option known to man. Enter Wireshark. I first learnt about Wireshark when it was called Ethereal; I sat a security course at university where we used it to analyse live packets and identify traffic that contained usernames and passwords (packet capture software really does capture everything: encrypt your data, people).

So I installed Wireshark on a test machine and the file server. We had narrowed the time of day when the problem happened down to lunch time. We sat and waited and sure enough, the system crashed. I had 10 solid minutes of logs on each end.

The amount of traffic captured was minimal on the desktop: some broadcast traffic, printers talking, and VMware ESX host announcements, but it was pretty clear what was going on.

We filtered down to only the traffic we wanted to see:

Source: Desktop client
Destination: Management subnet
Traffic type: TCP traffic, and CIFS traffic in particular (CIFS is the Windows file sharing protocol)
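The three-line narrowing above is what Wireshark's display filter language does. As an added example (not from the original article), this PowerShell script applies the same filter to a saved capture using tshark, the command line half of Wireshark, and adds a second filter for the same desktop's conversation with the domain controllers, which is where a Group Policy refresh (LDAP queries plus SMB reads of SYSVOL) shows up. tshark being on PATH, the capture file path and every IP address are assumptions; substitute your own.

```powershell
# Added example, not part of the original article. Assumes tshark (installed with
# Wireshark) is on PATH and that the capture was saved from the desktop side.
# Placeholder addresses: desktop 10.10.20.55, management subnet 10.10.0.0/24,
# domain controllers 10.10.0.11 and 10.10.0.12.
$Capture = 'C:\Captures\lunchtime-desktop.pcapng'
$Desktop = '10.10.20.55'
$MgmtNet = '10.10.0.0/24'
$Dcs     = '10.10.0.11', '10.10.0.12'

# Run a Wireshark display filter over a saved capture and write the matching frames
# out as CSV. -r reads the file, -Y is the display filter, -T fields picks columns.
function Export-FilteredFrames {
    param([string]$Filter, [string]$OutFile)
    $tsharkArgs = @('-r', $Capture, '-Y', $Filter, '-T', 'fields',
                    '-E', 'header=y', '-E', 'separator=,',
                    '-e', 'frame.time_relative', '-e', 'ip.src', '-e', 'ip.dst',
                    '-e', 'tcp.dstport', '-e', '_ws.col.Info')
    & tshark @tsharkArgs | Set-Content -Path $OutFile
    # Number of frames matched (header line excluded)
    return @(Get-Content -Path $OutFile).Count - 1
}

# Filter 1: the view the article describes. Desktop to the management subnet,
# TCP only, narrowed to CIFS/SMB by the smb and smb2 dissectors.
$toFileServer = "ip.src == $Desktop && ip.dst == $MgmtNet && tcp && (smb || smb2)"

# Filter 2: the same desktop talking to the domain controllers. Group Policy
# processing appears here as LDAP to the DC and SMB reads from the SYSVOL share,
# so lining the two CSVs up on frame.time_relative shows what the client was busy
# with at the moment the file server traffic stopped.
$dcClause = ($Dcs | ForEach-Object { "ip.dst == $_" }) -join ' || '
$toDcs    = "ip.src == $Desktop && ($dcClause) && (ldap || kerberos || smb || smb2)"

$n1 = Export-FilteredFrames -Filter $toFileServer -OutFile 'C:\Captures\file-server.csv'
$n2 = Export-FilteredFrames -Filter $toDcs        -OutFile 'C:\Captures\domain-controllers.csv'
Write-Host "file server frames: $n1, domain controller frames: $n2"
```

The same two filter strings can be pasted straight into the Wireshark GUI filter bar; the script version is there so the capture from the file server end can be processed with the same filters without clicking through it by hand.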

The problem was, nothing showed up that led us to the cause. We saw the failure: traffic one second, no traffic the next between the desktop and the file server. The true beauty of Wireshark is that it exposed all traffic; we never would have guessed the problem, and not even Microsoft themselves thought of it or saw it. The desktop, every single time it dropped out, was doing a gpupdate. We hadn't looked at this before; why would gpupdate cause connectivity to a file server to drop out?

This is what the logs showed. When the gpupdate was happening, it was contacting domain controller 1 to make sure its policy was correct, and at the same time it also checked against DC2. So let's not ramble on: we looked at the group policy objects, and they looked the same on each server. I looked at NFS; replication was happening as it should. Microsoft released what they call the Adminpak, and inside it is one of the most valuable tools you could ever come across, called GPOTOOL. I ran gpotool and found the problem. The Sysvol folder that held the Group Policy object replication data had corrupted; one domain controller had different info to the other. When the clients were checking in and doing a group policy update, they were getting corrupt data, their connection to the file server was part of that corrupt object, and day after day, the connection to the file server would be killed.

We repaired the group policy objects and the problem went away. Wireshark had pointed us in the right direction: it showed us all the traffic back and forth, start to finish. Analysis of that data showed us that there was categorically nothing wrong with the file server / desktop. What it did show us was that there was a big issue connecting to a domain controller when it needed to.

Wireshark 1, Microsoft 0.

Wireshark can be downloaded from here.

Price: Free

http://www.wireshark.org/download.html

Introducing PowerShell

I am going to come right out and say it. If you are a server administrator, and you are not using PowerShell, you are not doing your job properly. It is as simple as that. Let me be politically incorrect for a minute and say that Microsoft PowerShell is cmd.exe on steroids.

Microsoft PowerShell is cmd.exe, it is vbScript, it is WMI all rolled into one. You can access .Net methods if you like. It is an incredibly powerful command line shell.

There is one key thing you should know about PowerShell. That is CMDLETS.

CMDLETS (commandlets) are like built in variables or functions; certain cmdlets do certain things on certain systems, that is, they are mini tools if you like. PowerShell is a feature built into Server 2008.

It is late at night and I don't want to type a thesis on which PowerShell version you should use, and which platform it works on. Google "Download PowerShell" and download version 2 if you can download it as a standalone version. Failing that, Programs and Features on your server will get you there.

Basically, open PowerShell and run these CMDLETS. (Cmdlets are for Microsoft Active Directory)

CMDLET | Server Role | Expected Result
Get-ACL | Any | Gets permissions of a specified file or folder
Add-ADComputerServiceAccount | Active Directory | Adds a service account to Active Directory
Add-ADGroupMember | Active Directory | Adds one or more members to an Active Directory group
Add-ADPrincipalGroupMembership | Active Directory | Adds a member to one or more Active Directory groups
Clear-ADAccountExpiration | Active Directory | Clears the expiration date for an Active Directory account
Disable-ADAccount | |

Other cmdlets exist and some are role specific. Some cool things to know about PowerShell cmdlets:

1. Some cmdlets are role specific; Exchange can be fully administered through PowerShell
2. Active Directory cmdlets can perform any function you need, like domain / forest elevation
3. If you are importing certificates in and around your systems, use PowerShell
4. If you are batch creating thousands of Active Directory accounts, use PowerShell
5. If you are auditing a file server's permission structure, use PowerShell

PowerShell is a behemoth of a topic to talk about. Again, it's late at night and my eyes are getting tired, so I will leave you with some websites I frequent when I am trying to figure out how to do something in Microsoft PowerShell.

Microsoft Active Directory PowerShell Guide: http://technet.microsoft.com/en-us/library/ee617195.aspx

Microsoft Exchange PowerShell Guide (.exe file): http://www.microsoft.com/download/en/details.aspx?mg_id=10048&displaylang=en&id=813

Where I learnt everything I know about PowerShell, Dzone: http://refcardz.dzone.com/refcardz/windows-powershell

Just about everything else you need to know: http://technet.microsoft.com/en-us/library/ee332526.aspx

www.Google.com

Subinacls and Get-Acls:

Subinacls and Get-Acls are effectively the same thing. Windows Server file permissions are effectively an access control list. Access control lists are one of the most fundamental topics you should learn about in I.T.

Access control lists (ACLs from here on in) are everywhere: command line firewalls are effectively ACLs, they are used in switching and routing, and they are present as the permissions defined on file structures. Microsoft (and probably other vendors) call them discretionary access control lists (DACLs for short). Basically, when you right click on a folder and check out its permissions, this is what you are seeing.

Let's take a side step for a second. Every object in Microsoft's Active Directory has a security identifier (SID). It is a large string of numbers split by hyphens. Every time you log on, your account is verified by your SID effectively (sort of).

Why is this important you ask? Well, when you right click on a folder that exists somewhere on the domain, you will see a list of users that have access to that folder. Go now and delete one of those users from Active Directory (don't) and you will see that folder now report a large string of numbers: the SID!

Alright, moving on. So users' permissions are really ACLs, and the SID marries up to that ACL, so why is it important and where do Subinacls and/or Get-Acls come into it? Well, another story, read on.

A customer of mine reported that unauthorised access had occurred to financial data and other sensitive data at this organisation. They caught the user and they were dealt with accordingly, but the question was, what was now unsecure, and how do they stop future internal staff getting into places they shouldn't?

The background to the attack was that the user had stumbled across the domain admin password, which was stored in a text file on the C:\ drive of the image, so 200 machines organisation wide had the password on them. Whoops! They knew a little about Active Directory and granted other users administrative access. From there, they went around to various folders on the network and granted ownership permission on them. They never gave up which folders and swore there were too many to remember.

Enter fantastic I.T guy Mark Boyd. I had never tackled this problem before, but I sure as all heck wasn't going to look at the properties of every single folder on every server on the network. This is where Subinacls and Get-Acls come in.

One (Subinacls) is a command line tool and the other (Get-Acls) is a PowerShell CMDLET (remember my bit on PowerShell?); both audit permissions on files and folders. "Great," I said, "I am a useless programmer, this is going to take a while." I dissected it further: what was my problem and how could I solve it?

I need a script that will recursively run through a directory, run Subinacls or Get-Acl, and log as it goes. "I can do that," I said. My script stealing skills are impeccable, and what is learning another programming language to me? We are I.T people, we can learn how to build a fighter jet if we wanted to, or that is at least the delusion I live under.


So, Subinacls, I am not going to go on, you know what it does; what I will do is show you the script I ran, and the output. This comes with a warning however! Remember the SID? Well, Subinacls and Get-Acls show only the SID, not the user, when you have 200,000 objects on a file server. This is not ideal. We have a few tricks up our sleeve however. Let's begin.

1. Define my aim, inputs and outputs.
   a. Aim: Get a list of all permissions on a file share
   b. Input: Subinacls on a file share
   c. Output: A file that I can read / analyse later

Problem solved: if I have an Excel spreadsheet that holds this data, I don't need to know the SID of every user; I just need to filter by folders and files that users have full control over, and exclude anything with Administrator in it.

Before I show you the script I used and the logic behind it all, I am making it clear I am not going to talk about Excel in too much depth. One, Microsoft gets enough plugs. Two, it's not free. Three, it's a complementary tool, not one that will solve your problem outright. It is a powerful analytical tool and you will see why I use it below. Four, this article is already five pages long and I am trying to keep it short.

So, here is the first script. Remember what you learnt about PowerShell? Use it here.

Get-ChildItem -ErrorAction SilentlyContinue D:\Shares\Shared -recurse | Get-Acl | Export-Csv C:\Users\computelec\Documents\recursive.csv

That's it. That is what does it! The results? See below.

So what does it all mean? Two things here are important:

1. These are the folders; this output was thousands of rows big. Here are your folders.
2. Here is a SID! Oh how beautiful it is. We just caught our culprit.


From here, you need a program that will convert SIDs to usernames. I recommend using this script:

' =======================================
' Author: Shane Boudreaux
' Date: 6/20/2001
' Purpose: Convert SID to Account Name
' =======================================
' Main Entry Point
' =======================================
On Error Resume Next
wscript.echo getSID

' =======================================
' Supporting Functions and Procedures
' =======================================
Private Function getSID()
    ' Get SID from user
    Const POPUP_TITLE = "User To SID Conversion"
    SID = InputBox("Enter SID", POPUP_TITLE)
    ' "." is the local machine; a domain-joined host (or a domain controller) is needed to resolve domain SIDs
    server = "."
    Set objWMIService = GetObject("winmgmts:\\" & server & "\root\cimv2")
    ' Win32_SID looks the SID up through the local security authority and exposes the account and domain names
    Set objAccount = objWMIService.Get("Win32_SID.SID='" & SID & "'")
    strUser = objAccount.AccountName
    strDomain = objAccount.ReferencedDomainName
    ' Err.Number is non-zero when the WMI lookup failed (for example an unknown or orphaned SID)
    If Err.Number <> 0 Then
        getSID = Err.Description
        Err.Clear
    Else
        getSID = "User: " & vbtab & UCase(strUser) & vbcrlf & "Domain: " & vbtab & UCase(strDomain)
    End If
End Function
' =======================================

I would like to note I am not taking credit for the script. I don't even know if it works; in the interest of getting this article done, I am submitting it as is. I think you might need to enter your server name or at the very least run it on your domain controller. Anyway, there are a billion tools out there to get this last piece of the puzzle.
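The Get-Acl one-liner and the SID conversion script cover the two halves of the job separately. As an added example (not the article's own script and not Shane Boudreaux's), this PowerShell script joins them: it walks a folder tree, keeps only explicit FullControl grants that are not held by the usual administrative principals, translates each SID to an account name with .NET's SecurityIdentifier.Translate, and leaves any SID that no longer resolves as it is, which is exactly the orphaned entry the article calls the culprit. It also reports the folder owner, since the story involves ownership being handed out. The share root, report path and exclusion list are assumptions; the temp folder it creates is a constructed input so the script runs stand-alone.

```powershell
# Added example, not the article's own script. Assumes Windows PowerShell 2.0 or later;
# the share root, report path and exclusion list below are placeholders.
$Root    = 'D:\Shares\Shared'                                         # placeholder share root
$Report  = Join-Path $env:USERPROFILE 'Documents\fullcontrol-audit.csv'
$Exclude = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|[^\\]+\\Domain Admins)$'

# Turn an "S-1-5-21-..." string into DOMAIN\name. Names are passed through untouched,
# and a SID that no longer resolves is returned unchanged: that is the orphaned entry
# left behind when the account has been deleted.
function Resolve-Identity {
    param([string]$Identity)
    if ($Identity -notmatch '^S-1-\d+(-\d+)+$') { return $Identity }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Identity)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Identity }
}

# Walk a tree (root included) and report explicit, non-inherited Allow entries that
# carry FullControl and whose principal is not one of the expected admin groups.
function Get-SuspiciousFullControl {
    param([string]$Path)
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $items = @(Get-Item -Path $Path) +
             @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
               Where-Object { $_.PSIsContainer })
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            # FullControl is a mask; the entry must contain every bit of it
            if ([int]($ace.FileSystemRights -band $full) -ne [int]$full) { continue }
            $who = Resolve-Identity $ace.IdentityReference.Value
            if ($who -match $Exclude) { continue }
            New-Object PSObject -Property @{
                Folder    = $item.FullName
                Principal = $who
                RawEntry  = $ace.IdentityReference.Value   # the raw SID if it did not resolve
                Owner     = Resolve-Identity $acl.Owner
            }
        }
    }
}

# Constructed demo input so the script runs stand-alone: a temp folder given one explicit
# FullControl entry for the current user, which the report should then list.
$demo = Join-Path $env:TEMP 'acl-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$demoAcl = Get-Acl -Path $demo
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
               $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$demoAcl.AddAccessRule($rule)
Set-Acl -Path $demo -AclObject $demoAcl

Get-SuspiciousFullControl -Path $demo | Export-Csv -Path $Report -NoTypeInformation
Import-Csv -Path $Report | Format-Table Folder, Principal, RawEntry, Owner -AutoSize

# For the real audit, point it at the share root instead:
# Get-SuspiciousFullControl -Path $Root | Export-Csv -Path $Report -NoTypeInformation
```

Inherited entries are skipped on purpose: a grant placed on one folder by hand shows up once, at the folder where it was set, rather than thousands of times down the tree, which keeps the CSV small enough to read without Excel filters. Rows whose Principal column still looks like a SID are the orphaned entries; rows whose Owner is a plain user rather than Administrators are the ownership changes the article describes.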

I have met my aim: I have explained what SIDs are, and shown you in practice one of the two ACL scripts / CMDLETS that will do what you need to do.

This is the end of part 1 of the Top tools for administrators guide. I am hoping my mix of tech and real world examples helps you think outside the circle when you are troubleshooting issues.

Remember, you want quick answers when troubleshooting. Wireshark is that tool as long as you learn your filters. PowerShell is there for all your automation tasks. And remember, you don't want to wear out the right click button on your mouse getting to file permissions; use Get-ACL or Subinacls to get that information, export to a CSV file, and you're set.