Remotely Administer Your Windows NT 4.0 Systems from Afar
Systems administrators who rarely have time to visit each machine in a network need Windows NT Server 4.0 administration tools that can execute complex scripts on several remote computers simultaneously. For some administrators, remote-control packages such as Symantec's pcAnywhere or Netopia's Timbuktu Pro are solutions. Such remote-control applications work best for taking over one PC, allowing one-on-one interaction to guide a user through a complicated task, accomplish one-off configuration, or troubleshoot tasks that you can't accomplish remotely through scripting.
However, my goal is to perform every administrative task across many machines simultaneously from the command line within a scripted environment. To accomplish that goal, I use the remote-administration tools in the Microsoft Windows NT Server 4.0 Resource Kit, including Supplement 4. (For more information about Supplement 4, see Mark Minasi, This Old Resource Kit, "Windows NT Resource Kit Supplement 4," page 187.) For those of you who have similar goals, I share a list of the tools that I've found most useful in my day-to-day administrative tasks.
Addusers
Addusers (addusers.exe), a command-line utility for adding user accounts and global and local groups into the NT Server 4.0 SAM, works with the domain controller SAM or a member server or workstation. Addusers accepts a file (i.e., the list of user accounts or groups you want to import) in a particular format as input. The command
addusers \\myPDC /c userlist.txt
adds the users and groups in the userlist.txt file to myPDC. The /c option tells Addusers to create new user accounts as the input file specifies them. You can also use the /d option to dump users to a file from the SAM. The resulting file has the correct format for import.
You can use Addusers to populate a test domain with multiple accounts or to dump the SAM's contents for duplication elsewhere. When you use the dump option for an account, Addusers doesn't retain the account's domain SID. The dump option simply dumps to text the user's name and associated account properties.
Auditpol
Auditpol (auditpol.exe) lets you set domain or local SAM audit policy for a local or remote machine. (You can also set the audit policy from User Manager/Policies/Audit.) When you direct the Auditpol command to the PDC in a domain, the command sets audit policy for the entire domain. Each audit category takes a single setting, and the categories are the same as those in User Manager/Policies/Audit. For example, if you enable logon auditing, you can specify auditing of successful logons, auditing of failed logons, or both.
The command
auditpol \\servera /enable /logon:failure /sam:failure
changes the audit policy on server servera. If servera were a PDC, the change would affect the audit policy on the entire domain. The /enable parameter enables the auditing function. The /logon:failure parameter audits logon and logoff events for failed events only. The /sam:failure policy audits attempted SAM changes that were failed events. If the administrator's attempt to delete a user account failed because of insufficient privileges, the /sam:failure audit policy would trigger a security event.
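The same policy change rolled out to a whole list of servers from one script, as an added example that is not from the article or the resource kit. It is an NT 4.0 cmd.exe batch file and assumes a hypothetical servers.txt in the current directory (one NetBIOS server name per line, without backslashes), auditpol.exe on the path, and that Auditpol displays the current policy when you give it a server name and no policy switches, so a second call serves as the verification step.

```batch
@echo off
rem Added example: apply one audit-policy baseline to every server in
rem servers.txt (hypothetical file, one NetBIOS name per line, no backslashes)
rem and record each server's effective policy so the rollout can be checked.
if exist servers.txt goto run
echo servers.txt not found - nothing to do
goto end

:run
rem Start a fresh log for this run
echo Audit policy rollout > auditpol-rollout.log
for /f %%s in (servers.txt) do call :onehost %%s
echo Done. Review auditpol-rollout.log for each server's effective policy.
goto end

:onehost
rem %1 is the server name handed over by the loop above.
echo ==== \\%1 ==== >> auditpol-rollout.log
rem Failed logons and failed SAM changes are the baseline from the article's
rem example. Errors (unreachable server, access denied) land in the log too.
auditpol \\%1 /enable /logon:failure /sam:failure >> auditpol-rollout.log 2>&1
rem Assumes auditpol returns a nonzero exit code on failure.
if errorlevel 1 echo WARNING: auditpol reported an error on \\%1 (see log)
rem Auditpol with no policy switches displays the current policy, so this
rem second call doubles as the verification step.
auditpol \\%1 >> auditpol-rollout.log 2>&1
goto end

:end
```

Reviewing auditpol-rollout.log after the run shows, server by server, whether the policy you pushed is the policy that is now in effect; a server that is offline or that refuses the connection stands out because its section of the log holds the error text instead of a policy listing.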
Browmon
Browmon (browmon.exe), a GUI utility, lets you monitor the browser status on your local subnet for each network transport. You can identify the master and backup browsers for your local subnet, examine their browse lists, and troubleshoot browsing problems. Browmon can help you find the source of the problem if you notice, while browsing your networks, that some machines don't appear on the browse list in Network Neighborhood. Identify the master and backup browser machines on your subnet, then examine each one's browse list and narrow the problem by determining which master or backup browser is missing one or more machines from its list. Browmon reports browser status only on the subnet where it's running; the tool doesn't report information from remote subnets unless the machine running Browmon is physically connected to them.
Browstat
Browstat (browstat.exe) and Browmon have similar functions, but Browstat also provides statistics about browser flags. Every NetBIOS machine in your network has flags that identify a role the machine plays (e.g., server, workstation, time server). So, if you use the resource kit's Time Service, Browstat can tell you which servers advertise themselves as primary time servers. The command
browstat view NetBT_ELNK3
displays a list of machines on transport NetBT_ELNK3 and the machines' NetBIOS flags. (ELNK3 is the NIC adapter's name.) Browstat comes with several other browser-related commands, including the ability to force a browser election on a remote subnet (using the elect option) or the ability to stop a master browser's operation (using the tickle option), which might be helpful when you use Browmon to troubleshoot browsing problems. Browstat often requires you to type the transport name you're asking about because the browser maintains separate lists on each transport (e.g., TCP/IP, NWLink, NetBEUI). To get the default transport's name, use the Browstat Status command.
Compreg
Compreg (compreg.exe) lets you compare Registry key contents of local and remote machines. For example, to ensure that two machines have the same default user settings for desktop preferences, you would type
compreg "us\.default\control panel\desktop" \\remotews
The example compares the contents of the .default\control panel\desktop key under the HKEY_USERS (us) Registry subtree on a local machine with the same key on remote machine remotews. Similarly, the command could have specified two remote machines by including a Uniform Naming Convention (UNC) path in front of the Registry path (e.g., \\ws2\us\.default\control panel\desktop).
Delprof
Delprof (delprof.exe) lets you delete cached profiles from a local or remote machine. Delprof looks for cached profiles in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Registry key. Delprof's default behavior is to prompt you to delete all inactive profiles (i.e., profiles that no one has used for a specified time). To make Delprof prompt you for each profile, use the /p parameter. To set the number of days after which Delprof considers an unused profile to be inactive, use the /d parameter. In the example
delprof /p /c:servera /d:10
Delprof deletes all cached profiles on servera that no one has used in 10 days. The /p parameter tells Delprof to prompt you to confirm each profile's deletion. Delprof won't return any information to you when all system profiles are active.
Occasionally, you might find a cached profile that Delprof misses and that you can't delete manually or with other tools. A bug in NT 4.0 can let a cached profile (specifically, the profile's ntuser.dat file) remain locked even though the user has logged off. The easy solution is to reboot the machine, unless you can determine which process locked the file. For example, the sound device on some Compaq workstations can lock the profile's ntuser.dat file. In this case, you can usually free the file and delete the profile if you stop the sound device within Control Panel.
Dhcpcmd
Dhcpcmd (dhcpcmd.exe), which lets you view and manage DHCP servers, can list active leases on a scope, create new scopes, add or change scope or global options, and modify serverwide parameters. The command
dhcpcmd 192.168.1.1 enumclients 192.168.20.0 -v
creates a verbose listing of active leases on a particular scope. The enumclients option tells Dhcpcmd to list all active leases on the scope I've specified. In the example, 192.168.1.1 is the DHCP server's IP address, and 192.168.20.0 is the scope subnet on which the command lists active leases. The -v option specifies that I want verbose output.
Dhcploc
Dhcploc (dhcploc.exe) helps you detect rogue DHCP servers. In the command, you provide a list of IP addresses for DHCP servers, then Dhcploc pings the DHCP servers and returns a list of responses. The command
dhcploc -p 192.168.1.20 "192.168.1.1 192.168.20.1"
executes a Dhcploc command on the interface that has an IP address of 192.168.1.20. The first address in the command line is typically the address of the machine from which you're running the command. The IP addresses in quotation marks are addresses for authorized servers. If the responses aren't on the valid-server list, the responding servers are rogues. The -p option tells Dhcploc not to display responses from valid servers you've specified in the list. Thus, you can assume any responses you get are rogues. The utility also can send alerts to specified users (at intervals you determine) when Dhcploc detects rogues. To send alerts, use the -a and -I options. The command
dhcploc -p 192.168.1.20 "192.168.1.1 192.168.20.1" -a:"administrator" -I:1800
sends an alert to the administrator account (-a option) every 30 minutes (-I option in seconds).
Dhcploc uses broadcast-based DHCP discover packets to determine which DHCP servers respond, and the way your network forwards these broadcasts can limit the utility's effectiveness. In a routed network, you need to configure your network routers to forward DHCP discover packets to all subnets that might have rogue DHCP servers. If this configuration isn't practical, you might use a tool such as the NT scheduler service to run a Dhcploc instance on a workstation on each subnet.
Dnscmd
Dnscmd (dnscmd.exe) helps you manage NT 4.0 DNS servers. (This utility doesn't work for UNIX-based DNS implementations.) Using Dnscmd, you can gather server statistics, list zone files, create or delete zones, and switch between primary and secondary zone types on a specified DNS server. The command
dnscmd myserver getserverinfo
gathers server statistics on DNS server myserver.
Dommon
Dommon (dommon.exe), a GUI utility, lets you monitor the secure-channel trust connections between domain controllers in NT 4.0 domains. Dommon provides a bird's-eye view of all domain controllers and their status in all of your trusted domains, letting you troubleshoot trust problems and identify domain controllers that break secure-channel connections. If you've ever tried logging on to a domain from a workstation or server and received the message No logon servers available to service your request, you might find Dommon useful in tracking the problem. Generally, this error happens because of a failed secure-channel connection between a BDC and the PDC. Dommon can help you find this problem by showing the status of all domain controllers in a domain, or even across domain trusts. In large networks, Dommon can take several minutes to list all trusted domain connections to all of your domain controllers. If you detect a problem, I recommend using Nlmon (nlmon.exe) or Nltest (nltest.exe) to pinpoint the source.
Dumpel
Dumpel (dumpel.exe) uses filter information that you provide to dump a local or remote NT event log's contents to a file. Dumpel is a command-line version of NT Event Viewer's filtering and Save As function. The command
dumpel -d 5 -e 515 -m Security -l security -s remote >remotesecurity.log
dumps the Security event log from a remote machine called remote (-s option), filtering for the past 5 days (-d option) on event ID 515 (-e option). In the example, the -m option specifies the NT subsystem that triggered event ID 515. If you specify -e, you also need to specify -m. The -l security option specifies that I want to dump events from the Security event log, rather than from the Application or System logs. In the example, I use the DOS redirection operator (>) to redirect Dumpel's output to the remotesecurity.log file. Dumpel provides the -f option to redirect output to a file, but -f doesn't appear to work correctly in this version of the tool.
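Collecting the same kind of filtered dump from every server in one pass, as an added example that is not from the article or the resource kit. It is an NT 4.0 cmd.exe batch file and assumes a hypothetical servers.txt (one NetBIOS server name per line) and dumpel.exe on the path. It pulls failed-logon records (NT 4.0 Security event ID 529, logon failure because of an unknown user name or bad password, which the /logon:failure audit policy from the Auditpol section produces) and, following the article's note that -f is unreliable, writes each server's output through the redirection operator instead.

```batch
@echo off
rem Added example: dump failed-logon events from the Security log of every
rem server in servers.txt (hypothetical file, one NetBIOS name per line),
rem one file per server, then tally and merge them for review.
setlocal
rem Days of history to pull; first argument, default 1
set DAYS=%1
if "%DAYS%"=="" set DAYS=1
if exist servers.txt goto run
echo servers.txt not found - nothing to do
goto end

:run
if not exist logs mkdir logs
for /f %%s in (servers.txt) do call :onehost %%s
rem Concatenate the per-server files into one for a single review pass
copy logs\*-logonfail.txt all-logonfail.txt > nul
echo Merged output is in all-logonfail.txt
goto end

:onehost
rem %1 is the server name handed over by the loop above.
rem -e needs -m (the source), as the article notes; stdout redirection is used
rem instead of -f. Errors from dumpel go to the console, not into the file.
dumpel -s %1 -l security -d %DAYS% -e 529 -m Security > logs\%1-logonfail.txt
rem One event per output line, so a line count is a quick per-server tally
for /f %%n in ('type logs\%1-logonfail.txt ^| find /c /v ""') do echo %1: %%n failed logon records in the last %DAYS% day(s)
goto end

:end
```

Run it as `collect-logonfail.cmd 5` to cover the past five days. The per-server tally printed by the loop is the quick signal: a server whose count is far above its neighbours', or above its own count from yesterday's run, is the one whose dump deserves a closer look in all-logonfail.txt.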