Welcome to the ScriptVault, where ScriptingAnswers.com users share their administrative scripts.

Have you written a script that accomplishes some administrative task? Please share it! Just navigate to the appropriate category and click the "Contribute to this category" link!

You are here: Top > Security

Scripts

Change local Admin password Contributed by Don Jones
Input text file is expected to contain one computer name per line, and you of course must have Admin permissions on each targeted machine. Be sure to change the script to have the password you want used.
Changing local passwords, en masse Contributed by donj
Here's a sample reprinted from a Forums response. Use this script to change the password of any given local computer account on any number of computers. You can follow up on this script in the VBScript Language forum. This script accepts an input file, c:computers.txt, which contains one computer name per line in a simple text file. It outputs c:missed.txt, which contains the names of computers unable to be contacted by the script. As written, the script will change the password for the local Administrator account; you can plug in another account (and a more creative password) if you like. Note that the user running the script must have permission to change passwords on the remote system, generally meaning you'll need to be in the local Administrators group somehow. Although this script uses ADSI, it doesn't require Active Directory.
Dormant NT Users Contributed by Tony kenny
Identify local machine accounts and their last logon date. Compares last logon date to today and lists active and inactive users with last logon over 90 days.
Find and Disable Inactive Users Contributed by Don Jones
This uses the WinNT provider and should work with any NT or AD domain. It only looks at users in the Domain Users group, although that can be modified (along with the domain name - you'll need to change that from "MyDomain"). This looks at the last login date to determine unused accounts. WARNING: Only Win2003 DCs properly replicate LastLogin. In prior domains, not every DC has the correct LastLogin date, so this script can cause unexpected disabling of EVERY account if you have more than one DC in a pre-2003 domain.
Parse Your Security Logs Contributed by Shane Boudreaux
Here's the script for parsing those logs created by querying your Security Event Log. It will put your log file into a format that is easily imported into a database for further analysis! Look for the script I posted for querying your Security Event Log for unsuccessful logon attempts (event code 529: bad username/password).
Read and search XML database Contributed by Stefan Suesser
This script demonstrates how to use VBScript to read XML files and find specific information using XPath statements. The script determines the Operating System and Service Pack of the local or a remote machine using WMI. It then searches Mssecure.xml (the XML database with all security patches that MS Baseline Security Analyzer uses) to find the appropriate OS and Service Pack IDs. With this information, we then search the XML database for all security hotfixes that apply to the computer this script runs against. The output is on the Command Line, so run this script using cscript.exe. It will output the Bulletin-ID, the Q-Number and a description of the security patch. You can get the mssecure.xml file when you install and run MS Baseline Security Analyzer. The XML file will be in the installation folder of the tool.
Reset local admin account by SID Contributed by Anonymous
Since a common practice is to rename the Administrator account, this script will reset it based on SID, instead of name.
Signing Scripts Contributed by Don Jones
You can digitally sign any script that Windows Script Host (WSH) runs, including VBS, JS, WSH, and so forth; you cannot sign CMD or BAT files, though. To sign a script, you need to have a digital certificate already installed in your personal certificate store: Use the Internet Options control panel applet (on the Content tab) to access your certificates and import a certificate if you own one. Make a note of the certificate's name - you'll need to know that for the script.

In the script below, replace the filename with the name of your script. Replace "IT Department" with the name of your certificate. That's it! Your script will be signed. Remember, once it is signed, you won't be able to change the script code without re-signing the script.