
Perl for Windows NT Administrators

BY ROBERT MANGOLD

As the author demonstrates, scripting in Perl can save Windows NT administrators time when performing a variety of tasks.

TECHNICAL SUPPORT • JANUARY 2001 ©2001 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.

Has this ever happened to you? The phone rings at your NT support desk. You are the person on duty, and the security enforcement officer tells you that the screen saver should start after 10 minutes of idle time, not 15 minutes. You’re faced with the agonizing task of changing the screen saver start time on the 1,000 Windows NT workstations that you just deployed. What can you do?

In another scenario, say you are in a meeting with your boss, and he tells you to rename the server that holds the roaming profiles. You will need to change the profile path on roughly 700 user accounts. Your boss asks you how long it will take to accomplish this task, and you know that you will have to make the changes after hours, but it’s your son’s second birthday party tonight. Where do you begin?

In a third scenario, your friend Terry tells you at the water cooler that the Engineering department got a hold of the local administrator password for all 500 of your NT machines. How did this happen?

Do these things happen to you all too often? Do you want to be able to say, “No problem,” in the first scenario; “Five or 10 minutes after hours,” to the question presented in the second scenario; and “I’ll fix that when I get back to my desk,” in the third scenario and really mean it? If so, read on!

THE POWER OF SCRIPTING

The Unix world has long appreciated the power of scripting. Many NT administrators I have encountered, however, seem unaware that clicking and typing their way through changes to 700 user accounts is an unnecessary waste of time. Some NT administrators use batch files to ease their suffering, but not many administrators use Perl.

WHY PERL?

What is Perl? Perl stands for “Practical Extraction and Report Language,” or “Pathologically Eclectic Rubbish Lister”— both definitions are sanctioned by the Perl community (seriously!). Perl is a programming language, like C or Java. Wait! Before you mutter in disgust and hastily flip to the next article, bear with me. You may be thinking, “I’m not a programmer, nor do I want to be a programmer. I will not ‘go gentle into that good night.’” (I could not resist using a quote from Dylan Thomas.)

So, why should you become familiar with Perl? Simple. It can save you time, win you friends, allow you to have a more predictable daily departure time, and increase your net worth. Your fellow NT administrators will grunt like Tim Allen when you pass them in the hallway (assuming you think that is a good thing). Will it be painful to learn? Probably, depending on your background. I took some programming classes in college. I do not know Java or C, and I really do not understand object-oriented programming. However, armed with a strong determination, I purchased some manuals and played around for a few months. Now, I am regularly helping NT administrators make their lives easier. Still not convinced?

“What exactly can Perl do for me?” you ask. It excels at processing text files and creating text reports. Although that may not sound very interesting to an NT administrator, consider this: Web pages are nothing more than text files of HTML code. I currently use Perl at my site to update our intranet web pages and create images of graphs with performance data. In fact, Perl is used extensively for web programming. Still not convinced? How about Registry processing and querying? I wrote a program to add, delete or change Registry keys, values and data on one or more machines in a domain. This program even has a graphical user interface (GUI) front-end. How about user account maintenance? I wrote a script that changes the local administrator password on all machines in the domain. Some of my scripts send an email when a certain condition occurs. All of these programs were written in Perl.

Now I have you thinking, right? Well, before you can do calculus you have to learn some algebra. First, you have to acquire Perl. Then, you need to load some modules. Next, you need to acquire some manuals. The good news is that only the last part is going to cost you any money.

So, ready to install Perl? Great! But do not install the version that comes with the NT Resource Kit, as it is a really old version. Rather, go to www.activestate.com/ActivePerl/, click on the “Download Now” link, and download Perl for free!

The download and installation processes are straightforward. However, note that it is important that you leave the default destination path of C:\perl alone. Let the setup program modify your path so you can run Perl scripts from any directory.

Once you have Perl installed, you are ready for the big leagues. Both the ActiveState and CPAN sites contain some great documentation and frequently asked questions (FAQs). Also, I recommend that you read Learning PERL on Win32 Systems (ISBN 1-56592-324-3). It was not the first book I bought or read, but it provided me with the basics. If you have programming experience and understand the concepts of loops, condition statements, and all that grammer’s reference guide. The PERL 5 Programmer’s Reference (ISBN 1-56604-

As I mentioned before, my two favorite sites for support are ActiveState (www.activestate.com) and CPAN (Comprehensive Perl Archive Network — ftp://ftp.perl.org/pub/perl/CPAN/README.html). From ActiveState, you can subscribe to mailing lists, which will help you learn what other users are going through. I subscribe to “PERL-Win32-Admin” and “PERL-Win32-Users.” Both of these mailing lists have been invaluable to me. There is nothing like joining in on a conversation about something that you are currently working on. People even post their code! The list is full of very knowledgeable and helpful people. When you post a question, make sure that you provide details such as the operating system, the exact error statement, and any other relevant details. Don’t waste time posting questions that can be answered by reading the first chapter of a beginner Perl book. You are liable to get scolded in a public forum for wasting people’s time and Internet bandwidth. I personally prefer the digest version of the mailing list, which sends you an email once a day with all the messages from the previous day. To sign up for the Perl mailing lists go to www.activestate.com/Support/Mailing_Lists/index.html. Mailing list subscription is, of

PUTTING YOUR

Once you learn some of the basics of the Perl language, it is time to put your knowledge to use. Before getting hot and heavy into Windows NT administration, you first need to install some modules. Perl does not inherently perform all the really neat NT tasks. Occasionally, you need to load modules. However, with the Internet, this is painless and free.

A definition is in order before I proceed further. Most of the NT modules have a prefix of “Win32.” These modules are not exclusive to Windows NT. Most can be run on Windows 95 and 98. Occasionally, you might encounter problems running these Win32 modules on a different operating system than Windows NT. Check out the mailing lists and newsgroups for more information.

ActiveState’s Perl comes with a batch file called (PPM). When you run PPM, it helps you install modules. Otherwise, you need a C compiler to compile it yourself. Personally, I would rather sit through a Jerry Springer marathon than mess with a C compiler. To run PPM, simply type “ppm” at a command prompt and the “ppm>” prompt will appear. Type “ppm>install /location . Note that there are spaces between “install” and “/location”, “/location” and , and and . Now all you need are some module names and their locations.

There are some useful web sites that you will probably want to visit. The first site is www.roth.net/perl. Download the AdminMisc module and install it using PPM. This module allows you to log off or exit Windows, and it allows you to do the following from within a script:

- put the name of the computer the script is running on into a variable
- obtain information on the hard drive such as number of clusters, number of free clusters, etc.
- obtain total drive space and free space remaining
- obtain a list of groups on the machine
- obtain the user’s account name
- obtain the name of the domain’s primary domain controller (PDC)
- obtain a list of the user accounts in the domain
- obtain a list of machine accounts in the domain

The AdminMisc module also allows you to set or change attributes of a user’s account including the password.

You could use this module in a script that is run every day to determine how much hard drive space is remaining, and email the information to the Domain Administrator group. I should mention that AdminMisc is called “Win32-AdminMisc” as its module name in PPM. Specify “www.roth.net/perl/packages” as the location. Now you can use all the module’s functions. Check out www.roth.net/perl/adminmisc for details on how to use the functions. To install it, simply type the following:

    C:\>ppm
    ppm>install /location http://www.roth.net/perl/packages Win32-AdminMisc
    ppm>quit
    C:\>

Could it be any easier?

The NetAdmin module has much of the same functionality as the AdminMisc module. You can learn more about this module by going to www.activestate.com/ActivePerl/docs/. Once there, scroll down to Win32 and click on NetAdmin. This module is included with ActiveState’s current version, so you do not need to use PPM to get it.

Another module bundled with ActiveState’s Perl is Win32-Eventlog. This module allows you to add or read events from the NT Event Log, as well as clear the event log. A useful script would be to extract all the information from the event logs, import that information into a database, and then clear the log. You could then use the database to search for particular events, possibly selecting only critical errors.

Once you become more comfortable with the basics of Perl and feel like exploring the web for more Win32 modules, you may want to visit some of the sites indicated in the sidebar. These sites contain some interesting modules ripe for the picking, free scripts, and a conversion utility that makes Perl scripts into executable files.

USEFUL PERL SITES AND RESOURCES

http://jenda.krynicky.cz/perl/
www.divinf.it/dada/perl/
www.freecode.com/index.html
www.perl2exe.com/index.html

The PERL Journal — www.itknowledge.com/tpj/. The site provides a table of contents for previous issues. If you are like me, you are bombarded with periodicals that you have little or no time to read. Check out the site and form your own opinion. The magazine is published quarterly, so I have plenty of time to read it before the next edition comes out.

In addition to the books I mentioned earlier, there are several other books that might prove useful also. As I said before, I use Perl to update web pages and create performance graphs. I have found the book Programming Web Graphics with PERL & GNU Software (ISBN 1-56592-478-9) indispensable for that purpose. For GUI front-end programming, I purchased Learning Perl/Tk (ISBN 1-56592-314-6), which I’d recommend you avoid until you learn some of the basics. I am just getting into GUI programming, and it is not easy by any measure. Another book that is wonderful once you get the basics down is Windows NT: Win32 PERL Programming: The Standard Extensions (ISBN 1-57870-067-1). I have not found a single book that contains more on how to do useful NT administration tasks than this book. However, be forewarned; this book is not for beginners.

A WAR STORY

So far I have tantalized you with the possibilities and capabilities of Perl. Theories and pie-in-the-sky potential rewards are one thing, but you face the harsh reality of supporting your infrastructure. I will share in the following section an instance where Perl came to my rescue.

FIXING SMS 2.0 WITH PERL

Recently, I had the privilege of setting up Microsoft Systems Management Server 2.0 in our organization. Overall, the product works pretty well, and I admire the improvements Microsoft has made in its functionality and interface over previous versions. However, we have had our share of problems.

First, there was money in the budget to buy SMS, but none for training. Sound familiar? If you are in a similar situation, your best course of action may be to secure an area that can be used as a test lab. We were fortunate to stumble across two workstations and four servers that we used as a lab. We spent about a month configuring, experimenting and reloading SMS on these systems. In fact, we reloaded SMS so many times we have the product ID code on the back of the CD-ROM case memorized!

Secondly, the SMS product still has some “undesired features,” a.k.a. bugs. The bug that really slammed us is detailed in Knowledge Base article Q226368. This article details a bug where the SMS Client Token account, a user account created by the SMS setup utility and critical to software distribution, locks out when a network drive is present in a search path. Specifically, this account is used to upgrade the security context of users to domain administrators strictly for the process of installing the software. Since users might not have the rights to install software, this account allows this to happen with no user or administrator intervention. Microsoft has provided detailed steps to circumvent the problem of the Token account locking out. The first suggestion is to remove network drives from the search paths. Unfortunately, performing this “solution” on an enterprise involves an awful lot of work — plus there are reasons we have it set up this way. The second solution is to deactivate account lockout in the domain where the SMS Client Token account resides. Account lockout prevents password guessing utilities from cracking into your system, and is just a good idea to implement in general. I was surprised Microsoft even proposed this as a solution. The third solution was to download patch 1380.1007. Unfortunately, while we enjoyed initial success with this patch, it just kind of stopped working. We are still not sure why. We called Microsoft and, after being on hold for two and a half hours, we were told they are working on it but had no estimated fix date. Since this account is used to raise the security context of the user during software distribution and installation, we were effectively looking at a temporary hiatus to the software distribution process. Our customer found this to be unacceptable, so we needed another solution. That solution turned out to be Perl.

We decided that although we could not disable domain account lockout, we could use a script to check to see if that particular account was locked out. If it was, the script should unlock it. The script was run continuously, and the test we conducted in the lab allowed SMS to function. Because of our solution, SMS’s software distribution worked until the eventual release of SMS Service Pack 2 fixed the underlying problem. We recently shut down this script, which had been running continuously for many months. I have included a copy of the script in Figure 1.

FIGURE 1: PERL SCRIPT TO CHECK ON LOCKED ACCOUNT STATUS

    # **************************************************************************
    # Script Name:  smsunlock.pl
    # Description:  This script checks to make sure the SMS Token Account is and
    #               stays unlocked during a package distribution.
    # Dependencies: NetAdmin, AdminMisc
    # Author:       Robert Mangold
    # Date:         11/19/99
    # **************************************************************************

    use Win32::NetAdmin;
    use Win32::AdminMisc;

    $User = "SMSCliToknAcct&";
    $dom = "DOMAIN1";   # enter your domain name inside the quotes
    $counter = 0;
    $Flag = SV_TYPE_DOMAIN_BAKCTRL | SV_TYPE_DOMAIN_CTRL;   # set flag to domain controllers
    Win32::NetAdmin::GetServers('', $dom, $Flag, \@DC);     # get list of domain controllers
    # this is a log file that records its activity
    open(LOG, ">>C:\\temp\\smsunlock.txt") or die "Cannot open log file: $!";
    $fh = select(LOG);
    $| = 1;   # this is a Perl special variable that says don't buffer the output
    print LOG "Beginning smsunlock log...\n";   # print header in log file
    while (1) {   # endless loop; press CTRL-C to end program
        foreach (@DC) {   # iterate through each domain controller
            $DC = "\\\\".$_;   # add two backslashes to beginning of computer name
            %Attribs = ();     # discard the attributes read from the previous controller
            # get a list of attributes for the specified user account
            Win32::AdminMisc::UserGetMiscAttributes($DC, $User, \%Attribs);
            if ($Attribs{USER_FLAGS} & UF_LOCKOUT) {   # if account is locked out
                print LOG "$User account locked out on $DC.\n";
                $Flags = $Attribs{USER_FLAGS} & ~UF_LOCKOUT;   # set the flag to unlock
                # if the account can be successfully unlocked
                if (Win32::AdminMisc::UserSetMiscAttributes($DC, $User, USER_FLAGS=>$Flags)) {
                    $counter++;   # increment counter (just like C and C++)
                    print LOG "$User successfully unlocked on $DC.\n";
                    print LOG "So far, the $User account has been successfully unlocked $counter times.\n";
                } else {
                    print LOG "Error unlocking $User account\n";
                }
            }
        }
        sleep(1);   # pause 1 second
    }

CODE DESCRIPTION

This script is fairly straightforward, even if it looks ugly at first glance. The script gets a list of domain controllers (primary and backup) and loops through them one at a time. It then examines the SMSCliToknAcct& user account to see if it is locked out. If it is, it unlocks it. I also set up logging so you can follow the activity of the script, including counters to tell you how often the account gets unlocked. Check out the comments included in the script (they follow the “#” character).

In a subsequent tech support call to Microsoft, I told them of our solution. I even offered to sell them the script, but they did not think that was funny.

CONCLUSION

Perl is great because most things an administrator needs to do fall somewhere between being very easy and being very hard. If something is really easy to do, I would probably use a batch file. If something is really hard, I would put in a request to have an application written, which I probably would not see for quite some time. For everything in between, which is 95 percent of the time, Perl’s power is unmatched. Learning Perl is time well spent. See you on the Perl user groups!

Robert Mangold is a principal network engineer for Getronics Government Solutions. He is a Microsoft Certified Trainer, a Microsoft Certified Systems Engineer, a Cisco Certified Network Associate, and Network+ certified. He can be reached at [email protected].
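The Figure 1 loop clears a lockout on every pass of its one-second cycle, so for the SMS Client Token account, which raises users to domain administrator during installs, lockout no longer limits password guessing. As an added example (not the author's script), the Perl below caps automatic unlocks per domain controller in a sliding window and escalates anything beyond the cap; the sub name `decide_unlock`, the thresholds and the sample observations are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the article): cap automatic unlocks per domain
# controller so that a burst of lockouts is escalated instead of cleared.
use strict;
use warnings;

# Assumed policy values; tune them to the domain's own lockout settings.
my $WINDOW_SECONDS = 600;   # look-back window
my $MAX_UNLOCKS    = 3;     # automatic unlocks allowed per DC per window

my %unlock_times;           # DC name => list of epoch times of past unlocks

# Decide what to do with one "account is locked" observation.
# Returns 'unlock' while the DC is within budget, 'escalate' once it is not.
sub decide_unlock {
    my ($dc, $now) = @_;
    my $history = $unlock_times{$dc} ||= [];
    # Forget unlocks that have aged out of the window.
    @$history = grep { $now - $_ < $WINDOW_SECONDS } @$history;
    return 'escalate' if @$history >= $MAX_UNLOCKS;
    push @$history, $now;
    return 'unlock';
}

# Constructed observations: [seconds since start, DC that reported the lockout].
my @observations = (
    [   0, '\\\\DC1' ], [  40, '\\\\DC1' ], [  90, '\\\\DC2' ],
    [ 120, '\\\\DC1' ], [ 130, '\\\\DC1' ], [ 135, '\\\\DC1' ],
    [ 800, '\\\\DC1' ],
);

for my $obs (@observations) {
    my ($now, $dc) = @$obs;
    my $action = decide_unlock($dc, $now);
    if ($action eq 'unlock') {
        # In the Figure 1 loop this is where UserSetMiscAttributes is called.
        print "t=$now $dc: within budget, unlock\n";
    } else {
        # Leave the account locked and tell a human: repeated lockouts in a
        # short period are what password guessing looks like.
        print "t=$now $dc: unlock budget exhausted, leave locked and alert\n";
    }
}
```

To use it with Figure 1, call `decide_unlock($DC, time)` just before `UserSetMiscAttributes` and skip the unlock when it returns 'escalate'; software distribution then pauses until someone reviews the lockouts.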

WWW.NASPA.COM TECHNICAL SUPPORT • JANUARY 2001