Showing posts with the label cmd

Add a security group to an ACL and propagate the ACE without affecting inheritance

I've recently needed to add a security group to the ACLs of a number of shared folders. The problem was that adding a group to the top level folder and propagating permissions down the folder tree would wipe existing permissions. After some time playing with ICACLS I have managed to put together a command that just did the trick.

A bit of terminology first:

ACE - Access Control Entry - is a single entry in an ACL, such as "GroupA - Read"
ACL - Access Control List - is a collection of ACEs

Effectively the below command adds an ACE to an ACL.

I recommend reading the following article before proceeding: How Security Descriptors and Access Control Lists Work http://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx

This KB article provides documentation for ICACLS: http://technet.microsoft.com/en-us/library/cc753525(v=ws.10).aspx

Now the magic command:

icacls "f:\user" /grant builtin\Administrators:(OI)(CI)(F) /T /c

The above co

WMIC

WMIC is a command line interface to WMI (Windows Management Instrumentation). WMI is a powerful management interface that we can access directly from the command line.

WMIC can be used to manage remote computers.

If we want to execute WMIC commands on a single computer, we prepend the command with /node: as shown below:

/node:hostname123 - specifies a single server

wmic /node:hostname123 qfe where hotfixid="KB974571" list full

If we want to execute WMIC commands on multiple computers listed in c:\node.txt, we prepend the command with /node:@ as shown below:

/node:@'c:\node.txt' - specifies a text file with server names

wmic /node:@'c:\node.txt' qfe where hotfixid="KB974571" list full

It's worth keeping in mind that not all WMI classes have corresponding classes (called aliases) in WMIC. It is however possible to access WMI classes directly from WMIC:

wmic /namespace:\\root\NAMESPACE path CLASSNAME

To directly acces

Count number of lines - 'findstr'

How do I count the number of lines in a command output?

findstr /r/n "^" | find /c ":"

The above commands will display the number of lines output by whatever command (well, nearly whatever) you specify in front of them. For example:

C:\>ping localhost | findstr /r/n "^" | find /c ":"
FINDSTR: // ignored
12

This comes in handy if you want to find out how many OUs you have in Active Directory:

dsquery ou -limit 0 | findstr /r/n "^" | find /c ":"

How many user accounts there are:

dsquery user -limit 0 | findstr /r/n "^" | find /c ":"

Computers:

dsquery computer -limit 0 | findstr /r/n "^" | find /c ":"

Resolve list of hostnames to IP addresses

Recently I needed to check if a large number of hostnames were resolving to valid IP addresses on an internal network. This is what I came up with:

for /F %i in (names.txt) do @echo %i & nslookup %i | findstr /n "Address" | findstr /b "5"

The output looks as follows:

TESTBOX1
5:Address:  10.11.20.43
TESTBOX2
5:Address:  10.11.20.44
TESTBOX3
5:Address:  10.11.20.45
TESTBOX4
*** dnsbox1.lab.local can't find TESTBOX4: Non-existent domain

As we can see, the first three records resolve. The fourth one doesn't have a DNS record.

For this to work, each hostname must be on a separate line in a text file "names.txt" and the command must be run from the directory where the file sits. Alternatively you can specify the full path (i.e. c:\names.txt).

Let's break it down and see what's actually going on.

We use for /f loop to parse names.txt and assign each line to variable %i, we then suppress output  (@echo) of nslookup and parse it