Archive for March, 2009

Restarting a server at a certain time from across the LAN.

March 8, 2009 Andrew Morgan 2 comments

Just a quick entry, as I got an email requesting this today: “How can I schedule a restart on a remote server to run out of hours?”

This script uses at.exe, which is soon to be replaced by schtasks.exe. It can only be run by an administrator of the server you wish to restart, obviously.

Rem setting vars:
set server=servertorestart
set time=05:00

REM performing check for previous file and deleting it:
if exist \\%server%\c$\rebootme.bat del \\%server%\c$\rebootme.bat

Rem Creating reboot batch file:
echo shutdown -r -t 03 >> \\%server%\c$\rebootme.bat

Rem Scheduling the job:
at \\%server% %time% c:\rebootme.bat

To create a reusable, error-checking script with idiot-proof options, save the following as a .bat file:

@echo off
cls
Rem setting vars:
set /p server=[Please enter the name of the server you wish to restart:]
cls
echo Selected server = %server%
set /p time=[Please enter the time in HH:MM format at which you wish to restart the server: e.g. 05:00]
cls

REM performing final idiot check
echo Are you absolutely sure you wish to restart %server% at %time%?
Pause

REM performing check for previous file and deleting it:
if exist \\%server%\c$\rebootme.bat del \\%server%\c$\rebootme.bat & echo deleted previous file

Rem Creating reboot batch file:
echo shutdown -r -t 03 >> \\%server%\c$\rebootme.bat

Rem Ensuring reboot file exists:
if exist \\%server%\c$\rebootme.bat echo reboot script created successfully.
if not exist \\%server%\c$\rebootme.bat goto Failed

Rem Scheduling the job:
at \\%server% %time% c:\rebootme.bat
Echo Job scheduled, Script complete.
pause
Rem Exit here so a successful run does not fall through to the failure message:
exit

:failed
echo something failed, I'd look into that if I were you.

pause
exit

Categories: Antivirus, Citrix

Disabling Dep with a script

We had this problem recently with our XenApp servers: as part of the latest service pack, DEP (or Data Execution Prevention) has now been enabled for all applications across all platforms, and this can cause havoc in a terminal services environment.

The problem with DEP is simple: it's not a registry key and it's not an environment variable; it's a system setting loaded on startup from the boot.ini file. To make matters worse, it's a rather complicated setting, as it sounds like the opposite of what it is actually doing.

Take this for example, this is a server with DEP enabled:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /NoExecute=OptOut /fastdetect

What confuses me with the above statement is why Opting out means DEP is enabled? To disable DEP you need to change this switch to OptIn, which makes no sense to me at all.

To automate this change, I used a tool called RPL.exe, a direct translation of the Unix command/tool for replacing text inside a text file. Using RPL I could search boot.ini for the OptOut statement and replace it with OptIn (aka turn off DEP).

Because boot.ini is a system, read-only file by default, I first used the attrib command to remove the read-only, hidden and system attributes so the file could be edited:

attrib -r -h -s c:\boot.ini

Once the file was editable, I ran the rpl command to search and replace:

rpl.exe -i /noexecute=optout /NoExecute=OptIn c:\boot.ini

Once the file had been changed (if necessary), it was time to set it back to read-only, hidden and system before closing the script:

attrib +r +h +s c:\boot.ini

And voila, next reboot and DEP is gone :)
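
To check which DEP policy each boot entry actually sets before and after an edit like this, the following added example (not part of the original post) parses boot.ini text and reports the /NoExecute value: OptOut applies DEP to every process except listed exceptions, OptIn covers only Windows system binaries and programs that opt in, and AlwaysOff is the value that turns DEP off entirely. The function name, field names and sample file are constructed for illustration.

```python
# Added example (not from the original post); names and sample data are constructed.
import re

# Meaning of each /NoExecute value in boot.ini (Windows XP SP2 / Server 2003 SP1).
POLICIES = {
    "optin": "DEP for Windows system binaries and opted-in programs only",
    "optout": "DEP for all processes except those on the exception list",
    "alwayson": "DEP for all processes, no exceptions allowed",
    "alwaysoff": "DEP disabled",
}
# Values under which ordinary applications are covered by DEP.
ALL_PROCESSES = {"optout", "alwayson"}

ENTRY = re.compile(r'^(?P<path>[^=]+)="(?P<name>[^"]*)"(?P<switches>.*)$')
NOEXEC = re.compile(r'/noexecute=(\w+)', re.IGNORECASE)

def audit_boot_ini(text):
    """Return one finding per [operating systems] entry in a boot.ini."""
    findings, in_os = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_os = line.lower() == "[operating systems]"
            continue
        m = ENTRY.match(line) if in_os else None
        if not m:
            continue
        hit = NOEXEC.search(m.group("switches"))
        policy = hit.group(1).lower() if hit else None
        findings.append({
            "name": m.group("name"),
            "policy": policy,
            "meaning": POLICIES.get(policy, "no recognised /NoExecute switch"),
            "covers_all_processes": policy in ALL_PROCESSES,
        })
    return findings

# Constructed sample: the entry shown in the post, before and after the rpl edit.
SAMPLE = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003, Standard" /NoExecute=OptOut /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003, Standard (edited)" /NoExecute=OptIn /fastdetect
"""

if __name__ == "__main__":
    for finding in audit_boot_ini(SAMPLE):
        print(finding)
```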

How to hide a local printer on a Terminal / XenApp Server

We had a problem recently with the Adobe Professional suite installing a local printer on the XenApp server. This was great for users licensed to use Adobe Professional, but for users who weren't, it gave them a way to infringe the licensing simply by printing to this printer.

To limit the printer, you simply need to assign custom permissions to it, allowing members of a group (i.e. Adobe Professional users) to print to it and restricting everyone else. This works brilliantly: if a user has no permissions on the printer, the user can't even see it!

This can be done manually if you wish, but you can also script it using SetAcl.exe.

The documentation on their website is shockingly bad for printers, so below is an example of how to remove the permissions from a local printer:

setacl.exe -on "adobe pdf" -ot prn -actn clear -clr dacl,sacl

The following will grant the “local administrators” group full control of the printer for troubleshooting:

setacl.exe -on "adobe pdf" -ot prn -actn ace -ace "n:administrators;p:full"

And the following will grant the domain group “apps acrobat writer” the ability to view and print to the printer:

setacl.exe -on "adobe pdf" -ot prn -actn ace -ace "n:domain\Apps Acrobat Writer 9;p:print"

The whole lot together is below in Enteo scripting format:

Execute('.\extern$\setacl.exe -on "adobe pdf" -ot prn -actn clear -clr dacl,sacl')/?
Execute('.\extern$\setacl.exe -on "adobe pdf" -ot prn -actn ace -ace "n:administrators;p:full"')/?
Execute('.\extern$\setacl.exe -on "adobe pdf" -ot prn -actn ace -ace "n:emea\LPGP CTX Apps Acrobat Writer 9;p:print"')/?

Categories: Citrix