Windows NT Administration with Perl


As an NT Administrator, I found my job occasionally crossing over into development. And it seemed the more I did with scripting, the more things I found that could be done by scripting. Since my predecessor had built some tools using Perl, I have been maintaining those and building new ones. Unfortunately, there seems to be a real shortage of code available on the Internet. I hope this helps someone else out. I encourage anyone who finds these helpful to reciprocate by putting your work online as well.

All of these use the ActiveState Perl for Win32. They were originally written using version 5.005, but most seem to work just fine under version 5.6. Most of them also use Dave Roth's AdminMisc module.

The first group is designed to run on an IIS server and be accessed through a web browser. IE4 or above works best. See the NTAdmin page for more detailed information about how I set up the directories on my IIS box. Most of these have evolved based on the needs of an offsite centralized help desk. Giving them access to the web server lets them pull account information and perform certain limited account administration tasks, all with only port 80 open on the firewall. There is a private frame relay circuit between us and the help desk. If you were to run these over the internet (which I would not suggest), I would strongly suggest using SSL.

The second group is designed to be run from a command line, and in most cases dumps the output to a time-and-date stamped CSV file. In many cases, the input directory is set to H:\input, and the output directory to H:\output. That's because I was using my H: drive, with those directories. (Duh!) I hope to put up a zip of darn near everything I've done eventually.

Unless otherwise noted, I consider these finished, because they work for my purposes. Since the code is often derived from others, it's all covered by some sort of open-source license. The flip side of that is, I make no guarantee that they will work, and there are no promises that they won't break anything. Feel free to hack them as you wish; the worst that will happen is they'll break. Thanks to Ivan Lim and Dave Roth in particular for inspiration, and O'Reilly for their very good books on the subject.

Note that I've pulled out domain names and server names from these scripts. I will be continuing this process and posting more scripts as I get the time.

Web Enabled Tools

User Login Query
I did a complete rewrite of Ivan's User Login Query quite a while back. His was designed and implemented at Equifax, and was rather kludgy. It worked well, but when I went to Six Continents, it didn't do everything I wanted. For example, the login script at Equifax is about 300 lines, with various drive mappings based on group membership. So Ivan's script parses all that. Six Continents has a six line login script, with everyone mapped to a root share that group folders are off of. Which means I care about group memberships rather than drive mappings.

And because it was such a mess (an ASP page written in VBScript, calling Perl) it was due for a rewrite. I decided to start all over, just pulling out a few subroutines. I really haven't touched it in a while, as it really does everything I need now. I've got a "specific server" option, because we have a domain with about 100 DCs, scattered over most of the US. It notes if an account is disabled, if the password is expired, and if it's locked out. It will list all global and domain local account memberships. And Terminal Server information.

Group Member Query
Yes, this duplicates User Manager to some extent. However, I find the old-style interface incredibly annoying. For example, when I looked at the members of a group in User Manager, the end of the user's full name was cut off. And since the company I was working for when I originally created this uses three character IDs that have nothing to do with the user's real names, this can be tremendously useful information. This one is for IIS. Choose the domain, and a drop-down box populates with all the global groups in the domain. If for some reason, you just want to know how many users are in a group (we have some groups that are more for management purposes than for access control), you can uncheck the "Show Group Members" box, and it will just give you the count. That's a big time saver if it's a 6000 member group...

Password Reset
While I was at Equifax, our help desk moved local after being offsite, and we wanted to allow them to reset passwords. However, I prefer not to give people more than they need. Since NT4 does not have a "reset password" privilege (a serious oversight in my opinion), I wrote this script. It runs on an IIS server; configuration instructions are in the comments. Note that the people running it will need to be Account Operators or Administrators. The main use of this is to avoid loading NT Server Tools on everyone's PCs. It can also be useful when there is no NetBIOS connection between the people using it and the domain, which is the situation at Six Continents. It clears both the "User Cannot Change Password" and "Password Never Expires" flags, as well as making you confirm the password.

Account Reset
When a rogue administrator suddenly changed the account policy for the domain, we were presented with a problem. We had wanted to do this, but in a more orderly fashion, so we wanted to minimize the impact but leave things like password expiration and account lockouts in place. We had the password reset functions set up already, but the help desk had no way to unlock accounts. So I whipped this up that day. It's worked just fine, so I have had no reason to do anything else to it yet. The easiest way to set it up is to put it in the same directory as the password reset tool; the NTFS security and IIS authentication need to be the same.

Command Line Tools

ArcServeParse3.zip
If you've ever used ArcServe for NT backups, you know how difficult it can be to figure out if the backups were actually successful or not. This script is designed to be run as a Scheduled Task every day that backups run. It finds all the errors and warnings in the logs from the past 24 hours and dumps them to a CSV file. As long as I keep having to deal with ArcServe, I will most likely continue to work on this one. I'd like to put the output in an Excel spreadsheet, using OLE, and format it better.

CCmailParse.zip
This is just a variation of the ArcServe script above, rewritten to parse a CC:mail address list into a tab-delimited text file.

DA_accounts2.zip
I wrote this one when I was moved to a new outsourcing account. We soon determined that there were a lot of accounts that had been disabled, with no indication made anywhere that could be easily seen in User Manager. Run it at a command line, and it dumps the disabled accounts in the domain to a CSV file.

GroupCounter3.zip
I wrote the original version of this when we were rolling out a virus update through the logon script. (By the way, I do NOT recommend doing this. There were numerous problems caused by this quick fix.) We wanted to be careful how many people we hit with the update each day, so we used this to find out how many users were in each group. I later updated and improved it slightly, again when I changed locations. We found over 100 groups with fewer than five users in them. Literally dozens of groups had either one or zero users in them.

mappings3.zip
"Mappings" may not be the best name for this, but it's the name it's been given. It actually creates a CSV file of all the users in the domain and the logon script assigned, if any. If there is no logon script, it notes that. Useful when you want to clean out the NETLOGON shares.

PasswordAge2.zip
This is a script that shouldn't be necessary. Unfortunately, I've needed it at two straight jobs. It dumps all the usernames in the domain, along with the age of the password, to a CSV file. I have used it when putting password age limits in place. (Yes, I know they should be there from day one, but apparently not everyone understands this.) By running this script regularly, you can lower the maximum password age in steps, affecting a predetermined number of users in each step. This keeps from causing too much havoc at one time, and perhaps even more importantly keeps everyone's password from expiring at the same time over and over.
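The step-down procedure above, worked through as an added example (not one of the scripts on this page): given a username/password-age listing of the kind PasswordAge2 writes, pick the next maximum password age so that no more than a chosen number of users expire in this step. The CSV layout, the target age and the batch size are assumptions; the sample data is constructed.

```perl
use strict;
use warnings;

# Constructed sample in the assumed layout: username,password_age_days
my $csv = <<'END';
username,password_age_days
abc,412
def,390
ghi,388
jkl,200
mno,95
pqr,61
END

my $target_max = 90;   # assumed: maximum password age you want to end up at
my $batch_size = 2;    # assumed: most users allowed to expire in one step

# Returns the next maximum age to set and the users whose passwords it expires.
sub next_step {
    my ($age, $target, $batch) = @_;
    # Users still older than the target, oldest password first.
    my @pending = sort { $age->{$b} <=> $age->{$a} }
                  grep { $age->{$_} > $target } keys %$age;
    return ($target, \@pending) if @pending <= $batch;
    # Stop at the age of the first user who should NOT expire yet; only
    # passwords strictly older than the new maximum are affected.
    my $next = $age->{ $pending[$batch] };
    my @hit  = grep { $age->{$_} > $next } @pending;
    # A run of identical ages can leave nothing to expire; then drop one
    # more day and accept that the whole tie expires together.
    if (!@hit) { $next--; @hit = grep { $age->{$_} > $next } @pending; }
    return ($next, \@hit);
}

my %age;
for my $line (split /\n/, $csv) {
    next if $line =~ /^username/;         # skip the header row
    my ($user, $days) = split /,/, $line;
    $age{$user} = $days;
}

my ($next_max, $hit) = next_step(\%age, $target_max, $batch_size);
print "Set maximum password age to $next_max days\n";   # 388 for the sample
print "Passwords that expire this step: @$hit\n";        # abc def
```

Re-run PasswordAge2 before each step, since the ages keep growing between runs and the next cut-off has to come from fresh data.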

HelpDesk.zip
We needed to add the help desk people to the Print Operators group, so I wrote this quick command-line script to do it. Basically, it is designed to take anyone who is in two particular groups and add them to a third group. While it is currently specific, it can be generalized. Kind of a "No Big Deal" script...

Remember, don't reinvent the wheel if you don't have to.