LUSER (Lookup User) – v2.21
Paul Price (readysound@gmail.com) – June 2012
Download from: http://www.safetoland.com/pctools.html

What is it?
LUSER started life as a program that attempts to find a user’s hostname and IP address by searching on their Active
Directory logon name. It has developed significantly over the years: there are now many pre-defined admin ‘tools’ and
functions that can be remotely executed on the target machine. If you already know the IP / hostname for a user, no
problem: the program allows hosts to be entered manually so you can run the admin tools directly. LUSER
now also has various other functions: quickly list Terminal Services sessions on servers and kill them off if you wish
(quicker than loading TS Manager), run strong cryptography (AES256-PGP) and secure wiping tools, make batch
folder ACL changes to multiple folders in one go, perform detailed reporting on Active Directory, and more.

Why?
To make my life a lot easier! I work in a Microsoft Active Directory server environment with hundreds of PC clients
and servers. We have a large support team and are constantly using remote assistance to help users. I was initially
frustrated by the fact that there was no easy way to find a user’s machine name / IP just from their logon name,
without consulting the user or perhaps using fsmgmt.msc to search on file servers.

So I made LUSER (‘Lookup User’). The search depends entirely on finding a user’s network session on a server, so it
may be more successful in some companies than others (we use a lot of file servers). I’ve slowly added
functionality to this program over a long period of time, and have decided to release a ‘public’ version, which has
received positive feedback from IT people all over the world. A lot of effort has gone into creating this version, so if
you use it and like it, please consider donating to encourage development and to help with hosting costs (contact me
for details).


Who is it for?
This is for network admins / domain admins / IT Support Desks etc. working in a Microsoft Active Directory
environment. Note however that by default, the search functionality and AD query functions of LUSER should work
for anyone regardless of permissions.


How to use it
The program is a single standalone executable, “Luser.exe”. I personally drop this into a system ‘%Path%’ folder
(e.g. “…Windows\system32”, or make your own) so I can call it quickly from the START\RUN (Windows key + R)
command. Feel free to put it on your desktop, rename it, etc.

The program can be run directly (by double-clicking the icon) or from the command line. When run from the
command line (e.g. via Windows START\RUN) you can pass it a username (logon name) parameter or a user display
name parameter to search on straight away:

    Luser.exe {optional username/~displayname}

NOTE: If you provide a username (samaccountname), LUSER will begin the search immediately. If you want to search
on a user’s display name instead (full or partial), you may specify this using the ~ character before your entry. See
“FIND HOST FROM USERNAME” later in this document.

LUSER doesn’t use a GUI, since it is quicker to operate (once learned) using the keyboard only.

Configuring LUSER for your environment (do this before using)
Create a folder in the root of your %systemdrive% (usually the C: drive) called “LUSER”. Within this folder, create
the text files named below (the last two are optional):

    •   Servers.txt
    •   Domain.txt
    •   DNSsuffix.txt
    •   ExcludeServers.txt (This file is optional)
    •   VNCsettings.reg (This file is optional)

SERVERS.TXT: This is used for the user/PC search functionality of LUSER. List all of the servers that you want to search
on in this file, one per line. You may use hostnames or IP addresses (hostnames recommended for ease). The more
servers you have in this file, the longer the search may take, so make sure you use servers that are likely to have
user network sessions on them, e.g. file servers, print servers, application servers. I use around 20 servers in my search,
which is fine (searching is pretty quick per server, often less than 1 second). See the “DISCOVER SERVERS TO USE
FOR SEARCH” feature details later in this guide.

DOMAIN.TXT: Put the name of your domain in this file, on a single line. Do not use the fully qualified domain name
(FQDN). For example, if your domain is “Acme.local” use “Acme” (without quotes).

DNSSUFFIX.TXT: Put the DNS suffix in this file, on a single line. The DNS suffix is the part that comes after your host
names to make them fully qualified in your domain (eg, MYPC.ACME.LOCAL). You must enter this with a leading ‘.’
character. So, using the previous example, the value would be “.acme.local” (without quotes).

EXCLUDESERVERS.TXT: OPTIONAL. Put the hostnames that you want to ignore in this file, one per line. If a user is
found to be on one of these hosts during the search, it will be ignored (however you will be informed). This is handy
if you have Citrix servers, for example, and you’re not interested in including them in the search (perhaps because
you only want to find actual users’ PCs instead). If using this feature, enter both the DNS hostname and the IP for
each host if possible (on separate lines).

VNCSETTINGS.REG: This registry file should be created to use the “VNC INSTALL” function. It allows you to apply
pre-defined TightVNC settings on a remote computer when installing TightVNC, i.e. password, session parameters,
connection port etc. To create this file, set up TightVNC on your own PC, set the password and other settings to your
liking, then export the relevant registry keys below to the VNCSETTINGS.REG file.

        “[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]” for 32 bit machines
        “[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TightVNC]” for 64 bit machines

NOTE: You can include both 32 bit and 64 bit keys in the reg file if you deploy VNC to a mixture of 32 and 64 bit
clients.

IMPORTANT: If you don’t do the above correctly, various features may not work.

To fully use all of the remote tools, the account that you run LUSER under should ultimately have local admin rights
on the target (remote) machines.

If you have Windows 7 or Vista target machines, ensure that the “Remote Registry” service is started on all of them.
This can be enforced by Group Policy in your organisation. Without this service running, various tools will not run
properly.
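
As an added illustration (not part of LUSER; written in Python for this guide), the following script reads a LUSER-style
configuration folder and checks it against the rules above: a short domain name rather than an FQDN in Domain.txt, a
leading ‘.’ in DNSsuffix.txt, and a non-empty server list. It also shows how a host found during a search can be matched
against ExcludeServers.txt by short name, FQDN or IP. The folder, server names and addresses are constructed sample values.

```python
"""Loader and sanity checks for a LUSER-style configuration folder.

Added example, not part of LUSER. It reads Servers.txt, Domain.txt,
DNSsuffix.txt and the optional ExcludeServers.txt from a folder, applies the
rules given in the guide, and decides whether a host found during a search
should be ignored. File contents used by the demo are constructed.
"""
import os
import tempfile


def _read_lines(folder, name, problems, optional=False):
    """Return non-empty, stripped lines of a config file; record a problem if a required file is missing."""
    path = os.path.join(folder, name)
    if not os.path.exists(path):
        if not optional:
            problems.append(f"{name} is missing")
        return []
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


def load_config(folder):
    """Parse the folder and return its settings plus a list of problems (empty when all is well)."""
    problems = []
    servers = _read_lines(folder, "Servers.txt", problems)
    if not servers:
        problems.append("Servers.txt lists no servers to search")

    domain_lines = _read_lines(folder, "Domain.txt", problems)
    domain = domain_lines[0] if domain_lines else ""
    if len(domain_lines) != 1:
        problems.append("Domain.txt must contain exactly one line")
    if "." in domain:
        problems.append("Domain.txt must hold the short domain name, not the FQDN (Acme, not Acme.local)")

    suffix_lines = _read_lines(folder, "DNSsuffix.txt", problems)
    suffix = suffix_lines[0].lower() if suffix_lines else ""
    if len(suffix_lines) != 1:
        problems.append("DNSsuffix.txt must contain exactly one line")
    elif not suffix.startswith("."):
        problems.append("DNSsuffix.txt must start with a leading '.' (.acme.local)")

    # Hostnames are case-insensitive; the guide suggests listing both name and IP.
    excluded = {h.lower() for h in _read_lines(folder, "ExcludeServers.txt", problems, optional=True)}
    return {"servers": servers, "domain": domain, "dns_suffix": suffix,
            "excluded": excluded, "problems": problems}


def is_excluded(config, hostname, ip):
    """True when the host matches ExcludeServers.txt by short name, FQDN or IP address."""
    name = hostname.lower()
    suffix = config["dns_suffix"]
    candidates = {name, ip}
    if suffix and name.endswith(suffix):
        candidates.add(name[: -len(suffix)])   # FQDN given: also try the short name
    elif suffix:
        candidates.add(name + suffix)          # short name given: also try the FQDN
    return bool(candidates & config["excluded"])


def demo_config(good=True):
    """Write a constructed sample folder (not real servers) into a temp dir and load it."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "Servers.txt": "FS01\nFS02\nPRINT01\n",
            "Domain.txt": "Acme\n" if good else "Acme.local\n",
            "DNSsuffix.txt": ".acme.local\n" if good else "acme.local\n",
            "ExcludeServers.txt": "CITRIX01\n192.0.2.50\n",
        }
        for name, body in files.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return load_config(tmp)


if __name__ == "__main__":
    for problem in demo_config(good=False)["problems"]:
        print("problem:", problem)
    cfg = demo_config(good=True)
    print("valid config:", not cfg["problems"])
    print("citrix01.acme.local excluded:", is_excluded(cfg, "citrix01.acme.local", "192.0.2.51"))
```

Run it as a script to see the problems reported for a deliberately bad folder; point load_config at your real C:\LUSER
folder to check that one.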

LUSER Main Menu

S = FIND HOST FROM USERNAME
This will allow you to find the host name and IP address of the PCs that a particular user is logged into. Enter the
username of the user to begin the search. If you want to search based on the user’s actual name (display name) you
may do this by preceding your entry with the ~ character, e.g. ~paul price. This will initiate an Active Directory
lookup. Partial names may also be provided in this way, e.g. ~smith will return all users with “smith” anywhere in
their Active Directory display name. If multiple users are returned, you are asked to select the one you want to
search on (job title, department and username are given for each to help you differentiate). If only one user is found,
that one is used for the search (without prompting).

Once a user has been found, further information is gathered and you can perform various admin tasks (see “Admin
Tools Menu”).

H = ENTER HOST TO RUN TOOLS ON
If you already know the IP or DNS Hostname of a machine that you wish to perform the admin tasks on, you may
enter it using this option.

TS = KILL TS SESSION
Here you may specify a server to view Terminal Services session information. You may then kill a session if required
(quicker than loading Terminal Services Manager etc).

ACL = BULK MODIFY NTFS FOLDER PERMISSIONS
This will allow you to modify the NTFS permissions on many folders in one go. This is very handy for granting or
denying permissions to multiple users or groups, for one or many folders.

C = CRYPTO + SECURE WIPE
From here you can access various security and encryption tools. You can encrypt or decrypt a file or clipboard text,
securely wipe a file or directory, or securely clean the free space on your hard disk preventing people from
undeleting data. The encryption / decryption uses GnuPG’s PGP implementation utilising 256-bit AES.

SVR = DISCOVER SERVERS TO USE FOR SEARCH
This attempts to discover the best Windows servers to use for the Search functionality (FIND HOST FROM
USERNAME). These servers can then be specified in the “servers.txt” file mentioned earlier. It works by getting a list
of all Windows Server computers in your AD, finding out which are online (using a single ping, so ICMP must be
enabled), then enumerating all network sessions on each server and presenting the results in a CSV/spreadsheet. Sort
this by most sessions first: these are the servers to use. Servers below 15 sessions probably won’t be much use.

U = UTILITIES

The UTILITIES menu contains various network and system utilities that you may find useful.

DL = DNS RECORD LOOKUP

This provides a GUI for DNS record lookup for multiple domains at once (all common DNS record types can be looked
up). The Google public DNS server (8.8.8.8) is used by default but this can be changed.

DR = DNS AND MAC RESOLVER [IP RANGE]

This allows you to query DNS (‘A’ records) for a range of IPs as well as performing ARP lookups for MAC address
resolution (for LAN nodes only). Note that this doesn’t perform a ping to confirm that nodes are responding (use the
PR utility below for that); it simply looks up DNS names for the IP range. The key benefit of this tool is the MAC
resolution, as this usually indicates a ‘live’ routable node regardless of whether it has a DNS entry or even if it
doesn’t ping (e.g. a firewall). MAC lookup will only work for LAN nodes because MAC addressing works at layer 2 of
the network, not layer 3, so make sure you run this from the subnet you’re scanning.

P = PING IP RANGE + STATS

This allows you to periodically ping a range of IP addresses and view stats in a GUI. Handy for auditing a network and
for checking when multiple hosts come back up, if doing bulk reboots for example. Also useful to see connectivity
stats (average latency, percentage failure/success etc.) to establish basic WAN / LAN health. This will not work for any
nodes that block ICMP traffic, e.g. firewalls, so don’t rely on this to identify all network nodes. If auditing a LAN, the
MAC resolver in the above tool coupled with the PR tool below are best.

PR = PING SCAN AND DNS RESOLVE

This allows you to ICMP (ping) scan an IP range and resolve the hostnames of the nodes that respond. Note that
some nodes (firewalls etc) will block ICMP traffic so they will not show using this utility.

PS = PORT SCAN IP/IP RANGE

This allows you to perform a port scan on a range of IPs to see which TCP and/or UDP ports are open. From this you
may determine what services are available (see ICANN registered ports below).

PO = SHOW ICANN REGISTERED PORTS

Displays a list of all ‘well known’ and registered TCP and UDP ports. Use this with the port scanner to help determine
what services are available on a machine.

RS = REGISTRY SCANNER

This is a very comprehensive registry scanner (GUI). Found registry entries can automatically be navigated to via
Regedit. This tool can also scan remote PC registries.

FS = FILE SEARCHER

A comprehensive file searcher (GUI). I often find myself using this instead of the Windows search.

AD = ACTIVE DIRECTORY FUNCTIONS

This takes you to the AD Functions area where you can query Active Directory using some pre-set functions or you
can use the Custom Query option to get very specific and detailed reports. Most functions output to CSV for easy
manipulation in Excel. Note that you can’t make changes to AD here, so it’s safe to experiment. Below is a
description of each function:

G = DISPLAY MEMBERS OF A GROUP
This allows you to view the members of a group in Active Directory. It sorts the members in alphabetical order. It
also gives you the option of expanding all nested sub-groups in the output results; very handy for enumerating
everyone who ultimately has membership of a group.

GPO = LIST ALL GROUP POLICY OBJECTS
This simply displays the names of all GPOs in your Active Directory.

M = SHOW USER GROUP MEMBERSHIPS
This allows you to see what groups a particular user is a member of. You also have the option of seeing what
inherited/indirect groups the user is a member of, as a result of their direct group memberships.

U = SHOW DETAILED USER INFORMATION
This allows you to pull detailed information for the user you specify. This function is also available directly from the
Search user/hostname function when a user is found. Information includes user object SID, Distinguished Name,
password last set, Last logged on, Office, Dept, Job Title, phone numbers, default email address, mail server, home
drive, profile path etc…

C = SHOW INFO FOR ALL COMPUTERS
This will pull various information from all computer objects in your Active Directory domain, including Name,
Operating System, DN, Last Password Set (NOTE: This value shows when the Computer last authenticated with AD
and is accurate within 14 days by default, due to how AD replicates this attribute). This is a great way to see what
OSes are out there, and what old Computer objects to get rid of.

P = SHOW ENABLED USERS WITH NO PASSWORD EXPIRY
This is handy as part of your security audit. It will show only enabled User objects that are set with “password never
expires”. The report also shows when the password was last set.

US = USER SEARCH
This allows you to report on “all enabled users”, “all disabled users” or “all users” in AD. Alternatively, you can type
in part of a name or username and it will search for a match using that instead (handy if you only know part of a
user’s name and need more info on them). The report is very detailed, allowing you to see many attributes.

DI = DOMAIN INFO
This will tell you various things about your domain including: Domain Policy (password policy etc.), which
forest/domain functional mode is in use, which servers host the 5 Operations Masters (FSMO) roles, all Domain
Controllers, a list of all sites and their associated subnets, any trusts with other domains and the trust type.

CQ = CUSTOM QUERY [ADVANCED]
This allows you to enter your own LDAP query, and specify the output attributes to be included in the CSV report.
This is very powerful if you’re familiar with LDAP. The syntax must be correct or it won’t work, and you must know
the names of the attributes you want returned. A help document is available within this mode (type H to see it)
which provides handy search criteria and lists all common attributes for objects. Unfortunately the logic operators &
| ! normally used in LDAP need to be substituted with alternatives due to issues with user input interpretation;
however, this is all explained there. I recommend you use Notepad to hammer out your queries and paste them in so you
don’t lose them if it goes wrong!
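
As an added worked example (not LUSER’s own code; written in Python with constructed user records), this shows the check
behind the P = SHOW ENABLED USERS WITH NO PASSWORD EXPIRY report using the standard userAccountControl flag values,
and builds the equivalent LDAP filter in standard syntax. To use that filter in the Custom Query mode, swap the & and !
operators for the alternatives the in-program help describes.

```python
"""The check behind the 'enabled users with no password expiry' report.

Added example, not LUSER's own code. It evaluates the standard
userAccountControl bit flags over constructed user records and also builds the
equivalent LDAP filter in standard syntax (the guide notes that LUSER's Custom
Query mode wants its own spellings of the & | ! operators, so adapt it there).
"""
from datetime import datetime, timezone

# Standard Active Directory userAccountControl flag values.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
# Matching-rule OID for a bitwise AND test in LDAP filters.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample data; pwdLastSet is shown as a datetime instead of the raw
# FILETIME value AD stores.
DEMO_NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "pprice", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime(2012, 5, 1, tzinfo=timezone.utc)},
    {"sAMAccountName": "svc_backup", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": datetime(2009, 1, 15, tzinfo=timezone.utc)},
    {"sAMAccountName": "old_admin",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE,
     "pwdLastSet": datetime(2008, 3, 3, tzinfo=timezone.utc)},
    {"sAMAccountName": "kiosk", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": datetime(2012, 3, 1, tzinfo=timezone.utc)},
]


def ldap_filter_no_expiry():
    """LDAP filter for enabled user objects whose password is set to never expire."""
    rule = LDAP_MATCHING_RULE_BIT_AND
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{rule}:={DONT_EXPIRE_PASSWORD})"
            f"(!(userAccountControl:{rule}:={ACCOUNTDISABLE})))")


def enabled_no_expiry(users, now=None, stale_days=365):
    """Report rows for enabled users with DONT_EXPIRE_PASSWORD set, oldest password first.

    The password age is included because 'never expires' combined with a
    pwdLastSet from years ago is the finding an audit should chase first.
    """
    now = now or datetime.now(timezone.utc)
    rows = []
    for user in users:
        uac = user["userAccountControl"]
        if uac & ACCOUNTDISABLE or not uac & DONT_EXPIRE_PASSWORD:
            continue  # disabled accounts and expiring passwords are not reported
        age = (now - user["pwdLastSet"]).days
        rows.append({"sAMAccountName": user["sAMAccountName"],
                     "pwdAgeDays": age, "stale": age > stale_days})
    return sorted(rows, key=lambda row: row["pwdAgeDays"], reverse=True)


if __name__ == "__main__":
    print(ldap_filter_no_expiry())
    for row in enabled_no_expiry(SAMPLE_USERS, now=DEMO_NOW):
        print(row)
```

The disabled account old_admin is skipped even though its password never expires, and svc_backup (password last set in
2009) comes out first, which is the kind of account this report exists to surface.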

OU = OU VIEWER UTIL [QUICKLY COPY DNs]
This will display a GUI showing the OU structure of your Active Directory. It allows you to quickly copy the
Distinguished Names of an OU, for use in reporting and custom queries.

E = SHOW EXCHANGE SERVERS IN USE
This will list all Exchange servers (MTAs) in use by Users in your organization.

NOTE: Distinguished Name filtering
For some of the functions above, you are given the option of filtering the Distinguished Names of the objects you
search. This is accomplished using an INCLUDE and/or EXCLUDE DN filter, which ultimately lets you control which
OUs these functions include or exclude. The filters work by matching your criteria ANYWHERE in the DN of objects.
So, e.g., if you type ‘accounts’ in the exclude filter, any objects that have ‘accounts’ ANYWHERE in their DNs will not
be returned. To exclude any OU called ‘accounts’ you’d type ‘ou=accounts,’ (note the end comma). If you wanted to
exclude a particular OU called ‘accounts’ within the domain Acme.com: ‘ou=accounts,dc=acme,dc=com’.
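
An added example (Python, not LUSER’s code) of the INCLUDE/EXCLUDE matching just described, run over a handful of
constructed DNs. It shows why a bare ‘accounts’ also drops a mailbox whose CN happens to contain the word, whereas
‘ou=accounts,’ only drops objects in an OU of that name, and ‘ou=accounts,dc=acme,dc=com’ leaves an OU of the same name
in a child domain alone.

```python
"""Include/exclude filtering on Distinguished Names, as the NOTE above describes.

Added example, not LUSER's code. Each filter is a plain substring matched
ANYWHERE in the DN (compared case-insensitively, as AD treats DNs), which is
why a bare 'accounts' also drops a mailbox whose CN contains the word, while
'ou=accounts,' matches only objects inside an OU of that name. Sample DNs are
constructed.
"""

SAMPLE_DNS = [
    "CN=Paul Price,OU=IT,OU=Staff,DC=acme,DC=com",
    "CN=Jane Smith,OU=Accounts,DC=acme,DC=com",
    "CN=Accounts Payable Mailbox,OU=Resources,DC=acme,DC=com",
    "CN=Bob Jones,OU=Accounts,DC=corp,DC=acme,DC=com",
    "CN=Sam Lee,OU=Sales,OU=Staff,DC=acme,DC=com",
]


def filter_dns(dns, include=None, exclude=None):
    """Keep DNs that contain the include text (if given) and not the exclude text (if given)."""
    inc = (include or "").lower()
    exc = (exclude or "").lower()
    kept = []
    for dn in dns:
        low = dn.lower()
        if inc and inc not in low:
            continue  # include filter set and not matched anywhere in the DN
        if exc and exc in low:
            continue  # exclude filter matched somewhere in the DN
        kept.append(dn)
    return kept


def cn_of(dns):
    """Value of the first RDN of each DN, for readable output."""
    return [dn.split(",", 1)[0].split("=", 1)[1] for dn in dns]


if __name__ == "__main__":
    cases = [
        ("exclude 'accounts'", None, "accounts"),
        ("exclude 'ou=accounts,'", None, "ou=accounts,"),
        ("exclude 'ou=accounts,dc=acme,dc=com'", None, "ou=accounts,dc=acme,dc=com"),
        ("include 'ou=staff,'", "ou=staff,", None),
    ]
    for label, inc, exc in cases:
        print(f"{label}: {cn_of(filter_dns(SAMPLE_DNS, inc, exc))}")
```

The trailing comma matters because it anchors the match to the end of an RDN: ‘ou=accounts’ without it would also match
an OU called ‘Accounts Receivable’.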

FIND HOST FROM USERNAME : Admin Tools Menu

When a user is found, their full name, telephone number and roaming profile status is displayed along with the
hostname and IP address of the machine they’re logged on to. Hit UI if you need more detailed user info.

As well as the above, there are various admin tasks that you can perform. Below is a description of each.

RET = REMOTE ASSIST
Hitting the return key will launch the Windows remote assistance window allowing you to control the user’s PC.
This function adapts to your OS and launches the appropriate remote assistance tool.

C = CONTINUE SEARCH
This will continue the user search on the rest of the file servers specified in your “SERVERS.TXT” file. This is useful if
the user is logged on to more than one machine, and the one you’ve found isn’t the correct one.

V = VNC CONNECT
This will launch the included TightVNC viewer and attempt to connect to the machine using VNC.

EV = EVENT VIEWER
This will launch the Windows Event Viewer allowing you to browse the remote machine’s event logs.

TR = TRACE ROUTE
This will perform a trace route from your machine to the user’s machine.

PI = PING [CONTINUOUS]
This will continuously ping the remote host in a separate window. Handy when rebooting a remote machine or
testing network connectivity.

ST = SCHEDULED TASKS
This will show you the scheduled tasks that are set to run on the remote machine.

IP = SHOW IP ACTIVITY
This will show you the Netstat activity on the remote machine, allowing you to see all TCP / UDP activity, including
ports, source and destination addresses etc. If you chose the Full Report, you will see the names of the processes
that have established these connections.

LA = LOGON AUDIT XP PC
This will query the remote PC’s Security event log (ensure this is enabled on your client PCs, e.g. via GPO). This
reports user logon activity on the remote machine and distinguishes between interactive (console) logons, remote
logons via RDP, workstation unlocking and even scheduled task logons amongst others. It has options to report on
the specified user, all domain users, or just Remote Assistance logons so you can see how often and when a user has
been helped via Remote Assistance. You can choose to open the results in notepad as a txt file or in Excel. I
implemented this when being asked by managers if it was possible to check logon times for employees (for lateness).
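
As an added example (Python, not LUSER’s code), here is the classification a logon audit performs, run over a constructed
CSV export of Security-log events. Event IDs 528/540 (XP) and 4624 (Vista and later) are the standard successful-logon IDs
and the logon type codes are the standard Windows values; the times, users and records are made up. For the ‘lateness’
question mentioned above, it also reports a user’s first console logon per day.

```python
"""Classify Windows Security-log logon events by logon type.

Added example, not LUSER's code. It reads a constructed CSV export of
successful-logon events (XP event IDs 528/540, or 4624 on newer Windows),
labels each by its logon type using the standard Windows logon type codes
and, for the 'lateness' question in the guide, reports the first console
logon per day for a chosen user. Event IDs and logon types are standard;
the records themselves are made up.
"""
import csv
import io

SUCCESS_LOGON_EVENTS = {528, 540, 4624}
LOGON_TYPES = {
    2: "interactive (console)",
    3: "network",
    4: "batch (scheduled task)",
    5: "service",
    7: "unlock",
    10: "remote interactive (RDP)",
    11: "cached interactive (console, offline)",
}
CONSOLE_TYPES = {2, 11}

# Constructed sample export: time,event_id,logon_type,user (529 is a failed logon)
SAMPLE_LOG = r"""time,event_id,logon_type,user
2012-06-04 03:00:00,528,4,ACME\svc_backup
2012-06-04 08:47:12,528,2,ACME\pprice
2012-06-04 08:47:30,540,3,ACME\pprice
2012-06-04 12:15:02,528,7,ACME\pprice
2012-06-04 14:02:44,528,10,ACME\helpdesk
2012-06-05 09:12:05,528,2,ACME\pprice
2012-06-05 09:30:00,529,2,ACME\pprice
"""


def logon_audit(export_text, user=None):
    """Return labelled rows for successful logons, optionally for one user, sorted by time."""
    rows = []
    for rec in csv.DictReader(io.StringIO(export_text)):
        if int(rec["event_id"]) not in SUCCESS_LOGON_EVENTS:
            continue  # failures (e.g. 529) and unrelated events are not logons
        if user and rec["user"].lower() != user.lower():
            continue
        logon_type = int(rec["logon_type"])
        rows.append({"time": rec["time"], "user": rec["user"], "logon_type": logon_type,
                     "label": LOGON_TYPES.get(logon_type, f"other ({logon_type})")})
    return sorted(rows, key=lambda r: r["time"])


def first_console_logon_per_day(rows):
    """Earliest console logon (type 2 or 11) for each date present in rows."""
    first = {}
    for row in rows:
        if row["logon_type"] not in CONSOLE_TYPES:
            continue
        day, clock = row["time"].split(" ")
        first.setdefault(day, clock)  # rows are time-sorted, so the first seen is the earliest
    return first


if __name__ == "__main__":
    pprice = logon_audit(SAMPLE_LOG, user=r"ACME\pprice")
    for row in pprice:
        print(row["time"], row["label"])
    print(first_console_logon_per_day(pprice))
```

Note that the unlock at 12:15 and the network logon at 08:47:30 are deliberately not counted as arrivals: only the
console logon types say when someone actually sat down at the machine.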

DI = DISK SPACE
This will quickly show you the disk space stats for all fixed disks on the remote machine.

? = HELP / INFO
Info about LUSER

E = EXPLORE C$
Navigates to the C$ administrative share on the remote computer (if enabled).

U = UNLOCK XP PC
Yes, believe it or not, this will remotely unlock a locked XP workstation. Once unlocked, hitting return will lock the
machine again. NOTE: If you unlock a machine in this way, a side effect is that the machine cannot be shutdown,
restarted or logged out at the console, you must re-lock the machine by hitting return. This is a ‘safe hack’, but a
hack none the less, so use with caution.

VI = INSTALL VNC
This will silently install TightVNC on the remote machine. After installing it will apply the VNCSETTINGS.REG registry
information (if you’ve created it – see “Configuring LUSER for your environment”).

T = TASK MANAGER
This will launch a text based version of the Task Manager (processes tab) for the remote machine, which updates
regularly. This is very handy to quickly see what is taking up system resources on a remote machine without logging
on directly.

LS = LIST SOFTWARE
This will list all of the software installed on the remote machine, including Windows hotfixes. Also displays other host
information (OS, CPU, Memory, IE Version etc).

I = PC INFO
This will display various system information for the remote PC including up-time, make and model of machine,
memory and virtual memory (total and available) and also screen dimensions in use.

D = LIST DEVICES
This lists every device within and connected to the remote PC, as would be shown in Device Manager. It will open
in Notepad; make sure that word-wrap is off to make sense of it.

ER = LAST 300 ERRORS
This will interrogate the remote PC’s event logs. It will show the last 300 System error events and the last 300
Application error events and display them in Notepad. Make sure word-wrap is off to make sense of it. Very handy
for quickly diagnosing problems, eg, physical disk errors, GPO client side extensions not running, apps crashing –
remember this just shows the errors, not warnings or information events.

LI = LOGGED IN INFO
This shows the details of whoever is currently logged in on the remote machine. Handy if you’ve manually specified
the hostname and want to quickly see who’s logged on at the console.

S = SEARCH NEW USER
This will prompt you to enter a new username to search for from scratch.

SS = SERVICE STATES
This will show the Services for the remote machine and will list them as either STARTED or STOPPED.

Q = Quit
Quits back to the main menu.

L = LIST PROCESSES
This will list all of the processes running on the remote machine, including their memory usage and Process ID (PID).
This can be used in conjunction with the KILL PROCESS option.

K = KILL PROCESS
This will prompt you for the PID number of the process you wish to kill on the remote machine. Be careful that you
pick the correct process! This option will attempt to force a close, so any unsaved work etc could be lost depending
on what you’re killing. Very handy but use with caution.

VR = REMOVE VNC
This will silently remove the TightVNC installation from the remote machine. Registry settings will remain.

H = ENTER HOST MANUALLY
This will allow you to enter an IP / hostname manually rather than searching from a username. This is handy if you
know the hostname / IP and you just want to run the tools on it. LUSER adapts in this mode and removes any
options that don’t apply in ‘Host only mode’ (like “Show RSOP Data” or “List User Memberships”).

R = RESTART/SHUTDOWN PC
This will allow you to either restart or shutdown the remote machine. A word has to be typed for security so it’s not
easy to do this by accident.

A = LIST ADMINISTRATORS
This will list the members of the local Administrators group on the remote machine.

P = SHOW RSOP DATA
This shows the Resultant Set Of Policies (RSOP) information for the user on the remote machine. This is great for
quickly seeing what computer and user policies have been applied to the remote session and for diagnosing Group
Policy issues.

SE = STARTUP ENTRIES
This will display a list of all programs that are set to run at startup on the remote machine. It will also tell you under
which user account they are set to start. This lists both startup entries set in the registry and those in the user’s Startup
folder.

DN = DISTINGUISHED NAMES
This will show you the DN’s for the user and remote computer (or just computer if in ‘host only’ mode). This allows
you to see where in your Active Directory OU structure these objects exist.

M = USER MEMBERSHIPS
This will show you what security and distribution groups the user belongs to in AD. It also gives you the option of
displaying all inherited group memberships of the user.

CMD = REMOTE CMD PROMPT
This will open a CMD (command line) window as if you were logged on to the remote machine.

UI = DETAILED USER INFO
This will show you detailed information on the user stored in Active Directory. (See the ACTIVE DIRECTORY
FUNCTIONS menu, U command, detailed earlier.)


Disclaimer and other fun stuff…
This program is provided ‘as is’ and I’m not responsible for anything that happens as a result of its use.
You use this software at your own risk.

This program makes use of the following freely available software, which is all virus free:

    •   TightVNC (www.tightvnc.com)
    •   Remote Unlock Service (www.codeproject.com/KB/system/RemoteUnlock.aspx) – Source code available.
    •   Various Microsoft Sysinternals tools (www.sysinternals.com) and other MS commands : “devcon.exe” and
        “quser.exe” which are available in Server 2003 / downloadable MS admin tools.
    •   GnuPG (www.gnupg.org) – Used for encryption and decryption (PGP protocol).
    •   Various tools from www.nirsoft.net – Big thanks to Nir Sofer for creating these utilities.
Some utilities, especially the Remote Unlock Utility, will be considered by some virus checkers as ‘Grayware’; after all,
it is a ‘hack’ to unlock a remote workstation. Check the link above for more info. Obviously use this with discretion,
but what I can say is that it is not a virus, and doesn’t intentionally harm a PC in any way.
Feel free to get in touch with any comments or suggestions, or to report any bugs.

If you like LUSER and use it, please donate
LUSER is currently freeware. However, if you use this program a lot, please consider a PayPal donation to encourage
development and contribute towards web hosting costs. Get in touch for details on how to donate. Many thanks to
those who have already donated.

Have fun!
Paul Price (readysound@gmail.com)

				
posted:11/5/2012