List members of a Group

You can retrieve a list of users from a security or distribution group in the domain with the dsget tool, which was introduced in Windows 2003. It ships, together with the other directory service command-line tools, on the Windows 2003 CD.

Let’s say you need to gather a list of users (plus the members of nested groups) from a domain group. This is quite easy; the following command accomplishes it:

dsget group "DN_of_group" -members -expand > userlist.txt

The output will be saved in userlist.txt

This is a sample of the output saved in userlist.txt:

"CN=Shan Dallis,OU=Users,DC=test,DC=local"
"CN=Tapihe C Mdwa,OU=Users,DC=test,DC=local"

and so on…
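As an added example (not part of the original post), here is a PowerShell wrapper around the same dsget command: it saves the raw output to userlist.txt and parses the quoted DNs into objects you can filter or export. It assumes dsget.exe is on the PATH; the sample lines at the bottom are constructed in the page's output format so the parser can be tried without a domain.

```powershell
# Added example (not from the original post). Assumes dsget.exe (Windows 2003 support
# tools) is on the PATH; the sample lines below are constructed in the page's format.

function ConvertFrom-DsgetMember {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        $dn = $Line.Trim().Trim('"')
        if (-not $dn) { return }
        # The first RDN is the object's CN. Split only on commas that are not escaped,
        # because a CN such as "Dallis\, Shan" legitimately contains one.
        $rdns = $dn -split '(?<!\\),'
        $cn = (($rdns[0] -replace '^CN=', '') -replace '\\,', ',')
        [pscustomobject]@{
            Name = $cn
            OU   = (($rdns | Where-Object { $_ -like 'OU=*' }) -join ',')
            DN   = $dn
        }
    }
}

function Get-GroupMemberList {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [string]$OutFile = 'userlist.txt'
    )
    # -members lists direct members; -expand follows nested groups recursively
    $lines = & dsget.exe group $GroupDN -members -expand
    if ($LASTEXITCODE -ne 0) { throw "dsget failed with exit code $LASTEXITCODE" }
    $lines | Set-Content -Path $OutFile          # same raw file the command above produces
    $lines | ConvertFrom-DsgetMember
}

# Constructed sample in the page's format, so the parser can be tried without a domain
$sample = @(
    '"CN=Shan Dallis,OU=Users,DC=test,DC=local"'
    '"CN=Tapihe C Mdwa,OU=Users,DC=test,DC=local"'
    '"CN=Dallis\, Shan (svc),OU=Service Accounts,OU=Users,DC=test,DC=local"'
)
$sample | ConvertFrom-DsgetMember | Format-Table Name, OU -AutoSize

# Live use:
# Get-GroupMemberList -GroupDN 'CN=Domain Admins,CN=Users,DC=test,DC=local' |
#     Export-Csv -Path members.csv -NoTypeInformation
```

The parser splits only on unescaped commas; a plain -split ',' would break the third sample line into two bogus entries, which is the usual mistake when feeding dsget output into another script.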

Add a user to Local Admin group on All machines.

Scenario: You need to add a user (test1) to the local Administrators group on every computer. How do you achieve this??? No, no… you’re wrong there – you don’t need VBScript or anything like that, simply use PSEXEC to accomplish it. Interesting!

Here it is:

psexec.exe @server.txt net localgroup administrators test.local\test /add

Isn’t it as simple as pie?

@server.txt - This file holds the list of servers psexec processes; on each one it runs the net localgroup administrators test.local\test /add command. (The run file is given as @file with no leading dash, and it must come before the command.)

net localgroup - This command directs the Net API to execute the change through the Windows low-level subsystem. Use net group instead if you are adding the account to a global security group in the domain.
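The same run file works the other way round for auditing: rather than adding a member everywhere, list who is already in the local Administrators group on each server in server.txt and flag anyone not on your approved list. This is an added example, not from the original post; it assumes psexec.exe is on the PATH, that the account running it is an administrator on the targets, and the approved-member list is constructed for illustration.

```powershell
# Added example (not from the original post): audit rather than modify.
# Assumes psexec.exe is on the PATH and the caller is an administrator on each target.

# Constructed for the example: who is allowed to be a local administrator
$Approved = @('Administrator', 'TEST\Domain Admins')

function Get-LocalAdminsRemote {
    param([Parameter(Mandatory)][string]$Computer)
    # net localgroup prints a header, a line of dashes, one member per line, then a footer.
    # psexec relays that output to our console; its own banner goes to stderr and is dropped.
    $out = & psexec.exe "\\$Computer" net localgroup administrators 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }    # psexec passes back the remote command's exit code
    $members = New-Object System.Collections.Generic.List[string]
    $inBody = $false
    foreach ($line in $out) {
        if ($line -match '^-{5,}') { $inBody = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inBody -and $line.Trim()) { $members.Add($line.Trim()) }
    }
    return ,$members
}

function Test-LocalAdmins {
    param([string]$ServerList = 'server.txt')
    # Same list psexec's @file would read; skip blank and commented lines
    $servers = Get-Content $ServerList | ForEach-Object { $_.Trim() } |
               Where-Object { $_ -and -not $_.StartsWith('#') }
    foreach ($srv in $servers) {
        $members = Get-LocalAdminsRemote -Computer $srv
        if ($null -eq $members) { Write-Warning "${srv}: could not query"; continue }
        $unexpected = @($members | Where-Object { $Approved -notcontains $_ })
        [pscustomobject]@{
            Server     = $srv
            Members    = ($members -join '; ')
            Unexpected = ($unexpected -join '; ')
        }
    }
}

Test-LocalAdmins | Format-Table -AutoSize
```

Running this before and after a bulk /add gives you a record of what changed, and running it on a schedule catches accounts that were added by hand and never removed.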


Ping Servers in DMZ

Let’s say you need to check the connectivity of a few servers in the DMZ from your management server.

Scenario: You have 20 servers running in your DMZ network. You need to check connectivity to these servers every day or once a week to make sure they are up and running. The manual process would be:

1. From your workstation you log on to your management server, from which these servers can be pinged. You use RDP to connect to the management server.

2. Ping each server and read the response on the management box.

To avoid the manual process you can use PSEXEC to do so.

This is how you do it:

You know these servers are in the DMZ and can be pinged only from the management server, so you run ping there through PSEXEC. The redirect is evaluated on the machine running psexec, so the output file lands on your own box:

For one server you can use the following:

psexec.exe \\management_server ping server_in_dmz > c:\PingResponse\Response.txt

For more than one server you use the following:

1. A servers.txt file listing all the servers, one per line.
2. A CMD or BAT file that pings all the servers and stores each result in a %server_name%.txt file.


@echo off
rem Check Servers Ping Response in DMZ network.

set srvlist=servers.txt
rem -----------------------------------

if not exist "%srvlist%" (
    echo Can't find Server List file: %srvlist%
    goto :eof
)

rem the redirect below fails if the output folder is missing
if not exist C:\PingResponse mkdir C:\PingResponse

echo Processing all Servers..........
for /f "tokens=* delims=" %%m in (%srvlist%) do call :checknow "%%m"
goto :eof

:checknow
rem strip spaces from the server name, then ping it from the management server
set srvname=%~1
set srvname=%srvname: =%
psexec.exe \\management_server ping -w 1000 %srvname% > C:\PingResponse\%srvname%.txt
goto :eof




Ping computers with Time Stamp

Here it is: a small script that pings a computer and records a time stamp:

@echo off
echo %time% > C:\PingServer.txt
rem replace server_name with the host you want to ping
ping server_name >> C:\PingServer.txt

Note the “>>” in above redirector. This redirector enables you to append the file rather than overwrite it.
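As an added example (not from the original post), a PowerShell version of the two scripts above: it reads servers.txt, pings each host from the management server through psexec, and appends a time-stamped line per host to that host's own log instead of overwriting it. management_server, servers.txt and C:\PingResponse are the placeholders used in the text; psexec.exe is assumed to be on the PATH.

```powershell
# Added example (not from the original post). Placeholders from the text:
# management_server, servers.txt, C:\PingResponse. psexec.exe assumed on the PATH.

function Test-DmzHost {
    param(
        [Parameter(Mandatory)][string]$ManagementServer,
        [Parameter(Mandatory)][string]$Name,
        [int]$TimeoutMs = 1000
    )
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    # ping runs on the management server; psexec relays its output and exit code back here
    $out = & psexec.exe "\\$ManagementServer" ping -n 1 -w $TimeoutMs $Name 2>$null
    # Windows ping exits 0 when any reply arrived, but a router's "Destination host
    # unreachable" also counts as a reply, so check the text as well
    $up = ($LASTEXITCODE -eq 0) -and -not ($out -match 'unreachable')
    [pscustomobject]@{
        Timestamp = $stamp
        Host      = $Name
        Up        = $up
        Detail    = (($out | Where-Object { $_ -match 'Reply from|timed out|unreachable|could not find' }) -join ' ')
    }
}

function Invoke-DmzPingSweep {
    param(
        [string]$ServerList = 'servers.txt',
        [string]$ManagementServer = 'management_server',
        [string]$LogDir = 'C:\PingResponse'
    )
    if (-not (Test-Path $ServerList)) { throw "Can't find server list file: $ServerList" }
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    # Trim whitespace (the batch script did this with %srvname: =%) and drop blank/comment lines
    $hosts = Get-Content $ServerList | ForEach-Object { $_.Trim() } |
             Where-Object { $_ -and -not $_.StartsWith('#') }
    foreach ($h in $hosts) {
        $r = Test-DmzHost -ManagementServer $ManagementServer -Name $h
        $status = if ($r.Up) { 'UP' } else { 'DOWN' }
        # Add-Content is the ">>" of PowerShell: it appends instead of overwriting
        "$($r.Timestamp) $($r.Host) $status $($r.Detail)" | Add-Content -Path (Join-Path $LogDir "$h.txt")
        $r
    }
}

# Print only the hosts that did not answer; the per-host logs keep the full history
Invoke-DmzPingSweep | Where-Object { -not $_.Up } | Format-Table Timestamp, Host, Detail -AutoSize
```

Because each line carries its own time stamp, the per-host file becomes a history you can grep for the last time a server went quiet, which the single echo %time% at the top of the batch file cannot give you.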

Will write more on this if time permits :)


Domain Controller’s “Log on Locally” right removed or set to "Not Configured".

Suppose you have accidentally locked yourself out: you removed the “Log On Locally” right from the Domain Controllers policy and nobody is allowed to log on locally at the domain controller any more. There are a few methods you can use to get the logon right back.

This only works if the problem is limited to logging on locally. If you have also accidentally removed the following rights, or denied them to yourself, there is no way to make the DC operable this way – but there is a way!

Access This Computer From Network

Deny Access This Computer From Network

Okay, let’s talk about the “Log on Locally” right and how to get it back.

You can use the methods outlined below to get it back on track:

Users or administrators can still reach the computer over the network as long as the “Access This Computer From Network” logon right is enabled and configured properly; that is what the PSEXEC steps below rely on.

Method 1

1. Go to a workstation (XP) or a Windows server.
2. Open Active Directory Users and Computers.
3. Right-click the Domain Controllers OU > Properties > Group Policy tab.
4. Change the setting there for the “Log on locally” right.
5. Run PSEXEC to enforce the policies on the DC:

PSEXEC \\Dc_name secedit /refreshpolicy user_policy
PSEXEC \\Dc_name secedit /refreshpolicy machine_policy

(secedit /refreshpolicy is the Windows 2000 syntax; on Windows XP and Windows 2003 the equivalent is gpupdate /force.)

6. Wait five minutes.
7. Now try to log on to the DC locally.

Everything should work.

Method 2

If the problem still persists you can follow the steps below to reset it manually.

1. Go to a working DC.
2. Go to SYSVOL.
3. Look for the two GPO folders in there:

Domain GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}
DC GPO GUID {31B2F210-016D-11D2-945F-00C04FB981F1} – switch to this one; this is the Default DC GPO.

4. Copy the contents.
5. Access the broken DC’s C:\ drive remotely.
6. Switch to its SYSVOL share.
7. Look for the same two GPO folders in there:

Domain GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}
DC GPO GUID {31B2F210-016D-11D2-945F-00C04FB981F1} – double-click to open this folder.

8. Paste the contents here.
9. Now run the PSEXEC command with secedit to enforce the policies.

Please note that copying a GPO’s folder from one DC to another replaces all of the existing settings of that GPO on the target with the copied ones.
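Before changing the Default Domain Controllers policy it is worth confirming what the DC currently grants. The following added example (not from the original post) exports the user-rights area with secedit and checks that the built-in Administrators group (well-known SID S-1-5-32-544) holds SeInteractiveLogonRight, the internal name of “Log on locally”, and is not listed under the matching deny right. Run it on the DC or through PSEXEC \\Dc_name; the sample export text at the bottom is constructed to show the parser offline.

```powershell
# Added example (not from the original post). Run on the DC (or via psexec \\Dc_name).
# The [Privilege Rights] sample below is constructed in secedit's export format.

function ConvertFrom-SecEditRights {
    param([string[]]$Lines)
    # secedit writes an INI-style file; user rights live under [Privilege Rights] as
    # "SeXxx = *SID,*SID" where "*" prefixes a SID (plain account names may also appear)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-LogonLocallyRight {
    param([string]$ExportPath = "$env:TEMP\userrights.inf")
    # Export only the USER_RIGHTS area of the effective local security database
    & secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $ExportPath)) { throw 'secedit export failed' }
    $rights = ConvertFrom-SecEditRights -Lines (Get-Content $ExportPath)
    $logon = @($rights['SeInteractiveLogonRight'])
    $deny  = @($rights['SeDenyInteractiveLogonRight'])
    [pscustomobject]@{
        AdminsCanLogOnLocally = ($logon -contains 'S-1-5-32-544') -and -not ($deny -contains 'S-1-5-32-544')
        LogOnLocally          = ($logon -join ', ')
        DenyLogOnLocally      = ($deny -join ', ')
    }
}

# Constructed sample of the export format so the parser can be exercised anywhere
$sample = @(
    '[Unicode]'
    'Unicode=yes'
    '[Privilege Rights]'
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549'
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544'
    '[Version]'
    'signature="$CHICAGO$"'
)
(ConvertFrom-SecEditRights -Lines $sample)['SeInteractiveLogonRight']

# Live check on the DC:
# Test-LogonLocallyRight | Format-List
```

If AdminsCanLogOnLocally comes back false while you can still reach the DC over the network, you are in exactly the situation this section describes and Method 1 still applies; if the export itself cannot be run remotely, the network logon right is gone too.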

Two SYSVOL shares or SYSVOL missing!

Sometimes you may get into a situation where you have two SYSVOL shares and you don’t know which one is working and replicating information to the other domain controllers.

No problem – sometimes SYSVOL is not working properly and you get JOURNAL_WRAP error messages on the domain controller. When FRS starts replicating the contents of SYSVOL to the other domain controllers it searches the registry for the correct path of SYSVOL. The registry holds information such as the SYSVOL folder location and the SYSVOL share name, and this is handed to FRS so it can replicate the contents to the other domain controllers. Well, here is the problem – FRS says: “I don’t know what is what: this SYSVOL folder is not the one I’m looking for”, because the folder is missing information. Now you’re stuck: you can’t go any further and can’t do anything with the system. FRS’s second step is to check DNS for the SRV records registered by the domain controllers – that is a different problem, if it can’t find the other DCs through DNS – and it is not the issue here.

Microsoft has written an article on troubleshooting SYSVOL:

Check it out here:

The D4 registry entry (the BurFlags value) in the above article makes this domain controller authoritative for the whole SYSVOL share.

Also check: Troubleshooting Missing SYSVOL and Netlogon shares:
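To see which SYSVOL the system actually believes in before you touch BurFlags, the added example below (not from the original post; Windows PowerShell 3.0 or later assumed) reads the SysVol path and SysvolReady flag that Netlogon stores under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, lists the SYSVOL and NETLOGON shares, checks that the shared path exists on disk and matches the registry, and looks for the NtFrs journal-wrap event (ID 13568) in the File Replication Service log. Run it on the suspect DC.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 3.0+ on the DC.

function Get-SysvolState {
    # Netlogon records where SYSVOL lives and whether it is ready to be shared
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    # What is actually shared right now
    $shares        = Get-WmiObject -Class Win32_Share
    $sysvolShare   = $shares | Where-Object { $_.Name -eq 'SYSVOL' }
    $netlogonShare = $shares | Where-Object { $_.Name -eq 'NETLOGON' }

    # FRS logs JRNL_WRAP_ERROR as event 13568 in the File Replication Service log
    $wrap = Get-EventLog -LogName 'File Replication Service' -Source NtFrs -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 13568 } | Select-Object -First 1

    $regPath   = [string]$params.SysVol
    $sharePath = if ($sysvolShare) { [string]$sysvolShare.Path } else { '' }

    [pscustomobject]@{
        RegistrySysVolPath   = $regPath
        SysvolReady          = $params.SysvolReady
        SysvolShareExists    = [bool]$sysvolShare
        SysvolSharePath      = $sharePath
        SharePathOnDisk      = ($sharePath -ne '' -and (Test-Path -LiteralPath $sharePath))
        RegistryMatchesShare = ($sharePath -ne '' -and $regPath.TrimEnd('\') -eq $sharePath.TrimEnd('\'))
        NetlogonShareExists  = [bool]$netlogonShare
        LastJournalWrap      = $(if ($wrap) { $wrap.TimeGenerated })
    }
}

$state = Get-SysvolState
$state | Format-List
if (-not $state.SysvolShareExists -or -not $state.RegistryMatchesShare) {
    Write-Warning 'SYSVOL share and Netlogon registry path disagree; check SysvolReady and the FRS log before setting BurFlags.'
}
```

A mismatch between RegistrySysVolPath and SysvolSharePath is the "two SYSVOLs" symptom described above: the folder FRS is told about is not the one being shared, so fix that before making any DC authoritative with D4.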