Tiny Deathstars of Foulness

The options for Open Directory continue to get more refined, aligning with opendirectoryd. The odutil command is becoming more and more useful with each version of OS X. Let’s inspect the directory service cache, using odutil with the show verb and the cache option:

odutil show cache

You can also view statistics for opendirectoryd using that show verb but with the statistics option:

odutil show statistics

And to see everything, use odutil with the show verb and the all option to get plenty of data to grep through:

odutil show all

The final show option we’ll look at is configuration. Here, you will also need to feed a directory nodename into the command:

odutil show configuration /Search

Now, /Search is one node, but there are a lot of others. You can use show with nodes to see a listing of all the nodes:

odutil show nodes

You can then see which pids have references to opendirectoryd as well as the nodenames, reference IDs, and session IDs.

All of this can be very helpful when troubleshooting Open Directory issues. One thing I find I do pretty frequently is resetting statistics then repeating a process that is causing a problem so I can view only the updated statistics. To do so:

odutil reset statistics

You can also disable statistics (I’ve seen them create performance concerns):

odutil set statistics off

Or to turn them back on:

odutil set statistics on

Once upon a time you could killall DirectoryService with a -usr level to set various logging levels. With opendirectoryd, we can still do that, but it’s less kludgy with odutil. Here, we’ll set the logging level as detailed as we can get:

odutil set log debug

Other levels, in ascending order of verbosity, include alert, critical, error, warning, notice, and info.

July 10th, 2015

Posted In: Active Directory, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


You can destroy an LDAP server using the Server app (and still using slapconfig -destroyldapserver). To do so, open the Server app and click on Open Directory. Then click on the Open Directory server in the list of servers.


When prompted to destroy the LDAP Master, click on Next.


When asked if you’re sure, click Continue.


When asked if you’re really, really sure, click Destroy.



January 19th, 2015

Posted In: Active Directory, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


You can gracefully stop Windows processes using the Stop-Process cmdlet. For example, to stop Chrome:

Stop-Process -Name Chrome

You can also stop it by ID. To locate the ID of a process, use Get-Process:

Get-Process Chrome

You can then use the -ID operator to stop the process:

Stop-Process -ID 6969

Kill is a command that all Mac and Unix admins know. It’s similar to Stop-Process, except it’s anything but graceful. And you use the -processname option to stop a process:

kill -processname calc

January 12th, 2015

Posted In: Active Directory, Windows Server, Windows XP


There are 3 registry keys that admins in the Windows world use to enable automatic logins, often required for deployments that need a logged-in user to set up user environments, such as configuring app deployments as part of a mass deployment.

The required keys in the registry are:

December 8th, 2014

Posted In: Active Directory, Mass Deployment, Microsoft Exchange Server, VMware, Windows Server, Windows XP

Simple request: Search all files in a directory and its child directories for a specific pattern and then return the filename without the path to the file. There are a few cmdlets we end up needing to use:

  • Get-ChildItem: Creates a recursive array of filenames and pipes that output into the For loop.
  • ForEach-Object: Starts a for loop, looping through the output of the command that has been piped into the loop (much easier than an IFS array IMHO).
  • If: This starts the if pattern that ends after the select-string in the below command, but only dumps the $_.PSPath if the pattern is true.
  • Select-String: Searches for the content in the file.
  • Split-Path: This is the PowerShell equivalent of basename and dirname. You can use this cmdlet to extract parts of the path to a file. In this case, we’ll use the -Leaf option, which effectively runs basename, returning just the file name in the path to a file.

Get-ChildItem -include * -recurse | ForEach-Object { if( ( $(Get-Content $_) | select-string -pattern "Finished processing mailbox") ) { $_.PSPath }} | Split-Path -Leaf

You can also search for the files that specifically don’t have that given pattern included in them instead by adding a ! in front of the Get-Content:

Get-ChildItem -include * -recurse | ForEach-Object { if( !( $(Get-Content $_) | select-string -pattern "Finished processing mailbox") ) { $_.PSPath }} | Split-Path -Leaf

Note: This runs recursively from the existing working directory (and yes, you can use pwd to return a path, just like the bash built-in).

Finally, the > operator can be placed at the end to dump our data to a file:

Get-ChildItem -include * -recurse | ForEach-Object { if( !( $(Get-Content $_) | select-string -pattern "Finished processing mailbox") ) { $_.PSPath }} | Split-Path -Leaf > Complete.txt


April 18th, 2014

Posted In: Active Directory, Microsoft Exchange Server, Windows Server


There are a number of tools available for using Syslog in a Windows environment. I’ll look at Snare as it’s pretty flexible and easy to configure. First download the snare installation executable from Once downloaded run the installer and simply follow all of the default options, unless you’d like to password protect the admin page, at which point choose that. Note that the admin page is by default only available to localhost.

Once installed, run the “Restore Remote Access to Snare for Windows” script.


Then open and click on Network Configuration in the red sidebar. There, we can define the name that will be used in syslog (or leave blank to use the hostname), the port of your syslog server (we used 514 here) and the address of your syslog server (we used logger here but it could be an IP or fqdn).



Once you have the settings you’d like to use, scroll down and save your configuration settings. Then, open Services and restart the Snare service.


Then run the Disable Remote Access to Snare for Windows option and you’re done. Now, if you’re deploying Snare across a lot of hosts, you might find that scripting the config is faster. You can send the Destination hostname (here listed as meh) and Destination Port (here 514) via regedit commands (Destination and DestPort respectively) and then restart the service.


I’ll do another article at some point on setting up a logstash server to dump all these logs into. Logstash can also parse the xml so you can search for each attribute in the logs and with elasticsearch/hadoop/Kibana makes for an elegant interface for parsing through these things.

April 13th, 2014

Posted In: Active Directory, Windows Server, Windows XP


You have a lot of boxes. You would like to be able to parse through the logs of all those boxes at the same time, searching for a given timestamp across a set of machines for a specific string (like a filename or a port number). elasticsearch, logstash and kibana are one way to answer that kind of need. This will involve downloading three separate packages (which for this article, we’ll do in /usr/local) and creating a config file.

First, install the latest Java JDK. This is available at jdk8-downloads-2133151.html.

The following downloads the latest version of logstash and untars the package into /usr/local/logstash. I like nesting that logstash-1.4.0 inside logstash so that when the next version comes out I can have it there too; I have plenty of space, so keeping a couple of versions back helps in the event I need some old binary and can’t get to it ’cause they revved out the version I wrote a script against at some point:

curl -O
mkdir /usr/local/logstash
tar zxvf logstash-1.4.0.tar.gz -C /usr/local/logstash

Once we have logstash, we’ll grab elasticsearch similarly:

curl -O
mkdir /usr/local/elasticsearch
tar zxvf elasticsearch-1.0.1.tar.gz -C /usr/local/elasticsearch

Then we’ll untar kibana in the same manner:

curl -O
mkdir /usr/local/kibana
tar zxvf kibana-3.0.0.tar.gz -C /usr/local/kibana

Next we’ll make a very simple config file that we call /usr/local/stashbox.conf that listens on port 514 for syslog:

input {
  # Listen for syslog on both TCP and UDP port 514
  tcp {
    port => 514
    type => syslog
  }
  udp {
    port => 514
    type => syslog
  }
}
filter {
  if [type] == "syslog" {
    # Split the raw line into timestamp, host, program, pid and message fields
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    # Syslog pads single-digit days with a space, hence the two formats
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch { host => localhost }
  stdout { codec => rubydebug }
}
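
To see what the grok and date filters in this config pull out of a line, here is an added Python example (not part of the original post and not logstash code) that applies an equivalent parse to constructed syslog lines. The regex is a simplified stand-in for the grok patterns, and `parse_syslog`, `SAMPLES` and the `year` parameter are hypothetical names.

```python
import re
from datetime import datetime

# Regex approximation of the grok expression in the filter section
# (assumption: simplified versions of SYSLOGTIMESTAMP, SYSLOGHOST, DATA, POSINT).
SYSLOG_RE = re.compile(
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.:-]+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>[1-9]\d*)\])?: "
    r"(?P<syslog_message>.*)"
)

def parse_syslog(line, year=2014):
    """Return the fields the grok filter would extract, or None on no match."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None  # logstash tags such events with _grokparsefailure
    fields = m.groupdict()
    # Classic syslog timestamps carry no year and pad single-digit days with
    # a space, which is why the date filter lists two day formats.
    month, day, clock = fields["syslog_timestamp"].split()
    fields["@timestamp"] = datetime.strptime(
        f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    return fields

# Constructed sample lines, not taken from a real host.
SAMPLES = [
    "Apr  9 22:37:51 mac01 sshd[4242]: Failed password for invalid user "
    "admin from 192.0.2.10 port 51514 ssh2",
    "Apr 12 09:07:44 mac01 periodic: daily maintenance complete",
    "not a syslog line",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_syslog(line))
```

The second sample has no `[pid]`, so `syslog_pid` comes back empty, and the third line fails to match entirely, which is the case to watch for when a sender uses a different syslog format.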

Next, we’ll enable elasticsearch:


And finally, in a different window we’ll call logstash with that file as the config file:

/usr/local/logstash/logstash-1.4.0/bin/logstash -f /usr/local/stashbox.conf

Having each of these open in different Terminal windows allows you to see logs in stdout. Next, point a host at your new syslog box. You can use for installing Windows clients or for  a Mac. Once done, let’s get Kibana working. To do so, first edit the config.js.

vi /usr/local/kibana/kibana-3.0.0/config.js

Locate the elasticsearch setting and put the name of the host running logstash in there (yes, it can be the same as the actual logstash box as long as you install a web server on the logstash box). Then save the changes.

Now move the contents of that kibana-3.0.0 folder into your web directory. Let’s say this is a basic OS X Server, that would be:

cp -R /usr/local/kibana/kibana-3.0.0/* /Library/Server/Web/Data/Sites/Default/

You can then check out your Kibana site at http://localhost or http://localhost/index.html#/dashboard/file/logstash.json for the actual search pages, which is what I’ve bookmarked.


For example, to see the impact of periodic scripts in System Logs:



April 11th, 2014

Posted In: Active Directory, Mac OS X, Mac OS X Server, Microsoft Exchange Server, Network Infrastructure, Ubuntu, Unix, VMware, Windows Server


According to how you’ve been creating accounts, you might be the best friend of the office manager, who calls looking to see if you can generate a quick phone list. Or you might be useless. Either way, you should know how to obtain the data and therefore possibly how to be helpful to others. Or again, you might be a lost cause. Sorry, had to be said before I take over the entire Tri-State area. Anyway, let’s assume that you want to just grab the office phone number and that you’ve entered that into Active Directory. So let’s pull that and print it to the screen:

Get-AdUser -Filter * -Properties OfficePhone | FT OfficePhone,UserPrincipalName

Now that you can dump a list to the screen, let’s pipe the output to CSV instead, so we can open it in Excel:

Get-AdUser -Filter * -Properties OfficePhone | Select-Object OfficePhone,UserPrincipalName | Export-CSV c:\phonelist.csv -NoTypeInformation

April 10th, 2014

Posted In: Active Directory, Windows Server

