I wrote this script but it's not working properly.Anyone can help?
It's supposed to check download limit and download used by a user and then do some action i.e to remove the user from active ppp list but it has some flaws which is that I can't get the actual-profile value in a variable so instead I save the Profile name in Comment with the user manager user account so then I can get the profile name in the variable but that's not how I want it to be..So that's why how to get the actual-profile value in a variable and also there is one problem..Why I can't change the user account profile directly instead I am doing it the long way but in that way I loose the statistics of the user account so any way that I do not lose the statistics of the user account and the job get's done also???
SCRIPT V1.0:
:foreach i in=[/tool user-manager user find] do={
:global uname [/tool user-manager user get $i username];
:global upass [/tool user-manager user get $i password];
:global dused [/tool user-manager user get $i download-used];
:global uprofile [/tool user-manager user get $i comment];
:global dlimit [/tool user-manager profile limitation get [find name="$uprofile"] download-limit];
:if ($dused > $dlimit) do={
/ppp active remove [find name=$uname]
/tool user-manager user set $i disabled=yes
:log warning "$uname account has been disabled due to downloading limit exceeding";
/tool user-manager user remove $i
:log warning "$uname account is removed on package expiring";
/tool user-manager user add customer=admin disabled=no username=$uname password=$upass;
/tool user-manager user create-and-activate-profile $uname customer=admin profile="Expired User";
:log info "$uname account has been created again with expired profile";
}
}
HOW SCRIPT V1.0 WORKS :
It looks for all users who has exceeded their downloading limit past the profile download limit so their account is removed and created back again with Expired profile being assigned to them so they won't be getting internet anymore.
But it has one problem which is that I loose the Statistics of the user account when I remove the account.So that's why it's not a good solution.
SCRIPT V2.0 :
:foreach i in=[/tool user-manager user find] do={
:global uname [/tool user-manager user get $i username];
:global upass [/tool user-manager user get $i password];
:global dused [/tool user-manager user get $i download-used];
:global uprofile [/tool user-manager user get $i comment];
:global dlimit [/tool user-manager profile limitation get [find name="$uprofile"] download-limit];
:if ($dused > $dlimit) do={
:global uip [/tool user-manager user get $i ip-address];
:global hostip [:pick $uip 11 14];
/tool user-manager user set $i ip-address="10.10.10.$hostip"
/ppp active remove [find name=$uname]
:log warning "$uname has been assigned to expired ip pool with ip 10.10.10.$hostip";
}
}
HOW SCRIPT V2.0 WORKS :
It looks for all users who has exceeded their downloading limit past the profile download limit and get their static IP and then split the ip into the network address and host address and then adds the expired ip pool network address to it and then adds the host address to that expired ip pool network address and then each user is assigned the ip and hence like that their working internet ip pool is changed into expired pool and hence the statistics are not lost in the process and also they don't get any internet now anymore..!
So it's a better solution..but I am looking forward if it can be even made even better than this..! :D
Why you are getting involved in a a wild goose chase?
Why use script for this function? why not assign it directly using user manager? Something like discussed here
... its just to share some thoughts on it, maybe you can further enhance it as per your requirements.
Mikrotik User manager is a nice mini billing system but its not the focus of mikrotik since long. it have its flaws and limitations.
If you are a commercial entity like ISP/Net_Operator, then I recommend you to use some dedicated billing billing system like freeradius or radius manager which can do the job nicely.
It can also perform many other fancy functions like sending sms / redirection / and much MORE...
Related
Developing Active Directory for a scalable and hackable student environment and I cannot manage to preserve the Domain Trust Relationship after the VM's restart. On first launch everything works, but after stopping/starting the AD Set, the trust relationship is broken.
Configuration Basics.
Three machines built and running in AWS (Windows Server 2012)
Domain Controller (Pre-Built Forest, Domains, Users, Computers, GPO's, etc)
Two "Targets" with varying permissions.
AMIs are built and domian joined before imaging.
Prior to imaging, Target Boxes are REMOVED from the domain, leaving a single DC and two un-joined Windows Server 2012 boxes.
Boxes are stopped without SysPrep to preserve SIDs and other variables like admin passwords, and an image is taken. User data is enabled
At this point, I can relaunch these boxes from AMI, re-join the domain, and I have no issues after restarting.
Here are the next steps.
The AMI's are run through a code pipeline that applies user data to the boxes to Domain Join and set the DNS to the IP of the DC.
Code exists to prevent the targets from crating until the DC is listening so they can join the domain.
On creation, things work flawlessly again.
After stopping and restarting, however, I start getting "NO_LOGON_SERVER" errors with tools, and cannot login with a domain user.
There are obvious solutions, but nearly all of them manual, and this must be automated. Furthermore, I must configure this in a way that no passwords are exposed on the box or retained as tickets or hashes in lsass that could ruin the exploint path.
If it helps, here is the User-Data that domain joins the targets.
<powershell>
# Checking for response from DC
do {
Start-Sleep 30
} until(Test-NetConnection -InformationLevel Quiet '{DC_IP_ADDR}')
# "true" if Domain Joined
$dCheck = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
# Join domain if not already, skip if joined.
if ($dCheck -eq 'True') {
echo "I was domain joined after restarting." >> C:\Windows\Temp\log.txt
}
else {
# Allows 'rdesktop' by disabling NLA as a requirement
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 0
# Set DNS to DC IP address via custom variable
$adapterIndex = Get-NetAdapter | % { Process { If ( $_.Status -eq "up" ) { $_.ifIndex } }}
Set-DNSClientServerAddress –interfaceIndex $adapterIndex –ServerAddresses ('{DC_IP_ADDR}','8.8.8.8')
#Set DA Credential object and join domain
$username = 'MYDOMAIN\ADMINISTRATOR'; $password = ConvertTo-SecureString -AsPlainText 'NotTheActualPasswordButReallySecure' -Force; $Credentials = New-Object System.Management.Automation.PSCredential $Username,$Password
Add-Computer -Domain 'MYDOMAIN.LOCAL' -Credential $Credentials -Force -Restart
}
</powershell>
<persist>true</persist>
And here is the Domain Controller. It is scheduled to change it's DA Password after 4 minutes so that the password exposed in the user data above is no longer valid
<powershell>
# Enable Network Discovery
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
# Allows 'rdesktop' by disabling NLA as a requirement
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 0
Start-Sleep -Seconds 240
# Recycle DA Password
powershell.exe -C "C:\Windows\Temp\recycle.ps1"
echo "Done" > "C:\Users\Administrator\Desktop\done.txt"
</powershell>
I need to login into 50 hosts and perform a specific task.
Each host has one of 2 passwords (ex: pass1 and pass2) for a specific user (ex: foo).
I do not know on which host "foo" is set with "pass1" and on which host "foo" is set with "pass2". I have both passwords in a vault file.
Using Ansible, how can I first make a task where I try to login as "foo" with "pass1", then if unsuccessful login with "pass2" and finally setting a fact with the correct vault value (depending on which password worked i.e. "foo" managed to login).
I then want to use that fact to perform additional tasks on that same host.
We would like to add groups, that are allowed to login to a system, to common-account.
At the moment we initially template pam.d common-account file via Ansible.
After that, the file gets changed by hand a lot and is not consisent accros the infrastructure.
Now we would like to add groups, also per ansible.
Problem is the unkown state of the file and the incrementing succes=1 - success=... of pam_succeed_if.so.
That leaves us with editing the file maunally to add groups, after initial templating.
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Account-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the account modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
#account required pam_unix.so try_first_pass
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_sss.so use_first_pass
account requisite pam_deny.so
account [default=ignore success=7] pam_succeed_if.so quiet uid < 10000
account [default=ignore success=6] pam_succeed_if.so user ingroup SGOps
account [default=ignore success=5] pam_succeed_if.so user ingroup SGDev
account [default=ignore success=4] pam_succeed_if.so user ingroup SGAnsible
account [default=ignore success=3] pam_succeed_if.so user ingroup SGDba
account [default=ignore success=2] pam_succeed_if.so user ingroup SGAdmin
account [default=ignore success=1] pam_succeed_if.so user ingroup SGTSAdmins
account [default=bad success=ignore] pam_succeed_if.so user ingroup doesnotexist
account required pam_permit.so
account required pam_tally2.so
Is there a more convenient way like
account [default=ignore success=1] pam_succeed_if.so quiet uid < 10000
account [default=ignore success=ok] pam_succeed_if.so user ingroup /etc/grouplist
I am looking to automate the tasks like providing access to a new user on shared path through Microsoft Computer management console compmgmt.msc in windows server 2003. I am looking for power shell cmdlets for the same. Can someone please direct me to a place where I can find these.
Thanks,
Sambhav
On W2K3 you only have PSv1 or 2 and their supported .Net libraries. So you are stuck with those.
Providing access though is just setting permissions, manually or via code. You don't use PS to control the Compmgmt.msc. PS, goals really don't include GUI management.
You can grant permissions on a share, via automation, with no reason to touch a GUI.
The PSv2 (assuming you've got that on the boxes), you only have thee cmdlets
https://social.technet.microsoft.com/wiki/contents/articles/13876.powershell-2-0-cmdlets.aspx
So, from that list it is the...
Get-Acl
Set-Acl
… cmdlets you are after.
Otherwise, the below can show a different approach.
How can I set SHARE permissions using powershell v2.0?
https://social.technet.microsoft.com/Forums/ie/en-US/7fd11f99-c45b-4e8f-acb1-bd7df870a811/how-can-i-set-share-permissions-using-powershell-v20
#Creating Security Descriptor
$sd = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
#Creating ACE for Authenticated Users and setting it to Security Descriptor
[System.Security.Principal.NTAccount]$account="NT Authority\Authenticated Users"
[INT]$rights='1179817'
$ace = Create-WMIAce $account $rights
$sd.DACL += #($ace.psobject.baseobject) # append
$sd.ControlFlags="0x4" # set SE_DACL_PRESENT flag
#Creating ACE for Administrators and setting it to Security Descriptor
[System.Security.Principal.NTAccount]$account="BUILTIN\Administrators"
[System.Security.AccessControl.FileSystemRights]$rights='FullControl'
$ace = Create-WMIAce $account $rights
$sd.DACL += #($ace.psobject.baseobject) # append
$sd.ControlFlags="0x4" # set SE_DACL_PRESENT flag
#Setting Share Permissions
$Share = gwmi win32_share -filter "name='ShareName'"
$Share.SetShareInfo($Share.MaximumAllowed,$Share.Description,$SD)
I have a user in my workplace domain, I want to add him to a specific domain group then assign him some privileges on a specific folder.
I wonder how this can be done using command line or a more automated process than doing it step by step as I do this quite often.
I'm using AD on Windows 10
Looks like dsmod group can be used but I don't know how.
If I have a user with username userh01 in domain mydom how I can add him automatically to group mydomgroup1?
I've tried this command:
dsmod group "mydomgroup1" -addmbr "userh01"
but I get this error
dsmod failed:Value for 'Target object for this command' has incorrect format.
Any advice?
Maybe using powershell to add memeber to a domain group is an alternative way.
here below th script for example
Add-ADGroupMember -Identity "Groupmane" -Memebers "Username to add"
Add-ADGroupMember -Identity "mymdomgroup1" -Memebers "userh01"
ps:you may need to import active diretory modul. before using Add-ADGroupMeber parameter use this command 'Import-Module ActiveDirectory' at begining
for different syntax and detailed description to add-adgroupmember parameter follow this link
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee617210(v=technet.10)